<> Trend Micro, Inc. July 2013 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro(TM) OfficeScan(TM) Client Version 10.6 Service Pack 3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Notes: This readme file was current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates at: http://docs.trendmicro.com/ Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation, or online at: http://olr.trendmicro.com Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro documents, please contact us at docs@trendmicro.com. Your feedback is always welcome. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp Contents ===================================================================== 1. About OfficeScan 2. What's New 3. Document Set 4. System Requirements 5. Installation 6. Post-Installation Configuration 7. Known Issues 8. Contact Information 9. About Trend Micro 10. License Agreement ===================================================================== 1. About OfficeScan ======================================================================== Trend Micro(TM) OfficeScan(TM) protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks. An integrated solution, OfficeScan consists of a client program that resides at the endpoint and a server program that manages all clients. The client guards the endpoint and reports its security status to the server. The server, through the web-based management console, makes it easy to set coordinated security policies and deploy updates to every client. OfficeScan is powered by the Trend Micro Smart Protection Network, a next generation cloud-client infrastructure that delivers security that is smarter than conventional approaches. Unique in-the-cloud technology and a lighter-weight client reduce reliance on conventional pattern downloads and eliminate the delays commonly associated with desktop updates. Businesses benefit from increased network bandwidth, reduced processing power, and associated cost savings. Users get immediate access to the latest protection wherever they connect-within the company network, from home, or on the go. 2. What's New ======================================================================== OfficeScan includes the following new features and enhancements: 2.1 What's New in OfficeScan 10.6 Service Pack 3 ===================================================================== Data Protection Enhancements --------------------------------- Forensic Data Quarantine ------------------------ OfficeScan clients create and upload encrypted forensic data files to the server allowing companies to track and record the specific Data Loss Prevention incidents that occur on the network. OfficeScan generates a hash value for each forensic file for verification and integrity purposes. Enhanced DLP Log Details -------------------- Logs display more detailed records about each Data Loss Prevention incident. Details not only include the rules that triggered the incident, but also the exact template that identified the digital asset. Extended Non-storage Device Support ----------------------------------- Device Control can now monitor Bluetooth adaptors and Wireless NICs. Extended DLP Channel Support ---------------------------- Data Loss Prevention can now monitor the following: - 126.com Webmail - 139 Webmail - 163.com Webmail - Tencent QQ (files sent using instant messaging) - Tencent QQ Webmail - SINA Webmail - Sohu Webmail Command & Control Contact Alert Services ---------------------------------------- Trend Micro Command & Control (C&C) Contact Alert Services provides enhanced detection and alert capabilities to mitigate the damage caused by advanced persistent threats and targeted attacks. C&C Contact Alert Services are integrated with Web Reputation Services which determines the action taken on detected callback addresses based on the web reputation security level. The C&C IP list further enhances C&C callback detections using the Network Content Inspection Engine to identify C&C contacts through any network channel. Behavior Monitoring Scan Enhancement ------------------------------------ Behavior Monitoring works in conjunction with Web Reputation Services to verify the prevalence of files downloaded through HTTP channels or email applications. After detecting a "newly encountered" file, administrators can choose to prompt users before executing the file. Trend Micro classifies a program as newly encountered based on the number of file detections or historical age of the file as determined by the Smart Protection Network. Virus Scan Performance Enhancement ---------------------------------- The OfficeScan Virus Scan Engine (VSAPI 9.713 or later) has been updated with a deferred scanning feature to improve file copying performance. 2.2 What's New in OfficeScan 10.6 Service Pack 2 ===================================================================== Platform Support ---------------- This version of OfficeScan provides support for client installations on Windows Server(TM) 2012. This version of OfficeScan also provides support for client installations on Windows 8(TM). Detection and Performance Enhancements -------------------------------------- MSI Installation ---------------- Real-time scanning now verifies the file signature of an MSI installation package before proceeding with an installation. Once OfficeScan receives verification that the file signature is trusted, real-time scan allows the installation to proceed without further file scanning. 