First of all, before performing a full system scan, OfficeScan will check with the server if other systems in the environment are also running a full scan. In order to avoid multiple full system scans in the same environment.

Second, they implemented the option to scan a virtual machine template. And save the results as a cache (which will be used when performing a full system scan).

First, what’s changed in OfficeScan from version 10.0 SP1?

- Active Directory Integration
- Smart Protection Solutions
- Security Compliance
- Virtual Desktop Support
- Role-based administration
- General Product enhancements

So, what is my experience with the new features?

Active Directory Integration
Closer integration with active directory. Personally not tested.

Smart Protection Solutions
I guess this is enhancements to the file reputation and the implementation of a “local” web reputation server.
Tested this one, works fine. Good idea to include a local alternative, instead of having all your clients talk to “the cloud”. The new version of the TMCSS (Cloud Scan Server) also works with OfficeScan 10.0 SP1.

You can either perform a fresh install, or upgrade from 1.x.

Security Compliance
Not tested.

Virtual Desktop Support
According to Trend, OfficeScan is now “VDI”-aware. And supports VMware View 4 and Citrix XenDesktop 4.
Anyone running those products tested?

Granular Role-based Administration
Pretty much standard role based administration, with the possibility to use Active Directory user accounts. Also single sign on support.

General Product enhancements
Just a bunch of smaller product enhancements.

They fixed stuff related to:
- Update Agent
- Exception list
- Firewall
- Logs
- Scan Settings
- Web Reputation
- Plug in program updates

Update Agent
You can now have update agents separately download components, settings and program updates. A new report tool for update agents has also been implemented.

Exception list
There are now separate lists for Behavior Monitoring and Device control exceptions. In 10.0 they were the same.

Firewall
It is now possible to make exceptions for software on the Certified Software List, or block specific applications.

Also, when installing OfficeScan server from scratch, you will be asked if you want to enable the OfficeScan firewall, AND if you want to enable the firewall for server platforms. Earlier, if you enabled the firewall, it would be enabled both for workstations/laptops AND servers. This is great, because the firewall is not recommended for server platforms, but for client platforms. So you can get away with just one OfficeScan server (if you want to). In other words, no need to have dedicated server without the firewall enabled. You might of course still want to do this, so you can patch the client server, separate from the server server (server server server? ).

Logs
Enhancements of the logging feature will ensure consistency between time settings on OfficeScan clients, server and Control Manager. In other words “unified time stamping”.

Scan Settings
The following configuration options are now available on the local client (as long as the client has privileges to configure scan exclusions):
- Add, remove or overwrite files and directories from the client scan exclusion list.
- configure OLE exploit detection settings
- Configure settings for action on probable virus malware (scan actions on heuristic and generic detection)
- Clean Spyware/grayware in zipped files setting
- Use wildcards in the scan exclusion lists.

They also added additional options in the web gui. These are not listed in the release notes. But I’ve found some of them, and the most important one is the option to configure actions on generic/heuristic while using Active Action.
But I’m bit confused, since this is not an option if you use “use the same actions for all”.
Even if you configure the same actions for all types, you will have to specify “1st” and “2nd” scan action in the ofcscan.ini file.

As far as I know OfficeScan will still “Pass” potential security threats, if not configured with “1st” and “2nd” action when using the same actions for all types.

Web reputation settings
You can now configure web reputation policies and assign them to one, multiple or all OfficeScan clients.

Plug in program updates
OfficeScan can now automagically download plug in program updates from the first source in the server update source list. This includes Trend Micro Control Manager.

So, except from the GUI-bug mentioned in an earlier post, it should be safe to upgrade to version 10.5. I have not experienced any other problems. Have you?

Codename “Avatar”, if you want to know more, you could read more at Check Point’s product page:
http://www.checkpoint.com/products/security-gateway-virtual-edition/index.html

Or head over to fireverse.org.

In short, Security Gateway Virtual Edition (Avatar) is a VMWare virtual appliance (for vSphere) that uses the VMSafe API. Same as IBM ISS Virtual Server Security and Trend Micro Deep Security.

The new release includes over 50 bugfixes + security fixes.
And:
- Support for Live Debugging with Visual Studio 2010
- Fixed issues with Windows 7 SP1 Beta, RHEL 6.0 Beta and Fedora 13.
- Its also supposed to be improved performance with “NAT”.
- And its tested with VMware Converter 4.3

The release notes can be found here.

By using tar and SCP, you should be able to get at least 30 MB/s.

But, netcat is NOT included in VMware ESX 3.5. It is included in 2.5 and 4.x.

So how do you install netcat on VMware ESX 3.5?

