Trend Micro OfficeScan 10.6
TCSP/TCSE Training Course
Lab Textbook

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user.

Portions of this manual have been reprinted from the Trend Micro OfficeScan 10.5 Installation and Upgrade Guide, copyright 1998-2010, Trend Micro, Inc.; Trend Micro OfficeScan 10.5 Administrator's Guide, copyright 1998-2010, Trend Micro, Inc.; and the Trend Micro Smart Scan for OfficeScan Getting Started Guide, copyright 2009-2010, Trend Micro, Inc.

Copyright 1998-2010 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. Trend Micro, the Trend Micro t-ball logo, TrendLabs, and OfficeScan are trademarks or registered trademarks of Trend Micro, Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations.

Program Manager: Tom Brandon
Editorial: Alexander Sverdovskva
Released: August 2010 v3.6

2010 Trend Micro Inc.

Administrator Track

Table of Contents

Exercise 1: Validate Lab Setup
  Activity 1.1 > LAN Requirements
  Activity 1.2 > Server Requirements
  Activity 1.3 > Lab Preparation

Exercise 2: Install OfficeScan
  Activity 2.1 > Prepare to Install OfficeScan
  Activity 2.2 > Install OfficeScan Server
  Activity 2.3 > Verify the Installation

Exercise 3: Configure Smart Scan
  Activity 3.1 > Configure Smart Protection Sources
  Activity 3.2 > Configure Integrated Server Settings and an Update Schedule

Exercise 4: Configure Client Settings
  Activity 4.1 > View Client Status and Configure the Client Tree
  Activity 4.2 > Configure Client Scan Settings
  Activity 4.3 > Change the Scan Mode for One or More Domains
  Activity 4.4 > Configure Client Privileges
  Activity 4.5 > Enable and Configure WRS
  Activity 4.6 > Enable and Configure Behavior Monitoring and Device Control
  Activity 4.7 > Export Client Management Data

Exercise 5: Configure Global Client Settings
  Activity 5.1 > Configure Global Scan Settings
  Activity 5.2 > Configure Global Log Settings
  Activity 5.3 > Configure Active Directory Settings
  Activity 5.4 > Configure Custom Automated Client Groupings

Exercise 6: Prevent Outbreaks
  Activity 6.1 > Configure Outbreak Prevention
  Activity 6.2 > Standard Notifications
  Activity 6.3 > Outbreak Notifications
  Activity 6.4 > Test the Alert Settings

Exercise 7: Configure Administration Settings
  Activity 7.1 > Create Custom Roles and Add a User Account
  Activity 7.2 > Configure Quarantine Manager

Exercise 8: Deploy OfficeScan Clients
  Activity 8.1 > Modify the Server Login Script
  Activity 8.2 > Create a Client Setup Package

Exercise 9: Update and Deploy OfficeScan Components
  Activity 9.1 > Manually Update and Deploy Components
  Activity 9.2 > Configure an Update Agent

Exercise 10: Configure Settings on the Client Console
  Activity 10.1 > Configure Scan Options from the OfficeScan Client Console
  Activity 10.2 > Configure OfficeScan Firewall from the Client Console
  Activity 10.3 > Test Your Settings

Exercise 11: Configure OfficeScan Firewall
  Activity 11.1 > Create a Policy
  Activity 11.2 > Create a Profile
  Activity 11.3 > Test the OfficeScan Firewall Settings

Exercise 12: Detect Vulnerable Computers
  Activity 12.1 > Manually Scan Computers
  Activity 12.2 > Configure a Scheduled Task for Vulnerability Scans
  Activity 12.3 > Perform a Security Compliance Query

Exercise 13: View OfficeScan Logs
  Activity 13.1 > View Firewall Logs
  Activity 13.2 > View Virus/Malware Logs

Exercise 14: Creating a Client Update Package (Optional Activity)
  Activity 14.1 > Verify Connections

Exercise 1: Validate Lab Setup

This lab demonstrates Trend Micro OfficeScan running on a Microsoft Windows Server 2003/2008 operating system. In a production environment, you can use other platforms and server hardware. For information about platform and hardware support, please visit the Trend Micro website (http://www.trendmicro.com) or refer to OfficeScan documentation.

Activity 1.1 > LAN Requirements

Your lab LAN configuration should meet these minimum requirements:
  A unique, static IP address for each lab computer
  Internet access
  Hub or switch with sufficient ports to interconnect lab equipment
  Category 5 Unshielded Twisted Pair (UTP) cables to interconnect lab equipment

Activity 1.2 > Server Requirements

Your lab server should meet these minimum hardware requirements:
  1.86 GHz Intel Core2 Duo processor or equivalent
  1 GB of RAM
  3.5 GB hard-disk space
  Ethernet adapter card
  Keyboard, monitor (with at least 1024 x 768 pixel resolution), and mouse

Your lab server should meet these minimum operating-system requirements:
  Windows Server 2003 with Service Pack 2 or later, installed as a standalone server / primary domain controller (PDC)
  Microsoft Internet Information Server (IIS) 6.0 or later (7.0 for Server 2008)
  Microsoft Internet Explorer 7.0 or later

NOTE
Because the OfficeScan client can run on the Windows Server platform, you can demonstrate most OfficeScan features using a single server machine. It is also possible to implement the server configuration within a virtual machine. Your classroom setup may, additionally, provide you with one or more additional real or virtual machines as clients. Follow your instructor's guidance with regard to modifications and caveats to the basic lab setup.

Activity 1.3 > Lab Preparation


Your lab instructor will provide:
  OfficeScan installation files
  Valid activation codes for OfficeScan services
  IP address/domain name for the OfficeScan server
  Administrator rights (local or domain) to your lab computer
  Pre-configured Active Directory structure or instructions on how to configure your directory for testing Active Directory-integrated OfficeScan features.
  The European Institute of Computer Anti-Virus Research (EICAR) test virus file
  Optional: SMTP server information (for your local machine or classroom server) and email addresses

Exercise 2: Install OfficeScan

Activity 2.1 > Prepare to Install OfficeScan
Scenario
You have been hired as a consultant to perform a pilot installation of OfficeScan for a large customer. Before you modify any of your customer's computers or any networking devices in the existing environment, your own company's procedures require you to document and validate all baseline functions related to your work. Simple, written notes will suffice for your documentation of IP addresses, domain names, login information, etc. You must also validate that the system on which you will install OfficeScan meets the minimum hardware and software requirements.

For this activity, and those that follow, use the validation checklists that follow the scenario descriptions as a guide for completing your tasks. Use your own knowledge, the student textbook, as well as the aid of other classroom participants to fill in any missing parts, explain specific procedures, or troubleshoot problems you may encounter.

Validation Checklist

Verify minimum host-system requirements for OfficeScan:
  Windows Server 2003 with Service Pack 2 or above
  1.86 GHz Intel Core2 Duo processor or equivalent
  1 GB of RAM (2 GB recommended for Server 2008)
  3.5 GB available hard-disk space
  Microsoft Internet Information Server (IIS) 6.0 or above (7.0 for Server 2008)
  Microsoft Internet Explorer 7.0 or above

NOTE
To launch the IIS Console, click Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager or run: {windir}\system32\inetsrv\iis.msc

Verify that IIS is running
Validate network connectivity
Verify and note IP configuration (command line: ipconfig /all)
Collect any other network service information that may be required from your lab instructor. For example, ask your instructor to confirm whether you will need any proxy-server information in order to configure OfficeScan server to be able to reach the Internet.
Ping the localhost (command line: ping localhost) and ping the gateway
Verify basic browser functionality. Load internal class web page or other site (www.google.com, for example) as told by your instructor.
Ensure DNS functionality by pinging your workstation by name. If your lab setup includes one or more separate client machines, ensure that all of your machines can ping each other by name.
Verify location of OfficeScan software, activation codes, and test virus file.
Confirm that you have administrator login name and password for your computer.
Collect and verify Active Directory information as provided by your instructor.

Result
You have verified that your lab computer is functional and that it meets the minimum system requirements for installing OfficeScan server and client software.

Activity 2.2 > Install OfficeScan Server

Scenario
You have successfully validated the baseline functionality of your host system and have documented all relevant configuration parameters. Next, locate your student textbook and its instructions for installing OfficeScan server software. Use these instructions as a reference for completing this activity.

Validation Checklist

Install the OfficeScan server software using these checklist items as guidelines:
  Select to install the OfficeScan server software on this computer.
  To save classroom time, consider skipping the prescan (consult your instructor).
  Install to IIS using the virtual website option. (If your real-world organization requires the use of Apache, briefly consult with your instructor to identify any issues that may be unique in the lab setup.)
  Enable SSL. Pay special attention to port numbers and note those that your system will be using
  Select for the server to be identified by domain name. This will give you more flexibility for testing the possibilities for custom client grouping, but you must also ensure that DNS is functioning properly before selecting this option.
  Note that if you already have activation codes, you will not need to register online.
  Select to install the integrated Smart Scan server. Note that because you are installing to an IIS virtual website, the Smart Scan server SSL port will be 4345.
  Select to install the integrated Web Reputation Service
  Select to install the OfficeScan client software in addition to the server software
  Do not install any of the Cisco NAC components
  Participate in the Trend Micro Smart Feedback program
  Enable the client firewall and select to enable the firewall on server platforms
  Enable spyware/grayware assessment mode for the minimum number of weeks

Result
You have installed the OfficeScan server and the OfficeScan client on your lab computer.

Activity 2.3 > Verify the Installation

Scenario
After installing the OfficeScan server software, you will want to validate the installation in a simple way, by launching the web-based management console, logging in, and briefly navigating a few of its pages. In the next few days, your customer will be adding an IT inventory management system to the test environment that monitors changes to system configurations and reports new software installations. The customer has asked for a list of
  Installation/program directories
  Services and executable names that will be running
  High-level registry keys.

Now would be a good time to verify that these items are correctly listed in the system documentation. (You don't have to write all this information down for the lab activity. Simply verify that the documentation is correct, note any discrepancies and prepare to provide this to your customer.)

Validation Checklist
Launch the management console and log in
Verify that the client status icon appears in the system tray
Verify the location of the OfficeScan program files
  C:\Program Files\Trend Micro\OfficeScan
  C:\Program Files\Trend Micro\OfficeScan Client

View the list of services to identify OfficeScan services (Click: Start > Programs > Administrative Tools > Services or execute the command: services.msc /s)
  OfficeScan Active Directory Integration Service (osceintegrationservice.exe)
  OfficeScan Control Manager Agent (OfcCMAgent.exe)
  OfficeScan Master Service (OfcService.exe)
  OfficeScan NT Listener (TmListen.exe)
  OfficeScan NT Proxy Service (TmProxy.exe)
  OfficeScan NT RealTime Scan (NTRtScan.exe)
  Trend Micro Local Web Classification Server (LWCSService.exe)
  Trend Micro Smart Scan Server (iCRCService.exe)

Launch the Windows task manager to verify these additional modules:
  CNTAoSMgr.exe (client plug-in service manager)
  DbServer.exe (server)
  PccNTMon.exe (client)

Launch the Windows registry editor (regedit.exe) and verify the registry keys
  HKLM\Software\TrendMicroInc.\ServerSetup
  HKLM\Software\TrendMicro\DatabaseBackup
  HKLM\Software\TrendMicro\NSC
  HKLM\Software\TrendMicro\OfficeScan
  HKLM\Software\TrendMicro\PCcillinNTCorp
  HKLM\Software\TrendMicro\RemoteInstall
  HKLM\Software\TrendMicro\Solar

Optional: view the OFCMAS.LOG (server) and OFCNT.LOG (client) logs in the Windows directory.

Result
You have verified the names and locations of OfficeScan components and demonstrated that OfficeScan was installed correctly on your lab computer.
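
The inventory the customer asks for in this activity (directories, services with their executables, running modules, registry keys) can be collected in one pass and kept as a baseline for the inventory management system. The PowerShell script below is an added example, not part of the Trend Micro lab material. The function names, the CSV file name, the standard Windows spacing of the directory paths, and the Wow6432Node fallback for 64-bit Windows are assumptions of this example; registry key names are copied as printed in the checklist.

```powershell
# Added example: inventory check for the Activity 2.3 checklist (PowerShell 2.0+).
# Run it on the lab server from an administrator prompt.
# All names below come from the checklist; adjust any that differ on your system.

$Directories = @(
    'C:\Program Files\Trend Micro\OfficeScan',
    'C:\Program Files\Trend Micro\OfficeScan Client'
)
$ServiceExecutables = @(
    'osceintegrationservice.exe', 'OfcCMAgent.exe', 'OfcService.exe',
    'TmListen.exe', 'TmProxy.exe', 'NTRtScan.exe',
    'LWCSService.exe', 'iCRCService.exe'
)
$ProcessNames = @('CNTAoSMgr', 'DbServer', 'PccNTMon')
$RegistryKeys = @(          # relative to HKLM, as printed in the checklist
    'Software\TrendMicroInc.\ServerSetup',
    'Software\TrendMicro\DatabaseBackup',
    'Software\TrendMicro\NSC',
    'Software\TrendMicro\OfficeScan',
    'Software\TrendMicro\PCcillinNTCorp',
    'Software\TrendMicro\RemoteInstall',
    'Software\TrendMicro\Solar'
)

# Hypothetical helper: one row of the report.
function New-Finding($Category, $Item, $Found, $Detail) {
    New-Object PSObject -Property @{
        Category = $Category; Item = $Item; Found = [bool]$Found; Detail = $Detail
    } | Select-Object Category, Item, Found, Detail
}

function Get-OfficeScanBaseline {
    # 1. Installation/program directories
    foreach ($dir in $Directories) {
        New-Finding 'Directory' $dir (Test-Path -LiteralPath $dir -PathType Container) ''
    }

    # 2. Services, matched by the executable named in the service's image path
    $services = @(Get-WmiObject -Class Win32_Service)
    foreach ($exe in $ServiceExecutables) {
        $svc = $services | Where-Object { $_.PathName -like "*\$exe*" } |
               Select-Object -First 1
        if ($svc) {
            $detail = '{0} [{1}, start mode {2}]' -f $svc.DisplayName, $svc.State, $svc.StartMode
        } else {
            $detail = 'no installed service points at this executable'
        }
        New-Finding 'Service' $exe $svc $detail
    }

    # 3. Additional modules that only show up as running processes
    foreach ($name in $ProcessNames) {
        $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
        $detail = ''
        if ($procs.Count -gt 0) {
            $detail = 'PID ' + (($procs | ForEach-Object { $_.Id }) -join ', ')
        }
        New-Finding 'Process' "${name}.exe" ($procs.Count -gt 0) $detail
    }

    # 4. Registry keys. On 64-bit Windows, keys written by 32-bit components
    #    are redirected under Software\Wow6432Node, so both views are checked.
    foreach ($key in $RegistryKeys) {
        $native = "HKLM:\$key"
        $wow64  = 'HKLM:\' + ($key -replace '^Software\\', 'Software\Wow6432Node\')
        $hit = @($native, $wow64) | Where-Object { Test-Path -LiteralPath $_ } |
               Select-Object -First 1
        New-Finding 'RegistryKey' "HKLM\$key" $hit ([string]$hit)
    }
}

$report = @(Get-OfficeScanBaseline)
$report | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path .\officescan-baseline.csv -NoTypeInformation

# List anything from the checklist that was not found, for the discrepancy notes.
$missing = @($report | Where-Object { -not $_.Found })
if ($missing.Count -gt 0) {
    Write-Warning ('{0} checklist item(s) not found:' -f $missing.Count)
    $missing | ForEach-Object { Write-Warning ('  {0}: {1}' -f $_.Category, $_.Item) }
}
```

Rows with Found = False are the discrepancies to note for the customer; the CSV gives the inventory system a baseline to compare later changes against.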

Exercise 3: Configure Smart Scan

Activity 3.1 > Configure Smart Protection Sources
Suppose that you have a standalone Smart Scan server in addition to your integrated Smart Scan server, and that you want to configure internal clients to connect to the standalone server, first; the Trend Micro Global Smart Scan Server, second; and the integrated server, third. In this activity, you will add the standalone server and the Trend Micro Global Smart Scan Server to your standard list and put the servers in the correct order.
  Go to the Smart Protection > Smart Protection Sources page and click the standard list hyperlink to configure the list to be used by all internal clients.
  Add the standalone server. For the purpose of this lab activity, you do not actually have a standalone server. Invent a URL and do not click Test Connection.
  Add the Trend Micro Global Smart Scan Server (osce105.icrc.trendmicro.com/tmcss), select File Reputation Services and SSL, enter port number 443, and then test the connection. Leave Web Reputation Services unchecked.
  Use the arrows to adjust the order of your list.

Activity 3.2 > Configure Integrated Server Settings and an Update Schedule
In this scenario, although you plan to have a standalone Smart Scan server, you also want clients to be able to query the integrated Smart Scan server as a backup. You want the server to update its pattern file regularly, but not so frequently that updates consume too much bandwidth. Access the Smart Protection > Integrated Server page and set the following:
  Enable the integrated Smart Scan server for both file and web reputation services.
  Enable scheduled updates and set the frequency to every hour.
  Leave the Update Sources at their default settings for updating from the Trend Micro ActiveUpdate servers.

Exercise 4: Configure Client Settings

Activity 4.1 > View Client Status and Configure the Client Tree
Scenario
The client tree viewer on the Networked Computers > Client Management page is a powerful tool for checking the status of clients, grouping clients, configuring client settings, executing various tasks, including scanning, uninstallation, and displaying search results. In a few days, you will be presenting your pilot configuration to your customer's IT management. To prepare for this presentation, you want to do several things:
  Become familiar with the details provided in the content pane of the tree viewer
  Understand how to limit the view of the details provided and group them (that is, how to display antivirus or update status ahead of other details)
  Create a number of domains that are representative of the client's business

Validation Checklist

Locate your client machine in the tree view on the Client Management page
Compare the details provided in the content pane with those provided on the main Summary page.
Use the Status button to view details about your client. Compare the information provided when clicking the Status button to the information displayed in the content pane of the client tree viewer.
Use the drop-down client tree view control to change the order and type of information displayed in the content pane of the client tree.
Add some custom OfficeScan domains to the client tree to represent your customer's business. For example, create OfficeScan domains named: Administration, Engineering, Sales, Marketing, IT-global. You can also create your own. Create at least one multi-tiered structure (that is, one or more domains within a domain).
Delete and rename a few domains to practice for your upcoming presentation.
Move your client from one domain to another.

Result
You have configured and reviewed the status of clients using the client tree in the OfficeScan Management Console.

Activity 4.2 > Configure Client Scan Settings


Scenario
Trend Micro announced the discovery of a virus with a very high destructive potential. The number of infections is on the rise, but a virus outbreak has not yet been declared. As a precautionary measure, you want to scan the network, using the latest available pattern, as soon as possible. Since this is a new virus, you prefer to use ActiveAction scan actions, to leverage Trend Micro research into the virus, instead of your own customized settings.

The announcement, however, went out in the middle of the business day. You do not want your scan to affect productivity, so you've chosen to leverage CPU usage functionality. Changing the CPU usage reminds you that you have a small domain of clients with a number of older computers with limited RAM and CPU capacity and that real-time scanning may be impacting their productivity. You want to reconfigure the real-time scanning configuration for this domain.

Finally, you want to make sure that scheduled scans for all your clients are set to run on the weekends.

Validation Checklist
Use the Networked Computers > Client Management page to configure the Scan Now settings for all computers in the client tree. Make your configuration compliant with these specifications:
  Use IntelliScan
  Scan only two layers of compression on compressed files
  Scan the boot area
  Scan hidden files
  Medium CPU usage
  Don't scan for spyware/grayware
  Use ActiveAction
  Apply to all OfficeScan clients

Select a single domain and configure real-time scan settings according to these specifications:
  Disable real-time scanning for spyware/grayware
  Scan files only as they are being read
  Don't use IntelliScan
  Don't scan compressed files
  Don't use IntelliTrap
  Use ActiveAction
  Make sure that clients back up files before they are cleaned

Discuss with the class and your instructor the risks and benefits of this configuration.

Apply these configuration requirements for scheduled scans to all clients in the tree.
  Enable virus/malware and spyware/grayware scanning
  Scan weekly every Sunday at a time of your choosing
  Scan all scannable files
  Set all other scan settings to create the most rigorous scan possible
  Use ActiveAction
  Disable user notifications

Result
You have configured a manual scan, a real-time scan, and a scheduled scan to meet the requirements of a given scenario.

Activity 4.3 > Change the Scan Mode for One or More Domains
Scenario
You have piloted the Smart Scan scanning method on another OfficeScan server, and you are comfortable with accepting Smart Scan as the scan mode for most clients that will connect to this server. However, to keep network traffic to an absolute minimum for some clients, you want to have them use conventional scanning. The only scan setting that you want to change for the selected clients is the scan method, but you want to have all conventional-scan clients located in a new and separate domain from the one that they were in. You need to create a new domain for your conventional-scan clients, replicate the settings from their prior domain, change the Scan Method setting at the domain level and then move the clients you want to switch to conventional-scan mode into the new domain.

Validation Checklist
Create a new OfficeScan domain. For example, if you have an existing domain called Engineering, create a new domain called csEngineering.
Use Settings > Export Settings on the drop-down menu of the client tree to export the scan settings from the existing domain.
Use Settings > Import Settings on the drop-down menu of the client tree to import the scan settings you just exported and apply those settings to the target domain that you just created and all the computers that belong to it.
Verify that the new domain and the existing domain have the same scan settings.
Change the scan method of the new domain so that all clients that will be added to the domain will be configured to use Smart Scan.
Select an existing client and move that client to your new conventional-scan domain. Allow your client software time enough to receive the notification of the new configuration and make the changes.
Verify that the client is now using conventional-scan and that its scan settings are correct.

Result
You have exported and imported scan settings, configured the scan method for clients to use at the domain level, and have moved one or more clients from one domain to another for the purpose of applying new settings.

Activity 4.4 > Configure Client Privileges


Scenario
By default, OfficeScan assigns a relatively limited set of privileges to clients. However, you want to create a domain that will contain only experienced computer users who need to be able to configure their own scans. They also regularly work odd hours, and need to be able to stop a scheduled scan if it interrupts their work. You want to allow these users to configure their own scanning options. They need to be able to unload the client, but you do not want them to be able to uninstall it or modify OfficeScan files and registries. You also do not want them to be able to deploy their own program upgrades and hot fixes, because it could consume a lot of bandwidth.

You also need to create another domain into which you can move clients who need to have virtually all of their privileges automatically eliminated, except for the ability to enable roaming mode. To complete this activity, you may create two new domains, or use two that you already created in Activity 4.1.

Validation Checklist
Select an existing domain, or create a new domain (named Power Users, for example) and ensure that they have at least these privileges:
  Full configuration capability for all types of antivirus and anti-spyware scanning
  Full control over firewall settings
  Access to all client tabs
  Permission to perform Update Now
  No uninstallation, but allow unloading
  Enabled scheduled update
  Select to display notifications for as many services as possible (Web reputation, behavior monitoring, etc.)
  Restrict access to program files and registry entries

Select an alternate domain or create a new one (named Restricted, for example) and configure the OfficeScan client privileges and other settings for members of this domain to be as restrictive as possible, except for allowing the use of roaming mode.
Right-click the client-icon in the system tray and launch the OfficeScan client console. Click the Settings on the drop-down menu and notice the options available. Notice also which tabs are visible on the main interface.
Then, move your client to the restricted domain. Close the console and wait a few moments for the configuration to be updated. Then, open the console and inspect the changes.
Similarly, move your client to the power users domain, and inspect the changes.

Result
You have configured client privileges for a given scenario.

Activity 4.5 > Enable and Configure WRS


Scenario
Web threats have been an ongoing concern at your company. You have already implemented several gateway devices to protect your internal network, but have no protection for mobile clients. Your boss would like you to stage a small demonstration of how you can apply different policies whenever a mobile client travels outside the corporate network.
NOTE
To demonstrate Web Reputation Services, you will need open Internet access with Internet Explorer properly configured, and your instructor will need to provide you with an acceptable URL that has been identified as likely to harbor web threats. It may not be possible to meet these requirements in all circumstances; please consult with your instructor on details for how to complete this exercise.

Validation Checklist
For the Networked Computers > Computer Location configuration, set the client to use Gateway IP address as its basis for location awareness, add a single, non-existent IP address to the list, and then save the configuration. The tray icon of the client software should subsequently change to show a small checkmark (or tick mark), indicating that its location is determined to be external.
Enable WRS for external computers and set the security level to high.
  Select to block pages that have not been tested by Trend Micro
  Add a custom URL (such as Facebook or Google) to the blocked-URL list.
  Allow clients to send logs to the OfficeScan server.

Disable WRS for internal computers (if no locations are configured, all clients will automatically use the configuration for external computers).
Access the following URLs:
  A URL that appears on the approved list
  The URL you added to the blocked list
  http://Wr21.winshipway.com
  One or more other URLs to test and verify web functions.

Return to the Computer Location configuration and add the legitimate IP address of the current gateway to the configuration and save the configuration.
  The client tray icon should change to reflect the change in location status.
  Attempt to access the same URLs as before and be prepared to explain why there is a difference in results.

Result
You have enabled WRS and have demonstrated its functionality.

Activity 4.6 > Enable and Configure Behavior Monitoring and Device Control
Scenario
Although certain users require extra flexibility and extended privileges to be productive, you and your organization are becoming increasingly concerned about a number of users and a range of unauthorized applications that push the limits of acceptable system usage. You would like to demonstrate for your boss the extent to which OfficeScan behavior monitoring and device control capabilities can be configured to restrict user activity and monitor system activities for unauthorized system changes.

Validation Checklist
Select an existing domain (Restricted, for example) or create a new one and configure the behavior monitoring settings of this domain to be as restrictive as possible.
  Enable malware behavior blocking.
  Enable event monitoring, then enable and deny all system events that can be monitored.
  Add WordPad to the custom list of blocked programs (find and enter the full path).
Select an existing domain (Restricted, for example) or create a new one and configure the OfficeScan device-control capability to monitor device access and deny access to all monitored devices except mapped drives and UNC paths.
Refer to the section titled Post-Installation Considerations for Servers and x64 Desktop Platforms in Chapter 6 of the student manual for information on how to enable behavior monitoring and device control on Windows servers. Using this information, modify the registry of your lab computer to enable the full functionality of as many services as possible.
Move your lab computer into the domain for which you configured behavior monitoring and device control.
Attempt to launch WordPad and take note of the result.
Attempt to access a restricted device and take note of the result.
Move your client back to the domain in which it was located before the start of this activity.
Attempt to launch WordPad and take note of the result.

Result
You have enabled and configured the behavior monitoring and device control capabilities of the OfficeScan client. You have also demonstrated the end-user experience of attempting to perform restricted actions.

Activity 4.7 > Export Client Management Data


Scenario
A fellow IT worker has been working on a management report and she wants to include some graphs based on the numbers of virus and spyware incidents that are displayed in the content pane of the OfficeScan client tree. She asks if you can get her the data in a format that she can manipulate.

Validation Checklist
Select the root icon in the client tree, or the domain to which your client is assigned, and click the Export button.
Save the file to your desktop and use the Notepad application to validate that the exported file contains data about the computers in your selected domain(s).

Result
You have exported client status data in a raw-text format.

Exercise 5: Configure Global Client Settings

Activity 5.1 > Configure Global Scan Settings
Scenario
A number of your mobile users are using the drag-and-drop method to scan individual files they think are suspicious. This is very useful when they are working offsite and frequently must access files on external networks. One of them asks you if you can add scanning to the pop-up menu when she right-clicks on a file in Windows Explorer. You scheduled assessment mode for four weeks, but it has been two weeks, and so far everything is running fine. You would like to end assessment mode. You have just been reading your OfficeScan user guide and, based on its recommendations, you also want to make sure that the OfficeScan server database is excluded from real-time scanning.

Validation Checklist
Review the options available on the Global Client Settings page.
Select the option to add manual scanning to the context (shortcut) menu on client computers.
Disable assessment mode.
Enable the Certified Safe Software Service.
Save your settings.

Result
You have configured several key global client settings.

Activity 5.2 > Configure Global Log Settings
Scenario
You are a consultant and are still conducting a pilot program for a key customer. During this period, you want to create as much log data as possible for the purposes of demonstration and analysis.

Validation Checklist
On the Global Client Settings page, select all those options that will create additional log data and/or send as much log data as possible to the OfficeScan server.
  Scan for cookies and make sure they are logged
  Send firewall log data hourly
  Don't consolidate repetitive virus/malware logs

Result
You have made changes to the global client configuration that affect how log data is managed.

Activity 5.3 > Configure Active Directory Settings
Scenario
The company that you are providing consulting services to wants to do more to leverage its current investment in Active Directory configuration and management. Active Directory configuration in OfficeScan includes global configuration parameters that are used for a number of features, including custom client grouping, compliance assessment, and user-account control. Active Directory settings are configured using the Administration > Active Directory menu items in the main navigation column. As part of your lab setup, you should have at least one test structure within the Active Directory domain on your server. Rely on the direction provided by your instructor to find, and if necessary, create and populate this structure with artificial client computer nodes. Your server computer is located in the default Domain Controllers organizational unit folder.

Validation Checklist
On the Administration > Active Directory > Active Directory Integration page, add the Active Directory domain of your server and enter the domain credentials.
  Encrypt your Active Directory credentials with a simple password (pass, for example) and enter the path to the desktop and a filename such as AD.key, as in: C:\Documents and Settings\Administrator\Desktop\AD.key.
Save and synchronize Active Directory settings.
  Notice how progress is reported at the bottom of the Active Directory Integration page.
  Once complete, verify that the result reported to the right of the enter domain credentials button is successful and that a green checkmark (tick mark) appears.
Use the Scheduled Synchronization page to configure daily automatic synchronizations at 5 a.m.
Verify the result by going to the Networked Computers > Client Grouping page, selecting Custom client groups, and then clicking Add to display the short dropdown menu. Verify that Active Directory is not grayed out and is underlined. (Do not make any actual changes at this time.)
Additionally verify Active Directory integration settings by going to the Administration > User Accounts page. Click Add, and then verify that the Active Directory User or group option is selectable, that is, not grayed out. (Do not make any actual changes at this time.)
Additionally verify Active Directory integration settings by opening the Security Compliance > Outside Server Management page.
  Verify that two warnings appear: "Active Directory domains or IP addresses have not been defined" and "The current outside server management report is out of date". (Do not make any actual changes at this time.)
  In the Active Directory/IP Address Scope box on the right, on the Active Directory tab, verify that the tree is populated with Active Directory data. Click one of the tree objects to expand it to test its baseline functionality. (Do not make any actual changes at this time.)

Result
You have configured the Active Directory integration settings for OfficeScan and have verified that the OfficeScan server can read Active Directory information from the domain controller.

Activity 5.4 > Configure Custom Automated Client Groupings
Scenario
By default, when you install the OfficeScan client software on a new computer, the client appears in the client tree under its NetBIOS domain name. You can change grouping selection on the Networked Computers > Client Grouping page from NetBIOS-based grouping to Active Directory domain or DNS domain, but with these selections, only new clients added to the tree are affected. Selecting custom client groups, however, includes an automatic regrouping client function based on the Active Directory grouping or IP address assignment of the client when it is initialized to the OfficeScan server, for example, on reboot or unload and reload.
NOTE
The baseline lab setup requires your server machine to function as the OfficeScan server, an OfficeScan client, and a domain controller for Active Directory services. Your server machine, as the domain controller, will be placed in the default Domain Controllers organizational unit within Active Directory automatically. Although you can move this computer object from its default location to an alternate organizational unit within a custom Active Directory tree structure, doing so can prevent your existing setup from functioning properly. Therefore, when attempting to define rules that affect your server's OfficeScan group membership, it is a good idea to do so without also moving the server's AD computer object.

You would like to test custom-client grouping (and re-grouping) by creating one or more groups determined by an existing Active Directory structure and by creating a group based on IP address that will include your server machine.

Validation Checklist
On the Networked Computers > Client Grouping page, click to Add an Active Directory-based automatic client grouping.
  Select to enable the new grouping rule.
  Give the group a name that is descriptive of the items in the Active Directory tree that you will select.
  Select the test structure from within the Active Directory tree display.
  Select to duplicate the Active Directory structure into the client tree.
  Create a new group beneath the root-level OfficeScan Server icon.
  Save the configured grouping rule.
  Verify that the new rule appears in the automatic client-grouping list.

Add an IP-address-based automatic client grouping that includes your server client.
  Select to enable the new grouping rule.
  Give the group a descriptive name, like Domain Controller.
  Enter the IP address of your server client.
  Create a new OfficeScan group in the client tree with a descriptive name, like Domain Controller.
  Save the configured grouping rule.
  Verify that the new rule appears in the automatic-client-grouping list.
Make the IP-address-based grouping rule the first in the list.
  Hover your mouse over the list entries to see the details section to the right populated with additional profile information about the rule.
  Verify that the status column reflects that both rules are enabled.
Enable scheduled domain creation to occur daily at 5:30 a.m.
Click Save and Create Domain Now.
  Monitor the progress of the task as reported dynamically to the console page.
  Verify the task completes successfully and note the reported finish date and time.
Return to the Networked Computers > Client Management page and note the changes.
  Verify that the Active Directory structure is created beneath the proper group name.
  Verify the existence of the separate group that is to include your server client.
  Verify that your server client is still located in the group that it was in prior to configuring the grouping rules.
  Click to view the Manage Client Tree dropdown menu and notice that the options to add and rename domains are grayed out.
  Attempt to drag your server client to a different location within the client tree and verify that this action is no longer allowed.
Unload and reload the client software on your server and verify that when it reconnects to the OfficeScan server its group membership is automatically changed.
Remove the OfficeScan groups that you created before you enabled the custom client grouping feature.
Perform any additional testing steps as directed by your instructor and be prepared to discuss the meaning of the differences between using custom client grouping and any one of the three other options for grouping clients.

Result
You have changed the way that clients are grouped by default in the client tree and have enabled the automated regrouping of clients based on IP address and/or Active Directory container.

Exercise 6: Prevent Outbreaks

Activity 6.1 > Configure Outbreak Prevention
Scenario
You have discovered a new and quickly spreading threat that is using port 21 and 21210 to propagate.

Validation Checklist
On the Networked Computers > Outbreak Prevention page, select the root of the client tree and click Start Outbreak Prevention.
Enable the Outbreak Prevention Policy to block ports.
Use the Outbreak Prevention Settings > Port Blocking page to:
  Add port number 21210 (incoming and outgoing) for TCP and UDP
  Select port 21 File Transfer (FTP) and the added port number 21210
  Save your configuration settings
Enable user notification and modify the message that will be sent to users.
Start outbreak prevention. Notice the display of the user message.
Return to the client tree view, select the domain in which your client resides, and verify that a green tick mark appears in the OPP column.

Result
You have configured the Outbreak Prevention settings to block traffic on port 21 and 21210.

Activity 6.2 > Standard Notifications


Scenario
As you continue to test your pilot OfficeScan deployment, you want to receive notifications sent to administrators as often as possible and in as many ways as possible. But you want to reduce the amount of information given to users about threat detections.
NOTE
To receive email alerts, your lab configuration must include an SMTP server and your instructor will need to provide you with the SMTP server IP address, port number and an email address. This setup will not be available in all situations; consult your instructor for details.

Validation Checklist
If your lab setup supports it (see the note above), use the Notifications > Administrator Notifications > General Settings page to enter SMTP information in the Email Notification section.
Use the Notifications > Administrator Notifications > Standard Notifications page to:
  Set the criteria to send notifications as often as possible.
  Enable and configure Email notifications
  Enable NT Event log notifications
Use the Notifications > Client User Notifications page to make these modifications:
  Remove the second sentences in the default messages for virus/malware detections and infection source notifications, for the spyware/grayware notification, and for the firewall violation notification.
  Replace the deleted sentences with a request that the user immediately contact you for assistance. Include your cell phone and pager numbers: Contact {Your name} immediately for assistance! Cell: {Your cell phone number} Pager: {Your pager number}

Result
You have configured standard alerts and have customized client notification messages.

Activity 6.3 > Outbreak Notifications


Scenario
During the last two years, virus attacks have increased during the months of September and October. To provide extra protection during these months, you want to configure the threshold for Outbreak Notifications to three viruses being detected within a one-hour interval.

Validation Checklist
Use the Notifications > Administrator Notifications > Outbreak Notifications page to:
  Set the virus/malware outbreak criteria to three detections in one hour
  Enable Email notification for all outbreak notifications
  Enable system event logging for virus/malware and spyware/grayware outbreaks.

Result
You have configured OfficeScan to alert you if three viruses are detected during a 60-minute interval.

Activity 6.4 > Test the Alert Settings


Scenario
In this activity, you will use the European Institute of Computer Anti-Virus Research (EICAR) virus to test the alert settings that you configured in Activity 6.1.

Validation Checklist
Copy the EICAR virus to the desktop.
Use the Windows system Event Viewer (launch eventvwr.msc /s or click Start > Programs > Administrative Tools > Event Viewer) to find the log entry for the virus event.
Copy the EICAR file to the desktop two more times.
Use the Event Viewer to find the log entry for the outbreak event.

Result
You have used the EICAR virus to test your notification settings.
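
The three-detections-in-one-hour criterion from Activity 6.3, and the one-copy-then-two-more test in Activity 6.4, can be modelled as a sliding-window count. This is an added example, not OfficeScan code or part of the lab textbook; the log layout, the host and threat names, and the sliding-window interpretation of the threshold are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample detections ("timestamp,computer,threat"). This is NOT the
# OfficeScan log format; the host and threat names are made up for the example.
SAMPLE_LOG = """\
2010-09-14 09:02:11,LAB-SRV01,EICAR-test
2010-09-14 09:15:40,LAB-SRV01,EICAR-test
2010-09-14 09:16:05,LAB-SRV01,EICAR-test
2010-09-14 09:20:30,LAB-SRV01,EICAR-test
this line is malformed and is skipped
2010-09-14 13:30:00,LAB-SRV01,EICAR-test
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_detections(text):
    """Return sorted detection timestamps, ignoring blank or malformed lines."""
    stamps = []
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) != 3:
            continue
        try:
            stamps.append(datetime.strptime(fields[0].strip(), TIME_FORMAT))
        except ValueError:
            continue
    return sorted(stamps)


def find_outbreaks(stamps, threshold=3, window=timedelta(hours=1)):
    """Return the times at which `threshold` detections fall inside `window`.

    Assumed model: a trailing sliding window. One alert is raised when the
    count first reaches the threshold; further detections in the same burst
    do not re-alert until the count has dropped below the threshold again.
    """
    recent = deque()
    alerts = []
    in_outbreak = False
    for ts in stamps:
        recent.append(ts)
        # Drop detections that are a full window (or more) older than this one.
        while ts - recent[0] >= window:
            recent.popleft()
        if len(recent) < threshold:
            in_outbreak = False
        elif not in_outbreak:
            in_outbreak = True
            alerts.append(ts)
    return alerts


if __name__ == "__main__":
    for alert in find_outbreaks(parse_detections(SAMPLE_LOG)):
        print("outbreak threshold reached at", alert)
```

The first two detections produce only ordinary virus events; the third one inside the hour is what crosses the outbreak threshold, which matches the order of entries the checklist asks you to look for in Event Viewer.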

Exercise 7: Configure Administration Settings

Activity 7.1 > Create Custom Roles and Add a User Account
Scenario
In this activity you will create at least two custom user roles, and then create a user account and assign it to that role. First you want to add a new role called Top-level Admin and assign to that role all of the rights and privileges across the entire client tree. Next you want to create a role for a View-only Auditor that has access to only a portion of the client tree and has only enough privileges to allow view access to overall status and log data.

Validation Checklist
Click Administration > User Roles and then Add to begin.
  Name your role and give it a description.
  Click Define Client Tree Scope, make the appropriate selection(s), and then click Save.
  Select/deselect view and configure rights according to the needs of the role that you are creating and Save.
  Repeat the process for the second role.
Add a user account using the Administration > User Accounts page.
  Click Add from Active Directory.
  Query your local domain for the administrator account (or other valid user account)
  Assign the account to one of the roles that you just created.
Test your account by logging in to the management console with the username and password you gave it. Note any differences in the management console when logged in as this user instead of as the root administrator.
Think about the types of roles that would be suitable for your particular company, or one that you know about. Be prepared to share your ideas about possible user types and how they might be implemented using the OfficeScan tools available.

Result
You have configured custom user roles and added one or more Active Directory users to the system.

Activity 7.2 > Configure Quarantine Manager


Scenario
Whenever a client detects malware in a file and the scan configurations for that type of malware are set to Quarantine, OfficeScan encrypts the infected file and sends it to the quarantine folder on the server. You can configure the capacity of the quarantine folder and the maximum file size for every infected file that can be stored in it. In this activity, you will increase the size of the quarantine folder because you manage a large network that includes 4000 workstations.

Validation Checklist
Use the Administration > Quarantine Manager page to increase the capacity of the quarantine folder to 20480 MB.
Click the Save Quarantine Settings button.
Click OK in response to the dialog box to confirm that you want to modify the quarantine settings.

Result
You have doubled the amount of server hard disk space reserved for quarantined files.

Exercise 8: Deploy OfficeScan Clients

OfficeScan provides tools for configuring, deploying, and updating OfficeScan clients across the enterprise. In this exercise, you will:
  Modify the Windows Server login script to automate OfficeScan Client installations and updates for all clients that log into the Windows network
  Create a client setup package to deploy the OfficeScan Client to users at a remote office
  Verify OfficeScan Client functionality on your computer

Activity 8.1 > Modify the Server Login Script
Scenario
Login scripts enable you to automate OfficeScan Client installations for unprotected computers that log on to the network, and to automatically update virus pattern files and client program components when existing OfficeScan clients log on to the network. In this activity, you will use the Login Script Setup tool to automatically modify the Windows login script.

Validation Checklist
Launch the Login Script Setup program by clicking Start > Programs > Trend Micro OfficeScan Server-{Server Name} > Login Script Setup.
Select the local server from the domain/workgroup tree to create an OfficeScan login script.
Enter the appropriate username in the Connect As field and enter the corresponding password in the Password field.
Add Guest and IUSR_{YourServerName} to the selected users list, and then click Apply. The Login Script Modified dialog box appears to confirm the login script modifications.
Click OK and then Exit. The selected users and user groups will now automatically receive OfficeScan client installations and updates.
Verify that OfficeScan created the C:\WINNT\SYSVOL\DOMAIN\SCRIPTS\OFCSCAN.BAT file that contains the login script modifications.

Result
You have modified the login script to install the OfficeScan client.

Activity 8.2 > Create a Client Setup Package
Scenario
Client Packager can create executable (.exe) files and Microsoft Installer Package Format (.msi) files. In this activity, you will use the Client Packager to create a setup file in the .msi format for deployment to a remote office with Windows XP clients.

Validation Checklist
Launch the file C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\ClientPackager\ClnPack.exe.
Select to create an MSI package for Windows 32-bit operating systems.
Click the button next to the Output file text box and select to save the file to the desktop with the name of OfficeScanSetup.msi. Click Save.
Click Create. Look for the progress indicator.
Click OK in response to the confirmation that the package was successfully created. Click Close, and then verify the MSI file appears on your desktop.
NOTE
In your lab environment, you may not be able to execute the client setup package because the OfficeScan Client is already installed on your server computer. In addition, you will not be able to email the client setup package if an SMTP server is not available. In a production environment, you can make the client setup package available to users by placing it in a shared network directory or you can email it by pressing the Send Mail button in the Client Packager dialog box.

Result
You have created a client setup package.

Exercise 9: Update and Deploy OfficeScan Components

Activity 9.1 > Manually Update and Deploy Components
Scenario
There are times, such as after a virus outbreak, when you should manually update the OfficeScan components and deploy these components to all OfficeScan clients. You should also manually update the server after it is initially installed.

Validation Checklist
Update the server.
  Verify that the Trend Micro ActiveUpdate server is listed as the update source on the Updates > Server > Update Source page.
  Use the Updates > Server > Manual Updates page to select all components and update the server.
  Monitor the progress of the update process as shown on the Manual Update Progress page.
After the server is updated, deploy the updates.
  Use the Updates > Networked Computers > Manual Update page to update all components on all clients with outdated components.
  Click Initialize Update and then OK to confirm the action.
Use the Logs > Networked Computer Logs > Component Update page to view the progress and the details of the notification event.

Result
You have manually updated the OfficeScan components and manually deployed the updates to your OfficeScan client.

Activity 9.2 > Configure an Update Agent


Scenario
You manage a company that recently opened a branch office in another city. To decrease the amount of traffic that is sent over the WAN link between the main office and the branch office, you want to configure an update agent at the branch office. Updates for OfficeScan will then be sent only once over the WAN link. You have assigned the following range of IP addresses to the workstations at the branch office: 192.168.115.80 to 192.168.115.100.

Validation Checklist
Use the client tree viewer on the Networked Computers > Client Management page to select your client.
  On the toolbar, click Settings > Update Agent Settings and select to enable update-agent functionality on the selected client. Click Save and then Close.
  A green tick mark will appear in the Update Agent column in the content pane of the client tree viewer and the computer icon will change when update-agent functionality is enabled.
Use the Updates > Networked Computers > Update Source page to configure clients to use the new update agent.
  Select the Customized Update Source radio button and click the Add button under the heading Customized update source list.
  On the Add IP Range and Update Source page, enter the range 192.168.115.80 to 192.168.115.100 and select Update agent as the update source and select your lab computer using the drop-down menu. Click Save.
  Click Notify All Clients. A message appears, reporting that the clients have been notified. Then, click Back.
  On the Update Source (Networked Computers) page, verify that the option Update Agent: always update from standard update source (OfficeScan server) is selected and click Save.
Use the Updates > Server > Scheduled Updates page to enable scheduled updates for all components daily and to start update notifications at midnight and update for a period of two hours.
Use the Updates > Networked Computers > Automatic Update page to initiate component updates on clients immediately after the OfficeScan server downloads a new component.

Result
You have configured an update agent and specified which clients should download updated components from the update agent.
You have automated server updates and have enabled an event-triggered, automatic deployment.

Exercise 10: Configure Settings on the Client Console

In this lab exercise, you will use the OfficeScan Client Console to configure scan options and to configure the Enterprise Client Firewall. You will also test your settings.

Activity 10.1 > Configure Scan Options from the OfficeScan Client Console
Scenario
Because you are a knowledgeable computer user, the network administrator at your company has granted you the client privileges you need to configure your own scan options. Your computer was infected by a virus just last month, and you lost time cleaning the infected files and restoring all the services on your computer. To prevent this from happening again, you want to configure OfficeScan to scan every file and to scan for all types of threats.

Validation Checklist
Use the Networked Computers > Client Management page to enable all features and all rights possible for your OfficeScan client.
Open the OfficeScan client console and configure the options for real-time scans according to these criteria:
  Scan all scannable files and apply real-time scanning to files as they are being created/modified and as they are received.
  Scan the floppy disk at shutdown, enable IntelliTrap, and select to scan compressed files as many layers deep as you can.
  If you can, apply this same level of scanning to anti-spyware scanning.
  Use the clean action for anti-spyware.
  For antivirus scanning, use customized scan actions and apply a specific action for each virus/malware type:
    o For Joke, select Clean and Quarantine
    o For Trojan, select Quarantine
    o For Virus, select Clean and Quarantine
    o For Test Virus, select Quarantine
    o For Packer, select Quarantine
    o For Other, select Clean and Quarantine

Result
You have configured the scan options using the OfficeScan Client Console.

Activity 10.2 > Configure OfficeScan Firewall from the Client Console
Scenario
In this activity, you will use the OfficeScan Client Console to enable the OfficeScan firewall and configure it to block inbound and outbound Telnet connections.

Validation Checklist
Launch the client console and click the Firewall tab to display the current firewall settings.
Select to enable the firewall, intrusion detection systems (IDS), and notifications.
Select the network card from the network card list, and click Edit to access the exception rule list.
  Click Add and use the exception rule dialog box to add a Block Telnet rule that denies inbound and outbound network traffic on the specified TCP port 23 for all computer addresses.
  Apply the new rule to the firewall traffic filter and click Yes to confirm the action.

Result
You have used the OfficeScan client console to configure the firewall.

Activity 10.3 > Test Your Settings


Scenario
In this activity, you will test your scan and firewall settings.


Validation Checklist
Test the scan options:
Copy the European Institute of Computer Anti-Virus Research (EICAR) test virus to the desktop. An alert appears, reporting that OfficeScan detected a virus.
Click the virus name to view details about the virus, including the action taken.

Test your firewall settings:
Open a Command Prompt.
Try to launch a telnet session by entering the following command:
telnet Lab_Computer_IP_Address
A message appears at the command line, reporting that a telnet session could not be established. Then an OfficeScan alert message appears, reporting that OfficeScan detected a problem, such as a firewall violation or a network virus. Your lab computer is now blocked.
Navigate to the logs tab and view the firewall logs to inspect the details of the blocked connection.

Result
You have tested the scan options that you configured from the OfficeScan client console.
You have tested the OfficeScan firewall settings that you configured using the OfficeScan client console.


Exercise 11: Configure OfficeScan Firewall

In this lab exercise, you will configure the OfficeScan firewall using the OfficeScan management console.

Activity 11.1 > Create a Policy

Scenario
You manage the network for a computer software company that is working on a new product. You have been asked to secure the lab computers so that only the software engineer can access them.

Validation Checklist
Use the Networked Computers > Firewall > Policies page to open the Policy Editor by clicking Add in the toolbar.
Create and save a new policy that meets these specifications:
Name: Lab Computers
Default security level: High
Enable the firewall, IDS, and notification options
Enable the local and global Certified Safe Software lists.
Remove/delete all exceptions except for DNS, HTTP and HTTPS
Edit the HTTP and HTTPS policies to limit allowed inbound/outbound HTTP and HTTPS traffic to a range of IP addresses that includes your client/server.
Verify that your new policy appears in the list on the Firewall Policies for Networked Computers page.

Result
You have configured a policy for a given scenario.


Activity 11.2 > Create a Profile


Scenario
In this activity, you will create a profile for the scenario outlined at the beginning of this lab exercise.

Validation Checklist
Use the Networked Computers > Firewall > Profiles page to add a profile by clicking Add in the toolbar.
Configure and save a new profile that meets these criteria:
Name: Test Computers
Description: Profile for computers testing new software.
Policy: The Lab Computers policy you created in the previous activity
IP address: a range of IP addresses that includes your lab computer
Platform: Windows Server (Server 2003, Server 2008)
Assign the profile to clients.

Result
You have applied a custom firewall policy to a specific set of computers.

Activity 11.3 > Test the OfficeScan Firewall Settings


Scenario
In this activity, you will test the profile and the policy you created in the activities above.

Validation Checklist
Open a Command Prompt and attempt to start a Telnet session by entering:
telnet Lab_Computer_IP_Address
A message appears at the command line, reporting that a telnet session could not be established. Then an OfficeScan alert message appears, reporting that OfficeScan detected a problem, such as a firewall violation or a network virus. Your lab computer is now blocked.
Open the OfficeScan client console, click the Logs tab, select Firewall Logs, and click View Logs to view details about the event.


Return to the web-based management console and use the Networked Computers > Firewall > Profiles page to disable the Lab Computers profile.
Click the name Lab Computers to edit the profile.
Deselect the Enable this profile option and click Save.
Assign the profile to clients.

Result
You have tested the policy and profile you created in prior activities. You have disabled the profile you created in Activity 11.2.
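
The policy and profile from Activities 11.1 to 11.3 can be reasoned about as a small rule evaluator, which shows why the Telnet attempt is blocked and what changes when the profile is disabled. The Python model below is an added example, not OfficeScan code or part of the original lab; the IP range is constructed, and it assumes that security level High blocks any traffic that no exception allows.

```python
"""Simplified model of the Exercise 11 policy and profile (not OfficeScan code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class IPRange:
    first: str
    last: str

    def __contains__(self, addr: str) -> bool:
        return ip_address(self.first) <= ip_address(addr) <= ip_address(self.last)


@dataclass(frozen=True)
class AllowException:
    name: str
    protocols: frozenset
    port: int
    remote: Optional[IPRange] = None  # None means any remote address


# Constructed lab addressing; substitute the range used in your own lab.
LAB_RANGE = IPRange("192.168.10.1", "192.168.10.50")

POLICY = {
    "name": "Lab Computers",
    # Assumption: security level High blocks inbound and outbound traffic
    # unless an exception allows it.
    "default": "block",
    "exceptions": [
        AllowException("DNS", frozenset({"tcp", "udp"}), 53),
        AllowException("HTTP", frozenset({"tcp"}), 80, LAB_RANGE),
        AllowException("HTTPS", frozenset({"tcp"}), 443, LAB_RANGE),
    ],
}
PROFILE = {"name": "Test Computers", "clients": LAB_RANGE,
           "policy": POLICY, "enabled": True}


def evaluate(client_ip, remote_ip, protocol, port, profile=PROFILE):
    """Return (verdict, matching exception name or None) for one connection."""
    if not profile["enabled"] or client_ip not in profile["clients"]:
        return ("not-applied", None)  # another profile governs this client
    for exc in profile["policy"]["exceptions"]:
        if (protocol in exc.protocols and port == exc.port
                and (exc.remote is None or remote_ip in exc.remote)):
            return ("allow", exc.name)
    return (profile["policy"]["default"], None)


if __name__ == "__main__":
    for case in [("192.168.10.20", "192.168.10.5", "tcp", 23),
                 ("192.168.10.20", "192.168.10.5", "tcp", 443),
                 ("192.168.10.20", "203.0.113.9", "tcp", 80)]:
        print(case, "->", evaluate(*case))
```

The second and third cases show the effect of the IP range restriction: the same HTTP or HTTPS port is allowed for a peer inside the range and blocked for one outside it.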


Exercise 12: Detect Vulnerable Computers

Activity 12.1 > Manually Scan Computers
Scenario
You have just been hired as the network administrator for the Toys.com company. The company president is concerned about the number of virus infections that the company has experienced in the past and has been reading about network viruses such as Blaster and SQL Slammer. To reassure the company president, you want to figure out which computers are not running antivirus software and immediately install it. You also want to send the president a report, showing him detailed information about each computer on the network. Finally, you want to receive an email message when the vulnerability scan is completed.

Validation Checklist


Using Windows Explorer, browse to the C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\TMVS folder.
Double-click the TMVS.exe file.
In the From and To fields, enter a range of IP addresses that includes the IP address of your lab computer.
Configure the settings for the scan by clicking the Settings button. The Settings window appears.
Accept the default settings for the Product Query section. As you can see, OfficeScan checks for third-party products as well as Trend Micro products.
For Method for retrieving computer descriptions, select Normal.
Configure Notifications.
o Select Email results to the system administrator and click Configure.
o When the Email Alert dialog box appears, enter Admin@Toys.com in the To and From fields.
o In the SMTP field, enter Toysemail.
o Edit the Subject line to read: Vulnerability Scanner results.
o Click OK.

For Save As CSV File, select Automatically save the results to a CSV file and accept the default location.
Accept the default Ping Settings.
Select Auto-install OfficeScan Client for unprotected computer.
Click OK.
Click Start. After the Vulnerability Scanner checks your lab computer, it displays a detailed series of results.
Check the C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\TMVS folder to see if the CSV file was created.

Result
You have configured the settings for the Vulnerability Scanner and have run a manual scan. You have viewed the results in a CSV file.

Activity 12.2 > Configure a Scheduled Task for Vulnerability Scans


Scenario
The president of Toys.com is pleased by the report that you sent him. However, he wants to know how you will ensure that the computers, both existing and new, remain protected by antivirus software.

Validation Checklist
Configure a scheduled task.
In the Vulnerability Scanner console, click Add/Edit under Scheduled Tasks. The Scheduled Task dialog box appears. Use these settings:
Task Name: Security Policy check
IP Address Range: a range that includes the IP address of your lab computer.
Start time: 02:00
Frequency: weekly, every Sunday
Settings: Use current settings.
Click OK. You are returned to the main window of the Vulnerability Scanner.

Configure a DHCP scan.
Click the DHCP tab under Results.


Click the DHCP Start button. The Vulnerability Scanner will now check any computer that requests an IP address from the DHCP server.
Click Exit.

Result
You have configured a scheduled vulnerability scan. You have configured a DHCP scan.

Activity 12.3 > Perform a Security Compliance Query

Scenario
There's a new CIO at Toys.com. He wants to understand which of the management products you are using work with Active Directory. You explain the single-sign-on integration for administrative accounts in OfficeScan. You also want to show him the Security Compliance dashboard after running a security compliance query.

Validation Checklist
Use the Security Compliance > Outside Server Management page to define the Active Directory domain / IP address scope to include everything in the domain. Click Save only. Note the change in the appearance of the Outside Server Management page.
Perform a server management query to get the latest information about your domain by clicking Query Now.
Verify the Security Status of the computers in the domain. Computer objects that you have defined in the Active Directory tree that do not actually exist will appear as unreachable.
Using the client console interface, disable the firewall and scheduled update features.
Use the Security Compliance > Compliance Assessment > Compliance Report page to run a new assessment on all computers in the client tree.
Note the results. The client you modified should be reported as having settings that are inconsistent with the domain settings to which the client belongs.
Select the client and click Apply Domain Settings.
Verify that the settings have been restored, except for the firewall. Note that the firewall is not part of the tabbed Settings report on the Compliance Report page.
Re-enable the firewall manually and reassess the domain.


Result
You have run an Active Directory-based Security Compliance query and have tested the results.


Exercise 13: View OfficeScan Logs

Activity 13.1 > View Firewall Logs
Scenario
In this activity, you will notify the OfficeScan client to upload its firewall logs, and you will view those logs.

Validation Checklist
In the OfficeScan management console, use the Logs > Networked Computer Logs > Security Risks page to select the domain in which your client resides.
On the toolbar, click View Logs > Firewall Logs to display the Firewall Log Criteria page.
Click Notify Clients, and then click OK in response to the confirmation.
Wait a few minutes for the client to upload the logs to the OfficeScan server, click View Firewall Logs, then review the details about the recorded events.

Result
You notified the client to send its Firewall logs to the server. You viewed the client's Firewall log.

Activity 13.2 > View Virus/Malware Logs

Scenario
In this activity, you will view the virus logs that were generated when you tested the scan settings in this lab.

Validation Checklist
In the OfficeScan management console, use the Logs > Networked Computer Logs > Security Risks page to select the domain in which your client resides.


On the toolbar, click View Logs > Virus/Malware Logs to display the criteria selection page.
Select these log display criteria:
Time period: Last 24 hours
Scan Types: select all types
Sort by: Scan Types.
Click Display Logs.

Result
You have viewed the virus log. You have viewed the details for one record in the virus log.


Exercise 14: Creating a Client Update Package (Optional Activity)
In this activity, you will use the Client Packager to create an update file in the .exe format for deployment to a remote office. The update package will include Common Firewall Driver and Network Virus Pattern updates, as well as Wireless Protection for all Palm wireless clients at the remote office.
1. From the Windows desktop, double-click the My Computer icon. The My Computer window appears.
2. In the My Computer window, navigate to Local Disk (C:)\Program Files\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\ClientPackager. The Client Packager window appears.
3. Double-click the ClnPack.exe icon. The Client Packager dialog box appears.
4. In the package type section, select Update.
5. In the Windows operating system type drop down list, select 32-bit.
6. In the Components section, click the Program check box to de-select it. The grayed out options in the Components section become available.
7. In the Component section, click the Scan Engine, Virus pattern/Additional threats pattern, and DCE/DCT check boxes to de-select them. (The Common Firewall Driver and Network Virus Pattern components should now be the only components selected.)
8. In the Client Utilities section, select the Wireless Protection check box.


9. Click the (ellipses) button next to the output file field. The Save As window appears with the Windows desktop as the default destination. Enter Update in the file name field. Click the Save button.
10. In the Client Packager dialog box, click the Create button to create the Update.exe file on the desktop of your lab computer.
11. A dialog box appears to confirm that the client package was successfully created. Click the OK button.
12. In the Client Packager dialog box, click the Close button.
NOTE
In a production environment, you can make the client update package available to users by placing it in a shared network directory, or you can email it by pressing the Send Mail button in the Client Packager dialog box.

Activity 14.1 > Verify Connections


OfficeScan displays the connection status of clients in the OfficeScan client tree. However, certain conditions may prevent the client tree from correctly displaying the connection status of clients. For example, the network cable may become unplugged. You can use the OfficeScan Management Console to verify client connections manually or automatically. In this exercise, you will schedule OfficeScan to verify the connection status of all OfficeScan clients.
1. In the sidebar of the OfficeScan Management Console, click Clients. The Clients page displays the OfficeScan client tree in the right pane of the window.
2. Select the OfficeScan server and click Verify Connection in the sidebar of the OfficeScan Management Console. The Verify Connection page appears.
3. Click the Scheduled Verification tab.
4. Select Enable scheduled verification.
5. Select Daily and enter 24 00 as the start time.
6. Click Save.

Result
You configured a scheduled verification event.
