Alessandro Suin, Global Trainer January 2012 TTEC GO: Tivoli Endpoint Manager for Core Protection.
not for distribution
Agenda
Introduction
Core Protection Module components
– TEM-CP for Windows
– TEM-CP for Mac
Understanding features
– Fixlets vs. tasks
– File Reputation
– Web Reputation
– Behavior monitoring
– VDI
Basic troubleshooting
Q&A
Disclaimer
This training was developed and delivered before the product was completed.
There may be changes in the GM version that are not reflected in this training.
Introduction: conventions used in this training

Convention               Description
TEM                      Tivoli Endpoint Manager
TEM-CP / CPM             Tivoli Endpoint Manager for Core Protection (the Core Protection Module)
VSAPI                    Virus Scanning API (the Trend Micro scan engine)
TMUFE                    Trend Micro URL Filtering Engine
CRC                      Cyclic Redundancy Check
VDI                      Virtual Desktop Infrastructure
Server                   The computer where the Security Server is installed
Smart Scan Server        The local (on-premises) Smart Scan Server, which holds the Smart Scan pattern and answers file-reputation queries
Global Smart Scan Server The Trend Micro Global Smart Scan Server, hosted and maintained in Trend Micro data centers
Smart Client             A Security Agent that applies smart scanning
Conventional Scan        The traditional scan implemented by Trend Micro products
SPN                      Smart Protection Network (the Trend Micro cloud)
SPS                      Smart Protection Server (the local SPN component shown in the architecture diagrams)
MPM                      Mac Protection Module
WRS                      Web Reputation Services
AEGIS                    Original name of the common module that provides Behavior Monitoring (BM) and Self Protection (SP)
AU                       ActiveUpdate
ESP server               Older (BigFix) name for the TEM server; the automatic-update Fixlets use it interchangeably with "TEM server"
Pain Points with Existing AntiVirus (AV)

IT Operations
• Bloated AV consumes too much CPU, too much network bandwidth and too many servers
• Impacts virtualization costs and limits consolidation of VMs
• Too many tools, too much complexity
• Cannot validate compliance or visibility

IT Security: security is ineffective
• Too slow to deploy, missing endpoints
• Not effective in detecting new threats
• Turned off by users because of performance issues

Compliance: lack of evidence
• Need proof of compliance across multiple endpoints
• Want a single dashboard/view
Tivoli Endpoint Manager for Core Protection: protecting endpoints from malware and other malicious threats

Overview
Delivers single-console, integrated, cloud-based protection from malware and other malicious threats through capabilities such as file and web reputation, personal firewall and behavior monitoring.

Highlights
• Delivers real-time endpoint protection against viruses, Trojan horses, spyware, rootkits and other malware
• Protects through cloud-based file and web reputation, behavior monitoring and personal firewall
• Provides virtualization awareness to reduce resource contention on virtual infrastructures
• Leverages industry-leading IBM® and Trend Micro™ technologies with a single-console management infrastructure
Security That Fits: Threat Landscape
The Smart Protection Network infrastructure stops threats in the cloud, before they reach you.
Security Made Smarter: cloud-based security, private cloud, real-time visibility
Market-Leading Protection with Trend Micro's Cloud-Based Smart Protection Network

Source: Real World Corporate Endpoint Test Report (AV-Test), January 2011
http://us.trendmicro.com/imperia/md/content/us/pdf/trendwatch/av-test_january_2011_enterprise_endpoint_comparative_report_final.pdf

Average of all enterprise products in the test (threats prevented at each layer, of those that reached it):
Exposure layer 33% (65 of 200), Infection layer 53% (72 of 135), Dynamic layer 19% (12 of 65); end-to-end 75% (149 of 200).

Threats prevented at each layer (of total threats that reached that layer)

Layer             Trend Micro        Microsoft          Sophos             McAfee             Symantec
Exposure layer    97%  (194 of 200)  2%   (3 of 200)    63%  (126 of 200)  1%   (2 of 200)    0%   (0 of 200)
Infection layer   67%  (4 of 6)      68%  (134 of 197)  19%  (14 of 74)    50%  (99 of 198)   54%  (108 of 200)
Dynamic layer     100% (2 of 2)      6%   (4 of 63)     23%  (14 of 60)    25%  (25 of 99)    16%  (15 of 92)
All layers        100% (200 of 200)  71%  (141 of 200)  77%  (154 of 200)  63%  (126 of 200)  62%  (123 of 200)

97% of threats blocked at the first layer of defense.

100% of previously unknown threats blocked within 60 minutes.
NOTE: Time-to-protect improvement is the percentage of threats missed in the first layer (exposure) at T=0 minutes that are subsequently prevented at T=60 minutes. For example, with Trend Micro OfficeScan, at T=0 minutes, 194 threats were prevented at the Exposure Layer, while 6 threats were missed. Of the 6 threats missed at T=0 minutes, all 6 were prevented at T=60 minutes (6 of 6 equals 100%).
Trend Micro Products Provide Consistent, High-Level Performance

Trend Micro consistently dominates in real-world benchmark tests from multiple labs, year over year.

Year Over Year Performance
[Ranking table: Symantec, McAfee, Kaspersky and ESET ranked across the ten tests listed below]

NSS Labs
– Sept 2009 Corporate Endpoint Test
– Sept 2009 Consumer Endpoint Test
– Sept 2010 Corporate Endpoint Test
– Sept 2010 Consumer Endpoint Test
AV-Test
– December 2009 Corporate Endpoint Test
– June 2010 Corporate Endpoint Test
– October 2010 Corporate Endpoint Test
– October 2010 SMB Endpoint Test
– January 2011 Corporate Endpoint Test
Dennis Technology Labs
– January 2011 Consumer Endpoint Test

Source data: rankings based on highest percentage of threats blocked.
Key Benefits of Tivoli Endpoint Manager for Core Protection

Reduces Hardware and Administration Costs
• A single management server and console supports multiple platforms and functions
• Other vendors may require many management and signature-distribution servers; IBM needs only a standard TEM server

Provides Fast Time to Value
• Cloud-based content delivery model rapidly updates endpoints, countering emerging threats
• Existing TEM customers simply "turn on" Core Protection through a license key change; no additional software or hardware is required

Reduces Risk, Protects ROI
• Cloud-based file/web reputation, behavior monitoring and personal firewall reduce infection risk
• Virtualization awareness protects the ROI of VDI investments by preventing resource contention issues
• Small client footprint can extend the useful life of PCs

TEM is the industry's only converged systems and security management solution, delivering value through a single console, single server and single management agent.
Core Protection Module Components
– TEM-CP for Windows
– TEM-CP for Mac

TEM-CP 10.6 for Windows
TEM-CP Features
Malware prevention (including spyware)
Malware removal
File and application blocking for web content
Trend Micro reputation services via the Smart Protection Network
– Web Reputation
– File Reputation
Uses Fixlet technology to identify outdated protection
Provides these types of scanning
– On-demand
– Real-time
– Scheduled
Includes the TEM-CP dashboard within the IBM (TEM) console
Architecture
[Diagram: TEM Agent and TEM Server]

TEM-CP 10.6 Smart Protection Architecture
[Diagram: on the Internet, the Trend SPN (Smart Protection Network) and Trend AU (ActiveUpdate); on the corporate network, the TEM Server, a TEM Relay, the Trend SPS (Smart Protection Server) and endpoints running the SPN agent]
– On accessing a file, TEM-CP queries File Reputation via the SPN agent, the SPS and/or the Trend SPN.
– On accessing a website, TEM-CP queries Web Reputation via the SPN agent, the SPS and/or the Trend SPN.
– When Trend Micro identifies a new threat at a single customer, the global threat database is updated.
– The security admin can deploy, monitor and configure TEM-CP clients, SPN agents and the SPS*.
TEM-CP 10.6 VDI Support Architecture
[Diagram: as above, with a VMware/Citrix server on the corporate network and a VDI component alongside the TEM Relay]
– On scan or update, the client checks the VDI component for other ESX/XenServer clients doing the same.
VDI Support (VMware and Citrix)
VM awareness to prevent I/O congestion
– Scan operations
– Pattern updates
Optimized scans for virtual desktops
– Clean-file lists based on common templates (golden images)
Supported environments
– VMware View 5.0 and vSphere 5.0
– Citrix XenServer
TEM-CP for Mac

Introduction to TEM-CP for Mac
Created specifically for Mac platform users
Requires an existing TEM-CP deployment
TEM-CP 10.6 uses TEM-CP for Mac 1.6 agents; no update is needed on the Mac side
Introduction
Security risk protection
– Scans, detects threats and acts
– Outbreak detection and response
Web Reputation
– Proactive protection inside or outside the network
– Breaks the infection chain; blocks malicious downloads
Centralized management
– TEM-integrated management tools
– Coordinated, automated deployment of security policies, pattern files and software updates to every client
Supported OS
– Mac OS X 10.4.11 (Tiger) or higher
– Mac OS X 10.5.5 (Leopard) or higher
– Mac OS X 10.6 (Snow Leopard)
– Mac OS X 10.7 (Lion)
Understanding Features
Fixlets vs. tasks
File Reputation
Web Reputation
Behavior monitoring
VDI
Fixlets vs. Tasks
Fixlets and Tasks
Central to the functionality of TEM.
Packaged with Action Script
– To resolve issues
– Change configuration parameters
– Take other actions with a simple mouse click
For default actions, simply click to deploy.
Fixlets
Relevance clauses detect vulnerabilities (or other conditions); the associated actions fix the problem.
When all clients are remediated:
– The Fixlet is no longer relevant to any client.
– It disappears from the list.
Propagation can be tracked using
– TEM console
– Web Reports
– Visualization Tool
If a fixed problem reappears, the Fixlet reappears, ready to be redeployed.
Tasks
Include one or more Action Scripts
– Adjust settings
– Run maintenance tasks
Designed for continued vigilance; often persistent.
Generally shown as relevant until the Action Script has completely executed.
File Reputation
Note: also known as Smart Scanning
Smart Scan > Understanding the Need
New malware floods networks faster than malware knowledge (pattern files) can be deployed.
More powerful patterns mean larger patterns, which mean more bandwidth usage and higher resource consumption on every endpoint.
Smart Scan > Understanding the Need
Most malware patterns are CRC-based.
Smart Scan relies on CRC-based patterns.
Non-CRC-based patterns are still handled in conventional mode on the client.
Smart Scan > How It Works
Example traditional file infector:
Part 1 – Prepended to the front of the file to prevent re-infection, with a jump code to part 2
Part 2 – Main portion of the virus (appended after the host file)
[Diagram: Virus part 1 (jump code) | File | Virus part 2 (main portion)]
Smart Scan > How It Works
CRC-pattern information can be separated into two parts:
Part 1: Used to identify potential malware
Part 2: Used to confirm that the file is malware
Smart Scan > How It Works > Scan Context
Before Smart Scan, all information was stored in the conventional virus pattern file:
– Both CRC parts 1 and 2
– Virus info table
– Non-CRC data
The data structure loaded in memory is called the Scan Context.
[Diagram: the scan engine loads the existing pattern (CRC Part 1, CRC Part 2, virus info, non-CRC data) into the scan context]
Smart Scan > How It Works > New Patterns
Three new pattern files are created from the traditional file:
• Smart Query Filter (client) = BF.ptn
• Smart Scan Agent Pattern (client) = iCRC$OTH.xxx
• Smart Scan Pattern (Smart Scan Server) = iCRC$TBL.xxx
Smart Scan > Smart Query Filter … on the Client
Smart Query Filter, or Bloom filter: BF.ptn
Is an index to the Smart Scan pattern
Contains only CRC part 1
Performs the file-reputation assessment: "Is the file potentially malware?"
Because it is a Bloom filter, a miss is definite (the file is not in the pattern), while a hit only means "possibly in the pattern"; false positives are possible and are resolved by the confirmation step against CRC part 2.
Smart Scan > Smart Scan Pattern … on the Smart Scan Server
File name: icrc$tbl.xxx
Contains both CRC Part 1 and CRC Part 2
Contains the virus-information table (for clean/removal)
Provides the information required for the
– Confirmation action
– Clean/removal action
Smart Scan > Smart Scan Agent Pattern … on the Client
File name: icrc$oth.xxx
Contains the non-CRC-based patterns needed to identify and remove malware locally:
– Script-based scan patterns
– ScriptTrap
– PETrap
– EXE and COM cleaning patterns
– Active action table
– Other pre-CRC patterns
– CRC and virus data for in-the-wild malware (for details see http://www.wildlist.org/)
Smart Scan > Malware Detection
Step 1: TMFilter intercepts the I/O event from the operating system I/O manager
Step 2: The information is passed to the VSAPI scan engine
Step 3: The scan engine references the iCRC handler
Step 4: The iCRC handler queries the Smart Scan Server for information (only when needed)
Step 5: The information is returned to the scan engine
[Diagram: Operating System I/O Manager → TMFilter → VSAPI scan engine ↔ iCRC handler ↔ scan server]
Smart Scan > Step by Step
[Diagram: CPM client on the left, Scan Server on the right]
CPM client: file reputation assessment → determine CRC-pattern applicability → CRC query → local verification → Virus ID query → remove malware
Scan Server: the cloud virus-pattern query (CRC) returns the records that match the CRC; the cloud virus-pattern query (VirusInfo) returns cleaning/removal instructions from the virus info table
Smart Scan > Step by Step > Step 1
The Smart Scan Agent Pattern is used for:
In-the-wild verification
CRC-pattern applicability
– Determines the true file type
– Evaluates CRC applicability for the specific file type
Smart Scan > Step by Step > Step 2
A match in the Smart Query Filter indicates that the file is potentially malware.
Confirmation occurs later in the process.
Smart Scan > Step by Step > Step 3
The CRC cache is checked twice before the scan server is queried:
– Query 1: CRC Part 2
– Query 2: Virus Info Table
CRC cache file = cache.dat
Smart Scan > Step by Step > Step 4
Query: CRC Part 1
Reply: CRC Part 2, as the set of records matching CRC Part 1
Smart Scan > Step by Step > Step 5
Upon receipt of the data from Step 4, the records are passed to VSAPI, which verifies them against the file (local verification):
– No match found: the file is not malware; the information is added to the cache.
– Match found: the Virus ID is queried (Step 6).
Smart Scan > Step by Step > Step 6
The Smart Scan Server is queried for clean/removal information for the confirmed Virus ID (in the example, Virus ID = 4).
Smart Scan > Step by Step > Step 7
VSAPI receives the virus clean/removal information and then removes the malware.
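The Step 1 to Step 7 walk-through above, written out as an added example. This is illustrative code for this training page, not the TEM-CP or Trend Micro implementation: the split of a file into "CRC part 1" (here the first 64 bytes, the jump-code region) and "CRC part 2" (the rest), the use of CRC32, the Bloom filter parameters, the record formats and the sample files are all assumptions constructed for the example. What it shows is the shape of the protocol: the client never downloads the full pattern, a Bloom-filter hit is only a suspicion that the server's part-2 records confirm or clear, and a benign file sharing the same header as a known infector costs one server round trip and then lives in the local cache.

```python
"""Two-stage Smart Scan lookup, modelled on the Step 1-7 walk-through above:
a local Bloom filter over CRC part 1 decides whether a file is *potentially*
malware, the Smart Scan Server supplies the CRC part 2 records for
confirmation, and a second query fetches clean/removal information by Virus ID.
Query results are cached locally (the role of cache.dat)."""
import hashlib
import zlib

HEADER_LEN = 64  # assumption: "part 1" covers the first 64 bytes (the jump-code region)


def crc_parts(data: bytes) -> tuple[int, int]:
    """CRC part 1 over the header region, CRC part 2 over the rest of the file."""
    return zlib.crc32(data[:HEADER_LEN]), zlib.crc32(data[HEADER_LEN:])


class BloomFilter:
    """Stand-in for BF.ptn. A miss is definite; a hit only means 'possibly in the
    pattern' and must be confirmed with CRC part 2."""

    def __init__(self, size_bits: int = 4096, hashes: int = 4):
        self.size, self.hashes = size_bits, hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, value: int):
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{value}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.size

    def add(self, value: int) -> None:
        for p in self._positions(value):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, value: int) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(value))


class SmartScanServer:
    """Stand-in for the Smart Scan Server holding icrc$tbl (CRC parts 1 and 2 plus
    the virus info table). The client only ever receives the records it asks for."""

    def __init__(self, signatures: dict[int, tuple[int, int]], virus_info: dict[int, str]):
        # signatures: virus_id -> (CRC part 1, CRC part 2)
        self.by_part1: dict[int, list[tuple[int, int]]] = {}
        for vid, (p1, p2) in signatures.items():
            self.by_part1.setdefault(p1, []).append((p2, vid))
        self.virus_info = virus_info
        self.queries = 0

    def query_crc(self, part1: int) -> list[tuple[int, int]]:
        """Step 4: return the (CRC part 2, virus id) records matching CRC part 1."""
        self.queries += 1
        return list(self.by_part1.get(part1, []))

    def query_virus_info(self, virus_id: int) -> str:
        """Step 6: return the clean/removal instruction for a confirmed virus id."""
        self.queries += 1
        return self.virus_info[virus_id]

    def build_query_filter(self) -> BloomFilter:
        """Derive the client-side Smart Query Filter (CRC part 1 only)."""
        bf = BloomFilter()
        for p1 in self.by_part1:
            bf.add(p1)
        return bf


class SmartScanClient:
    def __init__(self, server: SmartScanServer, query_filter: BloomFilter):
        self.server, self.filter = server, query_filter
        self.crc_cache: dict[int, list[tuple[int, int]]] = {}  # cache.dat, query 1 (CRC part 2)
        self.info_cache: dict[int, str] = {}                   # cache.dat, query 2 (virus info)

    def scan(self, data: bytes) -> dict:
        part1, part2 = crc_parts(data)
        # Step 2: file-reputation assessment against the local Bloom filter.
        if part1 not in self.filter:
            return {"verdict": "clean", "reason": "filter miss"}
        # Steps 3 and 4: records for this part 1, from the cache if seen before, else the server.
        if part1 not in self.crc_cache:
            self.crc_cache[part1] = self.server.query_crc(part1)
        # Step 5: local verification against CRC part 2 confirms or clears the file.
        matches = [vid for p2, vid in self.crc_cache[part1] if p2 == part2]
        if not matches:
            return {"verdict": "clean", "reason": "part 2 mismatch"}
        vid = matches[0]
        # Steps 6 and 7: fetch clean/removal information for the virus id and act on it.
        if vid not in self.info_cache:
            self.info_cache[vid] = self.server.query_virus_info(vid)
        return {"verdict": "infected", "virus_id": vid, "action": self.info_cache[vid]}


# Constructed samples (not real malware): a jump-code header shared by an infected
# file and a benign look-alike, and an unrelated clean file.
JUMP_CODE = b"\xe9\x00\x00\x00" + b"INFECTOR-HEADER".ljust(HEADER_LEN - 4, b"\x90")
INFECTED = JUMP_CODE + b"host program bytes" + b"VIRUS BODY"
LOOKALIKE = JUMP_CODE + b"host program bytes" + b"benign payload"
CLEAN = b"MZ".ljust(HEADER_LEN, b"\x00") + b"ordinary executable"

SERVER = SmartScanServer({4: crc_parts(INFECTED)}, {4: "truncate virus body, restore entry point"})
CLIENT = SmartScanClient(SERVER, SERVER.build_query_filter())
```

Scanning INFECTED costs two server queries (CRC records, then virus info for Virus ID 4); scanning LOOKALIKE afterwards costs none, because its part-1 records are already in the cache and its part 2 does not match; scanning CLEAN never leaves the endpoint because the Bloom filter misses.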
Smart Scan > Smart Scan Server Standalone
Supported virtual environments
Log on to the web console

Smart Scan Servers > Smart Scan Server
Available as an .iso image file
Compatible with:
– VMware ESXi Server 3.5 Update 2
– VMware ESX Server 3.5 or 3.0
– VMware Server 2.0 or later (also works on earlier versions, but not officially supported)
Requires EVT 64-bit Intel virtualization technology
Based on CentOS release 5 (Linux)
Stores the Smart Scan pattern and the Smart Query filter

Smart Scan Servers > Logon Web Console
1. Open http://<server_ip>:8080
2. Log on as "admin" (the only account available)
Web Reputation Services (WRS)

WRS Reputation Query Process
TEM supports a local SPN (the SPS) plus the global SPN
– "Proxy mode"
– The client queries the SPS first
– If there is no match in the local web-reputation database, the query is forwarded to the Trend Micro SPN
– Security levels supported: high, medium and low
[Diagram: client, local SPN (SPS) and Trend Micro SPN]
1. User web request
2. Query the local SPN (SPS)
3. Forward the query to the Trend Micro SPN if there is no local match
4. Rating returned from the Trend Micro SPN
5. The local SPN or the Trend Micro SPN returns the rating to the client
WRS Basics
About ratings
About credibility scores
URL rating process
Dealing with false positives
About Credibility Scores
Score   Description
81      Safe sites
71      Unrated
51      Suspicious
49      Known malicious sites
URL Rating Process

Score Retrieval
In-memory cache: if a site already has a rating in the cache, TEM-CP uses that rating.
Rating server: if the site visited is new, TEM-CP queries the Trend Micro rating server.
Score Evaluation
[Diagram: credibility scores 73, 72, 71, 70, 69 and 68 against the threshold value; scores above the threshold are not blocked, scores below it are blocked]
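The retrieval and evaluation flow described in the WRS slides, as an added example for this page rather than TEM-CP's own code. The rating databases, the per-host keying of ratings and the exact threshold values are assumptions; the slides give the credibility scores (81 safe, 71 unrated, 51 suspicious, 49 malicious) and the security levels but not the numeric threshold of each level. The example also makes explicit a behaviour the slides do not spell out: what a client should do when the Trend Micro SPN cannot be reached, modelled here as treating the site as unrated, so whether it is then allowed depends entirely on where the threshold sits.

```python
"""Web Reputation Services lookup in proxy mode: in-memory cache first, then the
local Smart Protection Server, then the Trend Micro Smart Protection Network, and
finally a threshold decision on the credibility score."""
from typing import Optional
from urllib.parse import urlsplit

# Credibility scores from the slide above.
SAFE, UNRATED, SUSPICIOUS, MALICIOUS = 81, 71, 51, 49


class WebReputation:
    def __init__(self, local_spn: dict[str, int], global_spn: Optional[dict[str, int]], threshold: int):
        # global_spn=None models the Trend Micro SPN being unreachable (assumption).
        self.local_spn, self.global_spn, self.threshold = local_spn, global_spn, threshold
        self.cache: dict[str, int] = {}          # in-memory rating cache
        self.local_hits = self.global_queries = 0

    @staticmethod
    def key(url: str) -> str:
        """Assumption for the example: ratings are keyed by host name."""
        return (urlsplit(url).hostname or url).lower()

    def rating(self, url: str) -> int:
        host = self.key(url)
        if host in self.cache:                   # existing rating in the cache
            return self.cache[host]
        if host in self.local_spn:               # 2. query the local SPN (SPS)
            self.local_hits += 1
            score = self.local_spn[host]
        else:                                    # 3./4. forward to the Trend Micro SPN
            self.global_queries += 1
            score = UNRATED if self.global_spn is None else self.global_spn.get(host, UNRATED)
        self.cache[host] = score                 # 5. rating returned and cached
        return score

    def allow(self, url: str) -> bool:
        """Score evaluation: block when the score falls below the configured threshold."""
        return self.rating(url) >= self.threshold


# Constructed rating databases for the example.
LOCAL_SPN = {"intranet.example": SAFE, "evil.example": MALICIOUS}
GLOBAL_SPN = {"shady.example": SUSPICIOUS}
```

With a threshold of 70, an unrated site (71) passes and a suspicious one (51) is blocked; raising the threshold to 72 blocks unrated sites too, which is also what makes the client fail closed when the SPN is unreachable.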
Behavior Monitoring
BM and SP are integrated in the AEGIS common module.
Behavior Monitor – Configure 13 events for different policies, including new service, new startup program, etc. On an event, TEM-CP acts according to the policy you set.
Self Protection – The TEM-CP client protects its services, processes and the other resources it requires to function.
Configure the related settings or retrieve logs via Fixlet.
VDI

VDI Support
Enhancement in the client
– White listing: optimize scans on virtual desktops
New in the architecture
– VDI component
– VM awareness: supports VMware/Citrix
White Listing
Generate a white list (clean-file list) based on a common virtual-desktop template (golden image).
Creation process of templates:
Create VM → Install OS and IBM agent → Install TEM-CP 10.6 → Create white list → Convert to template
White Listing
Optimize scans: for VMs derived from a common template (golden image), scanning can be optimized.
Scan process of VMs:
Enumerate files → get file property and calculate fingerprint → find in white list → HIT: skip the file; not HIT: scan → scan complete
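The two white-listing flows above (building the list from the golden image, then scanning a derived VM against it) as an added example for this page; it is not TEM-CP's implementation. The slides say only "get file property and calculate fingerprint", so the fingerprint used here (file size plus a SHA-256 of the content) is an assumption, chosen to make the security point explicit: a white list keyed on path, size or timestamps alone would let a file that was trojanized in place keep its HIT and never be rescanned. The golden image, the derived VM's files and the marker-based stand-in for the scan engine are all constructed.

```python
"""Golden-image white listing for VDI scans, following the two flows above: build
the clean-file list from the template, then on each VM enumerate files, compute a
fingerprint, and scan only the files that do not hit the list."""
import hashlib
from typing import Callable


def fingerprint(data: bytes) -> tuple[int, str]:
    """File property (size) plus a content hash. Using only size or timestamps
    would let a file that was modified in place keep its white-list hit."""
    return len(data), hashlib.sha256(data).hexdigest()


def build_white_list(template_files: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """'Create White List' step: one entry per file in the golden image."""
    return {path: fingerprint(data) for path, data in template_files.items()}


def scan_vm(vm_files: dict[str, bytes],
            white_list: dict[str, tuple[int, str]],
            scanner: Callable[[bytes], bool]) -> dict[str, list[str]]:
    """Scan process of a VM derived from the template. Returns which files were
    skipped (HIT), which were scanned (not HIT), and which the scanner detected."""
    result: dict[str, list[str]] = {"hit": [], "scanned": [], "detected": []}
    for path, data in vm_files.items():                      # Enumerate files
        if white_list.get(path) == fingerprint(data):        # Find in white list
            result["hit"].append(path)
            continue
        result["scanned"].append(path)                       # Not HIT: scan
        if scanner(data):
            result["detected"].append(path)
    return result


def toy_scanner(data: bytes) -> bool:
    """Stand-in for the VSAPI scan engine; detects a constructed marker string."""
    return b"MALWARE-MARKER" in data


# Constructed golden image and a derived VM (paths and contents are made up).
GOLDEN_IMAGE = {
    "C:/Windows/System32/notepad.exe": b"notepad-original-bytes",
    "C:/Program Files/App/app.dll": b"app-library-bytes",
}
WHITE_LIST = build_white_list(GOLDEN_IMAGE)

DERIVED_VM = dict(GOLDEN_IMAGE)
DERIVED_VM["C:/Users/alice/report.docm"] = b"macro document MALWARE-MARKER"
# Same path and same size as the golden copy, but trojanized content.
DERIVED_VM["C:/Windows/System32/notepad.exe"] = b"MALWARE-MARKER-padding".ljust(
    len(GOLDEN_IMAGE["C:/Windows/System32/notepad.exe"]), b"x")
```

On the derived VM only app.dll hits the list; the user's document is new and is scanned, and the replaced notepad.exe is scanned too even though its path and size still match the template, because its content hash does not.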
VM Awareness
Concept
– Only a configurable number (x) of guest VMs may run on-demand scans and updates simultaneously.
Customer value
– Prevents several I/O- and CPU-intensive tasks from running at the same time
– Saves resources in the VDI environment

VM Awareness – Approach
TEM-CP client
– If TEM-CP is running in a VM, it checks whether any VMs on the same hardware are scanning or updating.
VDI component
– Gets the VM-to-host mapping from the VDI server
– Allows or denies the TEM-CP client's request
– Updates the VM status with the TEM-CP clients (for scans and updates)
VDI Server – Vendors
[Diagram: a VMware VDI server (vCenter managing ESX servers) and a Citrix VDI server (XenServer); each ESX server or XenServer hosts VMs, and each VM runs the Trend client and the IBM agent]
VM Awareness – Interaction: integrated with the IBM Relay
[Diagram: the Trend VDI component runs on the BigFix Relay and consists of the VDI I/O Operation Manager (daemon), VDIInfo and an HTTP-accessible filesystem from which the plug-in is downloaded. VMs on ESX and XenServer hosts (each running the Trend client and the BigFix agent) send I/O operation requests to the daemon and receive a response; the daemon tracks I/O operation status, and obtains the VM mapping from vCenter over SOAP and from XenServer over XML-RPC. Tasks reach the VMs through the BigFix agent.]
Outline of AutoUpdate Steps in TEM-CP
1. Run the CPM Automatic Update Setup script to create the CPM operator and the custom update site.
2. Run the Core Protection Module - Enable Automatic Updates - Server Fixlet as a one-time action targeting the ESP (TEM) server.
3. Run the Core Protection Module - Enable Automatic Updates - Endpoint Fixlet as a policy targeting any endpoints that should have automatic updates enabled.
4. Run the Core Protection Module - Set ActiveUpdate Server Pattern Update Interval task as a policy targeting the ESP server, running every hour with retry-on-failure settings enabled.
5. Run the Core Protection Module - Apply Automatic Updates Fixlet as a policy targeting any endpoints that should automatically apply updates, with retry-on-failure settings enabled.
The TEM-CP Automatic Update Setup Script
Creates a custom TEM-CP automatic update site called CustomSite_FileOnlyCustomSite_CPMAutoUpdate
– This custom site hosts a manifest file that describes all of the pattern files available on the TEM-CP server. When automatic updates are enabled on an endpoint, it subscribes itself to this site and uses the manifest file to determine whether it needs to update its pattern files or scan engine.
Creates a custom TEM-CP operator account
– An operator account is required to download files from the Trend Micro ActiveUpdate servers and propagate them to the custom site. This account has write privileges only on the custom TEM-CP update site; its sole purpose is propagating files to the site. By default, its credentials are stored in the <TrendMirrorScript Folder>\Credentials folder.
Authorizes the custom TEM-CP operator to propagate files to the custom TEM-CP update site
– The script generates a certificate that authorizes the operator to propagate the updates. The certificate is stored as <TEM-CP Server Folder>\FileOnlyCustomSiteAuthorization_CPMAutoUpdate.
Make sure you run the script with license.pvk and the site admin password.
Because anyone who can read the stored operator credentials and authorization certificate can publish content to the update site that every subscribed endpoint applies, restrict filesystem access to the Credentials folder and to license.pvk to the administrators who need it.
Enable Automatic Updates - Server
Relevant when:
– Windows 2000 SP3 or later is installed
– The TEM agent is version 7.2 or later
– The Core Protection Module server components are installed
– The PropagateManifest value in the registry is not set to 1
What it does:
– Sets the PropagateManifest value under HKLM\SOFTWARE\BigFix\CPM\server to 1
Only needs to run once.
Enable Automatic Updates - Endpoint
Relevant when:
– Windows 2000 SP3 or later is installed
– The TEM agent is version 7.2 or later
– The Core Protection Module client components are installed
– The EnableAutoUpdate value in the registry is not set to 1
What it does:
– Sets the EnableAutoUpdate value under HKLM\SOFTWARE\BigFix\CPM\client to 1
– Subscribes the endpoint to the CustomSite_FileOnlyCustomSite_CPMAutoUpdate site
Make it a policy.
Set ActiveUpdate Server Pattern Update Interval
Relevant when:
– Windows 2000 SP3 or later is installed
– The TEM agent is version 7.2 or later
– The Core Protection Module server components are installed
– The TrendMirrorScript folder and executable are installed (by the TEM-CP Automatic Update Setup script)
What it does:
– Runs TMCPMAuHelper to check whether updates are available from the Trend Micro ActiveUpdate servers
– If updates are available, downloads them to the TEM-CP server
– Runs TrendMirrorScript to propagate the new files to the CustomSite_FileOnlyCustomSite_CPMAutoUpdate site
Make it a policy.
Apply Automatic Updates
Relevant when:
– Windows 2000 SP3 or later is installed
– The TEM agent is version 7.2 or later
– The Core Protection Module client components are installed
– The EnableAutoUpdate value in the registry is set to 1
– The endpoint is not in a rollback state
– The Core Protection Module version is 1.5 or later
– New pattern files or a new scan engine are available in the custom TEM-CP update site
What it does:
– Calls TMCPMAuUpdater to download the necessary pattern files from the TEM-CP server
– Moves the files into the appropriate directory structure for updating
– Calls TMCPMAuUpdater to apply the downloaded updates
– Sets the AverageUpdateTime, LastPatternUpdate, LastUpdateVersion and UpdateCount values under the HKLM\SOFTWARE\BigFix\CPM\client registry key, all of which are used for reporting
– Checks whether a driver was updated and requires a system reboot
Make it a policy.
Set ActiveUpdate Server Pattern Update Interval must have run at least once.
Understanding the Automatic Update Process
Server side:
1. The Set ActiveUpdate Server Pattern Update Interval task starts on the ESP server.
2. Are updated patterns and/or engines available from the Trend Micro ActiveUpdate servers? If no, the task completes.
3. If yes, download the updates from Trend Micro using TMCPMAuHelper.
4. Run TrendMirrorScript to propagate the updated patterns and/or engines to the custom ESP site.
5. The Set ActiveUpdate Server Pattern Update Interval task completes on the ESP server.
Endpoint side:
6. The Apply Automatic Updates task starts on the endpoint(s).
7. Is the endpoint in a rollback state? If yes, the update process is complete (nothing is applied).
8. If no, call TMCPMAuUpdater to download the patterns and/or engines from the ESP server.
9. Use TMCPMAuUpdater to apply the updates to the endpoint, then update the time statistics for reports.
10. Was a driver that requires a reboot updated? If yes, trigger the Core Protection Module – Restart Needed Fixlet.
11. The Apply Automatic Updates task completes on the endpoint(s).
Set ActiveUpdate Server Pattern Update Interval Overview
This is the first stage of the update process. The Set ActiveUpdate Server Pattern Update Interval task is configured to run periodically to check the Trend Micro ActiveUpdate servers for new pattern files and scan engines and to download them if they are available. It then assembles the files and propagates them into a new revision of the custom site. Once this revision has been created and the files have been propagated, the Apply Automatic Updates task becomes relevant on clients that have automatic updates enabled.
TMCPMAuHelper: Check for Updated Patterns/Engines
The first thing the Set ActiveUpdate Server Pattern Update Interval task does is launch the TMCPMAuHelper tool.
The <TEM-CP Server Folder>\download\server.ini file contains version information for the pattern files and scan engines that have already been downloaded and made available on the TEM-CP server. By comparing the local server.ini with the corresponding file on the Trend Micro ActiveUpdate servers, TMCPMAuHelper determines whether a new update is available.
If no new pattern files are available from the Trend Micro ActiveUpdate servers, the task completes without doing anything further. If updates are available, it continues to the next step.
TMCPMAuHelper: Download Updates
When updates are available, TMCPMAuHelper downloads them into several temporary folders under <TEM-CP Server Folder>\bin\AU_Data. Once the download has completed, incremental update patterns are built and the entire set of files is copied to the <TEM-CP Server Folder>\download folder. As mentioned above, subsequent runs of TMCPMAuHelper use the information in this folder to determine whether new updates are available.
Finally, the files are assembled into the <TEM-CP Server Folder>\Components folder so that TrendMirrorScript can transfer them into the custom site.
TrendMirrorScript: Propagate the Updates to the Site
The next step in the task is to run TrendMirrorScript. This tool is responsible for actually making the updates available to the endpoints. Because every set of updates is unique, a new revision of the CustomSite_FileOnlyCustomSite_CPMAutoUpdate site is created each time a new set is downloaded. When the new revision becomes available to the endpoints, an update is automatically triggered by the Apply Automatic Updates task.
TrendMirrorScript first moves the contents of the <TEM-CP Server Folder>\Components folder into the <TEM-CP Server Folder>\wwwrootbes\cpm\patterns\YYYYMMDD_hhmmss folder, where YYYYMMDD_hhmmss is a timestamp corresponding to the date and time the updates were downloaded.
Once the pattern files have been moved, several files in the <TrendMirrorScript Folder>\propagation folder are updated with the latest file information.
TrendMirrorScript: Propagate the Updates to Site
Finally, TrendMirrorScript executes PropagateFiles.exe, which propagates the files to the custom site using the propagation credentials specified when configuring automatic updates. A new revision of the CustomSite_FileOnlyCustomSite_CPMAutoUpdate Site is created in the <TEM-CP Server Folder>\wwwrootbes\bfsites\CustomSite_FilesOnlyCustomSite_CPMAutoUpdate_X> folder, where X is the new revision number.
The folder will contain 3 files of importance:
– filelist_srv.txt -- This is referenced in the Apply Automatic Updates task to determine whether or not the client has out-of-date pattern files
– server.ini -- This is used by the TEM-CP client updater for determining what updates need to be applied (eg: incremental updates)
– manifest.ini -- This file contains metadata about the pattern set
Once all of these steps have completed, the Set ActiveUpdate Server Update Pattern Interval task is complete.
Apply Automatic Updates Overview
Once the pattern files have been updated on the server and propagated to the CustomSite_FileOnlyCustomSite_CPMAutoUpdate Site, the Apply Automatic Updates Task will become relevant on any endpoint with outdated pattern files or an outdated scan engine that has automatic updates enabled. The task will then download the pattern files and/or scan engine and apply it on the endpoint.
Is the Endpoint in a Rollback State?
If a rollback task has been executed on an endpoint and the Core Protection Module - Clear Rollback Flag task has not been subsequently run, the endpoint is considered to be in a rollback state.
In order to prevent an update that may be causing problems in your environment from automatically re-deploying, the Apply Automatic Updates task will not become relevant on the endpoint until the Core Protection Module - Clear Rollback Flag has been executed on it.
TMCPMAuUpdater: Download/Apply Patterns to Client
The first step taken by the Apply Automatic Updates Task is to use TMCPMAuUpdater to download the pattern files and/or scan engine from the TEM-CP server using the standard TEM-CP relay architecture.
The pattern files are initially downloaded into the <TEM-CP Client Folder>\__BESData\actionsite\__Download folder and are then moved into appropriate subfolders. Incremental updates are downloaded wherever possible to keep the update size small.
Once the pattern files have been downloaded, TMCPMAuUpdater is then called a second time to apply the updates to the endpoint.
Update Statistics for Reporting
The Time to Protection report in the TEM-CP Dashboard provides reporting on the average amount of time it takes endpoints to receive and apply updates. In order to gather this information, the Apply Automatic Updates task writes update statistics to the registry. This information is then gathered through an analysis on the server and used for reporting.
Trigger a Reboot (if needed)
The final step of the Apply Automatic Updates Task is to determine whether a reboot is required in order to update a particular driver used by TEM-CP. If the driver requires a reboot, the task triggers the Core Protection Module - Restart Needed fixlet so that it becomes relevant on the endpoint.
Troubleshooting the Automatic Update Process
– Manual Steps for TEM-CP Automatic Update Script
– Verifying Custom Site and Operator creation
– Re-Running the Setup Script
– Verifying Automatic Updates are enabled on the server
– Verify Set ActiveUpdate Server Pattern Update Interval is running
– Verify Automatic Updates are enabled on the client
– Verify the client is not in a rollback state
– Verify updates are being downloaded on the client
– Enabling Debug Mode for the server
– Enabling Debug Mode for the client
Manual Steps for TEM-CP Automatic Updates Script

1. Open the TEM-CP Administration Tool and click the Add User button.
a. Enter cpm_admin for the Username. You can choose another username if desired, but cpm_admin is the recommended username. Note: the Automatic Update Setup Script creates a user with additional characters (the date the original user was created and some additional characters) at the end of the user name.
b. Enter an e-mail address for the user. This address is only used in the public key certificate for the user, so it does not need to be a legitimate e-mail address.
c. Enter and verify a password for the user.
d. Uncheck “Give this user the ability to administer management rights”.
e. Select “Do not show this user any unmanaged assets”.
f. Select “Show this user only their own actions and action results”.
g. Click OK.
h. Make a note of the location where the credentials are being saved and click OK.
i. Enter the site admin password and click OK.
j. Click OK to close the window.
k. Click Yes to propagate the action site.
l. Enter the site admin password and click OK.
2. Open Registry Editor and navigate to HKLM\SOFTWARE\BigFix\CPM\server.
3. Add a new string value called PropagationUser and set it to the username you used in step 1a.
4. Add a new string value called PropagationPassword and set it to the password you used in step 1c. This stores the operator password in plaintext under HKLM, where it is read by TrendMirrorScript; since HKLM\SOFTWARE keys are readable by all local users by default, restrict read access on this key to the administrators who run the update task.
5. Add a new string value called CredentialsPVK and set it to <TrendMirrorScript Folder>\Credentials\publisher.pvk, replacing <TrendMirrorScript Folder> with the appropriate path.
6. Copy the publisher.pvk and publisher.crt files from the credentials folder noted in step 1h to the <TrendMirrorScript Folder>\Credentials folder. publisher.pvk is the operator's private key, so the Credentials folder needs the same restricted permissions as the registry key.
7. Locate the license.pvk file on the TEM-CP server.
8. Open a Command Prompt and run the following command from the <TrendMirrorScript Folder>:

PropagateFiles.exe CreateFileOnlyCustomSiteUserAuthorization "<path to license.pvk>" "<site admin password>" bes_bfenterprise "<username from step 1a>" "<password from step 1c>" FileOnlyCustomSite_CPMAutoUpdate

– Be sure to replace the following parameters, leaving quotation (") marks around each:
• <path to license.pvk> -- The full path to the private key for the site admin account
• <site admin password> -- The password for the site admin account; this is the same password you use when opening the TEM-CP Administration Tool
• <username from step 1a> -- The username you previously created
• <password from step 1c> -- The password for the user you created

Note that both passwords are passed on the command line in the clear, so they are visible in the process list for as long as PropagateFiles.exe runs; run the command from an interactive administrator session on the server rather than embedding it in a shared script.
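Steps 2 through 8 above as one PowerShell script. This is an added example, not the Automatic Update Setup Script that ships with TEM-CP: the server and TrendMirrorScript folders, the credentials folder noted in step 1h, the path to license.pvk and the operator account are all parameters you supply, and the PSCredential/SecureString handling is the script's own choice (the product only needs the plaintext values it writes). Save it as a .ps1 and run it elevated on the TEM-CP server after finishing step 1 in the Administration Tool.

```powershell
# Added example (not part of the training deck or the product): scripts manual steps 2-8.
# All paths below are assumptions passed in by the caller.
param(
    [Parameter(Mandatory)] [string]       $ServerFolder,      # <TEM-CP Server Folder>
    [Parameter(Mandatory)] [string]       $MirrorFolder,      # <TrendMirrorScript Folder>
    [Parameter(Mandatory)] [string]       $LicensePvk,        # full path to license.pvk (step 7)
    [Parameter(Mandatory)] [string]       $OperatorCredDir,   # credentials folder noted in step 1h
    [Parameter(Mandatory)] [pscredential] $Operator,          # username from 1a, password from 1c
    [Parameter(Mandatory)] [securestring] $SiteAdminPassword  # Administration Tool password
)
$ErrorActionPreference = 'Stop'
$regKey  = 'HKLM:\SOFTWARE\BigFix\CPM\server'
$credDir = Join-Path $MirrorFolder 'Credentials'
$pvkDest = Join-Path $credDir 'publisher.pvk'

# Steps 2-5: string values under HKLM\SOFTWARE\BigFix\CPM\server.
# PropagationPassword is stored as plaintext REG_SZ because that is how TrendMirrorScript
# reads it; tighten the key's ACL afterwards so only administrators can read it.
if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
$operatorPlain = $Operator.GetNetworkCredential().Password
Set-ItemProperty -Path $regKey -Name PropagationUser     -Value $Operator.UserName
Set-ItemProperty -Path $regKey -Name PropagationPassword -Value $operatorPlain
Set-ItemProperty -Path $regKey -Name CredentialsPVK      -Value $pvkDest

# Step 6: copy the operator's publisher key and certificate into <TrendMirrorScript Folder>\Credentials.
New-Item -ItemType Directory -Path $credDir -Force | Out-Null
foreach ($f in 'publisher.pvk', 'publisher.crt') {
    Copy-Item -Path (Join-Path $OperatorCredDir $f) -Destination $credDir -Force
}

# Steps 7-8: PropagateFiles.exe must be run from the TrendMirrorScript folder.
if (-not (Test-Path $LicensePvk)) { throw "license.pvk not found at $LicensePvk" }
$siteAdminPlain = [System.Net.NetworkCredential]::new('', $SiteAdminPassword).Password
Push-Location $MirrorFolder
try {
    & .\PropagateFiles.exe CreateFileOnlyCustomSiteUserAuthorization `
        "$LicensePvk" "$siteAdminPlain" bes_bfenterprise `
        "$($Operator.UserName)" "$operatorPlain" `
        FileOnlyCustomSite_CPMAutoUpdate
    if ($LASTEXITCODE -ne 0) { throw "PropagateFiles.exe exited with code $LASTEXITCODE" }
}
finally {
    Pop-Location
    # Do not leave the plaintext copies lying around in the session.
    Remove-Variable operatorPlain, siteAdminPlain -ErrorAction SilentlyContinue
}
```

Typical invocation is `.\Setup-CpmPropagation.ps1 -ServerFolder '...' -MirrorFolder '...' -LicensePvk '...\license.pvk' -OperatorCredDir '...\BESCredentials\cpm_admin' -Operator (Get-Credential cpm_admin) -SiteAdminPassword (Read-Host -AsSecureString)`; the script name and every path in that line are placeholders. The passwords still reach PropagateFiles.exe on its command line, exactly as in the manual step, so the process-list exposure noted above applies here too.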
Verifying Custom Site and Operator Creation

Verify that the following values exist under the HKLM\SOFTWARE\BigFix\CPM\server key in the registry:
– CredentialsPVK (REG_SZ): <TrendMirrorScript Folder>\Credentials\publisher.pvk
– ManifestSiteName (REG_SZ): FileOnlyCustomSite_CPMAutoUpdate
– PropagationDSN (REG_SZ): bes_bfenterprise
– PropagationPassword (REG_SZ): The password for the TEM-CP operator account created for propagating files
– PropagationUser (REG_SZ): The username of the TEM-CP operator account created for propagating files. The default account name is cpm_admin_XXXXXX, where XXXXXX is the date the account was created and some additional characters. Verify this account exists in the TEM-CP Administration Tool.
Verify that the operator account has been created correctly:
– Open the TEM-CP Administration Tool and log in using the site admin password.
– Make sure that the operator account (cpm_admin_XXXXX by default) exists.
– Close the TEM-CP Administration Tool.

Verify that publisher.pvk and publisher.crt exist in the <TrendMirrorScript Folder>\Credentials folder.

Verify that the FilesOnlyCustomSiteAuthorization_CPMAutoUpdate file exists in the <TEM-CP Server Folder>.
Re-Running the Setup Script

If you wish to re-run the script in order to try creating the TEM-CP operator account and/or the custom site again, perform the following steps beforehand:
1. Open the TEM-CP Administration Tool and remove the operator account (cpm_admin_XXXXX by default).
2. Remove the following files and folders:
• The folder where the TEM-CP Administration Tool stored the credentials of the operator account (usually C:\Documents and Settings\<Windows login>\My Documents\BESCredentials\<operator account>)
• The <TrendMirrorScript Folder>\Credentials folder
• The <TEM-CP Server Folder>\FileOnlyCustomSiteAuthorization_CPMAutoUpdate file
3. Remove the following values from the HKLM\SOFTWARE\BigFix\CPM\server registry key:
• CredentialsPVK
• ManifestSiteName
• PropagationDSN
• PropagationPassword
• PropagationUser

You should now be able to re-run the script.
Verifying Automatic Updates are enabled on the server
No updates will ever propagate if automatic updates are not properly enabled on the server. Make sure that the PropagateManifest value under the HKLM\SOFTWARE\BigFix\CPM\server key in the registry is set to 1. If it is not, change the value to 1.
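The server-side checks from the Verifying Custom Site and Operator Creation slides and the PropagateManifest check above, collected into one PowerShell function. This is an added example rather than anything shipped with TEM-CP; the two folder paths are parameters because install locations vary, and the function accepts either spelling of the site authorization file name because the deck uses both.

```powershell
# Added example (not from the training deck or the product): verifies what the Automatic
# Update Setup Script is expected to leave behind on the TEM-CP server.
function Test-CpmPropagationSetup {
    param(
        [Parameter(Mandatory)] [string] $ServerFolder,   # <TEM-CP Server Folder>
        [Parameter(Mandatory)] [string] $MirrorFolder    # <TrendMirrorScript Folder>
    )
    $regKey   = 'HKLM:\SOFTWARE\BigFix\CPM\server'
    $expected = @{
        CredentialsPVK   = Join-Path $MirrorFolder 'Credentials\publisher.pvk'
        ManifestSiteName = 'FileOnlyCustomSite_CPMAutoUpdate'
        PropagationDSN   = 'bes_bfenterprise'
    }
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string] $Name, [bool] $Ok, [string] $Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
    }

    # Registry values written by the setup script (or by the manual steps).
    $reg = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
    Add-Check 'Registry key exists' ($null -ne $reg) $regKey
    foreach ($name in $expected.Keys) {
        $actual = if ($reg) { $reg.$name } else { $null }
        Add-Check $name ($actual -eq $expected[$name]) "expected '$($expected[$name])', found '$actual'"
    }
    $user = if ($reg) { $reg.PropagationUser } else { $null }
    $pass = if ($reg) { $reg.PropagationPassword } else { $null }
    Add-Check 'PropagationUser set' (-not [string]::IsNullOrEmpty($user)) "found '$user' (default is cpm_admin_<date and suffix>)"
    Add-Check 'PropagationPassword set' (-not [string]::IsNullOrEmpty($pass)) 'value deliberately not displayed'

    # Server-side master switch: nothing is propagated unless PropagateManifest is 1.
    $pm = if ($reg) { $reg.PropagateManifest } else { $null }
    Add-Check 'PropagateManifest = 1' ($pm -eq 1) "found '$pm'"

    # Files copied into <TrendMirrorScript Folder>\Credentials.
    foreach ($f in 'publisher.pvk', 'publisher.crt') {
        $p = Join-Path $MirrorFolder "Credentials\$f"
        Add-Check "$f present" (Test-Path $p) $p
    }

    # Site authorization file; the deck spells it both FileOnly... and FilesOnly..., so accept either.
    $auth = @('FileOnlyCustomSiteAuthorization_CPMAutoUpdate', 'FilesOnlyCustomSiteAuthorization_CPMAutoUpdate') |
            ForEach-Object { Join-Path $ServerFolder $_ } | Where-Object { Test-Path $_ }
    Add-Check 'Site authorization file present' ([bool]$auth) $(if ($auth) { $auth -join ', ' } else { "not found in $ServerFolder" })

    return $checks
}
```

Run it as `Test-CpmPropagationSetup -ServerFolder '<TEM-CP Server Folder>' -MirrorFolder '<TrendMirrorScript Folder>' | Where-Object { -not $_.OK }` to list only the failing checks; an empty result means the registry, credentials and authorization file all look the way the slides describe. The function does not read the operator account out of the Administration Tool, so that step stays manual.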
Verify Set ActiveUpdate Server Pattern Update Interval is running
The Set ActiveUpdate Server Pattern Update Interval task is responsible for downloading new pattern files from the Trend Micro ActiveUpdate servers. If this task is not running or is not properly completing, endpoints may not properly update.
1. Make sure that the task is set up properly as a policy in TEM-CP. If you are unsure on how this should be configured, refer to the Run the "Set ActiveUpdate Server Pattern Update Interval" Task section in this document.
2. Make sure the <TEM-CP Server Folder>\download folder exists and contains the latest engine and pattern files.
a. If there are no files in the folder or the files are out of date, it may indicate either that the task is not running or that there is a problem downloading the files from Trend Micro.
b. If a web gateway appliance is sitting between the TEM-CP server and the Internet, make sure it is not blocking access to the Trend Micro ActiveUpdate servers. You may need to whitelist http://esp-p.activeupdate.trendmicro.com/activeupdate to allow access.
c. Check the LatestExitCode value under the HKLM\SOFTWARE\TrendMicro\CPMsrv key in the registry. If the value is 3, TMCPMAuHelper ran but did not find any newer patterns on the Trend Micro ActiveUpdate servers. If the value is 0, new patterns were successfully downloaded. Any other code means there was an error checking for updates.
d. Check the <TEM-CP Server Folder>\bin\AU_Data\AU_Log\TmuDump.txt file for additional information on potential issues with the downloads. You can also enable debugging for this log; the steps are outlined below in the Enabling Debug Mode for the Server section.
3. Verify that the <TEM-CP Server Folder>\Components folder is empty. If the folder is not empty, TrendMirrorScript may not have executed properly and will need to be run manually (see below).
4. Verify that a new folder with a recent timestamp has been created under the <TEM-CP Server Folder>\wwwrootbes\cpm\patterns folder. You should see folders named YYYYMMDD_hhmmss, a time stamp indicating when the pattern files were downloaded. If a recent folder does not exist, TrendMirrorScript may not have executed properly and will need to be run manually (see below).
5. Verify that a new folder named CustomSite_FilesOnlyCustomSite_CPMAutoUpdate_X with a recent timestamp has been created under the <TEM-CP Server Folder>\wwwrootbes\bfsites folder. X is a number indicating the "revision" of the site. If there is no folder with roughly the same timestamp as when the patterns were updated, it most likely means that PropagateFiles.exe, which is launched by TrendMirrorScript, failed to propagate the appropriate files to the site. The most likely cause is an operator account/password mismatch. Verify that the propagation username and password are correct and re-run TrendMirrorScript (see below).
6. Cross-check the manifest file in the most recent folder identified in step 5 with the pattern set cache on the TEM-CP server to make sure they match.
a. Open the manifest.ini file in the folder identified in step 5.
b. Find the line beginning with version= and make a note of the value. This should be a timestamp in the form YYYYMMDD_hhmmss.
c. This value should match the most recent folder in the <TEM-CP Server Folder>\wwwrootbes\cpm\patterns folder.
d. If the two are out of sync, run the TrendMirrorScript manually (see below).
7. If the TrendMirrorScript did not execute, you can try running the command manually from the <TrendMirrorScript Folder>. It does not take any arguments.
8. TrendMirrorScript writes logging information to a file whose name matches the current day (YYMMDD.log) inside the <TrendMirrorScript Folder>\logs folder.
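Steps 2 through 6 of this check as a single PowerShell function that walks the server-side pipeline in the order the slides describe (ActiveUpdate exit code, download cache, Components staging folder, newest pattern set, newest site revision, manifest version). It is an added example, not part of the deck or the product. The 24-hour "recent" threshold and the use of folder creation times to decide whether the site revision kept up with the pattern set are assumptions; tune them to your Set ActiveUpdate Server Pattern Update Interval.

```powershell
# Added example (not from the training deck or the product): automates troubleshooting steps 2-6.
function Test-CpmServerUpdatePipeline {
    param(
        [Parameter(Mandatory)] [string] $ServerFolder,   # <TEM-CP Server Folder>
        [int] $MaxAgeHours = 24                          # assumption: how old the newest set may be
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $cutoff   = (Get-Date).AddHours(-$MaxAgeHours)

    # Step 2c: outcome of the last TMCPMAuHelper run (0 = downloaded, 3 = nothing newer, else error).
    $exit = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\TrendMicro\CPMsrv' -ErrorAction SilentlyContinue).LatestExitCode
    if     ($null -eq $exit) { $findings.Add('WARN LatestExitCode missing: TMCPMAuHelper may never have run') }
    elseif ($exit -eq 0)     { $findings.Add('OK   LatestExitCode=0: new patterns were downloaded on the last run') }
    elseif ($exit -eq 3)     { $findings.Add('OK   LatestExitCode=3: no newer patterns on ActiveUpdate at the last run') }
    else                     { $findings.Add("WARN LatestExitCode=$($exit): error checking for updates; see bin\AU_Data\AU_Log\TmuDump.txt") }

    # Step 2: the download cache must exist and be reasonably fresh.
    $download = Join-Path $ServerFolder 'download'
    $newest = Get-ChildItem -Path $download -File -Recurse -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { $findings.Add("WARN $download is missing or empty: task not running, or download from Trend Micro blocked") }
    elseif ($newest.LastWriteTime -lt $cutoff) { $findings.Add("WARN newest file in download dates from $($newest.LastWriteTime)") }

    # Step 3: Components is a staging folder; TrendMirrorScript moves its contents out.
    $components = Join-Path $ServerFolder 'Components'
    if (@(Get-ChildItem -Path $components -Force -ErrorAction SilentlyContinue).Count -gt 0) {
        $findings.Add('WARN Components folder is not empty: TrendMirrorScript did not run or failed; run it manually')
    }

    # Step 4: newest YYYYMMDD_hhmmss folder under wwwrootbes\cpm\patterns.
    $patternsDir = Join-Path $ServerFolder 'wwwrootbes\cpm\patterns'
    $latestSet = Get-ChildItem -Path $patternsDir -Directory -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -match '^\d{8}_\d{6}$' } | Sort-Object Name -Descending | Select-Object -First 1
    if (-not $latestSet) { $findings.Add("WARN no timestamped pattern folder under $patternsDir") }
    elseif ($latestSet.CreationTime -lt $cutoff) { $findings.Add("WARN latest pattern set $($latestSet.Name) is older than $MaxAgeHours h") }

    # Step 5: highest-numbered site revision under wwwrootbes\bfsites (deck uses both FileOnly and FilesOnly).
    $sitesDir = Join-Path $ServerFolder 'wwwrootbes\bfsites'
    $latestRev = Get-ChildItem -Path $sitesDir -Directory -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -match '^CustomSite_Files?OnlyCustomSite_CPMAutoUpdate_\d+$' } |
                 Sort-Object { [int]($_.Name -replace '^.*_(\d+)$', '$1') } -Descending | Select-Object -First 1
    if (-not $latestRev) { $findings.Add("WARN no CustomSite_..._CPMAutoUpdate_<rev> folder under $sitesDir") }
    elseif ($latestSet -and $latestRev.CreationTime -lt $latestSet.CreationTime) {
        $findings.Add('WARN newest site revision predates newest pattern set: PropagateFiles.exe probably failed; check PropagationUser/PropagationPassword and re-run TrendMirrorScript')
    }

    # Step 6: version= in the revision's manifest.ini must name the newest pattern set folder.
    $manifestVersion = $null
    if ($latestRev) {
        $m = Select-String -Path (Join-Path $latestRev.FullName 'manifest.ini') -Pattern '^version=(.+)$' -ErrorAction SilentlyContinue |
             Select-Object -First 1
        if ($m) { $manifestVersion = $m.Matches[0].Groups[1].Value.Trim() }
        if ($latestSet -and $manifestVersion -ne $latestSet.Name) {
            $findings.Add("WARN manifest version '$manifestVersion' does not match newest pattern set '$($latestSet.Name)': run TrendMirrorScript manually")
        }
    }

    [pscustomobject]@{
        LatestExitCode     = $exit
        NewestDownloadFile = $(if ($newest)    { $newest.LastWriteTime })
        LatestPatternSet   = $(if ($latestSet) { $latestSet.Name })
        LatestSiteRevision = $(if ($latestRev) { $latestRev.Name })
        ManifestVersion    = $manifestVersion
        Findings           = $findings.ToArray()
    }
}
```

`(Test-CpmServerUpdatePipeline -ServerFolder '<TEM-CP Server Folder>').Findings` prints one line per observation; any line starting with WARN maps back to the numbered step above. Step 7 (running TrendMirrorScript by hand) is deliberately not automated here, since re-running it changes the server state you are trying to diagnose.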
Verify Automatic Updates Are Enabled on the Client
No updates will ever be downloaded and applied on the client if automatic updates are not properly enabled. Make sure that the EnableAutoUpdate value under the HKLM\SOFTWARE\BigFix\CPM\client key in the registry is set to 1. If it is not, change the value to 1.
You should also check to make sure the <TEM-CP Client Folder>\__BESData\CustomSite_FileOnlyCustomSite_CPMAutoUpdate folder exists. When the client has successfully subscribed to the custom CPM update site, this folder will be present. You may need to wait until at least one Set ActiveUpdate Server Pattern Update Interval task completes on the TEM-CP server before this folder appears on the client. Once the folder appears, the key files that should exist inside this folder are filelist_srv.txt, server.ini, and manifest.ini.
If this folder does not exist and a significant amount of time (> 1 hour) has passed since a Set ActiveUpdate Server Pattern Update Interval task completed, you can run the Disable Automatic Updates - Endpoint task on the client followed by the Enable Automatic Updates - Endpoint task. This will re-subscribe the client to the custom TEM-CP update site.
Verify the Client is not in a rollback state
Pattern files will not deploy to an endpoint that has had a pattern rollback task run on it without subsequently having the Clear Rollback Flag task run. The Clear Rollback Flag task should be relevant for the endpoint if this is the case. Simply run the task targeting the client that is in the rollback state.
Verify Updates are Being Downloaded on Clients
If the Apply Automatic Updates task becomes relevant and executes on a client but the pattern files are still out-of-date when it completes, there may be a problem with the client downloading the pattern files from the TEM-CP server and/or applying them on the local system.
Check the <TEM-CP Client Folder>\bin\AU_Data\AU_Log\TmuDump.txt log file to see if it contains any errors. This file logs information when the client is downloading updates from the TEM-CP server.
Check the <TEM-CP Client Folder>\AU_Data\AU_Log\TmuDump.txt log file to see if it contains any errors. This file logs information when the client applies the updates on the system.
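The client-side checks from the previous three slides (EnableAutoUpdate, the custom site subscription folder and its three key files, and the two TmuDump.txt logs) as one PowerShell function to run on the endpoint. This is an added example, not part of the deck or the product. The deck does not say where the rollback flag is stored, so that state is not checked here and remains a matter of whether the Clear Rollback Flag task is relevant. Filtering the logs for the words "error" and "fail" is an assumption about how those logs phrase problems; read the surrounding lines before acting on a hit.

```powershell
# Added example (not from the training deck or the product): endpoint-side automatic update checks.
function Test-CpmClientAutoUpdate {
    param([Parameter(Mandatory)] [string] $ClientFolder)   # <TEM-CP Client Folder>
    $findings = New-Object System.Collections.Generic.List[string]

    # Client-side switch: nothing is downloaded or applied unless EnableAutoUpdate is 1.
    $enabled = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\BigFix\CPM\client' -ErrorAction SilentlyContinue).EnableAutoUpdate
    if ($enabled -ne 1) {
        $findings.Add("WARN EnableAutoUpdate is '$enabled', expected 1: run the Enable Automatic Updates - Endpoint task")
    }

    # Subscription to the custom update site appears as this folder with three key files.
    $siteDir   = Join-Path $ClientFolder '__BESData\CustomSite_FileOnlyCustomSite_CPMAutoUpdate'
    $siteFiles = @{}
    if (-not (Test-Path $siteDir)) {
        $findings.Add("WARN $siteDir missing: not subscribed yet; if more than 1 h has passed since a server update, run Disable then Enable Automatic Updates - Endpoint")
    }
    else {
        foreach ($f in 'filelist_srv.txt', 'server.ini', 'manifest.ini') {
            $present = Test-Path (Join-Path $siteDir $f)
            $siteFiles[$f] = $present
            if (-not $present) { $findings.Add("WARN $f missing from $siteDir") }
        }
    }

    # Pattern set the client last received, for comparison with the server's newest patterns folder.
    $manifestVersion = $null
    $m = Select-String -Path (Join-Path $siteDir 'manifest.ini') -Pattern '^version=(.+)$' -ErrorAction SilentlyContinue |
         Select-Object -First 1
    if ($m) { $manifestVersion = $m.Matches[0].Groups[1].Value.Trim() }

    # Two ActiveUpdate logs: bin\... is written while downloading, the top-level one while applying.
    $logErrors = @{}
    foreach ($rel in 'bin\AU_Data\AU_Log\TmuDump.txt', 'AU_Data\AU_Log\TmuDump.txt') {
        $log = Join-Path $ClientFolder $rel
        if (-not (Test-Path $log)) { $logErrors[$rel] = @('(log not present)'); continue }
        # Assumption: problems show up as lines containing "error" or "fail" (case-insensitive).
        $hits = @(Select-String -Path $log -Pattern 'error|fail' | Select-Object -Last 5 | ForEach-Object { $_.Line.Trim() })
        $logErrors[$rel] = $hits
        if ($hits.Count -gt 0) { $findings.Add("WARN $rel contains error/fail lines; last one: $($hits[-1])") }
    }

    [pscustomobject]@{
        EnableAutoUpdate = $enabled
        SiteFolder       = $siteDir
        SiteFiles        = $siteFiles
        ManifestVersion  = $manifestVersion
        LogErrors        = $logErrors
        Findings         = $findings.ToArray()
    }
}
```

Compare the returned ManifestVersion with the newest YYYYMMDD_hhmmss folder under the server's wwwrootbes\cpm\patterns: if the server is ahead and Findings is empty, the Apply Automatic Updates task simply has not run yet on this endpoint; if the server is ahead and the logs show errors, the download or apply phase is failing.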
Enabling Debug Mode for the Server
To enable the logging of additional information in the <TEM-CP Server Folder>\bin\AU_Data\AU_Log\TmuDump.txt file on the TEM-CP server, do the following:
1. Open the file <TEM-CP Server Folder>\Bin\aucfg.ini in Notepad.
2. Find the section labeled [debug].
3. Make sure the value level is set to -1 (eg: level=-1) in that section.
4. Save the file.
Enabling Debug Mode for the Client

To enable the logging of additional information in the <TEM-CP Client Folder>\bin\AU_Data\AU_Log\TmuDump.txt file on the TEM-CP client, do the following:
1. Open the file <TEM-CP Client Folder>\Bin\aucfg.ini in Notepad.
2. Find the section labeled [debug].
3. Make sure the value level is set to -1 (eg: level=-1) in that section.
4. Save the file.

To enable the logging of additional information in the <TEM-CP Client Folder>\AU_Data\AU_Log\TmuDump.txt file on the TEM-CP client, do the following:
1. Open the file <TEM-CP Client Folder>\aucfg.ini in Notepad.
2. Add the following lines:
[debug]
level=-1
log_mode=2
html=0
3. Save the file.

To enable the logging of additional information to the C:\ofcdebug.log file on the TEM-CP client, do the following:
1. Open a new file in Notepad.
2. Add the following lines:
[debug]
DebugLog=C:\ofcdebug.log
Debuglevel=9
Debuglevel_new=D
3. Save the file as <TEM-CP Client Folder>\ofcdebug.ini.
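The [debug] edits from the server slide and the three client procedures above, applied with a small idempotent INI writer so the change can be scripted on many endpoints and reverted the same way. This is an added example, not part of the deck or the product; the folder paths are parameters, and the INI parser is the example's own (it understands the [section] and key=value syntax shown on these slides and nothing more). Debug logging at these levels is verbose and C:\ofcdebug.log grows without bound, so remove ofcdebug.ini and restore the aucfg.ini values once the data has been collected.

```powershell
# Added example (not from the training deck or the product): scripts the [debug] settings above.

function Set-IniValue {
    # Set Key=Value under [Section]; creates the file or section when absent, replaces an
    # existing key in place, and leaves every other line exactly as it was.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Section,
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value
    )
    $lines = @(if (Test-Path $Path) { Get-Content -Path $Path })
    $out   = New-Object System.Collections.Generic.List[string]
    $inSection = $false; $sectionSeen = $false; $written = $false
    $keyPattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    foreach ($line in $lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            # Leaving the target section without having met the key: insert it before the next header.
            if ($inSection -and -not $written) { $out.Add("$Key=$Value"); $written = $true }
            $inSection = ($Matches[1] -eq $Section)
            if ($inSection) { $sectionSeen = $true }
            $out.Add($line)
            continue
        }
        if ($inSection -and -not $written -and $line -match $keyPattern) {
            $out.Add("$Key=$Value"); $written = $true     # overwrite the existing value
            continue
        }
        $out.Add($line)
    }
    if (-not $sectionSeen) { $out.Add("[$Section]") }     # section (and maybe file) did not exist
    if (-not $written)     { $out.Add("$Key=$Value") }    # key absent from an existing trailing section
    Set-Content -Path $Path -Value $out.ToArray()
}

function Enable-CpmServerDebug {
    param([Parameter(Mandatory)] [string] $ServerFolder)   # <TEM-CP Server Folder>
    # Download log bin\AU_Data\AU_Log\TmuDump.txt is controlled by Bin\aucfg.ini.
    Set-IniValue -Path (Join-Path $ServerFolder 'Bin\aucfg.ini') -Section 'debug' -Key 'level' -Value '-1'
}

function Enable-CpmClientDebug {
    param(
        [Parameter(Mandatory)] [string] $ClientFolder,     # <TEM-CP Client Folder>
        [string] $OfcDebugLog = 'C:\ofcdebug.log'
    )
    # Download-phase log (bin\AU_Data\AU_Log\TmuDump.txt).
    Set-IniValue -Path (Join-Path $ClientFolder 'Bin\aucfg.ini') -Section 'debug' -Key 'level' -Value '-1'
    # Apply-phase log (AU_Data\AU_Log\TmuDump.txt).
    $auCfg    = Join-Path $ClientFolder 'aucfg.ini'
    $settings = [ordered]@{ level = '-1'; log_mode = '2'; html = '0' }
    foreach ($k in $settings.Keys) {
        Set-IniValue -Path $auCfg -Section 'debug' -Key $k -Value $settings[$k]
    }
    # Agent debug log: ofcdebug.ini in the client folder, output to $OfcDebugLog.
    $ofc = Join-Path $ClientFolder 'ofcdebug.ini'
    Set-IniValue -Path $ofc -Section 'debug' -Key 'DebugLog'       -Value $OfcDebugLog
    Set-IniValue -Path $ofc -Section 'debug' -Key 'Debuglevel'     -Value '9'
    Set-IniValue -Path $ofc -Section 'debug' -Key 'Debuglevel_new' -Value 'D'
}
```

Because Set-IniValue replaces a key in place, running `Enable-CpmClientDebug` twice is harmless, and turning the logging back down is the same call with the original values (for example level=0 in the two aucfg.ini files, which is an assumed default) followed by deleting ofcdebug.ini.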
Contacting Support for Assistance

If you are still having issues, you can contact the Trend Micro Support Team for additional assistance. Trend Micro Support will ask you to retrieve and send them the following log files:

From the TEM-CP Server
– <TEM-CP Server Folder>\bin\AU_Data\AU_Log\TmuDump.txt
– <TrendMirrorScript Folder>\logs\*.log
– <TEM-CP Server Folder>\wwwrootbes\cpm\patterns\*\server_bf_*.ini

From the TEM-CP Client
– <TEM-CP Client Folder>\bin\AU_Data\AU_Log\TmuDump.txt
– <TEM-CP Client Folder>\AU_Data\AU_Log\TmuDump.txt
– C:\ofcdebug.log (if you have debugging enabled)
– <TEM-CP Client Folder>\__BESData\__Global\Logs\*.log
Reference Materials

TrendEdge Website
http://trendedge.trendmicro.com

TEM-CP Automatic Updates
http://support.bigfix.com/cpm/cpm_update.html

Running the TEM-CP Automatic Update Setup script
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=824

TEM-CP Automatic Updates - Manual Setup Process
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=825

Troubleshooting the Core Protection Module Automatic Update Process
http://support.bigfix.com/cpm/cpm_autoupdate.html

BigFix Session Relevance Editor
http://support.bigfix.com/labs/relevanceeditor.html
Basic Troubleshooting
Troubleshooting
What do you do if you lost your private key (license.pvk) file?
If you lose your site credential files or password, then no one – not even IBM – can recover your keys or your password. You will need to reinstall the entire system, including all the TEM-CP/TEM clients, with a freshly generated key.
What should I do if the installation is unsuccessful?
1. Take a screen capture of the error.
2. Download another set of installation files.
3. Open regedit, go to HKLM\Software\IBM and create a string value (REG_SZ) named ScriptLoggingPath with the value c:\installer.
4. You can use a different path for the value; just make sure the directory exists before running the installation generator. In this example the debug files are created under the c:\installer folder.
5. Run the installation again.
How do you trigger the installation of the TEM-CP agent on remote machines?
– Use the TEM Installer and select Install TEM Components > Install TEM Clients > Install Locally, which installs the client on your local machine in the directory you specify.
– Select Install Remotely, which triggers the TEM Client Deploy Tool.
– Manually copy the C:\TEMInstallers\Client folder from the TEM installation computer to the local hard drive and run setup.exe.
– Use C:\TEMInstallers\ClientMSI\TEMClientMSI.msi with a login script, GPO, or other software distribution tool.
What information is needed if the installation fails?
If installation fails or other issues are found on the TEM-CP client, please download IBM Client Diagnostics from http://support.IBM.com/TEM/install/downloadutility.html and run it on the client. Send the zip file collected.
Five options in the Troubleshooting node of the navigation tree enable you to resolve issues identified in the Health Status Chart under Deployment/Overview.
Three audit Fixlets detect machines ineligible for a TEM-CP installation (ineligible hardware, ineligible software, or a conflicting product).
The remaining two Fixlets identify machines where services are not running or configured correctly, or that need a reboot.
A task to disable the Windows Firewall, which may conflict with the Common Firewall component, is also included.
What is the definition of “healthy” in the endpoint Health Status Chart?
An endpoint is healthy when it is:
– Relevant to at least one Fixlet/Task/Analysis in the TEM-CP site
– Not relevant to any of the following Fixlets: Deploy TEM-CP Endpoint, Improper service status, Ineligible (software), Ineligible (hardware), Ineligible (conflicting product), Restart needed, Clear Rollback Flag
– Patterns up-to-date
Why does my Health Status Chart show only three categories in the legend?
The Endpoint Health Status chart includes the 11 categories shown below. If not all of them are displayed, try expanding the size of the dashboard window.
– Healthy
– N/A
– Unknown
– Improper service status
– Not installed
– Ineligible (Hardware)
– Ineligible (Software)
– Conflicting Product
– Restart Needed
– In Rollback State
– Patterns Out of Date
How do I create exclusions?
Go to the Scan Exclusion tab in the On Demand and Real Time wizards (Configuration node).
How do I configure an action when a virus is detected?
Go to the Scan Action tab in the On Demand and Real Time wizards (Configuration node).
How do I tune spyware detection?
You can set spyware detection to assessment mode in the “Spyware Grayware Scan Settings Only” section of the Global Settings wizard (Configuration node).
Instead of quarantining spyware, this feature allows you to simply report spyware. You can then view the infection reports and set appropriate exclusions.
Can I automatically flow updates through clients without operator approval?
Yes. However, you need to manually enable Automatic Updates.
How do I get notified when my system detects a new spyware or virus infection?
Using Web Reports, configure a Scheduled Report based on the Top 25 spyware and virus reports, and set it to e-mail you whenever it changes.
How can end users monitor infection information?
By enabling the Client Dashboard.
What is IntelliTrap, referenced in the On Demand Scan Wizard?
IntelliTrap helps reduce the risk of virus/malware entering your network by blocking files that contain real-time compressed (packed) executables, a common way of disguising malicious code from signature scanning.
What is IntelliScan, referenced in the On Demand Scan Wizard?
IntelliScan is a Trend Micro feature that will only scan files known to potentially harbor malicious code, even those disguised by an innocuous-looking extension name.
Do the On Demand, Global, and Real Time settings features come with default settings, or do I need to set parameters on them before I use this product?
TEM-CP is packaged with default settings for each of these functions, but the wizards enable you to configure them with customized parameters.
For example, use the wizard to customize exclusions to a scan.
What is ActiveAction, as referenced in the Real Time Wizard Scan Action tab?
ActiveAction is a set of pre-configured scan actions for specific types of viruses/malware.
Use ActiveAction if you are not sure which scan action is suitable for each type of virus/malware.
What is the ActiveUpdate Server and what is it used for?
The Trend Micro ActiveUpdate (TMAU) server is Trend Micro’s “in-the-cloud” server from which the TEM-CP server downloads pattern-set files.
Q & A