Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

OfficeScan XG and OfficeScan as a Service Feature Testing

    • Updated:
    • 10 May 2018
    • Product/Version:
    • OfficeScan as a Service All.All
    • OfficeScan XG.All
    • Platform:
    • Windows 10
    • Windows 2008 32-Bit
    • Windows 2008 64-Bit
    • Windows 2012
    • Windows 2012 Server R2
    • Windows 2016
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows 8.1 32-Bit
    • Windows 8.1 64-Bit
    • Windows Server 2012 32-Bit
    • Windows Server 2012 64-Bit
Summary

Learn how to evaluate the following modules of OfficeScan:

  • Anti-Malware
  • Web Reputation Services
  • Update
  • Scan
  • Predictive Machine Learning
  • Two-Factor Authentication (OSaaS Only)
  • Cloud Sync Protection
Details
Public

OfficeScan as a Service Agent System Requirements

Download and view the Office Scan as a Service Agent System Requirements documentation.

 
  • OfficeScan agent will not support Windows Vista.
  • Ensure that the agent endpoints can communicate with the server through port 443 and port 80.

OfficeScan as a Service browser support

ItemMinimum Specifications
Web Console 
Web browser
  • Microsoft™ Internet Explorer™ 11.0 (32 and 64 bit), Edge
  • Google Chrome
DisplayA high-color display with resolution of 1366 x 768 or higher

AD Synchronization Agent

ItemMinimum Specifications
OS
  • l Windows 7 SP1 (32/64 bit) and above
  • l Windows Server 2008 R2 SP1 (64bit) and above
CPU1 GHz
RAM512 MB
DISK4.5 GB
Network
  • Open outbound 443 port (For AD sync agent connects to TMCM server).
  • Can connect to both Office Scan as a service server and Active Directory server.
OtherMicrosoft .NET Framework 4.6.1
  1. Log into the OfficeScan Web Console.
  2. Go to Administration > Settings > Proxy.
  3. Configure the proxy settings for Server and/or Agents then click Save.

    For Server

    Configure Proxy settings for Server - On Prem

    For Agent

    Configure Proxy settings for Agents - On Prem

  1. Log in to the OfficeScan as a Service console.
  2. Go to Administration > Managed Servers > Server Registration.
  3.  From the Server Type drop-down list, select OfficeScan.

    Choose OfficeScan as Server type

  4. Click the OfficeScan Server URL link to log in using single-sign-on to the OfficeScan server console.
  5. Go to Administration > Settings > Proxy.
  6. Configure the proxy settings for Server and/or Agents then click Save.

    For Server

    Configure Proxy Settings for Server - Cloud

    For Agent

    Configure Proxy Settings for Agents - Cloud

Test requirements

Before testing this module, make sure you have the following:

  • One or more physical or virtual machines (VMs) protected by an OfficeScan Agent.

Test procedure for anti-malware

  1. Activate a physical or virtual machine with OfficeScan Agent installed.
  2. Download the EICAR test file on the virtual machine.

    The file should be quarantined.

    File should be quarantined

  3. Click on the number next to the detection or on the OfficeScan Agent, click Logs.

    Click on the number next to detection

  4. Verify the detection showing in the agent logs.

    Verify the detection

  5. On the OfficeScan Web Console, go to Logs > Agents > Security Risks to verify the record of the malware detection.

    1. Select the Server, group, or navigate to and select the individual agent.
    2. Choose View Logs > Virus/Malware Logs.

      Click Virus Malware Logs

    3. Choose an appropriate time frame. For this test, the default of Last 7 days is acceptable then click Display Logs.

      Virus malware Log Criteria

    4. Verify the detection log.

      Verify detection log

  6. Set up a scheduled scan.

    1. On the OfficeScan Web console, go to Agents > Agent Management.
    2. Select Server, group, or test endpoint.
    3. Click Settings > Scan Settings > Scheduled Scan Settings.
    4. Select Enable virus/malware scan then click Save.

