Trend Micro Portable Security 2. Malware Scanning and Cleanup Tool for Stand-alone PCs or Closed Systems

Size: px

Start display at page:

Download "Trend Micro Portable Security 2. Malware Scanning and Cleanup Tool for Stand-alone PCs or Closed Systems"

Shona Perry
5 years ago
Views:

1 Trend Micro Portable Security 2 Malware Scanning and Cleanup Tool for Stand-alone PCs or Closed Systems

2 Contents TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an as is condition. 4 Anti-virus Security for Stand-alone PCs or Closed Systems 6 What is Trend Micro Portable Security 2? 8 Main Features 11 Operation 14 Usage Scenarios 16 Appendix I and Appendix II

3 In the past, it had been said that stand-alone computers and closed-network environments without internet access had a lower risk of being exposed to external threats and were relatively secure. However, as a matter of fact, it cannot be said to be safe. A survey by Trend Micro of companies operating in Japan found that approximately 70 percent have stand-alone computers and/or closed-network environments, 20 percent of which have suffered virus infections. Why, then, do such virus infections occur? We believe that such systems are rendered vulnerable by these factors: restrictions on software installation, difficulty in scanning systems with the latest pattern file since they are not connected to the internet, and the use of computers or USB devices brought in from outside. In this white paper, we introduce the Trend Micro Portable Security 2, a malware scanning and cleanup tool, shaped like a USB flash drive, that is designed for use in environments where an internet connection is not available or anti-malware software cannot be installed.

4 Anti-virus Security for Stand-alone PCs or Closed Systems Companies use a variety of terminals, depending on the tasks at hand. In most cases, the IT department oversees computers, servers and other devices as part of corporate infrastructure management. However, there are many other devices that are out of the IT department s control. Examples are computers loaned out to employees, or computers and workstations used in software development environments. These terminals are not always connected to the corporate network, and may instead be used as stand-alone terminals or in a closed network. In some cases, such terminals are not covered by internal security policies. At the same time, there are companies in the energy industry (supplying oil, gas, electricity and other essential forms of infrastructure) and in the manufacturing industry (running large-scale supply and production facilities). Information technology has been introduced in such facilities to control terminals and test equipment, meaning that computers are used. In addition, there are analyzers in production lines and research and development facilities, and there are embedded devices in medical equipment in hospitals. Such devices are often used also as stand-alone computers or in a closed-network environment. In the past, it had been said that stand-alone computers and closed-network environments without internet access had a lower risk of being exposed to external threats and were relatively secure. However, as a matter of fact, it cannot be said to be safe. A survey by Trend Micro of companies operating in Japan found that approximately 70 percent have stand-alone computers and/or closed-network environments, 20 percent of which have suffered virus infections. Why, then, do such virus infections occur? We believe that the following factors leave such systems vulnerable. Restrictions on Software Installation It may not be possible to install anti-virus software since it s not confirmed whether the application used and the anti-virus software are compatible. Because of this, installing the anti-virus software may cause the device vendor to cease to provide support, may seriously affect system performance, or may cause the application to become unstable. 4 Trend Micro Portable Security 2 TM

5 Lack of Internet Access Since anti-virus software downloads new virus pattern files from the internet, ensuring that virus scanners can use the latest pattern files on stand-alone computers and closed-network environments is problematic. Use of Computers or USB Devices Brought in From Outside Another route for virus infection is users bringing in their own computers or USB flash drives in order to exchange data. Viruses that abuse the auto-run functionality of USB flash drives, such as MAL_OTORUN, are still widespread. 5 Trend Micro Portable Security 2 TM

What is Trend Micro Portable Security 2? The question as to whether anti-virus security should be implemented on stand-alone computers and in closed-network environments has been long debated.

