Platform Support:
Architecture:
Additional Notes
- Trend Reporting.efxm and Trend Core Protection Module.efxm are required at minimum for CPM.
- Mac support is provided through a stand-alone masthead, Trend Core Protection Module for Mac.efxm, but it still requires the other mastheads in order to be usable.
- Common Firewall is also provided as a stand-alone masthead, Trend Common Firewall.efxm, but requires the same basic mastheads.
- Common Firewall is only supported on Windows-based platforms; there is no Common Firewall for Mac.
Platform Support:
The Core Protection Module currently supports the following platforms:
Desktops
- Windows XP
- Microsoft Windows XP Professional 32-bit Edition with Service Pack 1 or 2
- Microsoft Windows XP Professional 64-bit Edition with Service Pack 1 or 2
- Windows Vista
- Microsoft Windows Vista Business 32-bit Edition (with latest service pack)
- Microsoft Windows Vista Enterprise 32-bit Edition (with latest service pack)
- Microsoft Windows Vista Ultimate 32-bit Edition
- Microsoft Windows Vista Business 64-bit Edition
- Microsoft Windows Vista Enterprise 64-bit Edition
- Microsoft Windows Vista Ultimate 64-bit Edition
- Windows 7
- Microsoft Windows 7 32-bit Edition
- Microsoft Windows 7 64-bit Edition
- Mac OS X
- Mac OS™ X version 10.4.11 (Tiger) or higher
- Mac OS™ X version 10.5.5 (Leopard) or higher
- Mac OS™ X version 10.6 (Snow Leopard)
Servers
- Windows 2003 R2
- Microsoft Windows Server 2003 R2 32-bit Edition with or without Service Pack 1 or 2
- Microsoft Windows Server 2003 R2 64-bit Edition with or without Service Pack 1 or 2
- Windows 2003
- Microsoft Windows Server 2003 32-bit Edition with or without Service Pack 1 or 2
- Microsoft Windows Server 2003 64-bit Edition with or without Service Pack 1 or 2
- Microsoft Windows Storage Server 2003 32-bit Edition
- Microsoft Windows Storage Server 2003 64-bit Edition
- Microsoft Windows 2003 Web Edition, 32-bit Edition with or without Service Pack 1 or 2
- Microsoft Windows 2003 Web Edition, 64-bit Edition with or without Service Pack 1 or 2
- Microsoft Cluster Server 2003 64-bit Edition
- Windows 2008
- Microsoft Windows Server 2008 32-bit Edition
- Microsoft Windows Server 2008 64-bit Edition
- Microsoft Windows Server 2008 R2 64-bit Edition (Windows Server 2008 R2 is 64-bit only; there is no 32-bit edition)
CPM Dashboard Terms
- What is IntelliTrap?
IntelliTrap monitors the Internet Explorer and MS Outlook temporary folders and detects packed malware, i.e. malware that uses real-time compression (packers) to evade signature-based detection.
- What is ActiveAction?
ActiveAction is a set of predefined actions for each type of malware detected. For a cleanable virus such as a macro virus, for example, the first action is Clean and the second action is Quarantine. These actions are defined in the virus pattern and change from time to time as new threats appear.
- What is the 'assessment mode' checkbox in the Global Settings Wizard?
In assessment mode, spyware/grayware detections are logged but not cleaned. This lets you evaluate whether commonly detected spyware/grayware is legitimate and acceptable to your organization; acceptable items can then be added to the spyware/grayware approved list. While assessment mode is on, detected spyware/grayware stays on the endpoint, so use it for a bounded evaluation period rather than leaving it enabled.
Scanning from CPM Dashboard
On-Demand scans are user-initiated or scheduled scans and are set up with the "New On-Demand Settings Task Wizard".
To configure a scan, select Create Scan Task in the New On-Demand Settings Task Wizard, create the Task, and Save. Open the new Task under On-Demand Settings: Run On-Demand Scan [Core Protection Module] and deploy it as a Policy, configuring the run frequency in the Execution tab without an expiration date. Other options such as Target, Users and Messages can also be configured in the Task.
To configure default scan settings, use Create Configuration Task in the same wizard, create a new Task, Save it, and then open the newly created Task under On-Demand Settings: Configure Default On-Demand Scan Settings [Core Protection Module] to deploy it as a Policy, specifying options such as Target, Execution and Messages.
Scan settings should be similar to the following:
- CPU Usage: if scanning during work hours, set to Low or Medium so the system stays usable with less performance impact; otherwise High is preferred for a faster scan.
- Frequency: typically once a week during off-work hours so that users' work is not affected.
- Virus and Spyware scanning enabled
- Scan files Created/modified and retrieved
- Scan files by IntelliScan
- Scan compressed files, 2 layers
- Enable IntelliTrap
- Exclude the CPM folder from scanning, as well as large files such as databases and MS Outlook PST files, and files that are frequently accessed but not prone to infection such as log or text files. See also the Microsoft recommendations for files/folders to exclude: http://support.microsoft.com/kb/822158
- Scan Action for Virus/Malware: select "Use the same action for all types of malware", First Action: Clean, Second Action: Quarantine or Delete (Quarantine keeps a copy of the file for later analysis; Delete does not).
- Scan Action for Spyware: select Clean
Real-time scan runs constantly, inspecting files as they are created, modified or retrieved, and so protects the system continuously.
Real-time scan does not need to be deployed like an On-Demand Scan; its settings are configured with a "New Real-Time Settings Task", which can be targeted and scheduled like any other BES Task (Target, Execution, Messages, etc.). Recommended settings:
- Virus and Spyware scanning enabled
- Scan files Created/modified and retrieved
- Scan files by IntelliScan
- Scan compressed files, 2 layers
- Enable IntelliTrap
- Exclude the CPM folder from scanning, as well as large files such as databases and MS Outlook PST files, and files that are frequently accessed but not prone to infection such as log or text files. See also the Microsoft recommendations for files/folders to exclude: http://support.microsoft.com/kb/822158
- Scan Action for Virus/Malware: select "Use the same action for all types of malware", First Action: Clean, Second Action: Quarantine or Delete (Quarantine keeps a copy of the file for later analysis; Delete does not).
- Scan Action for Spyware: select Clean
- What are the best settings/policy for on-demand scans? The on-demand settings listed above, deployed as a Policy with a weekly off-hours execution schedule and no expiration date.
- What are the best settings/policy for real-time scans, and how should they be set up and used? The real-time settings listed above, deployed once through a "New Real-Time Settings Task"; real-time scan then runs continuously and needs no schedule.
Recommended Scan-Exclusion List
Database and encrypted files should generally be excluded from scanning to avoid performance and functionality issues. Below are exclusions to consider depending on the type of machine you are installing the OfficeScan client on. Every exclusion is a permanent blind spot for the scanner, and writable excluded directories (spool, temp and log folders) are exactly where malware likes to stage files, so keep each entry as narrow as possible (a specific directory or extension rather than a drive root), deploy only the entries for roles actually installed on the machine, and where feasible cover excluded paths with an off-peak scheduled scan.
General Exclusions for all Windows platforms
- Pagefile.sys
- *.pst
- %systemroot%\System32\Spool (replace %systemroot% with the actual directory)
- %systemroot%\SoftwareDistribution\Datastore (replace %systemroot% with the actual directory)
- %allusersprofile%\NTUser.pol
- %systemroot%\system32\GroupPolicy\registry.pol
Microsoft Active Directory Domain Controller
- <drive>:\WINNT\SYSVOL
- <drive>:\WINNT\NTDS
- <drive>:\WINNT\ntfrs
- <drive>:\WINNT\system32\dhcp
- <drive>:\WINNT\system32\dns
Microsoft IIS Server: Web server log files should be excluded from scanning. By default they are in:
- <drive>:\WINNT\system32\LogFiles
- <drive>:\WINNT\system32\IIS Temporary Compressed Files
Domino Data Directory: The data directory is used to store Domino email messages. Repeatedly scanning this folder while it is being updated with new messages is not an efficient way to scan locally stored email; use a mail-scanning application such as ScanMail for Domino to handle email viruses. By default, the Domino data directory for a non-partitioned installation is:
- <drive>:\Lotus\Domino\Data
Cisco CallManager
- Drive:\Program Files\Call Manager
- Drive:\Program Files\Call Manager Serviceability
- Drive:\Program Files\Call Manager Attendant
Microsoft SQL Server: Because scanning may hinder performance, large databases should not be scanned. Since Microsoft SQL Server databases are dynamic, exclude the data directory and backup folders from the scan list. If it is necessary to scan database files, a scheduled task can be created to scan them during off-peak hours.
- <drive>:\Program Files\Microsoft SQL Server\MSSQL\Data
- <drive>:\WINNT\Cluster (if using SQL Clustering)
- Q:\ (if using SQL Clustering)
Cluster Servers
- Q:\ (Quorum drive)
- C:\Windows\Cluster
Microsoft SharePoint Portal Server
- <drive>:\Program Files\SharePoint Portal Server
- <drive>:\Program Files\Common Files\Microsoft Shared\Web Storage System
- <drive>:\Windows\Temp\Frontpagetempdir
- M:\
Microsoft Systems Management Server (SMS)
- SMS\Inboxes\<SMS_Executive thread name>
- SMS_CCM\ServiceData
Microsoft Operations Manager Server (MOM)
- <drive>:\Documents and Settings\All Users\Application Data\Microsoft\
- <drive>:\Program Files\Microsoft Operations Manager 2005
Microsoft Internet Security and Acceleration Server (ISA)
- <drive>:\Program Files\Microsoft ISA Server\ISALogs
- <drive>:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Data
Microsoft Windows Server Update Services (WSUS)
- <drive>:\WSUS
- <drive>:\WsusDatabase
VMware: Other file types that should be added to the exclusion list include large flat files such as VMware virtual disks. Scanning VMware disk files while the virtual machine is accessing them slows session loading and the ability to interact with the virtual machine. Exclusions can be configured for the directory(ies) that contain the virtual machines, or by excluding *.vmdk and *.vmem files.
Microsoft Exchange Server: Exclude the directory or partition where Exchange stores its mailbox databases, and use a mail-scanning application such as ScanMail for Exchange to handle email viruses. The Installable File System (IFS) drive M: must also be excluded to prevent corruption of the Exchange Information Store.
Exchange 5.5
- <drive>:\EXCHSRVR\IMCData
- <drive>:\EXCHSRVR\MDBData
Exchange 2000
- <drive>:\EXCHSRVR\MDBData
- <drive>:\EXCHSRVR\MTAData
- <drive>:\EXCHSRVR\Mailroot
- <drive>:\EXCHSRVR\SrsData
- <drive>:\WINNT\system32\InetSrv
Exchange 2003
- <drive>:\EXCHSRVR\MDBData
- <drive>:\EXCHSRVR\MTAData
- <drive>:\EXCHSRVR\Mailroot
- <drive>:\EXCHSRVR\SrsData
- <drive>:\WINNT\system32\InetSrv
- <drive>:\EXCHSRVR\MdbDataUtility
Exchange 2007: See http://technet.microsoft.com/en-us/library/bb332342.aspx for the exclusions required by the various Exchange 2007 roles.
Mapped Drives / Shared Folders: This option is best disabled. If it is enabled, it may create unnecessary network traffic when end users access remote paths or mapped network drives and can severely impact the user's experience. Consider disabling it if all workstations have the OfficeScan client installed and updated to the latest virus signature.
Volume Shadow Copies: The backup process takes longer to finish when real-time scan is enabled. There are also cases where real-time scan detects an infected file in a volume shadow copy but cannot enforce the scan action, because volume shadow copies are read-only. It is also advisable to apply the latest Microsoft patches for the Volume Shadow Copy service: http://support.microsoft.com/kb/833167
Other Trend Micro Products: Make sure the check box "Exclude from scanning the directories where Trend Micro products are installed" is enabled in OfficeScan's Exclusion List settings.
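The exclusion entries above use placeholders (<drive>, %systemroot%) and Windows 2000-era WINNT paths, and an entry that does not resolve to a real path on the target either excludes nothing or, worse, excludes a whole drive. The following PowerShell script is an added example, not code from this page or from Trend Micro: it resolves each placeholder on the local host, maps WINNT to the host's %SystemRoot%, checks whether the resulting path exists, and flags drive-root exclusions. The system drive standing in for <drive> and the $rawExclusions list (a constructed subset of the entries above) are assumptions; extend the list with the entries for the roles you actually run.

```powershell
# Added example, not code from the page or from Trend Micro.
# Resolves the placeholders used in the exclusion list above on the local host,
# checks whether each path exists here, and flags exclusions that cover a whole drive.
# Assumptions: the system drive stands in for <drive>; WINNT paths are mapped to this
# host's %SystemRoot%; $rawExclusions is a constructed subset of the page's entries.

$rawExclusions = @(
    '<drive>:\Program Files\Microsoft SQL Server\MSSQL\Data',
    '%systemroot%\System32\Spool',
    '%systemroot%\SoftwareDistribution\Datastore',
    '%allusersprofile%\NTUser.pol',
    '<drive>:\WINNT\SYSVOL',
    '<drive>:\WINNT\system32\LogFiles',
    'Q:\',
    'M:\',
    'Pagefile.sys',
    '*.vmdk'
)

$sysDrive = $env:SystemDrive.TrimEnd(':')

function Resolve-Exclusion([string]$entry) {
    $p = $entry -replace '^<drive>', $sysDrive
    # %systemroot%, %allusersprofile% etc. come from this host's environment
    $p = [Environment]::ExpandEnvironmentVariables($p)
    # The page writes WINNT paths (Windows 2000 naming); on 2003/2008 the directory
    # is %SystemRoot% (normally C:\Windows), and a WINNT exclusion would match nothing
    $p = $p -replace '^[A-Za-z]:\\WINNT\\', ($env:SystemRoot + '\')
    return $p
}

function Test-Exclusion([string]$entry) {
    $resolved    = Resolve-Exclusion $entry
    $isDriveRoot = $resolved -match '^[A-Za-z]:\\?$'
    # Entries with no drive or separator (Pagefile.sys) or with wildcards (*.vmdk)
    # are name/extension patterns that apply to every directory, not a single path
    $isPattern   = ($resolved -match '[\*\?]') -or ($resolved -notmatch '[\\:]')
    $exists      = $false
    if (-not $isPattern) { $exists = Test-Path -LiteralPath $resolved }

    $note = ''
    if ($isDriveRoot)     { $note = 'WHOLE DRIVE unscanned: confirm the role really needs it' }
    elseif ($isPattern)   { $note = 'global name/extension pattern' }
    elseif (-not $exists) { $note = 'not present on this host: do not deploy here' }

    New-Object PSObject -Property @{
        Entry = $entry; Resolved = $resolved; Exists = $exists; Note = $note
    }
}

# Print the resolved list; deploy only entries that exist or are intended patterns
$rawExclusions | ForEach-Object { Test-Exclusion $_ } |
    Format-Table Resolved, Exists, Note -AutoSize
```

Run it on a representative machine of each role before building the exclusion Task; the "not present" rows are candidates to drop from that role's list, and each "WHOLE DRIVE" row (the Q: quorum and M: IFS drives above) should be justified by the role that needs it.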
Additional References:
CPM Agent Information
To ensure the installation completed properly, check the following verification list.
- The following services are created and running:
  - Trend Micro Core Protection Module Adapter Server
  - OfficeScan NT Listener
  - OfficeScan NT RealTime Scan
- The following registry keys exist:
  x86 system:
  - HKLM\SOFTWARE\TrendMicro\CPM
  - HKLM\SOFTWARE\TrendMicro\NSC
  - HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp
  - HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Trend Micro Core Protection Module
  x64 system:
  - HKLM\SOFTWARE\Wow6432Node\TrendMicro\CPM
  - HKLM\SOFTWARE\Wow6432Node\TrendMicro\NSC
  - HKLM\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp
  - HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Trend Micro Core Protection Module (the event log key is not under Wow6432Node)
- The following folders exist:
  - %ProgramFiles%\Trend Micro\Core Protection Module\
  - %ProgramFiles%\Trend Micro\OfficeScan Client\
- The following registry value is set to the program version of the CPM package (e.g. 1.0):
  x86 system:
  - HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc\ProgramVer
  x64 system:
  - HKLM\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc\ProgramVer
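The checklist above as an added PowerShell example (not code from this page or from Trend Micro): it checks each item on an endpoint and prints PASS or FAIL per item, selecting the x86 or Wow6432Node registry paths for the host. The expected ProgramVer (default 1.0, the page's own example value) is an assumed parameter; the service names, keys and folders are those listed above.

```powershell
# Added example, not code from the page or from Trend Micro: checks a CPM endpoint
# against the verification list above and reports PASS/FAIL per item.
# Run from an elevated, native (64-bit on x64) PowerShell prompt on the endpoint.
# Assumption: $ExpectedVersion is the ProgramVer of the CPM package you deployed.
param([string]$ExpectedVersion = "1.0")

$is64   = ([IntPtr]::Size -eq 8) -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)
$swBase = if ($is64) { "HKLM:\SOFTWARE\Wow6432Node\TrendMicro" } else { "HKLM:\SOFTWARE\TrendMicro" }

$checks = @()

# 1. Services created and running (matched by display name or service name)
foreach ($name in "Trend Micro Core Protection Module Adapter Server",
                  "OfficeScan NT Listener",
                  "OfficeScan NT RealTime Scan") {
    $svc = Get-Service | Where-Object { $_.DisplayName -eq $name -or $_.Name -eq $name }
    $ok  = ($svc -ne $null) -and ($svc.Status -eq "Running")
    $checks += New-Object PSObject -Property @{ Item = "Service running: $name"; Pass = $ok }
}

# 2. Registry keys exist (event log key is never under Wow6432Node)
foreach ($key in "$swBase\CPM", "$swBase\NSC", "$swBase\PC-cillinNTCorp",
                 "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Trend Micro Core Protection Module") {
    $checks += New-Object PSObject -Property @{ Item = "Registry key: $key"; Pass = (Test-Path $key) }
}

# 3. Install folders exist
foreach ($dir in "$env:ProgramFiles\Trend Micro\Core Protection Module",
                 "$env:ProgramFiles\Trend Micro\OfficeScan Client") {
    $checks += New-Object PSObject -Property @{ Item = "Folder: $dir"; Pass = (Test-Path $dir -PathType Container) }
}

# 4. ProgramVer matches the deployed package (key path as given in the checklist)
$verKey = "$swBase\PC-cillinNTCorp\CurrentVersion\Misc"
$ver = $null
if (Test-Path $verKey) {
    $ver = (Get-ItemProperty -Path $verKey -Name ProgramVer -ErrorAction SilentlyContinue).ProgramVer
}
$checks += New-Object PSObject -Property @{
    Item = "ProgramVer = $ExpectedVersion (found: $ver)"; Pass = ($ver -eq $ExpectedVersion)
}

# Report, and exit with the number of failed checks so a BES action can act on it
$checks | ForEach-Object { "{0,-4} {1}" -f $(if ($_.Pass) { "PASS" } else { "FAIL" }), $_.Item }
$failed = @($checks | Where-Object { -not $_.Pass }).Count
exit $failed
```

A non-zero exit code means at least one item failed; a missing service or folder with the registry keys present usually points at an interrupted install, while a wrong ProgramVer means an older client was left behind by the deployment.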
CPM Agent Logging
To enable debug logging for the CPM client:
- Create a file named ofcdebug.ini in C:\Program Files\Trend Micro\OfficeScan Client\ with the following content:
[debug]
Debuglog=c:\ofcdebug.log
Debuglevel=9
Debuglevel_new=D
- Run LogServer.exe from C:\Program Files\Trend Micro\OfficeScan Client.
Debug level 9 is verbose and the log grows quickly, so enable it only for the duration of the troubleshooting.
Additional logging (the ActiveUpdate component's logs) can be found in:
C:\Program Files\Trend Micro\Core Protection Module\Bin\AU_Data\AU_Log
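The logging procedure above as an added PowerShell example (not code from this page or from Trend Micro): it writes the ofcdebug.ini shown above, starts LogServer.exe, confirms the log is being written, and lists the newest ActiveUpdate log files. The client directory defaults to the one in the folder checklist (override with -ClientDir), and the -Disable path, which stops LogServer.exe and deletes the ini, is an assumption of the author of this example; the page does not describe how to turn debug logging off.

```powershell
# Added example, not code from the page or from Trend Micro.
# Writes the ofcdebug.ini shown above, starts LogServer.exe and shows the tail of the
# log; -Disable reverses it. Run from an elevated PowerShell prompt on the endpoint.
# Assumptions: the client directory is the one in the folder checklist above (override
# with -ClientDir), and stopping LogServer.exe plus deleting the ini is enough to turn
# the debug log off again (the page does not describe the disable step).
param(
    [string]$ClientDir = "$env:ProgramFiles\Trend Micro\OfficeScan Client",
    [string]$LogPath   = "C:\ofcdebug.log",
    [switch]$Disable
)

$ini       = Join-Path $ClientDir 'ofcdebug.ini'
$logServer = Join-Path $ClientDir 'LogServer.exe'

if ($Disable) {
    Get-Process -Name LogServer -ErrorAction SilentlyContinue | Stop-Process -Force
    Remove-Item -LiteralPath $ini -ErrorAction SilentlyContinue
    Write-Output "Debug logging disabled; $LogPath left in place for analysis"
    return
}

if (-not (Test-Path -LiteralPath $logServer)) {
    throw "LogServer.exe not found in $ClientDir; pass -ClientDir with the real install path"
}

# Same four lines as the ofcdebug.ini above, with CRLF endings for a Windows INI file
$content = "[debug]`r`nDebuglog=$LogPath`r`nDebuglevel=9`r`nDebuglevel_new=D`r`n"
[System.IO.File]::WriteAllText($ini, $content, [System.Text.Encoding]::ASCII)

Start-Process -FilePath $logServer -WorkingDirectory $ClientDir
Start-Sleep -Seconds 5

# Level 9 is very verbose: check the log is growing, then disable it when finished
if (Test-Path -LiteralPath $LogPath) {
    $size = (Get-Item -LiteralPath $LogPath).Length
    Write-Output "$LogPath is $size bytes; last lines:"
    Get-Content -LiteralPath $LogPath | Select-Object -Last 20
} else {
    Write-Warning "No $LogPath yet; confirm the OfficeScan services are running"
}

# ActiveUpdate (pattern download) logs, as listed above, for update-related problems
$auLog = "$env:ProgramFiles\Trend Micro\Core Protection Module\Bin\AU_Data\AU_Log"
if (Test-Path -LiteralPath $auLog) {
    Get-ChildItem -LiteralPath $auLog | Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 Name, LastWriteTime
}
```

Reproduce the problem while LogServer.exe is running, then run the script again with -Disable; the debug log sits on the system drive, so leaving level 9 enabled on a busy client can fill the disk.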