Trend Micro, Inc.
Trend Micro™ Worry-Free Business Security Services™
This readme file is current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates at http://docs.trendmicro.com/en-us/smb/worry-free-business-security-services.aspx.
Trend Micro always seeks to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site: http://docsstg.trendmicro.com/en-us/survey.aspx.
1. About Worry-Free Business Security Services
Trend Micro™ Worry-Free Business Security Services™ for small offices protects multiple Windows computers, Macs, and Android devices located in or out of the office from viruses and other threats from the web. Unique Web Threat Protection stops threats before they reach devices and inflict damage or steal data. This safer, smarter, simpler protection from web threats will not cause devices to slow down. You can centrally manage security from anywhere without the need to add a server, install server software, configure settings, or maintain updates. Trend Micro security experts host and constantly update the service for you. Trend Micro™ Worry-Free Business Security Services™ is:
Safer: Powered by XGen™ security, Worry-Free Business Security Services uses a blend of threat protection techniques to eliminate security gaps - in any activity, on any endpoint, anywhere. XGen security:
Goes beyond next-generation technologies and protects against the full range of threats. Progressively filters out threats using the most efficient technique for maximum detection without false positives.
Blends signatureless techniques, including machine learning, behavioral analysis, variant protection, census check, application control, and good-file check with file and web reputation.
Smarter: Stop viruses and other threats without configuring settings or maintaining updates.
Simpler: Centrally manage and check the status of protected devices anywhere (no server required).
Back to top
2. What's New
Worry-Free Business Security Services includes the following new features and enhancements:
Application Control Enhancements
Application Control now includes the ability to use advanced application blocking and endpoint lockdown. You can run application inventories and create policy rules that only allow specific applications to execute on your endpoints.
Device Control Enhancements
Administrators can now create user-based exceptions for Device Control policies. This feature makes it possible to allow specific users access to restricted devices.
Endpoint Detection and Response
You can now monitor, record, and perform current and historical threat investigations on your endpoints to determine the root cause analysis (RCA) across your entire environment.
This feature requires special licensing. For more information, contact your sales representative.
Enhanced Fileless Malware Protection
Worry-Free Business Security Services now uses the latest fileless malware prevention technologies to protect your endpoints against fileless attacks.
Enhanced Threat Analysis
Worry-Free Business Security Services now includes an enhanced graphical analysis of threat detection data that displays the threat detection history and root cause of a specific detection.
Mac Security Agent Enhancements
The Mac Security Agent now supports Predictive Machine Learning, Device Control, Smart Scan, and enhanced Manual Scan functionality.
This version also includes several usability enhancements and updates for administrators to manage Worry-Free Business Security Services even more efficiently.
Back to top
3. Document Set
The document set for the Worry-Free Business Security Services includes:
Download the latest versions of the PDF documents and readme at http://docs.trendmicro.com/en-us/smb/worry-free-business-security-services.aspx.
Back to top
4. Security Agent System Requirements
The Worry-Free Business Security Services Security Agent can be installed on Microsoft Windows, Mac OS, iOS, or Android platforms. The Security Agent is also compatible with various third-party products.
Visit the following website for a complete list of system requirements and compatible third-party products:
Back to top
5. Known Issues
Windows Security Agent Known Issues
Security Agent Deployment and Upgrade
When the following conditions apply, the proxy server information needs to be added to the firewall exception list in the Worry-Free Business Security Services web console.
Endpoints are installed on Windows 8, Windows Server 2012, or later and use a proxy server.
The firewall security level is set to High in the advanced mode in the Worry-Free Business Security Services web console.
Endpoints may lose network connection temporarily during installation.
Users cannot deploy the Security Agent program when Internet Explorer 10 or later is running in Metro mode on Windows 8 or later.
The email installation link does not work properly when users try to re-activate the Security Agent using Microsoft Edge. However, Microsoft intends to resolve this issue in a later release.
After users install the Security Agent and then open Firefox, sometimes the Firefox extension installation process does not start. Users need to manually enable the extension in Add-ons Manager.