6 What is Trend Micro Portable Security 2? The question as to whether anti-virus security should be implemented on stand-alone computers and in closed-network environments has been long debated. Trend Micro Portable Security 2 (TMPS2) is designed to solve the issues surrounding this question. TMPS2 is a malware scanning and cleanup tool, shaped like a USB flash drive, that is designed for use in environments where an internet connection is not available or anti-malware software cannot be installed. The features of TMPS2 are: No Installation Required By loading scanning software onto a scanning tool shaped like a USB flash drive, malware scanning and removal are enabled without installing the scanning software on the target terminal. 1 Figure 1. TMPS2 scanning tool 1 When scanning for malware, drivers are created on the target terminal and files on the local HDD temporarily. After the scan, the drivers and files do not remain on the target terminal. (A log is created on the local hard disk of the target terminal at USB boot scanning) 6 Trend Micro Portable Security 2 TM

7 Centralized Management The management program provides a centralized management function. This enables the comprehension of scan logs of the scanning tools in multiple locations in an integrated fashion. Also, malware pattern files and configurations of the scanning tools can be centrally managed. Moreover, the event log of the system lockdown security software Trend Micro Safe Lock (separately charged) can be obtained with the management program of TMPS2. Easy Operation Scan status and result notification with LED The LED equipped on the scanning tool notifies of the scan status and result. Since the person in charge does not have to meticulously check the scan status using the target terminal screen, it does not interfere with operational efficiency. Using only the scanning tool, malware can be scanned and removed, and the malware pattern file can be updated. Updating the malware pattern files and viewing the logs are available using any general-purpose PC connected to the internet and the scanning tool by selecting a mode that does not use the management program (unlike with conventional products that require management computers). 2 Security measures are easily enabled even when management computers cannot be prepared separately. 2 TMPS2 checks for malware with the latest pattern files at the time of updating by the management computer/scanning tool. 7 Trend Micro Portable Security 2 TM

8 Main Features Management Program The updating of malware pattern files, management of the scanning tool, and centralized management of logs can also be performed on remote systems by installing the management program on a management computer connected to the internet. In addition, event logs can be managed in cooperation with Trend Micro Safe Lock (TMSL). Updating the malware pattern file The latest malware pattern file and scanning engine can be downloaded on the management computer. Periodic downloading is also available by setting up scheduled updates. Management of scanning tool Updated date and time, scanning configurations, and log synchronization date and time can be checked for each scanning tool registered to the management computer. Also, the configuration for each scanning tool registered to the management computer is available, including target folders, actions at malware detection, and scanning exclusion lists. Scanning type All local folders, IntelliScan, 3 Default folders (quick scan), 4 Specified folders Action at detection Select action manually, Only record log, Use Trend Micro recommended settings Centralized management of logs Scan logs can be viewed and managed by sending the scan logs of each location to the management computer from the scanning tool. The event log of TMSL and the scan log of USB boot scan (Trend Micro Rescue Disk) are also viewable. 3 Determines the actual file type and scans files that have the possibility of malware. 4 Scans only folders often targeted by malware (e.g. system folders of Windows ). 8 Trend Micro Portable Security 2 TM

Collaboration with TMSL When scanning a PC with TMSL installed with the scanning tool, the event log of TMSL can be viewed along with the scan log by automatically collecting the event log and

9 Collaboration with TMSL When scanning a PC with TMSL installed with the scanning tool, the event log of TMSL can be viewed along with the scan log by automatically collecting the event log and sending it to the management computer. Figure 2. Management program Scanning Tool When malware is detected, it is cleaned, quarantined or ignored, depending on the configuration. The scanned result is saved on the scanning tool. Malware scanning on target terminal Malware can be scanned and the scan log obtained by connecting the scanning tool to a target terminal. Scan status and result notification with LED The LED equipped on the scanning tool blinks when scan is in progress and notifies of the scan status and result with three stages: Red: Malware scan completed. Detected and waiting for operator s action. Yellow: Malware scan completed. Detected and cleaned. Blue: Malware scan completed. Malware not detected. 9 Trend Micro Portable Security 2 TM

10 Updating the malware pattern file When the management computer is being used, the latest malware pattern file is downloaded from the registered management computer; otherwise, it is downloaded directly from the Trend Micro server. USB boot scanning With USB boot scanning, a target terminal can be booted with the scanning tool to scan for malware. Malware infection prevention The scanning tool is protected so that the TMPS2 itself is not infected with malware. 10 Trend Micro Portable Security 2 TM

