Installing an OfficeScan 10.6 server

Before installing the OfficeScan 10.6 software, make sure that the Microsoft Management Console or MMC is closed.

Open the Windows Task Manager.
Look for the mmc.exe process.
Click the mmc.exe process to highlight it and then click the End Process button.

To install the OfficeScan 10.6 server:

Locate and launch the Setup program.
1. You can do choose to:
- Insert the OfficeScan CD installer; or
- Download and extract the installer file from the Download Center.
1. Launch the setup.exe file
  After the installation program is unpacked and started, the Welcome screen appears. Click Next on this screen to continue.
Accept the Software License Agreement.
1. Select I accept the terms of the license agreement and then click Next.
Review the installation requirements and Access Usage Guides.
1. Client Deployment
  
  There are several methods for installing or upgrading the OfficeScan clients. This screen lists the different deployment methods and approximate network bandwidth needed. These measurements will change if the OfficeScan server is updated because the OfficeScan components currently available in the server will be included in the client installation package.
2. Usage Guide
  
  If you are upgrading to this version of OfficeScan, Trend Micro recommends creating a backup of the OfficeScan database from the OfficeScan management console. The OfficeScan server database contains all the settings, including scan settings and privileges. When creating the database backup, OfficeScan automatically defragments the databases and repairs any possible corruption in the index file.

You can refer to this Knowledge Base article for more details: Important files to back up before upgrading to OfficeScan 10/10.5.

You can also use Control Manager (TMCM) to back up or replicate the server settings. Use these server settings to either restore the OfficeScan server if any issue occurs during upgrade, or to copy the server settings to another OfficeScan server.

You can refer to the Control Manager Administrator's Guide for more information.

To start the analysis, click Analyze. Setup may require you to provide the administrator username and password used to log on to the target computer. After the analysis, Setup displays the result in the screen.

OfficeScan Server Settings

After reviewing the information on each of these pages, click Next to proceed.

Select an installation destination.
You will be prompted for an installation destination. You may select from two locations:
1. On this computer
2. To a remote computer or multiple computers simultaneously
  After selection an option, click Next.
Select whether to pre-scan target computer(s) or not.

You can choose to scan the target computer for security risks before installing the software. The Setup will scan for virus/malware, spyware/grayware, and Trojan programs. However, pre-scanning only scans the most vulnerable areas of the computer. These include:
- Boot area and boot directory (for boot viruses)
- Windows folders
- Program Files folder

The Setup can perform the following actions against detected virus/malware and Trojan horse programs:

Delete - Deletes an infected file.
Clean - Cleans a cleanable file before allowing full access to the file, or lets the specified next action handle an uncleanable file.
Rename - Changes the infected file's extension to "vir". Users cannot open the file initially, but can do so if there associate the file with a certain application. Virus/Malware may execute when opening the renamed infected file.
Pass - Allows full access to the infected file without doing anything to the file. A user may copy/delete/open the file.

If you are performing a local installation, scanning occurs when you click Next.

If you are performing a remote installation, scanning occurs right before the actual installation.

Specify an Installation Path.
Accept the default installation path or specify a new one. Click Next to continue.
Enable/Specify the Proxy Server Configuration.
The OfficeScan server uses HTTP for client-server communication and for downloading updates from the Trend Micro Active Update server.

If your OfficeScan server will need to use a proxy server to access the Internet, you can enter your proxy settings as part of the installation configuration. You may also enter or change these settings using the OfficeScan management console after the installation.

If your network does not require a proxy server configuration, leave the option box unmarked and then click Next.

OfficeScan 10.6 Proxy Server Configuration

Select/Configure the Web Server Options
The OfficeScan web server hosts the web console, allows the administrator to run the Common Gateway Interfaces (CGIs), and accepts commands from clients. The web server coverts these commands to client CGIs and forwards them to the OfficeScan Master Service.