Issue: The Security Agent cannot upgrade to version 6.6 if Microsoft Visual C++ 2017 Runtime cannot install successfully on the endpoint. Operating systems that do not meet the prerequisites for the Universal C Runtime (CRT) update might take a long time to complete Microsoft Visual C++ 2017 Runtime installation. For more information on the update, see https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows.
Workaround: Install the latest Windows Update or the Universal CRT update (2999226) on the endpoint so that Microsoft Visual C++ 2017 Runtime can install successfully during the regular Security Agent upgrade process.
If the Security Agent is enabled and a malware program resides in the Security Agent folder before Real-time Scan starts, the Security Agent cannot restrict that malware from updating the registry.
On Windows 10 endpoints, Worry-Free Business Security Services alerts may be hidden behind the Microsoft Edge browser window. Users must check for any unauthorized event or threat alerts that may appear.
If the Security Agent is installed on a Windows endpoint running Enhanced Mitigation Experience Toolkit (EMET), there might be some performance and conflict issues. Trend Micro recommends not installing the Security Agent and Microsoft EMET on the same endpoint.
Issue: If users have installed Windows Update KB3076895 (MS15-084), the Msxml6.dll 6.20.5008.0 file included in the update might cause issues in the TmListen.exe service and policy setting deployments.
Workaround: Install Windows Update KB3092627 or later to update the Msxml6.dll file.
When multiple logon sessions exist on an endpoint, some agent process files might crash after an agent upgrade. Users might need to manually start the Security Agent.
Security Agents running Windows Server 2019 cannot report security statuses to Windows Security Center because Windows Server 2019 does not provide the Windows Security Center service. If Windows Defender is enabled on Windows Server 2019 with the Security Agent installed, performance issues may occur. Trend Micro recommends disabling Windows Defender before installing the Security Agent.
During Security Agent installation or firewall driver uninstallation, the endpoint may temporarily lose its network connection. Some applications, such as Secure Shell (SSH), Terminal Services Client, or Remote Desktop could be affected by the disconnection. If the network connection is lost, restart the application after installing the Security Agent or after disabling the firewall.
The Security Agent firewall may conflict with other firewall applications. Trend Micro recommends uninstalling or disabling other firewall applications.
On VMware clients, the Security Agent firewall may block all incoming packets.
To address this issue, add the following value to the VMware client registry:
The firewall feature does not support IPv6.
Web Reputation and URL Filtering
When running Internet Explorer 9 or later with Internet Explorer Enhanced Security Configuration, the Web Reputation plug-in module (TmIEPlugInBHO Class) cannot be automatically applied. Risky URLs using SSL cannot be blocked.
Web Reputation Services and URL Filtering are not supported when Internet Explorer 10 or later is running in Metro mode on Windows 8 or later.
Issue: If Chrome is open while the Security Agent updates Web Reputation Services and URL Filtering components, the Security Agent will not be able to block HTTPS websites.
Workaround: Restart Chrome to resolve the issue.
HTTPS Web Threat Protection does not support Mac Security Agents.
Windows Small Business Server Dashboard Add-In Tool
Dashboard Add-in is not compatible with Internet Explorer Enhanced Security Configuration. Ensure this option is disabled before opening the Dashboard.
Login Script Setup Tool
Endpoints installed on Windows Vista or later and have User Account Control (UAC) enabled cannot run automatic installation.
Multiple log entries appear when a user tries to access or copy files to a USB device. Device Control detects each instance as a single policy violation but includes multiple entries in the logs to differentiate the OS versions.
Device Control supports all 32-bit operating systems and only the following 64-bit platforms: Windows Vista SP1 x64 and later.
New folders can still be created on restricted USB storage devices when the permission is set to List device content only.
When using HTML tags that might be exploited by Cross-Site Scripting (XSS) attacks to search in the Certified Safe Software List, the search function ignores the tags to prevent script injections.
When multiple logon sessions exist on an endpoint, the Application Control feature will increase CPU usage for a while.
Full Disk Encryption
BitLocker cannot encrypt endpoints that run multiple operating systems when users install Windows 7 first and then install Windows 10. In this scenario, the default system partition size on both operating systems will be 100 MB, but BitLocker requires at least 350 MB of system partition size on Windows 10.
