- Installing the server on a local computer
- Installing on one or more remote computers
- Installing on the local computer and one or more remote computers
- Installing Cisco NAC software
- Open the Windows Task Manager.
- Look for the mmc.exe process.
- Click the mmc.exe process to highlight it and then click the End Process button.
- Locate and launch the Setup program.
- You can do choose to:
- Insert the OfficeScan CD installer; or
- Download and extract the installer file from the Download Center.
- Launch the setup.exe file
After the installation program is unpacked and started, the Welcome screen appears. Click Next on this screen to continue.
- Accept the Software License Agreement.
- Select I accept the terms of the license agreement and then click Next.
- Select I accept the terms of the license agreement and then click Next.
- Review the installation requirements and Access Usage Guides.
- Client Deployment
There are several methods for installing or upgrading the OfficeScan clients. This screen lists the different deployment methods and approximate network bandwidth needed. These measurements will change if the OfficeScan server is updated because the OfficeScan components currently available in the server will be included in the client installation package.
- Usage Guide
If you are upgrading to this version of OfficeScan, Trend Micro recommends creating a backup of the OfficeScan database from the OfficeScan management console. The OfficeScan server database contains all the settings, including scan settings and privileges. When creating the database backup, OfficeScan automatically defragments the databases and repairs any possible corruption in the index file.
- Client Deployment
You can refer to this Knowledge Base article for more details: Important files to back up before upgrading to OfficeScan 10/10.5.
You can also use Control Manager (TMCM) to back up or replicate the server settings. Use these server settings to either restore the OfficeScan server if any issue occurs during upgrade, or to copy the server settings to another OfficeScan server.
You can refer to the Control Manager Administrator's Guide for more information.
To start the analysis, click Analyze. Setup may require you to provide the administrator username and password used to log on to the target computer. After the analysis, Setup displays the result in the screen.
After reviewing the information on each of these pages, click Next to proceed.
- Select an installation destination.
You will be prompted for an installation destination. You may select from two locations:- On this computer
- To a remote computer or multiple computers simultaneously
After selection an option, click Next.
- Select whether to pre-scan target computer(s) or not.
You can choose to scan the target computer for security risks before installing the software. The Setup will scan for virus/malware, spyware/grayware, and Trojan programs. However, pre-scanning only scans the most vulnerable areas of the computer. These include:- Boot area and boot directory (for boot viruses)
- Windows folders
- Program Files folder
- Delete - Deletes an infected file.
- Clean - Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file.
- Rename - Changes the infected file's extension to "vir". Users cannot open the file initially, but can do so if there associate the file with a certain application. Virus/Malware may execute when opening the renamed infected file.
- Pass - Allows full access to the infected file without doing anything to the file. A user may copy/delete/open the file.
- Specify an Installation Path.
Accept the default installation path or specify a new one. Click Next to continue. - Enable/Specify the Proxy Server Configuration.
The OfficeScan server uses HTTP for client-server communication and for downloading updates from the Trend Micro Active Update server.
If your network does not require a proxy server configuration, leave the option box unmarked and then click Next.
- Select/Configure the Web Server Options
The OfficeScan web server hosts the web console, allows the administrator to run the Common Gateway Interfaces (CGIs), and accepts commands from clients. The web server coverts these commands to client CGIs and forwards them to the OfficeScan Master Service.
If the Setup detects both IIS and Apache Web servers installed on the target computer, you may choose between the two web servers. If neither exists on the target machine, you cannot select IIS. OfficeScan server will automatically install Apache Web Server 2.0.63.
Apache web server 2.0.x is required and can only be used on Windows XP, 2003, and 2008. If Apache web server exists on the computer, but is not in version 2.0.x, then OfficeScan will install using version 2.0.63. The existing Apache web server will not be removed.
IIS Web Server
Microsoft Internet Information Server (IIS) version 6.0 for Windows Server 2003, version 7.0 for Windows Server 2008, version 7.5 for Windows Server 2008 R2.
The SSL version used depends on the version that the web server supports.
When you select SSL, Setup automatically creates an SSL certificate, which is a requirement for SSL connections. The certificate contains server information, public key, and private key.
Each SSL certificate has a validity period of three years. The administrator can still use the certificate after it expires. However, a warning message appears every time the SSL connection is invoked using the same certificate.
This is how the communication through SSL works:
- The administrator sends information from the web console to the web server through SSL connection.
- The web server responds to the web console with the required certificate.