2.3 What's New in OfficeScan 10.6 Service Pack 1 ===================================================================== Policy Management from Control Manager 6.0 ------------------------------------------ Control Manager 6.0 allows administrators to create and deploy policies to the OfficeScan servers that Control Manager manages. Behavior Monitoring 64-bit Support ---------------------------------- The Behavior Monitoring capabilities of OfficeScan now support 64-bit versions of the following platforms: - Windows Server 2008(TM) - Windows 7(TM) - Windows Vista(TM) with SP1 (or later) Client Self-protection 64-bit Support ------------------------------------- Client Self-protection now supports 64-bit versions of the following platforms: - Windows Server 2008(TM) - Windows 7(TM) - Windows Vista(TM) with SP1 (or later) Device Control 64-bit Support for Unauthorized Change Prevention ---------------------------------------------------------------- The Device Control capabilities of OfficeScan now support 64-bit versions of the following platforms during Unauthorized Change Prevention monitoring: - Windows Server 2008(TM) - Windows 7(TM) - Windows Vista(TM) with SP1 (or later) Note: Device Control for Data Protection provides support for all 64-bit versions of Windows platforms. Data Protection Enhancements ---------------------------- The Data Protection enhancements in OfficeScan 10.6 SP1 include the following support and upgrades: - Data Loss Prevention and Device Control support for 64-bit versions of Windows platforms - Over 100 new pre-configured Data Loss Prevention templates and data identifiers Virtual Desktop Infrastructure Enhancements ------------------------------------------- This version of OfficeScan enhances Virtual Desktop Infrastructure (VDI) support and capabilities. - Microsoft Hyper-V(TM) Support: Administrators can now manage virtual clients using the Microsoft Hyper-V(TM) Server in addition to VMware vCenter(TM) server and the Citrix XenServer(TM). - Non-persistent Environment Enhancement: OfficeScan now identifies virtual clients by Media Access Control (MAC) address. This prevents OfficeScan from assigning multiple globally unique identifiers (GUIDs) to the same client in nonpersistent environments. Extended Web Reputation Port Scanning ------------------------------------- OfficeScan can now scan HTTP traffic on all ports for web reputation policy violations. If administrators do not want to scan traffic on all ports, OfficeScan provides the option of scanning traffic on the default 80, 81, and 8080 HTTP ports. 2.4 What's New in OfficeScan 10.6 ===================================================================== Data Protection --------------- The Data Protection module provides Data Loss Prevention and expands the range of devices monitored by Device Control. Data Loss Prevention safeguards an organization's digital assets against accidental or deliberate leakage. Data Loss Prevention policies limit or prevent the transmission of digital assets through common transmission channels, such as email and external devices. OfficeScan out-of-the-box has a Device Control feature that regulates access to USB storage devices, CD/DVD, floppy disks, and network drives. Device Control that is part of the Data Protection module expands the range of devices by regulating access to the following devices: * Imaging devices * Modems * Ports (COM and LPT) * Infrared devices * PCMCIA cards * Print screen key * IEEE 1394 interface Cache Files for Scans --------------------- The OfficeScan client now builds cache files, which contain information about safe files that have been scanned previously and files that Trend Micro deems trustworthy. Cache files provide a quick reference during on-demand scans, thus reducing the usage of system resources. On-demand scans (Manual Scan and Scheduled Scan) are now more efficient, providing up to 40% improvement to speed performance. Damage Cleanup Services Enhancement ----------------------------------- Damage Cleanup Services can now run in advanced cleanup mode to stop activities by rogue security software, also known as FakeAV. The client also uses advanced cleanup rules to proactively detect and stop applications that exhibit FakeAV behavior. Web Reputation HTTPS Support ---------------------------- Clients can now scan HTTPS traffic for web threats. Other Enhancements ------------------ Smart scan clients now run Outlook Mail Scan in smart scan mode. In previous versions, smart scan clients run Outlook Mail Scan in conventional scan mode. 3. Document Set ======================================================================== The document set for the OfficeScan client includes: * Readme file - Contains a list of known issues and basic installation steps. It may also contain late-breaking product information not found in the Help or printed documentation. * Help - HTML files compiled in WebHelp format that provide "how to's", usage advice, and field-specific information. The Help is accessible from the OfficeScan client console. * Knowledge Base - An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website: http://esupport.trendmicro.com 4. System Requirements ======================================================================== The OfficeScan client can be installed on computers running Microsoft Windows platforms. The OfficeScan client is also compatible with various third-party products. Visit the following website for a complete list of system requirements and compatible third-party products: http://docs.trendmicro.com/en-us/enterprise/officescan.aspx 5. Installation ======================================================================== The OfficeScan administrator in your organization is responsible for installing and upgrading OfficeScan. Contact the administrator if you have questions or concerns about the installation or upgrade. 6. Post-Installation Configuration ======================================================================== If your OfficeScan administrator grants you the privileges to modify scan settings, you can specify how OfficeScan will handle security risks on your computer. To determine if you have the privileges to modify scan settings, open the OfficeScan client console and check if the "Settings" menu is active. You can open the console from the Start menu or from the icon in the system tray. * To open the console from the Start menu, select "Programs > Trend Micro OfficeScan Client > OfficeScan Client". * To open the console from the system tray, right-click the OfficeScan icon and then select "OfficeScan Console". 