Core Protection for Virtual Machines 1 - Online Help Center

Core Protection for Virtual Machines 1: Comprehensive Threat Protection for Virtual Environments. Administrator’s Guide. Endpoint Security

Upload: ngothuan

Post on 29-Mar-2018



Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at:

http://www.trendmicro.com/download

Trend Micro, Core Protection for Virtual Machines, and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright ©2010 Trend Micro Incorporated. All rights reserved.

Document Part No. OSEM14002/90119

Release Date: January 2011

Version: 1.0

The user documentation for Trend Micro Core Protection for Virtual Machines is intended to introduce the main features of the software and installation instructions for your production environment. You should read through it prior to installing or using the software.

Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro’s Web site.

Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site:

http://www.trendmicro.com/download/documentation/rating.asp

Contents

Chapter 1: Introducing Trend Micro Core Protection for Virtual Machines
    What is Core Protection for Virtual Machines? .... 1-2
    Features and Benefits .... 1-2
    System Requirements .... 1-3
    How CPVM Works .... 1-5
    Overall Architecture .... 1-6
    Real-time Scan versus Scan Now .... 1-9
    Virus Actions .... 1-10
    Virus Logs .... 1-11
    Deploying Updates .... 1-11
    Virus Detection Technology .... 1-12
        Pattern Matching .... 1-12
        Compressed Files .... 1-13
        OLE Layer Scan .... 1-15
        IntelliScan .... 1-15
        ActiveAction .... 1-16

Chapter 2: Getting Started
    Accessing the Web Console .... 2-2
    Navigating the Web Console .... 2-3
    CPVM Configuration Checklist .... 2-5

Chapter 3: Monitoring Core Protection for Virtual Machines
    Overview .... 3-2
    Viewing System Information .... 3-3
    Viewing Virtual Machine Status .... 3-3
    Viewing Scan Results .... 3-4
    Viewing Server Update Status .... 3-4

Chapter 4: Managing Core Protection for Virtual Machines
    Managing Groups .... 4-2
        Viewing Group Information .... 4-2
        Adding Groups .... 4-3
        Renaming a Group .... 4-4
        Deleting a Group .... 4-4
    Managing VC Inventory .... 4-5
    Managing Members .... 4-8
        Viewing Member Information .... 4-8
        Adding a Member to a Group .... 4-10
        Moving Members to Another Group .... 4-12
        Managing a Network Share .... 4-13
    Performing Scans .... 4-15
        Scan Types .... 4-15
        IntelliScan Scan Methods .... 4-17
            True File-type Detection .... 4-17
            File Extension Checking .... 4-17
        Scan Agents .... 4-17
            Real-time Agent .... 4-18
            CPVM Scanning Agent .... 4-18
    Initiating a QuickScan .... 4-18
    Initiating Scan Now .... 4-21
    Installing the Real-time Agent .... 4-22
    Installing the Scanning Agent .... 4-23
    Uninstalling Agents .... 4-24
    Upgrading Agents .... 4-25
    Enabling and Disabling the Scanning Agent .... 4-27
    Configuring Scan Settings .... 4-28
        ActiveAction versus Manual Settings .... 4-29
        Configuring QuickScan Settings .... 4-29
        Configuring Real-time Scan Settings .... 4-34
        Configuring Scheduled Scan Settings .... 4-39
        Configuring Scan Now Settings .... 4-44
    Viewing and Managing Logs .... 4-48
        Manually Deleting Logs .... 4-51

Chapter 5: Updating Components
    Components .... 5-2
        Antivirus .... 5-2
        Anti-spyware .... 5-2
        Component Duplication .... 5-2
    Viewing an Update Summary .... 5-5
    Configuring Scheduled Server Updates .... 5-8
    Performing a Manual Server Update .... 5-9
    Specifying a Server Update Source .... 5-10
    Configuring Automatic Member Updates .... 5-12
    Performing Manual Member Updates .... 5-14
    Rolling Back Updates .... 5-15

Chapter 6: Viewing and Managing Logs
    Overview .... 6-2
    Logged Actions .... 6-3
        Actions Logged at the Agents .... 6-4
    Viewing Member Logs .... 6-6
    Viewing Server Logs .... 6-7
    Viewing Virus/Malware Logs .... 6-8
    Viewing Spyware/Grayware Logs .... 6-9
    Using the Log Viewer .... 6-10
    Deleting Logs .... 6-11

Chapter 7: Managing Notifications
    Configuring Alert Notifications .... 7-2
        Configuring General Settings .... 7-2
        Configuring Notification Triggers .... 7-3

Chapter 8: Administering Core Protection for Virtual Machines
    Setting the Web Console Password .... 8-2
    Configuring Proxy Settings .... 8-4
    Configuring Virtual Infrastructure Settings .... 8-5
    Configuring Compatible Products .... 8-6
    Viewing and Updating Your Product License .... 8-8

Appendix A: VMware Virtual Center Integration
    Virtual Center Plug-in .... A-2
    Virtual Center Reporting .... A-3

Index

Preface

Welcome to the Trend Micro™ Core Protection for Virtual Machines Administrator’s Guide. This book contains information about product settings and service levels.

This preface discusses the following topics:
• Core Protection for Virtual Machines Documentation on page vi
• Audience on page vi
• Document Conventions on page vii


Core Protection for Virtual Machines Documentation

The Trend Micro Core Protection for Virtual Machines documentation consists of the following:

Installation Guide: Describes the system requirements and steps to install Core Protection for Virtual Machines.

Administrator’s Guide: Helps you plan for deployment and explains how to configure all product settings, and how to manage and administer the product.

Administrator Online Help: Helps you configure all features through the user interface. You can access the online help by opening the web console and then clicking the help icon.

Readme File: Contains late-breaking product information that might not be found in the other documentation. Topics include a description of features, installation tips, known issues, and product release history.

The Core Protection for Virtual Machines documentation is available at: http://www.trendmicro.com/download

Audience

The Core Protection for Virtual Machines documentation is written for IT managers, IT security managers, and virtual infrastructure managers. The documentation assumes that you have in-depth knowledge of virtualization technologies and networks, including details related to the following:
• Antivirus and content security protection
• Network concepts (such as IP address, Subnet Mask, LAN settings)
• Network devices and their administration
• Network configuration (such as the use of VLAN, SNMP)
• VMware VI3


Document Conventions

To help you locate and interpret information easily, the Core Protection for Virtual Machines documentation uses the following conventions.

CONVENTION: DESCRIPTION

ALL CAPITALS: Acronyms, abbreviations, and names of certain commands and keys on the keyboard

Bold: Menus and menu commands, command buttons, tabs, options, and Core Protection for Virtual Machines tasks

Italics: References to other documentation

Monospace: Examples, sample command lines, program code, Web URLs, file names, and program output

Note: Configuration notes

Tip: Recommendations

WARNING! Reminders on actions or configurations that should be avoided


Chapter 1

Introducing Trend Micro Core Protection for Virtual Machines

This chapter provides an overview of Trend Micro™ Core Protection for Virtual Machines™ (CPVM).

Topics in this chapter:
• What is Core Protection for Virtual Machines? on page 1-2
• Features and Benefits on page 1-2
• System Requirements on page 1-3
• How CPVM Works on page 1-5
• Overall Architecture on page 1-6
• Real-time Scan versus Scan Now on page 1-9
• Virus Actions on page 1-10
• Virus Logs on page 1-11
• Deploying Updates on page 1-11
• Virus Detection Technology on page 1-12


What is Core Protection for Virtual Machines?

Trend Micro™ Core Protection for Virtual Machines™ (CPVM) improves and simplifies the implementation of corporate virus policy by enabling you to centrally manage the security of your virtual infrastructure. CPVM scans and cleans both online and powered off VMware Virtual Machine files within VMware Virtual Infrastructure 3 or VMware vSphere 4.0. CPVM senses changes in your virtual infrastructure, including provisioning of new virtual machines, and automatically protects the new machines.

Core Protection for Virtual Machines enables you to manage servers from a single administration web console. In addition, you can configure virtual machines in the same group simultaneously and generate integrated virus incident reports from all of them.

Features and Benefits

• Security risk protection protects your virtualized servers from viruses/malware and spyware/grayware. Scanning and real-time agents protect virtual servers, report events to the CPVM server, and receive updates from the CPVM server.

• Centralized management from the CPVM server web console offers transparent access to all virtualized servers on the network. You can coordinate automatic deployment of security policies, pattern files, and software updates on the virtualized server. You can download updates from an update source (such as the Trend Micro ActiveUpdate server) and initiate agent component updates. Core Protection for Virtual Machines also provides real-time monitoring, event notification, and comprehensive reporting.

• Configurable scanning tools offer greater security coverage and faster, more efficient scans. Scanning tools include ActiveAction, IntelliScan, and OLE layer scan.

• Viewable scanning statistics enable you to efficiently monitor your network antivirus security by providing the following details: total number of viruses found for the day and over the last seven days, status of the infections, total number of non-cleanable viruses, and more.


System Requirements

The following tables describe the system requirements for the CPVM Server, CPVM Scanning Agents, and Real-time Agents.

TABLE 1-1. System Requirements for CPVM

SYSTEM REQUIREMENT: DESCRIPTION

CPVM Server Operating System:
• Microsoft™ Windows™ 2003 32-bit Standard Server with Service Pack 1 or 2
• Microsoft™ Windows™ 2003 R2 32-bit Standard Edition with Service Pack 1 or 2
• Microsoft™ Windows™ 2003 32-bit Enterprise Server with Service Pack 1 or 2
• Microsoft™ Windows™ 2003 R2 32-bit Enterprise Edition with Service Pack 1 or 2

CPVM Server Hardware:
Minimum Requirements
• 800MHz Intel™ Pentium™ II processor or equivalent
• 512MB of RAM
• 1GB of available disk space
• Network Interface Card (NIC)
• Monitor that supports 800 x 600 resolution at 256 colors or higher
Recommended Requirements
• 2.4GHz Intel Pentium 4 or faster
• 1GB of RAM
• 2GB of disk space
• Network Interface Card (NIC)
• Monitor that supports 1024 x 768 resolution at 32-bit colors or higher

Web Server:
• Microsoft Internet Information Server (IIS), Windows 2003 Server, Version 6.0
• Administrator or Domain Administrator access on the server machine
• Microsoft .NET Framework 2.0 (CPVM installs it if it is not present)
• File and printer sharing for Microsoft Networks installed on the server and client machine

Administration Web Console:
• 300MHz Intel Pentium processor or equivalent
• 128MB of RAM
• 30MB of available disk space
• Monitor that supports 800 x 600 resolution at 256 colors or higher
• Microsoft Internet Explorer™ 6.0 or 7.0

Scanning Agents Operating System:
• Windows XP Professional with Service Pack 3 or later, 32-bit and 64-bit versions
• Windows 2003 (Standard, Enterprise Server) with Service Pack 2 or later, 32-bit and 64-bit versions
• Windows Server 2008 (Standard, Enterprise, Datacenter and Web Editions) with Service Pack 1 or later
• Windows Server 2008 R2 (Standard, Enterprise, Datacenter and Web Editions), 64-bit versions
Required: Microsoft .NET Framework 2.0 SP2 or later

Real-time Agents Operating System:
• Windows XP Professional with Service Pack 3 or later, 32-bit and 64-bit versions
• Windows 2000 (Server, Advanced Server) with Service Pack 4
• Windows 2003 (Standard, Enterprise Server) with Service Pack 2 or later, 32-bit and 64-bit versions
• Windows Vista Ultimate Edition with Service Pack 1 or later, 32-bit and 64-bit versions
• Windows Server 2008 (Standard, Enterprise, Datacenter and Web Editions) with Service Pack 1 or later
• Windows Server 2008 R2 (Standard, Enterprise, Datacenter and Web Editions), 64-bit versions

VMware: One of the following VMware configurations:
• VI3 (ESXi 3.5/ESX 3.5 and vCenter)
• vSphere 4 (ESXi 4.0/ESX 4.0 and vCenter)

Note: Core Protection for Virtual Machines must be connected to the vCenter that manages your Virtual Infrastructure. If you are not using vCenter to manage your ESX/ESXi hosts, Core Protection for Virtual Machines will not work with a direct connection to ESX/ESXi hosts.

How CPVM Works

Core Protection for Virtual Machines monitors all activity in your VMware virtual environment through its real-time and scanning agents. Virtual machines with real-time agents monitor file read/write activity and check for file infections. Scanning agents perform on-demand and scheduled scanning of target VMs for file infections.

If a scanning agent finds an infected file, the scanning agent notifies pre-defined recipients and takes action on the virus according to your configured virus response settings. An activity log records all activities of the system.

Core Protection for Virtual Machines lets you design personal scanning profiles, saving you from having to re-configure frequently-needed settings. You can even assign multiple scanning options to a profile and use the profile for special circumstances, such as scanning incoming files only.


Overall Architecture

The following diagram shows a typical deployment of Core Protection for Virtual Machines within a VMware Virtual Infrastructure:

FIGURE 1-1. Core Protection for Virtual Machines Typical Deployment

The diagram shows active, scanning, and dormant VMs with the Real-Time Agent installed. You can install the CPVM Scanning Agent on a VM or on a physical machine (as indicated in the figure by the machine enclosed by a dotted line on the left).


The VI infrastructure consists of VMware VirtualCenter, which is virtual infrastructure management software that centrally manages an enterprise’s virtual machines as a single, logical pool of resources. The heart of VirtualCenter is the VirtualCenter server, which collects and stores persistent data in a dedicated database that contains per-system and environmental information. Core Protection for Virtual Machines is deployed within the VI infrastructure.

TABLE 1-1. Major Components of a CPVM Deployment

COMPONENT: DESCRIPTION

VirtualCenter Client: A user interface that runs locally on a Windows machine with network access to the VirtualCenter server. You can run the VirtualCenter client on the same machine as the VirtualCenter Server or on another machine with network access.

VirtualCenter Server: The VirtualCenter server acts as a central administrator for VMware servers connected on a network. The server directs actions on the virtual machines and the virtual machine hosts. The VirtualCenter server is deployed as a Windows service and runs continuously. The server collects and stores persistent data in a dedicated database that contains per-system and environmental information.

VirtualCenter Agent: The VirtualCenter agent is installed on each managed host. The agent installs automatically the first time that you add a host to the VirtualCenter inventory. The VirtualCenter agent collects, communicates, and executes the actions received from the VirtualCenter server.

VirtualCenter Database: The VirtualCenter database (SQL Server or Oracle) provides a persistent storage area for maintaining the status of each virtual machine, host, and user managed in the VirtualCenter environment. The database can be local or remote from the VirtualCenter server machine.

VirtualCenter Web Service: You can optionally install the VirtualCenter web service with the VirtualCenter server. The web service is a required application programming interface for third-party applications that communicate over HTTP using the VMware SDK application programmer interface (API).

Core Protection for Virtual Machines Server: The CPVM server is a service that acts as a central administrator for scanning agent virtual machines connected to the network. The CPVM server is deployed as a Windows service and runs continuously. The CPVM server directs actions on the virtual machines. The CPVM server must have network access to the VirtualCenter server and all scanning agents that it manages. In addition, the CPVM server must be available for network access from any machine where the Administration web console runs.

CPVM Scanning Agent: The CPVM Scanning Agent is a service that runs on a host and scans dormant VMDK files or live VMs as specified by the schedule and policy that you configure on the CPVM server. The CPVM server pushes the schedule and policies to all scanning agents.

Note: The scanning agent can only scan offline VMDK files that are visible to the host machine where the agent is running.

Real-Time Agent: The Real-Time Agent service monitors all disk I/O and ensures that no disk writes result in possible malware. The Real-time Agent receives the latest signature updates from the CPVM server. You can install the Real-time Agent on any VM or physical machine.

Administration Web Console: The Administration web console is a web-based user interface to the CPVM server. The web console enables you to configure and run scans, configure logs and notifications, and view a summary of activity for Core Protection for Virtual Machines. The web console can be on the same machine as the VirtualCenter server or on another machine with network access.

Real-time Scan versus Scan Now

Core Protection for Virtual Machines features two powerful scan functions: Real-time Scan and Scan Now.

Real-time Scan runs continuously on a server and provides the maximum level of virus protection. Real-time Scan agents monitor all file I/O events on the server and prevent infected files from being copied to or from the server.

Scan Now is a manual, on-demand virus scan (that is, it occurs immediately after being invoked). Use Scan Now to check a server that you suspect may have been exposed to a computer virus or about which you want immediate information.

Tip: To ensure maximum protection, Trend Micro recommends using both Real-time Scan and Scan Now.


Real-time Scan and Scan Now benefits include:
• Redundant File Scan: If a file containing a virus is accidentally downloaded or copied, Real-time Scan stops it. However, if for any reason Real-time Scan is disabled, Scan Now will detect it.
• Efficient File Scan: By default, Real-time Scan is configured to scan files reliably, while minimizing the impact on system resources.
• Effective and Flexible File Scan: Core Protection for Virtual Machines offers effective and numerous scan configuration options to protect your networks based on your individual needs.

Virus Actions

Core Protection for Virtual Machines enables you to configure the action for the system to take on infected files. Different actions work best with different virus types.

TABLE 1-2. Configurable Virus Actions

VIRUS ACTION: DESCRIPTION

Bypass/Ignore: For a manual scan, CPVM skips the file without taking any corrective action. However, the virus detection is still recorded in the program’s log entries. For Real-time Scan, CPVM treats the file as "deny-write," protecting it from duplication or modification.

Delete: Deletes the infected file.

Rename: Renames the infected file extension to .vir. This prevents the file from being executed or opened. If a file of that name with the .vir extension already exists, the file is renamed to .v01, .v02, and so on until .v99.

Quarantine: Moves the infected file to a folder of your choice. You can also change the file extension of the moved file to prevent it from being inadvertently opened or executed.

Clean: Attempts to clean the virus code from the file. Since the cleaning process sometimes corrupts the file and makes it unusable, you can back up the file before cleaning.

Note: You can specify a secondary action if the cleaning process is unsuccessful.

All virus events and associated courses of action are recorded in the log file.

Note: On a 64-bit operating system, Core Protection for Virtual Machines detects both 32-bit viruses and 64-bit viruses.

Virus Logs

From the web console, Core Protection for Virtual Machines (CPVM) provides comprehensive information about the results of scanning, file updating and deploying. Furthermore, CPVM saves the information in a log file that you can retrieve or export. You can view the following virus scan statistics: scan start times, machines scanned, detected viruses and types, and infected virtual servers. In addition, you can export the log information to a comma-separated value (CSV) file for further analysis.

Deploying Updates

Core Protection for Virtual Machines simplifies the maintenance of Trend Micro software by enabling you to configure scheduled server updates and automatic member updates.

Note: Trend Micro releases new versions of these update files on a regular basis.

Core Protection for Virtual Machines update features include:
• Unattended scheduled update: Core Protection for Virtual Machines can perform updates of all servers and members automatically based on a schedule that you specify.
• Centralized update deployment: You can deploy updates to servers in your virtual infrastructure from the web console.
• Proxy server compatibility: Core Protection for Virtual Machines works with the majority of existing proxy servers.
• Update activity logging: Core Protection for Virtual Machines records all update activity in a log file for future reference.
• Update Roll-back option: If you encounter a problem while deploying an update, you can roll back a deployed pattern and scan engine file to the previous version.
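The Rename and Quarantine rows of Table 1-2, together with the CSV log export described under Virus Logs, worked as an added Python example. This is not Trend Micro’s code; the agent’s own implementation is not shown in this guide. It assumes that "rename the extension to .vir" means replacing the file’s last extension, and the temporary directory, machine name and detection names are constructed for the example.

```python
# Added example, not Trend Micro code: applies the Rename, Quarantine and
# Delete virus actions from Table 1-2 to a file and records each action as a
# CSV log row of the kind the Virus Logs section says can be exported.
# Assumption: "rename the extension to .vir" means replacing the last suffix.
import csv
import io
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional


def renamed_target(path: Path) -> Path:
    """Name the Rename action gives an infected file.

    First choice is <name>.vir; if that already exists, try .v01 ... .v99
    in order. Raises FileExistsError when all 100 candidates are taken, so
    the caller can fall back to a secondary action instead of silently
    overwriting an earlier renamed sample.
    """
    base = path.with_suffix("")
    candidates = [base.with_suffix(".vir")]
    candidates += [base.with_suffix(f".v{n:02d}") for n in range(1, 100)]
    for candidate in candidates:
        if not candidate.exists():
            return candidate
    raise FileExistsError(f"no free .vir/.vNN name left for {path}")


def apply_action(action: str, infected: Path,
                 quarantine_dir: Optional[Path] = None) -> Optional[Path]:
    """Apply one configured action; return the file's new path (None if deleted)."""
    if action == "rename":
        target = renamed_target(infected)
        infected.rename(target)
        return target
    if action == "quarantine":
        if quarantine_dir is None:
            raise ValueError("quarantine needs a destination folder")
        quarantine_dir.mkdir(parents=True, exist_ok=True)
        # Move the file out of the way and neutralise its extension as well,
        # the optional extra step the Quarantine row describes.
        target = renamed_target(quarantine_dir / infected.name)
        shutil.move(str(infected), str(target))
        return target
    if action == "delete":
        infected.unlink()
        return None
    raise ValueError(f"unsupported action: {action}")


class VirusLog:
    """Collects virus events and exports them as CSV (header plus one row each)."""
    FIELDS = ["time", "machine", "file", "virus", "action", "result"]

    def __init__(self) -> None:
        self.rows: List[dict] = []

    def record(self, machine: str, original: Path, virus: str,
               action: str, result: Optional[Path]) -> None:
        self.rows.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "machine": machine,
            "file": str(original),
            "virus": virus,
            "action": action,
            "result": "deleted" if result is None else str(result),
        })

    def to_csv(self) -> str:
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=self.FIELDS, lineterminator="\n")
        writer.writeheader()
        writer.writerows(self.rows)
        return buf.getvalue()


def demo() -> dict:
    """Constructed scenario in a throwaway directory standing in for a VM."""
    root = Path(tempfile.mkdtemp())
    log = VirusLog()
    infected = root / "invoice.exe"
    infected.write_bytes(b"constructed sample, not malware")
    (root / "invoice.vir").write_bytes(b"left over from an earlier rename")
    renamed = apply_action("rename", infected)  # .vir is taken, so .v01
    log.record("vm-web-01", infected, "CONSTRUCTED_TEST_A", "rename", renamed)
    second = root / "report.docx"
    second.write_bytes(b"constructed sample two")
    moved = apply_action("quarantine", second, root / "quarantine")
    log.record("vm-web-01", second, "CONSTRUCTED_TEST_B", "quarantine", moved)
    summary = {
        "renamed": renamed.name,
        "quarantined": moved.relative_to(root).as_posix(),
        "csv": log.to_csv(),
    }
    shutil.rmtree(root)
    return summary


if __name__ == "__main__":
    print(demo()["csv"])
```

The collision rule matters most on a shared quarantine folder: without the .v01 to .v99 fallback, a second detection of a file with the same name would overwrite the first and lose a sample an analyst may still want. Running the script prints the CSV with one row per action.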

Virus Detection Technology

Core Protection for Virtual Machines uses advanced virus detection technology, including the following:
• Pattern Matching
• Compressed Files
• OLE Layer Scan
• IntelliScan
• ActiveAction

Pattern Matching

Using a process called "pattern matching," Core Protection for Virtual Machines draws on an extensive database of virus patterns to identify known virus signatures. Key areas of suspect files are examined for tell-tale strings of virus code and compared against tens of thousands of virus signatures that Trend Micro has on record.

For polymorphic or mutating viruses, the Core Protection for Virtual Machines scan engine permits suspicious files to execute in a protected area where they are decrypted. Core Protection for Virtual Machines then scans the entire file, including the freshly decrypted code, and looks for strings of mutation-virus code.


If such a virus is found, Core Protection for Virtual Machines performs the virus actions that you pre-configure, such as clean (autoclean), delete, bypass (ignore), quarantine (move), or rename. You can customize virus actions for both boot and file viruses.

Note: It is important to keep the virus pattern file up-to-date. More than a thousand new viruses are created each year. Trend Micro makes it easy to update the pattern file by supporting scheduled updates.

Compressed Files

Compressed file archives (that is, a single file composed of many separate compressed files) are often distributed via email and the Internet. Since some antivirus software cannot scan these types of files, compressed file archives are sometimes used as a way to "smuggle" a virus into a protected network or computer.

Core Protection for Virtual Machines can scan files inside compressed archives, even compressed files composed of other compressed files. CPVM can scan up to a maximum of five compression layers.


The Trend Micro scan engine used in Core Protection for Virtual Machines can detect viruses in files compressed using the following algorithms:
• PKZIP (.zip) & PKZIP_SFX (.exe)
• LHA (.lzh) & LHA_SFX (.exe)
• ARJ (.arj) & ARJ_SFX (.exe)
• CABINET (.cab)
• TAR
• GNU ZIP (.gz)
• RAR (.rar)
• PKLITE (.exe or .com)
• LZEXE (.exe)
• DIET (.com)
• UNIX PACKED (.z)
• UNIX COMPACKED (.z)
• UNIX LZW (.Z)
• UUENCODE
• BINHEX
• BASE64

Note: If a virus is found in an archive using other algorithms, they must first be decompressed in a temporary directory, then cleaned.
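The pattern-matching and nested-archive behaviour described in the two sections above, shown as an added example that is not part of this guide or of the Trend Micro scan engine: a small Python scanner that looks for byte signatures from a constructed signature table, opens ZIP, gzip and tar containers by their magic bytes rather than their file names, recurses at most five layers deep, and flags (rather than silently passes) anything it cannot open. The signature strings, member names, the bzip2 "unsupported" case and the nesting helpers are all constructed for this example.

```python
"""Signature scan with bounded recursion into nested archives (added example)."""
import gzip
import io
import tarfile
import zipfile

MAX_LAYERS = 5  # same limit as the five compression layers described above

# Constructed signature table: detection name -> byte string to look for.
# Real pattern files are far richer; these markers exist only for this example.
SIGNATURES = {
    "Test.Marker.A": b"CPVM-TEST-MARKER-A",
    "Test.Marker.B": b"\xde\xad\xbe\xef\xca\xfe",
}

SUPPORTED = {"zip", "gzip", "tar"}


def detect_container(data):
    """Identify a container by its magic bytes, never by its extension."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"  # recognised but deliberately not opened in this example
    if len(data) >= 512 and data[257:262] == b"ustar":
        return "tar"
    return None


def extract_members(kind, data):
    """Yield (member name, member bytes) for each file in a supported container."""
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
    elif kind == "gzip":
        yield "<gzip>", gzip.decompress(data)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            for member in tf.getmembers():
                if member.isfile():
                    yield member.name, tf.extractfile(member).read()


def scan_bytes(data, path="<input>", depth=0):
    """Return a list of (path, finding) tuples.

    A finding is a signature name or one of the pseudo-results ARCHIVE-TOO-DEEP,
    UNSUPPORTED-CONTAINER:<kind> and UNREADABLE-ARCHIVE:<error>, so that content
    the scanner could not inspect is never reported as clean.
    """
    findings = [(path, name) for name, sig in SIGNATURES.items() if sig in data]
    kind = detect_container(data)
    if kind is None:
        return findings
    if kind not in SUPPORTED:
        findings.append((path, f"UNSUPPORTED-CONTAINER:{kind}"))
        return findings
    if depth >= MAX_LAYERS:
        findings.append((path, "ARCHIVE-TOO-DEEP"))
        return findings
    try:
        for name, content in extract_members(kind, data):
            findings.extend(scan_bytes(content, f"{path}/{name}", depth + 1))
    except (zipfile.BadZipFile, tarfile.TarError, OSError, EOFError) as exc:
        findings.append((path, f"UNREADABLE-ARCHIVE:{type(exc).__name__}"))
    return findings


# Helpers that build constructed test archives in memory.
def make_zip(name, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def make_tar(name, content):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(content)
        tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def nest(payload, layers):
    """Wrap payload in `layers` containers, cycling zip -> gzip -> tar."""
    data = payload
    for i in range(layers):
        if i % 3 == 0:
            data = make_zip(f"layer{i}.bin", data)
        elif i % 3 == 1:
            data = gzip.compress(data)
        else:
            data = make_tar(f"layer{i}.bin", data)
    return data


# Constructed sample: harmless filler around one marker string.
SAMPLE = b"harmless text " * 4 + SIGNATURES["Test.Marker.A"] + b" harmless text" * 4

if __name__ == "__main__":
    for layers in (5, 6):
        for found in scan_bytes(nest(SAMPLE, layers)):
            print(layers, "layers:", found)
```

With five layers the marker is reached and reported with its full nesting path; with six, the innermost archive is reported as ARCHIVE-TOO-DEEP instead of being opened, which is the behaviour you want from a depth limit: an archive the scanner did not look inside is an unscanned object, not a clean one.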


OLE Layer Scan

Microsoft™ Object Linking and Embedding (OLE) enables embedding Microsoft Office™ files. This means that you could have a Microsoft Word document inside an Excel sheet, and in turn this Excel sheet could be embedded in a Microsoft PowerPoint presentation.

Although OLE offers a large number of benefits to developers, OLE can lead to potential infection. To address this issue, Core Protection for Virtual Machines includes the OLE Layer Scan feature, which complements state-of-the-art Core Protection for Virtual Machines virus protection.

Tip: OLE Layer Scan can inspect up to five layers of embedded objects. Trend Micro recommends a setting of 2 OLE layers for Scan Now and a setting of 1 for Real-time Scan. A lower setting improves server performance, at the cost of not inspecting objects embedded more deeply than the configured layer.

IntelliScan

IntelliScan identifies which files to scan for more secure and efficient scanning than the standard "scan all files" option.

For executable files, such as .exe, the true file type is determined from the file content. For files that are not executable (for example, .txt), IntelliScan uses the file header to verify the true file type.

The following are just a couple of the benefits IntelliScan offers:
• Performance optimization: Server system resources allotted to a scan are minimal, so IntelliScan does not interfere with other crucial applications running on the server.
• Time saving: Because IntelliScan uses true file type identification, its scan time is significantly less than that of an "all files" scan; only files with a greater risk of being infected are scanned. The difference is noticeable when you use IntelliScan with Scan Now.


ActiveAction

ActiveAction is a set of pre-configured scan actions that can be performed on viruses and other types of malware. You can configure ActiveAction for both Scan Now and Real-time Scan.

Tip: Trend Micro recommends that you select ActiveAction if you are not familiar with virus actions or if you are unsure of which scan action is most suitable for a certain virus.

Viruses vary significantly from one another; this requires appropriate virus actions for each virus type. Customizing scan actions for file viruses requires knowledge of viruses and can be a tedious task. For this reason, Trend Micro recommends the use of ActiveAction.

Some advantages of using ActiveAction over customized scan actions are:
• Time saving: You spend no time customizing virus actions.
• Worry-free maintenance: ActiveAction uses Trend Micro recommended scan actions, so you can concentrate on other tasks and not worry about making mistakes.
• Updateable scan actions: Trend Micro includes new ActiveAction scan actions with every new pattern. Viruses constantly change how they attack, so scan actions should be modified frequently to prevent possible infection.


Chapter 2

Getting Started

This chapter describes how to get started using Trend Micro Core Protection for Virtual Machines.

Topics in this chapter:
• Accessing the Web Console on page 2-2
• Navigating the Web Console on page 2-3
• CPVM Configuration Checklist on page 2-5


Accessing the Web Console

The Core Protection for Virtual Machines Administrator web console enables you to monitor ongoing activity, configure and run scans, update components, view logs, generate notifications, and administer CPVM.

Note: To access the Administrator web console, you must have a Trend Micro CPVM Administrator account.

To start the web console:

1. Open your browser and navigate to the web console using local or remote access:
• Local access: If you are accessing the web console from the machine where CPVM resides, double-click the CPVM Console icon created during installation, or open a web browser and enter the following URL:
https://<hostname>/WebUI/login.aspx
• Remote access: If you configured the CPVM machine for network access, enter either of the following, where <hostname> is the hostname and <ip_address> is the IP address of the CPVM machine:
https://<hostname>/WebUI/login.aspx
https://<ip_address>/WebUI/login.aspx
The Logon screen appears.

2. Enter your password and click Logon.

The web console Summary screen appears with the current CPVM status.


Navigating the Web Console

The Summary screen aggregates system information and status information for virtual machines, scan results, and component updates.

FIGURE 2-1 Web Console Summary Screen

These are the menu options on the CPVM console:

TABLE 2-1. Web Console Menu Options

MENU OPTION    DESCRIPTION

Summary    This screen provides system information and a summary of the current status of your virtual machines, scan results, and component updates.

Security Management    This screen enables you to:
• Manage groups and members in your virtual installation.
• Manage VC inventory.
• Configure and perform scans.
• Install/uninstall CPVM Scanning Agents and Real-Time Agents.
• Configure logs.
• Sync from VC directly.

Updates    This screen enables you to configure CPVM to update the server or members automatically, or to update them manually at any time. Available actions include:
• View an update summary.
• Configure the server update schedule.
• Update the server manually.
• Configure the server update source.
• Update members automatically.
• Update members manually.
• Roll back components.

Logs    This screen enables you to configure and view logs to analyze your infrastructure protection and to troubleshoot and manage security risks in your network. You can configure and view the following logs:
• Virus/malware
• Spyware/grayware
• Member update
• Server
• System events
Additional log options are available on the Logs screen. Log configuration actions include:
• Configure the Virus/Malware Log Criteria
• Configure the Spyware/Grayware Log Criteria
• Delete Logs

Notifications    This screen enables you to configure CPVM to send an alert when virus/malware or spyware/grayware is detected or a system event occurs. You can configure the specific events that trigger a notification, the notification recipients, and the notification methods (email and SNMP traps).

Administration    These screens enable you to configure Core Protection for Virtual Machines settings, including the following:
• Set the console password
• Configure proxy settings
• Configure virtualization infrastructure settings
• Configure compatible products
• View and update your product license

CPVM Configuration Checklist

After installing Trend Micro Core Protection for Virtual Machines (CPVM) and setting the web console password, perform the following tasks to set up the product features and ensure that the system is working properly:

TABLE 2-2. CPVM Configuration Checklist

STEP    WEB CONSOLE SCREEN    ACTION TO TAKE

1    Administration    Change the web console password. Configure proxy settings. Configure virtual infrastructure settings. Configure compatible product updates.

2    Security Management    Configure groups and members. Install agents.

3    Logs    Configure logs.

4    Notifications    Configure notifications.

5    Updates    Update components.

6    Security Management    Configure scans.

Chapter 3

Monitoring Core Protection for Virtual Machines

This chapter describes how to monitor Core Protection for Virtual Machines status using the Summary screen.

Topics in this chapter:
• Overview on page 3-2
• Viewing System Information on page 3-3
• Viewing Virtual Machine Status on page 3-3
• Viewing Scan Results on page 3-4
• Viewing Server Update Status on page 3-4


Overview

The Summary screen provides current information on Core Protection for Virtual Machines activity and status. The Summary screen shows:
• System information
• Status of virtual machines
• Current scan results
• Server update status

To open the Summary screen:

• On the Core Protection for Virtual Machines navigation bar, click Summary.

FIGURE 3-1. Viewing the Core Protection for Virtual Machines Summary


Viewing System Information

The System Information area shows the status and details of the Core Protection for Virtual Machines system. The following information is provided:
• Product Version: The version of the Core Protection for Virtual Machines software installed on your server
• Platform: The hardware platform of your Core Protection for Virtual Machines Server
• OS: The operating system installed on your Core Protection for Virtual Machines Server

For information on updating your Core Protection for Virtual Machines software, see Updating Components starting on page 5-1.

Viewing Virtual Machine Status

The Virtual Machine Status area shows the current status of the components in your Core Protection for Virtual Machines installation:
• PoweredOn Virtual Machines
• PoweredOff Virtual Machines
• Real-Time Agents
• CPVM Scanning Agents
• Virtual Machines Scanned
• Virtual Machines Infected/Cleaned


Viewing Scan Results

The Scan Results For area displays a summary of the scan results for the day and the total for the week. The number of viruses and spyware/grayware detected for the day appears in the right corner of the Scan Results For title bar.

To view scan results:

• Select Scan Results For > Virus or Scan Results For > Spyware/Grayware.
Scan results for today and the last seven days are displayed. This includes the number of files that are:
• Uncleanable
• Quarantined
• Deleted
• Passed
• Cleaned
• Renamed

Viewing Server Update Status

The Server Update Status area shows the status of each component in your installation for the following:
• Antivirus
• Anti-spyware


To view update status details:

1. On the Core Protection for Virtual Machines navigation bar, click Summary.

FIGURE 3-2. Viewing a Component Update Summary


2. Click the expand icon in front of the Member Component name to expand the display. The list expands to show the current version, latest version, and last update for each of the following:
• Antivirus
  • Virus Pattern
  • Virus Scan Engine (32-bit)
  • Virus Scan Engine (64-bit)
• Anti-spyware
  • Spyware Pattern
  • Spyware Scan Engine (32-bit)
  • Spyware Scan Engine (64-bit)

3. To perform updates of all the components for the server, click Update Now.

For information on updating the Core Protection for Virtual Machines components, see Updating Components starting on page 5-1.


Chapter 4

Managing Core Protection for Virtual Machines

This chapter describes how to manage Core Protection for Virtual Machines.

Topics in this chapter:
• Managing Groups on page 4-2
• Managing VC Inventory on page 4-5
• Managing Members on page 4-8
• Performing Scans on page 4-15
• Installing the Real-time Agent on page 4-22
• Installing the Scanning Agent on page 4-23
• Uninstalling Agents on page 4-24
• Upgrading Agents on page 4-25
• Configuring Scan Settings on page 4-28
• Viewing and Managing Logs on page 4-48


Managing Groups

You can manage groups from the Security Management screen. Setting up groups enables you to organize the members in your virtual infrastructure and set separate scanning rules for the different groups. Members are the virtual machines or network shares in your virtual infrastructure.

Viewing Group Information

The Security Management screen enables you to view group information, such as the number of members and an overview of component updates and scans.

To view group information:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
Current group information appears.

FIGURE 4-1. View group information


The list in the right pane provides the following information for each group:
• Groups: The current groups on your site.
• Members: The number of members in the group.
• Scanning Agents: The number of scanning agents in the group.
• Real-Time Agents: The number of real-time agents in the group.
• Last Scheduled Security Scan: The last time a scheduled scan was run on the group members.

Adding Groups

To create a group, first add the group and then add or move members to it.

To add a group:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
The Security Management screen appears.

2. On the Current Groups toolbar, click Manage Security Groups > Add Group.
The Add Group screen appears.

FIGURE 4-2. Add Group screen

3. Type a Group name and click Add.

You can now add members to the group. For instructions on how to add members, see Adding a Member to a Group on page 4-10.


Renaming a Group

To rename a group:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
The Security Management screen appears.

2. In the Current Groups list, select the group to rename.
3. On the Current Groups toolbar, click Manage Security Groups > Rename Group.
The Rename Group screen appears.

FIGURE 4-3. Rename Group screen

4. Type the new group name and click Save.

Deleting a Group

To delete a group:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
The Security Management screen appears.

2. In the Current Groups list, select the group to delete.


3. On the Current Groups toolbar, click Manage Security Groups > Delete Group.
The system asks whether you are sure you want to delete the selected group(s).

FIGURE 4-4. Delete Group screen

4. Click Delete.

Managing VC Inventory

The VirtualCenter inventory provides a single point for viewing members and related information, moving machines among groups, and managing licenses.

Note: Individual VMDK files on a network share are not displayed in the VC inventory list, but the network share appears.


To manage VC inventory:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.
The Security Management screen appears.

2. Click VC Inventory.
The VC Inventory screen displays a list of members in your site, along with the group, host, and license status.

FIGURE 4-5. VC Inventory screen

Note: Do not move members between groups while a scan, including a scheduled scan, is in progress.

3. Select the members you want to move, and click Move.


4. In the Move selected member(s) to drop-down list, select the group where you want to move the members to.

FIGURE 4-6. Move Members screen

5. To apply the settings of the group to the members, select Apply settings of new group to selected members.


Managing Members

Members are virtual machines or network shares in your Core Protection for Virtual Machines environment. Adding members to groups helps you to logically manage your security tasks. Actions you can take on group members include:
• View member information
• Add members
• Move members
• Search for a member
• Add network share
• Remove network share

Viewing Member Information

The Security Management screen enables you to view member information in each group, such as power status and scan results.

To view member information:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Expand Security Groups to view the current groups.


3. Select the group whose member information you want to view.

FIGURE 4-7. View Member information

The list in the right pane provides the following information for each member in the selected group:
• Category
• Power Status
• Scan Status
• Scan Results
• IP Address


Adding a Member to a Group

Virtual machine inventory is obtained directly from the VirtualCenter, but if you want to set up a physical machine to perform the scanning function, you must explicitly add it as a member. When you add the physical machine as a member, the Scanning Agent is automatically installed on that machine.

Note: Physical Scanning Agent (SA) members are allowed only in the Default group. If you add or move a physical SA to any other group, the physical SA is moved back to the Default group. When you uninstall the Scanning Agent from the physical machine using Install > Uninstall Agent, the member is automatically removed from the list of members.

To add a physical machine as a member:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Expand Security Groups to view the current groups.
3. Select the group to which to add a member.


4. Click Member Management > Add Member. The Add Physical SA screen appears.

FIGURE 4-8. Add Physical SA screen

5. Type the IP address or hostname in the IP/Hostname field.
6. Type the Username and Password.
7. Click Add.

The physical SA member is added to the Default group.


Moving Members to Another Group

Members are virtual machines in your Core Protection for Virtual Machines environment. You can move members from one group to another to help you logically manage your security tasks. When CPVM detects new virtual machines, the virtual machines are initially placed under the Default security group and automatically assigned the default scanning policy. You can then move those virtual machines to other groups to apply a different group security policy.

Note: Do not move members between groups while a scan, including a scheduled scan, is in progress. Otherwise, there could be a problem synchronizing with the CPVM server.

To move a member:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Expand Security Groups to view the current groups.
3. Select the group that includes the members you want to move.
4. In the Members list, select the members to move.
5. Click Member Management > Move Member.

The Move Member(s) screen appears.

FIGURE 4-9. Move Member(s) screen

6. Select the group to which you want to move the member.
7. Click Move.


Managing a Network Share

Core Protection for Virtual Machines enables you to scan VMDK files that are not in the VirtualCenter inventory but are located on a network share. You can add a network share by specifying a network path as a root folder, which may contain more than one subfolder containing VMDK files.

When you add a network share that stores VMDK files, all the VMDK files under it share the same security policy, which is defined either by the group policy or by the network share's own policy.

The group policy is used for scanning each VMDK file; you can define a specific scan policy for each group on the Security Management screen. CPVM logs any events associated with these files and includes the network path as part of the log. If you remove a network share as a member, it is also removed from the VC inventory list.

Note: Snapshots on dormant VMs on a network share are not scanned and cleaned during a scan.

To add a network share:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Expand Security Groups to view the current groups.
3. Click the group to which you want to add a network share.


4. Click Member Management > Add Network Share.The Add Network Share screen appears.

FIGURE 4-10. Add Network Share screen

5. Type a name for the network share.
6. Type the path to the network share. For example, if your VMDK files are located on both \\10.1.1.1\vmdk\winxp and \\10.1.1.1\vmdk\win2003, you could specify \\10.1.1.1\vmdk as your network share.
7. Enter the user name and password for the network share.
8. Click Test Connection to test the network share information you entered.
9. Click Add.

To remove a network share:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Expand Security Groups to view the current groups.
3. Select the group from which you want to remove a network share.
4. In the Members list, select the network share you want to remove.
5. Click Member Management > Remove Network Share.
6. Click OK.


Performing Scans

Before you can perform scans with Core Protection for Virtual Machines, you must perform the following tasks:
• Install the scanning and real-time agents.
• Configure scan settings.

Scan Types

Core Protection for Virtual Machines enables you to perform the following scans:

TABLE 4-1. Scan Types

SCAN TYPE    DESCRIPTION

Scan Now    Performs a full on-demand scan.

QuickScan    Performs a limited scan of the disk based on information from the Windows Registry. QuickScan loads the Registry to identify which files need to be scanned and performs a scan and clean operation on those files. If QuickScan detects malware, it attempts to clean it. If the clean operation is unsuccessful, QuickScan quarantines the file and modifies the Registry accordingly.
Core Protection for Virtual Machines takes the following actions, based on your settings, when it detects malware during a QuickScan:
• If you configured CPVM to perform a full scan when malware is detected, CPVM performs a full scan on the member and logs the event with the following details: malware type, when the malware was detected, and the result of the clean operation or file quarantine.
• If you configured CPVM to simply log the event when malware is detected, CPVM logs the event with the same details: malware type, when the malware was detected, and the result of the clean operation or file quarantine.
Note: QuickScan is allowed only on dormant machines, because it may need to modify the Registry if malware is detected.

Real-time Scan    Runs continuously in the background to monitor all file I/O events, preventing malware files from being copied to or from the server.

Scheduled Scan    Initiates a full scan of the selected members on a set schedule. CPVM performs a full scan of each selected member in turn. Because the CPVM Scanning Agent may be deployed on multiple hosts, multiple scanning agents can perform full scans on different members at the same time.

Note: VirtualCenter periodically sends VC inventory updates to the CPVM Server. If CPVM identifies a new VM that was previously not on its list, it performs a QuickScan on the VM (if the VM is in a dormant state).

For information on configuring scans, see Configuring Scan Settings on page 4-28.

IntelliScan Scan Methods

Rather than relying on the file name alone, Core Protection for Virtual Machines uses IntelliScan to identify the true file type and determine whether the file is a type that Core Protection for Virtual Machines should scan.

True File-type Detection

Using true file-type identification, IntelliScan examines the header of the file first and checks whether the file is an executable, compressed, or other type of file that may be a threat. IntelliScan examines all files to ensure that they were not renamed. The extension must conform to the file's internally registered data type.

For example, Microsoft Word documents are file extension independent. Even if you rename a document from "legal.doc" to "legal.lgl", Word still recognizes and opens the document along with any macro viruses it contains. IntelliScan identifies the file as a Word document regardless of the file extension and scans it accordingly.

File Extension Checking

IntelliScan also uses extension checking, that is, the file name itself. An updated list of extension names is available with each new pattern file. For example, the discovery of a new ".jpg" file vulnerability prompts Trend Micro to add the ".jpg" extension to the extension-checking list in the next pattern update.
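The two IntelliScan methods just described, true file-type detection and extension checking, as an added example that is not part of this guide or of the IntelliScan engine: a Python classifier that identifies a file from its header bytes (MZ/PE, OLE compound document, ZIP container, PDF, ELF, JPEG), scans it when the true type is risky no matter what it is called, and otherwise falls back to an extension list that a later "pattern update" can extend. The magic-byte table, the risky-type set, the extension list and the sample files (including the renamed Word document and the renamed executable) are constructed for this example.

```python
"""True file-type detection versus extension checking (added example)."""
import os
import struct
from collections import namedtuple

# Magic-byte table, constructed for this example from well-known file headers.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip-container"),                       # zip, docx/xlsx, jar
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf-executable"),
    (b"\xff\xd8\xff", "jpeg"),
]

# True types that are scanned regardless of what the file is called.
RISKY_TRUE_TYPES = {"pe-executable", "dos-executable", "elf-executable",
                    "ole-compound", "zip-container", "pdf"}

# Extension list; a pattern update would extend it (see the ".jpg" case below).
DEFAULT_EXTENSIONS = {".exe", ".dll", ".com", ".doc", ".xls", ".ppt", ".zip", ".pdf"}

Decision = namedtuple("Decision", "true_type scan reason")


def true_type(data):
    """Classify a file by its content; returns 'unknown' if no header matches."""
    if data[:2] == b"MZ":
        # An MZ stub can be plain DOS or carry a PE header at e_lfanew (offset 0x3c).
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def scan_decision(filename, data, extensions=DEFAULT_EXTENSIONS):
    """Decide whether to scan: by true type first, then by the extension list."""
    kind = true_type(data)
    ext = os.path.splitext(filename)[1].lower()
    if kind in RISKY_TRUE_TYPES:
        return Decision(kind, True, "true-type")
    if ext in extensions:
        return Decision(kind, True, "extension")
    return Decision(kind, False, "skipped")


def make_pe_stub():
    """Constructed minimal MZ+PE header; it is not a runnable program."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3c, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


# Constructed samples: file name -> content.
SAMPLES = {
    "legal.lgl": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # renamed Word document
    "notes.txt": b"meeting notes, nothing executable\n",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "setup.dat": make_pe_stub(),                                        # renamed executable
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, scan_decision(name, content))
    # After a (constructed) pattern update that adds .jpg to the extension list:
    updated = DEFAULT_EXTENSIONS | {".jpg"}
    print("photo.jpg", scan_decision("photo.jpg", SAMPLES["photo.jpg"], updated))
```

The renamed Word document ("legal.lgl") and the renamed executable ("setup.dat") are both caught by their headers, while the JPEG is skipped until the extension list is extended, which is the ordering the text describes: content first, file name second.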

Scan Agents

CPVM provides two agents for performing scanning tasks:
• Real-time Agent
• Scanning Agent


Real-time Agent

The Real-time Agent provides real-time protection for live members. The Real-time Agent does not perform full scans. It provides the following protection:
• Performs pattern signature and engine updates based on your specified schedule or when it receives a specific notification from the CPVM server.
• Monitors disk I/O and protects the files being written to.
• When the CPVM Scanning Agent performs a full scan of the live member and finds malware, it notifies the CPVM Server. The CPVM Server informs the Real-time Agent and requests that the virus be cleaned or the files quarantined. When the action is complete, the Real-time Agent informs the server of the result (success or failure).

Note: If the Real-time Agent cannot see the virus (for example, a rootkit), the agent sends a failure event to the CPVM Server as an error. You will then need to turn the member off and perform a full scan and clean while the member is dormant. If you have not installed the Real-time Agent in a live member because an instance of ServerProtect, OfficeScan, or another vendor's product is running in it, cleaning is not an option, and the CPVM Server sends an event informing the administrator to take appropriate action.

CPVM Scanning Agent

The CPVM Scanning Agent is a service that runs on a host and scans dormant or live virtual machines as specified by the schedule and policy set on the Core Protection for Virtual Machines Server. The schedule and the policies are pushed to each of the Scanning Agent servers by the Core Protection for Virtual Machines Server.

Initiating a QuickScan

A QuickScan performs a limited scan of the disk based on information from the Windows Registry. QuickScan loads the Registry to identify which files need to be scanned and performs a scan and clean operation on those files. If malware is detected, QuickScan attempts to clean the malware. If the clean operation fails, QuickScan quarantines the file and modifies the Registry accordingly. A QuickScan scans only dormant VMs.


The Core Protection for Virtual Machines server receives updates to the VC inventory periodically from the VirtualCenter. If the server identifies a new VM that was previously not on its list, the server performs a QuickScan on the new VM if it is in dormant state.

Note: To avoid performance impact on your network, the scan progress is updated every 60 seconds and may not immediately reflect the actual scan progress. To see the actual scan progress, click Refresh to refresh the screen.

To initiate a QuickScan:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

Note: To change the pre-configured QuickScan settings before initiating the scan, click Settings > QuickScan Settings and modify settings as needed.


2. Click Tasks > QuickScan Now.

The QuickScan Now screen appears.

FIGURE 4-11. QuickScan Now screen

3. Select the members to scan and click Initiate QuickScan Now. The server notifies the scanning agents for that group to perform a scan on those members.

4. On the Security Management screen, verify the scan status of member machines.

Note: If you select multiple members to scan and then stop the scan, scans for all members that are still in a Pending or Scanning state are aborted. Their scan progress displays as 0 and scan status displays as "Stopped."


Initiating Scan Now

In addition to turning on Real-time Scan and configuring Scheduled Scan, Trend Micro recommends initiating Scan Now on members that you suspect are infected.

To perform a Scan Now:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

Note: To change the pre-configured Scan Now settings before initiating the scan, click Settings > Scan Now settings. The Scan Now Settings screen opens so you can make changes.

2. Click Tasks > Scan Now.
The Scan Now screen appears.

FIGURE 4-12. Scan Now screen

3. Select the target members to scan. Use the Search box to search for a specific member.


4. Click Initiate Scan Now. The server notifies the Scanning Agent in that group to perform a scan on the target members.

5. For members already in the process of scanning, click Stop Scan Now if you want them to stop scanning.

Note: Stop Scan Now does not terminate the scan for a member (VM or network share) whose scan status is Pending.

Installing the Real-time Agent

To install the Real-time Agent:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Under Security Groups, click the group that has members on which to install the Real-time Agent.

3. Select one or more members on which you want to install the Real-time Agent.

Note: The members you select must be online and connected. The members cannot already have a Real-time Agent installed and cannot be a network share.


4. Click Install > Install Real-time Agent.
The Install Real-time Agent screen appears.

FIGURE 4-13. Install Real-time Agent screen

5. Enter the user name and password. The account must have administrator privileges on the target VMs.

6. Click Install.

Installing the Scanning Agent

To install the Scanning Agent:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Under Security Groups, click the group that has the members on which to install the Scanning Agent.

3. Select one or more members on which to install the Scanning Agent.

Note: The members you select must be online and connected. They cannot be members that already have the Scanning Agent installed and cannot be a network share.


4. Click Install > Install Scanning Agent.
The Install Scanning Agent screen appears.

FIGURE 4-14. Install Scanning Agent screen

5. Enter the user name and password. The account must have administrator privileges on the target VMs.

6. Click Install.

Uninstalling Agents

To uninstall agents:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Under Security Groups, click the group that has the members from which to uninstall the agent.

Note: The members you select must have the same type of agents, either all Scanning Agents (SA) or all Real-time Agents (RTA). You cannot uninstall a mixed group that includes both SAs and RTAs.


3. Click Install > Uninstall Agent.

FIGURE 4-15. Uninstall Agent screen

4. Enter the user name and password. The account must have administrator privileges on the target VMs.

5. Click Uninstall.

Upgrading Agents

Note: To upgrade agents, you must have administrator privileges on the target VMs and the VMs must all have the same username and password.

To upgrade agents:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Under Security Groups, select the group that has the members to be upgraded.


3. Select the members that contain the agent to be upgraded.

Note: The members you select must have the same type of agents, either all Scanning Agents (SA) or all Real-time Agents (RTA). You cannot upgrade a mixed group that includes both SAs and RTAs.

4. Click Install > Upgrade Agent.

The Upgrade Agent screen appears.

FIGURE 4-16. Upgrade Agent screen

5. Enter the Username and Password for the target VMs.

6. Click Upgrade.

A system message appears, "Upgrade Agent installation is initiated in the selected machine(s)."


Enabling and Disabling the Scanning Agent

You can enable or disable the Scanning Agent for any member in your Core Protection for Virtual Machines environment. For example, you can disable scanning prior to virtual infrastructure maintenance.

To enable the scanning agent:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Select the group that has the machines on which to enable the Scanning Agent.

3. Select the machines on which to enable the Scanning Agent.

4. From the Settings menu, select Enable Scanning Agent.

The Enable Scanning Agent screen appears.

FIGURE 4-17. Enable Scanning Agent screen

5. Enter your user name and password.

6. Click Enable.

To disable the Scanning Agent:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Select the group that has the machines on which to disable the Scanning Agent.

3. Select the members on which to disable the Scanning Agent.


4. From the Settings menu, select Disable Scanning Agent.

The Disable Scanning Agent screen appears.

FIGURE 4-18. Disable Scanning Agent screen

5. Enter your user name and password.

6. Click Disable.

Configuring Scan Settings

Core Protection for Virtual Machines provides a number of options for scanning members in a group. You can perform a full scan at any time, or perform a limited scan of the disk based on information from the Windows Registry. You can also configure a Real-time Scan or a Scheduled Scan. Scan actions you can take on groups include:
• QuickScan settings
• Real-time Scan settings
• Scheduled Scan settings
• Scan Now settings

You can set Scan settings at the group level and member level. Group level settings represent all generic settings that apply to all members within a group. Member level settings override specific settings defined at the group level.

You can only set a scan schedule at the group level. All members within that group are scanned according to the schedule of the Scanning Agents within that group.


Scan exclusion settings are global. If scan exclusion settings are defined for one type of scan, such as Real-time Scans, they are automatically applied to all other types of scans.

ActiveAction versus Manual Settings

ActiveAction is a set of pre-configured scan actions for specific types of viruses and malware. Trend Micro recommends using ActiveAction if you are not sure which scan action is suitable for each type of virus and malware. With ActiveAction, you do not have to spend time customizing the scan actions.

The following table illustrates how ActiveAction handles each type of virus/malware.

TABLE 4-1. ActiveAction Virus/malware Handling

VIRUS/MALWARE TYPE   REAL-TIME SCAN                  MANUAL SCAN/SCHEDULED SCAN/SCAN NOW
                     FIRST ACTION   SECOND ACTION    FIRST ACTION   SECOND ACTION
Joke                 Quarantine     N/A              Quarantine     N/A
Virus                Clean          Quarantine       Clean          Quarantine
Test Virus           Pass           N/A              Pass           N/A
Packer               Quarantine     N/A              Quarantine     N/A
Others               Clean          Quarantine       Clean          Quarantine
Generic              Pass           N/A              Pass           N/A

Configuring QuickScan Settings

To configure a QuickScan, specify the scan targets and the actions to take when security risks are encountered.


To configure a QuickScan:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Expand Security Groups to view the current groups.

3. Click the group for which to configure QuickScan Settings.

4. Click Settings > QuickScan Settings.

The QuickScan Settings screen appears.

FIGURE 4-19. QuickScan Target tab

5. On the Target tab, select whether to initiate a QuickScan when a new virtual machine is added.

6. Click Save.


7. Click the Action tab.

FIGURE 4-20. QuickScan Action tab

8. Specify virus/malware scan actions, either using ActiveAction or manually selecting an action for each virus/malware type. Use ActiveAction if you are unsure how to handle the different virus types. If you know which scan actions are suitable for each type of virus/malware, you can set the following actions, as appropriate.

For Virus/Malware, select from the following actions:

TABLE 4-2. Virus/Malware Scan Actions

SCAN ACTION   DESCRIPTION
Delete        Deletes an infected file.
Quarantine    Moves an infected file to the member’s quarantine directory found in {Core Protection for Virtual Machines member folder}\Virus. The default quarantine directory is {Core Protection for Virtual Machines server folder}\Virus, which you can change by going to Security Management > (Group Name) > Settings > {Scan Type} > Action tab.
Clean         Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file.
              Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Rename        Changes the infected file’s extension to "vir". Users cannot open the file initially, but can do so if they associate the file with a certain application. A virus/malware may execute when opening the renamed infected file.
Pass          Enables full access to the infected file without doing anything to the file. A user may copy/delete/open the file. If you select Pass, you may allow a VM to become infected.

For Spyware/Grayware, select from the following actions:

TABLE 4-3. Spyware/Grayware Scan Actions

SCAN ACTION   DESCRIPTION
Delete        Deletes an infected file.
Clean         Terminates processes or deletes registries, files, cookies and shortcuts.
              Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Pass          Logs the spyware/grayware detection for assessment.
              WARNING! If you select Pass, you may allow a VM to become infected.

9. Type a Quarantine Directory, if you want to specify a different virus/malware quarantine directory. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Use an absolute file path format for the quarantine directory, such as C:\temp.

WARNING! If you specify an incorrect quarantine directory, the CPVM client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the virus/malware logs of the server, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

10. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.

11. Select whether to perform a full scan when malware is detected.

12. Click Save.


Configuring Real-time Scan Settings

To configure a Real-time Scan, specify the scan targets and the actions to take when security risks are encountered.

To configure a Real-time Scan:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Under Security Groups, click the group to configure.

3. Click Settings > Real-time Scan Settings.

The Real-time Scan Settings screen appears.

FIGURE 4-21. Real-time Scan Target tab


4. On the Target tab, configure the scan target. Select whether to Enable Real-time scan for virus/malware.

5. Select the files to scan based on user activity. The following table shows what Real-time Scan does for each option.

TABLE 4-2. User Actions

ACTIVITY: Open a read-only file
• If the option selected is Scan files being created/modified: Real-time Scan does not scan the file.
• If the option selected is Scan files being retrieved: Real-time Scan scans the file.
• If the option selected is Scan files being created/modified and retrieved: Real-time Scan scans the file.

ACTIVITY: Copy or move a file from a directory excluded from scanning
• If the option selected is Scan files being created/modified: Real-time Scan scans the file in the destination directory (if CPVM does not exclude this directory from scanning).
• If the option selected is Scan files being retrieved: Real-time Scan does not scan the file in the destination directory.
• If the option selected is Scan files being created/modified and retrieved: Real-time Scan scans the file in the destination directory (if CPVM does not exclude this directory from scanning).

6. Select the Files to Scan. If you choose to scan files based on extensions, add or delete extensions from the default set of extensions. Use a comma to separate entries.

Note: To learn more about IntelliScan, see IntelliScan Scan Methods on page 4-17.

7. Select additional settings under Scan Settings. Specify any directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.

Tip: You can also use * as a wildcard when specifying extensions.

There are some Trend Micro product directories that you need to manually add to the scan exclusion list. To exclude these directories, select Exclude directories where Trend Micro products are installed.

8. Click Save.

9. Click the Action tab.

FIGURE 4-22. Real-time Scan Action tab

10. Specify virus/malware scan actions, either using ActiveAction or manually selecting an action for each virus/malware type. Use ActiveAction if you are unsure how to handle the different virus types. If you know which scan actions are suitable for each type of virus/malware, you can set the following actions, as appropriate.

For Virus/Malware, select from the following actions:

TABLE 4-4. Virus/Malware Scan Actions

SCAN ACTION   DESCRIPTION
Delete        Deletes an infected file.
Quarantine    Moves an infected file to the member’s quarantine directory found in {Core Protection for Virtual Machines member folder}\Virus. The default quarantine directory is {Core Protection for Virtual Machines server folder}\Virus, which you can change by going to Security Management > (Group Name) > Settings > {Scan Type} > Action tab.
Clean         Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file.
              Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Rename        Changes the infected file’s extension to "vir". Users cannot open the file initially, but can do so if they associate the file with a certain application. A virus/malware may execute when opening the renamed infected file.
Pass          Enables full access to the infected file without doing anything to the file. A user may copy/delete/open the file. If you select Pass, you may allow a VM to become infected.

For Spyware/Grayware, select from the following actions:

TABLE 4-5. Spyware/Grayware Scan Actions

SCAN ACTION   DESCRIPTION
Delete        Deletes an infected file.
Clean         Terminates processes or deletes registries, files, cookies and shortcuts.
              Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Pass          Logs the spyware/grayware detection for assessment.
              WARNING! If you select Pass, you may allow a VM to become infected.

11. Type a Quarantine Directory, if you want to specify a different virus/malware quarantine directory. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Use an absolute file path format for the quarantine directory, such as C:\temp.

WARNING! If you specify an incorrect quarantine directory, the CPVM client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the virus/malware logs of the server, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

12. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.

13. Click Save.
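The Target-tab settings in steps 5 to 7 (the comma-separated Files to Scan list, the exclusion list with its 256-entry limit and * wildcard, and the user-activity option from the User Actions table) combine to decide whether Real-time Scan looks at a given file. The following is an added example that models that decision; it is not Trend Micro code. The function names, the convention used to tell directory entries from file and extension entries (a trailing backslash marks a directory, any other entry containing a backslash is one file, the rest are extension patterns) and the sample entries are assumptions. The same Files to Scan and exclusion settings appear again in the Scheduled Scan and Scan Now procedures below, so the parsing part applies there too.

```python
"""Added example, not Trend Micro code: models how the Real-time Scan
Target-tab settings decide whether a file event is scanned. Function names,
the entry-classification convention and the sample entries are assumptions."""

import fnmatch
import ntpath
from typing import Iterable, List, Optional

MAX_EXCLUSIONS = 256   # directories + files + extensions, the limit the guide states


def parse_list(text: str) -> List[str]:
    """Split a comma-separated settings field; trims blanks, lower-cases
    (Windows paths are case-insensitive), drops duplicates and a leading dot."""
    entries: List[str] = []
    for item in text.split(","):
        item = item.strip().lower()
        if "\\" not in item:          # extension entry: ".tmp" and "tmp" are the same
            item = item.lstrip(".")
        if item and item not in entries:
            entries.append(item)
    return entries


def exclusions_within_limit(text: str) -> bool:
    return len(parse_list(text)) <= MAX_EXCLUSIONS


def parse_exclusions(text: str) -> List[str]:
    if not exclusions_within_limit(text):
        raise ValueError(f"more than {MAX_EXCLUSIONS} exclusion entries")
    return parse_list(text)


def _extension(path: str) -> str:
    return ntpath.splitext(path)[1].lstrip(".").lower()


def is_excluded(path: str, exclusions: Iterable[str]) -> bool:
    """Assumed convention: an entry ending in '\\' is a directory (covering
    its subdirectories), another entry containing '\\' is a single file,
    and anything else is an extension pattern where '*' is a wildcard."""
    p = path.lower()
    ext = _extension(p)
    for entry in exclusions:
        if entry.endswith("\\"):
            if p.startswith(entry):
                return True
        elif "\\" in entry:
            if p == entry:
                return True
        elif fnmatch.fnmatchcase(ext, entry):
            return True
    return False


def in_scan_scope(path: str, scan_extensions: Optional[List[str]],
                  exclusions: Iterable[str]) -> bool:
    """True when the file is not excluded and its extension is on the
    Files to Scan list (None means every file is scanned)."""
    if is_excluded(path, exclusions):
        return False
    if scan_extensions is None:
        return True
    ext = _extension(path)
    return any(fnmatch.fnmatchcase(ext, pat) for pat in scan_extensions)


def realtime_scans(activity: str, option: str, path: str, dest: Optional[str] = None,
                   scan_extensions: Optional[List[str]] = None,
                   exclusions: Iterable[str] = ()) -> bool:
    """Apply the User Actions table.
    activity: "open_readonly" or "copy_from_excluded"  (the two rows)
    option:   "create_modify", "retrieve" or "both"    (the three columns)
    """
    if activity == "open_readonly":
        # Opening a file is a retrieval, so only the retrieve options scan it.
        return option in ("retrieve", "both") and in_scan_scope(path, scan_extensions, exclusions)
    if activity == "copy_from_excluded":
        # The copy is a newly created file in the destination: scanned only when
        # creations are scanned and the destination itself is not excluded.
        return option in ("create_modify", "both") and in_scan_scope(dest, scan_extensions, exclusions)
    raise ValueError(f"unknown activity {activity!r}")


if __name__ == "__main__":
    # Constructed sample settings, not defaults from the product.
    excl = parse_exclusions(r"C:\Program Files\Trend Micro\, C:\Temp\notes.txt, .tmp, lo*")
    exts = parse_list("exe, dll, doc*")
    print(realtime_scans("open_readonly", "retrieve", r"D:\a.exe", scan_extensions=exts, exclusions=excl))
    print(realtime_scans("copy_from_excluded", "retrieve", r"C:\Program Files\Trend Micro\t.exe",
                         dest=r"D:\t.exe", scan_extensions=exts, exclusions=excl))
```

Note that the extension wildcard is applied to the extension alone, so an entry such as lo* excludes .log and .lock but never a directory whose name happens to begin with "lo".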


Configuring Scheduled Scan Settings

To configure a Scheduled Scan, specify the scan targets and the actions to take when security risks are encountered.

Note: The schedule can only be set at the group level. The scanning agents scan all members within that group according to the group schedule.

To configure a Scheduled Scan:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Under Security Groups, click the group to configure.

3. Click Settings > Scheduled Scan Settings.

The Scheduled Scan Settings screen appears.

FIGURE 4-23. Scheduled Scan Target tab


4. On the Target tab, configure a schedule for the scan.

5. Select the Files to Scan. If you choose to scan files based on extensions, add or delete extensions from the default set of extensions. Use a comma to separate entries.

Note: To learn more about IntelliScan, see IntelliScan Scan Methods on page 4-17.

6. Select additional settings under Scan Settings. Specify any directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.

Tip: You can also use * as a wildcard when specifying extensions.

There are some Trend Micro product directories that you need to manually add to the scan exclusion list. To exclude these directories, select Exclude directories where Trend Micro products are installed.

7. Click Save.


8. Click the Action tab.

FIGURE 4-24. Configure Scheduled Scan Action tab

9. Specify virus/malware scan actions, either using ActiveAction or manually selecting an action for each virus/malware type. Use ActiveAction if you are unsure how to handle the different virus types. If you know which scan actions are suitable for each type of virus/malware, you can set the following actions, as appropriate.

For Virus/Malware, select from the following actions:

TABLE 4-6. Virus/Malware Scan Actions

SCAN ACTION   DESCRIPTION
Delete        Deletes an infected file.
Quarantine    Moves an infected file to the member’s quarantine directory found in {Core Protection for Virtual Machines member folder}\Virus. The default quarantine directory is {Core Protection for Virtual Machines server folder}\Virus, which you can change by going to Security Management > (Group Name) > Settings > {Scan Type} > Action tab.
Clean         Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file.
              Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Rename        Changes the infected file’s extension to "vir". Users cannot open the file initially, but can do so if they associate the file with a certain application. A virus/malware may execute when opening the renamed infected file.
Pass          Enables full access to the infected file without doing anything to the file. A user may copy/delete/open the file. If you select Pass, you may allow a VM to become infected.

For Spyware/Grayware, select from the following actions:

TABLE 4-7. Spyware/Grayware Scan Actions

SCAN ACTION   DESCRIPTION
Delete        Deletes an infected file.
Clean         Terminates processes or deletes registries, files, cookies and shortcuts.
              Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Pass          Logs the spyware/grayware detection for assessment.
              WARNING! If you select Pass, you may allow a VM to become infected.

10. Type a Quarantine Directory, if you want to specify a different virus/malware quarantine directory. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Use an absolute file path format for the quarantine directory, such as C:\temp.

WARNING! If you specify an incorrect quarantine directory, the CPVM client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the virus/malware logs of the server, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

11. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.

12. Click Save.


Configuring Scan Now Settings

To configure a Scan Now, specify the scan targets and the actions to take when security risks are encountered.

To configure a Scan Now:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Under Security Groups, click the group you want to configure.

3. Click Settings > Scan Now Settings.

The Scan Now Settings screen appears.

FIGURE 4-25. Configure Scan Now Target tab

4. Select the Files to Scan. If you choose to scan files based on extensions, add or delete extensions from the default set of extensions. Use a comma to separate entries.

Note: To learn more about IntelliScan, see IntelliScan Scan Methods on page 4-17.


5. Select additional settings under Scan Settings. Specify any directories, files, or file extensions to exclude from scanning. You can specify a maximum of 256 directories, files and file extensions.

Tip: You can also use * as a wildcard when specifying extensions.

There are some Trend Micro product directories that you need to manually add to the scan exclusion list. To exclude these directories, select Exclude directories where Trend Micro products are installed.

6. Click Save.

7. Click the Action tab.

FIGURE 4-26. Configure Scan Now Action tab

8. Specify virus/malware scan actions, either using ActiveAction or manually selecting an action for each virus/malware type. Use ActiveAction if you are unsure how to handle the different virus types. If you know which scan actions are suitable for each type of virus/malware, you can set the following actions, as appropriate.

For Virus/Malware, select from the following actions:

TABLE 4-8. Virus/Malware Scan Actions

SCAN ACTION   DESCRIPTION
Delete        Deletes an infected file.
Quarantine    Moves an infected file to the member’s quarantine directory found in {Core Protection for Virtual Machines member folder}\Virus. The default quarantine directory is {Core Protection for Virtual Machines server folder}\Virus, which you can change by going to Security Management > (Group Name) > Settings > {Scan Type} > Action tab.
Clean         Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file.
              Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Rename        Changes the infected file’s extension to "vir". Users cannot open the file initially, but can do so if they associate the file with a certain application. A virus/malware may execute when opening the renamed infected file.
Pass          Enables full access to the infected file without doing anything to the file. A user may copy/delete/open the file. If you select Pass, you may allow a VM to become infected.

For Spyware/Grayware, select from the following actions:

TABLE 4-9. Spyware/Grayware Scan Actions

SCAN ACTION   DESCRIPTION
Delete        Deletes an infected file.
Clean         Terminates processes or deletes registries, files, cookies and shortcuts.
              Note: If you manually select a scan action and select Clean, you must specify a second action for CPVM to take if cleaning fails.
Pass          Logs the spyware/grayware detection for assessment.
              WARNING! If you select Pass, you may allow a VM to become infected.

9. Type a Quarantine Directory, if you want to specify a different virus/malware quarantine directory. Core Protection for Virtual Machines stores quarantined files local to the member on which the virus was found. Use an absolute file path format for the quarantine directory, such as C:\temp.

WARNING! If you specify an incorrect quarantine directory, the CPVM client keeps the files in the \Virus folder until a correct quarantine directory is specified. In the virus/malware logs of the server, the scan result is "Unable to send the quarantined file to the designated quarantine folder."

10. Trend Micro recommends that you back up files before cleaning them. The backup directory on the member is C:\Program Files\Trend Micro\CPVM\Quarantine. Backup files are stored in the quarantine directory so that all files are stored in a single location.

11. Click Save.


Viewing and Managing Logs

Core Protection for Virtual Machines enables you to view and delete virus/malware and spyware/grayware logs.

To view Virus/Malware logs:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Expand Security Groups and click the group whose logs you want to view.

3. Select the members whose logs you want to view.

4. Click Logs > Virus/Malware Logs.

The Virus/Malware Log Criteria screen appears.

FIGURE 4-27. Virus/Malware Log Criteria screen

5. Specify the Time Period. If you select a range of dates, set the From and To dates (start date and end dates) for the logs.


Note: If you select a range and leave the From field blank, CPVM includes all logs from the earliest date. If you select a range and leave the To field blank, CPVM includes all logs up to the present date.

6. Specify the Scan Type for the logs and click Display Logs.

To view the Spyware/Grayware logs:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Expand Security Groups and click the group whose logs you want to view.

3. Select the members whose logs you want to view.


4. Click Logs > Virus/Malware Logs. The Spyware/Grayware Log Criteria screen appears.

FIGURE 4-28. Spyware/Grayware Log Criteria screen

5. Specify the Time Period.

Note: If you select a range of dates and leave the From date blank, CPVM includes all logs from the earliest date. If you leave the To field blank, CPVM includes all logs up to the present date.

6. Click Display Logs.


Manually Deleting Logs

You can specify a schedule for deleting logs. You can specify which logs to delete, and whether to delete them daily, weekly, or monthly.

To manually delete logs:

1. On the Core Protection for Virtual Machines navigation bar, click Security Management.

2. Expand Security Groups and click the group to delete logs for.

3. Click Logs > Delete Logs.

The Log Maintenance screen appears.

FIGURE 4-29. Log Maintenance screen

4. Select the Log Types to Delete. Other logs deletes the server logs.

5. Choose whether to delete all selected logs or only logs older than the specified number of days.

6. Click Delete.


Chapter 5

Updating Components

The Updates screens enable you to schedule, perform and rollback component updates.

Topics in this chapter:
• Components on page 5-2
• Viewing an Update Summary on page 5-5
• Configuring Scheduled Server Updates on page 5-8
• Performing a Manual Server Update on page 5-9
• Specifying a Server Update Source on page 5-10
• Configuring Automatic Member Updates on page 5-12
• Performing Manual Member Updates on page 5-14
• Rolling Back Updates on page 5-15


Trend Micro™ Core Protection for Virtual Machines Administrator’s Guide

Components

The following are the Core Protection for Virtual Machines components.

Antivirus

Virus Pattern: A file that helps Core Protection for Virtual Machines identify virus signatures, unique patterns of bits and bytes that signal the presence of a virus.

Virus Scan Engine: The engine that scans for and takes appropriate action on viruses/malware; supports 32-bit and 64-bit platforms.

Note: You can roll back both the Virus Pattern and Virus Scan Engine.

Anti-spyware

Spyware Pattern: The file that identifies spyware/grayware in files and programs, modules in memory, Windows registry and URL shortcuts.

Spyware Scan Engine: The engine that scans for and takes appropriate action on spyware/grayware; supports 32-bit and 64-bit platforms.

Component Duplication

When the latest version of a full pattern file is available for download from the Trend Micro ActiveUpdate server, fourteen "incremental patterns" also become available.

The Core Protection for Virtual Machines server compares its current full pattern version with the latest version on the ActiveUpdate server. If the difference between the two versions is 14 or less, the server only downloads the incremental pattern that accounts for the difference between the two versions.

Incremental patterns are smaller versions of the full pattern file that account for the difference between the latest and previous full pattern file versions. For example, if the latest version is 175, incremental pattern v_173.175 contains signatures in version 175 not found in version 173. Version 173 is the previous full pattern version since pattern numbers are released in increments of 2. Incremental pattern v_171.175 contains signatures in version 175 not found in version 171.


To reduce network traffic generated when downloading the latest pattern, Core Protection for Virtual Machines performs component duplication, a component update method where the Core Protection for Virtual Machines server or Update Agent downloads only incremental patterns.

Component duplication applies to both virus and spyware patterns.

Updating a component as soon as a new version is available reduces the impact of component duplication on server performance. Therefore, ensure that you download components regularly.

To help explain component duplication for the server, refer to the following scenario:
• Full patterns on the Core Protection for Virtual Machines Server
  • Current version: 171
  • Other versions available: 169 167 165 163 161 159
• Latest version on the ActiveUpdate server
  • Full pattern version: 175
  • Incremental patterns: 173.175 171.175 169.175 167.175 165.175 163.175 161.175 159.175 157.175 155.175 153.175 151.175 149.175 147.175

Component duplication process for the Core Protection for Virtual Machines server

1. The Core Protection for Virtual Machines server compares its current full pattern version (171) with the latest version (175) on the ActiveUpdate server. If the difference between the two versions is 14 or less, the server only downloads the incremental pattern that accounts for the difference between the two versions.

Note: If the difference is more than 14, the server automatically downloads the full version of the pattern file and 14 incremental patterns.

To illustrate based on the example:
• The difference between versions 171 and 175 is 2. In other words, the server does not have versions 173 and 175.
• The server downloads incremental pattern 171.175. This incremental pattern accounts for the difference between versions 171 and 175.

2. The server merges the incremental pattern with its current full pattern to generate the latest full pattern.

To illustrate based on the example:
• On the server, Core Protection for Virtual Machines merges version 171 with incremental pattern 171.175 to generate version 175.
• The server has 1 incremental pattern (171.175) and the latest full pattern (version 175).

3. The server generates incremental patterns based on the other full patterns available on the server. If the server does not generate these incremental patterns, clients that missed downloading earlier incremental patterns automatically download the full pattern file, which will consequently generate more network traffic.

To illustrate based on the example:
• Because the server has pattern versions 169, 167, 165, 163, 161, 159, it can generate the following incremental patterns: 169.175 167.175 165.175 163.175 161.175 159.175
• The server does not need to use version 171 because it already has the incremental pattern 171.175.
• The server now has 7 incremental patterns: 171.175 169.175 167.175 165.175 163.175 161.175 159.175
• The server keeps the last 7 full pattern versions (versions 175, 171, 169, 167, 165, 163, 161). It removes any older version (version 159).


4. The server compares its current incremental patterns with the incremental patterns available on the ActiveUpdate server. The server downloads the incremental patterns it does not have.

To illustrate based on the example:
• The ActiveUpdate server has 14 incremental patterns: 173.175 171.175 169.175 167.175 165.175 163.175 161.175 159.175 157.175 155.175 153.175 151.175 149.175 147.175
• The Core Protection for Virtual Machines server has 7 incremental patterns: 171.175 169.175 167.175 165.175 163.175 161.175 159.175
• The Core Protection for Virtual Machines server downloads an additional 7 incremental patterns: 173.175 157.175 155.175 153.175 151.175 149.175 147.175
• The server now has all the incremental patterns available on the ActiveUpdate server.

5. The latest full pattern and the 14 incremental patterns are made available to clients.
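The five-step process above, as an added runnable simulation (not Trend Micro code): the function names, the returned structure and the server snapshot used at the bottom are assumptions for illustration; the rules themselves are the ones the text states (14 incrementals ship with each full pattern, pattern numbers step by 2, a server 14 releases behind or fewer fetches only the covering incremental, and the server retains its last 7 full patterns). It also covers the Note's case of a server more than 14 releases behind, which the worked scenario does not show.

```python
"""Added example, not Trend Micro code: simulates the component duplication
process for the CPVM server. Function names, the returned dictionary and the
sample server snapshot are assumptions; the rules come from the guide."""

from typing import Dict, List

INCREMENTAL_COUNT = 14   # incrementals published with each full pattern
KEEP_FULL_VERSIONS = 7   # full pattern versions the server retains
VERSION_STEP = 2         # pattern numbers are released in increments of 2


def incremental_name(old: int, new: int) -> str:
    """Name an incremental the way the guide does, e.g. 171.175."""
    return f"{old}.{new}"


def published_incrementals(latest: int) -> List[str]:
    """The 14 incrementals that accompany full pattern `latest` on ActiveUpdate."""
    return [incremental_name(latest - VERSION_STEP * i, latest)
            for i in range(1, INCREMENTAL_COUNT + 1)]


def plan_server_update(server_full: List[int], latest: int) -> Dict[str, object]:
    """Walk a server holding full patterns `server_full` through steps 1-5
    when ActiveUpdate publishes full pattern `latest`."""
    server_full = sorted(server_full, reverse=True)
    current = server_full[0]
    available = published_incrementals(latest)
    releases_behind = (latest - current) // VERSION_STEP

    # Step 1: the covering incremental if 14 releases behind or fewer,
    # otherwise the full pattern plus all 14 incrementals (the Note's case).
    full_download = releases_behind > INCREMENTAL_COUNT
    if full_download:
        first_downloads = [f"full:{latest}"] + available
    else:
        first_downloads = [incremental_name(current, latest)]

    # Step 2: merge (or simply install) to obtain the latest full pattern.
    full_versions = [latest] + server_full
    incrementals = {name for name in first_downloads if not name.startswith("full:")}

    # Step 3: generate incrementals from the other full patterns the server
    # holds (current.latest is already present, so adding it again is a
    # no-op), then retain only the last 7 full patterns.
    for version in server_full:
        incrementals.add(incremental_name(version, latest))
    removed = full_versions[KEEP_FULL_VERSIONS:]
    full_versions = full_versions[:KEEP_FULL_VERSIONS]

    # Step 4: download whichever published incrementals are still missing.
    extra_downloads = [name for name in available if name not in incrementals]
    incrementals.update(extra_downloads)

    # Step 5: clients can now get the latest full pattern and all 14 incrementals.
    return {
        "full_download": full_download,
        "first_downloads": first_downloads,
        "extra_downloads": extra_downloads,
        "full_versions": full_versions,
        "removed": removed,
        "incrementals": sorted(incrementals, key=lambda n: -int(n.split(".")[0])),
        "clients_get_all_14": all(name in incrementals for name in available),
    }


if __name__ == "__main__":
    # Constructed snapshot matching the guide's scenario: server at 171 with
    # six older full patterns, ActiveUpdate at 175.
    plan = plan_server_update([171, 169, 167, 165, 163, 161, 159], 175)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Running the guide's scenario yields one initial download (171.175), seven generated incrementals, seven further downloads (173.175 and 157.175 down to 147.175), retained full patterns 175 through 161 with 159 removed, and all 14 incrementals available to clients, matching the walk-through above.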

Viewing an Update Summary

The Update Summary screen displays the overall component update status. You can view the following information for each component:
• Current version
• Date and time of latest update
• Number of members with updated components
• Number of members with outdated components
• Total members, members online, and members offline

Tip: Refresh the page periodically for an accurate picture of your component update status.



To view the update summary:

1. On the Core Protection for Virtual Machines navigation bar, select Updates > Summary. The Update Summary screen appears.

FIGURE 5-1. Update Summary screen

2. In the Update Status for Members table, view the update status for each component.


3. For each component, you can view its current version and the last update date. You can also view members with out-of-date components. The Update Status for Members pane displays the following current update status for all members in your infrastructure, separated by category:

• Component Version: The current version and date/time of the last update.

• Member Update Status: The total number of members currently online and offline that have been updated, along with those that need to be updated. Click the Offline, Online, or Total value for Outdated Status to go to the Manual Update screen where you can update member components.

4. View update information for the following components:

• Antivirus: Shows the current status of virus pattern and virus scan engine updates for all members in your environment.
  • Virus Pattern
  • Virus Scan Engine (32-bit)
  • Virus Scan Engine (64-bit)

• Anti-spyware: Shows the current status of anti-spyware pattern and scan engine updates for all members in your environment.
  • Spyware Pattern
  • Spyware Scan Engine (32-bit)
  • Spyware Scan Engine (64-bit)


Configuring Scheduled Server Updates

Configure the Core Protection for Virtual Machines server to regularly check its update source and automatically download any available updates. Use automatic scheduled updates for an easy and effective way of ensuring that your protection against security risks is always current.

To configure a server update schedule:

1. On the Core Protection for Virtual Machines navigation bar, click Updates > Scheduled Update.

FIGURE 5-2. Server Scheduled Update screen

2. Select Enable scheduled update of the Core Protection for Virtual Machines server.


3. Specify the update schedule. For daily, weekly and monthly updates, the period of time is the number of hours during which Core Protection for Virtual Machines will perform the update. Core Protection for Virtual Machines performs updates at any given time during this time period.

4. Specify the action to take if the update is unsuccessful.

5. Click Save.

Performing a Manual Server Update

You can perform a manual server update at any time.

To update the server manually:

1. On the Core Protection for Virtual Machines navigation bar, click Updates > Server > Manual Update. The Server Manual Update screen appears.

FIGURE 5-3. Server Manual Update screen


2. To view component details, click in front of Antivirus or Anti-spyware.

3. Click Update. The server downloads the updated components.

Note: If you did not specify a component deployment schedule on the Automatic Update screen, the server downloads the updates but does not deploy them to the members.

Specifying a Server Update Source

There are two events that can trigger members to perform component updates. One is after the server downloads the latest components and the other is when members restart and then connect to the server. To trigger a component update when these events occur, click Updates > Members > Automatic Update and go to the Event-triggered Update section.


To configure the server update source:

1. On the Core Protection for Virtual Machines navigation bar, click Updates > Server > Update Source. The Server Update Source screen appears.

FIGURE 5-4. Server Update Source screen

2. Select the location from which to download component updates. You can choose to download from the Trend Micro ActiveUpdate server, a specific update source, or a location on your company intranet.

3. To use an intranet location containing a copy of the current files, specify the location and credentials for the Server Update source files:

• UNC path: The location where the update files are stored.
• User name: The user name to access the shared folder.
• Password: The password to access the shared folder.
• Domain: The domain where the CPVM server is installed. If in a workgroup, leave this text box empty.
• User name: The user name to access the CPVM server.
• Password: The password to access the CPVM server.


Note: Core Protection for Virtual Machines uses component duplication when downloading components from the update source.

4. Click Save.

Configuring Automatic Member Updates

Trend Micro recommends that you always use automatic update. Automatic update removes the burden of performing manual updates on members and eliminates the risk of members not having up-to-date components.

To configure automatic member updates:

1. On the Core Protection for Virtual Machines navigation bar, click Updates > Automatic Update.

FIGURE 5-5. Automatic Update screen


Note: If the Core Protection for Virtual Machines server is unable to successfully send an update notification to members after it downloads components, it automatically resends the notification after 15 minutes. The server continues to send update notifications up to a maximum of five times until the client responds. If the fifth attempt is unsuccessful, the server stops sending notifications. If you select the option in this screen to update components when members restart and then connect to the server, component update will still proceed.

2. Specify the schedule for performing updates. If you select Daily or Weekly, specify the time of the update and the time period for updating components. For example, if your start time is 12pm and the time period is 2 hours, Core Protection for Virtual Machines will randomly notify all online members to update components between 12pm and 2pm. This setting prevents all online members from simultaneously connecting to the server at the specified start time, significantly reducing the amount of traffic directed to the server. Offline members are not notified. Offline members are updated as part of the scheduled scan process, when they come online, or if you initiate a manual update, whichever takes place first.

3. Click Save.
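As an added illustration (not code from the product), the following Python snippet reproduces the scheduling behaviour described in the Note and in step 2 above: online members are notified at random offsets inside the update window, offline members are skipped, and a member that does not respond is re-notified every 15 minutes up to a total of five attempts. The member names, the fixed random seed and the two simulated members are constructed for the example.

```python
import random
from datetime import datetime, timedelta

RETRY_INTERVAL = timedelta(minutes=15)  # the guide: resend after 15 minutes
MAX_ATTEMPTS = 5                        # the guide: stop after the fifth attempt

# Constructed member inventory (hypothetical names): True = online, False = offline.
MEMBERS = {"web01": True, "db02": False, "app03": True, "app04": True}
START = datetime(2011, 1, 15, 12, 0)    # the guide's example: start 12pm, 2-hour period
PERIOD_HOURS = 2


def notification_times(members, start, period_hours, rng):
    """Spread update notifications for online members uniformly over the update
    window. Offline members are not notified at all; they update later (scheduled
    scan, coming online, or a manual update)."""
    window_seconds = period_hours * 3600
    return {
        name: start + timedelta(seconds=rng.random() * window_seconds)
        for name, online in members.items()
        if online
    }


def all_within_window(plan, start, period_hours):
    """Sanity check: every planned notification falls inside [start, start + period)."""
    end = start + timedelta(hours=period_hours)
    return all(start <= when < end for when in plan.values())


def notify_with_retries(send, first_attempt):
    """Call send(attempt_no, when) until it returns True or MAX_ATTEMPTS have been
    made, 15 minutes apart. Returns (attempt_times, acknowledged)."""
    times = []
    when = first_attempt
    for attempt in range(1, MAX_ATTEMPTS + 1):
        times.append(when)
        if send(attempt, when):
            return times, True
        when += RETRY_INTERVAL
    return times, False


def demo():
    """Plan a run for the constructed inventory with a fixed seed, then simulate one
    member that only acknowledges its third notification and one that never does."""
    plan = notification_times(MEMBERS, START, PERIOD_HOURS, random.Random(2011))
    slow_times, slow_ok = notify_with_retries(lambda n, _: n == 3, plan["web01"])
    dead_times, dead_ok = notify_with_retries(lambda n, _: False, plan["app03"])
    return {
        "notified": sorted(plan),
        "in_window": all_within_window(plan, START, PERIOD_HOURS),
        "slow_attempts": len(slow_times),
        "slow_ok": slow_ok,
        "slow_span_minutes": (slow_times[-1] - slow_times[0]).total_seconds() / 60,
        "dead_attempts": len(dead_times),
        "dead_ok": dead_ok,
        "dead_span_minutes": (dead_times[-1] - dead_times[0]).total_seconds() / 60,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The offline member db02 never appears in the plan; the unresponsive member is given up on after five notifications spread over one hour, exactly the behaviour an administrator should expect to see in the server logs.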


Performing Manual Member Updates

Use the Manual Updates screen to manually update components for members and view the date and time of the last component updates. Members can also update components if you configure automatic component update settings.

To configure manual member updates:

1. On the Core Protection for Virtual Machines navigation bar, click Updates > Manual Updates. The Manual Update (Members) screen appears.

FIGURE 5-6. Manual Update screen


2. Select the target members:

• To update all members with outdated components, select Select members with outdated components.
• To manually select members, search for the members using the Search for members option, or navigate through the Security Groups tree and select each member to update.

3. Click Update. The server starts notifying each member to download updated components.

Rolling Back Updates

Rolling back refers to reverting to the previous version of the Virus Pattern or Virus Scan Engine. If these components do not function properly, roll them back to their previous versions. Core Protection for Virtual Machines retains the current and the previous versions of the Virus Scan Engine and the last five versions of the Virus Pattern.

Note: You can only roll back the Virus Pattern and Virus Scan Engine. When you roll back updates, the rollback applies to all components.

Core Protection for Virtual Machines uses different scan engines for members running 32-bit and 64-bit platforms. You need to roll back these scan engines separately. The rollback procedure for all types of scan engines is the same.


To roll back the Virus Pattern or Virus Scan Engine:

1. On the Core Protection for Virtual Machines navigation bar, click Updates > Rollback. The Rollback screen appears.

FIGURE 5-7. Rollback screen

2. Click next to Antivirus to view the current antivirus component versions and the date and time of the latest update. Select component versions to roll back.

3. Click next to Anti-spyware to view the anti-spyware component versions and the date and time of the latest update. Select component versions to roll back.

4. Click Rollback Member Versions.

5. To cancel the rollback, click Cancel.


Chapter 6

Viewing and Managing Logs

This chapter describes how to get timely information about Core Protection for Virtual Machines activity by generating and viewing logs.

Topics in this chapter:

• Overview on page 6-2
• Logged Actions on page 6-3
• Viewing Member Logs on page 6-6
• Viewing Server Logs on page 6-7
• Viewing Virus/Malware Logs on page 6-8
• Viewing Spyware/Grayware Logs on page 6-9
• Deleting Logs on page 6-11


Overview

Core Protection for Virtual Machines keeps comprehensive logs about security risk detections, events, and updates. Use these logs to assess your organization's protection policies and to identify clients at a higher risk of infection or attack. Also, use these logs to check client-server connections and verify whether the component update is successful.

You can configure, view, and delete the following logs:

TABLE 6-1. Core Protection for Virtual Machines Logs

Component Update: CPVM clients send virus pattern update logs to the server. In the Component Update Progress screen, you can view the number of members updated for every 15-minute interval and the total number of members updated.

Spyware/Grayware: After cleaning spyware/grayware, Core Protection for Virtual Machines clients back up spyware/grayware data, which you can restore at any time if you consider the spyware/grayware safe.

Virus/Malware: Core Protection for Virtual Machines keeps logs of events related to virus/malware, such as a virus detected by a manual scan or a Virtual Center inventory change after a virus is detected by QuickScan.

Server Update: Core Protection for Virtual Machines keeps logs for all events related to component updates on the Core Protection for Virtual Machines server. View the logs to verify that Core Protection for Virtual Machines successfully downloaded the components required to keep your protection current.


Logged Actions

Core Protection for Virtual Machines logs different information depending on the type of log and where the event is logged. Events are logged in server logs, at the Scanning Agent, and at the Real-time Agent.

System Events

Core Protection for Virtual Machines records events related to the server program, such as shutdown and startup. Use these logs to verify that the Core Protection for Virtual Machines server and services work properly. Core Protection for Virtual Machines logs the following events:

• Trend Micro Virtualization Service is started
• Trend Micro Virtualization Service is stopped
• Virus pattern out of date! Expire days
• Scan start and stop times and the number of files scanned


Actions Logged at the Agents

The following member logs are recorded at the Scanning Agent and at the Real-time Agent:

• Member system event log
• Virus/malware
• Spyware/grayware
• Member update

TABLE 6-2.

MEMBER ACTIONS LOGGED AT THE SCANNING AGENT

System event logs:
• Virus pattern out-of-date
• Scheduled purge start/stop
• Real-time Agent service start/stop
• CPVM service start/stop
• Spyware pattern out-of-date
• VC Inventory change (such as add or remove) when a new VM is detected, if QuickScan is enabled and a QuickScan Summary is generated
• Scanning Agent start/stop

Scanning agent logs include the following group level information:
• Scheduled Scan start/stop for a group
• Start/stop for scanning individual VMs within a group
• Information about any files that could not be scanned on the Scanning Agent
• Details about viruses caught in a zip file, if any, on the Scanning Agent

Target VMs in a group include the following:
• Start/stop of Scheduled Scan
• Summary of the number of files scanned, not scanned, and infected
• Information about any files that could not be scanned
• Details about viruses detected in zip files, if any

Member virus/malware logs:
• VC Inventory change (such as add and remove) if a virus is detected by QuickScan
• Virus/spyware detected by a Manual Scan
• Scheduled Scan: an entry for each virus/spyware file that might be detected on individual VMs in the group. There is only one entry for a zip file even if it contains multiple viruses

Spyware/grayware logs:
• VC Inventory change (such as add and remove) if spyware or grayware is detected by QuickScan
• QuickScan (dormant VMs only) if spyware is detected by QuickScan

Member update log: Records all member updates.

MEMBER ACTIONS LOGGED AT THE REAL-TIME AGENT

System event logs:
• Virus pattern out-of-date
• Scheduled Purge start/stop
• Real-time Agent service start/stop
• CPVM service start/stop (Real-time Agent start/stop)
• Virus/spyware caught by Real-time Scan; logs details about viruses caught in a zip file, if any

Member virus/malware log:
• Manual Scan if virus/spyware is detected by a manual scan
• Scheduled Scan logs an entry for each virus/spyware file that might be detected. There is only one entry for a zip file even if it contains multiple viruses
• Real-time Scan logs details about viruses detected in a zip file, if any

Member update logs: Records all member updates.

Viewing Member Logs

To view member logs:

1. From the left navigation bar, click Logs > Member Logs.

The Security Risk Logs for Members page appears.

FIGURE 6-1 Security Risk Logs for Members page

2. Expand Security Groups and click the group that the member belongs to.

Note: To search for a specific member, enter the member name in the Search for members text box and click Search.

3. Select the member whose logs you want to view.

4. Select View Logs > {log type}.

5. Specify log criteria and click Display Logs.

6. For details about the log, click View.

7. To save the log as a comma-separated value (CSV) data file, click Export to CSV.

8. Open the file or save it to a specific location. A CSV file usually opens with a spreadsheet application (such as Microsoft Excel).


Viewing Server Logs

The server logs show the date/time, result, member name involved, and the server action. The following actions are recorded in the Server Log:

• Administrator Web console login/logout
• Scanning agent install/uninstall
• Real-time agent install/uninstall
• Administrator Web console password change
• Server update
• CPVM service start/stop (MCS start/stop)

To view the server log:

From the left navigation bar, click Logs > Server Logs.

The Server Logs screen appears.

FIGURE 6-2 Server Logs screen

Tip: To export the logs to CSV format, click Export to CSV.


Viewing Virus/Malware Logs

To view Virus/Malware logs:

1. From the left navigation bar, click Security Management.

2. Expand Security Groups and click the group to which the member belongs.

3. Select the members for which to view the logs.

4. Click Logs > Virus/Malware Logs.

The Virus/Malware Log Criteria screen appears.

FIGURE 6-3 Virus/Malware Log Criteria screen

5. Select a time period for the log.

Tip: Leave the Start Date field blank to search for all logs from the earliest date. Leave the To field empty to search for all logs to the present.

6. Specify the type of scan that generated the log.

7. Click Display Logs.


Viewing Spyware/Grayware Logs

To view the Spyware/Grayware logs:

1. From the left navigation bar, click Security Management.

2. Click the group to which the members belong.

3. Select the members for which to view the logs.

4. Click Logs > Spyware/Grayware Log.

The Spyware/Grayware Log Criteria screen appears.

FIGURE 6-4 Spyware/Grayware Log Criteria Dialog Box

5. Specify a time period for the logs.

Tip: Leave the Start Date field blank to search for all logs from the earliest date. Leave the To field empty to search for all logs to the present.

6. Click Display Logs.


Using the Log Viewer

The Log Viewer enables you to view, independently from the Web console, logs on each machine with installed agents.

To view logs:

1. Go to the folder where the agent is installed. For example: C:\Program Files\Trend Micro\CPVM Scanning Agent or C:\Program Files\Trend Micro\CPVM Real-Time Agent

2. Copy the VSLog\vslog.dbf file to the above directory.

Note: You cannot open the vslog.dbf file directly from the VSLog folder because the agent service is using it. You can only open a copy of the file.

3. Start the LogViewer.exe tool.

4. From the LogViewer File menu, select the vslog.dbf file.

The following shows a typical view, which displays the logs in the DB file.

FIGURE 6-5 Log View tool
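The Log Viewer reads a dBase (.dbf) table. The following Python script, added as an example and not part of the product, builds a small .dbf image with a constructed, hypothetical schema (this guide does not document the real layout of vslog.dbf), parses it the way a viewer would, skips records flagged as deleted, and includes the copy-first step from the procedure above in load_log_copy. The field names, sample entries and the load_log_copy helper are assumptions of the example.

```python
import shutil
import struct
from pathlib import Path

# Hypothetical schema for the sample log: the guide does not document the
# layout of vslog.dbf, so the field names and widths below are constructed.
SAMPLE_FIELDS = [("LOGTIME", 19), ("VMNAME", 16), ("VIRUS", 24), ("ACTION", 12)]
SAMPLE_ROWS = [  # constructed entries; the third is flagged as deleted below
    ("2011-01-15 09:12:03", "WEB01", "Eicar_test_file", "Quarantine"),
    ("2011-01-15 09:12:40", "DB02", "Eicar_test_file", "Clean"),
    ("2011-01-14 23:59:59", "OLD09", "Eicar_test_file", "Delete"),
]


def build_dbf(fields, rows, deleted_rows=()):
    """Build a minimal dBase III (.dbf) image: a 32-byte header, one 32-byte
    descriptor per field (all character type), a 0x0D terminator, then fixed-width
    records each prefixed by a deletion flag (' ' live, '*' deleted)."""
    header_len = 32 + 32 * len(fields) + 1
    record_len = 1 + sum(width for _, width in fields)
    out = bytearray(struct.pack("<BBBBIHH20x", 0x03, 11, 1, 20,
                                len(rows), header_len, record_len))
    for name, width in fields:
        out += struct.pack("<11sc4xBB14x", name.encode("ascii"), b"C", width, 0)
    out += b"\r"
    for index, row in enumerate(rows):
        out += b"*" if index in deleted_rows else b" "
        for (_, width), value in zip(fields, row):
            out += value.encode("ascii").ljust(width)[:width]
    return bytes(out + b"\x1a")


def read_dbf(data):
    """Parse the header and field descriptors, then return (fields, live_records),
    each record a dict keyed by field name with the padding stripped."""
    _, _, _, _, record_count, header_len, record_len = struct.unpack_from("<BBBBIHH", data, 0)
    fields, pos = [], 32
    while data[pos] != 0x0D:
        raw_name, ftype, width, _ = struct.unpack_from("<11sc4xBB14x", data, pos)
        fields.append((raw_name.split(b"\x00", 1)[0].decode("ascii"), ftype.decode("ascii"), width))
        pos += 32
    records, pos = [], header_len
    for _ in range(record_count):
        rec = data[pos:pos + record_len]
        pos += record_len
        if rec[:1] == b"*":          # deleted record: still on disk, not displayed
            continue
        row, offset = {}, 1
        for name, _, width in fields:
            row[name] = rec[offset:offset + width].decode("ascii", "replace").strip()
            offset += width
        records.append(row)
    return fields, records


def count_by_action(records):
    """Summarise how the agent handled each detection (constructed ACTION field)."""
    counts = {}
    for rec in records:
        counts[rec["ACTION"]] = counts.get(rec["ACTION"], 0) + 1
    return counts


def load_log_copy(agent_dir):
    """Step 2 of the procedure: the live VSLog\\vslog.dbf is held open by the agent
    service, so copy it into the agent folder and read the copy."""
    agent_dir = Path(agent_dir)
    copied = shutil.copy2(agent_dir / "VSLog" / "vslog.dbf", agent_dir / "vslog.dbf")
    return read_dbf(Path(copied).read_bytes())


SAMPLE_DBF = build_dbf(SAMPLE_FIELDS, SAMPLE_ROWS, deleted_rows={2})

if __name__ == "__main__":
    fields, records = read_dbf(SAMPLE_DBF)
    print([f[0] for f in fields])
    for rec in records:
        print(rec)
    print(count_by_action(records))
```

Because deleted records remain on disk until the table is packed, a forensic review of a copied vslog.dbf may want to read them too; dropping the `rec[:1] == b"*"` check in read_dbf does that.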


Deleting Logs

Core Protection for Virtual Machines can automatically purge logs if you configure a deletion schedule. Otherwise, you will need to manually delete logs.

To delete logs based on a schedule:

1. From the left navigation bar, click Logs > Log Maintenance. The Log Maintenance screen appears.

FIGURE 6-6 Log Maintenance page

2. Select Enable scheduled deletion of logs.

3. Select one or more log types to delete.

Note: Infection logs include all virus/malware and spyware/grayware logs.

4. Specify the log deletion schedule, and click Save.

To manually delete logs:

1. From the left navigation bar, click Security Management. The Security Management screen appears.


2. Click the group for which you want to delete logs.

3. Click Logs > Delete Logs. The Log Maintenance screen appears.

FIGURE 6-7 Log Maintenance window

4. Select the log types to delete.

5. Select the logs to delete, and click Delete.


Chapter 7

Managing Notifications

This chapter explains how to configure notifications to be sent for threats or system events.

Topics in this chapter:

• Configuring Alert Notifications on page 7-2
• Configuring General Settings on page 7-2
• Configuring Notification Triggers on page 7-3


Configuring Alert Notifications

To configure notifications to be sent in response to security threats or system events, configure notification general settings and notification triggers.

Configuring General Settings

General settings define the notification mode (Email, SNMP or NT Event Log) and apply to all Core Protection for Virtual Machines notification messages.

To configure general notification settings:

1. From the left navigation bar, click Notifications > General Settings. The General Settings screen appears.

FIGURE 7-1 General Notifications Settings

2. Select one or more notification methods and type the associated information.

• Enable notification via email
• Enable notification via SNMP
• Enable notification by NT Event log (sends to the NT Trap log)

3. Click Save.


Configuring Notification Triggers

Notification triggers define the threat and/or event that triggers an alert:

• Standard Settings define security threat triggers plus the message data for the notification.
• System Notification Settings define system events that trigger a notification.

To configure standard notification settings:

1. From the left navigation bar, click Notifications > Standard Notifications. The Standard Notifications screen appears.

FIGURE 7-2 Standard Notifications Settings

2. Specify which events will trigger the system to send notifications.

3. Select the message and token variables for the Message field. Token variables represent the data that you want to display in the notification message. For example: at %y, Core Protection for Virtual Machines found the following virus on member %m%s: virus %v, location: %p. Core Protection for Virtual Machines performed the following action on the infected computer: %a.


Note: Pattern Update has only the %s option. Virus/malware notifications can have additional options, such as %f, %l, %i and %y.

Note: The Subject field does not accept token variables.

4. Click Save.

TABLE 7-1. Token Variables for Standard Notifications

VARIABLE DESCRIPTION
%s  Member with security risk
%n  Name of the user logged on to the infected computer
%m  Domain of the computer
%p  File path of the computer
%v  Security risk name
%y  Date and time of security risk detection
%a  Action taken on the security risk
%T  Spyware/Grayware and scan result


To configure notifications for system events:

1. From the left navigation bar, click Notifications > System Notifications. The System Notifications screen appears.

FIGURE 7-3 System Notifications Settings

2. Specify the system events that will trigger notification messages.

3. Select the message and token variables for the Message field and click Save. Token variables represent the data that you want to display in the notification message.

TABLE 7-2. Token Variables for System Event Notifications

VARIABLE DESCRIPTION
%CV  Total number of security risks detected
%CC  Total number of computers with security risks
%A   Log type exceeded
%M   Time period in minutes

Note: The Subject field does not accept token variables.

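The following Python example, added here and not part of the product, shows how the token tables (TABLE 7-1 and TABLE 7-2) can be applied to a message template such as the one quoted under step 3 of the standard notifications procedure. It expands longer tokens first so that %CV is never read as %C followed by V, leaves any token with no supplied value in place rather than blanking it, and passes the Subject through unchanged because tokens are not expanded there. The value names (member, domain, risk_count and so on) and the sample values are constructed for this example.

```python
import re

# Token tables from the guide. The name on the right of each entry is a
# constructed key for the dict of values handed to render().
STANDARD_TOKENS = {            # TABLE 7-1
    "%s": "member", "%n": "user", "%m": "domain", "%p": "path",
    "%v": "risk", "%y": "detected_at", "%a": "action", "%T": "scan_result",
}
SYSTEM_TOKENS = {              # TABLE 7-2
    "%CV": "risk_count", "%CC": "computer_count", "%A": "log_type", "%M": "minutes",
}


def render(template, values, tokens):
    """Replace every token in `template` with its value. Longer tokens are tried
    first so %CV is never split into %C and V; a token whose value was not
    supplied is left in the text so the gap is visible to the recipient."""
    alternatives = "|".join(re.escape(t) for t in sorted(tokens, key=len, reverse=True))

    def substitute(match):
        key = tokens[match.group(0)]
        return str(values[key]) if key in values else match.group(0)

    return re.sub(alternatives, substitute, template)


def build_standard_notification(subject, template, **values):
    """The Subject is passed through untouched: the guide says it accepts no tokens."""
    return {"subject": subject, "body": render(template, values, STANDARD_TOKENS)}


def build_system_notification(subject, template, **values):
    return {"subject": subject, "body": render(template, values, SYSTEM_TOKENS)}


# The guide's own example message; the token values below are constructed.
EXAMPLE_TEMPLATE = (
    "at %y, Core Protection for Virtual Machines found the following virus on member "
    "%m%s: virus %v, location: %p. Core Protection for Virtual Machines performed the "
    "following action on the infected computer: %a."
)


def example_messages():
    threat = build_standard_notification(
        "Virus detected on %s",          # stays literal: no expansion in subjects
        EXAMPLE_TEMPLATE,
        detected_at="2011-01-15 09:12", domain="CORP\\", member="WEB01",
        risk="Eicar_test_file", path="C:\\temp\\eicar.com", action="Quarantine",
    )
    outbreak = build_system_notification(
        "Outbreak threshold exceeded",
        "%CV security risks on %CC computers within %M minutes (%A log)",
        risk_count=12, computer_count=3, minutes=60, log_type="Virus/Malware",
    )
    return threat, outbreak


if __name__ == "__main__":
    for message in example_messages():
        print(message["subject"])
        print(message["body"])
        print()
```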

Chapter 8

Administering Core Protection for Virtual Machines

The Administration screens enable you to perform general administrative configurations such as the web console password, proxy settings, and virtual infrastructure settings.

Topics in this chapter:

• Setting the Web Console Password on page 8-2
• Configuring Proxy Settings on page 8-4
• Configuring Virtual Infrastructure Settings on page 8-5
• Configuring Compatible Products on page 8-6
• Viewing and Updating Your Product License on page 8-8


Setting the Web Console Password

The web console is password-protected to prevent unauthorized users from modifying Core Protection for Virtual Machines settings. During installation, the Core Protection for Virtual Machines Setup program requires you to specify a web console password; however, you can modify your password from the web console.

The following guidelines can help you create an effective password:

• Include letters and special characters as well as numbers in your password
• Avoid words found in any dictionary, of any language
• Intentionally misspell words
• Use phrases or combine words
• Use both uppercase and lowercase letters

Note: If you forget the console password, contact Trend Micro technical support for instructions on how to gain access to the Web console. The only other alternative is to uninstall and reinstall Core Protection for Virtual Machines.


To change your password:

1. On the Core Protection for Virtual Machines navigation bar, click Administration > Change Password.

The Console Password screen appears.

FIGURE 8-1. Change Password screen

2. In the Old Password box, enter your password.

3. Enter a new password in the New Password box. The password must contain a mixture of numbers, letters (upper and lower case), and special characters. The password can range from 7 to 14 characters.

4. Re-enter the password in the New Password Confirm box.

5. Click Change Password.

The message "Your password was changed" appears if the reset was successful.
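As an added check (not part of the product), the following Python function tests a candidate password against the rules stated in this section: 7 to 14 characters, a mix of numbers, upper- and lowercase letters and special characters, and no dictionary words. The small word list is a constructed sample standing in for a real dictionary.

```python
import string

MIN_LENGTH, MAX_LENGTH = 7, 14   # range given in the change-password procedure

# Constructed sample of words to reject; a real check would load a word list.
DICTIONARY_SAMPLE = {"password", "trend", "admin", "virtual", "secret"}


def password_problems(candidate):
    """Return the list of guideline violations for `candidate` (empty = acceptable).
    Every rule is evaluated so the user sees all problems at once."""
    problems = []
    if not MIN_LENGTH <= len(candidate) <= MAX_LENGTH:
        problems.append(f"length must be {MIN_LENGTH} to {MAX_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in candidate):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in candidate):
        problems.append("needs a special character")
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY_SAMPLE):
        problems.append("contains a dictionary word")
    return problems


def is_acceptable(candidate):
    return not password_problems(candidate)


if __name__ == "__main__":
    for sample in ("Tr3nd!Mic", "Password1!", "abc"):
        print(sample, "->", password_problems(sample) or "acceptable")
```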


Configuring Proxy Settings

If the Internet connection for your network is routed through a proxy server, you need to enter the proxy server information to retrieve updates from the Internet.

To configure a proxy server:

1. On the Core Protection for Virtual Machines navigation bar, click Administration > Proxy Settings. The Proxy Settings screen appears.

FIGURE 8-2. Proxy Settings screen

2. Select Use a proxy server for pattern, engine, and license updates.

3. Choose a protocol type, either HTTP or Socks 4.

4. Type the Server name or IP address.

5. Type the Port number.

6. Type the proxy User ID and Password.

7. Click Save.


Configuring Virtual Infrastructure Settings

From the Virtual Infrastructure Settings screen, you can configure the information required to connect to the Virtual Center.

To configure the Virtual Center:

1. On the Core Protection for Virtual Machines navigation bar, click Administration > Virtual Infrastructure Settings. The Virtual Infrastructure Settings screen appears.

FIGURE 8-3. Virtual Infrastructure Settings screen


2. Type the following settings:

• Virtual Center Address
• Virtual Center User Name
• Virtual Center Password
• Virtual Center Verify Password
• Auto-sync with Virtual Center every: the frequency for automatically synchronizing with Virtual Center to update virtual machine information.

Note: The time it takes to synchronize with the Virtual Center depends on the number of virtual machines in the Virtual Center. Synchronization could take a while, up to thirty minutes, if you have a lot of virtual machines.

3. Select Register VC Core Protection for Virtual Machines plug-in to register the plug-in.

4. To test the settings you have entered, click Test Connection.

5. Click Save.

Configuring Compatible Products

Use the Compatible Products screen to define the products that you want to operate in your Core Protection for Virtual Machines environment and the products that Core Protection for Virtual Machines will keep updated. Products that you can configure include the following:

• Trend Micro OfficeScan
• Trend Micro ServerProtect


To configure compatible products:

1. On the Core Protection for Virtual Machines navigation bar, click Administration > Compatible Products. The Compatible Products screen appears.

FIGURE 8-4. Compatible Products screen

2. To allow OfficeScan to be updated, select Trend Micro OfficeScan and type the Update Agent URL. This is the URL of the update server, which could be one of the following server URLs:

• The installed Agent Update server URL for OfficeScan, such as: http://osce10-p.activeupdate.trendmicro.com/activeupdate
• Your own OfficeScan AU update server URL: http://<hostname>:8080/officescan/download
• Your AU update server URL (if you configured a client as the AU server from the OfficeScan setting): http://<ip-address>:[port]/activeupdate


3. To allow ServerProtect to be updated, select ServerProtect and type the following settings:

• Information Server IP Address: The IP address of the installed ServerProtect.
• Username: The username to access ServerProtect.
• Password: The password to access ServerProtect.

4. Click Save.

Viewing and Updating Your Product License

The Product License screen displays the current status of your Core Protection for Virtual Machines product license and enables you to update your license as needed.

Note: The product supports user-based license and CPU-based license. Depending on your purchase, CPVM displays the number of seats or number of CPUs licensed for your product.


To update your license information:

1. On the Core Protection for Virtual Machines navigation bar, click Administration > Product License.

FIGURE 8-5. Product License screen

The Product License screen displays the following information:

• Status: Your current product license status: Active, Inactive, or Expired.
• Version: Either "Full" or "Evaluation" version. If you have both full and evaluation versions, the version that displays is "Full."
• Expiration Date: The date your current license will expire.


2. In the Services column, click the name of the product to view or update.

FIGURE 8-6. Antivirus for Servers screen

The Product License screen shows the following product information:

• Status: "Activated", "Not Activated" or "Expired". If a product service has multiple licenses, and at least one license is still active, "Activated" displays.
• Version: Either "Full" or "Evaluation" version. If you have both full and evaluation versions, the version that displays is "Full".
• License Type: Either a "User based" or "CPU based" license, depending on which you have purchased.
• Seats or Number of CPUs: Either the seat count purchased or the number of CPU licenses purchased.
• Expiration Date: If a product service has multiple licenses, the latest expiration date displays. For example, if the license expiration dates are 12/31/2008 and 06/30/2009, 06/30/2009 displays.
• Activation Code


Note: The version and expiration date of product services not activated is "N/A".

3. To update your activation code, click New Activation Code. The Enter a New Code screen appears.

FIGURE 8-7. Enter a New Code screen

4. Type your new Activation Code.

5. Click Activate.

Note: You must register a service before you can activate it. Contact your Trend Micro representative for more information about your Registration Key and Activation Code.

6. On the Product License Details screen, click Update Information to refresh the screen with the new license details and the status of the service. This screen also provides a link to your detailed license available on the Trend Micro web site.


Appendix A

VMware Virtual Center Integration

To enable management from within VMware Virtual Center, Core Protection for Virtual Machines is integrated with the Virtual Center interface. This topic explains two management options for the VMware Virtual Center integration.

Topics in this chapter:

• Virtual Center Plug-in on page A-2
• Virtual Center Reporting on page A-3


Virtual Center Plug-inIf the Virtual Center plug-in was enabled during CPVM installation or enabled from the web console, the CPVM Administration console is available from the Virtual Infrastructure client as a tab. The plug-in enables full CPVM management as if you were accessing the standalone CPVM Administrator web console.

FIGURE A-1. Virtual Center Virtual Machines tab


Virtual Center ReportingVirtual Center reporting is implemented in the Virtual Center interface without any action required. The CPVM server creates and updates a custom attribute as part of the Summary screen Annotation section, providing the scan status of any VM in your inventory.

FIGURE A-2. Virtual Center Virtual Machines tab

Note: If you do not see the custom attribute being updated when viewing virtual machines, press F5 to refresh your screen.


Index

A
ActiveAction 1-16, 4-29
    advantages 1-16
adding groups 4-3
administration 8-1
Administrator Web console 2-2
agents 4-17
    CPVM Scanning Agent 4-18
    Real-time Agent 4-18
    uninstalling 4-24
anti-spyware patterns 5-2
antivirus patterns 5-2

C
compatible products 8-6
component duplication 5-2
components 5-2
compressed files 1-13
Core Protection for Virtual Machines
    architecture 1-6
    how it works 1-5
CPVM Scanning Agent 4-18

D
deleting groups 4-4
deleting logs 4-51

F
file extension checking 4-17

G
group information 4-2
groups
    adding 4-3
    deleting 4-4
    renaming 4-4

I
IntelliScan 1-15, 4-17

L
license 8-8
logs 1-11, 6-1, 1-1
    deleting 4-51
    managing 4-48, 6-8
    Security Risk logs 6-3
    spyware/grayware 6-9

M
members
    managing 4-8
    moving 4-12
    viewing member information 4-8
moving members 4-12

N
network share 4-13
notifications 7-1

O
OLE layer scan 1-15

P
password 8-2
pattern matching 1-12

Q
QuickScan 4-16
    configuring 4-29
    initiating 4-18

R
Real-time Agent 4-18
    installing 4-22
Real-time Scan 4-16
    configuring 4-34
Real-time Scan versus on-demand scan (Scan Now) 1-9
renaming groups 4-4

S
Scan Now 4-15
    configuring 4-44
    initiating 4-21
scan results 3-4
scanning
    OLE layer 1-15
Scanning Agent
    enabling and disabling 4-27
    installing 4-23
    uninstalling 4-24
scans
    configuring 4-28
    performing 4-15
Scheduled Scan 4-16
    configuring 4-39
Security Risk logs 6-3, 6-6
server update
    status 3-4
spyware/grayware logs 6-9
Summary 3-2
system information 3-3
System Requirements 1-3

T
true file-type detection 4-17

U
updates
    deploying 1-11

V
VC inventory 4-5
Virtual Infrastructure settings 8-5
virtual machine status 3-3
virus
    actions 1-10
    detection technology 1-12
virus actions 1-10
VMware Virtual Center integration A-1