Core Protection for Virtual Machines 1


Core Protection for Virtual Machines 1
Comprehensive Threat Protection for Virtual Environments
Administrator's Guide
Endpoint Security

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at:

Trend Micro, Core Protection for Virtual Machines, and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright 2010 Trend Micro Incorporated. All rights reserved.

Document Part No. OSEM14002/90119
Release Date: July 2010
Version: 1.0 SP1

The user documentation for Trend Micro Core Protection for Virtual Machines is intended to introduce the main features of the software and installation instructions for your production environment. You should read through it prior to installing or using the software.

Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro's Web site.

Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site:

Contents

Chapter 1: Introducing Trend Micro Core Protection for Virtual Machines
  What is Core Protection for Virtual Machines?; Features and Benefits; Security Risk Protection; Centralized Management; State-of-the-Art Virus Detection Technology; Viewable Scanning Statistics; Compatibility; How Does Core Protection for Virtual Machines Work?; Core Protection for Virtual Machines Architecture; VirtualCenter Client; VirtualCenter Server; VirtualCenter Agent; VirtualCenter Database; VirtualCenter Web Service; Core Protection for Virtual Machines Server; CPVM Scanning Agent; Real-Time Agent; The Administration Web Console; Real-time Scan Versus On-demand Scan (Scan Now); When Core Protection for Virtual Machines Finds a Virus; Virus Logs; Deploying Updates; Core Protection for Virtual Machines Virus Detection Technology; Pattern Matching; Compressed Files; OLE Layer Scan; IntelliScan; ActiveAction; When to Select ActiveAction

Chapter 2: Getting Started with Core Protection for Virtual Machines
  Exploring the Web Console; Summary Page; Security Management; Group Management; VC Inventory; Member Management; Tasks; Settings; Install; Logs; Updates; Logs; Notifications; Administration; Console Password; Proxy Settings; Virtual Infrastructure Settings; Compatible Products; Product License

Chapter 3: Monitoring Core Protection for Virtual Machines
  Overview; Viewing System Information; Viewing Virtual Machine Status; Viewing Scan Results; Viewing Server Update Status

Chapter 4: Managing Core Protection for Virtual Machines
  Managing Groups; Viewing Group Information; Adding Groups; Renaming a Group; Deleting a Group; Managing VC Inventory; Managing Members; Viewing Member Information; Adding a Member to a Group; Moving Members to Another Group; Managing a Network Share; Performing Scans; Scan Now; QuickScan; Real-time Scan; Scheduled Scan; About Agents; Real-time Agent; CPVM Scanning Agent; IntelliScan; True File-type Detection; File Extension Checking; ActiveAction; Scan Actions; Initiating a QuickScan; Performing a Scan Now; Configuring Scan Settings; Configuring QuickScan Settings; Configuring Real-time Scan Settings; Configuring Scheduled Scan Settings; Configuring Scan Now Settings; Enabling and Disabling the Scanning Agent; Managing Agents; Installing the Real-time Agent; Installing the Scanning Agent; Uninstalling Agents; Upgrading Agents; Viewing and Managing Logs; Viewing Virus/Malware Logs; Viewing the Spyware/Grayware Logs; Manually Deleting Logs

Chapter 5: Updating Components
  Components; Antivirus; Anti-spyware; Component Duplication; Viewing an Update Summary; Configuring Scheduled Server Updates; Performing a Manual Server Update; Specifying a Server Update Source; Configuring Automatic Member Updates; Performing Manual Member Updates; Rolling Back Updates

Chapter 6: Viewing and Managing Logs
  Overview; Component Update Logs; Spyware/Grayware Logs; Virus/Malware Logs; Server Update Logs; System Event Logs; Log Deletion; Viewing Security Risk Logs; Viewing Member Logs; Viewing Server Logs; Configuring a Log Deletion Schedule; Logged Actions; Server Logs; Actions Logged at the Scanning Agent; Member System Event Logs; Member Virus/Malware Logs; Member Spyware/Grayware Logs; Member Update Logs; Actions Logged at the Real-time Agent; Member System Event Logs; Member Virus/Malware Logs; Member Update Logs; Using the Log Viewer

Chapter 7: Managing Notifications
  Configuring General Settings; Configuring Standard Notifications; Configuring System Notifications; Token Variables

Chapter 8: Administering Core Protection for Virtual Machines
  Setting the Web Console Password; Configuring Proxy Settings; Configuring Virtual Infrastructure Settings; Configuring Compatible Products; Viewing and Updating Your Product License

Appendix A: VMware Virtual Center Integration
  Virtual Center Plug-in; Virtual Center Reporting

Index

Preface

Welcome to the Trend Micro Core Protection for Virtual Machines Administrator's Guide. This book contains information about product settings and service levels.

This preface discusses the following topics:
- Core Protection for Virtual Machines Documentation
- Audience
- Document Conventions

Core Protection for Virtual Machines Documentation

The Trend Micro Core Protection for Virtual Machines documentation consists of the following:
- Installation Guide: Describes the system requirements and steps to install Core Protection for Virtual Machines.
- Administrator's Guide: Helps you plan for deployment, install, and configure all product settings, and explains how to manage and administer the product.
- Administrator Online Help: Helps you configure all features through the user interface. You can access the online help by opening the Web console and then clicking the help icon.
- Readme File: Contains late-breaking product information that might not be found in the other documentation. Topics include a description of features, installation tips, known issues, and product release history.

The Core Protection for Virtual Machines documentation is available at:

Audience

The Core Protection for Virtual Machines documentation is written for IT managers, IT security managers, and virtual infrastructure managers. The documentation assumes that the reader has an in-depth knowledge of virtualization technologies and networks, including details related to the following:
- Antivirus and content security protection
- Network concepts (such as IP address, Subnet Mask, LAN settings)
- Network devices and their administration
- Network configuration (such as the use of VLAN, SNMP)
- VMware VI3

Document Conventions

To help you locate and interpret information easily, the Core Protection for Virtual Machines documentation uses the following conventions.

CONVENTION | DESCRIPTION
ALL CAPITALS | Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold | Menus and menu commands, command buttons, tabs, options, and Core Protection for Virtual Machines tasks
Italics | References to other documentation
Monospace | Examples, sample command lines, program code, Web URLs, file names, and program output
Note: | Configuration notes
Tip: | Recommendations
WARNING! | Reminders on actions or configurations that should be avoided

Chapter 1: Introducing Trend Micro Core Protection for Virtual Machines

This chapter introduces Trend Micro Core Protection for Virtual Machines (CPVM). The topics included in this chapter are:
- What is Core Protection for Virtual Machines?
- Features and Benefits
- How Does Core Protection for Virtual Machines Work?
- Core Protection for Virtual Machines Architecture
- Real-time Scan Versus On-demand Scan (Scan Now)
- When Core Protection for Virtual Machines Finds a Virus
- Virus Logs
- Deploying Updates
- Core Protection for Virtual Machines Virus Detection Technology

What is Core Protection for Virtual Machines?

Trend Micro Core Protection for Virtual Machines (CPVM) is the next generation of software for scanning and cleaning both online and powered-off VMware Virtual Machine files within VMware Virtual Infrastructure 3 or VMware vSphere 4.0. It is designed to protect the virtual infrastructure from viruses of any kind by adopting the most advanced virus-detecting technology to ensure that your virtual infrastructure stays virus-free.

Core Protection for Virtual Machines detects new file infections, identifies viruses in existing files, and cleans or removes them from your virtual servers. It senses the changes in your virtual infrastructure, including provisioning of new Virtual Machines, and automatically provides protection for those new machines.

Core Protection for Virtual Machines enables network administrators to manage servers from a single Web-based administration console. The console enables administrators to configure Virtual Machines in the same group simultaneously and to generate integrated virus incident reports from all of them.

By giving administrators a means to configure, monitor, and maintain antivirus efforts through the Core Protection for Virtual Machines Administrator Web console, Core Protection for Virtual Machines improves and simplifies the implementation of corporate virus policy.

Features and Benefits

To help IT professionals protect their Virtual Infrastructure with more flexibility, Core Protection for Virtual Machines provides the following main features and benefits:

Security Risk Protection

Core Protection for Virtual Machines protects your virtualized servers from viruses/malware and spyware/grayware. The CPVM Scanning Agent and Real-Time Agent:
- Provide security risk protection.
- Report events to the CPVM server.
- Receive updates from the CPVM server.

The CPVM server hosts the Web console, downloads updates from an update source (such as the Trend Micro ActiveUpdate server), and initiates agent component updates.

Centralized Management

A Web-based management console gives administrators transparent access to all virtualized servers on the network. The Web console coordinates automatic deployment of security policies, pattern files, and software updates on the virtualized server. Core Protection for Virtual Machines also performs real-time monitoring, provides event notification, and delivers comprehensive reporting.

State-of-the-Art Virus Detection Technology

New configurable scanning tools like ActiveAction, IntelliScan, and OLE layer scan offer faster and more efficient scanning.

Viewable Scanning Statistics

Core Protection for Virtual Machines enables you to efficiently monitor your network antivirus security. It displays scanning statistics for viruses and spyware/grayware, including the total number of viruses found for the day and over the last seven days, the status of the infections, the total number of non-cleanable viruses, and more.

Compatibility

The server for Core Protection for Virtual Machines is fully compatible with:
- VMware Virtual Infrastructure 3 environment
- Microsoft Windows Server 2003 SP2 or later
- Microsoft Windows XP SP3 or later

The agent for Core Protection for Virtual Machines is fully compatible with:
- Microsoft Windows 2003
- Microsoft Windows XP
- Microsoft Windows Vista
- Microsoft Windows 2008
- Microsoft Windows 2008 R2

For detailed information about 32-bit operating system and 64-bit operating system compatibility, see the Trend Micro Core Protection for Virtual Machines Installation Guide.

How Does Core Protection for Virtual Machines Work?

Core Protection for Virtual Machines monitors all activity in your VMware virtual environment. Virtual Machines with Real-time Agents monitor file read/write activity and check for file infections. The Scanning Agent performs on-demand and scheduled scanning of target VMs for file infections. If the Scanning Agent finds that a file is infected, it sends notification messages to pre-defined recipients and takes action on the virus according to the Core Protection for Virtual Machines configuration. The Core Protection for Virtual Machines activity log records all the activities of the system.

Core Protection for Virtual Machines lets you design personal scanning profiles, saving you from having to re-configure frequently needed settings. You can even assign multiple scanning options to a profile and use the profile for special circumstances, for example, scanning incoming files only.

Core Protection for Virtual Machines Architecture

The following diagram shows a typical deployment of Core Protection for Virtual Machines within VMware Virtual Infrastructure:

FIGURE 1-1. Core Protection for Virtual Machines Typical Deployment

Figure 1-1 shows a typical Core Protection for Virtual Machines deployment on top of VMware. The diagram shows active, scanning, and dormant VMs with the Real-Time Agent installed. The user has the option of installing the CPVM Scanning Agent on a VM or on a physical machine, as indicated in the figure by the machine enclosed by a dotted line on the left.

The VI infrastructure consists of VMware VirtualCenter, which is virtual infrastructure management software that centrally manages an enterprise's virtual machines as a single, logical pool of resources. The heart of VirtualCenter is the VirtualCenter server, which collects and stores persistent data in a dedicated database that contains per-system and environmental information.

Core Protection for Virtual Machines is deployed within the VI infrastructure. The major components of a Core Protection for Virtual Machines deployment include:
- VirtualCenter Client
- VirtualCenter Server
- VirtualCenter Agent
- VirtualCenter Database
- VirtualCenter Web service
- Core Protection for Virtual Machines Server
- CPVM Scanning Agent
- Real-Time Agent
- Administration Web console

VirtualCenter Client

The VirtualCenter Client is a user interface that runs locally on a Windows machine. The VirtualCenter Client runs on a machine with network access to the VirtualCenter server. This can be the same machine as the VirtualCenter Server or another machine with network access.

VirtualCenter Server

The VirtualCenter server is a service that acts as a central administrator for VMware servers connected on a network, directing actions on the virtual machines and the virtual machine hosts. VirtualCenter server provides the central working core of VirtualCenter. It is deployed as a Windows service and runs continuously. It requires network access to all the hosts it manages and must be available for network access from any machine where the VirtualCenter client runs.

VirtualCenter Agent

The VirtualCenter Agent is installed on each managed host. It collects, communicates, and executes the actions received from the VirtualCenter server. It is installed automatically the first time any host is added to the VirtualCenter inventory.

VirtualCenter Database

The VirtualCenter database (SQL Server or Oracle) provides a persistent storage area for maintaining the status of each virtual machine, host, and user managed in the VirtualCenter environment. This can be local or remote from the VirtualCenter server machine.

VirtualCenter Web Service

The VirtualCenter Web service can optionally be installed with the VirtualCenter Server. It is a required programming interface for third-party applications that use the VMware SDK application programmer interface (API).

Core Protection for Virtual Machines Server

The CPVM Server is a service that acts as a central administrator for Scanning Agent virtual machines connected to the network. The CPVM server is deployed as a Windows service and runs continuously, directing actions on the CPVM virtual machines. It must have network access to the VirtualCenter server and all the Scanning Agent virtual machines that it manages. In addition, it must be available for network access from any machine where the Web-based Administration console runs.

CPVM Scanning Agent

The CPVM Scanning Agent is a service that runs on a host and scans dormant VMDK files or live VMs as specified by the schedule and policy that you set on the Core Protection for Virtual Machines Server. The schedule and the policies are pushed to each of the Scanning Agent Servers by the Core Protection for Virtual Machines Server. The Scanning Agent Server can only scan offline VMDK files that are visible to the host machine where it is running.

Real-Time Agent

An administrator can choose to install the Real-Time Agent on any VM or physical machine to provide real-time anti-malware protection. When installed, the Real-Time Agent service monitors all disk I/O and ensures that no disk writes result in possible malware. The Real-Time Agent also gets the latest signature updates from the Core Protection for Virtual Machines Server on the schedule defined by the administrator.

The Administration Web Console

The Core Protection for Virtual Machines Administration Web console runs on a Windows machine with network access to the Core Protection for Virtual Machines Server. This can be the same machine as the VirtualCenter server or another machine with network access. The Administration Web console allows you to view and manage Core Protection for Virtual Machines by configuring and running scans, configuring logs and notifications, and viewing a summary of activity.

Real-time Scan Versus On-demand Scan (Scan Now)

Core Protection for Virtual Machines features two powerful scan functions, Real-time Scan and Scan Now.

Real-time Scan runs continuously on a server and provides the maximum level of virus protection. All file I/O events on the server are monitored and infected files are prevented from being copied to or from the server. See Real-time Scan on page

Scan Now is a manual virus scan (that is, it occurs immediately after being invoked). Use Scan Now to check a server that you suspect may have been exposed to a computer virus or about which you want immediate information. See Scan Now on page

Tip: To ensure maximum protection, Trend Micro recommends using both Real-time Scan and Scan Now.

Real-time Scan and Scan Now benefits include:
- Redundant File Scan: If a file containing a virus is accidentally downloaded or copied, Real-time Scan will stop it. However, if for any reason Real-time Scan is disabled, Scan Now will still detect it.
- Efficient File Scan: By default, Real-time Scan is configured to scan files reliably, while minimizing the impact on system resources. See Scan Now on page
- Effective and Flexible File Scan: Core Protection for Virtual Machines gives IT professionals effective and numerous scan configuration options to protect their networks based on their individual needs. See Scan Now on page

When Core Protection for Virtual Machines Finds a Virus

Core Protection for Virtual Machines lets you configure the kind of action that the software takes on infected files. You can even choose different courses of action for different kinds of viruses. There are five possible actions that Core Protection for Virtual Machines can take on an infected file:
- Bypass/Ignore: For a manual scan, Core Protection for Virtual Machines skips the file without taking any corrective action. However, detection of the virus is still recorded in the program's log entries. For Real-time Scan, Core Protection for Virtual Machines treats the file as "deny-write," protecting it from duplication or modification. See Scan Actions on page 4-19 for more information.
- Delete: The infected file is deleted.
- Rename: The infected file extension is renamed to .vir. This prevents the file from being executed or opened. If a file of that name with the .vir extension already exists, the file will be renamed to .v01, .v02, and so on, until .v99.
- Quarantine: The infected file is moved to a folder of your choice. You can also change the file extension of the moved file to prevent it from being inadvertently opened or executed.
- Clean: Attempt to clean the virus code from the file. Since the cleaning process sometimes corrupts the file and makes it unusable, you can back up the file before cleaning.

All virus events and associated courses of action are recorded in the log file. See Scan Actions on page 4-19 for more information.

Note: If you select Clean as the virus action, you can specify a secondary action if the cleaning process is unsuccessful.

Note: On a 64-bit operating system, Core Protection for Virtual Machines detects both 32-bit viruses and 64-bit viruses.

Virus Logs

Core Protection for Virtual Machines (CPVM) provides comprehensive information about scanning, file updating, and deploying results from a single console. Furthermore, CPVM saves the information in a log file that can be retrieved or exported. For example, you can analyze the scanning statistics for virus scanning in your virtual infrastructure. These statistics include information such as scan start and times, machines scanned, detected viruses and types, and infected virtual servers. In addition, you can export the log information to a comma-separated value (CSV) file for further analysis.

Deploying Updates

Core Protection for Virtual Machines simplifies the maintenance of Trend Micro software and reduces the total cost of your virtual infrastructure's antivirus security. See Configuring Scheduled Server Updates on page 5-8 and Configuring Automatic Member Updates on page

Note: Trend Micro releases new versions of these update files on a regular basis.

Core Protection for Virtual Machines update features include:
- Unattended scheduled update: You can specify a schedule for updates and Core Protection for Virtual Machines will perform updates of all servers and members automatically based on the schedule.
- Centralized update deployment: You can deploy updates to servers in your virtual infrastructure from the Administration Web console.
- Proxy server compatibility: Core Protection for Virtual Machines works with the majority of existing proxy servers.
- Update activity logging: Core Protection for Virtual Machines records all update activity in a log file for future reference.
- Update Roll-back option: If you encounter a problem while deploying an update, you can roll back a deployed pattern and scan engine file to the previous version.

Core Protection for Virtual Machines Virus Detection Technology

Core Protection for Virtual Machines uses advanced virus detection technology. This section describes the tools that support this state-of-the-art technology and how IT professionals can benefit from it.

Pattern Matching

Using a process called "pattern matching," Core Protection for Virtual Machines draws on an extensive database of virus patterns to identify known virus signatures. Key areas of suspect files are examined for tell-tale strings of virus code and compared against the tens of thousands of virus signatures that Trend Micro has on record.

For polymorphic or mutating viruses, the Core Protection for Virtual Machines scan engine permits a suspicious file to execute in a protected area within which it is decrypted. Core Protection for Virtual Machines then scans the entire file, including the freshly decrypted code, and looks for strings of mutation-virus code.

If such a virus is found, Core Protection for Virtual Machines performs the virus action you previously specified. Core Protection for Virtual Machines virus actions include: clean (autoclean), delete, bypass (ignore), quarantine (move), or rename. Virus actions can be customized for both boot viruses and file viruses. See Performing Scans on page

Note: It is important to keep the virus pattern file up to date. More than a thousand new viruses are created each year. Trend Micro makes it easy to update the pattern file by supporting scheduled updates. See Configuring Scheduled Server Updates starting on page 5-8 and Configuring Automatic Member Updates on page 5-12 for more information.

Compressed Files

Compressed file archives (that is, a single file composed of many separate compressed files) are often distributed via e-mail and the Internet. Since some antivirus software is not able to scan these kinds of files, compressed file archives are sometimes used as a way to "smuggle" a virus into a protected network or computer.

Core Protection for Virtual Machines can scan files inside compressed archives. It can even scan compressed files that are composed of other compressed files, up to a maximum of five compression layers.

The Trend Micro scan engine used in Core Protection for Virtual Machines can detect viruses in files compressed using the following algorithms:
- PKZIP (.zip) & PKZIP_SFX (.exe)
- LHA (.lzh) & LHA_SFX (.exe)
- ARJ (.arj) & ARJ_SFX (.exe)
- CABINET (.cab)
- TAR
- GNU ZIP (.gz)
- RAR (.rar)
- PKLITE (.exe or .com)
- LZEXE (.exe)
- DIET (.com)
- UNIX PACKED (.z)
- UNIX COMPACKED (.z)
- UNIX LZW (.Z)
- UUENCODE
- BINHEX
- BASE64

Note: If a virus is found in an archive that uses another algorithm, the archive must first be decompressed in a temporary directory, then cleaned.

For compressed file configuration information, refer to Real-time Scan on page 4-16, and Scan Now on page
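The five-layer limit on nested archives can be illustrated with a short scanner. This is an added example, not Trend Micro code: the marker string, the size cap, the helper names, and the choice to report anything beyond the limit as uninspected (so that policy can decide what to do with it) are all assumptions, and only ZIP is handled.

```python
import io
import zipfile

MAX_LAYERS = 5                        # the guide's stated limit on compression layers
MAX_MEMBER_BYTES = 16 * 1024 * 1024   # assumed cap on one unpacked member (not from the guide)
MARKER = b"CONSTRUCTED-TEST-MARKER"   # constructed stand-in for a virus signature


def scan_bytes(name, data, layer=0, max_layers=MAX_LAYERS,
               max_member_bytes=MAX_MEMBER_BYTES):
    """Scan data, descending into nested ZIP archives.

    Returns (hits, uninspected): paths whose content holds MARKER, and paths
    that were not examined because they exceed the layer or size limit.
    """
    hits, uninspected = [], []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Plain file: simple pattern match against the constructed marker.
        if MARKER in data:
            hits.append(name)
        return hits, uninspected
    if layer >= max_layers:
        # Another archive below the limit: record it instead of silently passing it.
        uninspected.append(name)
        return hits, uninspected
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = f"{name}!{info.filename}"
            if info.file_size > max_member_bytes:
                # Refuse to unpack oversized members (decompression-bomb guard).
                uninspected.append(path)
                continue
            sub_hits, sub_skipped = scan_bytes(
                path, archive.read(info), layer + 1, max_layers, max_member_bytes)
            hits.extend(sub_hits)
            uninspected.extend(sub_skipped)
    return hits, uninspected


def nest(payload, layers, inner_name="payload.txt"):
    """Build constructed sample input: payload wrapped in `layers` ZIP layers."""
    data, name = payload, inner_name
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"inner{i + 1}.zip"
    return data


if __name__ == "__main__":
    for layers in (5, 6):
        hits, uninspected = scan_bytes("sample.zip", nest(MARKER, layers))
        print(layers, "layers -> hits:", hits, "uninspected:", uninspected)
```

With five layers the marker is found at the innermost path; with six, the innermost archive is listed as uninspected rather than reported clean.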

OLE Layer Scan

Microsoft Object Linking and Embedding (OLE) allows embedding Microsoft Office files. This means that you could have a Microsoft Word document inside an Excel sheet, and in turn this Excel sheet could be embedded in a Microsoft PowerPoint presentation.

OLE offers a large number of benefits to developers; at the same time, it can lead to potential infection. To address this issue, Core Protection for Virtual Machines includes the OLE Layer Scan feature, which complements state-of-the-art Core Protection for Virtual Machines virus protection. See Scan Now on page

Tip: OLE layer scan offers five layers of protection. Trend Micro recommends a setting of 2 OLE layers for Scan Now and a setting of 1 for Real-time Scan. A lower setting will improve server performance.

IntelliScan

IntelliScan identifies which files to scan in a way that is both more secure and more efficient than the standard "scan all files" option. For executable files, such as .exe, the true file type is determined from the file content. In the event that a file is not executable (for example, .txt), IntelliScan will use the file header to verify the true file type. See Scan Now on page

The following are just a couple of the benefits IntelliScan offers to administrators:
- Performance optimization: Server system resources allotted to scanning will be minimal, so using IntelliScan will not interfere with other crucial applications running on the server.
- Time saving: Since IntelliScan uses true file type identification, IntelliScan scan time is significantly less than that of an all-files scan (this means that only files with a greater risk of being infected are scanned). This time difference is noticeable when you use IntelliScan with Scan Now. See Scan Now on page
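The idea behind true file-type identification, sketched as an added example (not Trend Micro's implementation): the file header decides the type, and the extension is consulted only when the content is not recognised. The signature table, the set of types selected for scanning, the script-extension fallback, and all function names are assumptions made for illustration.

```python
import os

# Well-known file-header signatures (magic bytes) mapped to a true type.
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),
    (b"PK\x03\x04", "zip-container"),
    (b"%PDF-", "pdf"),
    (b"\x1f\x8b", "gzip"),
    (b"\x89PNG\r\n\x1a\n", "png-image"),
]

# Extensions normally seen for each true type; anything else is a mismatch.
EXPECTED_EXT = {
    "pe-executable": {".exe", ".dll", ".sys", ".scr", ".com"},
    "ole2-document": {".doc", ".xls", ".ppt", ".msi"},
    "zip-container": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "pdf": {".pdf"},
    "gzip": {".gz", ".tgz"},
    "png-image": {".png"},
}

# Assumed policy: types that can carry code or embedded content are scanned.
SCAN_TYPES = {"pe-executable", "ole2-document", "zip-container", "pdf", "gzip"}
# Assumed fallback: text-based script files have no header, so use the extension.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1"}


def true_type(data):
    """Return the type indicated by the file header, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(name, data):
    """Decide whether a file is selected for scanning and whether its
    extension disagrees with its content."""
    kind = true_type(data)
    ext = os.path.splitext(name)[1].lower()
    if kind == "unknown":
        scan = ext in SCRIPT_EXTS          # file extension checking as fallback
        mismatch = False                   # nothing to compare against
    else:
        scan = kind in SCAN_TYPES
        mismatch = ext not in EXPECTED_EXT[kind]
    return {"name": name, "true_type": kind, "scan": scan, "ext_mismatch": mismatch}


# Constructed sample files: (name, first bytes of content).
SAMPLES = [
    ("invoice.txt", b"MZ\x90\x00" + b"\x00" * 60),   # executable renamed to .txt
    ("notes.txt", b"plain text, nothing else"),
    ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("run.vbs", b'WScript.Echo "hi"'),
]

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES:
        print(triage(sample_name, sample_data))
```

An extension-only filter would skip `invoice.txt`; the header check selects it for scanning and flags the mismatch, while the genuine text and image files are still skipped.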

ActiveAction

ActiveAction is a set of pre-configured scan actions that can be performed on viruses and other types of malware. ActiveAction can be configured for both Scan Now and Real-time Scan.

When to Select ActiveAction

Trend Micro recommends that you select ActiveAction if you are not familiar with virus actions or if you are unsure of which scan action is the most suitable for a certain virus. Viruses vary significantly from one another; this requires appropriate virus actions for each virus type. Customizing scan actions for file viruses requires knowledge of viruses and can be a tedious task. For this reason, Trend Micro recommends the use of ActiveAction.

Some advantages of using ActiveAction versus customized scan actions are:
- Time saving: You spend no time customizing virus actions.
- Worry-free maintenance: ActiveAction uses Trend Micro recommended scan actions so you can concentrate on other tasks and not worry about making mistakes.
- Updateable scan actions: Trend Micro includes new ActiveAction scan actions with every new pattern. Viruses constantly change how they attack, thus scan actions should be frequently modified to prevent possible infection.

Chapter 2: Getting Started with Core Protection for Virtual Machines

This chapter describes how to get started using Trend Micro Core Protection for Virtual Machines. Topics in this chapter include:
- Exploring the Web Console
- Summary Page
- Security Management
- Updates
- Logs
- Notifications
- Administration

Exploring the Web Console

The Core Protection for Virtual Machines Administrator Web console allows you to monitor ongoing activity, configure and run scans, update components, view logs, generate notifications, and administer Core Protection for Virtual Machines. To access the Administrator Web console, you must have a Trend Micro Core Protection for Virtual Machines Administrator account.

To start the Web console:

1. Open your Web browser and navigate to the Web console using one of the following:
- Local access: If you are accessing the Web console from the same machine where Core Protection for Virtual Machines resides, double-click on the Core Protection for Virtual Machines Console icon created at the time of installation, or from a Web browser enter the following:
- Remote access: If you have configured the Core Protection for Virtual Machines machine for network access, enter either of the following, where <hostname> is the hostname and <ip_address> is the IP address of the Core Protection for Virtual Machines machine:

You can also click on the CPVM Console desktop icon to open the browser to the CPVM logon window.

2. On the Logon page, enter your password and click Logon.

FIGURE 2-1. Administrator Web console Logon page

The Web browser opens the Summary page, where you can view the current Core Protection for Virtual Machines status.

FIGURE 2-2. Viewing the Core Protection for Virtual Machines Summary

For details on the Summary page, see Monitoring Core Protection for Virtual Machines starting on page 3-1.

Using the Administrator Web console, you can:
- View a summary of Core Protection for Virtual Machines activity and status
- Manage Security
- Update components
- Generate and view logs
- Configure notifications
- Perform administrator tasks

To view the pages for performing these tasks, use the main Core Protection for Virtual Machines menu in the left pane of the browser window.

Summary Page

The Summary page appears when you open the Core Protection for Virtual Machines Web console or click Summary in the main menu. This page provides system information and a summary of the current status of your virtual machines, scan results, and component updates. For more on the Summary page, see Monitoring Core Protection for Virtual Machines starting on page 3-1.

Security Management

The Security Management page provides a central page to:
- Manage the groups and members in your virtual installation
- Manage VC inventory
- Configure and perform scans
- Install/uninstall CPVM Scanning Agents and Real-Time Agents
- Configure logs
- Sync from VC directly

Group Management

Groups allow you to organize the members in your environment. When you create a group, it will be added to the Current Groups list in the right pane of the Security Management page. After you create a group you can add members or move members into the group.

The Group Management page allows you to:
- Create and view group information
- Add members to and remove members from groups
- Rename groups
- Delete groups

The following figure shows the Group Management page:

FIGURE 2-3. Group Management page

For more on Group Management, see Monitoring Core Protection for Virtual Machines starting on page 3-1.

VC Inventory

The VirtualCenter inventory provides a single point for viewing members and related information, moving machines among groups, and managing licenses. The VC Inventory page displays information about all the Virtual Machines, the host that they belong to, and licensing information. You can use this page to move members between existing groups.

The following shows the VC Inventory page:

FIGURE 2-4. VC Inventory page

For more on managing VirtualCenter inventory, see Monitoring Core Protection for Virtual Machines starting on page 3-1.

Member Management

Members are virtual machines in your Core Protection for Virtual Machines environment. Adding members to groups helps you to logically manage your security tasks.

Actions you can take on group members include:
- Add members
- Move members between groups
- Add and remove network shares

The following figure shows the Member Management page:

FIGURE 2-5. Member Management page

Tasks

The Tasks menu allows you to run scans at any time. These include:
- QuickScan Now
- Scan Now

For information on configuring the scans, along with configuring Real-Time Scans and Scheduled Scans, see Managing Core Protection for Virtual Machines starting on page

Settings

The Settings menu allows you to configure the settings for Core Protection for Virtual Machines (CPVM) scans. CPVM provides a number of options for scanning members in a group. You can perform a full scan at any time, or perform a limited scan of the disk based on information from the Windows Registry. You can also configure a Real-time Scan or a Scheduled Scan.

Scan actions you can take on groups or individual members include:
- QuickScan Settings
- Real-time Scan Settings
- Scheduled Scan Settings
- Scan Now Settings
- Enable or disable Scanning Agent

The following figure shows the Target tab of the Scan Now Settings page:

FIGURE 2-6. Scan Now Settings page

For details, see Performing Scans on page

Install

You can install the Real-time Agent on any given member to provide real-time anti-malware protection. When installed, the Real-time Agent service will monitor all disk I/O and ensure that no disk writes result in possible malware. The Real-time Agent gets the latest signature updates from the CPVM Server on a schedule defined by the administrator.

The Scanning Agent is a service that runs on a host and scans dormant VMs or live Virtual Machines as specified by the schedule and policy set on the Core Protection for Virtual Machines Server. The schedule and the policies are pushed to each of the Scanning Agent Servers by the CPVM Server.

Logs

Logs help you analyze your infrastructure protection, troubleshoot, and manage security risks in your network. Additional log options are available on the Logs page.

Log configuration actions include:
- Configure the Virus/Malware Log Criteria
- Configure the Spyware/Grayware Log Criteria
- Delete Logs

The following figure shows the Spyware/Grayware Log Criteria page:

FIGURE 2-7. Spyware/Grayware Log Criteria window

For details, see Performing Scans on page

Additional log options are available on the Logs page. For details, see Performing Scans on page

Updates

You can configure Core Protection for Virtual Machines to update server or members automatically or manually update them at any time. You should configure Core Protection for Virtual Machines to regularly check the update server and automatically download any available updates. Using scheduled updates ensures that components are current. You can also roll back component updates.

Available actions include:
- View an Update Summary
- Configure the Server Update Schedule
- Update the Server Manually
- Configure the Server Update Source
- Update Members Automatically
- Update Members Manually
- Roll Back Components

The following figure shows the Automatic Updates for Members page:

FIGURE 2-8. Automatic Updates for Members page

For details, see Performing Scans on page

Logs

Logs help you analyze your infrastructure protection, troubleshoot, and manage security risks in your network. Core Protection for Virtual Machines provides options for managing and viewing logs.

Logs you can configure and view include:
- Virus/malware
- Spyware/grayware
- Member update
- Server
- System events

The following shows a system event log.

FIGURE 2-9. System Event log

For details, see Viewing and Managing Logs on page

Notifications

You can configure Core Protection for Virtual Machines to alert an administrator when virus/malware or spyware/grayware is detected or a system event occurs. Core Protection for Virtual Machines enables you to configure the specific events that will trigger a notification and to whom the notifications will be sent. You can configure Core Protection for Virtual Machines to send notifications through and SNMP traps.

FIGURE Configure General Settings page

For details, see Managing Notifications on page

Administration

The Administration pages allow you to perform Core Protection for Virtual Machines administration tasks, including:
- Set the console password
- Configure proxy settings
- Configure virtualization infrastructure settings
- Configure compatible products
- View and update your product license

Console Password

On the Console Password page you can reset your password for logging onto the Administrator Web console.

FIGURE Console Password page

For details, see Setting the Web Console Password on page

Proxy Settings

You can connect Core Protection for Virtual Machines to a proxy server. If you want to use a proxy server for public connections, see Configuring Proxy Settings on page 8-4.

FIGURE Proxy Settings page

Virtual Infrastructure Settings

From the Virtual Infrastructure Settings page, you can:
- Configure the information required to connect to the Virtual Center.
- Register or unregister the Virtual Center plug-in.
- Specify time intervals to automatically sync with Virtual Center.

FIGURE Virtual Infrastructure Settings page

For more information, see Configuring Virtual Infrastructure Settings on page

Compatible Products

Using the Compatible Products page, you can define the products you want to allow to operate in your Core Protection for Virtual Machines environment and the products that Core Protection for Virtual Machines will keep updated.

Products that you can configure are:
- Trend Micro OfficeScan
- Trend Micro ServerProtect

FIGURE Compatible Products page

For information on configuring compatible products settings, see Configuring Compatible Products on page

Product License

The Product License page displays the current status of your current Core Protection for Virtual Machines product license and allows you to update your product license when necessary. For more information, see Viewing and Updating Your Product License on page

Chapter 3
Monitoring Core Protection for Virtual Machines

This chapter describes how to monitor Core Protection for Virtual Machines status using the Summary page.

Topics in this chapter:
- Overview
- Viewing System Information
- Viewing Virtual Machine Status
- Viewing Scan Results
- Viewing Server Update Status

Overview

The Summary page provides current information on Core Protection for Virtual Machines activity and status.

The Summary page shows:
- System information
- Status of virtual machines
- Current scan results
- Server update status

To open the Summary page:

From the main Core Protection for Virtual Machines menu, click Summary.

FIGURE 3-1. Viewing the Core Protection for Virtual Machines Summary

Viewing System Information

The System Information area shows the status and details of the Core Protection for Virtual Machines system. The following information is provided:
- Product Version: The version of the Core Protection for Virtual Machines software installed on your server
- Platform: The hardware platform of your Core Protection for Virtual Machines Server
- OS: The operating system installed on your Core Protection for Virtual Machines Server

For information on updating your Core Protection for Virtual Machines software, see Updating Components starting on page 5-1.

Viewing Virtual Machine Status

The Virtual Machine Status area shows the current status of the components in your Core Protection for Virtual Machines installation:
- PoweredOn Virtual Machines
- PoweredOff Virtual Machines
- Real-Time Agents
- CPVM Scanning Agents
- Virtual Machines Scanned
- Virtual Machines Infected/Cleaned

Viewing Scan Results

The Scan Results For area displays a summary of the scan results for the day and the total for the week. The number of viruses and spyware/grayware detected for the day is displayed in the right corner of the Scan results for title bar.

To view scan results:

Select Scan results for > Virus or Scan Results for > Spyware/Grayware.

Scan results for today and the last seven days are displayed. This includes the numbers that are:
- Uncleanable
- Quarantined
- Deleted
- Passed
- Cleaned
- Renamed

Viewing Server Update Status

The Server Update Status area shows the status of each component in your installation for the following:
- Antivirus
- Anti-spyware

To view update status details:

1. From the main Core Protection for Virtual Machines menu, click Summary.

FIGURE 3-2. Viewing a Component Update Summary

2. Click in front of the Member Component name to expand the display. The list expands to show the current version, latest version, and last update for any of the following:

   Antivirus
   - Virus Pattern
   - Virus Scan Engine (32-bit)
   - Virus Scan Engine (64-bit)

   Anti-spyware
   - Spyware Pattern
   - Spyware Scan Engine (32-bit)
   - Spyware Scan Engine (64-bit)

3. To perform updates of all the components for the server, click Update Now.

For information on updating the Core Protection for Virtual Machines components, see Updating Components starting on page

Chapter 4
Managing Core Protection for Virtual Machines

This chapter describes how to manage Core Protection for Virtual Machines.

Topics in this chapter include:
- Managing Groups
- Managing VC Inventory
- Managing Members
- Performing Scans
- Configuring Scan Settings
- Enabling and Disabling the Scanning Agent
- Managing Agents
- Viewing and Managing Logs

Managing Groups

Groups allow you to organize the members in your virtual infrastructure.

Actions you can take on groups include:
- View group information
- Add groups
- Rename groups
- Delete groups

Viewing Group Information

The Security Management page allows you to view group information, such as number of members and an overview of component updates and scans.

To view group information:

From the main Core Protection for Virtual Machines menu, click Security Management.

FIGURE 4-1. View group information

The list in the right pane provides the following information for each group:
- Groups: The current groups on your site.
- Members: The number of members in the group.
- Scanning Agents: The number of Scanning Agents in the group.
- Real-Time Agents: The number of Real-Time Agents in the group.
- Last Scheduled Security Scan: The last time a Scheduled Scan was run on the group members.

Adding Groups

When you add a group, it will be added to the Current Groups list in the right pane of the Security Management page. After you create a group you can add members or move members into the group.

To add a group:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. From the Manage Security Groups drop-down list, select Add Group.

   FIGURE 4-2. Add Group window

3. In the Add Group window, enter a name in the Group name text box and click Add.

You can now add members to the group. For instructions on how to add members, see Adding a Member to a Group on page

Renaming a Group

To rename a group:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. In the Current Groups list, select the group to rename.
3. Click Manage Security Groups and select Rename Group from the drop-down list to open the Rename Group window.

   FIGURE 4-3. Rename Group window

4. In the Rename Group window, enter the new name in the Rename the selected group to text box and click Save.

Deleting a Group

To delete a group:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. In the Current Groups list, select the groups to delete.

3. From the Manage Security Groups drop-down list, select Delete Group.

   FIGURE 4-4. Delete Group window

4. In the dialog box, click Delete.

Managing VC Inventory

The VirtualCenter inventory provides a single point for viewing members and related information, moving machines among groups, and managing licenses.

Note: Individual VMDK files on a network share will not be shown in the VC inventory list, but the network share will be shown.

To manage VC inventory:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Click VC Inventory. The VC Inventory window displays a list of members in your site, along with the group, host, and license status.

   FIGURE 4-5. VC Inventory window

   Note: Do not move members between groups while a scan is in progress. Before you move a member, be sure a scan, including a scheduled scan, is not in progress.

3. Select the members you want to move and click Move.

4. In the Move selected member(s) to drop-down list, select the group where you want to move the members.

   FIGURE 4-6. Move Members box

5. To apply the settings of the group to the members, select Apply settings of new group to selected members.

Managing Members

Members are virtual machines or network shares in your Core Protection for Virtual Machines environment. Adding members to groups helps you to logically manage your security tasks.

Actions you can take on group members include:
- View Member information
- Add members
- Move members
- Search for a member
- Add network share
- Remove network share

Viewing Member Information

The Security Management page allows you to view member information, such as power status and scan results, in each group.

To view member information:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Click in front of Security Groups in the left pane to view the current groups.

3. Click on the group whose member information you want to view.

   FIGURE 4-7. View Member information

The list in the right pane provides the following information for each member in the selected group:
- Category
- Power Status
- Scan Status
- Scan Results
- IP Address

Adding a Member to a Group

Virtual machine inventory is obtained directly from the Virtual Center, but if you want to set up a physical machine to perform the scanning function, you must explicitly add it as a member. When you add the physical machine as a member, the Scanning Agent will automatically be installed on that machine.

Note: Physical Scanning Agent (SA) members are allowed only in the default group. If you add or move a physical SA to any other group, it will be moved back to the default group.

Note: When you uninstall the Scanning Agent from the physical machine using Install->Uninstall Agent, the member will automatically be removed from the list of members.

To add a member:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Click in front of Security Groups in the left pane to display the current groups.
3. In the Security Groups pane, click on the group to which you want to add a member.

4. Click Member Management and select Add Member from the drop-down list to open the Add Physical SA dialog box.

   FIGURE 4-8. Add Physical SA window

5. In the IP/Hostname text box, enter the IP address or host name of the new member.
6. Click Add.

Moving Members to Another Group

Members are virtual machines in your Core Protection for Virtual Machines environment. Members can be moved from one group to another to help you logically manage your security tasks. When new virtual machines are sensed by CPVM, they are initially placed under the default security group and automatically assigned the default policy for scanning. These can then be moved to other groups to apply a different group security policy.

Note: Do not move members between groups while a scan is in progress. Before you move a member, be sure a scan, including a scheduled scan, is not in progress. Otherwise, there could be a problem syncing with CPVM server.

To move a member:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Click in front of Security Groups in the left pane to display the current groups.
3. In the Security Groups pane, click on the group that includes the member you want to move.
4. In the Members list, select the members to move.
5. Click Member Management and select Move Member from the drop-down list to open the Move Member(s) window.

   FIGURE 4-9. Move Member(s) window

6. In the Move selected members to drop-down box, select the group where you want to move the member.
7. Click Move.

Managing a Network Share

Core Protection for Virtual Machines allows you to scan VMDK files that are not in the VirtualCenter inventory but are located on a network share. You add a network share by specifying a network path as a root folder, which can contain one or more subfolders that hold VMDK files. When you add a network share that stores multiple VMDK files, all the VMDK files share the same security policy as defined by either the group policy or the actual network share policy. The group policy is used for scanning each VMDK, and you can define a specific scan policy for each on the Security Management page. CPVM logs any events associated with these files and includes the network path as part of the log. If you remove members, the members will be removed from the VC inventory list.

Note: Any snapshots on dormant VMs on a network share will not be scanned and cleaned during a scan.

To add a network share:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Click in front of Security Groups in the left pane to display the current groups.
3. Click the group to which you want to add a network share.

4. From the Member Management drop-down list, select Add Network Share.

   FIGURE Add Network Share window

5. Enter a name for the network share.
6. Enter the path to the network share. For example, if your vmdk files are located on both \\ \vmdk\winxp and \\ \vmdk\win2003, you could specify \\ \vmdk as your network share.
7. Enter the user name and password of the network share.
8. Click Test Connection to test the network share information you have entered.
9. Click Add.

To remove a network share:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Click in front of Security Groups in the left pane to display the current groups.
3. In the Security Groups pane, click on the group from which you want to remove a network share.
4. In the Members list, select the network share you want to remove.
5. From the Member Management drop-down list, select Remove Network Share.
6. In the dialog box, click OK.

Performing Scans

You have the option in Core Protection for Virtual Machines to perform the following types of scan:
- Scan Now
- QuickScan
- Real-time Scan
- Scheduled Scan

For information on configuring how the scans will behave, see Configuring Scan Settings on page

Scan Now

Scan Now performs a full scan whenever an administrator chooses. It can be user-initiated by selecting a VM from the inventory list.

QuickScan

Unlike a full scan where a complete scan of all files is performed, a QuickScan performs a limited scan of the disk based on information from the Windows Registry. It loads the Registry to identify what files need to be scanned and performs a scan and clean operation on those files. If malware is detected, it attempts to clean the malware. If that is unsuccessful, it quarantines the file and modifies the Registry accordingly.

Note: QuickScan is allowed only on dormant machines as it may require modifications to the registry if malware is detected.

The Core Protection for Virtual Machines Server receives updates to the VC inventory periodically from the VirtualCenter. If it identifies a new VM that was previously not on its list, then it will perform a QuickScan on the VM if it is in dormant state.

Core Protection for Virtual Machines takes the following actions, based on user settings, when a QuickScan detects malware:
- If the administrator has configured Core Protection for Virtual Machines to perform a full scan if malware is detected, then upon detection of malware Core Protection for Virtual Machines will perform a full scan on the member. It will also log the event indicating the malware type detected, when it was detected, and results of the clean operation or file quarantine.
- If the administrator has set configuration to just log the event when malware is detected, then upon detection of malware Core Protection for Virtual Machines will log the event indicating malware type detected, when it was detected and the result of the clean operation or file quarantine.

Real-time Scan

A Real-time Scan runs continuously and provides solid virus protection. All file I/O events are monitored and infected files are thus prevented from being copied to or from the server.

Scheduled Scan

A full scan can be initiated based on a set schedule for selected members. Core Protection for Virtual Machines sequentially performs a full scan of each selected member. Since the CPVM Scanning Agent may be deployed on multiple hosts, multiple Scanning Agents can perform full scans on different members at the same time.

About Agents

CPVM provides two agents for performing scanning tasks:
- Real-time Agent
- Scanning Agent

Real-time Agent

The Real-time Agent provides real-time protection for live members. The Real-time Agent does not perform full scans. It provides protection as follows:
- Performs pattern signature and engine updates based on the schedule set by the administrator or when it gets a specific notification from the Core Protection for Virtual Machines Server.
- Monitors disk I/O and protects files being written so that they do not introduce malware.
- When the CPVM Scanning Agent performs a full scan of the live member and finds malware, it notifies the CPVM Server. The CPVM Server informs the Real-time Agent and requests that the virus be cleaned or files quarantined. Upon completion of this action, the Real-time Agent informs the central server of the result (success/failure).

Note: If the Real-time Agent is unable to see the virus (such as a rootkit), then a failure event is sent to the CPVM Server as an error. You will need to turn the member off and then perform a full scan/clean when the member is dormant.

Note: If you have not installed Real-time Agent in a live member, because there is an instance of ServerProtect, OfficeScan, or some other competitor product running in the member, then cleaning is not an option and the CPVM Server sends an event to the administrator informing him or her to take appropriate action.

CPVM Scanning Agent

The CPVM Scanning Agent is a service that runs on a host and scans dormant or live Virtual Machines as specified by the schedule and policy set on the Core Protection for Virtual Machines Server. The schedule and the policies are pushed to each of the Scanning Agent Servers by the Core Protection for Virtual Machines Server.

IntelliScan

Rather than relying on the file name alone, Core Protection for Virtual Machines uses IntelliScan to identify the true file type and determine whether the file is a type that Core Protection for Virtual Machines should scan.

True File-type Detection

Using true file-type identification, IntelliScan examines the header of the file first and checks if the file is an executable, compressed, or other type of file that may be a threat. IntelliScan examines all files to be sure that they have not been renamed. The extension must conform to the file's internally registered data type. For example, Microsoft Word documents are file extension independent. Even if you rename a document from "legal.doc" to "legal.lgl", Word still recognizes and opens the document along with any macro viruses it contains. IntelliScan identifies the file as a Word document regardless of the file extension and scans it accordingly.

File Extension Checking

IntelliScan also uses extension checking, that is, the file name itself. An updated list of extension names is available with each new pattern file. For example, the discovery of a new ".jpg" file vulnerability prompts Trend Micro to add the ".jpg" extension to the extension-checking list in the next pattern update.
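The two checks described above, header-based true file-type detection followed by extension checking, can be sketched as follows. This is an added Python example, not Trend Micro's IntelliScan code: the signature table, the expected-extension map and the one-entry extension list are assumptions built from well-known magic numbers and from the ".jpg" example in the text.

```python
import os

# Well-known file signatures ("magic numbers"). Constructed for this example;
# a real scanner ships a far larger table with its pattern file.
SIGNATURES = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),  # legacy Word/Excel container
    (b"MZ", "pe"),                                   # Windows executable
    (b"PK\x03\x04", "zip"),                          # ZIP and ZIP-based formats
    (b"\x1F\x8B", "gzip"),                           # gzip-compressed data
    (b"%PDF-", "pdf"),
]

# Extensions that normally go with each detected type (assumed mapping).
EXPECTED_EXTENSIONS = {
    "ole2": {".doc", ".xls", ".ppt", ".msi"},
    "pe": {".exe", ".dll", ".sys", ".scr"},
    "zip": {".zip", ".docx", ".xlsx", ".jar"},
    "gzip": {".gz", ".tgz"},
    "pdf": {".pdf"},
}

# Hypothetical extension-checking list, standing in for the list that the
# guide says is delivered with each pattern update.
EXTENSION_WATCHLIST = {".jpg"}

HEADER_LEN = max(len(magic) for magic, _ in SIGNATURES)


def true_type(header):
    """Return the type name matching the file header, or None if unknown."""
    for magic, name in SIGNATURES:
        if header.startswith(magic):
            return name
    return None


def classify(filename, header):
    """Decide whether to scan a file, trusting its header before its name."""
    ext = os.path.splitext(filename)[1].lower()
    ftype = true_type(header)
    # A recognised header paired with an unexpected extension means the file
    # was renamed (or disguised); it is scanned as what it really is.
    renamed = ftype is not None and ext not in EXPECTED_EXTENSIONS[ftype]
    if ftype is not None:
        reason = "true-type"
    elif ext in EXTENSION_WATCHLIST:
        reason = "extension"
    else:
        reason = None
    return {"type": ftype, "renamed": renamed,
            "scan": reason is not None, "reason": reason}


def classify_file(path):
    """Read only the leading bytes of a file on disk and classify it."""
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
    return classify(os.path.basename(path), header)


if __name__ == "__main__":
    ole2 = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
    # Constructed sample inputs: (file name, first bytes of the file).
    samples = [
        ("legal.doc", ole2),                  # Word document, honest name
        ("legal.lgl", ole2),                  # same document, renamed
        ("holiday.jpg", b"MZ\x90\x00\x03"),   # executable posing as an image
        ("photo.jpg", b"\xFF\xD8\xFF\xE0"),   # unknown header, listed extension
        ("notes.txt", b"meeting notes"),      # unknown header, unlisted extension
    ]
    for name, header in samples:
        print(name, classify(name, header))
```

The renamed "legal.lgl" is still classified as an OLE2 document and scanned, while "photo.jpg" is picked up only because its extension is on the list.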

ActiveAction

ActiveAction is a set of pre-configured scan actions for specific types of viruses/malware. Trend Micro recommends using ActiveAction if you are not sure which scan action is suitable for each type of virus/malware. With ActiveAction, you do not have to spend time customizing the scan actions. The following table illustrates how ActiveAction handles each type of virus/malware.

TABLE 4-1. ActiveAction Virus/malware Handling

| Virus/Malware Type | Real-time Scan: First Action | Real-time Scan: Second Action | Manual Scan/Scheduled Scan/Scan Now: First Action | Manual Scan/Scheduled Scan/Scan Now: Second Action |
|---|---|---|---|---|
| Joke | Quarantine | N/A | Quarantine | N/A |
| Virus | Clean | Quarantine | Clean | Quarantine |
| Test Virus | Pass | N/A | Pass | N/A |
| Packer | Quarantine | N/A | Quarantine | N/A |
| Others | Clean | Quarantine | Clean | Quarantine |
| Generic | Pass | N/A | Pass | N/A |

Scan Actions

For Virus/Malware:
- Delete: Deletes an infected file.
- Quarantine: Moves an infected file to the member's quarantine directory found in {Core Protection for Virtual Machines member folder}\virus. The default quarantine directory is {Core Protection for Virtual Machines server folder}\virus, which you can change by going to Security Management > (Group Name) > Settings > {Scan Type} > Action tab.

- Clean: Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file.
- Rename: Changes the infected file's extension to "vir". Users cannot open the file initially, but can do so if they associate the file with a certain application. A virus/malware may execute when opening the renamed infected file.
- Pass: Allows full access to the infected file without doing anything to the file. A user may copy/delete/open the file.

Note: If you select Pass, you may allow a VM to become infected.

For Spyware/Grayware:
- Clean: Terminates processes or deletes registries, files, cookies and shortcuts.
- Pass: Logs the spyware/grayware detection for assessment.

Note: If you select Pass, you may allow a VM to become infected.

- Delete: Deletes an infected file.

Initiating a QuickScan

Unlike a full scan where a complete scan of all files is performed, a QuickScan performs a limited scan of the disk based on information from the Windows Registry. It loads the Registry to identify what files need to be scanned and performs a scan and clean operation on those files. If malware is detected, it attempts to clean the malware. If that is unsuccessful, it quarantines the file and modifies the Registry accordingly. A QuickScan scans only dormant VMs.

The Core Protection for Virtual Machines Server receives updates to the VC inventory periodically from the VirtualCenter. If it identifies a new VM that was previously not on its list, then it will perform a QuickScan on the new VM if it is in dormant state.

Note: To avoid performance impact on your network, the scan progress is updated every 60 seconds and may not immediately reflect the actual scan progress. If you wish to see the actual scan progress, use the Refresh link to refresh the page.

To initiate a QuickScan:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. To change the pre-configured QuickScan settings before initiating the scan, click Settings and select QuickScan Settings, and make any changes in the QuickScan Settings window. For instructions on how to configure the settings, see Configuring QuickScan Settings on page
3. Click Tasks and select QuickScan Now from the drop-down list to open the QuickScan Now window.

   FIGURE QuickScan Now window

4. In the member list, select the members that are required to be scanned and then click Initiate QuickScan Now. The server sends a notification to the Scanning Agent(s) for that group to perform a scan on those members.
5. View the status for member machines on the Security Management page to verify the scan status.

Note: If you selected multiple members to scan and you decide to stop the scan, scans for all members that are still in Pending or Scanning state will be aborted. Their scan progress will show 0 and scan status will show "Stopped."

Performing a Scan Now

In addition to turning on Real-time Scan and configuring Scheduled Scan, Trend Micro recommends initiating Scan Now on members that you suspect to be infected.

To perform a Scan Now:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. To change the pre-configured Scan Now settings before initiating the scan, click Settings > Scan Now settings. The Scan Now Settings screen opens. For information on configuring the Scan Now settings, see Configuring Real-time Scan Settings.
3. Click Tasks > Scan Now to open the Scan Now window.

FIGURE Scan Now window

4. In the member list, select the target members to be scanned. To search for a specific member, enter the member name into the Member Name text box and click Search.
5. Click Initiate Scan Now. The server sends a notification to the Scanning Agent in that group to perform a scan on the target members.
6. For members already in the process of scanning, click Stop Scan Now to notify them to stop scanning.

Note: Stop Scan Now does not terminate the scan for a member (VM or network share) whose scan status is pending.

Configuring Scan Settings

Core Protection for Virtual Machines provides a number of options for scanning members in a group. You can perform a full scan at any time, or perform a limited scan of the disk based on information from the Windows Registry. You can also configure a Real-time Scan or a Scheduled Scan. Scan actions you can take on groups include:

- QuickScan settings
- Real-time Scan settings
- Scheduled Scan settings
- Scan Now settings

Scan settings can be set at group level and at member level. The group level settings represent all generic settings that you require to be applied to all members within a group. Member level settings are applied to override specific settings that were defined at the group level.

A scan schedule can only be set at the group level. All members within that group are scanned as per the schedule by the Scanning Agent(s) within that group.

Scan exclusion settings are global, and if defined for one type of scan settings, such as Real-time Scan Settings, they are automatically applied to all other types of scan settings.

Configuring QuickScan Settings

To configure a QuickScan, specify the scan targets and the actions to take when security risks are encountered.

To configure a QuickScan:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Under Security Groups, click the group you want to configure.
3. Click Settings and select QuickScan Settings.

FIGURE Configure QuickScan Target tab

4. On the Target tab, select whether to initiate a QuickScan when a new virtual machine is added. Click Save.
5. To configure scan actions:

   a. Click the Action tab.

FIGURE Configure QuickScan Action tab

   b. Specify virus/malware scan action(s). You can:
      - Use ActiveAction. For more information, see ActiveAction.
      - Manually select a specific scan action for each virus/malware type. For more information, see Scan Actions.

Note: If you manually select a scan action and choose Clean, you need to specify a second action that Core Protection for Virtual Machines takes if cleaning is unsuccessful.

   c. To specify a different virus/malware quarantine directory, enter the path in the field provided. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Specify the quarantine directory as an absolute file path on the member, for example, C:\temp.

WARNING! If you specify an incorrect quarantine directory, the CPVM client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the server's virus/malware logs, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

   d. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.
   e. Select whether to perform a full scan when malware is detected.
   f. Click Save.

Configuring Real-time Scan Settings

To configure a Real-time Scan, specify the scan targets and the actions to take when security risks are encountered.

To configure a Real-time Scan:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Under Security Groups, click the group you want to configure.

3. Click Settings and select Real-time Scan Settings.

FIGURE Configure Real-time Scan Target tab

4. On the Target tab, configure the scan target:
   a. Decide whether to enable real-time scanning for virus/malware, and then select or deselect the check box.
   b. Select the files to scan based on user activity.

TABLE 4-2. User Actions (Real-time Scan behavior for each activity, if the option selected is...)

Activity: Open a read-only file
   Scan files being created/modified: Real-time Scan does not scan the file.
   Scan files being retrieved: Real-time Scan scans the file.
   Scan files being created/modified and retrieved: Real-time Scan scans the file.

Activity: Copy or move a file from a directory excluded from scanning
   Scan files being created/modified: Real-time Scan scans the file in the destination directory (if Core Protection for Virtual Machines does not exclude this directory from scanning).
   Scan files being retrieved: Real-time Scan does not scan the file in the destination directory.
   Scan files being created/modified and retrieved: Real-time Scan scans the file in the destination directory (if Core Protection for Virtual Machines does not exclude this directory from scanning).

   c. Select one of the options under Files to Scan. Some notes on the options:
      - To learn more about IntelliScan, see IntelliScan.
      - If you choose to scan files based on extensions, you can add or delete extensions from the default set of extensions.
   d. Select additional settings under Scan Settings.

   e. Specify any directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.

Tip: You can also use * as a wildcard when specifying extensions. There are some Trend Micro product directories that you need to manually add to the scan exclusion list.

   f. There are some Trend Micro product directories that need to be excluded. To exclude these directories, select Exclude directories where Trend Micro products are installed.
   g. Click Save.
5. To configure scan actions:
   a. Click the Action tab.

FIGURE Configure Real-time Scan Action tab

   b. Specify virus/malware scan action(s). You can:
      - Use ActiveAction. For more information, see ActiveAction.
      - Manually select a specific scan action for each virus/malware type. For more information, see Scan Actions.

Note: If you manually select a scan action and choose Clean, you need to specify a second action that Core Protection for Virtual Machines takes if cleaning is unsuccessful.

   c. To specify a different virus/malware quarantine directory, enter the path in the field provided. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Specify the quarantine directory as an absolute file path on the member. For example, C:\temp.

WARNING! If you specify an incorrect quarantine directory, the Core Protection for Virtual Machines client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the server's virus/malware logs, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

   d. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.
   e. Click Save.

Configuring Scheduled Scan Settings

To configure a Scheduled Scan, specify the scan targets and the actions to take when security risks are encountered.

Note: The schedule can only be set at the group level. All members within that group are scanned as per the schedule by the Scanning Agent(s) within that group. The scan is performed by the Scanning Agent(s) for that group as per the specified schedule.

To configure a Scheduled Scan:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Under Security Groups, click the group you want to configure.
3. Click Settings and select Scheduled Scan Settings.

FIGURE Configure Scheduled Scan Target tab

4. On the Target tab, configure the scan target:
   f. Configure a schedule for the scan.
   g. Select one of the options under Files to Scan. Some notes on the options:
      - To learn more about IntelliScan, see IntelliScan.
      - If you choose to scan files based on extensions, you can add or delete extensions from the default set of extensions.
   h. Select additional settings under Scan Settings.
   i. Specify any directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.

Tip: You can also use * as a wildcard when specifying extensions.

   j. There are some Trend Micro product directories that you need to manually add to the scan exclusion list. To exclude these directories, select Exclude directories where Trend Micro products are installed.
   k. Click Save.

5. To configure scan actions:
   a. Click the Action tab.

FIGURE Configure Scheduled Scan Action tab

   b. Specify virus/malware scan action(s). You can:
      - Use ActiveAction. For more information, see ActiveAction.
      - Manually select a specific scan action that applies to all virus/malware types. For more information, see Scan Actions.

Note: If you manually select a scan action and choose Clean, you need to specify a second action that Core Protection for Virtual Machines takes if cleaning is unsuccessful.

   c. To specify a different virus/malware quarantine directory, enter the path in the field provided. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Specify the quarantine directory as an absolute file path on the member. For example, C:\temp.

WARNING! If you specify an incorrect quarantine directory, the Core Protection for Virtual Machines client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the server's virus/malware logs, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

   d. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.
   e. Click Save.

Configuring Scan Now Settings

To configure a Scan Now, specify the scan targets and the actions to take when security risks are encountered.

To configure a Scan Now:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Under Security Groups, click the group you want to configure.
3. Click Settings and select Scan Now Settings.

FIGURE Configure Scan Now Target tab

4. On the Target tab, configure the scan target:
   f. Select one of the options under Files to Scan. Some notes on the options:
      - To learn more about IntelliScan, see IntelliScan.
      - If you choose to scan files based on extensions, you can add or delete extensions from the default set of extensions.
   g. Select additional settings under Scan Settings.

   h. Specify the directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.
   i. There are some Trend Micro product directories that you need to manually add to the scan exclusion list. To exclude these directories, select Exclude directories where Trend Micro products are installed.

Note: You can also use * as a wildcard when specifying extensions.

   j. Click Save.
5. To configure scan actions:
   a. Click the Action tab.

FIGURE Configure Scan Now Action tab

   b. Specify virus/malware scan action(s). You can:
      - Use ActiveAction. For more information, see ActiveAction.
      - Manually select a specific scan action for each virus/malware type.

Note: If you manually select a scan action and choose Clean, you need to specify a second action that Core Protection for Virtual Machines takes if cleaning is unsuccessful.

   c. To specify a different virus/malware quarantine directory, enter the path in the field provided. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Specify the quarantine directory as an absolute file path on the member. For example, C:\temp.

WARNING! If you specify an incorrect quarantine directory, the Core Protection for Virtual Machines client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the server's virus/malware logs, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

   d. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.
   e. Click Save.

Enabling and Disabling the Scanning Agent

You can enable or disable the Scanning Agent for any members in your Core Protection for Virtual Machines environment. For example, you would disable scanning prior to virtual infrastructure maintenance.

To enable the Scanning Agent:

1. From the Core Protection for Virtual Machines main menu, click Security Management.
2. Select the group where you want to enable the Scanning Agent.
3. Select the machines on which you want to enable the Scanning Agent.
4. From the Settings menu, select Enable Scanning Agent.

FIGURE Enable Scanning Agent window

5. Enter your user name and password.
6. Click Enable.

To disable the Scanning Agent:

1. From the Core Protection for Virtual Machines main menu, click Security Management.
2. Select the group where you want to disable the Scanning Agent.
3. Select the members on which you want to disable the Scanning Agent.

4. From the Settings menu, select Disable Scanning Agent.

FIGURE Disable Scanning Agent window

5. Enter your user name and password.
6. Click Disable.

Managing Agents

This section describes how to manage agents, including:

- Installing the Real-time Agent
- Installing the Scanning Agent
- Uninstalling Agents
- Upgrading Agents

Installing the Real-time Agent

To install the Real-time Agent:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. In the Security Groups pane, click on the group that includes the members where you want to install the Real-time Agent.

3. Select one or more members on which you want to install the Real-time Agent.

Note: The members you select must be online and connected. They must not include members that already have a Real-time Agent installed, and must not be network shares.

4. Click Install and select Install Real-time Agent from the drop-down list to open the Install Real-time Agent window.

FIGURE Install Real-time Agent window

5. Enter the user name and password. The account must have administrator privileges on the target VMs.
6. Click Install.

Installing the Scanning Agent

To install the Scanning Agent:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. In the Security Groups pane, click on the group that includes the members where you want to install the Real-time Agent.

3. Select one or more members on which you want to install the Scanning Agent.

Note: The members you select must be online and connected. They must not include members that already have the Scanning Agent installed, and must not be network shares.

4. Click Install and select Install Scanning Agent from the drop-down list to open the Install Scanning Agent window.

FIGURE Install Scanning Agent window

5. Enter the user name and password. The account must have administrator privileges on the target VMs.
6. Click Install.

Uninstalling Agents

To uninstall agents:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. In the Security Groups pane, click on the group that includes the members where you want to uninstall the agent.

Note: The members you select must have the same type of agents, either all Scanning Agents (SA) or all Real-time Agents (RTA). You cannot uninstall a mixed group that includes both SAs and RTAs.

3. Click Install and select Uninstall Agent from the drop-down list.

FIGURE Uninstall Agent window

4. Enter the user name and password. The account must have administrator privileges on the target VMs.
5. Click Uninstall.

Upgrading Agents

Note: To upgrade agents, you must have administrator privileges on the target VMs and the VMs must all have the same username and password.

To upgrade agents:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Click the Security Group with the members that contain the agent to be upgraded.

Note: The members you select must have the same type of agents, either all Scanning Agents (SA) or all Real-time Agents (RTA). You cannot upgrade a mixed group that includes both SAs and RTAs.

3. Click Install > Upgrade Agent. The Upgrade Agent dialog box is displayed.

FIGURE Upgrade Agent Dialog Box

4. Enter the Username and Password for the target VMs.
5. Click Upgrade. A system message is displayed, "Upgrade Agent installation is initiated in the selected machine(s)."

Viewing and Managing Logs

Logs help you analyze your infrastructure protection, troubleshoot, and manage security risks in your network. Log actions include:

- View Virus/Malware logs
- View Software/Grayware logs
- Delete logs

Viewing Virus/Malware Logs

To view Virus/Malware logs:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. In the Security Groups pane, click on the group for which you want to view the logs.
3. Within the group, select the members for which you want to view the logs.

4. Click Logs and select Virus/Malware Logs from the drop-down list to open the Virus/Malware Log Criteria window, where you can specify the criteria for log viewing.

FIGURE Virus/Malware Log Criteria window

5. To specify a time period to include in the log, click on the Time Period drop-down box and select a time period.
6. To enter a start date and an end date, click on the Range option and do the following:
   - Click the Calendar icon next to the From box.
   - Select the month from the drop-down list or move backwards or forwards through the months by clicking on the Arrow buttons.
   - Enter the year and select a day.
   If you leave the Start Date field blank, all logs from the earliest date are included in the search.

7. To enter the latest date to include, click the Calendar icon next to the To box and follow the same steps as described above for From. If you leave the To box empty, all logs up to the present date will be included.
8. Specify the type of logs to view by selecting All Scan Types or any combination of the following:
   - QuickScan
   - Real-time Scan
   - Scheduled Scan
   - Scan Now
9. Click Display Logs.

Viewing the Spyware/Grayware Logs

To view the Spyware/Grayware logs:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. Click the group for which you want to view the logs.
3. Within the group, select the members for which you want to view the logs.

4. Click Logs and select Virus/Malware Logs from the drop-down list to open the Spyware/Grayware Log Criteria window, where you can specify the criteria for log viewing.

FIGURE Spyware/Grayware Log Criteria window

5. To specify a time period to include in the log, click on the Time Period drop-down box and select a time period.
6. To enter a start date and an end date, click on the Range option and do the following:
   - Click the Calendar icon next to the From box.
   - Select the month from the drop-down list or move backwards or forwards through the months by clicking on the Arrow buttons.
   - Enter the year and select a day.
   If you leave the Start Date field blank, all logs from the earliest date are included in the search.

7. To enter the latest date to include, click the Calendar icon next to the To box and follow the same steps as described above for From. If you leave the To box empty, all logs up to the present date will be included.
8. Click Display Logs.

Manually Deleting Logs

You can specify a schedule for deleting logs. You can choose which logs you want to delete, and whether to delete them daily, weekly, or monthly.

To manually delete logs:

1. From the main Core Protection for Virtual Machines menu, click Security Management.
2. In the Security Groups pane, click on the group for which you want to delete logs.

3. Click Logs and select Delete Logs from the drop-down list to open the Log Maintenance window.

FIGURE Log Maintenance window

4. Select the log types to delete, as follows:
   - All Member logs:
      - Virus/Malware logs
      - Spyware/Grayware logs
      - Member Update logs
   - Other logs: deletes the server logs.
5. Choose whether to delete all selected logs or only logs older than the specified number of days, as follows:
   - Delete all logs selected above
   - Delete logs selected above older than x days

6. Click Delete.

Chapter 5 Updating Components

The Updates pages allow you to:

- Components on page 5-2
- Viewing an Update Summary on page 5-5
- Configuring Scheduled Server Updates on page 5-8
- Performing a Manual Server Update on page 5-9
- Specifying a Server Update Source on page 5-10
- Configuring Automatic Member Updates on page 5-12
- Performing Manual Member Updates on page 5-14
- Rolling Back Updates on page

Components

The following are the Core Protection for Virtual Machines components.

Antivirus

- Virus Pattern: A file that helps Core Protection for Virtual Machines identify virus signatures, unique patterns of bits and bytes that signal the presence of a virus.
- Virus Scan Engine: The engine that scans for and takes appropriate action on viruses/malware; supports 32-bit and 64-bit platforms.

Note: You can roll back both the Virus Pattern and Virus Scan Engine.

Anti-spyware

- Spyware Pattern: The file that identifies spyware/grayware in files and programs, modules in memory, Windows registry and URL shortcuts.
- Spyware Scan Engine: The engine that scans for and takes appropriate action on spyware/grayware; supports 32-bit and 64-bit platforms.

Component Duplication

When the latest version of a full pattern file is available for download from the Trend Micro ActiveUpdate server, fourteen "incremental patterns" also become available. The Core Protection for Virtual Machines server compares its current full pattern version with the latest version on the ActiveUpdate server. If the difference between the two versions is 14 or less, the server only downloads the incremental pattern that accounts for the difference between the two versions.

Incremental patterns are smaller versions of the full pattern file that account for the difference between the latest and previous full pattern file versions. For example, if the latest version is 175, incremental pattern v_ contains signatures in version 175 not found in version 173 (version 173 is the previous full pattern version since pattern numbers are released in increments of 2). Incremental pattern v_ contains signatures in version 175 not found in version

To reduce network traffic generated when downloading the latest pattern, Core Protection for Virtual Machines performs component duplication, a component update method where the Core Protection for Virtual Machines server or Update Agent downloads only incremental patterns.

Component duplication applies to the following components:

- Virus pattern
- Spyware pattern

Updating a component as soon as a new version is available reduces the impact of component duplication on server performance. Therefore, make sure you download components regularly.

To help explain component duplication for the server, refer to the following scenario:

Full patterns on the Core Protection for Virtual Machines Server
   Current version: 171
   Other versions available:

Latest version on the ActiveUpdate server
   Full pattern version: 175
   Incremental patterns:

Component duplication process for the Core Protection for Virtual Machines server

1. The Core Protection for Virtual Machines server compares its current full pattern version with the latest version on the ActiveUpdate server. If the difference between the two versions is 14 or less, the server only downloads the incremental pattern that accounts for the difference between the two versions.

Note: If the difference is more than 14, the server automatically downloads the full version of the pattern file and 14 incremental patterns.

   To illustrate based on the example:
   - The difference between versions 171 and 175 is 2. In other words, the server does not have versions 173 and 175.
   - The server downloads incremental pattern
   - This incremental pattern accounts for the difference between versions 171 and

2. The server merges the incremental pattern with its current full pattern to generate the latest full pattern.

   To illustrate based on the example:
   - On the server, Core Protection for Virtual Machines merges version 171 with incremental pattern to generate version 175.
   - The server has 1 incremental pattern ( ) and the latest full pattern (version 175).

3. The server generates incremental patterns based on the other full patterns available on the server. If the server does not generate these incremental patterns, clients that missed downloading earlier incremental patterns automatically download the full pattern file, which consequently generates more network traffic.

   To illustrate based on the example:
   - Because the server has pattern versions 169, 167, 165, 163, 161, 159, it can generate the following incremental patterns:
   - The server does not need to use version 171 because it already has the incremental pattern
   - The server now has 7 incremental patterns:
   - The server keeps the last 7 full pattern versions (versions 175, 171, 169, 167, 165, 163, 161). It removes any older version (version 159).

4. The server compares its current incremental patterns with the incremental patterns available on the ActiveUpdate server. The server downloads the incremental patterns it does not have.

   To illustrate based on the example:
   - The ActiveUpdate server has 14 incremental patterns:
   - The Core Protection for Virtual Machines server has 7 incremental patterns:
   - The Core Protection for Virtual Machines Server downloads an additional 7 incremental patterns:
   - The server now has all the incremental patterns available on the ActiveUpdate server.

5. The latest full pattern and the 14 incremental patterns are made available to clients.

Viewing an Update Summary

The Update Summary screen displays the overall component update status. You can view the following information for each component:

- Current version
- Date and time of latest update
- Number of members with updated components
- Number of members with outdated components
- Total members, members online, and members offline

Tip: Refresh the page periodically for an accurate picture of your component update status.
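The five-step component duplication process described earlier in this chapter can be traced with a small model that reproduces the counts in the guide's scenario (current version 171, latest 175). This is an added example, not Trend Micro code: representing an incremental pattern as a (from_version, to_version) pair, and assuming the ActiveUpdate server publishes one incremental for each of the 14 preceding releases, are assumptions made here.

```python
"""Model of the server-side component duplication steps (added example)."""

STEP = 2               # guide: pattern numbers are released in increments of 2
MAX_INCREMENTALS = 14  # guide: fourteen incremental patterns per full pattern
KEEP_FULL = 7          # guide: the server keeps the last 7 full pattern versions


def version_gap(older, newer):
    """Number of releases between two full pattern versions (171 -> 175 is 2)."""
    if newer < older or (newer - older) % STEP:
        raise ValueError(f"{older} -> {newer} is not a valid upgrade path")
    return (newer - older) // STEP


def published_incrementals(latest):
    """Assumption: one incremental per previous release, 14 releases back."""
    return [(latest - STEP * k, latest) for k in range(1, MAX_INCREMENTALS + 1)]


def plan_download(current, latest):
    """Step 1: decide between an incremental and a full download."""
    gap = version_gap(current, latest)
    if gap == 0:
        return "none", []
    if gap <= MAX_INCREMENTALS:
        return "incremental", [(current, latest)]
    # More than 14 releases behind: full pattern plus all 14 incrementals.
    return "full", published_incrementals(latest)


def duplicate(current, older_fulls, latest):
    """Steps 1 to 4 for a server holding `current` and `older_fulls`."""
    kind, downloaded = plan_download(current, latest)
    have = set(downloaded)

    # Step 2: merging yields the latest full pattern on the server.
    fulls = sorted({latest, current, *older_fulls}, reverse=True)

    # Step 3: build incrementals from the other full patterns on disk,
    # skipping any pair the server already holds.
    generated = [
        (v, latest)
        for v in sorted(older_fulls, reverse=True)
        if (v, latest) not in have
        and version_gap(v, latest) <= MAX_INCREMENTALS
    ]
    have.update(generated)
    after_step3 = len(have)
    kept, removed = fulls[:KEEP_FULL], fulls[KEEP_FULL:]

    # Step 4: fetch whatever the update source has that the server lacks.
    fetched = [p for p in published_incrementals(latest) if p not in have]
    have.update(fetched)

    return {
        "download": kind,
        "generated": generated,
        "after_step3": after_step3,
        "kept_fulls": kept,
        "removed_fulls": removed,
        "fetched_step4": fetched,
        "total_incrementals": len(have),
    }


if __name__ == "__main__":
    # Scenario from the guide: server at 171, older fulls 169..159, latest 175.
    result = duplicate(171, [169, 167, 165, 163, 161, 159], 175)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A server that falls more than 14 releases behind takes the full-download branch, which is the traffic cost the guide's advice to update regularly is meant to avoid.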

To view the update summary:

1. From the Core Protection for Virtual Machines main menu, select Updates > Summary.

FIGURE 5-1. Update Summary page

2. In the Update Status for Members table, you can view the update status for each component.

3. For each component, you can view its current version and the last update date. You can also view members with out-of-date components. The Update Status for Members section displays the following current update status for all members in your infrastructure, broken down by category:
   - Component Version: The current version and date/time of the last update.
   - Member Update Status: The total number of members currently online and offline that have been updated, along with those that need to be updated. The chart provides a graphical representation of members updated and not yet updated. Click on the Offline, Online, or Total value for Outdated Status to go to the Manual Update page where you can update member components.
4. The above information is displayed for each of the following components:
   - Antivirus: Shows the current status of virus pattern and virus scan engine updates for all members in your environment.
      - Virus Pattern
      - Virus Scan Engine (32-bit)
      - Virus Scan Engine (64-bit)
   - Anti-spyware: Shows the current status of anti-spyware pattern and scan engine updates for all members in your environment.
      - Spyware Pattern
      - Spyware Scan Engine (32-bit)
      - Spyware Scan Engine (64-bit)

Configuring Scheduled Server Updates

Configure the Core Protection for Virtual Machines server to regularly check its update source and automatically download any available updates. Because members normally get updates from the server, using automatic scheduled update is an easy and effective way of ensuring that your protection against security risks is always current.

To configure a server update schedule:

1. From the main Core Protection for Virtual Machines menu, click Updates > Scheduled Update.

FIGURE 5-2. Server Scheduled Update page

2. Select Enable scheduled update of the Core Protection for Virtual Machines server.

3. Specify the update schedule. For daily, weekly and monthly updates, the period of time is the number of hours during which Core Protection for Virtual Machines will perform the update. Core Protection for Virtual Machines updates at any given time during this time period.
4. Specify the action to take if the update is unsuccessful.
5. Click Save.

Performing a Manual Server Update

You can perform a manual server update at any time.

To update the server manually:

1. From the main Core Protection for Virtual Machines menu, click Updates > Server Manual Update.

FIGURE 5-3. Server Manual Update page

2. To view component details, click in front of Antivirus or Anti-spyware.
3. Click Update. The server downloads the updated components.

Note: If you did not specify a component deployment schedule on the Automatic Update screen, the server downloads the updates but does not deploy them to the members.

Specifying a Server Update Source

There are two events that can trigger members to perform component updates. One is after the server downloads the latest components and the other is when members restart and then connect to the server. To trigger component update when these events occur, click Updates > Members > Automatic Update and go to the Event-triggered Update section.

To configure the server update source:

1. From the main Core Protection for Virtual Machines menu, click Updates > Server Update Source.

FIGURE 5-4. Server Update Source page

2. Select the location from where you want to download component updates. You can choose to download from the Trend Micro ActiveUpdate server, a specific update source, or a location on your company intranet.
3. To use an intranet location containing a copy of the current files, specify the location and credentials for the Server Update source files:
- UNC path: The location where the update files are stored.
- User name: The user name to access the shared folder.
- Password: The password to access the shared folder.
- Domain: The domain where the CPVM server is installed. If in a workgroup, leave this text box empty.
- User name: The user name to access the CPVM server.
- Password: The password to access the CPVM server.

Note: Core Protection for Virtual Machines uses component duplication when downloading components from the update source.

4. Click Save.

Configuring Automatic Member Updates

Trend Micro recommends that you always use automatic update. It removes the burden placed on members of performing manual updates and eliminates the risk of members not having up-to-date components.

To configure automatic member updates:

1. From the main Core Protection for Virtual Machines menu, click Updates > Automatic Update.

FIGURE 5-5. Automatic Update page

Note: If the Core Protection for Virtual Machines server is unable to successfully send an update notification to members after it downloads components, it automatically resends the notification after 15 minutes. The server continues to send update notifications up to a maximum of five times until the client responds. If the fifth attempt is unsuccessful, the server stops sending notifications. If you select the option in this screen to update components when members restart and then connect to the server, component update will still proceed.

2. Select how often members will perform scheduled update by selecting either of the following.
- Select Minute(s) or Hour(s) for updates.
- Select Daily or Weekly and specify the time of the update and the time period the Core Protection for Virtual Machines server will notify members to update components. For example, if your start time is 12pm and the time period is 2 hours, Core Protection for Virtual Machines will randomly notify all online members to update components from 12pm until 2pm. This setting prevents all online members from simultaneously connecting to the server at the specified start time, significantly reducing the amount of traffic directed to the server.

Offline members will not be notified. Offline members will be updated as part of the scheduled scan process, when they come online, or if you initiate manual update. This is dependent on which takes place first.

3. Click Save.

Performing Manual Member Updates

Use the Manual Updates page to manually update components for members and view the date and time of the last component updates. Members can also update components if you configure automatic component update settings.

To configure manual member updates:

1. From the main Core Protection for Virtual Machines menu, click Updates > Manual Updates.

FIGURE 5-6. Manual Update page

2. Choose the target members. You can update only members with outdated components or manually select members.
- To update all members with outdated components, select Select members with outdated components.
- To manually select members, search for the members using the Search for members option, or navigate through the Security Groups tree and place a check mark in front of each member to update.
3. Click Update. The server starts notifying each member to download updated components.

Rolling Back Updates

Rolling back refers to reverting to the previous version of the Virus Pattern or Virus Scan Engine. If these components do not function properly, roll them back to their previous versions. Core Protection for Virtual Machines retains the current and the previous versions of the Virus Scan Engine and the last five versions of the Virus Pattern.

Note: You can only roll back the Virus Pattern and Virus Scan Engine.

Note: When you roll back updates, the rollback applies to all components.

Core Protection for Virtual Machines uses different scan engines for members running 32-bit and 64-bit platforms. You need to roll back these scan engines separately. The rollback procedure for all types of scan engines is the same.

To roll back the Virus Pattern or Virus Scan Engine:

1. From the main Core Protection for Virtual Machines menu, click Updates > Rollback.

FIGURE 5-7. Rollback page

2. Select the component versions to roll back by selecting the components.
3. Antivirus: Click to view the current antivirus component versions and the date and time of the latest update.
4. Anti-spyware: Click to view the anti-spyware component versions and the date and time of the latest update.
5. Click Rollback Member Versions.
6. To cancel the rollback, click Cancel.

Chapter 6 Viewing and Managing Logs

This chapter describes how to get timely information about Core Protection for Virtual Machines activity by generating and viewing logs.

Topics in this chapter include:
- Overview on page 6-2
- Viewing Member Logs on page 6-5
- Viewing Server Logs on page 6-6
- Configuring a Log Deletion Schedule on page 6-6
- Logged Actions on page

Overview

Core Protection for Virtual Machines keeps comprehensive logs about security risk detections, events, and updates. Use these logs to assess your organization's protection policies and to identify clients at a higher risk of infection or attack. Also, use these logs to check client-server connections and verify if the component update is successful or not.

Component Update Logs
Core Protection for Virtual Machines clients send virus pattern update logs to the server. In the Component Update Progress screen, you can view the number of members updated for every 15-minute interval and the total number of members updated.

Spyware/Grayware Logs
After cleaning spyware/grayware, Core Protection for Virtual Machines clients back up spyware/grayware data, which you can restore anytime if you consider the spyware/grayware safe.

Virus/Malware Logs
Core Protection for Virtual Machines keeps logs of events related to virus/malware, such as a virus detected by a manual scan or a Virtual Center inventory change after a virus is detected by QuickScan.

Server Update Logs
Core Protection for Virtual Machines keeps logs for all events related to component updates on the Core Protection for Virtual Machines server. View the logs to verify that Core Protection for Virtual Machines successfully downloaded the components required to keep your protection current.

System Event Logs
Core Protection for Virtual Machines also records events related to the server program, such as shutdown and startup. Use these logs to verify that the Core Protection for Virtual Machines server and services work properly. Core Protection for Virtual Machines logs the following events:
- Trend Micro Virtualization Service is started
- Trend Micro Virtualization Service is stopped
- Virus pattern out of date! Expire days
- Scan start and stop times and the number of files scanned

Log Deletion
To keep the size of your logs from occupying too much space on your hard disk, you can delete logs manually or configure Core Protection for Virtual Machines to delete logs based on a schedule.

Viewing Security Risk Logs

To view the security risk log for a member:

1. To search for a specific member, enter the member name in the Search for members text box and click Search.
2. Under Security Groups, click on a security group name.
3. In the member list in the left pane, select the members whose logs you want to view.
4. Click View Logs and select the type of logs you want to view.

To view virus/malware logs:

1. Specify log criteria and click Display Logs.
2. View logs. For details about the virus/malware log, click View.

Note: Scan results display under the Result column. Check which of the results require your attention.

3. To save the log as a comma-separated value (CSV) data file, click Export to CSV.
4. Open the file or save it to a specific location. A CSV file usually opens with a spreadsheet application such as Microsoft Excel.

To view spyware/grayware logs:

1. Specify log criteria and click Display Logs.
2. View the logs.

Note: Scan results display under the Result column. Check which of the results require your attention.

3. To save the log as a comma-separated value (CSV) data file, click Export to CSV.
4. Open the file or save it to a specific location. A CSV file usually opens with a spreadsheet application such as Microsoft Excel.

Viewing Member Logs

The Member Update logs show the date/time for each incident and the component involved.

To view the update log for a member:

1. From the main CPVM menu, click Logs > Member Logs.

FIGURE 6-1. Security Risk Logs for Members page

2. Select the desired group.
3. Within the group, select the desired member.
4. Click View Logs and select the type of log to view.
5. To sequence through the list, click the navigation buttons.
6. To increase the number of rows on the page, click on the Results per page drop-down list box and select a new number.
7. To export the logs to CSV format, click Export to CSV.

Viewing Server Logs

The server logs show the date/time, result, member name involved, and the server action.

To view the server log:

1. From the main Core Protection for Virtual Machines menu, click Logs > Server Logs.

FIGURE 6-2. Server Logs page

2. To sequence through the list, click the navigation buttons.
3. To increase the number of rows on the page, click on the Results per page drop-down list box and select a new number.
4. To export the logs to CSV format, click Export to CSV.

Configuring a Log Deletion Schedule

To keep the size of your logs from occupying too much space on your hard disk, you can configure Core Protection for Virtual Machines to delete logs manually or based on a schedule. To manually delete logs, see Manually Deleting Logs on page

To delete logs based on a schedule:

1. From the main Core Protection for Virtual Machines menu, click Logs > Log Maintenance.

FIGURE 6-3. Log Maintenance page

2. Select Enable scheduled deletion of logs if you want to periodically delete logs according to a schedule you specify.
3. To delete one or more specific log types, select the logs as follows:
- All Member logs
- Infection logs - deletes all virus/malware and spyware/grayware logs.
- System Event logs
- Member Update logs
4. Choose whether to delete all selected logs or delete them after a specified number of days, as follows:
- Delete all logs selected above
- Delete logs selected above older than x days
5. Specify a time period to include in the log, click on the Time Period drop-down box and select a time period, as follows:

- Daily - if selected, specify a start time.
- Weekly, every - if selected, specify the day of the week and a start time.
- Monthly, on day - if selected, specify the day of the month and a start time.
6. Click Save.

Logged Actions

The following sections describe the actions that are logged for the CPVM logs, including server logs, logs recorded at the Scanning Agent, and logs recorded at the Real-time Agent.

Note: Logs generated by a manual scan of target VMs, including those with the Real-time Agent installed, are stored at the Scanning Agent.

The specific log where an event is stored is based on the agent that is running on a specific VM. If the Real-time Agent is running on a VM, the log data will be recorded at the Real-time Agent. Because manual scan logs are stored on the Scanning Agent, those logs are stored at the Scanning Agent.

Server Logs

The following actions are recorded in the Server Log:
- Administrator Web console login/logout
- Scanning Agent install/uninstall
- Real-time Agent install/uninstall
- Administrator Web console password change
- Server update
- CPVM service start/stop (MCS start/stop)

Actions Logged at the Scanning Agent

The following member logs are recorded at the Scanning Agent:
- System event
- Virus/malware
- Spyware/grayware
- Member update

The following sections describe the actions that are recorded in each of the logs.

Member System Event Logs

The following actions are recorded in System Event logs at the Scanning Agent:
- Virus pattern out of date
- Spyware pattern out of date
- VC Inventory change (such as add or remove) when a new VM detected if QuickScan is enabled and a QuickScan Summary is generated
- Scheduled purge start/stop
- Real-time Agent service start/stop
- CPVM service start/stop Scanning Agent start/stop

Scanning Agent logs include the following group level information:
- Scheduled Scan start/stop for a group
- Start/stop for scanning individual VMs within a group
- Information about any files that could not be scanned on the Scanning Agent
- Details about viruses caught in a zip file, if any, on the Scanning Agent

Target VMs in a group include the following:
- Start/stop of Scheduled Scan
- Summary of the number of files scanned, not scanned, and infected
- Information about any files that could not be scanned
- Details about viruses detected in zip files, if any

Member Virus/Malware Logs

The following actions are recorded in Member Virus/Malware logs:
- VC Inventory change (such as add and remove) if a virus is detected by QuickScan
- When a virus/spyware is detected by a Manual Scan
- Scheduled Scan if individual VMs in the group have the following an entry for each virus/spyware file that might be detected. There will be only one entry for a zip file even if it contains multiple viruses

Member Spyware/Grayware Logs

The following actions are recorded in Spyware/Grayware logs:
- VC Inventory change (such as add and remove) if spyware or grayware is detected by QuickScan
- QuickScan (dormant VMs only) if spyware is detected by QuickScan

Member Update Logs

The Member Update log records all member updates.

Actions Logged at the Real-time Agent

The following member logs are recorded at the Real-time Agent:
- System event
- Virus/malware
- Spyware/grayware
- Member update

Member System Event Logs

The following actions are recorded in System Event logs at the Real-time Agent:
- Virus pattern out of date
- Scheduled Purge start/stop
- Real-time Agent service start/stop
- CPVM service start/stop (Real-time Agent start/stop)
- Virus/Spyware caught by Real-time Scan logs details about viruses caught in a zip file, if any

Member Virus/Malware Logs

The Member Virus/Malware Log records the following actions and events at the Real-time Agent:
- Manual Scan if virus/spyware is detected by a manual scan
- Scheduled Scan logs an entry for each virus/spyware file that might be detected. There will be only one entry for a zip file even if it contains multiple viruses
- Real-time Scan logs details about viruses detected in a zip file, if any

Member Update Logs

The Member Update Log records all member updates at the Real-time Agent.

Using the Log Viewer

The Log Viewer enables you to view, independently from the CPVM Web console, logs on each machine that has installed agents.

To view the logs:

1. Go to the folder where the agent is installed. For example, C:\Program Files\Trend Micro\CPVM Scanning Agent or C:\Program Files\Trend Micro\CPVM Real-Time Agent.
2. Copy the VSLog\vslog.dbf file to the above directory.
3. Start the LogViewer.exe tool.
4. From the File menu, select the vslog.dbf file. The following shows a typical view, which displays the logs in the DB file.

FIGURE 6-4. Log View tool

Note: It is not possible to open the vslog.dbf file directly from the VSLog folder because the agent service is using it. Only a copy of the file can be opened.

Chapter 7 Managing Notifications

You can configure Core Protection for Virtual Machines to alert an administrator when virus/malware or spyware/grayware is detected or a system event occurs. Core Protection for Virtual Machines enables you to configure the specific events that will trigger a notification and to whom the notifications will be sent. You can configure Core Protection for Virtual Machines to send notifications through e-mail, SNMP traps, or NT Event.

Available actions include:
- Configuring General Settings on page 7-2
- Configuring Standard Notifications on page 7-3
- Configuring System Notifications on page 7-5
- Token Variables on page

Configuring General Settings

You can specify the settings Core Protection for Virtual Machines will use when sending notifications through e-mail and SNMP traps. The General settings apply to all the Core Protection for Virtual Machines notification messages.

To configure general notification settings:

1. From the main Core Protection for Virtual Machines menu, select Notifications > General Settings.

FIGURE 7-1. General Notifications Settings

2. To configure e-mail notifications, select Enable notification via e-mail and specify the following:
- SMTP server
- Port number
- From
- To - separate multiple recipients by a comma (,).
- Subject
3. To send SNMP trap notifications, select Enable notification via SNMP and specify the following:
- Server IP address
- Community name
4. To send notifications to the NT Trap log, select Enable notification by NT Event log.
5. Click Save.

Configuring Standard Notifications

You can configure the server to notify you and other Core Protection for Virtual Machines administrators of security risks detected on members. You can allow Core Protection for Virtual Machines to send standard notification messages through the following:
- SNMP trap
- Windows NT Event Log

To configure standard notifications:

1. From the main Core Protection for Virtual Machines menu, select Notifications > Standard Notifications.

FIGURE 7-2. Standard Notifications Settings

2. Specify one or more of the options listed below and type the message(s) to be sent. You can use token variables within the message.
- Send notifications when CPVM detects virus/malware and spyware/grayware, or only when the action on these security risks is unsuccessful.
- Send notifications when the virus and spyware patterns are out of date or only when the action on these security risks is unsuccessful.
- Send notifications when the virus and/or spyware pattern is out-of-date.

Note: Use only token variables to represent data in the Message field. The Subject field does not accept token variables.

3. Click Save. To enable notifications and specify delivery methods, see Configuring General Settings on page 7-2.

Configuring System Notifications

You can configure Core Protection for Virtual Machines to notify you and other Core Protection for Virtual Machines administrators when a system event is detected. On this page, you need to define the event criteria that will trigger a notification message, and then configure Core Protection for Virtual Machines to send notification messages through the following:
- SNMP trap
- Windows NT Event Log

To configure system notifications:

1. From the main Core Protection for Virtual Machines menu, select Notifications > System Notifications.

FIGURE 7-3. System Notifications Settings

2. Specify the events that will trigger security notification messages:
- When Scanning Agent is unable to access specified machine
- When Scanning Agent is unable to complete scheduled scan in the specified time
- When there is a Scanning Agent connection failure
- When there is a Real-Time Agent connection failure

Fill in the Message text box with the specific message to be sent. You can use token variables within the message.

Note: Use only token variables to represent data in the Message field. The Subject field does not accept token variables.

3. Click Save.

Token Variables

Use token variables to represent data in the Message field of standard and system notifications. Token variables are not allowed in the Subject field.

Note: Pattern Update has only the %s option. Virus malware can have additional options, such as %f, %l, %i and %y.

TABLE 7-1. Standard Notifications

VARIABLE   DESCRIPTION
%s         Member with security risk
%n         Name of the user logged on to the infected computer
%m         Domain of the computer
%p         File path of the computer
%v         Security risk name
%y         Date and time of security risk detection
%a         Action taken on the security risk
%T         Spyware/Grayware and scan result

TABLE 7-2. System Notifications

VARIABLE   DESCRIPTION
%CV        Total number of security risks detected
%CC        Total number of computers with security risks
%A         Log type exceeded
%M         Time period, in minutes

For example, at %y, Core Protection for Virtual Machines found the following virus on member %m%s: virus %v, location: %p. Core Protection for Virtual Machines performed the following action on the infected computer: %a.
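The token rules in this section (a different token set per notification type, tokens that differ only by case such as %a and %A, and no tokens in the Subject field) can be checked before a message is saved. The following Python is an added example, not part of the product or of the original guide; the function names, the notification kind labels and the sample values are assumptions made for illustration, and how the product itself expands tokens is not documented here. Substituted values have control characters replaced because file paths and risk names originate on the scanned machine.

```python
import re

# Token tables transcribed from Tables 7-1 and 7-2 of this guide.
STANDARD_TOKENS = {
    "%s": "Member with security risk",
    "%n": "Name of the user logged on to the infected computer",
    "%m": "Domain of the computer",
    "%p": "File path of the computer",
    "%v": "Security risk name",
    "%y": "Date and time of security risk detection",
    "%a": "Action taken on the security risk",
    "%T": "Spyware/Grayware and scan result",
}
SYSTEM_TOKENS = {
    "%CV": "Total number of security risks detected",
    "%CC": "Total number of computers with security risks",
    "%A": "Log type exceeded",
    "%M": "Time period, in minutes",
}

# Kind names are labels chosen for this example (assumption).
# "pattern_update" follows the note that Pattern Update has only %s.
# The note also names %f, %l and %i without describing them, so this
# example treats them as unknown tokens.
ALLOWED = {
    "standard": set(STANDARD_TOKENS),
    "system": set(SYSTEM_TOKENS),
    "pattern_update": {"%s"},
}

# Longest tokens first so %CV is not read as an unknown %C followed by "V".
_KNOWN = sorted(set(STANDARD_TOKENS) | set(SYSTEM_TOKENS), key=len, reverse=True)
_TOKEN_RE = re.compile("|".join(re.escape(t) for t in _KNOWN) + r"|%[A-Za-z]")
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def find_tokens(text):
    """Return every token-like sequence in text, in order of appearance."""
    return _TOKEN_RE.findall(text)


def validate(kind, subject, message):
    """Return a list of problems; an empty list means the template is usable."""
    problems = []
    for tok in find_tokens(subject):
        problems.append(f"Subject: {tok} found, but the Subject field does not accept tokens")
    for tok in find_tokens(message):
        if tok not in ALLOWED[kind]:
            problems.append(f"Message: {tok} is not a token for {kind} notifications")
    return problems


def render(kind, message, values):
    """Expand tokens with the supplied values after validating the template."""
    problems = validate(kind, "", message)
    if problems:
        raise ValueError("; ".join(problems))

    def substitute(match):
        tok = match.group(0)
        if tok not in values:
            raise ValueError(f"no value supplied for {tok}")
        # Replace CR, LF and other control characters so a crafted file
        # name cannot add lines to the e-mail, trap or event log entry.
        return _CONTROL_RE.sub("?", str(values[tok]))

    return _TOKEN_RE.sub(substitute, message)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    sample = {"%y": "2010-07-01 12:00", "%m": "LAB\\", "%s": "vm-web01",
              "%v": "EICAR_test_file", "%p": "C:\\temp\\eicar.com", "%a": "Quarantine"}
    text = "At %y, found %v on member %m%s, location: %p. Action: %a."
    print(validate("standard", "Virus alert", text))
    print(render("standard", text, sample))
    print(validate("standard", "Alert on %s", "Scan took %M minutes"))
```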

Chapter 8 Administering Core Protection for Virtual Machines

The Administration pages allow you to:
- Setting the Web Console Password on page 8-2
- Configuring Proxy Settings on page 8-4
- Configuring Virtual Infrastructure Settings on page 8-5
- Configuring Compatible Products on page 8-6
- Viewing and Updating Your Product License on page

Setting the Web Console Password

The Web console is password-protected to prevent unauthorized users from modifying Core Protection for Virtual Machines settings. During installation, the Core Protection for Virtual Machines Setup program requires you to specify a Web console password; however, you can modify your password from the Web console.

The following guidelines can help you create an effective password:
- Include both letters or special characters as well as numbers in your password
- Avoid words found in any dictionary, of any language
- Intentionally misspell words
- Use phrases or combine words
- Use both uppercase and lowercase letters

Note: If you forget the console password, contact Trend Micro technical support for instructions on how to gain access to the Web console. The only other alternative is to uninstall and reinstall Core Protection for Virtual Machines.

To change your password:

1. From the main Core Protection for Virtual Machines menu, click Administration > Change Password.

FIGURE 8-1. Change Password page

2. In the Old Password box, enter your password.
3. Enter a new password in the New Password box. The password must contain a mixture of numbers, letters (upper and lower case), and special characters. The password can range from 7 to 14 characters.
4. Re-enter the password in the New Password Confirm box.
5. Click Change Password. The message "Your password was changed" is displayed if the reset was successful.

Configuring Proxy Settings

If your network's Internet connection is routed through a proxy server, you need to enter the proxy server information before you will be able to retrieve updates from the Internet.

To configure a proxy server:

1. From the main Core Protection for Virtual Machines menu, click Administration > Proxy Settings.

FIGURE 8-2. Proxy Settings page

2. Select Use a proxy server for pattern, engine, and license updates.
3. Choose a protocol type, either HTTP or Socks.
4. Under Proxy Settings, in the Server name or IP address and Port text boxes, enter the name of the proxy server and the port number.
5. In the User ID and Password text boxes, enter the proxy server user name and password.
6. Click Save.

Configuring Virtual Infrastructure Settings

From the Virtual Infrastructure Settings page, you can configure the information required to connect to the Virtual Center.

To configure the Virtual Center:

1. From the main Core Protection for Virtual Machines menu, click Administration > Virtual Infrastructure Settings.

FIGURE 8-3. Virtual Infrastructure Settings page

2. Enter the following settings:
- Virtual Center Address
- Virtual Center User Name
- Virtual Center Password
- Virtual Center Verify Password
- Auto-sync with Virtual Center every - this is the frequency for automatically synchronizing with Virtual Center to update virtual machine information.

Note: The time it takes to synchronize with the Virtual Center depends on the number of virtual machines in the Virtual Center. Synchronization could take a while, up to thirty minutes, if you have a lot of virtual machines.

3. Select Register VC Core Protection for Virtual Machines plug in to register the plug-in.
4. To test the settings you have entered, click Test Connection.
5. Click Save.

Configuring Compatible Products

Using the Compatible Products page, you can define the products you want to allow to operate in your Core Protection for Virtual Machines environment and the products that Core Protection for Virtual Machines will keep updated. Products that you can configure are:
- Trend Micro OfficeScan
- Trend Micro ServerProtect

To configure compatible products:

1. From the main Core Protection for Virtual Machines menu, click Administration > Compatible Products.

FIGURE 8-4. Compatible Products page

2. To allow OfficeScan to be updated, enter the Update Agent URL. This is the URL of the update server, which could be one of the following server URLs:
- The installed Agent Update server URL for OfficeScan, such as:
- Your own OfficeScan AU update server URL:
- Your AU update server URL (if you configured a client as the AU server from the OfficeScan setting):

3. To allow ServerProtect to be updated, enter the following settings:
- Information Server IP Address: The IP address of the installed ServerProtect.
- Username: The username to access ServerProtect.
- Password: The password to access ServerProtect.
4. Click Save.

Viewing and Updating Your Product License

The Product License page displays the current status of your current Core Protection for Virtual Machines product license and allows you to update your product license when necessary.

Note: The product supports user-based license and CPU-based license. Depending on your purchase, it will display the number of seats or number of CPUs licensed for your product.

To update your license information:

1. From the main Core Protection for Virtual Machines menu, click Administration > Product License.

FIGURE 8-5. Product License page

The Product License page displays:
- Status: Your current product license status, Active, Inactive, or Expired.
- Version: Either "Full" or "Evaluation" version. If you have both full and evaluation versions, the version that displays is "Full".
- Expiration Date: The date your current license will expire.

2. In the Services column, click on the name of the product to view or update.

FIGURE 8-6. Antivirus for Servers page

The Product License page shows the following product information:
- Status: "Activated", "Not Activated" or "Expired". If a product service has multiple licenses, and at least one license is still active, "Activated" displays.
- Version: Either "Full" or "Evaluation" version. If you have both full and evaluation versions, the version that displays is "Full".
- License Type: This can either be a "User based" or "CPU based" license depending on which you have purchased.
- Seats or Number of CPUs: This can be either the seat count purchased or the number of CPU licenses purchased.
- Expiration Date: If a product service has multiple licenses, the latest expiration date displays. For example, if the license expiration dates are 12/31/2008 and 06/30/2009, 06/30/2009 displays.
- Activation Code

Note: The version and expiration date of product services not activated is "N/A".

3. To update your activation code:
a. Click New Activation Code.

FIGURE 8-7. Enter a New Code page

4. Enter your new activation code in the New Activation Code box.
5. Click Activate.

Note: You must register a service before you can activate it. Contact your Trend Micro representative for more information about your Registration Key and Activation Code.

6. Back in the Product License Details screen, click Update Information to refresh the page with the new license details and the status of the service. This screen also provides a link to your detailed license available on the Trend Micro Web site.

Appendix A VMware Virtual Center Integration

To allow management from within VMware Virtual Center, Core Protection for Virtual Machines is integrated with the Virtual Center interface. There are two management options provided:
- Virtual Center Plug-in on page A-2
- Virtual Center Reporting on page A-3

Virtual Center Plug-in

If the Virtual Center plug-in was enabled during CPVM installation or enabled from the Web-based console, the CPVM Administration console will be available from the Virtual Infrastructure client as a tab. The plug-in allows full CPVM management as if you were accessing the standalone CPVM Administrator Web console.

FIGURE A-1. Virtual Center Virtual Machines tab

Virtual Center Reporting

Virtual Center reporting is implemented in the Virtual Center interface without any action required. The CPVM server creates and updates a custom attribute as part of the Summary page Annotation section, providing the scan status of any VM in your inventory as shown in the figure below.

FIGURE A-2. Virtual Center Virtual Machines tab

Note: If you do not see the custom attribute being updated when viewing virtual machines, use F5 to refresh your page.


More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Client Server Security3

Client Server Security3 Client Server Security3 for Small and Medium Business Getting Started Guide Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

More information

Chapter 5: Configuring ServerProtect

Chapter 5: Configuring ServerProtect Chapter 5: Configuring ServerProtect Chapter Objectives After completing this chapter, you should be able to achieve the following objectives: Describe the types of ServerProtect tasks Describe which actions

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the service described herein without notice. Before installing and using the service, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

2.5. Smart Protection Server Security Made Smarter. Administrator s Guide. Endpoint Security. Messaging Security

2.5. Smart Protection Server Security Made Smarter. Administrator s Guide. Endpoint Security. Messaging Security Smart Protection Server Security Made Smarter 2.5 Administrator s Guide e m p w Endpoint Security Messaging Security Protected t Cloud Web Security Trend Micro Incorporated reserves the right to make

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the service described herein without notice. Before installing and using the service, review the readme files, release

More information

ADMINISTRATION GUIDE Cisco Small Business

ADMINISTRATION GUIDE Cisco Small Business ADMINISTRATION GUIDE Cisco Small Business Cisco ProtectLink Endpoint 1.0 CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco Ironport, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect,

More information

TREND MICRO. InterScan VirusWall 6. FTP and POP3 Configuration Guide. Integrated virus and spam protection for your Internet gateway.

TREND MICRO. InterScan VirusWall 6. FTP and POP3 Configuration Guide. Integrated virus and spam protection for your Internet gateway. TM TREND MICRO TM TM InterScan VirusWall 6 Integrated virus and spam protection for your Internet gateway for Linux TM FTP and POP3 Configuration Guide Trend Micro Incorporated reserves the right to make

More information

Trend Micro OfficeScan Client User Guide

Trend Micro OfficeScan Client User Guide Trend Micro OfficeScan Client User Guide Overview The purpose of this document is to provide users with information on the Trend Micro OfficeScan antivirus client. OfficeScan is the new anti-virus/anti-malware

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

TREND MICROTM IM Security

TREND MICROTM IM Security TREND MICROTM IM Security Proactive Antivirus and Content Security for Instant Messaging Environments for Microsoft TM Live Communications Server Getting Started Guide Trend Micro Incorporated reserves

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Document Part No. PPEM27723/ Protected by U.S. Patent No.

Document Part No. PPEM27723/ Protected by U.S. Patent No. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Siemens Industrial SIMATIC. Process Control System PCS 7 Configuration Trend Micro OfficeScan Server XG. Security information 1.

Siemens Industrial SIMATIC. Process Control System PCS 7 Configuration Trend Micro OfficeScan Server XG. Security information 1. Security information 1 Preface 2 SIMATIC Configuration 3 Process Control System PCS 7 Configuration Trend Micro OfficeScan Server XG Commissioning Manual Siemens Industrial 03/2018 A5E44395601-AA Legal

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Kaspersky Administration Kit 8.0 GETTING STARTED

Kaspersky Administration Kit 8.0 GETTING STARTED Kaspersky Administration Kit 8.0 GETTING STARTED APPLICATION VERSION: 8.0 CRITICAL FIX 2 Dear User! Thank you for choosing our product. We hope that this document will help you in your work and will provide

More information

TREND MICROTM PortalProtectTM1.5

TREND MICROTM PortalProtectTM1.5 TREND MICROTM PortalProtectTM1.5 Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software,

More information

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central

Trend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central Trend Micro Apex One as a Service / Apex One Best Practice Guide for Malware Protection 1 Best Practice Guide Apex One as a Service / Apex Central Information in this document is subject to change without

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Document Part No. PPEM25975/ Protected by U.S. Patent No. 5,951,698

Document Part No. PPEM25975/ Protected by U.S. Patent No. 5,951,698 Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Virtual Infrastructure Web Access Administrator s Guide ESX Server 3.0 and VirtualCenter 2.0

Virtual Infrastructure Web Access Administrator s Guide ESX Server 3.0 and VirtualCenter 2.0 Virtual Infrastructure Web Access Administrator s Guide ESX Server 3.0 and VirtualCenter 2.0 Virtual Infrastructure Web Access Administrator s Guide Revision: 20060615 Item: VI-ENG-Q206-217 You can find

More information

Copyright 2018 Trend Micro Incorporated. All rights reserved.

Copyright 2018 Trend Micro Incorporated. All rights reserved. Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent

More information

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Copyright 2013 Trend Micro Incorporated. All rights reserved. Trend Micro reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

SIMATIC. Process Control System PCS 7 Trend Micro OfficeScan (V8.0; V8.0 SP1) Configuration. Using virus scanners 1.

SIMATIC. Process Control System PCS 7 Trend Micro OfficeScan (V8.0; V8.0 SP1) Configuration. Using virus scanners 1. SIMATIC Process Control System PCS 7 Using virus scanners 1 Configuration 2 SIMATIC Process Control System PCS 7 Trend Micro OfficeScan (V8.0; V8.0 SP1) Configuration Commissioning Manual 08/2009 A5E02634982-01

More information

OfficeScanTM 10 For Enterprise and Medium Business

OfficeScanTM 10 For Enterprise and Medium Business OfficeScanTM 10 For Enterprise and Medium Business Administrator s Guide es Endpoint Security Trend Micro Incorporated reserves the right to make changes to this document and to the products described

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

OfficeScanTM 10 For Enterprise and Medium Business

OfficeScanTM 10 For Enterprise and Medium Business OfficeScanTM 10 For Enterprise and Medium Business Installation and Upgrade Guide es Endpoint Security Trend Micro Incorporated reserves the right to make changes to this document and to the products

More information

Installation Guide - Windows

Installation Guide - Windows Kony Visualizer Enterprise Installation Guide - Windows Release V8 SP3 Document Relevance and Accuracy This document is considered relevant to the Release stated on this title page and the document version

More information

F-Secure Client Security. Administrator's Guide

F-Secure Client Security. Administrator's Guide F-Secure Client Security Administrator's Guide F-Secure Client Security TOC 2 Contents Chapter 1: Introduction...7 1.1 System requirements...8 1.1.1 Policy Manager Server...8 1.1.2 Policy Manager Console...8

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Getting Started with VMware View View 3.1

Getting Started with VMware View View 3.1 Technical Note Getting Started with VMware View View 3.1 This guide provides an overview of how to install View Manager components and provision virtual desktops. Additional View Manager documentation

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product/service described herein without notice. Before installing and using the product/service, review the readme

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Product Guide. McAfee GetSusp

Product Guide. McAfee GetSusp Product Guide McAfee GetSusp 3.0.0.461 COPYRIGHT LICENSE INFORMATION Copyright 2013-2017 McAfee, LLC. YOUR RIGHTS TO COPY AND RUN THIS TOOL ARE DEFINED BY THE MCAFEE SOFTWARE ROYALTY-FREE LICENSE FOUND

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Document Part No. NVEM12103/41110

Document Part No. NVEM12103/41110 Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Tivoli Endpoint Manager for Core Protection User's Guide

Tivoli Endpoint Manager for Core Protection User's Guide Tivoli Endpoint Manager for Core Protection User's Guide ii Tivoli Endpoint Manager for Core Protection User's Guide Contents Tivoli Endpoint Manager for Core Protection User's Guide........ 1 How CPM

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

SIMATIC. Process Control System PCS 7 V7.0 SP1 Security Information Note: Setting up antivirus software. Preface. Using virus scanners 2

SIMATIC. Process Control System PCS 7 V7.0 SP1 Security Information Note: Setting up antivirus software. Preface. Using virus scanners 2 SIMATIC Process Control System PCS 7 V7.0 SP1 SIMATIC Process Control System PCS 7 V7.0 SP1 Security Information Note: Setting up antivirus software Security Information Note Preface 1 Using virus scanners

More information

Sophos Enterprise Console Help. Product version: 5.3

Sophos Enterprise Console Help. Product version: 5.3 Sophos Enterprise Console Help Product version: 5.3 Document date: September 2015 Contents 1 About Sophos Enterprise Console 5.3...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Trend Micro OfficeScan XG

Trend Micro OfficeScan XG Trend Micro OfficeScan XG Best Practice Guide for Malware Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein

More information

Installation Guide - Mac

Installation Guide - Mac Kony Visualizer Enterprise Installation Guide - Mac Release V8 SP3 Document Relevance and Accuracy This document is considered relevant to the Release stated on this title page and the document version

More information

Using CSC SSM with Trend Micro Damage Cleanup Services

Using CSC SSM with Trend Micro Damage Cleanup Services APPENDIXD Using CSC SSM with Trend Micro Damage Cleanup Services Trend Micro InterScan for CSC SSM works with Trend Micro Damage Cleanup Services (DCS) as part of an enterprise protection strategy. The

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

VMware View Upgrade Guide

VMware View Upgrade Guide View 4.0 View Manager 4.0 View Composer 2.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit . All right reserved. For more information about Specops Deploy and other Specops products, visit www.specopssoft.com Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All

More information

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Reference Book

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Reference Book KASPERSKY LAB Kaspersky Administration Kit version 6.0 Reference Book KASPERSKY ADMINISTRATION KIT VERSION 6.0 Reference Book Kaspersky Lab Ltd. Visit our website: http://www.kaspersky.com/ Revision date:

More information

Annexure E Technical Bid Format

Annexure E Technical Bid Format Annexure E Technical Bid Format ANTIVIRUS SOLUTION FOR MAIL SERVER SECURITY AND SERVER SECURITY FOR DESKTOP,LAPTOP Sr. No Description Compliance (Y/N) Remark 01 Must offer comprehensive client/server security

More information

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual

KASPERSKY LAB. Kaspersky Administration Kit version 6.0. Administrator s manual KASPERSKY LAB Kaspersky Administration Kit version 6.0 Administrator s manual KASPERSKY ADMINISTRATION KIT VERSION 6.0 Administrator s manual Kaspersky Lab Visit our website: http://www.kaspersky.com/

More information

Installation Guide. McAfee Web Gateway. for Riverbed Services Platform

Installation Guide. McAfee Web Gateway. for Riverbed Services Platform Installation Guide McAfee Web Gateway for Riverbed Services Platform COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

for Small and Medium Business Quick Start Guide

for Small and Medium Business Quick Start Guide for Small and Medium Business Quick Start Guide Trend Micro Incorporated reserves the right to make changes to this document and to the products/services described herein without notice. Before using

More information

Basic System Administration ESX Server and Virtual Center 2.0.1

Basic System Administration ESX Server and Virtual Center 2.0.1 ESX Server 3.0.1 and Virtual Center 2.0.1 Basic System Administration Revision: 2006105 Item: VI-ENG-Q306-293 You can find the most up-to-date technical documentation on our Web site at http://www.vmware.com/support/

More information

ESET Mobile Security for Windows Mobile. Installation Manual and User Guide - Public Beta

ESET Mobile Security for Windows Mobile. Installation Manual and User Guide - Public Beta ESET Mobile Security for Windows Mobile Installation Manual and User Guide - Public Beta Contents...3 1. Installation of ESET Mobile Security 1.1 Minimum...3 system requirements 1.2 Installation...3 1.2.1

More information