7. Known Issues ======================================================================== The following are the known issues in this release: Client Installation, Upgrade, and Uninstallation ==================================================================== 1. Upgrade may fail if using an MSI package to upgrade an OfficeScan client that was originally installed also using an MSI package. Perform the following steps: a. Ensure that the new MSI package has the same file name as the original package. If you do not know the file name of the original MSI package, check the following registry keys: HKEY_CLASSES_ROOT\Installer\Products\ 8787AECE0012525419D50B19473E9617\SourceList\PackageName b. Install the new MSI package. Use command prompt to execute the package with the parameter "/fvo". For example, msiexec /fvo c:\temp\package.msi. 2. The OfficeScan client is unable to query the web reputation servers after performing a fresh installation or upgrade. To resolve the issue, ensure that clients restart their computers if a restart notification appears. 3. Installing OfficeScan clients to Windows 7 or Windows Server 2008 R2 using a GUEST OS running on VMware Workstation 6.x and below may cause the system to stop responding. This is because of compatibility issues with the Intel(TM) Network Adapter Driver. 4. When installing the client from the web install page, users may get an error message stating that ActiveX setup controls did not download information needed for installation. When users retry the installation, the error message no longer displays and installation proceeds. To avoid seeing the error message, enable "Automatic prompting for ActiveX controls" in Internet Explorer. 5. After upgrading OfficeScan, the following issues occur: * If upgrading from OfficeScan 8.0 patch 2, the OfficeScan firewall service may sometimes not start even if this service and the Common Firewall Driver are up-to-date. The following error appears in the Setupapi.log file found under %systemroot%: "0x800b0100: No signature was present in the subject." * If upgrading from version 8.0 Service Pack 1 by moving a client to an OfficeScan 10.6 server, the OfficeScan firewall service cannot be started and the Common Firewall Pattern version is 0. * When upgrading by moving a client to an OfficeScan 10.6 server, the Common Firewall Pattern version is "N/A". To resolve these issues, perform the following steps: a. Stop the Cryptographic Services from the Microsoft Management Console. b. Navigate to C:\Windows\system32 and rename the "catroot2" folder to "oldcatroot2". c. Start the Cryptographic Services. d. Open a command prompt (cmd.exe) and run the following commands: regsvr32 wintrust.dll regsvr32 netcfgx.dll e. Restart the computer. 6. When an application that locks the Windows Service Control Manager (SCM) is launched, the OfficeScan client cannot be installed or upgraded. Before upgrading or installing OfficeScan, ensure that no SCM-locking application is running. 7. The OfficeScan client unloads and then reloads three times when upgraded to this version. This happens if the client upgrades, applies smart scan as its scan method, and then applies the domain level scan method. 8. When installing the OfficeScan client on Windows 8 and Windows Server 2012 platforms using the browser-based installation method, the installation is unsuccessful if the user is currently in Windows UI mode. This is due to Internet Explorer 10 not allowing ActiveX controls to run. To resolve this issue: Switch to desktop mode on Windows 8 and Windows Server 2012 platforms while performing a browser-based installation of the OfficeScan client. 9. If the OfficeScan server computer or a client endpoint has not properly updated its root certificate (for example, the computer does not have an Internet connection), OfficeScan cannot verify the computer's digital signatures during Inter-Process Communication (IPC). To solve this issue, you must manually update the root certificate or perform a Windows Update. Scanning ==================================================================== 1. A Microsoft Hyper-V virtual machine might not be able to start if the host computer has OfficeScan client installed. This is because the OfficeScan client and Hyper-V virtual machine accesses the same Hyper-V xml file and causes file access violation. As a workaround: * Set exclusion folder for the virtual machine xml file located in C:\ProgramData\Microsoft\Virtual Machine Manager\. * Turn off file mapping scan by modifying the TmFilter/TmxpFilter registry value. 2. When specifying the scan target for Scheduled Scan, Scan Now and Real-time Scan, spyware/grayware scan can be disabled. However, for Manual Scan, there is no option for disabling spyware/ grayware scan, which means that during Manual Scan, OfficeScan will always scan for spyware/grayware. 3. When scanning is complete, OfficeScan displays a notification page. On a Windows Server 2008 computer, the background color of the page does not conform to the standard color for OfficeScan notification pages. 4. When OfficeScan is configured to scan mapped drives during Manual Scan, the mapped drive may not get scanned when scanning is initiated through Terminal Service client. 5. When an email containing an attachment with spyware/grayware is retrieved through Eudora email client and POP3 Mail Scan is disabled, OfficeScan's Real-time Scan denies access to the email even if the scan action is "clean". The email does not appear on the inbox and the Eudora client displays a message informing the user that access to the email is denied. 