Alessandro Suin, Global Trainer January 2012 TTEC GO: Tivoli Endpoint Manager for Core Protection


Page 1: Alessandro Suin, Global Trainer January 2012 TTEC GO: Tivoli Endpoint Manager for Core Protection


Page 2

Agenda

Introduction

Core Protection Module components
– TEM-CP for Windows
– TEM-CP for Mac

Understanding features
– Fixlets vs. tasks
– File Reputation
– Web Reputation
– Behavior monitoring
– VDI

Basic troubleshooting

Q&A

Page 3

Disclaimer

This training is developed and delivered prior to the completion of the product.

There may be changes in the GM version that will not be reflected in this training.

Page 4

Introduction

Convention   Description
TEM-CP       Core Protection Module
TEM          Tivoli Endpoint Manager
VSAPI        Virus Scanning API (scan engine)
TMUFE        Trend Micro URL Filtering Engine
CRC          Cyclic Redundancy Check
VDI          Virtual Desktop Infrastructure
Server       The computer where the Security Server is installed.

Page 5

Introduction

Convention                 Description
Smart Scan Server          The local Smart Scan Server, which holds the Smart Scan pattern and answers file-reputation queries.
Global Smart Scan Server   The Trend Micro Global Smart Scan Server, hosted and maintained by Trend Micro data centers.
Smart Client               A Security Agent that applies smart scanning.
Conventional Scan          The traditional scan implemented by Trend Micro products.
MPM                        Mac Protection Module
WRS                        Web Reputation Services
AEGiS                      Original name of the common module containing Behavior Monitoring (BM) and Self Protection (SP)
AU                         ActiveUpdate

Page 6

Introduction

Page 7

Pain Points with Existing AntiVirus (AV)

IT Operations
• Bloated AV consumes too much CPU, network bandwidth, too many servers
• Impacts virtualization costs, limits consolidation of VMs
• Too many tools, too much complexity
• Can't validate compliance, visibility

Compliance
• Lack of evidence: need proof of compliance across multiple endpoints
• Want single dashboard/view

IT Security
• Security ineffective: too slow to deploy, missing endpoints
• Not effective in detecting new threats
• Turned off by users due to performance issues

Page 8

Tivoli Endpoint Manager for Core Protection: Protecting endpoints from malware and other malicious threats

Overview

Delivers single-console, integrated cloud-based protection from malware and other malicious threats via capabilities such as file and web reputation, personal firewall, and behavior monitoring

Highlights

Delivers real-time endpoint protection against viruses, Trojan horses, spyware, rootkits and other malware

Protects through cloud-based file and web reputation, behavior monitoring and personal firewall

Provides virtualization awareness to reduce resource contention issues on virtual infrastructures

Leverages industry-leading IBM® and Trend Micro™ technologies with a single-console management infrastructure

Page 9

Security That Fits: Threat Landscape

The Smart Protection Network infrastructure stops threats in the cloud, before they reach you

Security Made Smarter: Cloud-Based Security, Private Cloud, Real-Time Visibility

Page 10

Market-Leading Protection with Trend Micro's Cloud-Based Smart Protection Network

Source: Real World Corporate Endpoint Test Report, January 2011, http://us.trendmicro.com/imperia/md/content/us/pdf/trendwatch/av-test_january_2011_enterprise_endpoint_comparative_report_final.pdf

Page 11

97% of Threats Blocked at the First Layer of Defense

[Chart: average of all enterprise products, end-to-end 75% (149 of 200) prevented: 33% (65 of 200) at the exposure layer, 53% (72 of 135) at the infection layer, 19% (12 of 65) at the dynamic layer; of 200 threats, 135 and then 65 reached the later layers and 51 were not prevented.]

Threats prevented at each layer (of total threats that reached that layer)

Layer             Trend Micro         Microsoft           Sophos              McAfee              Symantec
Exposure Layer    97% (194 of 200)    2% (3 of 200)       63% (126 of 200)    1% (2 of 200)       0% (0 of 200)
Infection Layer   67% (4 of 6)        68% (134 of 197)    19% (14 of 74)      50% (99 of 198)     54% (108 of 200)
Dynamic Layer     100% (2 of 2)       6% (4 of 63)        23% (14 of 60)      25% (25 of 99)      16% (15 of 92)
All Layers        100% (200 of 200)   71% (141 of 200)    77% (154 of 200)    63% (126 of 200)    62% (123 of 200)

Source: Real World Corporate Endpoint Test Report, January 2011, http://us.trendmicro.com/imperia/md/content/us/pdf/trendwatch/av-test_january_2011_enterprise_endpoint_comparative_report_final.pdf

Page 12

100% of Previously Unknown Threats Blocked within 60 Minutes

NOTE: Time-to-protect improvement is the percentage of threats missed in the first layer (exposure) at T=0 minutes that are subsequently prevented at T=60 minutes. For example, with Trend Micro OfficeScan, at T=0 minutes, 194 threats were prevented at the Exposure Layer, while 6 threats were missed. Of the 6 threats missed at T=0 minutes, all 6 were prevented at T=60 minutes (6 of 6 equals 100%).

Source: Real World Corporate Endpoint Test Report, January 2011, http://us.trendmicro.com/imperia/md/content/us/pdf/trendwatch/av-test_january_2011_enterprise_endpoint_comparative_report_final.pdf

Page 13

Trend Micro Products Provide Consistent, High-Level Performance

Trend Micro consistently dominates in real-world benchmark tests from multiple labs, year over year.

[Chart: Year Over Year Performance. Rankings of Symantec, McAfee, Kaspersky and ESET across ten tests (Corporate Sept 2009, Consumer Sept 2009, Corporate Dec 2009, Corporate Jun 2010, Corporate Sept 2010, Consumer Sept 2010, Corporate Oct 2010, SMB Oct 2010, Corporate Jan 2011, Consumer Jan 2011); individual placings range from 1st (tie) to 11th.]

Tests:
NSS Labs – Sept 2009 Corporate Endpoint Test, Sept 2009 Consumer Endpoint Test, Sept 2010 Corporate and Consumer Endpoint Tests
AV-Test – December 2009 Corporate Endpoint Test, June 2010 Corporate Endpoint Test, October 2010 Corporate Endpoint Test, October 2010 SMB Endpoint Test, January 2011 Corporate Endpoint Test
Dennis Technology Lab – Jan 2011 Consumer Endpoint Test

Source data: rankings based on highest percentage of threats blocked

Page 14

Key Benefits of Tivoli Endpoint Manager for Core Protection

Reduces Hardware and Administration Costs
• Single management server and console supports multiple platforms and functions
• Other vendors may require many management and signature distribution servers; IBM needs only a standard TEM server

Provides Fast Time to Value
• Cloud-based content delivery model rapidly updates endpoints, countering emerging threats
• Existing TEM customers simply "turn on" Core Protection through a license key change; no additional software/hardware required

Reduces Risk, Protects ROI
• Cloud-based file/web reputation, behavior monitoring, and personal firewall reduce infection risk
• Virtualization awareness protects ROI from VDI investments by preventing resource contention issues
• Small client footprint can extend the useful life of PCs

TEM is the industry's only converged systems and security management solution, delivering value through a single console, single server, and single management agent

Page 15

Core Protection Module Components

TEM-CP for Windows

TEM-CP for MAC

Page 16

TEM-CP 10.6 for Windows

Page 17

TEM-CP Features

Malware prevention (including spyware)

Malware removal

File and application blocking for web content

Trend Micro reputation services via the Smart Protection Network
– Web Reputation
– File Reputation

Page 18

TEM-CP Features

Uses fixlet technology to identify outdated protection

Provides these types of scanning
– On-demand

– Real-time

– Scheduled

Includes the TEM-CP dashboard within the IBM console

Page 19

Architecture

[Diagram: TEM Agent communicating with the TEM Server]

Page 20

TEM-CP 10.6 Smart Protection Architecture

[Diagram: Corporate Network containing the TEM Server, TEM Relay, Trend SPS (Smart Protection Server) and SPN Agent, connected through the Internet to Trend SPN (Smart Protection Network) and Trend AU (ActiveUpdate)]

Page 21

TEM-CP 10.6 Smart Protection Architecture

[Diagram: same architecture as the previous slide, file-reputation query highlighted]

On accessing a file, TEM-CP queries File Reputation via SPN agent, SPS and/or Trend SPN.

Page 22

TEM-CP 10.6 Smart Protection Architecture

[Diagram: same architecture, web-reputation query highlighted]

On accessing a website, TEM-CP queries Web Reputation via SPN agent, SPS and/or Trend SPN.

Page 23

TEM-CP 10.6 Smart Protection Architecture

[Diagram: same architecture, global threat database update highlighted]

When Trend Micro identifies a new threat on a single customer, the global threat database is updated.

Page 24

TEM-CP 10.6 Smart Protection Architecture

[Diagram: same architecture, management path from the TEM Server highlighted]

Security admin can deploy, monitor, and configure TEM-CP clients, SPN agents, and SPS*.

Page 25

TEM-CP 10.6 VDI Support Architecture

[Diagram: Corporate Network containing the TEM Server, TEM Relay with the VDI Component, Trend SPS and a VMware/Citrix Server hosting the guest VMs, connected through the Internet to Trend SPN and Trend AU]

On scan or update, the client checks the VDI component for other ESX/XenServer clients doing the same.

Page 26

VDI Support (VMware and Citrix)

VM awareness to prevent I/O congestion
– Scan operations
– Pattern updates

Optimized scans for virtual desktops
– Clean file lists based on common templates (golden images)

Supported environments
– VMware View 5.0 and vSphere 5.0
– Citrix XenServer

Page 27

TEM-CP for Mac

Page 28

Introduction to TEM-CP for Mac

Created specifically for Mac platform users

Requires an existing Trend Micro TEM-CP deployment

TEM-CP 10.6 uses the existing TEM-CP for Mac 1.6 agents; no update is required on the Mac side

Page 29

Introduction

Security Risk Protection
– Scans, detects threats, and acts
– Outbreak detection and response

Web Reputation
– Proactive protection inside or outside the network
– Breaks the infection chain; blocks malicious downloads

Centralized Management
– TEM-integrated management tools
– Coordinated, automated deployment of security policies, pattern files, and software updates on every client

Page 30

Supported OS

Mac OS™ X version 10.4.11 (Tiger) or higher

Mac OS™ X version 10.5.5 (Leopard) or higher

Mac OS™ X version 10.6 (Snow Leopard)

Mac OS™ X version 10.7


Page 32

Understanding Features

Fixlets vs. tasks

File Reputation

Web Reputation

Behavior monitoring

VDI

Page 33

Fixlets vs. Tasks

Page 34

Fixlets and Tasks

Central to the functionality of TEM.

Packaged with Action Script to
– Resolve issues
– Change configuration parameters
– Take other actions with a simple mouse-click

For Default Actions, simply click to deploy.

Page 35

Fixlets

Relevance clauses detect vulnerabilities.

Associated actions fix the problem.

When all clients are remediated:
– The fixlet is no longer relevant to any clients.
– It disappears from the list.

Propagation can be tracked using
– TEM console
– Web Reports
– Visualization Tool

If a fixed problem reappears, the fixlet reappears, ready to be redeployed.

Page 36

Tasks

Include one or more Action Scripts to
– Adjust settings
– Run maintenance tasks

Designed for continued vigilance; often persistent.

Generally shown as relevant until the Action Script has completely executed.

Page 37

File Reputation

Note: also known as Smart Scan

Page 38

Smart Scan > Understanding the Need

New malware will flood networks faster than the deployment of malware knowledge.

More powerful patterns mean:
– larger patterns
– more bandwidth usage
– higher resource consumption

Page 39

Smart Scan > Understanding the Need

Most malware patterns are CRC-based.

Smart Scan relies on CRC-based patterns.

Non-CRC-based patterns are handled in conventional mode.

Page 40

Smart Scan > How It Works

Example traditional file infector:

Part 1 – Prepended to the front of the file to prevent re-infection, with a jump code to part 2

Part 2 – Main portion of the virus

[Diagram: Virus part 1 (jump code) | File | Virus part 2 (main portion); the jump code transfers control from part 1 to part 2]

Page 41

Smart Scan > How It Works

CRC-pattern information can be separated in two parts:

Part 1: Used to identify potential malware

Part 2: Used to confirm that the file is malware

Page 42

Smart Scan > How It Works > Scan Context

Before Smart Scan, all information was stored in the conventional virus pattern file:
– Both CRC parts 1 & 2
– Virus info table
– Non-CRC data

The data structure loaded in memory is called the Scan Context.

[Diagram: the scan engine loads the existing pattern (CRC Part 1, CRC Part 2, Virus info, Non-CRC data) into the Scan context]

Page 43

Smart Scan > How It Works > New Patterns

Three new pattern files are created from the traditional file.

• Smart Query Filter (Client) = BF.ptn

• Smart Scan Agent Pattern (Client) = iCRC$OTH.xxx

• Smart Scan Pattern (Smart Scan Server) = iCRC$TBL.xxx

Page 44

Smart Scan > Smart Query Filter ...on the Client

Smart Query Filter or Bloom Filter: BF.ptn

Is an index to the Smart Scan pattern

Contains only CRC part 1

Performs file-reputation assessment: "Is the file potentially malware?"

A Bloom filter can return false positives but never false negatives: a miss means the file is not in the pattern and needs no server query, while a hit only means "potentially malware" until CRC part 2 confirms it.

[Diagram: Smart Query Filter on the client, Smart Scan Pattern on the Smart Scan Server]

Page 45

Smart Scan > Smart Scan Pattern ...on the Smart Server

File name: icrc$tbl.xxx

Contains both CRC Part 1 and CRC Part 2

Contains virus-information table (for clean/removal)

Provides information required for the
– Confirmation action
– Clean/removal action

Page 46

Smart Scan > Smart Scan Agent Pattern ...on the Client

File name: icrc$oth.xxx

Contains non-CRC-based patterns to identify and remove:
– Script-based scan patterns
– ScriptTrap
– PETrap
– EXE & COM cleaning patterns
– Active action table
– Other pre-CRC patterns
– CRC and virus data for in-the-wild malware (for details see http://www.wildlist.org/)

Page 47

Smart Scan > Malware Detection

Step 1: TM Filter intercepts I/O event

Step 2: Pass information to scan engine

Step 3: Reference iCRC Handler

Step 4: iCRC queries the smart scan server for information (only when needed)

Step 5: Information is returned to scan engine

[Diagram: Operating System I/O Manager → TMFilter → VSAPI scan engine → iCRC handler → Scan server]

Page 48

Smart Scan > Step by Step

[Diagram with two swimlanes, CPM Client and Scan Server. Client: File Reputation Assessment → Malware Identification (determine CRC pattern applicability, CRC query, local verification) → Virus ID query → Remove Malware. Server: cloud virus pattern query (CRC) returns the records that match the CRC; cloud virus pattern query (VirusInfo) returns cleaning/removal instructions from the virus info table.]

Page 49

Smart Scan > Step by Step > Step 1

Smart Scan agent pattern is used for:

In-the-wild verification

CRC-pattern applicability
– Determines true file type
– Evaluates CRC applicability for the specific file type

Page 50

Smart Scan > Step by Step > Step 2

A match indicates the file is potentially malware.

Confirmation occurs later in the process.

Page 51

Smart Scan > Step by Step > Step 3

CRC cache is checked twice before querying the scan server: Query 1 for CRC Part 2, Query 2 for the Virus Info table.

CRC cache file = cache.dat

Page 52

Smart Scan > CRC cache

Page 53

Smart Scan > Step by Step > Step 4

Query: CRC Part 1

Reply: CRC Part 2 is a set of records matching CRC Part 1

Page 54

Smart Scan > Step by Step > Step 5

Upon receipt of data (end of Step 4):
– Pass information to VSAPI
– Receive result: match found?
– Yes: query the Virus ID
– No: not malware; add the information to the cache

Page 55

Smart Scan > Step by Step > Step 6

Smart Scan Server is queried for clean/removal information for Virus ID = 4

Page 56

Smart Scan > Step by Step > Step 7

VSAPI receives the virus clean/removal information, then removes the malware.
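The lookup chain the architecture slides describe (file reputation via SPN agent, SPS and/or Trend SPN) and Steps 1 to 7 above, simulated end to end. This is an added example, not Trend Micro or IBM code: CRC32 of a file's first 64 bytes stands in for CRC part 1 and CRC32 of the remainder for CRC part 2, a small Bloom filter plays the role of BF.ptn, plain dictionaries stand in for iCRC$TBL, the virus-info table and cache.dat, and the sample files, virus ID 4 and its clean instruction are constructed for the demonstration.

```python
"""Simulation of the Smart Scan two-stage lookup (added example, not
Trend Micro/IBM code). Assumptions: CRC part 1 = CRC32 of the first 64
bytes, CRC part 2 = CRC32 of the rest; a Bloom filter stands in for BF.ptn;
dicts stand in for iCRC$TBL, the virus-info table and cache.dat."""
import hashlib
import zlib
from typing import Optional


def crc_parts(data: bytes) -> tuple[int, int]:
    """Cheap index (part 1) and confirmation value (part 2) for a file."""
    return zlib.crc32(data[:64]), zlib.crc32(data[64:])


class BloomFilter:
    """Minimal Bloom filter: false positives possible, false negatives not.
    That is why a hit only means 'potentially malware'."""

    def __init__(self, nbits: int = 4096, nhash: int = 3):
        self.nbits, self.nhash = nbits, nhash
        self.bits = bytearray(nbits // 8)

    def _positions(self, key: int):
        for i in range(self.nhash):
            digest = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.nbits

    def add(self, key: int) -> None:
        for p in self._positions(key):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, key: int) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(key))


class SmartScanServer:
    """Holds the Smart Scan Pattern (part 1 -> records of (part 2, virus ID))
    and the virus-info table (virus ID -> clean/removal instruction)."""

    def __init__(self, signatures, virus_info):
        self.table: dict[int, list[tuple[int, int]]] = {}
        for part1, part2, vid in signatures:
            self.table.setdefault(part1, []).append((part2, vid))
        self.virus_info = dict(virus_info)
        self.queries = 0  # round trips, to show what the client cache saves

    def crc_query(self, part1: int) -> list[tuple[int, int]]:
        self.queries += 1
        return list(self.table.get(part1, []))

    def virus_id_query(self, vid: int) -> str:
        self.queries += 1
        return self.virus_info[vid]


class SmartClient:
    def __init__(self, query_filter: BloomFilter, server: SmartScanServer):
        self.query_filter, self.server = query_filter, server
        self.cache: dict[int, list[tuple[int, int]]] = {}  # plays cache.dat

    def scan(self, data: bytes) -> tuple[str, Optional[str]]:
        part1, part2 = crc_parts(data)
        # Steps 1-2: file-reputation assessment with the local Smart Query Filter
        if part1 not in self.query_filter:
            return "clean", None  # not in the pattern at all, no network needed
        # Step 3: CRC cache before any server round trip
        records = self.cache.get(part1)
        if records is None:
            # Step 4: send part 1, receive every record matching it
            records = self.server.crc_query(part1)
            self.cache[part1] = records
        # Step 5: local verification of part 2 confirms or clears the file
        for rec_part2, vid in records:
            if rec_part2 == part2:
                # Steps 6-7: fetch clean/removal info for the virus ID and act
                return "malware", self.server.virus_id_query(vid)
        return "clean", None  # filter false positive or part-1-only collision


def demo() -> tuple:
    """Constructed samples: a 'malware' file, a benign look-alike sharing its
    first 64 bytes (same part 1, different part 2) and an unrelated file."""
    malware = b"MZ" + b"\x90" * 62 + b"JMP_TO_PART2" + b"payload"
    lookalike = malware[:64] + b"benign remainder"
    unrelated = b"hello world, nothing to see here"
    part1, part2 = crc_parts(malware)
    server = SmartScanServer([(part1, part2, 4)], {4: "delete file, remove run key"})
    query_filter = BloomFilter()
    query_filter.add(part1)  # BF.ptn is built from part 1 only
    client = SmartClient(query_filter, server)
    r_malware = client.scan(malware)      # confirmed, clean instruction fetched
    r_lookalike = client.scan(lookalike)  # filter hit, cache hit, part 2 mismatch
    r_unrelated = client.scan(unrelated)  # filtered out locally
    return r_malware, r_lookalike, r_unrelated, server.queries


if __name__ == "__main__":
    print(demo())
```

Two server round trips are enough for the whole run: the look-alike is answered from the client cache and cleared by the part 2 check, and the unrelated file never leaves the endpoint. That is the property the slides rely on: the filter decides who talks to the server, the server never sees file contents, and the confirmation step keeps filter false positives from becoming detections.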

Page 57

Smart Scan > Smart Scan Server Standalone

Supported virtual environments

Log on to the web console

Page 58

Smart Scan Servers > Smart Scan Server

Available as an .iso image file

Compatible with:
– VMware™ ESXi Server 3.5 Update 2
– VMware ESX™ Server 3.5 or 3.0
– VMware Server 2.0 or later (also works on previous versions, but not officially supported)

Requires EVT 64-bit Intel virtualization technology

Based on CentOS release 5

Stores the Smart Scan pattern and the Smart Query filter

Page 59

Smart Scan Servers > Logon Web Console

1. Open http://<server_ip>:8080
2. Log on as "admin" (the only account)

Page 60

Web Reputation Services (WRS)

Page 61

WRS Reputation Query Process

TEM supports local SPN + global SPN
– "Proxy mode"
– Client queries SPS first
– If no match in local web-reputation database, query to SPN
– Security levels supported: high, medium, and low

[Diagram: TEM-CP client, local SPN (SPS) and Trend Micro SPN]
1. User web request
2. Query local SPN
3. Forward query to TM SPN if no local match
4. Returned rating from TM SPN
5. Local SPN or TM SPN returns rating

Page 62

WRS Basics

Page 63

WRS Basics

[Diagram: WRS components within the TEM-CP Agent]

Page 64

About Ratings

About credibility scores

URL rating process

Dealing with false positives

Page 65

About Credibility Scores

Score   Description
81      Safe sites
71      Unrated
51      Suspicious
49      Known malicious sites

Page 66

URL Rating Process

Page 67

Score Retrieval

[Diagram: score retrieval path between the TEM-CP Agent and the TEM-CP Client]

Page 68

Score Retrieval

In-memory cache If a site has an existing rating in the cache, then TEM-CP uses this existing rating.

Rating server If the site visited is new, then TEM-CP queries the Trend Micro rating server.

Page 69

Score Evaluation

Page 70

Score Evaluation

[Chart: score scale from 73 down to 68 against the configured threshold value; scores below the threshold are blocked, scores above it are not blocked.]
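Score retrieval (in-memory cache, then local SPS, then the Trend Micro rating server) and score evaluation against a threshold, as described on the preceding slides, worked through in Python. This is an added example, not TEM-CP or Trend Micro code: the credibility scores are the ones listed on the slide, but the rating-source contents, the host-level caching and the thresholds chosen for the high/medium/low levels are assumptions made for illustration.

```python
"""Web Reputation score retrieval and evaluation (added example, not
TEM-CP/Trend Micro code). Rating sources, their contents and the
per-security-level thresholds are assumptions for illustration."""
from typing import Optional
from urllib.parse import urlsplit

# Credibility scores as listed on the slide
SAFE, UNRATED, SUSPICIOUS, MALICIOUS = 81, 71, 51, 49

# Assumption: each security level is a threshold and a site is blocked when
# its score falls below it. The slide only names the three levels.
THRESHOLDS = {"high": 72, "medium": 52, "low": 50}


class RatingSource:
    """Stands in for a local Smart Protection Server or the global SPN."""

    def __init__(self, name: str, ratings: dict):
        self.name, self.ratings, self.queries = name, dict(ratings), 0

    def lookup(self, host: str) -> Optional[int]:
        self.queries += 1
        return self.ratings.get(host)


class WebReputation:
    def __init__(self, local_sps: RatingSource, global_spn: RatingSource, level: str):
        self.local, self.spn = local_sps, global_spn
        self.threshold = THRESHOLDS[level]
        self.cache: dict[str, int] = {}  # in-memory rating cache (per host, assumed)

    def rate(self, url: str) -> tuple[int, str]:
        """Return (score, source) following cache -> local SPS -> global SPN."""
        host = urlsplit(url).hostname
        if not host:
            raise ValueError(f"no host in {url!r}")
        host = host.lower()
        if host in self.cache:
            return self.cache[host], "cache"
        score, source = self.local.lookup(host), self.local.name  # proxy mode
        if score is None:                                        # forward to SPN
            score, source = self.spn.lookup(host), self.spn.name
        if score is None:                                        # nobody knows it
            score, source = UNRATED, "default"
        self.cache[host] = score
        return score, source

    def should_block(self, url: str) -> bool:
        score, _ = self.rate(url)
        return score < self.threshold


def demo() -> tuple:
    """Constructed ratings; at 'medium' suspicious and malicious sites are
    blocked while unrated ones are allowed."""
    local = RatingSource("local SPS", {"intranet.example": SAFE,
                                       "badsite.example": MALICIOUS})
    spn = RatingSource("Trend SPN", {"news.example": SAFE,
                                     "sketchy.example": SUSPICIOUS})
    wrs = WebReputation(local, spn, "medium")
    urls = ["http://intranet.example/", "https://badsite.example/login",
            "http://sketchy.example/dl", "http://brand-new.example/",
            "http://intranet.example/page2"]  # same host: served from cache
    decisions = {u: wrs.should_block(u) for u in urls}
    return decisions, local.queries, spn.queries


if __name__ == "__main__":
    for url, blocked in demo()[0].items():
        print("BLOCK" if blocked else "ALLOW", url)
```

The fourth URL shows the failure mode worth thinking about: a site neither server knows defaults to the unrated score of 71, so it is allowed at "medium" and "low" and blocked only at "high". Whichever way that default goes is a policy decision, and the cache means a rating, right or wrong, is reused for every later request to that host until the cache is flushed.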

Page 71

Behavior Monitoring

Page 72

Behavior Monitoring

BM and SP are integrated in the AEGIS common module.

Behavior Monitor – Configure 13 events for different policies, including new service, new startup program, etc. On an event, TEM-CP acts based on the policy you set.

Self Protection – The TEM-CP client protects its services, processes, and the other resources it requires to function.

Page 73

Behavior Monitoring

Configure related settings or retrieve logs via fixlet

Page 74

Behavior Monitoring

Page 75

Behavior Monitoring

Page 76

VDI

Page 77

VDI Support

Enhancement in client
– White listing: optimizes scans on virtual desktops

New in architecture
– VDI component
– VM awareness: supports VMware/Citrix

Page 78

White Listing

Generate a White List, or clean-file list, based on a common virtual-desktop template (golden image).

Creation process of templates: Create VM → Install OS & IBM Agent → Install TEM-CP 10.6 → Create White List → Convert to template

Page 79

White Listing

Optimize scans: for VMs derived from a common template (golden image), scanning can be optimized.

Scan process of VMs: Enumerate files → Get file property and calculate fingerprint → Find in white list → HIT: scan complete for that file / Not HIT: scan the file
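The two procedures above (Create White List from the golden image, then the per-VM scan that skips white-list hits) as one runnable Python example. This is an added example, not TEM-CP code: the fingerprint (file size plus SHA-256 of the content), the directory trees built in a temporary folder and the toy marker-string "scanner" are assumptions constructed for the demonstration.

```python
"""Golden-image white list and white-list-aware scan (added example, not
TEM-CP code). Fingerprint = size + SHA-256 of content; directory trees and
the toy scanner are constructed for illustration."""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable


def fingerprint(path: Path) -> str:
    """Content-based fingerprint. Size or mtime alone would let a swapped-in
    file inherit the white-list entry of the original, so hash the bytes."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return f"{path.stat().st_size}:{digest.hexdigest()}"


def build_white_list(golden_root: Path) -> set[str]:
    """'Create White List' step: fingerprint every file in the template."""
    return {fingerprint(p) for p in golden_root.rglob("*") if p.is_file()}


def scan_vm(vm_root: Path, white_list: set[str],
            scanner: Callable[[bytes], bool]) -> tuple[int, int, list[str]]:
    """Scan process of VMs: enumerate, fingerprint, HIT -> skip, else scan."""
    skipped, scanned, detections = 0, 0, []
    for path in sorted(p for p in vm_root.rglob("*") if p.is_file()):
        if fingerprint(path) in white_list:
            skipped += 1
            continue
        scanned += 1
        if scanner(path.read_bytes()):
            detections.append(path.name)
    return skipped, scanned, detections


def _populate(root: Path, files: dict[str, bytes]) -> None:
    for rel, data in files.items():
        target = root.joinpath(*rel.split("/"))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> tuple[int, int, list[str]]:
    """Constructed golden image and one clone that drifted: one file patched,
    one new file carrying a marker the toy scanner treats as malicious."""
    template = {
        "Windows/System32/kernel32.dll": b"A" * 4096,
        "Windows/notepad.exe": b"C" * 1024,
        "Program Files/app/app.exe": b"B" * 2048,
    }
    with tempfile.TemporaryDirectory() as tmp:
        golden, clone = Path(tmp, "golden"), Path(tmp, "vm1")
        _populate(golden, template)
        _populate(clone, template)
        _populate(clone, {
            "Program Files/app/app.exe": b"B" * 2048 + b"patched",  # no longer a HIT
            "Users/alice/dropper.exe": b"MALWARE-MARKER dropped after cloning",
        })
        white_list = build_white_list(golden)
        return scan_vm(clone, white_list, lambda data: b"MALWARE-MARKER" in data)


if __name__ == "__main__":
    print(demo())  # (2, 2, ['dropper.exe'])
```

Only the two files that still match the template are skipped; the patched binary and the new dropper are scanned. The white list is a performance optimisation, not a trust anchor, so the fingerprint has to cover the content: anything weaker turns the list into a bypass for files written after the template was sealed.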

Page 80

VM Awareness

Concept – Only x number of guest VMs may run on-demand scans and updates simultaneously.

Customer value
– Prevents multiple I/O- and CPU-intensive tasks running at once
– Saves resources in the VDI environment

Page 81

VM Awareness – Approach

TEM-CP client – If TEM-CP is running in a VM, check whether any VMs on the same hardware are scanning or updating.

VDI component
– Get VM mapping from VDI
– Allow/deny the TEM-CP client's request
– Update the VM status with TEM-CP clients (re. scan and update)
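The allow/deny logic of the VDI component, as an added Python example (not the Trend VDI Component): clients ask before a scan or update, the component looks up which host the VM runs on and grants at most a fixed number of slots per host. The VM-to-host mapping is hard-coded here where the real component would fetch it from the VDI server, and the limit of two is an assumption.

```python
"""Per-host throttling of concurrent scans/updates, as a VDI component would
do it (added example, not the Trend VDI Component). VM-to-host mapping and
the limit are assumptions; the real component gets the mapping from the
VDI server."""
from typing import Optional


class VDIComponent:
    def __init__(self, vm_to_host: dict[str, str], max_concurrent: int = 2):
        self.vm_to_host = dict(vm_to_host)      # VM mapping from the VDI server
        self.max_concurrent = max_concurrent
        self.active: dict[str, set[str]] = {}   # host -> VMs scanning/updating

    def host_of(self, vm: str) -> Optional[str]:
        return self.vm_to_host.get(vm)

    def request(self, vm: str) -> bool:
        """TEM-CP client asks before an on-demand scan or update starts."""
        host = self.host_of(vm)
        if host is None:
            return True     # unknown to the VDI server: not a guest, no throttling
        busy = self.active.setdefault(host, set())
        if vm in busy:
            return True     # already holds a slot (e.g. a repeated request)
        if len(busy) >= self.max_concurrent:
            return False    # host saturated: the client must retry later
        busy.add(vm)
        return True

    def release(self, vm: str) -> None:
        """Client reports the scan/update finished; frees its slot on the host."""
        host = self.host_of(vm)
        if host is not None:
            self.active.get(host, set()).discard(vm)

    def status(self, host: str) -> list[str]:
        return sorted(self.active.get(host, ()))


def demo() -> tuple[list[bool], bool, list[str]]:
    """Three guests on esx01, one on esx02, two slots per host."""
    vdi = VDIComponent({"vm-a": "esx01", "vm-b": "esx01", "vm-c": "esx01",
                        "vm-d": "esx02"}, max_concurrent=2)
    first_round = [vdi.request(vm) for vm in ("vm-a", "vm-b", "vm-c", "vm-d")]
    vdi.release("vm-a")           # vm-a finishes, a slot opens on esx01
    retry = vdi.request("vm-c")   # vm-c's retry now succeeds
    return first_round, retry, vdi.status("esx01")


if __name__ == "__main__":
    print(demo())  # ([True, True, False, True], True, ['vm-b', 'vm-c'])
```

Two design points follow from the code: a denied client has to retry rather than give up, or the throttled VM simply never gets scanned, and a slot that is never released (client crashed mid-scan) would block the host forever, so a production component needs a lease or timeout on each slot.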

Page 82

VDI Server – Vendors

[Diagram: VMware VDI Server (vCenter managing ESX Servers) and Citrix VDI Server (Xen Server); every guest VM runs a Trend Client and an IBM Agent]


VM Awareness – Interaction: Integrate with IBM Relay (diagram)

Components shown: a BigFix Relay; the Trend VDI Component with its VDI I/O Operation Manager (Daemon) and VDIInfo; ESX Server and Xen Server hosts whose VMs each run a Trend Client and a BigFix Agent; the VDI management interfaces (vCenter SOAP, XML-RPC).

Flows labelled in the diagram: Download Plug-in, HTTP Accessible Filesystem, I/O Operation Request, Request, Response, I/O Operation, I/O Operation Status, Task.


Outline of AutoUpdate Steps in TEM-CP

1. Run the CPM Automatic Update Setup script to create the CPM operator and custom update site.

2. Run the Core Protection Module - Enable Automatic Updates – Server fixlet as a one-time action targeting the ESP server.

3. Run the Core Protection Module - Enable Automatic Updates – Endpoint fixlet as a policy targeting any endpoints that should have automatic updates enabled.

4. Run the Core Protection Module - Set ActiveUpdate Server Pattern Update Interval task as a policy targeting the ESP server, running every hour with retry-on-failure settings enabled.

5. Run the Core Protection Module – Apply Automatic Updates fixlet as a policy targeting any endpoints that should automatically apply updates, with retry-on-failure settings enabled.


The TEM-CP Automatic Update Setup Script

Creates a custom TEM-CP automatic update site called CustomSite_FileOnlyCustomSite_CPMAutoUpdate
– This custom site hosts a manifest file that contains information about all of the pattern files that are available on the TEM-CP server. When automatic updates are enabled on an endpoint, it subscribes itself to this site and uses the manifest file to determine whether or not it needs to update its pattern files or scan engine.

Creates a custom TEM-CP operator account
– In order to download files from the Trend Micro ActiveUpdate servers and propagate them to the custom site, an operator account is required. This account only has write privileges on the custom TEM-CP update site. Its sole purpose is for propagating files to the site. The credentials for this user are, by default, stored in the <TrendMirrorScript Folder>\Credentials folder.

Authorizes the custom TEM-CP operator to propagate files to the custom TEM-CP update site
– The script generates a certificate that authorizes the operator to propagate the updates. The certificate is stored as <TEM-CP Server Folder>\FileOnlyCustomSiteAuthorization_CPMAutoUpdate.


The TEM-CP Automatic Update Setup Script

Make sure you use the license.pvk file and the site admin password.


Enable Automatic Updates - Server

Relevant when:
– Windows 2000 SP3 or later is installed
– The TEM-CP agent is version 7.2 or later
– The Core Protection Module server components are installed
– The PropagateManifest value in the registry is not set to 1

What it does:
– Sets the PropagateManifest value under HKLM\SOFTWARE\BigFix\CPM\server to 1

Only needs to run once


Enable Automatic Updates - Endpoint

Relevant when:
– Windows 2000 SP3 or later is installed
– The TEM-CP agent is version 7.2 or later
– The Core Protection Module client components are installed
– The EnableAutoUpdate value in the registry is not set to 1

What it does:
– Sets the EnableAutoUpdate value under HKLM\SOFTWARE\BigFix\CPM\client to 1
– Subscribes the endpoint to the CustomSite_FileOnlyCustomSite_CPMAutoUpdate site

Make it a policy


Set ActiveUpdate Server Pattern Update Interval

Relevant when:
– Windows 2000 SP3 or later is installed
– The TEM-CP agent is version 7.2 or later
– The Core Protection Module server components are installed
– The TrendMirrorScript folder and executable are installed (installed from the TEM-CP Automatic Update Script)

What it does:
– Runs TMCPMAuHelper to check if there are updates available from the Trend Micro ActiveUpdate servers
– If updates are available, downloads them to the TEM-CP server
– Runs TrendMirrorScript to propagate the new files to the CustomSite_FileOnlyCustomSite_CPMAutoUpdate site

Make it a policy


Apply Automatic Updates

Relevant when:
– Windows 2000 SP3 or later is installed
– The TEM-CP agent is version 7.2 or later
– The Core Protection Module 1 client components are installed
– The EnableAutoUpdate value in the registry is set to 1
– The endpoint is not in a rollback state
– The Core Protection Module version is 1.5 or later
– New pattern files or a new scan engine is available in the custom TEM-CP update site

What it does:
– Calls TMCPMAuUpdater to download the necessary pattern files from the TEM-CP server
– Moves the files into an appropriate directory structure for updating
– Calls TMCPMAuUpdater to apply the updates that were downloaded
– Sets the AverageUpdateTime, LastPatternUpdate, LastUpdateVersion, and UpdateCount values under the HKLM\SOFTWARE\BigFix\CPM\client registry key, which are all used for reporting purposes
– Checks to see if a driver was updated and requires a system reboot

Make it a policy

Set ActiveUpdate Server Pattern Update Interval must run at least once


Understanding the Automatic Update Process

Flow of the automatic update process (flowchart):

1. The Set ActiveUpdate Server Pattern Update Interval task starts on the ESP server.
2. Are updated patterns and/or engines available from the Trend Micro ActiveUpdate servers?
   – No: the task completes on the ESP server and the update process is complete.
   – Yes: download the updates from Trend Micro using TMCPMAuHelper, then run TrendMirrorScript to propagate the updated patterns and/or engines to the custom ESP site. The task completes on the ESP server.
3. The Apply Automatic Updates task starts on the endpoint(s).
4. Is the endpoint in a rollback state?
   – Yes: nothing is applied; the update process is complete for that endpoint.
   – No: call TMCPMAuUpdater to download the patterns and/or engines from the ESP server, then use TMCPMAuUpdater to apply the updates to the endpoint and update the time statistics for reports.
5. Was a driver that requires a reboot updated?
   – Yes: trigger the Core Protection Module – Restart Needed fixlet.
   – No: continue.
6. The Apply Automatic Updates task completes on the endpoint(s).


Set ActiveUpdate Server Update Pattern Interval Overview

This is the first stage of the update process. The Set ActiveUpdate Server Update Pattern Interval task is configured to run periodically to check the Trend Micro ActiveUpdate servers for new pattern files and scan engines and then download them if they are available. It will then assemble the files and propagate them into a new custom site. Once this new custom site has been created and the files have been propagated, the Apply Automatic Updates task will become relevant on clients that have automatic updates enabled.


TMCPMAuHelper: Check for Updated Patterns/Engines

The first thing that the Set ActiveUpdate Server Update Pattern Interval task does is launch the TMCPMAuHelper tool.

The <TEM-CP Server Folder>\download\server.ini file contains version information for the pattern files and scan engines that have been downloaded and made available on the TEM-CP server. By comparing the local server.ini file with a similar file on the Trend Micro ActiveUpdate servers, TMCPMAuHelper is first able to determine whether or not a new update is available.

If there are no new pattern files available from the Trend Micro ActiveUpdate servers, the entire task completes without doing anything further. If, however, there are updates available, it will continue to the next step.


TMCPMAuHelper: Download Updates

When updates are available, TMCPMAuHelper will download them into several temporary folders under the <TEM-CP Server Folder>\bin\AU_Data folder. Once the download has completed, incremental update patterns are built and then the entire set of files is copied to the <TEM-CP Server Folder>\download folder. As previously mentioned, subsequent executions of TMCPMAuHelper use the information in this folder to determine if new updates are available.

Finally, the files are then assembled into the <TEM-CP Server Folder>\Components folder so that they can be transferred into a custom site by the TrendMirrorScript.


TrendMirrorScript: Propagate the Updates to Site

The next step in the task is for TrendMirrorScript to run. This tool is responsible for actually making the updates available to the endpoints. Because every set of updates is unique, a new revision of the CustomSite_FileOnlyCustomSite_CPMAutoUpdate Site is created each time a new set is downloaded. When the new revision is made available to the endpoints, an update is automatically triggered by the Apply Automatic Updates task.

TrendMirrorScript first takes the contents of the <TEM-CP Server Folder>\Components folder and moves them into the <TEM-CP Server Folder>\wwwrootbes\cpm\patterns\YYYYMMDD_hhmmss folder, where YYYYMMDD_hhmmss is a timestamp corresponding to the date updates were downloaded.

Once the pattern files have been moved, several files in the <TrendMirrorScript Folder>\propagation folder are updated with the latest file information.


TrendMirrorScript: Propagate the Updates to Site

Finally, TrendMirrorScript executes PropagateFiles.exe, which propagates the files to the custom site using the propagation credentials specified when configuring automatic updates. A new revision of the CustomSite_FileOnlyCustomSite_CPMAutoUpdate Site is created in the <TEM-CP Server Folder>\wwwrootbes\bfsites\CustomSite_FilesOnlyCustomSite_CPMAutoUpdate_X folder, where X is the new revision number.

The folder will contain 3 files of importance:
– filelist_srv.txt -- This is referenced in the Apply Automatic Updates task to determine whether or not the client has out-of-date pattern files
– server.ini -- This is used by the TEM-CP client updater for determining what updates need to be applied (eg: incremental updates)
– manifest.ini -- This file contains metadata about the pattern set

Once all of these steps have completed, the Set ActiveUpdate Server Update Pattern Interval task is complete.


Apply Automatic Updates Overview

Once the pattern files have been updated on the server and propagated to the CustomSite_FileOnlyCustomSite_CPMAutoUpdate Site, the Apply Automatic Updates Task will become relevant on any endpoint with outdated pattern files or an outdated scan engine that has automatic updates enabled. The task will then download the pattern files and/or scan engine and apply it on the endpoint.


Is the Endpoint in a Rollback State?

If a rollback task has been executed on an endpoint and the Core Protection Module - Clear Rollback Flag task has not been subsequently run, the endpoint is considered to be in a rollback state.

In order to prevent an update that may be causing problems in your environment from automatically re-deploying, the Apply Automatic Updates task will not become relevant on the endpoint until the Core Protection Module - Clear Rollback Flag has been executed on it.


TMCPMAuUpdater: Download/Apply Patterns to Client

The first step taken by the Apply Automatic Updates Task is to use TMCPMAuUpdater to download the pattern files and/or scan engine from the TEM-CP server using the standard TEM-CP relay architecture.

The pattern files are initially downloaded into the <TEM-CP Client Folder>\__BESData\actionsite\__Download folder and are then moved into appropriate subfolders. Incremental updates are downloaded wherever possible to keep the update size small.

Once the pattern files have been downloaded, TMCPMAuUpdater is then called a second time to apply the updates to the endpoint.


Update Statistics for Reporting

The Time to Protection report in the TEM-CP Dashboard provides reporting on the average amount of time it takes endpoints to receive and apply updates. In order to gather this information, the Apply Automatic Updates task writes update statistics to the registry. This information is then gathered through an analysis on the server and used for reporting.


Trigger a Reboot (if needed)

The final step taken of the Apply Automatic Updates Task is to determine if a reboot is required in order to update a particular driver used by TEM-CP. If the driver requires a reboot, the task will trigger the Core Protection Module - Restart Needed fixlet so that it becomes relevant on the endpoint.


Troubleshooting the Automatic Update Process

Manual Steps for TEM-CP Automatic Update Script

Verifying Custom Site and Operator creation

Re-Running the Setup Script

Verifying Automatic Updates are enabled on the server

Verify Set ActiveUpdate Server Pattern Update Interval is running

Verify Automatic Updates are enabled on the client

Verify the client is not in a rollback state

Verify updates are being downloaded on the client

Enabling Debug Mode for the server

Enabling Debug Mode for the client


Manual Steps for TEM-CP Automatic Updates Script

1. Open the TEM-CP Administration Tool and click the Add User button.
   a. Enter cpm_admin for the Username. You can choose another username if desired, but cpm_admin is the recommended username. Note: The Automatic Update Setup Script will create a user with additional characters (the date the original user was created and some additional characters) at the end of the user name.
   b. Enter an e-mail address for the user. This address is only used in the public key certificate for the user, so it does not need to be a legitimate e-mail address.
   c. Enter and verify a password for the user.
   d. Uncheck "Give this user the ability to administer management rights".
   e. Select "Do not show this user any unmanaged assets".
   f. Select "Show this user only their own actions and action results".
   g. Click OK.
   h. Make a note of the location where the credentials are being saved and click OK.
   i. Enter the site admin password and click OK.
   j. Click OK to close the window.
   k. Click Yes to propagate the action site.
   l. Enter the site admin password and click OK.


Manual Steps for TEM-CP Automatic Updates Script

2. Open Registry Editor and navigate to HKLM\SOFTWARE\BigFix\CPM\server.

3. Add a new string value called PropagationUser and set it to the username you used in step 1a.

4. Add a new string value called PropagationPassword and set it to the password you used in step 1c.

5. Add a new string value called CredentialsPVK and set it to <TrendMirrorScript Folder>\Credentials\publisher.pvk replacing <TrendMirrorScript Folder> with the appropriate path.

6. Copy the publisher.pvk and publisher.crt files from the credentials folder noted in step 1g to the <TrendMirrorScript Folder>\Credentials folder.

7. Locate the license.pvk file on the TEM-CP server.


Manual Steps for TEM-CP Automatic Updates Script

8. Open a Command Prompt and run the following command from the <TrendMirrorScript Folder>:

PropagateFiles.exe CreateFileOnlyCustomSiteUserAuthorization "<path to license.pvk>" "<site admin password>" bes_bfenterprise "<username from step 1a>" "<password from step 1g>" FileOnlyCustomSite_CPMAutoUpdate

Be sure to replace the following parameters, leaving the quotation marks (") around each:
• <path to license.pvk> -- The full path to the private key for the site admin account
• <site admin password> -- The password for the site admin account; this is the same password you use when opening the TEM-CP Administration Tool
• <username from step 1a> -- The username you previously created
• <password from step 1g> -- The password for the username you created


Verifying Custom Site and Operator Creation

Verify that the following keys exist under the HKLM\SOFTWARE\BigFix\CPM\server key in the registry:

Key                  Type    Value
CredentialsPVK       REG_SZ  <TrendMirrorScript Folder>\Credentials\publisher.pvk
ManifestSiteName     REG_SZ  FileOnlyCustomSite_CPMAutoUpdate
PropagationDSN       REG_SZ  bes_bfenterprise
PropagationPassword  REG_SZ  The password for the TEM-CP operator account created for propagating files
PropagationUser      REG_SZ  The username of the TEM-CP operator account created for propagating files; the default account name is cpm_admin_XXXXX, where XXXXX is the date the account was created and some additional characters. Verify this account exists in the TEM-CP Administration Tool.


Verifying Custom Site and Operator Creation

Verify that the operator account has been created correctly
– Open the TEM-CP Administration Tool and log in using the site admin password.
– Make sure that the operator account (cpm_admin_XXXXX by default) exists.
– Close the TEM-CP Administration Tool.

Verify that publisher.pvk and publisher.crt exist in the <TrendMirrorScript Folder>\Credentials folder.

Verify that the FilesOnlyCustomSiteAuthorization_CPMAutoUpdate file exists in the <TEM-CP Server Folder>.


Re-Running the Setup Script

If you wish to re-run the script in order to try creating the TEM-CP operator account and/or the custom site again, you should perform the following steps beforehand:
1. Open the TEM-CP Administration Tool and remove the operator account (cpm_admin_XXXXX by default).
2. Remove the following files and folders:
   • Folder where the TEM-CP Administration Tool stored the credentials of the operator account (usually C:\Documents and Settings\<Windows login>\My Documents\BESCredentials\<operator account>)
   • <TrendMirrorScript Folder>\Credentials folder
   • <TEM-CP Server Folder>\FileOnlyCustomSiteAuthorization_CPMAutoUpdate file
3. Remove the following registry keys from HKLM\SOFTWARE\BigFix\CPM\server:
   • CredentialsPVK
   • ManifestSiteName
   • PropagationDSN
   • PropagationPassword
   • PropagationUser

You should now be able to re-run the script.


Verifying Automatic Updates are enabled on the server

No updates will ever propagate if automatic updates are not properly enabled on the server. Make sure that the PropagateManifest value under the HKLM\SOFTWARE\BigFix\CPM\server key in the registry is set to 1. If it is not, change the value to 1.


Verify Set ActiveUpdate Server Pattern Update Interval is running

The Set ActiveUpdate Server Pattern Update Interval task is responsible for downloading new pattern files from the Trend Micro ActiveUpdate servers. If this task is not running or is not properly completing, endpoints may not properly update.

1. Make sure that the task is set up properly as a policy in TEM-CP. If you are unsure on how this should be configured, refer to the Run the "Set ActiveUpdate Server Pattern Update Interval" Task section in this document.


Verify Set ActiveUpdate Server Pattern Update Interval is running

2. Make sure the <TEM-CP Server Folder>\download folder exists and contains the latest engine and pattern files.
   a. If there are no files in the folder or the files are out of date, it may indicate either that the task is not running or that there is a problem downloading the files from Trend Micro.

b. If a web gateway appliance is sitting between the TEM-CP server and the Internet, make sure it is not blocking access to the Trend Micro ActiveUpdate Servers. You may need to whitelist http://esp-p.activeupdate.trendmicro.com/activeupdate to allow access.

   c. Check the LatestExitCode value under the HKLM\SOFTWARE\TrendMicro\CPMsrv key in the registry. If the value is 3, it means that TMCPMAuHelper ran but did not find any newer patterns on the Trend Micro ActiveUpdate servers. If the value is set to 0, it means that new patterns were successfully downloaded. If it is set to any other code, there was an error checking for updates.

d. Check the <TEM-CP Server Folder>\bin\AU_Data\AU_Log\TmuDump.txt file for additional information on potential issues with the downloads. You can also enable debugging for this log. These steps are outlined below in the Enabling Debugging for Update Logs section.


Verify Set ActiveUpdate Server Pattern Update Interval is running

3. Verify the <TEM-CP Server Folder>\Components folder is empty. If the folder is not empty, it means that the TrendMirrorScript may not have executed properly and will need to be run manually (see below).

4. Verify a new folder with a recent timestamp has been created under the <TEM-CP Server Folder>\wwwrootbes\cpm\patterns folder. You should see folders named YYYYMMDD_hhmmss, which is a time stamp indicating when the pattern files were downloaded. If a recent folder does not exist, TrendMirrorScript may not have executed properly and will need to be run manually (see below).


Verify Set ActiveUpdate Server Pattern Update Interval is running

5. Verify a new folder named CustomSite_FilesOnlyCustomSite_CPMAutoUpdate_X with a recent timestamp has been created under the <TEM-CP Server Folder>\wwwrootbes\bfsites folder. X will be a number indicating the "revision" of the site. If there is no folder with roughly the same timestamp as when the patterns were updated, it most likely means that PropagateFiles.exe, which is launched by TrendMirrorScript, failed to propagate the appropriate files to the site. The most likely cause is an operator account/password mismatch issue. Verify that the propagation username and password are correct and re-run TrendMirrorScript (see below).

6. Cross-check the manifest file in the most recent folder identified in step 5 with the pattern set cache on the TEM-CP server to make sure they match.
   a. Open the manifest.ini file in the folder identified in step 5.
   b. Find the line beginning with version= and make a note of the value. This should be a timestamp in the form YYYYMMDD_hhmmss.
   c. This value should match the most recent folder in the <TEM-CP Server Folder>\wwwrootbes\cpm\patterns folder.
   d. If the two are out of sync, you should run the TrendMirrorScript manually (see below).


Verify Set ActiveUpdate Server Pattern Update Interval is running

7. If the TrendMirrorScript did not execute, you can try running the command manually from the <TrendMirrorScript Folder>. It does not take any arguments.

8. TrendMirrorScript writes logging information to a file whose name matches the current day (YYMMDD.log) inside the <TrendMirrorScript Folder>\logs folder.
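The server-side checks in steps 2c, 3, 4, 5 and 6 above, as an added Python health check (not an IBM or Trend Micro tool). It assumes the folder layout and the manifest.ini version= line described in this section, and takes the LatestExitCode registry value as an argument instead of reading the registry itself; the sample server folders it builds are constructed for the demonstration.

```python
# Added example, not IBM/Trend Micro tooling: offline checks for the server-side update
# pipeline. Assumptions: LatestExitCode is read from the registry out of band and passed
# in; only the folder layout and the manifest.ini 'version=' line named here are used.
import os
import re
import shutil
import tempfile
from typing import List, Optional

TIMESTAMP_RE = re.compile(r"^\d{8}_\d{6}$")  # YYYYMMDD_hhmmss pattern-set folders
SITE_RE = re.compile(r"^CustomSite_FilesOnlyCustomSite_CPMAutoUpdate_(\d+)$")


def interpret_latest_exit_code(code: int) -> str:
    """Meaning of HKLM\\SOFTWARE\\TrendMicro\\CPMsrv\\LatestExitCode (step 2c)."""
    if code == 0:
        return "new patterns were successfully downloaded"
    if code == 3:
        return "TMCPMAuHelper ran but found no newer patterns"
    return f"error checking for updates (exit code {code})"


def latest_pattern_folder(patterns_dir: str) -> Optional[str]:
    """Newest YYYYMMDD_hhmmss folder under wwwrootbes\\cpm\\patterns (step 4)."""
    stamps = [d for d in os.listdir(patterns_dir)
              if TIMESTAMP_RE.match(d) and os.path.isdir(os.path.join(patterns_dir, d))]
    return max(stamps) if stamps else None  # lexical order equals chronological order


def latest_site_revision(bfsites_dir: str) -> Optional[str]:
    """Highest revision X of the custom update site under wwwrootbes\\bfsites (step 5)."""
    revisions = [(int(m.group(1)), d) for d in os.listdir(bfsites_dir)
                 for m in [SITE_RE.match(d)] if m]
    return max(revisions)[1] if revisions else None


def manifest_version(manifest_path: str) -> Optional[str]:
    """Value of the 'version=' line in manifest.ini (step 6b)."""
    with open(manifest_path, encoding="utf-8", errors="replace") as f:
        for line in f:
            key, sep, value = line.strip().partition("=")
            if sep and key.strip().lower() == "version":
                return value.strip()
    return None


def check_server_update_state(server_folder: str, latest_exit_code: int) -> List[str]:
    """Run steps 2c to 6 and return findings; an empty list means all checks passed."""
    findings: List[str] = []
    if latest_exit_code not in (0, 3):
        findings.append("step 2c: " + interpret_latest_exit_code(latest_exit_code))
    components = os.path.join(server_folder, "Components")
    if os.path.isdir(components) and os.listdir(components):
        findings.append("step 3: Components folder is not empty; TrendMirrorScript "
                        "may not have run")
    patterns_dir = os.path.join(server_folder, "wwwrootbes", "cpm", "patterns")
    newest = latest_pattern_folder(patterns_dir) if os.path.isdir(patterns_dir) else None
    if newest is None:
        findings.append("step 4: no YYYYMMDD_hhmmss folder under wwwrootbes\\cpm\\patterns")
    bfsites = os.path.join(server_folder, "wwwrootbes", "bfsites")
    site = latest_site_revision(bfsites) if os.path.isdir(bfsites) else None
    if site is None:
        findings.append("step 5: no CustomSite_FilesOnlyCustomSite_CPMAutoUpdate_X "
                        "folder; check the propagation credentials")
    elif newest is not None:
        manifest = os.path.join(bfsites, site, "manifest.ini")
        version = manifest_version(manifest) if os.path.isfile(manifest) else None
        if version != newest:
            findings.append(f"step 6: manifest version {version!r} does not match the "
                            f"newest pattern folder {newest!r}; run TrendMirrorScript")
    return findings


def _make_server_folder(root: str, manifest_stamp: str) -> None:
    """Constructed TEM-CP server folder: two pattern sets, one site revision."""
    for stamp in ("20120110_090000", "20120112_143000"):
        os.makedirs(os.path.join(root, "wwwrootbes", "cpm", "patterns", stamp))
    os.makedirs(os.path.join(root, "Components"))  # empty, as after a successful run
    site = os.path.join(root, "wwwrootbes", "bfsites",
                        "CustomSite_FilesOnlyCustomSite_CPMAutoUpdate_3")
    os.makedirs(site)
    with open(os.path.join(site, "manifest.ini"), "w", encoding="utf-8") as f:
        f.write(f"version={manifest_stamp}\n")  # only the line this section names


def demo() -> dict:
    """Three constructed scenarios: healthy, stale manifest, failed download."""
    work = tempfile.mkdtemp()
    try:
        healthy = os.path.join(work, "healthy")
        _make_server_folder(healthy, "20120112_143000")
        stale = os.path.join(work, "stale")
        _make_server_folder(stale, "20120110_090000")
        return {
            "healthy": check_server_update_state(healthy, latest_exit_code=3),
            "stale_manifest": check_server_update_state(stale, latest_exit_code=0),
            "failed_download": check_server_update_state(healthy, latest_exit_code=7),
        }
    finally:
        shutil.rmtree(work)
```

On a real server, point check_server_update_state at the TEM-CP Server Folder and pass the LatestExitCode value read from the registry; each finding names the troubleshooting step it corresponds to.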


Verify Automatic Updates Are Enabled on the Client

No updates will ever be downloaded and applied on the client if automatic updates are not properly enabled. Make sure that the EnableAutoUpdate value under the HKLM\SOFTWARE\BigFix\CPM\client key in the registry is set to 1. If it is not, change the value to 1.

You should also check to make sure the <TEM-CP Client Folder>\__BESData\CustomSite_FileOnlyCustomSite_CPMAutoUpdate folder exists. When the client has successfully subscribed to the custom CPM update site, this folder will be present. You may need to wait until at least one Set ActiveUpdate Server Pattern Update Interval task completes on the TEM-CP server before this folder appears on the client. Once the folder appears, the key files that should exist inside this folder are filelist_srv.txt, server.ini, and manifest.ini.

If this folder does not exist and a significant amount of time (> 1 hour) has passed since a Set ActiveUpdate Server Pattern Update Interval task completed, you can run the Disable Automatic Updates - Endpoint task on the client followed by the Enable Automatic Updates - Endpoint task. This will re-subscribe the client to the custom TEM-CP update site.


Verify the Client is not in a rollback state

Pattern files will not deploy to an endpoint that has had a pattern rollback task run on it without subsequently having the Clear Rollback Flag task run. The Clear Rollback Flag task should be relevant for the endpoint if this is the case. Simply run the task targeting the client that is in the rollback state.


Verify Updates are Being Downloaded on Clients

If the Apply Automatic Updates task becomes relevant and executes on a client but the pattern files are still out-of-date when it completes, there may be a problem with the client downloading the pattern files from the TEM-CP server and/or applying them on the local system.

Check the <TEM-CP Client Folder>\bin\AU_Data\AU_Log\TmuDump.txt log file to see if it contains any errors. This file logs information when the client is downloading updates from the TEM-CP server.

Check the <TEM-CP Client Folder>\AU_Data\AU_Log\TmuDump.txt log file to see if it contains any errors. This file logs information when the client applies the updates on the system.


Enabling Debug Mode for the Server

To enable the logging of additional information in the <TEM-CP Server Folder>\bin\AU_Data\AU_Log\TmuDump.txt file on the TEM-CP server, do the following:
1. Open the file <TEM-CP Server Folder>\Bin\aucfg.ini in Notepad.
2. Find the section labeled [debug].
3. Make sure the value level is set to -1 (eg: level=-1) in that section.
4. Save the file.


Enabling Debug Mode for the Client

To enable the logging of additional information in the <TEM-CP Client Folder>\bin\AU_Data\AU_Log\TmuDump.txt file on the TEM-CP client, do the following:
1. Open the file <TEM-CP Client Folder>\Bin\aucfg.ini in Notepad.
2. Find the section labeled [debug].
3. Make sure the value level is set to -1 (eg: level=-1) in that section.
4. Save the file.

To enable the logging of additional information in the <TEM-CP Client Folder>\AU_Data\AU_Log\TmuDump.txt file on the TEM-CP client, do the following:
1. Open the file <TEM-CP Client Folder>\aucfg.ini in Notepad.
2. Add the following lines:
   [debug]
   level=-1
   log_mode=2
   html=0
3. Save the file.



To enable the logging of additional information to the C:\ofcdebug.log file on the TEM-CP client, do the following:
1. Open a new file in Notepad.
2. Add the following lines:
   [debug]
   DebugLog=C:\ofcdebug.log
   Debuglevel=9
   Debuglevel_new=D
3. Save the file as <TEM-CP Client Folder>\ofcdebug.ini.


Contacting Support for Assistance

If you are still having issues, you can contact the Trend Micro Support Team for additional assistance. Trend Micro Support will ask you to retrieve and send them the following log files:

From the TEM-CP Server:
– <TEM-CP Server Folder>\bin\AU_Data\AU_Log\TmuDump.txt
– <TrendMirrorScript Folder>\logs\*.log
– <TEM-CP Server Folder>\wwwrootbes\cpm\patterns\*\server_bf_*.ini

From the TEM-CP Client:
– <TEM-CP Client Folder>\bin\AU_Data\AU_Log\TmuDump.txt
– <TEM-CP Client Folder>\AU_Data\AU_Log\TmuDump.txt
– C:\ofcdebug.log (if you have debugging enabled)
– <TEM-CP Client Folder>\__BESData\__Global\Logs\*.log

Page 123

Reference Materials

TrendEdge Website: http://trendedge.trendmicro.com

TEM-CP Automatic Updates: http://support.bigfix.com/cpm/cpm_update.html

Running the TEM-CP Automatic Update Setup script: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=824

TEM-CP Automatic Updates - Manual Setup Process: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=825

Troubleshooting the Core Protection Module Automatic Update Process: http://support.bigfix.com/cpm/cpm_autoupdate.html

BigFix Session Relevance Editor: http://support.bigfix.com/labs/relevanceeditor.html

Page 125

Basic Troubleshooting

Page 126

Troubleshooting

What do you do if you lost your private key (license.pvk) file?

If you lose your site credential files or password, then no one – not even IBM – can recover your keys or your password. You will need to reinstall the entire system, including all the TEM-CP/TEM clients, with a freshly generated key.

Page 127

Troubleshooting

What should I do if the installation is unsuccessful?

1. Take a screen capture of the error.

2. Download another set of installation files.

3. Open regedit and, under HKLM\Software\IBM, create a String value (REG_SZ) "ScriptLoggingPath" = "c:\installer".

4. You can change the path of the value without any problems; just make sure the directory exists before running the installation generator. In this example, the debug files will be created under the c:\installer folder.

5. Run the installation again.

Page 128

Troubleshooting

How do you trigger the installation of TEM-CP agent on remote machines?

– Use the TEM Installer and select Install TEM Components > Install TEM Clients > Install Locally, which installs the client on your local machine in the directory you specify.

– Select Install Remotely, which triggers the TEM Client Deploy Tool.

– Manually copy the C:\TEMInstallers\Client folder from the TEM installation computer to the local hard drive and run setup.exe.

– Use c:\TEMInstallers\ClientMSI\TEMClientMSI.msi with a login script, GPO or another software distribution tool.

Page 129

Troubleshooting

What information is needed if the installation fails?

If installation fails or other issues are found on the TEM-CP client, please download IBM Client Diagnostics from http://support.IBM.com/TEM/install/downloadutility.html and run it on the client. Send the collected zip file.

Page 130

Troubleshooting

Five options in the Troubleshooting node of the navigation tree enable you to resolve issues identified in the Health Status Chart under Deployment/Overview.

Three audit Fixlets detect machines ineligible for a TEM-CP installation.

The remaining two Fixlets identify machines where services are not running or configured correctly, or in need of a reboot.

A task to disable the Windows Firewall, which may conflict with the Common Firewall component, is also included.

Page 131

Troubleshooting

What is the definition of “healthy” in the endpoint Health Status Chart?

– Relevant to at least one Fixlet/Task/Analysis in the TEM-CP site

– Not relevant to any of the following Fixlets:
  – Deploy TEM-CP Endpoint
  – Improper service status
  – Ineligible (software)
  – Ineligible (hardware)
  – Ineligible (conflicting product)
  – Restart needed
  – Clear Rollback Flag

– Patterns up-to-date

Page 132

Troubleshooting

Why does my Health Status Chart show only three categories in the legend?

The Endpoint Health Status chart includes the 11 categories shown below. If not all of them are displayed, try expanding the size of the dashboard window.

– Healthy
– N/A
– Unknown
– Improper service status
– Not installed
– Ineligible (Hardware)
– Ineligible (Software)
– Conflicting Product
– Restart Needed
– In Rollback State
– Patterns Out of Date

Page 133

Troubleshooting

How do I create exclusions?

Go to the Scan Exclusion tab in the On Demand and Real Time wizards (Configuration node).

Page 134

Troubleshooting

How do I configure an action when a virus is detected?

Go to the Scan Action tab in the On Demand and Real Time wizards (Configuration node).

Page 135

Troubleshooting

How do I tune spyware detection?

You can set spyware detection to assessment mode in the “Spyware Grayware Scan Settings Only” section of the Global Settings wizard (Configuration node).

Instead of quarantining spyware, this feature allows you to simply report spyware. You can then view the infection reports and set appropriate exclusions.

Page 136

Troubleshooting

Can I automatically flow updates through clients without operator approval?

Yes. However, you need to manually enable Automatic Updates.

Page 137

Troubleshooting

How do I get notified when my system detects a new spyware or virus infection?

Using Web Reports, configure a Scheduled Report based on the Top 25 spyware and virus reports, and set it to email you whenever it changes.

Page 138

Troubleshooting

How can end users monitor infection information?

By enabling the Client Dashboard.

Page 139

Troubleshooting

What is IntelliTrap, referenced in the On Demand Scan Wizard?

IntelliTrap helps reduce the risk of viruses/malware entering your network by blocking real-time compressed executable files.

Page 140

Troubleshooting

What is IntelliScan, referenced in the On Demand Scan Wizard?

IntelliScan is a Trend Micro feature that will only scan files known to potentially harbor malicious code, even those disguised by an innocuous-looking extension name.

Page 141

Troubleshooting

Do the On Demand, Global, and Real Time settings features come with default settings, or do I need to set parameters on them before I use this product?

TEM-CP is packaged with default settings for each of these functions, but the wizards enable you to configure them with customized parameters.

For example, use the wizard to customize exclusions to a scan.

Page 142

Troubleshooting

What is ActiveAction, as referenced in the Real Time Wizard Scan Action tab?

ActiveAction is a set of pre-configured scan actions for specific types of viruses/malware.

Use ActiveAction if you are not sure which scan action is suitable for each type of virus/malware.

Page 143

Troubleshooting

What is the ActiveUpdate Server and what is it used for?

The Trend Micro ActiveUpdate (TMAU) server is Trend Micro’s “in-the-cloud” server from which our TEM-CP server downloads pattern-set files.

Page 145

Q & A

Page 146

THANK YOU!
