These are the steps:

1. Generate Trial license

2. Download software

3. Prepare server

4. Install OfficeScan server

1. Generate Trial license

If you don’t have one, you’ll need valid license.

You can get a trial here:

http://forms.trendmicro.com/index.php?dom=us&productID=5


2. Download software

You then need to download the software.

Download the primary install file from:

http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=7&lang_loc=1

(I’ll try to cover service packs, patches and hotfixes in a later article).


3. Prepare the server

You’re most likely installing OfficeScan on a Windows Server 2003 or Windows Server 2008.

Before you start the OfficeScan installer you will need to install IIS on the Windows server.

(Press “Win + R” and type “appwiz.cpl” and add and remove Windows components/roles.)


4. Install the OfficeScan server

Simply move the install file to the OfficeScan server and double-click it.

Its pretty much straight forward (Next->Next->Next)

You may choose not to enable the firewall, enable spyware assessment mode, install OfficeScan to another location etc, but I’ll cover best practice configuration in another article.

When you’re finished installing, you can access the OfficeScan server console by typing the following in to your browser, on the server.

https//localhost:4343/officescan


Future topics related to this article:

- OfficeScan patch management, Service Packs, Patches and Hotfixes

- Best practice installation/configuration

And I’m simply not able to answer all the questions regarding installation and troubleshooting.

Therefore I have decided to write a series of posts/articles, to try to answer all of your questions, and to cover some general topics.

So, this is the articles I’ve planned to write:

Trend Micro OfficeScan: Installation

Trend Micro OfficeScan: Smart Scan Server

Trend Micro OfficeScan: Deployment

Trend Micro OfficeScan: Server Components

Trend Micro OfficeScan: Troubleshooting

If anyone has any request/wishes regarding content and topics, please feel free to leave a comment!

Read the original thoughts on OfficeScan 10 (just me ranting):

http://technoblog.org/2009/09/trend-micro-officescan-10-some-thoughts/

Security guides for Mac OS X 10.3, 10.4 and 10.5 are also available at the same site:

Mac OS X Security guides:

http://www.apple.com/support/security/guides/

Read Check Point SE Patrick Waters’ full blog post here:
http://fireverse.org/?p=468

And download the Migration Guide here:
http://www.fireverse.org/Discovery/Check_Point_EA_Discovery_MigrationGuide.pdf

Why You Should Migrate to Discovery (copied from the Migration Guide)
Check Point recommends that all customers upgrade from SecureClient to Discovery as soon as possible, because Discovery has these capabilities:
-  Supports both 32 and 64 bit Windows Vista and Windows 7
-  Uses less memory resources than SecureClient
-  Automatic disconnect/reconnect as clients move in and out of network range
-  Seamless connection experience while roaming
-  Automatic and transparent upgrades, with no administrator privileges required
-  Supports most existing features of SecureClient, including Office Mode, Desktop Firewall, Secure
Configuration Verification (SCV), Secure Domain Login (SDL), and Proxy Detection
-  Supports many additional new features, and will support even more new features in the near future
-  Does not require a SmartCenter server upgrade
-  Discovery and SecureClient can coexist on client systems during migration period

This is Trend Micro OfficeScan 8.0 SP1 Patch 5

Full readme can be found here:
http://www.trendmicro.com/ftp/documentation/readme/OSCE_80_Win_SP1_Patch5_en_readme.txt

It’s important to notice that only the following drivers are compatible with Windows 7:

Virus Scan Engine (8.952 or higher)
Virus Cleanup Engine (6.2.1016 or higher)
Anti-rootkit Driver (2.8.1063 or higher)
Common Firewall Driver (NSC) (5.8.1092 or higher)

Virus Scan Engine and Virus Cleanup Engine can be updated from the Active Update server.

Anti-rootkit Driver and the Common Firewall Driver (NSC) are included in this patch.

I haven’t had time to test if this actually works on Windows 7. If anyone has, please feel free to leave a comment. I will test it as soon as I can.

Trend Micro is now rolling back the VSAPI 9.000 from ActiveUpdate. Reason: “There have been reports of issues on the following products scanning certain malformed PDF files”.

The version available through ActiveUpdate is now 9.100.1001, this is essentially version 8.952.

The products affected are:
OfficeScan
ServerProtect
Worry-Free Business Security (WFBS)

Earlier, they sent out an advisory about VSAPI 9.000 and problems with Windows NT (think it was OfficeScan 7.3 and ServerProtect). The problems resulted in the Scan Engine being unable to load the pattern files.

