TCSP/TCSE Training Course
Lab Textbook
Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user.
Portions of this manual have been reprinted from the Trend Micro OfficeScan 10.5 Installation and Upgrade Guide, copyright 1998-2010, Trend Micro, Inc.; Trend Micro OfficeScan 10.5 Administrator's Guide, copyright 1998-2010, Trend Micro, Inc.; and the Trend Micro Smart Scan for OfficeScan Getting Started Guide, copyright 2009-2010, Trend Micro, Inc.
Copyright 1998-2010 Trend Micro Incorporated. All rights reserved. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.
Trend Micro, the Trend Micro t-ball logo, TrendLabs, and OfficeScan are trademarks or registered trademarks of Trend Micro, Incorporated. All other brand and product names are trademarks or registered trademarks of their respective companies or organizations.
Program Manager: Tom Brandon
Editorial: Alexander Sverdovskva
Released: August 2010 v3.6
Administrator Track
Table of Contents
Exercise 1: Validate Lab Setup
Activity 1.1 > LAN Requirements
Activity 1.2 > Server Requirements
Activity 1.3 > Lab Preparation
Your lab server should meet these minimum operating-system requirements:
Windows Server 2003 with Service Pack 2 or later, installed as a standalone server / primary
Microsoft Internet Information Server (IIS) 6.0 or later (7.0 for Server 2008)
Microsoft Internet Explorer 7.0 or later
NOTE
Because the OfficeScan client can run on the Windows Server platform, you can demonstrate most OfficeScan features using a single server machine. It is also possible to implement the server configuration within a virtual machine. Your classroom setup may, additionally, provide you with one or more additional real or virtual machines as clients. Follow your instructor's guidance with regard to modifications and caveats to the basic lab setup.
The European Institute of Computer Anti-Virus Research (EICAR) test virus file
Optional: SMTP server information (for your local machine or classroom server) and email addresses
Validate network connectivity
Verify and note IP configuration (command line: ipconfig /all)
Collect any other network service information that may be required from your lab instructor. For example, ask your instructor to confirm whether you will need any proxy-server information in order to configure OfficeScan server to be able to reach the Internet.
Ping the localhost (command line: ping localhost) and ping the gateway
Verify basic browser functionality. Load internal class web page or other site (www.google.com, for example) as told by your instructor.
Ensure DNS functionality by pinging your workstation by name. If your lab setup includes one or more separate client machines, ensure that all of your machines can ping each other by name.
Verify location of OfficeScan software, activation codes, and test virus file.
Confirm that you have administrator login name and password for your computer.
Collect and verify Active Directory information as provided by your instructor.
Result
You have verified that your lab computer is functional and that it meets the minimum system requirements for installing OfficeScan server and client software.
Select to install the OfficeScan server software on this computer.
To save classroom time, consider skipping the prescan (consult your instructor).
Install to IIS using the virtual website option. (If your real-world organization requires the use of Apache, briefly consult with your instructor to identify any issues that may be unique in the lab setup.)
Enable SSL. Pay special attention to port numbers and note those that your system will be using
Select for the server to be identified by domain name. This will give you more flexibility for testing the possibilities for custom client grouping, but you must also ensure that DNS is functioning properly before selecting this option.
Note that if you already have activation codes, you will not need to register online.
Select to install the integrated Smart Scan server. Note that because you are installing to an IIS virtual website, the Smart Scan server SSL port will be 4345.
Select to install the integrated Web Reputation Service
Select to install the OfficeScan client software in addition to the server software
Do not install any of the Cisco NAC components
Participate in the Trend Micro Smart Feedback program
Enable the client firewall and select to enable the firewall on server platforms
Enable spyware/grayware assessment mode for the minimum number of weeks
Result
You have installed the OfficeScan server and the OfficeScan client on your lab computer.
Now would be a good time to verify that these items are correctly listed in the system documentation. (You don't have to write all this information down for the lab activity. Simply verify that the documentation is correct, note any discrepancies, and prepare to provide this to your customer.)
Validation Checklist
Launch the management console and login
Verify that the client status icon appears in the system tray
Verify the location of the OfficeScan program files
C:\Program Files\Trend Micro\OfficeScan
C:\Program Files\Trend Micro\OfficeScan Client
View the list of services to identify OfficeScan services (Click: Start > Programs > Administrative Tools > Services or execute the command: services.msc /s)
OfficeScan Active Directory Integration Service (osceintegrationservice.exe)
OfficeScan Control Manager Agent (OfcCMAgent.exe)
OfficeScan Master Service (OfcService.exe)
OfficeScan NT Listener (TmListen.exe)
OfficeScan NT Proxy Service (TmProxy.exe)
OfficeScan NT RealTime Scan (NTRtScan.exe)
Trend Micro Local Web Classification Server (LWCSService.exe)
Trend Micro Smart Scan Server (iCRCService.exe)
Launch the Windows registry editor (regedit.exe) and verify the registry keys
HKLM\Software\TrendMicroInc.\ServerSetup
HKLM\Software\TrendMicro\DatabaseBackup
HKLM\Software\TrendMicro\NSC
HKLM\Software\TrendMicro\OfficeScan
HKLM\Software\TrendMicro\PCcillinNTCorp
HKLM\Software\TrendMicro\RemoteInstall
HKLM\Software\TrendMicro\Solar
Optional: view the OFCMAS.LOG (server) and OFCNT.LOG (client) logs in the Windows directory.
Result
You have verified the names and locations of OfficeScan components and demonstrated that OfficeScan was installed correctly on your lab computer.
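The validation checklist above can also be run as a script, which leaves a record to attach to the system documentation. The following PowerShell is an added example, not part of the Trend Micro lab material; it assumes Windows PowerShell 2.0 or later and an administrator prompt on the lab server, takes the folder, executable, registry and log names from the checklist as printed, and its variable and function names are illustrative.

```powershell
# Added example: post-installation check for the OfficeScan lab server.
# Assumes Windows PowerShell 2.0 or later and an administrator prompt.

# Program folders from the checklist, relative to the Program Files directory.
$folders = @('Trend Micro\OfficeScan', 'Trend Micro\OfficeScan Client')

# Service executables from the checklist. Matching on the executable avoids
# guessing the internal service names.
$serviceExes = @(
    'osceintegrationservice.exe', 'OfcCMAgent.exe', 'OfcService.exe',
    'TmListen.exe', 'TmProxy.exe', 'NTRtScan.exe',
    'LWCSService.exe', 'iCRCService.exe'
)

# Registry keys copied as printed in the checklist (below HKLM\Software).
# Correct any name that differs from what regedit shows on your server.
$regKeys = @(
    'TrendMicroInc.\ServerSetup', 'TrendMicro\DatabaseBackup', 'TrendMicro\NSC',
    'TrendMicro\OfficeScan', 'TrendMicro\PCcillinNTCorp',
    'TrendMicro\RemoteInstall', 'TrendMicro\Solar'
)

# Log files the checklist expects in the Windows directory.
$logs = @('OFCMAS.LOG', 'OFCNT.LOG')

function New-Check($Category, $Item, $Ok, $Detail) {
    New-Object PSObject -Property @{
        Category = $Category; Item = $Item; OK = [bool]$Ok; Detail = $Detail
    }
}

# On 64-bit Windows a 32-bit product is installed under "Program Files (x86)"
# and registered under HKLM\Software\Wow6432Node, so both locations are tried.
$programRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432) |
    Where-Object { $_ } | Select-Object -Unique
$softwareRoots = @('HKLM:\Software', 'HKLM:\Software\Wow6432Node')

$results = @()

foreach ($folder in $folders) {
    $found = $programRoots | ForEach-Object { Join-Path $_ $folder } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
        Select-Object -First 1
    $results += New-Check 'Folder' $folder $found $found
}

# One WMI query, then match each expected executable against the service's
# command line. OK means the service is installed; Detail shows its state.
$services = @(Get-WmiObject -Class Win32_Service)
foreach ($exe in $serviceExes) {
    $svc = $services | Where-Object { $_.PathName -like "*\$exe*" } |
        Select-Object -First 1
    if ($svc) {
        $detail = '{0}: {1}, start mode {2}' -f $svc.DisplayName, $svc.State, $svc.StartMode
        $results += New-Check 'Service' $exe $true $detail
    } else {
        $results += New-Check 'Service' $exe $false 'no installed service uses this executable'
    }
}

foreach ($key in $regKeys) {
    $found = $softwareRoots | ForEach-Object { Join-Path $_ $key } |
        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    $results += New-Check 'Registry' "HKLM\Software\$key" $found $found
}

foreach ($log in $logs) {
    $path = Join-Path $env:windir $log
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $file = Get-Item -LiteralPath $path
        $detail = '{0} bytes, last written {1}' -f $file.Length, $file.LastWriteTime
        $results += New-Check 'Log' $path $true $detail
    } else {
        $results += New-Check 'Log' $path $false 'not found'
    }
}

$results | Select-Object Category, Item, OK, Detail | Format-Table -AutoSize
$missing = @($results | Where-Object { -not $_.OK })
'{0} of {1} checks passed' -f ($results.Count - $missing.Count), $results.Count
```

A service listed with OK set to True may still be stopped; read the Detail column for its state before noting a discrepancy.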
Activity 3.2 > Configure Integrated Server Settings and an Update Schedule
In this scenario, although you plan to have a standalone Smart Scan server, you also want clients to be able to query the integrated Smart Scan server as a backup. You want the server to update its pattern file regularly, but not so frequently that updates consume too much bandwidth.
Access the Smart Protection > Integrated Server page and set the following:
Enable the integrated Smart Scan server for both file and web reputation services.
Enable scheduled updates and set the frequency to every hour.
Leave the Update Sources at their default settings for updating from the Trend Micro ActiveUpdate servers.
Result
You have configured and reviewed the status of clients using the client tree in the OfficeScan Management Console.
Validation Checklist
Use the Networked Computers > Client Management page to configure the Scan Now settings for all computers in the client tree. Make your configuration compliant with these specifications:
Use IntelliScan
Scan only two layers of compression on compressed files
Scan the boot area
Scan hidden files
Medium CPU usage
Don't scan for spyware/grayware
Use ActiveAction
Apply to all OfficeScan clients
Select a single domain and configure real-time scan settings according to these specifications:
Disable real-time scanning for spyware/grayware
Scan files only as they are being read
Don't use IntelliScan
Don't scan compressed files
Don't use IntelliTrap
Use ActiveAction
Make sure that clients back up files before they are cleaned
Discuss with the class and your instructor the risks and benefits of this configuration.
Apply these configuration requirements for scheduled scans to all clients in the tree.
Enable virus/malware and spyware/grayware scanning
Scan weekly every Sunday at a time of your choosing
Scan all scannable files
Set all other scan settings to create the most rigorous scan possible
Use ActiveAction
Disable user notifications
Result
You have configured a manual scan, a real-time scan, and a scheduled scan to meet the requirements of a given scenario.
Activity 4.3 > Change the Scan Mode for One or More Domains
Scenario
You have piloted the Smart Scan scanning method on another OfficeScan server, and you are comfortable with accepting Smart Scan as the scan mode for most clients that will connect to this server. However, to keep network traffic to an absolute minimum for some clients, you want to have them use conventional scanning. The only scan setting that you want to change for the selected clients is the scan method, but you want to have all conventional-scan clients located in a new and separate domain from the one that they were in. You need to create a new domain for your conventional-scan clients, replicate the settings from their prior domain, change the Scan Method setting at the domain level and then move the clients you want to switch to conventional-scan mode into the new domain.
Validation Checklist
Create a new OfficeScan domain. For example, if you have an existing domain called Engineering, create a new domain called csEngineering.
Use Settings > Export Settings on the drop-down menu of the client tree to export the scan settings from the existing domain.
Use Settings > Import Settings on the drop-down menu of the client tree to import the scan settings you just exported and apply those settings to the target domain that you just created and all the computers that belong to it.
Verify that the new domain and the existing domain have the same scan settings.
Change the scan method of the new domain so that all clients that will be added to the domain will be configured to use Smart Scan.
Select an existing client and move that client to your new conventional-scan domain.
Allow your client software time enough to receive the notification of the new configuration and make the changes.
Verify that the client is now using conventional-scan and that its scan settings are correct.
Result
You have exported and imported scan settings, configured the scan method for clients to use at the domain level, and have moved one or more clients from one domain to another for the purpose of applying new settings.
Validation Checklist
Select an existing domain, or create a new domain (named Power Users, for example) and ensure that they have at least these privileges:
Full configuration capability for all types of antivirus and anti-spyware scanning
Full control over firewall settings
Access to all client tabs
Permission to perform Update Now
No uninstallation, but allow unloading
Enabled scheduled update
Select to display notifications for as many services as possible (Web reputation, behavior monitoring, etc.)
Restrict access to program files and registry entries
Select an alternate domain or create a new one (named Restricted, for example) and configure the OfficeScan client privileges and other settings for members of this domain to be as restrictive as possible, except for allowing the use of roaming mode.
Right-click the client-icon in the system tray and launch the OfficeScan client console. Click the Settings on the drop-down menu and notice the options available. Notice also which tabs are visible on the main interface.
Then, move your client to the restricted domain. Close the console and wait a few moments for the configuration to be updated. Then, open the console and inspect the changes.
Similarly, move your client to the power users domain, and inspect the changes.
Result
You have configured client privileges for a given scenario.
Validation Checklist
For the Networked Computers > Computer Location configuration, set the client to use Gateway IP address as its basis for location awareness, add a single, non-existent IP address to the list, and then save the configuration. The tray icon of the client software should subsequently change to show a small checkmark (or tick mark), indicating that its location is determined to be external.
Enable WRS for external computers and set the security level to high.
Select to block pages that have not been tested by Trend Micro
Add a custom URL (such as Facebook or Google) to the blocked-URL list.
Allow clients to send logs to the OfficeScan server.
Disable WRS for internal computers (if no locations are configured, all clients will automatically use the configuration for external computers).
Access the following URLs:
A URL that appears on the approved list
The URL you added to the blocked list
http://Wr21.winshipway.com
One or more other URLs to test and verify web functions.
Return to the Computer Location configuration and add the legitimate IP address of the current gateway to the configuration and save the configuration.
The client tray icon should change to reflect the change in location status.
Attempt to access the same URLs as before and be prepared to explain why there is a difference in results.
Result
You have enabled WRS and have demonstrated its functionality.
Activity 4.6 > Enable and Configure Behavior Monitoring and Device Control
Scenario
Although certain users require extra flexibility and extended privileges to be productive, you and your organization are becoming increasingly concerned about a number of users and a range of unauthorized applications that push the limits of acceptable system usage. You would like to demonstrate for your boss the extent to which OfficeScan behavior monitoring and device control capabilities can be configured to restrict user activity and monitor system activities for unauthorized system changes.
Validation Checklist
Select an existing domain (Restricted, for example) or create a new one and configure the behavior monitoring settings of this domain to be as restrictive as possible.
Enable malware behavior blocking.
Enable event monitoring then enable and deny all system events that can be monitored.
Add WordPad to the custom list of blocked programs (find and enter the full path).
Select an existing domain (Restricted, for example) or create a new one and configure the OfficeScan device-control capability to monitor device access and deny access to all monitored devices except mapped drives and UNC paths.
Refer to the section titled Post-Installation Considerations for Servers and x64 Desktop Platforms in Chapter 6 of the student manual for information on how to enable behavior monitoring and device control on Windows servers. Using this information, modify the registry of your lab computer to enable the full functionality of as many services as possible.
Move your lab computer into the domain for which you configured behavior monitoring and device control.
Attempt to launch WordPad and take note of the result.
Attempt to access a restricted device and take note of the result.
Move your client back to the domain in which it was located before the start of this activity.
Attempt to launch WordPad and take note of the result.
Result
You have enabled and configured the behavior monitoring and device control capabilities of the OfficeScan client. You have also demonstrated the end-user experience of attempting to perform restricted actions.
Validation Checklist
Select the root icon in the client tree, or the domain to which your client is assigned, and click the Export button. Save the file to your desktop and use the Notepad application to validate that the exported file contains data about the computers in your selected domain(s).
Result
You have exported client status data in a raw-text format.
Result
You have configured several key global client settings.
Result
You have made changes to the global client configuration that affect how log data is managed.
and enter the path to the desktop and a filename such as AD.key, as in: C:\Documents and Settings\Administrator\Desktop\AD.key.
Save and synchronize Active Directory settings. Notice how progress is reported at the bottom of the Active Directory Integration page. Once complete, verify that the result reported to the right of the enter domain credentials button is successful and that a green checkmark (tick mark) appears.
Use the Scheduled Synchronization page to configure daily automatic synchronizations at 5 a.m.
Verify the result by going to the Networked Computers > Client Grouping page, selecting Custom client groups, and then clicking Add to display the short dropdown menu. Verify that Active Directory is not grayed out and is underlined. (Do not make any actual changes at this time.)
Additionally verify Active Directory integration settings by going to the Administration > User Accounts page. Click Add, and then verify that the Active Directory User or group option is selectable, that is, not grayed out. (Do not make any actual changes at this time.)
Additionally verify Active Directory integration settings by opening the Security Compliance > Outside Server Management page.
Verify that two warnings appear: "Active Directory domains or IP addresses have not been defined" and "The current outside server management report is out of date". (Do not make any actual changes at this time.)
In the Active Directory/IP Address Scope box on the right, on the Active Directory tab, verify that the tree is populated with Active Directory data. Click one of the tree objects to expand it to test its baseline functionality. (Do not make any actual changes at this time.)
Result
You have configured the Active Directory integration settings for OfficeScan and have verified that the OfficeScan server can read Active Directory information from the domain controller.
Activity 5.4 > Configure Custom Automated Client Groupings
Scenario
By default, when you install the OfficeScan client software on a new computer, the client appears in the client tree under its NetBIOS domain name. You can change grouping selection on the Networked Computers > Client Grouping page from NetBIOS-based grouping to Active Directory domain or DNS domain, but with these selections, only new clients added to the tree are affected. Selecting custom client groups, however, includes an automatic client regrouping function based on the Active Directory grouping or IP address assignment of the client when it is initialized to the OfficeScan server, for example, on reboot or unload and reload.
NOTE
The baseline lab setup requires your server machine to function as the OfficeScan server, an OfficeScan client, and a domain controller for Active Directory services. Your server machine, as the domain controller, will be placed in the default Domain Controllers organizational unit within Active Directory automatically. Although you can move this computer object from its default location to an alternate organizational unit within a custom Active Directory tree structure, doing so can prevent your existing setup from functioning properly. Therefore, when attempting to define rules that affect your server's OfficeScan group membership it is a good idea to do so without also moving the server's AD computer object.
You would like to test custom-client grouping (and re-grouping) by creating one or more groups determined by an existing Active Directory structure and by creating a group based on IP address that will include your server machine.
items in the Active Directory tree that you will select.
Select the test structure from within the Active Directory tree display.
Select to duplicate the Active Directory structure
Save the configured grouping rule.
Verify that the new rule appears in the automatic-client-grouping list.
Add an IP-address-based automatic client grouping that includes your server client.
Select to enable the new grouping rule.
Give the group a descriptive name, like Domain Controller
Enter the IP address of your server client.
Create a new OfficeScan group in the client tree with a descriptive name, like Domain Controller.
Save the configured grouping rule.
Verify that the new rule appears in the automatic-client-grouping list.
Enable scheduled domain creation to occur daily at 5:30 a.m.
Click Save and Create Domain Now.
Monitor the progress of the task as reported dynamically to the console page.
Verify the task completes successfully and note the reported finish date and time.
Return to the Networked Computers > Client Management page and note the changes.
Verify that the Active Directory structure is created beneath the proper group name.
Verify the existence of the separate group that is to include your server client.
Verify that your server client is still located in the group that it was prior to configuring
Unload and reload the client software on your server and verify that when it reconnects to the OfficeScan server its group membership is automatically changed.
Remove the OfficeScan groups that you created before you enabled the custom client grouping feature.
Perform any additional testing steps as directed by your instructor and be prepared to discuss the meaning of the differences between using custom client grouping and any one of the three other options for grouping clients.
Result
You have changed the way that clients are grouped by default in the client tree and have enabled the automated regrouping of clients based on either IP address and/or Active Directory container.
Enable user notification and modify the message that will be sent to users.
Start outbreak prevention. Notice the display of the user message.
Return to the client tree view, select the domain in which your client resides, and verify that a green tick mark appears in the OPP column.
Result
You have configured the Outbreak Prevention settings to block traffic on port 21 and 21210.
Validation Checklist
If your lab setup supports it (see the note above), use the Notifications > Administrator Notifications > General Settings page to enter SMTP information in the Email Notification section.
Use the Notifications > Administrator Notifications > Standard Notifications page to:
Set the criteria to send notifications as often as possible.
Enable and configure Email notifications
Enable NT Event log notifications
Use the Notifications > Client User Notifications page to make these modifications:
Remove the second sentences in the default messages for virus/malware detections and infection source notifications, for the spyware/grayware notification, and for the firewall violation notification.
Replace the deleted sentences with a request that the user immediately contact you for assistance. Include your cell phone and pager numbers: Contact {Your name} immediately for assistance! Cell: {Your cell phone number} Pager: {Your pager number}
Result
You have configured standard alerts and have customized client notification messages.
Validation Checklist
Use the Notifications > Administrator Notifications > Outbreak Notifications page to:
Set the virus/malware outbreak criteria to three detections in one hour
Enable Email notification for all outbreak notifications
Enable system event logging for virus/malware and spyware/grayware outbreaks.
Result
You have configured OfficeScan to alert you if three viruses are detected during a 60-minute interval.
Validation Checklist
Copy the EICAR virus to the desktop.
Use the Windows system Event Viewer (launch eventvwr.msc /s or click Start > Programs > Administrative Tools > Event Viewer) to find the log entry for the virus event.
Copy the EICAR file to the desktop two more times
Use the Event Viewer to find the log entry for the outbreak event.
Result
You have copied the EICAR virus to the desktop to test your notification settings.
Add a user account using the Administration > User Accounts page.
Click Add from Active Directory.
Query your local domain for the administrator account (or other valid user account)
Assign the account to one of the roles that you just created.
Test your account by logging in to the management console with the username and password you gave it. Note any differences in the management console when logged in as this user instead of as the root administrator.
Think about the types of roles that would be suitable for your particular company, or one that you know about. Be prepared to share your ideas about possible user types and how they might be implemented using the OfficeScan tools available.
Result
You have configured custom user roles and added one or more Active Directory users to the system.
Validation Checklist
Use the Administration > Quarantine Manager page to increase the capacity of the quarantine folder to 20480 MB. Click the Save Quarantine Settings button. Click OK in response to the dialog box to confirm that you want to modify the quarantine settings.
Result
You have doubled the amount of server hard disk space reserved for quarantined files.
updates for all clients that log into the Windows network
Create a client setup package to deploy the OfficeScan Client to users at a remote office
Verify OfficeScan Client functionality on your computer
Result
You have modified the login script to install the OfficeScan client.
Select to create an MSI package for Windows 32-bit operating systems.
Click next to the Output file text box and select to save the file to the desktop with the name of OfficeScanSetup.msi. Click Save.
Click Create. Look for the progress indicator.
Click OK in response to the confirmation that the package was successfully created.
Click Close, and then verify the MSI file appears on your desktop.
NOTE
In your lab environment, you may not be able to execute the client setup package because the OfficeScan Client is already installed on your server computer. In addition, you will not be able to email the client setup package if an SMTP server is not available. In a production environment, you can make the client setup package available to users by placing it in a shared network directory or you can email it by pressing the Send Mail button in the Client Packager dialog box.
Result
You have created a client setup package.
Exercise 9: Update and Deploy OfficeScan Components
Activity 9.1 > Manually Update and Deploy Components
Scenario
There are times, such as after a virus outbreak, when you should manually update the OfficeScan components and deploy these components to all OfficeScan clients. You should also manually update the server after it is initially installed.
Monitor the progress of the update process as shown on the Manual Update Progress
Use the Logs > Networked Computer Logs > Component Update page to view the progress and the details of the notification event.
Result
You have manually updated the OfficeScan components and manually deployed the updates to your OfficeScan client.
Validation Checklist
Use the client tree viewer on the Networked Computers > Client Management page to select your client.
On the toolbar, click Settings > Update Agent Settings and select to enable update-agent functionality on the selected client. Click Save and then Close.
A green tick mark will appear in the Update Agent column in the content pane of the client tree viewer and the computer icon will change when update-agent functionality is enabled.
Use the Updates > Networked Computers > Update Source page to configure clients to use the new update agent.
Select Customized Update Source radio button and click the Add button under the
On the Add IP Range and Update Source page, enter the range 192.168.115.80 to 192.168.115.100 and select Update agent as the update source and select your lab computer using the drop-down menu. Click Save.
Click Notify All Clients. A message appears, reporting that the clients have been notified. Then, click Back.
On the Update Source (Networked Computers) page verify that option Update Agent: always update from standard update source (OfficeScan server) is selected and click Save.
Use the Updates > Server > Scheduled Updates page to enable scheduled updates for all components daily and to start update notifications at midnight and update for a period of two hours.
Use the Updates > Networked Computers > Automatic Update page to initiate component updates on clients immediately after the OfficeScan server downloads a new component.
Result
You have configured an update agent and specified which clients should download updated
You have automated server updates and have enabled an event-triggered, automatic
Activity 10.1 > Configure Scan Options from the OfficeScan Client Console
Scenario
Because you are a knowledgeable computer user, the network administrator at your company has granted you the client privileges you need to configure your own scan options. Your computer was infected by a virus just last month, and you lost time cleaning the infected files and restoring all the services on your computer. To prevent this from happening again, you want to configure OfficeScan to scan every file and to scan for all types of threats.
created/modified and as they are received.
Scan the floppy disk at shutdown, enable IntelliTrap, and select to scan compressed files as many layers deep as you can.
If you can, apply this same level of scanning to anti-spyware scanning
Use the clean action for anti-spyware
For antivirus scanning, use customized scan actions and apply a specific action for each virus/malware type:
o For Joke, select Clean and Quarantine
o For Trojan, select Quarantine
o For Virus, select Clean and Quarantine
o For Test Virus, select Quarantine
o For Packer, select Quarantine
o For Other, select Clean and Quarantine
Result
You have configured the scan options using the OfficeScan Client Console.
Activity 10.2 > Configure OfficeScan Firewall from the Client Console
Scenario
In this activity, you will use the OfficeScan Client Console to enable the OfficeScan firewall and configure it to block inbound and outbound Telnet connections.
Validation Checklist
Launch the client console and click the Firewall tab to display the current firewall settings.
Enable the firewall, the intrusion detection system (IDS), and notifications.
Select the network card from the network card list, and click Edit to access the exception rule list.
Click Add and use the exception rule dialog box to add a Block Telnet rule that denies
inbound and outbound network traffic on the specified TCP port 23 for all computer addresses.
Apply the new rule to the firewall traffic filter and click Yes to confirm the action.
Result
You have used the OfficeScan client console to configure the firewall.
Validation Checklist
Test the scan options.
Copy the European Institute of Computer Anti-Virus Research (EICAR) test virus to the
A message appears at the command line, reporting that a telnet session could not be established. Then an OfficeScan alert message appears, reporting that OfficeScan detected a problem, such as a firewall violation or a network virus. Your lab computer is now blocked.
Navigate to the logs tab and view the firewall logs to inspect the details of the blocked
connection.
Result
You have tested the scan options that you configured from the OfficeScan client console. You have tested the OfficeScan firewall settings that you configured using the OfficeScan
client console.
HTTPS traffic to a range of IP addresses that includes your client/server.
Verify that your new policy appears in the list on the Firewall Policies for Networked Computers page.
Result
You have configured a policy for a given scenario.
Validation Checklist
Use the Networked Computers > Firewall > Profiles page to add a profile by clicking Add in the toolbar. Configure and save a new profile that meets these criteria.
o Name: Test Computers
o Description: Profile for computers testing new software.
o Policy: The Lab Computers policy you created in the previous activity
o IP address: a range of IP addresses that includes your lab computer
o Platform: Windows Server (Server 2003, Server 2008)
Result
You have applied a custom firewall policy to a specific set of computers.
Validation Checklist
Open a Command Prompt and attempt to start a Telnet session by entering:
telnet Lab_Computer_IP_Address
A message appears at the command line, reporting that a telnet session could not be established. Then an OfficeScan alert message appears, reporting that OfficeScan detected a problem, such as a firewall violation or a network virus. Your lab computer is now blocked.
Open the OfficeScan client console, click the Logs tab, select Firewall Logs, and click View Logs to view details about the event.
Return to the web-based management console and use the Networked Computers > Firewall > Profiles page to disable the Lab Computers profile.
Click the name Lab Computers to edit the profile. Deselect the Enable this profile option and click Save. Assign the profile to clients.
Result
You have tested the policy and profile you created in prior activities. You have disabled the profile you created in Activity 11.2.
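The Telnet test in this checklist, like the identical one used to test the client-console Block Telnet rule, relies on a failed connection, and a failed connection has more than one cause. The following Python script is an added example, not part of the lab textbook or of OfficeScan; it separates a refused connection from an unanswered one so the result can be read alongside the Firewall Logs. The names classify_tcp, VERDICTS and self_check are invented here, and the page does not say how the firewall answers a denied connection, so both failure results point back to the log.

```python
import errno
import socket
import sys

TELNET_PORT = 23  # port denied by the lab's Block Telnet exception rule
# OS error codes meaning the attempt was stopped before any answer arrived.
BLOCKED_ERRNOS = {errno.EACCES, errno.EHOSTUNREACH, errno.ENETUNREACH}
VERDICTS = {
    "open": "FAIL: handshake completed, the Block Telnet rule is not in effect",
    "refused": "INCONCLUSIVE: reset received, as from a host with no Telnet service",
    "filtered": "CONSISTENT WITH A BLOCK: no answer; confirm in the Firewall Logs",
}


def classify_tcp(host, port=TELNET_PORT, timeout=3.0):
    """Try one TCP connection; return 'open', 'refused' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in BLOCKED_ERRNOS:
            return "filtered"
        raise  # e.g. a name-resolution failure is not a firewall result
    finally:
        sock.close()


def self_check():
    """Constructed loopback demo: a live listener, then the same port closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = classify_tcp("127.0.0.1", port)
    listener.close()
    return while_listening, classify_tcp("127.0.0.1", port)


if __name__ == "__main__":
    print("classifier self-check:", self_check())
    if len(sys.argv) > 1:  # pass Lab_Computer_IP_Address as the argument
        result = classify_tcp(sys.argv[1])
        print(sys.argv[1], result, "-", VERDICTS[result])
```

A "refused" result with no matching entry in the Firewall Logs suggests that nothing was listening on port 23 rather than that the rule fired.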
checks for third-party products as well as Trend Micro products.
For Method for retrieving computer descriptions, select Normal.
Configure Notifications.
o Select Email results to the system administrator and click Configure.
o When the Email Alert dialog box appears, enter Admin@Toys.com in the To and From fields.
o In the SMTP field, enter Toysemail.
o Edit the Subject line to read: Vulnerability Scanner results.
o Click OK.
For Save As CSV File, select Automatically save the results to a CSV file and accept
Accept the default Ping Settings. Select Auto-install OfficeScan Client for unprotected computer. Click OK.
Click Start. After the Vulnerability Scanner checks your lab computer, it displays a detailed series of results.
Check the C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\TMVS folder to see if the CSV file was created.
Result
You have configured the settings for the Vulnerability Scanner and have run a manual scan. You have viewed the results in a CSV file.
Validation Checklist
Configure a scheduled task.
In the Vulnerability Scanner console, click Add/Edit under Scheduled Tasks. The
Click the DHCP Start button. The Vulnerability Scanner will now check any computer
Click Exit.
Result
You have configured a scheduled vulnerability scan. You have configured a DHCP scan.
inconsistent with the domain settings to which the client belongs.
Select the client and click Apply Domain Settings.
Verify that the settings have been restored, except for the firewall. Note that the firewall is not part of the tabbed Settings report on the Compliance Report page.
Re-enable the firewall manually, and reassess the domain.
Result
You have run an Active Directory-based Security Compliance query and have tested the results.
Result
You notified the client to send its Firewall logs to the server. You viewed the client's Firewall log.
On the toolbar, click View Logs > Virus Malware Logs to display the criteria selection page.
Select these log display criteria:
o Time period: Last 24 hours
o Scan Types: select all types
o Sort by: Scan Types.
Result
You have viewed the virus log. You have viewed the details for one record in the virus log.
Exercise 14: Creating a Client Update Package (Optional Activity)
In this activity, you will use the Client Packager to create an update file in the .exe format for deployment to a remote office. The update package will include Common Firewall Driver and Network Virus Pattern updates, as well as Wireless Protection for all Palm wireless clients at the remote office.
1. From the Windows desktop, double-click the My Computer icon. The My Computer window appears.
2. In the My Computer window, navigate to Local Disk (C:)\Program Files\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\ClientPackager. The Client Packager window appears.
3. Double-click the ClnPack.exe icon. The Client Packager dialog box appears.
4. In the package type section, select Update.
5. In the Windows operating system type drop-down list, select 32-bit.
6. In the Components section, click the Program check box to de-select it. The grayed out options in the Components section become available.
7. In the Component section, click the Scan Engine, Virus pattern/Additional threats pattern, and DCE/DCT check boxes to de-select them. (The Common Firewall Driver and Network Virus Pattern components should now be the only components selected.)
8. In the Client Utilities section, select the Wireless Protection check box.
9. Click the (ellipses) button next to the output file field. The Save As window appears with the Windows desktop as the default destination. Enter Update in the file name field. Click the Save button.
10. In the Client Packager dialog box, click the Create button to create the Update.exe file on the desktop of your lab computer.
11. A dialog box appears to confirm that the client package was successfully created. Click the OK button.
12. In the Client Packager dialog box, click the Close button.
NOTE
In a production environment, you can make the client update package available to users by placing it in a
shared network directory, or you can email it by pressing the Send Mail button in the Client Packager dialog box.
Result
You configured a scheduled verification event.