Platform Support:

Architecture:

• x86 and x64

Additional Notes

• Trend Reporting.efxm and Trend Core Protection Module.efxm are required at minimum for CPM.
• Mac support is provided through a stand-alone masthead - Trend Core Protection Module for Mac.efxm - but does require the other mastheads in order to be usable.
• Common Firewall is also provided as a stand-alone masthead - Trend Common Firewall.efxm but requires the same basic mastheads for use.
• Common Firewall is only supported on Windows-based platforms. No CF for Mac.

 

Platform Support:

The Core Protection Module currently supports the following platforms:

Desktops

• Windows XP
  • Microsoft Windows XP Professional 32-bit Edition with Service Pack 1 or 2
  • Microsoft Windows XP Professional 64-bit Edition with Service Pack 1 or 2
• Windows Vista
  • Microsoft Windows Vista Business 32-bit Edition (with latest service pack)
  • Microsoft Windows Vista Enterprise 32-bit Edition (with latest service pack)
  • Microsoft Windows Vista Ultimate 32-bit Edition
  • Microsoft Windows Vista Business 64-bit Edition
  • Microsoft Windows Vista Enterprise 64-bit Edition
  • Microsoft Windows Vista Ultimate 64-bit Edition
• Windows 7
  • Microsoft Windows 7 32-bit Edition
  • Microsoft Windows 7 64-bit Edition
• Mac OS X
  • Mac OS™ X version 10.4.11 (Tiger) or higher
  • Mac OS™ X version 10.5.5 (Leopard) or higher
  • Mac OS™ X version 10.6 (Snow Leopard)

Servers

• Windows 2003 R2
  • Microsoft Windows Server 2003 R2 32-bit Edition with or without Service Pack 1 or 2
  • Microsoft Windows Server 2003 R2 64-bit Edition with or without Service Pack 1 or 2
• Windows 2003
  • Microsoft Windows Server 2003 32-bit Edition with or without Service Pack 1 or 2
  • Microsoft Windows Server 2003 64-bit Edition with or without Service Pack 1 or 2
  • Microsoft Windows Server 2003 64-bit Edition with or without Service Pack 1 or 2
  • Microsoft Windows Storage Server 2003 32-bit Edition
  • Microsoft Windows Storage Server 2003 64-bit Edition
  • Microsoft Windows 2003 Web Edition, 32-bit Edition with or without Service Pack 1 or 2
  • Microsoft Windows 2003 Web Edition, 64-bit Edition with or without Service Pack 1 or 2
  • Microsoft Cluster Server 2003 64-bit Edition

Windows 2008

• Microsoft Windows Server 2008 32-bit Edition
• Microsoft Windows Server 2008 64-bit Edition
• Microsoft Windows Server 2008 R2 32-bit Edition
• Microsoft Windows Server 2008 R2 64-bit Edition

 

CPM Dashboard Terms

• What is Intellitrap?
  
  Intellitrap works by monitoring the Internet Explorer and MS Outlook's temp folder and detects malwares (packed malwares) that uses real-time compression algorithms to evade detection.
• What is ActiveAction?
  
  ActiveAction are predefined actions for different types of malwares detected e.g. for cleanable virus, such as macros, it will have clean first action and quarantine second action. These are predefined in the virus signatures and changes from time to time depending on the viruses.
• What is the 'assessment mode' checkbox in Global Settings Wizard?
  
  When in assessment mode, spyware/grayware detections will not be cleaned but logged. This mode enables you to evaluate whether commonly detected spyware/grayware is legitimate and acceptable to your organization. You may then add acceptable items to the spyware/grayware approved list.

 

Scanning from CPM Dashboard

On Demand scans are user initiated scans or a scheduled scan and can be initiated using the "New On-Demand Settings Task Wizard".

To configure a Scan select Create Scan Task from New On-Demand Settings Task Wizard, create the Task, and Save. Open the new Task under On-Demand Settings: Run On-Demand Scan [Core Protection Module] and deploy as a Policy configuring runtime frequency in the Execution Tab without an expiration date. Other options can also be configured in the Task such as Target, Users, Messages, etc.

To configure a Task to configure settings, use Create Configuration Task from the Wizard, create a new Task, Save the Task, and then open this newly created Task under On-Demand Settings: Configure Default On-Demand Scan Settings [Core Protection Module] to deploy as a Policy and specify such options as Target, Execution, Messages, etc.