If the Setup detects both IIS and Apache Web servers installed on the target computer, you may choose between the two web servers. If neither exists on the target machine, you cannot select IIS. OfficeScan server will automatically install Apache Web Server 2.0.63.

Apache Web Server

Apache web server 2.0.x is required and can only be used on Windows XP, 2003, and 2008. If Apache web server exists on the computer, but is not in version 2.0.x, then OfficeScan will install using version 2.0.63. The existing Apache web server will not be removed.

When enabling SLL and Apache web server 2.0.x, the Apache web server must have the SSL settings preconfigured.

By default, the administrator account is the only account created on the Apache web server.

Note: Trend Micro recommends creating another account from which to run the server. Otherwise, the OfficeScan server may be compromised if a malicious hacker takes control of the Apache server.

Before installing the Apache web server, refer to the Apache website for the latest information on upgrades, patches, and security issues.

IIS Web Server

Microsoft Internet Information Server (IIS) version 6.0 for Windows Server 2003, version 7.0 for Windows Server 2008, version 7.5 for Windows Server 2008 R2.

Do not install the web server on a computer running IIS-locking applications because this can prevent a successful installation. see the IIS documentation for more information.

HTTP Port

The web server listens for client requests on the HTTP port and forwards these requests to the OfficeScan Master Service. This service returns information to clients at the designated client communication port. Setup randomly generates the client communication port number during installation.

OfficeScan uses the same port number that the HTTP server uses for TCP traffic. In many organizations, this port is 80 or 8080. The OfficeScan default port is 8080.

If you enable SSL, OfficeScan uses the SSL port (4343 by default) instead of the HTTP port.

SSL Port

Enable the Secure Sockets Layer (SSL) if you want a secure communication between the web console and the server. SSL provides an extra layer of protection against hackers. Although OfficeScan encrypts the passwords specified on the web console before sending them to the OfficeScan server, hackers can still sniff the packet and, without decrypting the packet, "replay" it to gain access to the console. SSL tunneling prevents hackers from sniffing packets traversing the network.

The SSL version used depends on the version that the web server supports.

When you select SSL, Setup automatically creates an SSL certificate, which is a requirement for SSL connections. The certificate contains server information, public key, and private key.

Each SSL certificate has a validity period of three years. The administrator can still use the certificate after it expires. However, a warning message appears every time the SSL connection is invoked using the same certificate.

This is how the communication through SSL works:

The administrator sends information from the web console to the web server through SSL connection.
The web server responds to the web console with the required certificate.
The browser performs key exchange using RSA encryption.
The web console sends data to the Web server using RC4 encryption.

RSA encryption is more secure, but it can slow down the communication flow. Therefore, it is only used for key exchange, and RC4, a faster alternative, is used for data transfer.

Select a Computer Identification Method

Specify if the OfficeScan clients will identify the server computer by its domain name or IP address.

If the server computer is identified by the IP address and you change its IP address, then the OfficeScan server and clients will not be able to communicate. The only way to restore communications is to redeploy all the clients. The same situation applies if the server computer is identified by a domain name and you change its domain name.

In most networks, the server computer's IP address is more likely to change than its domain name. Therefore, it is usually preferable to identify the server computer by a domain name. Changing the IP address is also not recommended if OfficeScan obtains the IP address from a DHCP server.

If you use static IP addresses, identify the server by its IP address. In addition, if the server computer has multiple network interface cards (NICs), consider using one of the IP addresses instead of the domain name to ensure successful client-server communication.

Note: If you have already registered and have received the Activation Codes, then skip this step.

OfficeScan 10.6 Product Activation

If you do not have the Activation Codes, click Register Online. Setup will direct you to the Trend Micro registration web site.

If you already have the Activation Codes, continue with the installation process and specify the codes. The Activation Codes are case-sensitive.

