Trend Micro, Inc.                                        November 2017
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) Endpoint Sensor(TM)
Version 1.6 Update 3 Critical Patch
Readme
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notes: This readme file was current as of the date above. However, all
customers are advised to check Trend Micro's web site for
documentation updates at:

http://docs.trendmicro.com/

Contents
===================================================================
1. About Trend Micro Endpoint Sensor
2. What's New in Version 1.6 Update 3 Critical Patch
3. Documentation Set
4. System Requirements
   4.1 Server
   4.2 Agent
5. Installation
   5.1 Installing the Trend Micro Endpoint Sensor Server
   5.2 Installing the Trend Micro Endpoint Sensor Agent
   5.3 Upgrading an existing Trend Micro Endpoint Sensor Server
   5.4 Uninstalling the Trend Micro Endpoint Sensor Server
6. Post-Installation Configuration
7. Known Issues
8. Release History
9. Contact Information
10. About Trend Micro
11. License Agreement
===================================================================

1. About Trend Micro Endpoint Sensor
========================================================================
Trend Micro Endpoint Sensor is a context-aware endpoint security
monitor designed to speed the discovery, investigation, and response
to security incidents.

2. What's New in Version 1.6 Update 3 Critical Patch
========================================================================
Trend Micro Endpoint Sensor version 1.6 Update 3 Critical Patch offers
the following new features and enhancements:

2.1 Security enhancements
=====================================================================
Trend Micro Endpoint Sensor 1.6 Update 3 Critical Patch adds security
enhancements for the following features:

- Private keys
- Authentication
- SQL database

2.2 Agent improvements
=====================================================================
Trend Micro Endpoint Sensor 1.6 Update 3 Critical Patch adds code
improvements to enhance agent performance and crash prevention.

3. Documentation Set
========================================================================
The documentation set for Trend Micro Endpoint Sensor includes the
following:

- Administrator's Guide -- Contains detailed instructions on how to
  configure and manage Trend Micro Endpoint Sensor, and explanations
  on Trend Micro Endpoint Sensor concepts and features.

- Installation Guide -- Discusses requirements and procedures for
  installing the Trend Micro Endpoint Sensor server and agent.

- Online help -- Context-sensitive help screens that contain
  explanations of Trend Micro Endpoint Sensor components and features,
  as well as procedures needed to configure Trend Micro Endpoint
  Sensor.

- Readme -- Contains late-breaking product information that is not
  found in the online or printed documentation. Topics include a
  description of new features, known issues, and product release
  history.

- Support Portal -- Searches through an online database of
  problem-solving and troubleshooting information. It provides the
  latest information about known product issues.
  To access the Support Portal, go to the following website:

  http://esupport.trendmicro.com

View and download product documentation from the Trend Micro
Documentation Center:

http://docs.trendmicro.com/en-us/enterprise/trend-micro-endpoint-sensor.aspx

4. System Requirements
========================================================================

4.1 Server
===================================================================
Hardware

RAM:
- 4 GB minimum
- 16 GB recommended

CPU: At least 2GHz Intel Core2 Duo or compatible
- AMD 64 processor
- Intel 64 processor

Available disk space:
- 500 GB minimum
- 1 TB recommended

Software

Operating system:
- Windows Server 2008 R2
- Windows Server 2012 R2

Microsoft Internet Information Services (IIS) 7, 7.5 or 8.5 with the
following role services:
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- HTTP Redirection
- ASP.NET 4.5
- ASP
- CGI
- ISAPI Extensions
- ISAPI Filters
- Request Filtering
- IIS Management Console
- .NET Framework 4.5.1
- Net FX Extensibility
- PHP version 5.4.38

Database:
- Microsoft SQL Server 2008 R2 Express
- Microsoft SQL Server 2008 R2 (Standard or Enterprise Edition)
- Microsoft SQL Server 2012 Express
- Microsoft SQL Server 2012 (Standard or Enterprise Edition)
- Microsoft SQL Server 2014 Express
- Microsoft SQL Server 2014 (Standard or Enterprise Edition)
- Microsoft SQL Server 2016 Express
- Microsoft SQL Server 2016 (Standard or Enterprise Edition)

Web browsers:
- Microsoft Internet Explorer 9 or later
- The latest version of Google Chrome
- The latest version of Mozilla Firefox

4.2 Agent
===================================================================
Hardware

RAM:
- 512 MB minimum for Windows XP
- 1 GB minimum for other operating systems

CPU:
- 2 GHz minimum

Available disk space:
- 3 GB minimum
- 4 GB recommended

Software

Operating system:
- Windows XP Service Pack 3 (32-bit)
- Windows Vista Service Pack 2 (32-bit and 64-bit)
- Windows 7 Service Pack 1 (32-bit and 64-bit)
- Windows 8 (32-bit and 64-bit)
- Windows 8.1 (32-bit and 64-bit)
- Windows Server 2008 Service Pack 2 (32-bit and 64-bit)
- Windows Server 2008 R2 Service Pack 1 (64-bit)
- Windows Server 2012 (64-bit)
- Windows Server 2012 R2 (64-bit)
- Windows 10 Redstone 2 and earlier (32-bit and 64-bit)

5. Installation
========================================================================
TIP: For installation considerations and post-installation details,
refer to the Installation Guide.

5.1 Installing the Trend Micro Endpoint Sensor Server
===================================================================
To install the Trend Micro Endpoint Sensor server, perform the
following steps:

a. Double-click or run endpointsensorsetup.exe.

b. On the Welcome screen, click Next.

   NOTE: The Trend Micro Endpoint Sensor server supports PHP version
   5.4.38. The server Setup program is unable to detect the following:

   - A PHP version that is installed manually
   - PHP version 5.4 or later

   As a result, the server Setup program installs PHP version 5.4.38
   and modifies the IIS handler to instruct all PHP-related files or
   folders to use the newly installed PHP.

c. On the License Agreement screen, select I accept, and then click
   Next.

d. On the Installation Path screen, click Next.

e. On the Product Activation screen, type/paste the correct Activation
   Code, and then click Next.

f. On the Database Server screen, select whether to install Microsoft
   SQL Server 2008 R2 SP2 - Express Edition or connect to an existing
   SQL server.

g. On the Web Console screen, provide new port number(s) or accept the
   default port(s) for the Trend Micro Endpoint Sensor web console,
   and then click Next.

h. On the Server Identification screen, select between host name or IP
   address to determine how clients identify the Trend Micro Endpoint
   Sensor server, and then click Next.

i. On the Certificate Import screen, specify a certificate to use with
   the server by either importing an existing certificate or
   generating a new one, and then click Next.

j. On the Proxy Settings screen, if you intend to connect between the
   agents and server over a proxy connection, specify your proxy
   settings below, and then click Next.

k. On the Administrator screen, provide the password that the admin
   account will use, and then click Next.

l. On the Ready to Install the Program screen, click Install to start
   the server installation process.

m. On the Installation Complete screen, click Finish.

5.2 Installing the Trend Micro Endpoint Sensor Agent
===================================================================
There are 3 methods to install Trend Micro Endpoint Sensor agents:

- Local agent installation: install the agent using an agent
  installation package shared or copied locally to the target
  endpoint.

- Local agent silent installation: install the agent using an agent
  installation package shared or copied locally to the target
  endpoint, with no messages or windows shown during its progress.
  This is ideal for a large-scale enterprise deployment, or if
  installation of the agent will be automated.

- Agent installation using OfficeScan: use the OfficeScan Trend Micro
  Endpoint Sensor Deployment Tool plug-in to deploy Trend Micro
  Endpoint Sensor agents to OfficeScan managed endpoints.

Refer to the Installation Guide for agent installation procedures.

5.3 Upgrading an existing Trend Micro Endpoint Sensor Server
===================================================================
Existing installations of a Trend Micro Endpoint Sensor 1.6 Build 1290
(1.6.0.1290) server can directly upgrade to the 1.6 Update 3 Critical
Patch version.

Versions of Trend Micro Endpoint Sensor server earlier than 1.6 Build
1290 need to be upgraded to Build 1290 first before installing this
version.

It is possible to transfer the configuration and data of the old
version to this version.
For assistance on this procedure, contact Trend Micro Support for
details.

5.4 Uninstalling the Trend Micro Endpoint Sensor Server
===================================================================
To remove the Trend Micro Endpoint Sensor server program, perform the
following steps:

a. Go to Start > Control Panel > Programs and Features.
b. Choose Trend Micro Endpoint Sensor, and then click Uninstall.
c. On the Setup screen, click Uninstall.
d. On the Uninstall Complete screen, click Finish.

Trend Micro Endpoint Sensor is removed from the list of installed
programs.

6. Post-Installation Configuration
========================================================================
Check whether you can access the Trend Micro Endpoint Sensor web
console:

https://:8000/

Use the administrator account and the password you set during
installation.

7. Known Issues
========================================================================
Here are the known issues in this release:

7.1 Trend Micro Endpoint Sensor does not support pure IPv6
    environments.
===============================================================
The communication between Trend Micro Endpoint Sensor server and
agents is through IPv4. The Trend Micro Endpoint Sensor server uses
host names to identify endpoints having both IPv4 and IPv6 addresses.
Agents using IPv6 addresses cannot connect to the server.

7.2 Trend Micro Endpoint Sensor server does not support installation
    on Squid proxy versions earlier than 3.2.
===============================================================
Trend Micro Endpoint Sensor server has issues with earlier versions of
Squid. However, this has been fixed in Squid versions 3.2 and later.

7.3 The Trend Micro Endpoint Sensor server does not support
    installation on endpoints used as a Domain Controller.
===============================================================
A Domain Controller does not allow the installation of SQL Server or
SQL Server Express.

7.4 The Trend Micro Endpoint Sensor agent program is incompatible with
    Trend Micro(TM) Internet Security and Trend Micro(TM)
    Titanium(TM).
===============================================================
Do not install the Trend Micro Endpoint Sensor agent program on
endpoints running any version of Trend Micro Internet Security or
Trend Micro Titanium. The setup program does not check for this
incompatibility. The Trend Micro Endpoint Sensor agent will still be
installed but will encounter issues. For example, the Trend Micro
Endpoint Sensor services may be unable to start.

7.5 Trend Micro Endpoint Sensor is incompatible with the OfficeScan
    Corporate Edition USB monitoring Plug-in Service POC build.
===============================================================
Do not install the Trend Micro Endpoint Sensor server program on
endpoints running OfficeScan Corporate Edition USB monitoring Plug-in
Service POC build. The setup program does not check for this
incompatibility. The Trend Micro Endpoint Sensor server will still be
installed but will encounter issues. For example, the Trend Micro
Endpoint Sensor services may be unable to start.

7.6 Trend Micro Endpoint Sensor is incompatible with Bitdefender.
===============================================================
Do not install the Trend Micro Endpoint Sensor agent program on
endpoints running Bitdefender. The setup program does not check for
this incompatibility. The Trend Micro Endpoint Sensor agent will still
be installed but will encounter issues. For example, the Trend Micro
Endpoint Sensor services may be unable to start.

7.7 Trend Micro Endpoint Sensor is incompatible with the Microsoft
    Enhanced Mitigation Experience Toolkit (EMET) 4.1 and below.
===============================================================
Do not install the Trend Micro Endpoint Sensor agent program on
endpoints running a Microsoft Enhanced Mitigation Experience Toolkit
version of 4.1 or lower.
The setup program does not check for this incompatibility. The Trend
Micro Endpoint Sensor agent will still be installed but will encounter
issues. For example, the Trend Micro Endpoint Sensor services may be
unable to start. To prevent the issue, it is recommended to upgrade to
Microsoft Enhanced Mitigation Experience Toolkit version 5.5 or higher
prior to installing.

7.8 Installation of a Trend Micro Endpoint Sensor agent and a Deep
    Security 10.0 Update 2 agent on one endpoint is supported only on
    Windows 2008 R2, Windows 2012 and Windows 2012 R2.
===============================================================
The setup program does not check for this incompatibility. The Trend
Micro Endpoint Sensor agent will still be installed on other operating
systems but will encounter issues. For example, the Trend Micro
Endpoint Sensor services may be unable to start.

7.9 The OfficeScan Trend Micro Endpoint Sensor Deployment Tool plug-in
    tool is unable to update an agent if OfficeScan Corporate Edition
    cannot resolve the agent host name.
===============================================================
If the OfficeScan Trend Micro Endpoint Sensor Deployment Tool plug-in
is unable to resolve the agent host name, it encounters a timeout
error. To resolve this issue, check the DNS settings or manually add
an IP address to the HOSTS file.

7.10 The OfficeScan Trend Micro Endpoint Sensor Deployment Tool
     plug-in tool may be unable to update a Trend Micro Endpoint
     Sensor agent if the endpoint is going through a Windows update.
===============================================================
Windows Update may prevent the OfficeScan Trend Micro Endpoint Sensor
Deployment Tool from updating the agent. To ensure a successful agent
update, wait for the Windows update to finish, reboot the endpoint,
then try updating the agent again.
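
The checks behind known issues 7.9 and 7.10, as an added PowerShell example that is not part of the Trend Micro readme: the first function reports which agent host names resolve to an IPv4 address from the OfficeScan server, the second reports whether the endpoint still has Windows servicing work waiting on a reboot. The endpoint names are constructed, and using the two standard Windows reboot-pending registry keys as the indicator is an assumption; the readme names no specific check.

```powershell
# Added example: pre-update checks for known issues 7.9 and 7.10.

function Test-AgentNameResolution {
    # Run on the OfficeScan server: reports which agent host names resolve (7.9).
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)

    foreach ($name in $ComputerName) {
        $addresses = @()
        try {
            # Uses the system resolver, so HOSTS file entries are honoured.
            # Only IPv4 results are kept, since 7.1 states that server-agent
            # communication is through IPv4.
            $addresses = @([System.Net.Dns]::GetHostAddresses($name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString })
        } catch {
            # Resolution failed; $addresses stays empty and is reported below.
        }
        New-Object PSObject -Property @{
            ComputerName = $name
            Resolves     = ($addresses.Count -gt 0)
            IPv4Address  = ($addresses -join ', ')
        }
    }
}

function Test-WindowsUpdatePending {
    # Run on the endpoint: $true while Windows still has a reboot outstanding (7.10).
    # Assumption: these standard Windows keys are used as the indicator.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($key in $keys) {
        if (Test-Path -Path $key) { return $true }
    }
    return $false
}

# Constructed sample host names; replace with the endpoints queued for an agent update.
Test-AgentNameResolution -ComputerName 'endpoint01', 'endpoint02' |
    Where-Object { -not $_.Resolves } |
    ForEach-Object {
        Write-Warning "$($_.ComputerName) does not resolve; check DNS or the HOSTS file first."
    }

if (Test-WindowsUpdatePending) {
    Write-Warning 'Windows update work is pending; let it finish and reboot before updating the agent.'
}
```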

7.11 OfficeScan is unable to install, uninstall, or upgrade an
     endpoint's agent if another process locks the folder where the
     Trend Micro Endpoint Sensor agent is installed.
===============================================================
The folder where the Trend Micro Endpoint Sensor agent is installed
may be locked by another process during uninstallation. To resolve
this issue, reboot the endpoint and try again. If the issue persists,
contact Trend Micro support for assistance.

7.12 If OfficeScan Corporate Edition starts scanning during
     installation, it may cause high CPU usage.
===============================================================
A scheduled scan initiated by OfficeScan Corporate Edition during
agent installation may severely affect system performance. By default,
OfficeScan Corporate Edition scans every new file added to the
endpoint. As a workaround, configure OfficeScan to defer scanning
until the installation is finished.

7.13 Enabling the FIPS compliant algorithm in Windows may prevent the
     Trend Micro Endpoint Sensor activation process from functioning
     properly.
===============================================================
To prevent issues related to product activation, verify that the FIPS
compliant algorithm is disabled in Windows before installing the Trend
Micro Endpoint Sensor server.

7.14 The Trend Micro Endpoint Sensor agent is unable to monitor
     network events of objects that call Internet Explorer versions 10
     and above for internet access.
===============================================================
If Internet Explorer version 10 or above is installed in the target
endpoint, objects that call on Internet Explorer for internet access
may not appear in the monitoring results. Other Internet Explorer
versions are not affected.

7.15 The Trend Micro Endpoint Sensor agent may not function correctly
     if installed in a virtual environment or in a virtual desktop
     infrastructure (VDI).
===============================================================
Trend Micro does not recommend installing agents in a virtual
environment or in a virtual desktop infrastructure (VDI). The Trend
Micro Endpoint Sensor agent will still be installed but may encounter
performance or compatibility issues. If you need to run the agent in a
virtual environment or in a VDI, contact technical support for
assistance.

7.16 Updating the server host address results in loss of connection
     between Trend Micro Endpoint Sensor server and agents.
===============================================================
Trend Micro Endpoint Sensor requires a host address during
installation. If the host address value is updated, agents still use
the old host address and will no longer be able to contact the server.
If you need to allocate a new name or IP address, reinstall the Trend
Micro Endpoint Sensor server and agents.

7.17 If a Trend Micro Endpoint Sensor server runs a Retro Scan and
     YARA rule investigation on a Trend Micro Endpoint Sensor agent
     immediately after agent installation, the Trend Micro Endpoint
     Sensor agent may crash and restart automatically.
===============================================================
The Trend Micro Endpoint Sensor agent needs some time to perform
post-installation tasks before being fully capable of handling
investigation requests. Allow some time to pass before including the
endpoint in an investigation.

7.18 When running a YARA investigation, entries for applications which
     perform indexing and monitoring processes may appear in the
     investigation results.
===============================================================
The Trend Micro Endpoint Sensor server saves a copy of the YARA rule
on the target agent, which may be automatically read by applications
which perform indexing and monitoring processes (for example, the
Windows Search Indexer, Windows Security Essentials, etc).
As a result, the agent may report that the strings specified in the
YARA rule appear in these processes.

7.19 Trend Micro Endpoint Sensor skips calculation of hash values for
     files dropped by the legitimate explorer.exe.
===============================================================
To improve performance, Trend Micro Endpoint Sensor does not calculate
the hash values of files dropped by the legitimate explorer.exe. Trend
Micro Endpoint Sensor still includes the dropped files in its
investigation and shows all other attributes, but will display blank
hash values for these files.

7.20 Trend Micro Endpoint Sensor server is unable to perform
     auto-purge on databases with sizes exceeding 4 GB if the server
     uses SQL Express.
===============================================================
SQL Server Express is suitable only for a small number of connections.
Due to the limitations of SQL Express, Trend Micro recommends
Microsoft SQL Server Standard or Enterprise Edition for large
networks.

7.21 If OfficeScan encounters an error deploying to a specific
     endpoint, the Trend Micro Endpoint Sensor Deployment tool may
     continue to show an 'installing' status for that endpoint until
     the timeout period is reached.
===============================================================
This is because the error code sent by OfficeScan agent has not
reached the Trend Micro Endpoint Sensor Deployment tool. As a result,
the Trend Micro Endpoint Sensor Deployment tool will continue to show
an 'installing' status until the timeout period is reached. If this
occurs, try deploying again later. If the problem persists, contact
Trend Micro support for assistance.

7.22 New agents are unable to retrieve investigation commands if a
     database is restored from backup or reverted to a previous
     snapshot.
===============================================================
If a database is restored from backup or reverted to a previous
snapshot, new agents that were not yet included in the records of the
database backup will be unable to retrieve investigation commands. To
resolve the issue, re-register the agent.

7.23 In the Monitoring Logs, endpoints running Trend Micro Endpoint
     Sensor agent versions lower than 1.6 Build 1290 are assigned to
     the 'Unknown' category.
===============================================================
To resolve the issue, ensure that all endpoint agents are upgraded to
the same version as the server.

7.24 Investigation results may include file, process, or module
     initialization events that were specified in the kernel
     whitelist.
===============================================================
Trend Micro Endpoint Sensor loads the Endpoint Sensor Trusted Pattern
to whitelist specific kernel mode events. However, this pattern will
take some time to load. As a result, Trend Micro Endpoint Sensor
includes all file, process, or module initialization events occurring
during this delay, even those specified in the pattern.

7.25 In Control Manager, double-byte characters in the Object List tab
     of the Root Cause Chain screen are converted into garbage
     characters if exported to a CSV file.
===============================================================
In Control Manager, double-byte characters appear normal on the Root
Cause Chain screen. However, if the results are converted to CSV using
the Object List tab's Export feature, double-byte characters are not
converted properly.

7.26 Using the Custom range option in the New Investigation screen
     returns results that do not match the period specified.
===============================================================
When creating a new Retro Scan investigation in the New Investigation
screen, specifying a custom range returns results that do not match
the period specified.
This issue will be fixed in the next release.

7.27 On the Endpoint screen, Trend Micro Endpoint Sensor is unable to
     simultaneously use the "Filters" sidepanel and keyword search to
     filter the endpoint list.
===============================================================
Trend Micro Endpoint Sensor filters the endpoint list using two
methods: by using the typed keyword, or by applying the specified
filters shown in the Filters sidepanel. However, only one method can
be in effect at any time.

7.28 The root cause chain screen for investigations using multiple
     criteria displays API error messages, except for the first and
     last page.
===============================================================
For investigations using multiple criteria, Trend Micro Endpoint
Sensor correctly renders only the first and last pages of the root
cause chain. All other pages display API error messages.

7.29 In environments that use a proxy server for internet access, the
     Trend Micro Endpoint Sensor management console may not show the
     correct license expiration date.
===============================================================
The Trend Micro Endpoint Sensor server does not support the use of a
proxy server to access the Trend Micro Online Registration System. As
a result, Trend Micro Endpoint Sensor server may not be able to update
the license expiration date. To update the license expiration date in
environments that use a proxy server (or for isolated Trend Micro
Endpoint Sensor server networks), contact Trend Micro support.

7.30 Trend Micro Endpoint Sensor agents are unable to retrieve files
     from network share folders if they do not have sufficient
     permissions to access the network share folders.
===============================================================
When submitting files to Deep Discovery Analyzer, Trend Micro Endpoint
Sensor agents are unable to retrieve files from network share folders
if they have insufficient permissions.
To avoid the issue, ensure that the endpoint where the agent is
installed has sufficient permissions to access the share:

a. Go to the endpoint where the shared folder is located.
b. Right-click the shared folder, and then click Properties.
c. Go to the Sharing Tab.
d. Click Share.
e. In the dialog that opens, specify the endpoint account, and click
   Add. For example, if the endpoint name is COMPUTER, the endpoint
   account will be called COMPUTER$. Do this for all endpoints that
   require access to the share.
f. Click Share.
g. Click Done.

If problems persist, contact Trend Micro support for assistance.

7.31 The Trend Micro Endpoint Sensor Esclient service may not start
     successfully after a reboot initiated by a Windows update.
===============================================================
Windows Update may prevent some services from starting while it
updates its components. The Esclient service may not start. This is
because the 30-second timeout allotted for services is exceeded. To
resolve this issue, manually start the Trend Micro Endpoint Sensor
server service.

As a workaround, you can edit the registry to increase the timeout for
services:

a. Click Start, click Run, type regedit, and then click OK.
b. Locate and then click the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
c. On the Edit menu, point to New, and then click DWORD Value.
d. Type ServicesPipeTimeout, and then press ENTER.
e. On the Edit menu, click Modify.
f. In the Value data box, type '180000', and then click OK.
g. Restart the system.

7.32 Other Trend Micro products which support integration with Trend
     Micro Endpoint Sensor may still refer to the software as "Deep
     Discovery Endpoint Sensor".
===============================================================
Additionally, existing modules and documentation may still also refer
to the software as "Deep Discovery Endpoint Sensor" in some places.
This will be fixed in recent releases of the integrated product.
Contact Trend Micro support to see if an upgrade or hotfix that fixes
this issue is already available for your Trend Micro product.

8. Release History
========================================================================
Trend Micro Endpoint Sensor 1.6 Update 3 Critical Patch   November, 2017
Trend Micro Endpoint Sensor 1.6 Update 3                  September, 2017
Trend Micro Endpoint Sensor 1.6 Build 1290                February 24, 2017
Trend Micro Endpoint Sensor 1.6 Repack                    August 10, 2016
Trend Micro Endpoint Sensor 1.6                           May 12, 2016
Deep Discovery Endpoint Sensor 1.5                        December 20, 2015
Deep Discovery Endpoint Sensor 1.0                        May 30, 2014

9. Contact Information
========================================================================
A license to the Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support for
one (1) year from the date of purchase only. After the first year,
Maintenance must be renewed on an annual basis at Trend Micro's
then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us at:

http://www.trendmicro.com

Evaluation copies of Trend Micro products can be downloaded from our
Web site.

Global Mailing Address Telephone Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to:

http://www.trendmicro.com/en/about/overview.htm

The Trend Micro "About Us" screen displays. Click the appropriate link
in the "Contact Us" section of the screen.

Note: This information is subject to change without notice.

10. About Trend Micro
========================================================================
Trend Micro Incorporated, a global leader in Internet content security
and threat management, aims to create a world safe for the exchange of
digital information for businesses and consumers.
A pioneer in server-based antivirus with over 25 years' experience, we
deliver top-ranked security that fits our customers' needs, stops new
threats faster, and protects data in physical, virtualized and cloud
environments. Powered by the Trend Micro Smart Protection Network(TM)
infrastructure, our industry-leading cloud-computing security
technology and products stop threats where they emerge, on the
Internet, and are supported by 1,000+ threat intelligence experts
around the globe. For additional information, visit
www.trendmicro.com.

Copyright 2017, Trend Micro Incorporated. All rights reserved. Trend
Micro, the t-ball logo, and Trend Micro Endpoint Sensor are trademarks
of Trend Micro Incorporated and are registered in some jurisdictions.
All other marks are the trademarks or registered trademarks of their
respective companies.

11. License Agreement
========================================================================
Information about your license agreement with Trend Micro can be
viewed at:

http://www.trendmicro.com/en/purchase/license