1. Grab the RPM here:
http://netcat.sourceforge.net/download.php

(Don’t use any newer versions, like 1.10, because you will run into dependencies problems, like this:
[root@vmware-esx]# rpm -ivh netcat-1.10-980.1.i586.rpm
warning: netcat-1.10-980.1.i586.rpm: V3 DSA signature: NOKEY, key ID 9c800aca
error: Failed dependencies:
libc.so.6(GLIBC_2.3.4) is needed by netcat-1.10-980.1
rpmlib(PayloadIsLzma) <= 4.4.2-1 is needed by netcat-1.10-980.1
[root@vmware-esx]

2. Install the RPM: rpm -ivh netcat-0.7.1-1.i386.rpm

[root@vmware-esx bin]# rpm -ivh netcat-0.7.1-1.i386.rpm
warning: netcat-0.7.1-1.i386.rpm: V3 DSA signature: NOKEY, key ID b2d79fc1
Preparing… ########################################### [100%]
1:netcat ########################################### [100%]
[root@vmware-esx]

And you’re done!

These are the steps:

1. Generate Trial license

2. Download software

3. Prepare server

4. Install OfficeScan server

1. Generate Trial license

If you don’t have one, you’ll need valid license.

You can get a trial here:

http://forms.trendmicro.com/index.php?dom=us&productID=5


2. Download software

You then need to download the software.

Download the primary install file from:

http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=7&lang_loc=1

(I’ll try to cover service packs, patches and hotfixes in a later article).


3. Prepare the server

You’re most likely installing OfficeScan on a Windows Server 2003 or Windows Server 2008.

Before you start the OfficeScan installer you will need to install IIS on the Windows server.

(Press “Win + R” and type “appwiz.cpl” and add and remove Windows components/roles.)


4. Install the OfficeScan server

Simply move the install file to the OfficeScan server and double-click it.

Its pretty much straight forward (Next->Next->Next)

You may choose not to enable the firewall, enable spyware assessment mode, install OfficeScan to another location etc, but I’ll cover best practice configuration in another article.

When you’re finished installing, you can access the OfficeScan server console by typing the following in to your browser, on the server.

https//localhost:4343/officescan


Future topics related to this article:

- OfficeScan patch management, Service Packs, Patches and Hotfixes

- Best practice installation/configuration

And I’m simply not able to answer all the questions regarding installation and troubleshooting.

Therefore I have decided to write a series of posts/articles, to try to answer all of your questions, and to cover some general topics.

So, this is the articles I’ve planned to write:

Trend Micro OfficeScan: Installation

Trend Micro OfficeScan: Smart Scan Server

Trend Micro OfficeScan: Deployment

Trend Micro OfficeScan: Server Components

Trend Micro OfficeScan: Troubleshooting

If anyone has any request/wishes regarding content and topics, please feel free to leave a comment!

Read the original thoughts on OfficeScan 10 (just me ranting):

http://technoblog.org/2009/09/trend-micro-officescan-10-some-thoughts/

Security guides for Mac OS X 10.3, 10.4 and 10.5 are also available at the same site:

Mac OS X Security guides:

http://www.apple.com/support/security/guides/

Read Check Point SE Patrick Waters’ full blog post here:
http://fireverse.org/?p=468

And download the Migration Guide here:
http://www.fireverse.org/Discovery/Check_Point_EA_Discovery_MigrationGuide.pdf

Why You Should Migrate to Discovery (copied from the Migration Guide)
Check Point recommends that all customers upgrade from SecureClient to Discovery as soon as possible, because Discovery has these capabilities:
-  Supports both 32 and 64 bit Windows Vista and Windows 7
-  Uses less memory resources than SecureClient
-  Automatic disconnect/reconnect as clients move in and out of network range
-  Seamless connection experience while roaming
-  Automatic and transparent upgrades, with no administrator privileges required
-  Supports most existing features of SecureClient, including Office Mode, Desktop Firewall, Secure
Configuration Verification (SCV), Secure Domain Login (SDL), and Proxy Detection
-  Supports many additional new features, and will support even more new features in the near future
-  Does not require a SmartCenter server upgrade
-  Discovery and SecureClient can coexist on client systems during migration period

This is Trend Micro OfficeScan 8.0 SP1 Patch 5

Full readme can be found here:
http://www.trendmicro.com/ftp/documentation/readme/OSCE_80_Win_SP1_Patch5_en_readme.txt

It’s important to notice that only the following drivers are compatible with Windows 7:

Virus Scan Engine (8.952 or higher)
Virus Cleanup Engine (6.2.1016 or higher)
Anti-rootkit Driver (2.8.1063 or higher)
Common Firewall Driver (NSC) (5.8.1092 or higher)

Virus Scan Engine and Virus Cleanup Engine can be updated from the Active Update server.

Anti-rootkit Driver and the Common Firewall Driver (NSC) are included in this patch.

I haven’t had time to test if this actually works on Windows 7. If anyone has, please feel free to leave a comment. I will test it as soon as I can.