      Enable virus malware scan

    5. Open the Agent on the endpoint.
    6. Click the padlock icon to unlock the Agent then click the gear icon to open Settings.

      Unlock the agent and open Settings

    7. On the Protection tab, select Scheduled Scan from the drop-down and confirm that it has been enabled.

      Select Scheduled Scan

  7. Demonstrate file exclusions.

    1. On the OfficeScan Web console, go to Agents > Agent Management.
    2. Select Server, group, or test endpoint.
    3. Go to Settings > Scan Settings > Real-Time Scan Settings.
    4. Go to the Scan Exclusion tab.
    5. Navigate to the Scan Exclusion List (Directories) and choose Add paths to from the drop-down list.
    6. Specify the path of the directory you want to exclude from the scan. For example, C:\Test Folder. Click the plus (+) button then Save.

      Scan Exclusion - Anti Malware On-Prem

    7. Open notepad.exe and type in the following:

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H

    8. Save the file in C:\Test Folder as eicar.com.

      The file should save successfully and show a size of 1 KB. Due to the exclusion, no detection should occur.

      File should save

    9.  Attempt to copy the file to another folder, such as C:\temp

      As the other folder is not excluded, the file should immediately be detected by OfficeScan and quarantined.

Test requirements

Before testing this module, make sure you have the following:

  • One or more physical or virtual machines (VMs) protected by an OfficeScan Cloud Agent.

Test procedure for anti-malware

  1. Activate a physical or virtual machine with OfficeScan Cloud Agent installed.
  2. Download the EICAR test file on the virtual machine. The file should be quarantined.

    File should be quarantined

  3. Click on the number next to the detection, or on the OfficeScan Agent, click Logs.

    Click on the number next to detection

  4. Verify the detection showing in the agent logs.

    Verify the detection

  5. On the OfficeScan as a Service console, go to Logs > Logs Query > Virus/Malware Detections.

    Choose additional filters if needed to narrow down results if product has been active for a while.

  6. After a few minutes you will be able to see the detection in the logs.

    View the detection in the logs

  7. Set up a scheduled scan.

    1. On the OfficeScan as a Service Web console, go to Policies > Policy Management  then click Create (verify OfficeScan Agent is selected as the product).

      We will be creating a single machine test policy to only apply to our test machine.

    2. Click Specify Targets > Select.

      Select Specify Targets

    3. Use Search to specify a machine, or use Browse to navigate to the machine and select it.

      Search and Browse tabs

    4. Expand Scheduled Scan Settings.
    5. Tick the Enable virus/malware scan checkbox.

      Select Enable virus malware scan

    6. Expand Privileges and Other Settings.
    7. Set the Unlock password for the agent.
    8. Click the Deploy button at the bottom of the page.
    9. Run a manual update on the agent located on the endpoint.
    10. Open the Agent on the endpoint.
    11. Click the padlock icon to unlock the Agent, then click the gear icon to open Settings.

      Unlock the agent and open Settings

    12. On the Protection tab, select Scheduled Scan from the drop-down list and confirm that it has been enabled.

      Select Scheduled Scan

  8. Demonstrate file exclusions.

    1. On the OfficeScan as a Service web console, re-open the Single-Machine Test policy by clicking on it.
    2. Expand Real-Time Scan Settings.
    3. Click the Scan Exclusion tab.
    4. Go to Scan Exclusion List (Directories).
    5. Specify the path of the directory you want to exclude from the scan. For example, C:\Test Folder. Then click the plus (+) button.

      configure Real-Time Scan Settings

    6. Click Deploy at the bottom of the page.
    7. Run a manual update on the agent located on the endpoint.
    8. Open the Agent on the endpoint.
    9. Unlock the Agent then open Settings.

      Unlock the agent and open Settings

    10. Select Real-Time Scan from the drop-down and confirm it has the exclusion.

      Select Real Time Scan

    11. On the Endpoint, open notepad.exe and type in the following:

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    12. Save the file in C:\Test Folder as eicar.com.