6. In a Citrix environment, when the OfficeScan client detects a security risk during a particular user session, the notification message for the security risk displays on all active user sessions. Security risk can be any of the following: * Virus/Malware * Spyware/Grayware * Firewall policy violation * Web Reputation policy violation * Unauthorized access to external devices 7. When OfficeScan detects virus/malware and computer restart is required to clean the infected file, a notification message prompts the user to restart. If the user did not restart the computer and generic virus/malware was detected, the restart notification displays again even if a restart is not required for the generic virus/malware detection. 8. After updating the client program, the "Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms excluded)" setting does not take effect until the client program or endpoint is restarted. Client Update ==================================================================== 1. OfficeScan clients with client-level settings can only download settings from the OfficeScan server, not Update Agents. 2. An Update Agent running a 64-bit platform is unable to generate incremental patterns. Therefore, the Update Agent always downloads all incremental patterns available in the ActiveUpdate server, regardless of how many of these patterns it has previously downloaded. Client Management ==================================================================== 1. Select the "Show icon and notifications" option to display the OfficeScan icon in the Windows 7 and 8 system tray. The default option for Windows 7 and 8 is "Only show notification". 2. If the client security level configured on the web console is set to "High", connection through Nortel VPN client cannot be established. 3. Some client console screens include a Help button, which, when clicked, opens context-sensitive, HTML-based Help. Because Windows Server Core 2008 lacks a browser, the Help will not be available to the user. To view the Help, the user must install a browser. Device Control ==================================================================== 1. When the permission for plug-in devices (USB) is "read only", users can still create a new folder on the device but the folder cannot be renamed and no file can be saved to the folder. 2. The Device Control feature is unable to block recording of files (or "file burning") to optical disks. Data Loss Prevention ==================================================================== 1. Data transmitted through Instant Messaging applications are not detected if the applications use a non-transparent proxy server. 2. Data Loss Prevention cannot monitor Gmail messages on the following browsers: - FireFox v14 3. After upgrading the OfficeScan client to OfficeScan 10.6 SP3, the preexisting client-side Data Loss Prevention logs are deleted (unless updating from the OfficeScan 10.6 SP2 DLP Enhancement Patch). OfficeScan Firewall ==================================================================== 1. For Windows XP and Windows Server 2003 platforms, incoming packets to a computer on a VMware client are dropped if the computer has OfficeScan client installed. Workaround: a. On the client computer, open Registry Editor. b. Add the following registry value: Key: [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ PC-cillinNTCorp\CurrentVersion\PFW for x64 computers: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432\TrendMicro\ PC-cillinNTCorp\CurrentVersion\PFW Name: EnableBypassRule Type: REG_DWORD Value: 1 c. Reload the client for settings to take effect. 2. OfficeScan does not support specific application exceptions on Windows 8 and Windows Server 2012 platforms. OfficeScan allows or denies all application traffic on computers with these platforms. Web Reputation ==================================================================== 1. Clients can browse blocked sites if using Juniper Networks VPN and proxy servers to connect to the Internet. To resolve this issue: a. Connect to the network using Juniper Networks VPN. b. Open Internet Option > Connection > LAN Settings. c. Disable Automatic configuration settings. d. Enable Proxy server and specify the IP address and port of your proxy server. e. Click Ok. 2. Due to the blocking of add-ons in Internet Explorer 10, HTTPS scanning only supports Windows 8 or Windows 2012 platforms operating in desktop mode. Cisco Trust Agent ==================================================================== 1. Computer restart is required after the Cisco Trust Agent 2.x Supplicant package is deployed. 8. Contact Information ======================================================================== A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees. You can contact Trend Micro via fax, phone, and email, or visit us at: http://www.trendmicro.com Evaluation copies of Trend Micro products can be downloaded from our web site. Global Mailing Address/Telephone numbers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For global contact information in the Asia/Pacific region, Australia and New Zealand, Europe, Latin America, and Canada, refer to: http://www.trendmicro.com/en/about/overview.htm The Trend Micro "About Us" screen displays. Click the appropriate link in the "Contact Us" section of the screen. Note: This information is subject to change without notice. 9. About Trend Micro ======================================================================== Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years experience, we deliver top-ranked security that fits our customers' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the Trend Micro(TM) Smart Protection Network(TM) infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit www.trendmicro.com. Copyright 2013, Trend Micro Incorporated. All rights reserved. Trend Micro, the t-ball logo and OfficeScan are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other product or company names may be trademarks or registered trademarks of their owners. 10. License Agreement ======================================================================== Information about your license agreement with Trend Micro can be viewed at: http://us.trendmicro.com/us/about/company/user_license_agreements/ Third-party licensing information can be viewed from the OfficeScan web console.