Data Loss Prevention
When uninstalling the Security Agent with Data Loss Prevention enabled, users must restart the endpoints to completely remove the Data Loss Prevention components. Currently there is no reminder of the requirement.
If users try to reinstall the Security Agent without restarting the endpoints, the Data Loss Prevention components cannot be installed until users restart the endpoints. After reinstalling the Data Loss Prevention components, users must restart the endpoints again.
The Device List Tool only supports the following languages:
Data Loss Prevention cannot detect violations triggered from Google Backup and Sync that is version 3.42.9858.3671 or later.
If a Command line criteria contains spaces in an assessment, the endpoint that triggered the command cannot be matched.
After Endpoint Sensor is enabled, Security Agents constantly send metadata to the Worry-Free Business Security Services server. Once Endpoint Sensor is disabled, administrators can still perform root cause analysis tasks using existing assessments or event logs. However, Security Agents cannot report analysis results to the server because Endpoint Sensor is disabled.
The root cause analysis view cannot display in Internet Explorer when Compatibility View is enabled.
Although fileless malware detection includes Windows Management Instrumentation (WMI), IOC does not support WMI. Running a threat investigation from WMI logs does not return matched objects.
On-Premises Server Migration Tool
Because Worry-Free Business Security Services does not support IPv6, only IPv4 addresses can be migrated from an on-premises server.
Mac Security Agent Known Issues
The Security Agent does not support root accounts.
Issue: After upgrading from macOS Sierra (10.12) to macOS High Sierra (10.13), users must click the Allow button in System Preferences > Security & Privacy > General within 30 minutes. Otherwise the button will disappear.
Workaround: Restart the endpoint so that the Allow button can reappear.
Mac Device Control detailed logs cannot display device information (vendor, model, and serial ID).
Android Security Agent Known Issues
Worry-Free Business Security Services cannot be installed on rooted Android devices.
On an Android device, if the user goes to Settings > Apps > Worry-Free Security > Storage and taps CLEAR CACHE, the Security Agent might not be able to connect to the server to receive updates. The user would need to re-enroll the device.
If other installed apps interfere with the device's network connection, the Security Agent might not be able to connect to the server to receive updates.
When using the "Remote Locate" feature to find a mobile device, the language code (for example: en, jp, fr) that displays in the browser for the embedded Google Maps may not be the same as the language used by the web console.
Worry-Free Business Security Services uses Firebase Cloud Messaging (FCM) for Android mobile device management commands. Commands sent to Android devices can take some time to be received, or the commands may be unsuccessful.
If multiple device administrators manage a single Android device, some commands may not be successful (for example: reset password). Worry-Free Business Security Services uses the Android Device Administrator for mobile device management commands. When more than one Device Administrator exists for the same Android device, the stricter policy on the device has priority. For example, if two apps both require users to follow a password policy, only the stricter policy is applied.
For Android devices that contain multiple user profiles, the Security Agent can only be installed in the owner's profile. An error occurs when users try to install the Security Agent in other user profiles.
The Reset Password command can only apply once to Android 7 or later devices that have not set up a password.
iOS Security Profile Known Issues
Worry-Free Business Security Services uses the Apple Push Notification service (APNs) for iOS mobile device management commands. Commands sent to iOS devices can take some time to be received, or the commands may be unsuccessful.
If the Private Browsing feature in Safari is enabled (https://support.apple.com/en-ph/HT203036), iOS devices may not successfully complete device enrollment.
Users cannot install the Security Profile when the iOS device uses a proxy server to connect to the Internet.
Back to top
6. Contact Information
A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.
Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.
Note: This information is subject to change without notice.
Back to top
7. About Trend Micro
Smart, simple, security that fits
As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information
Copyright 2019, Trend Micro Incorporated. All rights reserved.
Trend Micro, Worry-Free Business Security Services, and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.
Back to top
8. License Agreement
Information about your license agreement with Trend Micro can be viewed at http://us.trendmicro.com/us/about/company/user_license_agreements/.
License Attributions can be viewed from the Worry-Free Business Security Services web console.
Back to top