Importing multiple IPs into the user-defined IP list of OfficeScan

The data of user-defined IP list is stored in the ncieException.ini file located in C:\program files\trendmicro\officescan\PCCSRV\Admin folder under the OSCE server. From the server, the list is deployed to all the clients through the nciecp file in the OSCE client folder (C:\program files\trend micro\officescan client).

When you open the ncieException.ini file, you will see that each IP has four (4) lines indicating the following: IP, comments, description field, and unique GUID. Upon reaching the client, the ncieecp file will only have one line per IP.

The default limit for the approved and blocked list is 500 each. You can increase these limits with no negative side effects.

Both user-defined and global IP list have two actions by default: Block and Log. The traffic will only be blocked if the IP is included in the IP list and the action is Block.

The following are the possible scenarios which are considered as suspicious connection:

• Suspicious IP connection in Global/user-defined IP list
• Suspicious behavior with commands from suspicious server, such as malware downloading, which can be detected by our global pattern

To import multiple IPs, use the GenIPListTool.zip file. The file contains the following:

• GenIPListTool.exe which is the script to automate it
• test.txt which is a test file with the format of sample IPs
• ncieexception.ini which is the output file of the tool but this is not the final product

To use the GenIPListTool.zip file:

1. Extract the GenIPListTool.exe file to the machine.
2. Copy the wile with 1000 IPs listed. You can edit this file to make it similar with the test.txt file.
3. Paste the IP list file in the same folder where the GenIPListTool.exe is located.
4. Open a command prompt and go to the folder location of the tool.

5. Run the following command including the angle brackets:

    

   Replace the "inputfilename" and "outputfilename" with the actual names of your files.

   GenIpListTool.exe < inputfilename > outputfilename

6. Press ENTER and wait for it to finish.

    

   If the process loads too long and does not finish, there might be a typographical error in the command.
7. Open the output file, and then copy all the lines from it.
8. Stop the OfficeScan Master service.
9. Back up the ncieException.ini file in the OfficeScan server (C:\program files\trend micro\officescan\PCCSRV\Admin), and then open the file.
10. Under the Blocked list section, edit the "limit=500" to the number of IPs to be blocked.
11. Overwrite or add all the lines from the output file you open in Step 7.
12. Save and close the file.
13. Restart the OfficeScan Master service.
14. Open the OfficeScan console and check the user-defined IP list. All 1000 IPs should be present.
15. Perform an update to some clients and wait for a few minutes.
16. Check an OfficeScan client to verify if the ncieecp file in C:\program files\trend micro\officescan client folder also contains the 1000 IPs. This should shows one line per IP. The client is now following the user-defined IP list.