      The file should save successfully and show a size of 1 KB. Due to the exclusion, no detection should occur.

      File should save

    13. Attempt to copy the file to another folder, such as C:\temp

      As the other folder is not excluded, the file should immediately be detected by OfficeScan and quarantined.

Configure

  1. Log in to the OfficeScan Web Console.
  2. Go to Agents > Agent Management.
  3. Click the test agent, then choose Settings > Additional Service Settings.

    For the Browser Exploit Prevention portion of Web Reputation, Advanced Protection Service needs to be enabled.

    Advanced Protection Service

  4. Click Save.
  5. Click the test agent and this time go to Settings > Web Reputation Settings.
  6. Go to the External Agents tab:

    • Set the security level to Medium.
    • Enable Block pages containing malicious script.

      External Agents settings

    • Enable Allow agents to send logs to the OfficeScan Server.

      Enable Allow agents to send logs to the OfficeScan Server

  7. Go to the Internal Agents tab:

    • Verify Check HTTPS URLs is checked.
    • Verify Scan common HTTP ports only is unchecked.
    • Set security level to Low.
    • Enable Block pages containing malicious script.

      Internal Agents tab

    • Enable Allow agents to send logs to the OfficeScan Server.

      Enable Allow agents to send logs to the OfficeScan Server

  8. Click Save.
  9. Click Update Now on the test agent.

Test

  1. On the test agent open Internet Explorer.
  2. Go to Internet Options > Advanced and verify that Enable third-party browser extensions is enabled then click OK.

    Enable third party browser extensions

  3. Go to Internet Options > Programs > Manage Add-ons and verify that Trend Micro Osprey Plug-in and Trend Micro IE Protection are enabled.

    Trend Micro Osprey Plugin and Trend Micro IE Protection

  4. Click OK to close Internet Options.
  5. If Enable third-party browser extensions had to be enabled, restart Internet Explorer.
  6. Go to http://wrs21.winshipway.com.

    The browser should open a Website Blocked page and OfficeScan will pop up a Malicious URL notification.

    Malicious URL notification

  7. Go to https://wrs31.winshipway.com

    This time the connection is over HTTPS on port 443, however it should be blocked the same as before. This time however, the URL will change to reflect being blocked by the Osprey plug-in that handles HTTPS traffic.

    URL will change to reflect being blocked by the Osprey plugin

  8. On the OfficeScan Web Console, go to Logs > Agents > Security Risk.
  9. Choose the test agent, click View Logs > Web Reputation Logs > Display Logs.
  10. Review the log content and verify that the blocked URLs appear.

    Web Reputation Logs

Control Manager

  1. If OfficeScan is registered to a Control Manager server, wait 10 minutes then log into Control Manager.
  2. Go to Logs > Log Query.
  3. Choose Network Events > Web Violation.

    Web Violation

  4. Click on All Products and select Specified Products from the drop-down list. Click Type, select OfficeScan from the drop-down list and tick the OfficeScan as a Service checkbox. Click OK then click Search.

    Select OfficeScan

  5. Verify the logs have been added and display on the Control Manager.

    Verify the logs

Configure

  1. Log in to the OfficeScan as a Service Console.
  2. Go to Policies > Policy Management.
  3. Select OfficeScan Agent for the Product and click Create.

    Select OfficeScan Agent

  4. Name the policy "TEST_OSCE_Web_Policy".
  5. For Targets choose Specify Target(s) then click Select.
  6. Find and specify the test agent then click OK.
  7. Expand Additional Service Settings.
  8. Enable Advanced Protection Service for both Desktop and Server platforms.

    Enable Advanced Protection Service

  9. Expand Web Reputation Settings.

    • Go to the External Agents tab.

      • Set the security level to Medium.
      • Enable Block pages containing malicious script.

        External Agents tab

      • Enable Allow agents to send logs to the OfficeScan Server.

        Enable Allow agents to send logs to the OfficeScan Server

    • Go to the Internal Agents tab.