OfficeScan 10.6 Enter Activation Code

Choose to install the Integrated Smart Scan Server

The OfficeScan Smart Protection Network (SPN) solutions make use of lightweight patterns that work together to provide the same protection provided by conventional anti-malware and anti-spyware patterns. These patterns are from the Trend Micro Active Update server and are made available to Smart Protection Servers and the OfficeScan server.

A Smart Protection Server hosts the Smart Scan Pattern, which is updated hourly and contains majority of the pattern definitions. Smart scan clients do not download this pattern. Clients verify potential threats against the pattern by sending scan queries to the Smart Protection Server.

Install several standalone Smart Protection Servers for failover purposes. A standalone Smart Protection Server is also available for installation on a VMware server. The standalone server has the same functions and capabilities as the integrated server. It has a separate management console and is not managed from the OfficeScan web console.

You can refer to the Trend Micro Smart Protection for OfficeScan Getting Started Guide for more information on the standalone server.

Note: Because the integrated Smart Protection server and the OfficeScan server run on the same computer, the computer's performance may reduce significantly during peak traffic for the two servers.

To reduce the traffic directed to the OfficeScan server computer, assign a standalone Smart Protection server as the primary scan source and the integrated server as a backup source. Refer to the Administrator's Guide for information on how to configure scan sources for the clients.

Licenses

Activate the licenses for the following services to use smart scan

Antivirus
Web Reputation and Anti-spyware

If you do not activate the licenses, you can still install the integrated Smart Protection server, but the clients will not be able to use smart scan or connect to any Smart Protection server.

Contact your Trend Micro representative for license and activation concerns.

Client Connection Protocols

Clients can connect to the integrated Smart Protection server using HTTP and HTTPS protocols. HTTPS allows for a more secure connection, while HTTP uses less bandwidth. The SSL port number used for secure connections depends on the web server (Apache or IIS) that you want to use for the OfficeScan server.

SSL port numbers for the OfficeScan server and integrated Smart Protection server:

OfficeScan Web Server Settings	OfficeScan Server SSL Port	Integrated Smart Protection Server SSL Port
Apache web server SSL enabled	4343	4343
Apache web server SSL disabled	N/A	4345
IIS default website SSL enabled	443	443
IIS default website SSL disabled	N/A	443
IIS virtual website SSL enabled	4343	4345
IIS virtual website SSL disabled	N/A	4345

If clients connect to the integrated server through a proxy server, you need to configure the internal proxy settings from the web console.

Refer to the Administrator's Guide for more information on how to configure the proxy settings.

Choose to install the Integrated Web Reputation Service

In OfficeScan 10.6, WRS is automatically installed by default.

Web Reputation Service (WRS) evaluates the potential security risk of all the requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, Web Reputation either blocks or approves the request. The Integrated Smart Protection Server automatically installed with the OfficeScan server provides this service.

By enabling the integrated Web Reputation Service, OfficeScan clients will send queries locally instead of the Smart Protection Network. This can reduce overall bandwidth consumption.

If the listed port number is already in use by another application on your network, you can change it to a custom number before clicking Next.

Indentify and validate the remote/multiple installation destinations

Note: Skip this procedure if you chose On the computer on which have launched the setup program in Step 4.

To specify the target computer(s):
UNC-type host name or IP address

You may also click Browse to use Microsoft networking to search for and select computer(s).

You can also import the computer name(s) from a text file by clicking Import List. If you install to multiple computers simultaneously and all the computers pass the analysis, then Setup installs the OfficeScan server in the order by which they are listed in the text file.

In the text file, specify one computer name per line. Use UNC format. For example: \\ms - server - name or \\fqdn.company.com or file://192.168.0.12/.

Only these characters are allowed: a-z, A-Z, period (.), and hyphen (-).

Tips to ensure that remote installation can proceed:

Make sure that you have administrator rights to the target computer
Record the computer's hostname and log on credentials (username and password).
Verify that the target computers meet the system requirements for installing the OfficeScan server.
Ensure that the computer has Microsoft IIS server 5.0 or later if you are using this as the web server. If you chose to use Apache web server, then Setup
Automatically installs this server if it is not present in the target computer.

