Core Protection for Virtual Machines 1

Comprehensive Threat Protection for Virtual Environments

Administrator’s Guide

Endpoint Security


Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at:

http://www.trendmicro.com/download

Trend Micro, Core Protection for Virtual Machines, and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright ©2010 Trend Micro Incorporated. All rights reserved.

Document Part No. OSEM14002/90119

Release Date: July 2010

Version: 1.0 SP1


The user documentation for Trend Micro Core Protection for Virtual Machines is intended to introduce the main features of the software and installation instructions for your production environment. You should read through it prior to installing or using the software.

Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro’s Web site.

Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp


Contents

Chapter 1: Introducing Trend Micro Core Protection for Virtual Machines
  What is Core Protection for Virtual Machines?
  Features and Benefits
    Security Risk Protection
    Centralized Management
    State-of-the-Art Virus Detection Technology
    Viewable Scanning Statistics
    Compatibility
  How Does Core Protection for Virtual Machines Work?
  Core Protection for Virtual Machines Architecture
    VirtualCenter Client
    VirtualCenter Server
    VirtualCenter Agent
    VirtualCenter Database
    VirtualCenter Web Service
    Core Protection for Virtual Machines Server
    CPVM Scanning Agent
    Real-Time Agent
    The Administration Web Console
  Real-time Scan Versus On-demand Scan (Scan Now)
  When Core Protection for Virtual Machines Finds a Virus
  Virus Logs
  Deploying Updates
  Core Protection for Virtual Machines Virus Detection Technology
    Pattern Matching
    Compressed Files
    OLE Layer Scan
    IntelliScan
    ActiveAction
      When to Select ActiveAction

Chapter 2: Getting Started with Core Protection for Virtual Machines
  Exploring the Web Console
  Summary Page
  Security Management
    Group Management
    VC Inventory
    Member Management
    Tasks
    Settings
    Install
    Logs
  Updates
  Logs
  Notifications
  Administration
    Console Password
    Proxy Settings
    Virtual Infrastructure Settings
    Compatible Products
    Product License

Chapter 3: Monitoring Core Protection for Virtual Machines
  Overview
  Viewing System Information
  Viewing Virtual Machine Status
  Viewing Scan Results
  Viewing Server Update Status

Chapter 4: Managing Core Protection for Virtual Machines
  Managing Groups
    Viewing Group Information
    Adding Groups
    Renaming a Group
    Deleting a Group
  Managing VC Inventory
  Managing Members
    Viewing Member Information
      Adding a Member to a Group
      Moving Members to Another Group
      Managing a Network Share
  Performing Scans
    Scan Now
    QuickScan
    Real-time Scan
    Scheduled Scan
    About Agents
      Real-time Agent
      CPVM Scanning Agent
    IntelliScan
      True File-type Detection
      File Extension Checking
    ActiveAction
    Scan Actions
    Initiating a QuickScan
      Performing a Scan Now
  Configuring Scan Settings
    Configuring QuickScan Settings
    Configuring Real-time Scan Settings
    Configuring Scheduled Scan Settings
    Configuring Scan Now Settings
  Enabling and Disabling the Scanning Agent
  Managing Agents
    Installing the Real-time Agent
    Installing the Scanning Agent
    Uninstalling Agents
  Upgrading Agents
  Viewing and Managing Logs
    Viewing Virus/Malware Logs
    Viewing the Spyware/Grayware Logs
    Manually Deleting Logs

Chapter 5: Updating Components
  Components
    Antivirus
    Anti-spyware
    Component Duplication
  Viewing an Update Summary
  Configuring Scheduled Server Updates
  Performing a Manual Server Update
  Specifying a Server Update Source
  Configuring Automatic Member Updates
  Performing Manual Member Updates
  Rolling Back Updates

Chapter 6: Viewing and Managing Logs
  Overview
    Component Update Logs
    Spyware/Grayware Logs
    Virus/Malware Logs
    Server Update Logs
    System Event Logs
    Log Deletion
  Viewing Security Risk Logs
  Viewing Member Logs
  Viewing Server Logs
  Configuring a Log Deletion Schedule
  Logged Actions
    Server Logs
    Actions Logged at the Scanning Agent
      Member System Event Logs
      Member Virus/Malware Logs
      Member Spyware/Grayware Logs
      Member Update Logs
    Actions Logged at the Real-time Agent
      Member System Event Logs
      Member Virus/Malware Logs
      Member Update Logs
  Using the Log Viewer

Chapter 7: Managing Notifications
  Configuring General Settings
  Configuring Standard Notifications
  Configuring System Notifications
  Token Variables

Chapter 8: Administering Core Protection for Virtual Machines
  Setting the Web Console Password
  Configuring Proxy Settings
  Configuring Virtual Infrastructure Settings
  Configuring Compatible Products
  Viewing and Updating Your Product License

Appendix A: VMware Virtual Center Integration
  Virtual Center Plug-in
  Virtual Center Reporting

Index


Preface

Welcome to the Trend Micro™ Core Protection for Virtual Machines Administrator’s Guide. This book contains information about product settings and service levels.

This preface discusses the following topics:

• Core Protection for Virtual Machines Documentation
• Audience
• Document Conventions


Core Protection for Virtual Machines Documentation

The Trend Micro Core Protection for Virtual Machines documentation consists of the following:

Installation Guide—Describes the system requirements and steps to install Core Protection for Virtual Machines.

Administrator’s Guide—Helps you plan for deployment, install and configure all product settings, and manage and administer the product.

Administrator Online Help—Helps you configure all features through the user interface. You can access the online help by opening the Web console and then clicking the help icon.

Readme File—Contains late-breaking product information that might not be found in the other documentation. Topics include a description of features, installation tips, known issues, and product release history.

The Core Protection for Virtual Machines documentation is available at: http://www.trendmicro.com/download

Audience

The Core Protection for Virtual Machines documentation is written for IT managers, IT security managers, and virtual infrastructure managers. The documentation assumes that the reader has an in-depth knowledge of virtualization technologies and networks, including details related to the following:

• Antivirus and content security protection
• Network concepts (such as IP address, Subnet Mask, LAN settings)
• Network devices and their administration
• Network configuration (such as the use of VLAN, SNMP)
• VMware V13


Document Conventions

To help you locate and interpret information easily, the Core Protection for Virtual Machines documentation uses the following conventions.

CONVENTION      DESCRIPTION
ALL CAPITALS    Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold            Menus and menu commands, command buttons, tabs, options, and Core Protection for Virtual Machines tasks
Italics         References to other documentation
Monospace       Examples, sample command lines, program code, Web URLs, file names, and program output
Note:           Configuration notes
Tip:            Recommendations
WARNING!        Reminders on actions or configurations that should be avoided


Chapter 1

Introducing Trend Micro Core Protection for Virtual Machines

This chapter introduces Trend Micro™ Core Protection for Virtual Machines™ (CPVM). The topics included in this chapter are:

• What is Core Protection for Virtual Machines?
• Features and Benefits
• How Does Core Protection for Virtual Machines Work?
• Core Protection for Virtual Machines Architecture
• Real-time Scan Versus On-demand Scan (Scan Now)
• When Core Protection for Virtual Machines Finds a Virus
• Virus Logs
• Deploying Updates
• Core Protection for Virtual Machines Virus Detection Technology


What is Core Protection for Virtual Machines?

Trend Micro™ Core Protection for Virtual Machines™ (CPVM) is the next generation of software for scanning and cleaning the files of both online and powered-off VMware Virtual Machines within VMware Virtual Infrastructure 3 or VMware vSphere 4.0. It is designed to protect the virtual infrastructure from viruses of any kind by adopting the most advanced virus-detecting technology to ensure that your virtual infrastructure stays virus-free. Core Protection for Virtual Machines detects new file infections, identifies viruses in existing files, and cleans or removes them from your virtual servers. It senses changes in your virtual infrastructure, including the provisioning of new Virtual Machines, and automatically provides protection for those new machines.

Core Protection for Virtual Machines enables network administrators to manage servers from a single administration Web-based console. The console enables the administrators to configure Virtual Machines in the same group simultaneously and to generate integrated virus incident reports from all of them.

By giving administrators a means to configure, monitor, and maintain antivirus efforts through the Core Protection for Virtual Machines Administrator Web console, Core Protection for Virtual Machines improves and simplifies the implementation of corporate virus policy.


Features and Benefits

To help IT professionals protect their Virtual Infrastructure with more flexibility, Core Protection for Virtual Machines provides the following main features and benefits:

Security Risk Protection

Core Protection for Virtual Machines protects your virtualized servers from viruses/malware and spyware/grayware.

The CPVM Scanning Agent and Real-Time Agent:

• Provide security risk protection.
• Report events to the CPVM server.
• Receive updates from the CPVM server.

The CPVM server hosts the Web console, downloads updates from an update source (such as the Trend Micro ActiveUpdate server), and initiates agent component updates.

Centralized Management

A Web-based management console gives administrators transparent access to all virtualized servers on the network. The Web console coordinates automatic deployment of security policies, pattern files, and software updates on the virtualized server. Core Protection for Virtual Machines also performs real-time monitoring, provides event notification, and delivers comprehensive reporting.

State-of-the-Art Virus Detection Technology

New configurable scanning tools like ActiveAction, IntelliScan, and OLE layer scan offer faster and more efficient scanning.

Viewable Scanning Statistics

Core Protection for Virtual Machines enables you to efficiently monitor your network antivirus security. It displays scanning statistics for viruses and spyware/grayware, including the total number of viruses found for the day and over the last seven days, the status of the infections, the total number of non-cleanable viruses, and more.


Compatibility

The server for Core Protection for Virtual Machines is fully compatible with:

• VMware Virtual Infrastructure 3 environment
• Microsoft Windows Server 2003 SP2 or later
• Microsoft Windows XP SP3 or later

The agent for Core Protection for Virtual Machines is fully compatible with:

• Microsoft Windows 2003
• Microsoft Windows XP
• Microsoft Windows Vista
• Microsoft Windows 2008
• Microsoft Windows 2008 R2

For detailed information about 32-bit operating system and 64-bit operating system compatibility, see the Trend Micro Core Protection for Virtual Machines Installation Guide.

How Does Core Protection for Virtual Machines Work?

Core Protection for Virtual Machines monitors all activity in your VMware virtual environment. Virtual Machines with Real-time Agents monitor file read/write activity and check for file infections. The Scanning Agent performs on-demand and scheduled scanning of target VMs for file infections.

If the Scanning Agent finds that a file is infected, it sends notification messages to pre-defined recipients and takes action on the virus according to the Core Protection for Virtual Machines configuration. The Core Protection for Virtual Machines activity log records all the activities of the system.

Core Protection for Virtual Machines lets you design personal scanning profiles, saving you from having to re-configure frequently needed settings. You can even assign multiple scanning options to a profile and use the profile for special circumstances, for example, scanning incoming files only.


Core Protection for Virtual Machines Architecture

The following diagram shows a typical deployment of Core Protection for Virtual Machines within VMware Virtual Infrastructure:

FIGURE 1-1. Core Protection for Virtual Machines Typical Deployment

Figure 1-1 shows a typical Core Protection for Virtual Machines deployment on top of VMware. The diagram shows active, scanning, and dormant VMs with the Real-Time Agent installed. The user has the option of installing the CPVM Scanning Agent on a VM or on a physical machine, as indicated in the figure by the machine enclosed by a dotted line on the left.


The VI infrastructure consists of VMware VirtualCenter, which is virtual infrastructure management software that centrally manages an enterprise’s virtual machines as a single, logical pool of resources. The heart of VirtualCenter is the VirtualCenter server, which collects and stores persistent data in a dedicated database that contains per-system and environmental information. Core Protection for Virtual Machines is deployed within VI infrastructure.

The major components of a Core Protection for Virtual Machines deployment include:

• VirtualCenter Client
• VirtualCenter Server
• VirtualCenter Agent
• VirtualCenter Database
• VirtualCenter Web service
• Core Protection for Virtual Machines Server
• CPVM Scanning Agent
• Real-Time Agent
• Administration Web console

VirtualCenter Client

The VirtualCenter Client is a user interface that runs locally on a Windows machine. The VirtualCenter Client runs on a machine with network access to the VirtualCenter server. This can be on the same machine as the VirtualCenter Server or on another machine with network access.

VirtualCenter Server

The VirtualCenter server is a service that acts as a central administrator for VMware servers connected on a network, directing actions on the virtual machines and the virtual machine hosts. VirtualCenter server provides the central working core of VirtualCenter. VirtualCenter server is deployed as a Windows service and runs continuously. It requires network access to all the hosts it manages and must be available for network access from any machine where the VirtualCenter client runs.


VirtualCenter Agent

The VirtualCenter Agent is installed on each managed host. It collects, communicates, and executes the actions received from the VirtualCenter server. It is installed automatically the first time any host is added to the VirtualCenter inventory.

VirtualCenter Database

The VirtualCenter database (SQL Server or Oracle) provides a persistent storage area for maintaining the status of each virtual machine, host, and user managed in the VirtualCenter environment. This can be local or remote from the VirtualCenter server machine.

VirtualCenter Web Service

The VirtualCenter Web service can optionally be installed with the VirtualCenter Server. It is a required programming interface for third-party applications that use the VMware SDK application programmer interface (API).

Core Protection for Virtual Machines Server

The CPVM Server is a service that acts as a central administrator for Scanning Agent virtual machines connected to the network. The CPVM server is deployed as a Windows service and runs continuously, directing actions on the CPVM virtual machines. It must have network access to the VirtualCenter server and all the Scanning Agent virtual machines that it manages. In addition, it must be available for network access from any machine where the Web-based Administration console runs.

CPVM Scanning Agent

The CPVM Scanning Agent is a service that runs on a host and scans dormant VMDK files or live VMs as specified by the schedule and policy that you set on the Core Protection for Virtual Machines Server. The schedule and the policies are pushed to each of the Scanning Agent Servers by the Core Protection for Virtual Machines Server. The Scanning Agent Server can only scan offline VMDK files that are visible to the host machine where it is running.


Real-Time Agent

An administrator can choose to install the Real-Time Agent on any VM or physical machine to provide real-time anti-malware protection. When installed, the Real-Time Agent service monitors all disk I/O and ensures that no disk writes result in possible malware. The Real-Time Agent also gets the latest signature updates from the Core Protection for Virtual Machines Server on the schedule defined by the administrator.

The Administration Web Console

The Core Protection for Virtual Machines Administration Web console runs on a Windows machine with network access to the Core Protection for Virtual Machines Server. This can be on the same machine as the VirtualCenter server or on another machine with network access. The Administration Web console allows you to view and manage Core Protection for Virtual Machines by configuring and running scans, configuring logs and notifications, and viewing a summary of activity.

Real-time Scan Versus On-demand Scan (Scan Now)

Core Protection for Virtual Machines features two powerful scan functions, Real-time Scan and Scan Now.

Real-time Scan runs continuously on a server and provides the maximum level of virus protection. All file I/O events on the server are monitored and infected files are prevented from being copied to or from the server. See Real-time Scan on page 4-16.

Scan Now is a manual virus scan (that is, it occurs immediately after being invoked). Use Scan Now to check a server that you suspect may have been exposed to a computer virus or about which you want immediate information. See Scan Now on page 4-15.

Tip: To ensure maximum protection, Trend Micro recommends using both Real-time Scan and Scan Now.


Real-time Scan and Scan Now benefits include:
• Redundant File Scan: If a file containing a virus is accidentally downloaded or copied, Real-time Scan will stop it. However, if for any reason Real-time Scan is disabled, Scan Now will still detect it.
• Efficient File Scan: By default, Real-time Scan is configured to scan files reliably, while minimizing the impact on system resources. See Scan Now on page 4-15.
• Effective and Flexible File Scan: Core Protection for Virtual Machines gives IT professionals effective and numerous scan configuration options to protect their networks based on their individual needs. See Scan Now on page 4-15.

When Core Protection for Virtual Machines Finds a Virus

Core Protection for Virtual Machines lets you configure the kind of action that the software takes on infected files. You can even choose different courses of action for different kinds of viruses.

There are five possible actions that Core Protection for Virtual Machines can take on an infected file:
• Bypass/Ignore: For a manual scan, Core Protection for Virtual Machines skips the file without taking any corrective action. However, detection of the virus is still recorded in the program’s log entries. For Real-time Scan, Core Protection for Virtual Machines treats the file as "deny-write," protecting it from duplication or modification. See Scan Actions on page 4-19 for more information.
• Delete: The infected file is deleted.
• Rename: The infected file extension is renamed to .vir. This prevents the file from being executed or opened. If a file of that name with the .vir extension already exists, the file will be renamed to .v01, .v02, and so on, until .v99.
• Quarantine: The infected file is moved to a folder of your choice. You can also change the file extension of the moved file to prevent it from being inadvertently opened or executed.
• Clean: Attempt to clean the virus code from the file. Since the cleaning process sometimes corrupts the file and makes it unusable, you can back up the file before cleaning.


All virus events and associated courses of action are recorded in the log file. See Scan Actions on page 4-19 for more information.

Note: If you select Clean as the virus action, you can specify a secondary action if the cleaning process is unsuccessful.

Note: On a 64-bit operating system, Core Protection for Virtual Machines detects both 32-bit viruses and 64-bit viruses.

Virus Logs

Core Protection for Virtual Machines (CPVM) provides comprehensive information about scanning, file updating, and deploying results from a single console. Furthermore, CPVM saves the information in a log file that can be retrieved or exported. For example, you can analyze the scanning statistics for virus scanning in your virtual infrastructure. These statistics include information such as scan start and times, machines scanned, detected virus and types, infected virtual servers. In addition, you can export the log information to a comma-separated value (CSV) file for further analysis.

Deploying Updates

Core Protection for Virtual Machines simplifies the maintenance of Trend Micro software and reduces the total cost of your virtual infrastructure’s antivirus security. See Configuring Scheduled Server Updates on page 5-8 and Configuring Automatic Member Updates on page 5-12.

Note: Trend Micro releases new versions of these update files on a regular basis.


Core Protection for Virtual Machines update features include:
• Unattended scheduled update: You can specify a schedule for updates and Core Protection for Virtual Machines will perform updates of all servers and members automatically based on the schedule.

• Centralized update deployment: You can deploy updates to servers in your virtual infrastructure from the Administration Web console.

• Proxy server compatibility: Core Protection for Virtual Machines works with the majority of existing proxy servers.

• Update activity logging: Core Protection for Virtual Machines records all update activity in a log file for future reference.

• Update Roll-back option: If you encounter a problem while deploying an update, you can roll back a deployed pattern and scan engine file to the previous version.

Core Protection for Virtual Machines Virus Detection Technology

Core Protection for Virtual Machines uses advanced virus detection technology. In this section, we feature the tools which support this state of the art technology and how IT professionals can benefit from it.

Pattern Matching

Using a process called "pattern matching," Core Protection for Virtual Machines draws on an extensive database of virus patterns to identify known virus signatures. Key areas of suspect files are examined for tell-tale strings of virus code and compared against tens of thousands of virus signatures that Trend Micro has on record.

For polymorphic or mutating viruses, the Core Protection for Virtual Machines scan engine permits suspicious files to execute in a protected area within which they are decrypted. Core Protection for Virtual Machines then scans the entire file, including the freshly decrypted code, and looks for strings of mutation-virus code.


If such a virus is found, Core Protection for Virtual Machines performs the virus action you previously specified. Core Protection for Virtual Machines virus actions include: clean (autoclean), delete, bypass (ignore), quarantine (move), or rename. Virus actions can be customized for both boot viruses and file viruses. See Performing Scans on page 4-15.

Note: It is important to keep the virus pattern file up to date. More than a thousand new viruses are created each year. Trend Micro makes it easy to update the pattern file by supporting scheduled updates. See Configuring Scheduled Server Updates starting on page 5-8 and Configuring Automatic Member Updates on page 5-12 for more information.

Compressed Files

Compressed file archives (that is, a single file composed of many separate compressed files) are often distributed via email and the Internet. Since some antivirus software is not able to scan these kinds of files, compressed file archives are sometimes used as a way to "smuggle" a virus into a protected network or computer.

Core Protection for Virtual Machines can scan files inside compressed archives. It can even scan compressed files that are composed of other compressed files, up to a maximum of five compression layers.


The Trend Micro scan engine used in Core Protection for Virtual Machines can detect viruses in files compressed using the following algorithms:
• PKZIP (.zip) & PKZIP_SFX (.exe)
• LHA (.lzh) & LHA_SFX (.exe)
• ARJ (.arj) & ARJ_SFX (.exe)
• CABINET (.cab)
• TAR
• GNU ZIP (.gz)
• RAR (.rar)
• PKLITE (.exe or .com)
• LZEXE (.exe)
• DIET (.com)
• UNIX PACKED (.z)
• UNIX COMPACKED (.z)
• UNIX LZW (.Z)
• UUENCODE
• BINHEX
• BASE64

Note: If a virus is found in an archive that uses another algorithm, the archive must first be decompressed in a temporary directory, then cleaned.

For compressed file configuration information, refer to Real-time Scan on page 4-16, and Scan Now on page 4-15.
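The five-layer limit described above matters when reading scan results: content nested deeper than the limit has not been inspected, so it should be reported as unscanned rather than clean. The following Python sketch is an added illustration, not Trend Micro's scan engine; it handles ZIP only, and the marker string, size cap and function names are assumptions made for the example.

```python
import io
import zipfile
from typing import List, NamedTuple

MAX_LAYERS = 5                        # compression-layer limit stated in the guide
MAX_MEMBER_BYTES = 8 * 1024 * 1024    # assumed per-member size cap (example value)
MARKER = b"CONSTRUCTED-TEST-PATTERN"  # constructed stand-in for a virus pattern


class Finding(NamedTuple):
    path: str
    layer: int
    verdict: str


def scan(data: bytes, path: str = "input", layer: int = 0,
         max_layers: int = MAX_LAYERS) -> List[Finding]:
    """Scan a blob, descending into nested ZIP archives up to max_layers."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        verdict = "infected" if MARKER in data else "clean"
        return [Finding(path, layer, verdict)]

    if layer >= max_layers:
        # Opening this archive would exceed the layer limit: report it as
        # not inspected instead of silently treating it as clean.
        return [Finding(path, layer, "unscanned: layer limit reached")]

    findings: List[Finding] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                member = f"{path}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    # Guard against decompression bombs.
                    findings.append(
                        Finding(member, layer + 1, "unscanned: member too large"))
                    continue
                findings.extend(
                    scan(archive.read(info), member, layer + 1, max_layers))
    except (zipfile.BadZipFile, RuntimeError):
        # Corrupt or password-protected archives cannot be inspected either.
        findings.append(Finding(path, layer, "unscanned: archive unreadable"))
    return findings


def summarize(findings: List[Finding]) -> str:
    """Collapse findings into one result; 'incomplete' must never read as clean."""
    if any(f.verdict == "infected" for f in findings):
        return "infected"
    if any(f.verdict.startswith("unscanned") for f in findings):
        return "incomplete"
    return "clean"


def nest(payload: bytes, name: str, layers: int) -> bytes:
    """Build constructed test input: payload wrapped in `layers` ZIP archives."""
    data, inner = payload, name
    for depth in range(1, layers + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
            archive.writestr(inner, data)
        data, inner = buf.getvalue(), f"layer{depth}.zip"
    return data


if __name__ == "__main__":
    for layers in (1, 5, 6):
        result = scan(nest(MARKER, "sample.bin", layers))
        print(layers, "layers ->", summarize(result))
        for finding in result:
            print("   ", finding)
```

An "incomplete" result is the case to route to manual review or a stricter policy, since nothing inside the innermost archive was examined.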


OLE Layer Scan

Microsoft™ Object Linking and Embedding (OLE) allows embedding Microsoft Office™ files. This means that you could have a Microsoft Word document inside an Excel sheet, and in turn this Excel sheet could be embedded in a Microsoft PowerPoint presentation.

OLE offers a large number of benefits to developers, but at the same time it can lead to potential infection. To address this issue, Core Protection for Virtual Machines includes the OLE Layer Scan feature, which complements state-of-the-art Core Protection for Virtual Machines virus protection. See Scan Now on page 4-15.

Tip: OLE layer scan offers five layers of protection. Trend Micro recommends a setting of 2 OLE layers for Scan Now and a setting of 1 for Real-time Scan. A lower setting will improve server performance.

IntelliScan

IntelliScan identifies which files to scan in a way that is both more secure and more efficient than the standard "scan all files" option.

For executable files, such as .exe, the true file type is determined from the file content. In the event that a file is not executable (for example, .txt), IntelliScan will use the file header to verify the true file type. See Scan Now on page 4-15.

The following are just a couple of the benefits IntelliScan offers to administrators:
• Performance optimization: Server system resources allotted to scan will be minimal, thus using IntelliScan will not interfere with other crucial applications running on the server.

• Time saving: Since IntelliScan uses true file type identification, IntelliScan scan time is significantly less than that of all files scan (this means that only files with a greater risk of being infected are scanned). This time difference is noticeable when you use IntelliScan with Scan Now. See Scan Now on page 4-15.
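True file type identification, as described above, can be illustrated by checking a file's leading bytes against well-known format signatures and comparing the result with its extension. This Python example is added here and is not IntelliScan's actual logic; the signature table, the extension map and the scan/skip rule are assumptions, and the sample headers are constructed.

```python
import os
from typing import List, NamedTuple, Tuple

# Well-known leading-byte signatures ("magic numbers") for a few formats.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy Office files
    (b"Rar!\x1a\x07", "rar-archive"),
    (b"PK\x03\x04", "zip-container"),   # .zip and modern Office files
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"\x1f\x8b", "gzip"),
    (b"MZ", "pe-executable"),           # Windows .exe / .dll
]

# Content types each extension is expected to carry (assumed policy table).
# An empty set means "no binary format expected", as for plain text.
EXPECTED_BY_EXT = {
    ".exe": {"pe-executable"}, ".dll": {"pe-executable"},
    ".zip": {"zip-container"}, ".docx": {"zip-container"},
    ".doc": {"ole-compound"}, ".xls": {"ole-compound"},
    ".pdf": {"pdf"}, ".gz": {"gzip"}, ".rar": {"rar-archive"},
    ".txt": set(), ".log": set(), ".csv": set(),
}


class Decision(NamedTuple):
    name: str
    true_type: str
    scan: bool       # content is a format that can carry malware
    mismatch: bool   # content contradicts the extension


def identify(header: bytes) -> str:
    """Return the format name for the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unknown"


def decide(name: str, header: bytes) -> Decision:
    """Decide from content, not from the extension, whether to scan a file."""
    kind = identify(header)
    expected = EXPECTED_BY_EXT.get(os.path.splitext(name)[1].lower())
    mismatch = (kind != "unknown" and expected is not None
                and kind not in expected)
    return Decision(name, kind, scan=(kind != "unknown"), mismatch=mismatch)


def read_header(path: str, length: int = 8) -> bytes:
    """Read only the first bytes of a file on disk; enough for identify()."""
    with open(path, "rb") as handle:
        return handle.read(length)


def select(files: List[Tuple[str, bytes]]) -> List[Decision]:
    """Return decisions for the files that should be scanned."""
    return [d for d in (decide(n, h) for n, h in files) if d.scan]


# Constructed sample input: (file name, first bytes of the file).
SAMPLES = [
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("readme.txt", b"Release notes for build 7\n"),
    ("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00"),          # executable named .txt
    ("report.docx", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy format, new name
    ("backup.bin", b"PK\x03\x04\x14\x00\x00\x00"),
]

if __name__ == "__main__":
    for decision in select(SAMPLES):
        flag = "  <-- extension does not match content" if decision.mismatch else ""
        print(f"{decision.name:12} {decision.true_type}{flag}")
```

The plain-text readme.txt is skipped, while notes.txt is selected and flagged because its content is a Windows executable despite the extension.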


ActiveAction

ActiveAction is a set of pre-configured scan actions that can be performed on viruses and other types of malware. ActiveAction can be configured for both Scan Now and Real-time Scan.

When to Select ActiveAction

Trend Micro recommends that you select ActiveAction if you are not familiar with virus actions or if you are unsure of which scan action is the most suitable for a certain virus.

Viruses vary significantly from one another; this requires appropriate virus actions for each virus type. Customizing scan actions for file viruses requires knowledge of viruses and can be a tedious task. For this reason, Trend Micro recommends the use of ActiveAction.

Some advantages of using ActiveAction versus customized scan actions are:
• Time saving: You spend no time customizing virus actions.
• Worry-free maintenance: ActiveAction uses Trend Micro recommended scan actions so you can concentrate on other tasks and not worry about making mistakes.
• Updateable scan actions: Trend Micro includes new ActiveAction scan actions with every new pattern. Viruses constantly change how they attack, thus scan actions should be frequently modified to prevent possible infection.


Chapter 2

Getting Started with Core Protection for Virtual Machines

This chapter describes how to get started using Trend Micro Core Protection for Virtual Machines.

Topics in this chapter include:
• Exploring the Web Console on page 2-2
• Summary Page on page 2-5
• Security Management on page 2-5
• Updates on page 2-12
• Logs on page 2-13
• Notifications on page 2-14
• Administration on page 2-15


Exploring the Web Console

The Core Protection for Virtual Machines Administrator Web console allows you to monitor ongoing activity, configure and run scans, update components, view logs, generate notifications, and administer Core Protection for Virtual Machines. To access the Administrator Web console, you must have a Trend Micro Core Protection for Virtual Machines Administrator account.

To start the Web console:

1. Open your Web browser and navigate to the Web console using one of the following:
• Local access: If you are accessing the Web console from the same machine where Core Protection for Virtual Machines resides, double-click on the Core Protection for Virtual Machines Console icon created at the time of installation, or from a Web browser enter the following:
https://<hostname>/WebUI/login.aspx
• Remote access: If you have configured the Core Protection for Virtual Machines machine for network access, enter either of the following, where <hostname> is the hostname and <ip_address> is the IP address of the Core Protection for Virtual Machines machine:
https://<hostname>/WebUI/login.aspx
https://<ip_address>/WebUI/login.aspx

You can also click on the CPVM Console desktop icon to open the browser to the CPVM logon window.


2. On the Logon page, enter your password and click Logon.

FIGURE 2-1. Administrator Web console Logon page


The Web browser opens the Summary page, where you can view the current Core Protection for Virtual Machines status.

FIGURE 2-2. Viewing the Core Protection for Virtual Machines Summary

For details on the Summary page, see Monitoring Core Protection for Virtual Machines starting on page 3-1.

Using the Administrator Web console, you can:
• View a summary of Core Protection for Virtual Machines activity and status
• Manage Security
• Update components
• Generate and view logs
• Configure notifications
• Perform administrator tasks


To view the pages for performing these tasks, use the main Core Protection for Virtual Machines menu in the left pane of the browser window.

Summary Page

The Summary page appears when you open the Core Protection for Virtual Machines Web console or click Summary in the main menu. This page provides system information and a summary of the current status of your virtual machines, scan results, and component updates. For more on the Summary page, see Monitoring Core Protection for Virtual Machines starting on page 3-1.

Security Management

The Security Management page provides a central page to:
• Manage the groups and members in your virtual installation
• Manage VC inventory
• Configure and perform scans
• Install/uninstall CPVM Scanning Agents and Real-Time Agents
• Configure logs
• Sync from VC directly

Group Management

Groups allow you to organize the members in your environment. When you create a group, it will be added to the Current Groups list in the right pane of the Security Management page. After you create a group you can add members or move members into the group. The Group Management page allows you to:
• Create and view group information
• Add members to and remove members from groups
• Rename groups
• Delete groups


The following figure shows the Group Management page:

FIGURE 2-3. Group Management page

For more on Group Management, see Monitoring Core Protection for Virtual Machines starting on page 3-1.

VC Inventory

The VirtualCenter inventory provides a single point for viewing members and related information, moving machines among groups, and managing licenses. The VC Inventory page displays information about all the Virtual Machines, the host that they belong to, and licensing information. You can use this page to move members between existing groups.


The following shows the VC Inventory page:

FIGURE 2-4. VC Inventory page

For more on managing VirtualCenter inventory, see Monitoring Core Protection for Virtual Machines starting on page 3-1.

Member Management

Members are virtual machines in your Core Protection for Virtual Machines environment. Adding members to groups helps you to logically manage your security tasks. Actions you can take on group members include:
• Add members
• Move members between groups
• Add and remove network shares


The following figure shows the Member Management page:

FIGURE 2-5. Member Management page

Tasks

The Tasks menu allows you to run scans at any time. These include:
• QuickScan Now
• Scan Now

For information on configuring the scans, along with configuring Real-Time Scans and Scheduled Scans, see Managing Core Protection for Virtual Machines starting on page 4-1.


Settings

The Settings menu allows you to configure the settings for Core Protection for Virtual Machines (CPVM) scans. CPVM provides a number of options for scanning members in a group. You can perform a full scan at any time, or perform a limited scan of the disk based on information from the Windows Registry. You can also configure a Real-time Scan or a Scheduled Scan.

Scan actions you can take on groups or individual members include:
• QuickScan Settings
• Real-time Scan Settings
• Scheduled Scan Settings
• Scan Now Settings
• Enable or disable Scanning Agent

The following figure shows the Target tab of the Scan Now Settings page:

FIGURE 2-6. Scan Now Settings page


For details, see Performing Scans on page 4-15.

Install

You can install the Real-time Agent on any given member to provide real-time anti-malware protection. When installed, the Real-time Agent service will monitor all disk I/O and ensure that no disk writes result in possible malware. The Real-time Agent gets the latest signature updates from the CPVM Server on a schedule defined by the administrator.

The Scanning Agent is a service that runs on a host and scans dormant VMs or live Virtual Machines as specified by the schedule and policy set on the Core Protection for Virtual Machines Server. The schedule and the policies are pushed to each of the Scanning Agent Servers by the CPVM Server.

Logs

Logs help you analyze your infrastructure protection, troubleshoot, and manage security risks in your network. Additional log options are available on the Logs page. Log configuration actions include:
• Configure the Virus/Malware Log Criteria
• Configure the Spyware/Grayware Log Criteria
• Delete Logs


The following figure shows the Spyware/Grayware Log Criteria page:

FIGURE 2-7. Spyware/Grayware Log Criteria window

For details, see Performing Scans on page 4-15. Additional log options are available on the Logs page.


Updates

You can configure Core Protection for Virtual Machines to update server or members automatically or manually update them at any time. You should configure Core Protection for Virtual Machines to regularly check the update server and automatically download any available updates. Using scheduled updates ensures that components are current. You can also roll back component updates. Available actions include:
• View an Update Summary
• Configure the Server Update Schedule
• Update the Server Manually
• Configure the Server Update Source
• Update Members Automatically
• Update Members Manually
• Roll Back Components

The following figure shows the Automatic Updates for Members page:

FIGURE 2-8. Automatic Updates for Members page

For details, see Performing Scans on page 4-15.


Logs

Logs help you analyze your infrastructure protection, troubleshoot, and manage security risks in your network. Core Protection for Virtual Machines provides options for managing and viewing logs. Logs you can configure and view include:
• Virus/malware
• Spyware/grayware
• Member update
• Server
• System events

The following shows a system event log.

FIGURE 2-9. System Event log

For details, see Viewing and Managing Logs on page 6-1.


Notifications

You can configure Core Protection for Virtual Machines to alert an administrator when virus/malware or spyware/grayware is detected or a system event occurs. Core Protection for Virtual Machines enables you to configure the specific events that will trigger a notification and to whom the notifications will be sent. You can configure Core Protection for Virtual Machines to send notifications through email and SNMP traps.

FIGURE 2-10. Configure General Settings page

For details, see Managing Notifications on page 7-1.


Administration

The Administration pages allow you to perform Core Protection for Virtual Machines administration tasks, including:
• Set the console password
• Configure proxy settings
• Configure virtualization infrastructure settings
• Configure compatible products
• View and update your product license

Console Password

On the Console Password page you can reset your password for logging onto the Administrator Web console.

FIGURE 2-11. Console Password page

For details, see Setting the Web Console Password on page 8-2.


Proxy Settings

You can connect Core Protection for Virtual Machines to a proxy server. If you want to use a proxy server for public connections, see Configuring Proxy Settings on page 8-4.

FIGURE 2-12. Proxy Settings page


Virtual Infrastructure Settings

From the Virtual Infrastructure Settings page, you can:
• Configure the information required to connect to the Virtual Center.
• Register or unregister the Virtual Center plug-in.
• Specify time intervals to automatically sync with Virtual Center.

FIGURE 2-13. Virtual Infrastructure Settings page

For more information, see Configuring Virtual Infrastructure Settings on page 8-5.


Compatible Products

Using the Compatible Products page, you can define the products you want to allow to operate in your Core Protection for Virtual Machines environment and the products that Core Protection for Virtual Machines will keep updated. Products that you can configure are:
• Trend Micro OfficeScan
• Trend Micro ServerProtect

FIGURE 2-14. Compatible Products page

For information on configuring compatible products settings, see Configuring Compatible Products on page 8-6.


Product License

The Product License page displays the current status of your Core Protection for Virtual Machines product license and allows you to update your product license when necessary. For more information, see Viewing and Updating Your Product License on page 8-8.


Chapter 3

Monitoring Core Protection for Virtual Machines

This chapter describes how to monitor Core Protection for Virtual Machines status using the Summary page. Topics in this chapter:
• Overview on page 3-2
• Viewing System Information on page 3-3
• Viewing Virtual Machine Status on page 3-3
• Viewing Scan Results on page 3-4
• Viewing Server Update Status on page 3-4


Overview

The Summary page provides current information on Core Protection for Virtual Machines activity and status. The Summary page shows:
• System information
• Status of virtual machines
• Current scan results
• Server update status

To open the Summary page:

• From the main Core Protection for Virtual Machines menu, click Summary.

FIGURE 3-1. Viewing the Core Protection for Virtual Machines Summary


Viewing System Information

The System Information area shows the status and details of the Core Protection for Virtual Machines system. The following information is provided:
• Product Version: The version of the Core Protection for Virtual Machines software installed on your server
• Platform: The hardware platform of your Core Protection for Virtual Machines Server
• OS: The operating system installed on your Core Protection for Virtual Machines Server

For information on updating your Core Protection for Virtual Machines software, see Updating Components starting on page 5-1.

Viewing Virtual Machine Status

The Virtual Machine Status area shows the current status of the components in your Core Protection for Virtual Machines installation.
• PoweredOn Virtual Machines
• PoweredOff Virtual Machines
• Real-Time Agents
• CPVM Scanning Agents
• Virtual Machines Scanned
• Virtual Machines Infected/Cleaned

Viewing Scan Results

The Scan Results For area displays a summary of the scan results for the day and the total for the week. The number of viruses and spyware/grayware detected for the day is displayed in the right corner of the Scan results for title bar.

To view scan results:

• Select Scan results for > Virus or Scan Results for > Spyware/Grayware.

Scan results for today and the last seven days are displayed. This includes the numbers that are:
• Uncleanable
• Quarantined
• Deleted
• Passed
• Cleaned
• Renamed

Viewing Server Update Status

The Server Update Status area shows the status of each component in your installation for the following:
• Antivirus
• Anti-spyware

To view update status details:

1. From the main Core Protection for Virtual Machines menu, click Summary.

FIGURE 3-2. Viewing a Component Update Summary

2. Click in front of the Member Component name to expand the display.

The list expands to show the current version, latest version, and last update for any of the following:
• Antivirus
  • Virus Pattern
  • Virus Scan Engine (32-bit)
  • Virus Scan Engine (64-bit)
• Anti-spyware
  • Spyware Pattern
  • Spyware Scan Engine (32-bit)
  • Spyware Scan Engine (64-bit)

3. To perform updates of all the components for the server, click Update Now.

For information on updating the Core Protection for Virtual Machines components, see Updating Components starting on page 5-1.

Chapter 4

Managing Core Protection for Virtual Machines

This chapter describes how to manage Core Protection for Virtual Machines.

Topics in this chapter include:
• Managing Groups
• Managing VC Inventory
• Managing Members
• Performing Scans
• Configuring Scan Settings
• Enabling and Disabling the Scanning Agent
• Managing Agents
• Viewing and Managing Logs

Managing Groups

Groups allow you to organize the members in your virtual infrastructure. Actions you can take on groups include:
• View group information
• Add groups
• Rename groups
• Delete groups

Viewing Group Information

The Security Management page allows you to view group information, such as the number of members and an overview of component updates and scans.

To view group information:

• From the main Core Protection for Virtual Machines menu, click Security Management.

FIGURE 4-1. View group information

The list in the right pane provides the following information for each group:
• Groups: The current groups on your site.
• Members: The number of members in the group.
• Scanning Agents: The number of Scanning Agents in the group.
• Real-Time Agents: The number of Real-Time Agents in the group.
• Last Scheduled Security Scan: The last time a Scheduled Scan was run on the group members.

Adding Groups

When you add a group, it will be added to the Current Groups list in the right pane of the Security Management page. After you create a group you can add members or move members into the group.

To add a group:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. From the Manage Security Groups drop-down list, select Add Group.

FIGURE 4-2. Add Group window

3. In the Add Group window, enter a name in the Group name text box and click Add.

You can now add members to the group. For instructions on how to add members, see Adding a Member to a Group on page 4-10.

Renaming a Group

To rename a group:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. In the Current Groups list, select the group to rename.

3. Click Manage Security Groups and select Rename Group from the drop-down list to open the Rename Group window.

FIGURE 4-3. Rename Group window

4. In the Rename Group window, enter the new name in the Rename the selected group to text box and click Save.

Deleting a Group

To delete a group:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. In the Current Groups list, select the groups to delete.

3. From the Manage Security Groups drop-down list, select Delete Group.

FIGURE 4-4. Delete Group window

4. In the dialog box, click Delete.

Managing VC Inventory

The VirtualCenter inventory provides a single point for viewing members and related information, moving machines among groups, and managing licenses.

Note: Individual VMDK files on a network share will not be shown in the VC inventory list, but the network share will be shown.

To manage VC inventory:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Click VC Inventory.

The VC Inventory window displays a list of members in your site, along with the group, host, and license status.

FIGURE 4-5. VC Inventory window

Note: Do not move members between groups while a scan is in progress. Before you move a member, be sure a scan, including a scheduled scan, is not in progress.

3. Select the members you want to move and click Move.

4. In the Move selected member(s) to drop-down list, select the group where you want to move the members.

FIGURE 4-6. Move Members box

5. To apply the settings of the group to the members, select Apply settings of new group to selected members.

Managing Members

Members are virtual machines or network shares in your Core Protection for Virtual Machines environment. Adding members to groups helps you to logically manage your security tasks. Actions you can take on group members include:
• View Member information
• Add members
• Move members
• Search for a member
• Add network share
• Remove network share

Viewing Member Information

The Security Management page allows you to view member information, such as power status and scan results, in each group.

To view member information:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Click in front of Security Groups in the left pane to view the current groups.

3. Click on the group whose member information you want to view.

FIGURE 4-7. View Member information

The list in the right pane provides the following information for each member in the selected group:
• Category
• Power Status
• Scan Status
• Scan Results
• IP Address

Adding a Member to a Group

Virtual machine inventory is obtained directly from the VirtualCenter, but if you want to set up a physical machine to perform the scanning function, you must explicitly add it as a member. When you add the physical machine as a member, the Scanning Agent will automatically be installed on that machine.

Note: Physical Scanning Agent (SA) members are allowed only in the default group. If you add or move a physical SA to any other group, it will be moved back to the default group.

Note: When you uninstall the Scanning Agent from the physical machine using Install->Uninstall Agent, the member will automatically be removed from the list of members.

To add a member:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Click in front of Security Groups in the left pane to display the current groups.

3. In the Security Groups pane, click on the group to which you want to add a member.

4. Click Member Management and select Add Member from the drop-down list to open the Add Physical SA dialog box.

FIGURE 4-8. Add Physical SA window

5. In the IP/Hostname text box, enter the IP address or host name of the new member.

6. Click Add.

Moving Members to Another Group

Members are virtual machines in your Core Protection for Virtual Machines environment. Members can be moved from one group to another to help you logically manage your security tasks. When new virtual machines are sensed by CPVM, they are initially placed under the default security group and automatically assigned the default policy for scanning. These can then be moved to other groups to apply a different group security policy.

Note: Do not move members between groups while a scan is in progress. Before you move a member, be sure a scan, including a scheduled scan, is not in progress. Otherwise, there could be a problem syncing with the CPVM server.

To move a member:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Click in front of Security Groups in the left pane to display the current groups.

3. In the Security Groups pane, click on the group that includes the member you want to move.

4. In the Members list, select the members to move.

5. Click Member Management and select Move Member from the drop-down list to open the Move Member(s) window.

FIGURE 4-9. Move Member(s) window

6. In the Move selected members to drop-down box, select the group where you want to move the member.

7. Click Move.

Managing a Network Share

Core Protection for Virtual Machines allows you to scan VMDK files that are not in the VirtualCenter inventory but are located on a network share. You add a network share by specifying a network path as a root folder, which can contain one or more subfolders that hold VMDK files.

When you add a network share that stores multiple VMDK files, all of the VMDK files share the same security policy, as defined by either the group policy or the network share's own policy.

The group policy is used for scanning each VMDK, and you can define a specific scan policy for each on the Security Management page. CPVM logs any events associated with these files and includes the network path as part of the log. If you remove members, the members will be removed from the VC inventory list.

Note: Any snapshots on dormant VMs on a network share will not be scanned and cleaned during a scan.

To add a network share:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Click in front of Security Groups in the left pane to display the current groups.

3. Click the group to which you want to add a network share.

4. From the Member Management drop-down list, select Add Network Share.

FIGURE 4-10. Add Network Share window

5. Enter a name for the network share.

6. Enter the path to the network share. For example, if your VMDK files are located on both \\10.1.1.1\vmdk\winxp and \\10.1.1.1\vmdk\win2003, you could specify \\10.1.1.1\vmdk as your network share.

7. Enter the user name and password of the network share.

8. Click Test Connection to test the network share information you have entered.

9. Click Add.

To remove a network share:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Click in front of Security Groups in the left pane to display the current groups.

3. In the Security Groups pane, click on the group from which you want to remove a network share.

4. In the Members list, select the network share you want to remove.

5. From the Member Management drop-down list, select Remove Network Share.

6. In the dialog box, click OK.

Performing Scans

You have the option in Core Protection for Virtual Machines to perform the following types of scan:
• Scan Now
• QuickScan
• Real-time Scan
• Scheduled Scan

For information on configuring how the scans will behave, see Configuring Scan Settings on page 4-23.

Scan Now

Scan Now performs a full scan whenever an administrator chooses. It can be user-initiated by selecting a VM from the inventory list.

QuickScan

Unlike a full scan where a complete scan of all files is performed, a QuickScan performs a limited scan of the disk based on information from the Windows Registry. It loads the Registry to identify what files need to be scanned and performs a scan and clean operation on those files. If malware is detected, it attempts to clean the malware. If that is unsuccessful, it quarantines the file and modifies the Registry accordingly.

Note: QuickScan is allowed only on dormant machines as it may require modifications to the registry if malware is detected.

The Core Protection for Virtual Machines Server receives updates to the VC inventory periodically from the VirtualCenter. If it identifies a new VM that was previously not on its list, then it will perform a QuickScan on the VM if it is in dormant state.

Core Protection for Virtual Machines takes the following actions, based on user settings, when malware is detected during a QuickScan:
• If the administrator has configured Core Protection for Virtual Machines to perform a full scan if malware is detected, then upon detection of malware Core Protection for Virtual Machines will perform a full scan on the member. It will also log the event indicating the malware type detected, when it was detected, and the result of the clean operation or file quarantine.
• If the administrator has configured Core Protection for Virtual Machines to just log the event when malware is detected, then upon detection of malware Core Protection for Virtual Machines will log the event indicating the malware type detected, when it was detected, and the result of the clean operation or file quarantine.

Real-time Scan

A Real-time Scan runs continuously and provides solid virus protection. All file I/O events are monitored and infected files are thus prevented from being copied to or from the server.

Scheduled Scan

A full scan can be initiated based on a set schedule for selected members. Core Protection for Virtual Machines sequentially performs a full scan of each selected member. Since the CPVM Scanning Agent may be deployed on multiple hosts, multiple Scanning Agents can perform full scans on different members at the same time.

About Agents

CPVM provides two agents for performing scanning tasks:
• Real-time Agent
• Scanning Agent

Real-time Agent

The Real-time Agent provides real-time protection for live members. The Real-time Agent does not perform full scans. It provides protection as follows:
• Performs pattern signature and engine updates based on the schedule set by the administrator or when it gets a specific notification from the Core Protection for Virtual Machines Server.
• Monitors disk I/O and protects files from writes that would introduce malware.
• When the CPVM Scanning Agent performs a full scan of the live member and finds malware, it notifies the CPVM Server. The CPVM Server informs the Real-time Agent and requests that the virus be cleaned or files quarantined. Upon completion of this action, the Real-time Agent informs the central server of the result (success/failure).

Note: If the Real-time Agent is unable to see the virus (such as a rootkit), then a failure event is sent to the CPVM Server as an error. You will need to turn the member off and then perform a full scan/clean when the member is dormant.

Note: If you have not installed Real-time Agent in a live member, because there is an instance of ServerProtect, OfficeScan, or some other competitor product running in the member, then cleaning is not an option and the CPVM Server sends an event to the administrator informing him or her to take appropriate action.

CPVM Scanning Agent

The CPVM Scanning Agent is a service that runs on a host and scans dormant or live Virtual Machines as specified by the schedule and policy set on the Core Protection for Virtual Machines Server. The schedule and the policies are pushed to each of the Scanning Agent Servers by the Core Protection for Virtual Machines Server.

IntelliScan

Rather than relying on the file name alone, Core Protection for Virtual Machines uses IntelliScan to identify the true file type and determine whether the file is a type that Core Protection for Virtual Machines should scan.

True File-type Detection

Using true file-type identification, IntelliScan examines the header of the file first and checks if the file is an executable, compressed, or other type of file that may be a threat. IntelliScan examines all files to be sure that they have not been renamed. The extension must conform to the file's internally registered data type.

For example, Microsoft Word documents are file extension independent. Even if you rename a document from "legal.doc" to "legal.lgl", Word still recognizes and opens the document along with any macro viruses it contains. IntelliScan identifies the file as a Word document regardless of the file extension and scans it accordingly.

File Extension Checking

IntelliScan also uses extension checking, that is, the file name itself. An updated list of extension names is available with each new pattern file. For example, the discovery of a new ".jpg" file vulnerability prompts Trend Micro to add the ".jpg" extension to the extension-checking list in the next pattern update.
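The header-first check with an extension-list fallback described above, as an added example (not Trend Micro's IntelliScan code). The signature table, the expected-extension map, the extension list and the sample bytes are assumptions constructed for illustration.

```python
"""Header-first file typing with an extension-list fallback (illustrative)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Publicly documented magic numbers; a real pattern file covers far more types.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
SIGNATURES = [
    (OLE2_MAGIC, "ole2"),        # legacy Word/Excel/PowerPoint container
    (b"MZ", "pe"),               # DOS/Windows executable
    (b"PK\x03\x04", "zip"),      # ZIP archive, also .docx/.xlsx/.jar
    (b"\x1f\x8b", "gzip"),
    (b"%PDF-", "pdf"),
]

# Assumption: extensions that are normal for each header-detected type.
EXPECTED_EXT = {
    "ole2": {".doc", ".dot", ".xls", ".ppt", ".msi"},
    "pe": {".exe", ".dll", ".sys", ".scr", ".ocx"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "gzip": {".gz", ".tgz"},
    "pdf": {".pdf"},
}

# Assumption: stand-in for the extension-checking list shipped with pattern updates.
EXTENSION_LIST = {".exe", ".dll", ".doc", ".xls", ".jpg"}


@dataclass(frozen=True)
class Verdict:
    true_type: Optional[str]  # type named by the header, None if unrecognised
    renamed: bool             # header type and file extension disagree
    scan: bool                # whether the file should be handed to the scanner
    reason: str


def detect_type(header: bytes) -> Optional[str]:
    """Return the type named by the leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def assess(filename: str, header: bytes) -> Verdict:
    """Decide whether to scan: the header is checked first, then the extension."""
    ext = PureWindowsPath(filename).suffix.lower()
    kind = detect_type(header)
    if kind is not None:
        renamed = ext not in EXPECTED_EXT[kind]
        reason = f"header identifies {kind}"
        if renamed:
            reason += f"; extension {ext or '(none)'} does not match"
        return Verdict(kind, renamed, True, reason)
    if ext in EXTENSION_LIST:
        return Verdict(None, False, True, f"extension {ext} is on the checking list")
    return Verdict(None, False, False, "no header or extension match")


# Constructed samples: only the first bytes of each file matter here.
SAMPLES = {
    "legal.doc": OLE2_MAGIC + bytes(8),
    "legal.lgl": OLE2_MAGIC + bytes(8),            # renamed Word document
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",  # executable posing as a PDF
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",  # no signature entry, listed extension
    "notes.txt": b"meeting notes\n",
}


def main() -> None:
    for name, header in SAMPLES.items():
        v = assess(name, header)
        print(f"{name:12} scan={v.scan!s:5} renamed={v.renamed!s:5} {v.reason}")


if __name__ == "__main__":
    main()
```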

ActiveAction

ActiveAction is a set of pre-configured scan actions for specific types of viruses/malware. Trend Micro recommends using ActiveAction if you are not sure which scan action is suitable for each type of virus/malware. With ActiveAction, you do not have to spend time customizing the scan actions.

The following table illustrates how ActiveAction handles each type of virus/malware.

TABLE 4-1. ActiveAction Virus/malware Handling

VIRUS/MALWARE TYPE   REAL-TIME SCAN                 MANUAL SCAN/SCHEDULED SCAN/SCAN NOW
                     FIRST ACTION   SECOND ACTION   FIRST ACTION   SECOND ACTION
Joke                 Quarantine     N/A             Quarantine     N/A
Virus                Clean          Quarantine      Clean          Quarantine
Test Virus           Pass           N/A             Pass           N/A
Packer               Quarantine     N/A             Quarantine     N/A
Others               Clean          Quarantine      Clean          Quarantine
Generic              Pass           N/A             Pass           N/A

Scan Actions

For Virus/Malware:
• Delete: Deletes an infected file.
• Quarantine: Moves an infected file to the member’s quarantine directory found in {Core Protection for Virtual Machines member folder}\Virus. The default quarantine directory is {Core Protection for Virtual Machines server folder}\Virus, which you can change by going to Security Management > (Group Name) > Settings > {Scan Type} > Action tab.

• Clean: Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file.

• Rename: Changes the infected file’s extension to "vir". Users cannot open the file initially, but can do so if they associate the file with a certain application. A virus/malware may execute when opening the renamed infected file.

• Pass: Allows full access to the infected file without doing anything to the file. A user may copy/delete/open the file.

Note: If you select Pass, you may allow a VM to become infected.

For Spyware/Grayware:
• Clean: Terminates processes or deletes registries, files, cookies and shortcuts.
• Pass: Logs the spyware/grayware detection for assessment.

Note: If you select Pass, you may allow a VM to become infected.

• Delete: Deletes an infected file.

Initiating a QuickScan

Unlike a full scan where a complete scan of all files is performed, a QuickScan performs a limited scan of the disk based on information from the Windows Registry. It loads the Registry to identify what files need to be scanned and performs a scan and clean operation on those files. If malware is detected, it attempts to clean the malware. If that is unsuccessful, it quarantines the file and modifies the Registry accordingly. A QuickScan scans only dormant VMs.

The Core Protection for Virtual Machines Server receives updates to the VC inventory periodically from the VirtualCenter. If it identifies a new VM that was previously not on its list, then it will perform a QuickScan on the new VM if it is in dormant state.

Note: To avoid performance impact on your network, the scan progress is updated every 60 seconds and may not immediately reflect the actual scan progress. If you wish to see the actual scan progress, use the Refresh link to refresh the page.

To initiate a QuickScan:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. To change the pre-configured QuickScan settings before initiating the scan, click Settings and select QuickScan Settings, and make any changes in the QuickScan Settings window. For instructions on how to configure the settings, see Configuring QuickScan Settings on page 4-24.

3. Click Tasks and select QuickScan Now from the drop-down list to open the QuickScan Now window.

FIGURE 4-11. QuickScan Now window

4. In the member list, select the members that are required to be scanned and then click Initiate QuickScan Now. The server sends a notification to the Scanning Agent(s) for that group to perform a scan on those members.

5. View the status for member machines on the Security Management page to verify the scan status.

Note: If you selected multiple members to scan and you decide to stop the scan, scans for all members that are still in Pending or Scanning state will be aborted. Their scan progress will show 0 and scan status will show "Stopped."

Performing a Scan Now

In addition to turning on Real-time Scan and configuring Scheduled Scan, Trend Micro recommends initiating Scan Now on members that you suspect to be infected.

To perform a Scan Now:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. To change the pre-configured Scan Now settings before initiating the scan, click Settings > Scan Now settings. The Scan Now Settings screen opens. For information on configuring the Scan Now settings, see Configuring Real-time Scan Settings on page 4-26.

3. Click Tasks > Scan Now to open the Scan Now window.

FIGURE 4-12. Scan Now window

4. In the member list, select the target members to be scanned. To search for a specific member, enter the member name into the Member Name text box and click Search.

5. Click Initiate Scan Now. The server sends a notification to the Scanning Agent in that group to perform a scan on the target members.

6. For members already in the process of scanning, click Stop Scan Now to notify them to stop scanning.

Note: Stop Scan Now does not terminate the scan for a member (VM or network share) whose scan status is pending.

Configuring Scan Settings

Core Protection for Virtual Machines provides a number of options for scanning members in a group. You can perform a full scan at any time, or perform a limited scan of the disk based on information from the Windows Registry. You can also configure a Real-time Scan or a Scheduled Scan. Scan actions you can take on groups include:
• QuickScan settings
• Real-time Scan settings
• Scheduled Scan settings
• Scan Now settings

Scan settings can be set at group level and at member level. The group level settings represent all generic settings that you require to be applied to all members within a group. Member level settings are applied to override specific settings that were defined at the group level.

A scan schedule can only be set at the group level. All members within that group are scanned as per the schedule by the Scanning Agent(s) within that group.

Scan exclusion settings are global, and if defined for one type of scan settings, such as Real-time Scan Settings, they are automatically applied to all other types of scan settings.

Configuring QuickScan Settings

To configure a QuickScan, specify the scan targets and the actions to take when security risks are encountered.

To configure a QuickScan:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Under Security Groups, click the group you want to configure.

3. Click Settings and select QuickScan Settings.

FIGURE 4-13. Configure QuickScan Target tab

4. On the Target tab, select whether to initiate a QuickScan when a new virtual machine is added. Click Save.

5. To configure scan actions:

a. Click the Action tab.

FIGURE 4-14. Configure QuickScan Action tab

b. Specify virus/malware scan action(s). You can:

• Use ActiveAction. For more information, see ActiveAction on page 4-19.
• Manually select a specific scan action for each virus/malware type. For more information, see Scan Actions on page 4-19.

Note: If you manually select a scan action and choose Clean, you need to specify a second action that Core Protection for Virtual Machines takes if cleaning is unsuccessful.

c. To specify a different virus/malware quarantine directory, enter the path in the field provided. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found.

Specify the quarantine directory in absolute file path format on the member, for example, C:\temp.

WARNING! If you specify an incorrect quarantine directory, the CPVM client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the server's virus/malware logs, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

d. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.

e. Select whether to perform a full scan when malware is detected.

f. Click Save.

Configuring Real-time Scan Settings

To configure a Real-time Scan, specify the scan targets and the actions to take when security risks are encountered.

To configure a Real-time Scan:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Under Security Groups, click the group you want to configure.


3. Click Settings and select Real-time Scan Settings.

FIGURE 4-15. Configure Real-time Scan Target tab


4. On the Target tab configure the scan target:

a. Decide whether to enable real-time scanning for virus/malware, and then select or deselect the check box.

b. Select the files to scan based on user activity.

c. Select one of the options under Files to Scan.

Some notes on the options:
• To learn more about IntelliScan, see IntelliScan on page 4-18.
• If you choose to scan files based on extensions, you can add or delete extensions from the default set of extensions.

d. Select additional settings under Scan Settings.

TABLE 4-2. User Actions

| Activity | If the option selected is Scan files being created/modified | If the option selected is Scan files being retrieved | If the option selected is Scan files being created/modified and retrieved |
|---|---|---|---|
| Open a read-only file | Real-time Scan does not scan the file. | Real-time Scan scans the file. | Real-time Scan scans the file. |
| Copy or move a file from a directory excluded from scanning | Real-time Scan scans the file in the destination directory (if Core Protection for Virtual Machines does not exclude this directory from scanning). | Real-time Scan does not scan the file in the destination directory. | Real-time Scan scans the file in the destination directory (if Core Protection for Virtual Machines does not exclude this directory from scanning). |


e. Specify any directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.

Tip: You can also use * as a wildcard when specifying extensions.

f. There are some Trend Micro product directories that you need to manually add to the scan exclusion list. To exclude these directories, select Exclude directories where Trend Micro products are installed.

g. Click Save.

5. To configure scan actions:

a. Click the Action tab.

FIGURE 4-16. Configure Real-time Scan Action tab


b. Specify virus/malware scan action(s). You can:

• Use ActiveAction. For more information, see ActiveAction on page 4-19.
• Manually select a specific scan action for each virus/malware type. For more information, see Scan Actions on page 4-19.

Note: If you manually select a scan action and choose Clean, you need to specify a second action that Core Protection for Virtual Machines takes if cleaning is unsuccessful.

c. To specify a different virus/malware quarantine directory, enter the path in the field provided. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found.

Specify the quarantine directory as an absolute file path on the member, for example, C:\temp.

WARNING! If you specify an incorrect quarantine directory, the Core Protection for Virtual Machines client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the server's virus/malware logs, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

d. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.

e. Click Save.


Configuring Scheduled Scan Settings

To configure a Scheduled Scan, specify the scan targets and the actions to take when security risks are encountered.

Note: The schedule can only be set at the group level. All members within that group are scanned by the Scanning Agent(s) within that group as per the specified schedule.

To configure a Scheduled Scan:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Under Security Groups, click the group you want to configure.

3. Click Settings and select Scheduled Scan Settings.

FIGURE 4-17. Configure Scheduled Scan Target tab


4. On the Target tab, configure the scan target:

f. Configure a schedule for the scan.

g. Select one of the options under Files to Scan.

Some notes on the options:
• To learn more about IntelliScan, see IntelliScan on page 4-18.
• If you choose to scan files based on extensions, you can add or delete extensions from the default set of extensions.

h. Select additional settings under Scan Settings.

i. Specify any directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.

Tip: You can also use * as a wildcard when specifying extensions.

j. There are some Trend Micro product directories that you need to manually add to the scan exclusion list. To exclude these directories, select Exclude directories where Trend Micro products are installed.

k. Click Save.


5. To configure scan actions:

a. Click the Action tab.

FIGURE 4-18. Configure Scheduled Scan Action tab

b. Specify virus/malware scan action(s). You can:

• Use ActiveAction. For more information, see ActiveAction on page 4-19.
• Manually select a specific scan action that applies to all virus/malware types. For more information, see Scan Actions on page 4-19.

Note: If you manually select a scan action and choose Clean, you need to specify a second action that Core Protection for Virtual Machines takes if cleaning is unsuccessful.


c. To specify a different virus/malware quarantine directory, enter the path in the field provided. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found.

Specify the quarantine directory as an absolute file path on the member, for example, C:\temp.

WARNING! If you specify an incorrect quarantine directory, the Core Protection for Virtual Machines client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the server's virus/malware logs, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

d. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.

e. Click Save.


Configuring Scan Now Settings

To configure a Scan Now, specify the scan targets and the actions to take when security risks are encountered.

To configure a Scan Now:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Under Security Groups, click the group you want to configure.

3. Click Settings and select Scan Now Settings.

FIGURE 4-19. Configure Scan Now Target tab

4. On the Target tab configure the scan target:

f. Select one of the options under Files to Scan.

Some notes on the options:
• To learn more about IntelliScan, see IntelliScan on page 4-18.
• If you choose to scan files based on extensions, you can add or delete extensions from the default set of extensions.

g. Select additional settings under Scan Settings.


h. Specify the directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.

i. There are some Trend Micro product directories that you need to manually add to the scan exclusion list. To exclude these directories, select Exclude directories where Trend Micro products are installed.

Note: You can also use * as a wildcard when specifying extensions.

j. Click Save.

5. To configure scan actions:

a. Click the Action tab.

FIGURE 4-20. Configure Scan Now Action tab


b. Specify virus/malware scan action(s). You can:

• Use ActiveAction. For more information, see ActiveAction on page 4-19.
• Manually select a specific scan action for each virus/malware type.

Note: If you manually select a scan action and choose Clean, you need to specify a second action that Core Protection for Virtual Machines takes if cleaning is unsuccessful.

c. To specify a different virus/malware quarantine directory, enter the path in the field provided. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found.

Specify the quarantine directory as an absolute file path on the member, for example, C:\temp.

WARNING! If you specify an incorrect quarantine directory, the Core Protection for Virtual Machines client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the server's virus/malware logs, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

d. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.

e. Click Save.


Enabling and Disabling the Scanning Agent

You can enable or disable the Scanning Agent for any members in your Core Protection for Virtual Machines environment. For example, you might disable scanning before virtual infrastructure maintenance.

To enable the scanning agent:

1. From the Core Protection for Virtual Machines main menu, click Security Management.

2. Select the group where you want to enable the Scanning Agent.

3. Select the machines on which you want to enable the Scanning Agent.

4. From the Settings menu, select Enable Scanning Agent.

FIGURE 4-21. Enable Scanning Agent window

5. Enter your user name and password.

6. Click Enable.

To disable the Scanning Agent:

1. From the Core Protection for Virtual Machines main menu, click Security Management.

2. Select the group where you want to disable the Scanning Agent.

3. Select the members on which you want to disable the Scanning Agent.


4. From the Settings menu, select Disable Scanning Agent.

FIGURE 4-22. Disable Scanning Agent window

5. Enter your user name and password.

6. Click Disable.

Managing Agents

This section describes how to manage agents, including:
• Installing the Real-time Agent
• Installing the Scanning Agent
• Uninstalling Agents
• Upgrading Agents

Installing the Real-time Agent

To install the Real-time Agent:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. In the Security Groups pane, click on the group that includes the members where you want to install the Real-time Agent.


3. Select one or more members on which you want to install the Real-time Agent.

Note: The members you select must be online and connected. The selection must not include members that already have a Real-time Agent installed, and must not include a network share.

4. Click Install and select Install Real-time Agent from the drop-down list to open the Install Real-time Agent window.

FIGURE 4-23. Install Real-time Agent window

5. Enter the user name and password. The account must have administrator privileges on the target VMs.

6. Click Install.

Installing the Scanning Agent

To install the Scanning Agent:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. In the Security Groups pane, click on the group that includes the members where you want to install the Scanning Agent.


3. Select one or more members on which you want to install the Scanning Agent.

Note: The members you select must be online and connected. The selection must not include members that already have the Scanning Agent installed, and must not include a network share.

4. Click Install and select Install Scanning Agent from the drop-down list to open the Install Scanning Agent window.

FIGURE 4-24. Install Scanning Agent window

5. Enter the user name and password. The account must have administrator privileges on the target VMs.

6. Click Install.


Uninstalling Agents

To uninstall agents:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. In the Security Groups pane, click on the group that includes the members where you want to uninstall the agent.

Note: The members you select must have the same type of agents, either all Scanning Agents (SA) or all Real-time Agents (RTA). You cannot uninstall a mixed group that includes both SAs and RTAs.

3. Click Install and select Uninstall Agent from the drop-down list.

FIGURE 4-25. Uninstall Agent window

4. Enter the user name and password. The account must have administrator privileges on the target VMs.

5. Click Uninstall.


Upgrading Agents

Note: To upgrade agents, you must have administrator privileges on the target VMs and the VMs must all have the same username and password.

To upgrade agents:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Click the Security Group with the members that contain the agent to be upgraded.

Note: The members you select must have the same type of agents, either all Scanning Agents (SA) or all Real-time Agents (RTA). You cannot upgrade a mixed group that includes both SAs and RTAs.

3. Click Install > Upgrade Agent. The Upgrade Agent dialog box is displayed.

FIGURE 4-26. Upgrade Agent Dialog Box

4. Enter the Username and Password for the target VMs.

5. Click Upgrade.

A system message is displayed, "Upgrade Agent installation is initiated in the selected machine(s)."


Viewing and Managing Logs

Logs help you analyze your infrastructure protection, troubleshoot, and manage security risks in your network. Log actions include:
• View Virus/Malware logs
• View Software/Grayware logs
• Delete logs

Viewing Virus/Malware Logs

To view Virus/Malware logs:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. In the Security Groups pane, click on the group for which you want to view the logs.

3. Within the group select the members for which you want to view the logs.


4. Click Logs and select Virus/Malware Logs from the drop-down list to open the Virus/Malware Log Criteria window, where you can specify the criteria for log viewing.

FIGURE 4-27. Virus/Malware Log Criteria window

5. To specify a time period to include in the log, click on the Time Period drop-down box and select a time period.

6. To enter a start date and an end date, click on the Range option and do the following.
• Click the Calendar icon next to the From box.
• Select the month from the drop-down list or move backwards or forwards through the months by clicking on the Arrow buttons. Enter the year and select a day. If you leave the Start Date field blank, all logs from the earliest date will be searched for.


7. To enter the latest date to include, click the Calendar icon next to the To box and follow the same steps as described above for From. If you leave the To box empty, all logs up to the present date will be included.

8. Specify the type of logs to view, by selecting All Scan Types or any combination of the following:
• QuickScan
• Real-time Scan
• Scheduled Scan
• Scan Now

9. Click Display Logs.

Viewing the Spyware/Grayware Logs

To view the Spyware/Grayware logs:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. Click the group for which you want to view the logs.

3. Within the group select the members for which you want to view the logs.


4. Click Logs and select Virus/Malware Logs from the drop-down list to open the Spyware/Grayware Log Criteria window, where you can specify the criteria for log viewing.

FIGURE 4-28. Spyware/Grayware Log Criteria window

5. To specify a time period to include in the log, click on the Time Period drop-down box and select a time period.

6. To enter a start date and an end date, click on the Range option and do the following.
• Click the Calendar icon next to the From box.
• Select the month from the drop-down list or move backwards or forwards through the months by clicking on the Arrow buttons. Enter the year and select a day. If you leave the Start Date field blank, all logs from the earliest date will be searched for.


7. To enter the latest date to include, click the Calendar icon next to the To box and follow the same steps as described above for From. If you leave the To box empty, all logs up to the present date will be included.

8. Click Display Logs.

Manually Deleting Logs

You can specify a schedule for deleting logs. You can choose which logs you want to delete, and whether to delete them daily, weekly, or monthly.

To manually delete logs:

1. From the main Core Protection for Virtual Machines menu, click Security Management.

2. In the Security Groups pane, click on the group for which you want to delete logs.


3. Click Logs and select Delete Logs from the drop-down list to open the Log Maintenance window.

FIGURE 4-29. Log Maintenance window

4. Select the log types to delete, as follows:
• All Member logs:
  • Virus/Malware logs
  • Spyware/Grayware logs
  • Member Update logs
• Other logs - deletes the server logs.

5. Choose whether to delete all selected logs or only logs older than the specified number of days, as follows:
• Delete all logs selected above
• Delete logs selected above older than x days


6. Click Delete.


Chapter 5

Updating Components

The Updates pages are covered in the following topics:
• Components
• Viewing an Update Summary
• Configuring Scheduled Server Updates
• Performing a Manual Server Update
• Specifying a Server Update Source
• Configuring Automatic Member Updates
• Performing Manual Member Updates
• Rolling Back Updates


Components

The following are the Core Protection for Virtual Machines components.

Antivirus

Virus Pattern: A file that helps Core Protection for Virtual Machines identify virus signatures, unique patterns of bits and bytes that signal the presence of a virus.

Virus Scan Engine: The engine that scans for and takes appropriate action on viruses/malware; supports 32-bit and 64-bit platforms.

Note: You can roll back both the Virus Pattern and Virus Scan Engine.

Anti-spyware

Spyware Pattern: The file that identifies spyware/grayware in files and programs, modules in memory, Windows registry and URL shortcuts.

Spyware Scan Engine: The engine that scans for and takes appropriate action on spyware/grayware; supports 32-bit and 64-bit platforms.

Component Duplication

When the latest version of a full pattern file is available for download from the Trend Micro ActiveUpdate server, fourteen "incremental patterns" also become available.

The Core Protection for Virtual Machines server compares its current full pattern version with the latest version on the ActiveUpdate server. If the difference between the two versions is 14 or less, the server only downloads the incremental pattern that accounts for the difference between the two versions.

Incremental patterns are smaller versions of the full pattern file that account for the difference between the latest and previous full pattern file versions. For example, if the latest version is 175, incremental pattern v_173.175 contains signatures in version 175 not found in version 173 (version 173 is the previous full pattern version since pattern numbers are released in increments of 2). Incremental pattern v_171.175 contains signatures in version 175 not found in version 171.


To reduce network traffic generated when downloading the latest pattern, Core Protection for Virtual Machines performs component duplication, a component update method where the Core Protection for Virtual Machines server or Update Agent downloads only incremental patterns.

Component duplication applies to the following components:
• Virus pattern
• Spyware pattern

Updating a component as soon as a new version is available reduces the impact of component duplication on server performance. Therefore, make sure you download components regularly.

To help explain component duplication for the server, refer to the following scenario:
• Full patterns on the Core Protection for Virtual Machines Server
  • Current version: 171
  • Other versions available: 169 167 165 163 161 159
• Latest version on the ActiveUpdate server
  • Full pattern version: 175
  • Incremental patterns: 173.175 171.175 169.175 167.175 165.175 163.175 161.175 159.175 157.175 155.175 153.175 151.175 149.175 147.175

Component duplication process for the Core Protection for Virtual Machines server

1. The Core Protection for Virtual Machines server compares its current full pattern version with the latest version on the ActiveUpdate server. If the difference between the two versions is 14 or less, the server only downloads the incremental pattern that accounts for the difference between the two versions.

Note: If the difference is more than 14, the server automatically downloads the full version of the pattern file and 14 incremental patterns.


To illustrate based on the example:
• The difference between versions 171 and 175 is 2. In other words, the server does not have versions 173 and 175.
• The server downloads incremental pattern 171.175. This incremental pattern accounts for the difference between versions 171 and 175.

2. The server merges the incremental pattern with its current full pattern to generate the latest full pattern.

To illustrate based on the example:
• On the server, Core Protection for Virtual Machines merges version 171 with incremental pattern 171.175 to generate version 175.
• The server has 1 incremental pattern (171.175) and the latest full pattern (version 175).

3. The server generates incremental patterns based on the other full patterns available on the server. If the server does not generate these incremental patterns, clients that missed downloading earlier incremental patterns automatically download the full pattern file, which consequently generates more network traffic.

To illustrate based on the example:
• Because the server has pattern versions 169, 167, 165, 163, 161, 159, it can generate the following incremental patterns: 169.175 167.175 165.175 163.175 161.175 159.175
• The server does not need to use version 171 because it already has the incremental pattern 171.175.
• The server now has 7 incremental patterns: 171.175 169.175 167.175 165.175 163.175 161.175 159.175
• The server keeps the last 7 full pattern versions (versions 175, 171, 169, 167, 165, 163, 161). It removes any older version (version 159).


4. The server compares its current incremental patterns with the incremental patterns available on the ActiveUpdate server. The server downloads the incremental patterns it does not have.

To illustrate based on the example:
• The ActiveUpdate server has 14 incremental patterns: 173.175 171.175 169.175 167.175 165.175 163.175 161.175 159.175 157.175 155.175 153.175 151.175 149.175 147.175
• The Core Protection for Virtual Machines server has 7 incremental patterns: 171.175 169.175 167.175 165.175 163.175 161.175 159.175
• The Core Protection for Virtual Machines Server downloads an additional 7 incremental patterns: 173.175 157.175 155.175 153.175 151.175 149.175 147.175
• The server now has all the incremental patterns available on the ActiveUpdate server.

5. The latest full pattern and the 14 incremental patterns are made available to clients.
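
The following Python sketch is an added example, not code from Trend Micro or the product. It models the server-side component duplication steps above and reproduces the scenario's numbers; the function names, the plan dictionary, the rule that only bases inside the published window are generated, and the retention rule after a full download are assumptions.

```python
# Added illustration of the component duplication steps; not product code.
# Function names and the returned plan layout are assumptions.

STEP = 2               # pattern numbers are released in increments of 2
MAX_INCREMENTALS = 14  # incremental patterns published with each full pattern
KEEP_FULL = 7          # full pattern versions the server retains


def inc_name(base, latest):
    """Name an incremental pattern the way the guide does, e.g. 171.175."""
    return f"{base}.{latest}"


def published_incrementals(latest):
    """Incremental patterns offered by the ActiveUpdate server for `latest`."""
    return [inc_name(latest - STEP * i, latest)
            for i in range(1, MAX_INCREMENTALS + 1)]


def plan_server_update(current, other_full, latest):
    """Return what the server downloads, generates, keeps and removes."""
    gap = (latest - current) // STEP          # difference counted in releases
    published = published_incrementals(latest)
    plan = {"gap": gap, "download_full": False, "first_download": None,
            "generated": [], "extra_downloads": [],
            "kept_full": sorted({current, *other_full}, reverse=True),
            "removed_full": [], "incrementals_for_clients": []}
    if gap <= 0:
        return plan                           # already current, nothing to do

    if gap > MAX_INCREMENTALS:
        # Too far behind: full pattern file plus all 14 incremental patterns.
        plan["download_full"] = True
        held = []
    else:
        # Step 1: download only the incremental covering current -> latest.
        plan["first_download"] = inc_name(current, latest)
        # Step 2 (merge) yields the latest full pattern; modelled by adding
        # `latest` to the full-pattern set below.
        # Step 3: generate incrementals from the other full patterns held.
        # Assumption: only bases inside the published window are generated.
        plan["generated"] = [inc_name(v, latest)
                             for v in sorted(other_full, reverse=True)
                             if inc_name(v, latest) in published]
        held = [plan["first_download"], *plan["generated"]]

    # Step 4: download the published incrementals the server does not hold.
    plan["extra_downloads"] = [p for p in published if p not in held]

    # Retention: keep the newest 7 full versions, remove anything older.
    # Assumption: the same rule applies after a full download.
    all_full = sorted({latest, current, *other_full}, reverse=True)
    plan["kept_full"] = all_full[:KEEP_FULL]
    plan["removed_full"] = all_full[KEEP_FULL:]

    # Step 5: the latest full pattern plus these incrementals go to clients.
    plan["incrementals_for_clients"] = [
        p for p in published if p in held or p in plan["extra_downloads"]]
    return plan


if __name__ == "__main__":
    # Scenario from the guide: server at 171, ActiveUpdate server at 175.
    scenario = plan_server_update(171, [169, 167, 165, 163, 161, 159], 175)
    for key, value in scenario.items():
        print(f"{key}: {value}")
```

Running the same function with a server that is more than 14 releases behind shows why regular updates matter: the plan switches to a full pattern download plus all 14 incremental patterns.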

Viewing an Update Summary

The Update Summary screen displays the overall component update status. You can view the following information for each component:
• Current version
• Date and time of latest update
• Number of members with updated components
• Number of members with outdated components
• Total members, members online, and members offline

Tip: Refresh the page periodically for an accurate picture of your component update status.


To view the update summary:

1. From the Core Protection for Virtual Machines main menu, select Updates > Summary.

FIGURE 5-1. Update Summary page

2. In the Update Status for Members table, you can view the update status for each component.


3. For each component, you can view its current version and the last update date. You can also view members with out-of-date components.

The Update Status for Members section displays the following current update status for all members in your infrastructure, broken down by category:
• Component Version—The current version and date/time of the last update.
• Member Update Status—The total number of members currently online and offline that have been updated, along with those that need to be updated. The chart provides a graphical representation of members updated and not yet updated. Click on the Offline, Online, or Total value for Outdated Status to go to the Manual Update page where you can update member components.

4. The above information is displayed for each of the following components:
• Antivirus—Shows the current status of virus pattern and virus scan engine updates for all members in your environment.
  • Virus Pattern
  • Virus Scan Engine (32-bit)
  • Virus Scan Engine (64-bit)
• Anti-spyware—Shows the current status of anti-spyware pattern and scan engine updates for all members in your environment.
  • Spyware Pattern
  • Spyware Scan Engine (32-bit)
  • Spyware Scan Engine (64-bit)


Configuring Scheduled Server Updates

Configure the Core Protection for Virtual Machines server to regularly check its update source and automatically download any available updates. Because members normally get updates from the server, using automatic scheduled update is an easy and effective way of ensuring that your protection against security risks is always current.

To configure a server update schedule:

1. From the main Core Protection for Virtual Machines menu, click Updates > Scheduled Update.

FIGURE 5-2. Server Scheduled Update page

2. Select Enable scheduled update of the Core Protection for Virtual Machines server.


3. Specify the update schedule. For daily, weekly and monthly updates, the period of time is the number of hours during which Core Protection for Virtual Machines will perform the update. Core Protection for Virtual Machines updates at any given time during this time period.

4. Specify the action to take if the update is unsuccessful.

5. Click Save.

Performing a Manual Server Update

You can perform a manual server update at any time.

To update the server manually:

1. From the main Core Protection for Virtual Machines menu, click Updates > Server | Manual Update.

FIGURE 5-3. Server Manual Update page


2. To view component details, click in front of Antivirus or Anti-spyware.

3. Click Update. The server downloads the updated components.

Note: If you did not specify a component deployment schedule on the Automatic Update screen, the server downloads the updates but does not deploy them to the members.

Specifying a Server Update Source

There are two events that can trigger members to perform component updates. One is after the server downloads the latest components and the other is when members restart and then connect to the server. To trigger component update when these events occur, click Updates > Members > Automatic Update and go to the Event-triggered Update section.

To configure the server update source:

1. From the main Core Protection for Virtual Machines menu, click Updates > Server | Update Source.

FIGURE 5-4. Server Update Source page


2. Select the location from where you want to download component updates. You can choose to download from the Trend Micro ActiveUpdate server, a specific update source, or a location on your company intranet.

3. To use an intranet location containing a copy of the current files, specify the location and credentials for the Server Update source files:
• UNC path: The location where the update files are stored.
• User name: The user name to access the shared folder.
• Password: The password to access the shared folder.
• Domain: The domain where the CPVM server is installed. If in a workgroup, leave this text box empty.
• User name: The user name to access the CPVM server.
• Password: The password to access the CPVM server.

Note: Core Protection for Virtual Machines uses component duplication when downloading components from the update source.

4. Click Save.


Configuring Automatic Member Updates

Trend Micro recommends that you always use automatic update. It removes the burden placed on members of performing manual updates and eliminates the risk of members not having up-to-date components.

To configure automatic member updates:

1. From the main Core Protection for Virtual Machines menu, click Updates > Automatic Update.

FIGURE 5-5. Automatic Update page

Note: If the Core Protection for Virtual Machines server is unable to successfully send an update notification to members after it downloads components, it automatically resends the notification after 15 minutes. The server continues to send update notifications up to a maximum of five times until the client responds. If the fifth attempt is unsuccessful, the server stops sending notifications. If you select the option in this screen to update components when members restart and then connect to the server, component update will still proceed.


2. Select how often members will perform scheduled update by selecting either of the following.
• Select Minute(s) or Hour(s) for updates.
• Select Daily or Weekly and specify the time of the update and the time period the Core Protection for Virtual Machines server will notify members to update components. For example, if your start time is 12pm and the time period is 2 hours, Core Protection for Virtual Machines will randomly notify all online members to update components from 12pm until 2pm. This setting prevents all online members from simultaneously connecting to the server at the specified start time, significantly reducing the amount of traffic directed to the server.

Offline members will not be notified. Offline members will be updated as part of the scheduled scan process, when they come online, or if you initiate manual update. This is dependent on which takes place first.

3. Click Save.


Performing Manual Member Updates

Use the Manual Updates page to manually update components for members and view the date and time of the last component updates. Members can also update components if you configure automatic component update settings.

To configure manual member updates:

1. From the main Core Protection for Virtual Machines menu, click Updates > Manual Updates.

FIGURE 5-6. Manual Update page


2. Choose the target members. You can update only members with outdated components or manually select members.
• To update all members with outdated components, select Select members with outdated components.
• To manually select members, search for the members using the Search for members option, or navigate through the Security Groups tree and place a check mark in front of each member to update.

3. Click Update. The server starts notifying each member to download updated components.

Rolling Back Updates

Rolling back refers to reverting to the previous version of the Virus Pattern or Virus Scan Engine. If these components do not function properly, roll them back to their previous versions. Core Protection for Virtual Machines retains the current and the previous versions of the Virus Scan Engine and the last five versions of the Virus Pattern.

Note: You can only roll back the Virus Pattern and Virus Scan Engine.

Note: When you roll back updates, the rollback applies to all components.

Core Protection for Virtual Machines uses different scan engines for members running 32-bit and 64-bit platforms. You need to roll back these scan engines separately. The rollback procedure for all types of scan engines is the same.


To roll back the Virus Pattern or Virus Scan Engine:

1. From the main Core Protection for Virtual Machines menu, click Updates > Rollback.

FIGURE 5-7. Rollback page

2. Select the component versions to roll back by selecting the components.

3. Antivirus—Click to view the current antivirus component versions and the date and time of the latest update.

4. Anti-spyware—Click to view the anti-spyware component versions and the date and time of the latest update.

5. Click Rollback Member Versions.

6. To cancel the rollback, click Cancel.


Chapter 6

Viewing and Managing Logs

This chapter describes how to get timely information about Core Protection for Virtual Machines activity by generating and viewing logs. Topics in this chapter include:
• Overview
• Viewing Member Logs
• Viewing Server Logs
• Configuring a Log Deletion Schedule
• Logged Actions


Overview

Core Protection for Virtual Machines keeps comprehensive logs about security risk detections, events, and updates. Use these logs to assess your organization's protection policies and to identify clients at a higher risk of infection or attack. Also, use these logs to check client-server connections and verify if the component update is successful or not.

Component Update Logs

Core Protection for Virtual Machines clients send virus pattern update logs to the server. In the Component Update Progress screen, you can view the number of members updated for every 15-minute interval and the total number of members updated.

Spyware/Grayware Logs

After cleaning spyware/grayware, Core Protection for Virtual Machines clients back up spyware/grayware data, which you can restore anytime if you consider the spyware/grayware safe.

Virus/Malware Logs

Core Protection for Virtual Machines keeps logs of events related to virus/malware, such as a virus detected by a manual scan or a Virtual Center inventory change after a virus is detected by QuickScan.

Server Update Logs

Core Protection for Virtual Machines keeps logs for all events related to component updates on the Core Protection for Virtual Machines server. View the logs to verify that Core Protection for Virtual Machines successfully downloaded the components required to keep your protection current.


System Event Logs

Core Protection for Virtual Machines also records events related to the server program, such as shutdown and startup. Use these logs to verify that the Core Protection for Virtual Machines server and services work properly. Core Protection for Virtual Machines logs the following events:
• Trend Micro Virtualization Service is started
• Trend Micro Virtualization Service is stopped
• Virus pattern out of date! Expire days
• Scan start and stop times and the number of files scanned

Log Deletion

To keep the size of your logs from occupying too much space on your hard disk, you can delete logs manually or configure Core Protection for Virtual Machines to delete logs based on a schedule.

Viewing Security Risk Logs

To view the security risk log for a member:

1. To search for a specific member, enter the member name in the Search for members text box and click Search.

2. Under Security Groups, click on a security group name.

3. In the member list in the left pane, select the members whose logs you want to view.

4. Click View Logs and select the type of logs you want to view.

To view virus/malware logs:

1. Specify log criteria and click Display Logs.

2. View logs. For details about the virus/malware log, click View.

Note: Scan results display under the Result column. Check which of the results require your attention.


3. To save the log as a comma-separated value (CSV) data file, click Export to CSV.

4. Open the file or save it to a specific location. A CSV file usually opens with a spreadsheet application such as Microsoft Excel.

To view spyware/grayware logs:

1. Specify log criteria and click Display Logs.

2. View the logs.

Note: Scan results display under the Result column. Check which of the results require your attention.

3. To save the log as a comma-separated value (CSV) data file, click Export to CSV.

4. Open the file or save it to a specific location. A CSV file usually opens with a spreadsheet application such as Microsoft Excel.


Viewing Member Logs

The Member Update logs show the date/time for each incident and the component involved.

To view the update log for a member:

1. From the main CPVM menu, click Logs > Member Logs.

FIGURE 6-1. Security Risk Logs for Members page

2. Select the desired group.

3. Within the group, select the desired member.

4. Click View Logs and select the type of log to view.

5. To sequence through the list, click the navigation buttons.

6. To increase the number of rows on the page, click on the Results per page drop-down list box and select a new number.

7. To export the logs to CSV format, click Export to CSV.


Viewing Server Logs

The server logs show the date/time, result, member name involved, and the server action.

To view the server log:

1. From the main Core Protection for Virtual Machines menu, click Logs > Server Logs.

FIGURE 6-2. Server Logs page

2. To sequence through the list, click the navigation buttons.

3. To increase the number of rows on the page, click on the Results per page drop-down list box and select a new number.

4. To export the logs to CSV format, click Export to CSV.

Configuring a Log Deletion Schedule

To keep the size of your logs from occupying too much space on your hard disk, you can configure Core Protection for Virtual Machines to delete logs manually or based on a schedule. To manually delete logs, see Manually Deleting Logs on page 4-48.


To delete logs based on a schedule:

1. From the main Core Protection for Virtual Machines menu, click Logs > Log Maintenance.

FIGURE 6-3. Log Maintenance page

2. Select Enable scheduled deletion of logs if you want to periodically delete logs according to a schedule you specify.

3. To delete one or more specific log types, select the logs as follows:
• All Member logs
• Infection logs - deletes all virus/malware and spyware/grayware logs.
• System Event logs
• Member Update logs

4. Choose whether to delete all selected logs or delete them after a specified number of days, as follows:
• Delete all logs selected above
• Delete logs selected above older than x days

5. To specify a time period to include in the log, click on the Time Period drop-down box and select a time period, as follows:


• Daily - if selected, specify a start time.
• Weekly, every - if selected, specify the day of the week and a start time.
• Monthly, on day - if selected, specify the day of the month and a start time.

6. Click Save.

Logged Actions

The following sections describe the actions that are logged for the CPVM logs, including server logs, logs recorded at the Scanning Agent, and logs recorded at the Real-time Agent.

Note: Logs generated by a manual scan of target VMs, including those with the Real-time Agent installed, are stored at the Scanning Agent. The specific log where an event is stored is based on the agent that is running on a specific VM. If the Real-time Agent is running on a VM, the log data will be recorded at the Real-time Agent. Manual scan logs, however, are stored at the Scanning Agent.

Server Logs

The following actions are recorded in the Server Log:
• Administrator Web console login/logout
• Scanning Agent install/uninstall
• Real-time Agent install/uninstall
• Administrator Web console password change
• Server update
• CPVM service start/stop (MCS start/stop)


Actions Logged at the Scanning Agent

The following member logs are recorded at the Scanning Agent:
• System event
• Virus/malware
• Spyware/grayware
• Member update

The following sections describe the actions that are recorded in each of the logs.

Member System Event Logs

The following actions are recorded in System Event logs at the Scanning Agent:
• Virus pattern out of date
• Spyware pattern out of date
• VC Inventory change (such as add or remove) when a new VM is detected, if QuickScan is enabled and a QuickScan Summary is generated
• Scheduled purge start/stop
• Real-time Agent service start/stop
• CPVM service start/stop
• Scanning Agent start/stop

Scanning Agent logs include the following group level information:
• Scheduled Scan start/stop for a group
• Start/stop for scanning individual VMs within a group
• Information about any files that could not be scanned on the Scanning Agent
• Details about viruses caught in a zip file, if any, on the Scanning Agent

Target VMs in a group include the following:
• Start/stop of Scheduled Scan
• Summary of the number of files scanned, not scanned, and infected
• Information about any files that could not be scanned
• Details about viruses detected in zip files, if any


Member Virus/Malware Logs

The following actions are recorded in Member Virus/Malware logs:
• VC Inventory change (such as add and remove) if a virus is detected by QuickScan
• When a virus/spyware is detected by a Manual Scan
• Scheduled Scan of individual VMs in the group logs an entry for each virus/spyware file that might be detected. There will be only one entry for a zip file even if it contains multiple viruses

Member Spyware/Grayware Logs

The following actions are recorded in Spyware/Grayware logs:
• VC Inventory change (such as add and remove) if spyware or grayware is detected by QuickScan
• QuickScan (dormant VMs only) if spyware is detected by QuickScan

Member Update Logs

The Member Update log records all member updates.

Actions Logged at the Real-time Agent

The following member logs are recorded at the Real-time Agent:
• System event
• Virus/malware
• Spyware/grayware
• Member update


Member System Event Logs

The following actions are recorded in System Event logs at the Real-time Agent:
• Virus pattern out of date
• Scheduled Purge start/stop
• Real-time Agent service start/stop
• CPVM service start/stop (Real-time Agent start/stop)
• Virus/Spyware caught by Real-time Scan logs details about viruses caught in a zip file, if any

Member Virus/Malware Logs

The Member Virus/Malware Log records the following actions and events at the Real-time Agent:
• Manual Scan if virus/spyware is detected by a manual scan
• Scheduled Scan logs an entry for each virus/spyware file that might be detected. There will be only one entry for a zip file even if it contains multiple viruses
• Real-time Scan logs details about viruses detected in a zip file, if any

Member Update Logs

The Member Update Log records all member updates at the Real-time Agent.


Using the Log Viewer

The Log Viewer enables you to view, independently from the CPVM Web console, logs on each machine that has installed agents.

To view the logs:

1. Go to the folder where the agent is installed. For example, C:\Program Files\Trend Micro\CPVM Scanning Agent or C:\Program Files\Trend Micro\CPVM Real-Time Agent.

2. Copy the VSLog\vslog.dbf file to the above directory.

3. Start the LogViewer.exe tool.

4. From the File menu, select the vslog.dbf file.

The following shows a typical view, which displays the logs in the DB file.

FIGURE 6-4. Log View tool

Note: It is not possible to open the vslog.dbf file directly from the VSLog folder because the agent service is using it. Only a copy of the file can be opened.


Chapter 7

Managing Notifications

You can configure Core Protection for Virtual Machines to alert an administrator when virus/malware or spyware/grayware is detected or a system event occurs. Core Protection for Virtual Machines enables you to configure the specific events that will trigger a notification and to whom the notifications will be sent. You can configure Core Protection for Virtual Machines to send notifications through email, SNMP traps, or the NT Event log. Available actions include:
• Configuring General Settings
• Configuring Standard Notifications
• Configuring System Notifications
• Token Variables


Configuring General Settings

You can specify the settings Core Protection for Virtual Machines will use when sending notifications through email and SNMP traps. The General settings apply to all the Core Protection for Virtual Machines notification messages.

To configure general notification settings:

1. From the main Core Protection for Virtual Machines menu, select Notifications > General Settings.

FIGURE 7-1. General Notifications Settings


2. To configure email notifications, select Enable notification via email and specify the following:
• SMTP server
• Port number
• From
• To - separate multiple recipients by a comma (,).
• Subject

3. To send SNMP trap notifications, select Enable notification via SNMP and specify the following:
• Server IP address
• Community name

4. To send notifications to the NT Trap log, select Enable notification by NT Event log.

5. Click Save.

Configuring Standard Notifications

You can configure the server to notify you and other Core Protection for Virtual Machines administrators of security risks detected on members. You can allow Core Protection for Virtual Machines to send standard notification messages through the following:
• Email
• SNMP trap
• Windows NT Event Log


To configure standard notifications:

1. From the main Core Protection for Virtual Machines menu, select Notifications > Standard Notifications.

FIGURE 7-2. Standard Notifications Settings

2. Specify one or more of the options listed below and type the message(s) to be sent. You can use token variables within the message.
• Send notifications when CPVM detects virus/malware and spyware/grayware, or only when the action on these security risks is unsuccessful.
• Send notifications when the virus and spyware patterns are out of date or only when the action on these security risks is unsuccessful.
• Send notifications when the virus and/or spyware pattern is out-of-date.

Note: Use only token variables to represent data in the Message field. The Subject field does not accept token variables.


3. Click Save.

To enable notifications and specify delivery methods, see Configuring General Settings on page 7-2.

Configuring System Notifications

You can configure Core Protection for Virtual Machines to notify you and other Core Protection for Virtual Machines administrators when a system event is detected. On this page, you need to define the event criteria that will trigger a notification message, and then configure Core Protection for Virtual Machines to send notification messages through the following:
• Email
• SNMP trap
• Windows NT Event Log


To configure system notifications:

1. From the main Core Protection for Virtual Machines menu, select Notifications > System Notifications.

FIGURE 7-3. System Notifications Settings

2. Specify the events that will trigger security notification messages:
• When Scanning Agent is unable to access specified machine
• When Scanning Agent is unable to complete scheduled scan in the specified time
• When there is a Scanning Agent connection failure
• When there is a Real-Time Agent connection failure
• Fill in the Message text box with the specific message to be sent. You can use token variables within the message.

Note: Use only token variables to represent data in the Message field. The Subject field does not accept token variables.

3. Click Save.


Token Variables

Use token variables to represent data in the Message field of standard and system notifications. Token variables are not allowed in the Subject field.

Note: Pattern Update has only the %s option. Virus malware can have additional options, such as %f, %l, %i and %y.

TABLE 7-1. Standard Notifications

VARIABLE    DESCRIPTION
%s          Member with security risk
%n          Name of the user logged on to the infected computer
%m          Domain of the computer
%p          File path of the computer
%v          Security risk name
%y          Date and time of security risk detection
%a          Action taken on the security risk
%T          Spyware/Grayware and scan result

TABLE 7-2. System Notifications

VARIABLE    DESCRIPTION
%CV         Total number of security risks detected
%CC         Total number of computers with security risks
%A          Log type exceeded
%M          Time period, in minutes

For example, at %y, Core Protection for Virtual Machines found the following virus on member %m%s: virus %v, location: %p. Core Protection for Virtual Machines performed the following action on the infected computer: %a.
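The token rules above can be checked before a template is pasted into the console. The following Python linter is an added example, not part of the Trend Micro guide or product: it uses only the tokens listed in Tables 7-1 and 7-2 and in the Note, while the notification kind names, function names and sample values are assumptions constructed for illustration.

```python
import re

# Tokens from TABLE 7-1 (standard notifications), as listed in the guide.
TABLE_7_1 = {"%s", "%n", "%m", "%p", "%v", "%y", "%a", "%T"}
# Extra virus/malware tokens the guide's Note names without describing them.
NOTE_EXTRAS = {"%f", "%l", "%i"}
# Tokens from TABLE 7-2 (system notifications).
TABLE_7_2 = {"%CV", "%CC", "%A", "%M"}

# Kind names are chosen for this example; they are not console labels.
ALLOWED = {
    "security_risk": TABLE_7_1 | NOTE_EXTRAS,
    "pattern_update": {"%s"},  # Note: "Pattern Update has only the %s option"
    "system": TABLE_7_2,
}
ALL_TOKENS = TABLE_7_1 | NOTE_EXTRAS | TABLE_7_2

_RUN = re.compile(r"%([A-Za-z]+)")  # a percent sign followed by letters


def _split(run, vocabulary):
    """Split a letter run into (token, rest) using the longest listed token."""
    for length in (2, 1):
        token = "%" + run[:length]
        if len(run) >= length and token in vocabulary:
            return token, run[length:]
    return None


def find_tokens(text):
    """Return (token, trailing_letters, known) for each %letters run.

    Matching is case-sensitive, so %a (Table 7-1) and %A (Table 7-2) differ.
    """
    found = []
    for match in _RUN.finditer(text):
        hit = _split(match.group(1), ALL_TOKENS)
        if hit is None:
            found.append(("%" + match.group(1), "", False))
        else:
            found.append((hit[0], hit[1], True))
    return found


def lint_notification(kind, subject, message):
    """Return a sorted list of (code, token) findings; empty means clean."""
    allowed = ALLOWED[kind]
    findings = set()
    # The Subject field does not accept token variables.
    for token, _rest, known in find_tokens(subject):
        if known:
            findings.add(("token-in-subject", token))
    for token, rest, known in find_tokens(message):
        if not known:
            findings.add(("unknown-token", token))
        elif token not in allowed:
            findings.add(("not-valid-for-" + kind, token))
        elif rest:
            # The guide does not say how a token glued to letters is parsed.
            findings.add(("ambiguous-boundary", token + rest))
    return sorted(findings)


def preview(message, values):
    """Expand tokens present in `values`; leave everything else untouched."""
    def substitute(match):
        hit = _split(match.group(1), values)
        if hit is None:
            return match.group(0)
        return str(values[hit[0]]) + hit[1]
    return _RUN.sub(substitute, message)


# The guide's example message, with constructed sample values for the preview.
GUIDE_EXAMPLE = (
    "At %y, Core Protection for Virtual Machines found the following virus "
    "on member %m%s: virus %v, location: %p. Core Protection for Virtual "
    "Machines performed the following action on the infected computer: %a."
)
SAMPLE_VALUES = {
    "%y": "2010-07-01 12:00", "%m": "CORP", "%s": "vm-web-01",
    "%v": "Eicar_test_file", "%p": "C:\\temp\\eicar.com", "%a": "Quarantined",
}

if __name__ == "__main__":
    print(lint_notification("security_risk", "Virus alert", GUIDE_EXAMPLE))
    print(preview(GUIDE_EXAMPLE, SAMPLE_VALUES))
```

With these constructed values the preview joins the domain and member name from %m%s with no separator, so check a real notification before relying on the layout in downstream alert parsing.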


Chapter 8

Administering Core Protection for Virtual Machines

The Administration pages cover the following tasks:
• Setting the Web Console Password
• Configuring Proxy Settings
• Configuring Virtual Infrastructure Settings
• Configuring Compatible Products
• Viewing and Updating Your Product License


Setting the Web Console Password

The Web console is password-protected to prevent unauthorized users from modifying Core Protection for Virtual Machines settings. During installation, the Core Protection for Virtual Machines Setup program requires you to specify a Web console password; however, you can modify your password from the Web console.

The following guidelines can help you create an effective password:
• Include both letters or special characters as well as numbers in your password
• Avoid words found in any dictionary, of any language
• Intentionally misspell words
• Use phrases or combine words
• Use both uppercase and lowercase letters

Note: If you forget the console password, contact Trend Micro technical support for instructions on how to gain access to the Web console. The only other alternative is to uninstall and reinstall Core Protection for Virtual Machines.


To change your password:

1. From the main Core Protection for Virtual Machines menu, click Administration > Change Password.

FIGURE 8-1. Change Password page

2. In the Old Password box, enter your password.

3. Enter a new password in the New Password box. The password must contain a mixture of numbers, letters (upper and lower case), and special characters. The password can range from 7 to 14 characters.

4. Re-enter the password in the New Password Confirm box.

5. Click Change Password.

The message "Your password was changed" is displayed if the reset was successful.
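A pre-check for candidate console passwords against the rules in step 3 and the guidelines above, as an added example that is not part of the guide or the product. The ASCII-punctuation definition of "special character", the function name and the sample wordlist are assumptions.

```python
import string

# Length bounds and character classes come from step 3 of the procedure above.
MIN_LEN, MAX_LEN = 7, 14

# Constructed sample wordlist standing in for a real dictionary file.
SAMPLE_WORDS = {"password", "admin", "welcome", "virtual", "console"}


def check_console_password(candidate, words=SAMPLE_WORDS):
    """Return the list of rules the candidate breaks (empty list = acceptable)."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")

    # Assumption: "special character" means ASCII punctuation; the guide does
    # not list the accepted set.
    required = {
        "a number": str.isdigit,
        "an uppercase letter": str.isupper,
        "a lowercase letter": str.islower,
        "a special character": lambda c: c in string.punctuation,
    }
    for name, matches in required.items():
        if not any(matches(c) for c in candidate):
            problems.append(f"missing {name}")

    # Guideline "avoid dictionary words": reject a single word that was only
    # padded with digits or symbols, e.g. "Welcome1!". Misspelled or combined
    # words, which the guidelines recommend, are not flagged.
    letters_only = "".join(c for c in candidate if c.isalpha()).lower()
    if letters_only in words:
        problems.append("single dictionary word with padding")
    return problems


if __name__ == "__main__":
    for sample in ("Gr8!blueVan", "short1!", "Welcome1!", "Abcdefghijkl1!x"):
        print(sample, "->", check_console_password(sample) or "ok")
```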


Configuring Proxy Settings

If your network’s Internet connection is routed through a proxy server, you need to enter the proxy server information before you will be able to retrieve updates from the Internet.

To configure a proxy server:

1. From the main Core Protection for Virtual Machines menu, click Administration > Proxy Settings.

FIGURE 8-2. Proxy Settings page

2. Select Use a proxy server for pattern, engine, and license updates.

3. Choose a protocol type—either HTTP or Socks 4.

4. Under Proxy Settings, in the Server name or IP address and Port text boxes, enter the name of the proxy server and the port number.

5. In the User ID and Password text boxes, enter the proxy server user name and password.

6. Click Save.


Configuring Virtual Infrastructure Settings

From the Virtual Infrastructure Settings page, you can configure the information required to connect to the Virtual Center.

To configure the Virtual Center:

1. From the main Core Protection for Virtual Machines menu, click Administration > Virtual Infrastructure Settings.

FIGURE 8-3. Virtual Infrastructure Settings page


2. Enter the following settings:

• Virtual Center Address

• Virtual Center User Name

• Virtual Center Password

• Virtual Center Verify Password

• Auto-sync with Virtual Center every - this is the frequency for automatically synchronizing with Virtual Center to update virtual machine information.

Note: The time it takes to synchronize with the Virtual Center depends on the number of virtual machines in the Virtual Center. Synchronization could take a while, up to thirty minutes, if you have a lot of virtual machines.

3. Select Register VC Core Protection for Virtual Machines plug in to register the plug-in.

4. To test the settings you have entered, click Test Connection.

5. Click Save.

Configuring Compatible Products

Using the Compatible Products page, you can define the products you want to allow to operate in your Core Protection for Virtual Machines environment and the products that Core Protection for Virtual Machines will keep updated. Products that you can configure are:
• Trend Micro OfficeScan
• Trend Micro ServerProtect


To configure compatible products:

1. From the main Core Protection for Virtual Machines menu, click Administration > Compatible Products.

FIGURE 8-4. Compatible Products page

2. To allow OfficeScan to be updated, enter the Update Agent URL. This is the URL of the update server, which could be one of the following server URLs:
• The installed Agent Update server URL for OfficeScan, such as: http://osce10-p.activeupdate.trendmicro.com/activeupdate
• Your own OfficeScan AU update server URL: http://<hostname>:8080/officescan/download
• Your AU update server URL (if you configured a client as the AU server from the OfficeScan setting): http://<ip-address>:[port]/activeupdate


3. To allow ServerProtect to be updated, enter the following settings:
• Information Server IP Address: The IP address of the installed ServerProtect.
• Username: The username to access ServerProtect.
• Password: The password to access ServerProtect.

4. Click Save.

Viewing and Updating Your Product License

The Product License page displays the status of your current Core Protection for Virtual Machines product license and allows you to update your product license when necessary.

Note: The product supports user-based and CPU-based licenses. Depending on your purchase, it will display the number of seats or number of CPUs licensed for your product.


To update your license information:

1. From the main Core Protection for Virtual Machines menu, click Administration > Product License.

FIGURE 8-5. Product License page

The Product License page displays:
• Status: Your current product license status, Active, Inactive, or Expired.
• Version: Either "Full" or "Evaluation" version. If you have both full and evaluation versions, the version that displays is "Full".
• Expiration Date: The date your current license will expire.


2. In the Services column, click on the name of the product to view or update.

FIGURE 8-6. Antivirus for Servers page

The Product License page shows the following product information:
• Status: "Activated", "Not Activated" or "Expired". If a product service has multiple licenses, and at least one license is still active, "Activated" displays.
• Version: Either "Full" or "Evaluation" version. If you have both full and evaluation versions, the version that displays is "Full".
• License Type: This can either be a "User based" or "CPU based" license depending on which you have purchased.
• Seats or Number of CPUs: This can be either the seat count purchased or the number of CPU licenses purchased.
• Expiration Date: If a product service has multiple licenses, the latest expiration date displays. For example, if the license expiration dates are 12/31/2008 and 06/30/2009, 06/30/2009 displays.
• Activation Code

Note: The version and expiration date of product services that are not activated display as "N/A".


3. To update your activation code:

a. Click New Activation Code.

FIGURE 8-7. Enter a New Code page

4. Enter your new activation code in the New Activation Code box.

5. Click Activate.

Note: You must register a service before you can activate it. Contact your Trend Micro representative for more information about your Registration Key and Activation Code.

6. Back in the Product License Details screen, click Update Information to refresh the page with the new license details and the status of the service. This screen also provides a link to your detailed license available on the Trend Micro Web site.


Appendix A

VMware Virtual Center Integration

To allow management from within VMware Virtual Center, Core Protection for Virtual Machines is integrated with the Virtual Center interface. Two management options are provided:
• Virtual Center Plug-in
• Virtual Center Reporting


Virtual Center Plug-in

If the Virtual Center plug-in was enabled during CPVM installation or enabled from the Web-based console, the CPVM Administration console will be available from the Virtual Infrastructure client as a tab. The plug-in allows full CPVM management as if you were accessing the standalone CPVM Administrator Web console.

FIGURE A-1. Virtual Center—Virtual Machines tab


Virtual Center Reporting

Virtual Center reporting is implemented in the Virtual Center interface without any action required. The CPVM server creates and updates a custom attribute as part of the Summary page Annotation section, providing the scan status of any VM in your inventory as shown in the figure below.

FIGURE A-2. Virtual Center—Virtual Machines tab

Note: If you do not see the custom attribute being updated when viewing virtual machines, press F5 to refresh your page.
