Best Practice Configurations for OfficeScan (OSCE) 10.6

Applying Latest Patch(es) for OSCE 10.6

To find out the latest patches for OfficeScan, click here.

Enable Smart Clients

1. Ensure that the OfficeScan client can query at least two Scan Servers.

This guidance avoids the creation of a single point of failure for anti-malware security. If the lone Scan Server on the network crashes, this has repercussions for desktop security throughout the network. Adding a second Scan Server on the network, or ensuring that all File Reputation-enabled clients can connect to the Trend Micro scan service if the primary Scan Service fails, results in a more robust security implementation.

Options:
- Enable the Integrated Scan Server on multiple OfficeScan servers
- Install VMWare-based standalone scan servers

There are two types of local scan servers:
- Integrated Scan Server
- Standalone Scan Server

Both essentially work the same way but are ported for different software platforms.

Integrated Scan Server: The integrated scan server is automatically installed on the OfficeScan server. It can be installed during OfficeScan server installation or at a later point.

Standalone Scan Server: The standalone scan server is recommended for large networks. At this point this server is only available as a VMWare image that runs CentOS.

For more information regarding image compatibility on virtual servers, refer to http://docs.trendmicro.com/en-us/enterprise/officescan.aspx

2. When opting to use the Integrated Scan Server, make sure that it is actually installed.

To verify that the scan server is installed and accessible from a particular desktop, enter the following URL in the desktop's browser:

https://officescan_host:<port>/tmcss/?LCRC=08000000AC41080092000080C4F01936B21D9104

If the browser returns the following, then the Scan Server is both enabled and accessible.

3. Enable Smart Scan. The Integrated Scan Server is enabled using the following checkbox on the Scan Server screen on the OfficeScan management console.

Before including an Integrated Scan Server in the scan server list, make sure that it is enabled. When using File Reputation functionality with an integrated scan server, make sure that the scan server is enabled before switching scan types. This is an important step because the mechanism for switching from standard scanning to File Reputation does not include automatic verification of scan server functionality. It is therefore possible to assign a File Reputation-enabled OfficeScan client to a non-functional scan server.

4. Create separate domains for Smart and Conventional clients.

Upon installation, the default scan mode for the OfficeScan network is called "Conventional scan". This uses the traditional schema of using all-local patterns. Administrators can switch OfficeScan clients to Smart Scan. As with other OfficeScan client settings, if the administrator sets this setting at the root of the OfficeScan client tree, this becomes the default scan method and will affect all future clients, in addition to existing clients that are not already assigned client-specific scan-method settings.

- Deploy clients in Conventional scan and then switch them over to Smart scan afterwards
- Create OfficeScan domains that have Smart scan enabled by default and then migrate

5. Schedule the Smart Scan Server to update on an hourly basis.

Configuring Manual Scan Settings

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Scan Settings > Manual Scan Settings.
5. Configure the Target tab.
6. Files to Scan > All Scannable files
7. Scan Settings
   7.1 Scan hidden folders
   7.2 Scan network drive
   7.3 Scan compressed files
   7.4 Scan OLE object
       7.4.1 Detect exploit code in OLE files
8. Virus/Malware Scan Settings Only > Scan boot area
9. CPU Usage > Medium: pause slightly between file scans
10. Scan Exclusion > Enable scan exclusion
    10.1 Scan Exclusion list (Directories)
         10.1.1 Exclude directories where Trend Micro products are installed
         10.1.2 Retains client computer's exclusion list
    10.2 Scan Exclusion list (Files)
         10.2.1 Retains client computer's exclusion list
11. Configure the Action tab.
12. Virus/Malware > Use a specific action for each virus/malware type
    12.1 Joke: Quarantine
    12.2 Trojan: Quarantine
    12.3 Virus: Clean & Quarantine
    12.4 Test Virus: Quarantine
    12.5 Packer: Quarantine
    12.6 Probable Virus/Malware: Quarantine
    12.7 Others: Clean & Quarantine
13. Back up files before cleaning
14. Damage Cleanup Services
    14.1 Cleanup type: Advanced cleanup
    14.2 Enable > Run cleanup when probable virus/malware is detected
15. Spyware/Grayware > Clean: OfficeScan will terminate processes or delete registries, files, cookies and shortcuts

Configuring Real-time Scan Settings

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Scan Settings > Real-time Scan Settings.
5. Enable virus/malware scan and Enable spyware/grayware scan.
6. Configure the Target tab.
7. User Activity on Files > Scan files being created/modified and retrieved
8. Files to Scan > All Scannable files
9. Scan Settings
   9.1 Scan network drive
   9.2 Scan the boot sector of the USB storage device after plugging in
   9.3 Scan compressed files
   9.4 Scan OLE object
       9.4.1 Detect exploit code in OLE files
10. Virus/Malware Scan Settings Only > Enable Intellitrap
11. Scan Exclusion > Enable scan exclusion
    11.1 Scan Exclusion list (Directories)
         11.1.1 Exclude directories where Trend Micro products are installed
         11.1.2 Retains client computer's exclusion list
    11.2 Scan Exclusion list (Files)
         11.2.1 Retains client computer's exclusion list
12. Configure the Action tab.
13. Virus/Malware > Use a specific action for each virus/malware type
    13.1 Joke: Quarantine
    13.2 Trojan: Quarantine
    13.3 Virus: Clean & Quarantine
    13.4 Test Virus: Quarantine
    13.5 Packer: Quarantine
    13.6 Probable Virus/Malware: Quarantine
    13.7 Others: Clean & Quarantine
14. Back up files before cleaning
15. Damage Cleanup Services
    15.1 Enable > Run cleanup when probable virus/malware is detected
16. Spyware/Grayware > Clean: OfficeScan will terminate processes or delete registries, files, cookies and shortcuts

Configuring Scheduled Scan Settings

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Scan Settings > Scheduled Scan Settings.
5. Enable virus/malware scan and Enable spyware/grayware scan.
6. Configure the Schedule to run at least once a week.
7. Configure the Target tab.
8. Files to Scan > All Scannable files
9. Scan Settings
   9.1 Scan compressed files
   9.2 Scan OLE object
       9.2.1 Detect exploit code in OLE files
10. Virus/Malware Scan Settings Only > Scan boot area
11. CPU Usage > Medium: pause slightly between file scans
12. Scan Exclusion > Enable scan exclusion
    12.1 Scan Exclusion list (Directories)
         12.1.1 Exclude directories where Trend Micro products are installed
         12.1.2 Retains client computer's exclusion list
    12.2 Scan Exclusion list (Files)
         12.2.1 Retains client computer's exclusion list
13. Configure the Action tab.
14. Virus/Malware > Use a specific action for each virus/malware type
    14.1 Joke: Quarantine
    14.2 Trojan: Quarantine
    14.3 Virus: Clean & Quarantine
    14.4 Test Virus: Quarantine
    14.5 Packer: Quarantine
    14.6 Probable Virus/Malware: Quarantine
    14.7 Others: Clean & Quarantine
15. Back up files before cleaning
16. Damage Cleanup Services
    16.1 Cleanup type: Advanced cleanup
    16.2 Enable > Run cleanup when probable virus/malware is detected
17. Spyware/Grayware > Clean: OfficeScan will terminate processes or delete registries, files, cookies and shortcuts

Configuring Scan Now Settings

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Scan Settings > Scan Now Settings.
5. Enable virus/malware scan and Enable spyware/grayware scan.
6. Configure the Target tab.
7. Files to Scan > All Scannable files
8. Scan Settings
   8.1 Scan compressed files
   8.2 Scan OLE object
       8.2.1 Detect exploit code in OLE files
9. Virus/Malware Scan Settings Only > Scan boot area
10. Scan Exclusion > Enable scan exclusion
    10.1 Scan Exclusion list (Directories)
         10.1.1 Exclude directories where Trend Micro products are installed
         10.1.2 Retains client computer's exclusion list
    10.2 Scan Exclusion list (Files)
         10.2.1 Retains client computer's exclusion list
11. CPU Usage > Medium: pause slightly between file scans
12. Configure the Action tab.
13. Virus/Malware > Use a specific action for each virus/malware type
    13.1 Joke: Quarantine
    13.2 Trojan: Quarantine
    13.3 Virus: Clean & Quarantine
    13.4 Test Virus: Quarantine
    13.5 Packer: Quarantine
    13.6 Probable Virus/Malware: Quarantine
    13.7 Others: Clean & Quarantine
14. Back up files before cleaning
15. Damage Cleanup Services
    15.1 Cleanup type: Advanced cleanup
    15.2 Enable > Run cleanup when probable virus/malware is detected
16. Spyware/Grayware > Clean: OfficeScan will terminate processes or delete registries, files, cookies and shortcuts

Summary

Setting                                     Real-time Scan    Manual Scan        Scheduled Scan     Scan Now
Files to scan                               All Scannable     All Scannable      All Scannable      All Scannable
Scan hidden folders
Scan network drive
Scan boot sector of USB storage
Scan compressed files
Scan OLE object
Detect exploit code in OLE files
Enable Intellitrap
Scan boot area
CPU usage                                                     Medium             Medium             Medium
Cleanup type for Damage Cleanup Services                      Advanced Cleanup   Advanced Cleanup   Advanced Cleanup
Run cleanup for probable virus
Clean action for detected Spyware

Enable Web Reputation

WRS allows OfficeScan to detect and block access to sites that harbor Web-based threats. When a client requests a URL, it first checks the "reputation score" of the URL by querying the Trend Micro reputation servers. Access to the URL is then allowed or denied depending on the score and the security level you configured. To configure WRS, please do the following:

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Web Reputation Settings.
5. For both External and Internal Clients, Enable Web Reputation Policy.
6. Enable Check HTTPS URLs.
7. Select the Medium security level for the policy.
8. Approved/Block URL list: You may add the URLs of the Web sites you want to approve or block. By default, Trend Micro and Microsoft Web sites are included in the Approved list.
9. Select whether to Allow clients to send logs to the OfficeScan server. You can use this option to analyze URLs blocked by WRS.
10. Click Save.

Administrators can also configure OfficeScan to log all connections between clients and confirmed C&C IP addresses. These are the steps on how to do it:

1. Navigate to Networked Computers > Global Client Settings.
2. Go to the C&C Contact Alert Settings section.
3. Enable the Log network connections between agents and Trend Micro confirmed C&C IP addresses option.
4. Select to log connections from all endpoints or only endpoints running specific operating systems.
5. Click Save.

Note: Service Pack 3 should be installed in order to have the C&C connection detection feature.

Enable Smart Feedback

The Trend Micro Smart Protection Network provides a feedback mechanism to minimize the effort of threat harvesting, analysis and resolving. It not only helps increase the detection rate but also provides a quick real-world scenario. It also benefits customers by helping ensure they get the latest protection in the shortest possible time.

To configure Smart Feedback, please do the following:

1. On the OSCE Server, log in to the Management Console.
2. On the left pane menu, click Smart Protection > Smart Feedback.
3. Check the Enable Trend Micro Smart Feedback option box.
4. Click Save.

Enable Behavior Monitoring

OfficeScan constantly monitors computers (or endpoints) for unusual modifications to the operating system or to installed software. Administrators (or users) can create exception lists that allow certain programs to start despite violating a monitored change, or completely block certain programs. In addition, programs that have a valid digital signature or have been certified are always allowed to start. To configure Behavior Monitoring's Malware Blocking feature, please do the following:

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management > Settings > Behavior Monitoring Settings.
3. Check Enable Malware Behavior Blocking.
4. Click Save.

Behavior Monitoring works in conjunction with Web Reputation Services to verify the prevalence of files downloaded through HTTP channels or email applications. After detecting a newly encountered file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network. To enable the Behavior Monitoring feature to monitor these "newly encountered" files, do the following steps:

1. On the OSCE Server, go to Networked Computers > Global Client Settings.
2. Under Behavior Monitoring Settings, check Prompt users before executing newly encountered programs downloaded…
3. Click on Save down at the bottom.

Note: Service Pack 3 should be installed in order to have Behavior Monitoring's "newly encountered" files detection feature.

Configure Global Client Settings

These are advanced settings that will apply to all the OfficeScan clients on your network. To configure Global Client Settings, please do the following:

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Global Client Settings.
3. Enable OfficeScan Service Restart
   3.1 Automatically restart an OfficeScan client service if the service terminates unexpectedly
4. Click Save.

Configure Client Self-protection

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Privileges and Other Settings.
5. Click the Other Settings tab.
6. Enable all Client Self-protection
   6.1 Protect OfficeScan client services
   6.2 Protect files in the OfficeScan client installation folder
   6.3 Protect OfficeScan client registry keys
   6.4 Protect OfficeScan client processes
7. Click Save.

Configure Device Control

One of the new features of OfficeScan 10.x is Device Control. It provides a control feature that regulates access to external storage devices and network resources connected to computers. Device Control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks. By default, the Device Control feature is enabled but ALL devices have FULL ACCESS. The Block AutoRun function on USB devices is also enabled.

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Device Control Settings.
5. Check Enable Device Control for both External and Internal Clients.
6. Enable Block the Autorun function on USB storage devices.

Permissions for Storage and Non-Storage Devices

- Allow access to USB storage devices, CD/DVD, floppy disks, and network drives. You can grant full access to these devices or limit the level of access. Limiting the level of access brings up "Program lists", which allows programs on storage devices to have Modify, Read and execute, Read, List device content only, and Block permissions.
- Configure the list of approved USB storage devices. Device Control allows you to block access to all USB storage devices except those that have been added to the list of approved devices. You can grant full access to the approved devices or limit the level of access.
- Use default permission for Non-Storage Devices. You can only allow or block access to non-storage devices. There are no granular or advanced permissions for these devices.

Configure the settings according to your preference.

Enhanced GeneriClean Technology

There are instances wherein registry remnants are left after a Trend Micro product has cleaned or quarantined a file. There is also a possibility that the malware payload can modify local security policies of the machine that restrict certain functionalities (i.e. Task Manager). GeneriClean has the capability to restore system policy, and this has been implemented via the use of the TSC.INI file. For more information on how to clean malware remnants and restore security policies, visit http://esupport.trendmicro.com/Pages/How-to-clean-malware-remnants-and-restore-policies-using-GeneriClean.aspx

Disabling Roaming Mode for Machines in the Network

Trend Micro recommends not enabling roaming mode for the machines that are in the Local Area Network.

1. Log in to the OfficeScan Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Privileges and Other Settings.
5. On the Privileges tab, go to Roaming Privilege.
6. Uncheck the Enable roaming mode option if it is enabled for LAN machines. Otherwise, leave it as is.

Install Intrusion Defense Firewall (IDF) plug-in

Note: Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager. This requires a new activation code. Please contact sales to obtain a license.

Intrusion Defense Firewall is an advanced host-based intrusion defense system that brings proven network security approaches, including firewall and intrusion detection and prevention, down to individual networked computers and devices. In addition, it can also prevent a malware attack that exploits a vulnerability. More information can be found here.

1. Log in to the OfficeScan Management Console.
2. Click Plug-in Manager.
3. Under Intrusion Defense Firewall, click Download.

Install OfficeScan ToolBox plug-in

OfficeScan ToolBox manages, deploys, executes, and consolidates logs for a variety of standalone Trend Micro tools.

1. Log in to the OfficeScan Management Console.
2. Click Plug-in Manager.
3. Under Trend Micro OfficeScan ToolBox, download and install the plug-in.
4. After installing the plug-in, click on Manage Program to access the OfficeScan ToolBox console.
5. Select which OfficeScan clients to deploy the ATTK package to, then click Deploy.
6. On the Deployment Settings window, the ATTK toolkit is already selected by default. Click Deploy.
7. A confirmation that the tool deployment is successful will appear. The ATTK package will be deployed on the client in a few minutes.
8. On the Logs tab, you will see that the ATTK deployment is being processed.
9. Once the deployment is finished, it will indicate on the Tool Deployment page that it is complete.
10. Go to the Logs tab and the result would be Completed. You can download the file and send it to Trend Micro Technical Support for analysis.
11. You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis.

Using the Security Compliance

Security Compliance allows you to detect client computers that do not have antivirus software installed within your network environment by scanning your Active Directory Scope and connecting to the port(s) used by the OfficeScan server(s) to communicate with the OfficeScan clients. Security Compliance can then install the OfficeScan client on unprotected computers.

1. Log in to the OfficeScan Management Console.
2. Click on "Security Compliance" > Outside Server Management.
3. In line with "Active Directory Scope", click on the "Define" button.
4. If you have more than one (1) OfficeScan server, click on the link for Specify Ports under "Advanced Setting", then click on the "Save" button.
5. Click on the "Save and re-assess" button.
6. You will be presented with the assessment result for the machines within your Active Directory Scope. You can then highlight the machines you wish and click on the "Install" button to deploy the OfficeScan client program to them.

Note:

- If you have more than one (1) OfficeScan server installed within your environment, you need to specify each communication port being used by OfficeScan clients to connect to their respective OfficeScan server.
- This feature can only validate machines with OfficeScan client software installed. If a machine is running another anti-virus program, the assessment will return a BLANK result for the machine names you have queried.

Disable System Restore

1. In Active Directory Users and Computers, navigate to Computer Configuration > Administrative Templates > System > System Restore.
2. Double-click Turn off System Restore, set it to Enabled, then click OK.
3. Close the policy and exit Active Directory Users and Computers.
4. The changes will take effect on the next policy refresh.

Disable Autorun

1. Click on Start, then Run.
2. Type in GPEDIT.MSC, then hit Enter.
3. Go to Local Computer Policy | Administrative Template | System.
4. On the right pane, double-click Turn off Autoplay.
5. When you are in the properties dialog box, click Enabled.
6. Choose All drives from the drop-down list underneath.
7. Click on OK.
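
Both policy changes above (Turn off System Restore and Turn off Autoplay for All drives) only apply after a policy refresh, so it is worth confirming on the endpoint that they actually landed. The PowerShell audit below is an added example, not part of the original guide; it assumes both policies were set under Computer Configuration and reads the registry values that back them (DisableSR and NoDriveTypeAutoRun), and the names Test-HardeningPolicy and $PolicyChecks are illustrative.

```powershell
# Added example: audit the two Group Policy settings from the steps above.
# Assumption: both policies were applied under Computer Configuration, so the
# backing values live under HKLM. Names below are illustrative.

$PolicyChecks = @(
    @{
        Name     = 'Turn off System Restore'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
        Value    = 'DisableSR'
        Expected = 1
    },
    @{
        Name     = 'Turn off Autoplay (All drives)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value    = 'NoDriveTypeAutoRun'
        Expected = 255   # 0xFF: Autoplay disabled for every drive type
    }
)

function Test-HardeningPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [hashtable[]]$Checks
    )

    foreach ($check in $Checks) {
        $actual = $null
        $state  = 'NotConfigured'   # key or value absent: policy never applied

        if (Test-Path -Path $check.Path) {
            $item = Get-ItemProperty -Path $check.Path -Name $check.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $actual = $item.($check.Value)
                # A value that exists but differs means a weaker setting is in force
                $state = if ($actual -eq $check.Expected) { 'Compliant' } else { 'Mismatch' }
            }
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Policy   = $check.Name
            State    = $state
            Actual   = $actual
            Expected = $check.Expected
        }
    }
}

$results = Test-HardeningPolicy -Checks $PolicyChecks
$results | Format-Table Computer, Policy, State, Actual, Expected -AutoSize

# Surface any endpoint where the policy refresh has not taken effect
$failed = @($results | Where-Object { $_.State -ne 'Compliant' })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} of {1} hardening policies are not in effect on {2}" -f `
        $failed.Count, $results.Count, $env:COMPUTERNAME)
}
```

Running `gpupdate /force` before the audit rules out a pending policy refresh as the cause of a NotConfigured result.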

Run Microsoft Baseline Security Analyzer once a month to check for unpatched PCs

1. Download the tool from the link below:
   http://www.microsoft.com/en-us/download/details.aspx?id=7558
2. See more information at the link below:
   http://technet.microsoft.com/en-au/security/cc184924.aspx

Educate users not to click on links they do not trust

Do not open suspicious links or files, especially from instant messengers, emails from unidentified users, and pop-up windows.
7 Click Save
Configure Device Control One of the new features of OfficeScan 10x is the Device Control It provides control feature that regulates access to external storage devices and network resources connected to computers Device control helps prevent data loss and leakage and combined with file scanning helps guard against securitry risks By default Device Control feature is enabled but ALL devices have FULL ACCESS Block AutoRun functions on USB devices are also enabled
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to
4 Click on Settings and select Device Control Settings 5 Check Enable Device Control for both External and Internal Clients 6 Enable Block the Autorun function on USB storage devices
Permissions for Storage and Non-Storage Devices
Allow access to USB storage devices CDDVD floppy disks and network drives You can grant full access to these devices or limit the level of access Limiting the level of access brings up ldquoProgram listsrdquo which allows programs on storage devices to have modify read and execute read List device content only and Block permissions
Configure the list of approved USB storage devices Device Control allows you to block access to all USB storage devices except those that have been added to the list of approved devices You can grant full access to the approved devices or limit the level of access
Use default permission for Non-Storage Devices You can only allow or block access to non-storage devices There are no granular or advanced permissions for these devices
Configure the settings according to your preference
Enhanced GeneriClean Technology There are instances wherein registry remnants are left after a Trend Micro product has cleaned or quarantined a file There is also a possibility that the malware payload can modify local security policies
of the machine that restrict certain functionalities (ie Task Manager) GeneriClean has the capability to restore system policy and this has been implemented via the use of TSCINI file For more information on how to clean malware remnants and restore security policies visit httpesupporttrendmicrocomPagesHow-to-clean-malware-remnants-and-restore-policies-using-GeneriCleanaspx
Disabling Roaming Mode for Machines in the Network Trend Micro recommends not to enable roaming mode for the machines that are in the Local Area Network
1 Login to the OfficeScan Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings gt Privileges and Other Settings 5 On the Privileges tab gtRoaming Privilege 6 Uncheck Enable roaming mode option if enabled for LAN machines Otherwise leave it as is
Install Intrusion Defense Firewall (IDF) plug-in Note Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager This requires a new activation code Please contact sales to obtain a license
Intrusion Defense Firewall is an advanced host-based intrusion defense system that brings proven network security approaches including firewall and intrusion detection and prevention down to individual networked computers and devices In addition it can also prevent a malware attack that exploits the vulnerability More information can be found here
1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Intrusion Defense Firewall click Download
Install OfficeScan ToolBox plug-in OfficeScan Toolbox manages deploys executes and consolidates logs for a variety of standalone Trend Micro tools 1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Trend Micro OfficeScan ToolBox download and install the plug-in
1 4 After installing the plug-in click on Manage Program to access the OfficeScan ToolBox console 2 5 Select which OfficeScan clients to deploy the ATTK package then click Deploy
3 6 On the Deployment Settings window the ATTK toolkit is already selected by default Click Deploy
4 7 A confirmation that the tool deployment is successful will appear The ATTK package will be deployed on the client in a few minutes
8 On the Logs tab you will see that the ATTK deployment is being processed
9 Once the deployment is finished it will indicate on the Tool Deployment page that it is complete
5 10 Go to the Logs tab and the result would be Completed You can download the file and send it to Trend Micro Technical Support for analysis
11 You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis
Using the Security Compliance Security Compliance allows you to detect client computers that do not have antivirus software installed within your network environment by scanning your Active Directory Scope and connecting to port(s) used by OfficeScan server(s) to communicate with the OfficeScan clients Security Compliance can then install the OfficeScan client on unprotected computers
1 Login to the OfficeScan Management Console 2 Click on ldquoSecurity Compliancerdquo gt Outside Server Management 3 Inline with ldquoActive Directory Scoperdquo click on ldquoDefinerdquo button 4 If you have more than one (1) OfficeScan server click on the link for Specify Ports under 1 ldquoAdvanced Settingrdquo then click on ldquoSaverdquo button 5 Click on ldquoSave and re-assessrdquo button 6 You will be presented with the assessment result for the machines within your Active Directory
Scope You can then highlight the machines you wish and click on ldquoInstallrdquo button to deploy OfficeScan client program to them
Note
If you have more than one (1) OfficeScan servers installed within your environment you need to specify each communication port being used by Officescan clients to connect to their respective OfficeScan server
This feature can only validate machines with OfficeScan client software installed If a machine is running other anti-virus program assessment will return a BLANK result for the machine names you have queried
Disable System Restore
1 In Active Directory Users and Computers navigate to Computer Configuration Administrative 1 Templates System System Restore 2 Double-click Turn off System Restore set it to Enabled then click OK 3 Close the policy and exit Active Directory Users and Computers 4 The changes will take effect on the next policy refresh
Disable Autorun
1 Click on Start then Run 2 Type in GPEDITMSC then hit Enter 3 Go to Local Computer Policy | Administrative Template | System 4 On the right pane double-click Turn off Autoplay 5 When you are in the properties dialog box click enabled 6 Choose All drives from the drop-down list underneath 7 Click on OK
Run Microsoft Baseline Security Analyzer once a month to check for Unpatched PC
1 Download the tool on the link below httpwwwmicrosoftcomen-usdownloaddetailsaspxid=7558
2 See more information on the link below httptechnetmicrosoftcomen-ausecuritycc184924aspx
Educate users not to click on links they do not trust Do not open suspicious links or files especially from instant messengers emails from unidentified users and from pop-up windows
It is therefore possible to assign a File Reputation-enabled OfficeScan client to a non-functional scan server.

4. Create separate domains for Smart and Conventional clients.

Upon installation, the default scan mode for the OfficeScan network is "Conventional scan", which uses the traditional scheme of relying on all-local patterns. Administrators can switch OfficeScan clients to Smart Scan. As with other OfficeScan client settings, if the administrator sets this at the root of the OfficeScan client tree, it becomes the default scan method and affects all future clients, in addition to existing clients that are not already assigned client-specific scan-method settings.

- Deploy clients in Conventional scan and then switch them over to Smart scan afterwards
- Create OfficeScan domains that have Smart scan enabled by default and then migrate

5. Schedule Smart Scan Server to update on an hourly basis.

Configuring Manual Scan Settings

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Scan Settings > Manual Scan Settings.
5. Configure the Target tab.
6. Files to Scan > All Scannable files
7. Scan Settings
   7.1 Scan hidden folders
   7.2 Scan network drive
   7.3 Scan compressed files
   7.4 Scan OLE object
       7.4.1 Detect exploit code in OLE files
8. Virus/Malware Scan Settings Only > Scan boot area
9. CPU Usage > Medium: pause slightly between file scans
10. Scan Exclusion > Enable scan exclusion
    10.1 Scan Exclusion list (Directories)
         10.1.1 Exclude directories where Trend Micro products are installed
         10.1.2 Retains client computer's exclusion list
    10.2 Scan Exclusion list (Files)
         10.2.1 Retains client computer's exclusion list
11. Configure the Action tab.
12. Virus/Malware > Use a specific action for each virus/malware type
    12.1 Joke: Quarantine
    12.2 Trojan: Quarantine
    12.3 Virus: Clean & Quarantine
    12.4 Test Virus: Quarantine
    12.5 Packer: Quarantine
    12.6 Probable Virus/Malware: Quarantine
    12.7 Others: Clean & Quarantine
13. Back up files before cleaning
14. Damage Cleanup Services
    14.1 Cleanup type: Advanced cleanup
    14.2 Enable > Run cleanup when probable virus/malware is detected
15. Spyware/Grayware > Clean: OfficeScan will terminate processes or delete registries, files, cookies and shortcuts

Configuring Real-time Scan Settings

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Scan Settings > Real-time Scan Settings.
5. Enable virus/malware scan and Enable spyware/grayware scan.
6. Configure the Target tab.
7. User Activity on Files > Scan files being created/modified and retrieved
8. Files to Scan > All Scannable files
9. Scan Settings
   9.1 Scan network drive
   9.2 Scan the boot sector of the USB storage device after plugging in
   9.3 Scan compressed files
   9.4 Scan OLE object
       9.4.1 Detect exploit code in OLE files
10. Virus/Malware Scan Settings Only > Enable IntelliTrap
11. Scan Exclusion > Enable scan exclusion
    11.1 Scan Exclusion list (Directories)
         11.1.1 Exclude directories where Trend Micro products are installed
         11.1.2 Retains client computer's exclusion list
    11.2 Scan Exclusion list (Files)
         11.2.1 Retains client computer's exclusion list
12. Configure the Action tab.
13. Virus/Malware > Use a specific action for each virus/malware type
    13.1 Joke: Quarantine
    13.2 Trojan: Quarantine
    13.3 Virus: Clean & Quarantine
    13.4 Test Virus: Quarantine
    13.5 Packer: Quarantine
    13.6 Probable Virus/Malware: Quarantine
    13.7 Others: Clean & Quarantine
14. Back up files before cleaning
15. Damage Cleanup Services
    15.1 Enable > Run cleanup when probable virus/malware is detected
16. Spyware/Grayware > Clean: OfficeScan will terminate processes or delete registries, files, cookies and shortcuts

Configuring Scheduled Scan Settings

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Scan Settings > Scheduled Scan Settings.
5. Enable virus/malware scan and Enable spyware/grayware scan.
6. Configure the Schedule to run at least once a week.
7. Configure the Target tab.
8. Files to Scan > All Scannable files
9. Scan Settings
   9.1 Scan compressed files
   9.2 Scan OLE object
       9.2.1 Detect exploit code in OLE files
10. Virus/Malware Scan Settings Only > Scan boot area
11. CPU Usage > Medium: pause slightly between file scans
12. Scan Exclusion > Enable scan exclusion
    12.1 Scan Exclusion list (Directories)
         12.1.1 Exclude directories where Trend Micro products are installed
         12.1.2 Retains client computer's exclusion list
    12.2 Scan Exclusion list (Files)
         12.2.1 Retains client computer's exclusion list
13. Configure the Action tab.
14. Virus/Malware > Use a specific action for each virus/malware type
    14.1 Joke: Quarantine
    14.2 Trojan: Quarantine
    14.3 Virus: Clean & Quarantine
    14.4 Test Virus: Quarantine
    14.5 Packer: Quarantine
    14.6 Probable Virus/Malware: Quarantine
    14.7 Others: Clean & Quarantine
15. Back up files before cleaning
16. Damage Cleanup Services
    16.1 Cleanup type: Advanced cleanup
    16.2 Enable > Run cleanup when probable virus/malware is detected
17. Spyware/Grayware > Clean: OfficeScan will terminate processes or delete registries, files, cookies and shortcuts

Configuring Scan Now Settings

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Scan Settings > Scan Now Settings.
5. Enable virus/malware scan and Enable spyware/grayware scan.
6. Configure the Target tab.
7. Files to Scan > All Scannable files
8. Scan Settings
   8.1 Scan compressed files
   8.2 Scan OLE object
       8.2.1 Detect exploit code in OLE files
9. Virus/Malware Scan Settings Only > Scan boot area
10. Scan Exclusion > Enable scan exclusion
    10.1 Scan Exclusion list (Directories)
         10.1.1 Exclude directories where Trend Micro products are installed
         10.1.2 Retains client computer's exclusion list
    10.2 Scan Exclusion list (Files)
         10.2.1 Retains client computer's exclusion list
11. CPU Usage > Medium: pause slightly between file scans
12. Configure the Action tab.
13. Virus/Malware > Use a specific action for each virus/malware type
    13.1 Joke: Quarantine
    13.2 Trojan: Quarantine
    13.3 Virus: Clean & Quarantine
    13.4 Test Virus: Quarantine
    13.5 Packer: Quarantine
    13.6 Probable Virus/Malware: Quarantine
    13.7 Others: Clean & Quarantine
14. Back up files before cleaning
15. Damage Cleanup Services
    15.1 Cleanup type: Advanced cleanup
    15.2 Enable > Run cleanup when probable virus/malware is detected
16. Spyware/Grayware > Clean: OfficeScan will terminate processes or delete registries, files, cookies and shortcuts

Summary

Setting | Real-time Scan | Manual Scan | Scheduled Scan | Scan Now
Files to scan | All Scannable | All Scannable | All Scannable | All Scannable
Scan hidden folders
Scan network drive
Scan boot sector of USB storage
Scan compressed files
Scan OLE object
Detect exploit code in OLE files
Enable IntelliTrap
Scan boot area
CPU usage | | Medium | Medium | Medium
Cleanup type for Damage Cleanup Services | | Advanced Cleanup | Advanced Cleanup | Advanced Cleanup
Run cleanup for probable virus
Clean action for detected Spyware

Enable Web Reputation

WRS allows OfficeScan to detect and block access to sites that harbor Web-based threats. When a client requests a URL, it first checks the "reputation score" of the URL by querying the Trend Micro reputation servers. Access to the URL is then allowed or denied depending on the score and the security level you configured. To configure WRS, please do the following:

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Web Reputation Settings.
5. For both External and Internal Clients, enable Web Reputation Policy.
6. Enable Check HTTPS URLs.
7. Select the Medium security level for the policy.
8. Approved/Block URL list: You may add the URLs of the Web sites you want to approve or block. By default, Trend Micro and Microsoft Web sites are included in the Approved list.
9. Select whether to Allow clients to send logs to the OfficeScan server. You can use this option to analyze URLs blocked by WRS.
10. Click Save.

Administrators can also configure OfficeScan to log all connections between clients and confirmed C&C IP addresses. The steps are as follows:

1. Navigate to Networked Computers > Global Client Settings.
2. Go to the C&C Contact Alert Settings section.
3. Enable the Log network connections between agents and Trend Micro confirmed C&C IP addresses option.
4. Select to log connections from all endpoints or only endpoints running specific operating systems.
5. Click Save.

Note: Service Pack 3 should be installed in order to have the C&C connection detection feature.

Enable Smart Feedback

The Trend Micro Smart Protection Network provides a feedback mechanism to minimize the effort of harvesting, analyzing and resolving threats. It not only helps increase the detection rate but also provides a quick real-world scenario. It also helps ensure that customers get the latest protection in the shortest possible time.

To configure Smart Feedback, please do the following:

1. On the OSCE Server, log in to the Management Console.
2. On the left pane menu, click Smart Protection > Smart Feedback.
3. Check the Enable Trend Micro Smart Feedback option box.
4. Click Save.

Enable Behavior Monitoring

OfficeScan constantly monitors computers (or endpoints) for unusual modifications to the operating system or to installed software. Administrators (or users) can create exception lists that allow certain programs to start despite violating a monitored change, or that completely block certain programs. In addition, programs that have a valid digital signature or have been certified are always allowed to start. To configure Behavior Monitoring's Malware Blocking feature, please do the following:

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management > Settings > Behavior Monitoring Settings.
3. Check Enable Malware Behavior Blocking.
4. Click Save.

Behavior Monitoring works in conjunction with Web Reputation Services to verify the prevalence of files downloaded through HTTP channels or email applications. After detecting a newly encountered file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or the historical age of the file, as determined by the Smart Protection Network. To enable the Behavior Monitoring feature to monitor these "newly encountered" files, do the following:

1. On the OSCE Server, go to Networked Computers > Global Client Settings.
2. Under Behavior Monitoring Settings, check Prompt users before executing newly encountered programs downloaded…
3. Click Save at the bottom.

Note: Service Pack 3 should be installed in order to have Behavior Monitoring's "newly encountered" files detection feature.

Configure Global Client Settings

These are advanced settings that apply to all the OfficeScan clients on your network. To configure Global Client Settings, please do the following:

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Global Client Settings.
3. Enable OfficeScan Service Restart.
   3.1 Automatically restart an OfficeScan client service if the service terminates unexpectedly
4. Click Save.

Configure Client Self-protection

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Privileges and Other Settings.
5. Click the Other Settings tab.
6. Enable all Client Self-protection options.
   6.1 Protect OfficeScan client services
   6.2 Protect files in the OfficeScan client installation folder
   6.3 Protect OfficeScan client registry keys
   6.4 Protect OfficeScan client processes
7. Click Save.

Configure Device Control

One of the new features of OfficeScan 10.x is Device Control, which regulates access to external storage devices and network resources connected to computers. Device Control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks. By default, the Device Control feature is enabled but ALL devices have FULL ACCESS. The Block AutoRun function on USB devices is also enabled.

1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Device Control Settings.
5. Check Enable Device Control for both External and Internal Clients.
6. Enable Block the Autorun function on USB storage devices.

Permissions for Storage and Non-Storage Devices

- Allow access to USB storage devices, CD/DVD, floppy disks and network drives. You can grant full access to these devices or limit the level of access. Limiting the level of access brings up "Program lists", which allow programs on storage devices to have Modify, Read and execute, Read, List device content only, and Block permissions.
- Configure the list of approved USB storage devices. Device Control allows you to block access to all USB storage devices except those that have been added to the list of approved devices. You can grant full access to the approved devices or limit the level of access.
- Use default permission for Non-Storage Devices. You can only allow or block access to non-storage devices. There are no granular or advanced permissions for these devices.

Configure the settings according to your preference.

Enhanced GeneriClean Technology

There are instances wherein registry remnants are left after a Trend Micro product has cleaned or quarantined a file. There is also a possibility that the malware payload can modify local security policies of the machine that restrict certain functionalities (i.e. Task Manager). GeneriClean has the capability to restore system policy, and this has been implemented via the use of the TSC.INI file. For more information on how to clean malware remnants and restore security policies, visit http://esupport.trendmicro.com/Pages/How-to-clean-malware-remnants-and-restore-policies-using-GeneriClean.aspx

Disabling Roaming Mode for Machines in the Network

Trend Micro recommends not enabling roaming mode for machines that are in the Local Area Network.

1. Log in to the OfficeScan Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Privileges and Other Settings.
5. On the Privileges tab, go to Roaming Privilege.
6. Uncheck the Enable roaming mode option if it is enabled for LAN machines. Otherwise, leave it as is.

Install Intrusion Defense Firewall (IDF) plug-in

Note: Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager. This requires a new activation code. Please contact sales to obtain a license.

Intrusion Defense Firewall is an advanced host-based intrusion defense system that brings proven network security approaches, including firewall and intrusion detection and prevention, down to individual networked computers and devices. In addition, it can also prevent a malware attack that exploits a vulnerability. More information can be found here.

1. Log in to the OfficeScan Management Console.
2. Click Plug-in Manager.
3. Under Intrusion Defense Firewall, click Download.

Install OfficeScan ToolBox plug-in

OfficeScan ToolBox manages, deploys, executes and consolidates logs for a variety of standalone Trend Micro tools.

1. Log in to the OfficeScan Management Console.
2. Click Plug-in Manager.
3. Under Trend Micro OfficeScan ToolBox, download and install the plug-in.
4. After installing the plug-in, click on Manage Program to access the OfficeScan ToolBox console.
5. Select which OfficeScan clients to deploy the ATTK package to, then click Deploy.
6. On the Deployment Settings window, the ATTK toolkit is already selected by default. Click Deploy.
7. A confirmation that the tool deployment is successful will appear. The ATTK package will be deployed on the client in a few minutes.
8. On the Logs tab, you will see that the ATTK deployment is being processed.
9. Once the deployment is finished, the Tool Deployment page will indicate that it is complete.
10. Go to the Logs tab, where the result will be Completed. You can download the file and send it to Trend Micro Technical Support for analysis.
11. You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis.

Using Security Compliance

Security Compliance allows you to detect client computers that do not have antivirus software installed within your network environment by scanning your Active Directory Scope and connecting to the port(s) used by the OfficeScan server(s) to communicate with the OfficeScan clients. Security Compliance can then install the OfficeScan client on unprotected computers.

1. Log in to the OfficeScan Management Console.
2. Click on "Security Compliance" > Outside Server Management.
3. In line with "Active Directory Scope", click on the "Define" button.
4. If you have more than one (1) OfficeScan server, click on the link for Specify Ports under "Advanced Setting", then click on the "Save" button.
5. Click on the "Save and re-assess" button.
6. You will be presented with the assessment result for the machines within your Active Directory Scope. You can then highlight the machines you wish and click on the "Install" button to deploy the OfficeScan client program to them.

Note:
- If you have more than one (1) OfficeScan server installed within your environment, you need to specify each communication port being used by OfficeScan clients to connect to their respective OfficeScan server.
- This feature can only validate machines with OfficeScan client software installed. If a machine is running another anti-virus program, the assessment will return a BLANK result for the machine names you have queried.

Disable System Restore

1. In Active Directory Users and Computers, navigate to Computer Configuration, Administrative Templates, System, System Restore.
2. Double-click Turn off System Restore, set it to Enabled, then click OK.
3. Close the policy and exit Active Directory Users and Computers.
4. The changes will take effect on the next policy refresh.

Disable Autorun

1. Click on Start, then Run.
2. Type in GPEDIT.MSC, then hit Enter.
3. Go to Local Computer Policy | Administrative Template | System.
4. On the right pane, double-click Turn off Autoplay.
5. When you are in the properties dialog box, click Enabled.
6. Choose All drives from the drop-down list underneath.
7. Click on OK.
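
To confirm on an endpoint that the two policies above actually took effect after the policy refresh, the registry values they write can be read back. The PowerShell below is an added example, not part of the original guide: the registry paths and value names (NoDriveTypeAutoRun, DisableSR) are not given on this page and are assumed from where these Group Policy settings are stored, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the "Turn off Autoplay" and
# "Turn off System Restore" policies on the local machine.
# Assumption: registry locations below are where these policies are stored.

$ExplorerPolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$SystemRestoreKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'

# NoDriveTypeAutoRun is a bitmask: a set bit turns Autorun OFF for that drive type.
# "All drives" in the policy dialog corresponds to all eight bits (0xFF).
$DriveTypeBits = [ordered]@{
    'Unknown type'      = 0x01
    'No root directory' = 0x02
    'Removable'         = 0x04
    'Fixed'             = 0x08
    'Network'           = 0x10
    'CD-ROM'            = 0x20
    'RAM disk'          = 0x40
    'Reserved'          = 0x80
}

function Get-PolicyValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name
    )
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-AutorunAllowedTypes {
    param([Parameter(Mandatory)][int]$Mask)
    # Drive types whose bit is clear can still trigger Autorun.
    foreach ($entry in $DriveTypeBits.GetEnumerator()) {
        if (($Mask -band $entry.Value) -eq 0) { $entry.Key }
    }
}

function Test-EndpointPolicy {
    $report = @()

    # Autorun: report both hives so a per-user setting is not overlooked.
    foreach ($key in $ExplorerPolicyKeys) {
        $mask = Get-PolicyValue -Path $key -Name 'NoDriveTypeAutoRun'
        if ($null -eq $mask) {
            $status = 'NotConfigured'
            $detail = 'NoDriveTypeAutoRun is absent'
        } elseif (($mask -band 0xFF) -eq 0xFF) {
            $status = 'Compliant'
            $detail = 'Autorun is off for all drive types'
        } else {
            $allowed = @(Get-AutorunAllowedTypes -Mask $mask) -join ', '
            $status = 'NonCompliant'
            $detail = ('mask 0x{0:X2}; Autorun still on for: {1}' -f $mask, $allowed)
        }
        $report += [pscustomobject]@{
            Setting  = 'Turn off Autoplay'
            Location = $key
            Status   = $status
            Detail   = $detail
        }
    }

    # System Restore: the policy is in force only when DisableSR equals 1.
    $disableSR = Get-PolicyValue -Path $SystemRestoreKey -Name 'DisableSR'
    if ($null -eq $disableSR) {
        $status = 'NotConfigured'
        $detail = 'DisableSR is absent'
    } elseif ($disableSR -eq 1) {
        $status = 'Compliant'
        $detail = 'System Restore is turned off by policy'
    } else {
        $status = 'NonCompliant'
        $detail = "DisableSR = $disableSR"
    }
    $report += [pscustomobject]@{
        Setting  = 'Turn off System Restore'
        Location = $SystemRestoreKey
        Status   = $status
        Detail   = $detail
    }

    return $report
}

Test-EndpointPolicy | Format-Table -AutoSize -Wrap
```

A NotConfigured result after a policy refresh usually means the GPO is not linked to, or is filtered away from, the computer being checked.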

Run Microsoft Baseline Security Analyzer once a month to check for unpatched PCs

1. Download the tool from the link below: http://www.microsoft.com/en-us/download/details.aspx?id=7558
2. See more information at the link below: http://technet.microsoft.com/en-au/security/cc184924.aspx

Educate users not to click on links they do not trust

Do not open suspicious links or files, especially from instant messengers, emails from unidentified users and pop-up windows.
125 Packer Quarantine 126 Probably VirusMalware Quarantine 127 Others Clean amp Quarantine
13 Back up files before cleaning 14 Damage Cleanup Services
141 Cleanup type Advanced cleanup 142 EnablegtRun cleanup when probable virusmalware is detected
15 SpywareGrayware gt Clean OfficeScan will terminate processes or delete registries files cookies and shortcuts
Configuring Real-time Scan Settings
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings gt Scan Settings gtgt Real-time Scan Settings 5 Enable virusmalware scan and Enable spywaregrayware scan 6 Configure the Target tab 7 User Activity on Files gt Scan files being createdmodified and retrieved 8 Files to Scan gt All Scannable files 9 Scan Settings gt
91 Scan network drive 92 Scan the boot sector of the USB storage device after plugging in 93 Scan compressed files 94 Scan OLE object
941 Detect exploit code in OLE files 10 VirusMalware Scan Settings Only gt Enable Intellitrap 11 Scan Exclusion Enable scan exclusion
111 Scan Exclusion list (Directories) 1111 Exclude directories where Trend Micro products are installed 1112 Retains client computerrsquos exclusion list
112 Scan Exclusion list (Files) 1121 Retains client computerrsquos exclusion list
12 Configure the Action tab 13 VirusMalware gt Use a specific action for each virusmalware type
131 Joke Quarantine 132 Trojan Quarantine 133 Virus Clean amp Quarantine 134 Test Virus Quarantine 135 Packer Quarantine 136 Probably VirusMalware Quarantine 137 Others Clean amp Quarantine
14 Back up files before cleaning 15 Damage Cleanup Services
151 EnablegtRun cleanup when probable virusmalware is detected
16 SpywareGrayware gt Clean OfficeScan will terminate processes or delete registries files cookies and shortcuts
Configuring Scheduled Scan Settings
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings gt Scan Settings gtgt Scheduled Scan Settings 5 Enable virusmalware scan and Enable spywaregrayware scan 6 Configure the Schedule to run at least once a week 7 Configure the Target tab 8 Files to Scan gt All Scannable files 9 Scan Settings gt
91 Scan compressed files 92 Scan OLE object
921 Detect exploit code in OLE files 10 VirusMalware Scan Settings Only gt Scan boot area 11 CPU Usage gt Medium pause slightly between file scans 12 Scan Exclusion Enable scan exclusion
121 Scan Exclusion list (Directories) 1211 Exclude directories where Trend Micro products are installed 1212 Retains client computerrsquos exclusion list
122 Scan Exclusion list (Files) 1221 Retains client computerrsquos exclusion list
13 Configure the Action tab 14 VirusMalware gt Use a specific action for each virusmalware type
141 Joke Quarantine 142 Trojan Quarantine 143 Virus Clean amp Quarantine 144 Test Virus Quarantine 145 Packer Quarantine 146 Probably VirusMalware Quarantine 147 Others Clean amp Quarantine
15 Back up files before cleaning 16 Damage Cleanup Services
161 Cleanup type Advanced cleanup 162 EnablegtRun cleanup when probable virusmalware is detected
17 SpywareGrayware gt Clean OfficeScan will terminate processes or delete registries files cookies and shortcuts
Configuring Scan Now Settings
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Scan Settings >> Scan Now Settings.
5. Enable virus/malware scan and Enable spyware/grayware scan.
6. Configure the Target tab.
7. Files to Scan > All Scannable files
8. Scan Settings
   8.1 Scan compressed files
   8.2 Scan OLE object
      8.2.1 Detect exploit code in OLE files
9. Virus/Malware Scan Settings Only > Scan boot area
10. Scan Exclusion: Enable scan exclusion
   10.1 Scan Exclusion list (Directories)
      10.1.1 Exclude directories where Trend Micro products are installed
      10.1.2 Retains client computer's exclusion list
   10.2 Scan Exclusion list (Files)
      10.2.1 Retains client computer's exclusion list
11. CPU Usage > Medium: pause slightly between file scans
12. Configure the Action tab.
13. Virus/Malware > Use a specific action for each virus/malware type
   13.1 Joke: Quarantine
   13.2 Trojan: Quarantine
   13.3 Virus: Clean & Quarantine
   13.4 Test Virus: Quarantine
   13.5 Packer: Quarantine
   13.6 Probable Virus/Malware: Quarantine
   13.7 Others: Clean & Quarantine
14. Back up files before cleaning
15. Damage Cleanup Services
   15.1 Cleanup type: Advanced cleanup
   15.2 Enable > Run cleanup when probable virus/malware is detected
16. Spyware/Grayware > Clean: OfficeScan will terminate processes or delete registries, files, cookies and shortcuts.
Summary
Real-time Scan Manual Scan Scheduled Scan Scan Now
Files to scan All Scannable All Scannable All Scannable All Scannable
Scan hidden folders
Scan network drive
Scan boot sector of USB storage
Scan compressed files
Scan OLE object
Detect exploit code in OLE files
Enable Intellitrap
Scan boot area
CPU usage Medium Medium Medium
Cleanup type for Damage Cleanup Services Advanced Cleanup Advanced Cleanup Advanced Cleanup
Run cleanup for probable virus
Clean action for detected Spyware
Enable Web Reputation
WRS allows OfficeScan to detect and block access to sites that harbor Web-based threats. When a client requests a URL, it first checks the "reputation score" of the URL by querying the Trend Micro reputation servers. Access to the URL is then allowed or denied depending on the score and the security level you configured. To configure WRS, please do the following:
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Web Reputation Settings.
5. For both External and Internal Clients, Enable Web Reputation Policy.
6. Enable Check HTTPS URLs.
7. Select the Medium security level for the policy.
8. Approved/Block URL list
   You may add the URLs of the Web sites you want to approve or block. By default, Trend Micro and Microsoft Web sites are included in the Approved list.
9. Select whether to Allow clients to send logs to the OfficeScan server. You can use this option to analyze URLs blocked by WRS.
10. Click Save.
Administrators can also configure OfficeScan to log all connections between clients and confirmed C&C IP addresses. These are the steps on how to do it:
1. Navigate to Networked Computers > Global Client Settings.
2. Go to the C&C Contact Alert Settings section.
3. Enable the "Log network connections between agents and Trend Micro confirmed C&C IP addresses" option.
4. Select to log connections from all endpoints or only endpoints running specific operating systems.
5. Click Save.
Note: Service Pack 3 should be installed in order to have the C&C connection detection feature.
Enable Smart Feedback
The Trend Micro Smart Protection Network provides a feedback mechanism to minimize the effort of threat harvesting, analysis and resolving. It not only helps increase the detection rate but also provides a quick real-world scenario. It also benefits customers by helping ensure they get the latest protection in the shortest possible time.
To configure Smart Feedback, please do the following:
1. On the OSCE Server, log in to the Management Console.
2. On the left pane menu, click Smart Protection > Smart Feedback.
3. Check the Enable Trend Micro Smart Feedback option box.
4. Click Save.
Enable Behavior Monitoring
OfficeScan constantly monitors computers (or endpoints) for unusual modifications to the operating system or to installed software. Administrators (or users) can create exception lists that allow certain programs to start despite violating a monitored change, or completely block certain programs. In addition, programs that have a valid digital signature or have been certified are always allowed to start. To configure Behavior Monitoring's Malware Blocking feature, please do the following:
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management > Settings > Behavior Monitoring Settings.
3. Check Enable Malware Behavior Blocking.
4. Click Save.
Behavior Monitoring works in conjunction with Web Reputation Services to verify the prevalence of files downloaded through HTTP channels or email applications. After detecting a newly encountered file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file, as determined by the Smart Protection Network. To enable the Behavior Monitoring feature to monitor these "newly encountered" files, do the following steps:
1. On the OSCE Server, go to Networked Computers > Global Client Settings.
2. Under Behavior Monitoring Settings, check "Prompt users before executing newly encountered programs downloaded…"
3. Click on Save down at the bottom.
Note: Service Pack 3 should be installed in order to have Behavior Monitoring's "newly encountered" files detection feature.
Configure Global Client Settings
Advanced settings that will apply to all the OfficeScan clients on your network. To configure Global Client Settings, please do the following:
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Global Client Settings.
3. Enable OfficeScan Service Restart
   3.1 Automatically restart an OfficeScan client service if the service terminates unexpectedly
4. Click Save.
Configure Client Self-protection
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Privileges and Other Settings.
5. Click the Other Settings tab.
6. Enable all Client Self-protection
   6.1 Protect OfficeScan client services
   6.2 Protect files in the OfficeScan client installation folder
   6.3 Protect OfficeScan client registry keys
   6.4 Protect OfficeScan client processes
7. Click Save.
Configure Device Control
One of the new features of OfficeScan 10.x is Device Control. It provides a control feature that regulates access to external storage devices and network resources connected to computers. Device Control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks. By default, the Device Control feature is enabled but ALL devices have FULL ACCESS. The Block AutoRun function on USB devices is also enabled.
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Device Control Settings.
5. Check Enable Device Control for both External and Internal Clients.
6. Enable Block the Autorun function on USB storage devices.
Permissions for Storage and Non-Storage Devices
Allow access to USB storage devices, CD/DVD, floppy disks and network drives. You can grant full access to these devices or limit the level of access. Limiting the level of access brings up "Program lists", which allows programs on storage devices to have Modify, Read and execute, Read, List device content only, and Block permissions.
Configure the list of approved USB storage devices. Device Control allows you to block access to all USB storage devices except those that have been added to the list of approved devices. You can grant full access to the approved devices or limit the level of access.
Use default permission for Non-Storage Devices. You can only allow or block access to non-storage devices. There are no granular or advanced permissions for these devices.
Configure the settings according to your preference.
Enhanced GeneriClean Technology
There are instances wherein registry remnants are left after a Trend Micro product has cleaned or quarantined a file. There is also a possibility that the malware payload can modify local security policies of the machine that restrict certain functionalities (i.e. Task Manager). GeneriClean has the capability to restore system policy, and this has been implemented via the use of the TSC.INI file. For more information on how to clean malware remnants and restore security policies, visit http://esupport.trendmicro.com/Pages/How-to-clean-malware-remnants-and-restore-policies-using-GeneriClean.aspx
Disabling Roaming Mode for Machines in the Network
Trend Micro recommends not to enable roaming mode for the machines that are in the Local Area Network.
1. Log in to the OfficeScan Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Privileges and Other Settings.
5. On the Privileges tab > Roaming Privilege
6. Uncheck the Enable roaming mode option if enabled for LAN machines. Otherwise, leave it as is.
Install Intrusion Defense Firewall (IDF) plug-in
Note: Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager. This requires a new activation code. Please contact sales to obtain a license.
Intrusion Defense Firewall is an advanced host-based intrusion defense system that brings proven network security approaches, including firewall and intrusion detection and prevention, down to individual networked computers and devices. In addition, it can also prevent a malware attack that exploits the vulnerability. More information can be found here.
1. Log in to the OfficeScan Management Console.
2. Click Plug-in Manager.
3. Under Intrusion Defense Firewall, click Download.
Install OfficeScan ToolBox plug-in
OfficeScan Toolbox manages, deploys, executes and consolidates logs for a variety of standalone Trend Micro tools.
1. Log in to the OfficeScan Management Console.
2. Click Plug-in Manager.
3. Under Trend Micro OfficeScan ToolBox, download and install the plug-in.
4. After installing the plug-in, click on Manage Program to access the OfficeScan ToolBox console.
5. Select which OfficeScan clients to deploy the ATTK package to, then click Deploy.
6. On the Deployment Settings window, the ATTK toolkit is already selected by default. Click Deploy.
7. A confirmation that the tool deployment is successful will appear. The ATTK package will be deployed on the client in a few minutes.
8. On the Logs tab, you will see that the ATTK deployment is being processed.
9. Once the deployment is finished, it will indicate on the Tool Deployment page that it is complete.
10. Go to the Logs tab and the result would be Completed. You can download the file and send it to Trend Micro Technical Support for analysis.
11. You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis.
Using the Security Compliance
Security Compliance allows you to detect client computers that do not have antivirus software installed within your network environment by scanning your Active Directory Scope and connecting to port(s) used by OfficeScan server(s) to communicate with the OfficeScan clients. Security Compliance can then install the OfficeScan client on unprotected computers.
1. Log in to the OfficeScan Management Console.
2. Click on "Security Compliance" > Outside Server Management.
3. In line with "Active Directory Scope", click on the "Define" button.
4. If you have more than one (1) OfficeScan server, click on the link for Specify Ports under "Advanced Setting", then click on the "Save" button.
5. Click on the "Save and re-assess" button.
6. You will be presented with the assessment result for the machines within your Active Directory Scope. You can then highlight the machines you wish and click on the "Install" button to deploy the OfficeScan client program to them.
Note:
If you have more than one (1) OfficeScan server installed within your environment, you need to specify each communication port being used by OfficeScan clients to connect to their respective OfficeScan server.
This feature can only validate machines with OfficeScan client software installed. If a machine is running another anti-virus program, the assessment will return a BLANK result for the machine names you have queried.
Disable System Restore
1. In Active Directory Users and Computers, navigate to Computer Configuration | Administrative Templates | System | System Restore.
2. Double-click Turn off System Restore, set it to Enabled, then click OK.
3. Close the policy and exit Active Directory Users and Computers.
4. The changes will take effect on the next policy refresh.
Disable Autorun
1. Click on Start, then Run.
2. Type in GPEDIT.MSC, then hit Enter.
3. Go to Local Computer Policy | Administrative Template | System.
4. On the right pane, double-click Turn off Autoplay.
5. When you are in the properties dialog box, click Enabled.
6. Choose All drives from the drop-down list underneath.
7. Click on OK.
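To confirm that the two policy settings above (Turn off System Restore, and Turn off Autoplay for All drives) actually reached an endpoint, the following added PowerShell check, which is not part of the original guide, reads the registry values that back those policies and lists any drive type that still honours Autorun. The registry paths and NoDriveTypeAutoRun bit meanings are the standard Windows ones; the function names are illustrative.

```powershell
# Added example (not from the original guide): local audit of the two policies.
# Assumption: the policies are delivered through Administrative Templates, which
# write the machine-wide registry values read below.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RestorePolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'

# NoDriveTypeAutoRun is a bitmask: a SET bit disables Autorun for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown type'      = 0x01
    'Removable'         = 0x04
    'Fixed'             = 0x08
    'Network'           = 0x10
    'CD-ROM'            = 0x20
    'RAM disk'          = 0x40
    'Unknown type (2)'  = 0x80
}

function Get-PolicyValue {
    # Hypothetical helper: returns $null when the key or value is absent,
    # which means the policy is "Not Configured" on this machine.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $value = $item.$Name
    # Older systems may store the mask as REG_BINARY; only the low byte matters.
    if ($value -is [byte[]]) { return [int]$value[0] }
    return [int]$value
}

function Get-AutorunExposure {
    # Hypothetical helper: names of drive types whose bit is CLEAR in the mask,
    # i.e. drive types on which autorun.inf is still processed.
    param([int]$Mask)
    foreach ($entry in $DriveTypeBits.GetEnumerator()) {
        if (($Mask -band $entry.Value) -eq 0) { $entry.Key }
    }
}

$report = @()

# "Turn off Autoplay" > Enabled > All drives should yield a mask of 0xFF.
$mask = Get-PolicyValue -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun'
if ($null -eq $mask) {
    $ok = $false
    $detail = 'NoDriveTypeAutoRun not set (policy not applied)'
} else {
    $exposed = @(Get-AutorunExposure -Mask $mask)
    $ok = ($exposed.Count -eq 0)
    $detail = 'mask 0x{0:X2}' -f $mask
    if (-not $ok) { $detail += '; Autorun still active for: ' + ($exposed -join ', ') }
}
$report += [pscustomobject]@{ Setting = 'Turn off Autoplay (All drives)'; Compliant = $ok; Detail = $detail }

# "Turn off System Restore" > Enabled should yield DisableSR = 1.
$disableSr = Get-PolicyValue -Path $RestorePolicy -Name 'DisableSR'
if ($null -eq $disableSr) {
    $ok = $false
    $detail = 'DisableSR not set (policy not applied)'
} else {
    $ok = ($disableSr -eq 1)
    $detail = "DisableSR = $disableSr"
}
$report += [pscustomobject]@{ Setting = 'Turn off System Restore'; Compliant = $ok; Detail = $detail }

$report | Format-Table -AutoSize -Wrap
```

A mask such as 0x91 reports Removable, Fixed, CD-ROM and RAM disk as still exposed, which is the case the "All drives" choice in step 6 is meant to close.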
Run Microsoft Baseline Security Analyzer once a month to check for unpatched PCs
1. Download the tool on the link below:
   http://www.microsoft.com/en-us/download/details.aspx?id=7558
2. See more information on the link below:
   http://technet.microsoft.com/en-au/security/cc184924.aspx
Educate users not to click on links they do not trust
Do not open suspicious links or files, especially from instant messengers, emails from unidentified users and from pop-up windows.
16 SpywareGrayware gt Clean OfficeScan will terminate processes or delete registries files cookies and shortcuts
Configuring Scheduled Scan Settings
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings gt Scan Settings gtgt Scheduled Scan Settings 5 Enable virusmalware scan and Enable spywaregrayware scan 6 Configure the Schedule to run at least once a week 7 Configure the Target tab 8 Files to Scan gt All Scannable files 9 Scan Settings gt
91 Scan compressed files 92 Scan OLE object
921 Detect exploit code in OLE files 10 VirusMalware Scan Settings Only gt Scan boot area 11 CPU Usage gt Medium pause slightly between file scans 12 Scan Exclusion Enable scan exclusion
121 Scan Exclusion list (Directories) 1211 Exclude directories where Trend Micro products are installed 1212 Retains client computerrsquos exclusion list
122 Scan Exclusion list (Files) 1221 Retains client computerrsquos exclusion list
13 Configure the Action tab 14 VirusMalware gt Use a specific action for each virusmalware type
141 Joke Quarantine 142 Trojan Quarantine 143 Virus Clean amp Quarantine 144 Test Virus Quarantine 145 Packer Quarantine 146 Probably VirusMalware Quarantine 147 Others Clean amp Quarantine
15 Back up files before cleaning 16 Damage Cleanup Services
161 Cleanup type Advanced cleanup 162 EnablegtRun cleanup when probable virusmalware is detected
17 SpywareGrayware gt Clean OfficeScan will terminate processes or delete registries files cookies and shortcuts
Configuring Scan Now Settings
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings gt Scan Settings gtgt Scan Now Settings 5 Enable virusmalware scan and Enable spywaregrayware scan 6 Configure the Target tab 7 Files to Scan gt All Scannable files 8 Scan Settings
81 Scan compressed files 82 Scan OLE object
821 Detect exploit code in OLE files 9 Virus Malware Scan Settings Only gt Scan boot area 10 Scan Exclusion Enable scan exclusion
101 Scan Exclusion list (Directories) 1011 Exclude directories where Trend Micro products are installed 1012 Retains client computerrsquos exclusion list
102 Scan Exclusion list (Files) 1021 Retains client computerrsquos exclusion list
11 CPU Usage gt Medium pause slightly between file scans 12 Configure the Action tab 13 VirusMalware gt Use a specific action for each virusmalware type
131 Joke Quarantine 132 Trojan Quarantine 133 Virus Clean amp Quarantine 134 Test Virus Quarantine 135 Packer Quarantine 136 Probably VirusMalware Quarantine 137 Others Clean amp Quarantine
14 Back up files before cleaning 15 Damage Cleanup Services
151 Cleanup type Advanced cleanup 152 EnablegtRun cleanup when probable virusmalware is detected
16 SpywareGrayware gt Clean OfficeScan will terminate processes or delete registries files cookiesand shortcuts
Summary
Real-time Scan Manual Scan Scheduled Scan Scan Now
Files to scan All Scannable All Scannable All Scannable All Scannable
Scan hidden folders
Scan network drive
Scan boot sector of USB storage
Scan compressed files
Scan OLE object
Detect exploit code in OLE files
Enable Intellitrap
Scan boot area
CPU usage Medium Medium Medium
Cleanup type for Damage Cleanup Services Advanced Cleanup Advanced Cleanup Advanced Cleanup
Run cleanup for probable virus
Clean action for detected Spyware
Enable Web Reputation WRS allows OfficeScan to detect and block access to sites that harbor Web-based threats When a client requests a URL it first checks the ldquoreputation scorerdquo of the URL by querying the Trend Micro reputation servers Access to the URL is then allowed or denied depending on the score and the security level you configured To configure WRS please do the following
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings and select Web Reputation Settings 5 For both External and Internal Clients Enable Web Reputation Policy 6 Enable Check HTTPS URLs 7 Select the Medium security level for the policy 8 ApprovedBlock URL list
You may add the URLs of the Web sites you want to approve or blockBy default Trend Micro and Microsoft Web sites are included in the Approved list
9 Select whether to Allow clients to send logs to the OfficeScan server You can use this option to analyze URLs blocked by WRS
10 Click Save
Administrators can also configure OfficeScan to log all connections between clients and confirmed CampC IP addresses These are the steps on how to do it
1 Navigate to Networked Computers gt Global Client Settings 2 Go to the CampC Contact Alert Settings section 3 Enable the Log network connections between agents and Trend Micro confirmed CampC IP
addresses option 4 Select to log connections from all endpoints or only endpoints running specific operating
systems 5 Click Save
Note Service Pack 3 should be installed in order to have the CampC connection detection feature
Enable Smart Feedback The Trend Micro Smart Protection Network provides a feedback mechanism to minimize the effort of threats harvesting analysis and resolving It not only helps increase the detection rate but also provides a quick real-world scenario It also benefits customers to help ensure they get the latest protection in the shortest possible time
To configure Smart Feedback please do the following
1 On the OSCE Server login to the Management Console 2 On the left pane menu click Smart Protection gt Smart Feedback 3 Check Enable Trend Micro Smart Feedback option box 4 Click Save
Enable Behavior Monitoring OfficeScan constantly monitors computers (or endpoints) for unusual modifications to the operating system or on installed software Administrators (or users) can create exception lists that allow certain programs to start despite violating a monitored change or completely block certain programs In addition programs with a valid digital signature or have been certified are always allowed to start To configure Behavior Monitoringrsquos Malware Blocking feature please do the following
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management gt Settings gt Behavior Monitoring Settings 3 Check Enable Malware Behavior Blocking 4 Click Save
Behavior Monitoring works in conjunction with Web Reputation Services to verify the prevalence of files downloaded through HTTP channels or email applications After detecting a newly encountered file administrators can choose to prompt users before executing the file Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network To enable the Behavior Monitoring feature to monitor these ldquonewly encounteredrdquo files do the following steps
1 On the OSCE Server go to Networked Computers gt Global Client Settings 2 Under Behavior Monitoring Settings check Prompt users before executing newly encountered
programs downloadedhellip 3 Click on Save down at the bottom
Note Service Pack 3 should be installed in order to have Behavior Monitoringrsquos ldquonewly encounteredrdquo files detection feature
Configure Global Client Settings Advance settings that will apply to all the Officescan clients on your network To configure Global Client Settings please do the following
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Global Client Settings 3 Enable Officescan Service Restart
31 Automatically restart an Officescan client service if the service terminates unexpectedly 4 Click Save
Configure Client Self-protection
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings and select Privileges and Other Settings 5 Click Other Settings tab 6 Enable all Client Self-protection
61 Protect OfficeScan client services 62 Protect files in the OfficeScan client installation folder 63 Protect OfficeScan client registry keys 64 Protect OfficeScan client processes
7 Click Save
Configure Device Control One of the new features of OfficeScan 10x is the Device Control It provides control feature that regulates access to external storage devices and network resources connected to computers Device control helps prevent data loss and leakage and combined with file scanning helps guard against securitry risks By default Device Control feature is enabled but ALL devices have FULL ACCESS Block AutoRun functions on USB devices are also enabled
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to
4 Click on Settings and select Device Control Settings 5 Check Enable Device Control for both External and Internal Clients 6 Enable Block the Autorun function on USB storage devices
Permissions for Storage and Non-Storage Devices
Allow access to USB storage devices CDDVD floppy disks and network drives You can grant full access to these devices or limit the level of access Limiting the level of access brings up ldquoProgram listsrdquo which allows programs on storage devices to have modify read and execute read List device content only and Block permissions
Configure the list of approved USB storage devices Device Control allows you to block access to all USB storage devices except those that have been added to the list of approved devices You can grant full access to the approved devices or limit the level of access
Use default permission for Non-Storage Devices You can only allow or block access to non-storage devices There are no granular or advanced permissions for these devices
Configure the settings according to your preference
Enhanced GeneriClean Technology There are instances wherein registry remnants are left after a Trend Micro product has cleaned or quarantined a file There is also a possibility that the malware payload can modify local security policies
of the machine that restrict certain functionalities (ie Task Manager) GeneriClean has the capability to restore system policy and this has been implemented via the use of TSCINI file For more information on how to clean malware remnants and restore security policies visit httpesupporttrendmicrocomPagesHow-to-clean-malware-remnants-and-restore-policies-using-GeneriCleanaspx
Disabling Roaming Mode for Machines in the Network Trend Micro recommends not to enable roaming mode for the machines that are in the Local Area Network
1 Login to the OfficeScan Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings gt Privileges and Other Settings 5 On the Privileges tab gtRoaming Privilege 6 Uncheck Enable roaming mode option if enabled for LAN machines Otherwise leave it as is
Install Intrusion Defense Firewall (IDF) plug-in Note Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager This requires a new activation code Please contact sales to obtain a license
Intrusion Defense Firewall is an advanced host-based intrusion defense system that brings proven network security approaches including firewall and intrusion detection and prevention down to individual networked computers and devices In addition it can also prevent a malware attack that exploits the vulnerability More information can be found here
1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Intrusion Defense Firewall click Download
Install OfficeScan ToolBox plug-in OfficeScan Toolbox manages deploys executes and consolidates logs for a variety of standalone Trend Micro tools 1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Trend Micro OfficeScan ToolBox download and install the plug-in
1 4 After installing the plug-in click on Manage Program to access the OfficeScan ToolBox console 2 5 Select which OfficeScan clients to deploy the ATTK package then click Deploy
3 6 On the Deployment Settings window the ATTK toolkit is already selected by default Click Deploy
4 7 A confirmation that the tool deployment is successful will appear The ATTK package will be deployed on the client in a few minutes
8 On the Logs tab you will see that the ATTK deployment is being processed
9 Once the deployment is finished it will indicate on the Tool Deployment page that it is complete
5 10 Go to the Logs tab and the result would be Completed You can download the file and send it to Trend Micro Technical Support for analysis
11 You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis
Using the Security Compliance Security Compliance allows you to detect client computers that do not have antivirus software installed within your network environment by scanning your Active Directory Scope and connecting to port(s) used by OfficeScan server(s) to communicate with the OfficeScan clients Security Compliance can then install the OfficeScan client on unprotected computers
1 Login to the OfficeScan Management Console 2 Click on ldquoSecurity Compliancerdquo gt Outside Server Management 3 Inline with ldquoActive Directory Scoperdquo click on ldquoDefinerdquo button 4 If you have more than one (1) OfficeScan server click on the link for Specify Ports under 1 ldquoAdvanced Settingrdquo then click on ldquoSaverdquo button 5 Click on ldquoSave and re-assessrdquo button 6 You will be presented with the assessment result for the machines within your Active Directory
Scope You can then highlight the machines you wish and click on ldquoInstallrdquo button to deploy OfficeScan client program to them
Note
If you have more than one (1) OfficeScan servers installed within your environment you need to specify each communication port being used by Officescan clients to connect to their respective OfficeScan server
This feature can only validate machines with OfficeScan client software installed If a machine is running other anti-virus program assessment will return a BLANK result for the machine names you have queried
Disable System Restore
1 In Active Directory Users and Computers navigate to Computer Configuration Administrative 1 Templates System System Restore 2 Double-click Turn off System Restore set it to Enabled then click OK 3 Close the policy and exit Active Directory Users and Computers 4 The changes will take effect on the next policy refresh
Disable Autorun
1 Click on Start then Run 2 Type in GPEDITMSC then hit Enter 3 Go to Local Computer Policy | Administrative Template | System 4 On the right pane double-click Turn off Autoplay 5 When you are in the properties dialog box click enabled 6 Choose All drives from the drop-down list underneath 7 Click on OK
Run Microsoft Baseline Security Analyzer once a month to check for Unpatched PC
1 Download the tool on the link below httpwwwmicrosoftcomen-usdownloaddetailsaspxid=7558
2 See more information on the link below httptechnetmicrosoftcomen-ausecuritycc184924aspx
Educate users not to click on links they do not trust Do not open suspicious links or files especially from instant messengers emails from unidentified users and from pop-up windows
Configuring Scan Now Settings
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings gt Scan Settings gtgt Scan Now Settings 5 Enable virusmalware scan and Enable spywaregrayware scan 6 Configure the Target tab 7 Files to Scan gt All Scannable files 8 Scan Settings
81 Scan compressed files 82 Scan OLE object
821 Detect exploit code in OLE files 9 Virus Malware Scan Settings Only gt Scan boot area 10 Scan Exclusion Enable scan exclusion
101 Scan Exclusion list (Directories) 1011 Exclude directories where Trend Micro products are installed 1012 Retains client computerrsquos exclusion list
102 Scan Exclusion list (Files) 1021 Retains client computerrsquos exclusion list
11 CPU Usage gt Medium pause slightly between file scans 12 Configure the Action tab 13 VirusMalware gt Use a specific action for each virusmalware type
131 Joke Quarantine 132 Trojan Quarantine 133 Virus Clean amp Quarantine 134 Test Virus Quarantine 135 Packer Quarantine 136 Probably VirusMalware Quarantine 137 Others Clean amp Quarantine
14 Back up files before cleaning 15 Damage Cleanup Services
151 Cleanup type Advanced cleanup 152 EnablegtRun cleanup when probable virusmalware is detected
16 SpywareGrayware gt Clean OfficeScan will terminate processes or delete registries files cookiesand shortcuts
Summary
Real-time Scan Manual Scan Scheduled Scan Scan Now
Files to scan All Scannable All Scannable All Scannable All Scannable
Scan hidden folders
Scan network drive
Scan boot sector of USB storage
Scan compressed files
Scan OLE object
Detect exploit code in OLE files
Enable Intellitrap
Scan boot area
CPU usage Medium Medium Medium
Cleanup type for Damage Cleanup Services Advanced Cleanup Advanced Cleanup Advanced Cleanup
Run cleanup for probable virus
Clean action for detected Spyware
Enable Web Reputation WRS allows OfficeScan to detect and block access to sites that harbor Web-based threats When a client requests a URL it first checks the ldquoreputation scorerdquo of the URL by querying the Trend Micro reputation servers Access to the URL is then allowed or denied depending on the score and the security level you configured To configure WRS please do the following
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings and select Web Reputation Settings 5 For both External and Internal Clients Enable Web Reputation Policy 6 Enable Check HTTPS URLs 7 Select the Medium security level for the policy 8 ApprovedBlock URL list
You may add the URLs of the Web sites you want to approve or blockBy default Trend Micro and Microsoft Web sites are included in the Approved list
9 Select whether to Allow clients to send logs to the OfficeScan server You can use this option to analyze URLs blocked by WRS
10 Click Save
Administrators can also configure OfficeScan to log all connections between clients and confirmed C&C IP addresses. These are the steps to do it:
1. Navigate to Networked Computers > Global Client Settings.
2. Go to the C&C Contact Alert Settings section.
3. Enable the "Log network connections between agents and Trend Micro confirmed C&C IP addresses" option.
4. Select to log connections from all endpoints or only endpoints running specific operating systems.
5. Click Save.
Note: Service Pack 3 should be installed in order to have the C&C connection detection feature.
Enable Smart Feedback
The Trend Micro Smart Protection Network provides a feedback mechanism to minimize the effort of harvesting, analyzing, and resolving threats. It not only helps increase the detection rate but also provides a quick real-world scenario. It also benefits customers by helping ensure they get the latest protection in the shortest possible time.
To configure Smart Feedback, please do the following:
1. On the OSCE Server, log in to the Management Console.
2. On the left pane menu, click Smart Protection > Smart Feedback.
3. Check the Enable Trend Micro Smart Feedback option box.
4. Click Save.
Enable Behavior Monitoring
OfficeScan constantly monitors computers (or endpoints) for unusual modifications to the operating system or to installed software. Administrators (or users) can create exception lists that allow certain programs to start despite violating a monitored change, or completely block certain programs. In addition, programs that have a valid digital signature or have been certified are always allowed to start. To configure Behavior Monitoring's Malware Blocking feature, please do the following:
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management > Settings > Behavior Monitoring Settings.
3. Check Enable Malware Behavior Blocking.
4. Click Save.
Behavior Monitoring works in conjunction with Web Reputation Services to verify the prevalence of files downloaded through HTTP channels or email applications. After detecting a newly encountered file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network. To enable the Behavior Monitoring feature to monitor these "newly encountered" files, do the following steps:
1. On the OSCE Server, go to Networked Computers > Global Client Settings.
2. Under Behavior Monitoring Settings, check Prompt users before executing newly encountered programs downloaded…
3. Click on Save at the bottom.
Note: Service Pack 3 should be installed in order to have Behavior Monitoring's "newly encountered" files detection feature.
Configure Global Client Settings
These are advanced settings that apply to all the OfficeScan clients on your network. To configure Global Client Settings, please do the following:
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Global Client Settings.
3. Enable OfficeScan Service Restart.
    3.1 Automatically restart an OfficeScan client service if the service terminates unexpectedly.
4. Click Save.
Configure Client Self-protection
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Privileges and Other Settings.
5. Click the Other Settings tab.
6. Enable all Client Self-protection options:
    6.1 Protect OfficeScan client services
    6.2 Protect files in the OfficeScan client installation folder
    6.3 Protect OfficeScan client registry keys
    6.4 Protect OfficeScan client processes
7. Click Save.
Configure Device Control
One of the new features of OfficeScan 10.x is Device Control. It provides a control feature that regulates access to external storage devices and network resources connected to computers. Device Control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks. By default, the Device Control feature is enabled but ALL devices have FULL ACCESS. The Block AutoRun function on USB devices is also enabled.
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Device Control Settings.
5. Check Enable Device Control for both External and Internal Clients.
6. Enable Block the Autorun function on USB storage devices.
Permissions for Storage and Non-Storage Devices
Allow access to USB storage devices, CD/DVD, floppy disks, and network drives: You can grant full access to these devices or limit the level of access. Limiting the level of access brings up "Program lists", which allows programs on storage devices to have Modify, Read and execute, Read, List device content only, and Block permissions.
Configure the list of approved USB storage devices: Device Control allows you to block access to all USB storage devices except those that have been added to the list of approved devices. You can grant full access to the approved devices or limit the level of access.
Use default permission for Non-Storage Devices: You can only allow or block access to non-storage devices. There are no granular or advanced permissions for these devices.
Configure the settings according to your preference.
Enhanced GeneriClean Technology
There are instances wherein registry remnants are left after a Trend Micro product has cleaned or quarantined a file. There is also a possibility that the malware payload can modify local security policies of the machine that restrict certain functionalities (i.e. Task Manager). GeneriClean has the capability to restore system policy, and this has been implemented via the use of the TSC.INI file. For more information on how to clean malware remnants and restore security policies, visit http://esupport.trendmicro.com/Pages/How-to-clean-malware-remnants-and-restore-policies-using-GeneriClean.aspx
Disabling Roaming Mode for Machines in the Network
Trend Micro recommends not enabling roaming mode for the machines that are in the Local Area Network.
1. Log in to the OfficeScan Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings > Privileges and Other Settings.
5. On the Privileges tab, go to Roaming Privilege.
6. Uncheck the Enable roaming mode option if it is enabled for LAN machines. Otherwise, leave it as is.
Install Intrusion Defense Firewall (IDF) plug-in
Note: Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager. This requires a new activation code. Please contact sales to obtain a license.
Intrusion Defense Firewall is an advanced host-based intrusion defense system that brings proven network security approaches, including firewall and intrusion detection and prevention, down to individual networked computers and devices. In addition, it can also prevent a malware attack that exploits a vulnerability. More information can be found here.
1. Log in to the OfficeScan Management Console.
2. Click Plug-in Manager.
3. Under Intrusion Defense Firewall, click Download.
Install OfficeScan ToolBox plug-in
OfficeScan Toolbox manages, deploys, executes, and consolidates logs for a variety of standalone Trend Micro tools.
1. Log in to the OfficeScan Management Console.
2. Click Plug-in Manager.
3. Under Trend Micro OfficeScan ToolBox, download and install the plug-in.
4. After installing the plug-in, click on Manage Program to access the OfficeScan ToolBox console.
5. Select which OfficeScan clients to deploy the ATTK package to, then click Deploy.
6. On the Deployment Settings window, the ATTK toolkit is already selected by default. Click Deploy.
7. A confirmation that the tool deployment is successful will appear. The ATTK package will be deployed on the client in a few minutes.
8. On the Logs tab, you will see that the ATTK deployment is being processed.
9. Once the deployment is finished, it will indicate on the Tool Deployment page that it is complete.
10. Go to the Logs tab and the result would be Completed. You can download the file and send it to Trend Micro Technical Support for analysis.
11. You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis.
Using the Security Compliance
Security Compliance allows you to detect client computers that do not have antivirus software installed within your network environment by scanning your Active Directory Scope and connecting to the port(s) used by OfficeScan server(s) to communicate with the OfficeScan clients. Security Compliance can then install the OfficeScan client on unprotected computers.
1. Log in to the OfficeScan Management Console.
2. Click on "Security Compliance" > Outside Server Management.
3. In line with "Active Directory Scope", click on the "Define" button.
4. If you have more than one (1) OfficeScan server, click on the link for Specify Ports under "Advanced Setting", then click on the "Save" button.
5. Click on the "Save and re-assess" button.
6. You will be presented with the assessment result for the machines within your Active Directory Scope. You can then highlight the machines you wish and click on the "Install" button to deploy the OfficeScan client program to them.
Note:
If you have more than one (1) OfficeScan server installed within your environment, you need to specify each communication port being used by OfficeScan clients to connect to their respective OfficeScan server.
This feature can only validate machines with OfficeScan client software installed. If a machine is running another anti-virus program, the assessment will return a BLANK result for the machine names you have queried.
Disable System Restore
1. In Active Directory Users and Computers, navigate to Computer Configuration > Administrative Templates > System > System Restore.
2. Double-click Turn off System Restore, set it to Enabled, then click OK.
3. Close the policy and exit Active Directory Users and Computers.
4. The changes will take effect on the next policy refresh.
Disable Autorun
1. Click on Start, then Run.
2. Type in GPEDIT.MSC, then hit Enter.
3. Go to Local Computer Policy | Administrative Template | System.
4. On the right pane, double-click Turn off Autoplay.
5. When you are in the properties dialog box, click Enabled.
6. Choose All drives from the drop-down list underneath.
7. Click on OK.
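
To confirm after a policy refresh that the two Group Policy settings above (Turn off System Restore, and Turn off Autoplay for All drives) actually reached an endpoint, the following PowerShell check reads the registry values those policies write. It is an added example, not part of the original guide; the registry paths and expected values are the standard Windows policy locations and assume both settings were applied under Computer Configuration.

```powershell
# Added example: local audit of the two Group Policy settings described above.
# Assumption: both policies were applied under Computer Configuration, so the
# values land in HKLM at the standard Windows policy locations listed here.
$PolicyChecks = @(
    @{
        Setting  = 'Turn off Autoplay = Enabled (All drives)'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Name     = 'NoDriveTypeAutoRun'
        Expected = 0xFF   # 255: Autoplay/Autorun disabled for every drive type
    },
    @{
        Setting  = 'Turn off System Restore = Enabled'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
        Name     = 'DisableSR'
        Expected = 1
    }
)

function Test-PolicyValue {
    param([Parameter(Mandatory = $true)][hashtable]$Check)

    # A missing key or value means the policy never reached this machine.
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.($Check.Name) }

    [pscustomobject]@{
        Setting   = $Check.Setting
        Expected  = $Check.Expected
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        Compliant = ($null -ne $actual) -and ([int]$actual -eq [int]$Check.Expected)
    }
}

function Get-HardeningPolicyStatus {
    # One result object per policy, so the output can be filtered or exported.
    foreach ($check in $PolicyChecks) { Test-PolicyValue -Check $check }
}

Get-HardeningPolicyStatus | Format-Table -AutoSize
```

A row showing `<not set>` means the policy has not been applied to that computer yet; a different numeric value for `NoDriveTypeAutoRun` means Autoplay is only disabled for some drive types.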
Run Microsoft Baseline Security Analyzer once a month to check for unpatched PCs
1. Download the tool from the link below: http://www.microsoft.com/en-us/download/details.aspx?id=7558
2. See more information at the link below: http://technet.microsoft.com/en-au/security/cc184924.aspx
Educate users not to click on links they do not trust
Do not open suspicious links or files, especially from instant messengers, emails from unidentified users, and pop-up windows.
Enable Web Reputation WRS allows OfficeScan to detect and block access to sites that harbor Web-based threats When a client requests a URL it first checks the ldquoreputation scorerdquo of the URL by querying the Trend Micro reputation servers Access to the URL is then allowed or denied depending on the score and the security level you configured To configure WRS please do the following
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings and select Web Reputation Settings 5 For both External and Internal Clients Enable Web Reputation Policy 6 Enable Check HTTPS URLs 7 Select the Medium security level for the policy 8 ApprovedBlock URL list
You may add the URLs of the Web sites you want to approve or blockBy default Trend Micro and Microsoft Web sites are included in the Approved list
9 Select whether to Allow clients to send logs to the OfficeScan server You can use this option to analyze URLs blocked by WRS
10 Click Save
Administrators can also configure OfficeScan to log all connections between clients and confirmed CampC IP addresses These are the steps on how to do it
1 Navigate to Networked Computers gt Global Client Settings 2 Go to the CampC Contact Alert Settings section 3 Enable the Log network connections between agents and Trend Micro confirmed CampC IP
addresses option 4 Select to log connections from all endpoints or only endpoints running specific operating
systems 5 Click Save
Note Service Pack 3 should be installed in order to have the CampC connection detection feature
Enable Smart Feedback The Trend Micro Smart Protection Network provides a feedback mechanism to minimize the effort of threats harvesting analysis and resolving It not only helps increase the detection rate but also provides a quick real-world scenario It also benefits customers to help ensure they get the latest protection in the shortest possible time
To configure Smart Feedback please do the following
1 On the OSCE Server login to the Management Console 2 On the left pane menu click Smart Protection gt Smart Feedback 3 Check Enable Trend Micro Smart Feedback option box 4 Click Save
Enable Behavior Monitoring OfficeScan constantly monitors computers (or endpoints) for unusual modifications to the operating system or on installed software Administrators (or users) can create exception lists that allow certain programs to start despite violating a monitored change or completely block certain programs In addition programs with a valid digital signature or have been certified are always allowed to start To configure Behavior Monitoringrsquos Malware Blocking feature please do the following
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management gt Settings gt Behavior Monitoring Settings 3 Check Enable Malware Behavior Blocking 4 Click Save
Behavior Monitoring works in conjunction with Web Reputation Services to verify the prevalence of files downloaded through HTTP channels or email applications After detecting a newly encountered file administrators can choose to prompt users before executing the file Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network To enable the Behavior Monitoring feature to monitor these ldquonewly encounteredrdquo files do the following steps
1 On the OSCE Server go to Networked Computers gt Global Client Settings 2 Under Behavior Monitoring Settings check Prompt users before executing newly encountered
programs downloadedhellip 3 Click on Save down at the bottom
Note Service Pack 3 should be installed in order to have Behavior Monitoringrsquos ldquonewly encounteredrdquo files detection feature
Configure Global Client Settings Advance settings that will apply to all the Officescan clients on your network To configure Global Client Settings please do the following
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Global Client Settings 3 Enable Officescan Service Restart
31 Automatically restart an Officescan client service if the service terminates unexpectedly 4 Click Save
Configure Client Self-protection
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings and select Privileges and Other Settings 5 Click Other Settings tab 6 Enable all Client Self-protection
61 Protect OfficeScan client services 62 Protect files in the OfficeScan client installation folder 63 Protect OfficeScan client registry keys 64 Protect OfficeScan client processes
7 Click Save
Configure Device Control One of the new features of OfficeScan 10x is the Device Control It provides control feature that regulates access to external storage devices and network resources connected to computers Device control helps prevent data loss and leakage and combined with file scanning helps guard against securitry risks By default Device Control feature is enabled but ALL devices have FULL ACCESS Block AutoRun functions on USB devices are also enabled
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to
4 Click on Settings and select Device Control Settings 5 Check Enable Device Control for both External and Internal Clients 6 Enable Block the Autorun function on USB storage devices
Permissions for Storage and Non-Storage Devices
Allow access to USB storage devices CDDVD floppy disks and network drives You can grant full access to these devices or limit the level of access Limiting the level of access brings up ldquoProgram listsrdquo which allows programs on storage devices to have modify read and execute read List device content only and Block permissions
Configure the list of approved USB storage devices Device Control allows you to block access to all USB storage devices except those that have been added to the list of approved devices You can grant full access to the approved devices or limit the level of access
Use default permission for Non-Storage Devices You can only allow or block access to non-storage devices There are no granular or advanced permissions for these devices
Configure the settings according to your preference
Enhanced GeneriClean Technology There are instances wherein registry remnants are left after a Trend Micro product has cleaned or quarantined a file There is also a possibility that the malware payload can modify local security policies
of the machine that restrict certain functionalities (ie Task Manager) GeneriClean has the capability to restore system policy and this has been implemented via the use of TSCINI file For more information on how to clean malware remnants and restore security policies visit httpesupporttrendmicrocomPagesHow-to-clean-malware-remnants-and-restore-policies-using-GeneriCleanaspx
Disabling Roaming Mode for Machines in the Network Trend Micro recommends not to enable roaming mode for the machines that are in the Local Area Network
1 Login to the OfficeScan Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings gt Privileges and Other Settings 5 On the Privileges tab gtRoaming Privilege 6 Uncheck Enable roaming mode option if enabled for LAN machines Otherwise leave it as is
Install Intrusion Defense Firewall (IDF) plug-in Note Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager This requires a new activation code Please contact sales to obtain a license
Intrusion Defense Firewall is an advanced host-based intrusion defense system that brings proven network security approaches including firewall and intrusion detection and prevention down to individual networked computers and devices In addition it can also prevent a malware attack that exploits the vulnerability More information can be found here
1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Intrusion Defense Firewall click Download
Install OfficeScan ToolBox plug-in
OfficeScan ToolBox manages, deploys, executes, and consolidates logs for a variety of standalone Trend Micro tools.
1. Log in to the OfficeScan Management Console.
2. Click Plug-in Manager.
3. Under Trend Micro OfficeScan ToolBox, download and install the plug-in.
4. After installing the plug-in, click on Manage Program to access the OfficeScan ToolBox console.
5. Select the OfficeScan clients to which the ATTK package should be deployed, then click Deploy.
6. On the Deployment Settings window, the ATTK toolkit is already selected by default. Click Deploy.
7. A confirmation that the tool deployment is successful will appear. The ATTK package will be deployed on the client in a few minutes.
8. On the Logs tab, you will see that the ATTK deployment is being processed.
9. Once the deployment is finished, the Tool Deployment page will indicate that it is complete.
10. Go to the Logs tab; the result will be Completed. You can download the file and send it to Trend Micro Technical Support for analysis.
11. You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis.
Using the Security Compliance
Security Compliance allows you to detect client computers that do not have antivirus software installed within your network environment by scanning your Active Directory Scope and connecting to the port(s) used by the OfficeScan server(s) to communicate with the OfficeScan clients. Security Compliance can then install the OfficeScan client on unprotected computers.
1. Log in to the OfficeScan Management Console.
2. Click on "Security Compliance" > Outside Server Management.
3. In line with "Active Directory Scope", click on the "Define" button.
4. If you have more than one (1) OfficeScan server, click on the link for Specify Ports under "Advanced Setting", then click on the "Save" button.
5. Click on the "Save and re-assess" button.
6. You will be presented with the assessment result for the machines within your Active Directory Scope. You can then highlight the machines you wish and click on the "Install" button to deploy the OfficeScan client program to them.
Note:
If you have more than one (1) OfficeScan server installed within your environment, you need to specify each communication port being used by OfficeScan clients to connect to their respective OfficeScan server.
This feature can only validate machines with OfficeScan client software installed. If a machine is running another anti-virus program, the assessment will return a BLANK result for the machine names you have queried.
Disable System Restore
1. In Active Directory Users and Computers, navigate to Computer Configuration > Administrative Templates > System > System Restore.
2. Double-click Turn off System Restore, set it to Enabled, then click OK.
3. Close the policy and exit Active Directory Users and Computers.
4. The changes will take effect on the next policy refresh.
Disable Autorun
1. Click on Start, then Run.
2. Type in GPEDIT.MSC, then hit Enter.
3. Go to Local Computer Policy | Administrative Template | System.
4. On the right pane, double-click Turn off Autoplay.
5. When you are in the properties dialog box, click Enabled.
6. Choose All drives from the drop-down list underneath.
7. Click on OK.
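To confirm that the Turn off System Restore and Turn off Autoplay policies have actually reached an endpoint, the following PowerShell check reads the registry values those policies write. It is an added example, not part of the original Trend Micro guide; the function names are hypothetical, and it assumes the policies are applied at computer level, with the per-user hive read only as a fallback for Autoplay.

```powershell
# Added example: audit the two Group Policy settings described above.
# Function names are hypothetical; the registry locations are the ones the
# "Turn off System Restore" and "Turn off Autoplay" policies write to.

function Get-PolicyValue {
    # Returns the first value found in the listed registry paths, or $null
    # when the policy is not configured in any of them.
    param(
        [string[]]$Path,
        [string]$Name
    )
    foreach ($p in $Path) {
        try {
            $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction Stop
            return $item.$Name
        } catch {
            continue   # key or value absent in this hive, try the next one
        }
    }
    return $null
}

function Test-HardeningPolicy {
    $checks = @(
        @{
            Setting  = 'Turn off System Restore'
            Path     = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore')
            Name     = 'DisableSR'
            Expected = 1      # 1 = policy Enabled
        },
        @{
            Setting  = 'Turn off Autoplay (All drives)'
            # Computer-level policy first, per-user policy as fallback.
            Path     = @(
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
            )
            Name     = 'NoDriveTypeAutoRun'
            Expected = 255    # 0xFF = all drive types
        }
    )

    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting   = $c.Setting
            Expected  = $c.Expected
            Actual    = if ($null -eq $actual) { 'not configured' } else { $actual }
            Compliant = ($null -ne $actual -and [int]$actual -eq $c.Expected)
        }
    }
}

# Run on the endpoint after the next policy refresh.
Test-HardeningPolicy | Format-Table -AutoSize
```

A NoDriveTypeAutoRun value other than 255 means Autoplay is turned off only for some drive types, so the row is reported as non-compliant.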
Run Microsoft Baseline Security Analyzer once a month to check for unpatched PCs
1. Download the tool from the link below: http://www.microsoft.com/en-us/download/details.aspx?id=7558
2. See more information at the link below: http://technet.microsoft.com/en-au/security/cc184924.aspx
Educate users not to click on links they do not trust
Do not open suspicious links or files, especially from instant messengers, emails from unidentified users, and pop-up windows.
Enable Smart Feedback
The Trend Micro Smart Protection Network provides a feedback mechanism to minimize the effort of threat harvesting, analysis, and resolution. It not only helps increase the detection rate but also provides a quick real-world scenario. It also helps ensure that customers get the latest protection in the shortest possible time.
To configure Smart Feedback, please do the following:
1. On the OSCE Server, log in to the Management Console.
2. On the left pane menu, click Smart Protection > Smart Feedback.
3. Check the Enable Trend Micro Smart Feedback option box.
4. Click Save.
Enable Behavior Monitoring
OfficeScan constantly monitors computers (or endpoints) for unusual modifications to the operating system or to installed software. Administrators (or users) can create exception lists that allow certain programs to start despite violating a monitored change, or that completely block certain programs. In addition, programs that have a valid digital signature or have been certified are always allowed to start.
To configure Behavior Monitoring's Malware Blocking feature, please do the following:
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management > Settings > Behavior Monitoring Settings.
3. Check Enable Malware Behavior Blocking.
4. Click Save.
Behavior Monitoring works in conjunction with Web Reputation Services to verify the prevalence of files downloaded through HTTP channels or email applications. After detecting a newly encountered file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or the historical age of the file, as determined by the Smart Protection Network.
To enable the Behavior Monitoring feature to monitor these "newly encountered" files, do the following steps:
1. On the OSCE Server, go to Networked Computers > Global Client Settings.
2. Under Behavior Monitoring Settings, check Prompt users before executing newly encountered programs downloaded…
3. Click on Save at the bottom.
Note: Service Pack 3 should be installed in order to have Behavior Monitoring's "newly encountered" files detection feature.
Configure Global Client Settings
Advanced settings that apply to all the OfficeScan clients on your network. To configure Global Client Settings, please do the following:
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Global Client Settings.
3. Enable OfficeScan Service Restart.
3.1 Automatically restart an OfficeScan client service if the service terminates unexpectedly
4. Click Save.
Configure Client Self-protection
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Privileges and Other Settings.
5. Click the Other Settings tab.
6. Enable all Client Self-protection options:
6.1 Protect OfficeScan client services
6.2 Protect files in the OfficeScan client installation folder
6.3 Protect OfficeScan client registry keys
6.4 Protect OfficeScan client processes
7. Click Save.
Configure Device Control
One of the new features of OfficeScan 10.x is Device Control. It regulates access to external storage devices and network resources connected to computers. Device Control helps prevent data loss and leakage and, combined with file scanning, helps guard against security risks. By default, the Device Control feature is enabled but ALL devices have FULL ACCESS. The Block AutoRun function on USB devices is also enabled.
1. On the OSCE Server, log in to the Management Console.
2. Go to Networked Computers > Client Management.
3. Select the group/container you wish to apply the settings to.
4. Click on Settings and select Device Control Settings.
5. Check Enable Device Control for both External and Internal Clients.
6. Enable Block the Autorun function on USB storage devices.
Permissions for Storage and Non-Storage Devices
Allow access to USB storage devices, CD/DVD, floppy disks, and network drives. You can grant full access to these devices or limit the level of access. Limiting the level of access brings up "Program lists", which allow programs on storage devices to have Modify, Read and execute, Read, List device content only, and Block permissions.
Configure the list of approved USB storage devices. Device Control allows you to block access to all USB storage devices except those that have been added to the list of approved devices. You can grant full access to the approved devices or limit the level of access.
Use the default permission for Non-Storage Devices. You can only allow or block access to non-storage devices. There are no granular or advanced permissions for these devices.
Configure the settings according to your preference.
Enhanced GeneriClean Technology There are instances wherein registry remnants are left after a Trend Micro product has cleaned or quarantined a file There is also a possibility that the malware payload can modify local security policies
of the machine that restrict certain functionalities (ie Task Manager) GeneriClean has the capability to restore system policy and this has been implemented via the use of TSCINI file For more information on how to clean malware remnants and restore security policies visit httpesupporttrendmicrocomPagesHow-to-clean-malware-remnants-and-restore-policies-using-GeneriCleanaspx
Disabling Roaming Mode for Machines in the Network Trend Micro recommends not to enable roaming mode for the machines that are in the Local Area Network
1 Login to the OfficeScan Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings gt Privileges and Other Settings 5 On the Privileges tab gtRoaming Privilege 6 Uncheck Enable roaming mode option if enabled for LAN machines Otherwise leave it as is
Install Intrusion Defense Firewall (IDF) plug-in Note Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager This requires a new activation code Please contact sales to obtain a license
Intrusion Defense Firewall is an advanced host-based intrusion defense system that brings proven network security approaches including firewall and intrusion detection and prevention down to individual networked computers and devices In addition it can also prevent a malware attack that exploits the vulnerability More information can be found here
1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Intrusion Defense Firewall click Download
Install OfficeScan ToolBox plug-in OfficeScan Toolbox manages deploys executes and consolidates logs for a variety of standalone Trend Micro tools 1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Trend Micro OfficeScan ToolBox download and install the plug-in
1 4 After installing the plug-in click on Manage Program to access the OfficeScan ToolBox console 2 5 Select which OfficeScan clients to deploy the ATTK package then click Deploy
3 6 On the Deployment Settings window the ATTK toolkit is already selected by default Click Deploy
4 7 A confirmation that the tool deployment is successful will appear The ATTK package will be deployed on the client in a few minutes
8 On the Logs tab you will see that the ATTK deployment is being processed
9 Once the deployment is finished it will indicate on the Tool Deployment page that it is complete
5 10 Go to the Logs tab and the result would be Completed You can download the file and send it to Trend Micro Technical Support for analysis
11 You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis
Using the Security Compliance Security Compliance allows you to detect client computers that do not have antivirus software installed within your network environment by scanning your Active Directory Scope and connecting to port(s) used by OfficeScan server(s) to communicate with the OfficeScan clients Security Compliance can then install the OfficeScan client on unprotected computers
1 Login to the OfficeScan Management Console 2 Click on ldquoSecurity Compliancerdquo gt Outside Server Management 3 Inline with ldquoActive Directory Scoperdquo click on ldquoDefinerdquo button 4 If you have more than one (1) OfficeScan server click on the link for Specify Ports under 1 ldquoAdvanced Settingrdquo then click on ldquoSaverdquo button 5 Click on ldquoSave and re-assessrdquo button 6 You will be presented with the assessment result for the machines within your Active Directory
Scope You can then highlight the machines you wish and click on ldquoInstallrdquo button to deploy OfficeScan client program to them
Note
If you have more than one (1) OfficeScan servers installed within your environment you need to specify each communication port being used by Officescan clients to connect to their respective OfficeScan server
This feature can only validate machines with OfficeScan client software installed If a machine is running other anti-virus program assessment will return a BLANK result for the machine names you have queried
Disable System Restore
1 In Active Directory Users and Computers navigate to Computer Configuration Administrative 1 Templates System System Restore 2 Double-click Turn off System Restore set it to Enabled then click OK 3 Close the policy and exit Active Directory Users and Computers 4 The changes will take effect on the next policy refresh
Disable Autorun
1 Click on Start then Run 2 Type in GPEDITMSC then hit Enter 3 Go to Local Computer Policy | Administrative Template | System 4 On the right pane double-click Turn off Autoplay 5 When you are in the properties dialog box click enabled 6 Choose All drives from the drop-down list underneath 7 Click on OK
Run Microsoft Baseline Security Analyzer once a month to check for Unpatched PC
1 Download the tool on the link below httpwwwmicrosoftcomen-usdownloaddetailsaspxid=7558
2 See more information on the link below httptechnetmicrosoftcomen-ausecuritycc184924aspx
Educate users not to click on links they do not trust Do not open suspicious links or files especially from instant messengers emails from unidentified users and from pop-up windows
Note Service Pack 3 should be installed in order to have Behavior Monitoringrsquos ldquonewly encounteredrdquo files detection feature
Configure Global Client Settings Advance settings that will apply to all the Officescan clients on your network To configure Global Client Settings please do the following
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Global Client Settings 3 Enable Officescan Service Restart
31 Automatically restart an Officescan client service if the service terminates unexpectedly 4 Click Save
Configure Client Self-protection
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings and select Privileges and Other Settings 5 Click Other Settings tab 6 Enable all Client Self-protection
61 Protect OfficeScan client services 62 Protect files in the OfficeScan client installation folder 63 Protect OfficeScan client registry keys 64 Protect OfficeScan client processes
7 Click Save
Configure Device Control One of the new features of OfficeScan 10x is the Device Control It provides control feature that regulates access to external storage devices and network resources connected to computers Device control helps prevent data loss and leakage and combined with file scanning helps guard against securitry risks By default Device Control feature is enabled but ALL devices have FULL ACCESS Block AutoRun functions on USB devices are also enabled
1 On the OSCE Server login to the Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to
4 Click on Settings and select Device Control Settings 5 Check Enable Device Control for both External and Internal Clients 6 Enable Block the Autorun function on USB storage devices
Permissions for Storage and Non-Storage Devices
Allow access to USB storage devices CDDVD floppy disks and network drives You can grant full access to these devices or limit the level of access Limiting the level of access brings up ldquoProgram listsrdquo which allows programs on storage devices to have modify read and execute read List device content only and Block permissions
Configure the list of approved USB storage devices Device Control allows you to block access to all USB storage devices except those that have been added to the list of approved devices You can grant full access to the approved devices or limit the level of access
Use default permission for Non-Storage Devices You can only allow or block access to non-storage devices There are no granular or advanced permissions for these devices
Configure the settings according to your preference
Enhanced GeneriClean Technology There are instances wherein registry remnants are left after a Trend Micro product has cleaned or quarantined a file There is also a possibility that the malware payload can modify local security policies
of the machine that restrict certain functionalities (ie Task Manager) GeneriClean has the capability to restore system policy and this has been implemented via the use of TSCINI file For more information on how to clean malware remnants and restore security policies visit httpesupporttrendmicrocomPagesHow-to-clean-malware-remnants-and-restore-policies-using-GeneriCleanaspx
Disabling Roaming Mode for Machines in the Network Trend Micro recommends not to enable roaming mode for the machines that are in the Local Area Network
1 Login to the OfficeScan Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings gt Privileges and Other Settings 5 On the Privileges tab gtRoaming Privilege 6 Uncheck Enable roaming mode option if enabled for LAN machines Otherwise leave it as is
Install Intrusion Defense Firewall (IDF) plug-in Note Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager This requires a new activation code Please contact sales to obtain a license
Intrusion Defense Firewall is an advanced host-based intrusion defense system that brings proven network security approaches including firewall and intrusion detection and prevention down to individual networked computers and devices In addition it can also prevent a malware attack that exploits the vulnerability More information can be found here
1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Intrusion Defense Firewall click Download
Install OfficeScan ToolBox plug-in OfficeScan Toolbox manages deploys executes and consolidates logs for a variety of standalone Trend Micro tools 1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Trend Micro OfficeScan ToolBox download and install the plug-in
1 4 After installing the plug-in click on Manage Program to access the OfficeScan ToolBox console 2 5 Select which OfficeScan clients to deploy the ATTK package then click Deploy
3 6 On the Deployment Settings window the ATTK toolkit is already selected by default Click Deploy
4 7 A confirmation that the tool deployment is successful will appear The ATTK package will be deployed on the client in a few minutes
8 On the Logs tab you will see that the ATTK deployment is being processed
9 Once the deployment is finished it will indicate on the Tool Deployment page that it is complete
5 10 Go to the Logs tab and the result would be Completed You can download the file and send it to Trend Micro Technical Support for analysis
11 You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis
Using the Security Compliance Security Compliance allows you to detect client computers that do not have antivirus software installed within your network environment by scanning your Active Directory Scope and connecting to port(s) used by OfficeScan server(s) to communicate with the OfficeScan clients Security Compliance can then install the OfficeScan client on unprotected computers
1 Login to the OfficeScan Management Console 2 Click on ldquoSecurity Compliancerdquo gt Outside Server Management 3 Inline with ldquoActive Directory Scoperdquo click on ldquoDefinerdquo button 4 If you have more than one (1) OfficeScan server click on the link for Specify Ports under 1 ldquoAdvanced Settingrdquo then click on ldquoSaverdquo button 5 Click on ldquoSave and re-assessrdquo button 6 You will be presented with the assessment result for the machines within your Active Directory
Scope You can then highlight the machines you wish and click on ldquoInstallrdquo button to deploy OfficeScan client program to them
Note
If you have more than one (1) OfficeScan servers installed within your environment you need to specify each communication port being used by Officescan clients to connect to their respective OfficeScan server
This feature can only validate machines with OfficeScan client software installed If a machine is running other anti-virus program assessment will return a BLANK result for the machine names you have queried
Disable System Restore
1 In Active Directory Users and Computers navigate to Computer Configuration Administrative 1 Templates System System Restore 2 Double-click Turn off System Restore set it to Enabled then click OK 3 Close the policy and exit Active Directory Users and Computers 4 The changes will take effect on the next policy refresh
Disable Autorun
1 Click on Start then Run 2 Type in GPEDITMSC then hit Enter 3 Go to Local Computer Policy | Administrative Template | System 4 On the right pane double-click Turn off Autoplay 5 When you are in the properties dialog box click enabled 6 Choose All drives from the drop-down list underneath 7 Click on OK
Run Microsoft Baseline Security Analyzer once a month to check for Unpatched PC
1 Download the tool on the link below httpwwwmicrosoftcomen-usdownloaddetailsaspxid=7558
2 See more information on the link below httptechnetmicrosoftcomen-ausecuritycc184924aspx
Educate users not to click on links they do not trust Do not open suspicious links or files especially from instant messengers emails from unidentified users and from pop-up windows
4 Click on Settings and select Device Control Settings 5 Check Enable Device Control for both External and Internal Clients 6 Enable Block the Autorun function on USB storage devices
Permissions for Storage and Non-Storage Devices
Allow access to USB storage devices CDDVD floppy disks and network drives You can grant full access to these devices or limit the level of access Limiting the level of access brings up ldquoProgram listsrdquo which allows programs on storage devices to have modify read and execute read List device content only and Block permissions
Configure the list of approved USB storage devices Device Control allows you to block access to all USB storage devices except those that have been added to the list of approved devices You can grant full access to the approved devices or limit the level of access
Use default permission for Non-Storage Devices You can only allow or block access to non-storage devices There are no granular or advanced permissions for these devices
Configure the settings according to your preference
Enhanced GeneriClean Technology There are instances wherein registry remnants are left after a Trend Micro product has cleaned or quarantined a file There is also a possibility that the malware payload can modify local security policies
of the machine that restrict certain functionalities (ie Task Manager) GeneriClean has the capability to restore system policy and this has been implemented via the use of TSCINI file For more information on how to clean malware remnants and restore security policies visit httpesupporttrendmicrocomPagesHow-to-clean-malware-remnants-and-restore-policies-using-GeneriCleanaspx
Disabling Roaming Mode for Machines in the Network Trend Micro recommends not to enable roaming mode for the machines that are in the Local Area Network
1 Login to the OfficeScan Management Console 2 Go to Networked Computers gt Client Management 3 Select the groupcontainer you wish to apply the settings to 4 Click on Settings gt Privileges and Other Settings 5 On the Privileges tab gtRoaming Privilege 6 Uncheck Enable roaming mode option if enabled for LAN machines Otherwise leave it as is
Install Intrusion Defense Firewall (IDF) plug-in Note Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager This requires a new activation code Please contact sales to obtain a license
Intrusion Defense Firewall is an advanced host-based intrusion defense system that brings proven network security approaches including firewall and intrusion detection and prevention down to individual networked computers and devices In addition it can also prevent a malware attack that exploits the vulnerability More information can be found here
1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Intrusion Defense Firewall click Download
Install OfficeScan ToolBox plug-in OfficeScan Toolbox manages deploys executes and consolidates logs for a variety of standalone Trend Micro tools 1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Trend Micro OfficeScan ToolBox download and install the plug-in
1 4 After installing the plug-in click on Manage Program to access the OfficeScan ToolBox console 2 5 Select which OfficeScan clients to deploy the ATTK package then click Deploy
3 6 On the Deployment Settings window the ATTK toolkit is already selected by default Click Deploy
4 7 A confirmation that the tool deployment is successful will appear The ATTK package will be deployed on the client in a few minutes
8 On the Logs tab you will see that the ATTK deployment is being processed
9 Once the deployment is finished it will indicate on the Tool Deployment page that it is complete
5 10 Go to the Logs tab and the result would be Completed You can download the file and send it to Trend Micro Technical Support for analysis
11 You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis
Using the Security Compliance Security Compliance allows you to detect client computers that do not have antivirus software installed within your network environment by scanning your Active Directory Scope and connecting to port(s) used by OfficeScan server(s) to communicate with the OfficeScan clients Security Compliance can then install the OfficeScan client on unprotected computers
1 Login to the OfficeScan Management Console 2 Click on ldquoSecurity Compliancerdquo gt Outside Server Management 3 Inline with ldquoActive Directory Scoperdquo click on ldquoDefinerdquo button 4 If you have more than one (1) OfficeScan server click on the link for Specify Ports under 1 ldquoAdvanced Settingrdquo then click on ldquoSaverdquo button 5 Click on ldquoSave and re-assessrdquo button 6 You will be presented with the assessment result for the machines within your Active Directory
Scope You can then highlight the machines you wish and click on ldquoInstallrdquo button to deploy OfficeScan client program to them
Note
If you have more than one (1) OfficeScan servers installed within your environment you need to specify each communication port being used by Officescan clients to connect to their respective OfficeScan server
This feature can only validate machines with OfficeScan client software installed If a machine is running other anti-virus program assessment will return a BLANK result for the machine names you have queried
Disable System Restore
1 In Active Directory Users and Computers navigate to Computer Configuration Administrative 1 Templates System System Restore 2 Double-click Turn off System Restore set it to Enabled then click OK 3 Close the policy and exit Active Directory Users and Computers 4 The changes will take effect on the next policy refresh
Disable Autorun
1 Click on Start then Run 2 Type in GPEDITMSC then hit Enter 3 Go to Local Computer Policy | Administrative Template | System 4 On the right pane double-click Turn off Autoplay 5 When you are in the properties dialog box click enabled 6 Choose All drives from the drop-down list underneath 7 Click on OK
Run Microsoft Baseline Security Analyzer once a month to check for Unpatched PC
1 Download the tool on the link below httpwwwmicrosoftcomen-usdownloaddetailsaspxid=7558
2 See more information on the link below httptechnetmicrosoftcomen-ausecuritycc184924aspx
Educate users not to click on links they do not trust Do not open suspicious links or files especially from instant messengers emails from unidentified users and from pop-up windows
Install Intrusion Defense Firewall (IDF) plug-in Note Intrusion Defense Firewall (IDF) is part of the OfficeScan plug-in manager This requires a new activation code Please contact sales to obtain a license
Intrusion Defense Firewall is an advanced host-based intrusion defense system that brings proven network security approaches including firewall and intrusion detection and prevention down to individual networked computers and devices In addition it can also prevent a malware attack that exploits the vulnerability More information can be found here
1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Intrusion Defense Firewall click Download
Install OfficeScan ToolBox plug-in OfficeScan Toolbox manages deploys executes and consolidates logs for a variety of standalone Trend Micro tools 1 Login to the OfficeScan Management Console 2 Click Plug-in Manager 3 Under Trend Micro OfficeScan ToolBox download and install the plug-in
1 4 After installing the plug-in click on Manage Program to access the OfficeScan ToolBox console 2 5 Select which OfficeScan clients to deploy the ATTK package then click Deploy
3 6 On the Deployment Settings window the ATTK toolkit is already selected by default Click Deploy
4 7 A confirmation that the tool deployment is successful will appear The ATTK package will be deployed on the client in a few minutes
8 On the Logs tab you will see that the ATTK deployment is being processed
9 Once the deployment is finished it will indicate on the Tool Deployment page that it is complete
5 10 Go to the Logs tab and the result would be Completed You can download the file and send it to Trend Micro Technical Support for analysis
11 You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis
Using the Security Compliance Security Compliance allows you to detect client computers that do not have antivirus software installed within your network environment by scanning your Active Directory Scope and connecting to port(s) used by OfficeScan server(s) to communicate with the OfficeScan clients Security Compliance can then install the OfficeScan client on unprotected computers
1 Login to the OfficeScan Management Console 2 Click on ldquoSecurity Compliancerdquo gt Outside Server Management 3 Inline with ldquoActive Directory Scoperdquo click on ldquoDefinerdquo button 4 If you have more than one (1) OfficeScan server click on the link for Specify Ports under 1 ldquoAdvanced Settingrdquo then click on ldquoSaverdquo button 5 Click on ldquoSave and re-assessrdquo button 6 You will be presented with the assessment result for the machines within your Active Directory
Scope You can then highlight the machines you wish and click on ldquoInstallrdquo button to deploy OfficeScan client program to them
Note
If you have more than one (1) OfficeScan servers installed within your environment you need to specify each communication port being used by Officescan clients to connect to their respective OfficeScan server
This feature can only validate machines with OfficeScan client software installed If a machine is running other anti-virus program assessment will return a BLANK result for the machine names you have queried
Disable System Restore
1 In Active Directory Users and Computers navigate to Computer Configuration Administrative 1 Templates System System Restore 2 Double-click Turn off System Restore set it to Enabled then click OK 3 Close the policy and exit Active Directory Users and Computers 4 The changes will take effect on the next policy refresh
Disable Autorun
1 Click on Start then Run 2 Type in GPEDITMSC then hit Enter 3 Go to Local Computer Policy | Administrative Template | System 4 On the right pane double-click Turn off Autoplay 5 When you are in the properties dialog box click enabled 6 Choose All drives from the drop-down list underneath 7 Click on OK
Run Microsoft Baseline Security Analyzer once a month to check for unpatched PCs
1. Download the tool from the link below: http://www.microsoft.com/en-us/download/details.aspx?id=7558
2. See more information at the link below: http://technet.microsoft.com/en-au/security/cc184924.aspx
Educate users not to click on links they do not trust. Do not open suspicious links or files, especially from instant messengers, emails from unidentified users, and pop-up windows.
7. A confirmation that the tool deployment is successful will appear. The ATTK package will be deployed on the client in a few minutes.
8. On the Logs tab, you will see that the ATTK deployment is being processed.
9. Once the deployment is finished, it will indicate on the Tool Deployment page that it is complete.
10. Go to the Logs tab and the result will be Completed. You can download the file and send it to Trend Micro Technical Support for analysis.
11. You can also go to the Feedback tab and send the Reference ID to Trend Micro Technical Support for analysis.