      • Verify that Check HTTPS URLs is checked.
      • Verify that Scan common HTTP ports only is unchecked.
      • Set security level to Low.
      • Enable Block pages containing malicious script.

        Internal Agents tab

      • Enable Allow agents to send logs to the OfficeScan Server.

        Enable Allow agents to send logs to the OfficeScan Server

  10. Click Deploy.
  11. Wait until it shows deployed or run Update Now on the agent.

Testing

  1. On the test agent, open Internet Explorer.
  2. Go to Internet Options > Advanced and verify that Enable third-party browser extensions is enabled.

    Enable third party browser extensions

  3. Go to Internet Options > Programs > Manage Add-ons then verify that Trend Micro Osprey Plug-in and Trend Micro IE Protection are enabled.

    Trend Micro Osprey Plugin and Trend Micro IE Protection

  4. Click OK to close Internet Options.
  5. If Enable third-party browser extensions had to be enabled, restart Internet Explorer.
  6. Go to http://wrs21.winshipway.com

    The browser should open a Website Blocked page, and OfficeScan will pop-up a Malicious URL notification.

    Malicious URL notification

  7. Go to https://wrs31.winshipway.com

    This time the connection is over HTTPS on port 443, however it should be blocked the same as before. This time however, the URL will change to reflect being blocked by the Osprey plug-in that handles HTTPS traffic.

    URL will change to reflect being blocked by the Osprey plugin

  8. Wait 10 minutes.
  9. From the OfficeScan as a Service console, click Logs > Log Query.
  10. Choose Network Events > Web Violation.

    Web Violation

  11. Click on All Products and select Specified Products from the drop-down list. Click Type, select OfficeScan from the drop-down list and tick the OfficeScan as a Service checkbox. Click OK then click Search.

    Select OfficeScan as a Service

  12. Verify and check the times and URL shown in the logs for the test agent.

    Check URL in logs_OfficeScan as a Service

Manually Update Agents

  1. Log in to the OfficeScan Web Console.
  2. Go to Updates > Agents > Manual Update.
  3. Under Target Agents, choose Manually Selected Agents then click Select.

    Manually Selected Agents

  4. Select OfficeScan Server to manually update on all endpoints then click Initiate Update.

    click Initiate Update

  5. Go to Updates > Summary and check the Notification Status to see the number of agents being notified and queued to be notified.

    check Notification Status

Configure what portions of OfficeScan Agent should update

  1. Go to Agents > Agent Management.
  2. Choose the groups or agents you want to configure.
  3. Click Settings > Privileges and Other Settings > Other Settings tab.
  4. Under Update Settings section, on the OfficeScan agents only update the following components dropdown list, select any of the following:

    • Pattern files
    • Pattern files, engines, drivers
    • All components (including hotfixes and agent program)

    The default setting is All components (including hot fixes and agent program).

    Update Settings section

  5. Click Save.
  6. After a few minutes go to one of the target endpoints.
  7. Open regedit.
  8. Go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.

    • Value of NoProgramUpgrade will be 1 for Pattern and Pattern files, engines, drivers. Value will be 0 if All components (including hotfixes and agent program) is selected.
    • Value of NoEngineUpgrade will be 1 for Pattern Files. Value will be 0 for Pattern files, engines, drivers and All components (including hotfixes and agent program).

Download new components and deploy to the OfficeScan Server

  1. Log in to the OfficeScan as a Service console.
  2. Go to Updates > Manual Update.
  3. Select only OfficeScan server in the Products drop-down list.

    Select only OfficeScan server

  4. On the Types drop-down list, unselect Program and then click Apply.

    Types dropdown

  5. Select Deploy to all selected managed products and Immediately then click Download Now.
  6. Deployment Plan

    A manual update bar will appear at the top of the screen

    manual update bar

  7. Click Administration > Command Tracking.

    A Manual Download will be listed and show successful and unsuccessful updates.

