Trend Micro, Inc.

October 2019

Trend Micro Apex One™ as a Service

Version 2019

This readme file is current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates at http://docs.trendmicro.com/en-us/enterprise/apex-one-as-a-service.aspx.

Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation, or online at http://olr.trendmicro.com.

Trend Micro always seeks to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site: http://docs.trendmicro.com/en-us/survey.aspx.

Contents

1. About Apex One as a Service
2. What's New
   • Previous Releases
   • Resolved Known Issues
3. Document Set
4. System Requirements
5. Installation
6. Known Issues
   • Apex Central Known Issues
   • Apex One and Security Agent Known Issues
   • Apex One (Mac) Known Issues
   • Apex One (Linux) Known Issues
7. Contact Information
8. About Trend Micro
9. License Agreement

1. About Apex One as a Service

Trend Micro Apex One™ as a Service protects endpoints, on or off the corporate network, against malware, Trojans, worms, spyware, and ransomware with protection that adapts against new unknown variants as they emerge.

Apex One as a Service provides the following full-featured product benefits:

• More efficient use of endpoint resources

  Delivered via an architecture that uses endpoint resources more effectively and optimizes CPU and network utilization

• High-fidelity machine learning (pre-execution and runtime)

  A blend of threat protection techniques that help eliminate security gaps across any user activity and any endpoint

• Behavioral analysis

  Safeguards against scripts, injection, ransomware, memory and browser attacks

• Available as a service

  Rapid deployment and simplified administration and maintenance with the same comprehensive enterprise threat protection as the on-premises Trend Micro Apex One

For more information, go to:

http://docs.trendmicro.com/en-us/enterprise/apex-one-as-a-service.aspx

Back to top

2. What's New

This release of Apex One as a Service includes the following new features and enhancements:

• Always available Root Cause Analysis

  Security Agents continuously upload activity data to Trend Micro so you can generate up-to-date RCA chains regardless of endpoint status.

• Automated troubleshooting

  If you grant the necessary permissions, Trend Micro engineers can take proactive, preventative measures to ensure the continuity of your business operations without interrupting you with numerous email messages and notifications.

• Dashboard enhancements

  The name of the Operation Center tab has changed to Security Posture, the name of the Threat Detection tab has changed to Threat Statistics, and the widgets on the former DLP Incident Investigation tab have moved to the Data Loss Prevention tab.

• Enhanced platform support

  Apex One as a Service extends sensor capabilities for investigations to managed servers running on a supported Linux operating system.

• Fileless attack protection enhancement

  Integration with the Windows Antimalware Scan Interface (AMSI) enhances protection against malicious scripts.

• Historical Investigation support

  You can specify specific URLs to search for while performing a Historical Investigation.

• Impact Analysis enhancement

  The Affected Users screen automatically refreshes every 60 seconds when running an Impact Analysis.

• Performance enhancements

  You can configure Application Control to limit the number of logs that each Security Agent uploads each hour.

• Root Cause Analysis enhancement

  Apex One as a Service supports Root Cause Analysis in Historical Investigations on Apex One (Mac) endpoints.

• Threat Investigation dashboard

  Tailor-made for security analysts performing EDR, the tab allows you to start Historical Investigations, view Attack Discovery detections, and identify critical threats.

• Web Console Auto Refresh enhancement

  You can configure the Apex Central management console to automatically refresh the screen every 600 seconds (enabled by default).

Back to top

Previous Releases

Previous releases included the following features:

• July 2019
• June 2019
• December 2018

July 2019

• Correlation Events

  Cloud App Security integration allows you to investigate protected mailboxes, correlate user information, and generate Analysis Chains in Apex Central to understand threat vectors.

Back to top

June 2019

• New system notices

  The bell icon in the top right corner of the Apex Central management console provides information about new system updates, including when Apex One as a Service will be offline for scheduled maintenance.

• Syslog forwarding

  The Syslog Settings screen allows you to configure Apex Central as a Service to automatically forward supported log types to a syslog server.

• Enhanced Attack Discovery log information

  Attack Discovery logs include MITRE™ Tactics and Techniques information and Windows Antimalware Scan Interface (AMSI) data.

• Direct access to third-party intelligence

  Links to the third-party intelligence sites Threat Connect and VirusTotal on the Preliminary Investigation, Root Cause Analysis, and Detailed Investigation screens.

  Important: As of October 2019, the name of the Preliminary Investigation screen has changed to Historical Investigation and the name of the Detailed Investigation screen has changed to Live Investigation.

• Faster metadata collection

  Security Agents with Endpoint Sensor enabled upload data to the server every 15 minutes to ensure that Preliminary Investigations return up-to-date results.

• Enhanced Root Cause Analysis reports

  Root Cause Analysis reports provide a clear indication of objects with invalid signatures and display further explanation for detected Suspicious Objects.

• Preliminary Investigation enhancements

  File queries enhanced to support SHA-256 and MD5 values.

  Important: As of October 2019, the name of the Preliminary Investigation screen has changed to Historical Investigation.

• Enhanced platform support

  Trend Micro Apex One Security Agents with or without the Endpoint Sensor feature enabled support the Windows 10 May 2019 (1903/19H1) release.

• Detailed Investigation searches

  You can search for specific One-Time or Scheduled Investigation tasks using task name, criteria, method, or creator.

  Important: As of October 2019, the name of the Detailed Investigation screen has changed to Live Investigation.

