Trend Micro, Inc.                                         April 30, 2020
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro Safe Lock(TM) TXOne Edition 1.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE: This readme file was current as of the date above. However, all
customers are advised to check the Trend Micro website for
documentation updates at:

http://docs.trendmicro.com/

Trend Micro always seeks to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
documents, please contact us at docs@trendmicro.com. Your feedback is
always welcome. Please evaluate this documentation on the following
site:

http://docs.trendmicro.com/en-us/survey.aspx

Contents
========================================================================
   1. About Trend Micro Safe Lock
   2. What's New
   3. Documentation Set
   4. System Requirements
   5. Installation
   6. Post-Installation Configuration
   7. Known Issues
   8. Release History
   9. Contact Information
   10. About Trend Micro
   11. About TXOne Networks
   12. License Agreement
========================================================================

1. About Trend Micro Safe Lock
========================================================================
Trend Micro Safe Lock consists of an agent program called Safe Lock
that resides on endpoints and a server program called Safe Lock
Intelligent Manager that manages agents.

Trend Micro Safe Lock protects fixed-function computers like Industrial
Control Systems (ICS), Point of Sale (POS) terminals, and kiosk
terminals from malicious software and unauthorized use. By using fewer
resources and without the need for regular software or system updates,
Safe Lock can reliably secure computers in industrial and commercial
environments with little performance impact or downtime.

Trend Micro Safe Lock Intelligent Manager provides centralized
monitoring and management of Trend Micro Safe Lock agent deployment,
status, and events.
For example, administrators can remotely deploy agents, deploy initial
agent Approved Lists, and change agent Application Lockdown states.
Additionally, Safe Lock Intelligent Manager performs malware scans and
administrators can view root cause information on files blocked from
running by Safe Lock agents, reducing the time and effort needed to
verify events and allowing quick responses to incidents.

2. What's New
========================================================================
Trend Micro Safe Lock agent includes the following new features and
benefits:

   - Safe Lock agents provide the scan function that you can start
     manually on endpoints to scan for malware. This function requires
     special licensing.
   - Safe Lock agent-server communication has been enhanced to support
     Safe Lock agents with a fixed IP address.
   - The enhanced Safe Lock data flow and system function processing
     increase system operation efficiency.
   - Safe Lock agent installation supports Microsoft Windows 10 May
     2019 Update (19H1), November 2019 Update (19H2), and (20H1).

3. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for
this product, go to http://docs.trendmicro.com

   - Installation Guide (IG): The Installation Guide contains
     information on requirements and procedures for installing and
     deploying Trend Micro Safe Lock.
   - Administrator's Guide (AG): Provides post-installation
     instructions on how to configure the settings to help you get
     Trend Micro Safe Lock "up and running". Also includes instructions
     on performing other administrative tasks for the maintenance of
     Safe Lock.
   - Support Portal: The Support Portal contains information on
     troubleshooting and resolving known issues. To access the Support
     Portal, go to http://esupport.trendmicro.com

4. System Requirements
========================================================================

   4.1 Hardware Requirements
   =====================================================================
   Trend Micro Safe Lock does not have specific hardware requirements
   beyond those specified by the operating system, with the following
   exceptions:

   - Available free disk space: 300MB
   - Monitor and resolution: VGA (640x480), 16 colors

   NOTE: Trend Micro Safe Lock supports only CPUs with Intel 64 and
   IA-32 Architectures.

   4.2 Supported Operating Systems
   =====================================================================
   Trend Micro Safe Lock can be installed on the following Microsoft
   Windows platforms:

   Windows Clients:
   - Windows 2000 (SP4) [Professional](32bit)
   - Windows XP (SP1/SP2/SP3) [Professional](32bit)
   - Windows Vista (NoSP/SP1/SP2) [Business/Enterprise/Ultimate](32bit)
   - Windows 7 (NoSP/SP1) [Professional/Enterprise/Ultimate](32/64bit)
   - Windows 8 (NoSP) [Pro/Enterprise](32/64bit)
   - Windows 8.1 (NoSP) [Pro/Enterprise/with Bing](32/64bit)
   - Windows 10 [Pro/Enterprise/IoT Enterprise](32/64bit)
     Anniversary Update, Creators Update, Fall Creators Update,
     April 2018 Update, October 2018 Update, May 2019 Update,
     November 2019 Update, 20H1
   - Windows XP Embedded (SP1/SP2) (32bit)
   - Windows Embedded Standard 2009 (NoSP) (32bit)
   - Windows Embedded Standard 7 (NoSP/SP1) (32/64bit)
   - Windows Embedded 8 Standard (NoSP) (32/64bit)
   - Windows Embedded 8.1 (NoSP) [Pro/Industry Pro](32/64bit)
   - Windows XP Professional for Embedded Systems (SP1/SP2/SP3)(32bit)
   - Windows Vista for Embedded Systems (NoSP/SP1/SP2)(32bit)
   - Windows 7 for Embedded Systems (NoSP/SP1)(32/64bit)
   - Windows Embedded POSReady (32bit)
   - Windows Embedded POSReady 2009 (32bit)
   - Windows Embedded POSReady 7 (32/64bit)

   Windows Server:
   - Windows 2000 Server SP4 (32bit)
   - Windows Server 2003 (SP1/SP2) [Standard/Enterprise/Storage](32bit)
   - Windows Server 2003 R2 (NoSP/SP2) [Standard/Enterprise/Storage]
     (32bit)
   - Windows Server 2008 (SP1/SP2) [Standard/Enterprise/Storage]
     (32/64bit)
   - Windows Server 2008 R2 (NoSP/SP1) [Standard/Enterprise/Storage]
     (64bit)
   - Windows Server 2012 (NoSP) [Essentials/Standard](64bit)
   - Windows Server 2012 R2 (NoSP) [Essentials/Standard](64bit)
   - Windows Server 2016 (NoSP) [Standard](64bit)
   - Windows Storage Server 2016 (64bit)
   - Windows Server 2003 for Embedded Systems (SP1/SP2) (32bit)
   - Windows Server 2003 R2 for Embedded Systems (NoSP/SP2) (32bit)
   - Windows Server 2008 for Embedded Systems (SP1/SP2) (32/64bit)
   - Windows Server 2008 R2 for Embedded Systems (NoSP/SP1) (64bit)
   - Windows Server 2012 for Embedded Systems (NoSP) (64bit)
   - Windows Server 2012 R2 for Embedded Systems (NoSP) (64bit)
   - Windows Server 2019 (Standard) (64bit)

5. Installation
========================================================================
For information, see the Installation Guide.

6. Post-Installation Configuration
========================================================================

   6.1 Setting Up the Approved List
   =====================================================================
   Set up the Approved List before using the Safe Lock Application
   Lockdown feature for the first time. For more information, see the
   Installation Guide.

   - Before setting up the Approved List, please remember to empty
     Recycle Bin first.

7. Known Issues
========================================================================
Known issues in this release are listed below:

   7.1 Installation and Uninstallation
   =====================================================================
   a. Safe Lock cannot be installed on endpoints when other Trend Micro
      products are already installed.

   b. When installed on English versions of Windows, the Japanese
      version of Safe Lock may not correctly display all characters.

   c. Safe Lock does not support changing language versions during Safe
      Lock upgrades.

   d. If Safe Lock is installed silently and the endpoint must be
      restarted, it must be restarted manually.

   e. After installing the Safe Lock agent on an endpoint running
      Windows Server 2008 without SP2, applications using IIS 7.0 may
      not work as expected.

   f. Safe Lock agents installed on tablets may be unable to resume
      from suspend mode using the quick start button due to an internal
      error. Contact Trend Micro support for further assistance.

   g. The Windows Event Log may contain garbled characters after
      uninstallation of Safe Lock.

   h. After uninstallation, the following files are not removed by
      Setup, but can be removed manually:

      - Temp files
        - C:\Windows\Temp\INST_WKMsi.log
        - C:\Windows\Temp\tmdbg.ini
        - C:\Windows\Temp\TmDbg32.dll
        - C:\Windows\Temp\TmDbg64.dll
        - C:\Windows\Temp\wksptl.ini
      - Log files
        - C:\Documents and Settings\\Local Settings\
          Application Data\Trend Micro\Safe Lock\*.log
        - C:\Users\\AppData\LocalLow\Trend Micro\Safe Lock\*.log
      - Installation folder
        If the Safe Lock service was stopped before uninstallation, you
        must manually remove the Safe Lock installation folder.

   i. OneDrive integration in Windows 10 Fall Creators Update and April
      2018 Update is not supported. Ensure that OneDrive integration is
      disabled before installing Safe Lock.

   j. Running Trend Micro Safe Lock in Windows 2000 may cause a BSOD
      error. To resolve this issue, install Update Roll Up 1 for
      Windows 2000 Service Pack 4 (KB891861).

   7.2 General
   =====================================================================
   a. Universal Windows Platform is not supported.

   b. Safe Lock does not support virtualized applications or
      applications encrypted at the file-system level.

   c. Safe Lock installed on Windows 2000 SP4 (without update rollup)
      or Windows XP SP1 does not support the following functions:
      DLL/Driver Lockdown, Script Lockdown, Integrity Monitoring, USB
      Malware Protection, Storage Device Blocking, Maintenance Mode,
      and Predefined Trusted Updater.
      To support these features, install Filter Manager:
      For Windows 2000 Service Pack 4, apply the update KB891861 from
      the Microsoft Update Catalog website.
      For Windows XP SP1, upgrade to Windows XP SP2.

   d. All Safe Lock features require Windows Administrator privileges.

   e. Safe Lock displays incorrectly at DPI settings other than the
      Windows default.

   f. Safe Lock only supports configuration files using UTF-8 encoding.

   g. Safe Lock has the following maximum path lengths.

      Maximum path length limitation:
      - Installation directory path: 180
      - File path in the Approved List: 238
      - File path of the Trusted Updater: 238
      - File path to export the Approved List: 251
      - File path to import the Approved List: 259
      - File path to export settings: 259
      - File path to import settings: 259

      Note: The maximum length may be shorter if the path contains
      double-byte characters.

   h. If the system tray icon is enabled, local and remote users cannot
      open the Safe Lock console at the same time.

   i. The Safe Lock console and command line interface cannot be used
      at the same time by the logged on user or by simultaneously
      logged on Windows accounts.

   j. When the computer is restarted, the Service Stopped event (Event
      ID 1001) is not logged.

   k. Default value of Windows Event Log size is 10,240 KB for new
      installations. Upgrading the Safe Lock agent does not change any
      user-defined WEL_SIZE values set in the previous installation.

   l. Secure Boot is not supported in Windows 8 and 8.1.

   m. In Windows 10 April 2018 Update (Redstone 4) and later, Safe Lock
      has the following limitations when working with folders where the
      case sensitive attribute has been enabled:

      - Enabling the case sensitive attribute for a folder may prevent
        Safe Lock from performing certain actions (e.g. prescan, quick
        scan, custom actions) on that folder. Folders that do not have
        the attribute enabled are not affected.
      - Safe Lock blocks all processes started from folders where the
        case sensitive attribute is enabled.
        Additionally, Safe Lock is unable to provide any information
        for the blocked processes, except for file path.
      - The Safe Lock agent cannot verify file signatures of files
        saved in folders where the case sensitive attribute is enabled.
        As a result, DAC exceptions related to signatures cannot work.

   n. After Trend Micro Portable Security scanning, the Safe Lock
      service cannot restart successfully.

   7.3 Application Lockdown
   =====================================================================
   a. Application Lockdown must be turned off to configure Windows
      screen saver.

   b. When a script is blocked, two messages are recorded in the
      Windows Event log. For example, *.bat will be blocked twice by
      Trend Micro Safe Lock and will therefore create two block events.

   c. If an EXE file is moved from one folder to another and the file
      is blocked, the old path is displayed in the Windows Event log
      and the Blocked Applications logs.

   d. Files to be added to the Approved List must have read access
      enabled when they are added.

   e. Safe Lock always resolves mapped drives to their UNC paths. For
      example, selecting a mapped drive Z: will actually select the
      UNC \\\ path.

   f. The message "The event log is full" may appear when creating or
      importing the Approved List for the first time. This message may
      not be accurate.

   g. Pop-up notifications do not support guest accounts on systems
      running Windows XP.

   h. The recycle bin may not function properly if it is protected by
      Write Protection settings.

   i. After upgrading Safe Lock agents, old blocking events without
      hash information may display as Hash: %6 in the Windows Event
      Viewer.

   j. On Windows Vista SP0 x86, Safe Lock can perform process chain
      checks only, but is unable to perform cmdline argument checks.
      Endpoints running Windows XP, Vista SP1, and above do not have
      this issue.

   k. When the path length of an executable file is longer than 260
      characters, the executable file is blocked, but the blocked event
      (Event ID 2509) is not logged.

   l. The DAT partition of Trend Micro Portable Security is blocked by
      Device Access Control.

   7.4 Custom Action
   =====================================================================
   a. The Custom Action of "Quarantine" is not supported on Windows XP
      and Windows Server 2003.

   b. If the Custom Action of "Ask Server" is specified, Safe Lock is
      unable to send files on mapped drives or UNC paths to Trend Micro
      Safe Lock Intelligent Manager.

   c. Safe Lock is unable to restore quarantined files to encrypted
      folders.

   7.5 USB Malware Protection
   =====================================================================
   a. USB Malware Protection prevents Trend Micro Portable Security
      from running automatically. Run launcher.exe manually to scan the
      computer.

   7.6 Network Virus Protection
   =====================================================================
   a. Network Virus Protection can only be installed during the initial
      Safe Lock installation. To enable Network Virus Protection after
      installation, Safe Lock must be reinstalled.

   7.7 Memory Randomization
   =====================================================================
   a. Memory Randomization, API Hooking Prevention and DLL Injection
      Prevention are not supported on 64-bit platforms.

   b. The endpoint must be restarted for Memory Randomization to be
      enabled or disabled.

   c. Memory Randomization is not supported on systems running the
      latest version of Windows 10.

   7.8 Trusted Updater and Predefined Trusted Updater
   =====================================================================
   a. Safe Lock Trusted Updater or Predefined Trusted Updater do not
      support the installation of Trend Micro Safe Lock Intelligent
      Manager. Remove Safe Lock from the endpoint before installing
      Safe Lock Intelligent Manager. Safe Lock can be installed after
      installation of Safe Lock Intelligent Manager is complete.

   b. Using the Trusted Updater with an MSI file located on a network
      will result in high CPU usage.
      Copy MSI files to a local drive before using them with the
      Trusted Updater.

   c. The Trusted Updater is used to trace descendant processes of an
      installer. The Trusted Updater ensures that all files
      created/updated by the installer process and all files
      created/updated by the descendant processes of the installer are
      added to the Approved List. However, the Trusted Updater does not
      support an installer which delegates the installation to another
      process which is not the descendant process, and all files
      resulting from this installation are not added to the Approved
      List.

   7.9 Windows Update Support
   =====================================================================
   a. Known issues related to Windows Update Support:

      - Windows Update Support does not support OS upgrades.
      - Windows Update Support does not support major updates for
        systems running Windows 10. For example, updating Windows 10
        from Anniversary Update to Creators Update is not supported.
      - Windows Update Support is not applicable to Trend Micro Safe
        Lock installed on endpoints running systems older than Windows
        Vista.
      - Windows Update Support may not work properly if Microsoft
        KB2862330, KB3110329, or a part of .NET Framework is applied.
      - Windows Update Support may not work properly if a Windows
        Service Pack is applied. We recommend installing Trend Micro
        Safe Lock after the Windows Service Pack is installed.
      - Windows application updates may be blocked on systems running
        Windows 10.

   b. Files added by Windows Update may not be added to the Approved
      List and may remain blocked on the managed endpoints. Manually
      add these files to the Approved List or contact Trend Micro
      support for further assistance.

   c. Safe Lock might encounter issues if Windows Defender update is in
      progress.

   7.10 Managed Mode
   =====================================================================
   a. If the Internet Explorer proxy setting is modified, import the
      Managed Mode configuration to apply that proxy setting (under
      Managed Mode).
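
Added example (not part of the original readme, and not Safe Lock code): a small Python model of the descendant-process tracing described in known issue 7.8 c. It replays a constructed event trace and separates files written by the installer or its descendants from files written by a non-descendant process, which per 7.8 c are not added to the Approved List and need manual review. The event tuple format, PIDs, paths, and process names are assumptions made for illustration.

```python
"""Model of installer descendant tracing (known issue 7.8 c).

Illustration only: the event format and all names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class TraceResult:
    approved: list = field(default_factory=list)  # installer or descendant wrote it
    missed: list = field(default_factory=list)    # a non-descendant wrote it


def trace_installer(events, installer_pid):
    """Replay ordered events and split written files by process lineage.

    events: ("start", pid, ppid, image), ("exit", pid) or ("write", pid, path)
    """
    tracked = {installer_pid}  # live PIDs that descend from the installer
    images = {}                # pid -> image name of the current owner
    result = TraceResult()
    for ev in events:
        kind = ev[0]
        if kind == "start":
            _, pid, ppid, image = ev
            images[pid] = image
            # A new process is tracked only if its parent is tracked now.
            if pid == installer_pid or ppid in tracked:
                tracked.add(pid)
            else:
                tracked.discard(pid)  # PID reused by an unrelated process
        elif kind == "exit":
            # Children of an exited process stay tracked; the PID does not.
            tracked.discard(ev[1])
        elif kind == "write":
            _, pid, path = ev
            bucket = result.approved if pid in tracked else result.missed
            bucket.append((path, images.get(pid, "?")))
    return result


# Constructed trace: setup spawns a child and grandchild, and also hands
# work to a service that was started by an unrelated parent (pid 50).
SAMPLE_EVENTS = [
    ("start", 100, 4, "vendor_setup.exe"),
    ("start", 200, 50, "vendor_agent_svc.exe"),
    ("start", 110, 100, "unpack.exe"),
    ("write", 100, r"C:\App\app.exe"),
    ("write", 110, r"C:\App\lib.dll"),
    ("start", 120, 110, "register.exe"),
    ("exit", 110),
    ("write", 120, r"C:\App\plugin.dll"),
    ("write", 200, r"C:\App\updater.exe"),  # delegated install step
    ("exit", 120),
    ("start", 120, 50, "other.exe"),        # PID 120 reused, unrelated
    ("write", 120, r"C:\Temp\x.tmp"),
]

if __name__ == "__main__":
    res = trace_installer(SAMPLE_EVENTS, installer_pid=100)
    for path, image in res.approved:
        print(f"approved  {path}  (written by {image})")
    for path, image in res.missed:
        print(f"REVIEW    {path}  (written by {image}, not a descendant)")
```
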

   7.11 Diagnostic Toolkit
   =====================================================================
   a. By default, no troubleshooting logs are collected. To collect
      diagnostic information, enable debug logging in the Diagnostic
      Toolkit.

   b. Troubleshooting logs cannot be stored using mapped drive paths or
      UNC paths.

   c. Extracting the log archive located in the installation folder
      requires a password. To access the archive's contents, copy the
      ZIP file to another folder, extract it, and leave the password
      field blank.

   d. The endpoint must be restarted after uninstalling Safe Lock to
      remove the Diagnostic Toolkit.

   e. Windows 2000 SP4 does not support debug log collection using the
      Diagnostic Toolkit. To solve this issue, apply Update Rollup to
      the managed endpoint or disable Self Protection of the Safe Lock
      agent while collecting debug logs.

   f. Windows 10 environments where Windows Defender real-time
      protection is enabled may experience performance issues if agent
      debug mode is enabled. To avoid this issue, add the agent modules
      below to Windows Defender's exception process before enabling
      debug mode:

      C:\Program Files\Trend Micro\Safe Lock\WKSrv.exe
      C:\Program Files\Trend Micro\Safe Lock\SLCmd.exe

      NOTE: The module path may vary depending on the environment.

   7.12 API Hooking Prevention
   =====================================================================
   a. When API Hooking Prevention is enabled, Trend Micro Safe Lock
      blocks Google Chrome web browser.

   7.13 Maintenance Mode
   =====================================================================
   a. When the agent is about to leave Maintenance Mode, restarting the
      agent endpoint prevents Safe Lock from adding files in the queue
      to the Approved List.

   b. During the maintenance period, you cannot perform agent patch
      updates on endpoints.

   c. When Maintenance Mode is enabled, Safe Lock does not support
      Windows updates that require restarting an endpoint during the
      maintenance period.

   7.14 Scan for Malware
   =====================================================================
   a. For agent component updates, make sure that Safe Lock agents can
      connect to an update source without using a proxy server.

   b. After a component update is complete, you cannot roll back the
      component to a previous version.

8. Release History
========================================================================
For more information about updates to this product, go to:

http://www.trendmicro.com/download

   Trend Micro Safe Lock TXOne Edition - October 09, 2019
   Trend Micro Safe Lock TXOne Edition 1.1 - April 30, 2020

9. Contact Information
========================================================================
A license to Trend Micro software usually includes the right to product
updates, pattern file updates, and basic technical support for one (1)
year from the date of purchase only. After the first year, you must
renew Maintenance on an annual basis at Trend Micro's then-current
Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to
download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

10. About Trend Micro
========================================================================
Trend Micro Incorporated, a global leader in Internet content security
and threat management, aims to create a world safe for the exchange of
digital information for businesses and consumers. A pioneer in
server-based antivirus with over 20 years of experience, we deliver
top-ranked security that fits our customers' needs, stops new threats
faster, and protects data in physical, virtualized and cloud
environments.
Powered by the Trend Micro(TM) Smart Protection Network(TM)
infrastructure, our industry-leading cloud-computing security
technology and products stop threats where they emerge, on the
Internet, and are supported by 1,000+ threat intelligence experts
around the globe. For additional information, visit www.trendmicro.com.

Copyright 2020, Trend Micro Incorporated. All rights reserved.
Trend Micro, the t-ball logo and Safe Lock are trademarks of Trend
Micro Incorporated and are registered in some jurisdictions. All other
product or company names may be trademarks or registered trademarks of
their owners.

11. About TXOne Networks
========================================================================
TXOne Networks Inc. is a joint venture between Trend Micro Inc. and
Moxa Inc. TXOne Networks Inc. offers cybersecurity solutions to protect
industrial control systems (ICS) and ensure reliability and safety from
cyberattacks.

12. License Agreement
========================================================================
View information about your license agreement with Trend Micro at:

www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed:

   - By selecting the "About" option in the application user interface
   - By referring to the "Legal" page of the Administrator's Guide