    A Manual Download is listed

  8. Click Dashboard > Compliance tab to check the status of the components.

Configure what portions of OfficeScan Agent should update

  1. Log in to the OfficeScan as a Service console.
  2. Go to Policies > Policy Management.
  3. Select OfficeScan Agent for the Product then click Create.
  4. Name the policy, select Specify Targets and add the target endpoints.
  5. Expand Privilege and Other Settings then go to Other settings.

    Privilege and Other Settings

  6. Under the Update Settings section, select any one of the items from the drop-down list:

    • Pattern files
    • Pattern files, engines, drivers
    • All components (including hotfixes and agent program)

    The default setting is All components (including hotfixes and agent program).

    Update Settings section

  7. Click Deploy.
  8. Go to one of the target endpoints.
  9. Open regedit.
  10. Go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.

    • Value of NoProgramUpgrade will be 1 for Pattern and Pattern files, engines, drivers. Value will be 0 if All components (including hotfixes and agent program) is selected.
    • Value of NoEngineUpgrade will be 1 for Pattern Files. Value will be 0 for Pattern files, engines, drivers and All components (including hotfixes and agent program).

Configure

  1. Log in to the OfficeScan Web Console.
  2. Go to Agents > Agent Management.
  3. Choose the test agent or domain, choose Settings > Predictive Machine Learning Settings.
  4. Configure the following Detection Settings:

    • File: Quarantine
    • Process: Terminate
     
    These are the default settings.

    Detection Settings

  5. Click Save.
  6. To verify prerequisite services, again choose Settings > Additional Service Settings.
  7. Under Unauthorized Change Prevention Service, verify it is enabled for the required platforms (not enabled for Servers by default).
  8. Under Advanced Protection Service, verify it is enabled for the required platforms (not enabled for Servers by default).
  9. Click Save.

    Additional Service Settings

Agent Procedure

  1. After update has ran, run "taskmgr.exe" on the machine.
  2. Verify that TMBMSRV.exe and TMCCSF.exe are running on the agent.

Logs

  1. On the OfficeScan Web Console go to Logs > Agents > Security Risks.
  2. Click View Logs > Predictive Machine Learning Logs.

    Predictive Machine Learning Logs

  3. Click Display Logs.

    Display Logs

  4. Any detections will show here.

    View detections

Control Manager

  1. Open Control Manager.
  2. Logs > Logs Query.
  3. Select Security Logs > System Events > Detailed Predictive Machine Learning Information.

    Detailed Predictive Machine Learning Information

  4. Click on All Products and select Specified Products from the drop-down list. Click Directory then expand the Control Manager as a Service > Local folder. Select OfficeScan then click OK.

    choose OfficeScan

  5. Click Search.

    Click Search

Configure

  1. Log in to the OfficeScan as a Service Console.
  2. Go to Policies > Policy Management.
  3. Select OfficeScan Agent for the Product then click Create.
  4. Specify/Add Target machine(s).
  5. Expand the Predictive Machine Learning Settings section and configure the following Detection Settings:

    • File: Quarantine
    • Process: Terminate
     
    These are the default settings.

    Expand Predictive Machine Learning Settings

  6. Click Deploy.

Optional for servers:

To enable on Servers, the Unauthorized Change Prevention Service and the Advanced Protection Service will also need to be enabled for servers.

  1. On the same policy, Expand Additional Service Settings.
  2. Under the Unauthorized Change Prevention Service section, select Windows Server Platforms.
  3. Under the Advanced Protection Service section, select Windows Server Platforms.

    select Windows Server platforms

  4. Click Deploy.

Agent Procedure

  1. After policy has deployed, run "taskmgr.exe" on the machine.
  2. Verify that TMBMSRV.exe and TMCCSF.exe are running on the agent.

Logs

  1. Log in to the OfficeScan as a Service console.
  2. Go to Logs > Log Query.
  3. Select Security Logs > System Events > Detailed Predictive Machine Learning Information.

