OfficeScan XG Feature Testing

    • Updated: 24 Apr 2019
    • Product/Version: OfficeScan XG
    • Platform: Windows 10, Windows 2008 32-Bit, Windows 2008 64-Bit, Windows 2012, Windows 2012 Server R2, Windows 2016, Windows 7 32-Bit, Windows 7 64-Bit, Windows 8 32-Bit, Windows 8 64-Bit, Windows 8.1 32-Bit, Windows 8.1 64-Bit, Windows Server 2012 32-Bit, Windows Server 2012 64-Bit
Summary

Learn how to evaluate the following modules of OfficeScan:

  • Anti-Malware
  • Web Reputation Services
  • Update
  • Scan
  • Predictive Machine Learning
  • Two-Factor Authentication (OSaaS Only)
  • Cloud Sync Protection
Details
  1. Log in to the OfficeScan Web Console.
  2. Go to Administration > Settings > Proxy.
  3. Configure the proxy settings for Server and/or Agents, then click Save.

Test requirements

Before testing this module, make sure you have the following:

  • One or more physical or virtual machines (VMs) protected by an OfficeScan Agent.

Test procedure for anti-malware

  1. Activate a physical or virtual machine with OfficeScan Agent installed.
  2. Download the EICAR test file on the virtual machine.

    The file should be quarantined.

  3. Click the number next to the detection, or click Logs on the OfficeScan Agent.

  4. Verify the detection showing in the agent logs.

  5. On the OfficeScan Web Console, go to Logs > Agents > Security Risks to verify the record of the malware detection.

    1. Select the Server, group, or navigate to and select the individual agent.
    2. Choose View Logs > Virus/Malware Logs.

    3. Choose an appropriate time frame (for this test, the default of Last 7 days is acceptable), then click Display Logs.

    4. Verify the detection log.

  6. Set up a scheduled scan.

    1. On the OfficeScan Web console, go to Agents > Agent Management.
    2. Select Server, group, or test endpoint.
    3. Click Settings > Scan Settings > Scheduled Scan Settings.
    4. Select Enable virus/malware scan then click Save.

    5. Open the Agent on the endpoint.
    6. Click the padlock icon to unlock the Agent then click the gear icon to open Settings.

    7. On the Protection tab, select Scheduled Scan from the drop-down and confirm that it has been enabled.

  7. Demonstrate file exclusions.

    1. On the OfficeScan Web console, go to Agents > Agent Management.
    2. Select Server, group, or test endpoint.
    3. Go to Settings > Scan Settings > Real-Time Scan Settings.
    4. Go to the Scan Exclusion tab.
    5. Navigate to the Scan Exclusion List (Directories) and choose Add paths to from the drop-down list.
    6. Specify the path of the directory you want to exclude from the scan. For example, C:\Test Folder. Click the plus (+) button then Save.

    7. Open notepad.exe and type in the following:

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    8. Save the file in C:\Test Folder as eicar.com.

      The file should save successfully and show a size of 1 KB. Due to the exclusion, no detection should occur.

    9. Attempt to copy the file to another folder, such as C:\temp.

      As the other folder is not excluded, the file should immediately be detected by OfficeScan and quarantined.
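
The exclusion check in steps 7 to 9 can also be scripted on the test endpoint. The following PowerShell is an added example, not part of the original article or Trend Micro code; the function name, parameter names and timeout are assumptions, and the folder names are the ones used above.

```powershell
# Added example, not Trend Micro code. Folder names are the ones used in the
# steps above; the function and parameter names are hypothetical.
function Test-ScanExclusion {
    param(
        [string]$ExcludedDir    = 'C:\Test Folder',  # on the exclusion list
        [string]$ScannedDir     = 'C:\temp',         # not excluded
        [int]   $TimeoutSeconds = 30
    )
    # Standard 68-byte EICAR test string (single quotes keep $ literal).
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    New-Item -ItemType Directory -Path $ExcludedDir, $ScannedDir -Force | Out-Null
    $src = Join-Path $ExcludedDir 'eicar.com'
    $dst = Join-Path $ScannedDir  'eicar.com'

    # Step 8: write the file without a trailing newline, then give real-time
    # scan a moment to react before checking that the excluded copy survived.
    [System.IO.File]::WriteAllText($src, $eicar, [System.Text.Encoding]::ASCII)
    Start-Sleep -Seconds 5
    $survived = (Test-Path -LiteralPath $src) -and
                ((Get-Item -LiteralPath $src).Length -eq 68)

    # Step 9: copy into the scanned folder. The agent may deny the write
    # outright or quarantine the copy shortly afterwards; both count as a block.
    $denied = $false
    if ($survived) {
        try   { Copy-Item -LiteralPath $src -Destination $dst -ErrorAction Stop }
        catch { $denied = $true }
    }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Test-Path -LiteralPath $dst) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 1
    }
    $removed = -not (Test-Path -LiteralPath $dst)

    [pscustomobject]@{
        ExcludedCopySurvived = $survived
        CopyDeniedOnWrite    = $denied
        ScannedCopyRemoved   = $removed
        Pass                 = $survived -and $removed
    }
}

Test-ScanExclusion
```

Delete eicar.com from the excluded folder when the test is finished, since the exclusion keeps the agent from removing it.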

Configure Web Reputation Services

  1. Log in to the OfficeScan Web Console.
  2. Go to Agents > Agent Management.
  3. Click the test agent, then choose Settings > Additional Service Settings.

    For the Browser Exploit Prevention portion of Web Reputation, Advanced Protection Service needs to be enabled.

  4. Click Save.
  5. Click the test agent and this time go to Settings > Web Reputation Settings.
  6. Go to the External Agents tab:

    • Set the security level to Medium.
    • Enable Block pages containing malicious script.
    • Enable Allow agents to send logs to the OfficeScan Server.

  7. Go to the Internal Agents tab:

    • Verify Check HTTPS URLs is checked.
    • Verify Scan common HTTP ports only is unchecked.
    • Set security level to Low.
    • Enable Block pages containing malicious script.
    • Enable Allow agents to send logs to the OfficeScan Server.

  8. Click Save.
  9. Click Update Now on the test agent.

Test Web Reputation Services

  1. On the test agent open Internet Explorer.
  2. Go to Internet Options > Advanced, verify that Enable third-party browser extensions is enabled, then click OK.

  3. Go to Internet Options > Programs > Manage Add-ons and verify that Trend Micro Osprey Plug-in and Trend Micro IE Protection are enabled.

  4. Click OK to close Internet Options.
  5. If Enable third-party browser extensions had to be enabled, restart Internet Explorer.
  6. Go to http://wrs21.winshipway.com.

    The browser should open a Website Blocked page and OfficeScan will pop up a Malicious URL notification.

  7. Go to https://wrs31.winshipway.com.

    This time the connection is over HTTPS on port 443, but it should be blocked the same as before. The URL will also change to show that the page was blocked by the Osprey plug-in, which handles HTTPS traffic.

  8. On the OfficeScan Web Console, go to Logs > Agents > Security Risks.
  9. Choose the test agent, click View Logs > Web Reputation Logs > Display Logs.
  10. Review the log content and verify that the blocked URLs appear.

Control Manager

  1. If OfficeScan is registered to a Control Manager server, wait 10 minutes, then log in to Control Manager.
  2. Go to Logs > Log Query.
  3. Choose Network Events > Web Violation.

  4. Click on All Products and select Specified Products from the drop-down list. Click Type, select OfficeScan from the drop-down list and tick the OfficeScan as a Service checkbox. Click OK then click Search.

  5. Verify the logs have been added and display on the Control Manager.

Manually Update Agents

  1. Log in to the OfficeScan Web Console.
  2. Go to Updates > Agents > Manual Update.
  3. Under Target Agents, choose Manually Selected Agents then click Select.

  4. Select OfficeScan Server to manually update on all endpoints then click Initiate Update.

  5. Go to Updates > Summary and check the Notification Status to see the number of agents being notified and queued to be notified.

Configure which portions of the OfficeScan Agent should update

  1. Go to Agents > Agent Management.
  2. Choose the groups or agents you want to configure.
  3. Click Settings > Privileges and Other Settings > Other Settings tab.
  4. In the Update Settings section, in the "OfficeScan agents only update the following components" drop-down list, select any of the following:

    • Pattern files
    • Pattern files, engines, drivers
    • All components (including hotfixes and agent program)

    The default setting is All components (including hotfixes and agent program).

  5. Click Save.
  6. After a few minutes go to one of the target endpoints.
  7. Open regedit.
  8. Go to HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.

    • NoProgramUpgrade is 1 for Pattern files and for Pattern files, engines, drivers. It is 0 if All components (including hotfixes and agent program) is selected.
    • NoEngineUpgrade is 1 for Pattern files. It is 0 for Pattern files, engines, drivers and for All components (including hotfixes and agent program).
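
Instead of reading the two values by eye in regedit, the check in steps 7 and 8 can be run from PowerShell on the endpoint. This is an added example, not part of the original article or Trend Micro code; the function and parameter names are assumptions, while the key path and value names are the ones given in step 8.

```powershell
# Added example, not Trend Micro code. Key path and value names come from
# step 8; the function and parameter names are hypothetical.
function Get-OfficeScanUpdateScope {
    param(
        [string]$Key = 'HKLM:\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc',
        [string]$Expected   # optional: the option selected in the web console
    )
    if (-not (Test-Path -LiteralPath $Key)) { throw "Registry key not found: $Key" }
    $misc = Get-ItemProperty -LiteralPath $Key

    # A missing value must not be read as 0, so check for presence first.
    $flags = @{}
    foreach ($name in 'NoProgramUpgrade', 'NoEngineUpgrade') {
        $prop = $misc.PSObject.Properties[$name]
        if ($null -eq $prop) { throw "Value $name is missing under $Key" }
        $flags[$name] = [int]$prop.Value
    }

    # Map the flag pair back to the drop-down option described in step 4.
    $scope = switch ('{0}/{1}' -f $flags.NoProgramUpgrade, $flags.NoEngineUpgrade) {
        '1/1'   { 'Pattern files' }
        '1/0'   { 'Pattern files, engines, drivers' }
        '0/0'   { 'All components (including hotfixes and agent program)' }
        default { 'Unexpected combination' }
    }

    [pscustomobject]@{
        NoProgramUpgrade = $flags.NoProgramUpgrade
        NoEngineUpgrade  = $flags.NoEngineUpgrade
        EffectiveScope   = $scope
        MatchesExpected  = if ($Expected) { $scope -eq $Expected } else { $null }
    }
}

Get-OfficeScanUpdateScope -Expected 'Pattern files, engines, drivers'
```

The article gives only the WOW6432Node path, so pass a different -Key if the agent stores its settings elsewhere on the endpoint being checked.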

Configure Predictive Machine Learning

  1. Log in to the OfficeScan Web Console.
  2. Go to Agents > Agent Management.
  3. Choose the test agent or domain, then choose Settings > Predictive Machine Learning Settings.
  4. Configure the following Detection Settings:

    • File: Quarantine
    • Process: Terminate

    These are the default settings.

  5. Click Save.
  6. To verify prerequisite services, again choose Settings > Additional Service Settings.
  7. Under Unauthorized Change Prevention Service, verify it is enabled for the required platforms (not enabled for Servers by default).
  8. Under Advanced Protection Service, verify it is enabled for the required platforms (not enabled for Servers by default).
  9. Click Save.

Agent Procedure

  1. After the update has run, run "taskmgr.exe" on the machine.
  2. Verify that TMBMSRV.exe and TMCCSF.exe are running on the agent.

Logs

  1. On the OfficeScan Web Console go to Logs > Agents > Security Risks.
  2. Click View Logs > Predictive Machine Learning Logs.

  3. Click Display Logs.

  4. Any detections will show here.

Control Manager

  1. Open Control Manager.
  2. Go to Logs > Log Query.
  3. Select Security Logs > System Events > Detailed Predictive Machine Learning Information.

  4. Click on All Products and select Specified Products from the drop-down list. Click Directory then expand the Control Manager as a Service > Local folder. Select OfficeScan then click OK.

  5. Click Search.

Test Cloud Sync Protection

  1. Prepare two machines: one with OfficeScan installed and one without protection.
  2. Configure Box or OneDrive on both machines to the same account.
  3. Move an EICAR or other test file to the sync folder on the unprotected server and wait for it to sync.
  4. The Agent will detect the test sample with a pop-up notification.

  5. The virus detail logs on the agent display the detection and the Infection channel is "Cloud synchronization".
  6. The detection also appears on the Behavior Monitoring Log, Predictive Machine Learning Log, and Spyware/Grayware Log.

Threat Report

  1. Log in to the Control Manager web console.
  2. Go to Reports > One-time Reports.
  3. Click Add.
  4. Specify a Name and select Static Templates > Executive Summary.

  5. Choose the following report contents:

    • Top users with threats
    • Top endpoints with threats
    • Users and endpoints overview
    • Threat detections by channel and product
  6. Select Adobe PDF and click Next.
  7. Select OfficeScan as a Service for the Target.
  8. Click Next.
  9. Specify the time range.
  10. Click Finish.

    It may take some time for the report to generate.
Category:
Update
Solution Id:
1119763