<> Trend Micro, Inc. December 15, 2014 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro Safe Lock(TM) 2.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NOTE: This readme file was current as of the date above. However, all customers are advised to check the Trend Micro website for documentation updates at: http://docs.trendmicro.com/ Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro documents, please contact us at docs@trendmicro.com. Your feedback is always welcome. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp Contents =================================================================== 1. About Safe Lock 2. What's New 3. Documentation Set 4. System Requirements 4.1 Hardware Requirements 4.2 Supported Operating Systems 5. Installation 6. Post-Installation Configuration 6.1 Setting Up the Approved List 7. Known Issues 8. Release History 9. Contact Information 10. About Trend Micro 11. License Agreement =================================================================== 1. About Trend Micro Safe Lock ======================================================================== Trend Micro Safe Lock consists of an agent program called Safe Lock that resides on endpoints and a server program called Safe Lock Intelligent Manager that manages agents. Trend Micro Safe Lock protects fixed-function computers like Industrial Control Systems (ICS), Point of Sale (POS) terminals, and kiosk terminals from malicious software and unauthorized use. By using fewer resources and without the need for regular software or system updates, Safe Lock can reliably secure computers in industrial and commercial environments with little performance impact or downtime. Trend Micro Safe Lock Intelligent Manager provides centralized monitoring and management of Trend Micro Safe Lock agent deployment, status, and events. For example, administrators can remotely deploy agents, deploy initial agent Approved Lists, and change agent Application Lockdown states. Additionally, Safe Lock Intelligent Manager performs malware scans and administrators can view root cause information on files blocked from running by Safe Lock agents, reducing the time and effort needed to verify events and allowing quick responses to incidents. 2. What's New ======================================================================== Trend Micro Safe Lock 2.0 includes the following new features and benefits. - Upgrade from Trend Micro Safe Lock 1.1 can be performed without manual uninstallation of older version. - Prescan during installation detects malware before installation of Safe Lock agent. - Approved List and Predefined Trusted Updater allow load or launch of files with digital signatures. - Write Protection prevents write access to files, folders, or the registry. - Integrity Monitoring monitors change events for files, folders, and the registry. - Trusted Updater monitors installers or updaters that require system reboot. - Exception paths allow load or launch of files from a specified path without adding each specific file to the Approved List. - Actions taken on blocked files can be customized. For example, specify that Safe Lock do any one of the following: - Ignore - Quarantine - Ask Server (requires Safe Lock Intelligent Manager) - Root Cause Analysis provides root cause information and diagrams to help administrators investigate blocked files (requires Safe Lock Intelligent Manager). 3. Documentation Set ======================================================================== In addition to this readme.txt, the documentation set for this product includes the following: - Installation Guide (IG): Provides product overview, deployment plan, installation steps, and basic information intended to help you deploy Trend Micro Safe Lock. - Administrator's Guide (AG): Provides post-installation instructions on how to configure the settings to help you get Trend Micro Safe Lock "up and running". Also includes instructions on performing other administrative tasks for the maintenance of Safe Lock. - Knowledge Base: Provides a searchable database of known product issues, including specific problem-solving and troubleshooting topics. http://esupport.trendmicro.com 4. System Requirements ======================================================================== 4.1 Hardware Requirements ===================================================================== Trend Micro Safe Lock does not have specific hardware requirements beyond those specified by the operating system, with the following exceptions: - Available free disk space: 300MB - Monitor and resolution: VGA (640x480), 16 colors 4.2 Supported Operating Systems ===================================================================== Trend Micro Safe Lock can be installed on the following Microsoft Windows platforms: Windows Clients: - Windows 2000 (SP4) [Professional] (32bit) - Windows XP (SP1/SP2/SP3) [Professional] (32bit) - Windows Vista (NoSP/SP1/SP2) [Business/Enterprise/Ultimate] (32bit) - Windows 7 (NoSP/SP1) [Professional/Enterprise/Ultimate] (32/64bit) - Windows 8 (NoSP) [Enterprise] (32/64bit) - Windows 8.1 (NoSP) [Enterprise] (32/64bit) - Windows XP Embedded (SP1/SP2) (32bit) - Windows Embedded Standard 2009 (NoSP) (32bit) - Windows Embedded Standard 7 (NoSP/SP1) (32/64bit) - Windows Embedded 8 Standard (NoSP) (32/64bit) - Windows Embedded 8.1 Pro (NoSP) (32/64bit) - Windows XP Professional for Embedded Systems (SP1/SP2/SP3) (32bit) - Windows Vista for Embedded Systems (NoSP/SP1/SP2) (32bit) - Windows 7 for Embedded Systems (NoSP/SP1) (32/64bit) - Windows Embedded POSReady (32bit) - Windows Embedded POSReady 2009 (32bit) - Windows Embedded POSReady 7 (32/64bit) Windows Server: - Windows 2000 Server SP4 (32bit) - Windows Server 2003 (SP1/SP2) [Standard/Enterprise/Storage] (32bit) - Windows Server 2003 R2 (NoSP/SP2) [Standard/Enterprise/Storage] (32bit) - Windows Server 2008 (SP1/SP2) [Standard/Enterprise/Storage] (32/64bit) - Windows Server 2008 R2 (NoSP/SP1) [Standard/Enterprise/Storage] (64bit) - Windows Server 2012 (NoSP) [Essentials/Standard] (64bit) - Windows Server 2012 R2 (NoSP) [Essentials/Standard] (64bit) - Windows Server 2003 for Embedded Systems (SP1/SP2) (32bit) - Windows Server 2003 R2 for Embedded Systems (NoSP/SP2) (32bit) - Windows Server 2008 for Embedded Systems (SP1/SP2) (32/64bit) - Windows Server 2008 R2 for Embedded Systems (NoSP/SP1) (64bit) - Windows Server 2012 for Embedded Systems (NoSP) (64bit) - Windows Server 2012 R2 for Embedded Systems (NoSP) (64bit) 5. Installation ======================================================================== For information, see the Installation Guide. 6. Post-Installation Configuration ======================================================================== 6.1 Setting-Up the Approved List ===================================================================== You must set up the Approved List before using the Safe Lock Application Lockdown feature for the first time. For information on setting-up the Approved List, see the Installation Guide. 7. Known Issues ======================================================================== - DLL/Driver Lockdown, Integrity Monitoring, and the Predefined Trusted Updater are not supported on Windows XP SP1 or Windows 2000 SP4 (without Update Rollup). - Memory Randomization, API Hooking Prevention and DLL Injection Prevention are not supported on 64-bit platforms. - The Custom Action of "Quarantine" is not supported on Windows XP and Windows Server 2003. - If the Custom Action of "Ask Server" is specified, Safe Lock is unable to send files on mapped drives or UNC paths to Trend Micro Safe Lock Intelligent Manager. - All Safe Lock features require Windows Administrator privileges. - The recycle bin may not function properly if it is protected by Write Protection settings. - Safe Lock cannot be installed on endpoints with other Trend Micro products already installed. - Network Virus Protection can only be installed during the initial Safe Lock installation. To enable Network Virus Protection after installation, Safe Lock must be reinstalled. - When installed on English versions of Windows, the Japanese version of Safe Lock may not correctly display all characters. - Safe Lock does not support changing language versions during Safe Lock upgrades. - Safe Lock Trusted Updater or Predefined Trusted Updater do not support the installation of Trend Micro Safe Lock Intelligent Manager. Remove Safe Lock from the endpoint before installing Safe Lock Intelligent Manager. Safe Lock can be installed after installation of Safe Lock Intelligent Manager is complete. - Safe Lock only supports configuration files using UTF-8 encoding. - Safe Lock has the following maximum path lengths (total bytes): - Install: 180 Unable to support DBCS for installation path on English platforms. - ADD/TU: 238 - Export DB: 251 - Import DB: 259 - Export/Import Configuration: 259 - If Safe Lock is installed silently, and the computer must be restarted, it must be restarted manually. - The computer must be restarted for Memory Randomization to be enabled or disabled. - If the Internet Explorer proxy setting is modified, import the Managed Mode configuration to apply that proxy setting (under Managed Mode). - Safe Lock does not support virtualized applications or applications encrypted at the file-system level. - Safe Lock is unable to restore quarantined files to encrypted folders. - Safe Lock displays incorrectly at DPI settings other than the Windows default. - The Safe Lock management console and command line interface cannot be used at the same time by the logged on user or by simultaneously logged on