Do not specify the computer where you launched the Setup as a target computer. Instead, run a local installation on that computer. When you have specified the target computer(s), click Next. Setup checks if the computer(s) meet the OfficeScan installation requirements.

To start the analysis, click Analyze. Setup may require you to provide the administrator username and password used to log on to the target computer. After the analysis, Setup displays the result in the screen.

If you install to multiple computers, installation proceeds if at least one of the computers pass the analysis. Setup installs OfficeScan server to that computer and ignores the ones that did not pass the analysis.

During remote installation, the installation progress only displays in the computer where you launched Setup, and not on the target computer(s).

When the setup program completes the analysis of all the targets, click Next.

Install the additional software components

Select whether to install the OfficeScan client, policy server for Cisco NAC, and Cisco Trust Agent for Cisco NAC or not. Click Next.

The client program provides the actual protection against security risks. Therefore, to protect the OfficeScan server computer against security risks, it needs to have the client program. Choosing to install the client during server installation is a convenient way to ensure that the server is automatically protected. It also removes the additional task of installing the client after server installation.

Note: Install the client to other computers on the network after the server installation. Refer to the Administrator's Guide for the client installation methods.

If you are upgrading OfficeScan, the screen will not be displayed.

If a Trend Micro or a third-party endpoint security software is currently installed on the server computer, OfficeScan may or may not be able to automatically uninstall the software and replace it with the OfficeScan client. Contact your support provider for a list of software that OfficeScan automatically uninstalls. If the software cannot be uninstalled automatically, manually uninstall it before proceeding with the OfficeScan installation.

Cisco Network Admission Control (NAC) Programs

Cisco NAC focuses on controlling security risks inside the network by enforcing admission privileges and antivirus and security policies. It allows client computers to communication with the network about security issues.

Similar to OfficeScan, Cisco NAC has a server component (Policy Server for Cisco NAC) and a client component (Cisco Trust Agent or CTA). To use Cisco NAC, you need to have Cisco routers that support it and you need to connect to the Cisco Admission Control Server (ACS).

Note: Cisco NAC programs are unavailable if you do not activate the Antivirus service. You cannot install/upgrade the Policy Server or CTA when performing a remote server installation.

After performing a remote installation, install the CTA to clients from the OfficeScan management console, and the Policy Server by running the Policy Server installer from the OfficeScan Setup package. Refer to the Administrator's Guide for more information about Cisco NAC.

Policy Server for Cisco NAC

Like the OfficeScan web console, the Policy Server for Cisco NAC is a web-based console where you configure network admission policies. The Policy Server continuously verifies that client pattern files and scan engines are up-to-date.

You may run the OfficeScan server and Policy Server on the same computer and on the same default website, or install them on different computers. If you want to install them on the same computer, Setup can install them simultaneously during server installation or you can install the Policy Server later. If you want to install the Policy Server to another computer, run the Policy Server installer on that computer.

Access the Policy Server installer form the OfficeScan setup package.

Cisco Trust Agent (CTA) for Cisco NAC

CTA is a program hosted within the OfficeScan server and installed to clients. It enables the OfficeScan client to report antivirus information to Cisco ACS.

If you select this option during server installation, the OfficeScan server automatically installs CTA to all clients that the server will manage. In the next screen, Setup prompts you whether to install Cisco Trust Agent or Cisco Trust Agent Supplicant. The only difference between the two versions is that the Supplicant package provides layer 2 authentication for the computer and end user.

If you do not select this option, you can still install CTA to clients from the management console (Cisco NAC > Agent Deployment). However, you need to do this every time a new client is added to the server. Refer to the OfficeScan Server Help for information on installing CTA from the management console.

Participate in the Smart Feedback Program

The Trend Micro™ Smart Protection Network is a next-generation cloud-client content security infrastructure designed to protect customers from security risks and web threats. It powers both local and hosted solutions to protect users, whether they are on the network, at home, or on the go, using light-weight clients to access its unique in-the-cloud correlation of email, web and file reputation technologies, and threat databases.

