There are four major OSCE environment components that should be identified when designing the
deployment. Each component is described below.
OfficeScan Server: A server that provides the OSCE management console and stores
information in a local CodeBase database, or in a local or remote SQL database. It uses standard HTTP or
HTTPS protocols for communication and for managed agent updates. The three basic functions of an
OfficeScan server are:
OfficeScan Agent: A host reporting to a particular OSCE server. It can be configured to get
update information from an OfficeScan server, an update agent, or directly from the internet via the Trend
Micro ActiveUpdate server. The OfficeScan agent also protects the system on which it is installed.
It can be configured to use a standalone or Integrated Smart Protection Server for Smart
Scan instead of conventional scan. Through cloud technology, this method minimizes the total amount of
pattern data downloaded.
Update Agent: A regular OfficeScan agent that is designated to copy update information from an
OfficeScan server and distribute this information to other OfficeScan agents. Any OfficeScan agent can
be configured as an update agent using the OfficeScan server management console. OfficeScan agent IP
address ranges are then assigned to get update information from specific update agents. Update agents can
push component updates, setting updates, and program/hotfix updates to agents. Older agent versions can
receive program upgrades from OSCE 11.0 update agents as long as they report to the OSCE 11.0 update
agents.
Smart Protection Server (SPS): The Smart Protection Server provides file reputation and
web reputation through a local cloud service. When users opt to employ Smart Scan technology, agents
send queries to SPS when scanning files. When they use web reputation protection, agents send URLs to
SPS. Thus, SPS works as a local file reputation server and as a local web rating server as well.
These are the two types of Smart Protection Server:
The following sections show the recommended software and hardware specifications for an
OfficeScan environment.
For the full list of minimum system requirements, refer to the Installation and Deployment Guide
or OfficeScan Readme. For the recommended set up based on number of agents, check the sizing
section in Chapter 3.
The OfficeScan agent with the best available resources at a particular site should be designated as
an update agent. Since this agent will serve updates to the other agents in the remote office, it
must be reliable. This can be a domain controller on the site, a file server, print server, or any type
of server that is always online. To serve its function, this agent should have an additional 700 MB
of free disk space for engine and pattern storage, an additional 160 MB for program/hot fix
updates, and an additional 20 KB for every domain setting update. Minimum requirements for
update agents should follow the minimum hardware requirements of OfficeScan agents.
The minimum hardware specifications for this server are the same as the recommended
requirements for the OfficeScan server.
Dual 2.0 GHz Intel Core 2 Duo 64-bit processor supporting Intel Virtualization
Technology, or equivalent
2 GB of RAM
Microsoft Windows Server 2003 (Standard, Enterprise, and Datacenter Editions) with Service
Pack 2 or later, 32-bit and 64-bit versions
Microsoft Windows Server 2003 R2 (Standard, Enterprise, and Datacenter Editions) with
Service Pack 2 or later, 32-bit and 64-bit versions
Microsoft Windows Storage Server 2003 (Basic, Standard, Enterprise, and Workgroup
Editions) with Service Pack 2, 32-bit and 64-bit versions
Microsoft Windows Storage Server 2003 R2 (Basic, Standard, Enterprise and Workgroup
Editions) with Service Pack 2, 32-bit and 64-bit versions
Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, and Web Editions) with
Service Pack 1 or 2, 32-bit and 64-bit versions
Windows Server 2008 R2 (Standard, Enterprise, Datacenter, and Web Editions), 64-bit
version
Windows Storage Server 2008 (Basic, Standard and Enterprise Edition), 32-bit version
Windows Storage Server 2008 (Basic, Standard, Enterprise and Workgroup Edition), 64-bit
version
Windows Storage Server 2008 R2 (Basic, Standard, Enterprise, and Workgroup Editions), 64-bit version
Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit version
Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit version
Windows Storage Server 2012 (Standard and Workgroup Editions), 64-bit version
OfficeScan supports server installation on guest operating systems hosted on the following
virtualization applications:
XenClient 2.1
VDI-in-a-Box 5.1
Microsoft Windows XP (Home, Professional, Professional for Embedded Systems Editions, and
Tablet PC) with Service Pack 3, 32-bit version
Microsoft Windows Vista (Business, Enterprise, Ultimate, Home Premium, Home Basic, Business
for Embedded Systems, and Ultimate for Embedded Systems) with Service Pack 1 or Service Pack
2, 32-bit and 64-bit versions
Microsoft Windows 8 (Standard, Pro, and Enterprise Editions), 32-bit and 64-bit versions
Microsoft Windows 8.1 (Standard, Pro, and Enterprise Editions), 32-bit and 64-bit versions
Microsoft Windows Server 2003 (Standard, Enterprise, Datacenter, and Web Editions) with
Service Pack 2, 32-bit and 64-bit version
Microsoft Windows Server 2003 R2 (Standard, Enterprise, and Datacenter) with Service Pack 2,
32-bit and 64-bit versions
Microsoft Windows Storage Server 2003 (Basic, Standard, Enterprise, and Workgroup) with
Service Pack 2, 32-bit and 64-bit versions
Microsoft Windows Storage Server 2003 R2 (Basic, Standard, Enterprise, and Workgroup) with
Service Pack 2, 32-bit and 64-bit versions
Microsoft Windows Compute Cluster Server 2003 (Active/Passive), 32-bit and 64-bit versions
Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, Web Editions, and Server
Core) with Service Pack 1 or Service Pack 2, 32-bit and 64-bit versions
Microsoft Windows Storage Server 2008 (Basic Edition), 32-bit and 64-bit versions
Microsoft Windows Storage Server 2008 (Standard, Enterprise, and Workgroup Editions) with or
without Service Pack 1, 64-bit version
Microsoft Windows Server 2008 R2 (Standard, Enterprise, Datacenter, Web Editions, and Server
Core), 64-bit version
Microsoft Windows Storage Server 2008 R2 (Basic, Standard, Enterprise, and Workgroup
Editions), 64-bit version
Microsoft Windows Server 2008 Failover Clusters (Active/Passive), 32-bit and 64-bit versions
Microsoft Windows MultiPoint Server 2011 (Standard and Premium Editions), 64-bit
version
Microsoft Windows Server 2012 (Standard, Datacenter, and Server Core Editions), 64-bit
version
Microsoft Windows Storage Server 2012 (Workgroup and Standard Editions), 64-bit
version
Microsoft Windows MultiPoint Server 2012 (Standard and Premium Editions), 64-bit
version
Microsoft Windows Server 2012 R2 (Standard, Datacenter, and Server Core Editions), 64-bit version
The administrator cannot remotely install the OfficeScan agent on Windows 7 x86
platforms without enabling the default administrator account. Follow the steps below to
resolve this issue:
1. Enable the Remote Registry service on the Windows 7 machine. By default, Windows 7
machines disable this feature.
2. Use the domain administrator account to remotely install OfficeScan 10.6 Service Pack 1
agents into Windows 7 computers. As another option, use the default administrator
account:
a.
The following requirements are recommended for Trend Micro Smart Protection Server as a virtual
machine:
If you are using VMware, use CentOS 5 64-bit (Guest Operating System).
If you are using a VMware version, such as 3.5 and 4.0, that does not support CentOS, use Red
Hat Enterprise Linux 5 64-bit.
If you are using Citrix XenServer, create a new virtual machine using the Other install media
template.
If you are using Hyper-V, create a new virtual machine and add a Legacy Network Adapter.
Allocate at least 2 GB RAM and two (2) virtual processors for the virtual machine.
Create a new virtual disk image that will be sufficient for the logging requirements (specify at
least 30 GB of disk space).
Allocate one (1) physical network card for the virtual switch where Trend Micro Smart
Protection Server is connected.
Account
Ports
Bandwidth
Approximately 50 MB, which may vary depending on current virus pattern file size
Others
The OfficeScan server may receive and establish multiple HTTP sessions to communicate with its
agents. The TCP properties of Windows can be modified to prevent delays and slowdowns caused
by TCP time-wait accumulation and port exhaustion.
Add or modify the following registry keys to improve TCP performance:
Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
Data type: REG_DWORD
Default value: 5000
Range: 5,000 - 65,534 (port number)
Purpose: Determines the highest port number TCP can assign when an application requests
an available user port from the system
Trend Recommendation: 65,534
Key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay
Data type: REG_DWORD
Default value: 0xF0 (240 seconds = 4 minutes)
Range: 0x1E - 0x12C (30 - 300 seconds)
Purpose: Determines the time that must elapse before TCP can release a closed connection and
reuse its resources
Trend Recommendation: 30
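The check below is an added example, not part of the original guide: it reads an exported copy of the Tcpip\Parameters key, treats a missing value as the default, and compares the result with the ranges and recommendations listed above. The sample export and host name are constructed, and the connection-rate estimate assumes that user ports start at 1025, which the guide does not state.

```python
import re

# Defaults, valid ranges and recommended values, taken from the guide text above.
RECOMMENDED = {
    "MaxUserPort":       {"default": 5000, "min": 5000, "max": 65534, "target": 65534},
    "TcpTimedWaitDelay": {"default": 240,  "min": 30,   "max": 300,   "target": 30},
}
FIRST_USER_PORT = 1025  # assumption: lowest port handed out to applications

# Constructed sample of a "reg export" file; MaxUserPort is deliberately absent.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Hostname"="OSCE-SRV01"
"TcpTimedWaitDelay"=dword:0000001e
'''

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')


def parse_dwords(reg_text):
    """Return {value name: int} for every REG_DWORD line in a .reg export."""
    values = {}
    for line in reg_text.splitlines():
        match = DWORD_RE.match(line.strip())
        if match:
            values[match.group("name")] = int(match.group("hex"), 16)
    return values


def audit_tcp_parameters(reg_text):
    """Compare exported values with the guide; a missing value means the default applies."""
    # Registry value names are case-insensitive, so compare in lower case.
    found = {name.lower(): value for name, value in parse_dwords(reg_text).items()}
    report = {}
    for name, spec in RECOMMENDED.items():
        raw = found.get(name.lower())
        if raw is None:
            status = "not set (default in effect)"
        elif not spec["min"] <= raw <= spec["max"]:
            status = "out of range"
        elif raw != spec["target"]:
            status = "differs from recommendation"
        else:
            status = "ok"
        report[name] = {"effective": spec["default"] if raw is None else raw,
                        "status": status}
    return report


def max_new_connections_per_second(max_user_port, timed_wait_delay):
    """Rough ceiling on sustained new connections per second before ports run out.

    Every closed connection keeps its port for timed_wait_delay seconds, so at
    steady state the usable port pool is divided by that delay.
    """
    return (max_user_port - FIRST_USER_PORT + 1) / timed_wait_delay


if __name__ == "__main__":
    result = audit_tcp_parameters(SAMPLE_EXPORT)
    for name, entry in result.items():
        print(f"{name}: {entry['effective']} ({entry['status']})")
    rate = max_new_connections_per_second(result["MaxUserPort"]["effective"],
                                          result["TcpTimedWaitDelay"]["effective"])
    print(f"Estimated ceiling: {rate:.0f} new connections per second")
```

With the defaults the estimate is under 17 new connections per second; with both recommended values it is above 2,000, which is why the two settings are changed together.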
The OfficeScan server uses either Apache or Windows IIS to communicate with its agents. The
application's CGI timeout can be increased to allow more time for communication between the server and
its agents. The Remote Install deployment method depends on this timeout as well: copying the
installation files over a slow link may cause installation failures.
To modify IIS CGI settings, download and install MetaEdit or Metabase Explorer depending on the
version of IIS in use.
1. Download and install the Microsoft Administration Pack for IIS 7.0 using this link:
http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1682
As an option, use the default IIS Manager that comes with IIS 7.0.
2. Open the IIS Manager.
3. In Connections view, select the server and select the OfficeScan site.
4. In Features view, double-click CGI.
5. Type the appropriate time-out value in Timeout (hh:mm:ss) text box, 01:00:00, press ENTER,
and click Apply.
For Microsoft IIS 7.5, 8.0, 8.5
1. Open the IIS Manager.
2. In the Connections view, select the server and select the OfficeScan site.
3. In Features view, double-click CGI.
4. Type the appropriate time-out value in Timeout (hh:mm:ss) text box, 01:00:00, press ENTER,
and click Apply.
Apache
Follow the procedure below to modify Apache's CGI timeout:
1. Open the <drive>:\Program Files\Trend Micro\OfficeScan\PCCSRV\apache2\conf\httpd.conf
configuration file.
2. Set Timeout 300 to Timeout 600.
3. Restart the Apache service.
The following are the recommended permission settings for the OfficeScan folders and files. These are
set by default during installation:
There are times when the permissions might have been changed accidentally.
To reset the permissions back to default:
1. Open the command prompt.
2. Browse to the OfficeScan server's PCCSRV folder (i.e., drive:\Program Files\Trend Micro\OfficeScan\PCCSRV).
3. Run the following command:
SVRSVCSETUP.EXE setprivilege
To perform authentication, OfficeScan server signs its data using a private key while the
OfficeScan agent decrypts this data using a public key. These keys are uniquely generated during
the installation or upgrade of any OfficeScan server.
If for some reason, the OfficeScan server and agents have mismatched keys, agents will reject the
notification from this server. This may happen if the OfficeScan server had an irrecoverable crash
and needs to be replaced.
When managing multiple OfficeScan servers, it is recommended to use one key for all of them to
reduce management complexity.
On the original OfficeScan server, keep a secure copy of the key
(C:\Program Files\Trend Micro\OfficeScan\AuthCertBackup\OfficeScanAuth.dat). Whenever you
upgrade or install an OfficeScan 11.0 server, import the same file.
For more details on generating and restoring certificates, refer to OfficeScan 11.0 Admin
Guide: http://docs.trendmicro.com/all/ent/officescan/v11.0/en-us/osce_11.0_ag.pdf.
OfficeScan 11.0 has new features that assist the user during migration or upgrade.
Hot Fix Detection: When upgrading from a previous OfficeScan server version, the installation process
checks for hot fixes that are currently installed but are not merged into OfficeScan 11.0, and prompts you
about them.
If you see the pop-up message above, review the hotfix list under ...\PCCSRV\TEMP\RollbackHotfix.txt.
If you have important hotfixes in the list, consider delaying the upgrade, or request the equivalent
OfficeScan 11.0 hot fix(es) before proceeding.
Patch Availability Notifications: OfficeScan 11.0 notifies you when new updates are available. It is
advisable to update to the latest patch or service pack once it is available on the management console.
The recommendations below can be used as a guideline to determine the location and number of
OfficeScan servers needed to effectively manage the LAN or WAN.
A single OfficeScan server can manage up to 30,000 agents depending on the machine
specifications. Below is a quick summary.
Recommended Setups
CPU: 4 Cores
RAM: 8 GB
CPU: 8 Cores
RAM: 16 GB
CPU: 12 Cores*
RAM: 32 GB
10,000
15,000
15,000
15,000
20,000
20,000
15,000
20,000
30,000
(OSCE+iSPS+CodeBase)
(2 Servers)
Another point for consideration is the database size. Depending on the number of logs generated, disk
space usage increases as well.
Here is a quick reference for SQL database size given the certain number of logs and agent counts:
The table above helps to determine the initial database size of OfficeScan. These estimates are based on
following assumptions:
Default log maintenance is applied, with logs older than 7 days deleted on a
weekly basis.
The above log types are generally major contributors in terms of the log count and data sizes.
OfficeScan servers that manage agents across the WAN should be installed on sites with the
healthiest bandwidth, which are typically datacenters or head offices.
Consider installing a local OfficeScan server for sites with approximately 500 or more agents. This is highly
recommended if the WAN bandwidth is limited for a particular site.
An update agent is a regular OfficeScan agent that is designated to replicate update information
from an OfficeScan server for the purpose of distributing the update information to other
OfficeScan agents.
Here is a reference on the number of agents that an update agent can handle:
This table can be used as a template to scope the different sites and generate architecture proposal:
Smart Protection Servers are placed in the local network, making them available to users who have
access to their local corporate network. These servers are designed to localize operations within
the corporate network to optimize efficiency. This network-based solution hosts the majority of the
malware pattern definitions and web reputation scores. The Smart Protection Server makes these
definitions available to other endpoints on the network for verifying potential threats.
Queries are only sent to Smart Protection Servers if the risk of the file or URL cannot be
determined at the endpoint.
Endpoints leverage file reputation and web reputation technology to query the Smart Protection
Servers and Trend Micro Smart Protection Network as part of their regular system protection
activities. In this solution, agents only send identification details determined by Trend Micro
technology to Smart Protection Servers. Agents never send the entire file when using file
reputation technology. Risk is determined using the file identification details only.
The integrated Smart Protection Server can be pre-installed in the OfficeScan server if the user
included it during the OfficeScan server installation. These are the main reasons to install a
Standalone Smart Protection Server:
Load can be distributed by adding more Standalone Smart Protection Servers. Check the load
balancing section below for more details:
If the latency between the branch office and the main office is high, it is recommended to install a
Standalone Smart Protection Server at the branch office. If the Standalone Smart Protection Server
cannot be installed, or there is no available hardware, it is best to switch the agents to conventional scan.
Below are the hardware specifications used to install virtualization platforms and the guest virtual machine
resource allocation for the Standalone Smart Protection Server:
The following table and graph show the number of agents handled by an individual Standalone
Smart Protection Server meeting these performance criteria:
The number of endpoints shows the maximum supported iCRC v2.0 agents for one (1) TMSPS,
taking into consideration that there are two (2) other TMSPS with the same load running within
the same virtualized host.
The transaction rate is the sum of the FRS transaction rate and the WRS transaction rate per
second.
The performance of TMSPS 3.0 has improved dramatically compared to the previous version. TMSPS 3.0
has increased the scalability by reducing the traffic between agents and TMSPS. Under the same test
scenario, with three (3) TMSPS running on the same host, it could support more than twice the number of
agents compared to the previous release, TMSPS 2.5.
For organizations that want the maximum transaction rate from FRS and WRS and can accept 100%
CPU usage, CPU capability becomes the bottleneck.
Disk I/O speed is another important factor. Currently, pattern updates cause a lot of disk I/O
operations. Therefore, if the customer's environment uses external storage and shares the disk I/O
bandwidth with many other VMs (or the disk I/O bandwidth is poor), the overall performance may suffer.
The disk can be monitored using the performance counters provided by the virtualization platform. The ESXi
Server provides the following disk-related performance counters:
Kernel Latency: 0-1 ms is ideal. If > 4 ms, check the CPU usage and queue latency
If the TMSPS virtual machine shares resources with many other VMs on the same VM host, then
TMSPS must compete with other VMs for disk I/O, network traffic, CPU, and memory. TMSPS
performance will suffer as a result.
Despite the competition for resources, hypervisors from different vendors can deliver different
performance. This might be caused by emulated device drivers that are required to provide an
interface between the physical hardware and the virtual machine. Generally speaking, TMSPS
running on ESXi server has the best performance, compared to Xen Server and Hyper-V.
Smart Protection Servers can be set up to achieve load balancing. Load balancing helps
ensure that HTTP requests are distributed among the Smart Protection Servers.
There are two (2) ways to achieve load balancing using the OfficeScan web console:
Random: The OfficeScan agent randomly chooses a Smart Protection Server from the Smart
Protection Server list.
Based on IP range: The OfficeScan agent connects to its assigned server from the Smart
Protection Server list.
Smart Protection Servers should always be installed in redundant pairs to avoid WAN saturation during a
hardware failure.
Initial scans require more requests to the Smart Protection Server. Agents should set their first scheduled
scan in phases, especially when their Smart Protection Server is centrally located. Running scheduled scans
in batches will increase capacity and normalize iCRC network utilization.
Use this table as a guideline to determine how many Smart Protection Servers you need in your
environment. Even when one (1) Smart Protection Server is more than enough to cater to all agents, it is
still a best practice to install at least two (2) standalone Smart Protection Servers for redundancy and load
balancing purposes.
One of the new features in OfficeScan 11.0 is the ability to migrate an existing database (CodeBase) to an
SQL server database. This is done using the SQL Server Migration tool.
The migration tool currently supports three (3) types of migrations:
OfficeScan SQL database (previously migrated) that was moved to another location
When you choose to migrate to a new SQL Server Express database, note that OfficeScan will
install SQL Server 2008 R2 SP2 Express. It must be installed on a Windows 2003 or
Windows 2008 SP2 server. Installing it on a Windows 2003 SP1 server would result in failure.
Refer to this Microsoft article for more details: http://msdn.microsoft.com/en-us/library/ms143506(v=sql.105).aspx
OfficeScan 11.0 supports both SQL 2008 and SQL 2012. For SQL 2008, note that
Microsoft .NET Framework 3.5 SP1 is required and that Microsoft .NET Framework 4.0 is not
compatible with SQL Server 2008.
Microsoft SQL server cannot be installed on Domain Controller machines. Consider this before
choosing the server to install the database or OfficeScan. For more information, refer to this link:
http://support.microsoft.com/kb/2032911.
User Account Control needs to be turned off before running the SQL migration tool on
Windows Server 2008 or later, when using Windows Authentication credentials. Refer to this
article for more details on disabling this option: http://windows.microsoft.com/en-us/windows/turn-user-account-control-on-off#1TC=windows-7.
Make sure that the OfficeScan Master Service is not running under the same domain user account
that is used to log on to the SQL server. This could cause the service to fail to start after the
migration.
Back up the existing OfficeScan CodeBase database for recovery in case there are problems
encountered during the migration. Refer to this article for more details:
http://esupport.trendmicro.com/solution/en-US/1039284.aspx
OfficeScan automatically creates the new database on the SQL server; there is no need to pre-create a blank database.
Make sure to click the Test Connection option on the SQL migration tool before proceeding. This
confirms that the settings entered are correct and verifies that the connection is possible.
When using the Windows Account to log on to the server:
To verify the type of database used, check the ofcserver.ini file under the OfficeScan server's Private
directory (Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Private).
Look for [INI_DBE_ENGINE_SECTION] and note the value defined for DBE_ENGINE.
DBE_ENGINE=1001
; CodeBase
DBE_ENGINE=1002
; SQL Server
When opting to use the Integrated Smart Protection Server, make sure that it is actually installed and
running. If the Integrated Smart Protection Server is not properly installed, Smart Scan agents disconnect
and cannot utilize the cloud technology properly.
The integrated server is intended for mid-scale deployments of OfficeScan, in which the number of agents
does not exceed 20,000. For larger deployments, the standalone Smart Protection Server is recommended.
In OfficeScan 11.0, the Integrated Smart Protection Server (ISPS) ports have changed. Note the new ports
used below:
To check whether the Integrated Smart Protection Server is running, first make sure that the
Do not save encrypted pages to disk setting is not enabled in IE.
After checking the setting above, type the URL below into your browser:
https://OfficeScan_server:port/tmcss/?LCRC=08000000BCB3080092000080C4F01936DD430000
You should see the following pop-up window, which will confirm that the Integrated Smart
Protection Server is running.
Ensure that OfficeScan agents can query at least two (2) scan servers. This prevents having a single point
of failure in the event that the Smart Protection Server is unreachable. In order to take full advantage of
the cloud technology, all agents must be online and connected to a Smart Protection Server.
To add Smart Protection Servers:
1. Go to Administration > Smart Protection > Smart Protection Sources.
2. Choose Internal Agents tab and select the standard list or custom list based on IP address.
3. Click Notify All Agents to push this setting.
Because the integrated server and the OfficeScan server run on the same computer, the computer's
performance may degrade significantly during peak traffic. When possible, consider using a standalone
Smart Protection Server as the primary source for agents and the integrated server as a backup.
Do not use Smart Scan as the default scanning method at the root level. Always use Conventional
Scan as the root level scanning method. When selecting OfficeScan agents to use Smart Scan, always
choose a regular domain instead of a root level. If the root level is defined to use the Smart Scan method,
and if it is placed in a domain where it uses Conventional Scan, it will download Conventional Scan
components.
Make sure the Computer Location settings are defined correctly. The Computer Location settings can be
reached under Agents > Endpoint Location.
The default setting is Agent connection status. This means that an OfficeScan agent uses the defined
reference server list to determine whether it is an external or internal agent.
An agent that can connect to the OfficeScan server or any of the reference servers listed is recognized as
an internal agent. Therefore, this agent connects to the Smart Protection Server defined under Internal
Agents for Smart Protection Sources.
If a connection cannot be established, the agent is classified as an external agent. This agent uses the
settings set under External Agents for Smart Protection Sources. By default, external agents use the global
Smart Protection Network (https://osce11.icrc.trendmicro.com/tmcss).
If the Gateway IP address setting is applied, and the client computer's gateway IP address matches any of the
gateway IP addresses specified on the Endpoint Location screen, the computer's location will be classified
as internal. Otherwise, the computer's location is external.
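The location rules above and the two load-balancing modes described earlier, combined in a simplified model of which Smart Protection source an agent ends up querying (an added example, not OfficeScan code). Host names and address ranges are constructed, and falling back to the standard list when no IP range matches is an assumption.

```python
import ipaddress
import random

# Default source for external agents, as given in the text above.
GLOBAL_SPN = "https://osce11.icrc.trendmicro.com/tmcss"

# Constructed sample configuration (hypothetical host names and ranges).
KNOWN_SERVERS = ["osce.corp.example", "ref1.corp.example"]  # OfficeScan + reference servers
STANDARD_LIST = ["sps1.corp.example", "sps2.corp.example"]
IP_RANGE_LIST = [("10.20.0.0/16", ["sps-branch.corp.example"])]


def classify_location(mode, *, reachable=(), known_servers=(),
                      gateway=None, internal_gateways=()):
    """Classify an agent as 'internal' or 'external' using one of the two rules."""
    if mode == "connection_status":
        # Internal if the OfficeScan server or any listed reference server answers.
        hit = any(host in reachable for host in known_servers)
    elif mode == "gateway_ip":
        # Internal if the computer's gateway matches a configured gateway address.
        hit = gateway is not None and gateway in internal_gateways
    else:
        raise ValueError(f"unknown mode: {mode}")
    return "internal" if hit else "external"


def candidate_sources(location, agent_ip, standard_list, ip_range_list=()):
    """Return the sources an agent may query, given its location and address."""
    if location == "external":
        return [GLOBAL_SPN]
    address = ipaddress.ip_address(agent_ip)
    for cidr, servers in ip_range_list:          # "Based on IP range"
        if address in ipaddress.ip_network(cidr):
            return list(servers)
    return list(standard_list)                   # assumption: fall back to standard list


def pick_source(candidates, rng=random):
    """'Random' load balancing: choose uniformly among the candidates."""
    return rng.choice(candidates)


def single_points_of_failure(standard_list, ip_range_list=()):
    """List the scopes whose agents can reach fewer than two servers."""
    weak = []
    if len(set(standard_list)) < 2:
        weak.append("standard list")
    weak += [cidr for cidr, servers in ip_range_list if len(set(servers)) < 2]
    return weak


if __name__ == "__main__":
    # An agent on a remote link that reaches none of the known servers.
    where = classify_location("connection_status", reachable=set(),
                              known_servers=KNOWN_SERVERS)
    print(where, candidate_sources(where, "10.20.5.9", STANDARD_LIST, IP_RANGE_LIST))
    print("Fewer than two servers:", single_points_of_failure(STANDARD_LIST, IP_RANGE_LIST))
```

The model makes two operational points visible: an agent that cannot reach any reference server sends its queries to the global network instead of the local servers, and an IP range mapped to a single server has no redundancy.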
Avoid performing Manual Scans and Scheduled Scans simultaneously. Stagger the scans in
groups.
Customize Smart Protection Servers for slower network connections, about 512 Kbps, by
making changes to the ptngrowth.ini file.
1. Open the ptngrowth.ini file in <Server installation folder>\PCCSRV\WSS\.
2. Modify the ptngrowth.ini file using the recommended values below:
[COOLDOWN]
ENABLE=1
MAX_UPDATE_CONNECTION=1
UPDATE_WAIT_SECOND=360
3. Save the ptngrowth.ini file.
4. Restart the Trend Micro Smart Protection Server service.
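An added example (not part of the original guide) that checks copies of three files the guide edits by hand: the Timeout directive in httpd.conf, DBE_ENGINE in ofcserver.ini, and the [COOLDOWN] values above. File contents are constructed samples; the [COOLDOWN] values are the guide's recommendation for slow links only, and treating key names as case-insensitive is an assumption.

```python
import re

# Values taken from the guide text.
DB_ENGINES = {"1001": "CodeBase", "1002": "SQL Server"}
COOLDOWN_SLOW_LINK = {"ENABLE": "1", "MAX_UPDATE_CONNECTION": "1",
                      "UPDATE_WAIT_SECOND": "360"}
APACHE_TIMEOUT = 600

# Constructed sample file contents.
SAMPLE_OFCSERVER = "[INI_DBE_ENGINE_SECTION]\nDBE_ENGINE=1002\n"
SAMPLE_PTNGROWTH = "[COOLDOWN]\nENABLE=1\nMAX_UPDATE_CONNECTION=3\n"
SAMPLE_HTTPD = "# Timeout 600\nKeepAliveTimeout 15\nTimeout 300\n"


def read_ini(text):
    """Tolerant INI reader: {SECTION: {KEY: value}}; comment lines are skipped."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
            data.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            data[section][key.strip().upper()] = value.strip()
    return data


def database_engine(ofcserver_ini):
    """Name the database type selected by DBE_ENGINE in ofcserver.ini."""
    value = read_ini(ofcserver_ini).get("INI_DBE_ENGINE_SECTION", {}).get("DBE_ENGINE")
    return DB_ENGINES.get(value, f"unknown ({value})")


def cooldown_findings(ptngrowth_ini):
    """Return {key: current value} for each [COOLDOWN] key that differs (None if missing)."""
    section = read_ini(ptngrowth_ini).get("COOLDOWN", {})
    return {key: section.get(key)
            for key, wanted in COOLDOWN_SLOW_LINK.items()
            if section.get(key) != wanted}


def apache_timeout(httpd_conf):
    """Value of the last active Timeout directive, or None if there is none.

    Commented-out lines and other directives ending in "Timeout" are ignored.
    """
    hits = re.findall(r"^[ \t]*Timeout[ \t]+(\d+)", httpd_conf, flags=re.I | re.M)
    return int(hits[-1]) if hits else None


def audit(ofcserver_ini, ptngrowth_ini, httpd_conf):
    """Collect human-readable findings for the three files."""
    findings = [f"database: {database_engine(ofcserver_ini)}"]
    for key, current in cooldown_findings(ptngrowth_ini).items():
        findings.append(f"ptngrowth.ini {key}={current}, guide value for slow links is "
                        f"{COOLDOWN_SLOW_LINK[key]}")
    timeout = apache_timeout(httpd_conf)
    if timeout != APACHE_TIMEOUT:
        findings.append(f"httpd.conf Timeout is {timeout}, guide value is {APACHE_TIMEOUT}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OFCSERVER, SAMPLE_PTNGROWTH, SAMPLE_HTTPD):
        print(finding)
```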
The majority of the product's default configurations provide substantial security while taking
server and network performance into consideration. The recommendations noted below are alternatives
that can be used as an additional reference to either enhance security or achieve better
performance.
The following notifications in the UI show that these features are turned off by default.
To turn on these features, administrators should go to Agents > Agent Management > Settings >
Additional Service Settings and enable the service for the feature they intend to use.
Administrators can enable the Unauthorized Change Prevention Service on a single server
platform through Additional Service Settings. Administrators can also enable or disable the
Unauthorized Change Prevention Service on workstations by selecting a root/domain/single
agent/multi-select agent.
Meerkat is used to prevent zero-day attacks from a software program. It displays a notification or
alert if a user downloads a zero-day program through an HTTP channel or email application and
then executes the program within 24 hours.
Defer scan improves the performance of file copy operations. This feature is integrated with VSAPI
9.713 or higher. Originally, OfficeScan's scan engine performed two (2) scans during a file copy
operation. The defer scan option adds one file scan to the scan queue and defers the other.
Enabling it improves file copy performance.
SECURITY
COMPLIANCE
Enabled
Scheduled Report
SECURITY
COMPLIANCE
Scheduled Report
Define
Scope
UNMANAGED
Advanced
ENDPOINTS
Settings
Active
Directory
Scope
IP Address
Scope
Specify
Ports
Declare a
computer
unreachable
by checking
port
Port 135
Another port can be chosen but make sure it is a common
port that will be available on all the computers.
Enabled
Settings
Conventional Scan
SCAN
METHOD
Smart Scan
Enabled
Selecting All Scannable Files improves security by only
scanning all files known to potentially carry malicious code.
Using this setting also allows you to utilize True File Type
scanning.
Files to scan:
All Scannable
Scan Hidden
Folders
Enabled
Enabled
Scan Network
Drive
Scan
Settings
Enabled
Scan compressed
files
MANUAL
SCAN
SETTINGS
Detect exploit
code in OLE files
Virus/Malware Settings only |
Scan Boot Area
Scan
Exclusions
Enable Scan
Exclusion
Enabled
Apply scan
exclusion settings
to all scan types
Disabled
Exclude
directories where
Trend Micro
products are
installed
Enabled
Enabled
Use Active Action
Virus/
Malware
MANUAL
SCAN
SETTINGS
Damage
Cleanup
Services
Customize action
for probable
virus/malware
Back up files
before cleaning
Enabled
Advanced cleanup
Enabled
Enabled
Spyware/Grayware | Clean
Enabled
Enabled
Enabled
Created/modified and retrieved
REALTIME
SCAN
SETTING
Disabled
Scan Network
Drive
Enabled
Enabled
Scan
Settings
Scan Compressed
Files
REALTIME
SCAN
SETTING
Detect exploit
code in OLE files
Scan
Exclusion
Enable Scan
Exclusion
Enabled
Apply scan
exclusion settings
to all scan types
Disabled
Exclude
directories where
Trend Micro
products are
installed
Enabled
Enabled
Use Active Action
Customize action
for probable
virus/malware
Virus/
Malware
Display a
notification
message on the
agent computer
when
virus/malware is
detected
Display a
notification
message on the
agent computer
when probable
virus/malware is
detected
REALTIME
SCAN
SETTING
Disabled
Turn off this setting so that end users do not see pop-up
messages, which can generate helpdesk calls.
Disabled
Turn off this setting so that end users do not see pop-up
messages, which can generate helpdesk calls.
Enabled
Enabled
Clean
Enabled
Spyware/
Grayware
Display a
notification
message on the
agent computer
when
virus/malware is
detected
Disabled
Turn off this setting so that end users do not see pop-up
messages, which can generate helpdesk calls.
Enabled
Enable Virus / Malware Scan
SCHEDULED
SCAN
SETTINGS
Scan compressed
files
Scan
settings
Enabled
Enabled
CPU Usage | Medium
Scan
Exclusions
Enabled
Disabled
Enabled
Enabled
Use Active Action
Virus/
Malware
Display a notification
message on the agent
computer when
virus/malware is detected
Display a notification
message on the agent
computer when probable
virus/malware is detected
Damage
Cleanup
Services
Enabled
Advanced cleanup
Enabled
Enabled
SCHEDULED
SCAN
SETTINGS
Spyware/
Grayware
Clean
Enabled
Display a notification
message on the agent
computer when
virus/malware is
detected
Enabled
Turn off this setting so that end users do not see
pop-up messages, which can generate helpdesk
calls.
Enabled
Enabled
Enabled
SCAN NOW
SETTINGS
Scan
Settings
Scan
Exclusion
Enabled
Disabled
Exclude directories
where Trend Micro
products are installed
Enabled
Enabled
Use Active Action
SCAN NOW
SETTINGS
Virus/
Malware
Enabled
Customize action for
probable virus/malware
Damage
Cleanup
Services
UPDATE
AGENT
SETTINGS
Advanced Cleanup
Enabled
Enabled
Spyware/Grayware |Clean
Enabled
Component Updates
Enabled
Domain Settings
Enabled
Enabled
Disabled
Roaming
Enable Scan Exclusion | Enable
Roaming mode
Scans
PRIVILEGES
AND
OTHER
SETTINGS
Disabled
Skip and stop scheduled
Scan
Firewall
(if you
have
firewall
activated)
Enabled
Allow users to
enable/disable the firewall,
Intrusion Detection
System, and the firewall
violation notification
message
Disabled
Disabled
Disabled
Mail Scan | Display the Mail Scan tab
on the agent console
PRIVILEGES
AND
OTHER
SETTINGS
Enabled
Update Settings
OfficeScan agents
download updates
from the Trend
Micro ActiveUpdate
Server
Enable Scheduled
Updates on
OfficeScan agents
PRIVILEGES
AND
OTHER
SETTINGS
OfficeScan agents
can update
components but not
upgrade the agent
program or deploy
hot fixes
OfficeScan
agent Self-protection
Protect OfficeScan
agent services
Enabled
Enabled
Protect OfficeScan
agent registry keys
Enabled
Protect OfficeScan
agent processes
Enabled
PRIVILEGES
AND
OTHER
SETTINGS
Disabled
Disabled
Enable the on-demand scan cache
Disabled
PRIVILEGES
AND OTHER
SETTINGS
Enabled
Enabled
Firewall Service
ADDITIONAL
SERVICES
Enabled
Enable Web
Reputation Policy
on the following
operating systems
External
Agents Tab
Enable
assessment
Check HTTPS
URLs
Enabled
Disabled
WEB
REPUTATION
SETTINGS
Scan common
HTTP ports only
Enabled
Agent Log | Allow agents to Send
Logs to the OfficeScan Server
Internal
Agents
Tab
WEB
REPUTATION
SETTINGS
Enable Web
Reputation Policy
on the operating
systems
Enabled
If web security is already in place on the gateway, this may
be turned off.
Enable assessment
Disabled
Administrators can enable assessment to monitor the type
of detections before deploying Web Reputation. When
assessment is turned on, OfficeScan will not take any
action.
Enabled
Scan common
HTTP ports only
Disabled
When disabled, WRS will scan all HTTP URLs regardless
of their port information. If enabled, only URLs with no
port information or those that point to ports 80, 81, or
8080 will be scanned.
Send queries to
Smart Protection
Servers
Enabled
Agents will send queries to Smart Protection Servers.
Make sure they are available. If this option is disabled,
agents will need internet access to reach the Trend
Micro Smart Protection Network. If an agent does not have
web access, it will use the approved/blocked web site list
as the only web reputation data.
Enabled
Internet traffic usage is lowest and browsing information is kept
in house. When combined with the option Use only Smart
Protection Servers, do not send queries to Smart
Protection Network checked, the security level is always
Low.
Enabled
Enabled
Enabled
Enabled
Depending on security requirements, you may or may not
want to monitor what sites are being blocked on the agent
side. On the other hand, turning this on will generate
traffic between server and agents.
Enabled
Disabled
Known Threats
Enable Malware Behavior Blocking for known
and potential threats
Exceptions (Approve/Block)
The Assess action will log events that violate the policy
but will not take action. To avoid interfering with normal
activity, it is recommended that administrators start with
this action set for all policies. This would help them
define the proper action they need to take once data is
available.
Assess
Assess
Suspicious Behavior
Assess
Assess
Assess
Assess
Assess
Shell Modification
Assess
New Service
Assess
Assess
Assess
Assess
Assess
Enabled
Enabled Device Control
Storage
Devices
CD/DVD
Full Access
Floppy Disks
Full Access
Network Drives
Full Access
Full Access
Program
Lists
External
Agents
Tab
Programs on storage
devices that are
allowed to execute
Enabled
Enable this when Device Control Access is not set
to Full Access to avoid causing confusion to users
as to why they cannot access their drives fully.
Enabled
Internal
Agents
Tab
Storage
Devices
Program Lists
CD/DVD
Full Access
Floppy Disks
Full Access
Network Drives
Full Access
USB storage
devices
Full Access
Programs on
storage devices that
are allowed to
execute
Enabled
Enable this when Device Control Access is not set
to Full Access to avoid causing confusion to users
as to why they cannot access their drives fully.
DNS domain
In Automatic Agent Grouping, administrators can create agent groupings according to Active Directory or
IP. On the other hand, performing scheduled domain creation creates a domain in the agent tree. This may
take a long time to complete, especially if the scope is broad. However, this does not move existing agents
to this domain. Custom agent grouping must be used.
To move the agents, refer to manually sorting agents. OfficeScan can also move agents automatically when the
following events occur:
Agent installation
Agent reload
Scan
Settings
Disabled
Enable this function to allow users to right-click on files or
folders to perform a manual scan.
Enabled
Prevent OfficeScan database from getting corrupted.
Enabled
Prevent OfficeScan from interfering with the mails being
processed by the Exchange server and the antivirus that
scans the mail traffic.
Disabled
This option can be enabled to help improve performance
of file copy operation.
Enabled
Configure scan settings for large
compressed files
Real-time scan
Manual Scan/
Scheduled Scan/
Scan Now
Scan
Settings for
Large
Compressed
Files
2 MB
In a compressed file,
scan only the first X
files
10 files
30 MB
In a compressed file,
scan only the first X
files
100 files
Enabled
Enabled
Scheduled
Scan
Settings
Disabled
Enabled
Enabled
Enabled
Firewall
Settings (If
you have
firewall
activated)
30
Automatically allow program if agent
does not respond within X seconds.
Behavior
Monitoring
Settings
Disabled
Enabled
10
60
Heartbeat
Enabled
Show the alert icon on the Windows
taskbar if the virus pattern file is not
updated after X days
Only agents in the unreachable network should
send heartbeats since other agents would be
connected to the server.
Enabled
Alert Settings
Display a notification message if the
agent computer needs to restart to
load a kernel mode driver
OfficeScan
Service
Restart
Enabled
1 minute
6 times
1 hour
Enabled
Endpoint
Location
Optional
Enabled Daily at 10:30am
Connection
Verification
Enable
Log
Maintenance
Logs to Delete
Update Schedule
Initiate component
update on agents
immediately after
the OfficeScan
Server downloads a
new component
Enabled
Disabled
Updates |
Agents
Agent
Automatic
Updates
Include roaming
agent(s)
Let agents initiate
component update
when they restart
and connect to the
OfficeScan Server
(roaming agents are
excluded)
Enabled Disabled
Perform Scan Now after update
(excluding roaming agents)
Schedule-based Update
Standard Update
Source
Customized Update
Source | Update
Agents update
components, domain
settings, and agent
programs and hot fixes,
only from the
OfficeScan server
Updates |
Agents
Agent
Update
Source
Enabled
Enable this to have Update Agents always update
from the OfficeScan server.
Disabled
Components
Domain Settings
OfficeScan agent
programs and hot fixes
Standard
Notifications
Virus/Malware | Send
notifications only when the
action on the virus/malware is
unsuccessful
Enable
Spyware/Grayware | Send
notifications only when the
action on the virus/malware is
unsuccessful
Enable
Virus/
Malware
Spyware/
Grayware
Outbreak
Notifications
Firewall
Violations
Shared Folder
Session
Unique Sources
Detections
100
Time Period
24 hrs.
Unique Sources
Detections
100
Time Period
24 hrs.
Monitor
Firewall
violations on
networked
computers
Enabled
IDS Logs
100
Firewall Logs
100
Network Virus
Logs
100
Time Period
1 hr.
Monitor Shared
Folder session
on your
network
Enabled
Shared Folder
Sessions
100
Time Period
3 min
User Accounts are used to log on to the OfficeScan web console. These accounts are assigned privileges
as deemed appropriate. Use this section to add custom accounts or Active Directory accounts.
User Roles define a list of operations that a user can perform. These operations are roughly tied to
the navigation menu. Use this section to assign, create, or modify roles for a user or a Windows group.
This gives the account permission to perform the operations defined in that group.
Internal
Agents
Integrated Server
Enabled
Enabled
Enabled
Enabled
Enabled
Update Settings | Enable scheduled updates
Disabled
Active
Directory
Integration
Internal
Proxy
Settings
Disabled
This should be disabled all the time unless the
OfficeScan agents require connection to an intranet
proxy to communicate with the OfficeScan server.
Disabled
This should be disabled all the time unless the
OfficeScan agents require connection to an intranet
proxy to communicate with the local Smart
Protection Server.
Enabled
Enable this option and fill out the fields when a proxy
server is required to download updates from the
internet.
Enabled
Fill this out if the proxy server used requires
authentication credentials.
Enabled
Inactive
Agents
7 days
10240 MB
5 MB
Quarantine
Manager
Web
Console
Settings
Enabled
Set it for 30 seconds.
Enabled
Set it for 30 minutes.
Daily at 3 AM
Database
Backup
OfcScan.ini
The parameters below can be added or edited to further improve the performance of the OSCE server.
The following sections only apply to OfficeScan itself. This does not include plug-ins and
Integrated Scan Server backup. Customers who have OfficeScan with Integrated Scan Server
should not follow these steps.
The OfficeScan server can be set to automatically back up the agent database information. This is
configurable in the web-based management console under Administration > Database Backup.
This process copies all database files under [<drive>:\Program Files\Trend Micro\
OfficeScan\PCCSRV\HTTPDB] to either a local or remote location.
It is recommended to do a daily backup, especially during agent deployment. The schedule can be
changed to weekly after the deployment is complete. It is also recommended to configure the
backup to start at 2:00 AM, when agent interaction is minimal and the process does not coincide
with other OfficeScan scheduled tasks. It is recommended to use the OfficeScan built-in backup
function to back up the database. Using a third-party application to back up the database may cause
system instability or database corruption.
It is also recommended to manually back up the OfficeScan server configuration files which can
be used to recover from a server disaster.
In the event of server corruption, the OfficeScan server settings can be restored by following the procedure
below. This procedure assumes that the OfficeScan server is being restored to the same host, using the
same FQDN and IP address.
1. Stop the OfficeScan Master Service and WWW Publishing Service.
2. Restore the backup database files under [<drive>:\Program Files\Trend Micro\OfficeScan\
PCCSRV\HTTPDB].
3. Restore the OfficeScan server and Firewall policy configurations:
\ Private \ vdi.ini
4. At the command prompt, go to the \Program Files\Trend Micro\OfficeScan folder and run the
command srvsvcsetup.exe setprivilege.
5. Restart the OfficeScan Master Service and WWW Publishing Service. Restore OfficeScan
certificate by importing it during installation. In the example above, certificate.zip is the file that
needs to be selected to import the certificates.
Trend Micro OfficeScan protects enterprise networks from malware, network viruses, web-based
threats, spyware, and mixed threat attacks. Behavior Monitoring and Device Control are some of
the new OfficeScan features that proactively aim to prevent malware attacks.
This document aims to increase knowledge about Behavior Monitoring and Device Control and
help readers avoid potential issues during deployment.
Behavior Monitoring constantly monitors endpoints for unusual modifications to the operating
system or installed software. Behavior Monitoring is composed of the following sub-features:
Event Monitoring
Malware Behavior Blocking provides a necessary layer of additional threat protection from
programs that exhibit malicious behavior. It observes system events over a period of time and as
programs execute different combinations or sequences of actions, Malware Behavior Blocking
detects known malicious behavior and blocks the associated programs. Use this feature to ensure
a higher level of protection against new, unknown, and emerging threats.
A new option, Known and potential threats, provides a more aggressive scan mode with a higher
malware detection rate.
In this mode, the system queries DCE and Census. The product calls DCE to perform a
memory scan and decide the scan action. It also queries the Census back-end server and then
feeds back the action.
Path: \PC-cillinNTCorp\CurrentVersion\AEGIS
Key: EnableTDC (Value: 1-Aggressive; 0-Normal)
Event Monitoring provides a more generic approach in protecting against unauthorized software
and malware attacks. It uses a policy-based approach where system areas are monitored for certain
changes, allowing administrators to regulate programs that cause such changes.
Refer to the Event Monitoring policies and perform the configured action
Use Event Monitoring if you have specific system protection requirements that are
above and beyond what is provided by Malware Behavior Blocking
Administrators can choose to perform one of the following actions to respond to monitored
events:
Assess: Always allow processes associated with an event but record this action in the logs for
assessment
Here is a sample log entry recorded when a process violated the Shell Modification policy:
2012/2/12 12:31 ComputerName Shell Modification Assess Process Low C:\kh\notes\nlnotes.exe
Create HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
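The following added example, which is not from the guide or from Trend Micro, shows how Assess-mode logs like the line above can be summarized per policy and program before choosing enforcement actions or exception-list entries. It assumes the logs were exported as header-less CSV with columns in the order of the sample line; the column names, the `min_computers` threshold, and every row except the first are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Column order follows the sample log line on this page.
# The names themselves are labels chosen for this example (assumption).
COLUMNS = ["time", "computer", "policy", "action", "event_type",
           "risk", "program", "operation", "target"]

# Constructed sample export. Row 1 is the page's sample line; all other
# rows (including the deliberately truncated one) are made up.
SAMPLE_LOG = r"""2012/2/12 12:31,ComputerName,Shell Modification,Assess,Process,Low,C:\kh\notes\nlnotes.exe,Create,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
2012/2/12 12:40,PC-002,Shell Modification,Assess,Process,Low,C:\kh\notes\nlnotes.exe,Create,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
2012/2/12 13:05,PC-002,Shell Modification,Assess,Process,Low,c:\KH\notes\NLNOTES.EXE,Create,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
2012/2/12 13:10,PC-003,Shell Modification,Assess,Process,Low,C:\kh\notes\nlnotes.exe,Create,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
truncated row,PC-004
2012/2/13 09:02,PC-007,New Service,Assess,Process,Low,C:\Temp\example-updater.exe,Create,HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc
"""


def parse_events(text):
    """Return one dict per well-formed row; rows with the wrong column count are skipped."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(COLUMNS):
            continue
        events.append(dict(zip(COLUMNS, (cell.strip() for cell in row))))
    return events


def summarize_assess(events):
    """Group Assess events by (policy, program path).

    Windows paths are case-insensitive, so the program path is lowercased
    to keep the same binary from being counted as two programs.
    """
    summary = defaultdict(lambda: {"hits": 0, "computers": set(), "targets": set()})
    for ev in events:
        if ev["action"].lower() != "assess":
            continue
        entry = summary[(ev["policy"], ev["program"].lower())]
        entry["hits"] += 1
        entry["computers"].add(ev["computer"].lower())
        entry["targets"].add(ev["target"])
    return dict(summary)


def triage(summary, min_computers=3):
    """Split the summary into two lists of (policy, program, hits, computers).

    widespread: seen on at least min_computers endpoints, so probably a
                business application to evaluate for the exception list.
    review:     seen on fewer endpoints, so look at the program and target
                before changing the policy action or approving anything.
    The threshold is an assumption of this example, not a product setting.
    """
    widespread, review = [], []
    for key in sorted(summary):
        entry = summary[key]
        item = (key[0], key[1], entry["hits"], len(entry["computers"]))
        if len(entry["computers"]) >= min_computers:
            widespread.append(item)
        else:
            review.append(item)
    return widespread, review


if __name__ == "__main__":
    widespread, review = triage(summarize_assess(parse_events(SAMPLE_LOG)))
    for label, items in (("Exception-list candidates", widespread),
                         ("Review before acting", review)):
        print(label)
        for policy, program, hits, computers in items:
            print(f"  {policy:20} {program}  hits={hits} computers={computers}")
```
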
1. Go to Agents > Agent Management > Settings > Behavior Monitoring Settings.
2. Select the following options to enable Malware Behavior Blocking or Event Monitoring:
Enable Malware Behavior Blocking for known and potential threats (workstation
default: on; server default: off )
3. Behavior Monitoring settings can be applied to specific entities in the client tree or all entities
(root). If you are applying settings to the root, select one of the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client
added to an existing/future domain (domains not yet created during configuration).
Apply to Future Domains Only: Applies settings only to clients added to future
domains. This option will not apply settings to new clients added to an existing
domain.
To enable this feature on a server computer, select an individual server and go to Agent > Agent
Management > Settings > Additional Services Settings.
In OfficeScan 11.0, AEGIS provides an enhancement called Light-Weight Solution, which focuses
on agent self-protection, including agent services, processes, and registry keys.
Device Control regulates access to external storage devices and network resources. Device
Control helps prevent the propagation of malware on removable drives and network shares.
Combined with file scanning, it helps guard against security risks.
Notification messages are displayed on the endpoints when device control violations occur.
Administrators can modify the default notification message.
In OfficeScan 11.0, the Device Control function integrates both the AEGIS feature and the DLP feature to
control storage devices. AEGIS device control and DLP device control play different roles. For
instance, different privileges can be set on USB storage devices. AEGIS device control handles
the following privileges: Modify, Read and execute, Read, and List device content only. The Block
privilege is handled by DLP Device Control.
Furthermore, DLP Device Control supports one more device type: mobile devices. This
includes smartphones and pads, and sync apps such as iTunes and htcsync.
Device Control supports several kinds of devices. The following sections use USB storage as an example to
show how it works in the following environments:
To activate this feature, users must enable the Unauthorized Change Prevention Service (Agents >
Agent Management > Settings > Additional Service Settings) and Device Control (Settings >
Device Control Settings) for the OfficeScan agent. OfficeScan only monitors USB storage devices
when the DLP module is not activated.
Here is what Device Control can do with a USB device:
Enabling the Block the auto-run function on USB storage devices option lets OfficeScan
prohibit USB storage auto-run. It does not permit USB storage to execute autorun.inf and pop up
the content of the storage. Some viruses use autorun.inf to infect the system.
Select the permission for accessing USB storage devices. Device Control only provides the Full
access, Modify, Read and execute, Read, and List device content only access permissions to
choose from.
For detailed information about the action of different permission, refer to Permissions for storage
devices in OfficeScan Online Help.
Use Program List to exempt specified programs and certificate providers from the permission.
Add local programs to the Programs with read and write access to storage
devices list to give them read and write access permission. For example, add
c:\windows\system32\notepad.exe to the Programs with read and write access to storage
devices list so that users can open and modify it.
For detailed usage of this functionality and how users can add the file path, refer to Advanced
Permissions for Storage Devices and Specifying a Program Path and Name in
OfficeScan Online Help.
Add programs on storage devices to the Programs on storage devices that are allowed to execute
list so that users or the system can execute them.
Select whether to display a notification message on the client computer when OfficeScan detects
unauthorized device access.
If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the
domain(s) or client(s). If you selected the root icon, choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client added to an
existing/future domain. Future domains are domains not yet created at the time you configure
the settings.
Apply to Future Domains Only: Applies settings only to clients added to future domains.
This option will not apply settings to new clients added to an existing domain.
To enable this feature, users must install the OfficeScan Data Protection plug-in and activate it, then
enable the Unauthorized Change Prevention Service and Device Control for the OfficeScan agent.
The UI of Device Control Settings is different from the previous one.
The Block permission is activated by iDLP. This section focuses on the functions that iDLP has added
to Device Control Settings for USB devices.
With Data Protection (iDLP) installed, OfficeScan offers more functionality for USB access.
Besides keeping the functions of Device Control, iDLP adds the following items.
Allow or block access to mobile devices. iDLP adds one control item for
smartphones and pads. The major purpose of adding the mobile device item is to allow iDLP to disable
access when people connect a smartphone or pad, with or without a sync app.
For the detailed list of supported mobile devices, go to the Device Control Settings console and click
Supported Device Models > Data Protection List.
Permissions for USB storage devices allows blocking access to USB storage devices.
However, two permissions in this list, the Read and Block permissions, are controlled by iDLP.
Since iDLP controls these two permissions, users can add whitelists to them.
Select Read permission and click Advanced permissions and notifications.
It provides the user a way to add a specified device by using its vendor, model, and serial ID from
the system device management to iDLP whitelist. If the device is in the whitelist, all the access
action for this device will be allowed.
Trend Micro also provides a tool called listDeviceInfo.exe containing the parameters for a USB storage
device. It shows the device information on a pop-up web page. Users can find the listDeviceInfo.exe on
the server folder ..\pccsrv\admin\utility.
To add the specified device, the vendor parameter is required on the page. However, if the system cannot read
the device's vendor information, add * and the other parameters that listDeviceInfo provides. This also
puts the device in the whitelist.
If users choose the Block permission, users can add specified USB storage devices into whitelist by
clicking Approved devices on the right side.
Users can configure the permission (except Full access) they want for a device by clicking Advanced
permissions and notifications. It also has Program lists function for the devices.
When the Unauthorized Change Prevention Service is disabled while the Device Control is
enabled, only the functionality of iDLP will work.
For USB storage devices, the following permissions in the list work: Full access, Read, and Block.
The Advanced permissions and notifications of the Read permission will all work properly.
The Approved devices of Block permission will partly work. It means that users can add the
specified device to whitelist (vendor, model, and serial ID). However, user cannot assign other
permissions to this device except Full access.
Since other permissions are controlled by the Unauthorized Change Prevention Service, Program lists
under Advanced permissions and notifications does not work either.
If OfficeScan encounters a violation of USB access and Display a notification on endpoints when
OfficeScan detects unauthorized device access is checked, OfficeScan agent will pop an alert for this
access action.
Logs of the USB access violation will appear similar to the image below:
The Behavior Monitoring and Device Control features both use the Trend Micro Unauthorized
Change Prevention Service (running under the process name TMBMSRV.EXE). These features
use TMBMSRV.EXE to monitor for system events and check these events against rules to
determine whether certain application activities are unwanted.
TMBMSRV.EXE delivers highly beneficial behavior-based security functionality, particularly the
capability to check applications for suspicious behavior (Behavior Monitoring) and control access
to storage devices (Device Control). Its monitoring mechanism, however, can strain system
resources, especially when the computer is running applications that cause numerous system
events. To prevent impacting system performance, Trend Micro recommends configuring
OfficeScan so that these system-intensive applications are not monitored by TMBMSRV.EXE.
Running TMBMSRV.EXE and system-intensive applications on the same computer can affect
system performance and disrupt critical applications. Thus, a properly managed deployment of
Behavior Monitoring and Device Control is recommended.
To ensure smooth deployment of OfficeScan with Behavior Monitoring and Device Control:
Better understanding of the implications of deploying the new Behavior Monitoring and
Device Control features
List of applications that can be added to the Behavior Monitoring exception list
When setting up the pilot environment, prepare an environment that matches the production
environment as closely as possible.
Business applications
Custom applications
All network applications used by groups or individuals (such as payroll, inventory, accounting,
and database applications)
Deploy the OfficeScan agents into the pilot environment with the features intended to be enabled. For
example, Behavior Monitoring and Device Control may both be enabled.
Allow the pilot environment to run for a reasonable amount of time (give sufficient soak time) with the
standard applications running and with average daily use.
Trend Micro provides a standalone performance tuning tool to help identify applications that could
potentially cause a performance impact. The TMPerfTool tool, available from Trend Micro Technical
Support, should run on a standard workstation image and/or a few target workstations during the pilot
process to preempt performance issues in the actual deployment of Behavioral Monitoring and Device
Control.
To identify system intensive applications:
1. Unzip the TMPerfTool.zip file.
2. Place the TMPerfTool.exe file in the OfficeScan default installation folder
(%ProgramDir%/Trend Micro/OfficeScan agent) or in the same folder as the TMBMCLI.dll file.
3. Double-click TMPerfTool.exe.
4. Click Analyze when the system or applications start to slow down. If a red highlighted row
appears, it means that the TMPerfTool found the system-intensive process.
5. Select the highlighted row and click Exclude.
6. After excluding the process, verify if the system or application performance improves. If the
performance improves, select the process row again and click Include.
7. If the performance drops again, it means you found a system-intensive application. Perform the
following:
a) Note the name of the application.
b) Click Stop.
c) Click Report and save the .xml file in your specified folder.
d) Review the applications that have been identified as conflicting and add the applications
to the Behavior Monitoring exception list.
The Behavior Monitoring exception list is a user-configurable list of approved and blocked
programs that are not monitored by Behavior Monitoring and Device Control. These features
automatically allow approved programs to continue. Approved programs are still checked by other
OfficeScan features. Blocked programs are never allowed to run.
Trend Micro strongly recommends adding system-intensive applications to the Behavior
Monitoring exception list to reduce the likelihood of performance issues. System-intensive
applications can cause TMBMSRV.EXE to consume very high amounts of CPU
resources and disrupt critical applications.
4. If you selected domain(s) or client(s) on the client tree, click Save to apply settings to the
domain(s) or client(s). If you selected the root icon, choose from the following options:
Apply to All Clients: Applies settings to all existing clients and to any new client
added to an existing/future domain. Future domains are domains not yet created at
the time you configure the settings.
Apply to Future Domains Only: Applies settings only to clients added to future
domains. This option will not apply settings to new clients added to an existing
domain.
To prevent TMBMSRV.EXE from affecting performance, disable the service itself or disable both
Behavior Monitoring and Device Control.
1. Go to Agents > Agent Management > Settings > Behavior Monitoring Settings.
2. Deselect the following options:
Enable Malware Behavior Blocking for known and potential threats.
Enable Event Monitoring
3. If you selected domains or clients on the client tree, click Save to apply settings to those. If
you selected the root icon, choose from the following options:
Disable Behavior Monitoring and Device Control by stopping the Trend Micro Unauthorized
Change Prevention Service (TMBMSRV.EXE). Perform this task directly on each endpoint.
DLP agents should be deployed without any policies enabled. Proper testing of policies is suggested
before pushing them out to the production environment. Poorly configured and tested policies may
disrupt daily work routines and may result in computers flooding the OfficeScan server with large
numbers of false positives.
To determine the amount of disk space needed for the server, you must decide if there is a need to
capture the files when a policy violation occurs. The files captured during the violation are referred to as
forensic data. Capturing forensic data allows you to identify quickly why the alert
occurred and if it was a false positive. While the forensic data function is helpful when tuning policies,
users can still gather this information by reviewing the alerts. The alerts contain the path to the file that
triggered them.
The Data Protection module can be installed on a pure IPv6 Plug-in Manager. However, only the Device
Control feature can be deployed to pure IPv6 agents. The Data Loss Prevention feature does not work on
pure IPv6 agents.
3. On the Plug-in Manager screen, go to the plug-in program section and click Manage Program.
The Product License New Activation Code screen appears. Activating the OfficeScan Data
Protection License is required right after the installation.
4. A message displays, indicating the number of agents that have not installed the module.
Click Yes to start the deployment. OfficeScan agents start to download the module.
By default, the module is disabled on Windows Server 2003, Windows Server 2008, and Windows Server
2012 to prevent affecting the performance of the host machine.
Data Protection now supports x64 environment.
Online agents install the Data Protection module immediately. Offline and roaming agents install the
module when they become online.
Users must restart their computers to finish installing Data Loss Prevention drivers. Inform users about
the restart ahead of time.
In the agent tree, select a domain or an agent, check the Data Protection Status column. The deployment
status should be "Running".
Exercise 1: On the OfficeScan client, open CMD with administrator privileges and run the command "sc
query dsasvc". The state should be "Running".
Configure data identifiers first, then define your own Templates. Navigate to Agents > Agent
Management > Select the targets > Settings > DLP settings.
Data identifiers include the following:
Choose a data identifier or use a pre-defined data identifier. Afterwards, OfficeScan can
import or export templates by doing any of the following:
Go to Agents > Agent Management > Select the targets > DLP settings > Templates
> Add > Add Template.
Go to Agents > Data Loss Prevention > DLP Templates > Add.
To investigate the forensic data blocked by OfficeScan, a Control Manager 6.0 server is required.
Only users who have appropriate permission in Control Manager server have access to forensic
data.
Follow the Control Manager Administrator's Guide to set up a Control Manager server.
1. Register OfficeScan 11.0 to Control Manager server via Administration > Settings > Control
Manager. A successful OfficeScan registration should show a page similar to the following:
Create a DLP policy by following the OfficeScan Online Help section about Creating a
Data Loss Prevention Policy.
7. Log on with an account with DLP review permission to check the forensic data.
Forensic data in OfficeScan server is encrypted and placed in the folder
..\PCCSRV\Private\DLPForensicData. The data will also be uploaded in DLP Incident
Investigation tab on Control Manager Dashboard.
8. Widgets show a number of incidents detected. Click the number to see the details.
9. Click Edit on the Incident Information pop-up that you want to investigate.
You can view the details of the incidents and download the blocked file:
10. Click the Incident Information link, which leads to the detailed logs of the incidents.
IPv6 support for OfficeScan starts in this version. Previous OfficeScan versions do not support IPv6
addressing. IPv6 support is automatically enabled after installing or upgrading the OfficeScan server and
agents that satisfy the IPv6 requirements.
The agent must be installed on: Windows 7, Windows 8 or 8.1, Windows Server 2008, Windows Server 2008
R2, Windows Server 2012, Windows Server 2012 R2, and Windows Vista.
It cannot be installed on Windows Server 2003 and Windows XP because these operating systems only
support IPv6 addressing partially.
The process starts with the OfficeScan server downloading update packages. The server can be configured to
get updates from several locations:
Trend Micro Active Update Server (Internet): This is the default method. It uses a standard HTTP GET
request to download update packages from the Internet. This only requires the HTTP port (80) to be open
from the OfficeScan server to the Internet. This can be triggered manually or on a scheduled basis (Hourly,
Daily, Weekly, or Monthly). The recommended setting is Hourly.
Trend Micro Control Manager (TMCM) server: Control Manager notifies the OfficeScan server when
an update is available for download. OfficeScan will then check its Update Source (Updates > Server Update
> Update Source) setting to know where it should download the package via HTTP. By default, the Update
Source is set to the Internet (Trend Micro Active Update server). This can be pointed to the Control
Manager server if desired (i.e. http://<server fqdn or ip address>/tvcsdownload/activeupdate).
Custom Update Source (Other update source): This is similar to the Internet update method, except that
the admin re-creates an Active Update (web) server and sets the OfficeScan server to point to the HTTP
location (i.e. http://<server fqdn or ip address>/activeupdate). Control Manager and peer OfficeScan
servers can service such requests.
When the update package has been downloaded, the OfficeScan server notifies its Update Agents first that a
new package is available. The Update Agents then compare version information and download the
package from their designated OfficeScan server as needed. The server waits for an acknowledgement
command to verify the download/update process. If no acknowledgement is received, the OfficeScan server
waits until a timeout value is reached before notifying the rest of its clients. The default timeout is 10 minutes and is
configurable in the Timeout for Update Agent parameter using SvrTune.exe. All communications are done
through CGI commands via the HTTP protocol. The OfficeScan server listens on its web server management
port (typically 80 or 8080) while the Update Agents listen on their pre-configured port (randomly generated or
manually defined during the OfficeScan Server installation).
Once the Update Agent notification process is completed, the OfficeScan server notifies the rest of its
clients. The notification process is done in batches. The number of clients per batch is configurable in Maximum Client
Connections using the SvrTune.exe (Tools | Administrative Tools | Server Tuner) utility. Once notified,
clients check for updates in the following order:
1. Update Agent
2. OfficeScan server
3. Trend Micro Active Update Server (Internet)
Privileges can be set to allow clients to update from the OfficeScan server when its Update Agent is
unavailable. This setting is global and can be enabled under Updates > Client Deployment > Update Source
> Update from OfficeScan server if all customized sources are not available or not found.
SvrTune.exe only controls the number of clients notified by the OfficeScan server at a given time after the
OfficeScan server has completed an update. When OfficeScan agents initiate the update themselves, for
example via Scheduled Update, the OfficeScan server handles the client update requests, and those it cannot
handle are queued in IIS for later processing. By default, IIS can process 256 CGI requests concurrently.
An individual client or a group of clients (OfficeScan domain) can also be given privileges to download updates directly
from the Internet. Highlight the client or domain from the Clients main window and enable the option under
Clients > Client Privileges/Settings > Update Settings > Download from the ActiveUpdate Server.
Trend Micro Active Update Server (Internet): This is the default method. It uses a standard HTTP GET
request to download update packages from the Internet. This only requires the HTTP port (80) to be open
from the OfficeScan server to the Internet. This can be triggered manually or on a scheduled basis (Hourly or
every 15 minutes). The recommended setting is Hourly.
Trend Micro Control Manager (TMCM) server: Control Manager notifies the OfficeScan server when
an update is available for download. OfficeScan then checks its Update Source setting to determine where it
should download the package from via HTTP. By default, the Update Source is set to the Internet (Trend's Active
Update server). This can be pointed to the Control Manager server if desired (i.e. http://<server fqdn or ip
address>/tvcsdownload/activeupdate).
Custom Update Source (Other update source): Similar to the Internet update method, except that the
admin recreates an Active Update (web) server and sets the OfficeScan Server to point to the HTTP location
(i.e. http://<server fqdn or ip address>/OfficeScan/download).
OfficeScan generates network traffic when the server and client communicate with each other. Server-initiated
communications are mainly CGI commands sent through HTTP protocol and are only a few
kilobytes in size. The clients, on the other hand, generate traffic as they upload information and pull
component updates. Below is a summary of the different types of communications within OfficeScan.
Probably, the most significant data transfer is when a client performs a pattern file update. To reduce
network traffic generated during this process, OfficeScan uses a feature called incremental updates. Instead
of downloading the full pattern every time, only the differences (deltas) are downloaded for up to 14 previous
versions for virus definitions and 7 previous versions for spyware, network, and damage cleanup patterns.
These new patterns are merged with the old pattern file as they are received by the OfficeScan agent. An
incremental pattern may range from 1 kilobyte to several megabytes (i.e. 3 MB) depending on version
increment or how far the delta is to the latest version.
To further save WAN bandwidth, specific clients can be promoted as an Update Agent to service peer clients.
This implies that each client won't have to individually pull incremental updates from the OfficeScan server.
The Update Agent host replicates the complete engine and pattern packages (full version and increments).
The engine and pattern packages are downloaded every time an update is available. To verify the latest size,
simply log in to the OfficeScan server and view the size property of the folders below:
The Engine and Pattern subfolders in the OfficeScan server are copied over to the Update Agent host under
the <drive> : \ Program Files \ Trend Micro \ OfficeScan agent \ ActiveUpdate folder.
For locations with limited bandwidth connectivity, the ini flag (UADuplicationOptValue) can be enabled on the
OfficeScan server to change the behavior of the Update Agent. Instead of downloading the complete engine
and pattern packages, only the latest increment (one version older) is downloaded. The Update Agent then
generates its own full pattern file as well as the 7 incremental files.
OfficeScan 10.6 supports three types of VDI environment: Citrix XenServer, VMWare VCenter Server, and
Microsoft Hyper-V Platform. In OfficeScan 11.0, the following features have been added:
VM Awareness: This prevents all VM clients on the same physical machine from running an on-demand scan
or component update at the same time.
When deploying VDI, the following tasks need to be completed on the Golden Image.
1. Copy the TcacheGen.exe utility to the Golden Image.
2. Use TcacheGen to create a whitelist of files and folders in the Golden Image. The tool scans the
files and folders in the Golden Image and adds them to the OfficeScan Whitelist to reduce scanning
load on the machine.
3. Use TcacheGen to clear the GUID key found in the OfficeScan agent registry hive:
HKEY_Local_Machine\Software\TrendMicro\Pc-cillinNTCorp\CurrentVersion\GUID.
4. Set the value of VDIEnabled=1 in OfficeScan registry hive:
HKEY_Local_Machine\Software\TrendMicro\Pc-cillinNTCorp\CurrentVersion\MISC\.
5. Proceed to complete the Golden Image creation.
4. Choose between VMWare vCenter Server, Citrix XenServer, Microsoft Hyper-V Platform, or Other
virtualization application. This will only simulate a virtual hypervisor.
5. Enter the server connection information.
To mitigate performance issues, follow the best practices below when running OfficeScan 11.0 agents in a
VDI environment.
Set the scan mode to Smart Scan first, and then deploy the OfficeScan agent to VDI.
Do not switch between Conventional Scan and Smart Scan in a VDI guest environment. A scan type
change triggers a full pattern update immediately on the guest environment, causing disk I/O
congestion if it occurs on multiple VM images at the same time.
When the Smart Protection Server is offline, OfficeScan agents add files to a queue list (suspicious list).
When the Smart Protection Server comes back online, all the machines perform a scan based on this list,
which can cause performance issues. Make sure to have a backup Smart Protection Server so that Smart
Scan is available at all times.
Pattern Update rollback is very disk I/O intensive and should be done as seldom as possible.
Take special care when deploying program updates or hotfixes to VDI agents. Deploy to a few machines at a time
to minimize performance impact.
AEGIS should be disabled in a VDI environment, and this should be done when the golden image is prepared.
This improves the performance in a VDI environment.
Enabling or disabling the firewall should not be performed on all agents at the same time; otherwise it causes heavy
disk I/O usage.
If many agents are enabled to act as Update Agents at the same time, this causes heavy disk I/O and CPU usage
and takes a long time to complete. It is recommended to avoid enabling many agents to act as Update
Agents at the same time.
A newly installed agent might not appear in the server console agent tree because its GUID has a duplicate.
To prevent this, log on to the OfficeScan console and perform Connection Verification under Networked
Computers.
Disable the Scheduled Scan because simultaneous scanning in several guest operating systems causes the host machine's
performance to drop.
In the OfficeScan console, go to Tools > Administrative Tools and use Server Tuner to configure the
allowed concurrent pattern Update Agents to a small number. The suitable value depends on the HDD
speed. Trend Micro recommends setting this value to 3 and then increasing it if the I/O usage is low
during pattern update.
Central Quarantine Restore triggers the restoration of the quarantined files from the OfficeScan server.
Below are some considerations:
The quarantined viruses need to be available in the \Suspect\Backup folder of the OSCE agent
program folder.
You have to determine the file name, security threat, or path of file from the virus logs.
The following sample shows the mask for file name of several files to restore.
Central restore works from a single machine up to the domains/root level of the OfficeScan server.
When selecting a file to restore, put the file in the exclusion list of the respective domain level.
If you do NOT select this, the file will be restored properly but redetected at next trigger.
4. Click Manage Agent Tree > Add Domain. Move the Citrix servers to the group.
5. Select the group and click Settings > Privileges and other Settings > Other Settings tab.
6. Under Agent Access Restriction, select Do not allow users to access the agent console from the
system tray or Windows Start menu.
7. Click Save.
*.LOG
*.DAT
*.TMP
*.POL
*.PF
To allow users to access the OfficeScan agent, publish the Citrix Server desktop through the Citrix Access
Management Console (CMC). When published, users need to:
1. Launch the desktop from the Citrix client web interface.
2. In the Citrix desktop session, open the OfficeScan agent program from Start > Programs >
Trend Micro OfficeScan Agent > OfficeScan Agent.
3. Launch the OfficeScan agent console from the system tray icon.
CSA installs drivers (Scan Engine, Firewall, TDI driver) and its services need to collaborate with these drivers.
This means that some functions may appear to execute properly from the client console but may actually not
run anything in the backend. This does not affect other programs published and streamed on Citrix server.
A drive or folder on a computer running Windows 2003 contains a file infected with virus/malware and the
drive or folder is mapped to the Citrix Server. When the infected file is opened during a Citrix client session,
Real-time Scan may be unable to detect the virus/malware on the file if the mapped drive has the same drive
name, for example (C:), in a multi-user environment.
To resolve this issue:
1. Launch the desktop from the Citrix client Web interface.
2. Open the Registry Editor and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter and add the
following value:
Type: Multi-string value (REG_MULTI_SZ)
Name: DependOnService
Value: Cdm
3. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter\Parameters
and add the following value:
Type: DWORD value (REG_DWORD)
Name: CitrixOn2003Support
Value: Any number except zero
4. If you are using remote desktop, add the following value to the same key:
Type: DWORD value (REG_DWORD)
Name: MsRemoteDesktopSupport
Value: Any number except zero
5. Restart the computer for the changes to take effect.
In a Citrix environment, when the OfficeScan agent detects a security risk during a particular user session, the
notification message for the security risk displays on all active user sessions.
Security risk can be any of the following:
Virus/Malware
Spyware/Grayware
Trend Micro recommends disabling Update Now privileges from the OfficeScan web console. This prevents
users from manually starting an update. Make sure, however, that scheduled updates and event-triggered
updates are still in place. To disable Update Now privileges, do the following:
1. On the OfficeScan management console, go to Agents > Agent Management.
2. Select the group, go to Settings > Privileges and other Settings > Privileges tab.
3. Under Component Updates, uncheck Perform Update Now and click Save.
Refer to section 7.6 Recommended Scan-Exclusion List for suggested files and directories to exclude.
Refer to section 7.7 Some Server Common Ports for recommendations on Citrix ports to open.
5. Click Save.
4. Click Save.
Delay the startup of Realtime Scan service by making it dependent on Call Manager service
1. Open the Registry Editor.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPreFilter and add
the following value:
Type: Multi-string value (REG_MULTI_SZ)
Name: DependOnService
Value: <Type the name or names of the services that you prefer to start before this service with
one entry for each line. The name of the service you would enter in the Data dialog box is the
exact name of the service as it appears in the registry under the Services key.>
3. Restart the computer for the changes to take effect.
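Both registry procedures above, the Citrix mapped-drive fix and the delayed Real-time Scan startup, write DependOnService on TmPreFilter. The following PowerShell script is an added example, not part of Trend Micro's guide. It appends to that value instead of overwriting it and checks that each named service exists under the Services key. The function names Add-ServiceDependency and Set-FilterFlag are hypothetical, and the DWORD value 1 is one choice within the guide's "any number except zero".

```powershell
# Added example; run from an elevated PowerShell session on the affected server.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Add-ServiceDependency {
    # Appends names to DependOnService rather than replacing the value, so any
    # dependencies already registered for the service are preserved.
    param(
        [Parameter(Mandatory = $true)][string]$ServiceKey,
        [Parameter(Mandatory = $true)][string[]]$DependsOn
    )
    $path = Join-Path $services $ServiceKey
    if (-not (Test-Path $path)) { throw "Service key not found: $path" }

    # Each name must match a key under Services exactly; a dependency on a
    # service that does not exist prevents the dependent service from starting.
    foreach ($name in $DependsOn) {
        if (-not (Test-Path (Join-Path $services $name))) {
            throw "No service named '$name' under $services"
        }
    }

    $existing = @((Get-ItemProperty -Path $path -Name DependOnService -ErrorAction SilentlyContinue).DependOnService |
        Where-Object { $_ })
    $merged = @($existing)
    foreach ($name in $DependsOn) {
        if ($merged -notcontains $name) { $merged += $name }
    }
    if ($merged.Count -eq $existing.Count) { return 'unchanged' }

    New-ItemProperty -Path $path -Name DependOnService -PropertyType MultiString `
        -Value ([string[]]$merged) -Force | Out-Null
    return 'updated'
}

function Set-FilterFlag {
    # Creates or overwrites a DWORD under TmFilter\Parameters. The guide accepts
    # any non-zero value; 1 is the value chosen for this example.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [int]$Value = 1
    )
    if ($Value -eq 0) { throw "$Name must be non-zero to take effect" }
    $path = Join-Path $services 'TmFilter\Parameters'
    if (-not (Test-Path $path)) { throw "Key not found: $path" }
    New-ItemProperty -Path $path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# Citrix mapped-drive procedure, steps 2 and 3.
Add-ServiceDependency -ServiceKey 'TmPreFilter' -DependsOn 'Cdm'
Set-FilterFlag -Name 'CitrixOn2003Support'
# Step 4, only when remote desktop is used:
# Set-FilterFlag -Name 'MsRemoteDesktopSupport'

# Delayed Real-time Scan startup: pass the registry name of the service that
# must start first. '<ServiceName>' is a placeholder, not a real service name.
# Add-ServiceDependency -ServiceKey 'TmPreFilter' -DependsOn '<ServiceName>'

# Show the resulting values; restart the computer for them to take effect.
Get-ItemProperty -Path (Join-Path $services 'TmPreFilter') -Name DependOnService
Get-ItemProperty -Path (Join-Path $services 'TmFilter\Parameters')
```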
Database and encrypted type files should generally be excluded from scanning to avoid performance and
functionality issues. Below are exclusions to consider depending on the type of machine you are installing the
OfficeScan agent on.
Pagefile.sys
*.pst
%systemroot%\System32\Spool (replace %systemroot% with actual directory)
%systemroot%\SoftwareDistribution\Datastore (replace %systemroot% with actual directory)
%allusersprofile%\NTUser.pol
%Systemroot%\system32\GroupPolicy\registry.pol
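The list above asks for %systemroot% to be replaced with the actual directory. The following PowerShell script is an added example, not part of Trend Micro's guide. It expands each entry for the local host and lists executable files inside the folders that would be excluded, so the entries can be reviewed before they are entered in the console. The function name Resolve-ExclusionEntry and the $executableExtensions list are assumptions made for the example.

```powershell
# Added example: expand the general exclusion entries for this host and list
# what the excluded folders currently contain, for review before rollout.

# Entries copied from the general exclusion list above.
$entries = @(
    'Pagefile.sys',
    '*.pst',
    '%systemroot%\System32\Spool',
    '%systemroot%\SoftwareDistribution\Datastore',
    '%allusersprofile%\NTUser.pol',
    '%Systemroot%\system32\GroupPolicy\registry.pol'
)

# Assumption for this example: extensions treated as executable content.
$executableExtensions = '.exe', '.dll', '.sys', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js'

function Resolve-ExclusionEntry {
    param([Parameter(Mandatory = $true)][string]$Entry)

    # Replace %systemroot%, %allusersprofile% and similar with this host's values.
    $expanded = [Environment]::ExpandEnvironmentVariables($Entry)
    $kind = 'Mask'          # bare file name or wildcard such as *.pst
    $exists = $null
    $executables = @()

    if ($expanded -match '%[^%\\]+%') {
        $kind = 'UnresolvedVariable'   # variable is not defined on this host
    }
    elseif ($expanded -match '^[A-Za-z]:\\' -and $expanded -notmatch '[*?]') {
        $exists = Test-Path -LiteralPath $expanded
        if (Test-Path -LiteralPath $expanded -PathType Container) {
            $kind = 'Folder'
            # Files here are skipped by the scan once the folder is excluded.
            $executables = @(Get-ChildItem -LiteralPath $expanded -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and ($executableExtensions -contains $_.Extension.ToLower()) } |
                ForEach-Object { $_.FullName })
        }
        else { $kind = 'File' }
    }

    New-Object PSObject -Property @{
        Entry       = $Entry
        Expanded    = $expanded
        Kind        = $kind
        Exists      = $exists
        Executables = $executables
    }
}

$report = $entries | ForEach-Object { Resolve-ExclusionEntry -Entry $_ }
$report | Select-Object Entry, Expanded, Kind, Exists, @{ n = 'ExecutableCount'; e = { $_.Executables.Count } } |
    Format-Table -AutoSize
# Full paths of executable content inside folders that will be excluded.
$report | ForEach-Object { $_.Executables }
```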
Refer to the Knowledgebase article: Appian Enterprise slows down or hangs when installed with OfficeScan
or ServerProtect (http://esupport.trendmicro.com/solution/en-US/1035660.aspx).
Refer to the Acronis article: Acronis Backup & Recovery: Exclude Program Folders and Executables from
Security Programs (https://kb.acronis.com/content/36429).
How to exclude Arcserve RHA spool folder from the antivirus scans (http://www.arcserveknowledgebase.com/index.php?View=entry&EntryID=2184)
On Citrix systems, the following extensions have been causing performance problems. Exclude these file
extensions to avoid any performance problems: *.LOG, *.DAT, *.TMP, *.POL, *.PF.
Below are the general Citrix exclusions:
*\Users\*\ShareFile\
*\Citrix Resource Manager\LocalDB
*\ICAClient\Cache
*\SoftwareDistribution\Datastore
*\System32\Spool
*\Users\*\ShareFile
*\Program Files (x86)\Citrix\Deploy
*\Program Files (x86)\Citrix\Independent Management Architecture
*\Program Files (x86)\Citrix\RadeCache
*\Windows\System32\spool\PRINTERS
For more information, refer to the Citrix articles:
The data directory is used to store Domino email messages. Repeated scanning of this folder while it is being
updated with new messages is not an efficient way to scan locally stored email. Use virus scanning
applications such as ScanMail for Domino to handle email viruses. By default, the Domino data directory for
a non-partitioned installation is <drive>: \ Lotus \ Domino \ Data.
Exclude the directory or partition where MS Exchange stores its mailbox. Use virus scanning applications
like ScanMail for Exchange to handle email viruses. The Installable File System (IFS) drive must also be excluded
to prevent the corruption of the Exchange Information Store.
Exchange 5.5
<drive>: \ EXCHSRVR \ IMCData
<drive>: \ EXCHSRVR \ MDBData
Exchange 2000
<drive>: \ EXCHSRVR \ MDBData
<drive>: \ EXCHSRVR \ MTAData
<drive>: \ EXCHSRVR \ Mailroot
<drive>: \ EXCHSRVR \ SrsData
<drive>: \ WINNT \ system32 \ InetSrv
Exchange 2003
<drive>: \ EXCHSRVR \ MDBData
<drive>: \ EXCHSRVR \ MTAData
<drive>: \ EXCHSRVR \ Mailroot
<drive>: \ EXCHSRVR \ SrsData
<drive>: \ WINNT \ system32 \ InetSrv
<drive>: \ EXCHSRVR \ MdbDataUtility
Exchange 2007
Refer to this Microsoft article: http://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx
Exchange 2010
Refer to this Microsoft article: http://technet.microsoft.com/en-us/library/bb332342(v=exchg.141).aspx
Exchange 2013
Refer to this Microsoft article: http://technet.microsoft.com/en-us/library/bb332342.aspx
Refer to this Microsoft article: Review hardware and software requirements FAST Search Server 2010 for
SharePoint (http://technet.microsoft.com/en-us/library/ff381239(v=office.14).aspx)
This option is best disabled. If it is enabled, it creates unnecessary network traffic when the end users access
remote paths or mapped network drives. It can severely impact the user's experience. Consider disabling this
function if all workstations have the OfficeScan agent installed and updated to the latest virus signature.
Web Server log files should be excluded from scanning. By default, IIS logs are saved in:
<drive>: \ WINNT \ system32 \ LogFiles
<drive>: \ WINNT \ system32 \ IIS Temporary Compressed Files
Web Server log files should be excluded from scanning. By default, IIS logs are saved in:
<drive>:\inetpub\logs\
<drive>: \ Documents and Settings \ All Users \ Application Data \ Microsoft \ Microsoft
Operations Manager
<drive>: \ Program Files \ Microsoft Operations Manager 2005
Because scanning may hinder performance, large databases should not be scanned. Since Microsoft SQL
Server databases are dynamic, exclude the directory and backup folders from the scan list. If it is
necessary to scan database files, a scheduled task can be created to scan them during off-peak hours.
<drive>:\ WINNT \ Cluster (if using SQL Clustering)
<drive>: \ Program Files \ Microsoft SQL Server \ MSSQL \ Data
Q:\ (if using SQL Clustering)
C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data
File extensions to exclude: .mdf, .ldf, .ndf, .bak, .tm
You can run antivirus software on a SQL Server cluster. However, you must make sure that the antivirus
software is a cluster-aware version. Contact your antivirus vendor about cluster-aware versions and
interoperability.
If you are running antivirus software on a cluster, make sure that you also exclude these locations from virus
scanning:
Q:\ (Quorum drive)
C:\Windows\Cluster
<drive:>\ WSUS
<drive:>\ WsusDatabase
<drive:>\MSSQL$WSUS
You can refer to the following Microsoft article for additional information:
http://support.microsoft.com/kb/900638
C:\Program Files\Novell\Zenworks
C:\Program Files\Novell\ZENworks\logs\ExternalStore
C:\Program Files\Novell\ZENworks\cache\zmd\ZenCache\metaData
C:\Program Files\Novell\ZENworks\cache\zmd
Exclude the following files: NalView.exe, RMenf.exe, ZenNotifyIcon.exe, ZenUserDaemon.exe, casa.msi,
dluenf.dll, fileInfo.db, lcredmgr.dll, objInfo.db
Exclude the following extensions: .APPSTATE, .LOG, .TMP, .ZC
.dbf
- Database file
..\Smex\Temp
..\Smex\Storage
..\Smex\ShareResPool\
File Exclusions:
java.exe
notebook-express.exe
C:\WINDOWS\Prefetch\NOTEBOOK-EXPRESS.EXE*
C:\WINDOWS\Prefetch\JAVA.EXE*
Folder Exclusions:
*\smarttech
*\notebook-express-server
C:\Documents and Settings\*\Local Settings\Temp\Jetty*
C:\Program Files\SMART Technologies
~\Symantec\Backup Exec\beremote.exe
~\Symantec\Backup Exec\beserver.exe
~\Symantec\Backup Exec\bengine.exe
~\Symantec\Backup Exec\benetns.exe
~\Symantec\Backup Exec\pvlsvr.exe
~\Symantec\Backup Exec\BkUpexec.exe
Other file extension types that should be added to the exclusion list include large flat and designed files, such
as VMware disk partition. Scanning VMware partitions while attempting to access them can affect session
loading performance and the ability to interact with the virtual machine. Exclusions can be configured for the
directories that contain the virtual machines, or by excluding *.vmdk and *.vmem files.
Backup process takes longer to finish when real-time scan is enabled. There are also instances when real-time
scan detects an infected file in the volume shadow copy but cannot enforce the scan action because volume
shadow copies have read-only access.
You can refer to the Knowledgebase article: Excluding Volume Shadow copies from OfficeScan agent real-time
scans (http://intkb.trendmicro.com/solution/en-US/1034730.aspx).
It is also advisable to apply the latest Microsoft patches for the Volume Shadow Copies service. Refer to this
Microsoft article: A Volume Shadow Copy Service (VSS) update package is available for Windows Server
2003 (http://support.microsoft.com/kb/833167).
Make sure the checkbox for "Do not scan the directories where Trend Micro products are installed" is
enabled in WFBS's Exclusion List settings (Security Settings > Antivirus/Anti-spyware > Exclusions).