SolutionBase: Stopping spyware with Trend Micro Anti-Spyware Enterprise Edition 3.0

Spyware is an ever-increasing problem for IT professionals. The hardest part in a business setting is finding a centrally manageable solution to the spyware problem. Here's a look at Trend Micro's answer.

Recently, Trend Micro released a new version of their antispyware product, which includes a powerful web-based administration console, automatic client deployment, frequent updates, and real-time protection from spyware.

In this article, I will go over the installation and configuration for this product on both the server and on a client. I will also demonstrate how Trend Micro's automatic deployment works and will show you how to manually install the client on problem or non-domain machines you want to protect.

System requirements

As you would expect from an enterprise-level spyware product, Trend Micro Anti-Spyware Enterprise Edition 3.0 has multiple components, including a server component and a desktop client. The server side of the equation is managed via a web console, and the desktop portion can be installed either automatically, if you have the right privileges, or by using an MSI file.

Your servers and workstations should meet some minimum specifications to use this product. While the workstations specifications remain constant, server requirements may change depending on how many workstations you plan to support.

Workstation

The basic thing to keep in mind with Trend Micro's enterprise antispyware solution is "older operating systems need not apply". By this point, though, if you're still running Windows 95, 98, or ME in your organization, you're getting used to hearing this, so Trend Micro's choice not to support these operating systems is really not a surprise. Here's a list of what Trend Micro does support:

  • Windows 2003 Standard, Enterprise, and Web with no service pack, or with SP1.
  • Windows XP Home and Professional with no service pack, or with SP1 or SP2.
  • Windows 2000 Professional, Server and Advanced Server with SP3 or SP4.

As for system requirements, Trend Micro doesn't require a whole lot and asks only that your system have at least 128MB of RAM and 10MB of available disk space.

If you want to be able to install the software without using an MSI file, your workstation should be a member of your corporate domain, or you should know the local administrator password for each client. Further, if the client is running Windows XP Service Pack 2, you must either disable the internal firewall or configure it so it does not block the ports required by Trend Micro Anti-Spyware. Specifically, allow these ports:

  • 137
  • 138
  • 139
  • 445 (NetBIOS)
  • 8088 (Apache management)
  • 54447
  • 54448
  • 54449

If you don't want to allow these firewall exceptions, you will need to use the MSI file and manually install (or deploy using your typical method) the client software. If you use client firewall software that requires you to provide a list of allowed executables, make sure to allow cwshredder.dll, imclntinst.exe, ssengine.dll, tmasca.exe, and tmasea.exe.
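If the client's firewall is the built-in Windows XP SP2 firewall, the exceptions listed above can be added from the command line instead of the GUI. The following is an added example, not code from the article or from Trend Micro; it uses the XP SP2 / Windows Server 2003 SP1 "netsh firewall" context. The article does not state protocols for the ports, so the script assumes 137 and 138 are UDP and the rest TCP; the server address and the client install directory are placeholders you must replace, and the Windows Firewall only takes executables (the two DLLs in the article's list are loaded by those executables and get no entry of their own).

```powershell
# Added example (not from the article or from Trend Micro): open the firewall
# exceptions the article lists on a Windows XP SP2 client so the domain-based
# installer can reach it. Run as a local administrator on the workstation.
# Assumed (the article gives no protocols): 137/138 are UDP, all others TCP.

# Placeholder: address of your Trend Micro Antispyware server (the article's lab value).
$ServerIp = '192.168.160.128'

# Placeholder: directory holding the client executables on this workstation.
$ClientDir = 'C:\Program Files\Trend Micro\Antispyware'

$Ports = @(
    @{ Port = 137;   Protocol = 'UDP'; Name = 'TMAS_NetBIOS_Name' },
    @{ Port = 138;   Protocol = 'UDP'; Name = 'TMAS_NetBIOS_Datagram' },
    @{ Port = 139;   Protocol = 'TCP'; Name = 'TMAS_NetBIOS_Session' },
    @{ Port = 445;   Protocol = 'TCP'; Name = 'TMAS_SMB' },
    @{ Port = 8088;  Protocol = 'TCP'; Name = 'TMAS_Management' },
    @{ Port = 54447; Protocol = 'TCP'; Name = 'TMAS_Socket_1' },
    @{ Port = 54448; Protocol = 'TCP'; Name = 'TMAS_Socket_2' },
    @{ Port = 54449; Protocol = 'TCP'; Name = 'TMAS_Socket_3' }
)

# Scope each opening to the server address only (scope=CUSTOM) rather than the
# default scope=ALL, so the client does not accept these connections from every
# host on the LAN.
foreach ($p in $Ports) {
    netsh firewall add portopening protocol=$($p.Protocol) port=$($p.Port) name=$($p.Name) mode=ENABLE scope=CUSTOM addresses=$ServerIp
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not open $($p.Protocol)/$($p.Port)" }
}

# Per-executable exceptions for the client programs the article names.
foreach ($exe in 'imclntinst.exe', 'tmasca.exe', 'tmasea.exe') {
    $path = Join-Path $ClientDir $exe
    netsh firewall add allowedprogram program="$path" name="TMAS_$exe" mode=ENABLE scope=CUSTOM addresses=$ServerIp
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not add program exception for $path" }
}

# Review what is now open so the change can be checked against the article's list.
netsh firewall show portopening
netsh firewall show allowedprogram
```

Scoping the exceptions to the server's static IP is the one deliberate choice here: the article only says the ports must not be blocked, and a narrower scope satisfies that without exposing NetBIOS and SMB on the workstation to the whole network.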

Server

The server requirements are significantly heftier than the workstation list, and change depending on how many clients you plan to support. First, make sure the server you select is not currently running MySQL, since Trend Micro will install this software for its own use. Trend Micro also recommends the following minimal requirements for your server:

  • Processor: 2.4GHz for up to 12,500 clients; dual 3GHz for up to 25,000; and Quad 3.4GHz for up to 60,000 clients
  • RAM: 512MB for up to 12,500 clients; 1GB for up to 25,000; and 2GB for up to 60,000 clients
  • Disk space: 5GB
  • A static IP address
  • Windows 2003 Standard or Enterprise
  • Windows 2000 Server or Advanced Server with SP4
  • If you plan to use IIS, make sure to install the IIS components, or the IIS role, depending on your version of Windows. You can also choose to use the Apache web server, if you like. I'm using IIS in my examples.
  • Internet Explorer 5.5 or better (to access the management console; if you prefer not to do this from the server, you can access the management console from a workstation)
  • Sun Microsystems' Java Virtual Machine (for viewing reports)

If you need to allow specific access to certain applications on a software-based server firewall, make sure that the executables tmassa.exe and reminst.exe are allowed. They support the automatic client installation. If you use the MSI installer, you don't need to worry about this.

Server installation

Before beginning your server installation, make sure the server meets the requirements noted above. Next, from the appropriate location (either the installation CD or an expanded ZIP file), run the TMAS-EE.exe file to begin installing the product.

I'll take you step-by-step through a typical installation that uses IIS as the web server.

The first screen (not shown) is a typical software license screen. You should read the contents to make sure there are no surprises. When you're done, click the 'I Accept' button to move on.

The next couple of screens ask you for registration information gathered when you either purchased or registered the product. This registration window is shown below in Figure A. If you have not registered your product, you need to. At the end of the registration process, you will be provided an activation code, required to complete the installation. Click the Register Online button if you have not yet registered. If you have, just click Next.

Figure A

The registration information is required in the next step to continue the installation.

If you completed the registration portion of the installer, you should have the activation code requested on this next step, as shown below in Figure B. You can either type the code manually, or copy and paste it from your browser window. Click Next when you're done.

Figure B

Enter your activation code provided during the registration process.

The third screen of the installation asks you to provide, and to verify, your email address.

Figure C

Trend Micro says they use this to provide information about product updates.

Now, you're getting to real product installation options. First, decide to what location you would like to install the antispyware product. The default location is C:\Program Files\Trend Micro\Antispyware. Click the Browse button to choose a different location. Once you've chosen, click the Next button.

Figure D

Click Next after you've selected the location to which you want to install the server components.

Next, provide a domain account that you will use to administer the client software process. As you can see in Figure E, I've created an account using Active Directory Users and Computer named 'tmadmin' and added it to the Domain Administrators group for this purpose. Click the Next button when you're done.

Figure E

The account you use needs to have domain administrative rights in order to be able to access the individual domain clients.

Likewise, you need to specify an account to use to access the web console on the server. Check the box next to "Use Domain Administrator settings from previous screen" if you want to use the same account you previously specified. Otherwise, uncheck this box and provide appropriate credentials. Click Next when you're done.

Figure F

You can use the same credentials from the previous screen, or provide new ones.

The web administration portion of the installation is important since you'll use it for all administrative activity. On this next screen, you need to decide which web server—IIS or Apache—you want to use, and on which port it will run. You can also indicate that you want a secure connection using an SSL certificate, by selecting the "Use secure connection" option.

For this installation, I'm using IIS. If you opt for Apache, version 2.0 of Apache is shipped with Trend Micro's product. Figure G shows the web server configuration. Note that when you start Internet Services Manager after the installation, you'll see an AntiSpyware site; the installer adds and configures it automatically. The default port for administration is 8088, and I have kept this default in this example.

Figure G

Choose your web server and port, and decide if you want SSL enabled.

Next, you can optionally choose to install the Control Manager Agent, which is useful for larger installations as seen in Figure H. I will not be going over the Control Manager in this article, but will be using the web-based administration console.

Figure H

Choose whether or not to install the Control Manager Agent.

Once you make these selections, the software installer completes the installation and configuration of the product, after which you are provided with a summary screen on which you can opt to launch the web console. You can see this in Figure I.

Figure I

Do you want to start administering the product right away?

Administration

With the server-side installation completed, you can move on to administering the product and getting it deployed to workstations in your organization. During this part, I will go over both the automatic and manual installation of the antispyware product onto your client computers.

The first step, shown in Figure J, is to log into the web administration console using either the account you created during the installation or any domain administrator account.

Figure J

Log in to the administration console using an account with administrative rights.

There is really only one step you're required to take in the administration tool before you get started: identify which domain, or domains, you will be administering with this tool. Keep in mind that if you administer multiple domains, you should add your administrative account to the Enterprise Admins group instead. See Figure K for a sample. To add a domain to Trend Micro Antispyware, select it in the Discovered Domains column and click the Add button, which moves it into Active Domains. In this example, I've moved the domain named 'example' to this area.

Figure K

Choose the domain(s) you want to administer.

Now, click on the "My Enterprise Network" tab at the top of the screen. Clicking on this tab brings up a list of machines that have been discovered in your managed domain. Note in the screen shot shown in Figure L that my server has discovered two clients with a status of "not installed", meaning that the client software has not yet been deployed. One of these machines, W2K3-STD, is my Trend Micro Antispyware server, while the other, XPP1, is a Windows XP desktop machine.

Figure L

You can get at-a-glance facts from the My Enterprise Network tab.

In order to demonstrate both installation methods, I will automatically deploy the client software to the Windows Server machine, and install the client from the MSI file on the XP machine. Both methods are discussed later in this article.

Policies

You can create multiple policies that allow the antispyware software to work differently on different machines in your organization. For example, if you choose to run a daily scan of each machine a la antivirus software, you can create different schedules for different work shifts.

Trend Micro Antispyware comes with a default policy that enables a quick machine scan every night at 11:00 P.M., along with a startup scan. Other options, including automatic product and definition updates, are not enabled. Trend Micro's Active Application Monitoring, a process that proactively prevents spyware from infecting your system, is also disabled by default.

For this article, I'm going to create a new, stricter policy. To create a new policy, click the Policies option at the top of the administration screen and click the New Policy button at the bottom, as seen in Figure M.

Figure M

Click the Policies button to see what policies you already have. Click the New Policy button to create a new policy.

Each policy requires a name and a selection of the various options you want to include in the policy. For this example, I have created a policy named 'TR example' and enabled automatic installation of the antispyware client, automatic updates of both the product and the spyware definitions, strict active application monitoring, and a full scan of the machines in this policy every night at 11:00, except Sundays. You can see all of this in Figure N. Once you create and configure a new policy, click the Save button.

Figure N

You can use different policies for different classes of computers.

Your new policy now shows up in the list of available policies, as you can see in Figure O.

Figure O

If you want to edit your policy, just click its name. To delete a policy, select it using the radio button and choose Remove Policy.

If you want specific machines to be included under a certain policy, you need to add machines to it by adding said machines to the policy's member list. From the Policies window, open the policy and choose the Policy Members tab. This tab shows you a list of computers associated with a particular policy. By default, all new computers are associated with the Global Default policy.

If you open up a new policy, you won't see any computers in the list. Click the Add Members button to add a computer to the Policy Members list. The screen shown in Figure P below shows the two machines I have in my example.com domain in my lab. To add the W2K3-STD machine to the 'TR example' policy I created, I would select the highlighted check box and click the Add Members button.

Figure P

Select the check box and click Add Members.

Now that your machines are in the right policy, you can deploy the client software to them.

Deploy client software from the administration console

If you place a client into a policy for which you have enabled Automatic Installation, Trend Micro Antispyware will automatically install the client, assuming you have provided an appropriate user name and password for the client. In fact, a couple of minutes after I added W2K3-STD to the 'TR example' policy, the client was installed with no intervention required on my part. The W2K3-STD machine now has the client installed and is actively cleaning.

To see the status of your installation, click on the My Enterprise Network option at the top of the administration window. The green dots next to the version number indicate that the software and definitions are current.

If, for whatever reason, Trend Micro Antispyware can't automatically deploy the client (perhaps you did not enable automatic client installation in your policy, for example), you can still manually deploy the client without having to use the MSI installer file. To do so, from the My Enterprise Network window, click the check box next to the computer to which you want to deploy the software and click the Install button at the bottom of the window.

If you have machines that are not a part of your domain, you can't use this automated deployment method and will need to use the MSI method instead.

Deploy client software using an MSI installer

As I mentioned, if you have machines on which you can't use the domain installer, or if you already have a software distribution system in place, you should consider using the MSI client installer included with the Trend Micro Antispyware software.

To use the MSI file, you need to provide it with some parameters that allow the installed client to communicate with your server. On my XPP1 machine, I used the MSI installer with the following switches, most of which are pretty self-explanatory.

msiexec /i tmasclnt.msi ALLUSERS=1 RebootYesNo=No /Lve tmasclnt.log /qn SERVERIP=192.168.160.128

  • The /qn switch indicates that the installation should proceed quietly, with no notice to the user.
  • The /Lve switch is always followed by the name of the file to which an installation log should be written.
  • SERVERIP is the address of your Trend Micro Antispyware server. It is fairly self-explanatory, but it is critical: without it the client cannot report to the server.

The default MSI-based installation installs the software in "socket mode", which is one of three possible modes in which you can run the software. You can also run in "domain mode", which uses administrative shares to communicate with the server. Or, you can opt to use a polling method in which the client occasionally polls the server for updates. I won't be going over these last two options here. The mode is selected with the CMDMODE property; by omitting it, as I did above, I implicitly chose CMDMODE=1, the default socket mode. Socket mode requires that ports 54447, 54448 and 54449 be accessible.

Also note that if you use the MSI method to install the client, you need to manually allocate a license to the client machines, or else they will stay in a "scan-only" mode until you do so. I'll go over this step in the next section.
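When the MSI is pushed to many non-domain machines, it is worth wrapping the command line shown above in a script that checks the installer before running it silently and reports the outcome. The following is an added example, not code from the article or from Trend Micro; the function name, parameter names and default paths are hypothetical, the server address is the article's lab value used as a placeholder, and the Authenticode check assumes the package you received is signed (if your copy is not, drop that check rather than running it blind).

```powershell
# Added example (not from the article or from Trend Micro): wrapper for the
# article's msiexec command line, for machines that cannot use the domain
# installer. Hypothetical names; adjust the placeholders to your environment.
function Install-TmasClient {
    param(
        [string]$MsiPath  = '.\tmasclnt.msi',      # MSI shipped with the product
        [string]$ServerIp = '192.168.160.128',     # placeholder: your server's static IP
        [int]   $CmdMode  = 1,                     # 1 = socket mode, the article's default
        [string]$LogPath  = (Join-Path $env:TEMP 'tmasclnt.log')
    )

    if (-not (Test-Path $MsiPath)) { throw "Installer not found: $MsiPath" }
    $MsiPath = (Resolve-Path $MsiPath).Path

    # /qn runs the package silently with SYSTEM rights on every machine it is pushed
    # to, so refuse a package whose signature is missing, broken or untrusted.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to install: Authenticode status is '$($sig.Status)' for $MsiPath"
    }

    # Same switches and properties as the article's command line, plus an explicit
    # CMDMODE so the chosen mode is visible in the log.
    $msiArgs = @(
        '/i', "`"$MsiPath`"",
        'ALLUSERS=1', 'RebootYesNo=No',
        "SERVERIP=$ServerIp", "CMDMODE=$CmdMode",
        '/Lve', "`"$LogPath`"",
        '/qn'
    )
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Windows Installer exit codes: 0 = success, 3010 = success but reboot required,
    # 1641 = installer started a reboot. Anything else is a failure; the verbose log
    # written by /Lve is where to look.
    switch ($proc.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'Installed (reboot required)' }
        1641    { return 'Installed (rebooting)' }
        default {
            $tail = Get-Content $LogPath -ErrorAction SilentlyContinue | Select-Object -Last 20
            throw "msiexec exited with $($proc.ExitCode). Last log lines:`n$($tail -join "`n")"
        }
    }
}

# Example run with the defaults; the return value is suitable for a deployment report.
Install-TmasClient
```

Remember that a client installed this way still needs a license allocated from the console before it will do anything beyond scanning, so the deployment report should be followed by that step.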

Viewing client status

From here on, you're past the installation basics of Trend Micro Antispyware. During your use of the product, you will have machines that are exposed to spyware and are cleaned by the software. You can see exactly what is happening by using the same console you used to install the software and create policies.

For example, right after I installed the client into W2K3-STD, seven potentially problematic items were cleaned from the machine. In this case, they were all cookies.

If you used the MSI method to install the client, you also need to allocate a license for the client, or it will only be able to scan, not take corrective action.

Trending away from spyware

Trend Micro has a good product on their hands with this version 3.0 of their Antispyware product. It's pretty easy to use, powerful, and from the centralized management console you can perform most functions, as long as your machines are part of a domain. With the ability to support multiple policies, you can handle differing workloads and requirements across your enterprise.