    Detailed Predictive Machine Learning Information

  4. Click on All Products and select Specified Products from the drop-down list. Click Directory then expand the Control Manager as a Service > Local folder. Select OfficeScan then click OK.

    choose OfficeScan

  5. Click Search.

    Click Search

  6. Go to Directories > Users/Endpoints.
  7. In Advanced Search Criteria, specify the following then click Search:

    • Users
    • Threat Type
    • Predictive Machine Learning Logs

    Click Advanced

    Select Predictive Machine Learning Logs

  8. Click the number in the Threats column for a user (only if threats have been found).
  9. Click View.

Configure

  1. Open the OfficeScan as a Service Web Console.
  2. Go to Administration > Account Management > User Accounts.
  3. Create a new account or open an existing account.
  4. Configure email address for the added user account then click Next.

    Go to User Accounts

  5. Return to Administration > Account Management > User Accounts.
  6. Click Enable Two-Factor Authentication and click Enable on the pop-up screen.

    Enable Two Factor Authentication

    Click Enable

  7. The link will change to Disable Two-Factor Authentication.

    Disable Two-Factor Authentication

    All users added in "User Accounts" will receive Two-Factor instructions via email. This will generally take 5 -1 0 minutes.

  8. Open Google Authenticator, or another compatible two-factor app and scan the QR code in the received email.

    Open a compatible two factor app

  9. Log off and open the OfficeScan as a Service log in page.
  10. Enter your credentials then click Login.
  11. Type the verification code generated from Google authenticator then click Submit.

Generate Emergency Code

  1. Open the OfficeScan as a Service log in page.
  2. Enter Credentials then click Login.
  3. Click Email me an emergency access code.
  4. Click Send Email.
  5. An email with an emergency access code will be sent.

    email with an emergency access code

  6. Type the access code received via email then click Submit.

Testing

  1. Have 2 machines - 1 with OfficeScan installed and 1 without protection.
  2. Configure Box or OneDrive on both machines to the same account.
  3. Move an EICAR or other test file to the sync folder on the unprotected server and wait for it to sync.
  4. The Agent will detect the test sample with a pop-up notification.

    test sample popup notification

  5. The virus detail logs on the agent display the detection and the Infection channel is "Cloud synchronization".
  6. The detection also appears on the Behavior Monitoring Log, Predictive Machine Learning Log, and Spyware/Grayware Log.

Threat Report

  1. Log in to the Control Manager web console.
  2. Go to Reports > One-time Reports.
  3. Click Add.
  4. Specify a Name and select Static Templates > Executive Summary.

    Executive Summary

  5. Choose the following report contents:

    • Top users with threats
    • Top endpoints with threats
    • Users and endpoints overview
    • Threat detections by channel and product
  6. Select Adobe PDF and click Next.
  7. Select OfficeScan as a Service for the Target.
  8. Click Next.
  9. Specify the time range.
  10. Click Finish.

    Select report content

 
 It may take some time for the report to generate.

Testing

  1. Have 2 machines - 1 with OfficeScan installed and 1 without protection.
  2. Configure Box or OneDrive on both machines to the same account.
  3. Move an EICAR or other test file to the sync folder on the unprotected server and wait for it to sync.
  4. The Agent will detect the test sample with a pop-up notification.

    test sample popup notification

  5. The virus detail logs on the agent display the detection and the Infection channel is "Cloud synchronization".
  6. The detection also appears on the Behavior Monitoring Log, Predictive Machine Learning Log, and Spyware/Grayware Log.

Threat Report

  1. Log in to the OfficeScan as a Service web console.
  2. Go to Reports > One-time Reports.
  3. Click Add.
  4. Specify a Name and select Static Templates > Executive Summary.

    Executive Summary

  5. Choose the following report contents:

    • Top users with threats
    • Top endpoints with threats
    • Users and endpoints overview
    • Threat detections by channel and product
  6. Select Adobe PDF and click Next.
  7. Select OfficeScan as a Service for the Target.
  8. Click Next.
  9. Specify the time range.
  10. Click Finish.

    Select report content

 
It may take some time for the report to generate.
Premium
Internal
Rating:
Category:
Update
Solution Id:
1119763
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.