11 Operation TMPS2 has two operation methods: centralized management type operation (centralized management mode), which is operated with a management program, and scanning tool stand-alone operation (standalone mode), which is operated without a management program. With a management program, the administrator can perform a range of tasks, from malware scanning configuration and scanning log aggregation to scanning tools in remote branches, production and maintenance sites. When a management program is not used, unlike with conventional products that require management computers, updating of malware pattern files and viewing of the log are available using any generalpurpose PC connected to the internet and the scanning tool. Security measures can be easily implemented even when management computers cannot be prepared separately. Centralized management type operation (centralized management mode) 1. Installing the management program The management program is installed by connecting TMPS2 to a computer with an internet connection. 2. Updating virus pattern files The management program downloads the latest virus pattern files and scan engine from the Active Update Server to keep TMPS2 up to date. 3. Synchronization The scanning tool can be connected to computers on-site to update settings and pattern files. 4. Virus scan A computer can be scanned for viruses by connecting the scanning tool to it. 5. Transmission of logs The scan results are saved in the scanning tool and then sent to the management computer (via other computers connected to an enterprise network). 11 Trend Micro Portable Security 2 TM

12 Figure 3. Operation in central management mode Scanning tool stand-alone operation (stand-alone mode) 1. Activating the scanning tool The scanning tool is activated by connecting TMPS2 to a computer with an internet connection. 2. Update The scanning tool downloads the latest virus pattern files and scan engine from the Active Update Server. 3. Settings The scanning tool settings can be changed or checked before starting a scan. 4. Virus scan A computer can be scanned for viruses by connecting the scanning tool to it. 5. Saving of logs The scan results are saved in the scanning tool. 12 Trend Micro Portable Security 2 TM

13 13 Trend Micro Portable Security 2 TM Figure 4. Operation in stand-alone mode

14 Usage Scenarios TMPS2 can be used in several key scenarios where terminal or system checks are advisable. Regular checking of stand-alone PC/closed systems TMPS2 checks in-house stand-alone PC or closed systems regularly, which is difficult with standard antimalware software. Before TMPS2 deployment: One day, the operation of a medical administration system at a hospital had become slow, impeding the performance of work. Eventually, a system server error occurred, prompting an investigation. The result of this investigation indicated that there was a virus infection, requiring 72 hours of nonstop day-and-night work to remove the viruses and restore the system. During these days the medical administration system was unavailable, so accounting was done manually, inconveniencing patients. After TMPS2 deployment: With TMPS2, virus scans can be performed with the latest pattern files to prevent the spread of viruses on computers in a closed-network environment like in this hospital. Checking before corporate LAN connection and restoration at time of malware infection TMPS2 checks a terminal not connected to a corporate network before connecting to the network. It also checks infected terminals disconnected from the network to restore them. Before TMPS2 deployment: An employee of A Inc. connected to the company network a computer that he had taken on an overseas trip, not knowing that the computer had been infected with viruses during the trip. A virus outbreak ensued. Cases such as this are particularly likely to occur following overseas business trips, during which the updating of pattern files may not be possible. 14 Trend Micro Portable Security 2 TM

15 After TMPS2 deployment: By using TMPS2 to scan for viruses before connecting computers that were taken out of the office, such virus outbreaks can be prevented. Checking before product shipment TMPS2 checks for malware before shipment to prevent malware contamination of the shipped product. Before TMPS2 deployment: B Inc., a computer manufacturer, outsources its manufacturing to the plants of other companies. As a test before shipment, these plants carry out operational checks and other tests by using special computers for testing installed in the plants for finished products. One day, these special test computers got infected with viruses when a USB flash drive was used to install new software on them, leading to an incident in which all products tested by using these terminals also became infected with viruses before being shipped. The effect of this accident was not limited to the shipped products, as the viruses spread to the computers of the customers who purchased the products, requiring B Inc. to collect and replace the infected products with new ones for free. After TMPS2 deployment: With TMPS2, the virus infection of manufactured products can be prevented by performing virus scans on testing terminals before starting the production line. Checking at maintenance service TMPS2 checks for malware on systems and devices delivered to customers on-site at maintenance. Before TMPS2 deployment: C Inc. produces special computers to carry out pre-shipment inspections on production lines. One day, an incident occurred where special terminals manufactured by C Inc. that were in use at a plant were found to be infected with viruses. This incident led to concerns that the products became infected when C Inc. performed maintenance on the special computers. After TMPS2 deployment: Since TMPS2 features functionality for virus scanning and removal, as well as for the generation and management of logs, the logs of virus scans performed during maintenance can be used as proof to dispel such concerns. 15 Trend Micro Portable Security 2 TM

