Getting Started Guide for Resellers Worry-Free™ Remote Manager™ 1 for Small and Medium Business


  • Getting Started Guide for Resellers

    Worry-Free™ Remote Manager™ 1 for Small and Medium Business

  • Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes and the latest version of the applicable user documentation, which are available from Trend Micro's Web site at:

    http://www.trendmicro.com/download/default.asp

    Trend Micro, the Trend Micro t-ball logo, TrendLabs, Trend Micro Damage Cleanup Services, TrendSecure, Worry-Free, Worry-Free Business Security Advanced, Worry-Free Business Security, OfficeScan, PC-cillin, and ScanMail are trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

    Copyright © 1998-2008 Trend Micro Incorporated. All rights reserved.

    Document Part No.: WREM13656/80523

    Release Date: June 2008


  • The Trend Micro Worry-Free Remote Manager™ Getting Started Guide for Resellers is intended to introduce the main features of the software and provide installation instructions for your production environment. You should read through it prior to installing or using the software.

    Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro’s Web site.

    Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site:

    http://www.trendmicro.com/download/documentation/rating.asp

  • Contents

    Chapter 1: Introduction
        What Is Worry-Free Remote Manager ... 1-2
        Worry-Free Remote Manager Features ... 1-2
            Live Security Status ... 1-2
            Live System Status ... 1-3
            Security Event Monitoring ... 1-3
            Network Management ... 1-3
            Reporting ... 1-3
        What’s New in this Release ... 1-4
        Overall Infrastructure ... 1-4
        About CS/CSM and WFBS/WFBS-A ... 1-5
        Key Terminology ... 1-5
        About this Getting Started Guide for Resellers ... 1-6

    Chapter 2: Getting Started
        Accessing the Console ... 2-2
            Web Browser Requirements ... 2-2
            Adding the Console URL to Trusted Sites ... 2-3
        Getting Help While You Work ... 2-4
        Modifying Your Company Profile ... 2-4
        Modifying Your Account ... 2-5
        Coordinating with the Customer ... 2-6

    Chapter 3: Preparing the Service Infrastructure
        Overview ... 3-2
        Adding Customers ... 3-2
            Agent GUID ... 3-3
            Adding Additional Domains ... 3-3
        Adding Contacts ... 3-4
        Installing the Agent ... 3-4
        Verifying Agent Installation ... 3-6
            Agent Service ... 3-6
            Start Menu Shortcuts ... 3-6
            System Tray Icon ... 3-6
        Verifying Agent/Server Connectivity ... 3-7
        Viewing Installation Errors ... 3-7

    Chapter 4: Understanding the Dashboard
        Dashboard Overview ... 4-2
            Normal Status Information ... 4-3
        Threat Status ... 4-4
        System Status ... 4-5
        Security Indicators ... 4-5

    i

  • Trend Micro™ Worry-Free Remote Manager™ Getting Started Guide for Resellers

    Chapter 5: Monitoring Threat Status
        Outbreak Defense Status ... 5-2
            Alert Status ... 5-2
            Vulnerable Computers ... 5-3
            Computers to Clean ... 5-3
        Antivirus Status ... 5-4
            Virus Threat Incidents ... 5-4
            Action Unsuccessful ... 5-4
            Real-time Scan Disabled ... 5-5
        Anti-spyware Status ... 5-5
            Spyware/Grayware Threat Incidents ... 5-6
            Computer Restart Required ... 5-6
        Anti-spam Status ... 5-6
        Web Reputation Status ... 5-7
        Behavior Monitoring Status ... 5-7
        Network Virus Status ... 5-8

    Chapter 6: Monitoring System Status
        License Status ... 6-2
        Update Status ... 6-2
        System Status ... 6-3

    Chapter 7: Understanding Security Indicators / Events
        Security Indicators ... 7-2
        Understanding Events ... 7-2
            Assessment Indexes ... 7-3
            System Events ... 7-4
        Viewing Events ... 7-4
            Searching Events ... 7-4
                Using Event Display Rules ... 7-5
        Handling Events ... 7-5
            Changing Event Status ... 7-6
            Sending Notifications Manually ... 7-6
            Adding Event Notes ... 7-6
        Customizing Assessment Settings ... 7-7
        Subscribing to Event Notifications ... 7-8
        Customizing Notification Content ... 7-8
            Attaching Reports ... 7-8
            Listing Computers in Vulnerability Notifications ... 7-8
        Viewing Assessment History ... 7-9

    Chapter 8: Managing Networks
        Viewing Managed Networks ... 8-2
            Menu Bar ... 8-2
            Network Tree ... 8-2
            Information Pane ... 8-3
        Adding Customers ... 8-4

    ii

  •     Removing Customers ... 8-4
        Understanding Network Commands ... 8-4
        Submitting Network Commands ... 8-6

    Chapter 9: Managing Agents
        Managing Agents from the Server ... 9-2
            Verifying Agent/Server Connectivity ... 9-2
            Agent Status Types ... 9-2
            Submitting Agent Commands ... 9-3
        Managing Agents from the Managed Server ... 9-4
            Agent Status Messages ... 9-4
            Changing the Agent GUID ... 9-5
            Agent Configuration ... 9-5
                Agent Configuration Menu ... 9-6
                Configuration Tool Main Dialog ... 9-7
                Configuration Tool General Panel ... 9-7
        Removing Agents ... 9-8
            Removing Agents Locally ... 9-8
            Removing Agents Remotely ... 9-10

    Chapter 10: Managing Reports
        Understanding Operational Reports ... 10-2
        Supported Report Formats ... 10-2
        Generating and Exporting Reports ... 10-3
        Subscribing to Reports ... 10-3

    Chapter 11: Troubleshooting and Technical Support
        Issues Dealing (largely) with the WFRM Console ... 11-2
            Domain Tree not Visible after Installing the Agent ... 11-2
            Node on tree Cannot Be Expanded ... 11-2
            Page Cannot be Displayed ... 11-2
            Unable to Receive Notifications ... 11-3
            Incorrect Information on the Dashboard ... 11-3
            Unable to Deploy Commands ... 11-3
            Agent Status Is Abnormal ... 11-3
        Issues Dealing (largely) with the Agent: ... 11-4
            Agent Does Not Match the CS/CSM Version ... 11-4
            Unable to Connect to the Server ... 11-4
                Unable to Register with the Remote Server ... 11-5
        Other Issues ... 11-5
            Resetting a Lost Password ... 11-5
            Backing Up and Restoring Agent Settings ... 11-5
            Finding the Agent Build Number ... 11-6
            Using Internet Explorer™ to View Reports ... 11-7
        Known Issues ... 11-7
        Contacting Technical Support ... 11-9

    iii

  • Chapter 1

    Introduction

    Welcome to the Worry-Free Remote Manager Getting Started Guide for Resellers.

    Worry-Free Remote Manager (WFRM) is a monitoring and management console designed to work with the following products:
    • Client Server Security (CS) versions 3.5 or 3.6
    • Client Server Messaging Security (CSM) versions 3.5 or 3.6
    • Worry-Free Business Security (WFBS) (formerly CS) version 5.0
    • Worry-Free Business Security Advanced (WFBS-A) (formerly CSM) version 5.0

    Note: The above products will be collectively referred to as "managed server(s)" in this document.

    It enables you to monitor the health of multiple managed networks. It also lets you manage critical security aspects of these networks.

    This chapter, which will introduce you to Worry-Free Remote Manager, discusses the following topics:
    • What Is Worry-Free Remote Manager on page 1-2
    • Worry-Free Remote Manager Features starting on page 1-2
    • What’s New in this Release on page 1-4
    • Overall Infrastructure on page 1-4
    • About CS/CSM and WFBS/WFBS-A on page 1-5
    • Key Terminology on page 1-5
    • About this Getting Started Guide for Resellers on page 1-6

    1-1


    What Is Worry-Free Remote Manager

    Worry-Free Remote Manager provides infrastructure for centrally managing security in small- to medium-sized networks protected by CS/CSM and WFBS/WFBS-A. It is hosted on regional Trend Micro Data Center servers where resellers obtain an account. Resellers can use Worry-Free Remote Manager to establish customer accounts, monitor customer networks, and manage security using the WFRM console.

    Worry-Free Remote Manager has a monitoring dashboard that allows administrators to look into the following aspects of network security:
    • Virus, network virus, and spyware/grayware incidents
    • Spam and phishing incidents
    • Unauthorized computer changes
    • Outbreak situations
    • License and update status of security products
    • Disk usage on desktops, servers, and Exchange servers
    • Key security indicators

    Worry-Free Remote Manager also offers a view of managed networks and allows reseller administrators to issue commands to manage critical aspects of network security.

    Worry-Free Remote Manager Features

    Worry-Free Remote Manager allows reseller administrators to monitor and manage multiple CS/CSM and WFBS/WFBS-A-protected networks from a single console by communicating with an Agent that runs on the managed servers. In addition, it offers event monitoring based on key security indicators.

    Worry-Free Remote Manager offers the following features:
    • Live Security Status
    • Live System Status
    • Security Event Monitoring
    • Network Management
    • Reporting

    Live Security Status

    The Worry-Free Remote Manager dashboard provides the status of the following aspects of network security:
    • Outbreak Defense
    • Antivirus
    • Anti-spyware
    • Anti-spam
    • Network Virus Protection
    • Behavior Monitoring
    • Web Reputation Services

    1-2


    Worry-Free Remote Manager also provides details about these aspects including statistical data such as the number of infected computers and virus/malware incidents. Reseller administrators can also check detailed information including the names of affected computers or the threats.

    Live System Status

    Reseller administrators can check the following system-related aspects of network security through the Worry-Free Remote Manager dashboard:
    • License usage for security products
    • Update status of security components
    • Disk usage status on desktops, servers, and Exchange servers

    Security Event Monitoring

    Worry-Free Remote Manager supports events-based monitoring of the following key security indicators:
    • Number of computers infected by virus/malware and spyware/grayware
    • Number of computers found with the same virus which can indicate that an internal outbreak is in progress
    • Percentage of computers with outdated security components

    Network Management

    Worry-Free Remote Manager offers a structured view of managed networks and allows reseller administrators to issue commands and manage the following critical aspects of network security:
    • Component updates and updates to the managed server
    • Vulnerability assessment
    • Automatic outbreak response
    • Damage cleanup
    • Firewall and real-time scan settings
    • Manual scans

    Reporting

    In addition to notifications for security events, Worry-Free Remote Manager can automatically generate and send reports at regular intervals. The Worry-Free Remote Manager operational report provides the following information:
    • Summary of computers in the domain and their update status
    • Assessment results distribution for infection and outbreak indicators
    • Latest assessment results for component currency indexes
    • Summary of virus, spyware/grayware, spam, and network virus incidents
    • Malware distribution
    • Major threats and affected files and computers

    1-3


    What’s New in this Release

    Worry-Free Remote Manager version 1.6 includes the following new features:
    • Worry-Free Remote Manager now utilizes High Availability (HA - secondary computers that take over immediately should the primary computers fail) on the servers for a more robust system.
    • Worry-Free Remote Manager now has the ability to manage Behavior Monitoring for WFBS and WFBS-A. Behavior Monitoring protects desktop and portable computers and servers from unauthorized changes to the operating system, registry entries, other software, or files and folders.
    • Worry-Free Remote Manager now has the ability to manage Location Awareness for desktop and portable computers when these are managed by WFBS/WFBS-A. With Location Awareness, administrators can control security settings depending on how the desktop or portable computer is connected to the network: In Office or Out of Office.

    Overall Infrastructure

    Worry-Free Remote Manager consists of three basic parts:
    • The Reseller
    • The Trend Micro Data Center
    • The Customer Network

    FIGURE 1-1 Worry-Free Remote Manager Overall Architecture

    The reseller connects remotely to the Trend Micro Data Center (currently on four different continents around the world) through the Worry-Free Remote Manager console via the Internet. No installation of the console is required by the reseller. From the console, the reseller can administer customer networks.

    [Figure 1-1 labels: Reseller, WFRM Web Console, Internet, Trend Micro Data Center, Data Center Engineer, WFRM Servers, Customer Network, Managed Server with WFRM Agent]

    1-4


    Each customer needs to be added and configured on the console by the reseller, and each CS/CSM and WFBS/WFBS-A server and Exchange server has an Agent installed which allows communication to and from the Worry-Free Remote Manager servers.

    The Agent runs on the CS/CSM and WFBS/WFBS-A servers inside the customer’s network. The Agent sends information to the Trend Micro Worry-Free Remote Manager server, where you can access the data from your console 24/7 using an Internet connection.

    Before you can start Worry-Free Remote Manager services, you must identify the computer where the managed server resides and install the Agent. This can be accomplished remotely from the WFRM console.

    About CS/CSM and WFBS/WFBS-A

    Client Server Security (CS) and Worry Free Business Security (WFBS) are comprehensive, centrally-managed solutions for small- and medium-sized businesses. CS and WFBS provide client-side antivirus and firewall protection for desktops and servers. Client Server Messaging (CSM) and Worry Free Business Security Advanced (WFBS-A) include the same features as CS and WFBS but also provide an anti-spam solution for mail servers running Microsoft Exchange Server™. Both CS/CSM and WFBS/WFBS-A include a server-side component for monitoring and managing client protection from a central location.

    Worry-Free Remote Manager monitors and manages CS/CSM and WFBS/WFBS-A-protected networks by communicating with an Agent that runs on the CS/CSM and WFBS/WFBS-A server(s).

    Note: Version 5.0 of Client Server Security (CS) and Client Server Messaging (CSM) have been renamed to Worry Free Business Security (WFBS) and Worry Free Business Security Advanced (WFBS-A).

    Key Terminology

    Knowing the following terms can help you work with this product more efficiently:

    • Agent—installed on CS/CSM and WFBS/WFBS-A servers, this small program allows the Worry-Free Remote Manager to monitor and manage customer networks through CS/CSM and WFBS/WFBS-A. New Agent types can allow the console to monitor and manage other security products.

    • Assessment—regular checks done on data collected from customer networks to determine the health of monitored networks; these checks use key indicators called assessment indexes.

    • Assessment indexes—the basis for security assessments; reseller administrators can customize these indexes individually to control assessment intervals, ranges, and notifications.

    • Client/Server Security Agent (CSA)—The Trend Micro Agent that reports to the CS/CSM and WFBS/WFBS-A server. The CSA sends event status information in real time. Agents report events such as threat detection, Agent startup, Agent shutdown, start of a scan, and completion of an update. The CSA provides three methods of scanning: Real-time Scan, Scheduled Scan, Manual Scan. Configure scan settings on Agents from the Web console.

    • Dashboard—the dashboard in Worry-Free Remote Manager is the leftmost, main page that displays a summary of each network aspect that the console monitors.

    • Detection—the discovery of a threat; a detection does not constitute a system infection, but simply indicates that malware has reached the computer. The detection of the same threat on different computers can constitute an outbreak.

    1-5


    • Domain—a grouping defined for administrative purposes; currently, each domain is associated with a single Agent running on a CS/CSM and WFBS/WFBS-A server.

    • Event—the occurrence of a condition in a monitored domain; the results of assessments trigger events which can be customized. Reseller administrators can also configure the console to send notifications when certain events occur.

    • Infection—the condition in which a threat is able to run its payloads in a computer; Worry-Free Remote Manager considers an infection to have occurred whenever the antivirus scanner detects a virus/malware and is unable to clean, delete, or quarantine the threat. A spyware/grayware infection occurs when the computer cannot be completely cleaned unless it is restarted.

    • Messaging Security Agent (MSA)—The Trend Micro Agent that resides on Microsoft Exchange Servers and reports to CSM and WFBS-A servers. This Agent protects against virus/malware, Trojans, worms and other threats. It also provides spam blocking, content filtering, and attachment blocking.

    • Plug-in—a software program that installs on top of another software program to add functionality or customize the program for specific tasks; Worry-Free Remote Manager is a plug-in to Information Center.

    • Providers—generic term used in Information Center to refer to organizations that directly provide security monitoring and management services to customers; in Worry-Free Remote Manager, providers are referred to as resellers.

    • Reseller administrators—administrators on the reseller side that perform service-related tasks using Worry-Free Remote Manager.

    • Trend Micro Data Center—the Trend Micro monitoring and management center that hosts Worry-Free Remote Manager servers and provides support to reseller administrators.

    • Security Server—the CS/CSM and WFBS/WFBS-A server computer.

    • Virus alert—a state of vigilance that is declared by TrendLabs to prepare customer networks for a virus outbreak; TrendLabs alerts different Trend Micro products and delivers preventive solutions that IT administrators can implement as a first line of defense before a pattern becomes available.

    • Virus outbreak—the rapid propagation of a virus threat to different computers and networks; depending on the prevalence of the threat, an outbreak can be internal, regional, or global.
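
The following added example (not part of the Trend Micro guide or of any product code) applies the Detection, Infection, and Virus outbreak definitions above, together with the three key security indicators listed under Security Event Monitoring, to constructed scan records. The record fields, outcome strings, pattern version values, and the outbreak threshold of three computers are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Outcomes that mean a virus/malware detection was handled. Per the guide,
# an infection is a detection the scanner could NOT clean, delete, or
# quarantine. The outcome strings themselves are assumptions.
HANDLED = {"cleaned", "deleted", "quarantined"}


@dataclass(frozen=True)
class ScanEvent:
    computer: str
    kind: str    # "virus" or "spyware" (assumed labels)
    threat: str
    result: str  # e.g. "cleaned", "failed", "restart_required" (assumed)


def is_infection(ev: ScanEvent) -> bool:
    """Apply the guide's definition of infection to a single detection."""
    if ev.kind == "virus":
        return ev.result not in HANDLED
    if ev.kind == "spyware":
        # Spyware/grayware is an infection only when the computer cannot
        # be completely cleaned without a restart.
        return ev.result == "restart_required"
    raise ValueError(f"unknown event kind: {ev.kind!r}")


def assess(events, pattern_by_computer, current_pattern, outbreak_min=3):
    """Compute the three key security indicators for one domain.

    outbreak_min is an assumed threshold; the guide does not state one.
    """
    # Indicator 1: computers with at least one unresolved detection.
    infected = sorted({ev.computer for ev in events if is_infection(ev)})

    # Indicator 2: the same virus seen on different computers, whether or
    # not each detection was handled (a detection is not an infection).
    computers_by_virus = defaultdict(set)
    for ev in events:
        if ev.kind == "virus":
            computers_by_virus[ev.threat].add(ev.computer)
    possible_outbreaks = {
        threat: sorted(hosts)
        for threat, hosts in computers_by_virus.items()
        if len(hosts) >= outbreak_min
    }

    # Indicator 3: share of computers whose component is not current.
    outdated = sorted(
        c for c, v in pattern_by_computer.items() if v != current_pattern
    )
    total = len(pattern_by_computer)
    outdated_percent = round(100.0 * len(outdated) / total, 1) if total else 0.0

    return {
        "infected_computers": infected,
        "possible_outbreaks": possible_outbreaks,
        "outdated_computers": outdated,
        "outdated_percent": outdated_percent,
    }


# Constructed sample data: computer names, threat names and pattern
# versions are made up for this example.
SAMPLE_EVENTS = [
    ScanEvent("PC-01", "virus", "WORM_SAMPLE.A", "quarantined"),
    ScanEvent("PC-02", "virus", "WORM_SAMPLE.A", "failed"),
    ScanEvent("PC-03", "virus", "WORM_SAMPLE.A", "cleaned"),
    ScanEvent("PC-03", "virus", "TROJ_SAMPLE.B", "deleted"),
    ScanEvent("PC-04", "spyware", "SPYW_SAMPLE.C", "restart_required"),
    ScanEvent("PC-05", "spyware", "SPYW_SAMPLE.C", "cleaned"),
]
SAMPLE_PATTERNS = {
    "PC-01": "5.301",
    "PC-02": "5.301",
    "PC-03": "5.299",
    "PC-04": "5.301",
    "PC-05": "5.297",
}

if __name__ == "__main__":
    for key, value in assess(SAMPLE_EVENTS, SAMPLE_PATTERNS, "5.301").items():
        print(f"{key}: {value}")
```

PC-01 and PC-03 count toward the possible outbreak even though their detections were handled, while only PC-02 and PC-04 count as infected.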

    About this Getting Started Guide for Resellers

    This manual guides the Worry-Free Remote Manager administrator when providing monitoring and management services for customers. This guide covers the following tasks:
    • Setting up the service infrastructure
    • Monitoring network security and system health
    • Managing networks using supported commands
    • Event tracking, configuration, and notifications management
    • Report generation and subscription maintenance

    Trend Micro also provides the following documentation with this service:
    • Online Help—covers concepts, tasks, and interface items; accessible through the user interface
    • Quick Start Card for Resellers—quick overview of Worry-Free Remote Manager and reseller tasks
    • Agent Installation Guide—performing and troubleshooting Agent installation
    • Agent Readme—includes late breaking news, installation instructions, and known issues

    1-6

  • Chapter 2

    Getting Started

    Before you start using Worry-Free Remote Manager, ensure that you can access it without problems. Also, ensure that your customers understand the capabilities of the console and how you can use it to monitor and manage their networks.

    This chapter discusses the following topics:
    • Accessing the Console on page 2-2
    • Getting Help While You Work on page 2-4
    • Modifying Your Company Profile on page 2-4
    • Modifying Your Account on page 2-5
    • Coordinating with the Customer on page 2-6

    2-1


    Accessing the Console

    You access the Worry-Free Remote Manager console using a Web browser. The console URL varies between regions, but you can access all the regional consoles through a central landing page at:

    http://wfrm.trendmicro.com

    FIGURE 2-2 Worry-Free Remote Manager central landing page.

    After selecting the appropriate region, use the logon credentials that Trend Micro provides with the signing of a reseller agreement.

    Web Browser Requirements

    To access the console without problems, ensure that you have a supported and properly configured Web browser as follows:
    • Your Web browser is Internet Explorer 6 SP1, 6 SP2, or 7.
    • You have added the console URL to your list of trusted sites in Internet Explorer. See Adding the Console URL to Trusted Sites on page 2-3 for instructions.
    • Your Internet Explorer security level for Trusted sites is set to Medium or a lower level. A more restrictive security level may prevent the console from displaying correctly.

    2-2



    FIGURE 2-3 Internet Explorer 6.0 security settings

    • Pop-up blockers on your Web browser have been disabled or set to allow pop-ups from the console URL. Pop-up blockers can prevent some of the console’s pop-up windows from opening.

    Adding the Console URL to Trusted Sites

    Add the console URL to your list of trusted sites in Internet Explorer to ensure that you can access all the console screens and features properly.

    To add the console URL as a trusted site in Internet Explorer:

    1. Open Internet Explorer.
    2. Click Tools > Internet Options.
    3. In the Internet Options window, click the Security tab.
    4. Select the Trusted sites zone.
    5. Click Sites. The Trusted Sites window opens.
    6. In Add this Web site to the zone, type the console URL and click Add.

    FIGURE 2-4 Internet Explorer 6.0 Trusted sites

    2-3


    7. Click OK to close the Trusted sites window.
    8. Click OK in the Internet Options window.

    Getting Help While You Work

    Worry-Free Remote Manager provides two types of help—general help and context-specific help. To get context-specific help on the current screen, click the blue screen help icon at the upper right corner below the menu bar. For general help, select Contents and Index from the drop-down list at the upper right corner above the menu bar.

    FIGURE 2-5 Different methods to access help in the console

    Modifying Your Company Profile

    You can modify your company’s name, description and logo in Worry-Free Remote Manager. The console uses this information to customize customer-facing material which can include reports and notifications. Your company logo also replaces the default logo shown in the console banner beside the Trend Micro logo as shown below.


    2-4


    FIGURE 2-6 Your Company Logo

    To modify your company profile:

    1. Click Administration > Reseller Profile.
    2. Modify the name and description. To change the logo, click the displayed logo image in the Reseller Profile tab.
    3. In the pop-up window, type the path of the image file or click Browse to navigate local folders and select the image file. The logo image should be a .PNG, .JPG, .JPEG, or .BMP image with dimensions of 250x50 (width x height) pixels or less.

    Tip: To reset to the default logo, click Reset in the pop-up window.

    4. Click Upload.
    5. A message prompts you to log off to implement the logo change. Do either of the following:
        • Click OK to log off.
        • Click Cancel to stay logged on.

    The banner logo will update on your next logon.

    Modifying Your Account

    You can modify some details of your account, including changing your password, preferred interface language, and contact information.

    To modify the details of your account:

    1. Click Administration.
    2. Click My Account.
    3. Modify the details as necessary.

    Tip: For information on the fields, click the screen-level help button.

    4. Click Save.

    2-5


    Coordinating with the Customer

    Monitoring and managing your customer’s network through Worry-Free Remote Manager provides many benefits for your customer. However, just like other remote management activities, actions made on the console can drastically affect the managed network.

    Before you start providing services, make sure that you have your customer’s consent to do the following remote management and monitoring activities:
    • View the list of computers on their network
    • View the following security information:
        • Virus, spyware/grayware, and network virus detections
        • Names and the number of infected computers
        • File names of infected files
        • Email addresses that have received infected files
        • Patch information for known vulnerabilities
        • License and system information on CS/CSM security products
    • Send notifications to individuals within the customer organization
    • Run the following actions:
        • Deploying security components
        • Starting Vulnerability Assessment scans
        • Starting or stopping Damage Cleanup Services
        • Starting or stopping manual scan
        • Update the CS/CSM server
        • Start or stop Outbreak Defense
    • Configure the following settings:
        • Automatic deployment of Outbreak Defense
        • Real-time scan settings
        • Firewall settings
        • Location Awareness
        • Behavior Monitoring
        • Web Reputation


  • Chapter 3

    Preparing the Service Infrastructure

    To provide Worry-Free Remote Manager services to customer networks, you need to prepare the service infrastructure. This chapter presents the following:

    • Overview
    • Adding Customers
    • Agent GUID
    • Adding Additional Domains
    • Adding Contacts
    • Installing the Agent
    • Verifying Agent Installation
    • Verifying Agent/Server Connectivity
    • Viewing Installation Errors


    Overview

    In general, preparing the service infrastructure involves:

    1. Adding a new customer to the WFRM console
    2. Adding at least one domain to the customer (saving the unique GUID to be used by the Agent)
    3. Adding at least one customer contact
    4. Installing the Agent on the customer’s server
    5. Entering the GUID on the Agent

    Adding Customers

    To allow a customer to receive Worry-Free Remote Manager services, first add the customer to the WFRM console. You should identify basic customer information before you create the customer account. This includes:

    • Customer name as it will appear on reports and notifications
    • Customer description
    • Domain of the CS/CSM or WFBS/WFBS-A server(s) where the Agent will be installed

    Note: Before you add a customer and install the Agent on the managed server, make sure you have written approval to perform tasks to access, monitor, and manage the customer's resources. See Coordinating with the Customer on page 2-6.

    To add a customer:

    1. Click Customers.
    2. Ensure that My Customers is selected in the left pane.
    3. Click the All Customers tab in the right pane.

    FIGURE 3-7 All Customers tab

    4. Click Add.
    5. Type the name and a description of the customer.

    WARNING! Do not use the characters in the parentheses (< & “ ‘ ? \).


    6. Click Save. Worry-Free Remote Manager automatically creates a default domain for the new customer and opens the Domain Profile tab for the domain.

    Note: Save the globally unique identifier (GUID) from the Domain Profile tab. The GUID is required during the installation of the Agent on the managed server. This information is always available from the Agent section of the Domain Profile tab. See Installing the Agent on page 3-4.

    7. On the Domain Profile tab, modify the domain information as necessary and click Save.

    Agent GUID

    To distinguish between WFRM Agents, WFRM assigns a globally unique identifier (GUID) to each Agent. The person who installs the Agent on the managed server must input the GUID during installation to allow the Agent to register to the console. This GUID is always available under Customers > My Customers > {customer} > {customer domain} (all on the tree on the left) > Domain Profile (on the right).

    Example of a WFRM Agent GUID:

    4F6F0F8697C9-A1FFCF63-D833-84D9-1C35

    Adding Additional Domains

    All managed networks contain at least one domain. When you add a customer, Worry-Free Remote Manager automatically creates a default domain for the customer. Additional domains can be added.

    Each domain contains a managed server and all the groups and computers managed by this server. Domains are the largest administrative divisions that can receive commands.

    To add a domain to a managed network:

    1. Click Customers.
    2. In the left pane, click (+) beside My Customers. The network tree expands.
    3. In the expanded network tree, click the name of the customer.
    4. In the right pane, click the Domains tab.

    FIGURE 3-8 Domains tab for the selected customer

    5. Click Add.
    6. Type a name and description for the domain.
    7. Ensure that the Domain status is set to Enabled.
    8. Select the CS/CSM service. This is the only service currently provided through Worry-Free Remote Manager; in this context, CS/CSM also covers WFBS/WFBS-A.
    9. Click Save.

    Adding Contacts

    To subscribe to event notifications and regular reports, users in your customer’s organization need to be added as contacts (this step is not required to actually install the Agent).

    To add a contact:

    1. Click Customers.
    2. In the network tree in the left pane, click the (+) next to My Customers.
    3. In the expanded network tree, select the name of the customer.
    4. In the right pane, click the Contacts tab.
    5. Click Add.
    6. In New Contact, provide the requested information. For a user to receive notifications through a particular communication medium, such as email or MSN, you must provide contact information for the medium.
    7. Click Save.

    Installing the Agent

    Note: Typically, the network administrator on the managed network handles the Agent installation. Provide these instructions to the network administrator with all the necessary information. This information is also included in the "Trend Micro Worry-Free Remote Manager Agent Installation Guide".

    Worry-Free Remote Manager monitors and manages protected networks. It does this by communicating with an Agent that is installed on servers on the managed network. The performance of WFRM depends highly on the proper installation and health of the Agent.

    Before installing the Agent, you will need the following:

    • The customer and domain must have already been registered on the WFRM server.
    • Agent GUID (available on the Domain Profile under Customers > My Customers > {customer name} > {customer domain} on the WFRM console)
    • Agent installer (WFRMAgentforCSM.exe)
    • The fully qualified domain name (FQDN) of the Worry-Free Remote Manager communication server. The FQDN varies in each region as follows:
        Asia Pacific - wfrm-apaca.trendmicro.com
        Europe and the Middle East - wfrm-emeaa.trendmicro.com
        Latin America - wfrm-lara.trendmicro.com
        North America - wfrm-usa.trendmicro.com


    The managed server must meet the following requirements:

    • CS/CSM 3.5/3.6 or WFBS/WFBS-A 5.0
    • Active Internet connection
    • 50MB available hard disk space

    To install the Agent:

    1. Copy the Agent installation file (WFRMAgentforCSM.exe) to the managed server (you should have received a link to this file when you signed up to use the WFRM service).
    2. Open the installation file.
    3. The InstallShield Wizard welcome screen opens. Click Next.
    4. The License Agreement screen opens. Read the license agreement carefully. If you disagree with the terms of the license agreement, click Cancel to exit the installation. If you agree with the terms, click I accept the terms of the license agreement and click Next.
    5. Provide your name and the name of your company and click Next. A pop-up opens informing you of the managed server version and the Agent version. Click OK.
    6. The Installation Location screen opens. To use the default location, click Next.
    7. Provide the FQDN of the Worry-Free Remote Manager server that corresponds to your region in the Server address field.
    8. Select a communication protocol and port, either HTTP on port 80 or HTTPS on port 443. HTTPS is recommended. Do not click HTTP authentication; it is not being used at this time. Click Next.
    9. If the managed server uses a proxy server to connect to the Internet, specify the necessary settings. Click Next.
    10. Type the GUID (see Agent GUID on page 3-3). Click Next.
    11. Review the installation settings and click Next.
    12. Click Finish to close the wizard after installation completes.

    If the installation is successful and settings are correct, the Agent should automatically register to the Worry-Free Remote Manager server. The Agent should show as online on the WFRM console.

    See Verifying Agent Installation on page 3-6 and Verifying Agent/Server Connectivity on page 3-7 for installation issues.

    Note: For information on managing Agents, see the chapter Managing Agents starting on page 9-1.

    Note: To remove the Agent, see Removing Agents on page 9-8.


    Verifying Agent Installation

    There are three methods for verifying that the WFRM Agent has been installed correctly and is operating properly. Check:

    • Agent service
    • Start menu shortcuts
    • System tray icon

    Agent Service

    Check if "Trend Micro Information Center for CSM" is started.

    1. Click Start > Settings > Control Panel > Administrative Tools > Services.
    2. Look for Trend Micro Worry-Free Remote Manager Agent.
    3. Check if the Status is Started.

    Start Menu Shortcuts

    Check the Program Group in the Start Menu.

    1. Click Start > All Programs > Information Center for CSM.
    2. Verify that the Program Group contains the following items:
        • Agent Configuration Tool
        • Readme
        • Remove Worry-Free Remote Manager Agent for CSM

    System Tray Icon

    Check for the WFRM Agent icon in the system tray. If for any reason the icon is not visible, you can start it by clicking Start > Programs > Worry-Free Remote Manager Agent > Agent Configuration Tool.

    Exiting the tool does not stop the WFRM service. It only closes the Configuration Tool and removes the icon from the task bar. The tool can be restarted at any time.

    Hover the mouse over the icon for status information (see Managing Agents from the Managed Server on page 9-4):

    ICON MEANING

    A green icon indicates that the Agent is connected to WFRM’s communication server.

    A red icon indicates that the Agent isn’t connected to WFRM’s communication server or the version of the Agent is mismatched with the server and needs to be updated.

    An icon with a red arrow indicates that the Agent has logged off from WFRM.


    Verifying Agent/Server Connectivity

    To ensure that the Worry-Free Remote Manager service is running smoothly, make sure that Agents are online.

    To view the status of Agents:

    1. Log on to the WFRM console.
    2. Click the Customers tab and ensure that My Customers is selected in the left pane.
    3. Click the All Agents tab in the right pane. The tab lists the status of each Agent in the Status column. For details on each status, see Agent Status Types on page 9-2.

    Viewing Installation Errors

    The Agent installation logs cover Agent installation activities. Collect these logs and send them to your service support provider if you encounter problems during installation. The Agent installation logs can be obtained from the following location on the managed server:

    C:\TMICAgentForCSM_Install.log

    See Troubleshooting and Technical Support on page 11-1 for further information.
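The checks described above (Agent service, reachability of the regional communication server over HTTPS, and the installation log) can be scripted on the managed server. This is an added example, not Trend Micro tooling: the service display name, FQDNs, port, and log path come from this guide, while the function names, region keys, and the `error|fail` log filter are assumptions.

```powershell
# Added example: post-install checks for the WFRM Agent, run on the managed server.
# From the guide: service display name, regional FQDNs, port 443, install log path.
# Assumptions: function names, region keys, and the 'error|fail' log filter
# (the guide does not document the log format).

$WfrmServers = @{
    'AsiaPacific'  = 'wfrm-apaca.trendmicro.com'
    'EMEA'         = 'wfrm-emeaa.trendmicro.com'
    'LatinAmerica' = 'wfrm-lara.trendmicro.com'
    'NorthAmerica' = 'wfrm-usa.trendmicro.com'
}

function Test-WfrmAgentService {
    # Returns the service status as text, or 'NotInstalled' if no such service exists.
    param([string]$DisplayName = 'Trend Micro Worry-Free Remote Manager Agent')
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()
}

function Test-WfrmServerPort {
    # Direct TCP connect with a timeout. If the Agent was configured to use a
    # proxy during installation, a failed direct connect here is expected and
    # the proxy path must be checked instead.
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-WfrmInstallLogIssues {
    # Returns the last matching lines from the install log, or nothing if the
    # log does not exist (for example, the installer never ran on this host).
    param([string]$LogPath = 'C:\TMICAgentForCSM_Install.log')
    if (-not (Test-Path -Path $LogPath)) { return }
    Select-String -Path $LogPath -Pattern 'error|fail' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
}

function Test-WfrmAgent {
    param(
        [ValidateSet('AsiaPacific', 'EMEA', 'LatinAmerica', 'NorthAmerica')]
        [string]$Region = 'NorthAmerica'
    )
    $server = $WfrmServers[$Region]
    New-Object PSObject -Property @{
        ServiceStatus     = Test-WfrmAgentService
        Server            = $server
        Https443Reachable = Test-WfrmServerPort -HostName $server -Port 443
        InstallLogIssues  = @(Get-WfrmInstallLogIssues)
    }
}

# Pick the region whose FQDN was entered in the installer's Server address field.
Test-WfrmAgent -Region 'NorthAmerica' | Format-List
```

A service status of Running with port 443 unreachable points at firewall or proxy settings rather than the installation itself; the Agent's status on the WFRM console remains the authoritative check.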


  • Chapter 4

    Understanding the Dashboard

    The Dashboard is the primary monitoring window into a customer's security problems, which are collectively referred to as events. Access the Dashboard using Microsoft Internet Explorer. Log on to the Trend Micro Worry-Free Remote Manager site at wfrm.trendmicro.com using your user name and password. There you can access the correct URL for your region.

    The dashboard is a quick way to review the health of monitored networks. The dashboard displays a summary of each network aspect that Worry-Free Remote Manager monitors.

    This chapter gives a brief overview of the following (see chapters 5, 6 and 7 for more detailed information):

    • Dashboard Overview
    • Threat Status
    • System Status
    • Security Indicators


    Dashboard Overview

    The dashboard contains three sections:

    • Threat Status—an overview of the threat and security status (page 4-4)
    • System Status—an overview of system-related risk situations (page 4-5)
    • Security Indicators—the status of key indicators (page 4-5)

    FIGURE 4-9 The dashboard

    The dashboard uses the three status icons in the table below to indicate any issues or potential issues.

    TABLE 4-1. Dashboard status icons

    STATUS ICON DESCRIPTION

    Normal; no action required for all customer domains.

    Warning; some action may be required for some customer domains.

    Immediate action required; you need to check affected domains immediately.


    The dashboard lists only the domains that are not in normal status. To get threat and system status details for a listed domain, click the name of the domain. Note that the dashboard normally lists only up to 10 domains. To access the complete list of affected domains, click More at the bottom of the list.

    Normal Status Information

    The dashboard lists only the domains that are not in normal status. To get threat and system status details on any domain, including those that are not listed on the dashboard, go to the Customers tab and access the domain through the network tree.

    To use the network tree to get status details:

    1. Click Customers.
    2. In the network tree in the left pane, click (+) to expand My Customers.
    3. Click (+) to expand the customer that owns the domain.
    4. Select the domain. The right pane displays three tabs, including the Domain Status and the Products tab.

    FIGURE 4-10 Products tab for the selected domain

    5. Click either of the following tabs:
        • Products—contains system status details
        • Domain Status—contains threat status details

    The Customers tab complements the dashboard as a simple method for viewing the list of managed domains and the details of their security and threat status. The figure below shows the Customers tab with a domain selected in the network tree and the threat status for that domain showing on the right.


    FIGURE 4-11 Customer tab showing the threat status

    Threat Status

    The threat status section of the dashboard provides an overview of the threat and security status of domains. It includes the following sections:

    • Outbreak defense—indicates the current alert status
    • Antivirus—indicates the presence of a significant number of virus/malware threats and related potential risk situations
    • Anti-spyware—indicates the presence of a significant number of spyware/grayware threats and whether certain actions need to be taken to address spyware/grayware incidents
    • Anti-spam—warns of the increasing number of spam messages being processed on the Exchange server
    • Web Reputation—indicates the number of attempts to retrieve Web pages evaluated as a security risk
    • Behavior Monitoring—indicates the number of attempts against unauthorized changes to a computer
    • Network viruses—warns of any significant network virus activity

    Note: For details on how Worry-Free Remote Manager determines the status in each of the threat status sections, see Monitoring Threat Status on page 5-1.


    System Status

    The system status section warns of any system-related risk situations and contains the following sections:

    • License—warns of potential risk situations due to license usage issues
    • Updates—warns of potential risk situations due to outdated security components
    • System—warns of potential risk situations due to inadequate disk space

    Note: For details on how Worry-Free Remote Manager determines the status in each of the system status sections, see Monitoring System Status on page 6-1.

    Security Indicators

    The security indicators section displays the status of the following key indicators:

    • Internal virus outbreak—number of computers where the same virus/malware is detected within a time range
    • Virus infection—number of computers infected with the same virus/malware within a time range (infection only occurs when a malware/virus is detected but is unable to be cleaned, deleted, or quarantined)
    • Spyware infection—number of computers infected with the same spyware/grayware within a time range (a spyware/grayware infection occurs when the computer cannot be completely cleaned unless it is restarted)
    • Outdated virus pattern—number of computers that do not have the latest virus pattern during assessment
    • Outdated spyware pattern—number of computers that do not have the latest spyware pattern during assessment

    The security indicators section is an overview of the results of security assessments conducted by Worry-Free Remote Manager. You can also monitor assessment results of events which can be set to trigger whenever an assessment result is a medium or critical risk.

    Note: For details on how Worry-Free Remote Manager determines the status of each of the security indicators, see Customizing Assessment Settings on page 7-7.


    The events list in the Events tab basically shows the details of the security indicators status shown on the dashboard. The figure below shows the Events tab with the list of events.

    FIGURE 4-12 Events tab showing the list of events

    Compare the Event Type column on the events list to match the events against the security indicators on the dashboard.

    Tip: Go to Notifications on the Events tab to customize assessment indexes, determine what constitutes critical or medium risk results and specify which risk level triggers an event. For more information, see Customizing Assessment Settings on page 7-7.


  • Chapter 5

    Monitoring Threat Status

    Worry-Free Remote Manager lets you monitor the threat status of customer networks by tracking the status of key security components as shown in the Threat Status section of the dashboard.

    FIGURE 5-13 Threat Status on the dashboard

    This chapter covers these seven components in the following sections:

    • Outbreak Defense Status
    • Antivirus Status
    • Anti-spyware Status
    • Anti-spam Status
    • Web Reputation Status
    • Behavior Monitoring Status
    • Network Virus Status


    Outbreak Defense Status

    Outbreak Defense provides early warning of Internet threats and/or other world-wide outbreak conditions. Outbreak Defense automatically responds with preventative measures to keep computers and networks safe, followed by protective measures to identify the problem and repair the damage. While Outbreak Defense is protecting networks and clients, TrendLabs is creating a solution to the threat. As soon as TrendLabs finds a solution, they release updated components, and CS/CSM and WFBS/WFBS-A servers download and deploy the updated components to clients. Outbreak Defense then cleans any virus remnants and repairs files and directories that have been damaged by the threat.

    Outbreak Defense may take the following actions in the event of an outbreak:

    • Block ports
    • Write-protect certain files and directories
    • Block certain attachments

    The dashboard indicates the outbreak defense status for managed networks. To determine this status, Worry-Free Remote Manager checks whether TrendLabs has declared a virus alert. The table below shows the possible outbreak defense icons on the dashboard.

    The dashboard lists domains in alert condition. To get details, click the (+) icon next to Outbreak Defense and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For guidance on accessing details on domains that are not in alert condition, see Normal Status Information on page 4-3.

    WFRM displays the following detailed information related to outbreak defense:

    • Alert status (this section does not display when there is no alert)
    • Vulnerable computers
    • Computers to clean

    Alert Status

    Alert status information displays whenever there is a red or yellow alert. The console lists computers with Outbreak Defense enabled and disabled. Enable Outbreak Defense to ensure that preventive measures deploy automatically and protect the network before a pattern becomes available. When there are computers with Outbreak Defense disabled, clicking the value under Not Enabled will open the list of affected computers.

    TABLE 5-1. Outbreak defense status icons

    STATUS ICON DESCRIPTION

    No virus alert

    TrendLabs has declared a Yellow Alert.

    TrendLabs has declared a Red Alert.


    To enable Outbreak Defense or set Outbreak Defense to automatically deploy during alerts for all the computers in a domain, use OPS (Outbreak Prevention Services) on the menu bar on the Customers tab. For detailed instructions, see Submitting Network Commands on page 8-6.

    Vulnerable Computers

    Vulnerable computers are computers that have not been patched for known software vulnerabilities. Because many viruses/malware make use of vulnerabilities to propagate, unpatched computers are more likely to get infected and become vectors for propagation.

    To handle vulnerable computers, contact the administrator of the affected domain and provide the names of the vulnerable computers and the vulnerabilities affecting them. To get this information, click the number of affected computers.

    Note: The number of affected computers only functions as a link to detailed information if there is at least one vulnerable computer.

    To ensure that the list of vulnerable computers is current, run a Vulnerability Assessment (VA) scan. For detailed instructions, see Submitting Network Commands on page 8-6.

    Computers to Clean

    Computers to clean are infected computers. Infected computers are those computers with a virus/malware that the security client did not successfully clean, delete, or quarantine upon detection. An infected computer likely contains a running copy of the virus/malware that has configured the computer to allow it to automatically start and stay running.

    To view a list of the infected computers and the names of the viruses, click the number of computers to clean. This number is clickable only when there is at least one infected computer.

    To address infected computers, deploy Damage Cleanup Services (DCS) to the domain. For detailed instructions, see Submitting Network Commands on page 8-6.


    Antivirus Status

    To show the antivirus status, the dashboard displays status icons indicating the presence of any significant virus/malware-related threats. The table below shows how the icons correspond to different threats.

    To get details, click the (+) icon next to Antivirus and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For instruction on accessing antivirus status details on domains that have normal status, see Normal Status Information on page 4-3.

    The console displays the following detailed information related to the antivirus status:

    • Virus threat incidents
    • Action unsuccessful
    • Real-time scan disabled

    Virus Threat Incidents

    Virus threat incidents are the number of virus/malware detections in the domain. The console groups this statistical information into the following groups:

    • Desktop/Servers—virus/malware detected during manual scans or when files are accessed on desktop and server computers
    • Exchange servers—virus/malware detected in email messages that are processed by an Exchange server

    To view the list of affected computers, affected email addresses (for viruses found in email messages), and the names of the malware, click the number of incidents. This number is clickable only when there is at least one incident. To reset the current count, click Reset.

    WARNING! Do not click Reset unless you are sure that the incidents have been addressed and contained. To determine whether there are any unresolved incidents, see the Action Unsuccessful table discussed next.

    TABLE 5-2. Antivirus status icons

    STATUS ICON DESCRIPTION

    Normal. No significant virus/malware threats.

    This status icon displays if any of the following conditions occur:
    - There is a local outbreak.
    - The real-time scanner is disabled in at least one computer.

    This status icon displays if any of the following conditions occur:
    - The real-time scanner on the Exchange server is disabled.
    - A security client is unable to clean or quarantine a malware.

    Action Unsuccessful

    Antivirus scanners perform actions—typically clean, quarantine, and delete—on files found with malware/virus. Typically, the scanner performs an initial action. If it is unable to perform this action, the scanner performs a secondary action. The console logs incidents where both actions are unsuccessful or if the first action is unsuccessful and the scanner does not perform a secondary action.

    Unsuccessful actions can indicate that a malware/virus has successfully circumvented antivirus defenses and has infected the computer. As with CS/CSM and WFBS/WFBS-A, Worry-Free Remote Manager assumes that computers with an unsuccessfully cleaned, quarantined, or deleted virus/malware are infected.

    To view a list of the infected computers and the names of the viruses, click the number of incidents. This number is clickable only when there is at least one incident.

    To address computers that have been infected due to unsuccessful antivirus actions, deploy Damage Cleanup Services (DCS) to the domain. For detailed instructions, see Submitting Network Commands on page 8-6.

    Real-time Scan Disabled

    Computers with disabled real-time scanners cannot scan files in real time (scheduled scans will continue). These computers are highly susceptible to virus/malware infection and can be vectors for the spread of viruses. Exchange servers with real-time scanners disabled let all viruses in email messages pass—leaving the customer network susceptible to mass-mailing worms.

    To view the list of computers with disabled real-time scanners, click the number of computers. This number is clickable only when there is at least one affected computer.

    To enable the real-time scanner on all computers and Exchange servers in the domain, click the corresponding Enable link.

    Anti-spyware Status

    To show the anti-spyware status, the dashboard displays status icons that indicate a relatively high spyware/grayware incident rate and the presence of computers that are infected with spyware/grayware. The table below shows how the icons indicate the anti-spyware status.

    To get details, click the (+) icon next to Anti-spyware and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For instruction on accessing anti-spyware status details on domains that are in normal status, see Normal Status Information on page 4-3.

    The console displays the following detailed information related to the anti-spyware status:

    • Spyware/Grayware threat incidents
    • Computer restart required

    TABLE 5-3. Anti-spyware status icons

    STATUS ICON DESCRIPTION

    Normal. Few spyware/grayware threats found.

    15 or more spyware/grayware incidents have been found in the network.

    Action required. At least one computer needs to be restarted to completely remove a spyware/grayware infection.


    Spyware/Grayware Threat Incidents

    Spyware/Grayware threat incidents are the number of spyware/grayware detections in the domain. The console displays the total number of incidents for all computers in the domain.

    To view the list of affected computers and the names of the spyware/grayware threats, click the number of incidents. This number is clickable only when there is at least one incident. To reset the current count, click Reset.

    WARNING! Do not click Reset unless you are sure that the incidents have been addressed and contained. To determine whether there are any unresolved incidents, see Computer Restart Required on page 5-6.

    Computer Restart Required

    Computers for restart are computers that have been found infected with spyware/grayware and that have been partially cleaned. These computers remain infected because the spyware/grayware affecting them cannot be removed completely until after a restart. To complete the cleanup process on these computers, contact an administrator on the customer’s side to restart the computers manually.

    To view the list of affected computers and the names of the spyware/grayware threats, click the number of incomplete cleanup attempts. This number is clickable only when there is at least one incomplete attempt. To reset the current count, click Reset.

    Note: Do not click Reset unless you are sure that the affected computers have been restarted.

    Anti-spam Status

    The dashboard displays status icons to show whether the percentage of spam messages (out of all the messages processed by Exchange servers) has reached a certain threshold. The table below shows the relationship between the status icons and the spam percentage threshold.

    To get details, click the (+) icon next to Anti-spam and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For instructions on accessing anti-spam status details on domains that are in normal status, see Normal Status Information on page 4-3.

    The console displays a table with the total number and percentage of the following messages:

    TABLE 5-4. Anti-spam status icons

    STATUS ICON DESCRIPTION

    Normal. Spam messages comprise less than 10% of the total messages processed by the Exchange server. Note that administrators can modify the 10% threshold on managed servers.

    Warning. Spam messages comprise 10% or more of the total messages processed by the Exchange server. Note that administrators can modify the 10% threshold on managed servers.

    This icon is not used to show the anti-spam status.


    • Spam messages—unsolicited and usually unwanted email messages sent out in bulk to different email addresses.

    • Phishing messages—messages designed to feign a legitimate message in order to draw users into logging on to a copy of a legitimate site. This attack is designed to steal logon credentials for banking and other important sites.

    Web Reputation Status

    Web Reputation evaluates the potential security risk of requested Web pages before displaying them. Depending on the rating returned by the database and the security level configured, the Client/Server Security Agent located on computers managed by WFBS/WFBS-A will either block or approve the request.

    To get details, click the (+) icon next to Web Reputation and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For instruction on accessing web reputation status details on domains that have normal status, see Normal Status Information on page 4-3.

    The console displays a table with the total number of the following:

    Blocked URLs Detected—the number of blocked access attempts to URLs determined to be a security risk

    Behavior Monitoring StatusBehavior Monitoring constantly monitors the Client for attempts to modify the operating system and other programs. When a Client/Server Security Agent located on computers managed by WFBS/WFBS-A detects an attempt, it notifies the user of the change and the user can Allow or Block the request. WFBS/WFBS-A administrators (or users) can create exception lists that allow certain programs to run while violating a monitored change or completely block certain programs.

    The console displays a table with the total number of the following:

    Policy Violations Detected—the number of attempts against unauthorized changes to the computer

    TABLE 5-5. Web Reputation status icons

    STATUS ICON DESCRIPTION

    No action required.

    The clients are reporting numerous or frequent URL violations. Starting from the 200th incident, the status icon changes to display the warning.

    The client is trying to access blocked URLs multiple times. Have the administrator of the managed server contact the user of the Client. If the user has not attempted to access the URLs, the computer could be infected. Run a full computer scan immediately.

    5-7

  • Trend Micro™ Worry-Free Remote Manager™ Getting Started Guide for Resellers

    Network Virus Status

    The dashboard displays status icons under Network Viruses to indicate whether network virus activity in customer domains has reached a certain threshold.

    To get details, click the (+) icon next to Network Viruses and then click the name of the domain. This will display detailed status for this domain for all seven key security components under Threat Status. For instructions on accessing anti-spam status details on domains that are in normal status, see Normal Status Information on page 4-3.

    The console displays the number of network virus detections in the domain. To view the list of affected computers, IP addresses, and the names of the network virus threats, click the number of incidents. This number is clickable only when there is at least one incident.

    To address network virus incidents, contact the administrator from the customer network to ensure that the machine sending out the viruses is isolated and cleaned. Most network viruses can be removed by restarting the affected computer. To reset the current count, click Reset.

    WARNING! Do not click Reset unless you are sure that the incidents have been addressed and contained.

    TABLE 5-6. Network virus protection status icons

    STATUS ICON DESCRIPTION

    Normal. Few network virus threats found.

    Warning. Ten or more network virus threats have been found within 1 hour. The one-hour interval is the 60-minute period before the point of assessment.

    This icon is not used to show the network virus protection status.


  • Chapter 6

    Monitoring System Status

    By monitoring the system status of managed servers, you can ensure that customer networks are continuously protected.

    FIGURE 6-14 System Status on the dashboard

    Worry-Free Remote Manager provides the following information in real time:

    • License Status on page 6-2
    • Update Status on page 6-2
    • System Status on page 6-3


    License Status

    The dashboard displays icons to indicate potential security issues due to license usage. The table below shows license usage problems associated with the status icons.

    To address license usage issues, you can do the following:

    • Contact the administrator of the affected domain.
    • Click the Renew License button to access the renewal page and renew the customer’s license.

    The dashboard lists domains whose statuses are not normal. To get details, click the (+) icon next to each section and then click the name of the domain. For instructions on accessing details on domains that are in normal status, see Normal Status Information on page 4-3.

    TABLE 6-1. License status icons

    STATUS ICON DESCRIPTION

    Normal

    Warning. This status icon appears if any of the following conditions occur:
    - Customer has exceeded 80% of the maximum seat count.
    - The managed product is running on a trial license that expires in 14 days.
    - The managed product is running on a full license that expires in 60 days.

    Action required. This status icon appears if either of the following conditions occurs:
    - Customer has exceeded the maximum seat count.
    - The managed product license has expired.

    Update Status

    The table below shows how the dashboard displays icons to indicate any update problems.

    TABLE 6-2. Update status icons

    STATUS ICON DESCRIPTION

    Normal

    Warning. This status icon appears if either of the following conditions occurs:
    - The managed product has not updated successfully for more than seven days.
    - The pattern and engine deploy rate on desktop and server computers is less than 90%.

    Action required. This status icon appears if any of the following conditions occur:
    - The managed product has not updated successfully for more than 14 days.
    - The pattern and engine deploy rate on desktop and server computers is less than 70%.
    - At least one Exchange server is running with outdated security components.

    To address update problems, you can run the following commands from the menu bar in the Customers tab:

    • Update Client Server Security Agent—deploys the latest security components, including the scan engine and pattern files, to all Client Server Security Agents in the domain.
    • Update Managed Server—deploys the latest security components, including the scan engine and pattern files, to the managed server.

    Note: Because Update Client Server Security Agent uses components already on the managed server, the effectiveness of this command relies on whether the managed server has updated successfully (which can be done by Update Managed Server).

    Once you have successfully updated the managed server and have deployed the latest components, consider running the Manual Scan command (under the Action menu). A scan can find threats that outdated components missed. For detailed instructions on running commands, see Submitting Network Commands on page 8-6.

    The dashboard lists domains whose statuses are not normal. To get details, click the (+) icon next to each section and then click the name of the domain. For instructions on accessing details on domains that are in normal status, see Normal Status Information on page 4-3.

    System Status

    Lack of disk space on the managed server can prevent it from implementing various tasks properly, including hosting component updates and gathering security information. Desktops and other server computers may also experience problems due to inadequate disk space.

    The dashboard lets you monitor disk space usage problems on computers in the domain by displaying icons to indicate potential and current disk space problems. To understand what these icons mean, see the table below.

    To address disk usage issues, contact the administrator of the affected domain.

    The dashboard lists domains whose statuses are not normal. To get details, click the (+) icon next to each section and then click the name of the domain. For instructions on accessing details on domains that are in normal status, see Normal Status Information on page 4-3.

    TABLE 6-3. System (disk usage) status icons

    STATUS ICON DESCRIPTION

    Normal

    This icon is not used to indicate the disk usage status.

    Action required. This status icon appears if more than one computer has less than 1% disk space.


  • Chapter 7

    Understanding Security Indicators / Events

    Security Indicators are a summary of events. Events are based on regular assessments. You can view event information on the table provided on the Events tab. Event thresholds can be customized for individual domains. You can subscribe individuals to event notifications which Worry-Free Remote Manager sends when an event occurs.

    FIGURE 7-1 Security Indicators on the dashboard

    The following sections in this chapter discuss events further:

    • Security Indicators on page 7-2
    • Viewing Events on page 7-4
    • Handling Events on page 7-5
    • Customizing Assessment Settings on page 7-7
    • Subscribing to Event Notifications on page 7-8
    • Customizing Notification Content on page 7-8
    • Viewing Assessment History on page 7-9


    Security Indicators

    The Security Indicators that employ the Worry-Free Remote Manager assessment indexes include:

    • Internal Virus Outbreak—which should be addressed by quarantining the virus/malware, containing and removing the virus/malware from the affected computers and cleaning them.
    • Virus Infection—which should be addressed by quarantining and removing the virus/malware and cleaning the infected computer(s).
    • Spyware Infection—which should be handled by containing and removing the spyware and cleaning the infected computer(s).
    • Outdated Virus Pattern—which should be handled by identifying the computers that do not have the current virus/malware pattern files, determining which files require updating, and performing the update.
    • Outdated Spyware Pattern—which can be addressed by identifying the computers that do not have the current spyware/grayware pattern files, determining which files require updating, and performing the update.

    The Security Indicators assessment indexes combine two to three factors: an assessment frequency, a range of time for performing the assessment before triggering an event, and the risk levels associated with the assessment, which can all be configured through the WFRM console. Thus, you use index-based criteria for assessing your customer networks and monitoring the assessment results for security breaches.

    Understanding Events

    Events are based on regular assessments. Worry-Free Remote Manager assesses data at configurable intervals and matches this data to predefined risk levels. Specific risk levels are set as event triggers. When these risk levels are reached, an event occurs, and Worry-Free Remote Manager sends corresponding notifications. Assessment intervals, risk levels, event triggers, and notifications are defined separately for each event type.

    Whenever an event occurs in a domain, the console generates a unique ID to allow you to track that event.

    There are two groups of event types:

    • Assessment index-based events
    • System events


    Assessment Indexes

    Assessment indexes are key security indicators that are the basis for assessments. The assessment indexes are the same Security Indicators shown on the dashboard. Worry-Free Remote Manager supports five assessment indexes, described in the table below (default values are shown).

    TABLE 7-1. Assessment indexes

    | ASSESSMENT INDEX / SECURITY INDICATOR | DESCRIPTION | ASSESSMENT FREQUENCY | RANGE | RISK LEVELS |
    |---|---|---|---|---|
    | Internal virus outbreak | Number of computers on which the same virus/malware is detected | 10 minutes | 1 hour of data (customizable from 30 minutes to 24 hours) | Medium: 3; Critical: 5; events are triggered at medium risk by default |
    | Virus infection | Number of computers infected with the same virus/malware | 10 minutes | 1 hour of data (customizable from 30 minutes to 24 hours) | Medium: 3; Critical: 5; events are triggered at medium risk by default |
    | Spyware infection | Number of computers infected with the same spyware/grayware | 10 minutes | 1 hour of data (customizable from 30 minutes to 24 hours) | Medium: 3; Critical: 5; events are triggered at medium risk by default |
    | Outdated virus pattern | Percentage of computers that do not have the latest virus pattern | 30 minutes | Not applicable; based on data gathered at the time of assessment | Medium: 5%; Critical: 10%; events are triggered at medium risk by default |
    | Outdated spyware pattern | Percentage of computers that do not have the latest spyware/grayware pattern | 30 minutes | Not applicable; based on data gathered at the time of assessment | Medium: 5%; Critical: 10%; events are triggered at medium risk by default |


    System Events

    System events are maintenance-related events (and can be viewed only under the Events tab). These events help ensure that the Agent and the managed servers are online. Another system event enables you to automatically notify customers whenever a software vendor announces a vulnerability.

    Worry-Free Remote Manager supports the following system events:

    • CSM server shutdown—the CS/CSM or WFBS/WFBS-A server computer has turned off.
    • Exchange server shutdown—the Exchange server computer has turned off.
    • Microsoft critical vulnerability—a security vendor has announced an important vulnerability.
    • Agent abnormal—the Agent appears offline and is not responding to the Worry-Free Remote Manager server but has not sent a logoff request.
    • Agent offline—the Agent has closed normally, having sent a logoff request to Worry-Free Remote Manager.
    • Agent online—the Agent has gone online and is now running normally.

    Note: For more information on Agent status types, see Agent Status Types on page 9-2.

    Viewing Events

    In addition to the security indicators on the dashboard, you can view the list of events as they occur. To view events, click the Events tab. The Overview tab lists all open events.

    For alternative ways to view events, see the following procedures:

    • Searching Events on page 7-4
    • Using Event Display Rules on page 7-5

    Searching Events

    Use the search function to search for an event using the Event ID, which is a unique identifier assigned to each unique event and used while the event remains open.

    To run a search:

    1. Type an event ID.
    2. Click Search.

    Tip: To reset the list, click Return.


    Using Event Display Rules

    Event display rules are customizable filtering rules that let you display only the events that match specific filters or combinations of filters. For example, you can create a rule that will display only certain event types.

    To create event display rules:

    1. Click the Events tab. The Overview tab is selected by default.
    2. Click Edit Display Rules.
    3. In the Display rule window, click Add at the bottom of the screen.
    4. Provide a name and configure the new rule.
    5. Click Save.

    To use a specific rule when viewing events, select the rule from the drop-down list on top of the events table as shown below.

    FIGURE 7-2 Event display rule drop-down

    Handling Events

    Because events typically indicate security problems that require attention, you may need to perform the following:

    • Changing Event Status on page 7-6
    • Sending Notifications Manually on page 7-6
    • Adding Event Notes on page 7-6


    Changing Event Status

    You need to manually change the status of events depending on your progress with handling them. Events can have any of the following statuses:

    • New—the default status of events when they are triggered
    • In-progress—the event is currently being handled
    • Closed—the event has been handled, all related issues have been resolved, and conditions are back to normal

    Note: All new and in-progress events are considered open.

    To change the status of an event:

    1. Click Events. The Overview tab is selected by default.
    2. From the display rule drop-down list, select a display rule that covers the event or search for the event using the event ID.
    3. Click the event ID link on the table.
    4. In the pop-up window, select the status from the Status drop-down list.
    5. Click Change Status.

    Tip: Add a note every time you change an event's status to keep a record of the change.

    Sending Notifications Manually

    In addition to automatic event notifications, you can send event notifications manually.

    To send an event notification manually:

    1. Click Events. The Overview tab is selected by default.
    2. From the display rule drop-down list, select a display rule that covers the event or search for the event using the event ID.
    3. Click the event ID link in the table.
    4. In the pop-up window, select a contact from the Contact drop-down list.
    5. Click Notify.

    Adding Event Notes

    Event notes allow reseller administrators to track actions made in relation to an event, such as status changes.

    To add an event note:

    1. Click Events. The Overview tab is selected by default.
    2. From the display rule drop-down list, select a display rule that covers the event or search for the event using the event ID.
    3. Click the event ID link on the table.
    4. Under Add note, type the event note.
    5. Click Add.


    Customizing Assessment Settings

    You can customize the following settings for each assessment index:

    • Risk levels—risk levels, what constitutes an event, and whether a report is attached to notifications
    • Assessment interval—data range covered by assessments

    To customize assessment settings:

    1. Click Events.
    2. Click Notifications.
    3. Select a service (currently, Worry-Free Remote Manager supports only the CS/CSM and WFBS/WFBS-A service and supports all assessment indexes through this service).
    4. Select the customer.
    5. Select the domain.

    Assessment index settings

    Use the following settings for each individual Assessment Index (each corresponds to a column heading):

    • Enabled—enable or disable an index
    • Risk Levels—click Edit to define the risk levels and specify the risk levels that will trigger an event. A pop-up window (entitled Assessment Index Risk Levels) lets you define the following settings:
        • Critical risk—the assessment result that Worry-Free Remote Manager considers critical risk
        • Medium risk—the assessment result that Worry-Free Remote Manager considers medium risk
        • Event trigger level—the risk level that will trigger an event
        • Attach report on notification email—set Worry-Free Remote Manager to include a report in the notification email message

    Tip: Click Load Default to reset risk levels to default values.

    • Assessment interval—the period between each assessment; clicking Edit opens a pop-up window (entitled Assessment Interval) that lets you specify the following settings:
        • Assessment interval—the time between each assessment; this value is predefined for each assessment index
        • Assess data from_to_earlier—Worry-Free Remote Manager will run the assessment on data collected from this period. For example, if you specify the values 2 and 1 hour(s), Worry-Free Remote Manager will assess data collected during the period between 2 hours and 1 hour before the assessment. Therefore, for an assessment that runs at 3:00 PM, Worry-Free Remote Manager will assess data collected from 1:00 to 2:00 PM.

    • Notifications—click the Edit link that corresponds to an assessment index to subscribe contacts to event notifications for that index. In the pop-up window, select at least one of the listed notification methods to subscribe a contact. Worry-Free Remote Manager supports the following notification types:
        • Email—sent to the recipient's email address
        • MSN—sent to the recipient's MSN account
        • Pop-up message—displays a pop-up window to notify the recipient; the recipient receives this notification only if he or she is logged on to Worry-Free Remote Manager
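The default values in Table 7-1 and the "Assess data from_to_earlier" setting above can be worked through in code. The following Python sketch is an added example, not Trend Micro code: it evaluates the Internal virus outbreak index over constructed detection records. The record format, the function names, the "at or above" threshold comparison, and the half-open window boundaries are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Defaults for the "Internal virus outbreak" index as listed in Table 7-1.
MEDIUM, CRITICAL = 3, 5
RANK = {"normal": 0, "medium": 1, "critical": 2}

# Constructed detection records (timestamp,computer,malware); not a WFRM log format.
SAMPLE = """\
2008-06-02 13:10,PC-06,WORM_EXAMPLE.A
2008-06-02 13:30,PC-04,WORM_EXAMPLE.A
2008-06-02 14:05,PC-01,WORM_EXAMPLE.A
2008-06-02 14:10,PC-02,WORM_EXAMPLE.A
2008-06-02 14:20,PC-02,WORM_EXAMPLE.A
2008-06-02 14:40,PC-03,WORM_EXAMPLE.A
2008-06-02 14:50,PC-05,TROJ_EXAMPLE.B
"""


def parse(text):
    """Turn the constructed CSV lines into (datetime, computer, malware) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, computer, malware = (field.strip() for field in line.split(","))
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), computer, malware))
    return rows


def assessment_window(assessed_at, from_hours, to_hours):
    """'Assess data from X to Y hour(s) earlier' as a (start, end) pair."""
    if from_hours <= to_hours:
        raise ValueError("'from' must reach further back than 'to'")
    return (assessed_at - timedelta(hours=from_hours),
            assessed_at - timedelta(hours=to_hours))


def risk_level(count, medium=MEDIUM, critical=CRITICAL):
    # Assumption: a level is reached when the count is at or above its value.
    if count >= critical:
        return "critical"
    if count >= medium:
        return "medium"
    return "normal"


def assess(rows, assessed_at, from_hours=1, to_hours=0, trigger="medium"):
    """One assessment run: {malware: (computer_count, level, event_triggered)}."""
    start, end = assessment_window(assessed_at, from_hours, to_hours)
    hosts = defaultdict(set)
    for ts, computer, malware in rows:
        if start <= ts < end:             # assumption: start inclusive, end exclusive
            hosts[malware].add(computer)  # a computer counts once per malware name
    result = {}
    for malware, computers in hosts.items():
        level = risk_level(len(computers))
        result[malware] = (len(computers), level, RANK[level] >= RANK[trigger])
    return result


if __name__ == "__main__":
    at = datetime(2008, 6, 2, 15, 0)      # an assessment that runs at 3:00 PM
    for label, frm, to in (("1 hour of data", 1, 0),
                           ("from 2 to 1 hours earlier", 2, 1),
                           ("2 hours of data", 2, 0)):
        print(label, assess(parse(SAMPLE), at, frm, to))
```

On the same records, the 1-hour default yields a medium-risk event, the shifted 2-to-1 window yields none, and a 2-hour range reaches critical, so the range setting changes which events fire as much as the risk levels do.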


    Subscribing to Event Notifications

    The console can send notifications every time an event occurs. To allow contacts to automatically receive these notifications, subscribe them to the notifications.

    To subscribe users to event notifications:

    1. Click Events.
    2. Click Notifications.
    3. Select the service (currently, Worry-Free Remote Manager supports only the CS/CSM and WFBS/WFBS-A service and supports all assessment indexes through this service).
    4. Select the customer.
    5. Select the domain.
    6. Click the Edit link under Notifications that corresponds to the event type.
    7. In the pop-up window, select notification methods to subscribe the listed contacts.
    8. Click Save.

    Customizing Notification Content

    You can customize the content of event notifications by:

    • Attaching detailed Comma Separated Value (CSV) reports to email notifications for all assessment index events
    • Listing specific computers in notifications for the new critical vulnerability system event

    Attaching Reports

    You can configure the console to attach detailed reports to assessment index event notifications. These event reports are in CSV format and contain all the data associated with the event.

    To attach event reports to notifications:

    1. Click Events.
    2. Click Notifications.
    3. Select the service. Currently, Worry-Free Remote Manager supports only the CS/CSM and WFBS/WFBS-A service and supports all assessment indexes through this service.
    4. Select the customer.
    5. Select the domain.
    6. Click the Edit link under Risk Levels that corresponds to the event type.
    7. Select Attach report on notification email.
    8. Click Save.

    Listing Computers in Vulnerability Notifications

    The Microsoft critical vulnerability event occurs when Microsoft announces an important software vulnerability. Worry-Free Remote Manager automatically sends a notification to all subscribed contacts. You can include a list of important computers in the notification so that notification recipients immediately know which computers to check.


    To list a computer in vulnerability notifications:

    1. Click Customers.
    2. Expand the network tree until the computer is visible.
    3. Select the computer.

    FIGURE 7-3 List in vulnerability notifications option

    4. In the information pane on the right-hand side, select List in vulnerability notification email.
    5. Click Save.

    Viewing Assessment History

    Assessment results that do not trigger events do not appear in the Events tab. However, you can view these assessment results in the Reports tab.

    To query assessment results:

    1. Click Reports.
    2. Click Assessment Logs.

    FIGURE 7-4 Assessment Logs tab under Reports

    3. Select the customer.


    4. Select the domain name and assessment index.
    5. To specify the data range, select the start and end time in the From and To fields.
    6. Click Query.

    Tip: To start a new query, click the Back button at the bottom of the results table.


  • Chapter 8

    Managing Networks

    Worry-Free Remote Manager enables you to effectively manage customer networks by providing a view of the structure of a