- The browser performs key exchange using RSA encryption.
- The web console sends data to the Web server using RC4 encryption.
- Select a Computer Identification Method
If the server computer is identified by the IP address and you change its IP address, then the OfficeScan server and clients will not be able to communicate. The only way to restore communications is to redeploy all the clients. The same situation applies if the server computer is identified by a domain name and you change its domain name.
In most networks, the server computer's IP address is more likely to change than its domain name. Therefore, it is usually preferable to identify the server computer by a domain name. Changing the IP address is also not recommended if OfficeScan obtains the IP address from a DHCP server.
If you use static IP addresses, identify the server by its IP address. In addition, if the server computer has multiple network interface cards (NICs), consider using one of the IP addresses instead of the domain name to ensure successful client-server communication.
- Register the product and obtain the Activation Keys
- Choose to install the Integrated Smart Scan Server
The OfficeScan Smart Protection Network (SPN) solutions make use of lightweight patterns that work together to provide the same protection provided by conventional anti-malware and anti-spyware patterns. These patterns are from the Trend Micro Active Update server and are made available to Smart Protection Servers and the OfficeScan server.
A Smart Protection Server hosts the Smart Scan Pattern, which is updated hourly and contains majority of the pattern definitions. Smart scan clients do not download this pattern. Clients verify potential threats against the pattern by sending scan queries to the Smart Protection Server.
Install several standalone Smart Protection Servers for failover purposes. A standalone Smart Protection Server is also available for installation on a VMware server. The standalone server has the same functions and capabilities as the integrated server. It has a separate management console and is not managed from the OfficeScan web console.
You can refer to the Trend Micro Smart Protection for OfficeScan Getting Started Guide for more information on the standalone server.
Note: Because the integrated Smart Protection server and the OfficeScan server run on the same computer, the computer's performance may reduce significantly during peak traffic for the two servers.
- Antivirus
- Web Reputation and Anti-spyware
If you do not activate the licenses, you can still install the integrated Smart Protection server, but the clients will not be able to use smart scan or connect to any Smart Protection server.
Contact your Trend Micro representative for license and activation concerns.
Clients can connect to the integrated Smart Protection server using HTTP and HTTPS protocols. HTTPS allows for a more secure connection, while HTTP uses less bandwidth. The SSL port number used for secure connections depends on the web server (Apache or IIS) that you want to use for the OfficeScan server.
OfficeScan Web Server Settings | OfficeScan Server SSL Port | Integrated Smart Protection Server SSL Port |
Apache web server SSL enabled | 4343 | 4343 |
Apache web server SSL disabled | N/A | 4345 |
IIS default website SSL enabled | 443 | 443 |
IIS default website SSL disabled | N/A | 443 |
IIS virtual website SSL enabled | 4343 | 4345 |
IIS virtual website SSL disabled | N/A | 4345 |
If clients connect to the integrated server through a proxy server, you need to configure the internal proxy settings from the web console.
Refer to the Administrator's Guide for more information on how to configure the proxy settings.
- Choose to install the Integrated Web Reputation Service
Web Reputation Service (WRS) evaluates the potential security risk of all the requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, Web Reputation either blocks or approves the request. The Integrated Smart Protection Server automatically installed with the OfficeScan server provides this service.
By enabling the integrated Web Reputation Service, OfficeScan clients will send queries locally instead of the Smart Protection Network. This can reduce overall bandwidth consumption.
If the listed port number is already in use by another application on your network, you can change it to a custom number before clicking Next.
- Indentify and validate the remote/multiple installation destinations
To specify the target computer(s):
UNC-type host name or IP address
You can also import the computer name(s) from a text file by clicking Import List. If you install to multiple computers simultaneously and all the computers pass the analysis, then Setup installs the OfficeScan server in the order by which they are listed in the text file.
In the text file, specify one computer name per line. Use UNC format. For example: \\ms - server - name or \\fqdn.company.com or file://192.168.0.12/.
Only these characters are allowed: a-z, A-Z, period (.), and hyphen (-).
Tips to ensure that remote installation can proceed:
- Make sure that you have administrator rights to the target computer
- Record the computer's hostname and log on credentials (username and password).
- Verify that the target computers meet the system requirements for installing the OfficeScan server.
- Ensure that the computer has Microsoft IIS server 5.0 or later if you are using this as the web server. If you chose to use Apache web server, then Setup
- Automatically installs this server if it is not present in the target computer.