16 Appendix I System Requirements Management Program Scanning Tool OS Windows XP Professional SP1/SP2/SP3 32bit Windows Vista Business/Enterprise/Ultimate SP1/SP2 32/64bit Windows 7 Professional/Enterprise/Ultimate SP1 32/64bit Windows 7 Home Basic/Home Premium SP1 64bit Windows 8 Pro/Enterprise 32/64bit* Windows Server 2003 Standard/Enterprise SP2/R2 SP2 32/64bit Windows Server 2008 Standard/Enterprise SP2 32/64bit Windows Server 2008 Standard/Enterprise R2 SP1 64bit Windows Server 2012 Standard 64bit Windows XP Professional SP1/SP2/SP3 64bit Windows XP Embedded SP1/SP2/SP3 32bit** Windows Embedded Standard bit** Windows Embedded Standard 7 32bit/64bit Windows Embedded POSReady bit Windows Embedded POSReady 7 32bit Windows XP Professional for Embedded Systems SP1/SP2/SP3 32bit Windows Vista for Embedded Systems SP1/SP2 32bit Windows 7 for Embedded Systems SP1 32/64bit Windows Server 2003 for Embedded Systems SP1/ SP2 32bit, R2 32bit Windows Server 2008 for Embedded Systems 32bit/64bit, R2 64bit CPU Memory Equivalent to minimum system requirements of operating system Equivalent to minimum system requirements of operating system Free HDD Space 300MB 200MB Display resolution At least 1024x768 At least 640x480 Language MUI (English, Japanese) Table 1. Systems requirements*** * Windows RT and Windows 8 installed on tablet terminals are not supported. ** This operating system (OS) is a componentized version of Windows XP Professional. When the OS components are customized by customer, we may not offer support for troubles that occur only in the customized environment and are not replicated on Windows XP Professional. *** Contents of system requirements such as supported OS and hard disk capacity are subject to change without notice due to the end of OS support and product improvements by Trend Micro. 16 Trend Micro Portable Security 2 TM

17 Notes: TMPS2 does not have a real-time scanning function. TMPS2 cannot be used as a general USB flash drive because it does not have the data storage area for customers. TMPS2 does not scan for malware on management computers. A log is created on the local hard disk of the scanning target computer at USB boot scanning. Windows 2000 can be scanned via USB boot. However, it is not supported if it does not support booting from USB devices, it uses EFI/UEFI, it has a RAID environment, the HDD is initialized with GPT instead of MBR, the HDD is connected via SCSI, etc. 17 Trend Micro Portable Security 2 TM

Scanning tool back view Interface Power supply voltage Maximum consumption current USB 2.

18 Appendix II Appearance and Hardware Specifications of the Scanning Tool Figure 5.Scanning tool front view Figure 6. Scanning tool back view Interface Power supply voltage Maximum consumption current USB 2.0 compatible DC 4.5 V 5.5 V (at the USB port) 313 ma Operating temperature 0 C 60 C Operating humidity 20% 90% (No condensation) Table 2. Scanning tool hardware specifications 18 Trend Micro Portable Security 2 TM

19 TREND MICRO TM Trend Micro Incorporated, a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers. A pioneer in server security with over 20 years experience, we deliver top-ranked client, server, and cloud-based security that fits our customers and partners needs; stops new threats faster; and protects data in physical, virtualized, and cloud environments. Powered by the Trend Micro Smart Protection Network infrastructure, our industry-leading cloud-computing security technology, products and services stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

DRIDEX s New Tricks Lead to Global Spam Outbreak

Appendix DRIDEX s New Tricks Lead to Global Spam Outbreak Appendix TrendLabs Security Intelligence Blog Michael Casayuran, Rhena Inocencio, and Jay Yaneza May 2016 TREND MICRO LEGAL DISCLAIMER The information