 

Scan settings should be similar to the following:
• CPU Usage: If scanning during work hours, might have to set to low or medium so that system can still be usable with less performance impact. Otherwise High is preferred for faster scan.
• frequency: most likely one a week during off work hours so user's work are not affected.
• Virus and Spyware scanning enabled
• Scan files Created/modified and retrieved
• Scan files by Intelliscan
• Scan compressed file 2 layers
• Enable Intellitrap
• Exclude CPM folder from scanning and other large files such as database and MS Outlook PST files, etc. and files that are frequently accessed and not prone to virus infections such as log or text files. Refer also to MS site: http://support.microsoft.com/kb/822158 for more recommended files/folders for exclusions.
• For Scan Action for Virus/Malware, select Use same Action for all types of Malware. First Action: Clean, Second Action: Quarantine or Delete.
• Scan Action for Spyware, Select Clean

Real-time scan protects the system in real-time and is constantly running and detecting real-time activities.

Real-time scans run constantly and do not need to be deployed like an On-Demand Scan however settings be configured using "New Real-Time Settings Task" and can be configured like other BES Tasks for Target, Execution, Messages, etc.

• Virus and Spyware scanning enabled
• Scan files Created/modified and retrieved
• Scan files by Intelliscan
• Scan compressed file 2 layers
• Enable Intellitrap
• Exclude CPM folder from scanning and other large files such as database and MS Outlook PST files, etc. and files that are frequently accessed and not prone to virus infections such as log or text files. Refer also to MS site: http://support.microsoft.com/kb/822158 for more recommended files/folders for exclusions.
• For Scan Action for Virus/Malware, select Use same Action for all types of Malware. First Action: Clean, Second Action: Quarantine or Delete.
• Scan Action for Spyware, Select Clean

1. What is the best settings/policy for on-demand scan?
2. What is the best settings/policy for real-time scans? How should this be setup and used?

 

Recommended Scan-Exclusion List

Database and encrypted type files should generally be excluded from scanning to avoid performance and functionality issues. Below are exclusions to consider depending on the type of machine you are installing the OfficeScan client on.

General Exclusions for all Windows platforms



Pagefile.sys

• .pst
• %systemroot%\System32\Spool (replace %systemroot% with actual directory
• %systemroot%\SoftwareDistribution\Datastore (replace %systemroot% with actual directory
• %allusersprofile%\NTUser.pol
• %Systemroot%\system32\GroupPolicy\registry.pol

Microsoft Active Directory Domain Controller

• <drive>: \ WINNT \ SYSVOL
• <drive>: \ WINNT \ NTDS
• <drive>: \ WINNT \ ntfrs
• <drive>: \ WINNT \ system32 \ dhcp
• <drive>: \ WINNT \ system32 \ dns>

Microsoft IIS Server: Web Server log files should be excluded from scanning. By default.

• <drive>: \ WINNT \ system32 \ LogFiles
• <drive>: \ WINNT \ system32 \ IIS Temporary Compressed Files

Domino Data Directory: The data directory is used to store Domino email messages. Repeated scanning of this folder while it is being updated with new messages is not an efficient way to scan locally stored email. Use virus scanning applications like ScanMail for Domino to handle email viruses. By default, the Domino data directory for a non-partitioned installation:

• <drive>: \ Lotus \ Domino \ Data.

Cisco CallManager

• Drive:\Program Files\Call Manager
• Drive:\Program Files\Call Manager Serviceability
• Drive:\Program Files\Call Manager Attendant

Microsoft SQL Server: Because scanning may hinder performance, large databases should not be scanned. Since Microsoft SQL Server databases are dynamic, exclude the directory and backup folders from the scan list. If it is necessary to scan database files, a scheduled task can be created to scan them during off-peak hours.

• <drive>: \ Program Files \ Microsoft SQL Server \ MSSQL \ Data
• <drive: \ WINNT \ Cluster (if using SQL Clustering)
• Q:\ (if using SQL Clustering)

Cluster Servers

• Q:\ (Quorum drive)
• C:\Windows\Cluster

Microsoft Sharepoint Portal Server

• <drive>: \ Program Files \ SharePoint Portal Server
• <drive>: \ Program Files \ Common Files \ Microsoft Shared \ Web Storage System
• <drive>: \ Windows \ Temp \ Frontpagetempdir
• M:\

Microsoft Systems Management Server (SMS)

• SMS \ Inboxes \ SMS_Executive Thread Name
• SMS_CCM \ ServiceData

Microsoft Operations Manager Server (MOM)

Microsoft Operations Manager

• <drive>: \ Documents and Settings \ All Users \ Application Data \ Microsoft \
• <drive>: \ Program Files \ Microsoft Operations Manager 2005

Microsoft Internet Security and Acceleration Server (ISA)

• <drive>: \ Program Files \ Microsoft ISA Server \ ISALogs
• <drive>: \ Program Files \ Microsoft SQL Server \ MSSQL$MSFW \ Data

Microsoft Windows System Update Server (WSUS)

