Core Protection for Virtual Machines 1


Core Protection for Virtual Machines 1
Comprehensive Threat Protection for Virtual Environments
Administrator's Guide
Endpoint Security

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at:

Trend Micro, Core Protection for Virtual Machines, and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright 2010 Trend Micro Incorporated. All rights reserved.

Document Part No. OSEM14002/90119
Release Date: January 2011
Version: 1.0

The user documentation for Trend Micro Core Protection for Virtual Machines is intended to introduce the main features of the software and installation instructions for your production environment. You should read through it prior to installing or using the software.

Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro's Web site.

Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site:

Contents

Chapter 1: Introducing Trend Micro Core Protection for Virtual Machines
- What is Core Protection for Virtual Machines?
- Features and Benefits
- System Requirements
- How CPVM Works
- Overall Architecture
- Real-time Scan versus Scan Now
- VirusActions
- Virus Logs
- Deploying Updates
- Virus Detection Technology
- Pattern Matching
- Compressed Files
- OLE Layer Scan
- IntelliScan
- ActiveAction

Chapter 2: Getting Started
- Accessing the Web Console
- Navigating the Web Console
- CPVM Configuration Checklist

Chapter 3: Monitoring Core Protection for Virtual Machines
- Overview
- Viewing System Information
- Viewing Virtual Machine Status
- Viewing Scan Results
- Viewing Server Update Status

Chapter 4: Managing Core Protection for Virtual Machines
- Managing Groups
- Viewing Group Information
- Adding Groups
- Renaming a Group
- Deleting a Group
- Managing VC Inventory
- Managing Members
- Viewing Member Information
- Adding a Member to a Group
- Moving Members to Another Group
- Managing a Network Share
- Performing Scans
- Scan Types
- IntelliScan
- Scan Methods
- True File-type Detection
- File Extension Checking
- Scan Agents
- Real-time Agent
- CPVM Scanning Agent
- Initiating a QuickScan
- Initiating Scan Now
- Installing the Real-time Agent
- Installing the Scanning Agent
- Uninstalling Agents
- Upgrading Agents
- Enabling and Disabling the Scanning Agent
- Configuring Scan Settings
- ActiveAction versus Manual Settings
- Configuring QuickScan Settings
- Configuring Real-time Scan Settings
- Configuring Scheduled Scan Settings
- Configuring Scan Now Settings
- Viewing and Managing Logs
- Manually Deleting Logs

Chapter 5: Updating Components
- Components
- Antivirus
- Anti-spyware
- Component Duplication
- Viewing an Update Summary
- Configuring Scheduled Server Updates
- Performing a Manual Server Update
- Specifying a Server Update Source
- Configuring Automatic Member Updates
- Performing Manual Member Updates
- Rolling Back Updates

Chapter 6: Viewing and Managing Logs
- Overview
- Logged Actions
- Actions Logged at the Agents
- Viewing Member Logs
- Viewing Server Logs
- Viewing Virus/Malware Logs
- Viewing Spyware/Grayware Logs
- Using the Log Viewer
- Deleting Logs

Chapter 7: Managing Notifications
- Configuring Alert Notifications
- Configuring General Settings
- Configuring Notification Triggers

Chapter 8: Administering Core Protection for Virtual Machines
- Setting the Web Console Password
- Configuring Proxy Settings
- Configuring Virtual Infrastructure Settings
- Configuring Compatible Products
- Viewing and Updating Your Product License

Appendix A: VMware Virtual Center Integration
- Virtual Center Plug-in
- Virtual Center Reporting

Index

Preface

Welcome to the Trend Micro Core Protection for Virtual Machines Administrator's Guide. This book contains information about product settings and service levels.

This preface discusses the following topics:
- Core Protection for Virtual Machines Documentation
- Audience
- Document Conventions

Core Protection for Virtual Machines Documentation

The Trend Micro Core Protection for Virtual Machines documentation consists of the following:
- Installation Guide: Describes the system requirements and steps to install Core Protection for Virtual Machines.
- Administrator's Guide: Helps you plan for deployment and explains how to configure all product settings, and how to manage and administer the product.
- Administrator Online Help: Helps you configure all features through the user interface. You can access the online help by opening the web console and then clicking the help icon.
- Readme File: Contains late-breaking product information that might not be found in the other documentation. Topics include a description of features, installation tips, known issues, and product release history.

The Core Protection for Virtual Machines documentation is available at:

Audience

The Core Protection for Virtual Machines documentation is written for IT managers, IT security managers, and virtual infrastructure managers. The documentation assumes that you have in-depth knowledge of virtualization technologies and networks, including details related to the following:
- Antivirus and content security protection
- Network concepts (such as IP address, Subnet Mask, LAN settings)
- Network devices and their administration
- Network configuration (such as the use of VLAN, SNMP)
- VMware VI3

Document Conventions

To help you locate and interpret information easily, the Core Protection for Virtual Machines documentation uses the following conventions.

CONVENTION: DESCRIPTION
- ALL CAPITALS: Acronyms, abbreviations, and names of certain commands and keys on the keyboard
- Bold: Menus and menu commands, command buttons, tabs, options, and Core Protection for Virtual Machines tasks
- Italics: References to other documentation
- Monospace: Examples, sample command lines, program code, Web URLs, file names, and program output
- Note: Configuration notes
- Tip: Recommendations
- WARNING!: Reminders on actions or configurations that should be avoided


Chapter 1: Introducing Trend Micro Core Protection for Virtual Machines

This chapter provides an overview of Trend Micro Core Protection for Virtual Machines (CPVM).

Topics in this chapter:
- What is Core Protection for Virtual Machines?
- Features and Benefits
- System Requirements
- How CPVM Works
- Overall Architecture
- Real-time Scan versus Scan Now
- VirusActions
- Virus Logs
- Deploying Updates
- Virus Detection Technology

What is Core Protection for Virtual Machines?

Trend Micro Core Protection for Virtual Machines (CPVM) improves and simplifies the implementation of corporate virus policy by enabling you to centrally manage the security of your virtual infrastructure. CPVM scans and cleans both online and powered off VMware Virtual Machine files within VMware Virtual Infrastructure 3 or VMware vSphere 4.0. CPVM senses changes in your virtual infrastructure, including provisioning of new virtual machines, and automatically protects the new machines.

Core Protection for Virtual Machines enables you to manage servers from a single administration web console. In addition, you can configure virtual machines in the same group simultaneously and generate integrated virus incident reports from all of them.

Features and Benefits

- Security risk protection protects your virtualized servers from viruses/malware and spyware/grayware. Scanning and real-time agents protect virtual servers, report events to the CPVM server, and receive updates from the CPVM server.
- Centralized management from the CPVM server web console offers transparent access to all virtualized servers on the network. You can coordinate automatic deployment of security policies, pattern files, and software updates on the virtualized server. You can download updates from an update source (such as the Trend Micro ActiveUpdate server) and initiate agent component updates. Core Protection for Virtual Machines also provides real-time monitoring, event notification, and comprehensive reporting.
- Configurable scanning tools offer greater security coverage and faster, more efficient scans. Scanning tools include ActiveAction, IntelliScan, and OLE layer scan.
- Viewable scanning statistics enable you to efficiently monitor your network antivirus security by providing the following details: total number of viruses found for the day and over the last seven days, status of the infections, total number of non-cleanable viruses, and more.

System Requirements

The following table describes the system requirements for the CPVM Server, CPVM Scanning Agents, and Real-time Agents.

TABLE 1-1. System Requirements for CPVM

CPVM Server Operating System:
- Microsoft Windows bit Standard Server with Service Pack 1 or 2
- Microsoft Windows 2003 R2 32-bit Standard Edition with Service Pack 1 or 2
- Microsoft Windows bit Enterprise Server with Service Pack 1 or 2
- Microsoft Windows 2003 R2 32-bit Enterprise Edition with Service Pack 1 or 2

CPVM Server Hardware:
Minimum Requirements
- 800MHz Intel Pentium II processor or equivalent
- 512MB of RAM
- 1GB of available disk space
- Network Interface Card (NIC)
- Monitor that supports 800 x 600 resolution at 256 colors or higher
Recommended Requirements
- 2.4GHz Intel Pentium 4 or faster
- 1GB of RAM
- 2GB of disk space
- Network Interface Card (NIC)
- Monitor that supports 1024 x 768 resolution at 32-bit colors or higher

Web Server:
- Microsoft Internet Information Server (IIS), Windows 2003 Server, Version 6.0
- Administrator or Domain Administrator access on the server machine
- Microsoft .NET Framework 2.0 (CPVM installs it if it is not present)
- File and printer sharing for Microsoft Networks installed on the server and client machine

Administration Web Console:
- 300MHz Intel Pentium processor or equivalent
- 128MB of RAM
- 30MB of available disk space
- Monitor that supports 800 x 600 resolution at 256 colors or higher
- Microsoft Internet Explorer 6.0 or 7.0

Scanning Agents:
Operating System
- Windows XP Professional with Service Pack 3 or later, 32-bit and 64-bit versions
- Windows 2003 (Standard, Enterprise Server) with Service Pack 2 or later, 32-bit and 64-bit versions
- Windows Server 2008 (Standard, Enterprise, Datacenter and Web Editions) with Service Pack 1 or later
- Windows Server 2008 R2 (Standard, Enterprise, Datacenter and Web Editions), 64-bit versions
Required: Microsoft .NET Framework 2.0 SP2 or later

Real-time Agents:
Operating System
- Windows XP Professional with Service Pack 3 or later, 32-bit and 64-bit versions
- Windows 2000 (Server, Advanced Server) with Service Pack 4
- Windows 2003 (Standard, Enterprise Server) with Service Pack 2 or later, 32-bit and 64-bit versions
- Windows Vista Ultimate Edition with Service Pack 1 or later, 32-bit and 64-bit versions
- Windows Server 2008 (Standard, Enterprise, Datacenter and Web Editions) with Service Pack 1 or later
- Windows Server 2008 R2 (Standard, Enterprise, Datacenter and Web Editions), 64-bit versions

VMware:
One of the following VMware configurations:
- VI3 (ESXi 3.5/ESX 3.5 and vCenter)
- vSphere 4 (ESXi 4.0/ESX 4.0 and vCenter)

Note: Core Protection for Virtual Machines must be connected to the vCenter that manages your Virtual Infrastructure. If you are not using vCenter to manage your ESX/ESXi hosts, Core Protection for Virtual Machines will not work with a direct connection to ESX/ESXi hosts.

How CPVM Works

Core Protection for Virtual Machines monitors all activity in your VMware virtual environment through its real-time and scanning agents. Virtual Machines with real-time agents monitor file read/write activity and check for file infections. Scanning agents perform on-demand and scheduled scanning of target VMs for file infections.

If a scanning agent finds an infected file, the scanning agent notifies pre-defined recipients and takes action on the virus according to your configured virus response settings. An activity log records all activities of the system.

Core Protection for Virtual Machines lets you design personal scanning profiles, saving you from having to re-configure frequently-needed settings. You can even assign multiple scanning options to a profile and use the profile for special circumstances, such as scanning incoming files only.

Overall Architecture

The following diagram shows a typical deployment of Core Protection for Virtual Machines within a VMware Virtual Infrastructure:

FIGURE 1-1. Core Protection for Virtual Machines Typical Deployment

The diagram shows active, scanning, and dormant VMs with the Real-Time Agent installed. You can install the CPVM Scanning Agent on a VM or on a physical machine (as indicated in the figure by the machine enclosed by a dotted line on the left).

The VI infrastructure consists of VMware VirtualCenter, which is virtual infrastructure management software that centrally manages an enterprise's virtual machines as a single, logical pool of resources. The heart of VirtualCenter is the VirtualCenter server, which collects and stores persistent data in a dedicated database that contains per-system and environmental information. Core Protection for Virtual Machines is deployed within VI infrastructure.

TABLE 1-1. Major Components of a CPVM Deployment

- VirtualCenter Client: A user interface that runs locally on a Windows machine with network access to the VirtualCenter server. You can run the VirtualCenter client on the same machine as the VirtualCenter Server or on another machine with network access.
- VirtualCenter Server: The VirtualCenter server acts as a central administrator for VMware servers connected on a network. The server directs actions on the virtual machines and the virtual machine hosts. The VirtualCenter server is deployed as a Windows service and runs continuously. The server collects and stores persistent data in a dedicated database that contains per-system and environmental information.
- VirtualCenter Agent: The VirtualCenter agent is installed on each managed host. The agent installs automatically the first time that you add a host to the VirtualCenter inventory. The VirtualCenter agent collects, communicates, and executes the actions received from the VirtualCenter server.
- VirtualCenter Database: The VirtualCenter database (SQL Server or Oracle) provides a persistent storage area for maintaining the status of each virtual machine, host, and user managed in the VirtualCenter environment. The database can be local or remote from the VirtualCenter server machine.
- VirtualCenter Web service: You can optionally install the VirtualCenter web service with the VirtualCenter server. The web service is a required application programming interface for third-party applications that communicate over HTTP using the VMware SDK application programmer interface (API).
- Core Protection for Virtual Machines Server: The CPVM server is a service that acts as a central administrator for scanning agent virtual machines connected to the network. The CPVM server is deployed as a Windows service and runs continuously. The CPVM server directs actions on the virtual machines. The CPVM server must have network access to the VirtualCenter server and all scanning agents that it manages. In addition, the CPVM server must be available for network access from any machine where the Administration web console runs.
- CPVM Scanning Agent: The CPVM Scanning Agent is a service that runs on a host and scans dormant VMDK files or live VMs as specified by the schedule and policy that you configure on the CPVM server. The CPVM server pushes the schedule and policies to all scanning agents. Note: The scanning agent can only scan offline VMDK files that are visible to the host machine where the agent is running.
- Real-Time Agent: The Real-Time Agent service monitors all disk I/O and ensures that no disk writes result in possible malware. The Real-time Agent receives the latest signature updates from the CPVM server. You can install the Real-time Agent on any VM or physical machine.
- Administration web console: The Administration web console is a web-based user interface to the CPVM server. The web console enables you to configure and run scans, configure logs and notifications, and view a summary of activity for Core Protection for Virtual Machines. The web console can be on the same machine as the VirtualCenter server or on another machine with network access.

Real-time Scan versus Scan Now

Core Protection for Virtual Machines features two powerful scan functions: Real-time Scan and Scan Now.

Real-time Scan runs continuously on a server and provides the maximum level of virus protection. Real-time Scan agents monitor all file I/O events on the server to prevent infected files from being copied to or from the server.

Scan Now is a manual, on-demand virus scan (that is, it occurs immediately after being invoked). Use Scan Now to check a server that you suspect may have been exposed to a computer virus or about which you want immediate information.

Tip: To ensure maximum protection, Trend Micro recommends using both Real-time Scan and Scan Now.

Real-time Scan and Scan Now benefits include:
- Redundant File Scan: If a file containing a virus is accidentally downloaded or copied, Real-time Scan stops it. However, if for any reason Real-time Scan is disabled, Scan Now will detect it.
- Efficient File Scan: By default, Real-time Scan is configured to scan files reliably, while minimizing the impact on system resources.
- Effective and Flexible File Scan: Core Protection for Virtual Machines offers effective and numerous scan configuration options to protect your networks based on your individual needs.

VirusActions

Core Protection for Virtual Machines enables you to configure the action for the system to take on infected files. Different actions work best with different virus types.

TABLE 1-2. Configurable Virus Actions

- Bypass/Ignore: For a manual scan, CPVM skips the file without taking any corrective action. However, the virus detection is still recorded in the program's log entries. For Real-time Scan, CPVM treats the file as "deny-write," protecting it from duplication or modification.
- Delete: Deletes the infected file.
- Rename: Renames the infected file extension to .vir. This prevents the file from being executed or opened. If a file of that name with the .vir extension already exists, the file is renamed to .v01, .v02, and so on until .v99.
- Quarantine: Moves the infected file to a folder of your choice. You can also change the file extension of the moved file to prevent it from being inadvertently opened or executed.
- Clean: Attempts to clean the virus code from the file. Since the cleaning process sometimes corrupts the file and makes it unusable, you can back up the file before cleaning.

Note: You can specify a secondary action if the cleaning process is unsuccessful.

All virus events and associated courses of action are recorded in the log file.

Note: On a 64-bit operating system, Core Protection for Virtual Machines detects both 32-bit viruses and 64-bit viruses.

Virus Logs

From the web console, Core Protection for Virtual Machines (CPVM) provides comprehensive information about the results of scanning, file updating and deploying. Furthermore, CPVM saves the information in a log file that you can retrieve or export. You can view the following virus scan statistics: scan start times, machines scanned, detected viruses and types, and infected virtual servers. In addition, you can export the log information to a comma-separated value (CSV) file for further analysis.

Deploying Updates

Core Protection for Virtual Machines simplifies the maintenance of Trend Micro software by enabling you to configure scheduled server updates and automatic member updates.

Note: Trend Micro releases new versions of these update files on a regular basis.

Core Protection for Virtual Machines update features include:
- Unattended scheduled update: Core Protection for Virtual Machines can perform updates of all servers and members automatically based on a schedule that you specify.
- Centralized update deployment: You can deploy updates to servers in your virtual infrastructure from the web console.
- Proxy server compatibility: Core Protection for Virtual Machines works with the majority of existing proxy servers.
- Update activity logging: Core Protection for Virtual Machines records all update activity in a log file for future reference.
- Update Roll-back option: If you encounter a problem while deploying an update, you can roll back a deployed pattern and scan engine file to the previous version.

Virus Detection Technology

Core Protection for Virtual Machines uses advanced virus detection technology, including the following technologies:
- Pattern Matching
- Compressed Files
- OLE Layer Scan
- IntelliScan
- ActiveAction

Pattern Matching

Using a process called "pattern matching," Core Protection for Virtual Machines draws on an extensive database of virus patterns to identify known virus signatures. Key areas of suspect files are examined for tell-tale strings of virus code and compared against tens of thousands of virus signatures that Trend Micro has on record.

For polymorphic or mutating viruses, the Core Protection for Virtual Machines scan engine permits suspicious files to execute in a protected area where they are decrypted. Core Protection for Virtual Machines then scans the entire file, including the freshly decrypted code, and looks for strings of mutation-virus code.

If such a virus is found, Core Protection for Virtual Machines performs the virus actions that you pre-configure, such as clean (autoclean), delete, bypass (ignore), quarantine (move), or rename. You can customize virus actions for both boot and file viruses.

Note: It is important to keep the virus pattern file up-to-date. More than a thousand new viruses are created each year. Trend Micro makes it easy to update the pattern file by supporting scheduled updates.

Compressed Files

Compressed file archives (that is, a single file composed of many separate compressed files) are often distributed via and the Internet. Since some antivirus software cannot scan these types of files, compressed file archives are sometimes used as a way to "smuggle" a virus into a protected network or computer.

Core Protection for Virtual Machines can scan files inside compressed archives, even compressed files composed of other compressed files. CPVM can scan up to a maximum of five compression layers.

The Trend Micro scan engine used in Core Protection for Virtual Machines can detect viruses in files compressed using the following algorithms:
- PKZIP (.zip) & PKZIP_SFX (.exe)
- LHA (.lzh) & LHA_SFX (.exe)
- ARJ (.arj) & ARJ_SFX (.exe)
- CABINET (.cab)
- TAR
- GNU ZIP (.gz)
- RAR (.rar)
- PKLITE (.exe or .com)
- LZEXE (.exe)
- DIET (.com)
- UNIX PACKED (.z)
- UNIX COMPACKED (.z)
- UNIX LZW (.Z)
- UUENCODE
- BINHEX
- BASE64

Note: If a virus is found in an archive that uses other algorithms, the archive must first be decompressed in a temporary directory, then cleaned.
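The five-layer limit described above also marks where scan coverage stops, so it is worth knowing which archives exceed it. The following Python sketch is an added example, not Trend Micro code: it walks nested ZIP archives and reports which members sit within five layers and which lie deeper and would go unexamined. Counting the outermost archive as layer 1, the member size cap, and the function names are assumptions made for illustration.

```python
import io
import zipfile

MAX_LAYERS = 5                   # the guide's stated limit of five compression layers
MAX_MEMBER_BYTES = 50 * 1024**2  # assumed cap so one huge member cannot exhaust memory


def build_nested_zip(depth, payload=b"constructed sample payload"):
    """Build a zip nested `depth` layers deep around report.txt (constructed input)."""
    data, name = payload, "report.txt"
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{level}.zip"
    return data


def walk_archive(data, max_layers=MAX_LAYERS, layer=1, prefix=""):
    """Return (scannable, skipped).

    scannable: (path, layer) for every non-archive member within the limit.
    skipped:   (path, reason) for members that a depth-limited scan never opens.
    Assumption: the outermost archive counts as layer 1.
    """
    scannable, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                skipped.append((path, "member too large"))
                continue
            content = zf.read(info)
            if not zipfile.is_zipfile(io.BytesIO(content)):
                scannable.append((path, layer))
            elif layer >= max_layers:
                # A further archive at the last permitted layer is not opened.
                skipped.append((path, f"exceeds {max_layers} layers"))
            else:
                inner_ok, inner_skipped = walk_archive(
                    content, max_layers, layer + 1, path)
                scannable.extend(inner_ok)
                skipped.extend(inner_skipped)
    return scannable, skipped


def coverage_report(data):
    """Summarise whether a depth-limited scan would see every member."""
    scannable, skipped = walk_archive(data)
    return {
        "scanned": len(scannable),
        "unscanned": len(skipped),
        "fully_covered": not skipped,
    }


if __name__ == "__main__":
    for depth in (5, 6):
        print(depth, coverage_report(build_nested_zip(depth)))
```

An archive reported as not fully covered is a candidate for quarantine or manual review rather than delivery.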

OLE Layer Scan

Microsoft Object Linking and Embedding (OLE) enables embedding Microsoft Office files. This means that you could have a Microsoft Word document inside an Excel sheet, and in turn this Excel sheet could be embedded in a Microsoft PowerPoint presentation.

Although OLE offers a large number of benefits to developers, OLE can lead to potential infection. To address this issue, Core Protection for Virtual Machines includes the OLE Layer Scan feature, which complements state-of-the-art Core Protection for Virtual Machines virus protection.

Tip: OLE layer scan offers five layers of protection. Trend Micro recommends a setting of 2 OLE layers for Scan Now and a setting of 1 for Real-time Scan. A lower setting will improve server performance.

IntelliScan

IntelliScan identifies which files to scan for more secure and efficient scanning than the standard "scan all files" option. For executable files, such as .exe, the true file type is determined from the file content. If a file is not executable (for example, .txt), IntelliScan uses the file header to verify the true file type.

The following are just a couple of the benefits IntelliScan offers:
- Performance optimization: Server system resources allotted to a scan will be minimal. Therefore, IntelliScan will not interfere with other crucial applications running on the server.
- Time saving: Since IntelliScan uses true file type identification, IntelliScan scan time is significantly less than an "all files" scan. Only files with a greater risk of being infected are scanned. This time difference is noticeable when you use IntelliScan with Scan Now.
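The true-file-type idea described above can be illustrated with a short Python sketch. This is an added example and not IntelliScan's actual logic: it identifies a file's type from its leading bytes, compares that with what the extension claims, and selects for scanning any file whose content is a risky type or contradicts its extension. The signature table, the extension map, and the function names are assumptions; the sample files are constructed.

```python
import os

# (magic prefix, type label): a small assumed subset of well-known signatures.
SIGNATURES = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy Office files
    (b"PK\x03\x04", "zip-container"),                        # zip and OOXML files
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"MZ", "pe-executable"),                                # Windows .exe/.dll
]

# What each extension claims the content is ("unknown" = no signature expected).
EXPECTED_BY_EXT = {
    ".exe": "pe-executable", ".dll": "pe-executable",
    ".zip": "zip-container", ".docx": "zip-container",
    ".doc": "ole-compound", ".xls": "ole-compound",
    ".pdf": "pdf", ".txt": "unknown",
}

# Types that can carry executable or embedded content and are always scanned.
RISKY_TYPES = {"pe-executable", "elf-executable", "zip-container",
               "ole-compound", "pdf"}


def true_type(head):
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return "unknown"


def triage(name, head):
    """Decide whether a file needs scanning, and whether its name misleads."""
    detected = true_type(head)
    claimed = EXPECTED_BY_EXT.get(os.path.splitext(name)[1].lower())
    mismatch = claimed is not None and claimed != detected
    return {
        "name": name,
        "detected": detected,
        "mismatch": mismatch,
        # A mismatch is scanned even if the detected type looks harmless.
        "scan": detected in RISKY_TYPES or mismatch,
    }


def select_for_scan(files):
    """Return the names of files a true-file-type filter would scan."""
    return [name for name, head in files if triage(name, head)["scan"]]


# Constructed samples: (file name, first bytes of content).
SAMPLES = [
    ("setup.exe", b"MZ\x90\x00\x03\x00"),
    ("notes.txt", b"meeting notes\n"),
    ("readme.txt", b"MZ\x90\x00\x03\x00"),       # executable renamed to .txt
    ("budget.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"),
    ("photo.jpg", b"\xff\xd8\xff\xe0"),
    ("invoice.pdf", b"PK\x03\x04\x14\x00"),      # zip content behind .pdf
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(triage(name, head))
```

An extension-only filter would skip readme.txt in the samples; checking content is what catches the renamed executable.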

ActiveAction

ActiveAction is a set of pre-configured scan actions that can be performed on viruses and other types of malware. You can configure ActiveAction for both Scan Now and Real-time Scan.

Tip: Trend Micro recommends that you select ActiveAction if you are not familiar with virus actions or if you are unsure of which scan action is most suitable for a certain virus.

Viruses vary significantly from one another; this requires appropriate virus actions for each virus type. Customizing scan actions for file viruses requires knowledge of viruses and can be a tedious task. For this reason, Trend Micro recommends the use of ActiveAction.

Some advantages of using ActiveAction versus customized scan actions are:
- Time saving: You spend no time customizing virus actions.
- Worry-free maintenance: ActiveAction uses Trend Micro recommended scan actions so you can concentrate on other tasks and not worry about making mistakes.
- Updateable scan actions: Trend Micro includes new ActiveAction scan actions with every new pattern. Viruses constantly change how they attack, thus scan actions should be frequently modified to prevent possible infection.

Chapter 2: Getting Started

This chapter describes how to get started using Trend Micro Core Protection for Virtual Machines.

Topics in this chapter:
- Accessing the Web Console
- Navigating the Web Console
- CPVM Configuration Checklist

Accessing the Web Console

The Core Protection for Virtual Machines Administrator web console enables you to monitor ongoing activity, configure and run scans, update components, view logs, generate notifications, and administer CPVM.

Note: To access the Administrator web console, you must have a Trend Micro CPVM Administrator account.

To start the web console:

1. Open your browser and navigate to the web console using local or remote access:
   Local access: If you are accessing the web console from the machine where CPVM resides, double-click on the CPVM Console icon created during installation, or open a web browser and enter the following URL:
   Remote access: If you configured the CPVM machine for network access, enter either of the following, where <hostname> is the hostname and <ip_address> is the IP address of the CPVM machine:
   The Logon screen appears.
2. Enter your password and click Logon. The web console Summary screen appears with the current CPVM status.

Navigating the Web Console

The Summary screen aggregates system information and status information for virtual machines, scan results, and component updates.

FIGURE 2-1 Web Console Summary Screen

These are the menu options on the CPVM console:

TABLE 2-1.

MENU OPTION: DESCRIPTION

Summary: This screen provides system information and a summary of the current status of your virtual machines, scan results, and component updates.

Security Management: This screen enables you to:
- Manage groups and members in your virtual installation.
- Manage VC inventory.
- Configure and perform scans.
- Install/uninstall CPVM Scanning Agents and Real-Time Agents.
- Configure logs.
- Sync from VC directly.

Updates: This screen enables you to configure CPVM to update server or members automatically or manually update them at any time. Available actions include:
- View an update summary.
- Configure the server update schedule.
- Update the server manually.
- Configure the server update source.
- Update members automatically.
- Update members manually.
- Rollback components.

Logs: This screen enables you to configure and view logs to analyze your infrastructure protection and troubleshoot and manage security risks in your network. You can configure and view the following logs:
- Virus/malware
- Spyware/grayware
- Member update
- Server
- System events
Additional log options are available on the Logs screen. Log configuration actions include:
- Configure the Virus/Malware Log Criteria
- Configure the Spyware/Grayware Log Criteria
- Delete Logs

Notifications: This screen enables you to configure CPVM to send an alert when virus/malware or spyware/grayware is detected or a system event occurs. You can configure the specific events that trigger a notification, notification recipients, and notification methods ( and SNMP traps).

Administration: These screens enable you to configure Core Protection for Virtual Machines settings, including the following:
- Set the console password
- Configure proxy settings
- Configure virtualization infrastructure settings
- Configure compatible products
- View and update your product license

CPVM Configuration Checklist

After installing Trend Micro Core Protection for Virtual Machines (CPVM) and setting the web console password, perform the following tasks to set up the product features and ensure that the system is working properly:

TABLE 2-2.

STEP, WEB CONSOLE SCREEN: ACTION TO TAKE
1. Administration: Change Web console password. Configure proxy settings. Configure virtual infrastructure settings. Configure compatible products updates.
2. Security Management: Configure groups and members. Install agents.
3. Logs: Configure logs.
4. Notifications: Configure notifications.
5. Update: Update components.
6. Security Management: Configure scans.


Chapter 3

Monitoring Core Protection for Virtual Machines

This chapter describes how to monitor Core Protection for Virtual Machines status using the Summary screen.

Topics in this chapter:
- Overview
- Viewing System Information
- Viewing Virtual Machine Status
- Viewing Scan Results
- Viewing Server Update Status

Overview

The Summary screen provides current information on Core Protection for Virtual Machines activity and status. The Summary screen shows:
- System information
- Status of virtual machines
- Current scan results
- Server update status

To open the Summary screen:

On the Core Protection for Virtual Machines navigation bar, click Summary.

FIGURE 3-1. Viewing the Core Protection for Virtual Machines Summary

Viewing System Information

The System Information area shows the status and details of the Core Protection for Virtual Machines system. The following information is provided:
- Product Version: The version of the Core Protection for Virtual Machines software installed on your server.
- Platform: The hardware platform of your Core Protection for Virtual Machines Server.
- OS: The operating system installed on your Core Protection for Virtual Machines Server.

For information on updating your Core Protection for Virtual Machines software, see Updating Components starting on page 5-1.

Viewing Virtual Machine Status

The Virtual Machine Status area shows the current status of the components in your Core Protection for Virtual Machines installation:
- PoweredOn Virtual Machines
- PoweredOff Virtual Machines
- Real-Time Agents
- CPVM Scanning Agents
- Virtual Machines Scanned
- Virtual Machines Infected/Cleaned

Viewing Scan Results

The Scan Results For area displays a summary of the scan results for the day and the total for the week. The number of viruses and spyware/grayware detected for the day appears in the right corner of the Scan results for title bar.

To view scan results:

Select Scan results for > Virus or Scan Results for > Spyware/Grayware. Scan results for today and the last seven days are displayed. This includes the numbers that are:
- Uncleanable
- Quarantined
- Deleted
- Passed
- Cleaned
- Renamed

Viewing Server Update Status

The Server Update Status area shows the status of each component in your installation for the following:
- Antivirus
- Anti-spyware

To view update status details:

1. On the Core Protection for Virtual Machines navigation bar, click Summary.

FIGURE 3-2. Viewing a Component Update Summary

2. Click in front of the Member Component name to expand the display. The list expands to show the current version, latest version, and last update for any of the following:
- Antivirus
  - Virus Pattern
  - Virus Scan Engine (32-bit)
  - Virus Scan Engine (64-bit)
- Anti-spyware
  - Spyware Pattern
  - Spyware Scan Engine (32-bit)
  - Spyware Scan Engine (64-bit)

3. To perform updates of all the components for the server, click Update Now.

For information on updating the Core Protection for Virtual Machines components, see Updating Components starting on page

Chapter 4

Managing Core Protection for Virtual Machines

This chapter describes how to manage Core Protection for Virtual Machines.

Topics in this chapter:
- Managing Groups
- Managing VC Inventory
- Managing Members
- Performing Scans
- Installing the Real-time Agent
- Installing the Scanning Agent
- Uninstalling Agents
- Upgrading Agents
- Configuring Scan Settings
- Viewing and Managing Logs

Managing Groups

You can manage groups from the Security Management screen. Setting up groups enables you to organize the members in your virtual infrastructure and set separate scanning rules for the different groups. Members are the virtual machines or network shares in your virtual infrastructure.

Viewing Group Information

The Security Management screen enables you to view group information, such as the number of members and an overview of component updates and scans.

To view group information:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management. Current group information appears.

FIGURE 4-1. View group information

The list in the right pane provides the following information for each group:
- Groups: The current groups on your site.
- Members: The number of members in the group.
- Scanning Agents: The number of scanning agents in the group.
- Real-Time Agents: The number of real-time agents in the group.
- Last Scheduled Security Scan: The last time a scheduled scan was run on the group members.

Adding Groups

To set up a group, first create the group and then add or move members to it.

To add a group:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management. The Security Management screen appears.
2. On the Current Groups toolbar, click Manage Security Groups > Add Group. The Add Group screen appears.

FIGURE 4-2. Add Group screen

3. Type a Group name and click Add.

You can now add members to the group. For instructions on how to add members, see Adding a Member to a Group on page

Renaming a Group

To rename a group:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management. The Security Management screen appears.
2. In the Current Groups list, select the group to rename.
3. On the Current Groups toolbar, click Manage Security Groups > Rename Group. The Rename Group screen appears.

FIGURE 4-3. Rename Group screen

4. Type the new group name and click Save.

Deleting a Group

To delete a group:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management. The Security Management screen appears.
2. In the Current Groups list, select the group to delete.

3. On the Current Groups toolbar, click Manage Security Groups > Delete Group. The system asks if you are sure you want to delete the selected group(s).

FIGURE 4-4. Delete Group screen

4. Click Delete.

Managing VC Inventory

The VirtualCenter inventory provides a single point for viewing members and related information, moving machines among groups, and managing licenses.

Note: Individual VMDK files on a network share are not displayed in the VC inventory list, but the network share appears.

To manage VC inventory:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management. The Security Management screen appears.
2. Click VC Inventory. The VC Inventory screen displays a list of members in your site, along with the group, host, and license status.

FIGURE 4-5. VC Inventory screen

Note: Do not move members between groups while a scan, including a scheduled scan, is in progress.

3. Select the members you want to move, and click Move.

4. In the Move selected member(s) to drop-down list, select the group to which you want to move the members.

FIGURE 4-6. Move Members screen

5. To apply the settings of the group to the members, select Apply settings of new group to selected members.

Managing Members

Members are virtual machines or network shares in your Core Protection for Virtual Machines environment. Adding members to groups helps you to logically manage your security tasks. Actions you can take on group members include:
- View member information
- Add members
- Move members
- Search for a member
- Add network share
- Remove network share

Viewing Member Information

The Security Management screen enables you to view member information in each group, such as power status and scan results.

To view member information:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Expand Security Groups to view the current groups.

3. Select the group whose member information you want to view.

FIGURE 4-7. View Member information

The list in the right pane provides the following information for each member in the selected group:
- Category
- Power Status
- Scan Status
- Scan Results
- IP Address

Adding a Member to a Group

Virtual machine inventory is obtained directly from the Virtual Center, but if you want to set up a physical machine to perform the scanning function, you must explicitly add it as a member. When you add the physical machine as a member, the Scanning Agent is automatically installed on that machine.

Note: Physical Scanning Agent (SA) members are allowed only in the Default group. If you add or move a physical SA to any other group, the physical SA is moved back to the Default group. When you uninstall the Scanning Agent from the physical machine using Install > Uninstall Agent, the member is automatically removed from the list of members.

To add a physical machine as a member:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Expand Security Groups to view the current groups.
3. Select the group to which to add a member.

4. Click Member Management > Add Member. The Add Physical SA screen appears.

FIGURE 4-8. Add Physical SA screen

5. Type the IP address or hostname in the IP/Hostname field.
6. Type the Username and Password.
7. Click Add. The Physical SA member is added to the Default Group.

Moving Members to Another Group

Members are virtual machines in your Core Protection for Virtual Machines environment. You can move members from one group to another to help you logically manage your security tasks. When CPVM senses new virtual machines, the virtual machines are initially placed under the Default security group and automatically assigned the default policy for scanning. You can then move those virtual machines to other groups to apply a different group security policy.

Note: Do not move members between groups while a scan, including a scheduled scan, is in progress. Otherwise, there could be a problem synchronizing with the CPVM server.

To move a member:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Expand Security Groups to view the current groups.
3. Select the group that includes the members you want to move.
4. In the Members list, select the members to move.
5. Click Member Management > Move Member. The Move Member(s) screen appears.

FIGURE 4-9. Move Member(s) screen

6. Select the group to which you want to move the member.
7. Click Move.

Managing a Network Share

Core Protection for Virtual Machines enables you to scan VMDK files that are not in the VirtualCenter inventory but are located on a network share. You can add a network share by specifying a network path as a root folder which could contain more than one subfolder that contains VMDK files.

When you add the network share that stores the VMDK files, and if there are multiple VMDK files, all the VMDK files share the same security policy as defined by either the group policy or the actual network share policy. The group policy is used for scanning each VMDK. You can define a specific scan policy for each on the Security Management screen. CPVM logs any events associated with these files and includes the network path as part of the log. If you remove members, the members are removed from the VC inventory list.

Note: Snapshots on dormant VMs on a network share are not scanned and cleaned during a scan.

To add a network share:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Expand Security Groups to view the current groups.
3. Click the group to which you want to add a network share.

4. Click Member Management > Add Network Share. The Add Network Share screen appears.

FIGURE Add Network Share screen

5. Type a name for the network share.
6. Type the path to the network share. For example, if your vmdk files are located on both \\ \vmdk\winxp and \\ \vmdk\win2003, you could specify \\ \vmdk as your network share.
7. Enter the user name and password of the network share.
8. Click Test Connection to test the network share information you entered.
9. Click Add.

To remove a network share:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Expand Security Groups to view the current groups.
3. Select the group from which you want to remove a network share.
4. In the Members list, select the network share you want to remove.
5. Click Member Management > Remove Network Share.
6. Click OK.

Performing Scans

Before you can perform scans with Core Protection for Virtual Machines, you must perform the following tasks:
- Install the scanning and real-time agents.
- Configure scan settings.

Scan Types

Core Protection for Virtual Machines enables you to perform the following scans:

TABLE 4-1. Scan Types

| SCAN TYPE | DESCRIPTION |
|---|---|
| Scan Now | Performs a full on-demand scan. |

TABLE 4-1. Scan Types

| SCAN TYPE | DESCRIPTION |
|---|---|
| QuickScan | Performs a limited scan of the disk based on information from the Windows Registry. QuickScan loads the Registry to identify what files need to be scanned and performs a scan and clean operation on those files. If QuickScan detects malware, an attempt is made to clean the malware. If the clean operation is unsuccessful, QuickScan quarantines the file and modifies the Registry accordingly. Core Protection for Virtual Machines takes the following actions based on user settings when it detects malware during QuickScan: (1) If you configured CPVM to perform a full scan if malware is detected, CPVM performs a full scan on the member and logs the event with the following details: malware type, when the malware was detected, and the results of the clean operation or file quarantine. (2) If you configured CPVM to simply log the event when detecting malware, CPVM logs the event with the following details: malware type, when the malware was detected, and the result of the clean operation or file quarantine. Note: QuickScan is allowed only on dormant machines as it may require modifications to the registry if malware is detected. |
| Real-time Scan | Runs continuously in the background to monitor all file I/O events, preventing malware files from being copied to or from the server. |
| Scheduled Scan | Initiates a full scan based on a set schedule for selected members. CPVM sequentially performs a full scan of each selected member. Since the CPVM Scanning Agent may be deployed on multiple hosts, multiple scanning agents can perform full scans on different members at the same time. |

Note: VirtualCenter periodically sends VC inventory updates to the CPVM Server. If CPVM identifies a new VM that was previously not on its list, it performs a QuickScan on the VM (if the VM is in a dormant state).

For information on configuring scans, see Configuring Scan Settings on page

IntelliScan Scan Methods

Rather than relying on the file name alone, Core Protection for Virtual Machines uses IntelliScan to identify the true file type and determine whether the file is a type that Core Protection for Virtual Machines should scan.

True File-type Detection

Using true file-type identification, IntelliScan examines the header of the file first and checks if the file is an executable, compressed, or other type of file that may be a threat. IntelliScan examines all files to ensure that they were not renamed. The extension must conform to the file's internally registered data type. For example, Microsoft Word documents are file extension independent. Even if you rename a document from "legal.doc" to "legal.lgl", Word still recognizes and opens the document along with any macro viruses it contains. IntelliScan identifies the file as a Word document regardless of the file extension and scans it accordingly.

File Extension Checking

IntelliScan also uses extension checking, that is, the file name itself. An updated list of extension names is available with each new pattern file. For example, the discovery of a new ".jpg" file vulnerability prompts Trend Micro to add the ".jpg" extension to the extension-checking list in the next pattern update.

Scan Agents

CPVM provides two agents for performing scanning tasks:
- Real-time Agent
- Scanning Agent
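The sketch below is an added example, not Trend Micro's IntelliScan code: it combines the two checks described under IntelliScan Scan Methods, reading the file header to determine the true type and falling back to an extension list. The signature subset, the type-to-extension mapping, the scan policy sets and the sample inputs are assumptions made for illustration.

```python
import os

# Well-known leading-byte signatures ("magic numbers"); a small illustrative subset.
SIGNATURES = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),  # OLE2 compound file (legacy Word/Excel)
    (b"PK\x03\x04", "zip"),                          # ZIP archive and ZIP-based documents
    (b"%PDF-", "pdf"),
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"\x1F\x8B", "gzip"),
    (b"MZ", "pe"),                                   # DOS/Windows executable
]

# Assumed mapping: extensions that normally accompany each detected type.
USUAL_EXTENSIONS = {
    "ole2": {".doc", ".xls", ".ppt", ".msi"},
    "zip": {".zip", ".docx", ".xlsx", ".jar"},
    "pdf": {".pdf"},
    "jpeg": {".jpg", ".jpeg"},
    "gzip": {".gz", ".tgz"},
    "pe": {".exe", ".dll", ".sys", ".scr"},
}

# Assumed policy: types that are scanned on header evidence alone.
SCAN_TYPES = {"ole2", "zip", "pdf", "gzip", "pe"}

# Assumed extension-checking list; per the guide, the real list is updated
# with each new pattern file.
EXTENSION_LIST = frozenset({".exe", ".dll", ".doc", ".xls", ".zip"})


def true_type(header: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unknown"


def classify(filename: str, header: bytes, extension_list=EXTENSION_LIST) -> dict:
    """Decide whether a file is scanned, and whether its name hides its type."""
    ext = os.path.splitext(filename)[1].lower()
    kind = true_type(header)
    # A recognised type carrying an extension it does not normally use
    # indicates a renamed file (for example legal.doc -> legal.lgl).
    renamed = kind != "unknown" and ext not in USUAL_EXTENSIONS[kind]
    if kind in SCAN_TYPES:
        reason = "true file type"      # header check wins regardless of the name
    elif ext in extension_list:
        reason = "extension list"      # fallback: extension checking
    else:
        reason = None
    return {"type": kind, "renamed": renamed, "scan": reason is not None, "reason": reason}


# Constructed sample inputs: (file name, first bytes of the file).
OLE2_HEADER = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8
SAMPLES = [
    ("legal.doc", OLE2_HEADER),
    ("legal.lgl", OLE2_HEADER),           # Word document renamed, as in the guide's example
    ("invoice.pdf", b"MZ\x90\x00"),       # executable posing as a PDF
    ("photo.jpg", b"\xFF\xD8\xFF\xE0"),   # scanned only once ".jpg" joins the extension list
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, header in SAMPLES:
        print(f"{name:12} {classify(name, header)}")
    # Simulate a pattern update that adds ".jpg" to the extension-checking list.
    updated = EXTENSION_LIST | {".jpg"}
    print("after update:", classify("photo.jpg", b"\xFF\xD8\xFF\xE0", updated))
```
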

Real-time Agent

The Real-time Agent provides real-time protection for live members. The Real-time Agent does not perform full scans. It provides the following protection:
- Performs pattern signature and engine updates based on your specified schedule or when it receives a specific notification from the CPVM server.
- Monitors disk I/O and protects the files being written to.

When the CPVM Scanning Agent performs a full scan of the live member and finds malware, it notifies the CPVM Server. The CPVM Server informs the Real-time Agent and requests that the virus be cleaned or files quarantined. When the action is complete, the Real-time Agent informs the server about the result (success/failure).

Note: If the Real-time Agent cannot see the virus (such as a rootkit), then the agent sends a failure event to the CPVM Server as an error. You will need to turn the member off and perform a full scan/clean when the member is dormant.

If you have not installed the Real-time Agent in a live member, because there is an instance of ServerProtect, OfficeScan, or some other competitor product running in the member, cleaning is not an option and the CPVM Server sends an event to the administrator informing him or her to take appropriate action.

CPVM Scanning Agent

The CPVM Scanning Agent is a service that runs on a host and scans dormant or live Virtual Machines as specified by the schedule and policy set on the Core Protection for Virtual Machines Server. The schedule and the policies are pushed to each of the Scanning Agent Servers by the Core Protection for Virtual Machines Server.

Initiating a QuickScan

A QuickScan performs a limited scan of the disk based on information from the Windows Registry. QuickScan loads the Registry to identify what files need to be scanned and performs a scan and clean operation on those files. If malware is detected, QuickScan attempts to clean the malware. If the clean operation fails, QuickScan quarantines the file and modifies the Registry accordingly. A QuickScan scans only dormant VMs.

The Core Protection for Virtual Machines server receives updates to the VC inventory periodically from the VirtualCenter. If the server identifies a new VM that was previously not on its list, the server performs a QuickScan on the new VM if it is in dormant state.

Note: To avoid performance impact on your network, the scan progress is updated every 60 seconds and may not immediately reflect the actual scan progress. To see the actual scan progress, click Refresh to refresh the screen.

To initiate a QuickScan:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

Note: To change the pre-configured QuickScan settings before initiating the scan, click Settings > QuickScan Settings and modify settings as needed.

2. Click Tasks > QuickScan Now. The QuickScan Now screen appears.

FIGURE QuickScan Now screen

3. Select the members to scan and click Initiate QuickScan Now. The server notifies the scanning agents for that group to perform a scan on those members.
4. On the Security Management screen, verify the scan status of member machines.

Note: If you select multiple members to scan and then stop the scan, scans for all members that are still in a Pending or Scanning state are aborted. Their scan progress displays as 0 and scan status displays as "Stopped."

Initiating Scan Now

In addition to turning on Real-time Scan and configuring Scheduled Scan, Trend Micro recommends initiating Scan Now on members that you suspect are infected.

To perform a Scan Now:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

Note: To change the pre-configured Scan Now settings before initiating the scan, click Settings > Scan Now settings. The Scan Now Settings screen opens so you can make changes.

2. Click Tasks > Scan Now. The Scan Now screen appears.

FIGURE Scan Now screen

3. Select the target members to scan. Use the Search box to search for a specific member.

4. Click Initiate Scan Now. The server notifies the Scanning Agent in that group to perform a scan on the target members.
5. For members already in the process of scanning, click Stop Scan Now if you want them to stop scanning.

Note: Stop Scan Now does not terminate the scan for a member (VM or network share) whose scan status is Pending.

Installing the Real-time Agent

To install the Real-time Agent:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Under Security Groups, click the group that has members on which to install the Real-time Agent.
3. Select one or more members on which you want to install the Real-time Agent.

Note: The members you select must be online and connected. The members cannot already have a Real-time Agent installed and cannot be a network share.

4. Click Install > Install Real-time Agent. The Install Real-time Agent screen appears.

FIGURE Install Real-time Agent screen

5. Enter the user name and password. The account must have administrator privileges on the target VMs.
6. Click Install.

Installing the Scanning Agent

To install the Scanning Agent:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Under the Security Groups pane, click the group that has the members on which to install the Real-time Agent.
3. Select one or more members on which to install the Scanning Agent.

Note: The members you select must be online and connected. They cannot be members that already have the Scanning Agent installed and cannot be a network share.

4. Click Install > Install Scanning Agent. The Install Scanning Agent screen appears.

FIGURE Install Scanning Agent screen

5. Enter the user name and password. The account must have administrator privileges on the target VMs.
6. Click Install.

Uninstalling Agents

To uninstall agents:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Under Security Groups, click the group that has the members from which to uninstall the agent.

Note: The members you select must have the same type of agents, either all Scanning Agents (SA) or all Real-time Agents (RTA). You cannot uninstall a mixed group that includes both SAs and RTAs.

3. Click Install > Uninstall Agent.

FIGURE Uninstall Agent screen

4. Enter the user name and password. The account must have administrator privileges on the target VMs.
5. Click Uninstall.

Upgrading Agents

Note: To upgrade agents, you must have administrator privileges on the target VMs and the VMs must all have the same username and password.

To upgrade agents:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Under Security Groups, select the group that has the members to be upgraded.

3. Select the members that contain the agent to be upgraded.

Note: The members you select must have the same type of agents, either all Scanning Agents (SA) or all Real-time Agents (RTA). You cannot upgrade a mixed group that includes both SAs and RTAs.

4. Click Install > Upgrade Agent. The Upgrade Agent screen appears.

FIGURE Upgrade Agent screen

5. Enter the Username and Password for the target VMs.
6. Click Upgrade. A system message appears, "Upgrade Agent installation is initiated in the selected machine(s)."

Enabling and Disabling the Scanning Agent

You can enable or disable the Scanning Agent for any member in your Core Protection for Virtual Machines environment. For example, you can disable scanning prior to virtual infrastructure maintenance.

To enable the Scanning Agent:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Select the group that has the machines on which to enable the Scanning Agent.
3. Select the machines on which to enable the Scanning Agent.
4. From the Settings menu, select Enable Scanning Agent. The Enable Scanning Agent screen appears.

FIGURE Enable Scanning Agent screen

5. Enter your user name and password.
6. Click Enable.

To disable the Scanning Agent:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Select the group that has the machines on which to disable the Scanning Agent.
3. Select the members on which to disable the Scanning Agent.

4. From the Settings menu, select Disable Scanning Agent. The Disable Scanning Agent screen appears.

FIGURE Disable Scanning Agent screen

5. Enter your user name and password.
6. Click Disable.

Configuring Scan Settings

Core Protection for Virtual Machines provides a number of options for scanning members in a group. You can perform a full scan at any time, or perform a limited scan of the disk based on information from the Windows Registry. You can also configure a Real-time Scan or a Scheduled Scan. Scan actions you can take on groups include:
- QuickScan settings
- Real-time Scan settings
- Scheduled Scan settings
- Scan Now settings

You can set Scan settings at the group level and member level. Group level settings represent all generic settings that apply to all members within a group. Member level settings override specific settings defined at the group level. You can only set a scan schedule at the group level. All members within that group are scanned according to the schedule of the Scanning Agents within that group.

Scan exclusion settings are global. If scan exclusion settings are defined for one type of scan, such as Real-time Scans, they are automatically applied to all other types of scans.

ActiveAction versus Manual Settings

ActiveAction is a set of pre-configured scan actions for specific types of viruses and malware. Trend Micro recommends using ActiveAction if you are not sure which scan action is suitable for each type of virus and malware. With ActiveAction, you do not have to spend time customizing the scan actions. The following table illustrates how ActiveAction handles each type of virus/malware.

TABLE 4-1. ActiveAction Virus/malware Handling

| VIRUS/MALWARE TYPE | REAL-TIME SCAN: FIRST ACTION | REAL-TIME SCAN: SECOND ACTION | MANUAL SCAN/SCHEDULED SCAN/SCAN NOW: FIRST ACTION | MANUAL SCAN/SCHEDULED SCAN/SCAN NOW: SECOND ACTION |
|---|---|---|---|---|
| Joke | Quarantine | N/A | Quarantine | N/A |
| Virus | Clean | Quarantine | Clean | Quarantine |
| Test Virus | Pass | N/A | Pass | N/A |
| Packer | Quarantine | N/A | Quarantine | N/A |
| Others | Clean | Quarantine | Clean | Quarantine |
| Generic | Pass | N/A | Pass | N/A |

Configuring QuickScan Settings

To configure a QuickScan, specify the scan targets and the actions to take when security risks are encountered.

To configure a QuickScan:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Expand Security Groups to view the current groups.
3. Click the group for which to configure QuickScan Settings.
4. Click Settings > QuickScan Settings. The QuickScan Settings screen appears.

FIGURE QuickScan Target tab

5. On the Target tab, select whether to initiate a QuickScan when a new virtual machine is added.
6. Click Save.

7. Click the Action tab.

FIGURE QuickScan Action tab

8. Specify virus/malware scan actions, either using ActiveAction or manually selecting an action for each virus/malware type. Use ActiveAction if you are unsure how to handle the different virus types. If you know which scan actions are suitable for each type of virus/malware, you can set the following actions, as appropriate:

For Virus/Malware, select from the following actions:

TABLE 4-2. Virus/Malware Scan Actions

| SCAN ACTION | DESCRIPTION |
|---|---|
| Delete | Deletes an infected file. |

TABLE 4-2. Virus/Malware Scan Actions

| SCAN ACTION | DESCRIPTION |
|---|---|
| Quarantine | Moves an infected file to the member's quarantine directory found in {Core Protection for Virtual Machines member folder}\virus. The default quarantine directory is {Core Protection for Virtual Machines server folder}\virus, which you can change by going to Security Management > (Group Name) > Settings > {Scan Type} > Action tab. |
| Clean | Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file. Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails. |
| Rename | Changes the infected file's extension to "vir". Users cannot open the file initially, but can do so if they associate the file with a certain application. A virus/malware may execute when opening the renamed infected file. |
| Pass | Enables full access to the infected file without doing anything to the file. A user may copy/delete/open the file. If you select Pass, you may allow a VM to become infected. |

For Spyware/Grayware, select from the following actions:

TABLE 4-3. Virus/Malware Scan Actions

| SCAN ACTION | DESCRIPTION |
|---|---|
| Delete | Deletes an infected file. |

TABLE 4-3. Virus/Malware Scan Actions

| SCAN ACTION | DESCRIPTION |
|---|---|
| Clean | Terminates processes or deletes registries, files, cookies and shortcuts. Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails. |
| Pass | Logs the spyware/grayware detection for assessment. |

WARNING! If you select Pass, you may allow a VM to become infected.

9. Type a Quarantine Directory, if you want to specify a different virus/malware quarantine directory. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Use an absolute file path format for the quarantine directory, such as C:\temp.

WARNING! If you specify an incorrect quarantine directory, the CPVM client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the virus/malware logs of the server, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

10. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.
11. Select whether to perform a full scan when malware is detected.
12. Click Save.

Configuring Real-time Scan Settings

To configure a Real-time Scan, specify the scan targets and the actions to take when security risks are encountered.

To configure a Real-time Scan:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Under Security Groups, click the group to configure.
3. Click Settings > Real-time Scan Settings. The Real-time Scan Settings screen appears.

FIGURE Real-time Scan Target tab

4. On the Target tab, configure the scan target. Select whether to Enable Real-time scan for virus/malware.
5. Select the files to scan based on user activity.

TABLE 4-2. User Actions

ACTIVITY: Open a read-only file
    If the option selected is Scan files being created/modified: Real-time Scan does not scan the file.
    If the option selected is Scan files being retrieved: Real-time Scan scans the file.
    If the option selected is Scan files being created/modified and retrieved: Real-time Scan scans the file.
ACTIVITY: Copy or move a file from a directory excluded from scanning
    If the option selected is Scan files being created/modified: Real-time Scan scans the file in the destination directory (if CPVM does not exclude this directory from scanning).
    If the option selected is Scan files being retrieved: Real-time Scan does not scan the file in the destination directory.
    If the option selected is Scan files being created/modified and retrieved: Real-time Scan scans the file in the destination directory (if CPVM does not exclude this directory from scanning).

6. Select the Files to Scan. If you choose to scan files based on extensions, add or delete extensions from the default set of extensions. Use a comma to separate entries.
    Note: To learn more about IntelliScan, see IntelliScan Scan Methods.
7. Select additional settings under Scan Settings. Specify any directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.
    Tip: You can also use * as a wildcard when specifying extensions.

There are some Trend Micro product directories that you need to manually add to the scan exclusion list. To exclude these directories, select Exclude directories where Trend Micro products are installed.
8. Click Save.
9. Click the Action tab.

FIGURE Real-time Scan Action tab

10. Specify virus/malware scan actions, either using ActiveAction or manually selecting an action for each virus/malware type. Use ActiveAction if you are unsure how to handle the different virus types. If you know which scan actions are suitable for each type of virus/malware, you can set the following actions, as appropriate:

For Virus/Malware, select from the following actions:

TABLE 4-4. Virus/Malware Scan Actions

SCAN ACTION: DESCRIPTION
Delete: Deletes an infected file.
Quarantine: Moves an infected file to the member's quarantine directory found in {Core Protection for Virtual Machines member folder}\virus. The default quarantine directory is {Core Protection for Virtual Machines server folder}\virus, which you can change by going to Security Management > (Group Name) > Settings > {Scan Type} > Action tab.
Clean: Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file.
    Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Rename: Changes the infected file's extension to "vir". Users cannot open the file initially, but can do so if they associate the file with a certain application. A virus/malware may execute when opening the renamed infected file.
Pass: Enables full access to the infected file without doing anything to the file. A user may copy/delete/open the file. If you select Pass, you may allow a VM to become infected.

For Spyware/Grayware, select from the following actions:

TABLE 4-5. Virus/Malware Scan Actions

SCAN ACTION: DESCRIPTION
Delete: Deletes an infected file.
Clean: Terminates processes or deletes registries, files, cookies and shortcuts.
    Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Pass: Logs the spyware/grayware detection for assessment.
    WARNING! If you select Pass, you may allow a VM to become infected.

11. Type a Quarantine Directory, if you want to specify a different virus/malware quarantine directory. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Use an absolute file path format for the quarantine directory, such as C:\temp.
    WARNING! If you specify an incorrect quarantine directory, the CPVM client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the virus/malware logs of the server, the scan result is "Unable to send the quarantined file to the designated quarantine folder."
12. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.
13. Click Save.

Configuring Scheduled Scan Settings

To configure a Scheduled Scan, specify the scan targets and the actions to take when security risks are encountered.

Note: The schedule can only be set at the group level. The scanning agents scan all members within that group according to the group schedule.

To configure a Scheduled Scan:
1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Under Security Groups, click the group to configure.
3. Click Settings > Scheduled Scan Settings. The Scheduled Scan Settings screen appears.

FIGURE Scheduled Scan Target tab

4. On the Target tab, configure a schedule for the scan.
5. Select the Files to Scan. If you choose to scan files based on extensions, add or delete extensions from the default set of extensions. Use a comma to separate entries.
    Note: To learn more about IntelliScan, see IntelliScan Scan Methods.
6. Select additional settings under Scan Settings. Specify any directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.
    Tip: You can also use * as a wildcard when specifying extensions.
    There are some Trend Micro product directories that you need to manually add to the scan exclusion list. To exclude these directories, select Exclude directories where Trend Micro products are installed.
7. Click Save.

8. Click the Action tab.

FIGURE Configure Scheduled Scan Action tab

9. Specify virus/malware scan actions, either using ActiveAction or manually selecting an action for each virus/malware type. Use ActiveAction if you are unsure how to handle the different virus types. If you know which scan actions are suitable for each type of virus/malware, you can set the following actions, as appropriate:

For Virus/Malware, select from the following actions:

TABLE 4-6. Virus/Malware Scan Actions

SCAN ACTION: DESCRIPTION
Delete: Deletes an infected file.
Quarantine: Moves an infected file to the member's quarantine directory found in {Core Protection for Virtual Machines member folder}\virus. The default quarantine directory is {Core Protection for Virtual Machines server folder}\virus, which you can change by going to Security Management > (Group Name) > Settings > {Scan Type} > Action tab.
Clean: Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file.
    Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Rename: Changes the infected file's extension to "vir". Users cannot open the file initially, but can do so if they associate the file with a certain application. A virus/malware may execute when opening the renamed infected file.
Pass: Enables full access to the infected file without doing anything to the file. A user may copy/delete/open the file. If you select Pass, you may allow a VM to become infected.

For Spyware/Grayware, select from the following actions:

TABLE 4-7. Virus/Malware Scan Actions

SCAN ACTION: DESCRIPTION
Delete: Deletes an infected file.
Clean: Terminates processes or deletes registries, files, cookies and shortcuts.
    Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Pass: Logs the spyware/grayware detection for assessment.
    WARNING! If you select Pass, you may allow a VM to become infected.

10. Type a Quarantine Directory, if you want to specify a different virus/malware quarantine directory. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Use an absolute file path format for the quarantine directory, such as C:\temp.
    WARNING! If you specify an incorrect quarantine directory, the CPVM client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the virus/malware logs of the server, the scan result is "Unable to send the quarantined file to the designated quarantine folder."
11. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.
12. Click Save.

Configuring Scan Now Settings

To configure a Scan Now, specify the scan targets and the actions to take when security risks are encountered.

To configure a Scan Now:
1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Under Security Groups, click the group you want to configure.
3. Click Settings > Scan Now Settings. The Scan Now Settings screen appears.

FIGURE Configure Scan Now Target tab

4. Select the Files to Scan. If you choose to scan files based on extensions, add or delete extensions from the default set of extensions. Use a comma to separate entries.
    Note: To learn more about IntelliScan, see IntelliScan Scan Methods.

5. Select additional settings under Scan Settings. Specify any directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.
    Tip: You can also use * as a wildcard when specifying extensions.
    There are some Trend Micro product directories that you need to manually add to the scan exclusion list. To exclude these directories, select Exclude directories where Trend Micro products are installed.
6. Click Save.
7. Click the Action tab.

FIGURE Configure Scan Now Action tab

8. Specify virus/malware scan actions, either using ActiveAction or manually selecting an action for each virus/malware type. Use ActiveAction if you are unsure how to handle the different virus types. If you know which scan actions are suitable for each type of virus/malware, you can set the following actions, as appropriate:

For Virus/Malware, select from the following actions:

TABLE 4-8. Virus/Malware Scan Actions

SCAN ACTION: DESCRIPTION
Delete: Deletes an infected file.
Quarantine: Moves an infected file to the member's quarantine directory found in {Core Protection for Virtual Machines member folder}\virus. The default quarantine directory is {Core Protection for Virtual Machines server folder}\virus, which you can change by going to Security Management > (Group Name) > Settings > {Scan Type} > Action tab.
Clean: Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file.
    Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Rename: Changes the infected file's extension to "vir". Users cannot open the file initially, but can do so if they associate the file with a certain application. A virus/malware may execute when opening the renamed infected file.
Pass: Enables full access to the infected file without doing anything to the file. A user may copy/delete/open the file. If you select Pass, you may allow a VM to become infected.

For Spyware/Grayware, select from the following actions:

TABLE 4-9. Virus/Malware Scan Actions

SCAN ACTION: DESCRIPTION
Delete: Deletes an infected file.
Clean: Terminates processes or deletes registries, files, cookies and shortcuts.
    Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Pass: Logs the spyware/grayware detection for assessment.
    WARNING! If you select Pass, you may allow a VM to become infected.

9. Type a Quarantine Directory, if you want to specify a different virus/malware quarantine directory. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Use an absolute file path format for the quarantine directory, such as C:\temp.
    WARNING! If you specify an incorrect quarantine directory, the CPVM client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the virus/malware logs of the server, the scan result is "Unable to send the quarantined file to the designated quarantine folder."
10. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.
11. Click Save.

Viewing and Managing Logs

Core Protection for Virtual Machines enables you to view and delete virus/malware and spyware/grayware logs.

To view Virus/Malware logs:
1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Expand Security Groups and click the group whose logs you want to view.
3. Select the members whose logs you want to view.
4. Click Logs > Virus/Malware Logs. The Virus/Malware Log Criteria screen appears.

FIGURE Virus/Malware Log Criteria screen

5. Specify the Time Period. If you select a range of dates, set the From and To dates (start and end dates) for the logs.

    Note: If you select a range and leave the From field blank, CPVM includes all logs from the earliest date. If you select a range and leave the To field blank, CPVM includes all logs up to the present date.
6. Specify the Scan Type for the logs and click Display Logs.

To view the Spyware/Grayware logs:
1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Expand Security Groups and click the group whose logs you want to view.
3. Select the members whose logs you want to view.

4. Click Logs > Virus/Malware Logs. The Spyware/Grayware Log Criteria screen appears.

FIGURE Spyware/Grayware Log Criteria screen

5. Specify the Time Period.
    Note: If you select a range of dates and leave the From date blank, CPVM includes all logs from the earliest date. If you leave the To field blank, CPVM includes all logs up to the present date.
6. Click Display Logs.

Manually Deleting Logs

You can specify a schedule for deleting logs. You can specify which logs to delete, and whether to delete them daily, weekly, or monthly.

To manually delete logs:
1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
2. Expand Security Groups and click the group to delete logs for.
3. Click Logs > Delete Logs. The Log Maintenance screen appears.

FIGURE Log Maintenance screen

4. Select the Log Types to Delete. Other logs deletes the server logs.
5. Choose whether to delete all selected logs or only logs older than the specified number of days.
6. Click Delete.


Chapter 5

Updating Components

The Updates screens enable you to schedule, perform and roll back component updates.

Topics in this chapter:
- Components
- Viewing an Update Summary
- Configuring Scheduled Server Updates
- Performing a Manual Server Update
- Specifying a Server Update Source
- Configuring Automatic Member Updates
- Performing Manual Member Updates
- Rolling Back Updates

Components

The following are the Core Protection for Virtual Machines components.

Antivirus
- Virus Pattern: A file that helps Core Protection for Virtual Machines identify virus signatures, unique patterns of bits and bytes that signal the presence of a virus.
- Virus Scan Engine: The engine that scans for and takes appropriate action on viruses/malware; supports 32-bit and 64-bit platforms.

Note: You can roll back both the Virus Pattern and Virus Scan Engine.

Anti-spyware
- Spyware Pattern: The file that identifies spyware/grayware in files and programs, modules in memory, Windows registry and URL shortcuts.
- Spyware Scan Engine: The engine that scans for and takes appropriate action on spyware/grayware; supports 32-bit and 64-bit platforms.

Component Duplication

When the latest version of a full pattern file is available for download from the Trend Micro ActiveUpdate server, fourteen "incremental patterns" also become available. The Core Protection for Virtual Machines server compares its current full pattern version with the latest version on the ActiveUpdate server. If the difference between the two versions is 14 or less, the server only downloads the incremental pattern that accounts for the difference between the two versions.

Incremental patterns are smaller versions of the full pattern file that account for the difference between the latest and previous full pattern file versions. For example, if the latest version is 175, incremental pattern v_ contains signatures in version 175 not found in version 173. Version 173 is the previous full pattern version since pattern numbers are released in increments of 2. Incremental pattern v_ contains signatures in version 175 not found in version

To reduce network traffic generated when downloading the latest pattern, Core Protection for Virtual Machines performs component duplication, a component update method where the Core Protection for Virtual Machines server or Update Agent downloads only incremental patterns. Component duplication applies to both virus and spyware patterns.

Updating a component as soon as a new version is available reduces the impact of component duplication on server performance. Therefore, ensure that you download components regularly.

To help explain component duplication for the server, refer to the following scenario:

Full patterns on the Core Protection for Virtual Machines Server
- Current version: 171
- Other versions available:

Latest version on the ActiveUpdate server
- Full pattern version: 175
- Incremental patterns:

Component duplication process for the Core Protection for Virtual Machines server

1. The Core Protection for Virtual Machines server compares its current full pattern version (171) with the latest version (175) on the ActiveUpdate server. If the difference between the two versions is 14 or less, the server only downloads the incremental pattern that accounts for the difference between the two versions.
    Note: If the difference is more than 14, the server automatically downloads the full version of the pattern file and 14 incremental patterns.

    To illustrate based on the example:
    - The difference between versions 171 and 175 is 2. In other words, the server does not have versions 173 and 175.
    - The server downloads incremental pattern This incremental pattern accounts for the difference between versions 171 and
2. The server merges the incremental pattern with its current full pattern to generate the latest full pattern.
    To illustrate based on the example:
    - On the server, Core Protection for Virtual Machines merges version 171 with incremental pattern to generate version 175.
    - The server has 1 incremental pattern ( ) and the latest full pattern (version 175).
3. The server generates incremental patterns based on the other full patterns available on the server. If the server does not generate these incremental patterns, clients that missed downloading earlier incremental patterns automatically download the full pattern file, which will consequently generate more network traffic.
    To illustrate based on the example:
    - Because the server has pattern versions 169, 167, 165, 163, 161, 159, it can generate the following incremental patterns:
    - The server does not need to use version 171 because it already has the incremental pattern
    - The server now has 7 incremental patterns:
    - The server keeps the last 7 full pattern versions (versions 175, 171, 169, 167, 165, 163, 161). It removes any older version (version 159).

4. The server compares its current incremental patterns with the incremental patterns available on the ActiveUpdate server. The server downloads the incremental patterns it does not have.
    To illustrate based on the example:
    - The ActiveUpdate server has 14 incremental patterns:
    - The Core Protection for Virtual Machines server has 7 incremental patterns:
    - The Core Protection for Virtual Machines Server downloads an additional 7 incremental patterns:
    - The server now has all the incremental patterns available on the ActiveUpdate server.
5. The latest full pattern and the 14 incremental patterns are made available to clients.

Viewing an Update Summary

The Update Summary screen displays the overall component update status. You can view the following information for each component:
- Current version
- Date and time of latest update
- Number of members with updated components
- Number of members with outdated components
- Total members, members online, and members offline

Tip: Refresh the page periodically for an accurate picture of your component update status.
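The component duplication steps 1 to 5 above, worked through in code for the guide's own scenario (server at 171, latest 175). This is an added example, not Trend Micro code: writing an incremental pattern as a (base_version, latest_version) tuple, and the ActiveUpdate server's 14 incrementals covering the 14 releases just before the latest one, are assumptions made for illustration.

```python
"""Model of the server-side component duplication steps (added example).

Assumptions, not taken from the product: an incremental pattern is written as
a (base_version, latest_version) tuple, the ActiveUpdate server's incrementals
cover the 14 releases immediately before the latest one, and the 7-version
retention rule also applies after a full download.
"""

STEP = 2               # guide: pattern numbers are released in increments of 2
MAX_INCREMENTALS = 14  # guide: 14 incremental patterns accompany a full pattern
KEEP_FULL = 7          # guide: the server keeps the last 7 full pattern versions


def releases_behind(current, latest):
    """Version difference counted in releases, as in the guide (171 to 175 is 2)."""
    if latest < current or (latest - current) % STEP:
        raise ValueError("latest must be current plus a whole number of releases")
    return (latest - current) // STEP


def active_update_incrementals(latest):
    """Incrementals assumed to be offered alongside the latest full pattern."""
    return [(latest - STEP * n, latest) for n in range(1, MAX_INCREMENTALS + 1)]


def duplicate_components(current, other_full, latest):
    """Walk steps 1-5 and report what the server downloads, builds and keeps."""
    behind = releases_behind(current, latest)
    offered = active_update_incrementals(latest)
    held_full = sorted({current, latest, *other_full}, reverse=True)
    plan = {
        "full_download": behind > MAX_INCREMENTALS,  # step 1 note
        "downloaded": [],                            # incrementals fetched
        "generated": [],                             # incrementals built locally
        "kept_full": held_full[:KEEP_FULL],          # step 3 retention
        "removed_full": held_full[KEEP_FULL:],
        "available": list(offered),                  # step 5
    }
    if behind == 0:
        return plan  # already current, nothing to fetch or build
    if plan["full_download"]:
        # More than 14 releases behind: full pattern plus all 14 incrementals.
        plan["downloaded"] = list(offered)
        return plan
    # Step 1: fetch only the incremental that bridges current -> latest.
    plan["downloaded"] = [(current, latest)]
    # Step 2 (merge) yields the latest full pattern; nothing else to transfer.
    # Step 3: build incrementals from the other full patterns already held.
    plan["generated"] = [
        (v, latest) for v in sorted(other_full, reverse=True) if v != current
    ]
    # Step 4: fetch whichever offered incrementals are still missing.
    held = set(plan["downloaded"]) | set(plan["generated"])
    plan["downloaded"] += [p for p in offered if p not in held]
    return plan


if __name__ == "__main__":
    # The guide's scenario: current 171, other full versions 169..159, latest 175.
    result = duplicate_components(171, [169, 167, 165, 163, 161, 159], 175)
    for key, value in result.items():
        print(f"{key}: {value}")
```

For the guide's scenario the model reproduces the counts in the text: one incremental downloaded first, six generated locally (seven held), seven more downloaded, and full version 159 removed.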

To view the update summary:
1. On the Core Protection for Virtual Machines navigation bar, select Updates > Summary. The Update Summary screen appears.

FIGURE 5-1. Update Summary screen

2. In the Update Status for Members table, view the update status for each component.

3. For each component, you can view its current version and the last update date. You can also view members with out-of-date components. The Update Status for Members pane displays the following current update status for all members in your infrastructure, separated by category:
    - Component Version: The current version and date/time of the last update.
    - Member Update Status: The total number of members currently online and offline that have been updated, along with those that need to be updated. Click the Offline, Online, or Total value for Outdated Status to go to the Manual Update screen where you can update member components.
4. View update information for the following components:
    - Antivirus: Shows the current status of virus pattern and virus scan engine updates for all members in your environment.
        - Virus Pattern
        - Virus Scan Engine (32-bit)
        - Virus Scan Engine (64-bit)
    - Anti-spyware: Shows the current status of anti-spyware pattern and scan engine updates for all members in your environment.
        - Spyware Pattern
        - Spyware Scan Engine (32-bit)
        - Spyware Scan Engine (64-bit)

Configuring Scheduled Server Updates

Configure the Core Protection for Virtual Machines server to regularly check its update source and automatically download any available updates. Use automatic scheduled updates for an easy and effective way of ensuring that your protection against security risks is always current.

To configure a server update schedule:
1. On the Core Protection for Virtual Machines navigation bar, click Updates > Scheduled Update.

FIGURE 5-2. Server Scheduled Update screen

2. Select Enable scheduled update of the Core Protection for Virtual Machines server.

3. Specify the update schedule. For daily, weekly and monthly updates, the period of time is the number of hours during which Core Protection for Virtual Machines will perform the update. Core Protection for Virtual Machines performs updates at any given time during this time period.
4. Specify the action to take if the update is unsuccessful.
5. Click Save.

Performing a Manual Server Update

You can perform a manual server update at any time.

To update the server manually:
1. On the Core Protection for Virtual Machines navigation bar, click Updates > Server > Manual Update. The Server Manual Update screen appears.

FIGURE 5-3. Server Manual Update screen

2. To view component details, click in front of Antivirus or Anti-spyware.
3. Click Update. The server downloads the updated components.
    Note: If you did not specify a component deployment schedule on the Automatic Update screen, the server downloads the updates but does not deploy them to the members.

Specifying a Server Update Source

There are two events that can trigger members to perform component updates. One is after the server downloads the latest components and the other is when members restart and then connect to the server. To trigger component update when these events occur, click Updates > Members > Automatic Update and go to the Event-triggered Update section.

To configure the server update source:
1. On the Core Protection for Virtual Machines navigation bar, click Updates > Server > Update Source. The Server Update Source screen appears.

FIGURE 5-4. Server Update Source screen

2. Select the location from which to download component updates. You can choose to download from the Trend Micro ActiveUpdate server, a specific update source, or a location on your company intranet.
3. To use an intranet location containing a copy of the current files, specify the location and credentials for the Server Update source files:
    - UNC path: The location where the update files are stored.
    - User name: The user name to access the shared folder.
    - Password: The password to access the shared folder.
    - Domain: The domain where the CPVM server is installed. If in a workgroup, leave this text box empty.
    - User name: The user name to access the CPVM server.
    - Password: The password to access the CPVM server.

    Note: Core Protection for Virtual Machines uses component duplication when downloading components from the update source.
4. Click Save.

Configuring Automatic Member Updates

Trend Micro recommends that you always use automatic update. Automatic update removes the burden of performing manual updates on members and eliminates the risk of members not having up-to-date components.

To configure automatic member updates:
1. On the Core Protection for Virtual Machines navigation bar, click Updates > Automatic Update.

FIGURE 5-5. Automatic Update screen

    Note: If the Core Protection for Virtual Machines server is unable to successfully send an update notification to members after it downloads components, it automatically resends the notification after 15 minutes. The server continues to send update notifications up to a maximum of five times until the client responds. If the fifth attempt is unsuccessful, the server stops sending notifications. If you select the option in this screen to update components when members restart and then connect to the server, component update will still proceed.
2. Specify the schedule for performing updates. If you select Daily or Weekly, specify the time of the update and the time period for updating components. For example, if your start time is 12pm and the time period is 2 hours, Core Protection for Virtual Machines will randomly notify all online members to update components from 12pm until 2pm. This setting prevents all online members from simultaneously connecting to the server at the specified start time, significantly reducing the amount of traffic directed to the server.
    Offline members are not notified. Offline members are updated as part of the scheduled scan process, when they come online, or if you initiate manual update, depending on which takes place first.
3. Click Save.

Performing Manual Member Updates

Use the Manual Updates screen to manually update components for members and view the date and time of the last component updates. Members can also update components if you configure automatic component update settings.

To configure manual member updates:
1. On the Core Protection for Virtual Machines navigation bar, click Updates > Manual Updates. The Manual Update (Members) screen appears.

FIGURE 5-6. Manual Update screen

2. Select the target members:
    - To update all members with outdated components, select Select members with outdated components.
    - To manually select members, search for the members using the Search for members option, or navigate through the Security Groups tree and select each member to update.
3. Click Update. The server starts notifying each member to download updated components.

Rolling Back Updates

Rolling back refers to reverting to the previous version of the Virus Pattern or Virus Scan Engine. If these components do not function properly, roll them back to their previous versions. Core Protection for Virtual Machines retains the current and the previous versions of the Virus Scan Engine and the last five versions of the Virus Pattern.

Note: You can only roll back the Virus Pattern and Virus Scan Engine. When you roll back updates, the rollback applies to all components.

Core Protection for Virtual Machines uses different scan engines for members running 32-bit and 64-bit platforms. You need to roll back these scan engines separately. The rollback procedure for all types of scan engines is the same.

To roll back the Virus Pattern or Virus Scan Engine:
1. On the Core Protection for Virtual Machines navigation bar, click Updates > Rollback. The Rollback screen appears.

FIGURE 5-7. Rollback screen

2. Click next to Antivirus to view the current antivirus component versions and the date and time of the latest update. Select component versions to roll back.
3. Click next to Anti-spyware to view the anti-spyware component versions and the date and time of the latest update. Select component versions to roll back.
4. Click Rollback Member Versions.
5. To cancel the rollback, click Cancel.

Chapter 6

Viewing and Managing Logs

This chapter describes how to get timely information about Core Protection for Virtual Machines activity by generating and viewing logs.

Topics in this chapter:
- Overview
- Logged Actions
- Viewing Member Logs
- Viewing Server Logs
- Viewing Virus/Malware Logs
- Viewing Spyware/Grayware Logs
- Deleting Logs

109 Viewing and Managing Logs Overview Core Protection for Virtual Machines keeps comprehensive logs about security risk detections, events, and updates. Use these logs to assess your organization's protection policies and to identify clients at a higher risk of infection or attack. Also, use these logs to check client-server connections and verify if the component update is successful or not. You can configure, view, and delete the following logs: TABLE 6-1. Core Protection for Virtual Machine Logs LOGS DESCRIPTION Component Update Spyware/Grayware Virus/Malware Server Update CPVM clients send virus pattern update logs to the server. In the Component Update Progress screen, you can view the number of members updated for every 15-minute interval and the total number of members updated. After cleaning spyware/grayware, Core Protection for Virtual Machine clients back up spyware/grayware data, which you can restore anytime if you consider the spyware/grayware safe. Core Protection for Virtual Machines keeps logs of events related to virus/malware, such as a virus detected by a manual scan or a Virtual Center inventory change after a virus is detected by QuickScan. Core Protection for Virtual Machines keeps logs for all events related to component updates on the Core Protection for Virtual Machines server. View the logs to verify that Core Protection for Virtual Machines successfully downloaded the components required to keep your protection current. 6-2

TABLE 6-1. Core Protection for Virtual Machines Logs (continued)
LOGS: DESCRIPTION
System Events: Core Protection for Virtual Machines records events related to the server program, such as shutdown and startup. Use these logs to verify that the Core Protection for Virtual Machines server and services work properly. Core Protection for Virtual Machines logs the following events:
- Trend Micro Virtualization Service is started
- Trend Micro Virtualization Service is stopped
- Virus pattern out of date! Expire days
- Scan start and stop times and the number of files scanned

Logged Actions
Core Protection for Virtual Machines logs different information depending on the type of log and where the event is logged. Events are logged in server logs, at the Scanning Agent, and at the Real-time Agent.

Actions Logged at the Agents
The following member logs are recorded at the Scanning Agent and at the Real-time Agent:
- Member system event log
- Virus/malware
- Spyware/grayware
- Member update

TABLE 6-2.

MEMBER ACTIONS LOGGED AT THE SCANNING AGENT
System event logs:
- Virus pattern out-of-date
- Scheduled purge start/stop
- Real-time Agent service start/stop
- CPVM service start/stop
- Spyware pattern out-of-date
- VC Inventory change (such as add or remove) when a new VM is detected if QuickScan is enabled and a QuickScan Summary is generated
- Scanning Agent start/stop
Scanning agent logs include the following group level information:
- Scheduled Scan start/stop for a group
- Start/stop for scanning individual VMs within a group
- Information about any files that could not be scanned on the Scanning Agent
- Details about viruses caught in a zip file, if any, on the Scanning Agent

MEMBER ACTIONS LOGGED AT THE REAL-TIME AGENT
System event logs:
- Virus pattern out-of-date
- Scheduled Purge start/stop
- Real-time Agent service start/stop
- CPVM service start/stop (Real-time Agent start/stop)
- Virus/Spyware caught by Real-time Scan logs details about viruses caught in a zip file, if any

TABLE 6-2. (continued)

MEMBER ACTIONS LOGGED AT THE SCANNING AGENT
Target VMs in a group include the following:
- Start/stop of Scheduled Scan
- Summary of the number of files scanned, not scanned, and infected
- Information about any files that could not be scanned
- Details about viruses detected in zip files, if any
MEMBER VIRUS/MALWARE LOGS:
- VC Inventory change (such as add and remove) if a virus is detected by QuickScan
- Logs virus/spyware detected by a Manual Scan
- Scheduled Scan if individual VMs in the group have the following an entry for each virus/spyware file that might be detected. There will be only one entry for a zip file even if it contains multiple viruses
SPYWARE/GRAYWARE LOGS:
- VC Inventory change (such as add and remove) if spyware or grayware is detected by QuickScan
- QuickScan (dormant VMs only) if spyware is detected by QuickScan
MEMBER UPDATE LOG
- Records all member updates.

MEMBER ACTIONS LOGGED AT THE REAL-TIME AGENT
MEMBER VIRUS/MALWARE LOG:
- Manual Scan if virus/spyware is detected by a manual scan
- Scheduled Scan logs an entry for each virus/spyware file that might be detected. There will be only one entry for a zip file even if it contains multiple viruses
- Real-time Scan logs details about viruses detected in a zip file, if any
MEMBER UPDATE LOGS
- Records all member updates.

Viewing Member Logs
To view member logs:
1. From the left navigation bar, click Logs > Member Logs. The Security Risk Logs for Members page appears.
FIGURE 6-1 Security Risk Logs for Members page
2. Expand Security Groups and click the group that the member belongs to.
Note: To search for a specific member, enter the member name in the Search for members text box and click Search.
3. Select the member whose logs you want to view.
4. Select View Logs > {log type}.
5. Specify log criteria and click Display Logs.
6. For details about the log, click View.
7. To save the log as a comma-separated value (CSV) data file, click Export to CSV.
8. Open the file or save it to a specific location. A CSV file usually opens with a spreadsheet application (such as Microsoft Excel).

Viewing Server Logs
The server logs show the date/time, result, member name involved, and the server action. The following actions are recorded in the Server Log:
- Administrator Web console login/logout
- Scanning agent install/uninstall
- Real-time agent install/uninstall
- Administrator Web console password change
- Server update
- CPVM service start/stop (MCS start/stop)
To view the server log:
From the left navigation bar, click Logs > Server Logs. The Server Logs screen appears.
FIGURE 6-2 Server Logs screen
Tip: To export the logs to CSV format, click Export to CSV.

Viewing Virus/Malware Logs
To view Virus/Malware logs:
1. From the left navigation bar, click Security Management.
2. Expand Security Groups and click the group to which the member belongs.
3. Select the members for which to view the logs.
4. Click Logs > Virus/Malware Logs. The Virus/Malware Log Criteria screen appears.
FIGURE 6-3 Virus/Malware Log Criteria screen
5. Select a time period for the log.
Tip: Leave the Start Date field blank to search for all logs from the earliest date. Leave the To field empty to search for all logs to the present.
6. Specify the type of scan that generated the log.
7. Click Display Logs.

Viewing Spyware/Grayware Logs
To view the Spyware/Grayware logs:
1. From the left navigation bar, click Security Management.
2. Click the group to which the members belong.
3. Select the members for which to view the logs.
4. Click Logs > Spyware/Grayware Log. The Spyware/Grayware Log Criteria screen appears.
FIGURE 6-4 Spyware/Grayware Log Criteria Dialog Box
5. Specify a time period for the logs.
Tip: Leave the Start Date field blank to search for all logs from the earliest date. Leave the To field empty to search for all logs to the present.
6. Click Display Logs.

Using the Log Viewer
The Log Viewer lets you view the logs on each machine that has an agent installed, independently of the Web console.
To view logs:
1. Go to the folder where the agent is installed. For example:
C:\Program Files\Trend Micro\CPVM Scanning Agent
or
C:\Program Files\Trend Micro\CPVM Real-Time Agent
2. Copy the VSLog\vslog.dbf file to the above directory.
Note: You cannot open the vslog.dbf file directly from the VSLog folder because the agent service is using it. You can only open a copy of the file.
3. Start the LogViewer.exe tool.
4. From the LogViewer File menu, select the vslog.dbf file.
The following shows a typical view, which displays the logs in the DB file.
FIGURE 6-5 Log View tool

Deleting Logs
Core Protection for Virtual Machines can automatically purge logs if you configure a deletion schedule. Otherwise, you will need to manually delete logs.
To delete logs based on a schedule:
1. From the left navigation bar, click Logs > Log Maintenance. The Log Maintenance screen appears.
FIGURE 6-6 Log Maintenance page
2. Select Enable scheduled deletion of logs.
3. Select one or more log types to delete.
Note: Infection logs include all virus/malware and spyware/grayware logs.
4. Specify the log deletion schedule, and click Save.
To manually delete logs:
1. From the left navigation bar, click Security Management. The Security Management screen appears.

2. Click the group for which you want to delete logs.
3. Click Logs > Delete Logs. The Log Maintenance screen appears.
FIGURE 6-7 Log Maintenance window
4. Select the log types to delete.
5. Select the logs to delete, and click Delete.

Chapter 7
Managing Notifications
This chapter explains how to configure notifications to be sent for threats or system events.
Topics in this chapter:
- Configuring Alert Notifications
- Configuring General Settings
- Configuring Notification Triggers

Configuring Alert Notifications
To configure notifications to be sent in response to security threats or system events, configure notification general settings and notification triggers.

Configuring General Settings
General settings define the notification mode ( , SNMP or NT Event Log) and apply to all Core Protection for Virtual Machines notification messages.
To configure general notification settings:
1. From the left navigation bar, click Notifications > General Settings. The General Settings screen appears.
FIGURE 7-1 General Notifications Settings
2. Select one or more notification methods and type the associated information.
- Enable notification via
- Enable notification via SNMP
- Enable notification by NT Event log - sends to the NT Trap log
3. Click Save.

Configuring Notification Triggers
Notification triggers define the threat and/or event that triggers an alert:
- Standard Settings define security threat triggers plus the message data for the notification.
- System Notification Settings define system events that trigger a notification.
To configure standard notification settings:
1. From the left navigation bar, click Notifications > Standard Notifications. The Standard Notifications screen appears.
FIGURE 7-2 Standard Notifications Settings
2. Specify which events will trigger the system to send notifications.
3. Select the message and token variables for the Message field. Token variables represent the data that you want to display in the notification message. For example:
at %y, Core Protection for Virtual Machines found the following virus on member %m%s: virus %v, location: %p. Core Protection for Virtual Machines performed the following action on the infected computer: %a.

Note: Pattern Update has only the %s option. Virus malware can have additional options, such as %f, %l, %i and %y.
TABLE 7-1. Token Variables for Standard Notifications
VARIABLE: DESCRIPTION
%s: Member with security risk
%n: Name of the user logged on to the infected computer
%m: Domain of the computer
%p: File path of the computer
%v: Security risk name
%y: Date and time of security risk detection
%a: Action taken on the security risk
%T: Spyware/Grayware and scan result
Note: The Subject field does not accept token variables.
4. Click Save.
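Added example, not part of the Trend Micro guide: a log-ingestion helper that turns a notification Message template built from the Table 7-1 tokens into a regular expression and pulls the fields back out of a delivered alert. The function names, the field names and the sample alert are assumptions made for illustration; the template is the guide's own example, whose adjacent tokens %m%s cannot be split reliably and are therefore captured as one field and reported.

```python
import re

# Token meanings as listed in Table 7-1 of the guide.
TOKENS = {
    "%s": "member", "%n": "user", "%m": "domain", "%p": "file_path",
    "%v": "risk_name", "%y": "detected_at", "%a": "action", "%T": "scan_result",
}
TOKEN_RE = re.compile(r"%[A-Za-z]")

# The example message from step 3 of the guide.
GUIDE_TEMPLATE = (
    "at %y, Core Protection for Virtual Machines found the following virus "
    "on member %m%s: virus %v, location: %p. Core Protection for Virtual "
    "Machines performed the following action on the infected computer: %a."
)

# Constructed sample of a delivered notification. Every value is made up,
# including the DOMAIN\member rendering of %m%s.
SAMPLE_MESSAGE = (
    r"at 2011-01-15 10:32:07, Core Protection for Virtual Machines found the "
    r"following virus on member LAB\VM-WEB01: virus TEST_VIRUS_A, location: "
    r"C:\Temp\sample.exe. Core Protection for Virtual Machines performed the "
    r"following action on the infected computer: Quarantine."
)


def field_name(token):
    """Map a token to a field name; tokens the table does not describe
    (the guide mentions %f, %l and %i) get a generic tok_<letter> name."""
    return TOKENS.get(token, "tok_" + token[1])


def literal_to_regex(text):
    """Escape literal template text, letting any whitespace run match any
    whitespace run so that re-wrapped e-mail bodies still parse."""
    out = []
    for chunk in re.split(r"(\s+)", text):
        if chunk:
            out.append(r"\s+" if chunk.isspace() else re.escape(chunk))
    return "".join(out)


def compile_template(template):
    """Return (compiled_pattern, ambiguous_runs) for a Message template.

    A run of adjacent tokens has no delimiter to split on, so it is captured
    as a single joined field and listed in ambiguous_runs for the operator.
    """
    pieces, seen, ambiguous = [], set(), []
    parts = re.split(r"((?:%[A-Za-z])+)", template.strip())
    for i, part in enumerate(parts):
        if i % 2 == 0:  # even positions are literal text
            pieces.append(literal_to_regex(part))
            continue
        tokens = TOKEN_RE.findall(part)
        if len(tokens) > 1:
            ambiguous.append(part)
        name = "_".join(field_name(t) for t in tokens)
        if name in seen:  # a repeated token must carry the same value
            pieces.append("(?P=%s)" % name)
        else:
            seen.add(name)
            pieces.append("(?P<%s>.+?)" % name)
    return re.compile("".join(pieces)), ambiguous


def parse_notification(template, message):
    """Extract the token values from a notification, or None on mismatch."""
    pattern, _ = compile_template(template)
    match = pattern.fullmatch(message.strip())
    return match.groupdict() if match else None


def subject_has_tokens(subject):
    """The guide notes that the Subject field does not accept tokens."""
    return bool(TOKEN_RE.search(subject))


if __name__ == "__main__":
    print(compile_template(GUIDE_TEMPLATE)[1])
    print(parse_notification(GUIDE_TEMPLATE, SAMPLE_MESSAGE))
```

Putting literal text between tokens in the Message field (for example a separator between %m and %s) removes the ambiguity and lets each value be extracted on its own.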

To configure notifications for system events:
1. From the left navigation bar, click Notifications > System Notifications. The System Notifications screen appears.
FIGURE 7-3 System Notifications Settings
2. Specify the system events that will trigger notification messages.
3. Select the message and token variables for the Message field and click Save. Token variables represent the data that you want to display in the notification message.
TABLE 7-2. Token Variables for System Event Notifications
VARIABLE: DESCRIPTION
%CV: Total number of security risks detected
%CC: Total number of computers with security risks

TABLE 7-2. Token Variables for System Event Notifications (continued)
VARIABLE: DESCRIPTION
%A: Log type exceeded
%M: Time period in minutes
Note: The Subject field does not accept token variables.

Chapter 8
Administering Core Protection for Virtual Machines
The Administration screens enable you to perform general administrative configurations such as the web console password, proxy settings, and virtual infrastructure settings.
Topics in this chapter:
- Setting the Web Console Password
- Configuring Proxy Settings
- Configuring Virtual Infrastructure Settings
- Configuring Compatible Products
- Viewing and Updating Your Product License

Setting the Web Console Password
The web console is password-protected to prevent unauthorized users from modifying Core Protection for Virtual Machines settings. During installation, the Core Protection for Virtual Machines Setup program requires you to specify a web console password; however, you can modify your password from the web console.
The following guidelines can help you create an effective password:
- Include both letters or special characters as well as numbers in your password
- Avoid words found in any dictionary, of any language
- Intentionally misspell words
- Use phrases or combine words
- Use both uppercase and lowercase letters
Note: If you forget the console password, contact Trend Micro technical support for instructions on how to gain access to the Web console. The only other alternative is to uninstall and reinstall Core Protection for Virtual Machines.

To change your password:
1. On the Core Protection for Virtual Machines navigation bar, click Administration > Change Password. The Console Password screen appears.
FIGURE 8-1. Change Password screen
2. In the Old Password box, enter your password.
3. Enter a new password in the New Password box. The password must contain a mixture of numbers, letters (upper and lower case), and special characters. The password can range from 7 to 14 characters.
4. Re-enter the password in the New Password Confirm box.
5. Click Change Password. The message "Your password was changed" appears if the reset was successful.

Configuring Proxy Settings
If the Internet connection for your network is routed through a proxy server, you need to enter the proxy server information to retrieve updates from the Internet.
To configure a proxy server:
1. On the Core Protection for Virtual Machines navigation bar, click Administration > Proxy Settings. The Proxy Settings screen appears.
FIGURE 8-2. Proxy Settings screen
2. Select Use a proxy server for pattern, engine, and license updates.
3. Choose a protocol type, either HTTP or Socks.
4. Type the Server name or IP address.
5. Type the Port number.
6. Type the proxy User ID and Password.
7. Click Save.

Configuring Virtual Infrastructure Settings
From the Virtual Infrastructure Settings screen, you can configure the information required to connect to the Virtual Center.
To configure the Virtual Center:
1. On the Core Protection for Virtual Machines navigation bar, click Administration > Virtual Infrastructure Settings. The Virtual Infrastructure Settings screen appears.
FIGURE 8-3. Virtual Infrastructure Settings screen

2. Type the following settings:
- Virtual Center Address
- Virtual Center User Name
- Virtual Center Password
- Virtual Center Verify Password
- Auto-sync with Virtual Center every - this is the frequency for automatically synchronizing with Virtual Center to update virtual machine information.
Note: The time it takes to synchronize with the Virtual Center depends on the number of virtual machines in the Virtual Center. Synchronization could take a while, up to thirty minutes, if you have a lot of virtual machines.
3. Select Register VC Core Protection for Virtual Machines plug in to register the plug-in.
4. To test the settings you have entered, click Test Connection.
5. Click Save.

Configuring Compatible Products
Use the Compatible Products screen to define the products that you want to operate in your Core Protection for Virtual Machines environment and the products that Core Protection for Virtual Machines will keep updated. Products that you can configure include the following:
- Trend Micro OfficeScan
- Trend Micro ServerProtect

To configure compatible products:
1. On the Core Protection for Virtual Machines navigation bar, click Administration > Compatible Products. The Compatible Products screen appears.
FIGURE 8-4. Compatible Products screen
2. To allow OfficeScan to be updated, select Trend Micro OfficeScan and type the Update Agent URL. This is the URL of the update server, which could be one of the following server URLs:
- The installed Agent Update server URL for OfficeScan, such as:
- Your own OfficeScan AU update server URL:
- Your AU update server URL (if you configured a client as the AU server from the OfficeScan setting):

3. To allow ServerProtect to be updated, select ServerProtect and type the following settings:
- Information Server IP Address: The IP address of the installed ServerProtect.
- Username: The username to access ServerProtect.
- Password: The password to access ServerProtect.
4. Click Save.

Viewing and Updating Your Product License
The Product License screen displays the current status of your Core Protection for Virtual Machines product license and enables you to update your license as needed.
Note: The product supports user-based license and CPU-based license. Depending on your purchase, CPVM displays the number of seats or number of CPUs licensed for your product.

To update your license information:
1. On the Core Protection for Virtual Machines navigation bar, click Administration > Product License.
FIGURE 8-5. Product License screen
The Product License screen displays the following information:
- Status: Your current product license status, Active, Inactive, or Expired.
- Version: Either "Full" or "Evaluation" version. If you have both full and evaluation versions, the version that displays is "Full."
- Expiration Date: The date your current license will expire.

2. In the Services column, click the name of the product to view or update.
FIGURE 8-6. Antivirus for Servers screen
The Product License screen shows the following product information:
- Status: "Activated", "Not Activated" or "Expired". If a product service has multiple licenses, and at least one license is still active, "Activated" displays.
- Version: Either "Full" or "Evaluation" version. If you have both full and evaluation versions, the version that displays is "Full".
- License Type: This can either be a "User based" or "CPU based" license depending on which you have purchased.
- Seats or Number of CPUs: This can be either the seat count purchased or the number of CPU licenses purchased.
- Expiration Date: If a product service has multiple licenses, the latest expiration date displays. For example, if the license expiration dates are 12/31/2008 and 06/30/2009, 06/30/2009 displays.
- Activation Code

Note: The version and expiration date of product services not activated is "N/A".
3. To update your activation code, click New Activation Code. The Enter a New Code screen appears.
FIGURE 8-7. Enter a New Code screen
4. Type your new Activation Code.
5. Click Activate.
Note: You must register a service before you can activate it. Contact your Trend Micro representative for more information about your Registration Key and Activation Code.
6. On the Product License Details screen, click Update Information to refresh the screen with the new license details and the status of the service. This screen also provides a link to your detailed license available on the Trend Micro web site.


Appendix A
VMware Virtual Center Integration
To enable management from within VMware Virtual Center, Core Protection for Virtual Machines is integrated with the Virtual Center interface. This topic explains two management options for the VMware Virtual Center integration.
Topics in this chapter:
- Virtual Center Plug-in
- Virtual Center Reporting

Virtual Center Plug-in
If the Virtual Center plug-in was enabled during CPVM installation or enabled from the web console, the CPVM Administration console is available from the Virtual Infrastructure client as a tab. The plug-in enables full CPVM management as if you were accessing the standalone CPVM Administrator web console.
FIGURE A-1. Virtual Center Virtual Machines tab

Virtual Center Reporting
Virtual Center reporting is implemented in the Virtual Center interface without any action required. The CPVM server creates and updates a custom attribute as part of the Summary screen Annotation section, providing the scan status of any VM in your inventory.
FIGURE A-2. Virtual Center Virtual Machines tab
Note: If you do not see the custom attribute being updated when viewing virtual machines, press F5 to refresh your screen.


More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Getting Started with ESXi Embedded

Getting Started with ESXi Embedded ESXi 4.0 Embedded vcenter Server 4.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent

More information

IBM Proventia Management SiteProtector Installation Guide

IBM Proventia Management SiteProtector Installation Guide IBM Internet Security Systems IBM Proventia Management SiteProtector Installation Guide Version2.0,ServicePack8.1 Note Before using this information and the product it supports, read the information in

More information

Kaspersky Administration Kit 8.0 GETTING STARTED

Kaspersky Administration Kit 8.0 GETTING STARTED Kaspersky Administration Kit 8.0 GETTING STARTED APPLICATION VERSION: 8.0 CRITICAL FIX 2 Dear User! Thank you for choosing our product. We hope that this document will help you in your work and will provide

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Virtual Infrastructure Web Access Administrator s Guide ESX Server 3.0 and VirtualCenter 2.0

Virtual Infrastructure Web Access Administrator s Guide ESX Server 3.0 and VirtualCenter 2.0 Virtual Infrastructure Web Access Administrator s Guide ESX Server 3.0 and VirtualCenter 2.0 Virtual Infrastructure Web Access Administrator s Guide Revision: 20060615 Item: VI-ENG-Q206-217 You can find

More information

F-Secure Client Security. Administrator's Guide

F-Secure Client Security. Administrator's Guide F-Secure Client Security Administrator's Guide F-Secure Client Security TOC 2 Contents Chapter 1: Introduction...7 1.1 System requirements...8 1.1.1 Policy Manager Server...8 1.1.2 Policy Manager Console...8

More information

TREND MICROTM PortalProtectTM1.5

TREND MICROTM PortalProtectTM1.5 TREND MICROTM PortalProtectTM1.5 Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

2.5. Smart Protection Server Security Made Smarter. Administrator s Guide. Endpoint Security. Messaging Security

2.5. Smart Protection Server Security Made Smarter. Administrator s Guide. Endpoint Security. Messaging Security Smart Protection Server Security Made Smarter 2.5 Administrator s Guide e m p w Endpoint Security Messaging Security Protected t Cloud Web Security Trend Micro Incorporated reserves the right to make

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product/service described herein without notice. Before installing and using the product/service, review the readme

More information

TREND MICRO. InterScan VirusWall 6. FTP and POP3 Configuration Guide. Integrated virus and spam protection for your Internet gateway.

TREND MICRO. InterScan VirusWall 6. FTP and POP3 Configuration Guide. Integrated virus and spam protection for your Internet gateway. TM TREND MICRO TM TM InterScan VirusWall 6 Integrated virus and spam protection for your Internet gateway for Linux TM FTP and POP3 Configuration Guide Trend Micro Incorporated reserves the right to make

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Document Part No. NVEM12103/41110

Document Part No. NVEM12103/41110 Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

FinalCode Viewer User Manual

FinalCode Viewer User Manual FinalCode Viewer User Manual Edition 2.3 Target: FinalCode Viewer Ver.4.30 January 7th, 2015 1 Introduction Thank you for choosing FinalCode. This manual describes how to install, and operate FinalCode

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

vsphere Update Manager Installation and Administration Guide 17 APR 2018 VMware vsphere 6.7 vsphere Update Manager 6.7

vsphere Update Manager Installation and Administration Guide 17 APR 2018 VMware vsphere 6.7 vsphere Update Manager 6.7 vsphere Update Manager Installation and Administration Guide 17 APR 2018 VMware vsphere 6.7 vsphere Update Manager 6.7 You can find the most up-to-date technical documentation on the VMware website at:

More information

Getting Started Guide. This document provides step-by-step instructions for installing Max Secure Anti-Virus and its prerequisite software.

Getting Started Guide. This document provides step-by-step instructions for installing Max Secure Anti-Virus and its prerequisite software. Getting Started Guide This document provides step-by-step instructions for installing Max Secure Anti-Virus and its prerequisite software. Contents 2 Contents Introduction... 3 System Requirements... 4

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Getting Started with VMware View View 3.1

Getting Started with VMware View View 3.1 Technical Note Getting Started with VMware View View 3.1 This guide provides an overview of how to install View Manager components and provision virtual desktops. Additional View Manager documentation

More information

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central Trend Micro Apex One as a Service / Apex One Best Practice Guide for Malware Protection 1 Best Practice Guide Apex One as a Service / Apex Central Information in this document is subject to change without

More information

Seqrite Endpoint Security

Seqrite Endpoint Security Enterprise Security Solutions by Quick Heal Integrated enterprise security and unified endpoint management console Enterprise Suite Edition Product Highlights Innovative endpoint security that prevents

More information

OfficeScanTM 10 For Enterprise and Medium Business

OfficeScanTM 10 For Enterprise and Medium Business OfficeScanTM 10 For Enterprise and Medium Business Administrator s Guide es Endpoint Security Trend Micro Incorporated reserves the right to make changes to this document and to the products described

More information

Document Part No. PPEM25975/ Protected by U.S. Patent No. 5,951,698

Document Part No. PPEM25975/ Protected by U.S. Patent No. 5,951,698 Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Sophos for Virtual Environments. startup guide -- Sophos Central edition

Sophos for Virtual Environments. startup guide -- Sophos Central edition Sophos for Virtual Environments startup guide -- Sophos Central edition Contents About this guide... 1 About Sophos for Virtual Environments...2 Key steps in installation... 5 Check the system requirements...

More information

Dell License Manager Version 1.2 User s Guide

Dell License Manager Version 1.2 User s Guide Dell License Manager Version 1.2 User s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either

More information

Installing and Administering VMware vsphere Update Manager. Update 2 VMware vsphere 5.5 vsphere Update Manager 5.5

Installing and Administering VMware vsphere Update Manager. Update 2 VMware vsphere 5.5 vsphere Update Manager 5.5 Installing and Administering VMware vsphere Update Manager Update 2 VMware vsphere 5.5 vsphere Update Manager 5.5 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Quick Heal Microsoft Exchange Protection

Quick Heal Microsoft Exchange Protection Quick Heal Microsoft Exchange Protection Intuitive. Effective. Comprehensive. Feature List Web-based console makes administrative management easy and simple. Comprehensive and rapid scanning of emails

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Copyright 2013 Trend Micro Incorporated. All rights reserved. Trend Micro reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes,

More information

Basic System Administration ESX Server and Virtual Center 2.0.1

Basic System Administration ESX Server and Virtual Center 2.0.1 ESX Server 3.0.1 and Virtual Center 2.0.1 Basic System Administration Revision: 2006105 Item: VI-ENG-Q306-293 You can find the most up-to-date technical documentation on our Web site at http://www.vmware.com/support/

More information

Installing and Configuring vcenter Multi-Hypervisor Manager

Installing and Configuring vcenter Multi-Hypervisor Manager Installing and Configuring vcenter Multi-Hypervisor Manager vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.1.2 This document supports the version of each product listed and supports all subsequent

More information

Installation Guide - Windows

Installation Guide - Windows Kony Visualizer Enterprise Installation Guide - Windows Release V8 SP3 Document Relevance and Accuracy This document is considered relevant to the Release stated on this title page and the document version

More information

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free:

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free: EventTracker Enterprise Install Guide 8815 Centre Park Drive Publication Date: Aug 03, 2010 Columbia MD 21045 U.S. Toll Free: 877.333.1433 Abstract The purpose of this document is to help users install

More information

Annexure E Technical Bid Format

Annexure E Technical Bid Format Annexure E Technical Bid Format ANTIVIRUS SOLUTION FOR MAIL SERVER SECURITY AND SERVER SECURITY FOR DESKTOP,LAPTOP Sr. No Description Compliance (Y/N) Remark 01 Must offer comprehensive client/server security

More information

System Requirements 2008 R2

System Requirements 2008 R2 System Requirements 2008 R2 Below are the basic system requirements for installing and running Virtual Machine Manager (VMM) 2008 R2. More complete and comprehensive information covering additional system

More information

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide Copyright and Trademark Statements 2014 ViewSonic Computer Corp. All rights reserved. This document contains proprietary information that

More information

Product Guide. McAfee GetSusp

Product Guide. McAfee GetSusp Product Guide McAfee GetSusp 3.0.0.461 COPYRIGHT LICENSE INFORMATION Copyright 2013-2017 McAfee, LLC. YOUR RIGHTS TO COPY AND RUN THIS TOOL ARE DEFINED BY THE MCAFEE SOFTWARE ROYALTY-FREE LICENSE FOUND

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product/service described herein without notice. Before installing and using the product/service, review the readme

More information

NexentaStor VVOL

NexentaStor VVOL NexentaStor 5.1.1 VVOL Admin Guide Date: January, 2018 Software Version: NexentaStor 5.1.1 VVOL Part Number: 3000-VVOL-5.1.1-000065-A Table of Contents Preface... 3 Intended Audience 3 References 3 Document

More information

Sophos Anti-Virus for VMware vshield: On-Premise Edition startup guide. Product version: 2.1

Sophos Anti-Virus for VMware vshield: On-Premise Edition startup guide. Product version: 2.1 Sophos Anti-Virus for VMware vshield: On-Premise Edition startup guide Product version: 2.1 Document date: August 2016 Contents 1 About this guide...4 2 About Sophos Anti-Virus...5 3 Key steps in installation...7

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

VMware vfabric Data Director Installation Guide

VMware vfabric Data Director Installation Guide VMware vfabric Data Director Installation Guide vfabric Data Director 1.0.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information