When the setup program completes the analysis of all the targets, click Next.
- Install the additional software components
Select whether to install the OfficeScan client, policy server for Cisco NAC, and Cisco Trust Agent for Cisco NAC or not. Click Next.
The client program provides the actual protection against security risks. Therefore, to protect the OfficeScan server computer against security risks, it needs to have the client program. Choosing to install the client during server installation is a convenient way to ensure that the server is automatically protected. It also removes the additional task of installing the client after server installation.
Note: Install the client to other computers on the network after the server installation. Refer to the Administrator's Guide for the client installation methods.
Cisco Network Admission Control (NAC) Programs
Cisco NAC focuses on controlling security risks inside the network by enforcing admission privileges and antivirus and security policies. It allows client computers to communication with the network about security issues.
Similar to OfficeScan, Cisco NAC has a server component (Policy Server for Cisco NAC) and a client component (Cisco Trust Agent or CTA). To use Cisco NAC, you need to have Cisco routers that support it and you need to connect to the Cisco Admission Control Server (ACS).
Note: Cisco NAC programs are unavailable if you do not activate the Antivirus service. You cannot install/upgrade the Policy Server or CTA when performing a remote server installation.
After performing a remote installation, install the CTA to clients from the OfficeScan management console, and the Policy Server by running the Policy Server installer from the OfficeScan Setup package. Refer to the Administrator's Guide for more information about Cisco NAC.
Access the Policy Server installer form the OfficeScan setup package.
If you select this option during server installation, the OfficeScan server automatically installs CTA to all clients that the server will manage. In the next screen, Setup prompts you whether to install Cisco Trust Agent or Cisco Trust Agent Supplicant. The only difference between the two versions is that the Supplicant package provides layer 2 authentication for the computer and end user.
If you do not select this option, you can still install CTA to clients from the management console (Cisco NAC > Agent Deployment). However, you need to do this every time a new client is added to the server. Refer to the OfficeScan Server Help for information on installing CTA from the management console.
- Participate in the Smart Feedback Program
Your protection is automatically updated and strengthened as more products, services and users access the network, creating a real-time neighborhood watch protection service for its users. The smart protection network solution leverages Smart Protection Network for in-the-cloud protection.
For example, routine reputation checks sent to Trend Micro Smart Protection Network.
By continuously processing the threat intelligence gathered through its extensive global network of customers and partners, Trend Micro delivers automatic, real-time protection against the latest threats and provides "better together" security. This is much like an automated neighborhood watch that involves the community in protection of others.T
he privacy of a customer's personal or business information is always protected because the threat information gathered is based on the reputation of the communication source.
Trend Micro Smart Feedback is designed to collect and transfer relevant data from clients' Trend Micro Smart Protection Server to Trend Micro back-end server side. This is so that further analysis can be conducted, and consequently, advanced solutions can evolve and be deployed to protect clients.
- Set the console and client-install/uninstall passwords.
- Access the management console
Specify a password known only to you and other OfficeScan administrators. If you forgot the password, contact your support provider for assistance in resetting the password
- Unload and uninstall the OfficeScan client
- Specify the Client Install Path, Listening Port and Security Level
Accept the default client installation settings or specify a different client installation path. Change the path if there is insufficient disk space on the installation directory. Trend Micro recommends using the default settings.
When specifying a different installation path, type a static path or use variables. If the path you type includes a directory that does not exist on the client, Setup creates the directory automatically during client installation.
To type a static client installation path, type the drive path, including the drive letter. For example, C:\Program Files\Trend Micro\OfficeScan Client.
Note: You can no longer modify the client installation path once you are finished installing the OfficeScan server. All the OfficeScan clients that will be installed will use the same installation path.
$BOOTDISK: The drive letter of the hard disk that the computer boots from (by default is C:\).
$WINDIR: The Windows directory (by default C:\Windows)
$ProgramFiles: The Program Files directory automatically set up in Windows and usually used for installing software (by default C:\Program Files).
Port number: Setup randomly generates this port number, which the OfficeScan server uses to communicate with clients. You can specify a different port number.
Client security level: After installing OfficeScan, you can change the security level from the OfficeScan console (Networked Computers > Client Management > Settings >Privileges and Other Settings > Other Settings)
- Normal: Allows clients read/write access to the OfficeScan client folders, files, and registries on client computers.
- High: Restricts clients from accessing OfficeScan client folders, files, and registries (default). If you select High, the access permissions settings of the OfficeScan folders, files, and registries are inherited from the Program Files folder.