Your protection is automatically updated and strengthened as more products, services and users access the network, creating a real-time neighborhood watch protection service for its users. The smart protection network solution leverages Smart Protection Network for in-the-cloud protection.

Smart Feedback

Trend Micro Smart Feedback provides communication between Trend Micro products and the company's 24/7 threat research centers and technologies. Each new threat identified through a single customer's routine reputation check automatically updates all of Trend Micro's threat databases, blocking any subsequent customer encounters of a given threat.

For example, routine reputation checks sent to Trend Micro Smart Protection Network.

By continuously processing the threat intelligence gathered through its extensive global network of customers and partners, Trend Micro delivers automatic, real-time protection against the latest threats and provides "better together" security. This is much like an automated neighborhood watch that involves the community in protection of others.T

he privacy of a customer's personal or business information is always protected because the threat information gathered is based on the reputation of the communication source.

Trend Micro Smart Feedback is designed to collect and transfer relevant data from clients' Trend Micro Smart Protection Server to Trend Micro back-end server side. This is so that further analysis can be conducted, and consequently, advanced solutions can evolve and be deployed to protect clients.

Set the console and client-install/uninstall passwords.

Specify the passwords to perform the following:

Access the management console

Setup creates a root account during installation. The root account has full access to all the OfficeScan management console functions. Logging on using this account also allows the administrator to create custom user accounts that other users can use to log on to the console. Users can configure or view one or several web console functions, depending on the access privileges for their accounts.

Specify a password known only to you and other OfficeScan administrators. If you forgot the password, contact your support provider for assistance in resetting the password

Unload and uninstall the OfficeScan client

Specify a password to prevent unauthorized uninstallation or unloading of the OfficeScan client. Uninstall or unload the client only if there are problems with client functions and promptly install/reload it.

Specify the Client Install Path, Listening Port and Security Level

Accept the default client installation settings or specify a different client installation path. Change the path if there is insufficient disk space on the installation directory. Trend Micro recommends using the default settings.

When specifying a different installation path, type a static path or use variables. If the path you type includes a directory that does not exist on the client, Setup creates the directory automatically during client installation.

To type a static client installation path, type the drive path, including the drive letter. For example, C:\Program Files\Trend Micro\OfficeScan Client.

Note: You can no longer modify the client installation path once you are finished installing the OfficeScan server. All the OfficeScan clients that will be installed will use the same installation path.

Use the following to specify variables for the client installation path:

$BOOTDISK: The drive letter of the hard disk that the computer boots from (by default is C:\).
$WINDIR: The Windows directory (by default C:\Windows)
$ProgramFiles: The Program Files directory automatically set up in Windows and usually used for installing software (by default C:\Program Files).

You should also configure the following on the same screen:

Port number: Setup randomly generates this port number, which the OfficeScan server uses to communicate with clients. You can specify a different port number.
Client security level: After installing OfficeScan, you can change the security level from the OfficeScan console (Networked Computers > Client Management > Settings >Privileges and Other Settings > Other Settings)

Normal: Allows clients read/write access to the OfficeScan client folders, files, and registries on client computers.
High: Restricts clients from accessing OfficeScan client folders, files, and registries (default). If you select High, the access permissions settings of the OfficeScan folders, files, and registries are inherited from the Program Files folder.

Enable or disable the Client Firewall

The OfficeScan firewall protects clients and servers on the network using stateful inspections, high performance network virus scans, and elimination.

Create rules to filter connections by IP address, port number, or protocol, and then apply the rules to different groups of users. You can choose to disable the firewall and enable it later from the OfficeScan server web console.

You have the option to enable the firewall on server platforms. If the server platform already enables the firewall service, select this option to ensure that OfficeScan does not disable the firewall service.
Select whether to temporarily assess the anti-spyware feature or not.