• <drive>: \ WSUS
• <drive:> \ WsusDatabase

VMWare Other file extension types that should be added to the exclusion list include large flat and designed files, such as VMWare disk partition. Scanning VMWare partitions while attempting to access them can affect session loading performance and the ability interact with the virtual machine. Exclusions can be configured for the directory(ies) that contain the Virtual Machines, or by excluding *.vmdk and *.vmem files. Microsoft Exchange Server Exclude the directory or partition where MS Exchange stores its mailbox. Use virus scanning applications like ScanMail for Exchange to handle email viruses. Installable File System (IFS) drive M must also be excluded to prevent the corruption of the Exchange Information Store. Exchange 5.5

• <drive>: \ EXCHSRVR \ IMCData
• <drive>: \ EXCHSRVR \ MDBData

Exchange 2000

• <drive>: \ EXCHSRVR \ MDBData
• <drive>: \ EXCHSRVR \ MTAData
• <drive>: \ EXCHSRVR \ Mailroot
• <drive>: \ EXCHSRVR \ SrsData
• <drive>: \ WINNT \ system32 \ InetSrv

Exchange 2003

• <drive>: \ EXCHSRVR \ MDBData
• <drive>: \ EXCHSRVR \ MTAData
• <drive>: \ EXCHSRVR \ Mailroot
• <drive>: \ EXCHSRVR \ SrsData
• <drive>: \ WINNT \ system32 \ InetSrv
• <drive>: \ EXCHSRVR \ MdbDataUtility

Exchange 2007 See http://technet.microsoft.com/en-us/library/bb332342.aspx exclusions required for the various Exchange 2007 roles Mapped Drives / Shared Folders This option is best disabled. If it is enabled, it may create unnecessary network traffic when the end users access remote paths or mapped network drives. It can severely impact the user’s experience. Consider disabling this function if all workstations have OfficeScan client installed, and updated to the latest virus signature.



Volume Shadow Copies Backup process takes longer to finish when real-time scan is enabled. There are also instances when real-time scan detects an infected file in the volume shadow copy but cannot enforce the scan action because volume shadow copies have read-only access. It is also advisable to apply the latest Microsoft patches for the Volume Shadow Copies service: http://support.microsoft.com/kb/833167



Other Trend Micro Products Make sure the check box for Exclude from scanning the directories where Trend Micro products are installed is enabled in OfficeScan’s Exclusion List settings.



Additional References:

• Microsoft Operating Systems: http://support.microsoft.com/kb/822158/
• Microsoft SQL Server: http://support.microsoft.com/kb/309422
• Microsoft Exchange 2003: http://support.microsoft.com/kb/823166
• Microsoft Exchange 2000 : http://support.microsoft.com/kb/328841
• Microsoft Exchange 2000/2003 : http://support.microsoft.com/kb/245822
• Microsoft Exchange 2007 : http://technet.microsoft.com/en-us/library/bb332342.aspx
• Microsoft Sharepoint Portal Server : http://support.microsoft.com/kb/320111
• Microsoft Systems Management Server : http://support.microsoft.com/kb/327453
• Microsoft IIS : http://support.microsoft.com/kb/817442
• Domain Controllers: http://support.microsoft.com/kb/822158/en-us

 

CPM Agent Information

To ensure the installation process was completed properly, please check the following verification list.

• Trend Micro Core Protection Module Adapter Server
• OfficeScan NT Listener
• OfficeScan NT RealTime Scan

x86 system:

• HKLM\SOFTWARE\TrendMicro\CPMli>
• HKLM\SOFTWARE\TrendMicro\NSC
• HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp
• HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Trend Micro Core Protection Module

x64 system:

• HKLM\SOFTWARE\Wow6432Node\TrendMicro\CPM
• HKLM\SOFTWARE\Wow6432Node\TrendMicro\NSC
• HKLM\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp
• HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Trend Micro Core Protection Module

• %ProgramFiles%\Trend Micro\Core Protection Module\
• %ProgramFiles%\Trend Micro\OfficeScan Client\

x86 system:

• HKLM\SOFTWARE\TrendMicro\PCcillinNTCorp\CurrentVersion\Misc\ProgramVer

x64 system:

• HKLM\SOFTWARE\Wow6432Node\TrendMicro\PCcillinNTCorp\CurrentVersion\Misc\ProgramVer

1. The following services are created and running:
2. The following registry keys exist:
3. The following folders exist:
4. The following registry key is set to corresponding program version of CPM package (ex.1.0):

CPM Agent Logging

To enable debug logging for the CPM client:

[debug]

Debuglog=c:\ofcdebug.log

Debuglevel=9

Debuglevel_new=D

 

1. Create a file ofcdebug.ini with the following content in C:\Program Files\Trend Micro\OfficeScan Client\
2. Run Logserver.exe from C:\Program Files\Trend Micro\OfficeScan Client.

Additional logging can be found:

C:\Program Files\Trend Micro\Core Protection Module\Bin\AU_Data\AU_Log