Windows accounts. - If the system tray icon is enabled, local and remote users cannot open the Safe Lock console at the same time. - Files to be added to the Approved List must have read access enabled when they are added. - Application Lockdown must be turned off to configure Windows screen saver. - When the computer is restarted, the Service Stopped event (Event ID 1001) is not logged. - Safe Lock always resolves mapped drives to their UNC paths. For example, selecting a mapped drive Z: will actually select the UNC \\\ path. - Using the Trusted Updater with an MSI file located on a network will result in high CPU usage. Copy MSI files to a local drive before using them with the Trusted Updater. - USB Malware Protection will prevent Trend Micro Portable Security from running automatically. Run launcher.exe manually to scan the computer. - When a script is blocked, two messages are recorded in the Windows Event Log. For example, *.bat will be blocked twice by Trend Micro Safe Lock and will therefore create two block events. - If an EXE file is moved from one folder to another, and the file is blocked, the old path is displayed in the Windows Event log and the Blocked Applications logs. - The message "The event log is full" may appear when creating or importing the Approved List for the first time. This message may not be accurate. - If the Safe Lock administrator loses the Safe Lock administrator password, the only way to remove or disable Safe Lock is to reinstall Windows. - By default, no troubleshooting logs are collected. To collect diagnostic information, enable debug logging in the Diagnostic Toolkit. - Troubleshooting logs cannot be stored using mapped drive paths or UNC paths. - Extracting the log archive located in the installation folder appears to require a password. To access the archive's contents, copy the ZIP file to another folder, extract it, and leave the password field blank. - The computer must be restarted after uninstalling Safe Lock to remove the Diagnostic Toolkit. - The Windows Event Log may contain garbled characters after uninstallation of Safe Lock. - After uninstallation, the following files are not removed by Setup, but can be removed manually: - Temp files - C:\Windows\Temp\INST_WKMsi.log - C:\Windows\Temp\tmdbg.ini - C:\Windows\Temp\TmDbg32.dll - C:\Windows\Temp\TmDbg64.dll - C:\Windows\Temp\wksptl.ini - Log files - C:\Documents and Settings\\Local Settings\ Application Data\Trend Micro\Safe Lock\*.log - C:\Users\\AppData\LocalLow\Trend Micro\ Safe Lock\*.log - Installation folder If the Safe Lock service was stopped before uninstallation, you must manually remove the Safe Lock installation folder. - After installing the Safe Lock agent on an endpoint running Windows Server 2008 without SP2, applications using IIS 7.0 may not work as expected. 8. Release History ======================================================================== Trend Micro Safe Lock 1.0 - November 30, 2012 Trend Micro Safe Lock 1.1 - June 7, 2013 Trend Micro Safe Lock 2.0 - December 15, 2014 9. Contact Information ======================================================================== A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees. You can contact Trend Micro via fax, phone, and email, or visit us at: http://www.trendmicro.com Evaluation copies of Trend Micro products can be downloaded from our web site. Global Mailing Address/Telephone Numbers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For global contact information in the Asia/Pacific region, Australia and New Zealand, Europe, Latin America, and Canada, refer to: http://www.trendmicro.com/en/about/overview.htm The Trend Micro "About Us" screen displays. Click the appropriate link in the "Contact Us" section of the screen. Note: This information is subject to change without notice. 10. About Trend Micro ======================================================================== Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years experience, we deliver top-ranked security that fits our customers' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the Trend Micro(TM) Smart Protection Network(TM) infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit www.trendmicro.com. Copyright 2014, Trend Micro Incorporated. All rights reserved. Trend Micro, the t-ball logo and OfficeScan are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other product or company names may be trademarks or registered trademarks of their owners. 11. License Agreement ======================================================================== Information about your license agreement with Trend Micro can be viewed at: http://us.trendmicro.com/us/about/company/user_license_agreements/ Third-party licensing agreements can be viewed by selecting the "About" option in the application user interface.