Trend Micro Core Protection Module Administrator's Guide
Contents
Scan Settings
  CPU Usage (On-Demand Scans Only)
Scan Exclusions Tab
  AV/Spyware Scan Exclusion
Scan Action Tab
  Virus/Malware Action
  Spyware/Grayware Action
Spyware White List Wizard
Web Reputation Blacklist-Whitelist
ActiveUpdate Server Settings Wizard
  Source
  Proxy
  Others
Common Firewall Settings
Chapter 6: Using Web Reputation
  How Web Reputation Works
  Migrating WPM Standalone Settings
  Procedures Overview
  Web Reputation Security Levels
  How Web Reputation Works
  Using Web Reputation in CPM
  Blacklist and Whitelist Templates
  Creating and Deploying a New Template
  Importing Lists of Web Sites
  Viewing an Existing Template
  Copying and Editing a Template
  Editing Custom Actions
  About Analyses
Chapter 7: Install and Manage the Client Firewall
  About the CPM Firewall and Policies
  Add the Firewall Masthead to the ESP Server
  Remove Conflicting Firewalls
  Creating Firewall Policies
  Governing Logi
  Update Now
Troubleshooting
  Installation
    Install Status
    Error Codes
    Installing the CPM Server on a Non-default Drive
  Virus/Malware and Spyware Scanning
    Virus/Spyware Logs on the CPM Client
    Debug Logs
    Components Installation Debug Logs (CPM Server)
    Components Installation Debug Logs (CPM Client)
    CPM Clients
  Pattern Updates
    General
    Automate Updates
    Proxy Servers
    Additional Information
    Client-Side Logging (ActiveUpdate)
    Additional Files
  Firewall Troubleshooting
    General
    Client is not Connecting to the ESP Server or Relays
Chapter 11: Contacting Trend Micro
  Technical Support
  Contact Information
  Speeding Up Your Support Call
  Sending Suspicious Files to Trend Micro
  Documentation Feedback
  The Trend Micro Knowledge Base
  Trend
[FIGURE 7-9: exception rule port settings; the Specific port(s) field takes comma-separated port numbers]

Exception rules created within a policy apply only to that policy. If the rule is later modified, the change does not take effect on the targeted endpoints until the policy has been re-deployed.

• Ports: ports 0-1023 are well-known ports, 1024-49151 are registered ports, and those above 49151 are dynamic or private ports.
• All ports: includes ports 1 through 65535.
• Range: create multiple parallel exception rules to cover several different ranges.
• Specified port(s): do not use zero or invalid input such as non-whole numbers.

Uninstalling the Common Firewall
If you decide not to use the firewall, there is no application to remove and nothing gets uninstalled. Instead, you create a policy with the firewall disabled and deploy it in a Task. In addition, you can remove the CPM firewall site from the ESP Console. Both procedures are provided in the sections that follow.

Disabling the Firewall from Endpoints
You can disable the CPM firewall by deploying a policy with a disabled firewall status to your endpoints. When you deploy a disabled firewall, that policy overrides any existing policy already in effect on the clients. Only one policy with the firewall disabled can be included in any Task.

To disable the firewall
1. In the ESP Console menu, click Common
To create a new Template by importing lists of blacklisted and whitelisted Web sites
1. Create two text files: one for the Web sites you want this template to block, and another for the Web sites to which you want to give your users unrestricted access.
   Note: If you do not want to include a Whitelist in the template, you can skip this part of the process. Web Reputation allows you to create Blacklist-Whitelist Templates with both list types (a blacklist and a whitelist), only a blacklist, or only a whitelist.
   Press Enter (or place a newline code) at the end of each line to separate each entry. You must have http:// before each URL entry. To block all the pages for a site, enter the domain name followed by /*, for example http://www.badURL.com/*.
2. Click Configuration > Web Reputation Blacklist-Whitelist > Web Reputation Blacklist-Whitelist Task to open the Web Reputation Blacklist-Whitelist Wizard.
3. Click the Add Template button (or Edit). The Blacklist-Whitelist Templates: Add Template window opens.
4. Click Bulk Import Sites from external file. The Import Sites from External File window appears.
5. Select the text file you wish to import by clicking Browse next to the Select Import File field. The Open window appears.
6. Use the Open window to navigate to the location where you have stored the text file. Select the file and click Open.
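The import-file rules above (one entry per line, http:// required, a trailing /* after the domain to cover the whole site) are easy to get wrong in a hand-built list, and a single non-http line is rejected by the wizard. The script below is an added example, not code from the guide or from Trend Micro: it validates a list file before import and shows how a /* entry and an exact entry match a URL. The guide does not describe CPM's own matching or whether whitelist or blacklist wins when both match, so the prefix/exact matching and the whitelist-first precedence here are this example's assumptions, and the two list files are constructed samples.

```python
"""Validate Web Reputation blacklist/whitelist import files and match URLs.

Added example, not Trend Micro's code. It follows the file format the guide
describes: one entry per line, each entry must begin with http://, and a
domain followed by /* covers every page on that site. How CPM itself matches
entries is not described in the guide; the matching below (a /* entry is a
prefix match on scheme, host and path, any other entry is an exact match)
and the whitelist-wins precedence are this example's assumptions. The two
list files are constructed samples.
"""
from urllib.parse import urlsplit

BLACKLIST_TEXT = """http://www.badURL.com/*
http://phish.example.net/login
ftp://not-allowed.example.org/
"""
WHITELIST_TEXT = """http://intranet.example.com/*
http://www.badURL.com/press/*
"""


def parse_list(text):
    """Return (entries, rejected) for an import file: entries are separated
    by newlines, blank lines are skipped, and any entry that does not start
    with http:// is rejected with its line number, as the guide requires."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.lower().startswith("http://"):
            rejected.append((lineno, line))
        else:
            entries.append(line)
    return entries, rejected


def _normalize(url):
    """Lower-case scheme and host (the case-insensitive parts); keep the
    path and query as given, with a bare host treated as path '/'."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def matches(url, entry):
    """True if the entry covers the URL.

    'http://host/*' covers every page under host: the prefix keeps the '/'
    after the host, so http://www.badurl.com.evil.net/ is not matched by
    http://www.badURL.com/*. Any other entry must match the URL exactly.
    """
    target = _normalize(url)
    if entry.endswith("/*"):
        return target.startswith(_normalize(entry[:-1]))
    return target == _normalize(entry)


def classify(url, blacklist, whitelist):
    """'allow' if a whitelist entry matches, else 'block' if a blacklist
    entry matches, else 'no match'. Whitelist precedence is an assumption."""
    if any(matches(url, e) for e in whitelist):
        return "allow"
    if any(matches(url, e) for e in blacklist):
        return "block"
    return "no match"


if __name__ == "__main__":
    blacklist, rejected = parse_list(BLACKLIST_TEXT)
    whitelist, _ = parse_list(WHITELIST_TEXT)
    print("rejected lines:", rejected)     # the ftp:// entry on line 3
    for url in ("http://www.badURL.com/index.html",
                "http://www.badURL.com/press/2009",
                "http://www.badurl.com.evil.net/",
                "http://phish.example.net/login"):
        print(url, "->", classify(url, blacklist, whitelist))
```

Run it over each list file before step 5 and fix every rejected line; the entry that reads http://www.badURL.com/* blocks the whole site, while an entry without /* only ever matches that one URL.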
[FIGURE 7-3: exception rule editor showing Action (Allow), Direction (Inbound, Outbound, Bidirectional), Protocol (TCP) and Ports (All ports; Range Min-Max; Specific port(s), comma-separated)]

You can add or remove rules from the Global Exception Rules list. Global Exception Rules are not altered by editing a rule from within a policy. Add or edit rules in the Global Exception list to have the change available for all new policies; global exception rules already attached to a policy will not change even if they are edited in the rule list.

One other point to keep in mind is that global exception rules have a pre-defined action, either Allow or Deny. Be sure this action agrees with the fundamental construct of your policy. For example, if you set the policy Security Level to Low (that is, allow traffic to and from all ports), you need to change any exception rules imported from the global list to Deny traffic for your exception ports, because an Allow exception under an allow-all policy changes nothing. See Global Exception Rules on page 7-14 for configuration details.

Create and Deploy a Firewall Policy
The procedure below is for creating a single firewall policy that will be applied to all endpoints. You can use these same instructions to create multiple policies and target them to different endpoints. The difference lies in which policies you enable in the Policy List when creating a Task and the computers
[FIGURE 5-5: ActiveUpdate Server Settings Wizard. Source: Trend Micro's ActiveUpdate Server; Other Update Source (URL); Intranet location containing a copy of the current file. Use a proxy server for pattern and engine updates. Log Rolling Frequency (1-90; 10 shown). Number of Updates to Keep on Server (1-100; 15 shown). Caption: Choose the location you will receive pattern updates from.]

Other Update Source (seldom used): the default location is http://cpm15-p.activeupdate.trendmicro.com/activeupdate (http://cpm-p.activeupdate.trendmicro.com/activeupdate for version 1.0).

Intranet location containing a copy of the current file: if you want to use an intranet source for obtaining the latest pattern file update, specify that l
5. Below Actions, click the here hyperlink to open the Take Action window.

[FIGURE 2-6: Use the Enable Automatic Updates - Server task]
Core Protection Module - Enable Automatic Updates - Server
Description: Take the first action below to enable automatic updates on the Core Protection Module server. After running this action, when new patterns are downloaded by the CPM server they will be made available for application by endpoints that have also been configured for automatic updates.
Important Note: Enabling automatic updates on the CPM Server additionally requires manual download and execution of the CPMAutoUpdateSetup script. Please use the link below to download the setup script to the CPM Server. Instructions for running the automatic update setup script can be found
Important Note: Please validate file integrity with the following information:
  Filename: CPMAutoUpdateSetup_1.6.vbs
  SHA1: 1C97D104FDED722D2ADD2C14C08C3B0FE1EDA947
Actions: Click to enable automatic updates on the server; Automatic Updates Setup Script (download).

6. Leave the default settings in the Take Action dialog.
7. Select the ESP server and click OK.
8. When prompted, type your private key credential. The Action Summary tab appears. Check the Status after a few minutes to confirm that the Action is Fixed. You do not have to wait for the task to complete before continuing.
9. Close the open windows to return to t
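The task asks you to validate the setup script's integrity against the SHA1 it prints before you run the script on the ESP server. The snippet below is an added example, not code from the guide or from Trend Micro, showing that check done properly: it first confirms the value you copied is a real 40-character hex digest (the extracted task text shows the letter O where only a zero can appear, and such a value can never match any file), then compares the file's SHA1 to it with a constant-time comparison. PUBLISHED_SHA1 is the digest from the task description with the O characters read as zeros; the file written by sample_file() is a constructed stand-in for the download, not the real script.

```python
"""Check the SHA1 of the downloaded setup script against the value shown in
the Enable Automatic Updates - Server task before running it.

Added example, not Trend Micro's code. PUBLISHED_SHA1 is the digest printed
in the task description for CPMAutoUpdateSetup_1.6.vbs (hex, so an 'O' in
a copied value is a zero); the file written by sample_file() is a
constructed stand-in, not the real script.
"""
import hashlib
import hmac
import os
import tempfile

PUBLISHED_SHA1 = "1C97D104FDED722D2ADD2C14C08C3B0FE1EDA947"
HEX = set("0123456789abcdefABCDEF")


def is_sha1_hex(digest):
    """A SHA1 digest is exactly 40 hex characters. A copied value with the
    letter O in place of a zero, for instance, is not and can never match."""
    return len(digest) == 40 and all(c in HEX for c in digest)


def sha1_of_file(path, chunk=1 << 16):
    """Hex SHA1 of a file, read in chunks so a large download is not loaded whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_download(path, expected):
    """True only if the file's SHA1 equals the published digest.

    The published value is validated first so that a mistyped or OCR-damaged
    digest fails loudly instead of silently never matching any file.
    """
    if not is_sha1_hex(expected):
        raise ValueError(f"published digest is not a SHA1 hex string: {expected!r}")
    return hmac.compare_digest(sha1_of_file(path).lower(), expected.lower())


def sample_file(content=b"abc"):
    """Write constructed content to a temp file and return its path.
    SHA1 of b'abc' is the standard test vector a9993e36...d89d."""
    fd, path = tempfile.mkstemp(suffix=".vbs")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    path = sample_file()
    try:
        known = "a9993e364706816aba3e25717850c26c9cd0d89d"
        print("sample matches its known digest:", verify_download(path, known))
        print("sample matches published digest:", verify_download(path, PUBLISHED_SHA1))
    finally:
        os.remove(path)
```

Point verify_download at the downloaded CPMAutoUpdateSetup_1.6.vbs with PUBLISHED_SHA1; a False result means the file is not the one the task description vouches for and should not be executed.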
[FIGURE 8-3: Create location-specific configurations. Reserved Disk Space Settings: Reserve 60 MB of disk space for updates. Client Console Settings: Enable system tray icon; Enable manual scan shortcut in Windows Explorer context menu.]

3. Click the Create Global Scan Settings Configure Task button. The Edit Task window opens.
4. Type a descriptive or memorable name for the Task, such as Skip 2MB.
5. Click OK to close the windows and, when prompted, type your private key password and click OK to create the new global policy.
6. The new policy now appears in the Configuration > Global Settings dashboard.

B. To create the second configuration and Task
1. From the CPM Dashboard, click Configuration > Global Settings > New Global Settings Task. The Global Scan Settings Wizard screen opens.
6. Remove the check from Configure scan settings for large compressed files.
7. Click the Create Global Scan Settings Configure Task button. The Edit Task window opens.
8. Type a descriptive or memorable name for the Task, such as Scan BIG.
9. Click OK to close the windows and, when prompted, type your private key password and click OK to create the new global policy.
10. The new policy now appears in the Configuration > Gl
BigFix Client Logs
  %ProgramFiles%\BigFix Enterprise\BES Client\__BESData\__Global\Logs
TrendMirrorScript logs
  C:\Program Files\BigFix Enterprise\TrendMirrorScript\logs
CPM Agent Logs
  %ProgramFiles%\Trend Micro\Core Protection Module\Bin\AU_Log\TmuDump.txt
CPM AU Server Logs
  %ProgramFiles%\Trend Micro\Core Protection Module Server\bin\AU_Data\AU_Log\TmuDump.txt

Components Installation Debug Logs (CPM Server)
Get and use the following logs to help understand CPM server installation issues. Directory: %WINDOWS%
  • CPMInstallResult.log
  • CPMsrvInstall.log
  • ClnExtor.log
  • CPMsrvISSetup.log

Components Installation Debug Logs (CPM Client)
Get and use the following logs to help understand CPM client installation issues. Directory: %WINDOWS%
  • ClnExtor.log
  • CPMInstall.log *
  • CPMInstallResult.log *
  • CPMISSetup.log *
  • ofcdebug.log
  • OFCNT.log
  • setupapi.log
  • OFCISSetup.log
Log file names followed by an asterisk also serve as CPM Client upgrade debug logs. All log files can be collected by CDT.

CPM Clients
To enable debugging on the CPM clients
1. Create the following directory: c:\logserver
2. Change to this directory and then create a text file with the name and content shown below.
   File name: ofcdebug.ini
   [debug]
   Debuglog=c:\logserver\ofcdebug.log
   Debuglevel=9
   Debuglevel_new=D
Click the Remove Site button and then OK.

CPM Client Management
The steps below are for experienced ESP administrators who just need a list for tasks involving the CPM clients. Procedures include:
• To display the CPM icon on endpoints (page A-6)
• To view CPM hidden client statistics for a given endpoint (page A-6)
• To decrypt quarantined files (page A-6)
• To deploy CPM clients (page A-6)
• To remove CPM clients (page A-7)
• To enable the Client Console (page A-7)
• To enable notifications on the client (page A-7)

To display the CPM icon on endpoints
• In the CPM Dashboard, click Tasks > Enable Client Dashboard. The Task Description opens.

To view CPM hidden client statistics for a given endpoint
• From the endpoint you want to check, press Ctrl+Alt+Shift+T.

To decrypt quarantined files
WARNING: Decrypting an infected file may spread the virus/malware to other files. Trend Micro recommends isolating the computer with infected files by unplugging it from the network, and moving important files to a backup location first.
When you decrypt or encrypt a file, CPM creates the decrypted or encrypted file in the same folder. For example, type VSEncode /d /debug to decrypt files in the Suspect folder and create a debug log.
Required files:
• Main file: VSEncode.exe
• Required DLL files: Vsapi32.dll
Run: Restore Encrypted Vi
  Activate CPM Analyses
  Removing CPM Server Components
  Removing the Core Protection Module Site
CPM Clients: Installing and Updating
  About CPM Client Deployment
  CPM Console and Client System Requirements
  Compatibility with Trend Micro OfficeScan
  Incompatible or Conflicting Programs
  Overview of Deployment Steps
  Assess Endpoint Readiness
  Remove Conflicting Products
  Deploy CPM Clients to the Endpoints
  Pattern File and Engine Updates
  Pattern Rollbacks
  Incremental Updates
  Updates from the Cloud
  Procedure Overviews
  Update Pattern Files on the CPM Client
  Show the CPM Icon on Endpoints
  Removing CPM Clients
  System Requirements
  Conflicting or Incompatible Programs
  Spyware, Virus and Malware Programs
  Trend Micro Software Programs Incompatible with CPM on the ESP Server
Chapter 4: Configuring and Managing CPM
  Using the CPM Dashboard and Menu
  Tips for Navigating the CPM Console
  How CPM Task Flows Work
  Configure Global Settings
  The Global Settings Analys
[Screenshot: ESP Console action history. Listed actions include Core Protection Module - Set ActiveUpdate Server Pattern Update Interval, Apply Automatic Updates, Enable Automatic Updates (Endpoint) and Endpoint Deploy, each issued by admin as a Single Action; the Sites pane shows the external sites BES Support, Trend Micro Common Firewall QA, Trend Micro Core Protection Module and Trend Reporting QA as subscribed.]
CPM will encrypt the original file and make an encrypted copy on the client computer before it attempts to clean the file. For instructions on decrypting backup copies, see To decrypt quarantined files on page A-6.

Display a notification message on the client computer when virus/malware is detected: enabling this option allows CPM to display a notification message for end users to see when a virus or malware has been detected on their client machine.

Spyware/Grayware Action
CPM performs the specified action for all types of spyware/grayware. Because spyware/grayware does not infect files, there are only three possible actions:
• Clean (Recommended): CPM terminates processes or deletes registry entries, files, cookies and shortcuts.
• Pass (On-Demand scans only): CPM takes no action on the detected spyware/grayware but records the detection in the logs.
• Deny Access (Real-Time scans only): CPM leaves the file in its original location but prevents non-Administrator users from opening, deleting, copying or moving the file.

Display a notification message on the client computer when spyware/grayware is detected: enabling this option allows CPM to display a notification message for end users to see when spyware or grayware has been detected on their client machine.

Spyware White List Wizard
CPM classifies applications as spyware or grayware based on their function and/or on the basis of code analysis. The Spyware Whitelist allows you to prevent CPM f
Close the open windows to return to the Dashboard view.

To schedule and apply automatic pattern file updates
1. In the CPM Dashboard, click Updates > Automatic Update Tasks > Apply Automatic Updates. The Task Description tab opens.
2. Below Actions, click the hyperlink to execute the Action. The Take Action window opens.
3. On the Target tab, choose All computers with the property values selected in the tree list below, and then select All Computers.
   Note: It is important to target All Computers for this action; only endpoints with the CPM client installed and with automatic updates enabled will be relevant.
4. Click the Execution tab to display scheduling options, as shown below.

[Screenshot: Take Action window for Core Protection Module - Set ActiveUpdate Server Pattern Update Interval, Execution tab. Options shown: Starts on (date and time, client local time); Ends on (client local time); Run between (client local time); Run only on; Run only when; On failure, retry 99 times, wait 1 hour; Wait until computer has rebooted; Reapply this action while relevant, waiting between reapplications; Limit to 3 reapplications; Distribute over N minutes.]
Reference Tables (continued)
COMPONENT | DESCRIPTION
... | File used for real-time spyware/grayware scanning.
Spyware Scan Engine | The engine that scans for and takes appropriate action on spyware/grayware; supports 32-bit and 64-bit platforms.
Firewall
Common Firewall Pattern | Required for the optional CPM firewall, available in CPM 1.6 (not found in CPM 1.0).
Damage Cleanup Services
Virus Cleanup Template | Used by the Virus Cleanup Engine; this template helps identify Trojan files and processes so the engine can eliminate them.
Virus Cleanup Engine | The engine Damage Cleanup Services uses to scan for and remove Trojans and Trojan processes; supports 32-bit and 64-bit platforms.
Common component
Anti-rootkit Driver | A kernel-mode driver used by the Spyware Scan Engine that provides functionality to bypass any potential redirection by rootkits; supports 32-bit platforms.

Scan Action Results for Compressed Files
STATUS OF "CLEAN/DELETE INFECTED FILES IN COMPRESSED FILES" | CPM ACTION | COMPRESSED FILE FORMAT | RESULT
Enabled | Clean or Delete | Not supported. Example: def.rar contains an infected file, 123.doc | CPM encrypts def.rar but does not clean, delete, or perform any other action on 123.doc.
Disabled | Clean or Delete | Supported / Not supported. Example: abc.zip | CPM does not clean, delete, or perform any other action on b
choose the desired format from the drop-down box in the upper-right corner of the analysis in the Results tab.
7. To deactivate the analysis, return to the click here link in the Action window.

Chapter 7: Install and Manage the Client Firewall
Trend Micro Core Protection Module provides an optional, policy-based CPM firewall that allows you to enable client-level firewall protection. Topics in this chapter include:
• About the CPM Firewall and Policies (page 7-2)
• Add the Firewall Masthead to the ESP Server (page 7-2)
• Remove Conflicting Firewalls (page 7-4)
• Creating Firewall Policies (page 7-4)
• Create and Deploy Smart Policies (Example) (page 7-10)
• Global Exception Rules (page 7-14)
• Firewall Policy Settings Wizard (page 7-15)
• Firewall Policy Configuration (page 7-17)

About the CPM Firewall and Policies
The CPM firewall is optionally available with the Trend Micro Core Protection Module and allows you to enable client-level firewall protection. It is policy-based and provides bi-directional port control to all or selected endpoints. You can also apply policies selectively and automatically in real time according to the user's current IP address. For example, you can have one policy for in-office network connections and another for unsecured connections such as in an ai
[Screenshot: the CPM Health Monitor]

• The ESP Server offers a collection of interacting services, including application services, a Web server and a database server, which together form the heart of ESP. The ESP Server coordinates the flow of information to and from individual computers and stores the results in the ESP database. ESP Servers also include a built-in Web reporting module. ESP version 7.2 and later support the deployment of multiple servers to ease administrative burdens.
• The ESP Agent is installed on every client computer ESP manages. The ESP Agent, along with the ESP Server and Console, is responsible for deploying, communicating with and uninstalling all CPM components. The ESP Agent relays the instructions you enter in the ESP Console to all CPM components. It also relays the findings and results of scans and
different clients with different patterns, although it is typical to update all patterns.

Running the CPM Automatic Update Setup Script
Before you can download updates from the Trend Micro ActiveUpdate servers and then distribute them to endpoints, you must first run a Visual Basic script that creates a custom site and a user that has privileges to propagate files to that site.

To run the CPM automatic update setup Visual Basic script
1. Log on to the Windows server running ESP.
2. Download the CPM Automatic Update Setup script from the URL below and save it to the desktop:
   http://software.bigfix.com/download/bes/cpm/CPMAutoUpdateSetup_1.5.vbs
3. Double-click the name of the script to start it. The script prompts you to create a new user account in ESP:
   a. Unless you have a good reason to change it, leave CPM Admin Username set to cpm_admin.
   b. Enter a password for CPM Admin Password. The default value, trendmicro, appears in this guide and should not be kept: this account can propagate files to the site from which endpoints receive their updates, so choose a strong password of your own.
   c. Enter any email address for CPM Admin Email Address. ESP only uses this address to generate a public key certificate for the user; it does not send alerts or email to this address.
   d. Browse to the location of the license.pvk file for your ESP server. This file is usually in C:\Documents and Settings\<Windows login>\My Documents\BESCredentials, where <Windows login> is the account you used to log in with
Chapter 11: Contacting Trend Micro
This appendix provides information to optimize the Trend Micro Core Protection Module (CPM) performance and get further assistance with any technical support questions you might have. Topics in this chapter include:
• Technical Support (page 11-2)
• Contact Information (page 11-2)
• Sending Suspicious Files to Trend Micro (page 11-3)
• Documentation Feedback (page 11-3)
• The Trend Micro Knowledge Base (page 11-3)
• TrendLabs (page 11-4)
• Security Information Center (page 11-4)
• Security Risks (page 11-4)

Technical Support
Trend Micro provides technical support, pattern downloads and program updates for one year to all registered users, after which you must purchase renewal maintenance. If you need help or just have a question, please feel free to contact us. We also welcome your comments.
Worldwide support offices: http://www.trendmicro.com/support
Trend Micro product documentation: http://www.trendmicro.com/download

Contact Information
In the United States, you can reach the Trend Micro representatives through phone, fax or email:
Trend Micro, Inc.
10101 North De Anza Blvd., Cupertino, CA 95014
Toll free: 1-800-228-5651 (sales)
Voice: 1-408-257-1500 (main)
Fax: 1-408-257-2003
Web address: www.trendmicro.com
Email: support@trendmicro.com

Speeding Up Your Support Call
When you contact Trend Micro, to speed up y
[FIGURE 5-3: Scan Action tab. Virus/Malware Action: Packer: Quarantine; Others: Clean, then Quarantine; Back up files before cleaning; Display a notification message on the client computer when virus/malware is detected. Spyware/Grayware Action: Clean (CPM will terminate processes or delete registries, files, cookies and shortcuts); Pass (CPM will log the spyware/grayware detection for assessment); Display a notification message on the client computer when spyware/grayware is detected.]

Trend Micro recommends that you use ActiveAction if you are not sure which scan action is suitable for each type of virus/malware.
• Use the same action for all virus/malware types: if the first action fails, CPM will automatically take the second action. For example, say the first action is Clean and the second is Quarantine. If CPM detects a virus but the code cannot be removed (that is, the file cannot be cleaned), the file will be quarantined. See Available Virus/Malware Scan Actions starting on page B-3 for more information.
• Use a specific action for each virus/malware type: choose this option and specify a 1st action and a 2nd action for each threat type. See Available Virus/Malware Scan Actions starting on page B-3 for more information.

Back up files before cleaning
[Screenshot: Pattern Updates Wizard listing the available pattern updates (Spyware Active-monitoring Pattern, Virus Pattern, IntelliTrap Pattern, IntelliTrap Exception Pattern, Virus Scan Engine x86 and x64, Spyware Pattern, Spyware Scan Engine x86 and x64) with Deploy, Rollback and Pattern Update Settings controls, above an action list of Set ActiveUpdate Server Pattern Update Interval and Configure Active Update actions.]
[FIGURE 2-1: Add CPM sites to make them available in the ESP console. The Sites pane lists the external sites Trend Micro Common Firewall QA, Trend Micro Core Protection Module and Trend Reporting QA as subscribed.]

5. When prompted, type your private key password and click OK. The ESP Server will begin gathering the files and content associated with the masthead(s) you added and install them on the server.

Install and Update CPM on the ESP Server
After adding the CPM Site(s) to the ESP Console, you need to install the CPM server components on the ESP Server, update the CPM pattern files, and then prepare and deploy CPM clients to your endpoi
Firewall Settings > New Policy Task. The Firewall Policy Settings Wizard appears.
2. Click the Add button and, in the window that appears, give the policy a name such as Disable Firewall.
3. Clear the check from the Firewall Enabled check box.
4. Click Save. The Firewall Policy List becomes active. Select the policy you just created in the Policy List and clear the check from any other policies if necessary.
5. Click the Create Firewall Policy Task button at the top of the screen. The Policy Deployment Description appears.
6. Accept the defaults and click OK. When prompted, type your private key password and click OK. The Task Description window appears.
7. Below Actions, click the hyperlink to open the Take Action window.
8. In the Target tab that opens, click Applicable Computers, or whichever option will include all endpoints with the firewall installed.
9. Click OK and, when prompted, type your private key password and click OK.
10. In the Action Summary window that opens, check the Status and Count after a few minutes to confirm that the Action is Running and then Completed.
11. Close any open windows to return to the Dashboard view.

Removing the Firewall Site
Remove the Common Firewall site from the ESP Console by deleting the masthead from the list of managed sites.

To remove the firewall masthead
1. In the ESP Console menu, click Tools > Manage Site
Scan Settings Configuration Task button. The Edit Task window opens.
4. Above the Description tab, name the Task and then click OK to accept the default Actions and Relevance. By default, the Task will be relevant to any CPM clients that do not already have the Global Setting parameters set in their registry.
5. Click OK to save the Task.

To deploy the Global Settings to CPM clients
1. Deploy the Global Settings by clicking Configuration > Global Settings > <scan name> in the CPM Dashboard.
2. In the window that opens, under Actions, click the link to initiate the scan.
3. In the Take Action window that opens, click OK to deploy the configuration to all relevant CPM clients (by default, all CPM clients).
4. Check the Action History tab to see which CPM clients received the update or, if you are using multiple Tasks to deploy different sets of Global Settings, which settings are in effect for a given endpoint.

The Global Settings Analysis
When the CPM client is installed, it includes a default configuration for Global Settings. If you have changed any of these settings and updated your clients, you will need to explicitly deploy these updates to any new computers as they are added to the network, unless you select Target by property (recommended) rather than by computer. You can check which configuration is in place using the Global Settings Analysis.

To enable the Global Settings Analysis
1. In the CPM Dashboard, click Analy
Service Pack 1 or later
- Windows Server 2008 R2 Standard, Enterprise, Datacenter and Web Editions
- CPM supports client installation on guest Windows 2008 operating systems hosted on the following virtualization applications:
  - Microsoft Virtual Server 2005 R2 with Service Pack 1
  - VMware ESX/ESXi Server 3.0 or 3.5 (Server Edition)
  - VMware Server 1.0.3 or later (Server Edition)
  - VMware Workstation and Workstation ACE Edition 6.0
  - Microsoft Windows Server 2008 (64-bit) Hyper-V environment
Note: CPM cannot be installed if Windows 2008 runs in the Server Core environment.

TABLE 3-6. Windows 2008 / Windows 2008 R2 (64-bit version) (Continued)
RESOURCE: REQUIREMENT
Hardware, Processor: Minimum 1.4GHz Intel Pentium or equivalent (2GHz recommended); AMD64 and Intel 64 processor architectures
Hardware, RAM: 1GB recommended
Hardware, Available disk space: 700MB recommended
Others: Monitor that supports 800 x 600 resolution at 256 colors

TABLE 3-7. Windows 7 (32-bit version)
RESOURCE: REQUIREMENT
Operating system (Note: Windows 7 requires ESP agent 7.2.5 or later):
- Windows 7 build 7600.16385: Starter, Home Basic, Home Premium, Ultimate, Professional, Enterprise
- CPM also supports XP mode running in Windows 7
- CPM supports client installation on guest Windows 7 operating systems hosted on the
Task window opens. Modify the default name in the Name field so that it clearly defines the purpose of this custom Task. Edit the Description and the Relevance tabs if necessary to reflect your goals.
Click OK and then enter your private key password when prompted. The Task Description window opens and the Task is added below New Spyware White List Task in the CPM Dashboard.
Below Actions, click the hyperlink to open the Take Action window.
In the Target tab, click All computers with the property values selected in the tree list below and then choose a property that will include all the computers you want to deploy this Action to.
- Execution: Set the deployment time and retry behavior, if any.
- Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur).
- Messages: Configure these options to passively notify the user that the install is going to occur, to obtain consent, or to ask users to stop using their computer while the install occurs.
When finished identifying the computers you want to include in the exception, click OK and, when prompted, type your private key password and click OK.
In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is Running and then Completed.
Close any open windows to return to the Dashboard view.
Res
The path to the selected file appears in the Select Import File field.
Choose Blacklist or Whitelist from the List Type.
Click the Add Sites from File button.
Click Yes to import the file. If you click No, to import the list you must re-launch the Wizard and perform the import process again. After you click Yes, the Blacklist/Whitelist Wizard displays the contents of the tab associated with the file.
Click Finish to end the import process and start generating the relevant Custom Action.
Note: To see the process required to finish generating your Custom Action and deploying the template, start at Step 7 in the Creating and Deploying a New Template section.

Viewing an Existing Template
To view an existing Blacklist/Whitelist template:
1. Click Configuration > Web Reputation Blacklist/Whitelist > New Web Reputation Blacklist/Whitelist Task to open the Web Reputation Blacklist/Whitelist Wizard.
2. Click the name of the Blacklist/Whitelist template you want to examine. The Blacklist/Whitelist Templates - Add Template window appears.

Copying and Editing a Template
Web Reputation enables you to create copies of existing Blacklist/Whitelist templates. Use this feature to create copies of existing templates or to create slightly modified versions of existing templates.
To create a copy of an existing Blacklist/Whitelist template:
1. Click Con
(Figure residue: the Global Exception Rules list in the ESP Console, showing each default rule's name, Allow action, protocol, port and direction.)
FIGURE 7-6. Global Exception Rules are available in new policies.
Once attached to a policy, the rule will not change within that policy. New rules, and those modified in the Global Exception Rules list, are available to all new policies. However, if from within a policy you modify a rule imported from the Global Exception Rules list, that modification will not be applied to the global rule. Likewise, if you modify a rule in the global list, any version of that rule that has been saved in an individual policy will not change.
To add or change global exception rules:
1. In the ESP Console menu, click Common Firewall Settings > Global Exception Rules.
- Click a Rule
You can choose the pattern/engine files you want to update.
2. In the list of components that appears, select the pattern types that you want to allow updates for whenever pattern updates are applied. By default, all pattern files are selected.
3. Click the Create Update Settings Task button in the upper right corner. The Edit Task window opens.
4. Modify the default name in the Name field so that it clearly defines the purpose of this custom Task. Edit the Description and the Relevance tabs if necessary to reflect your goals.
Click OK and then enter your private key password when prompted. The Task Description window opens and the Task is added below Pattern Update Settings in the CPM Dashboard.
Below Actions, click the hyperlink to open the Take Action window.
In the Target tab, click All computers with the property values selected in the tree list below and then choose a property that will include all the computers you want to deploy this Action to.
- Execution: Set the deployment time and retry behavior, if any.
- Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur).
- Messages: Configure these options to passively notify the user that the install is going to occur, to obtain consent, or to ask users to stop using their computer while the install occurs.
9. When finished ident
a location that does not allow it to be cleaned, or is a Trojan or worm. See scan results for details.
Delete: Delete the virus/malware file.
Rename: Click to change the extension of the file to VIR (or to VI0, VI1 and so on if there is more than one) to prevent yourself or other users from opening it accidentally.

Viewing Scan Results
To view the scan results:
1. Perform a Manual Scan as described in Initiating a Manual Scan from the System Tray Icon on page 9-5.
2. Click the Manual Scan Results tab. Summary details display at the top of the screen. See Figure 9-3.
3. If the CPM configured the scan action to Pass, select a detected virus/malware and click Clean, Delete or Rename. See details in Table 9-2.

Testing the CPM Client Console
After enabling the CPM console, your administrator may test it to verify that antivirus protection works. EICAR, the European Institute for Computer Antivirus Research, developed a test script as a safe way to confirm proper installation and configuration of antivirus software. Visit the EICAR Web site for more information at http://www.eicar.org. The EICAR test script is an inert text file with a .com extension. It is not a virus and does not contain any fragments of viral code, but most antivirus software reacts to it as if it were a virus.
WARNING: Never use real viruses to test your antivirus installation. Co
(Figure residue: the Take Action window for the Web Reputation proxy Task, with a field into which the encrypted proxy password is pasted. Usage note from the figure: the TMCPMEncrypt.exe command line tool provides the option to generate an encrypted string.)
FIGURE 6-2. Paste the password you encrypted for the proxy server.
4. The Take Action window opens. In the Target tab, a list of endpoints that are running the CPM client appears.
5. Select all applicable computers (those that are running WR) and then click OK.
6. When prompted, type your private key password and click OK.
7. In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is Running and then Completed.
8. Close any open windows to return to the Dashboard view.

Web Reputation Security Levels
After enabling WR on your endpoints, you can raise the security level to Medium or High (the default is Low) to increase the degree of sensitivity that WR uses when evaluating URLs.

How Web Reputation Works
Whenever an end user tries to open an Internet site, the requested URL is scored at the proxy in real time, and that score is then evaluated against the security level. URLs with a score that exceeds the level you select will be prevented from opening. Note that this scoring is
can have CPM enforce different Web Reputation policies according to the client computer's location. The client's connection status with the ESP Server or any Relay Server can be used to determine the location of the client.
- Web Reputation opens a blocking page whenever access to a malicious site is detected. This page includes links to the Trend Micro Web Reputation Query system, where end users can find details about the blocked URL or send feedback to Trend Micro.
- Proxy server authentication for Web Reputation is also supported. You can specify a set of proxy authentication credentials on the Web console. HTTP proxy servers are supported.

Client-Side Firewall (Optional)
The CPM firewall protects clients and servers on the network using stateful inspection. You can create rules to filter connections by IP address, port number or protocol, and then apply the rules to different users and groups. Contact your Trend Micro sales representative if you do not have the Firewall masthead for CPM but are interested in using it.

Traffic Filtering
The CPM firewall can filter all incoming and outgoing traffic, providing the ability to block certain types of traffic based on the following criteria:
- Direction (inbound/outbound)
- Protocol (TCP/UDP)
- Destination ports
- Source and destination computers

Customizable Profiles and Policies
The CPM firewall gives you the ability
creating the first policy are provided below. Repeat steps 2 and 3, modifying as needed, to create the remaining three policies.
1. In the ESP Console menu, click Common Firewall Settings > New Policy Task. The Firewall Policy Settings Wizard appears.
2. Click the Add button and, in the window that appears, give the policy a name that will make its function clear when it appears in the Policy List, for example "No FTP over W-LAN in London". The Firewall Policy Configuration screen opens.
3. Configure the following (see Firewall Policy Configuration on page 7-17 for configuration details):
- Select Firewall Enabled.
- Select Security Level: High to block all traffic to all ports.
- Select Apply to A Range of IP Addresses and enter the IP address range for London: From 10.10.0.0 To 10.10.255.255.
- If in fact you have a location that includes multiple ranges, create a parallel firewall policy for each range (differentiate the name by adding a number).
- If you are using a subnet to represent the location, enter the subnet IP in both the From and To fields. Note: Subnet notations such as 172.16.0.0/16 and 172.16 are not supported.
- From the Exception Rules, enable FTP Data and FTP.
4. Click Save. The Firewall Policy List becomes active.

To create Tasks for the different locations
In this procedure you will create different Tasks and include in them diff
error codes encountered. If the status upon completion is not 5 or 6, an error occurred.

Install Status
0: Preparing Installation
1: Installing CPM Component
2: Upgrading CPM Component
3: Installing OSCE Component
4: Upgrading OSCE Component
5: Done
6: Done But Need Reboot
7: Installing BF AU Server Component
8: Upgrading BF AU Server Component

Error Codes
0: Succeed
Wrong Platform
Extracting Package Failed
Not Enough Disk Space
No Administrator Privilege
A Newer Version of Core Protection Module Exists
Need Reboot Before Install
Cannot Start Core Protection Module Service(s)
Cannot Stop Core Protection Module Service(s)
Wait Installation Time Out
Another Installer Is Running
Invalid Command Line Argument
Copy File Failed
Unknown Error
Configuration File Missed

Troubleshooting: Installing the CPM Server on a Non-default Drive
By default, the CPM component files will be installed to the local C: drive. However, you can download and import a custom Task to enable installation to a different location.
To download the Task:
http://esupport.trendmicro.com/Pages/Installing CPM module to a user defined drive.aspx
OR
http://esupport.trendmicro.com/sadmin/Lists/Solution%20Contribution%20Attachments/Attachments/70/Core%20Protection%20Module%20%20Endpoint%20Deploy%20%20Custom%20Install%20Path.bes
To import the Task:
1. In the ESP Console, click File > Import.
2. Look for the
in the bfsites directory: <Program Files>\BigFix Enterprise\BES Server\wwwrootbes\bfsites\CustomSite_FileOnlyCustomSite_CPMAutoUpdate_1
CPM client: After automatic updates have been enabled on the client, the CPM site will exist in the ESP subscribed sites directory: <Program Files>\BigFix Enterprise\BES Client\__BESData

Check for pattern updates on the CPM server
From the CPM Dashboard, click Pattern Updates > New Pattern Update Task to open the Endpoint Pattern Update Wizard.
- If there are no new updates, inspect the Task Core Protection Module - Check Server for Pattern Updates.
- If the Task was run but the updates are not working properly, check the Action or the BigFix Agent logs on the BigFix Server.
- Check the ESP Server to confirm whether pattern updates are being received as expected (wwwrootbes\cpm\patterns). Check the TrendMirrorScript.exe logs.
- Confirm that older pattern files are still located on the ESP Server (by default, a reserve of 15 patterns is retained).

Automatic Updates
1. Check on the ESP Server that the Task Core Protection Module - Check Server for Pattern Updates has been created and run. This task should be set to automatically reapply at a frequent interval (often this is hourly), and it should not be restricted in any way that would conflict with the action.
2. Check on the ESP Server that the Task Core Prote
malicious acts such as opening ports for hackers to enter. Traditional antivirus solutions can detect and remove viruses but not Trojans, especially those already running on the system.
- Virus: A program that replicates. To do so, the virus needs to attach itself to other program files and execute whenever the host program executes, including:
- Worm: A self-contained program (or set of programs) able to spread functional copies of itself or its segments to other computer systems, often through email.
- VBScript, JavaScript or HTML virus: A virus that resides on Web pages and is downloaded through a browser.
- ActiveX malicious code: Code that resides on Web pages that execute ActiveX controls.
- Java malicious code: Operating system-independent virus code written or embedded in Java.
- Macro virus: A virus encoded as an application macro and often included in a document.
- Test virus: An inert file that acts like a real virus and is detectable by virus-scanning software. Use test viruses such as the EICAR test script to verify that your antivirus installation scans properly.
- Packer: A compressed and/or encrypted Windows or Linux executable program, often a Trojan horse program. Compressing executables makes packers more difficult for antivirus products to detect.
- Others: Virus/Malware not categorized under any of the other virus/malware types.
- Boot sector virus: A virus that infects the boo
(Figure residue: the Take Action window listing scheduled "Run On-Demand Scan - Core Protection" actions.)
FIGURE 4-6. Schedule a complete On-Demand scan to occur weekly.
4. Select all the relevant computers and click OK. When prompted, type your private key password and click OK.
5. In the Action Summary window that opens, check the Status and Count after a few minutes to confirm that the Action is Running and then Completed.
6. Close any open windows to return to the Dashboard view.

Configure Client Updates from the Cloud
Receiving pattern updates from the cloud is not recommended as the default behavior. However, there are some cases, such as when an endpoint is not connected to the ESP Server or Relay, where you may want the endpoint to fail over to updates from the cloud. The most typical use case is to support roaming clients, for example those being taken off-site for travel.
Note: Perhaps the best method for updating roaming endpoints is to place an ESP Relay in your DMZ. This way, endpoints are able to maintain continuous connectivity with the ESP architecture and can receive their updates through this Relay just as they would if located inside the corporate network.
There are several reasons updating from the cloud is not recommended for daily use by all endpoints:
1. The Update from the cloud Task is not restr
To view the Client Information Analysis:
1. Click the Analyses tab. The List Panel changes to show all available analyses.
2. Click All Applicable Analyses.
3. Click the + sign and then click By Site.
4. Click Trend Micro CPM site. Two analyses are available: Web Reputation Client Information and Web Reputation Site Statistics.
5. Click the Web Reputation Client Information analyses link. The Web Reputation Client Information window appears.
6. To view the details about each property, click the Results tab.
7. You can view the analysis property results in either List or Summary format. To select a perspective, choose the desired format from the drop-down box in the upper right corner of the analysis in the Results tab.
8. To deactivate the analysis, return to the click here link in the Action window.

To view the Site Statistics Analysis:
1. Click the Analyses tab. The List Panel shows all available analyses.
2. Click All Applicable Analyses.
3. Click the + sign and then click By Site.
4. Click Web Reputation to see a list of both available analyses.
5. Click the Web Reputation Site Statistics analyses link. The Web Reputation Site Statistics window appears. The window displays information on the two Web Reputation properties you can view with the analysis:
- Blocked Web sites
- Visited Web sites
6. You can view the analysis property results in a list or in summary form. To select a perspective
several things to bear in mind with regards to rolling back a pattern update:
1. Part of the rollback process is to lock down endpoints to prevent any further pattern updates until the lock has been cleared. The lock serves as a safeguard against re-introducing whatever issue it was that triggered the need for a rollback. Once the issue has been resolved, either by changing something on the endpoints or by acquiring a different version of the pattern file, you will need to run the Clear Rollback Flag Task to re-enable updates.
2. If your clients are not all running the same version of the pattern file (that is, some have the current pattern and some have a much older version) and you perform a rollback to the previous version, those with the current version will be reverted to the previous version, while those with the older version will be updated to the version.
3. You can rollback all or selected pattern files. However, even if you only rollback one pattern file, you will still need to reset the rollback flag for all pattern files.

Reverting to a Previous Version of the Pattern File
To revert to a previous pattern file:
1. In the CPM Dashboard, click Updates > Update/Rollback Patterns > New Pattern Update/Rollback Task. The Pattern Updates Wizard opens.
(Figure residue: the Trend Micro Endpoint Security Platform Console, CPM Dashboard, with the menu bar File, Edit, View, Tools, Dashboards, Wizards, Window, Help, Debug.) Open Ac
tab, click All computers with the property values selected in the tree list below and then choose a property that will include all the computers you want to deploy this Action to.
Click OK and, when prompted, type your private key password and click OK.
In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is Running and then Completed.
Close any open windows to return to the Dashboard view.

Chapter 5: Configuration Wizards Reference
The CPM Dashboard includes Wizards to help you understand and organize scan-related configuration choices. It also provides a Health Monitor for quick reference. Use the On-Demand Scan Settings Wizard, for example, to define which files to scan, how to manage scan engine CPU usage, and designate the action to take whenever a threat is discovered. Individual scan configurations can also be saved as a Task, which is then available in the main Task List. Use the CPM Health Monitor, for example, to get a quick overview of endpoint statuses or as a troubleshooting aid.
Topics in this chapter include:
- The CPM Health Monitor on page 5-2
- Global Scan Settings Wizard on page 5-3
- On-Demand & Real-Time Scan Settings Wizards on page 5-5
- Spyware White List Wizard on page 5-11
- ActiveUpdate Server Settings Wizard on page 5-13

The CPM Health Monitor
The CPM Console provides rich repo
that opens, check the Status and Count after a few minutes to confirm that the Action is Running and then Completed.
5. Close any open windows to return to the Dashboard view.

Creating Firewall Policies
Configure firewall settings for your endpoints by creating one or more firewall policies in the Firewall Policy Settings Wizard. Next, create a Task to deploy the action. Structure the policy to Allow or Deny all inbound and outbound network connections by setting the Security Level. A security level of High creates a default behavior of Deny for all ports, while Low does the opposite. From there, you can add individual port exceptions and/or use any of the 30 pre-set exceptions for common ports (such as HTTP, FTP, SMTP) that are available as Global exception rules. Completed policies are available in the Policy List. You can select one or more policies from the list to include in a Task for deployment to the endpoints you specify.

Governing Logic
There are several sets of logic that affect policy targeting. When creating and deploying a firewall policy, the chronological order is:
- Create a policy
- Add it to a task
- Deploy it
The endpoint, which makes the final determination of relevance, is more or less autonomous. Irrespective of this chronology, however, is the determination of applicability. Whether or not a given policy is in fact applied to a given endpoint is de
then fine-tune the policy by adding port exceptions (these exceptions should, of course, be the inverse of the action set through the Security Level).

IP Address
Apply to All Possible IP Addresses: This is the correct choice for most firewall policies. "Possible IP addresses" refers to the limits inherited through the creation of the Task, Policy, Action and the endpoint's own relevance evaluation.
Apply to A Range of IP Addresses: This option is available for creating location-aware policies. Be sure to move these policies to the top of the Policy List to prevent the policy from being missed.

Exception Rules
All exception rules are policy-specific. Exceptions created within a policy are not available globally; add them in the Global Exceptions screen.
Add button: Opens a screen for creating a new exception rule that will be unique to the policy. Exceptions that you add will automatically be selected (that is, enabled) in the policy. Note that if you disable the exception and save the policy, the exception will be removed from the policy. See more information in Exception Rules Configuration on page 7-18.
Import Global Rules button: Repopulates the Exception Rules list with all exceptions from the Global Exception Rules list, including the defaults and any that you have added. This can be especially useful if you later re-open the policy and want to add additional exceptions tho
to configure policies to block or allow specified types of network traffic. This provides a highly customizable means of organizing and configuring client firewall settings.

Stateful Inspection
The CPM firewall is a stateful inspection firewall: it monitors all connections to the client and records all connection states. It can identify specific conditions in any connection, predict what actions should follow, and detect disruptions in normal connections. Filtering decisions, therefore, are based not only on profiles and policies but also on the context established by analyzing connections and filtering packets that pass through the firewall.

The Trend Micro Pattern Files and Scan Engine
All Trend Micro products, including CPM, can be configured to automatically check the Trend Micro ActiveUpdate (TMAU) server, then download and install updates when found. This process is typically configured to occur in the background, although you can manually update some or all of the pattern files at any time. In addition, pre-release patterns are available for manual download (at your own risk) in the event that a situation such as a virus outbreak occurs. Pre-release patterns have not undergone full testing but are available to stop burgeoning threats. You can manually download the virus pattern and other files from the URL provided below. At the same location, you can also check the current release versio
window opens.
5. Type a descriptive or memorable name for the Task, such as Enable Client Console.
6. Click OK to close the window and, when prompted, type your private key password and click OK to create the new global policy.
7. The new settings now appear in the Configuration > Global Settings Dashboard.

To enable notifications on the client
Use the On-Demand or Real-Time Scan Settings Wizards to display notifications on the client computer about virus/malware or spyware/grayware detections. See page 5-9 for details.
Note: If you are running Trend Micro ScanMail for Exchange, you can configure CPM to exclude Microsoft Exchange 2000/2003 directories from On-Demand and Real-time Scans. For Microsoft Exchange 2007, you need to manually add the directory to the scan exclusion list. For more information, see http://technet.microsoft.com/en-us/library/bb332342

Pattern File Management
The steps below are for experienced ESP administrators who just need a list for tasks involving the pattern files. Procedures include:
- To configure updates from the cloud, on page A-8
- To deploy selected pattern files, on page A-8
- To revert to a previous version of the pattern files, on page A-8
- To re-enable updates following a rollback, on page A-9
- To update pattern files on the CPM server, on page A-9
- To update pattern files on the CPM clients, on page A-9
- To configure update
you have selected. In the pop-up menu that appears, click Activate. When prompted, type your private key password and click OK to activate all the Analyses.

Removing CPM Server Components
Use the Remove Server Components Task to uninstall CPM server components from the ESP Server (seldom used).
To remove CPM server components:
1. From the main ESP Console menu, open the Tasks tab and then click All Tasks > By Site > Trend Core Protection Module.
2. Locate Core Protection Module - Remove Server Components in the list of Actions that appears and click it to open the Description.
3. Click the hyperlink under Action to open the Take Action screen.
4. Select the CPM server and click OK. When prompted, enter your password to initiate the removal.

Removing the Core Protection Module Site
Remove the Core Protection Module and/or Trend Reporting site from the ESP Console by deleting the mastheads from the list of managed sites.
To remove the CPM masthead:
1. In the ESP Console menu, click Tools > Manage Sites and select Trend Micro Core Protection Module.
2. Click the Remove Site button and then OK.
3. Enter your private key password and click OK to remove the CPM masthead.

Chapter 3: CPM Clients - Installing and Updating
There are any number of ways to handle the deployment of CPM clients to your endpoints, and you will need to decide on the one that works best f
you target with that Task. See Firewall Policy Configuration on page 7-17 for details.
To create a firewall policy:
1. In the ESP Console menu, click Common Firewall Settings > New Policy Task. The Firewall Policy Settings Wizard appears.
2. Click the Add button and, in the window that appears, give the policy a name that will make its function clear when it appears in the Policy List.
3. Configure the following:
- Firewall Enabled: This option must be selected for the policy to be on. In addition, the policy must be selected in the Policy List. Both conditions must apply for the policy to be used.
- Security Level:
  - Choose High to block all traffic to all ports and then use Exceptions to enable specific ports (inbound, outbound or both).
  - Choose Medium to block all inbound traffic to all ports but allow all outbound traffic to all ports; use Exceptions to alter specific ports. To achieve the opposite, choose High and create a single exception rule to Allow all inbound traffic for all ports, and enable this rule in the Exception Rules list.
  - Choose Low to allow all traffic to all ports and then use Exceptions to block specific ports (inbound, outbound or both).
- Apply to All Possible IP Addresses: Choose this option for most cases. An IP address is "possible" only if it is also included in the Task.
(Figure residue: the Firewall Policy Configuration screen, General section, with Save and Cancel buttons.)
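Added example, not Trend Micro code: a small Python model of the policy semantics described in this section and in the London smart-policy example (Security Level defaults, Allow/Deny exception rules by protocol, port and direction, and the From/To IP range check), with constructed sample policies. The top-down Policy List search, the unfiltered result when no policy applies, and the "Any"-protocol/all-ports rule shape are assumptions of the model, not statements of the guide.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional

# Model assumptions (not stated by the guide):
#   * the Policy List is searched top-down and the first enabled policy whose
#     IP range covers the endpoint is applied (why range-based policies belong
#     at the top of the list);
#   * an endpoint with no applicable policy is not filtered;
#   * port None means "all ports" and protocol "Any" means TCP or UDP, which is
#     how the guide's single "Allow all inbound traffic for all ports" rule is
#     expressed here.


@dataclass
class ExceptionRule:
    name: str
    action: str                        # "Allow" or "Deny"
    protocol: str = "Any"              # "TCP", "UDP" or "Any"
    port: Optional[int] = None         # None = all ports
    direction: str = "Bidirectional"   # "Inbound", "Outbound" or "Bidirectional"
    enabled: bool = True

    def matches(self, protocol: str, port: int, direction: str) -> bool:
        return (self.enabled
                and self.protocol in ("Any", protocol)
                and self.port in (None, port)
                and self.direction in ("Bidirectional", direction))


@dataclass
class FirewallPolicy:
    name: str
    security_level: str                # "High", "Medium" or "Low"
    enabled: bool = True               # the Firewall Enabled check box
    ip_from: Optional[str] = None      # None = Apply to All Possible IP Addresses
    ip_to: Optional[str] = None
    exceptions: List[ExceptionRule] = field(default_factory=list)

    def covers(self, endpoint_ip: str) -> bool:
        """Apply to A Range of IP Addresses: inclusive From..To check."""
        if self.ip_from is None:
            return True
        return ip_address(self.ip_from) <= ip_address(endpoint_ip) <= ip_address(self.ip_to)

    def default_action(self, direction: str) -> str:
        """Security Level semantics as the guide describes them."""
        if self.security_level == "High":      # block all traffic to all ports
            return "Deny"
        if self.security_level == "Medium":    # block all inbound, allow all outbound
            return "Deny" if direction == "Inbound" else "Allow"
        if self.security_level == "Low":       # allow all traffic to all ports
            return "Allow"
        raise ValueError(f"unknown security level {self.security_level!r}")

    def decide(self, protocol: str, port: int, direction: str) -> str:
        """The first matching enabled exception wins; otherwise the level's default."""
        for rule in self.exceptions:
            if rule.matches(protocol, port, direction):
                return rule.action
        return self.default_action(direction)


def applicable_policy(policy_list: List[FirewallPolicy], endpoint_ip: str) -> Optional[FirewallPolicy]:
    """Top-down search of the Policy List (assumption, see above)."""
    for policy in policy_list:
        if policy.enabled and policy.covers(endpoint_ip):
            return policy
    return None


def decide_connection(policy_list: List[FirewallPolicy], endpoint_ip: str,
                      protocol: str, port: int, direction: str) -> str:
    policy = applicable_policy(policy_list, endpoint_ip)
    if policy is None:
        return "Allow"          # assumption: no applicable policy, no filtering
    return policy.decide(protocol, port, direction)


# Constructed sample policies (not taken from the guide's screenshots).
# LONDON follows the guide's worked steps: Security Level High, the London
# range 10.10.0.0 to 10.10.255.255, and the FTP Data / FTP exceptions enabled.
LONDON = FirewallPolicy(
    name="London", security_level="High",
    ip_from="10.10.0.0", ip_to="10.10.255.255",
    exceptions=[ExceptionRule("FTP Data", "Allow", "TCP", 20),
                ExceptionRule("FTP", "Allow", "TCP", 21)])

# A Low policy for every other endpoint that only blocks inbound Telnet.
EVERYWHERE = FirewallPolicy(
    name="Default", security_level="Low",
    exceptions=[ExceptionRule("Telnet", "Deny", "TCP", 23, "Inbound")])

# The guide's inverse of Medium: High plus one "Allow all inbound" exception.
INBOUND_ONLY = FirewallPolicy(
    name="Inbound only", security_level="High",
    exceptions=[ExceptionRule("Allow all inbound", "Allow", "Any", None, "Inbound")])

# The same two policies in the recommended order (range-based policy on top)
# and in the order the guide warns against (catch-all policy first).
LOCATION_FIRST = [LONDON, EVERYWHERE]
LOCATION_LAST = [EVERYWHERE, LONDON]


if __name__ == "__main__":
    for ip, proto, port, direction in [("10.10.5.7", "TCP", 21, "Outbound"),
                                       ("10.10.5.7", "TCP", 80, "Outbound"),
                                       ("192.168.1.5", "TCP", 23, "Inbound")]:
        print(ip, proto, port, direction, "->",
              decide_connection(LOCATION_FIRST, ip, proto, port, direction))
```

With the range-based policy listed second, a London endpoint matches the catch-all Low policy and its High-level block is missed, which is the ordering problem the guide's "move these policies to the top" advice addresses.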
(Figure residue: a list of pattern files with sizes and versions, including the Virus Cleanup Engine 6.0.1172 for x86 and x64, the Common Firewall Pattern and the Anti-rootkit Driver.)
FIGURE 3-4. You can deploy or rollback individual pattern files, which are grouped in folders that start with the date.
2. In the list of folders that appears, click the > icon next to the most recent folder to expand it and display individual patterns, as shown in Figure 3-4. If you recently updated the pattern file for the first time, there will be only one folder available.
3. Click the Deploy button across from the folder. In the pop-up window that appears, choose:
- Deploy a one-time action to open the Take Action window and select the computers you want to apply this one-time Action to. Any computers included in the Target that are not relevant for the Action at the time of deployment will respond with a "not relevant" statement. Click OK.
- Create an update Fixlet to open the Edit Fixlet Message window and configure a Fixlet that will deploy the Action whenever the selected clients become relevant. When finished, click OK and, in the window that opens, click the hyperlink that appears below Actions to open the Take Action window.
4. In the Target tab that opens, click All computers with the property values selected in the tree list below and then choose a p
[Screenshot: the Spyware/Grayware Approved List wizard. The left pane lists detection names from the pattern file (ADW_AAIB, ADW_AAIIC, ADW_AAIN, ADW_AAKA, ADW_AAMC, ADW_AANJ, ADW_AAPD, ADW_AAPG, ADW_AASV, ADW_AAZA, ADW_ABBMA and so on) with an "Add >" button to move entries to the approved list; the ESP Console tree behind it shows Tasks, Analyses and Troubleshooting items such as Improper Service Status, Restart Needed, Insufficient Hardware/Software Resources, Removal of Conflicting Product and Disable Windows Firewall.]
FIGURE 5-4 The Spyware/Grayware Approved List is populated with names after updating the pattern file on the ESP Server.

A good way to identify which programs (innocuous and malicious) are being detected as spyware/grayware is to check your Spyware/Grayware Logs. CPM can accommodate a maximum of 1024 spyware/grayware entries in the white or black lists.

Web Reputation Blacklist-Whitelist
For information on using the Web Reputation Blacklist-Whitelist, see Blacklist and Whitelist Templates on page 6-10.

ActiveUpdate Server Settings Wizard
Use this Wizard to select the location from which you want to download component updates. You can choose to download from the Trend Micro ActiveUpdate (AU) server, a specific update source, or a location on your company intranet.

Source
- Trend Micro's ActiveUpdate Server: This location contains the latest available patterns and is typically the best source
... 7-5
Policy Verification 7-7
Global Exceptions 7-7
Create and Deploy a Firewall Policy 7-8
Create and Deploy Smart Policies (Example) 7-10
Global Exception Rules 7-14
All Existing Rules 7-14
Firewall Policy Settings Wizard 7-15
Firewall Policy Configuration 7-17
Exception Rules Configuration 7-18
Uninstalling the Common Firewall 7-19
Disabling the Firewall from Endpoints 7-20
Removing the Firewall Site 7-20

Chapter 8: Setting Up and Using Locations
Overview 8-2
Creating Locations 8-2
Creating Location-Specific Tasks 8-5
How Location Properties Work 8-6

Chapter 9: Using the Client Console
Overview 9-2
CPM Client Dashboard vs. CPM Client Console 9-3
Accessing the Client Console 9-3
Client Connection with CPM Server 9-4
Manual Scans 9-4
Initiating a Manual Scan from the System Tray Icon 9-5
Initiating a Manual Scan from Windows Explorer 9-5
Manual Scan Results 9-6
Viewing Scan Results 9-7
Testing the CPM Client Console
CPM Endpoints. The Task Description window opens.
2. Click the hyperlink under Action to open the Take Action screen.
3. Select the computers you want to target and click OK.
4. When prompted, enter your password. The uninstall sequence begins.
5. In the screen that appears, click the Reported Computers tab to follow the status of the Action. It usually takes a few minutes for targeted computers to report back their Action status.

System Requirements
A quick list of supported operating systems is provided below. Click each for details and hardware requirements.
- Windows 2000
- Windows XP / Windows 2003 (32-bit version)
- Windows XP / Windows 2003 (64-bit version)
- Windows Vista (32-bit and 64-bit versions)
- Windows 2008 (32-bit version)
- Windows 2008 / Windows 2008 R2 (64-bit version)
- Windows 7 (32-bit version)
- Windows 7 (64-bit version)

Also included is a list of software programs that should be removed before installing the CPM client. Most of the programs on this list have duplicate or competing functions, including Trend Micro's OfficeScan and PC-cillin Internet Security programs.
- Trend Micro OfficeScan
- Trend Micro Internet Security 2008
- Trend Micro PC-cillin 2007
- Symantec Software Virtualization Solution
- Symantec AntiVirus
- McAfee VirusScan
- Sophos Antivirus
- eTrust Antivirus

TABLE 3-1
Core Protection Module for Endpoint Security Platform
Administrator's Guide
Endpoint Security

Trend Micro Core Protection Module Administrator's Guide

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation.

Trend Micro, the Trend Micro t-ball logo, OfficeScan, Damage Cleanup Services, ScanMail and TrendLabs are service marks, trademarks or registered trademarks of Trend Micro Incorporated. BigFix, Fixlet and "Fix it before it fails" are registered trademarks of BigFix, Inc. iprevention, Powered by BigFix, Relevance Engine and related BigFix logos are trademarks of BigFix, Inc. All other product or company names may be trademarks or registered trademarks of their respective owners.

Protected by U.S. Patent Nos. 5,623,600; 5,889,943; 5,951,698; 6,119,165

Copyright 2009 Trend Micro Incorporated. All rights reserved.
Document Part No.: APEM14023/90302
Release Date: October 2009

Related Documents
Use this Administrator's Guide to upgrade, install and/or configure Trend Micro Core Protection Module (CPM) on an existing ESP Server. This Administrator's Guide also covers ESP client deployment, Web Reputation updates and configuration, the Trend Micro Common Firewall, and client con
Enable "Configure scan settings for large compressed files" and enter the limits shown here:
- Do not scan files in the compressed file if the size exceeds 2 MB
- Stop scanning after CPM detects 2 viruses/malware in the compressed file

[Screenshot: the Global Scan Settings Wizard (Create Global Settings Configuration Task) with those two limits set, plus "Scan OLE objects, Maximum layers: 3", "Exclude Microsoft Exchange server folders from scanning", the Virus/Malware-only option "Clean/Delete infected files within compressed files", and the Spyware/Grayware-only options "Enable assessment mode (Valid until 11:59:59 pm of ...)", "Scan for cookies" and "Count cookies into spyware log". The CPM Dashboard tree alongside lists the Global Settings, On-Demand Settings and Real-Time Settings Tasks, including CPM 1.6 Disable/Enable systray and Disable/Enable Popup Alert, Spyware White List, and Web Reputation Blacklist-Whitelist.]
File, and make the Action automatic. Next, you need to set up a policy that periodically checks for and downloads updates as they become available. This task is only responsible for downloading updates from the Trend Micro ActiveUpdate servers and then publishing them to the custom CPM update site.

To run the Set ActiveUpdate Server Pattern Update Interval task:
1. Navigate to Dashboards > CPM Dashboard.
2. In the CPM Dashboard, click Deployment > Install > Set ActiveUpdate Server Pattern Update Interval. The Task Description tab opens.
3. Below Actions, click the "here" hyperlink to open the Take Action window.

[Screenshot: the Task Description for "Core Protection Module - Set ActiveUpdate Server Pattern Update Interval". The description reads, in part: "Take the action below to check the Trend Micro ActiveUpdate Server (TMAU Server) for updates to the following: Virus Pattern, IntelliTrap Pattern, IntelliTrap Exception Pattern, Virus Scan Engine, Spyware Pattern, Spyware Active Monitoring Pattern, Spyware Scan Engine, Virus Cleanup Template, Virus Cleanup Engine, Anti-rootkit Driver, Common Firewall Pattern (versions 1.5 and higher) ... available for deployment using the Pattern Update/Rollback Wizard in the CPM Dashboard. Additionally, ... automatic updates have been configured ... the patterns will be published such that endpoints configured for automatic update ..."]
Has Not Changed
The following CPM settings are retained and do not need to be modified to remain synchronized with the upgrade:
- Global Settings and any saved Tasks
- On-Demand Settings and any saved Tasks
- Real-Time Settings and any saved Tasks
- Spyware White Lists and any saved Tasks
- ActiveUpdate Server Settings (proxy and AU server location)
- Logs and Reports
- Analyses that have already been run (however, see above for new analyses)
- Other existing Fixlets, Tasks and Actions (including relevance statements, target definitions and other embedded logic), and Baselines

Update Pattern Files on the Server
It is critically important to keep the ESP Server, Relays and all CPM clients up to date with the current pattern and engine files from Trend Micro. CPM uses as many as 14 different pattern files to identify viruses, spyware and other malware threats. See Security Risks, starting on page 11-4, for the complete list. Not all patterns are updated every day. There are days, however, such as when a new threat is released and attackers are writing hundreds of variations to try to avoid detection, when one or all of the patterns are updated often over the course of a day or week.
Trend Micro recommends that you update the virus pattern file on the ESP Server immediately after installing CPM and then set the task to repeat hourly. The same holds true for CPM clients.

Choose an Update
[Screenshot: the Firewall Policy Settings Wizard, with Policy Name ("New Policy"), Firewall Enabled, Apply to All Possible IP Addresses / Apply to A Range of IP Addresses, Security Level (High, Medium, Low), and an Exception Rules list with Add and Import Global Rules buttons. The rules shown are:]

  #   Rule Name   Action   Protocol   Direction       Port
  1   FTP DATA    Allow    TCP        Bidirectional   20
  2   FTP         Allow    TCP        Bidirectional   21
  3   SSH         Allow    TCP        Bidirectional   22
  4   Telnet      Allow    TCP        Bidirectional   23
  5   SMTP        Allow    TCP        Bidirectional   25
  6   DNS TCP     Allow    TCP        Bidirectional   53
  7   DNS UDP     Allow    UDP        Bidirectional   53
  8   TFTP        Allow    UDP        Bidirectional   69
  9   HTTP        Allow    TCP        Bidirectional   80
  10  Kerberos    Allow    TCP        Bidirectional   88

Unselected rules won't be included in this policy.
FIGURE 7-4 Create a firewall policy and add exceptions, if any.

Apply to A Range of IP Addresses: Only use this option if you are creating a policy to bind to one of several possible IP addresses that an endpoint may use (due to dual NICs, variable locations, etc.), as described in Create and Deploy Smart Policies (Example) on page 7-10.

Exception Rules: Only enabled rules will be included in the policy. Select an existing rule from the list of Global Exception rules that appears, or add a new one. In either case, be sure your exceptions are in fact the opposite of the Security Level you have set for the policy. For example, the default action for most rules in the Global Exception list is Allow. Enabling this rule for a policy where Se
Micro Scan Engine and Detection Technologies on page 1-8

Overview
Trend Micro Core Protection Module (CPM) is an anti-malware application for Trend Micro Endpoint Security Platform (ESP). It works with ESP to protect the desktop and notebook computers on your network from security risks, including spyware, viruses, Trojans, worms, malicious Java applets and ActiveX controls. ESP is built on the BigFix Enterprise Suite (BES) to provide extended management capabilities to the CPM server and clients.
The CPM client provides real-time, on-demand and scheduled malware protection. In addition, you can protect your users against visiting malicious Web sites by enabling CPM's Web Reputation. CPM also provides a policy-based firewall that you can deploy on your endpoints to control port access.
Using a single agent and management console, Trend Micro ESP can support over 250,000 endpoints. From the management console, you can track the progress of each computer as updates or configuration policies are applied.

What's New in CPM Version 1.6
- Windows 7 and Windows 2008 R2 platform support.
  Note: Upgrade to the ESP 7.2.5 agent, which supports the Windows 7 and Windows 2008 R2 operating systems, before attempting to install CPM.
- New client console for endpoints, with manual scan, scan results and update now features.
- Web Reputation allows enabling and disabling the collection of visit
Name in the list to open that rule for editing.
- Click the Add button to create a new rule.
- Click the Delete Rule(s) button to remove the selected rule(s).
When finished, click the Save Rule button.

Firewall Policy Settings Wizard
Use the Firewall Policy Settings Wizard to create one or more firewall policies. You can structure the policy to Allow or Deny all inbound and outbound network connections by setting the Security Level, and then set individual port exceptions. Completed policies appear in the Policy List, as shown in Figure 7-7. Select policies from the list to include in a Task and deploy to your endpoints.
The following buttons and functions are available in the Firewall Policy Settings Wizard:
- Create Firewall Policy Task: Only policies that have been bundled into a Task can be deployed to endpoints. You can apply different policies to different endpoints by creating multiple Tasks.
- Save Order: Because the firewall evaluates applicability by starting at the top of the list and working down, put policies with a smaller Applied IP Range above those that apply to All IPs. Save the order often to avoid losing your changes.
- Add: Use this button to create a new policy. You must also select the policy before using it in a Task.
- Delete: Select one or more policies from the list and then use this button to remove them. Only use Delete to remove the policy from any further use; disable any policies that you do not want to include in a g
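The policy semantics the wizard pages describe (the Security Level sets the default, enabled exception rules override it per protocol, port and direction, policies in a Task are evaluated top-down by Applied IP Range, and an exception only has an effect when it is the opposite of the Security Level) can be checked before a Task is deployed. The following Python is an added example written for this edit, not Trend Micro or BigFix code. It assumes the evaluation order stated in the text: the first enabled policy whose IP range contains the endpoint address is used, and within a policy an enabled exception for the matching protocol, port and direction beats the level default. The policy names, the 10.1.0.0/16 range and the endpoint addresses are invented; the ten global rules are the ones listed in Figure 7-4.

```python
"""Model of CPM firewall policy evaluation (added example; not Trend Micro or BigFix code).

Assumed semantics, taken from the wizard description:
- Security Level sets the default: High denies all, Medium denies inbound and
  allows outbound, Low allows all.
- An enabled exception rule overrides that default for its protocol, port and
  direction(s); unselected rules are not part of the policy.
- Policies in a Task are tried top-down; the first enabled policy whose Applied
  IP Range contains the endpoint's address is used.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LEVEL_DEFAULTS = {
    "High":   {"Inbound": "Deny",  "Outbound": "Deny"},
    "Medium": {"Inbound": "Deny",  "Outbound": "Allow"},
    "Low":    {"Inbound": "Allow", "Outbound": "Allow"},
}


@dataclass
class Rule:
    name: str
    action: str            # "Allow" or "Deny"
    protocol: str          # "TCP" or "UDP"
    direction: str         # "Inbound", "Outbound" or "Bidirectional"
    port: int
    enabled: bool = False  # unselected rules are not included in the policy


@dataclass
class Policy:
    name: str
    security_level: str                   # "High", "Medium" or "Low"
    rules: List[Rule]
    applied_range: Optional[str] = None   # None = "Apply to All Possible IP Addresses"
    firewall_enabled: bool = True


def global_rules(enabled_names=()) -> List[Rule]:
    """The Global Exception rules shown in Figure 7-4 (all Allow, bidirectional)."""
    table = [("FTP DATA", "TCP", 20), ("FTP", "TCP", 21), ("SSH", "TCP", 22),
             ("Telnet", "TCP", 23), ("SMTP", "TCP", 25), ("DNS TCP", "TCP", 53),
             ("DNS UDP", "UDP", 53), ("TFTP", "UDP", 69), ("HTTP", "TCP", 80),
             ("Kerberos", "TCP", 88)]
    return [Rule(n, "Allow", proto, "Bidirectional", port, n in enabled_names)
            for n, proto, port in table]


def _directions(rule: Rule) -> List[str]:
    return ["Inbound", "Outbound"] if rule.direction == "Bidirectional" else [rule.direction]


def select_policy(policies: List[Policy], endpoint_ip: str) -> Optional[Policy]:
    """Top-down match: the first enabled policy whose range contains the endpoint wins."""
    ip = ip_address(endpoint_ip)
    for p in policies:
        if not p.firewall_enabled:
            continue
        if p.applied_range is None or ip in ip_network(p.applied_range):
            return p
    return None


def decide(policy: Policy, protocol: str, direction: str, port: int) -> str:
    """An enabled exception for this protocol/port/direction wins; otherwise the level default."""
    for r in policy.rules:
        if r.enabled and r.protocol == protocol and r.port == port and direction in _directions(r):
            return r.action
    return LEVEL_DEFAULTS[policy.security_level][direction]


def redundant_rules(policy: Policy) -> List[str]:
    """Enabled exceptions that merely restate the Security Level default (the mistake the guide warns about)."""
    defaults = LEVEL_DEFAULTS[policy.security_level]
    return [r.name for r in policy.rules
            if r.enabled and all(defaults[d] == r.action for d in _directions(r))]


def ordering_warnings(policies: List[Policy]) -> List[str]:
    """Flag ranged policies placed below an All-IPs (or enclosing) policy that would shadow them."""
    warnings = []
    for i, p in enumerate(policies):
        if p.applied_range is None:
            continue
        for earlier in policies[:i]:
            if earlier.applied_range is None or \
                    ip_network(p.applied_range).subnet_of(ip_network(earlier.applied_range)):
                warnings.append(f"{p.name!r} is shadowed by {earlier.name!r}; move it above")
    return warnings


# Constructed policies (names and ranges invented for the example).
SF_SERVERS = Policy("SF servers", "High", global_rules({"SSH", "HTTP"}), applied_range="10.1.0.0/16")
DEFAULT = Policy("Default", "Medium", global_rules({"HTTP"}))
LAB_LOW = Policy("Lab", "Low", global_rules({"HTTP"}))

if __name__ == "__main__":
    policies = [SF_SERVERS, DEFAULT]   # ranged policy above the All-IPs policy
    for ip, proto, direction, port in [("10.1.5.9", "TCP", "Inbound", 22),
                                       ("10.1.5.9", "TCP", "Outbound", 443),
                                       ("192.168.1.20", "TCP", "Inbound", 22)]:
        p = select_policy(policies, ip)
        print(f"{ip} {proto} {direction} {port}: {p.name} -> {decide(p, proto, direction, port)}")
    print("redundant exceptions on Low policy:", redundant_rules(LAB_LOW))
    print("ordering problems:", ordering_warnings([DEFAULT, SF_SERVERS]))
```

Running the script shows the two checks a practitioner wants before clicking Create Firewall Policy Task: `redundant_rules` reports the HTTP Allow on the Low policy as a no-op, and `ordering_warnings` reports the 10.1.0.0/16 policy as shadowed when the All-IPs policy is saved above it.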
RAM: 1GB minimum
Available disk space: 700MB recommended
Others: Monitor that supports 800 x 600 resolution at 256 colors

TABLE 3-5 Windows 2008 (32-bit version)
RESOURCE: REQUIREMENT
Operating system:
- Windows Server 2008 Standard, Enterprise, Datacenter and Web Editions with Service Pack 1 or later
- CPM supports client installation on guest Windows Vista operating systems hosted on the following virtualization applications:
  - VMware ESX/ESXi Server 3.0 or 3.5 (Server Edition)
  - VMware Server 1.0.3 or later (Server Edition)
  - VMware Workstation and Workstation ACE Edition 6.0
  - Microsoft Windows Server 2008 64-bit Hyper-V environment
  Note: CPM cannot be installed if Windows 2008 runs in the Server Core environment.
Hardware:
- Processor: Minimum 1.4GHz Intel Pentium or equivalent (2GHz recommended); AMD64 and Intel 64 processor architectures
- RAM: 1GB recommended
- Available disk space: 700MB recommended
- Others: Monitor that supports 800 x 600 resolution at 256 colors

TABLE 3-6 Windows 2008 / Windows 2008 R2 (64-bit version)
RESOURCE: REQUIREMENT
Operating system:
  Note: Windows 2008 R2 requires ESP agent 7.2.5 or later.
- Windows Server 2008 Standard, Enterprise, Datacenter and Web Editions with
WARNING: Do not select "whenever it becomes relevant again", or the scan may run continuously.
- If you want to let users initiate the scan, click the Offer tab and select "Make this action an offer".
  a. Click any of the other tabs to modify the trigger time and applicable users.

[Screenshot: the ESP Console task list under All Applicable Tasks, showing Core Protection Module tasks such as Upload Quarantined Files, Upload Logs, Start Scan Now, Remove Server Components, Endpoint Uninstall, Endpoint Deploy and Check Server for Pattern Updates, each with its site, version and release date, and the "Run On-Demand Scan (Core Protection Module)" Take Action window with its Preset and Target controls.]
Reputation installed. Select all the Applicable Computers and click OK. When prompted, type your private key password and click OK. In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is Evaluating, Running and then Completed. Close any open windows to return to the Dashboard view.

6. To redeploy your WPM policies to CPM clients:
1. In the CPM Dashboard, go to Configuration > Web Reputation Blacklist-Whitelist > New Web Reputation Blacklist-Whitelist Task. The Web Reputation Blacklist-Whitelist Wizard screen opens.
2. Select the template(s) you want to deploy and then click the Create Task From Template button. The Edit Task window opens.
3. Modify the default name in the Name field so that it clearly defines the purpose of this custom Task. Edit the Description tab to reflect your goals, if necessary.
4. Click OK, then enter your private key password and click OK when prompted. The Task Description window opens and the new Task is added below Web Reputation Blacklist-Whitelist in the CPM Dashboard.
5. Below Actions, click the hyperlink to open the Take Action window.
6. In the Target tab, click "All computers with the property values selected in the tree list below" and then choose a property that will include all the computers you want to deploy this Action to.
- Execution: Set the deployment time and retry behavior (optional).
Source and Proxy
By default, CPM is configured to use the Trend Micro ActiveUpdate (AU) server for pattern updates. Although you can use an intranet source (for example, by manually downloading the pattern files to an internal computer and then pointing the ESP Server to that source), Trend Micro recommends that you use the AU server. This is the only official source for pattern updates and, in conjunction with CPM, AU provides several layers of authentication and security to prevent forged or unsupported patterns.

[Screenshot: the Trend Micro Endpoint Security Platform Console with the CPM Dashboard open. The Fixlet message list (All Relevant Fixlet Messages, All Fixlet Messages, My Custom Fixlet Messages, Locally/Globally Hidden Fixlet Messages) shows entries such as "AUDIT: Web Protection Module - Log Maintenance Not Configured", "AUDIT: Web Protection Module - Trend Micro OfficeScan Conflict", "BES Clients Have Incorrect Clock Time", "BES Quick Reference" and "Core Protection Module - Disable Automatic Updates", each with its severity, site and version.]
Space Settings on page 5-5
Client Console Settings on page 5-5

Scan Settings
Configure scan settings for large compressed files: CPM checks the file size and the security risk count limit to determine whether to scan the individual files contained in a compressed file.
- Do not scan files in the compressed file if the size exceeds X MB: Some compressed files can expand to 100 or even 10,000 times their compressed size, innocently or maliciously, in what is known as the "zip of death". Scanning these files can be dangerous and inefficient.
- Stop scanning after CPM detects X viruses/malware in the compressed file: This option reduces scan time, which can be considerable for compressed files. If a file is found to contain many threats, it can be summarily deleted.

Scan OLE objects, Maximum layers <drop-down list>: Object Linking and Embedding (OLE) allows users to create objects with one application and then link or embed them in a second application, creating layers. For example, a Microsoft Word document may contain an Excel spreadsheet, which in turn contains another embedded object.

Exclude Microsoft Exchange server folders from scanning: Select this option to prevent CPM from scanning Microsoft Exchange 2000/2003 server folders on the client, for example if you already use Trend Micro ScanMail for Exchange to protect email. For Microsoft Exchang
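The two compressed-file limits above (skip an entry whose expanded size exceeds X MB; stop after X detections), together with the layer limit shown in the Global Scan Settings Wizard, are easy to get wrong, because the size a ZIP entry declares in its header is attacker-controlled. The following Python is an added example for this edit, not Trend Micro code. It models a scanner that applies those limits to a constructed archive and also caps the bytes it actually inflates, so an entry whose header under-reports its size cannot bypass the limit. The "detection" is a substring match on the EICAR test-file marker; the depth rule (the outer archive counts as layer 1, and archives deeper than Maximum layers are skipped) and the sample archive contents are assumptions made for the example.

```python
"""Model of CPM's compressed-file scan limits (added example; not Trend Micro code).

Limits modelled: skip an entry whose expanded size exceeds max_mb, stop after
max_detections, and do not open archives nested deeper than max_layers (the
outer archive counts as layer 1). The detector is a stand-in that matches the
EICAR test-file marker.
"""
import io
import zipfile
from typing import Dict

MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"  # substring of the standard EICAR test file


def detect(data: bytes) -> bool:
    """Stand-in for the scan engine."""
    return MARKER in data


def scan_archive(archive: bytes, max_mb: int = 2, max_layers: int = 3,
                 max_detections: int = 2) -> Dict[str, object]:
    result = {"scanned": [], "detections": 0, "skipped_oversize": [],
              "skipped_layers": [], "stopped": False}
    _scan(archive, 1, max_mb * 1024 * 1024, max_layers, max_detections, result, "")
    return result


def _scan(archive, layer, limit, max_layers, max_detections, result, prefix):
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if result["stopped"]:
                return
            name = prefix + info.filename
            # The declared size comes from the attacker-controlled header...
            if info.file_size > limit:
                result["skipped_oversize"].append(name)
                continue
            # ...so cap the bytes actually inflated as well, in case the header lies.
            with zf.open(info) as fh:
                data = fh.read(limit + 1)
            if len(data) > limit:
                result["skipped_oversize"].append(name)
                continue
            if zipfile.is_zipfile(io.BytesIO(data)):
                if layer >= max_layers:
                    result["skipped_layers"].append(name)
                    continue
                _scan(data, layer + 1, limit, max_layers, max_detections, result, name + "/")
                continue
            result["scanned"].append(name)
            if detect(data):
                result["detections"] += 1
                if result["detections"] >= max_detections:
                    result["stopped"] = True
                    return


def _zip(entries) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed input: a 3-deep nested archive, a 3 MiB 'bomb' of zeros and several EICAR files."""
    eicar = b"sample " + MARKER
    innermost = _zip([("deep.txt", eicar)])
    nested = _zip([("inner.zip", _zip([("inner2.zip", innermost)]))])
    bomb = b"\0" * (3 * 1024 * 1024)       # inflates to 3 MiB, stores as a few KB
    return _zip([("nested.zip", nested), ("bomb.bin", bomb), ("eicar1.txt", eicar),
                 ("eicar2.txt", eicar), ("clean.txt", b"nothing here"), ("eicar3.txt", eicar)])


if __name__ == "__main__":
    for key, value in scan_archive(build_sample_archive()).items():
        print(f"{key}: {value}")
```

With the wizard's values (2 MB, 2 detections, 3 layers) the run skips bomb.bin on its declared size without inflating it, never opens the fourth-layer archive, and stops after the second EICAR file so that clean.txt and eicar3.txt are never read. Raising the limits (for example `scan_archive(data, max_mb=4, max_layers=4, max_detections=10)`) makes the same archive scan fully, which is the trade-off the two settings control.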
[Screenshot: the Take Action Target tab with the All Computers tree expanded under By Retrieved Properties (By Total Size of System Drive, By Location By Range, By Location By Subnet), listing Locations such as "demo" and "Cupertino".]
FIGURE 8-4 Find the Location you created so you can attach a Task to it.

Next, click the All Computers tree and then By Retrieved Properties > By Subnet Address to open that branch. Choose the Location name you created for the San Francisco subnet (Step 3 on page 8-3).
With your Location still selected, click the Execution tab. Remove any Constraints that you do not want to apply, such as a Start and End date, and in the Behavior section make sure only the following option is enabled: "Reapply this action whenever it becomes relevant again".

[Screenshot: the Take Action window for the "Scan BIG" Task, Execution tab. Constraints: Starts on 6/1/2009 (client local time), Ends on 6/3/2009, Run between, Run only on (days of the week), Run only when (Active Directory Path). Behavior: On failure retry N times, Reapply this action whenever it becomes relevant again, 15 minutes between reapplications, Limit ...]
[Screenshot: the Task "Core Protection Module - Install Server Components" (Trend Micro Core Protection Module QA site), with the Description, Details, Applicable Computers and Action History tabs. The description reads: "The listed computers are BES Servers which do not have Trend Core Protection Module Server components installed. Core Protection Module Server components provide pattern updates for CPM endpoints. Use this action to deploy Core Protection Module Server components on BES Servers that do not have it. Important Note: This action will restart the BES Root Server service. Please schedule the installation to occur at a time when a service interruption is acceptable. File Size: 43.5 MB. Click to initiate the deployment process."]
FIGURE 2-2 Begin by deploying CPM components to the ESP Server.

3. Below Actions, click the hyperlink to open the Take Action window.
4. Select "Specify computers selected in the list below". Since you are updating only the ESP Server with CPM components, only that computer will be relevant and appear in the list of Applicable Computers.
5. Click OK and then, when prompted, enter yo
The Action Summary window opens.
5. Check the Status after a few minutes to confirm that the Action is Running and then Completed.
6. Close any open windows to return to the Dashboard view.

Deploying Selected Pattern Files
By default, all pattern files are included when the pattern is deployed from the ESP Server to CPM clients. You can, however, select and deploy a subset of patterns.
Note: This Task is typically only used to address special cases and, as a result, is seldom used. When used, this Task tends to be targeted narrowly.

To deploy a specific pattern file:
1. From the CPM Dashboard menu, click Updates > Pattern Update Settings > New Pattern Update Settings Task. The Update Settings Wizard screen opens.

[Screenshot: the ESP Console task list (By Category / By Site) showing Core Protection Module tasks such as Upload Quarantined Files, Upload Logs, Start Scan Now, Remove Server Components and Endpoint Uninstall, each with its site, version and release date.]
To create and run a custom On-Demand Scan Task, on page A-3
To run an On-Demand Scan, on page A-3
To schedule an On-Demand Scan, on page A-3

General Scan Configurations
The steps below are for experienced ESP administrators who just need a reminder list of the tasks involving the CPM scan configurations:
- Embedded OLE objects: how to handle
- Microsoft Exchange folders: prevent scanning
- Compressed file scanning: how to handle
- Compressed file scanning: large files
- Action to take on spyware and malware
- Cookie scanning
- Disk space available for pattern files and updates

To change or configure scan settings:
1. In the CPM Dashboard, click Configuration > Global Settings > New Global Settings Task.
2. Deploy the Global Settings by clicking Configuration > Global Settings > <scan name> in the CPM Dashboard.

Real-Time and On-Demand Scans
To configure the Scan Now scan:
- Click Configuration > On-Demand Settings > New On-Demand Settings Task.
To start scanning with the default settings:
- Click Tasks > Core Protection Module > Start Scan.
To create and run a custom On-Demand Scan Task:
- Click Configuration > On-Demand Settings > New On-Demand Settings Task.
To run an On-Demand Scan:
- Click Configuration > On-Demand Settings > <scan name>.
To schedule an On-Demand Scan:
1. Click Configuration > On-Demand Settings > <scan name>. In t
[Screenshot: the CPM Dashboard beside the classic ESP Console tree, with Global Scan Settings options visible such as "Scan compressed files, Maximum layers", "Scan boot area" and "Enable IntelliTrap".]
FIGURE 4-1 CPM provides a Dashboard and classic tree navigation.

- Click a Task to open it and view the description. Run the Task by clicking the link that appears below the Action window.
- Target certain computers when the Task is open by clicking one of the sub-tabs that appear: Description (default), Details, Applicable Computers and Action History.
- Add or remove display columns by right-clicking and then selecting or de-selecting from the pop-up menu that appears.
- Bundle configuration settings into a Task, attach it to selected endpoints and schedule it to run automatically.
- Use the CPM Dashboard to make your security and firewall configurations, for example setting up the behavior of client scans.
- Close configuration windows by clicking the X in the upper right corner.

How CPM Task Flows Work
In general, you start by using the CPM Dashboard to make configuration settings. Then you bundle the settings into a Task, which delivers an Action to targeted computers. Tasks also include a Relevance, which provides an additional layer of logic that can further define eligible targets. All ESP Agents on which the CPM client runs receive Tasks, but each agent then makes its own determination as to whether its host endpoint meets the condition
Windows 2000
RESOURCE: REQUIREMENT
Operating system:
- Windows 2000 with Service Pack 4
- Windows 2000 Professional with Service Pack 4
- Windows 2000 Cluster Server with Service Pack 4
- Windows 2000 Advanced Server with Service Pack 4
- CPM supports client installation on guest Windows 2000 operating systems hosted on the following virtualization applications:
  - Microsoft Virtual Server 2005 R2 with Service Pack 1
  - VMware ESX(TM)/ESXi Server 3.0 or 3.5 (Server Edition)
  - VMware Server 1.0.3 or later (Server Edition)
  - VMware Workstation and Workstation ACE Edition 6.0
  - Microsoft Windows Server 2008 64-bit Hyper-V environment
Hardware:
- Processor: 300MHz Intel Pentium processor or equivalent
- RAM: 512MB recommended
- Available disk space: 700MB recommended
- Others: Monitor that supports 800 x 600 resolution at 256 colors or higher

TABLE 3-2 Windows XP / Windows 2003 (32-bit version)
RESOURCE: REQUIREMENT
Operating system:
- Windows XP Professional with Service Pack 2 or later
- Windows XP Home with Service Pack 3 or later
- Windows Server 2003 Standard, Enterprise, Datacenter and Web Editions with Service Pack 2 or later
- Windows Server 2003 R2 Standard, Enterprise and Datacenter Editions with Service Pack 2 or later
- Windows Storage Server 2003
- Microsoft Cluster Server 2003
- CPM supports client installatio
able Computers tab will show a list of endpoints that have WPM standalone installed.
2. Below Actions, click the hyperlink to open the Take Action window.
3. Choose all Applicable Computers and then click OK.
4. When prompted, type your private key password and click OK. The Action Summary tab appears. Check the Status after a few minutes to confirm that the Action is Fixed.
5. Close the open windows to return to the Dashboard view.

4. To install or upgrade to CPM 1.6 endpoints:
1. Install or upgrade CPM 1.6 endpoints:
- Install: From the CPM Dashboard, click Deployment > Install > Install CPM Endpoints.
- Upgrade: From the CPM Dashboard, click Deployment > Upgrade > Upgrade CPM Endpoints.
2. Below Actions, click the hyperlink to initiate the deployment process and open the Take Action window.
3. Choose all Applicable Computers and then click OK.
4. When prompted, type your private key password and click OK. The Action Summary tab appears.
5. Check the Status after a few minutes to confirm that the Action is Fixed.
6. Close the open windows to return to the Dashboard view.

5. To enable Web Reputation on your CPM 1.6 clients:
1. In the CPM Dashboard, click Tasks > Web Reputation > Enable Web Reputation. The Task Description screen opens.
2. Below Actions, click the hyperlink to open the Take Action window.
3. In the Target tab, a list shows the CPM clients without Web
against the list and create a short list of only those Actions that apply to them. In the current example, relevance is determined by IP address. Configuration 1 is going to be deployed to all Agents, but only those Agents running on an endpoint with an IP address in the subnet defined for San Francisco will pick up the configuration. You will be able to see this self-selection at work when you create the second configuration and apply it to a different Location: one Action will be picked up by the San Francisco endpoints and the other by the German endpoints.
ESP Agents remain in sync with new relevance expressions by frequently checking the ESP Server for updates. Agents also maintain a detailed description of themselves that may include hundreds of values describing their hardware, network and software.

In short:
- First, define some Locations.
- Second, configure your scan, firewall or URL filtering settings.
- Next, save the settings to a Task and create an Action to target some given endpoints.
When you deploy the Task, the ESP Server converts the Action details into a relevance expression, which is sent to all Agents at the endpoints. Each Agent checks itself against the relevance expression and takes the Action required for every match found.

A. To create the first configuration and Task:
1. From the CPM Dashboard, click Configuration > Global Settings > New Global Settings Task. The Global Scan Settings Wizard screen opens.
2.
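The self-selection described here, and the two apparently opposite instructions elsewhere in the guide (enable "Reapply this action whenever it becomes relevant again" for the Location Task, but do not select it for a Scan Now Task or the scan may run continuously), come down to one question: does the Action change the state that its own relevance tests? The following Python is an added example for this edit, not BigFix or ESP code. It models agents evaluating Tasks against their own properties and reapplying them when relevant; the subnets, agent names, task names and the "cycle" abstraction of the agent's evaluation schedule are invented.

```python
"""Model of ESP relevance-based targeting (added example; not BigFix/ESP code).

Each "cycle" stands for one agent evaluation pass; real agents re-evaluate on
their own schedule. Subnets, agent names and task names are invented.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

Predicate = Callable[["Agent", int], bool]


class Agent:
    """An ESP Agent: self-reported properties plus a record of the Actions it ran."""
    def __init__(self, name: str, ip: str, cpm_installed: bool = True):
        self.name = name
        self.ip = ip
        self.props: Dict[str, object] = {"cpm_installed": cpm_installed,
                                         "last_scan_cycle": None, "config": None}
        self.history: List[Tuple[int, str]] = []  # (cycle, task name)


class Task:
    def __init__(self, name: str, relevance: Predicate,
                 effect: Callable[["Agent", int], None], reapply: bool = False):
        self.name, self.relevance, self.effect, self.reapply = name, relevance, effect, reapply


def in_subnet(cidr: str) -> Predicate:
    net = ip_network(cidr)
    return lambda agent, cycle: ip_address(agent.ip) in net


def both(*preds: Predicate) -> Predicate:
    return lambda agent, cycle: all(p(agent, cycle) for p in preds)


def has_cpm(agent: Agent, cycle: int) -> bool:
    return bool(agent.props["cpm_installed"])


def scan_due(every: int) -> Predicate:
    """Relevant when no scan has run yet or the last one is at least `every` cycles old."""
    def pred(agent, cycle):
        last = agent.props["last_scan_cycle"]
        return last is None or cycle - last >= every
    return pred


def set_config(label: str):
    def effect(agent, cycle):
        agent.props["config"] = label
    return effect


def record_scan(agent: Agent, cycle: int) -> None:
    agent.props["last_scan_cycle"] = cycle


def run_cycles(agents: List[Agent], tasks: List[Task], cycles: int) -> List[Agent]:
    """Every cycle, every agent evaluates every task against itself and acts on matches."""
    for cycle in range(cycles):
        for agent in agents:
            for task in tasks:
                already_ran = any(n == task.name for _, n in agent.history)
                if already_ran and not task.reapply:
                    continue
                if task.relevance(agent, cycle):
                    task.effect(agent, cycle)
                    agent.history.append((cycle, task.name))
    return agents


def runs(agent: Agent, task_name: str) -> int:
    return sum(1 for _, n in agent.history if n == task_name)


# Constructed scenario: two Locations, as in the San Francisco / Germany example.
SF, DE = "10.10.0.0/16", "10.20.0.0/16"
CONFIG_SF = Task("Global Settings (SF)", both(in_subnet(SF), has_cpm), set_config("SF"))
CONFIG_DE = Task("Global Settings (DE)", both(in_subnet(DE), has_cpm), set_config("DE"))
# Relevance that never becomes false + "reapply whenever relevant again" = runs every cycle.
SCAN_RUNAWAY = Task("Scan SF (runaway)", both(in_subnet(SF), has_cpm), record_scan, reapply=True)
# Relevance that the Action itself falsifies for 7 cycles = a weekly scan.
SCAN_WEEKLY = Task("Scan SF (weekly)", both(in_subnet(SF), has_cpm, scan_due(7)), record_scan, reapply=True)


def demo(scan_task: Task, cycles: int = 30) -> Dict[str, Agent]:
    agents = [Agent("sf-laptop-1", "10.10.4.7"), Agent("de-desktop-1", "10.20.9.3"),
              Agent("sf-no-cpm", "10.10.4.8", cpm_installed=False)]
    run_cycles(agents, [CONFIG_SF, CONFIG_DE, scan_task], cycles)
    return {a.name: a for a in agents}


if __name__ == "__main__":
    for task in (SCAN_RUNAWAY, SCAN_WEEKLY):
        for name, a in demo(task).items():
            print(f"{task.name}: {name} config={a.props['config']} scans={runs(a, task.name)}")
```

The San Francisco agent picks up only the SF configuration and the German agent only the DE one, and the endpoint without CPM picks up neither, which is the self-selection the text describes. The two scan Tasks differ only in their relevance: the runaway one is relevant on every pass and so runs 30 times in 30 cycles, which is the continuous-scan problem the guide warns about, while the weekly one stops being relevant as soon as it records a scan and runs five times.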
are Programs
- Symantec Software Virtualization Solution
- Symantec AntiVirus
- McAfee VirusScan
- Sophos Antivirus
- eTrust Antivirus
- Bit9 Parity Agent
- Computer Associates ARCserve Backup
- HSM (Hierarchical Storage Management) Backup Software

Trend Micro Software
These software programs should be removed from the endpoints before deploying CPM clients to those computers. Use the program's native uninstaller to remove them.
- OfficeScan versions 8 and 10
- Internet Security 2008
- PC-cillin 2007
- PC-cillin 2006
- PC-cillin 2005
- PC-cillin 2004 (AV)
- PC-cillin 2004 (TIS)
- PC-cillin 2003
- PC-cillin 2002
- PC-cillin 2000 (WinNT)
- PC-cillin 2000 7.61 (WinNT)
- PC-cillin 98 Plus (WinNT)
- PC-cillin NT 6
- PC-cillin NT
- HouseCall Pro
- Virus Buster 2000 for NT ver. 1.20
- Virus Buster 98 for NT
- Virus Buster NT

Programs Incompatible with CPM on the ESP Server
- Trend Micro ServerProtect
- ServerProtect for Windows NT

Chapter 4: Configuring and Managing CPM
Before using this chapter, you should already have the ESP Server, ESP Console and at least one ESP Agent installed. In addition, you should have already installed the CPM server, deployed CPM clients and updated their pattern files. If you have not, see Chapters 2 and 3 for the procedures.
Topics in this chapter include:
- Using the CPM Dashboard and Menu on page 4-2
- Configur
72. as the following: TMCPMEncrypt_1.0.0.1038.zip
a. Run the program and, when prompted, type your password in the field.
b. Copy the encrypted results; you will be prompted to paste them later.
Back in the Task Description window, below Actions, click the hyperlink and, when prompted, provide the following:
• Proxy IP address or host name
• Proxy port
• User name for proxy authentication
• Encrypted password (paste the password you encrypted)

[Screenshot: the ESP Console showing the Task "Web Reputation - Enable/Configure Proxy Settings" and its Description, which notes that Web Reputation requires Internet access and that the proxy server password must be encrypted with the supplied utility]
73. [Screenshot: the On-Demand Scan Settings Wizard in the CPM Dashboard, showing the Scan Target tab with "Files to Scan", "File types scanned by IntelliScan", "Files with the following extensions" and "Scan compressed files. Maximum layers", and the Virus/Malware Scan Settings Only section]

FIGURE 4-5 The scan configuration (1) is bundled into a Task (2) that is run whenever you click Scan Now (3)

2. Make your configuration choices. Options are detailed in "To add spyware/grayware to the approved list" on page 4-19.
3. Click the Create Configuration Task button. The Edit Task window opens.
4. Since this is the default Start Scan Now Task, keep the existing name and click OK to also accept the default Actions and Relevance. The Task is set to be relevant to all CPM clients.
5. Click OK; when prompted, type your private key password and click OK.
6. In the Action Summary w
74. asks > Web Reputation > Enable Web Reputation.

To configure the security level: In the CPM Dashboard, click Tasks > Web Reputation > Configure Web Reputation Security Level. The Task Description opens.

CPM Firewall
The steps below are for experienced ESP administrators who just need a list for tasks involving the CPM Common Firewall. Procedures include:
• To create a firewall policy on page A-10
• To deploy a firewall policy on page A-10
• To disable the firewall on all or selected endpoints on page A-11

To create a firewall policy
1. In the ESP Console menu, click Common Firewall Settings > New Policy Task.
2. Click the Add button.
3. Choose the following: Firewall Enabled; Security Level; Apply to All Possible IP Addresses.
4. Add any exceptions relative to the Security Level.

To deploy a firewall policy
1. Click Common Firewall Settings > New Policy Task and select the policies you want in the Policy List.
2. Move your policy to the top of the list and click the Save Order button.
3. Click the Create Firewall Policy Task button at the top of the screen.

To disable the firewall on all or selected endpoints
1. Click Common Firewall Settings > New Policy Task.
2. Click the Add button.
3. Remove the check from Firewall Enabled.
4. Click Save.
5. Select the policy you just created in the Policy List and clear the check f
75. ates. To reduce network traffic generated when downloading the latest pattern, the Trend Micro ActiveUpdate server includes incremental pattern updates along with the full pattern file. Incremental updates represent the difference between the previous pattern file and the current one. Like the full pattern file, incremental updates are automatically downloaded and applied. Incremental updates are available both to the ESP Server, which typically downloads pattern updates from the ActiveUpdate server, and to CPM clients that are configured to get their updates from the ESP Server.

Updates from the Cloud
Clients typically receive their updates from the ESP Server or Relays, but CPM 1.6 also supports client updates from the cloud, that is, directly from the Trend Micro ActiveUpdate server. Note, however, that updating clients from the cloud is not recommended as the default behavior. Pattern files may exceed 20MB per client, so frequent direct client downloads from the AU server are usually not preferred. Instead, you can use the cloud as a fall-back for clients to use whenever they are not able to connect to the ESP Server. Updates from the cloud support incremental pattern updates; however, they do not allow you to update only certain pattern types.

Procedure Overview
1. Enable CPM clients to receive automatic pattern updates.
2. Schedule and apply automatic pattern file updates.
3. Manually upda
76. avior. It is recommended that you apply this Task with the following action parameters: never expire, reapply whenever relevant, retry up to 99 times on failure, reapply an unlimited number of times. If you do not set this action with the above settings, new pattern sets will not be automatically downloaded and applied by your endpoints.

FIGURE 2-10 Apply Automatic Updates

4. Make this task a policy to allow the endpoints to download the updates automatically as soon as they become available.
Note: You can set any parameters you want, but Trend Micro recommends the following settings.
a. Change the name of the action to POLICY - Core Protection Module - Apply Automatic Updates. This helps distinguish the open action as a policy.
b. Change the Preset from Default to Policy.
c. On the Target tab, select the "All computers with the property values selected in the tree below" option and then choose a group property or Active Directory container to target. You can also target all computers.
d. On the Execution tab, make the following changes:
   i. Check "On failure, retry" and set it to 99 times.
   ii. Select "Wait between attempts when there is a failure" and choose 10 minutes.
   iii. Do not change any other settings on this tab.
e. Click OK.
5. When prompted, type your private key password and click OK. The Action window opens. Check the Status after a few minute
77. bes file and then click Open.
3. Click OK.

Virus/Malware and Spyware Scanning

To enable debug logging
1. From the CPM client, open Microsoft Regedit.
2. Locate the following entry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tmfilter\Parameters
3. Double-click DebugLogFlags and type the following under Value Data: 0x3EFF
4. Save and close as necessary.
A log file will be created in the following location: C:\Windows\TMfilter.log or C:\WinNT\TMfilter.log

Virus/Spyware Logs on the CPM Client
The virus/spyware log directory is located here: ...\Program Files\Trend Micro\OfficeScan Client\Misc. The following logs are significant:

Pccnt35.log
    20090108<>1131<>JS_AMILALA.A<>1<>1<>0<>C:\Documents and Settings\Administrator QAL 22 13 001\Local Settings\Temporary Internet Files\Content.IE5\WPIBG52Z\trojan 1.htm<>

Spyware.log
    20090108<>1140<>JokePrograms_Test_File<>2<>1<>0<>0<>20090108114038075460_JokePrograms_Test_File<>

Spyware_detail.log
    20090108114038075460_JokePrograms_Test_File
    Timestamp=1231443630
    ScanType=1
    ActionResult=2
    ItemCount=1
    ItemLocation-0=C:\Documents and Settings\Administrator\Desktop\JOKE_Test_File.exe
    ItemScannerType-0=10
    ItemThreatType-0=6
    ItemRiskLevel-0=0
    ItemActionResult-0=257

Debug Logs
78. [Screenshot: the pattern file list in the CPM Dashboard, showing entries such as the Virus Scan Engine and Spyware Scan Engine with their version numbers]

FIGURE 4-7 You can deploy or roll back all or selected pattern files

2. In the list of folders that appears, click the > icon to expand and display the pattern files you want to roll back to, as shown in Figure 4-7.
3. Click the Rollback To button across from the folder. In the pop-up window that appears, choose one of the following:
• Deploy a one-time action: opens the Take Action window, where you select the computers you want to apply this one-time Action to. Any computers included in the Target that are not relevant for the Action at the time of deployment will respond with a "not relevant" statement. Click OK.
• Create an update Fixlet: opens the Edit Fixlet Message window, where you configure a Fixlet that will deploy the Action whenever the selected clients become relevant. When finished, click OK and, in the window that opens, click the hyperlink that appears below Actions to open the Take Action window. In the Target tab that opens, click "All computers with the property values selected in the tree list below" and then choose a property that will include all the computers you want to deploy this Action to.
• Execution: Set the time and retry behavior
79. cannot be infected.
• File types scanned by IntelliScan: Scans only files known to potentially harbor malicious code, even those disguised by an innocuous-looking extension name. IntelliScan examines the file metadata to determine the file type.
• Files with the following extensions: Scans files based on their extensions. If selected, only file types listed in this field will be scanned. For example, you can specify certain file types as a shortcut to excluding all those file types not on the list.

Scan Settings
• Scan floppy disk during system shutdown (Real-Time scans only)
• Scan network drive (Real-Time scans only): Includes client file activity as it extends to mapped network drives.
• Scan compressed files. Maximum layers: <drop-down list>. CPM will scan up to a specified number of compression layers and skip scanning any excess layers. For example, if the maximum is two layers and a compressed file to be scanned has six layers, CPM scans two layers and skips the remaining four.
Note: Choose this option to enable scanning of the following file type: Microsoft Office 2007 files in Office Open XML format. These are considered compressed because Office Open XML includes ZIP compression technologies for Office 2007 applications such as Excel, PowerPoint and Word.
• Scan boot area (On-Demand scans only): Scans the boot sector of the client computer hard disk.
• Enable Intell
80. ck the Create Spyware White List Configuration Task button.

To recover spyware files: In the CPM Dashboard, click Tasks > Core Protection Module > Restore Spyware/Grayware. The Spyware/Grayware Restore Wizard appears.

CPM Server Management
The steps below are for experienced ESP administrators who just need a list for tasks involving the CPM server. The procedures include:
• To activate analyses on page A-5
• To update or remove CPM server components on page A-5
• To remove the Core Protection Module site on page A-5
• To display the CPM icon on endpoints on page A-6
• To view CPM hidden client statistics for a given endpoint on page A-6
• To decrypt quarantined files on page A-6

To activate analyses
1. In the ESP Console navigation pane, click the Analyses tab.
2. Sort the Name column in alphabetical order.
3. Select all the Core Protection Module analyses.
4. Right-click the list you have selected and click Activate.

To update or remove CPM server components
1. Open the Tasks tab and then click All Tasks > By Site > Trend Core Protection Module.
2. Locate "Core Protection Module - Remove Server Components" in the list of Actions that appears and double-click it to open the Description.

To remove the Core Protection Module site
1. In the ESP Console menu, click Tools > Manage Sites and select the Trend Core Protection Module
81. ction Module - Apply Automatic Updates has been run and that the Action has successfully completed.
3. On the CPM server, a user account must be in place for the propagation site. The PropagateManifest registry key must be set to 1: HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM\server
4. For CPM clients that have been enabled for automatic updates, the EnableAutoUpdate registry key must be set to 1: HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM\client

Proxy Servers
If there is a proxy server between the ESP Server and the Internet, two separate configurations are necessary:
• The BES Server proxy authentication settings, used by the BESGather service and typically set during the ESP Server install. See the following knowledge base article for more information: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=231
• The CPM server component proxy authentication settings, used by the update program TMCPMAuHelper.exe. Set or check this from the CPM Dashboard: Configuration > ActiveUpdate Server Settings > Change ActiveUpdate Server Settings.

Additional Information
If the latest pattern file already exists on the CPM server, you will need to perform the following manual steps to continue testing.

To continue testing
1. Locate and delete the following folder: $TMCPMAuHelper_install_path\bin\AU Data. Delete all files and any subfolders from this directory, but not the folder itself.
$TMCPMAuHelper_in
82. curity Level Low would produce no effect.
• Rule Name: Click an existing rule to modify it. Any modifications made to a global rule from within the policy will apply only to that policy; the global rule itself will not change.
• Add: Click this button to create and enable a new exception rule.
• Import Global Rules: Click this button to repopulate the Exception Rules list with exceptions from the Global Exception Rules list.
Click Save. The Firewall Policy List becomes active.

To deploy the firewall policy to endpoints
1. Enable the policy you just created in the Policy List by selecting it. All enabled policies will be bundled into the Task when you create it. Disable any policies in the list that you do not want in the Task. Deleting a policy will make it unavailable for other Tasks.
2. Move your policy to the top of the list and click the Save Order button.
3. Click the Create Firewall Policy Task button at the top of the screen. The Policy Deployment Description appears.
4. Accept the defaults and click OK.
5. When prompted, type your private key password and click OK. The Task Description window appears.
6. Below Actions, click the hyperlink to open the Take Action window, which opens to the Target tab.
7. Click Applicable Computers, or whichever option will include all endpoints with the firewall installed.
8. Click OK and, when prompted, type your private key password an
83. [Screenshot: the Firewall Policy List in the ESP Console, listing policies with their status (Enabled/Disabled), security level, IP address scope (All IP Addresses) and exception rules such as FTP, FTP-DATA, Telnet, SMTP, DNS, HTTP, HTTPS, NETBIOS Session Service, SNMP, SNMP TRAP and SMB]

FIGURE 7-2 Firewall policies are evaluated in top-down order

The Policy: Within a firewall policy, include all possible IP addresses or a range of IP addresses. Policy IP addresses will always be limited to the population of IP addresses defined in the Task that deploys it.

The Task: You can make the Task relevant to all or certain computers. By default, Tasks created for a firewall policy will use a relevance statement that is made up of conditions from the firewall policy.

The Action: When you deploy a Task, you select your targets from the population of endpoints made available in the Task. You can reduce the population of endpoints to those that you want the policy to target and the conditions under which you want the policy to apply. For example, you can filter the possible endpoints by selecting a different target, by de
84. d click OK. In the Action Summary window that opens, check the Status and Count after a few minutes to confirm that the Action is Running and then Completed. Close any open windows to return to the Dashboard view.

Create and Deploy Smart Policies (Example)
In this procedure you will create four firewall policies, one for each of the policy goals listed below.

Usage scenario: Endpoints are comprised of desktop computers and laptops. All are running the CPM Firewall. Desktops have a single wired LAN. The laptops have both a LAN and a W-LAN. The laptops, being mobile, often travel to different corporate offices (London and New York). In addition, they are used outside the corporate network (Airport).

Create one firewall policy for each of the following cases:
• Policy 1: Prevent wireless FTP connections in London
• Policy 2: Allow wired and wireless FTP connections in New York
• Policy 3: Allow wired FTP connections in London and New York
• Policy 4: Prevent all but HTTPS connections in unknown locations (wireless)

When targeting specific IP addresses in a firewall policy, be sure that the IP address ranges specified are mutually exclusive, that is, that the same IP address is not included in related policies.
• London: 10.10.0.0 - 10.10.255.255
• New York: 192.168.0.0 - 192.168.255.255
• Unknown: Not London or New York

To create a policy for each case
The steps for
85. d the settings, the end user's Manual Scan will only scan for EXE files, not all file types.

[Screenshot: the ESP Console with the CPM Dashboard open; the On-Demand Scan Settings Wizard shows the Scan Target tab with "Enable virus/malware scan", "Enable spyware/grayware scan", "Files to Scan: All scannable files", "File types scanned by IntelliScan" and "Files with the following extensions (use commas to separate entries)"]

Scan Setti
86. damage cleanup processes back to the ESP Console for reporting and analyses.
• The CPM Client Components are responsible for managing pattern files, conducting scans and, with the help of Trend Micro Damage Cleanup services, removing any malware that they detect. These components run undetected by end users and use minimal system resources. You need to install a CPM client on each endpoint that you want to protect. These endpoints should already have the ESP Agent installed.
• ESP Relays increase the efficiency of the system by spreading the load. Hundreds to thousands of ESP Agents can point to a single ESP Relay for downloads, which in turn makes only a single request of the server. ESP Relays can connect to other relays as well, further increasing efficiency, and can be installed on any Microsoft Windows 2000, Windows XP, Windows Server 2003 or Windows Server 2008 computer running an ESP Agent.

Features and Benefits
CPM reduces business risks by preventing infection, identity theft, data loss, network downtime, lost productivity and compliance violations. Additionally, it provides your large enterprise with a host of features and benefits.

Ease of Management
• Uses small, state-of-the-art pattern files and enhanced log aggregation for faster, more efficient updates and reduced network utilization.
• Supports native 64-bit and 32-bit processing for optimized performance.
• Integrates wit
87. dates will be downloaded to the server and flow to the endpoints immediately. Updates are available to all Trend Micro customers with valid maintenance contracts.

The Trend Micro Scan Engine and Detection Technologies
At the heart of all Trend Micro products lies a scan engine. Originally developed in response to early file-based computer viruses, the scan engine now detects Internet worms, mass-mailers, Trojan horse threats, phish sites, spyware and network exploits, as well as viruses. The scan engine checks for threats "in the wild", or actively circulating, and those that are "in the zoo", or known theoretical threat types typically created as a proof of concept. Rather than scanning every byte of every file, the engine and pattern file work together to identify tell-tale virus characteristics and the exact location within a file where the malicious code inserts itself. CPM can usually remove this virus/malware upon detection and restore the integrity of the file, that is, clean the file. International computer security organizations, including ICSA (International Computer Security Association), certify the Trend Micro scan engine annually.

Scan Engine Updates
By storing the most time-sensitive virus/malware information in the pattern files, Trend Micro minimizes the number of scan engine updates required while at the same time keeping protection up to date. Nevertheless, Trend Micro periodically makes new scan engine ver
88. • Users: This option works in combination with the Target, linked by the AND operand; both conditions must be present for the install to occur.
• Messages: Configure these options to passively notify the user that the install is going to occur, to obtain consent, or to ask users to stop using their computer while the install occurs.
When finished identifying the computers you want to receive the lists, click OK and, when prompted, type your private key password and click OK. In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is Running and then Completed. Close any open windows to return to the Dashboard view.

To configure new proxy settings for Web Reputation
If your endpoints connect to the Internet through a proxy server, you will need to identify that proxy and provide log-on credentials. The credentials will be used by those CPM clients you target with this Action to connect to the Internet.
Note: You will be prompted to provide a password for the proxy server. Be sure to encrypt the password using the utility provided in the Task before deploying the Task; otherwise the user name and password will be visible in the Action's Summary Details.
1. In the CPM Dashboard, click Tasks > Web Reputation > Enable/Configure Proxy Settings. The Task Description page opens.
2. Download and expand the encryption program, which will have a name such
89. e the scan settings reflect the latest settings configured by the administrator for an On-Demand Scan. For example, an administrator might schedule an On-Demand Scan every Thursday at 12:00 PM that scans all file types. Then the administrator might run an On-Demand Scan with different scan settings, maybe scanning only for EXE files, at 14:00 PM. If an end user runs a Manual Scan at 15:00 PM and the administrator has not changed the settings, the end user's Manual Scan will only scan for EXE files, not all file types.
• Scheduled scans: You can schedule an On-Demand Scan to trigger at a given time, day or date. You can also have the scan automatically reoccur according to the schedule you set.
• Real-Time scans: This scan checks files for malicious code and activity as they are opened, saved, copied or otherwise accessed. These scans are typically imperceptible to the end user. Real-time scans are especially effective in protecting against Internet-borne threats and harmful files being copied to the client. Trend Micro recommends that you enable real-time scanning for all endpoints.

Configuring the Default Scan Settings
Whenever you run the default on-demand scan, the settings applied are those that you configured for the default On-Demand Scan Settings. The relationship between these is shown in Figure 4-5.

To configure the default On-Demand Scan settings
1. In the CPM Dashboard, click Configuration > On-Demand S
90. e 2007 folders, you need to manually add the folders to the scan exclusion list. For scan exclusion details, see http://technet.microsoft.com/en-us/library/bb332342.aspx

Virus/Malware Scan Settings Only
• Clean/Delete infected files within compressed files: Selecting this option can slow scan processing time. For a list of secondary actions if clean or delete fails, see Security Risks starting on page 11-4.

Spyware/Grayware Scan Settings Only
• Enable assessment mode: CPM audits spyware/grayware detections. This can be especially useful for identifying and observing suspect programs for individual handling. It also prevents any service interruption that may otherwise occur during the cleaning, as well as the unexpected termination of any running processes or deletion of registry keys. Assessment also allows you to recognize and exonerate files that were incorrectly detected as spyware/grayware by adding them to the Spyware White List, as described on page 5-11. If enabled, set the "Valid until 11:59:59 pm of <select date>" field.
Note: Assessment mode overrides the user-configured scan action. If you have a scan action set to Clean but have also enabled Assessment mode, On-Demand Scans will use the Pass action and Real-Time Scans will use the Deny action. During assessment mode, CPM performs the following scan actions:
• Pass (On-Demand Scans)
• Deny (Real-Time Scans)
Tip
91. e Global Settings on page 4-3
• The Global Settings Analysis on page 4-5
• Configure and Run Malware Scans on page 4-6
• Configure Client Updates from the Cloud on page 4-12
• Use a Previous Pattern File Version on page 4-14
• Deploying Selected Pattern Files on page 4-17
• Exempting Programs From Spyware Detection on page 4-18
• Restoring Programs Incorrectly Detected as Spyware on page 4-20

Using the CPM Dashboard and Menu
• Open the CPM Console by clicking the Windows Start button, then Programs > Trend Micro Endpoint Security Platform > ESP Console. When prompted, log in as a Master Console Operator.

Tips for Navigating the CPM Console
When you open the ESP Console you will notice that there are two systems of navigation: the CPM Dashboard and a classic folder tree. Both are shown in Figure 4-1.
1. Display the CPM Dashboard by clicking Dashboards > CPM Dashboard in the Console menu.
2. Switch between Navigation Views such as Fixlet Messages, Tasks and Actions.
3. Find any Task, including custom Tasks, by browsing the folder tree. Click the Task tab and then click All Tasks > By Site > Trend Core Protection Module.

[Screenshot: the ESP Console with the CPM Dashboard open, showing the Dashboards menu and the list of All Applicable Tasks]
92. e Manually scan files and folders for virus/malware and spyware/grayware
• View Manual Scan results and take action on infected files
• Update to the latest version of protection components

The CPM client console, shown in Figure 9-1, allows users to initiate scans at any time on the files and folders selected, then view the scan results.

[Screenshot: the CPM client console with the Manual Scan tab selected, listing the directories and folders to scan under My Computer]

FIGURE 9-1 The CPM client console accesses Manual Scan and results

CPM Client Dashboard vs. CPM Client Console
The CPM Client Dashboard offers display-only information about the client machine to the client machine user and the administrator. Before accessing it, it must be enabled from the CPM Dashboard and deployed. For more information about enabling and disabling the CPM Client Dashboard, see "To display the CPM icon on endpoints" on page A-6. Users right-click the red icon (1 in Figure 9-2) to access it.

The CPM Client Console provides on-demand scan information about the client machine to the client machine user. Before accessing it, it must be enabled from the CPM Dashboard and d
93. e correct security policy for the new location. This same idea also applies to firewall configurations and other CPM security features. So, for example, in addition to location-specific configurations, you can create NIC-specific security policies if you want to have one set of malware and firewall settings govern wireless connections and another set govern wired connections. Your LAN and W-LAN settings can be the same for all geographic locations, or they too can vary to reflect a local security policy. For example, wireless connections in New York could have one set of rules and wired connections might have a different set of rules. In Germany there may be completely different rules for both wired and wireless connections: two locations, but four sets of rules that may apply.

Creating Locations
Use the ESP Location Property wizard to create one or more named properties, which allow ESP Agents to identify themselves according to their current network location or status. As soon as the property is created it will be propagated to all clients, and applicable computers will pick up the setting; that is, their configuration status may change according to the choices you have in place. Before you begin, you should know or have a list of the subnets used in your organization and their respective geographic locations. Alternatively, you can create a custom relevance expression to dynamically map retrieved client properties using a key/value s
94. [Screenshot: the Enable Automatic Updates Task description, which reads in part: "Use the link below to download the setup script to the CPM Server. Instructions for running the automatic update setup script can be found ... Important Note: Please validate file integrity with the following information: Filename: CPMAutoUpdateSetup_1.6.vbs, SHA1: 1C97D104FDED722D2ADD2C14C08C3B0FE1EDA947. Actions: Click to enable automatic updates on the server"]

FIGURE 2-7 Use the Enable Automatic Updates - Endpoints task

4. Make this task a policy and use the settings below, recommended by Trend Micro.
Note: Making this task a policy allows you to install CPM on a new machine and have the new machine automatically download updates.
• Change the name of the action to POLICY - Core Protection Module - Enable Automatic Updates - Endpoint to distinguish the open action as a policy.
• Change the Preset from Default to Policy.
• On the Target tab, select the "All computers with the property values selected in the tree below" option. Choose a group property or Active Directory container to target, or target all computers.
• Click OK.
5. Type your private key credential when prompted. The Action Summary tab appears. Check the Status after a few minutes to confirm that the Action is Fixed. You do not have to wait for the task to complete before continuing.
6. Close the open windows to return to the Dashboard view.

Updating the Pattern
95. ed sites.

How CPM Works
Trend Micro ESP uses the patented Fixlet technology from BigFix to identify agents with outdated antivirus and malware protection. You can trigger 50,000 computers to update their 10MB pattern file and have confirmation of the completed action in as little as 15 minutes.

Once CPM is installed, you will find it easy to protect your networked computers and keep them secure, all from the ESP Console. Deploying CPM to ESP-managed endpoints can be accomplished in minutes. After completing this process, you will be able to track the progress of each computer as you apply CPM component updates. This tracking makes it easy to gauge the level of protection across your entire enterprise. Additionally, the ESP Web Reporting module makes it simple to chart the status of your overall protection with Web-based reports.

ESP Components
CPM, as a module in the Trend Micro Endpoint Security Platform (ESP), provides a powerful, scalable and easy-to-manage security solution for very large enterprises. This integrated system consists of the following components:
• The ESP Console ties all the components together to provide a system-wide view of all the computers on your network, along with security status information.

[Screenshot: the ESP Console navigation tree, showing My Custom Fixlet Messages, Locally Hidden Fixlet Messages and Globally Hidden Fixlet Messages]

FIGURE 1-1 (caption not legible in the source)
96. ekly report

Virus Encyclopedia, which includes a comprehensive list of names and symptoms for known viruses and malicious mobile code

Glossary of terms

http://www.trendmicro.com/vinfo

Security Risks

This section describes common security risks: viruses, malware, spyware, grayware, and Web threats. CPM protects computers from each of the security risks described below.

Contacting Trend Micro

Phish Attacks

Phish, or phishing, is a rapidly growing form of fraud that seeks to fool Web users into divulging private information by mimicking a legitimate Web site. In a typical scenario, unsuspecting users get an urgent-sounding and authentic-looking email telling them there is a problem with their account that they must immediately fix to avoid account termination. The email will include a URL to a Web site that looks exactly like the real thing; it is simple to copy a legitimate email and a legitimate Web site but then change the so-called back end, the recipient of the collected data. The email tells the user to log on to the site and confirm some account information. A hacker receives the data a user provides, such as logon name, password, credit card number, or social security number. Phish fraud is fast, cheap, and easy to perpetrate. It is also potentially quite lucrative for those criminals who practice it. Phish is hard for even computer-savvy users to detect, and it is hard for law enforcement to track down. Worse, it is almost i
97. elect Wait between attempts when there is a failure and choose 10 minutes.
   iii. Select while relevant, waiting between reapplications and choose 1 hour. If you want to check for updates more or less frequently, increase or decrease this interval.

Note: If you are configuring CPM for testing, a Proof of Concept installation, or simply reviewing the features in the product, you can change this interval to 10 minutes to check for updates more frequently.

   d. Click OK.

FIGURE 2-9 Schedule the ESP Server to automatically check the Trend Micro ActiveUpdate Server for pattern updates (Take Action window for "POLICY: Core Protection Module - Set ActiveUpdate Server Pattern Update Interval")

Core Protection Module Administrator's Guide 2-20

5. When prompted, type your private key password and click OK. The Action window opens. Check the Status after a few minutes to confirm that the Action is Running and then Completed. You do not have to wait for the task to complete before continuing.

6. Close any open windows to return to the Dashboard view.

Running the Apply Automatic Updates Task

The last step in the configuration procedure is to set up a policy to download updates from the ESP server as soon as they become available. This task is resp
98. elist Task. The Web Reputation Blacklist/Whitelist Wizard screen opens.

2. Click the link Import Templates from WPM, which will only appear in the screen if you have any existing blacklists/whitelists that were created with, and currently exist on, the standalone WPM site. See Figure 6-1.

FIGURE 6-1 Trend Micro Endpoint Security Platform Console, CPM Dashboard: Web Reputation Blacklist/Whitelist Wizard (screenshot)
99. On Demand Scan Settings Wizard (screenshot): Enable virus/malware scan; Enable spyware/grayware scan; tabs Scan Target, Scan Exclusion, Scan Action; Files to Scan (All scannable files, File types scanned by IntelliScan, or a list of file extensions); Scan Settings (Scan compressed files, Maximum layers 2); Virus/Malware Scan Settings Only (Scan boot area, Enable IntelliTrap); CPU Usage (if your client computers run CPU-intensive applications you may want CPM to pause between file scans to free up CPU resources: High scans files one after another without pausing, Medium pauses slightly between file scans).

The numbered taskflow illustrates how to save a scan configuration as the default Task or create a custom configuration. The configuration settings you define for these scans will apply in conjunction with whatever Global Settings you have configured.

- On-Demand scans: Use On-Demand scans to run a one-time scan of client hard drives and/or the boot sector. Launch the default scan with the Scan Now Task. On-Demand scans can take from a few minutes to a few hours to complete, depending on how many files are scanned and client hardware.

Note: When an end user initiates a Manual Scan from the CPM client consol
100. eployed. See "To enable the Client Console" on page A-7 for details. Users right-click the blue icon (2 in Figure 9-2) to access it.

FIGURE 9-2 (1) Client Dashboard, (2) Client Console

Accessing the Client Console

To access the client console:
1. Right-click the icon in the system tray. Table 9-1 shows the icons.
2. Mouse over the icon to display client connection information.
3. Select Core Protection Module Console. The CPM client console opens.

Client Connection with CPM Server

Icons on the client computer's system tray indicate the client's scan service status with the CPM server.

TABLE 9-1 Online client icons

ICON | FOR | DESCRIPTION
(icon) | Manual scan | All components are up to date and services work properly
(icon) | Manual or On-Demand scan | Scan is in progress
(icon) | Real-time scan | Real-Time Scan service is disabled
(icon) | All scan types | Improper scan service status; user cannot perform scans

Manual Scans

The Manual Scan tab displays a folder tree that shows your disk drives, folders, and files as they appear in Windows Explorer. Network resources such as Network Neighborhood or My Network Places do not display. Manual Scan is an on-demand scan that starts immediately after a user clicks the Scan button in the client console. The time needed to complete the scan depends on the number of files scanned and the hardware resourc
101. Firewall Policy Settings Wizard (screenshot): Common Firewall Settings and Global Exception rules (FTP-DATA, FTP, SSH, Telnet, SMTP, DNS, Kerberos, POP3, AUTH, NTP, NETBIOS, SNMP, SNMP-TRAP, HTTPS, SMB, and IPsec, over TCP and UDP), with example policies such as "Firewall policy to prevent FTP over WLAN" and "Block FTP" targeting all IP addresses.

FIGURE 7-7 These example firewall policies cover roving endpoints, disabling the firewall, and targeting different policies to different endpoints.

7-16 Install and Manage the Client Firewall

Firewall Policy Configuration

Create or modify a firewall policy by clicking the Add button or a Policy Name in the policy list. The options are explained below.

Firewall Policy Co
102. erent combinations of the policies created above. The combinations you select for a Task are important, as they determine the policies a given endpoint will have available to use.

1. In the Firewall Policy Settings Wizard screen, do the following:
   a. Be sure the policies are ordered correctly, that is, put the policy with an IP address range above the one for all IP addresses.
   b. Select both London policies (Policies 1 and 3). For New York, use Policies 2 and 3. For Unknown, use Policies 1, 2, and 4.
2. Click the Create Firewall Policy Task button at the top of the screen. The Policy Deployment Description appears.
3. In the Name field, give the Task a descriptive name, such as "Firewall policy to prevent FTP over WLAN at London office".
4. Below Description, edit the text to provide, for example, the rationale for the policy to other console operators.
5. Below Actions, edit Link 1. For example: "Click ___ to deploy firewall policy".
6. Click OK to close the windows and, when prompted, type your private key password and click OK. The Task Description window appears.
7. Below Actions, click the hyperlink to open the Take Action window.
8. Click Applicable Computers, or whichever option will include all endpoints with the firewall installed.
9. Click the Execution tab to make it active. Remove any Constraints that you do not want to apply, such as a Start and End date, and in the Behavior section make
103. es of the client computer.

Note: When an end user initiates a Manual Scan from the CPM client console, the scan settings reflect the latest settings configured by the administrator for an On-Demand Scan. For example, an administrator might schedule an On-Demand Scan every Thursday at 12:00 PM that scans all file types. Then the administrator might run an On-Demand scan with different scan settings, maybe scanning only for EXE files, at 14:00 PM. If an end user runs a Manual Scan at 15:00 PM and the administrator has not changed the settings, the end user's Manual Scan will only scan for EXE files, not all file types.

Using the Client Console

Initiating a Manual Scan from the System Tray Icon

To manually scan for security risks:
1. Right-click the client console icon in the system tray.
2. Select Core Protection Module Console.
3. Click the Manual Scan tab.
4. Select the drives, folders, and files you want to scan manually. If a plus sign appears next to a drive or folder, it means that the drive or folder has at least one subfolder.
5. Click Scan.
6. See the Manual Scan Results tab immediately after completing the scan. See "Viewing Scan Results" on page 9-7 for details.

Note: Scan results are only available during the scan session. If the console is closed, scan results are no longer available.

Initiating a Manual Scan from Windows Explorer

This option must be enabled from the CPM dashboard bef
104. es to reduce network load.

FIGURE 3-3 Schedule the CPM clients to automatically check the ESP Server for pattern updates

   a. Change Preset to Policy, as shown by the number 1 in the Figure above.
   b. Enable Starts on and choose the current date and time; do not set Ends on.
   c. Enable On failure, retry 99 times.
   d. Choose to Wait 1 hour between attempts.

3-10 CPM Clients: Installing and Updating

   e. Enable Reapply this action whenever it becomes relevant again.
7. Click OK and, when prompted, type your private key password and click OK. In the Action Summary window that opens, check the Status and Count after a few minutes to confirm that the Action is Running and then Completed. Close any open windows to return to the Dashboard view.

To manually update CPM clients with the latest pattern files:
1. In the CPM Dashboard, click Updates > Update/Rollback Patterns > New Pattern Update/Rollback Task. The Pattern Updates Wizard opens.

Trend Micro Endpoint Security Platform Console, CPM Dashboard (screenshot): Open Actions list showing "Core Protection Module - Disable Automatic Updates - Server" and "Core Protection Module - Enable Automatic Updates - Server", each Open, 100.00%, issued 6/9/2009.
105. Take Action window for the "Run On-Demand Scan - Core Protection Module" task (screenshot): Presets (Save Preset, Delete Preset); tabs Messages, Post-Action, Applicability, Success Criteria, Action Script; Execution options including Starts on / Ends on (client local time), Wait until computer has rebooted, Reapply this action whenever it becomes relevant again (waiting between reapplications), and a limit on the number of reapplications; the task list shows several "On-Demand Scan Settings - Core Protection Module" and "Run On-Demand Scan - Core Protection Module" entries.
106. et. See the ESP Administrator's Guide for more information.

Setting Up and Using Locations

Note: The purpose of the procedure below is to create a property that will define the geographic location of an endpoint according to its subnet. Using the same principles, you could also create a property based on connection type, relay, operating system, or any other characteristics and use it in conjunction with the CPM firewall, CPM malware protection, and CPM Web Reputation.

To create a location property:
1. Log on to the ESP Console as Master Console Operator, open the CPM console, and then click Wizards > Location Property Wizard. The Location Property Wizard screen opens.
2. Choose one of the following and then click Next:
   - Create a retrieved property that maps subnet to location. For each location you want to identify, type the subnet IP address. If a single location includes more than one subnet, type each subnet IP address followed by the same location name on a new line. Clients will self-determine their relevance to a given location by comparing their current IP address with the value(s) specified here. Note that clients with multiple NICs may self-identify using their WLAN or LAN IP address, so you may need to include both subnets.
   - Create a retrieved property that maps subnet to location using only the first two octets. Use this option to support a larger block of IP addresses. As above, clients will self-identify thei
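The two wizard options above (subnet to location, and subnet to location using only the first two octets) are easier to reason about with the matching written out. The Python below is an added example, not Trend Micro or BigFix code: it parses a list of subnet/location lines, resolves the location an endpoint would self-identify with from its current IP address(es), widens every subnet to its first two octets for the second option, and shows why the guide tells you to list both the LAN and WLAN subnets for dual-NIC clients. The "subnet location" line format, the /24 default for a subnet typed without a prefix length, and the sample subnets and addresses are assumptions made for the demonstration.

```python
"""Resolve an endpoint's location from its IP address(es), modelled on the two
Location Property Wizard options described above (subnet to location, and
subnet to location using only the first two octets).

Added example, not Trend Micro or BigFix code. The 'subnet location' line
format, the /24 default for a subnet typed without a prefix length, and the
sample subnets and addresses are all assumptions made for the demonstration.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample mapping: one location may span several subnets, and the
# London WLAN subnet is listed separately so dual-NIC clients still match.
LOCATION_MAP = """
10.1.10.0/24 London
10.1.20.0/24 London
10.2.10.0/24 NewYork
192.168.50.0/24 London-WLAN
"""


def parse_location_map(text: str) -> Dict[ipaddress.IPv4Network, str]:
    """Parse 'subnet location' lines into a network -> location mapping.
    Blank lines and '#' comments are skipped; a subnet without a prefix
    length is assumed to be a /24 (assumption, see module docstring)."""
    mapping: Dict[ipaddress.IPv4Network, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        subnet, location = line.split(None, 1)
        if "/" not in subnet:
            subnet += "/24"
        mapping[ipaddress.ip_network(subnet, strict=False)] = location.strip()
    return mapping


def effective_network(net: ipaddress.IPv4Network, first_two_octets: bool) -> ipaddress.IPv4Network:
    """The network actually compared against: unchanged for the plain option,
    widened to a /16 for the 'first two octets' option (a subnet already wider
    than /16 is left as it is)."""
    if not first_two_octets or net.prefixlen <= 16:
        return net
    return ipaddress.ip_network("%s/16" % net.network_address, strict=False)


def matched_locations(addresses: Iterable[str], mapping: Dict[ipaddress.IPv4Network, str],
                      first_two_octets: bool = False) -> List[str]:
    """Every location any of the endpoint's addresses falls into, most specific
    match first and duplicates removed. A client with a LAN and a WLAN NIC
    reports both addresses; more than one result means its NICs would
    self-identify differently, which is why both subnets should be listed."""
    hits = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        for net, location in mapping.items():
            cmp_net = effective_network(net, first_two_octets)
            if ip in cmp_net:
                hits.append((cmp_net.prefixlen, location))
    hits.sort(key=lambda hit: -hit[0])  # stable sort: NIC order kept within a prefix length
    result: List[str] = []
    for _, location in hits:
        if location not in result:
            result.append(location)
    return result


def resolve_location(addresses: Iterable[str], mapping: Dict[ipaddress.IPv4Network, str],
                     first_two_octets: bool = False) -> Optional[str]:
    """The single value the location property would take, or None when the
    endpoint is on a subnet that is not listed (the 'Unknown' case)."""
    locations = matched_locations(addresses, mapping, first_two_octets)
    return locations[0] if locations else None


if __name__ == "__main__":
    mapping = parse_location_map(LOCATION_MAP)
    for addrs in (["10.1.20.37"], ["10.1.10.4", "192.168.50.7"], ["10.1.99.1"], ["172.16.0.9"]):
        print(addrs, "->", resolve_location(addrs, mapping),
              "| first two octets ->", resolve_location(addrs, mapping, first_two_octets=True))
```

With the sample list, 10.1.99.1 is unmatched under the exact-subnet option but becomes "London" under the first-two-octets option, which is the trade-off the second wizard option makes: a larger block of addresses per location at the cost of treating every 10.1.x.x host as London.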
107. ettings > New On Demand Settings Task. The On Demand Scan Settings Wizard appears.

Configuring and Managing CPM

Trend Micro Endpoint Security Platform Console, CPM Dashboard (screenshot): Fixlet message list (including "BES Server Cannot Access Internet" and "Core Protection Module - Enable Automatic Updates - Server"), the On Demand Scan Settings Wizard with Scan Now Task and Create Configuration Task buttons, and the Configuration tree (Global Settings, On Demand Settings, Real Time Settings, Web Reputation Blacklist/Whitelist, ActiveUpdate Server Settings, Common Firewall Settings) with the Tasks list below it.
108. figuration > Web Reputation Blacklist/Whitelist > Web Reputation Blacklist/Whitelist Task to open the Web Reputation Blacklist/Whitelist Wizard.

Select the name of the Blacklist/Whitelist template you want to duplicate and click Copy. The name of the template appears in the form of "Copy of" followed by the template name you chose to copy. Web Reputation automatically copies the contents of the Blacklist and Whitelist fields into the new template.

Change the name in the Template Name field to a descriptive template name.

Make other necessary changes to the template. For example, in copied templates you can:
- Add new URLs to the copied blacklist or whitelist
- Remove URLs from the blacklist or whitelist
- Import and append either an external blacklist or an external whitelist to your blacklist and whitelist entries

When you have modified the template, click Finish to end the process and to start generating the relevant Custom Action.

Using Web Reputation

Editing Custom Actions

The Blacklist/Whitelist Wizard allows you to edit existing blacklist or whitelist templates. You may edit these Custom Actions in two different ways:
- By making modifications using the Edit Task window immediately after you click Finish to create the Custom Task
- By accessing the Edit Task window AFTER you have completely generated the Custom Task

To make modifications using the Edit Task window, either access it as part of Cu
109. fining user eligibility, or by setting execution or offer conditions.

5. The Endpoint: The ESP Agent installed on the endpoint keeps a detailed list of computer-specific parameters against which it continuously evaluates the relevance statements of all Tasks deployed to it. If the endpoint finds that it is not relevant, it will not incorporate the policy. This is significant when you deploy multiple firewall policies to co-exist on the same endpoint (as opposed to one policy replacing another). The endpoint selects which policy to apply based on its current status, for example, the IP address it is currently using to connect to the network.

Policy Verification

It is possible to create a condition wherein no policies are applied to a given IP address, or the wrong policy is inadvertently applied to a given IP address. Trend Micro recommends that, following deployment, you confirm your policy coverage by using a port scanning program such as Nmap (http://nmap.org) to verify that the policy has been applied to the computers and ports and is functioning as you expect.

Global Exceptions

You can add rules from the Global Exceptions list to individual firewall policies. These rules are available when you create a new policy; however, only those rules that you have actually enabled in that policy will remain after you save it.

Exception Rule Configuration dialog (screenshot): Save Rule, Cancel; Name: Telnet; Action
110. following virtualization applications:
- Microsoft Virtual Server 2005 R2 with Service Pack 1
- VMware ESX/ESXi Server 3.0 or 3.5 (Server Edition)
- VMware Server 1.0.3 or later (Server Edition)
- VMware Workstation and Workstation ACE Edition 6.0
- Microsoft Windows Server 2008 64-bit Hyper-V environment

Hardware
Processor: Minimum 1GHz Intel Pentium or equivalent; 2GHz recommended
RAM: 1GB minimum; 2GB recommended
Available disk space: 16GB minimum

TABLE 3-8 Windows 7 (64-bit version)

RESOURCE | REQUIREMENT
Operating system | Note: Windows 7 requires ESP agent 7.2.5 or later. Windows 7. CPM also supports XP mode running in Windows 7. CPM supports client installation on guest Windows 7 operating systems hosted on the following virtualization applications: Microsoft Virtual Server 2005 R2 with Service Pack 1; VMware ESX/ESXi Server 3.0 or 3.5 (Server Edition); VMware Server 1.0.3 or later (Server Edition); VMware Workstation and Workstation ACE Edition 6.0; Microsoft Windows Server 2008 64-bit Hyper-V environment
Hardware | Processor: Minimum 2GHz Intel Pentium or equivalent. RAM: 2GB minimum. Available disk space: 20GB minimum

Conflicting or Incompatible Programs

Remove the following programs before deploying CPM to the endpoints:

Spyware, Virus, and Malw
111. for the update, if any.
- Users: This option works in combination with Target, linked by the AND operand; both conditions must be present for the install to occur.

After selecting the computers you want to update, click OK and, when prompted, type your private key password and click OK. In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is Running and then Completed. Close any open windows to return to the Dashboard view.

Re-enabling Updates Following a Rollback

After a rollback, you must clear the rollback flag setting attached to patterns on your CPM clients to re-enable manual, cloud, and/or automatic pattern updates. The same holds true even for pattern files that were not included in the rollback: all pattern file updates will be on hold after a rollback until their individual flags have been lifted. You can lift the flag on all pattern files at once or on selected files.

To clear the rollback flag:
1. In the CPM Dashboard, click Updates > Other Update Tasks > Clear Rollback Flag. The Task Description window opens.
2. Below Actions, click the hyperlink to open the Take Action window.
3. In the Target tab, click "All computers with the property values selected in the tree list below" and then choose a property that will include all the computers you want to deploy this Action to.
4. Click OK and then, when prompted, type your private key password and click OK.
112. form Administrator's Guide and the Endpoint Security Platform Console Operator's Guide.

FIGURE 2-4 Update overview (flowchart):
1. Run the CPM Automatic Update Setup Visual Basic script to create the CPM operator and custom update site.
2. Run the "Core Protection Module - Enable Automatic Updates - Server" Fixlet as a one-time action targeting the ESP Server.
3. Run the "Core Protection Module - Enable Automatic Updates - Endpoint" Fixlet as a policy targeting any endpoints that should have automatic updates enabled.
4. Run the "Core Protection Module - Set ActiveUpdate Server Pattern Update Interval" Task as a policy targeting the ESP Server and running every hour, with retry-on-failure settings enabled.
5. Run the "Core Protection Module - Apply Automatic Updates" Task as a policy targeting all endpoints that should automatically apply updates and that have retry-on-failure settings enabled.

Alternatively, you can download the script and run it independent of this procedure. You can even manually perform the steps automated by the script. The URL below contains instructions for the manual procedure and a link to the script download:

http://support.bigfix.com/cpm_update.html

Note: Pattern updates to the ESP Server always include all 14 patterns. When configuring updates for CPM clients, you can select patterns individually and selectively update
113. g services. Spyware and other grayware applications may be masked as other types of files your users may want to download, such as MP3 music files. Periodically examine the installed software on your agent computers and look for applications that may be spyware or other grayware.

Keep your Windows operating systems updated with the latest patches from Microsoft. See the Microsoft Web site for details.

Appendix A: Routine CPM Tasks (Quick Lists)

The Appendix includes a quick list of How-To's for the most common and routine management tasks you are likely to encounter. In addition, you will find several processes that are intended to reduce some procedures to a simple reference. Refer to the complete procedure if you need configuration steps, an explanation of choices, or other details.

Procedure sections in this appendix include:
- Scan Management on page A-2
- Spyware Handling and Correction on page A-4
- CPM Server Management on page A-4
- CPM Client Management on page A-5
- Pattern File Management on page A-8
- Web Reputation on page A-10
- CPM Firewall on page A-10

Scan Management

Scan management procedures included in this section include:

For General Scan Configurations:
- To change or configure scan settings, on page A-2

For Real-time and On-Demand Scans:
- To configure the Scan Now scan, on page A-3
- To start scanning with the default settings, on page A-3
114. gh to low and have the following default actions:
- High: blocks unknown, suspicious, and dangerous sites
- Medium: blocks dangerous and suspicious sites
- Low: blocks only dangerous sites

For example, if you set the Security Level to Low, Web Reputation will only block URLs that are known to contain malicious software or security threats.

To configure a default security level:
1. In the CPM Dashboard, click Tasks > Web Reputation > Configure Web Reputation Security Level. The Task Description opens. See Figure 6-4.

Task Description for "Web Reputation - Configure Web Reputation Security Level" (screenshot): Web Reputation integrated into CPM proactively protects clients from malicious and potentially dangerous sites; security levels determine whether Web Reputation will allow or block access to a URL. High: blocks URLs that are unrated, a Web threat, very likely to be a Web threat, or like. Medium: blocks URLs that are unrated, a Web threat, or very likely to be a Web threat. Low: blocks only URLs that are a Web threat.

2. Use the actio
115. > mo New Global Settings Task

Global Scan Settings Wizard (screenshot): Stop scanning after CPM detects 100 viruses/malware in the compressed file; Scan OLE objects, Maximum layers 3; Virus/Malware Scan Settings Only: Exclude Microsoft Exchange server folders from scanning, Clean/Delete infected files within compressed files; Spyware/Grayware Scan Settings Only: Enable assessment mode (Valid until 12:59:59 pm of ...), Scan for cookies; Reserved Disk Space Settings: Reserve 60 MB of disk space for updates; Client Console Settings: Enable system tray icon, Enable manual scan shortcut in Windows Explorer context menu.

FIGURE 4-2 Configure a Task from the Global Scan Settings Wizard

To create a Global Settings configuration Task:
1. In the CPM Dashboard, click Configuration > Global Settings > New Global Settings Task. The Global Scan Settings Wizard appears. See Figure 4-2.
2. Make your configuration choices; options are detailed in "Configure and Run Malware Scans" on page 4-6.
3. Click the Create Global
116. h the Trend Micro ESP Console to provide centralized security, including the centralized deployment of security policies, pattern files, and software updates on all protected clients and servers.

Extended Platform Support

Works with most versions of Microsoft Windows, including Microsoft Windows 2000, Microsoft Windows XP (32/64-bit), Microsoft Windows Vista (32/64-bit), Microsoft Windows 2000 Server, Microsoft Windows Server 2003 and Windows Server 2008 (32/64-bit), Microsoft Windows 2008 R2, and Microsoft Windows 7.

Superior Malware Protection
- Delivers powerful protection against viruses, Trojans, worms, and new variants as they emerge
- Protects against a wide variety of spyware/grayware, including adware, dialers, joke programs, remote access tools, key loggers, and password cracking applications
- Detects and removes active and hidden rootkits
- Cleans endpoints of malware, including processes and registry entries that are hidden or locked

Web Reputation Technology

The CPM Web Reputation technology proactively protects client computers within or outside the corporate network from malicious and potentially dangerous Web sites. Web Reputation breaks the infection chain and prevents downloading of malicious code. In addition to file-based scanning, CPM now includes the capability to detect and block Web-based security risks, including phishing attacks. Using the ESP location awareness features, you
117. hat have already been run; however, see above for new analyses.
- Other existing Fixlets, Tasks, Actions (including relevance statements, target definitions, and other embedded logic), and Baselines

Upgrading CPM from Version 1.5 to Version 1.6

If you are currently running CPM 1.5, there are no steps to upgrade. You will receive the CPM 1.6 content once it propagates to your site. At that point, you can enable the new feature shown in the following section. You should upgrade the CPM server components to version 1.6 and then deploy the upgrade to your CPM clients.

What Has Changed And Requires Action
- CPM Client Console: The new console on the endpoint machines allows manual scanning of files and folders for virus/malware and spyware/grayware, the ability to review the results and see what actions were taken on the infected files, and a feature that allows the client machine to update immediately to the latest version of protection components. See "Using the Client Console" on page 9-1 for details.
- New platforms supported: Windows 7 and Windows 2008 R2 platform support added. See "System Requirements" on page 3-14 for details.

Note: Upgrade to the ESP 7.2.5 agent, which supports the Windows 7 and Windows 2008 R2 operating systems, before attempting to install CPM.

- Enable/disable Web Reputation logging: The collection of visited sites can be enabled and disabled using the Task pane. See "About Analyses" on page 6-17 for details.

What
118. have already updated the CPM server components ahead of the clients.
- CPM server components: Run the Task "Core Protection Module - Upgrade Server Components". See "Install CPM Components on the ESP Server" on page 2-4.

Web Reputation

If you are currently using the Trend Micro Web Protection Module (WPM) standalone version, you will need to migrate your existing blacklist and whitelists to use them in CPM 1.6. See "Migrating WPM Standalone Settings" on page 6-2 for instructions on migrating and configuring WPM in CPM 1.6.
- WPM (current standalone users only): Migrate any black/white lists to CPM 1.6, unsubscribe from the WPM site, and uninstall WPM clients before upgrading the endpoints to CPM 1.6.
- Common Firewall: If you have purchased and installed the Trend Micro Common Firewall, you will need to add that masthead and create firewall policies. See "Install and Manage the Client Firewall" starting on page 7-1 for details.

Activate New Analyses

Any existing analyses that you have activated in CPM version 1.0 will remain. However, to support new features in version 1.6, you should activate the following Analyses after upgrading and configuring the new features:
- Core Protection Module - Spyware/Grayware Restore Information
- Web Reputation - Client Information
- Web Reputation - Site Statistics
- Common Firewall - Endpoint Firewall Settings
- Common Firewall - Inbound Port Vi
119. he Dashboard view.

Enabling Automatic Updates on Endpoints

Next, you must set up a policy to enable automatic updates on the endpoints you want to manage with ESP. Note that this task only enables updates. It is not responsible for downloading or applying updates.

Note: Be sure that any firewall running locally on, or between, ESP agents and the ESP server has the ESP communication port (52311 by default) open for both TCP and UDP traffic. Failure to do so could cause significant delays in agents receiving pattern and/or engine updates.

To run the Enable Automatic Updates - Endpoint task:
1. Navigate to Dashboards > CPM Dashboard.
2. Once the dashboard appears, navigate to Updates > Automatic Update Tasks > Enable Automatic Updates - Endpoint.
3. Find the action to enable automatic updates on the server and click the "here" link.

"Core Protection Module - Enable Automatic Updates - Server" (Trend Micro Core Protection Module Fixlet) Description: Take the first action below to enable automatic updates on the Core Protection Module server. After running this action, when new patterns are downloaded by the CPM server, they will be made available for application by endpoints that have also been configured for automatic updates. Important Note: Enabling automatic updates on the CPM Server additionally requires manual download and execution of the CPMAutoUpdateSetup script. Pleas
120. the Take Action window.
2. In the Take Action window, click the Execution tab.
• Choose a Start date and, optionally, configure the days you want the scan to run in the Run only on field.
• Select Reapply this action while relevant, waiting 2 days between reapplications, choosing whatever time period suits you.
To change or configure the following extra scan settings:
• Client performance (CPU throttling)
• Virus and malware scanning
• Spyware and grayware scanning
• How threats are handled (delete, quarantine)
• Real-time scanning (scan files as they are created, modified or received)
• Which files are scanned (performance/security)
• Boot sector scanning
• Floppy disk scanning (real-time)
• Network drive scanning
• Compressed files (performance/security)
1. In the CPM Dashboard, click Configuration > On-Demand Settings > New On-Demand Settings Task.
2. Deploy the On-Demand settings by clicking Configuration > On-Demand Settings > scan name.
OR
1. In the CPM Dashboard, click Configuration > Real-Time Settings > New Real-Time Settings Task.
2. Deploy the Real-Time settings by clicking Configuration > On-Demand Settings > scan name.
Spyware Handling and Correction
To exempt files from detection:
1. Click Configuration > New Spyware White List Task.
2. Identify the file(s) you want to prevent from being detected as spyware.
3. Cli
121. The status of the agent's Web Reputation feature (Enabled/Disabled).
Web Reputation Security Level: The security level for the Web Reputation feature (High, Medium or Low).
Proxy Server Enabled/Disabled: Whether a proxy server is enabled or disabled.
Proxy Server Address: The address of the proxy server.
Proxy Server Port: The port being used by the proxy server.
Proxy Server User Name: The user name used by the client to connect to the proxy server.
Blacklist/Whitelist Template: The name of all blacklist and whitelist templates deployed to the Agent.
Number of Days since Last Log Maintenance: The number of days that have elapsed since you last performed Log Maintenance.
Log Age Deletion Threshold: The number of days that logs will be kept on the endpoint before they are deleted (the log age deletion threshold).
The Site Statistics analysis displays statistical information about the number of Web sites accessed by an endpoint. You can use this analysis to view the following:
1. Blocked Sites: Shows the time a block occurred and the URL that was blocked.
2. Visited Sites: Shows each domain visited and the number of visits.
Note: Enable or disable the collection of visited sites in the task pane by selecting either Web Reputation - Enable Collection of Visited Sites or Web Reputation - Disable Collection of Visited Sites and applying it to the appropriate endpoint.
122. [Screenshot: Web Reputation Blacklist/Whitelist Templates page in the CPM Dashboard, showing a template with its Blacklist Sites and Whitelist Sites, plus Create Task from Template, Copy, Delete and Import Templates controls.]
FIGURE 6-1. You can migrate existing lists from WPM standalone to CPM.
2. To unsubscribe from the WPM site
Remove the standalone Web Protection Module site from the ESP Console by deleting the mastheads from the list of managed sites.
1. In the ESP Console menu, click Tools > Manage Sites and select the Web Protection Module.
2. Click the Remove Site button and then OK.
3. Enter your private key password. The ESP Server will remove the WPM masthead.
3. To uninstall the standalone WPM
Before you can install or upgrade CPM 1.6 endpoints, you must uninstall any existing WPM standalone clients.
1. In the CPM Dashboard, click Deployment > Uninstall > Web Protection Module. The Fixlet opens the Applic
123. IntelliTrap: Blocks real-time compressed executable files and pairs them with other malware characteristics. Trend Micro recommends quarantining (not deleting or cleaning) files when you enable IntelliTrap. Do not use IntelliTrap if your users frequently exchange real-time compressed executable files.
CPU Usage (On-Demand Scans Only)
On-Demand scans can be CPU intensive, and clients may notice a performance decrease when the scan is running. You can moderate this effect by introducing a pause after each file is scanned, which will allow the CPU to handle other tasks. Consider factors such as the type of applications run on the computer, CPU, RAM, and what time the scan is run.
• High: No pausing between scans
• Medium: Pause slightly between scans
• Low: Pause longer between scans
Scan Exclusions Tab
To increase scanning performance and reduce false alarms, you can exclude certain files, file extensions, and directories from scanning. There are different exclusion lists for different scans. These exclusions do not apply to spyware. See Spyware White List Wizard on page 5-11 to understand how to prevent false positives by excluding certain program files from spyware detection.
AV/Spyware Scan Exclusion
By default, CPM excludes its own directories. The recommended settings are:
• Exclude Trend Micro directories
• Exclude BigFix directories (Real-Time scans only)
Remove any conflicting antivi
124. [Screenshot: Firewall Policy Settings Wizard in the CPM Dashboard, listing existing firewall policies by Policy Name, Status, Security Level and Applied IP Range, with Save Order, Add and Delete controls.]
A Firewall poli
125. Click OK, and then type your private key password and click OK to deploy the Action. In the Action Summary window that opens, check the Status and Count after a few minutes to confirm that the Action is Running and then Completed. Close any open windows to return to the Dashboard view.
Now that locations have been defined, the next step is to create a couple of different configuration settings and bundle them into a Task. You can then associate these Tasks with the Locations you just created.
Creating Location-Specific Tasks
In the procedures below, the goal is to create two different configurations and tasks and then attach them to different locations. The result will be that Configuration 1 will automatically be picked up by users in Location 1, and Configuration 2 will be picked up by users in Location 2. If a user from Location 2 travels to Location 1, he will automatically pick up Configuration 1 when connecting to the network.
See Install and Manage the Client Firewall starting on page 7-1 for instructions on creating location-specific firewall policies, and NIC-specific and connection-specific policies, such as connecting through the corporate LAN or a coffee shop.
How Location Properties Work
Each ESP Agent on which the CPM client resides receives a complete list of all the Actions deployed from the ESP Server through the various Tasks. The individual Agents check themselves
126. restricted only to roaming clients. You will need to target your endpoints carefully to avoid triggering a bandwidth spike. Full pattern and engine file updates can be 15MB or more. Updates from the cloud will always include all patterns; you cannot update selected patterns as you can from the ESP server. Updates from the cloud are typically slower than updates from the ESP server.
Three additional points are relevant to cloud updates:
1. The endpoint will need an Internet connection. If the endpoint has a proxy configured for Internet Explorer, those settings will be automatically used.
2. As with any pattern update, following a pattern rollback, further updates will be prohibited until the rollback condition has been lifted by running the Task Core Protection Module - Clear Rollback Flag.
3. The CPM client will verify the authenticity of the pattern from the cloud.
Configuring Endpoints to Update Pattern File from the Cloud
To update endpoint pattern files from the cloud:
1. From the CPM Dashboard menu, click Updates > Other Update Tasks > Update From Cloud. The Task Description window opens.
2. Below Actions, click the hyperlink to open the Take Action window.
3. In the Target tab, choose All computers with the property values selected in the tree list below, and then select the property that you want to apply, for example one that distinguishes between corporate and non-co
127. idirectional
RULE NAME                         ACTION   PROTOCOL   PORT   DIRECTION
NTP (UDP)                         Allow    UDP        123    Bidirectional
NETBIOS Name Service (TCP)        Allow    TCP        137    Bidirectional
NETBIOS Name Service (UDP)        Allow    UDP        137    Bidirectional
NETBIOS Datagram Service (TCP)    Allow    TCP        138    Bidirectional
NETBIOS Datagram Service (UDP)    Allow    UDP        138    Bidirectional
NETBIOS Sessions Service (TCP)    Allow    TCP        139    Bidirectional
NETBIOS Sessions Service (UDP)    Allow    UDP        139    Bidirectional
SNMP                              Allow    UDP        161    Bidirectional
SNMP TRAP                         Allow    UDP        162    Bidirectional
HTTPS                             Allow    TCP        443    Bidirectional
SMB (TCP)                         Allow    TCP        445    Bidirectional
SMB (UDP)                         Allow    UDP        445    Bidirectional
IPsec (TCP)                       Allow    TCP        500    Bidirectional
IPsec (UDP)                       Allow    UDP        500    Bidirectional
128. ies.
Adware: Displays advertisements and gathers data, such as user Web surfing preferences, used for targeting advertisements at the user through a Web browser.
Dialer: Changes computer Internet settings and can force a computer to dial pre-configured phone numbers through a modem. These are often pay-per-call or international numbers that can result in a significant expense for your organization.
Joke program: Causes abnormal computer behavior, such as closing and opening the CD-ROM tray and displaying numerous message boxes.
Hacking tool: Helps hackers enter computers.
Remote access tool: Helps hackers remotely access and control computers.
Password cracking application: Helps hackers decipher account user names and passwords.
Others: Other types of potentially malicious programs.
Viruses and Malware
Tens of thousands of virus/malware exist, with more being created each day. Although once most common in DOS or Windows, computer viruses today can cause a great amount of damage by exploiting vulnerabilities in corporate networks, email systems and Web sites.
Probable virus/malware: Suspicious files that have some of the characteristics of virus/malware. For details, see the Trend Micro Virus Encyclopedia: http://www.trendmicro.com/vinfo/virusencyclo
Trojan horse: This type of threat often uses ports to gain access to computers or executable programs. Trojan horse programs do not replicate but instead reside on systems to perform
129. specifying the computers you want to receive the selected patterns, click OK and, when prompted, type your private key password and click OK.
10. In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is Running and then Completed.
11. Close any open windows to return to the Dashboard view.
Exempting Programs From Spyware Detection
You can add programs that you don't want CPM to detect as spyware to the Spyware Whitelist (the whitelist is analogous to exceptions in the CPM Firewall). In addition, you can create different sets of whitelists and target them to different computers. This is especially useful, for example, if you want your Help Desk people to be able to use certain diagnostic tools but also want those same tools to be removed from any non-authorized computers.
To add spyware/grayware to the approved list:
1. In the CPM Dashboard, click Configuration > Spyware White List > New Spyware White List Task. The Spyware White List Wizard opens.
2. Select spyware from the reference list on the left and click Add to include it in the spyware list on the right (those programs on the right will be exempted from future detection). Choose multiple names by holding the Ctrl key while selecting.
3. Click the button Create Spyware White List Configuration Task when you are finished selecting programs for exclusion. The Edit
130. window that opens, check the Status and Count after a few minutes to confirm that the Action is Running and then Completed.
7. Close any open windows to return to the Dashboard view.
Starting a Scan of Relevant Endpoints (Scan Now)
To start a scan of relevant endpoints: In the CPM Dashboard, click Tasks > Core Protection Module > Start Scan.
Creating an On-Demand Scan
This scan configuration will be saved apart from the default scan now settings. You can run it from the CPM Dashboard anytime to initiate an On-Demand scan that uses the saved settings and applies to the selected computers.
To create an On-Demand Scan:
1. In the CPM Dashboard, click Configuration > On-Demand Settings > New On-Demand Settings Task. The On-Demand Scan Settings Wizard appears.
2. Make your configuration choices (options are detailed in To add spyware/grayware to the approved list on page 4-19).
3. Click the Create Scan Now Task button. The Edit Task window opens.
4. Edit the Name and Description fields so they clearly identify the scan parameters you have selected and the computers you will target in this Task.
5. Select all the relevant computers and click OK.
6. When prompted, type your private key password and click OK.
7. In the Action Summary window that opens, check the Status and Count after a few minutes to confirm that the Action is Running and then Completed.
Close an
131. is Configure and Run Malware Scans
Configuring the Default Scan Settings
Starting a Scan of Relevant Endpoints (Scan Now)  4-10
Creating an On-Demand Scan  4-10
Running an On-Demand Scan  4-10
Scheduling an On-Demand Scan (Automatic Scanning)  4-11
Configure Client Updates from the Cloud  4-12
Configuring Endpoints to Update Pattern File from the Cloud  4-13
Use a Previous Pattern File Version  4-14
Reverting to a Previous Version of the Pattern File  4-15
Re-enabling Updates Following a Rollback  4-16
Deploying Selected Pattern Files  4-17
Exempting Programs From Spyware Detection  4-18
Restoring Programs Incorrectly Detected as Spyware  4-20
Chapter 5 Configuration Wizards Reference
The CPM Health Monitor  5-2
Global Scan Settings Wizard  5-3
Scan Settings  5-3
Virus/Malware Scan Settings Only  5-4
Spyware/Grayware Scan Settings Only  5-4
Reserved Disk Space Settings  5-5
Client Console Settings  5-5
On-Demand & Real-Time Scan Settings Wizards  5-5
Scan Target Tab  5-7
User Activity on Files (Real-Time Scans Only)  5-7
Files to Scan  5-7
132. with conflicting software:
1. In the CPM Dashboard, click Troubleshooting > Removal of Conflicting Product Required. The Fixlet Description opens.
2. Click the Applicable Computers tab. A list of endpoints running conflicting software appears.
3. Below Actions, click the hyperlink if you want to connect to the Support Web page for more information.
4. Close any open windows to return to the Dashboard view.
To remove the conflicting software:
1. In the CPM Dashboard, click Deployment > Uninstall > product name. The Fixlet Description tab opens, showing a list of the endpoints currently running the program.
• Alternatively, you can click the Fixlet Messages tab and then navigate to All Fixlet Messages > By Site > Trend Core Protection Module. In the list of Fixlets that appears in the right window pane, select Core Protection Module - Uninstall product name by double-clicking it.
2. Below Actions, click the hyperlink to open the Take Action window.
3. In the Target tab, a list of the endpoints that are running the selected program appears. Click Applicable Computers to choose all relevant computers. In addition, you may also want to configure other options as described below:
• Execution: Set the deployment time and retry behavior.
• Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur).
• Messages: Configure these options to pass
133. itly receive notifications whenever a detection occurs on their computer.
Note: See Show the CPM Icon on Endpoints on page 3-12 for information on making some detection information visible to your end users. Detections are logged and available for review in CPM Reports.
Note: On-Demand scans can be CPU intensive on the client. Although you can moderate the effect by configuring the CPU Usage option (which sets a pause between each file scanned), you may also want to configure an Offer as part of the Task. The Offer will allow users to initiate the scan themselves.
As with most Tasks in the ESP Console, you can associate any of these scans with selected computers, users, or other conditions. As a result, you can define multiple scan settings and then attach a particular scan configuration to a given set of computers. Scan settings are saved in the CPM Dashboard.
[Screenshot: CPM Dashboard navigation tree showing Reports, Deployment, Updates, Configuration (Global Settings, On-Demand Settings, Real-Time Settings, Spyware Whitelist, Web Reputation Blacklist/Whitelist, ActiveUpdate Server Settings, Common Firewall Settings), Tasks, Analyses and Troubleshooting.]
FIGURE 4-4. Trend Micro Endpoint Security Platform Console: CPM Dashboard
134. ively notify the user that the uninstall is going to occur, to obtain consent, or to ask users to stop using their computer while the install occurs.
• Offer: Configure these options if you want the user to be able to choose whether or not the program is removed. A pop-up message will be displayed on the target endpoints. Requires that the client is enabled for offers.
4. Click OK, and then in the Action Summary window that opens, check the Status and Count after a few minutes to confirm that the Action is Running and then Completed.
5. Close any open windows to return to the Dashboard view.
Deploy CPM Clients to the Endpoints
Use the Core Protection Module - Endpoint Deploy Task to deploy CPM to all computers you want to secure against viruses and spyware. The CPM client package is about 65MB, and each endpoint will be directed to download the file from the ESP Server or Relay. If you target your endpoints using properties rather than by computer (which is the recommended behavior), any endpoint that subsequently joins the network will automatically receive the CPM client.
Installation takes about five minutes, and the CPM client can be installed with or without the target user's consent. Installation does not typically require a reboot; however, a DOS-style command console may open on the client as the install scripts are run. In addition, the client will be briefly disconnected from the netw
135. given Task.
• Open an existing policy: Click the Policy Name to open an existing policy for viewing or modification. Changes will not be applied to endpoints until you re-deploy the policy.
[Screenshot: Firewall Policy Settings Wizard in the CPM Dashboard, listing existing firewall policies by Policy Name, Status, Security Level and Applied IP Range, with Save Order, Add and Delete controls.]
136. TrendLabs  11-4
Security Information Center  11-4
Security Risks  11-4
Phish Attacks  11-5
Spyware and Grayware  11-5
Types of Spyware/Grayware  11-6
Viruses and Malware  11-6
Guarding Against Spyware/Grayware and Other Threats  11-7
Routine CPM Tasks (Quick Lists)
Scan Management  A-2
General Scan Configurations  A-2
Real-time and On-Demand Scans  A-3
Spyware Handling and Correction  A-4
CPM Server Management  A-4
CPM Client Management  A-5
Pattern File Management  A-8
Web Reputation  A-10
CPM Firewall  A-10
Appendix B Reference Tables
Default ActiveAction Behaviors  B-2
Available Virus/Malware Scan Actions  B-3
Pattern and Scan Engine Files  B-4
Scan Action Results for Compressed Files  B-6
Default Firewall Global Exceptions  B-7
Chapter 1 Introducing Core Protection Module
This chapter introduces Trend Micro Core Protection Module (CPM) and provides information on the following topics:
• Overview on page 1-2
• What's New in CPM Version 1.6 on page 1-2
• How CPM Works on page 1-2
• ESP Components on page 1-3
• Features and Benefits on page 1-4
• The Trend
137. [Screenshot: ActiveUpdate Server Settings Wizard in the CPM Dashboard, with fields for Other Update Source (URL or intranet location containing a copy of the current file), Use a proxy server for pattern and engine updates, Proxy Protocol (HTTP/SOCKS), Server Name or IP, Port, User name and Password.]
FIGURE 2-3. Identify a source for pattern file updates and the proxy server, if any, between CPM and the Internet.
You can and should configure the CPM server to frequently contact the AU server to check for and download pattern and componen
138. Delete: CPM deletes the infected file.
Quarantine: CPM renames and then moves infected files to the following non-configurable directory on the client's computer: C:\Program Files\Trend Micro\Core Protection Module\Quarantine. If you need to access any of the quarantined files, you can access the directory using system administrator credentials and restore it using the VSEncrypt tool (see Scan Action Results for Compressed Files on page B-6).
Clean: CPM cleans the infected file before allowing full access to the file. If the file is uncleanable, CPM performs a second action, which can be one of the following actions: Quarantine (typical), Delete, Rename, or Pass.
Rename: CPM changes the infected file's extension to .vir. Users cannot open the renamed file initially, but can do so if they associate the file with a certain application.
Warning: Renaming the file will not prevent the virus/malware from executing. Consider using Quarantine or Delete instead.
Pass: CPM performs no action on the infected file but records the virus/malware detection in the logs. The file stays where it is located. CPM cannot use this scan action during Real-time Scan, because performing no action when an attempt to open or execute an infected file is detected allows virus/malware to execute. All the other scan actions can be used during Real-time Scan.
For the probable virus/malware type, CPM always performs no action.
139. location property (Creating Location-Specific Tasks on page 8-5) with your firewall Tasks.
Be sure that conflicting policies have not been deployed to the same endpoint(s):
a. From the ESP Console, select a target computer and open its Action History.
b. If you see in History that multiple firewall Tasks are overwriting one another, chances are that multiple policies are claiming relevance and updating the policy on the endpoint. In this case, delete all your Actions and re-apply the Tasks.
Confirm that the firewall services are running on the computers in question: From the CPM Dashboard, click Troubleshooting > Improper Service Status to run the Improper Service Status Fixlet. At the endpoint(s) in question, check that the following Windows Services are running:
• OfficeScan NT Listener
• OfficeScan NT RealTime Scan
• OfficeScan NT Firewall
Client is not Connecting to the ESP Server or Relays
By default, ESP Server/Agent and CPM server/client communication occurs using port 52311. This port is automatically allowed by the Trend Micro Common Firewall. If you have installed ESP using a different port, the firewall will automatically recognize that port. However, if you have re-installed the ESP Server and in that installation designated a different port, the firewall will not pick up that change. Add an exception in your firewall policies.
140. deployment status and results.
Assess Endpoint Readiness
The CPM client supports most operating systems and typically does not require system resources in excess of those required by the host operating system. However, there are some factors that can preclude otherwise eligible endpoints from receiving the CPM client. Perform the procedures that follow to identify which of your endpoints, if any, need to be modified in order for the client to be installed. Do this before removing any existing security products to ensure a continuation of your endpoint security.
To identify ineligible endpoints:
1. In the CPM Dashboard, click Troubleshooting > Insufficient Hardware Resources. The Fixlet Description opens.
2. Click the Applicable Computers tab. A list appears with the endpoints running conflicting software.
3. Below Actions, click the hyperlink if you want to connect to the Support Web page for more information. Otherwise, just close any open windows to return to the Dashboard view.
4. Repeat steps 1-3 for any Tasks that pertain to endpoint readiness, for example Troubleshooting > Insufficient Software Resources.
Remove Conflicting Products
Before deploying the CPM client to your endpoints, you need to uninstall any programs that will conflict with the CPM functions. See Conflicting or Incompatible Programs starting on page 3-26 for more information.
To identify endpoints w
141. Include all subdirectories by using the wildcard: http://www.example.com/*
• Include all subdomains by using the wildcard: http://*.example.com (Not valid: https://www.example)
• To import a URL that uses a non-standard port, use the following format: http://www.example.com:8080
• URLs can be up to 2083 characters long.
• List each URL on a new line.
• You can add or import up to 500 URLs in a given list.
Blacklist and Whitelist Templates
The Web Reputation Blacklist/Whitelist Wizard enables you to create and maintain global lists of Web sites, in the form of templates, that you can use to control your users' Web access. Once you have defined these templates, you use them to create Custom Tasks, which you can then apply to your endpoints.
There are two types of URL lists you can create and group into templates using the Wizard:
• Blacklists: These are lists of blocked Web sites. If the endpoint tries to access a site in one of these lists, they receive a message in their Web browser indicating that access to the site is blocked.
• Whitelists: These are lists of Web sites you allow your endpoints to access without restriction.
Note: Use care when selecting sites for Whitelists. Once a site is added to a Whitelist, it will no longer be checked. Therefore, endpoints connecting to that site would no longer be protected by WR should that site become a host for malware at some point in the future.
Using Web Repu
142. mpossible to prosecute.
Spyware and Grayware
Client computers are at risk from potential threats other than viruses/malware. Spyware/Grayware refers to applications or files not classified as viruses or Trojans, but which can still negatively affect the performance of the computers on your network and introduce significant security, confidentiality, and legal risks to your organization. Often, spyware/grayware performs a variety of undesired and threatening actions, such as irritating users with pop-up windows, logging user keystrokes, and exposing computer vulnerabilities to attack.
If you find an application or file that CPM cannot detect as grayware but you think is a type of grayware, send it to Trend Micro for analysis: http://subwiz.trendmicro.com/SubWiz
How Spyware/Grayware Gets into the Network
Spyware/Grayware often gets into a corporate network when users download legitimate software that has grayware applications included in the installation package. Most software programs include an End User License Agreement (EULA), which the user has to accept before downloading. Often the EULA does include information about the application and its intended use to collect personal data; however, users often overlook this information or do not understand the legal jargon.
Types of Spyware/Grayware
Spyware: Gathers data, such as account user names and passwords, and transmits them to third part
143. n date and review all the new virus definitions included in the files: http://www.trendmicro.com/download/pattern.asp
Incremental Virus Pattern File Updates
CPM, in conjunction with Trend Micro ActiveUpdate, supports incremental updates of the virus pattern file. Rather than download the entire pattern file each time (full pattern files can be more than 20MB), ActiveUpdate can download only the portion of the file that is new and append it to the existing pattern file.
How Scanning Works
The scan engine works together with the virus pattern file to perform the first level of detection, using a process called pattern matching. Because each virus contains a unique binary signature, or string of tell-tale characters that distinguishes it from any other code, the virus experts at TrendLabs capture inert snippets of this code to include in the pattern file. The engine then compares certain parts of each scanned file to the data in the virus pattern file, looking for a match.
Pattern files use the following naming format: lpt$vpn.###, where ### represents the pattern version (for example, 400). If multiple pattern files exist in the same directory, only the one with the highest number is used. Trend Micro publishes new virus pattern files on a regular basis (typically several times per week) and recommends configuring hourly automatic updates. With automatic update enabled, new up
144. [Screenshot: CPM Dashboard, Updates > Automatic Update Tasks, showing the Tasks Apply Automatic Updates, Enable Automatic Updates (Server), Disable Automatic Updates (Server), Enable Automatic Updates (Endpoint), and Disable Automatic Updates (Endpoint), with the Fixlet text "Take the action below to enable automatic updates on Core Protection Module endpoints" and the Action "Click here to enable automatic updates on endpoints".]
FIGURE 3-2. This composite screen shows the Dashboard, Task, and Fixlet that open after steps 1 and 2.
3. On the Target tab, choose "All computers with the property values selected in the tree list below".
4. Choose a property that will include all the computers you want to deploy this Action to, and click OK.
5. When prompted, type your private key credential and click OK. The Action Summary tab appears.
6. Check the Status and Count after a few minutes to confirm that the Action is "Fixed".
7. ...
145. ...n on guest Windows XP/2003 operating systems hosted on the following virtualization applications:
• Microsoft Virtual Server 2005 R2 with Service Pack 1
• VMware ESX/ESXi Server 3.0 or 3.5 (Server Edition)
• VMware Server 1.0.3 or later (Server Edition)
• VMware Workstation and Workstation ACE Edition 6.0
• Microsoft Windows Server 2008 (64-bit) Hyper-V environment

TABLE 3-2. Windows XP/Windows 2003 (32-bit version) (Continued)
RESOURCE: REQUIREMENT
Hardware: Processor: 300MHz Intel Pentium or equivalent; AMD 64 or Intel 64 processor architectures. RAM: 512MB recommended. Available disk space: 700MB recommended.
Others: Monitor that supports 800 x 600 resolution at 256 colors.

TABLE 3-3. Windows XP/Windows 2003 (64-bit version)
RESOURCE: REQUIREMENT
Operating system:
• Windows XP Professional with Service Pack 2 or later
• Windows Server 2003 Standard, Enterprise, Datacenter, and Web Editions with Service Pack 2 or later
• Windows Server 2003 R2 Standard, Enterprise, and Datacenter Editions with Service Pack 2 or later
• Windows Storage Server 2003
• Microsoft Cluster Server 2003
• CPM supports client installation on guest Windows XP/2003 operating systems hosted on the following virtualization applications:
  • VMware ESX/ESXi Server 3.0 or 3.5 (Server Edition)
  • VMware Se...
146. ...n the ESP Console. If you are logging into the ESP Server using an administrator account, you can use NT Authentication instead of entering a password. If you are running the ESP Console remotely, you will need a user name and password.

To open the ESP Console:
1. On the Windows desktop, click the Windows Start button, then Programs > Trend Micro Endpoint Security Platform > ESP Console.
2. Connect to the ESP Server database by entering the user name you created when installing the ESP Server (if you installed the Evaluation version, type EvaluationUser for the user name) and then click OK.
3. The ESP Console opens.

Add the CPM Site to the ESP Server
You install the Trend Micro Core Protection Module by adding its site masthead to the list of managed sites in the ESP Console. If you do not have the Core Protection Module and Reporting mastheads, contact your Trend Micro sales representative to obtain them.

The Trend Micro Common Firewall is also available for CPM. The firewall provides client-level access control for your ESP endpoints.

CPM now includes a Web Reputation component that replaces the stand-alone version. You will be able to migrate any existing WPM blacklists and whitelists you may have.

Note: If you are a current Web Protection Module (WPM) customer, you will need to remove any installed clients, and then the WPM site, prior to installing CPM.

Before adding the site, make sure that the ESP Server can co...
147. ...nd Detection Technologies ... 1-8
Scan Engine Updates ... 1-8
Trend Micro Damage Cleanup Services ... 1-9
GeneriClean ... 1-9
Rootkit Detection ... 1-9
IntelliTrap ... 1-9

ESP Server: Installing and Updating
Open the ESP Console ... 2-2
Add the CPM Site to the ESP Server ... 2-2
Install and Update CPM on the ESP Server ... 2-4
Overview of Procedures ... 2-4
Install CPM Components on the ESP Server ... 2-4
Upgrading CPM from Version 1.0 to Version 1.6 ... 2-5
What Has Changed and Requires Action ... 2-6
What Has Not Changed for Version 1.6 ... 2-7
Upgrading CPM from Version 1.5 to Version 1.6 ... 2-8
What Has Changed And Requires Action ... 2-8
What Has Not Changed ... 2-8
Update Pattern Files on the Server ... 2-9
Choose an Update Source and Proxy ... 2-9
Prepare the ESP Server and Update the Pattern Files ... 2-11
Running the CPM Automatic Update Setup Script ... 2-13
Enabling Automatic Updates on the ESP Server ... 2-14
Enabling Automatic Updates on Endpoints ... 2-15
Updating the Pattern File and Make the Action Automatic ... 2-17
Running the Apply Automatic Updates Task ...
148. [Screenshot: Firewall Policy Configuration screen. General: Policy Name ("New Policy"), Firewall Enabled, Security Level (High, Medium, Low). Exception Rules: Apply to All Possible IP Addresses / Apply to A Range of IP Addresses, with Add and Import Global Rules buttons. The rule table (Rule Name, Action, Protocol, Direction, Port) lists FTP DATA, FTP, SSH, Telnet, SMTP, DNS TCP, DNS UDP, TFTP, HTTP, and Kerberos, all Allow and Bidirectional, on ports 20, 21, 22, 23, 25, 53 (TCP), 53 (UDP), 69 (UDP), 80, and 88. Note on screen: "Unselected rules won't be included for this policy."]
FIGURE 7-8. Select policies to include in a Task by choosing them in the Firewall Policy Configuration screen.

The following options are available in the Firewall Policy Configuration screen:

General
• Policy Name: The name you type here will appear in the firewall policy list. Once saved, it cannot be changed. Use a name that will make the purpose of the policy clear.
• Firewall Enabled: Selected by default. Only disable this option in a policy to uninstall the firewall from your endpoints (the Task must be deployed).
• Security Level: This option sets the predisposition of the policy, that is, whether it Allows or Denies all traffic to all ports. You can ...
149. ...ng WPM Standalone Settings on page 6-2
• Web Reputation Security Levels on page 6-7
• Using Web Reputation in CPM on page 6-9
• Importing Lists of Web Sites on page 6-12
• Viewing an Existing Template on page 6-14
• About Analyses on page 6-17
• To view the Client Information Analysis on page 6-18
• To view the Site Statistics Analysis on page 6-18

How Web Reputation Works
The Trend Micro Web Reputation (WR) technology joins its real-time visibility and control capabilities with CPM to prevent Web-based malware from infecting your users' computers. WR intercepts malware in the cloud before it reaches your users' systems, reducing the need for resource-intensive threat scanning and clean-up. Specifically, WR monitors outbound Web requests, stops Web-based malware before it is delivered, and blocks users' access to potentially malicious Web sites in real time.

Web Reputation requires no pattern updates. It checks for Web threats when a user accesses the Internet by performing a lookup on an in-the-cloud database. Web Reputation uses the site's reputation score and a security level set by the Console Operator to block access to suspicious sites. The Web Reputation database lookups are optimized to use very little bandwidth (similar in size to a DNS lookup) and have a negligible impact on network performance.

Note: Users who are logged on to their com...
150. [Screenshot: scan settings with "Scan compressed files (Maximum layers)", Virus/Malware Scan Settings Only ("Scan boot area", "Enable IntelliTrap"), and CPU Usage.]
CPU Usage: If your client computers run CPU-intensive applications, you may want CPM to pause between file scans to free up CPU resources.
• High: scan files one after another without pausing
• Medium: pause slightly between file scans
• Low: pause longer between file scans
FIGURE 5-2. There are different scanning options available for On-Demand and Real-Time Scan.

Enable virus/malware scan (recommended): The different types of viruses and malware threats are described in Security Risks, starting on page 11-4.

Enable spyware/grayware scan (recommended): The different types of spyware and grayware are described in Security Risks, starting on page 11-4, which also contains information about excluding programs you know to be safe from spyware detection.

Scan Target Tab
User Activity on Files (Real-Time Scans Only)
Scan files being:
• Created: scans new files and files as they are copied to the client
• Modified: scans files that are opened as they are saved to the client
• Received: scans files as they are moved or downloaded to the client

Files to Scan
• All scannable files: This option is the safest but will also have the greatest effect on client performance; all files are scanned (On-Demand) or monitored (Real-Time), even file types that ...
151. ...nnect to the source of the masthead files, that is, can connect to the Internet. If it cannot, the request will remain pending until the connection is made.

To add the CPM site:
1. From any computer with the ESP Console installed, locate and double-click the masthead file to automatically add its site.
2. Alternatively, in the ESP Console menu, click Tools > Manage Sites and then the Add External Site button.
3. In the Add Site window that opens, locate the masthead file(s) you received from the Trend Micro Sales Representative. The following mastheads are available (file names are shown here):
• Trend Micro Core Protection Module.efxm
• Trend Micro Reporting.efxm
• Trend Micro Common Firewall.efxm (optional)
The masthead(s) you selected appear in the Manage Site window.
4. Click the Gather All Sites button and then OK.
[Screenshot: Trend Micro Endpoint Security Platform Console showing Open Actions (11), Stopped Actions (0), Expired Actions (11), and My Actions (22), including the Core Protection Module Actions "Set ActiveUpdate Server Pattern Update Interval" and "Apply Automatic Updates".]
152. ...nowledge Base to submit a question if you cannot find the answer in the product documentation. Access the Knowledge Base at: http://esupport.trendmicro.com/enterprise/search.aspx?mode=advance

Trend Micro updates the contents of the Knowledge Base continuously and adds new solutions daily. If you are unable to find an answer, however, you can describe the problem in an email and send it directly to a Trend Micro support engineer, who will investigate the issue and respond as soon as possible.

TrendLabs
TrendLabs is the global antivirus research and support center of Trend Micro. Located on three continents, TrendLabs has a staff of more than 250 researchers and engineers who operate around the clock to provide you and every Trend Micro customer with service and support. You can rely on the following post-sales service:
• Regular virus pattern updates for all known "zoo" and "in-the-wild" computer viruses and malicious codes
• Emergency virus outbreak support
• Email access to antivirus engineers
• Knowledge Base, the Trend Micro online database of technical support issues
TrendLabs has achieved ISO 9002 quality assurance certification.

Security Information Center
Comprehensive security information is available at the Trend Micro Web site:
• List of viruses and malicious mobile code currently "in the wild" or active
• Computer virus hoaxes
• Internet threat advisories
• Virus we...
153. ...ns

Add the Firewall Masthead to the ESP Server
Install the Trend Micro Common Firewall by adding its site masthead to the list of managed sites in the ESP Console. If you do not have the Common Firewall masthead, contact your Trend Micro sales representative to obtain it.

Before adding the site, make sure that the ESP Server can connect to the source of the masthead files, that is, can connect to the Internet. If it cannot, the request will remain pending until the connection is made.

To add the CPM Firewall site:
1. In the ESP Console menu, click Tools > Manage Sites and then the Add External Site button. The Add Site window opens.
2. Locate and select the Common Firewall masthead file you received from Trend Micro: Trend Micro Common Firewall.efxm (optional). The selected masthead appears in the Manage Site window, as shown in Figure 7-1.
[Screenshot: Trend Micro Endpoint Security Platform Console, Open Actions list (Time Issued, State, Name, Site, Issued By, Type) showing "Core Protection Module Enable Automatic Updates (Endpoint)" issued 10/8/2009 10:42:03 AM and "Core Protection Module Disable Automatic Updates (Endpoint)" issued 10/8/2009 10:40:40 AM, both Open, from site Trend Micro Core Protection Module, issued by admin as Single Actions.]
154. ...ns below to set the Web Reputation security level.
[Screenshot: CPM Dashboard with Actions "Click to set High Web Reputation security level", "Click to set Medium Web Reputation security level", and "Click to set Low Web Reputation security level".]
FIGURE 6-4. You can change the security level from the default of Low.
2. Below Actions, choose a Security Level by clicking the hyperlink. The Take Action window opens.
3. In the Target tab, select all Applicable Computers to apply the WR security level to all your endpoints. Click OK.
4. When prompted, type your private key password and click OK.
5. In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is Running and then Completed.
6. Close any open windows to return to the Dashboard view.

Using Web Reputation in CPM
The following rules apply when creating whitelists and/or blacklists:
• The prefix http:// will automatically be affixed to URLs added to the list.
• Secure URLs, that is, those starting with https://, are not supported.
• Inc...
155. ...ntact your CPM administrator for information about how to use the EICAR test script.

Update Now
Keeping client components current is essential to ensuring that your computer stays protected. The Update Now feature allows updating at any time. The client connects to an update source to check for updates to security components that detect the latest viruses, spyware, and malware. If updates are available, the client automatically downloads the components.

Note: Update Now always updates from the cloud and not the ESP Server, whether the endpoint runs remotely or connects to the LAN.

To update the client manually:
1. Right-click on the CPM client console icon in the system tray.
2. Click Update Now from the console menu.
3. In the Update Status tab, click Update Now. When complete, a message displays saying "Component update is complete".

Chapter 10
Troubleshooting
This chapter includes information to help with basic troubleshooting and problem solving. Topics in this chapter include:
• Installation on page 10-2
• Virus/Malware and Spyware Scanning on page 10-3
• CPM Clients on page 10-5
• Pattern Updates on page 10-6
• Firewall Troubleshooting on page 10-9

Installation
The CPM installer writes install logs to the following file: $WINDOWS\CPMInstallResult.log. The log typically includes the install start and finish time, current status, and any ...
156. ...nts that are running the ESP Agent.

Overview of Procedures
• Install the CPM components. See page 2-4.
• Do one of the following, if necessary:
  • Upgrade from CPM 1.0 to CPM 1.6. See page 2-5.
  • Upgrade from CPM 1.5 to CPM 1.6. See page 2-8.
• Update the pattern files on the ESP Server. Starts on page 2-9.
  • Configure a proxy server and identify a pattern update source.
  • Run a script to set up the ESP server for automatic updates.
  • Update the pattern files manually.
  • Set up automatic pattern updates.
• Deploy and update CPM clients. See page 3-1.

Install CPM Components on the ESP Server
After adding the mastheads to the ESP Server, the next step is to open the ESP Console and update the CPM Server with the required components. You will need at least one relevant computer. In this case, the ESP Server to which you just added the CPM masthead should be relevant. If it is not, resolve this issue before you begin. For example, check that the server has an ESP Agent installed or that the CPM components have not already been updated on the server.

To install the CPM server components:
1. From the ESP Console menu, click Dashboard > CPM Dashboard.
2. Click Deployment > Install > Install CPM Server. The Install Server Components window opens to the Description tab.
[Screenshot: ESP Console tab bar: Fixlet Messages, Tasks, Baselines, Actions, Computers, Computer Groups, Analyses, Console Operators.]
157. ...obal Settings Dashboard.

To make the configurations location-specific:
1. In the Configuration > Global Settings Dashboard, click the "Skip 2MB" task you just created. The Description window opens.
2. Under the Actions heading, click the hyperlink to configure the policy settings. The Take Action window opens to the Target tab.
3. Select "All computers with the property values selected in the tree below".
[Screenshot: Take Action window (Name: Custom Action, Configure Active Update; Preset: Fixlet Action Defaults; tabs Target, Execution, Users, Messages, Offer, Post-Action, Applicability, Success Criteria, Action Script). Target options: "Specific computers selected in the list below", "All computers with the property values selected in the tree below", and "The computers specified in the list of names below (one per line)". The property tree lists By Active Directory, By Retrieved Properties, By Computer Name, By OS, By CPU, By Last Report Time, By Locked, By BES Relay Selection Method, By Relay, By User Name, By RAM, By Free Space on ... The side note reads: "This action will be targeted at all computers with the retrieved property values selected on the left. There are currently 1 computers with the selected property values. Any computers that change to match the selected property values while the action is open will be targeted as well. This action will end 2/21/2009 4:58:15 PM client local time."]
158. ...ocation here. This is typically used on a temporary basis for one-time updates, unless the intranet source is configured to poll and receive updates from the Trend Micro ActiveUpdate server on a regular basis.

Proxy
• Use a proxy server for pattern and engine updates: If there is a proxy server between the ESP Server and the pattern update source you selected above, enable this option and provide the location and proxy access credentials.

Others
• Log Rolling Frequency (1-90): To keep the cumulative size of log files from occupying too much space on the server, you can specify how many days to retain logs. The newest logs will replace the oldest after this number of days. The default is 10 days. Logs are stored in the following directory: TrendMirrorScript.log
• Number of Updates to Keep on Server (1-100): You can store previous pattern file sets on the server in case you ever need to revert, or roll back, to an older file. By default, CPM keeps the current pattern and 15 snapshots of the pattern set.

Common Firewall Settings
For more information on Common Firewall Settings, see Install and Manage the Client Firewall on page 7-1.

Chapter 6
Using Web Reputation
This chapter will help you optimize the features of Web Reputation (WR) for your environment by detailing how to manage Blacklist and Whitelist templates, Analyses, and the Dashboard.

Topics in this chapter include:
• How Web Reputation Works on page 6-2
• Migrati...
159. ...olations
• Common Firewall Outbound Port Violations

CPM Client Console: The new console on the endpoint machines allows manual scanning of files and folders for virus/malware and spyware/grayware, the ability to review the results and see what actions were taken on the infected files, and a feature that allows the client machine to update immediately to the latest version of protection components. See "Click the Create Firewall Policy Task button at the top of the screen" on page A-11 and Using the Client Console on page 9-1 for details.

New platforms supported: Windows 7 and Windows 2008 R2 platform support added. See System Requirements on page 3-14 for details.

Note: Upgrade to the ESP 7.2.5 agent, which supports the Windows 7 and Windows 2008 R2 operating systems, before attempting to install CPM.

Enable/disable Web Reputation logging: The collection of visited sites can be enabled and disabled using the Task pane. See About Analyses on page 6-17 for details.

What Has Not Changed for Version 1.6
The following CPM settings are retained and do not need to be modified to remain synchronized with the upgrade:
• Global Settings and any saved Tasks
• On-Demand Settings and any saved Tasks
• Real-Time Settings and any saved Tasks
• Spyware White Lists and any saved Tasks
• ActiveUpdate Server Settings (proxy and AU server location)
• Logs and Reports
• Analyses t...
160. ...on detected files, regardless of the scan type, to mitigate false positives. If further analysis confirms that the probable virus/malware is indeed a security risk, a new pattern will be released to allow CPM to take the appropriate scan action. If actually harmless, the probable virus/malware will no longer be detected.

Deny Access: This scan action can only be performed during Real-time Scan. When CPM detects an attempt to open or execute an infected file, it immediately blocks the operation. Users receive no CPM-specific notification of the action, only a message from the operating system. Users can manually delete the infected file.

Pattern and Scan Engine Files
COMPONENT: DESCRIPTION
Antivirus
• Virus Pattern: A file that helps CPM identify virus signatures, unique patterns of bits and bytes that signal the presence of a virus.
• IntelliTrap Pattern: The file for detecting real-time compression files packed as executable files.
• IntelliTrap Exception Pattern: The file containing a list of approved compression files.
• Virus Scan Engine: The engine that scans for and takes appropriate action on viruses/malware; supports 32-bit and 64-bit platforms.
Anti-spyware
• Spyware Pattern: The file that identifies spyware/grayware in files and programs, modules in memory, Windows registry, and URL shortcuts.
• Spyware Active-monitoring Pattern: ...
161. ...on the same client when deploying. If you do, only the last deployed settings will apply, or the overlapped endpoints may constantly cycle between different applicable settings.
[Screenshot: Trend Micro Endpoint Security Platform Console, CPM Dashboard. The Fixlet message list (All Relevant Fixlet Messages, All Relevant On Unlocked Computers, All Fixlet Messages, My Custom Fixlet Messages, Locally/Globally Hidden Fixlet Messages, Non-Master Operator Custom Fixlet Messages) includes entries such as "Web Protection Module Log Maintenance Not Configured", "BES Clients Have Incorrect Clock Time", "Core Protection Module Disable Automatic Updates (Endpoint)", "Core Protection Module Disable Automatic Updates (Server)", "Core Protection Module Ineligible for Install: Insufficient Software Resources", and "Core Protection Module Ineligible for Install: Removal/Upgrade of Conflicting Products Required". The Global Scan Settings Wizard (Create Global Scan Settings Configuration Task) shows the option "Configure scan settings for large compressed files: Do not scan files in the compressed file if the size exceeds ..."]
162. ...onsible for downloading updates from the ESP server and applying them to your endpoints.

Note: This task does not appear as relevant in the ESP console until the Set ActiveUpdate Server Pattern Update Interval task completes at least once and downloads new pattern files from the Trend Micro ActiveUpdate servers. However, as the steps below indicate, you can still deploy it as a policy targeting all computers or a particular group of computers. Once you download the new pattern files, this task then becomes relevant on all endpoints that do not yet have the new pattern files.

To run the Apply Automatic Updates task:
1. Navigate to Dashboards > CPM Dashboard.
2. Once the dashboard appears, navigate to Updates > Automatic Update Tasks > Apply Automatic Updates.
3. Below Actions, click the "here" hyperlink to open the Take Action window.
[Screenshot: Task "Core Protection Module Apply Automatic Updates" (site: Trend Micro Core Protection Module). Description: "Use this task to apply pattern updates to Core Protection Module endpoints that have been configured for automatic updates. Important Note: This action requires that the endpoint has been configured to allow automatic updates using the Enable Automatic Updates (Endpoint) task. Additionally, the server components must also have automatic updates configured and enabled. Important Note: You should set this action to run as a policy with reapplicability beh..."]
163. ...or each type of virus/malware. See Default ActiveAction Behaviors, starting on page B-2, for a list of threat types and their associated ActiveAction.
[Screenshot: On-Demand Scan Settings Wizard (Create Scan Now Task, Create Configuration Task) with "Enable virus/malware scan" and "Enable spyware/grayware scan" selected and the tabs Scan Target, Scan Exclusion, and Scan Action. Virus/Malware Action options: "Use ActiveAction"; "Use the same action for all virus/malware types" (If you choose Clean, specify the second action CPM will take if cleaning fails: All Types, 1st Action Clean, 2nd Action Quarantine); "Use a specific action for each virus/malware type" (Type, 1st Action, 2nd Action: Joke, Quarantine; Trojan, Quarantine; Virus, Clean then Quarantine; Test Virus, Pass; ...). The left pane lists the Troubleshooting items Improper Service Status, Restart Needed, Insufficient Hardware Resources, Insufficient Software Resources, Removal of Conflicting Product, and Disable Windows Firewall.]
164. ...or you and your organization. However, Trend Micro does recommend that you start off incrementally, deploying and then configuring a small number of clients, and then, either gradually or in batches, proceed until you have installed CPM clients on all your endpoints.

Topics in this chapter include:
• About CPM Client Deployment on page 3-2
• Assess Endpoint Readiness on page 3-3
• Remove Conflicting Products on page 3-3
• Deploy CPM Clients to the Endpoints on page 3-5
• Pattern File and Engine Updates on page 3-7
• Update Pattern Files on the CPM Client on page 3-8
• Show the CPM Icon on Endpoints on page 3-12
• Removing CPM Clients on page 3-13
• System Requirements on page 3-14
• Conflicting or Incompatible Programs on page 3-26

About CPM Client Deployment
The Tasks created in the procedures described below can only be deployed to relevant computers, the number of which is indicated after the Task name. In the ESP environment, relevance is determined by a relevance statement, which defines certain conditions that the computer must meet. Any computers running an ESP Agent can receive relevance statements, and when they do, they perform a self-evaluation to determine whether they are included in the criteria. Relevant computers will complete whatever Action has been specified.

When targeting more than a few computers, Trend Micro suggests that you target endpoints by prope...
165. ...ore it is available to the endpoint user.

To initiate a scan from Windows Explorer:
1. Open Windows Explorer on the endpoint computer.
2. Right-click on any folder or file to be scanned.
3. Select "Scan with Core Protection Module" to initiate the scan. Results will let you know if the scan was successful:
• If nothing was found, click OK in the confirmation dialog box.
• If the scan found an issue, the action for handling malware configured by the system administrator occurs.
4. See the Manual Scan Results tab immediately after completing the scan for details. See Viewing Scan Results on page 9-7 for more information.

Manual Scan Results
The Manual Scan Results tab displays the result of the most recent Manual Scan. You can choose to view virus/malware or spyware/grayware scanning results.

Note: Closing the client console removes the information displayed on this screen.

The upper half of the screen contains the scan summary, and the lower half contains a table with detailed information about any security risk detected during scanning.
[Screenshot: Trend Micro Core Protection Module for Windows client console, Manual Scan Results tab. Summary: Files/Objects scanned 55050; Elapsed time 00:42. Virus/Malware: Infected files 10; Cleaned 4; Last virus/malware found DCT_TESTFILE.A. Spyware/Grayware: Sp...]
166. ...ork.

Note: Prior to deploying the CPM client, be sure your targeted endpoints are not running a conflicting product (see Conflicting or Incompatible Programs on page 3-26) and that they meet the hardware and software requirements, as explained in Assess Endpoint Readiness on page 3-3.

To deploy CPM to your endpoints:
1. In the CPM Dashboard, click Deployment > Install and pause for a second to note the number of eligible clients in the parenthesis after the task name.
2. Click Install CPM Endpoint. The Task Description tab opens.
3. Below Actions, click the hyperlink to open the Take Action window. In the Target tab that opens, a list of eligible endpoints appears. The default behavior is to install the CPM client on every relevant endpoint, regardless of who is logged on to the computer and whether the user is present or not.
4. Use the following deployment options if you want to change the target:
FIGURE 3-1.
• Target: Click "All computers with the property values selected in the tree list below" and then choose a property that will include all the computers you want to deploy this Action to.
[Screenshot: Take Action window (Name: Core Protection Module Set ActiveUpdate Server Pattern Update Interval; Target: Specific computers selected in the list below; Preset: Default, "Show only personal presets") with the tabs Target, Execution, Users, Messages, Offer, Pos...]
167. [Screenshot: CPM Dashboard, Update Settings Wizard (Create Update Settings Task), showing the Components list with Current Version and Last Update columns for Virus Pattern, IntelliTrap Pattern, IntelliTrap Exception Pattern, Virus Scan Engine (32-bit), Virus Scan Engine (64-bit), Spyware Pattern, Spyware Active-monitoring Pattern, Spyware Scan Engine (32-bit), Spyware Scan Engine (64-bit), and Damage Cleanup Services (Virus Cleanup Template, Virus Cleanup Engine (32-bit)). Behind it, Fixlet/Task entries such as "Core Protection Module Endpoint Deploy" and "Core Protection Module Check Server for Pattern Updates" are visible.]
FIGURE 4-8.
oth abc.zip and 123.doc | contains an infected file, 123.doc

Enabled or Disabled | Not Clean or Delete (in other words, any of the following: Rename, Quarantine, Deny Access, or Pass) | Not Supported. Example: abc.zip contains an infected file, 123.doc | CPM performs the configured action (Rename, Quarantine, Deny Access, or Pass) on abc.zip, not 123.doc. If the action is:
  Rename: CPM renames abc.zip to abc.vir but does not rename 123.doc.
  Quarantine: CPM quarantines abc.zip (123.doc and all non-infected files are quarantined).
  Pass: CPM performs no action on both abc.zip and 123.doc but logs the virus detection.
  Deny Access: CPM denies access to abc.zip when it is opened (123.doc and all non-infected files cannot be opened).

Reference Tables

Default Firewall Global Exceptions

RULE NAME    | ACTION | PROTOCOL | PORT | DIRECTION
FTP Data     | Allow  | TCP      | 20   | Bidirectional
FTP          | Allow  | TCP      | 21   | Bidirectional
SSH          | Allow  | TCP      | 22   | Bidirectional
Telnet       | Allow  | TCP      | 23   | Bidirectional
SMTP         | Allow  | TCP      | 25   | Bidirectional
DNS (TCP)    | Allow  | TCP      | 53   | Bidirectional
DNS (UDP)    | Allow  | UDP      | 53   | Bidirectional
TFTP         | Allow  | UDP      | 69   | Bidirectional
HTTP         | Allow  | TCP      | 80   | Bidirectional
Kerberos (TCP) | Allow | TCP     | 88   | Bidirectional
Kerberos (UDP) | Allow | UDP     | 88   | Bidirectional
POP3         | Allow  | TCP      | 110  | Bidirectional
AUTH (TCP)   | Allow  | TCP      | 113  | Bidirectional
AUTH (UDP)   | Allow  | UDP      | 113  | Bidirectional
NTP (TCP)    | Allow  | TCP      | 123  | B
our problem resolution, ensure that you have the following details available:
• Microsoft Windows and Service Pack versions
• Network type
• Computer brand, model, and any additional hardware connected to your computer
• Amount of memory and free hard disk space on your computer
• Detailed description of the install environment
• Exact text of any error message given
• Steps to reproduce the problem

Contacting Trend Micro

Sending Suspicious Files to Trend Micro
If you think you have an infected file but the scan engine does not detect it or cannot clean it, Trend Micro encourages you to send in the suspicious file. You can also send Trend Micro the URL of any Web site you suspect of being a phish site or other so-called "disease vector" (the intentional source of Internet threats such as spyware and viruses).
• Send an email to virusresponse@trendmicro.com and specify "Phish or Disease Vector" as the Subject.
• Use the Web-based submission form: http://subwiz.trendmicro.com/subwiz

Documentation Feedback
Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please go to the following site: http://www.trendmicro.com/download/documentation/rating.asp

The Trend Micro Knowledge Base
The Trend Micro Knowledge Base, maintained at the Trend Micro Web site, has the most up-to-date answers to product questions. You can also use K
pears. Click Yes. Web Reputation removes the template from the Blacklist/Whitelist Wizard Template Management window.

Note: The Blacklist/Whitelist Wizard Delete feature only deletes the template from the Management list. It does not delete the Custom Task you created with the template. To completely remove the Blacklist/Whitelist template from your endpoints, follow the steps below.

To delete a custom task:
1. Select the name of the template you wish to delete in the My Custom Tasks list and right-click. The right-click menu appears.
2. Select Remove from the right-click menu. The Remove Task confirmation window appears.
3. Click OK. The Private Key Password window appears.
4. Enter your Private Key Password and click OK. A series of messages displays when the Custom Task is removed from the affected CPM clients and the List Panel.

Using Web Reputation

About Analyses
Web Reputation allows you to view detailed information about an endpoint or group of endpoints protected by Web Reputation. Use the Client Information analysis to view information about each endpoint protected by a CPM client. In the CMS Dashboard, click Reports > Web Reputation. The following Properties are available for each endpoint:
• WR Installation Date: The date Web Reputation was installed.
• Number of Web Threats Found: The number of Web threats encountered and recorded in the endpoint's storage file.
• Web Reputation Enabled/Disabled: T
puter with Administrator rights can disable Web Reputation.

Migrating WPM Standalone Settings
Some customers start with an evaluation copy of Web Reputation, called the Web Protection Module (WPM), before moving to CPM. You can migrate blacklists and whitelists created in the WPM standalone version to Web Reputation (WR) on CPM. The alternative is to create new lists in the WR wizard. In the wizard you can also import lists from a text file.

Note: Perform the migration before you unsubscribe from the WPM site. However, Trend Micro recommends that you do not stay subscribed to both sites and that you do not run both WPM and WR at the same time, either on the same endpoints or by having a mix of endpoints.

Procedures Overview
1. Migrate black and/or white lists from WPM standalone to CPM 1.6. See page 6-3.
2. Unsubscribe from the WPM site. See page 6-4.
3. Uninstall WPM standalone. See page 6-4.
4. Install or upgrade to CPM 1.6 clients on your endpoints. See page 6-4.
5. Enable Web Reputation. See page 6-5.
6. Redeploy your WPM policies to CPM clients. See page 6-5.
7. Configure new proxy settings for WR. See page 6-6.
8. Configure a default security level for new WR templates. See page 6-9.

To migrate black and/or white lists from WPM standalone to CPM 1.6:
1. In the CPM Dashboard, click Configuration > Web Reputation Blacklist/Whitelist > New Web Reputation Blacklist/Whit
r relevance to this IP address block. Clients not included in the block will either inherit the default configuration (which is not location-specific) or not be covered by any location property.
• Create a retrieved property that maps IP address range to location (only one range per line is supported; do not delimit multiple ranges).
• Create a retrieved property that uses a custom relevance expression and maps the result using a key/value set. See the ESP Administrator's Guide for more information.

Give the property a name that will clearly identify its purpose and click Next.

4. For each location, type the subnet address(es), click the Insert Tab button, and then type a name. Use only one IP/location pair per line, as shown in Figure 8-1. Create multiple lines for the same location if it uses multiple subnets.

[Screenshot (Figure 8-1): BES Location Property Wizard, Key/Value Pairs page. The page text reads: "Please provide Key/Value Pairs. Please enter one Key/Value pair per line according to sample pairs. Each key and value must be TAB delimited and please use the Insert Tab button below to insert a tab character. Invalid lines or pairs will be ignored and they will be displayed on next page." The sample pairs shown are:]
192.168.100.0   California
192.168.101.0   California
192.168.102.0   California
192.210.101.0   New York
10.210.132.0    Florida
10.155.173.1    Germany

The BES Clients with the key will re
relative to security, not whether a site may contain objectionable content.

Note: As you set the security level higher, the Web threat detection rate improves, but the likelihood of false positives also increases. You can override incorrect blocking by adding the URL to the whitelist. Likewise, you can force blocking of a site by adding it to the blacklist.

FIGURE 6-3 End users who visit a blocked site will see a message like this. [Screenshot of the Trend Micro Core Protection Module "URL Blocked" event page: it states that the URL you are attempting to access is a potential security risk and that Trend Micro Core Protection Module has blocked it in keeping with network security policy, shows the URL and a Risk Level of High, and gives a link for more information about the URL or to report it to Trend Micro for reclassification.]

URLs are scored on a security scale that runs from 0 to 100:
• Safe: Scores range from 81 to 100. Static and normal ratings. URLs are confirmed as secure; however, content may be anything, including objectionable content.
• Unknown: Score equals 71. Unknown ratings. These URLs are not included in the rating database.
• Suspicious: Scores range from 51 to 80. URLs that have been implicated in Phishing or Pharming attacks.
• Dangerous: Scores range from 0 to 49. Static and malicious ratings. URLs are confirmed as malicious, for example a known vector for spyware or viruses.

Security Levels range from hi
rewall policy. You can use the rules to quickly add commonly used UDP and TCP ports to your policy, for example those used for SMTP, FTP, and HTTP traffic.
• All Existing Rules: You can add, modify, or remove unused exception rules from the global list.

[Screenshot: Trend Micro Endpoint Security Platform Console, CPM Dashboard, Common Firewall Settings > Global Exception Rules panel, with Add Rule and Delete Rule buttons and a table of rules with the columns Rule Name, Action, Protocol, Port, and Direction. The individual rows are not recoverable from the extraction.]
rom treating whitelisted applications as spyware or grayware. For example, say you have a utility installed on clients that performs behavior that, under a different set of circumstances, would be malicious or dangerous. You can add that file to the whitelist to allow it to run. CPM will continue to detect the file as spyware, but it will not take the configured action.

Note: The Spyware/Grayware Approved list will only be populated, as seen in Figure 5-4, after you have downloaded at least one set of pattern files to the server.

FIGURE 5-4 [Screenshot: Spyware Whitelist Wizard in the CPM Dashboard, with the "Search spyware list" box, the full list of spyware/grayware pattern names, and the Spyware/Grayware Approved List. The individual entries are not recoverable from the extraction.]
rom any other policies if necessary.
6. Click the Create Firewall Policy Task button at the top of the screen.

Appendix B
Reference Tables

The reference tables included in this appendix include:
• Default ActiveAction Behaviors on page B-2
• Available Virus/Malware Scan Actions on page B-3
• Pattern and Scan Engine Files on page B-4
• Scan Action Results for Compressed Files on page B-6
• Default Firewall Global Exceptions on page B-7

Default ActiveAction Behaviors

VIRUS/MALWARE TYPE     | REAL-TIME SCAN: FIRST ACTION | REAL-TIME SCAN: SECOND ACTION | ON-DEMAND SCAN: FIRST ACTION | ON-DEMAND SCAN: SECOND ACTION
Joke program           | Quarantine  | N/A        | Quarantine | N/A
Trojan horse           | Quarantine  | N/A        | Quarantine | N/A
Virus                  | Clean       | Quarantine | Clean      | Quarantine
Test virus             | Deny Access | N/A        | Pass       | N/A
Packer                 | Quarantine  | N/A        | Quarantine | N/A
Others                 | Clean       | Quarantine | Clean      | Quarantine
Probable virus/malware | Pass        | N/A        | Pass       | N/A

CPM renames and then moves infected files to the following non-configurable directory on the client's computer: C:\Program Files\Trend Micro\Core Protection Module\Quarantine. If you need to access any of the quarantined files, you can access the directory using system administrator credentials and restore them using the VSEncrypt tool.

Reference Tables

Available Virus/Malware Scan Actions

SCAN ACTION | DESCRIPTION
De
roperty that will include all the computers you want to deploy this Action to.
• Execution: Set the time and retry behavior for the update (if any).
• Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur).
5. After selecting the computers to update, click OK and, when prompted, type your private key password and click OK.
6. In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is "Running" and then "Completed".
7. Close any open windows to return to the Dashboard view.

Show the CPM Icon on Endpoints
By default, the CPM agent running on your endpoints is in stealth mode: it is not visible to the end users, and they do not have any control over the settings. If you want users to know that CPM is running on their computer, however, you can display a CPM icon in the Windows taskbar. Users can right-click the icon to view basic information about the client in the Client Dashboard, including recent detections and the CPM client version. When displayed, the CPM icon also includes a hidden "Technical" mode that Support or the CPM administrator can use to see a variety of information, including a list of Fixlets that are relevant on that computer (useful, for example, to help understand and troubleshoot a client-side issue). After deploying the Task as described in the procedure CPM Clients In
roubleshooting Task in the Dashboard to reboot the endpoints identified here.
• Not Installed: The endpoint is eligible for a CPM client, but the client has not been deployed. As such, there is no CPM information available for that endpoint.
• Conflicting product: The CPM client is not installed because ESP has detected one or more incompatible programs. Run the existing Uninstall Task(s) on the endpoints or, if a Task is not available for that particular program, uninstall it manually.
• Ineligible hardware: CPM client is not installed. See System Requirements starting on page 3-14.
• Ineligible software: CPM client is not installed. See System Requirements starting on page 3-14.
• Improper service status: One or more client services for the ESP Agent or CPM client on the endpoint are not reporting. The service(s) likely need to be restarted. Services include the BES Client and BES FillDB.
• Unknown: The ESP Agent is installed on the endpoint, but there is no information about the CPM client. The CPM client may not be installed, or the endpoint may be offline.
• N/A: The computer(s) are not relevant to any Fixlet, Task, or Analyses in the CPM Site.

Configuration Wizards Reference

Global Scan Settings Wizard
The Global Scan Settings Wizard page contains sections for setting the following parameters:
• Scan Settings on page 5-3
• Virus/Malware Scan Settings Only on page 5-4
• Spyware/Grayware Scan Settings Only on page 5-4
• Reserved Disk
rporate Internet connections.
• Execution: Schedule the time and duration of the cloud updates, as well as the retry behavior. This setting can be very useful for cloud updates.
• Users: Select the computers you want to convert to cloud updates by User. This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur).
Click OK when finished and then, when prompted, type your private key password and click OK.
In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is "Running" and then "Completed".
Close any open windows to return to the Dashboard view.

Use a Previous Pattern File Version
Problems with the scan engine and/or pattern files are very uncommon. However, if a problem does occur, it is likely to be due either to file corruption or to false positives (incorrect detection of malware in non-problematic files). If a problem does arise, you can deploy an Action to affected endpoints that will delete the file(s) in question and replace them with a different version. This action is called a pattern rollback, and you can roll back all or selected pattern files. By default, the CPM server keeps 15 previous versions of the pattern and engine file for rollbacks (set this at the bottom of the Server Settings Wizard: Configuration > ActiveUpdate Server Settings > Change ActiveUpdate Server Settings). There are
rport. The appropriate policy will automatically be applied as the end user changes location.

The firewall configuration is not available from the ESP Console by default; you need to add the firewall site before the Wizard will appear in the CPM Dashboard. Firewall policies are automatically enabled and active when you deploy them to the endpoints. There are no installation steps required.

Several examples of the firewall's versatility are worth pointing out. Procedures for each appear later in this chapter.
• Uniform security: You can create a policy, apply it to all your endpoints, enable one or more of the global exceptions, and then deploy the policy to all your endpoints in just a few minutes.
• Targeted security: You can create multiple policies, each with a different set of ports enabled, and then use different Tasks to selectively target the different policies to different endpoints.
• Smart, flexible security: You can create two policies, each with different rules, and create two Tasks, each of which deploys one of the policies to the same endpoints. By attaching a different Location Property to each Task prior to deployment, the targeted endpoints will receive both policies. Whenever conditions on an endpoint change to those set for one of the Locations, the policy in effect for that endpoint will also change. In this way you can create different policies for the same computer, and they will automatically adapt to different conditio
rting features, including graphical representations and drill-down granularity. The Health Monitor provides a quick summary showing you the overall condition of CPM clients on the network.

FIGURE 5-1 The Health Monitor provides a quick overview of endpoint statuses and can serve as an impetus to Troubleshooting. [Screenshot of the ESP Console CPM Dashboard Health Monitor with its status charts; the chart labels are not recoverable from the extraction.]

Available health status:
• Healthy: Computers are considered healthy if they are relevant to at least one Fixlet, Task, or Analysis in the CPM site and are using the current pattern files.
• Restart needed: Identifies endpoints that must be rebooted before a pending Action can be completed. Use the T
rty rather than by list. Targeting by property does not require that any computers appear as relevant; instead, you can use logic such as "Install on all XP computers in California that are part of the User group".

CPM Console and Client System Requirements
A complete list of system requirements can be found in System Requirements starting on page 3-14. For information on ESP Server and ESP Console requirements, refer to the Trend Micro Endpoint Security Platform Administrator's Guide.

Compatibility with Trend Micro OfficeScan
Trend Micro CPM is intended to replace OfficeScan clients with CPM clients, which can be managed using the scalability and flexibility of the ESP Console. Before deploying CPM clients, you should use the native OfficeScan uninstall program to remove all installed OfficeScan clients and then reboot them.

Incompatible or Conflicting Programs
For a complete list of incompatible or conflicting programs, see Conflicting or Incompatible Programs starting on page 3-26. Below is a short list of software that you should remove from the endpoints before deploying the CPM client:
• Trend Micro OfficeScan and Trend Micro PC-cillin
• AntiVirus software, including Symantec AntiVirus, McAfee VirusScan, Sophos Antivirus, and eTrust Antivirus

CPM Clients: Installing and Updating

Overview of Deployment Steps
1. Assess endpoint readiness
2. Remove conflicting products
3. Deploy CPM clients
4. Check the dep
rus products, or add them to the scan exclusion list.

Note: If you are running Trend Micro ScanMail for Exchange, you can configure CPM to exclude Microsoft Exchange 2000/2003 directories from On-Demand and Real-time Scans. For Microsoft Exchange 2007, you need to manually add the directory to the scan exclusion list. For more information, see http://technet.microsoft.com/en-us/library/bb332342

Scan Action Tab

Virus/Malware Action
The default scan action CPM performs depends on the virus/malware type and the scan type that detected the virus/malware. For example, because Trojan horse programs cannot be cleaned (there is no virus code to remove from an infected file), the default action is to Quarantine them. The default action for viruses, however, is to clean them. If that fails, the backup action is to quarantine them.

Note: Quarantining files. You can have CPM quarantine any harmful files that it detects. These files will be encrypted and moved to a directory on the endpoint that prevents users from opening them and spreading the virus/malware to other computers in the network. Trend Micro provides a tool for decrypting quarantined files called VSEncode.exe. See "To decrypt quarantined files" on page A-6 for more information.

• Use ActiveAction: ActiveAction is a set of pre-configured scan actions for specific types of viruses/malware. Trend Micro recommends using ActiveAction if you are not sure which scan action is suitable f
rus using the following parameters:
  (no parameter)  Encrypt files in the Suspect folder
  /d              Decrypt files in the Suspect folder
  /debug          Create debug log and output in the client temp folder
  /o              Overwrite encrypted or decrypted file if it already exists
  <filename>      Encrypt or decrypt a single file
  /nr             Do not restore original file name

To deploy CPM clients:
1. Click Deployment > Install.
2. Click Install CPM Endpoints.

Routine CPM Tasks: Quick Lists

To remove CPM clients:
To uninstall CPM, you first remove all the CPM clients installed on the endpoints and then the CPM server components from the ESP Server and any Relays, including the mastheads.
1. From the main ESP Console menu, open the Tasks tab and then click All Tasks > By Site > Trend Core Protection Module.
2. Locate "Core Protection Module - Endpoint Uninstall" in the list of Actions that appears and double-click it to open the Description.

To enable the Client Console:
1. Go to Configuration > Global Settings > New Global Settings Task.
2. Scroll down to the Client Console Settings.
3. Check the appropriate check boxes:
   • Click "Enable system tray icon" to display the icon used to access the client console on the relevant endpoints.
   • Click "Enable the manual scan in the Windows Explorer context menu" to allow initiating a manual scan from Windows Explorer.
4. Click the Create Global Scan Settings Configure Task button. The Edit Task
rver 1.0.3 or later (Server Edition)
• VMware Workstation and Workstation ACE Edition 6.0
• Microsoft Windows Server 2008 64-bit Hyper-V environment

Hardware
Processor:
• Intel x64 processor
• AMD64 processor
RAM: 512MB recommended
Available disk space: 700MB recommended
Others: Monitor that supports 800 x 600 resolution at 256 colors

CPM Clients: Installing and Updating

TABLE 3-4 Windows Vista (32-bit and 64-bit versions)

RESOURCE: Operating system
REQUIREMENT:
• Windows Vista Business Edition with Service Pack 1 or later
• Windows Vista Enterprise Edition with Service Pack 1 or later
• Windows Vista Ultimate Edition with Service Pack 1 or later
• Windows Vista Home Premium Edition with Service Pack 1 or later
• Windows Vista Home Basic Edition with Service Pack 1 or later
CPM supports client installation on guest Windows Vista operating systems hosted on the following virtualization applications:
• VMware ESX/ESXi Server 3.0 or 3.5 (Server Edition)
• VMware Server 1.0.3 or later (Server Edition)
• VMware Workstation and Workstation ACE Edition 6.0
• Microsoft Windows Server 2008 64-bit Hyper-V environment

TABLE 3-4 Windows Vista (32-bit and 64-bit versions) (Continued)

RESOURCE: Hardware
REQUIREMENT:
Processor:
• 800MHz Intel Pentium or equivalent
• AMD64 or Intel 64 processor architectures
s and select the Trend Micro Common Firewall. The Remove Site button becomes enabled.
Click Remove Site and then the OK button.
Type your private key password and then click OK to remove the firewall components.

Chapter 8
Setting Up and Using Locations

This chapter has information about creating locations, tasks related to the locations, and how to use locations. Topics in this chapter include:
• Overview on page 8-2
• Creating Locations on page 8-2
• Creating Location-Specific Tasks on page 8-5
• How Location Properties Work on page 8-6
• To create a location property on page 8-3

Overview
You can have ESP apply different CPM security configuration on the basis of the client's current geographical location. For example, say an organization has offices in California, New York, and Germany, and that travel between offices is not uncommon. In California and New York, the corporate security policy requires that suspicious files be quarantined. In Germany, such files must be deleted. In locations other than California or Germany, incidents should be logged but no action taken. You can accommodate all these regulations by creating Location Properties. In short, a client can disconnect from the corporate network in California one day and reconnect in Germany the next, and his computer will automatically pick up th
s
• Avoid running the Assessment Mode for long periods, because spyware/grayware will not be removed. Instead, use it for periodic evaluations.
• If unsure of the risk posed by a detected file, send it to Trend Micro for analysis.

Scan for cookies: Select this option to have CPM scan and evaluate cookies.
• Count cookies into spyware log: Disable this option to reduce the number of spyware logs that are generated.

Reserved Disk Space Settings
Reserve X MB of disk space for updates: Sets the amount of client disk space that will be saved for CPM pattern files, scan engines, and program updates.

Client Console Settings
Enable system tray icon: Displays the icon used to access the client console on the relevant endpoints.
Enable manual scan shortcut in Windows Explorer context menu: Allows initiating a manual scan from Windows Explorer.

On-Demand & Real-Time Scan Settings Wizards

Note: When an end user initiates a Manual Scan from the CPM client console, the scan settings reflect the latest settings configured by the administrator for an On-Demand Scan. For example, an administrator might schedule an On-Demand Scan on every Thursday, 12:00 PM, that scans all file types. Then the administrator might run an On-Demand scan with different scan settings, maybe scanning only for EXE files, at 14:00 PM. If an end user runs a Manual Scan at 15:00 PM and the administrator has not change
s from the cloud. From the CPM Dashboard menu, click Updates > Other Update Tasks > Update From Cloud. The Task Description window opens.

To deploy selected pattern files:
By default, all pattern files are included when the pattern is deployed from the ESP Server to CPM clients. You can, however, select and deploy a subset of patterns.
1. From the CPM Dashboard menu, click Updates > Pattern Update Settings > New Pattern Update Settings Task.
2. In the list of components that appears, select those that you want to include in the pattern update. By default, all patterns are selected.
3. Click the Create Update Settings Task button in the upper right corner.

To revert to a previous version of the pattern files:
In the CPM Dashboard, click Updates > Update/Rollback Patterns > New Pattern Update/Rollback Task.

Routine CPM Tasks: Quick Lists

To re-enable updates following a rollback:
After a rollback, you must clear the rollback flag setting attached to patterns on your CPM clients to re-enable manual, cloud, and/or automatic pattern updates. The same holds true even for pattern files that were not included in the rollback.
1. In the CPM Dashboard, click Updates > Other Update Tasks > Clear Rollback Flag. The Task Description window opens.
2. Below Actions, click the hyperlink to open the Take Action window.
• In the Target tab, click "All computers with the property values selected in the tree lis
s of the Task, that is, whether the Action is Relevant or not. Relevance is determined by checking whether a given set of conditions is true for a particular endpoint. If all the conditions are true, the endpoint is designated as eligible for whatever Task, Fixlet, or Action did the checking.

Fixlets are a way of polling endpoints to see if they are Relevant for an Action. In other words, Fixlets make Actions in a Task possible when conditions are right. Fixlets can be grouped into Baselines to create a sequence of Fixlet Actions.

Offers are a way of obtaining end users' consent before taking an action.

Configure Global Settings
Global settings apply to all On-Demand and Real-Time scans. You can think of them as a superset, or background, against which all scan policies and associated Tasks are applied. Global settings also apply to both virus/malware and spyware/grayware.

Set your global configurations before creating any on-demand or real-time scans, then create and deploy a Task. You can also create multiple Global Settings Tasks, which are saved in the Dashboard, for example if you want to apply different scan policies to different endpoints according to location (see Chapter 8 for more information). In this case you need to be mindful about keeping each global setting aligned with its corresponding scan policy and its location.

Note: Avoid overlapping two Global Scans
s to confirm that the Action is "Running" and then "Completed". You do not have to wait for the task to complete before continuing.
6. Close any open windows to return to the Dashboard view.

Activate CPM Analyses
The Core Protection Module includes a number of Analyses that are used to collect statistics from target computers. Analyses data are used to display information, typically in Reports, about endpoint scan and configuration settings, server settings, and spyware and virus events. Analyses must be activated before they can be used.

To activate CPM analyses:
1. In the CPM Dashboard, click Analyses > CPM Server > <analysis name>. The Analysis Description tab opens.
2. Below the Description, click the hyperlink to activate the analysis.
3. Type your private key password and click OK.
4. Close any open windows to return to the Dashboard view.

Shortcut: You can activate all CPM analyses at once, thus avoiding the need to repeatedly type your private key password and click OK. You can activate the CPM client Analyses anytime before or after the CPM clients have been deployed.

To activate all CPM analyses:
1. In the ESP Console navigation pane, click the Analyses tab. A list of available analyses appears.

ESP Server: Installing and Updating

2. Click the Name column header to sort the analyses in alphabetical order, then scroll down the list and select all the Core Protection Module analyses.
3. Right-click the list
s will download and apply the new patterns immediately.

[Screenshot (Figure 2-8) of the Task Description, which reads: "Important Note: You should set this action to run as a policy with periodic reapplicability behavior. It is recommended you apply this Task with the following action parameters: never expire, run once an hour, retry up to 99 times on failure, reapply an unlimited number of times. If you do not set this action to run periodically, new pattern sets will not be available for deployment to your endpoints. When this action is run, the Core Protection Module server component will check to see if any new patterns have been published by Trend Micro; if there are new patterns, they will ..." followed by "Action: Click to check the TMAU Server for updates."]

FIGURE 2-8 Set the AU server pattern update interval and make it a policy.

4. Make this task a policy to allow the ESP server to check the Trend Micro ActiveUpdate servers periodically for new updates.

Note: You can set any parameters you want, but Trend Micro recommends the following settings:
a. Change the name of the action to "POLICY: Core Protection Module - Set ActiveUpdate Server Pattern Update Interval". This helps to distinguish the open action as a policy.
b. Change the Preset from Default to Policy.
c. On the Target tab, select the ESP server.
d. On the Execution tab, shown in Figure 2-9, make the following changes:
   i. Check "On failure, retry" and set it to 99 times.
   ii. S
se not included the first time will no longer appear in the list.

Editing existing rules: Modifications made to rules within a policy apply only to that policy, even if the rule is one of the Global Exception Rules.

Selecting exception rules: Select exceptions to include them in a policy.

Exception Rules Configuration

Add a custom exception rule to the firewall policy by clicking the Add button. Click an existing exception rule to open the rule for editing. The options are explained below.
• Name: The name you type here will appear in the Exception Rules list. Once saved, it cannot be changed. Use a name that makes the purpose of the rule clear.
• Action (Deny, Allow): Choose an action that contradicts the prevailing disposition of the policy as set by the Security Level.
• Protocol: Select TCP/UDP to affect all traffic on the port (the typical assumption). Otherwise, to block or allow a specific application, match the protocol and port.
• Direction: Inbound, Outbound, or both. Blocking inbound traffic, for example, can prevent unauthorized access to the endpoint, while blocking outbound traffic can be used to thwart malicious spyware or programs such as file sharing.

FIGURE (Exception Rule Configuration dialog): Name FTP DATA; Action Allow; Direction Inbound / Outbound / Bidirectional; Protocol TCP; Ports All ports or Range (Min, Max); buttons Save Rule and Cancel.
ses > CPM Endpoint > Global Client Settings. The Analysis window opens.
2. Under Actions, click the link to activate the analysis, then type your private key password and click OK when prompted.
3. In the Take Action window that opens, click OK to deploy the configuration to all relevant CPM clients (by default, that is all CPM clients).

Core Protection Module - Endpoint Protection Assessment Valid Until: <none>
Clean Compressed Files: False
Configure Scan Settings for Large Compressed Files: True
Configure Scan Settings - Do not scan if file > X MB: 2
Configure Scan Settings - Stop scanning if > X virus in a compressed file: 100
Count Cookies into Spyware Log: <none>
Enable Scan for Cookies: False
Enable Spyware/Grayware Assessment Mode: False
Exclude Microsoft Exchange Server Folders from Scanning: True
Reserve X MB of Disk Space for Updates: 60
Scan Up to X OLE Layer(s): 3
FIGURE 4-3. This screen shows an example Global Settings Analysis.

Configure and Run Malware Scans

CPM provides two types of malware scans: On-Demand and Real-Time. In addition, you can schedule On-Demand scans to recur automatically. You can apply the same scan to all endpoints, or create different scan configurations and apply them to different sets of endpoints based on whatever criteria you choose. Users can be notified before a scheduled or on-demand scan runs, but do not explic
sions available. Trend Micro releases new engines under the following circumstances:
• Incorporation of new scanning and detection technologies into the software
• Discovery of new, potentially harmful malware unhandled by the current engine
• Enhancement of the scanning performance
• Addition of file formats, scripting languages, encoding, and compression formats

Trend Micro Damage Cleanup Services

CPM uses Trend Micro Damage Cleanup Services (DCS) to clean computers of file-based and network viruses, plus virus and worm remnants (Trojans, registry entries, viral files), through a fully automated process. DCS:
• Detects and removes live Trojans
• Kills processes that Trojans create
• Repairs system files that Trojans modify
• Deletes files and applications that Trojans drop
Because DCS runs automatically in the background, you do not need to configure it. Users are not even aware when it runs.

GeneriClean

Also known as referential cleaning, GeneriClean is a new way of removing viruses/malware without the availability of virus cleanup components. Using a detected file as the basis, GeneriClean determines whether the detected file has a corresponding process or service in memory and a registry entry, and then removes them altogether.

Rootkit Detection

CPM also detects and removes rootkits. Currently on the rise, rootkits corrupt regular operating system functions that application programs ass
sole information. For related information, see:
• ESP 7.2 Administrator's Guide: Contains deployment strategies, installation instructions, and common configuration tasks.
• ESP 7.2 Console Operator's Guide: Contains information for using the ESP Console to administer protected endpoints.

Feedback

Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at docs@trendmicro.com. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp

Contents

Chapter 1: Introducing Core Protection Module
Overview ... 1-2
What's New in CPM Version 1.6 ... 1-2
How CPM Works ... 1-2
ESP Components ... 1-3
Features and Benefits ... 1-4
Ease of Management ... 1-4
Extended Platform Support ... 1-5
Superior Malware Protection ... 1-5
Web Reputation Technology ... 1-5
Client-Side Firewall (Optional) ... 1-6
Traffic Filtering ... 1-6
Customizable Profiles and Policies ... 1-6
Stateful Inspection ... 1-6
The Trend Micro Pattern Files and Scan Engine ... 1-7
Incremental Virus Pattern File Updates ... 1-7
How Scanning Works ... 1-7
The Trend Micro Scan Engine a
stall_path\download. From the CPM Dashboard, run the Check Server for Pattern Updates Task.

Client-Side Logging (ActiveUpdate)
1. On the CPM server, create (or locate) and open the following text file: <CPM_SERVER_INSTALL_FOLDER>\bin\aucfg.ini
2. Add or change the following parameter: debug level 1
3. Save and close the file. Log output will be saved here: <CPM_SERVER_INSTALL_FOLDER>\Bin\AU_Data\AU_Log\TmuDump.txt

Additional Files
• Create a manifest file and list of URLs by typing the following at a command prompt: TMCPMAuUpdater -pu -m Manifest -f urllist
• Check the file server.ini in the following location: <CPM_INSTALL_FOLDER>\Web\officescan\download

Firewall Troubleshooting

The best tool for understanding and troubleshooting the Trend Micro Common Firewall in CPM is a port scanner. Many are available; use your favorite, or try Nmap from nmap.org.

General
1. Disable third-party firewalls or other conflicting products.
2. Check that you are running CPM version 1.6. In the ESP Console, select the Analysis Core Protection Module - Endpoint Information. Upgrade endpoints as necessary by running the Task Core Protection Module - Update Endpoint.
3. Confirm that the firewall is enabled. In the ESP Console, select the Analysis Common Firewall - Endpoint Firewall Setting.
4. Check the Action History for Tasks already run, especially if you are using a
stalling and Updating, below. Simultaneously press the following keys on the client's keyboard to display the Technical mode screen: Ctrl+Alt+Shift+T

To show a CPM icon on your endpoints' taskbars:
1. In the CPM Dashboard, click Tasks > Enable Client Dashboard. The Task Description opens.
2. Below Actions, click the hyperlink to open the Take Action window.
3. In the Target tab that opens, click All computers with the property values selected in the tree list below, and then choose a property that will include all the computers you want to deploy this Action to.
   • Execution: Do not select a retry behavior.
   • Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur).
4. When finished, click OK to initiate the action, type your private key password, and click OK.
5. In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is Running and then Completed.
6. Close any open windows to return to the Dashboard view.

Removing CPM Clients

To uninstall CPM from the ESP Server, you first remove all the CPM clients deployed to the endpoints, then remove the CPM server components from the server, including any mastheads. You can do the former by running the Endpoint Uninstall Task.

To uninstall CPM clients from one or more endpoints:
1. From the CPM Dashboard menu, click Deployment > Uninstall >
stom Task generation process, or select it by right-clicking the name of an existing Custom Task and selecting Edit. The Edit Task window consists of four tabs:
• Description: Use the Description tab to modify the task name, title, and description.
• Actions: Use the Actions tab to view or change the Action this Custom Task performs. For example, use this window to add or remove blacklisted or whitelisted URLs from the presented Action Script.
• Relevance: Use the Relevance tab to view and modify the relevance for a Custom Task. By default, the relevance for the blacklist or whitelist is static; its purpose is to detect endpoints for Web Reputation.
• Properties: Use the Properties tab to view and modify the properties for this custom task.
When you have finished making modifications, click OK. When the Private Key Password window appears, enter your password and click OK again. The edited Blacklist/Whitelist template appears.

To delete a template

Follow the steps below to delete an existing blacklist or whitelist template from the Wizard's Template list.
1. Click Configuration > Web Reputation Blacklist/Whitelist > Web Reputation Blacklist/Whitelist Task to open the Web Reputation Blacklist/Whitelist Wizard.
2. Select the name of the blacklist or whitelist template you want to delete and click Delete. The Delete window ap
sure only the following option is enabled: Reapply this action whenever it becomes relevant again.

FIGURE 7-5 (Take Action window, Execution tab): tabs Preset, Target, Execution, Users, Messages, Offer, Post-Action, Applicability, Success Criteria, Action Script. Constraints: Starts on / Ends on (date and time, client local time); Run between (times, client local time); Run only on (days of the week); Run only when Active Directory Path. Behavior: On failure, retry N times, wait N between attempts; Reapply this action whenever it becomes relevant again (selected); Limit to N reapplications; Distribute over N minutes to reduce network load; Run all member actions of action group regardless of errors.
FIGURE 7-5. Choose Reapply this action so the endpoint Agent will always monitor its IP address relative to the firewall policies in the Task.

10. Click OK and, when prompted, type your private key password and click OK.
11. In the Action Summary window that opens, check the Status and Count after a few minutes to confirm that the Action is Running and then Completed.
12. Close any open windows to return to the Dashboard view.

Global Exception Rules

The list of 30 or so default global exception rules appears whenever you create a new fi
t, in the Whitelist pane, enter or copy/paste the URLs you want your users to be able to access without restriction. You may enter up to 499 URLs per template. You also must have http before each URL entry. To grant access to all the pages on a site, enter the name of the domain followed by
   Example: http://www.goodURL.com
6. When you are finished creating your template, click Save. The Blacklist/Whitelist Templates window returns.
7. Click the Create Task From Template button. The Edit Task window opens.
8. Click OK, type your Private Key Password, and click OK. A Task window appears.
9. Click the hyperlink in the Actions window. The Take Action window opens.
10. Select the computer or computers in the window to which you want to deploy your Blacklist/Whitelist template, and set any desired options.
    Note: For more information about setting options using the tabs in the Take Action window, see the BigFix Console Operator's Guide.
11. When you have finished selecting options, click OK.
12. Enter your Private Key Password and click OK. An Action window appears in which you can track the progress as BES deploys your Blacklist/Whitelist template to your endpoints. After deployment, the status shows Completed.

Importing Lists of Web Sites

Web Reputation allows you to import URLs for new Blacklist and Whitelist templates from newline-delimited files
t-Action, Applicability, Success Criteria, Action Script.

FIGURE (Take Action window, Target tab): options All computers with the property values selected in the tree below, and The computers specified in the list of names below (one per line). Retrieved properties tree: By Computer Name, By OS, By CPU, By Last Report Time, By Locked, By BES Relay Selection Method, By Relay, By User Name, By RAM, By Free Space on System Drive, By Total Size of System Drive, By Subnet Address, By Swenson's Location By Subnet, By Group. Status text: This action will be targeted at all computers with the retrieved property values selected on the left. There are currently 1 computers with the selected property values. Any computers that change to match the selected property values while the action is open will be targeted as well. This action will end 6/24/2009 9:09:32 PM client local time. See the Constraints tab for more details.

to the network. Taking Action on the basis of computer properties means the action will automatically be applied whenever the property becomes true (e.g., a new computer is added).
• Execution: Set the deployment time and retry behavior, if any.
• Users: This option works in combination with Target, linked by the AND operand (both conditions must be present for the install to occur).
• Messages: Configure these options to passively notify the user that the install is going to occur, or to ask users
t below, and then choose a property that will include all the computers you want to deploy this Action to.
• Click OK and then, when prompted, type your private key password and click OK.

To update pattern files on the CPM server:
1. Configure the ActiveUpdate server and proxy settings: In the CPM Dashboard, click Configuration > ActiveUpdate Server Settings > Change ActiveUpdate Server Settings.
2. Enable CPM Server updates: Open the Fixlet Messages tab > All Fixlet Messages > Core Protection Module - Enable Automatic Updates - Server.
3. Update the pattern file on the CPM server: In the CPM Dashboard, click Deployment > Install > Set ActiveUpdate Server Pattern Update Interval.

To update pattern files on the CPM clients:
1. Enable CPM clients to receive automatic pattern updates (this is typically a one-time Task): Click Updates > Automatic Update Tasks > Enable Automatic Updates - Endpoint.
2. Schedule and apply automatic pattern file updates: Click Updates > Automatic Update Tasks > Apply Automatic Updates.
3. Manually update CPM clients with the latest pattern files: Click Updates > Update/Rollback Patterns > New Pattern Update/Rollback Task.

Web Reputation

The steps below are for experienced ESP administrators who just need a list of the tasks involved in Web Reputation.

To enable Web Reputation: In the CPM Dashboard, click T
t sector of a partition or a disk.
• COM and EXE file infector: An executable program with a .com or .exe extension.
• Joke program: A virus-like program that often manipulates the appearance of things on a computer monitor.

Guarding Against Spyware/Grayware and Other Threats

There are many steps you can take to prevent the installation of spyware/grayware on your computers. Trend Micro suggests the following:
• Configure On-Demand, Real-Time, and Scheduled On-Demand Scans to find and remove spyware/grayware files and applications.
• Educate your client users to do the following:
  • Read the End User License Agreement (EULA) and included documentation of applications they download and install on their computers.
  • Click No to any message asking for authorization to download and install software, unless client users are certain that both the creator of the software and the Web site they are viewing are trustworthy.
  • Disregard unsolicited commercial email (spam), especially if the spam asks users to click a button or hyperlink.
• Configure Web browser settings that ensure a strict level of security. Trend Micro recommends requiring Web browsers to prompt users before installing ActiveX controls.
• If using Microsoft Outlook, configure the security settings so that Outlook does not automatically download HTML items, such as pictures sent in spam messages.
• Do not allow the use of peer-to-peer file-sharin
t updates. If there is a proxy server between the ESP Server and the Internet, you need to identify it and provide any required logon credentials. The proxy server you identify here is not inherited for use by other CPM components, including the client settings for Web Reputation; that is a separate configuration. Likewise, if you have configured a proxy to enable the BESGather service (typically identified during install), those settings will not be inherited for pattern updates, even if the same proxy is being used.

In the procedures below, you will configure CPM to get pattern updates, apply the configuration to the ESP server, run a script to set the environment, and then configure and deploy the pattern update. These steps typically only need to be performed once.

To configure a proxy server and an update location:
1. In the CPM Dashboard, click Configuration > ActiveUpdate Server Settings > Change ActiveUpdate Server Settings to open the Server Settings Wizard.
2. Under Source, choose Trend Micro's ActiveUpdate Server. See ActiveUpdate Server Settings Wizard on page 5-13 for information about all the configuration choices available on this page.
3. Under Proxy, click Use a proxy server for pattern and engine updates and provide the following (there is no validation checking, so be sure of the settings you configure here):
   • Proxy Protocol: Choose the option that reflects your pro
tation. By creating multiple tasks, you can apply different sets of Blacklist and Whitelist templates to different users or groups of users. You can perform the following tasks:
• Create and deploy a new Blacklist/Whitelist Template
• Create and deploy a new Blacklist/Whitelist Template by importing an existing list
• View an existing Blacklist/Whitelist Template
• Copy a Blacklist/Whitelist Template
• Copy and edit a Blacklist/Whitelist Template
• Delete a Blacklist/Whitelist Template

Creating and Deploying a New Template

To create a new Blacklist/Whitelist Template:
1. In the CPM Dashboard, click Configuration > Web Reputation Blacklist/Whitelist > New Web Reputation Blacklist/Whitelist Task. The Web Reputation Blacklist/Whitelist Wizard window opens, showing a list of your currently available templates.
2. Click Add Template. The Blacklist/Whitelist Template - Add Template page opens.
3. Enter a name for your template in the Template Name field.
4. In the Blacklist pane, enter or copy/paste the URLs you want to block. You may enter up to 500 URLs. You also must have http before each URL entry. To block all the pages for a site, enter the name of the domain followed by
   Example: http://www.badURL.com
   Note: You can include up to 500 URLs in a single template and can create multiple templates for use. However, only one template can be active on an endpoint at the same time.
5. To enter a Whitelis
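The template rules above (every entry must begin with http; at most 500 blacklist or 499 whitelist entries per template) and the newline-delimited import described under Importing Lists of Web Sites are easy to get wrong by hand, and the Edit Task window's Actions tab expects you to know exactly which URLs to add or remove. The following is an added example, not Trend Micro code and not part of this guide: a validator that reads a newline-delimited list the way an importer would, reports each rejected line with a reason, enforces the per-template cap, and diffs a proposed list against an existing template. The rejection reasons, the treatment of blank lines and the sample list are assumptions made for this example; the wildcard convention for whole-site entries is not preserved in this extract and is not modelled here.

```python
# Added example (not Trend Micro code): validate a newline-delimited URL list
# for a CPM Blacklist/Whitelist template using the limits the guide states.
# Rejection reasons, blank-line handling and the sample list are assumptions.
from typing import List, Set, Tuple

BLACKLIST_LIMIT = 500   # stated in the guide
WHITELIST_LIMIT = 499   # stated in the guide

Rejection = Tuple[int, str, str]   # (line number, entry, reason)


def parse_url_list(text: str, limit: int) -> Tuple[List[str], List[Rejection]]:
    """Split a newline-delimited list, validate each entry and enforce the
    per-template cap. Returns (accepted, rejected); rejected items carry the
    line number so the offending line in the import file can be fixed."""
    accepted: List[str] = []
    rejected: List[Rejection] = []
    seen: Set[str] = set()
    for number, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:                                   # assumption: blank lines ignored
            continue
        if not entry.lower().startswith("http"):        # guide: http required before each URL
            rejected.append((number, entry, "entry must start with http"))
        elif any(ch.isspace() for ch in entry):         # one URL per line, no embedded spaces
            rejected.append((number, entry, "entry contains whitespace"))
        elif entry in seen:
            rejected.append((number, entry, "duplicate entry"))
        elif len(accepted) >= limit:                    # 500 blacklist / 499 whitelist
            rejected.append((number, entry, f"template limit of {limit} entries reached"))
        else:
            seen.add(entry)
            accepted.append(entry)
    return accepted, rejected


def template_changes(current: List[str], proposed: List[str]) -> Tuple[List[str], List[str]]:
    """Compare an existing template with a proposed list: the URLs the edited
    Action Script must add and the URLs it must remove."""
    cur, new = set(current), set(proposed)
    return sorted(new - cur), sorted(cur - new)


# Constructed sample import file (not from the guide).
SAMPLE_BLACKLIST = """\
http://www.badURL.com
www.missing-scheme.example
http://www.badURL.com
https://tracker.example/path with space
https://tracker.example/beacon

"""

if __name__ == "__main__":
    ok, bad = parse_url_list(SAMPLE_BLACKLIST, BLACKLIST_LIMIT)
    print(ok)   # ['http://www.badURL.com', 'https://tracker.example/beacon']
    for line, entry, reason in bad:
        print(f"line {line}: {reason}: {entry}")
```

Run the validator against a list before pasting it into the wizard; because only one template is active on an endpoint at a time, a list that exceeds the cap has to be trimmed rather than split, and the reported line numbers show which entries to drop.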
te CPM clients with the latest pattern files.

Update Pattern Files on the CPM Client

Before performing the client update procedures below, be sure that you have updated the pattern files on the CPM Server and that you have enabled that server to perform automatic updates. See Upgrading CPM from Version 1.0 to Version 1.6 on page 2-5 for details. Trend Micro recommends that you perform the first full pattern file update on a small number of CPM clients, then repeat the procedure on an expanded scope as you become more familiar with the procedures.

To enable CPM clients to receive automatic pattern updates:
1. In the CPM Dashboard, click Updates > Automatic Update Tasks > Enable Automatic Updates - Endpoint. The Fixlet Description tab opens.
2. Below Actions, click the hyperlink to open the Take Action window.

FIGURE (Trend Micro Endpoint Security Platform Console, CPM Dashboard): menu bar File, Edit, View, Tools, Dashboards, Wizards, Window, Help, Debug; Fixlet Messages tree with All Relevant Fixlet Messages (5), All Relevant On Unlocked Computers (5), All Fixlet Messages (229), My Custom Fixlet Messages (1), Locally Hidden Fixlet Messages (0), Globally Hidden Fixlet Messages (0), Non-Master Operator Fixlet Messages; tabs Fixlet Messages, Tasks, Baselines, Actions, Computers, Computer Groups, Analyses, Console Operators, Fixlet Reports; Core Protectio
termined by the population of endpoints that remains after configuring the Task and Action. This is important because it means that simply including an IP address in a firewall policy does not mean that the IP address will receive the policy. The list below shows the order of inheritance:
• The Task defines the population within which the Action can occur.
• The Action defines the population within which IP addresses defined in the policy can occur.
• The Policy sets the population of IP addresses available for the Task.

Knowing exactly which endpoints will ultimately receive your policy can be complex. Which endpoints receive a policy depends on:
1. The Policy List. Only one policy will ever be in effect for a given client at a given time. The policy in effect is the first policy on the policy list that contains the IP address of a targeted endpoint. This condition makes the order of policies in the Policy List significant. Evaluation occurs from the top down and stops once a policy has been found that applies to an endpoint's IP address. Always put policies that specify fewer than All Possible IPs above those that specify all IP addresses (which is typically most, if not all, policies). If you do not, the policy that includes specific IP addresses will never be applied.

FIGURE (Trend Micro Endpoint Security Platform Console, CPM Dashboard): menu bar File, Edit, View, Tools, Dash
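Two of the rules stated on this page are easy to violate silently: a narrower policy placed below an All Possible IPs policy is never reached, and an exception rule only matters if its protocol, direction and port actually match the traffic. The following is an added example, not Trend Micro code and not part of this guide: a small model of the Common Firewall's policy selection (first policy in list order whose IP list contains the endpoint wins) and of exception rules overriding the Security Level inside the chosen policy, as described here and under Exception Rules Configuration, plus a lint that reports policies shadowed by an earlier catch-all. The data shapes, the sample policies and rules, the use of 0.0.0.0/0 to stand for All Possible IPs, and the treatment of the ESP port 52311 as TCP/UDP inbound are assumptions made for this example.

```python
# Added example (not Trend Micro code): a model of how the CPM Common Firewall
# selects a policy for an endpoint and how exception rules override the
# policy's Security Level, following the guide's description. The data shapes,
# the sample policies/rules and the "0.0.0.0/0 means All Possible IPs"
# convention are assumptions made for this example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ALL_IPS = ip_network("0.0.0.0/0")  # stands in for "All Possible IPs"


@dataclass(frozen=True)
class ExceptionRule:
    name: str
    action: str                                # "Allow" or "Deny"; contradicts the policy default
    protocol: str                              # "TCP", "UDP" or "TCP/UDP"
    direction: str                             # "Inbound", "Outbound" or "Bidirectional"
    ports: Optional[Tuple[int, int]] = None    # None = all ports, else (min, max)

    def matches(self, proto: str, direction: str, port: int) -> bool:
        if self.protocol != "TCP/UDP" and self.protocol != proto:
            return False
        if self.direction != "Bidirectional" and self.direction != direction:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True


@dataclass
class Policy:
    name: str
    default_action: str                        # prevailing disposition set by the Security Level
    targets: List                              # IP networks the policy lists
    exceptions: List[ExceptionRule] = field(default_factory=list)

    def covers(self, ip) -> bool:
        return any(ip in net for net in self.targets)

    def verdict(self, proto: str, direction: str, port: int) -> str:
        # First matching exception wins; otherwise the Security Level applies.
        for rule in self.exceptions:
            if rule.matches(proto, direction, port):
                return rule.action
        return self.default_action


def select_policy(policies: List[Policy], endpoint_ip: str) -> Optional[Policy]:
    """Top-down evaluation: the first policy whose IP list contains the
    endpoint's address is the only one in effect for that endpoint."""
    ip = ip_address(endpoint_ip)
    for policy in policies:
        if policy.covers(ip):
            return policy
    return None


def shadowed_policies(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Lint the Policy List: report every policy that can never apply because
    an earlier policy already covers all of the addresses it targets."""
    hits = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if all(any(t.subnet_of(e) for e in earlier.targets) for t in later.targets):
                hits.append((later.name, earlier.name))
                break
    return hits


# Constructed sample data. Port 52311 is the ESP server-to-endpoint port named
# in the guide; treating it as TCP/UDP inbound is an assumption.
SERVERS = Policy(
    "Servers", "Deny", [ip_network("10.0.5.0/24")],
    [ExceptionRule("ESP agent", "Allow", "TCP/UDP", "Inbound", (52311, 52311)),
     ExceptionRule("RDP from admins", "Allow", "TCP", "Inbound", (3389, 3389))],
)
EVERYONE = Policy(
    "All endpoints", "Deny", [ALL_IPS],
    [ExceptionRule("ESP agent", "Allow", "TCP/UDP", "Inbound", (52311, 52311))],
)
WRONG_ORDER = [EVERYONE, SERVERS]   # catch-all first: "Servers" is never reached
RIGHT_ORDER = [SERVERS, EVERYONE]   # narrower policy above the catch-all

if __name__ == "__main__":
    print("shadowed:", shadowed_policies(WRONG_ORDER))          # [('Servers', 'All endpoints')]
    chosen = select_policy(RIGHT_ORDER, "10.0.5.7")
    print(chosen.name, chosen.verdict("TCP", "Inbound", 3389))  # Servers Allow
```

The shadow check is the part worth keeping: run it over the Policy List whenever a policy is added or reordered, and treat any hit as a misconfiguration, because the shadowed policy's exception rules will never take effect on the endpoints it was written for.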
tions.
FIGURE 7-1. Add the firewall site to make it available in the ESP console.
3. Click OK and, when prompted, type your private key password and click OK. The ESP Server will begin gathering the files and content associated with the masthead you added and install them on the server.

Remove Conflicting Firewalls

You should only deploy the CPM firewall on endpoints that do not have another firewall installed, regardless of whether that firewall is active (for example, the driver and services may continue to load although no firewall policies are in place). If the endpoints to be protected already have a firewall such as Windows Firewall installed, you need to open port 52311 to allow the ESP server to communicate with the endpoint before enabling the CPM firewall. CPM provides a Fixlet for disabling the Windows Firewall. For other firewalls, you can use the same program that was used to install it to uninstall it, or create a custom Fixlet.

To disable the Windows firewall:
1. In the CPM Dashboard, click Troubleshooting > Disable Windows Firewall. The Task Description opens.
2. Below Actions, click the hyperlink to open the Take Action window. A list of the endpoints that are running the Windows Firewall appears under the Target tab.
3. Select all Applicable Computers and click OK. When prompted, type your private key password and click OK.
4. In the Action Summary window
FIGURE (ESP Console, Actions list): columns Time Issued, State, % Complete, Name; navigation groups Stopped Actions, Expired Actions, My Actions, All Actions, All Fixlet Actions, All Task Actions. Entries from 6/8/2009 and 6/9/2009 include Core Protection Module - Disable Automatic Updates - Server (Open, 100.00%, 1/1); Core Protection Module - Enable Automatic Updates - Server (Open, 100.00%, 1/1); Core Protection Module - Set ActiveUpdate Server Pattern Update Interval (Open, 0.00%, 0/1, two entries); Custom Action: Configure Active Update (Open, 100.00%, 1/1). Tabs: Fixlet Messages, Tasks, Baselines, Actions, Computers, Computer Groups, Analyses, Console Operators.

FIGURE (CPM Dashboard, Pattern Updates Wizard): Deployment > Update/Rollback Patterns > New Pattern Updates, with Pattern Update Settings, Automatic Update Tasks and Other Update Tasks below. Available Pattern Updates (Refresh) lists the pattern set 20090604_141051 with Rollback To and Deploy actions, showing the Spyware Active-monitoring Pattern, Virus Pattern, IntelliTrap Pattern, IntelliTrap Exception Pattern and Virus S
to 3 reapplications; Distribute over 5 minutes to reduce network load; Run all member actions of action group regardless of errors.
FIGURE 8-5. Choose Reapply this action so the Agent will monitor its IP address relative to the Location rules.
Click OK and then enter your password when prompted.
Repeat this procedure for the second configuration and Task: choose Scan BIG from the Global Settings Dashboard and use the Location name you used for the Germany subnet.

Chapter 9: Using the Client Console

This chapter includes information to help with using the Core Protection Module (CPM) client console that runs on end users' machines. Topics in this chapter include:
• Overview on page 9-2
• Accessing the Client Console on page 9-3
• Client Connection with CPM Server on page 9-4
• Manual Scans on page 9-4
• Testing the CPM Client Console on page 9-7
• Update Now on page 9-8

Overview

The CPM client provides security risk protection, reports events to the CPM server, and gets updates from it. A system tray icon for the client console informs the user of the current scan service status of CPM and gives access to the client console. Also, if enabled, the client console installation allows initiating a manual scan from Windows Explorer. You can perform the following tasks using the CPM client console:
to stop using their computer while the install occurs.
• Offer: Configure these options if you want the user to be able to choose whether or not the client is installed. A pop-up message will be displayed on the target endpoints. Requires that the client is enabled for offers.
5. When finished, type your private key password and click OK to initiate the action.
6. In the Action Summary window that opens, check the Status after a few minutes to confirm that the Action is Running and then Completed.
7. Close any open windows to return to the Dashboard view.

Pattern File and Engine Updates

It is important to keep your CPM clients current with the latest pattern and engine files from Trend Micro. The update process can be scheduled to occur automatically and is transparent: there is no need to remove the old pattern or install the new one.

Pattern Rollbacks

CPM supports pattern rollbacks, that is, swapping out the current pattern for a different one. Although seldom used, it is useful in case there is a problem with the pattern file, for example to address an issue of false positives. The default is to keep 15 patterns on the server for clients to roll back to if necessary, but you can set this number as high as 100: in the CPM Dashboard, click Configuration > ActiveUpdate Server Settings > Change ActiveUpdate Server Settings and scroll to the bottom of the screen.

Incremental Upd
toring Programs Incorrectly Detected as Spyware

CPM will keep up to 15 copies per client of the files it detects as spyware. If CPM incorrectly classified a program running on the endpoints as spyware, you can undo the action (that is, replace the file on the endpoint) by running the Restore Spyware/Grayware task. Before running the restore, be sure to add the program(s) in question to the Spyware White List so the mis-detection will not occur again.
Note: If the same program was detected on many different endpoints, or if you choose to restore many different programs at the same time, it may take a while for the restoration to finish on the targeted computers.

To restore files incorrectly detected as spyware:
1. In the CPM Dashboard, click Configuration > Spyware White List > New Spyware White List Task. The Spyware White List Wizard opens.
2. Select the snapshot(s) that contain the software you want to restore to the computers from which it was removed.
3. Click the Restore Selected Snapshots button. The Edit Task window opens.
4. Modify the default name in the Name field so that it clearly defines the purpose of this custom Task.
5. Edit the Description and Relevance tabs, if necessary, to reflect your goals.
6. Click OK and then enter your private key password when prompted. The Task Description window opens.
7. Below Actions, click the hyperlink to open the Take Action window.
8. In the Target
turn the corresponding Value instead.
FIGURE 8-1. Create one or more Location Properties to support site- or NIC-specific CPM configurations.

multiple subnets in the same location. Be careful not to overlap any IP addresses when specifying ranges. Computers included in multiple locations will constantly be updated as they re-evaluate and recognize their relevance to one location and then another.
Click Next and, if no valid IP/location pairs are displayed, click Next again.
Accept the defaults that are selected in the Extra Options window and click Finish. The Import Content window opens.
In the Import Content window, enable Open documents after creation, as shown in Figure 8-2. Do not miss this step: if you do, the location property will not be deployed to your endpoints and your locations will not be relevant for any of your Actions.

FIGURE 8-2 (Import Content dialog): Review each ESP object to import by clicking Edit or double-clicking in the list below. Actions will immediately be sent to clients and are targeted at all applicable computers by default. Open documents after creation (selected). Title / Type / Create in Site: Change Swenson's Location By Subnet Setting, Single Action, Master Operator Site; Swenson's Location By Subnet, New Property, Master Operator Site.
FIGURE 8-2. This option must be selected to deploy the location property you configured to the endpoints.
Cl
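The warning above about overlapping ranges is worth checking mechanically before the property is imported, because an endpoint that matches two Location Properties keeps re-evaluating and flips between them, and the Tasks targeted by location with it. The following is an added example, not Trend Micro code and not part of this guide: a pre-flight check that expands each location's address ranges, reports every overlapping pair of networks across locations, and shows which locations claim a given endpoint address. The location names, the ranges, and the accepted input syntax (start-end or CIDR) are assumptions made for this example.

```python
# Added example (not Trend Micro code): a pre-flight check for Location
# Property definitions. It expands each location's address ranges, reports
# any overlap between locations (which the guide warns causes endpoints to
# flip between locations on every re-evaluation) and shows which locations
# claim a given endpoint address. The location names, ranges and the
# "start-end or CIDR" input syntax are assumptions for this example.
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import Dict, List, Tuple


def ranges_to_networks(spec: List[str]):
    """Accept 'a.b.c.d-e.f.g.h' ranges or CIDR strings; return network objects."""
    nets = []
    for item in spec:
        if "-" in item:
            low, high = (ip_address(part.strip()) for part in item.split("-", 1))
            nets.extend(summarize_address_range(low, high))   # range -> minimal CIDR blocks
        else:
            nets.append(ip_network(item.strip(), strict=False))
    return nets


def find_overlaps(locations: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (location_a, location_b, net_a, net_b) for every pair of
    networks, in different locations, that share at least one address."""
    expanded = {name: ranges_to_networks(spec) for name, spec in locations.items()}
    names = sorted(expanded)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for net_a in expanded[a]:
                for net_b in expanded[b]:
                    if net_a.overlaps(net_b):
                        hits.append((a, b, str(net_a), str(net_b)))
    return hits


def locations_for(locations: Dict[str, List[str]], endpoint_ip: str) -> List[str]:
    """All locations whose ranges contain the address; more than one means
    the endpoint's location property is ambiguous and will keep changing."""
    ip = ip_address(endpoint_ip)
    return sorted(name for name, spec in locations.items()
                  if any(ip in net for net in ranges_to_networks(spec)))


# Constructed sample (not from the guide): "Lab" sits inside "Germany".
SAMPLE_LOCATIONS = {
    "Germany": ["10.20.0.0/16"],
    "Austin": ["10.30.1.1-10.30.1.254"],
    "Lab": ["10.20.5.0/24"],
}

if __name__ == "__main__":
    for a, b, net_a, net_b in find_overlaps(SAMPLE_LOCATIONS):
        print(f"overlap: {a} {net_a} and {b} {net_b}")
    print(locations_for(SAMPLE_LOCATIONS, "10.20.5.9"))   # ['Germany', 'Lab']
```

Treat any output from find_overlaps as a reason not to import the property yet: carve the overlapping block out of the wider location (here, exclude 10.20.5.0/24 from Germany) so that every endpoint address maps to exactly one location.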
FIGURE (ESP Console with the CPM Dashboard and the On-Demand Scan Settings Wizard): the Fixlet Messages list is grouped by source (Trend Micro Core Protection Module, Trend Micro Web Protection), with the Fixlet Messages, Tasks, Baselines, Actions, Computers, Computer Groups and Analyses tabs and a "Click here to close these windows" control. The Dashboard pane shows Overview, On-Demand Scan Settings, Real-Time Scan Settings, Global Settings, Spyware White List, Endpoint Pattern Updates, Server Configuration Settings, Custom Configuration and Pattern Updates. The On-Demand Scan Settings Wizard (Create Configuration Task; enable virus/malware scan; Scan Exclusion and Scan Action tabs) lists the file extensions included in the scan, among them DOC, DOT, EXE, HTM, JAR, JPEG, PHP, RAR, RTF, TAR, VBE and the Office 2007 formats DOCX, DOCM, DOTX, DOTM and PPSM.
umes are still valid, to gain various levels of control of a user's computer. Without adequate protection, rootkits are extremely hard to remove without reformatting the infected computer's hard drive.

IntelliTrap

Virus writers often attempt to circumvent virus filtering by using real-time compression algorithms. IntelliTrap helps reduce the risk of viruses/malware entering your network by blocking files that contain real-time compressed executable files.

Chapter 2: ESP Server Installing and Updating

Before beginning these procedures, you should have Trend Micro Endpoint Security Platform (ESP) installed, including the ESP Server, ESP Console, and ESP Agents. This chapter covers installing the Trend Micro Core Protection Module (CPM) server components on the ESP Server, updating the related files, and preparing endpoints to receive the ESP client. Topics include:
• Open the ESP Console on page 2-2
• Add the CPM Site to the ESP Server on page 2-2
• Install CPM Components on the ESP Server on page 2-4
• Install and Update CPM on the ESP Server on page 2-4
• Upgrading CPM from Version 1.0 to Version 1.6 on page 2-5
• Upgrading CPM from Version 1.5 to Version 1.6 on page 2-8
• Choose an Update Source and Proxy on page 2-9
• Prepare the ESP Server and Update the Pattern Files on page 2-11
• Activate CPM Analyses on page 2-22

Ope
...your private key password to initiate the Task. A status summary page appears when the Task is finished.
6. Close any open windows to return to the Dashboard view.

Upgrading CPM from Version 1.0 to Version 1.6
When new CPM site content is published on the BigFix host, it automatically becomes available in the ESP Console. You should upgrade the CPM server components to version 1.6 and then deploy the upgrade to your CPM clients. See About CPM Client Deployment on page 3-2 for important information about client update strategies. No concomitant upgrades to the ESP Server software are necessary.

Note: You may upgrade directly from CPM 1.0 to CPM 1.6. No intermediate upgrade to CPM 1.5 is necessary.

What Has Changed and Requires Action
The following CPM features are new or have changed and require action to ensure they remain synchronized with the upgrade:
• CPM clients: Run the Task Core Protection Module - Upgrade Client Components. See Deploy CPM Clients to the Endpoints on page 3-5 for details.

WARNING: After upgrading the CPM 1.6 server components, you need to upgrade your installed CPM client base from version 1.0 to 1.6 to ensure access to the latest pattern files. Pattern updates, even manual ones, cannot occur if the CPM server components have been upgraded to version 1.6 but the endpoints are running CPM client 1.0. Contact Support for a workaround if you
Save and close the file. Run the following program from a command prompt: Logserver.exe

To collect information by CDT:
1. Run the following program on the endpoint in question: %ProgramFiles%\Trend Micro\Core Protection Module\CDT\CaseDiagnosticTool.exe
2. Copy the output file from its location at C:\CDT_Data. The file name will be similar to CDT-20091003-030750.zip.
3. Send the compressed file to Trend Micro Technical Support.

Pattern Updates
There are a number of moving parts and components involved with the routine task of updating the pattern files.

CPM server components include:
• Proxy Settings
• TMCPMAuHelper.exe
• TrendMirrorScript.exe

CPM console components include:
• Pattern Update Wizard
• Pattern-set loading via Manifest.json

CPM client components include:
• BESClient.exe, for dynamic download requests for pattern sets
• TMCPMAuUpdater.exe, for request and application of pattern sets

General
The default ActiveUpdate server for pattern updates appears in the ESP Server registry:
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPMsrv\ServerUpdateSource\DefaultAUServer

The default ActiveUpdate server URL for CPM version 1.6:
http://cpm15-p.activeupdate.trendmicro.com/activeupdate

CPM server
Check that the server exists in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM server

CPM server
If the automatic update Task is successful, the CPM site will exist
...when you originally installed ESP.
e. Enter your Site Admin password. Be sure that you use the correct password and not your ESP console password. If you are unsure of which password to use, start the ESP Administration Tool. The password you use to start this tool is the same one you should enter here.
Note: Using an incorrect password results in an error and the script does not complete.
f. Click OK.

[Figure 2-5 residue: the CPM Automatic Update Setup dialog (Windows Internet Explorer) with the fields CPM Admin Username (cpm_admin), CPM Admin Password (trendmicro), CPM Admin Email Address (cpm_admin@mycompany), BES Site Admin Private Key (license.pvk) Location (C:\Documents and Setting... with a Browse button), BES Site Admin Private Key Password, and a Cancel button.]
FIGURE 2-5. Use the correct Site Admin password

Enabling Automatic Updates on the ESP Server
Running the Enable Automatic Updates - Server task enables automatic updates on the ESP server. If you do not enable automatic updates on the server, clients will not update automatically.

To enable automatic updates on the ESP server:
1. Logon to the ESP console.
2. Navigate to Dashboards > CPM Dashboards.
3. In the CPM Dashboard, click Updates > Automatic Update Tasks > Enable Automatic Updates - Server. The Task Description tab opens. See Figure 2-6.
4. Find the action to enable automatic updates on the server.
...proxy server.
• Server Name or IP: Use an IP address if you have not configured ESP Server to recognize host names.
• Port: Typically this is port 80 or 8080.
• User Name: Type a name with access rights to the proxy.
• Password: The password is encrypted when stored and transmitted.
4. Click the Create Server Configuration Action button. The Take Action window opens.
5. Select the ESP server and click OK. When prompted, type your private key credential. The Action Summary tab appears.
6. Check the Status after a few minutes to confirm that the Action is completed.
7. Close the window to return to the Dashboard view.

Prepare the ESP Server and Update the Pattern Files
This procedure requires running a script to prepare the ESP Server for recurring automatic pattern updates, which are then used for CPM client updates. Trend Micro recommends that you enable automatic pattern updates and that you use this script to do it.

Note: The file and folder paths mentioned in this section assume that you have installed the components of ESP and CPM in their standard locations. If you installed them in other locations, you must adjust the paths accordingly. The section also assumes you have a basic knowledge and understanding of ESP and ESP-related terminology. If you are not familiar with the product's overall architecture and/or terminology, review the Endpoint Security Plat
...any open windows to return to the Dashboard view.

Running an On-Demand Scan
To run an On-Demand Scan:
1. Click Configuration > On-Demand Settings > scan name in the CPM Dashboard.
2. Under Actions, click the link to initiate the scan.
3. In the Take Action window, select the computers you want to target, typically by Properties, and then click OK. When prompted, type your private key password and click OK.
4. In the Action Summary window that opens, check the Status and Count after a few minutes to confirm that the Action is Running and then Completed.
5. Close any open windows to return to the Dashboard view.

Scheduling an On-Demand Scan (Automatic Scanning)
A scheduled scan will run automatically according to the schedule you set. Although it will appear in the CPM Dashboard along with any other On-Demand scans, you do not need to trigger it.

To schedule an On-Demand Scan:
1. Schedule an On-Demand scan by clicking Configuration > On-Demand Settings > scan name in the CPM Dashboard.
2. In the window that opens, under Actions, click the link to initiate the scan.
3. In the Take Action window, click the Execution tab. See Figure 4-6.
• Choose a Start date and, optionally, configure the days you want the scan to run in the Run only on field.
• Select Reapply this action while relevant, waiting 2 days between reapplications, choosing whatever time period suits you.
WA
[Figure 9-3 residue: the client console scan results. Summary counters: Spyware/Grayware detected: 3, Cleaned: 3; Last spyware/grayware found: Spyware_Test_File. Results table with columns Security Risk Type, Security Risk, Infected File/Object; rows include DCT_TESTFILE and Dialer_Test_File (Quarantined, Successful), X2KM_TEST_VIR (Cleaned, C:\Temp\Test_Virus\Test_V...), and a VBS test file (Cleaned, C:\Temp\...); Clear List and Information buttons.]

To learn more about a virus/malware, or to view manual cleaning instructions for malware that cannot be cleaned automatically, select the virus/malware and click Information.
FIGURE 9-3. Scan results

Scan result details display in the Summary section. Table 9-1 describes the buttons beside the scan results.

TABLE 9-2. Scan results buttons and usage

BUTTON       USAGE
Clear List   Click this button to remove the information in the table.
Information  To learn more about the security risk, click the security risk name and then click this button.
             Note: The next three buttons apply only to virus/malware scan results if the scan action configured by the CPM administrator is Pass. Pass means that CPM detected the file but did not take any action. CPM allows you to clean, delete, or rename the file.
Clean        CPM may not be able to automatically clean some files because the file may be encrypted in