- Enable or disable the Client Firewall
The OfficeScan firewall protects clients and servers on the network using stateful inspections, high performance network virus scans, and elimination.
Create rules to filter connections by IP address, port number, or protocol, and then apply the rules to different groups of users. You can choose to disable the firewall and enable it later from the OfficeScan server web console.
You have the option to enable the firewall on server platforms. If the server platform already enables the firewall service, select this option to ensure that OfficeScan does not disable the firewall service. - Select whether to temporarily assess the anti-spyware feature or not.
When in assessment mode, all clients managed by the server will log spyware/grayware detected during Manual Scan, Scheduled Scan, Real-time Scan, and Scan Now, but will not clean spyware/grayware components. Cleaning terminates processes or deletes registries, files, cookies, and shortcuts.
Trend Micro provides assessment mode to allow you to evaluate items that Trend Micro detects as spyware/grayware and then configure the appropriate action based on your evaluation. For example, detected spyware/grayware that you do not consider a security risk can be added to the spyware/grayware approved list.
After the installation, refer to the Administrator's Guide for some recommended actions to take during assessment mode.
Configure the assessment mode to take effect only for a certain period of time by specifying the number of weeks in this screen. After the installation, you can change assessment mode settings from the web console (Networked Computers > Global Client Settings > Spyware/Grayware Settings). - Web Reputation PolicyWeb reputation policies dictate whether OfficeScan will block or allow access to awebsite.Selecting Enable web reputation policy enables policies for internal and external clients installed on desktop platforms, such as Windows XP, Vista, and 7. Select Enable web reputation policy on server platforms if server platforms, such as Windows Server 2003 and Windows Server 2008, require the same level of web threat protection as desktop platforms.Clients use the location criteria you have set in the web console’s Computer Location screen to determine their location and the policy to apply. Clients switch policies each time the location changes.You can configure web reputation policy settings from the web console after installation. OfficeScan administrators typically configure a stricter policy for external clients.Web reputation policies are granular settings in the OfficeScan client tree. You can enforce specific policies to client groups or individual clients. You can also enforce a single policy to all clients.If you enable web reputation policies, be sure to install Smart Protection Servers (integrated or standalone) and add them to the smart protection source list on the OfficeScan web console. Clients send web reputation queries to the servers to verify the safety of websites that users are accessing.
- Specify the Programs Folder for shortcuts.
Accept the default folder name or specify a new one. You can also select an existing folder to which Setup adds the program shortcuts. - Review the Installation Configuration
This screen provides a summary of the installation settings. Review the installation information and click Back to change any of the settings or options. To start the installation, click Install. - Policy Server for Cisco NAC InstallerThis screen displays when installing Policy Server for Cisco NAC. The settings and options on the Policy Server installation screens that display are similar to most settings specified during OfficeScan server installation.
- License Agreement: Accept the terms of the license agreement to proceed.
- Installation Path: Accept the default installation path or specify a location on the local computer where Policy Server installs.
- Web Server: Specify whether to use an IIS or Apache web server
- Web Server Configuration: Specify settings for the selected web server.OfficeScan 10.6 SP2 Installation and Upgrade Guide
- Web Console Password: Specify the password to access the Policy Server console. The console is separate from the OfficeScan server console, although administrators can launch the console from OfficeScan.
- ACS Server Authentication: An ACS server receives OfficeScan client antivirus data from the client through the Network Access Device and passes it to an external user database for evaluation. Later in the process, the ACS server also passes the result of the evaluation, which may include instructions for the OfficeScan client, to the Network Access Device.
- Installation Information: Review the installation information
- Complete the installation. the "Installation Complete" notification appears once you are done installing the server.
You will also be given the options to:- View the Readme file.
- Open the web-based management console.
Select the action(s) that you want to take and then click Finish.
Note: The options above are not available for remote installation. In this case, click OK when the installation has been completed. - If the installation fails, refer to this article: Best practices and troubleshooting OfficeScan server installation and upgrade. If the issue persists, collect the following and submit them to Trend Micro Technical Support.
- Copy of System Information. To generate this:
- Go to Start > Programs > Accessories > System Tools > System Information.
- Click Files > Save. Save it in *NFO format.
- Copy of Application and event logs in *.EVT format
- Copy of %windir%\OFCMAS.log
- Screenshot of the error
- Copy of System Information. To generate this: