<> Trend Micro, Inc. December 15, 2014 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro Safe Lock(TM) 2.0 with Intelligent Manager ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NOTE: This readme file was current as of the date above. However, all customers are advised to check the Trend Micro website for documentation updates at: http://docs.trendmicro.com/ Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro documents, please contact us at docs@trendmicro.com. Your feedback is always welcome. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp Contents =================================================================== 1. About Safe Lock 2. What's New 2.1 Safe Lock Intelligent Manager 2.2 Safe Lock agents 3. Documentation Set 4. System Requirements 4.1 Safe Lock Intelligent Manager 4.1.1 Hardware Requirements 4.1.2 Supported Operating Systems 4.1.3 IIS Requirements 4.1.4 SQL Server Requirements 4.1.5 Browser Requirements (for web console) 4.2 Safe Lock agents 4.2.1 Hardware Requirements 4.2.2 Supported Operating Systems 5. Installation 6. Known Issues 6.1 Safe Lock Intelligent Manager 6.2 Safe Lock agents 7. Contact Information 8. About Trend Micro 9. License Agreement =================================================================== 1. About Trend Micro Safe Lock ======================================================================== Trend Micro Safe Lock consists of an agent program called Safe Lock that resides on endpoints and a server program called Safe Lock Intelligent Manager that manages agents. Trend Micro Safe Lock Intelligent Manager provides centralized monitoring and management of Trend Micro Safe Lock agent deployment, status, and events. For example, administrators can remotely deploy agents, deploy initial agent Approved Lists, and change agent Application Lockdown states. Additionally, Safe Lock Intelligent Manager performs malware scans and administrators can view root cause information on files blocked from running by Safe Lock agents, reducing the time and effort needed to verify events and allowing quick responses to incidents. Trend Micro Safe Lock agents protects fixed-function computers like Industrial Control Systems (ICS), Point of Sale (POS) terminals, and kiosk terminals from malicious software and unauthorized use. By using fewer resources and without the need for regular software or system updates, Safe Lock agents can reliably secure computers in industrial and commercial environments with little performance impact or downtime. 2. What's New ======================================================================== 2.1 Safe Lock Intelligent Manager ===================================================================== NOTE: The agent program that resides on endpoints is referred to as Safe Lock agent, and the server program that manages agents is referred to as Safe Lock Intelligent Manager. Trend Micro Safe Lock 2.0 Intelligent Manager is a new feature of Trend Micro Safe Lock that includes the following features and benefits: - Safe Lock Intelligent Manager provides centralized monitoring and management of Trend Micro Safe Lock agent deployment, status, and events. - The web console dashboard provides summarized information about monitored Safe Lock agents. - Administrators can check deployed Safe Lock agent status easily, and can generate security reports related to Safe Lock agent activity for specified periods. - Administrators can monitor Safe Lock agent status, examine connection status, view configurations, collect agent logs on-demand or by policy, and remotely turn agent Application Lockdown on or off. - Administrators can monitor events and status reports and respond when files are blocked from running - When blocked file events happen, administrators can determine if they are the result of a significant incident or not. Safe Lock Intelligent Manager provides malware scanning features and root cause information and diagrams to help administrators investigate blocked files quickly. - Operations performed by Safe Lock Intelligent Manager web console accounts are logged. Safe Lock Intelligent Manager records an operating log for each account, tracking who logs on, who deletes event logs, and more. 2.2 Safe Lock agents ===================================================================== NOTE: The agent program that resides on endpoints is referred to as Safe Lock agent, and the server program that manages agents is referred to as Safe Lock Intelligent Manager. Safe Lock agent includes the following new features and benefits: - Upgrade from Trend Micro Safe Lock 1.1 can be performed without manual uninstallation of older version. - Prescan during installation detects malware before installation of Safe Lock agent. - Approved List and Predefined Trusted Updater allow load or launch of files with digital signatures. - Write Protection prevents write access to files, folders, or the registry. - Integrity Monitoring monitors change events for files, folders, and the registry. - Trusted Updater monitors installers or updaters that require system reboot. - Exception paths allow load or launch of files from a specified path without adding each specific file to the Approved List. - Actions taken on blocked files can be customized. For example, specify that Safe Lock agents do any one of the following: - Ignore - Quarantine - Ask Server (requires Safe Lock Intelligent Manager) - Root Cause Analysis provides root cause information and diagrams to help administrators investigate blocked files (requires Safe Lock Intelligent Manager). 3. Documentation Set ======================================================================== In addition to this readme.txt, the documentation set for this product includes the following: - Installation Guide (IG): Provides product overview, deployment plan, installation steps, and basic information intended to help you deploy Trend Micro Safe Lock Intelligent Manager. - Administrator's Guide (AG): Provides post-installation instructions on how to configure the settings to help you get Trend Micro Safe Lock Intelligent Manager "up and running". Also includes instructions on performing other administrative tasks for the maintenance of Trend Micro Safe Lock Intelligent Manager and for the deployment and maintenance of Trend Micro Safe Lock agents. - Knowledge Base: Provides a searchable database of known product issues, including specific problem-solving and troubleshooting topics. http://esupport.trendmicro.com 4. System Requirements ======================================================================== 4.1 Safe Lock Intelligent Manager ===================================================================== 4.1.1 Hardware Requirements ================================================================= NOTE: Trend Micro Safe Lock Intelligent Manager has specific requirements that vary based on other software running on the server endpoint. - Safe Lock Intelligent Manager: - Minimum - RAM: 2GB - Processor: 1 CPU core - Available Disk Space: 10GB - Recommended - RAM: 4GB or more - Processor: 1 CPU core or more - Available Disk Space: 20GB - Safe Lock Intelligent Manager (with Safe Lock agent) - Minimum - RAM: 2GB - Processor: 1 CPU core - Available Disk Space: 10GB - Recommended - RAM: 4GB or more - Processor: 2 CPU cores or more - Available Disk Space: 20GB - Safe Lock Intelligent Manager + Microsoft SQL Server 2008 R2 Express SP2 (with or without Safe Lock agent) - Minimum - RAM: 4GB - Processor: 1 CPU core - Available Disk Space: 30GB - Recommended - RAM: 8GB or more - Processor: 2 CPU cores or more - Available Disk Space: 50GB - Safe Lock Intelligent Manager + Microsoft SQL Server 2008/2012 (with or without Safe Lock agent) - Minimum - RAM: 32GB - Processor: 2 CPU cores - Available Disk Space: 1TB - Recommended - RAM: 32GB or more - Processor: 4 CPU cores or more - Available Disk Space: 2TB or more - Monitor and resolution: XGA (1024x768), 16 bit colors 4.1.2 Supported Operating Systems =============================================================== Trend Micro Safe Lock Intelligent Manager can be installed on the following Microsoft Windows platforms: - Windows Clients: - Windows XP (SP2/SP3) [Professional] (32bit) - Windows 7 (NoSP/SP1) [Enterprise/Ultimate] (32/64bit) - Windows 8 (NoSP) [Enterprise] (32/64bit) - Windows 8.1 (NoSP) [Enterprise] (32/64bit) - Windows Server: - Windows Server 2003 (NoSP/SP1/SP2) [Standard/ Enterprise/Storage] (32/64bit) - Windows Server 2003 R2 (NoSP/SP2) [Standard/ Enterprise/Storage] (32/64bit) - Windows Server 2008 (SP1/SP2) [Standard/Enterprise/ Storage] (32/64bit) - Windows Server 2008 R2 [Standard/Enterprise/Storage] (NoSP/SP1) (64bit) - Windows Server 2012 (NoSP) [Foundation/Essentials/ Standard/Datacenter] (64bit) - Windows Server 2012 R2 (NoSP) [Foundation/Essentials/ Standard/Datacenter] (64bit) 4.1.3 IIS Requirements =============================================================== NOTE: Safe Lock Intelligent Manager has specific requirements for IIS that vary based on other software running on the server endpoint. - Windows Clients: - Windows XP (32bit): IIS 5.1 - Windows 7: IIS 7.5 - Windows 8: IIS 8.0 - Windows 8.1: IIS 8.5 - Windows Server: - Windows Server 2003: IIS 6.0 - Windows Server 2003 R2: IIS 6.0 - Windows Server 2008: IIS 7.0 - Windows Server 2008 R2: IIS 7.5 - Windows Server 2012: IIS 8.0 - Windows Server 2012 R2: IIS 8.0 4.1.4 SQL Server Requirements =============================================================== Safe Lock Intelligent Manager requires one of the following versions of SQL Server: - Microsoft SQL Server 2008 R2 Express SP2 An installer is included in the Safe Lock Intelligent Manager Setup package. NOTE: Microsoft SQL Server 2008 R2 Express SP2 requires Microsoft .NET Framework 3.5 Service Pack 1. - Microsoft SQL Server 2008/2012 (recommended) NOTE: Safe Lock Intelligent Manager without Microsoft SQL Server 2008 R2 Express SP2 requires Microsoft .NET Framework 2.0 Service Pack 2. 4.1.5 Browser Requirements (for web console) =============================================================== Safe Lock Intelligent Manager web console access requires one of the following web browsers: - Microsoft Internet Explorer 7.0, 8.0, 9.0, 10.0, 11.0 (32/64bit) - The latest version of Google Chrome / Chrome Portable - Mozilla Firefox 6 or later 4.2 Safe Lock agents ===================================================================== 4.2.1 Hardware Requirements =============================================================== Trend Micro Safe Lock agents does not have specific hardware requirements beyond those specified by the operating system, with the following exceptions: - Available free disk space: 300MB - Monitor and resolution: VGA (640x480), 16 colors 4.2.2 Supported Operating Systems =============================================================== Safe Lock agents can be installed on the following Microsoft Windows platforms: Windows Clients: - Windows 2000 (SP4) [Professional] (32bit) - Windows XP (SP1/SP2/SP3) [Professional] (32bit) - Windows Vista (NoSP/SP1/SP2) [Business/Enterprise/ Ultimate] (32bit) - Windows 7 (NoSP/SP1) [Professional/Enterprise/ Ultimate] (32/64bit) - Windows 8 (NoSP) [Enterprise] (32/64bit) - Windows 8.1 (NoSP) [Enterprise] (32/64bit) - Windows XP Embedded (SP1/SP2) (32bit) - Windows Embedded Standard 2009 (NoSP) (32bit) - Windows Embedded Standard 7 (NoSP/SP1) (32/64bit) - Windows Embedded 8 Standard (NoSP) (32/64bit) - Windows Embedded 8.1 Pro (NoSP) (32/64bit) - Windows XP Professional for Embedded Systems (SP1/SP2/ SP3) (32bit) - Windows Vista for Embedded Systems (NoSP/SP1/SP2) (32bit) - Windows 7 for Embedded Systems (NoSP/SP1) (32/64bit) - Windows Embedded POSReady (32bit) - Windows Embedded POSReady 2009 (32bit) - Windows Embedded POSReady 7 (32/64bit) Windows Server: - Windows 2000 Server SP4 (32bit) - Windows Server 2003 (SP1/SP2) [Standard/Enterprise/ Storage] (32bit) - Windows Server 2003 R2 (NoSP/SP2) [Standard/ Enterprise/Storage] (32bit) - Windows Server 2008 (SP1/SP2) [Standard/Enterprise/ Storage] (32/64bit) - Windows Server 2008 R2 (NoSP/SP1) [Standard/Enterprise/ Storage] (64bit) - Windows Server 2012 (NoSP) [Essentials/Standard] (64bit) - Windows Server 2012 R2 (NoSP) [Essentials/Standard] (64bit) - Windows Server 2003 for Embedded Systems (SP1/SP2) (32bit) - Windows Server 2003 R2 for Embedded Systems (NoSP/SP2) (32bit) - Windows Server 2008 for Embedded Systems (SP1/SP2) (32/ 64bit) - Windows Server 2008 R2 for Embedded Systems (NoSP/SP1) (64bit) - Windows Server 2012 for Embedded Systems (NoSP) (64bit) - Windows Server 2012 R2 for Embedded Systems (NoSP) (64bit) 5. Installation ======================================================================== For information, see the Installation Guide. 6. Known Issues ======================================================================== 6.1 Safe Lock Intelligent Manager ===================================================================== - Installed Safe Lock 1.x agents block and prevent the installation of Trend Micro Safe Lock Intelligent Manager. Trend Micro Safe Lock Intelligent Manager must be installed before Trend Micro Safe Lock agent when installing both on the same endpoint. Safe Lock agent can be installed after installation of Safe Lock Intelligent Manager is complete. - During Safe Lock Intelligent Manager re-installations using an existing Microsoft SQL Server, any mismatch between the original Safe Lock Intelligent Manager server IP address and the new Safe Lock Intelligent Manager server IP address results in the original Safe Lock Intelligent Manager database being erased and a new database being used. - Safe Lock agents Trusted Updater or Predefined Trusted Updater do not support the installation of Trend Micro Safe Lock Intelligent Manager. Remove Safe Lock agent from the endpoint before installing Safe Lock Intelligent Manager. Safe Lock agents can be installed after installation of Safe Lock Intelligent Manager is complete. - Safe Lock Intelligent Manager remote installations to endpoints running Windows 2000 Server may not automatically reboot even if the reboot is needed. - Safe Lock Intelligent Manager remote installations may not succeed because the svchost.exe process can end unexpectedly in the following versions of Windows: - Windows 2000 (SP4) - Windows Server 2003 (SP1/SP2) - Windows XP (SP1/SP2/SP3) - When a script is blocked, two messages are recorded in the Windows Event Log. For example, *.bat will be blocked twice by Safe Lock agents and will therefore create two block events. - Root cause analysis is unable to indicate information for blocked files located on mapped network drives. - Safe Lock agents are unable to upload their debug log to Trend Micro Safe Lock Intelligent Manager if that debug log is over 2GB. - Network antivirus software may prevent files containing known malicious content from being sent from Safe Lock agents to Safe Lock Intelligent Manager for scanning. - In some cases, if a Safe Lock agent is unable to send a blocked file to Safe Lock Intelligent Manager for scanning, Safe Lock Intelligent Manager reports the status of the file as "Pending Scan". However, in these cases, the file is never sent and the status is permanently reported as "Pending Scan". - Safe Lock Intelligent Manager is unable to sync license status to agents after the Safe Lock Intelligent Manager license expires. Specify a valid Activation Code in Trend Micro Safe Lock Intelligent Manager to keep licenses consistent if your Activation Code expires. - IIS server 7.0 or below is associated with a delay (typically 10 seconds) during the first Trend Micro Safe Lock Intelligent Manager web console log on. - When Safe Lock Intelligent Manager uses a local server requiring authentication (UNC) for updates, Windows XP, 7, 8, and 8.1 are sometimes unable maintain enough simultaneous network connections to update all specified components. - Google Chrome blocks downloaded packages of Trend Micro Safe Lock agent from the web console. - Safe Lock Intelligent Manager is unable to remotely uninstall Safe Lock agents on Windows 7 or later version from Windows Server 2008. Windows Server 2008 R2 does not have an issue. - After installing the Safe Lock agent and Safe Lock Intelligent Manager together on an endpoint running Windows Server 2008 without SP2, then specifying IIS 7.0 as the web server, the Safe Lock Intelligent Manager web console and applications using IIS 7.0 may not work as expected. 6.2 Safe Lock agents ===================================================================== For information, see Readme file for Safe Lock agents. 7. Contact Information ======================================================================== A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees. You can contact Trend Micro via fax, phone, and email, or visit us at: http://www.trendmicro.com Evaluation copies of Trend Micro products can be downloaded from our web site. Global Mailing Address/Telephone Numbers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For global contact information in the Asia/Pacific region, Australia and New Zealand, Europe, Latin America, and Canada, refer to: http://www.trendmicro.com/en/about/overview.htm The Trend Micro "About Us" screen displays. Click the appropriate link in the "Contact Us" section of the screen. Note: This information is subject to change without notice. 8. About Trend Micro ======================================================================== Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years experience, we deliver top-ranked security that fits our customers' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the Trend Micro(TM) Smart Protection Network(TM) infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit www.trendmicro.com. Copyright 2014, Trend Micro Incorporated. All rights reserved. Trend Micro, the t-ball logo and OfficeScan are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other product or company names may be trademarks or registered trademarks of their owners. 9. License Agreement ======================================================================== Information about your license agreement with Trend Micro can be viewed at: http://us.trendmicro.com/us/about/company/user_license_agreements/ Third-party licensing agreements can be viewed by selecting the "About" option in the application user interface.