Read the entire Customer Notification here:

CUSTOMER NOTIFICATION Rollback of VSAPI Version 9.000 from ActiveUpdate

- The files are not available

- The notes are referring to files not available on the Finjan web site

- The instructions are incomplete, and doesn’t work.

(http://www.finjan.com/objects/NGupdates/OSupdates/vs_ng_os_update_9.2_release_notes.htm)

Here are working instructions on how to install Vital Security v. 9.2 on a NG-appliance.

1. Download the USB Flash Drive Creator v 1.0.6

2. Download the 9.2 ISO image.

3. Create a bootable device using the USB Flash Drive Creator v 1.0.6

To install this Release using USB key on NG-5000 (this should also work on newer NG appliances):

1. Attach the bootable USB flash device, and a USB keyboard and VGA monitor to the appliance while it is still switched off.

2. Power on the appliance. The appliance will read automatically from the USB disk-on-key.

3. When the Finjan screen appears, type 9.2-vs to continue with this process.

4. Let the installation run – it will take approximately 20 minutes. After this time, the appliance will reboot. Remove the USB key when the appliance reboots.

5. During the first boot, the setup will complete the installation. Dont power off the unit. Log in to the console with admin/finjan and run the “setup” by typing “setup”.

Important: You don’t need the “USB Root files” from Finjan.

Exploitation of the exploit crashes the system. This is done by sending a NetBios header that specifies that the SMB-packet is 1, 2 or 4 bytes larger or smaller than what it actually is.

When the system crashes, there is no BSOD, the system simply freezes. And there is no traces in the event logs (after reboot).

When the system receives the packet, it goes into an infinite loop.

The crash itself happens in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() (which is caused by an infinite loop).

The vulnerability could possibly be exploited through IE.

And the proof of concept works by:

1. Running the python code on a *nix box, and ensuring port 445 is open.
2. Connecting through SMB to the *nix box.

Read more:
http://isc.sans.org/diary.html?storyid=7573
http://blog.trendmicro.com/new-smb-zero-day-exploit/
http://praetorianprefect.com/archives/2009/11/how-to-crash-windows-7-and-server-2008/
http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html

On November 16, 2009, Trend Micro will make the VSAPI 9.000 available through ActiveUpdate (AU).

It will be released for the following products:
- OfficeScan
- Client Server Messaging Suite / Client Server Suite
- Worry Free Business Security
- ServerProtect for NT
- Trend Micro Control Manager

And it will include the following new features:
- Support for the detection of files that contain known PDF exploits
- Support for shellcode detection
- Recognition of the following additional file types:
- Flash Video (FLV)
- Microsoft Document Imaging (MDI)
- Moving Picture Experts Group (MPEG)
- QuickTime (MOV)
- RIFF
- SITX
- ZIP64
- Support for the detection of exploits to Microsoft Office vulnerabilities

Edit: The entire Advisory has been posted on the TCSE community – from ACAPacific blog.

In my opinion:
It depends on your values.
You should upgrade if the new features appeals to you. The Device Control, and the Smart Network stuff.

But, performance wise, there are still some issues. E.g.: Extracting a Windows XP cd (from an ISO file) takes at least 50% more time with OfficeScan 10 (using Winrar). This is with conventional scan mode, I get about the same results with Smart Scan, but you can’t really compare it, since its not cached.

In addition, the Trend Micro Unauthorized Change Prevention Service (tmbsrv.exe) is a nice feature, but I believe it requires a bit more resources than the old Watchdog service.

So what about the stand alone scan server? I haven’t had time to test this one properly, at least not performance wise. So if anyone has done any real performance testing, with 100-500+ clients, I would really like to know. At least Trend Micro managed to get something right with the new Smart Scan feature. If what I’m seeing is correct, the impact on the network is really low. Sending those hashes back and fourth doesn’t consume that much bandwidth. Yay!

And just one last tip: When you install OfficeScan 10, install the integrated scan server. Even though you`re not planning to use it. Why? Because its really complicated to install it after you`ve finished the installation of the OfficeScan server. Just install it, and remove it from the list of scan servers in the GUI.

Anyway, if my sense of time is correct, its about two weeks left, until the Service Pack 1 of OfficeScan 10 is released to the public. The beta looked okay, but I`m really curious whether or not they managed to fix some of those performance issues.