Threat Management Solution Deployment Guide


Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at: http://www.trendmicro.com/download Trend Micro, the Trend Micro t-ball logo, Control Manager, VirusWall, and Network VirusWall are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Copyright© 2008 Trend Micro Incorporated. All rights reserved. Document Part No. APEM03781/80807 Release Date: September 2008 Patents Pending

The Deployment Guide for Trend Micro Threat Management Solution provides users with the information necessary to create a plan for deploying the Threat Management Solution to their network environment. You should read it prior to installing or using the products. Detailed information about how to use specific features within the software is available in the online help file and online Knowledge Base at Trend Micro's Web site. Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp

Contents
Preface
About This Deployment Guide ........ iv
Intended Audience ........ v
Document Conventions ........ v

Chapter 1:

Introducing Threat Management Solution
Features ........ 1-2
Benefits ........ 1-2
What is Threat Management Solution? ........ 1-2
    The Threat Discovery Suite ........ 1-3
    The Threat Mitigation Suite ........ 1-4
Components in Threat Management Solution ........ 1-5
Threat Management Solution Process Overview ........ 1-7
    Monitoring ........ 1-8
    Mitigation Request ........ 1-9
    Solution Deployment ........ 1-9
    Solution Results Reporting ........ 1-9

Chapter 2:

Planning for Threat Management Solution Deployment
Threat Discovery Suite Introduction ........ 2-2
    Threat Discovery Appliance—Monitoring ........ 2-2
    Threat Discovery Appliance—Range ........ 2-4
Threat Mitigation Suite Introduction ........ 2-5
    Out-of-band mode solution: Threat Mitigator ........ 2-5
        Deployment with the policy enforcement functionality ........ 2-6
            Components ........ 2-7
        TMTM deployment without policy enforcement functionality ........ 2-7
            Components ........ 2-8
    In-line mode solution: Network VirusWall Enforcer ........ 2-9
        Components ........ 2-10
        Provide high availability for in-line solutions ........ 2-10
    Network VirusWall Enforcer - Range ........ 2-13
Management Network Considerations ........ 2-13

i

Trend Micro™ Threat Management Solution 1.0 Deployment Guide

Threat Management Agent deployment ........ 2-15
    Installing TM-Agent manually ........ 2-15

Chapter 3:

Configuring Threat Management Solution Components
Configure Threat Discovery Appliance to Register TMTM or NVWe ........ 3-2
    Verifying connectivity for Threat Discovery Appliance and Trend Micro Threat Mitigator ........ 3-3
Configure Threat Discovery Appliance and Trend Micro Threat Mitigator to register to Threat Management Services ........ 3-3

Chapter 4:

Troubleshooting
Threat Discovery Appliance - Troubleshooting ........ 4-2
Trend Micro Threat Mitigator - Troubleshooting ........ 4-3
Network VirusWall Enforcer - Troubleshooting ........ 4-4
TM-Agent deployment limitations ........ 4-4

Chapter 5:

Contacting Trend Micro
Contacting Trend Micro ........ 5-2
Trend Micro Support ........ 5-2
    Knowledge Base ........ 5-2
    Contacting Technical Support ........ 5-3
        Using the Case Diagnostic Tool ........ 5-3
Technical Support ........ 5-4
Email Technical Support ........ 5-4
The Trend Micro Security Information Center ........ 5-5
About Trend Micro ........ 5-6

Appendix A: Table of Ports and Port Usage
Appendix B: Glossary
Index

ii


Preface
Welcome to the Trend Micro Threat Management Solution Deployment Guide. This guide provides users with the information necessary to create a plan for deploying the Threat Management Solution to their network environment. More specifically, this guide discusses network topology considerations, network traffic considerations, network growth considerations, and Threat Management Solution component placement. This guide also provides systematic instructions on how to configure each component of the Threat Management Solution so that it can communicate with other solution components.

iii


About This Deployment Guide
The Trend Micro Threat Management Solution Deployment Guide discusses the following topics:

Chapters
• For a conceptual overview, including diagrams, of how the solution works and descriptions of the different components, see Introducing Threat Management Solution on page 1-1
• For ideas, considerations, sizing requirements, and example network diagrams to use when planning the Threat Management Solution deployment, see Planning for Threat Management Solution Deployment on page 2-1
• For detailed instructions on configuring communication between Threat Management Solution components, see Configuring Threat Management Solution Components on page 3-1
• For troubleshooting issues related to component connectivity, see Troubleshooting on page 4-1
• For Trend Micro contact information, see Contacting Trend Micro on page 5-1

Appendixes
• To view a table containing a list of ports and their usage, see Table of Ports and Port Usage on page A-1
• To view the glossary, see Glossary on page B-1

This guide does not cover installation procedures for the individual software or hardware components that make up the Threat Management Solution; no component installation steps are provided here.

iv

Intended Audience
The Threat Management Solution documentation is written for IT managers and administrators in medium and large enterprises. The documentation assumes a basic knowledge of networking concepts and security systems, including:
• Antivirus and content security protection
• Network concepts (such as IP address, netmask, LAN settings)
• Network devices and their administration
• Network configuration (such as the use of VLAN, SNMP)

Document Conventions
To help you locate and interpret information easily, the documentation uses the following conventions.
Convention      Description
ALL CAPITALS    Acronyms, abbreviations, and names of certain commands and keys on the keyboard
Bold            Menus and menu commands, command buttons, tabs, options, and tasks
Italic          References to other documentation
Monospace       Examples, sample command lines, program code, Web URL, file name, and program output
Note:           Configuration notes
Tip:            Recommendations
WARNING!        Reminders on actions or configurations that should be avoided

v


vi

Chapter 1

Introducing Threat Management Solution
This chapter introduces Trend Micro Threat Management Solution and provides an overview of its components and deployment. Topics include:
• Features on page 1-2
• Benefits on page 1-2
• What is Threat Management Solution? on page 1-2
• Components in Threat Management Solution on page 1-5
• Threat Management Solution Process Overview on page 1-7

1-1


Features
Threat Management Solution has the following features:
• Real time, network-layer monitoring and file level inspection
• Comprehensive detection of known and unknown threats and malicious activities
• Automatic threat response
• Intelligent threat behavior analysis using network content inspection technology
• Remote 24 hour, 7 day a week threat monitoring of the network environment

Benefits
The Threat Management Solution provides the following benefits:
• Increased level of virus/malware threat detection
• Reduced administrative burden for threat response
• Increased user productivity and network uptime
• Consolidated threat monitoring and response
• Ease of deployment with little impact on network architecture

What is Threat Management Solution?
Trend Micro's Threat Management Solution provides organizations with a better, more effective way to discover, mitigate, and manage internal threats at the network level. This solution helps you respond to malware quickly and efficiently, minimizing data loss and significantly reducing damage containment costs while improving your overall security posture. The solution combines twenty years of Trend Micro IT security intelligence with in-the-cloud servers that are part of Trend Micro's Smart Protection Network to identify and respond to next-generation threats.

The Threat Management Solution consists of two product suites:
The Trend Micro Threat Discovery Suite monitors the network to uncover stealthy and zero-day internal threats that traditional security products fail to detect. The solution identifies a wide range of unauthorized applications and services that disrupt the network and pose security risks. Collaborating with in-the-cloud technology powered by Trend Micro's Smart Protection Network, the Threat Discovery Suite utilizes cutting-edge analysis of malware behavior and advanced threat correlation logic to provide accurate, timely, actionable threat reports and recommendations to improve knowledge of your network.

The Trend Micro Threat Mitigation Suite acts on information from the Threat Discovery Suite to contain and remediate threats and enforce policies. Using advanced, pattern-free clean-up technology, the Threat Mitigation Suite automatically removes threats from infected endpoints. Using root-cause analysis, the Mitigation Suite provides IT administrators with the event chain needed to diagnose why endpoint infections occurred.

The Threat Discovery Suite
Threat Discovery Appliance (TDA)—As a critical first step in Trend Micro's Threat Management Solution, the Threat Discovery Appliance provides accurate, timely, and actionable intelligence to manage network security. The Threat Discovery Appliance leverages Network Content Inspection Technology with extensive protocol and application intelligence to inspect network traffic. With comprehensive support for protocol layers two through seven, the Threat Discovery Appliance detects a wide range of potentially disruptive applications such as peer-to-peer and instant messaging (Bittorrent, Kazaa, eDonkey, MSN, Yahoo Messenger). This technology extracts embedded files from applications at the network layer then subjects the data to the Trend Micro Virus Scan Engine for content analysis. In addition, the Threat Discovery Appliance uses port spanning on a network switch to mirror network packets for content inspection while ensuring network services are not disrupted.

Threat Management Services—Threat Management Services leverages the computing power of in-the-cloud servers to run advanced correlation for improved threat detection, root cause identification, forensics, and threat analytics. Integration with Trend Micro's Smart Protection Network ensures that the most up-to-date threat data is available to perform this analysis. Access to Trend Micro's global security intelligence also provides in-depth, real-time information based on twenty years of threat research, as well as new and emerging threats, for faster response to data loss and improved threat education and remediation.

1-3


Threat Management Services provides advanced threat analysis and reporting capabilities that generate a clear view of an organization's state of security. IT administrators can generate daily administrative reports for incident response and remediation. In addition, executives can receive threat summary reports on the overall security posture of their company's networks.

The Threat Mitigation Suite
The Threat Mitigation Suite provides two deployment strategies: in-line and out-of-band.

Out-of-band strategy: Trend Micro Threat Mitigator (TMTM)—A central remediation controller that receives mitigation requests from Threat Discovery Appliance, determines what actions need to be taken, and notifies the Threat Management Agent to perform mitigation tasks. The Threat Mitigator uses port spanning on a network switch to mirror network packets for content inspection and acts as an out-of-band device to ensure minimal interruption to existing services.

In-line strategy: Network VirusWall Enforcer (NVWe)—The Network VirusWall Enforcer is an in-line network access control device, which is able to receive mitigation requests from Threat Discovery Appliance and notify the Threat Management Agent to perform mitigation tasks.

Threat Management Agent (TM-Agent)—An agent that resides on endpoints to perform baseline policy assessment and threat mitigation. TM-Agents perform the mitigation commands they receive from Threat Mitigator or Network VirusWall Enforcer. In addition, the TM-Agent enforces IT security compliance on the endpoints as per the security policies defined by Threat Mitigator or Network VirusWall Enforcer.

Threat Mitigation
Threat Mitigation performs root-cause infection analysis to help IT administrators determine the event chains leading to malware infection. This analysis collaborates with Threat Management Services to provide incident reports detailing malicious behaviors detected. Threat Mitigation also ensures that all network endpoints have a baseline security posture before being allowed to connect to the network. An endpoint found lacking in service updates or security patches, or found to be infected, is quickly quarantined to a local network until updates or clean-up is performed. Forensic scanning uncovers malware components by analyzing behavior collected in real time during Threat Discovery. Automated endpoint damage clean-up occurs after Threat Discovery detects a threat or an infection point. Pattern-free clean-up of both known and unknown malware occurs without impacting the host system. Scan, auto-clean, and custom-clean working modes allow for flexible clean-up options. Threat Mitigator provides two deployment strategies: in-line and out-of-band. Flexible, out-of-band deployment ensures minimal interruption to existing services.

Components in Threat Management Solution
Threat Discovery Appliance (TDA)—The Threat Discovery Appliance is situated at the core switch, monitors offline network behavior, and detects known and unknown threats by scanning network application layers 2 through 7 of the OSI model. Enable registration with Threat Discovery Mitigation Server to be able to use the information gathered.

Threat Management Services—Threat Discovery Appliance and Threat Mitigator can send their logs to the Trend Micro hosted online threat management center. By collaborating with the world-renowned Smart Protection Network for further analysis, correlation, and forensics, Threat Management Services provides comprehensive threat administration and executive summary reports.

Trend Micro Threat Mitigator (TMTM)—A central remediation controller that receives mitigation requests from Threat Discovery Appliance, determines what actions need to be taken, and instructs the different components on the actions they should take. By being placed in line with the DHCP server, it can also act as an out-of-band network access control device. It provides baseline policy enforcement such as anti-malware installation checking, vulnerability assessment, and so on.

Network VirusWall Enforcer (NVWe)—Network VirusWall Enforcer is an in-line network access control device that can also prevent network malware. NVWe is also able to receive mitigation requests from Threat Discovery Appliance and notify the Threat Management Agent to perform mitigation tasks.

Threat Management Agent (TM-Agent)—An agent that resides on an endpoint to perform baseline policy assessment and threat mitigation. It performs the mitigation actions commanded by Threat Mitigator or Network VirusWall Enforcer. It also performs compliance assessment on the endpoint per the policy defined on Network VirusWall Enforcer or Threat Mitigator.

1-6


Threat Management Solution Process Overview

FIGURE 1-1. Trend Micro Threat Mitigator (TMTM) scenario

1-7


FIGURE 1-2. Network VirusWall Enforcer (NVWe) scenario

Monitoring
The Threat Discovery Appliance, deployed in parallel with the core switch, monitors both incoming and outgoing network traffic as it passes through the switch.

1-8


Mitigation Request
When Threat Discovery Appliance detects suspicious activities at the network layer, it logs the event and sends a mitigation request to the Threat Mitigator or Network VirusWall Enforcer.

Solution Deployment
The Threat Mitigator or Network VirusWall Enforcer uses the information contained in the mitigation request and takes action by transmitting the mitigation information to the Threat Management Agent residing on the affected endpoint. The mitigation engine in the Threat Management Agent then attempts to clean or remove the malware remnants from the affected endpoint. The mitigation engine reports the results of its actions to the Threat Mitigator or Network VirusWall Enforcer.

Solution Results Reporting
Threat Discovery Appliance sends the detection and mitigation logs to the Threat Management Services in the cloud for root cause analysis.

1-9


1-10

Chapter 2

Planning for Threat Management Solution Deployment
This chapter provides tips, suggestions, and requirements for deploying the Threat Management Solution. Topics include:
• Threat Discovery Suite Introduction on page 2-2
• Threat Mitigation Suite Introduction on page 2-5
• Management Network Considerations on page 2-13
• Threat Management Agent deployment on page 2-15

2-1


Threat Discovery Suite Introduction
Threat Discovery Appliance—Monitoring
In its most basic scenario, the Threat Management Solution can consist of only one Threat Discovery Appliance to monitor network activities.

Single port monitoring—The Threat Discovery Appliance's data port is connected to the mirror port of the core switch, which mirrors the port to the firewall.

FIGURE 2-1. Threat Discovery Appliance single port monitoring

Dual port monitoring—The Threat Discovery Appliance can monitor different network segments using its two data ports. In this scenario, the Threat Discovery Appliance data ports are connected to the mirror ports of access or distribution switches.

FIGURE 2-2. Threat Discovery Appliance dual port monitoring

Asymmetric route—The Threat Discovery Appliance can be deployed in a 'high availability' network environment where asymmetric routing is possible. In this scenario, the Threat Discovery Appliance's two data ports are connected to the mirror ports of the two redundant switches.

2-3


FIGURE 2-3. Threat Discovery Appliance asymmetric route

Threat Discovery Appliance—Range
One Threat Discovery Appliance can accommodate up to 10,000 TCP sessions concurrently. To determine how many Threat Discovery Appliances to deploy, you need to know how many endpoints there are on your network and approximately how many sessions each endpoint is capable of generating. For example, if you have 2,000 endpoints in your network and each endpoint generates up to 8 sessions, then the maximum number of sessions that can be generated is 16,000. In this example, you would need two Threat Discovery Appliances.

2-4


Threat Mitigation Suite Introduction
The Trend Micro Threat Mitigation Suite consists of two mitigation appliances that support baseline policy enforcement and threat mitigation:

Trend Micro Threat Mitigator—The Trend Micro Threat Mitigator (TMTM) works as a DHCP proxy, out-of-band with the DHCP server, to intercept DHCP requests and responses and enforce mitigation actions upon policy violations.

Network VirusWall Enforcer—The Network VirusWall Enforcer (NVWe) works as an in-line device sitting between endpoints and core switches to intercept all network packets of endpoints.

TABLE 2-1. Comparison of TMTM and NVWe

FEATURES COMPARED                              TMTM                            NVWE
Location                                       Out-of-band                     In-line
Supported endpoints                            < 1000                          < 4096
Threat Management Service support              Yes                             No
Network access control                         Optional and with limitations   By policy setting. Strong access control.
High availability support                      No                              Yes
Devices needed in Threat Management Solution   1                               Multiple
Virtual machine support                        Yes                             No

Out-of-band mode solution: Threat Mitigator
You can deploy Trend Micro Threat Mitigator (TMTM) in an out-of-band scenario to minimize interruptions in network availability and existing services. TMTM offers the possibility to use DHCP proxy technology for policy enforcement through network access control.

2-5


The TMTM can be installed on a VMware ESX server. You need to install VMware ESX 3.x on a bare-metal machine, and then install TMTM on your VMware ESX server.

Deployment with the policy enforcement functionality
The Trend Micro Threat Mitigator (TMTM) can support network access control functionality to enforce security policies on all endpoints. The underlying technology is to change the DHCP responses that are sent to all endpoints. To enable the technology, you must position the TMTM between the DHCP server and the endpoints. The endpoints must be configured in a fashion that they can obtain a dynamic IP address through a DHCP request. TMTM doesn't support endpoints with a static IP address.

FIGURE 2-4. TMTM deployment with policy enforcement functionality

2-6


Components
• TDA
• VMware ESX server
• TMTM—installed on ESX server
• DHCP Server

Note: When TMTM is installed on a VMware ESX server, it acts as a network bridge between endpoints and the DHCP server. You need to have two virtual switches inside the VMware ESX server, and turn on the promiscuous mode setting of each virtual switch.

TMTM deployment without policy enforcement functionality
The Trend Micro Threat Mitigator (TMTM) can be deployed without baseline policy enforcement functionality powered by the DHCP proxy technology. Without this policy enforcement functionality, the TMTM can still provide its mitigation abilities and you may position the TMTM in any location that can reach endpoints through networking.

2-7


FIGURE 2-5. TMTM deployment without policy enforcement functionality

Components
• TDA
• VMware ESX server
• TMTM—installed in VMware ESX server

Note: The TMTM cannot deploy TM-Agents to endpoints remotely without DHCP proxy technology. You must use TM-Agent Manager in OfficeScan 8.0 or above to install the TM-Agents manually.

2-8


In-line mode solution: Network VirusWall Enforcer
Network VirusWall Enforcer (NVWe) is a hardware appliance that uses a store-and-forward mechanism for its network bridge technology. The NVWe is placed between endpoints and the core switch. The NVWe works as an in-line device sitting between endpoints and core switches to intercept all network packets of endpoints. Whether you need multiple NVWe devices in the network depends on your network size. You need to configure your TDA and register all NVWe devices.

FIGURE 2-6. NVWe in-line solution

2-9


Components
• TDA
• NVWe

Note: A TDA mitigation request is sent to all NVWe devices. If more than one NVWe device tries to mitigate malware damage on the same endpoint, the other devices will not find any suspicious malware, and you will see a "Target not found" message in the Assessment / Cleanup logs in the NVWe's administration console.

Provide high availability for in-line solutions
Network VirusWall Enforcer supports several sophisticated mechanisms:

Failopen
NVWe supports Silicom Lanbypass Ethernet/Fiber cards. With the Lanbypass plug-in, the NVWe preserves the traffic progress status during a reboot or shutdown.

Link state failover
When a link state failover situation occurs, the NVWe turns off the other interfaces in the same group of ports. This forces the switches to recompute the tree structure of network paths (the spanning tree) faster and then switch to the active link.

2-10


Note: In a high availability environment, an administrator uses dual links to ensure the network will always be available. In this configuration, only one link is active and allows traffic to pass through. The way a switch decides which link is active depends on its implementation of the Spanning Tree Protocol (STP).

Failover
The NVWe supports a failover configuration with two NVWe devices in your network. In this configuration, one NVWe is active, and the other one is on standby. As soon as the active NVWe fails, the one on standby becomes the active NVWe and takes over the policy enforcement and mitigation tasks.

FIGURE 2-7. High availability for in-line solution (simple)

2-11


The NVWe supports complex infrastructures based on the Hot Standby Router Protocol (HSRP) in which two NVWe devices are placed between the network's routers and switches. In this scenario, there are two groups of ports for each NVWe device to separate traffic from different routers.

FIGURE 2-8. High availability for in-line solution (complex)

In an NVWe failover scenario, you must configure the TDA to register both NVWe devices.

2-12


Network VirusWall Enforcer - Range
The number of NVWe devices you need depends on the number of segments in your network, the number of endpoints per segment, and the version of NVWe that you are using. As a rule of thumb, deploy one NVWe between a core switch or router and a distribution or access switch for each segment in the network. This may reduce the spread of malware to other segments of the network. The NVWe 2500 series can accommodate 4,096 endpoints, whereas the NVWe 1200 series can accommodate 1,024 endpoints. If the number of endpoints that an NVWe is scanning reaches the maximum limit, it checks to see which endpoint has been inactive for the longest period. Once the NVWe identifies that endpoint, it stops scanning that particular endpoint and starts scanning the newer endpoints. To learn more about NVWe, please refer to the Trend Micro Network VirusWall Enforcer Administrator's Guide.
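The sizing rules above, together with the Threat Discovery Appliance—Range rule (10,000 concurrent TCP sessions per appliance), lend themselves to a small capacity-planning script. This is an added example written for this guide, not Trend Micro code; the capacity figures are the ones the guide quotes, and the endpoint-table class is an assumed approximation of the "longest inactive endpoint stops being scanned" behaviour, not the appliance's actual algorithm.

```python
"""Capacity planning for Threat Management Solution sizing (added example).

Assumptions: TDA_MAX_SESSIONS and NVWE_CAPACITY are the figures quoted in the
deployment guide; ScannedEndpointTable is a simplified model of the NVWe
endpoint limit, not the real implementation.
"""
import math
from collections import OrderedDict

TDA_MAX_SESSIONS = 10_000          # concurrent TCP sessions per Threat Discovery Appliance
NVWE_CAPACITY = {                  # endpoints per NVWe model (guide figures)
    "2500": 4096,
    "1200": 1024,
}


def tda_appliances_needed(endpoints, sessions_per_endpoint):
    """Return how many TDAs are needed so the peak session count fits.

    The guide's own example: 2,000 endpoints x 8 sessions = 16,000 peak
    sessions, which needs two appliances.
    """
    if endpoints < 0 or sessions_per_endpoint < 0:
        raise ValueError("counts must be non-negative")
    peak_sessions = endpoints * sessions_per_endpoint
    # At least one appliance is always required for monitoring.
    return max(1, math.ceil(peak_sessions / TDA_MAX_SESSIONS))


def nvwe_devices_needed(segment_endpoints, model):
    """Apply the rule of thumb: one NVWe per segment, plus additional devices
    where a single segment exceeds the model's endpoint capacity.

    segment_endpoints: list of endpoint counts, one entry per network segment.
    Returns (total devices, per-segment device counts).
    """
    capacity = NVWE_CAPACITY[model]
    per_segment = [max(1, math.ceil(n / capacity)) for n in segment_endpoints]
    return sum(per_segment), per_segment


class ScannedEndpointTable:
    """Model of the NVWe scanned-endpoint limit (assumption, simplified).

    When the table is full and a new endpoint appears, the endpoint that has
    been inactive for the longest time is dropped so the newer endpoint can be
    scanned. Endpoints are kept in last-seen order, oldest first.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self._active = OrderedDict()   # ip -> last-seen tick
        self.evicted = []              # history of dropped endpoints

    def observe(self, ip, tick):
        """Record traffic from ip at time tick; return the evicted ip, if any."""
        if ip in self._active:
            self._active.move_to_end(ip)   # most recently active goes last
            self._active[ip] = tick
            return None
        dropped = None
        if len(self._active) >= self.capacity:
            dropped, _ = self._active.popitem(last=False)  # longest inactive
            self.evicted.append(dropped)
        self._active[ip] = tick
        return dropped

    def is_scanned(self, ip):
        """True if the endpoint is currently within the scanned set."""
        return ip in self._active


if __name__ == "__main__":
    print("TDAs for 2,000 endpoints x 8 sessions:", tda_appliances_needed(2000, 8))
    print("NVWe 1200 devices for segments [500, 1500]:", nvwe_devices_needed([500, 1500], "1200"))
```

The table model shows why a segment running above the model's limit silently stops covering its least active hosts, which is the case where adding a device per the rule of thumb matters.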

Management Network Considerations
Administrators may design a special network segment for device management purposes only. The intention is not only to serve security concerns, but also to separate management traffic from data traffic. In both NVWe and TMTM setups, an administrator can configure an IP address in the management segment especially for management purposes. A VMware ESX server supports a virtual switch concept. Without a separate management interface, TMTM only needs two virtual switches for bridging. With a separate management interface, however, TMTM needs an additional third virtual switch, which you configure to attach to its physical management network segment.

2-13


FIGURE 2-9. Support for separate management network segment in NVWe

Supporting a separate management network segment in NVWe differs slightly from how this is done in TMTM. In NVWe, an administrator can configure each network interface's type, such as "regular," "failover," or "management." Therefore, if you want to dedicate one of the network interfaces to management, you need to use the pre-configuration console to change its interface type, and then assign an IP address to it.

2-14


Threat Management Agent deployment
TM-Agents reside on an endpoint to perform baseline policy assessments and threat mitigation. TM-Agents are to be installed on every endpoint in a network. The Threat Mitigation Suite supports three methods of TM-Agent deployment:

Method 1: Through network access control
TMTM and NVWe can deploy TM-Agents through network access control, redirecting an endpoint's browsing pages to download a TM-Agent install program.

Method 2: Through remote deployment
TMTM and NVWe initially need an administrator's Windows domain account and password during setup. After setup, both TMTM and NVWe trigger the deployment of a TM-Agent on an endpoint automatically as soon as the endpoint comes online. Administrators do not need to log on to the console to activate deployment.

Method 3: Through OfficeScan TM-Agent Manager
You can also install TM-Agents through OfficeScan TM-Agent Manager, which requires OfficeScan server 8.0 or later. Use OfficeScan's server console and TM-Agent Manager to install the TM-Agents on specific endpoints.

Installing TM-Agent manually
TM-Agent can also be installed manually. Download the TM-Agent installer from the TMTM or NVWe administrator console and follow the on-screen instructions to install the agent on each endpoint.




Chapter 3

Configuring Threat Management Solution Components
This chapter provides step-by-step instructions for registering Threat Management Solution components to other solution components. Topics include:
• Configure Threat Discovery Appliance to Register TMTM or NVWe
• Configure Threat Discovery Appliance and Trend Micro Threat Mitigator to register to Threat Management Services



Configure Threat Discovery Appliance to Register TMTM or NVWe
Register Threat Mitigator or Network VirusWall Enforcer to Threat Discovery Appliance to enable automatic threat mitigation and/or policy enforcement.
Note: You can register a Threat Discovery Appliance to up to five Threat Mitigator or NVWe devices.

To register Threat Mitigation Suite devices:

1. Click Mitigation on the main menu. A drop-down menu appears.
2. Click Mitigation Settings on the drop-down menu. The Mitigation Settings screen appears.
3. Under Mitigation Settings, type the mitigation device's server name or IP address and the port number.
4. Click Register. The Cleanup Settings screen appears.
5. Select the types of security risks/threats to send to the mitigation device.

Note: The following step is optional.

6. Under Exception list, type the IP address of any server to be exempted from the mitigation services. Exempted servers never receive automatic mitigation, so keep this list as short as possible and review it periodically.

Note: There is a limit of 100 IP addresses.

7. Click Add.



Verifying connectivity for Threat Discovery Appliance and Trend Micro Threat Mitigator
• On the Threat Discovery Appliance console, click Mitigation on the main menu. If the device is registered correctly, the "Unregister" button appears.
• On the Trend Micro Threat Mitigator console, click Registered TDA on the main menu. If the device is registered correctly, the "Registered Threat Discovery Appliance (TDA)" screen appears.

Configure Threat Discovery Appliance and Trend Micro Threat Mitigator to register to Threat Management Services
Start by verifying the connection between the Threat Discovery Appliance (TDA) or Trend Micro Threat Mitigator (TMTM) device and Threat Management Services. Log on to the TDA or TMTM administration console and follow these steps to register with Threat Management Services:

To register on the Threat Management Services:

1. Click Logs on the main menu. A drop-down menu appears.
2. Click Threat Mgmt Services in the drop-down menu. The Threat Management Services settings screen appears.
3. Select Enable Threat Management Services Log Transmission.
4. Type the server name or IP address and port number of the server.
5. Select the protocol. You can select either SSH or SSL. SSH transmits logs over TCP port 22 and SSL over TCP port 443 (see Appendix A); the firewall between the device and Threat Management Services must allow the port you choose.
6. Type the user name and password you use to log on to the Threat Management Services portal.
7. Type the email address you used to register to the Threat Management Services portal.
8. Configure the proxy settings:
   a. Select the Use HTTP proxy server option.
   b. Type the server name or IP address and the port number. For example, 192.1.1.1 as the IP address and 1234 as the port number.
   c. If your proxy server requires authentication, type the user name and password under Proxy server authentication.
9. Select the frequency of log transmissions.
10. Click Save.


Chapter 4

Troubleshooting
This chapter provides tips and suggestions for troubleshooting known problems. Topics include:
• Threat Discovery Appliance - Troubleshooting
• Trend Micro Threat Mitigator - Troubleshooting
• Network VirusWall Enforcer - Troubleshooting
• TM-Agent deployment limitations



Threat Discovery Appliance - Troubleshooting
The Threat Discovery Appliance pre-configuration console is not visible
Check serial setting configuration and verify that the Scroll Lock on the keyboard is on.

After deployment of the Threat Discovery Appliance the network appears to be down on some endpoints
The Threat Discovery Appliance installation should not affect the network traffic since the device connects to the mirror port of the network switch and not directly to the network. Check the configuration of the switch's mirror port.

All counters on the Threat Discovery Appliance summary screen remain zero after deployment
The counters reflect the number of threats that Threat Discovery Appliance detects. If the traffic is not properly mirrored, the Threat Discovery Appliance cannot analyze the traffic flow and the counters remain zero.
• Check the configuration of the switch's mirror port and make sure that the entire traffic flow is copied to the mirror port. The Threat Discovery Appliance can monitor the network traffic only if both directions of the same TCP session are available.
• Verify that the mirror port on the core switch is connected to the Threat Discovery Appliance's data port.
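The requirement above, that both directions of each TCP session reach the data port, is easy to break with a SPAN session that copies only the Tx or only the Rx side of a port. The following script is an added example, not part of the Trend Micro guide: it takes a list of packet headers (here constructed sample data using TEST-NET addresses; on a real deployment you would fill it from a capture tool on the appliance's data port), groups packets into sessions, and reports whether the mirror delivers both directions. The Packet field layout, the internal prefix 10.1.1.0/24, and the 50% threshold for calling a capture asymmetric are assumptions for the example.

```python
"""Sanity-check a capture from the TDA data port for bidirectional TCP sessions.

Added example, not part of the Trend Micro guide. Packet records are constructed
sample data; the field layout and the thresholds are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int


FlowKey = Tuple[str, int, str, int]


def flow_key(p: Packet) -> Tuple[FlowKey, str]:
    """Return a direction-independent key for p's session plus its direction.

    Both halves of one TCP session map to the same key; the direction tag
    records which ordering of the endpoint pair the packet travelled."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    if a <= b:
        return (a[0], a[1], b[0], b[1]), "a->b"
    return (b[0], b[1], a[0], a[1]), "b->a"


def one_sided_flows(packets: Iterable[Packet]) -> List[FlowKey]:
    """Sessions for which the capture contains packets in only one direction."""
    seen: Dict[FlowKey, Set[str]] = defaultdict(set)
    for p in packets:
        key, direction = flow_key(p)
        seen[key].add(direction)
    return sorted(key for key, dirs in seen.items() if len(dirs) == 1)


def mirror_diagnosis(packets: List[Packet], internal: str, max_one_sided: float = 0.5) -> str:
    """Classify what the mirror port is delivering.

    'empty'        nothing arrived: wrong SPAN source port or wrong cable
    'egress-only'  only packets leaving the internal network were copied (Tx-only SPAN)
    'ingress-only' only packets entering the internal network were copied (Rx-only SPAN)
    'asymmetric'   both directions exist, but most sessions are still one-sided
    'ok'           both directions of most sessions are present"""
    if not packets:
        return "empty"
    net = ip_network(internal)
    outbound = sum(1 for p in packets if ip_address(p.src) in net)
    inbound = sum(1 for p in packets if ip_address(p.dst) in net)
    if inbound == 0:
        return "egress-only"
    if outbound == 0:
        return "ingress-only"
    flows = {flow_key(p)[0] for p in packets}
    if len(one_sided_flows(packets)) > max_one_sided * len(flows):
        return "asymmetric"
    return "ok"


# Constructed sample capture: two Internet-bound sessions, both directions present.
INTERNAL = "10.1.1.0/24"
GOOD_CAPTURE = [
    Packet("10.1.1.5", "203.0.113.10", 40000, 80),
    Packet("203.0.113.10", "10.1.1.5", 80, 40000),
    Packet("10.1.1.5", "203.0.113.10", 40000, 80),
    Packet("10.1.1.7", "198.51.100.25", 51000, 443),
    Packet("198.51.100.25", "10.1.1.7", 443, 51000),
]
# The same traffic as seen through a SPAN session that copies only one side.
EGRESS_ONLY_CAPTURE = [p for p in GOOD_CAPTURE if ip_address(p.src) in ip_network(INTERNAL)]
INGRESS_ONLY_CAPTURE = [p for p in GOOD_CAPTURE if ip_address(p.dst) in ip_network(INTERNAL)]

if __name__ == "__main__":
    for name, cap in (("good", GOOD_CAPTURE), ("tx-only", EGRESS_ONLY_CAPTURE), ("rx-only", INGRESS_ONLY_CAPTURE)):
        print(f"{name}: {mirror_diagnosis(cap, INTERNAL)}; one-sided sessions: {one_sided_flows(cap)}")
```

A verdict of "egress-only" or "ingress-only" points at the SPAN session configuration (both directions of the source port must be mirrored); "asymmetric" usually means the mirrored port sees only one path of an asymmetrically routed or aggregated link, and "empty" means the mirror is not reaching the data port at all.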

The threat detection number continues to be high
The Threat Discovery Appliance scans all incoming and outgoing traffic. Using the network configuration settings, you can narrow the traffic that you want Threat Discovery Appliance to monitor. If these settings are wrong, Threat Discovery Appliance may treat normal traffic (for example, traffic that the IT administrator considers to be safe) as malicious, which leads to a higher detection number and a larger number of logs.
• Verify that the network configuration settings, monitored network, registered domains, and registered services on the Threat Discovery Appliance are all correctly configured for your network environment. These settings identify internal and external traffic and exclude the services and domains that you do not want to monitor.

Threat Mitigator is online but Threat Discovery Appliance fails to register to it
Registration is performed over HTTPS from the Threat Discovery Appliance to the Threat Mitigator (TCP port 443, see Appendix A). Make sure the firewall between the two devices is configured to allow this HTTPS traffic.

Trend Micro Threat Mitigator - Troubleshooting
Endpoints cannot get IP address from DHCP server
• Check that TMTM's first and second network interfaces are attached to the virtual switches that connect the DHCP server and the internal network.
• Check that the promiscuous mode setting is "Accept" in your VMware ESX management console. Apply it to the port group that TMTM uses rather than to the whole virtual switch, because any virtual machine on a promiscuous port group can read all traffic passing through that switch.

Network looping
TMTM bridges its first and second network interfaces, so both sides must not land in the same broadcast domain. Check that the two interfaces are not attached to the same virtual switch, and that the physical adapters of the two virtual switches are not attached to the same physical switch.

User cannot connect to management Web console
• Check that the management Web console URL you are trying to access is "https://<ip-address>/TMAdmin".
• If you enabled Access Control, check that the IP address of your computer is in the Access Control list.
• If you enabled "Separate Management Interface", check that the IP address you use to access the console is the management IP address of TMTM.

User cannot perform Microsoft Update on endpoints
• TMTM does not support a Web proxy setting that uses an IP address in the internal network. The proxy setting in the endpoints' browser must be configured with a domain name. With an IP address, TMTM cannot redirect endpoint Web browsing traffic, and the endpoint cannot perform Microsoft Update.
• Some Microsoft Update servers are listed as IP ranges that are deployed to the endpoints' routing tables. Windows 2000 and 98 do not accept such IP ranges in their routing tables, so TMTM does not support Microsoft Update on Windows 2000 and 98.

Endpoints' network access cannot be quarantined
• Check that you have activated the product license. Without a valid product license the DHCP proxy is not enabled.
• Check TMTM's location between the DHCP server and the endpoints.
• Make sure that the endpoint does NOT use a static IP address. Quarantine is enforced through the DHCP proxy, so an endpoint with a statically configured address is never isolated by it.

Mitigation requests from the TDA are not received
• Refer to Chapter 3 to verify the TDA and TMTM connection.
• If you enabled "Separate Management Interface," check that the IP address you configured in the TDA administration console is TMTM's management IP address.

Network VirusWall Enforcer - Troubleshooting
Endpoints cannot access the Internet through NVWe
Check the endpoint's status under "Summary" and "Endpoint Status" in the policy settings.

Endpoints cannot download TM-Agent through ActiveX
• Check whether the endpoints' security policy allows ActiveX execution.
• Check that the endpoints use Internet Explorer, not Firefox or Opera.
• If the endpoints' traffic is in a specific VLAN, check that you have added a "Bridge IP Address" with that VLAN's ID.



TM-Agent deployment limitations
• TM-Agent cannot deploy static routes with IP ranges on Windows 2000 and 98.
• Although TM-Agent is compatible with Windows 98/ME/NT, its mitigation functionality is not available on these operating systems.
• If you use TMTM without the DHCP proxy functionality, you must set up TM-Agent manually or through OfficeScan TM-Agent Manager.
• Setting up TM-Agent requires Windows administrator account privileges. Using ActiveX also requires Windows administrator account privileges, so the network access control method only works for users who browse with an administrator account; for endpoints whose users run as standard users, use remote deployment or OfficeScan TM-Agent Manager.




Chapter 5

Contacting Trend Micro
This chapter explains how to solve common problems and how to contact technical support. Topics include:
• Contacting Trend Micro
• Trend Micro Support
• The Trend Micro Security Information Center
• About Trend Micro



Contacting Trend Micro
Trend Micro has sales and corporate offices located in many cities around the globe. For global contact information, visit the Trend Micro Web site:
http://www.trendmicro.com/en/about/contact/overview.htm

Note: The information on this Web site is subject to change without notice.

Trend Micro Support
Trend Micro Support can help you resolve queries relating to your Trend Micro products. Most queries have already been answered in the Knowledge Base (see Knowledge Base below). If you cannot find your answer in the Knowledge Base, you can contact Trend Micro Technical Support for further assistance (see Contacting Technical Support below).

Knowledge Base
The Trend Micro Knowledge Base is an online resource that contains thousands of do-it-yourself technical support procedures for Trend Micro products. Use the Knowledge Base, for example, if you are getting an error message and want to find out what to do. New solutions are added daily. Also available in the Knowledge Base are product FAQs, tips, advice on preventing virus infections, and regional contact information for support and sales. The Knowledge Base can be accessed by all Trend Micro customers as well as anyone using an evaluation version of a product. Visit: http://esupport.trendmicro.com/support



Contacting Technical Support
When you contact Trend Micro Technical Support, to speed up your problem resolution, run the Case Diagnostic Tool (refer to Using the Case Diagnostic Tool below) or ensure that you have the following details available:
• Operating system
• Network type
• Brand and model of the computer and connected hardware
• Amount of memory and free hard disk space on your machine
• Detailed description of the installation environment
• Exact text of any error message
• Steps to reproduce the problem

To contact Trend Micro Technical Support:

1. Run the Case Diagnostic Tool. For more information, refer to Using the Case Diagnostic Tool below.
2. Visit the following URL:
http://us.trendmicro.com/us/about/contact_us/
3. Click the link for the required region. Follow the instructions for contacting support in your region.

Using the Case Diagnostic Tool
Use the Case Diagnostic Tool to collect Trend Micro software settings and environment setup specifications from the computer. This information is used to troubleshoot problems related to the software. Download the Case Diagnostic Tool from:
http://www.trendmicro.com/download/product.asp?productid=25



Technical Support
A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro’s then-current Maintenance fees. You can contact Trend Micro via fax, phone, and email, or visit us at:
http://www.trendmicro.com

Email Technical Support
In addition to telephone support, Trend Micro provides the following resources:

Email support: support@trendmicro.com

Help database: configuring the product and parameter-specific tips

Readme: late-breaking product news, installation instructions, known issues, and version-specific information

Knowledge Base: technical information and procedures provided by the Support team:
http://esupport.trendmicro.com/

Product updates and patches
http://www.trendmicro.com/download/

To locate the Trend Micro office nearest you, visit the following URL:
http://www.trendmicro.com/en/about/contact/overview.htm



The Trend Micro Security Information Center
Comprehensive security information is available over the Internet, free of charge, on the Trend Micro Security Information Web site:
http://www.trendmicro.com/vinfo/

Visit the Security Information site to:
• Read the Weekly Virus Report, which includes a listing of threats expected to trigger in the current week, and describes the 10 most prevalent threats around the globe for the current week
• View a Virus Map of the top 10 threats around the globe
• Consult the Virus Encyclopedia, a compilation of known threats including risk rating, symptoms of infection, susceptible platforms, damage routine, and instructions on how to remove the threat, as well as information about computer hoaxes
• Download test files from the European Institute of Computer Anti-virus Research (EICAR), to help you test whether your security product is correctly configured
• Read general virus information, such as:
  • The Virus Primer, which helps you understand the difference between viruses, Trojans, worms, and other threats
  • The Trend Micro Safe Computing Guide
  • A description of risk ratings to help you understand the damage potential for a threat rated Very Low or Low vs. Medium or High risk
  • A glossary of virus and other security threat terminology
• Download comprehensive industry white papers
• Subscribe to Trend Micro's Virus Alert service, to learn about outbreaks as they happen, and the Weekly Virus Report
• Learn about free virus update tools available to Web masters
• Read about TrendLabsSM, Trend Micro's global antivirus research and support center



About Trend Micro
Trend Micro, Inc. is a global leader in network antivirus and Internet content security software and services. Founded in 1988, Trend Micro led the migration of virus protection from the desktop to the network server and the Internet gateway, gaining a reputation for vision and technological innovation along the way. Today, Trend Micro focuses on providing customers with comprehensive security strategies to manage the impact of threats to information by offering centrally controlled, server-based virus protection and content-filtering products and services. By protecting information that flows through Internet gateways, email servers, and file servers, Trend Micro enables companies and service providers worldwide to stop viruses and other malicious code from a central point, before they ever reach the desktop. To make this possible, TrendLabsSM, a global network of antivirus research and product support centers, provides continuous coverage, 24 hours a day and 7 days a week, to Trend Micro customers around the world. The modern TrendLabsSM headquarters has earned ISO 9002 certification for its quality management procedures, one of the first antivirus research and support facilities to be so accredited. We believe TrendLabsSM is the leading service and support team in the antivirus industry. Trend Micro is headquartered in Tokyo, Japan, with business units in North and South America, Europe, Asia, and Australia, a global organization with more than 3,000 employees in 25 countries. For more information, or to download evaluation copies of Trend Micro products, visit our award-winning Web site:
http://www.trendmicro.com


Appendix A

Table of Ports and Port Usage
The following table provides details about ports used by the Threat Management Solution components.
Port 22 (TCP, UDP); products: TDA, TMTM, NVWe
    SSH console. Threat Discovery Appliance and TMTM send logs to Threat Management Services using port 22 if the user chose SSH.

Port 80 (TCP); products: TDA, TMTM, NVWe
    TMTM redirects endpoints' Web traffic on port 80; administration Web console for NVWe. All products download updated pattern files and engines using TCP port 80. TDA and TMTM use port 80 to check the product license. TDA queries the WRS server for URL scores using port 80.

Port 443 (TCP); products: TDA, TMTM, NVWe
    Administration Web console for TDA, NVWe and TMTM. TDA also registers to TMTM and NVWe through HTTPS. TDA sends logs to Threat Management Services using port 443 if the user chose SSL. Default port that Network VirusWall and TDA use to register to and communicate with Control Manager.

Port 5088 (TCP); products: TMTM, NVWe
    TM-Agent communication protocol.

Ports 137 and 138 (TCP, UDP); products: TMTM, NVWe
    Deploy TM-Agent through the NetBIOS protocol.

Port 25 (TCP); products: TDA, TMTM
    Threat Discovery Appliance and Threat Mitigator send notification mails to the network administrator.

Port 123 (UDP); products: TDA, TMTM, NVWe
    Products use port 123 to synchronize time from an NTP server.

Port 513 (UDP); products: TDA, TMTM, NVWe
    Default port that products use when sending logs to a standalone Syslog server. Confirm this against the listener on your Syslog server; the conventional syslog port is UDP 514, so a server with default settings will not receive logs sent to 513 unless it is reconfigured or the product setting is changed.
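The entries above are the allow list a firewall between the components has to honour, and the registration failure described in Chapter 4 (TDA cannot register to an online TMTM) is the usual symptom when one of them is blocked. The following script is an added example, not part of the Trend Micro guide: it transcribes the TCP entries of this table into a small data set and probes each port with a plain TCP connect, so you can run it from the TDA side (or any host on its segment) before opening a support case. The UDP ports (123, 513, and the UDP side of 137/138) cannot be verified with a connect and are left out; a passing probe shows only that the port is open through the firewall, not that the Trend Micro service behind it is healthy. The helpers start_listener() and closed_port(), and the hostname tmtm.example.internal in the comment, are assumptions that let the script demonstrate itself offline against sockets on 127.0.0.1.

```python
"""Probe the TCP ports from Appendix A to find firewall blocks between components.

Added example, not part of the Trend Micro guide. start_listener() and
closed_port() exist only so the script can run offline against 127.0.0.1."""
import socket
import threading
from typing import Dict, List, Tuple

# TCP entries of the Appendix A port table, keyed by port number.
PORT_TABLE: Dict[int, str] = {
    22: "SSH console; log transmission to Threat Management Services (SSH)",
    25: "notification mail from TDA and TMTM",
    80: "pattern/engine updates, license check, WRS queries, NVWe console",
    137: "TM-Agent deployment over NetBIOS",
    138: "TM-Agent deployment over NetBIOS",
    443: "administration consoles, TDA registration to TMTM/NVWe, Control Manager",
    5088: "TM-Agent communication",
}


def check_tcp_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or host unreachable
        return False


def check_ports(host: str, ports: List[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each port once and return {port: reachable}."""
    return {port: check_tcp_port(host, port, timeout) for port in ports}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that failed the probe, sorted, ready for a firewall change request."""
    return sorted(port for port, ok in results.items() if not ok)


def start_listener() -> Tuple[socket.socket, int]:
    """Open a throwaway listener on 127.0.0.1 (demo/test only); return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def closed_port() -> int:
    """Pick a port on 127.0.0.1 that nothing listens on (demo/test only)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # Against a real device (hypothetical hostname):
    #   check_ports("tmtm.example.internal", list(PORT_TABLE))
    srv, open_port = start_listener()
    results = check_ports("127.0.0.1", [open_port, closed_port()], timeout=1.0)
    for port, ok in results.items():
        print(f"port {port}: {'open' if ok else 'blocked or closed'}")
    print("needs a firewall change:", blocked_ports(results))
    srv.close()
```

Run it from the segment the source component sits on, since a firewall that passes 443 from the management segment may still drop it from the data segment; a probe that times out (rather than being refused) is the signature of a filtering rule.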


Appendix B

Glossary
Access Control Server (ACS)
Passes authentication requests from the Network Access Device to the Policy Server in order to validate end-user client security posture. The ACS server also passes the Posture token from the Policy Server to the Network Access Device. The ACS server can also be configured to carry out actions on the end-user client via the Network Access Device.

ACS Certificate
Used to establish trusted communication between the Access Control Server (ACS) and the Certificate Authority (CA) server. The Certificate Authority server signs the ACS certificate, and it is saved on the ACS server.

ActiveX malicious code
A type of virus that resides in Web pages that execute ActiveX controls.

Additional Threats
Files and programs, other than viruses, that can negatively affect the performance of the computers on your network. These include Spyware, Adware, Dialers, Joke program, Hacking tools, Remote access tools, Password cracking applications, and others.



Adware
Adware is software that displays advertising banners on Web browsers such as Internet Explorer and Mozilla. While not categorized as viruses or malware, many users consider adware invasive. Adware programs often create unwanted effects on a system, such as annoying popup ads and the general degradation in either network connection or system performance. Adware programs are typically installed as separate programs that are bundled with certain free software. Many users inadvertently agree to installing adware by accepting the End User License Agreement (EULA) on the free software. Adware is also often installed in tandem with spyware programs. Both programs feed off of each other’s functions — spyware programs profile users’ Internet behavior, while adware programs display targeted ads that correspond to the gathered user profiles.

Backdoor
A Backdoor is a program that opens secret access to systems, and is often used to bypass system security. A Backdoor program does not infect other host files, but nearly all Backdoor programs make registry modifications. For detailed removal instructions please view the virus description. See virus types for an explanation of Trend Micro virus-naming conventions.

Boot sector viruses
A type of virus that infects the boot sector of a partition or a disk.

Certificate Authority (CA)
An authority on a network that distributes Digital certificates for the purposes of performing authentication and securing connections between computers and/or servers.

COM and EXE file infectors
A type of virus that infects executable program files, typically those with a .exe or .com file extension, so that the virus code runs whenever the infected program is executed.

Cookies
Cookies are text files that are created on computers when visiting Web sites. They contain information on user browsing habits. When a user returns to a Web site, a cookie provides information on the user's preferences and allows the site to display in customized formats and to show targeted content such as advertising. Cookies can collect user information that can then be obtained by another site or program.

Dialers
Software that changes client Internet settings and can force the client to dial pre-configured phone numbers through a modem.

Digital certificates
A signed data structure used for authentication. Most commonly, certificates authenticate a server (such as a Web server) to its clients, or clients to a server, and contain the following: identity information about the holder, the holder's public key, and a digital signature from a Certificate Authority (CA) that lets the recipient verify that the certificate is valid.

Dynamic Host Configuration Protocol (DHCP)
A device, such as a computer or switch, must have an IP address to be connected to a network, but the address does not have to be static. A DHCP server, using the Dynamic Host Configuration Protocol, can assign and manage IP addresses dynamically every time a device connects to a network.

Dynamic IP Address (DIP)
A Dynamic IP address is an IP address that is assigned by a DHCP server. The MAC address of a computer will remain the same, however, the computer may be assigned a new IP address by the DHCP server depending on availability.

File Transfer Protocol (FTP)
FTP is a standard protocol used for transporting files from a server to a client over the Internet. Refer to Network Working Group RFC 959 for more information.

Grayware
A general classification for applications that have behavior that is undisclosed or that some may find annoying or undesirable.

Hacking tools
Tools used to help hackers enter computers, often through open ports.



Hypertext Transfer Protocol (HTTP)
HTTP is a standard protocol used for transporting Web pages (including graphics and multimedia content) from a server to a client over the Internet.

HTTPS
Hypertext Transfer Protocol over Secure Sockets Layer (SSL).

HTML, VBScript, or JavaScript viruses
Viruses that reside in Web pages and are downloaded through a browser.

Internet Control Message Protocol (ICMP)
Occasionally a gateway or destination host uses ICMP to communicate with a source host, for example, to report an error in datagram processing. ICMP uses the basic support of IP as if it were a higher level protocol, however, ICMP is actually an integral part of IP, and must be implemented by every IP module. ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. The Internet Protocol is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable.

Internet Protocol (IP)
"The internet protocol provides for transmitting blocks of data called datagrams from sources to destinations, where sources and destinations are hosts identified by fixed length addresses." (RFC 791)

Intrusion Detection System (IDS)
Intrusion Detection Systems are commonly part of firewalls. An IDS can help identify patterns in network packets that may indicate an attack on the client.

Java malicious code
Operating system-independent virus code written or embedded in Java.



Joke program
A Joke program is an ordinary executable program with normally no malicious intent. Virus authors create joke programs for making fun of computer users. They do not intend to destroy data but some inexperienced users may inadvertently perform actions that can lead to data loss (such as restoring files from an older backup, formatting the drive, or deleting files). Since joke programs are ordinary executable programs, they will not infect other programs, nor will they do any damage to the computer system or its data. Sometimes, joke programs may temporarily re-configure the mouse, keyboard, or other devices. However, after a joke program finishes its execution or the user reboots the machine, the computer returns to its original state. Joke programs, while normally harmless, can be costly to an organization.

Malware
Malware refers to any program that executes and performs activities that are outside of the user’s consent. A virus is a form of malware. Other examples of malware include Trojans, Worms, Backdoors, Denial of Service attacker agents, Joke programs, as well as several other smaller categories of malicious code.

Macro viruses
A type of virus encoded in an application macro and often included in a document.

Network Address Translation (NAT)
NAT is a function performed by gateway firewalls and routers. A table stored in the firewall or router records the IP addresses of devices on the inside of the gateway and maps them to the external IP address of the gateway. For a packet originating from within the network, the router rewrites the source address in the IP header to the external IP address of the router or gateway before forwarding it to its destination. The router records the mapping, including the destination address, so that when a response arrives from the destination, it can forward the response to the correct internal IP address. In this manner, the IP addresses of devices on the internal network are hidden from the outside.

Network Access Device
Network access servers, firewalls, routers, or wireless access points that support Cisco NAC functionality.



Network virus
A network virus is a self-contained program (or set of programs) that is capable of spreading copies of itself or its segments across the network, including the Internet. Propagation often takes place via shared resources, such as shared drives and folders, or other network ports and services. Network viruses are not limited to the usual form of files or email attachments, but can also be resident in a computer's memory space alone (often referred to as Memory-only Worms).

Password cracking applications
Software that can help hackers decipher account user names and passwords.

Ping
A utility that sends an Internet Control Message Protocol (ICMP) echo request to an IP address and waits for a response. The Ping utility can determine whether the machine with the specified IP address is online.

Post Office Protocol 3 (POP3)
POP3 is a standard protocol for storing and transporting email messages from a server to a client email application.

Posture token
The Policy Server creates the posture token after end-user client validation. It includes information that tells the program to perform a set of specified actions, such as enabling Real-time Scan or updating antivirus components. Cisco NAC devices also use the posture token to manage network access allowed to the client by Network Access Device.

Remote access tools
Tools used to help hackers remotely access and control a computer.

Secure Socket Layer (SSL)
SSL is a protocol originally designed by Netscape Communications Corporation that uses public-key cryptography (such as RSA) to authenticate the server and establish session keys, and symmetric encryption under those keys to protect content transferred by higher-level protocols such as HTTP, NNTP, and FTP.



SSL certificate
A digital certificate that establishes secure HTTPS communication between the Policy Server and the Access Control Server (ACS) server.

Security posture
The presence and currency of antivirus software installed on an end-user client. The security posture of OfficeScan clients refers to whether or not the OfficeScan client program is installed and how old the antivirus component versions are.

Simple Mail Transport Protocol (SMTP)
SMTP is a standard protocol used to transport email messages from server to server, and client to server, over the internet.

SOCKS 4
A protocol carried over Transmission Control Protocol (TCP) and used by proxy servers to establish a connection between clients on the internal network or LAN and computers or servers outside the LAN. The SOCKS 4 protocol makes connection requests, sets up proxy circuits and relays data at the Session layer of the OSI model, between the application and transport layers.

Spyware
Software that installs components on a computer for the purpose of recording Web surfing habits (primarily for marketing purposes). Spyware sends this information to its author or to other interested parties when the computer is online. Spyware often downloads with items identified as 'free downloads' and does not notify the user of its existence or ask for permission to install the components. The information spyware components gather can include user keystrokes, which means that private information such as login names, passwords, and credit card numbers are vulnerable to theft.

Stateful inspection firewall
Stateful inspection firewalls monitor all connections to a computer and remember all connection states. They can identify specific conditions in any connection, predict what actions should follow, and detect when normal conditions are violated. This significantly increases the chances that a firewall can detect an attack on a client.



Telnet
Telnet is a standard method of interfacing terminal devices over TCP by creating a "Network Virtual Terminal". Refer to Network Working Group RFC 854 for more information.

Test virus
An inert file that acts like a real virus and is detectable by virus-scanning software. Use test viruses, such as the EICAR test script, to verify that your antivirus installation is scanning properly (see Testing the client installation).

Transmission Control Protocol (TCP)
A connection-oriented, end-to-end reliable protocol designed to fit into a layered hierarchy of protocols which support multi-network applications. TCP relies on IP datagrams for addressing and delivery of its segments. Refer to DARPA Internet Program RFC 793 for information.

TrendLabsSM
TrendLabsSM is Trend Micro's global network of antivirus research and product support centers that provides 24 hour, 7 days a week coverage to Trend Micro customers around the world.

Trend Micro Management Communication Protocol (MCP)
MCP is Trend Micro's next generation agent for managed products. It applies the industry standard communication protocol (HTTP/HTTPS). As such, its default port for communication is TCP 80/443. It supports both uni-directional and bi-directional traffic.

Trend Micro Management Infrastructure (TMI)
A message-based system used for carrying data and commands between TMS and other entities. TMI uses an XML-based application protocol with SSL encryption. Its default communication port is 10319 (TCP and UDP), and it supports bi-directional traffic only.

Trojan horses
A Trojan horse is a destructive program concealed inside software that appears harmless and is deliberately made attractive, such as a game or a graphics application. A Trojan does not always carry a destructive payload; it may instead contain routines that compromise the security of the system or the entire network, and such Trojans are often called Backdoor Trojans. Trojans are non-replicating malware: they do not copy themselves, and they spread only when users pass them on, typically because the Trojan hides inside desirable software (computer games or graphics software) that novice users forward to one another.

User Datagram Protocol (UDP)
A connectionless communication protocol used with IP for application programs to send messages to other programs. Refer to DARPA Internet Program RFC 768 for information.

Virus
A virus is a program that replicates. To do so, the virus needs to attach itself to other program files and execute whenever the host program executes.

Worm
A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments. Unlike viruses, worms do not need to attach themselves to host programs. Worms often use email and applications, such as Microsoft™ Outlook™, to propagate. They may also drop copies of themselves into shared folders or onto file-sharing systems, such as Kazaa, on the assumption that users will download them and so let the worm propagate. In some cases, worms also spread copies of themselves through chat applications such as ICQ, AIM, or mIRC, or through other Peer-to-Peer (P2P) programs.


Index

A
About Trend Micro 5-6
Asymmetric route 2-3

C
Contact information 5-2

D
Dual port monitoring 2-2

G
Grayware B-3

I
In-line strategy 1-4
Install B-2, B-7 to B-8

K
Knowledge Base 5-2

M
Microsoft Internet Explorer B-2
Mitigation Request 1-9
Monitoring 1-8

N
Network VirusWall Enforcer (NVWe) 1-5

O
Out-of-band strategy 1-4

R
register
    Threat Management Services 3-3
    Threat Mitigation Suite 3-2

S
Single port monitoring 2-2
Solution Deployment 1-9
Solution Results Reporting 1-9

T
Threat Discovery Appliance
    Monitoring 2-2
        Asymmetric route 2-3
        Dual port monitoring 2-2
        Single port monitoring 2-2
    range 2-4
Threat Discovery Appliance (TDA) 1-3, 1-5
Threat Discovery Suite 1-3, 2-2
    Threat Discovery Appliance (TDA) 1-3
    Threat Management Services 1-3
    Threat Management Agent (TM-Agent) 1-4
Threat Management Agent
    TM-Agent 1-5
Threat Management Services 1-3, 1-5
Threat Management Solution 1-2
    Mitigation Request 1-9
    Monitoring 1-8
    process overview 1-7
    Solution Deployment 1-9
    Solution Results Reporting 1-9
    Threat Discovery Suite 1-2
    Threat Mitigation Suite 1-3
Threat Mitigation 1-4
Threat Mitigation Suite 1-4
    In-line strategy 1-4
    Out-of-band strategy 1-4
    Threat Management Agent (TM-Agent) 1-4
Total Discovery Solution
    conceptual overview 1-7
Trend Micro
    about 5-6
Trend Micro Threat Mitigator (TMTM) 1-5