When in assessment mode, all clients managed by the server will log spyware/grayware detected during Manual Scan, Scheduled Scan, Real-time Scan, and Scan Now, but will not clean spyware/grayware components. Cleaning terminates processes or deletes registries, files, cookies, and shortcuts.

Trend Micro provides assessment mode to allow you to evaluate items that Trend Micro detects as spyware/grayware and then configure the appropriate action based on your evaluation. For example, detected spyware/grayware that you do not consider a security risk can be added to the spyware/grayware approved list.

After the installation, refer to the Administrator's Guide for some recommended actions to take during assessment mode.

Configure the assessment mode to take effect only for a certain period of time by specifying the number of weeks in this screen. After the installation, you can change assessment mode settings from the web console (Networked Computers > Global Client Settings > Spyware/Grayware Settings).
Web Reputation Policy

Web reputation policies dictate whether OfficeScan will block or allow access to a
website.
Selecting Enable web reputation policy enables policies for internal and external clients installed on desktop platforms, such as Windows XP, Vista, and 7. Select Enable web reputation policy on server platforms if server platforms, such as Windows Server 2003 and Windows Server 2008, require the same level of web threat protection as desktop platforms.

Clients use the location criteria you have set in the web console’s Computer Location screen to determine their location and the policy to apply. Clients switch policies each time the location changes.

You can configure web reputation policy settings from the web console after installation. OfficeScan administrators typically configure a stricter policy for external clients.

Web reputation policies are granular settings in the OfficeScan client tree. You can enforce specific policies to client groups or individual clients. You can also enforce a single policy to all clients.

If you enable web reputation policies, be sure to install Smart Protection Servers (integrated or standalone) and add them to the smart protection source list on the OfficeScan web console. Clients send web reputation queries to the servers to verify the safety of websites that users are accessing.
Specify the Programs Folder for shortcuts.

Accept the default folder name or specify a new one. You can also select an existing folder to which Setup adds the program shortcuts.
Review the Installation Configuration
This screen provides a summary of the installation settings. Review the installation information and click Back to change any of the settings or options. To start the installation, click Install.
Policy Server for Cisco NAC Installer

This screen displays when installing Policy Server for Cisco NAC. The settings and options on the Policy Server installation screens that display are similar to most settings specified during OfficeScan server installation.
- License Agreement: Accept the terms of the license agreement to proceed.
- Installation Path: Accept the default installation path or specify a location on the local computer where Policy Server installs.
- Web Server: Specify whether to use an IIS or Apache web server
- Web Server Configuration: Specify settings for the selected web server.OfficeScan 10.6 SP2 Installation and Upgrade Guide
- Web Console Password: Specify the password to access the Policy Server console. The console is separate from the OfficeScan server console, although administrators can launch the console from OfficeScan.
- ACS Server Authentication: An ACS server receives OfficeScan client antivirus data from the client through the Network Access Device and passes it to an external user database for evaluation. Later in the process, the ACS server also passes the result of the evaluation, which may include instructions for the OfficeScan client, to the Network Access Device.
- Installation Information: Review the installation information
Complete the installation. the "Installation Complete" notification appears once you are done installing the server.
You will also be given the options to:
- View the Readme file.
- Open the web-based management console.
Select the action(s) that you want to take and then click Finish.
Note: The options above are not available for remote installation. In this case, click OK when the installation has been completed.
If the installation fails, refer to this article: Best practices and troubleshooting OfficeScan server installation and upgrade.
If the issue persists, collect the following and submit them to Trend Micro Technical Support.
- Copy of System Information. To generate this:
  1. Go to Start > Programs > Accessories > System Tools > System Information.
  2. Click Files > Save. Save it in *NFO format.
- Copy of Application and event logs in *.EVT format
- Copy of %windir%\OFCMAS.log
- Screenshot of the error

Need More Help?

Installing the OfficeScan 10.6 server