Back to top

December 2018

• Single, integrated Security Agent

  The upgraded Security Agent has combined all the integrated product agents to provide your complete security requirements in a single agent program.

• Endpoint Sensor integration

  Integration with Endpoint Sensor allows you to monitor, record, and perform both current and historical security investigations on your Apex One endpoints. Use the Apex Central console and perform preliminary investigations to locate at-risk endpoints before executing an in-depth Root Cause Analysis to identify the attack vectors.

• Application Control integration

  Integration with Application Control provides Apex One users with advanced application blocking and endpoint lockdown capabilities. You can run application inventories and create policy rules that only allow specific applications to execute on your endpoints. You can also create application control rules based on application category, vendor, or version.

• Vulnerability Protection integration

  Integration with Vulnerability Protection protects Apex One users by automating the application of virtual patches before official patches become available. Trend Micro provides protected endpoints with recommended Intrusion Prevention rules based on your network performance and security priorities.

• Offline Predictive Machine Learning

  Predictive Machine Learning has been upgraded to provide offline protection against portable executable files. The lightweight, offline model helps protect all endpoints against unknown threats when a functional Internet connection is unavailable.

• Fileless attack protection

  Security Agent policies provide increased real-time protection against the latest fileless attack methods through enhanced memory scanning for suspicious process behaviors. Security Agents can terminate suspicious processes before any damage can be done.

• Apex One Sandbox as a Service integration

  Subscription to the cloud Virtual Analyzer allows you to perform sample submission, synchronize suspicious object lists, and take action on user-defined suspicious objects.

• Customized threat intelligence

  Apex Central allows you to customize your threat intelligence capabilities by manually adding suspicious objects, uploading OpenIOC and STIX files from trusted sources, or automating investigations with the new Apex Central APIs.

• Managed Detection and Response

  The Managed Detection and Response Service brings together the power of the Trend Micro Threat Investigation Center and industry-leading user protection solutions to further protect your network. Improve your threat detection, incident response, and continuous monitoring capabilities, even with limited resources on hand.

Back to top

Resolved Known Issues

For information regarding hotfix solutions and the enhancements available in this release of Apex One as a Service, go to:

https://success.trendmicro.com/solution/1121835-maintenance-schedule-for-trend-micro-apex-one-as-a-service-in-2019

Back to top

3. Document Set

The document set includes:

• Apex One as a Service Documents

  • Readme: Contains a list of known issues and may also contain late-breaking product information not found in the Online Help or printed documentation.
  • Knowledge Base: An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website: http://esupport.trendmicro.com

• Apex Central as a Service Documents

  • Administrator's Guide: A PDF document that provides detailed instructions for how to configure and manage the Apex Central as a Service console and features.
  • Data Protection Lists (Chapter 1 only): A PDF document that lists predefined data identifiers and templates for Data Loss Prevention.
  • Widget and Policy Management Guide: Explains how to configure Dashboard widgets and Policy Management widgets on the Apex Central as a Service console.
  • Automation API Guide: A PDF document that explains how to use Apex Central Automation APIs.
  • Online Help: Provides "how to's", usage advice, and field-specific information. The Help is also accessible from the Apex Central as a Service console.

• Apex One Server Documents

  • Administrator's Guide: A PDF document that discusses getting started information and Apex One server administration.
  • Online Help: Provides "how to's", usage advice, and field-specific information for Apex One server console. The Help is accessible from the Apex One as a Service console.

• Apex One (Mac) Server Documents

  • Administrator's Guide: A PDF document that discusses getting started information and Apex One (Mac) server administration.
  • Online Help: Provides "how to's", usage advice, and field-specific information for Apex One (Mac) server console. The Help is also accessible from the Apex One (Mac) as a Service console.

• Security Agent Documents

  • Apex One Security Agent Readme: Contains a list of known issues and may also contain late-breaking product information not found in the Online Help or printed documentation.
  • Apex One Security Agent Online Help: Discusses getting started information, Apex One Security Agent installation procedures, and Apex One Security Agent management.
  • Apex One (Mac) Security Agent Online Help: Discusses getting started information, Apex One (Mac) Security Agent installation procedures, and Apex One (Mac) Security Agent management.

Download the latest versions of the PDF documents and readme at http://docs.trendmicro.com/en-us/enterprise/apex-one-as-a-service.aspx.

Back to top

4. System Requirements

• Apex One as a Service supports the following web browsers:

  • Microsoft™ Internet Explorer™ 11
  • Microsoft™ Edge™
  • Google™ Chrome™

• The Apex One Security Agent can be installed on endpoints running Microsoft Windows platforms. The Security Agent is also compatible with various third-party products.

  Visit the following website for a complete list of system requirements and compatible third-party products:

  http://docs.trendmicro.com/en-us/enterprise/apex-central-saas/Downloading-Security

  Size of Deployment Package

  Note: All of the following deployment package sizes are for packages that do not include the Data Protection feature.

  For the fully-functional Security Agent MSI Setup Package:

  • 32-bit Setup Package (Smart Scan) = 270 MB
  • 64-bit Setup Package (Smart Scan) = 331 MB

  For the coexist Security Agent MSI Setup Package:

  • 32-bit Setup Package (Smart Scan) = 270 MB
  • 64-bit Setup Package (Smart Scan) = 331 MB

• The Apex One (Mac) Security Agent can be install on endpoints running supported Mac platforms.

  Visit the following website for a complete list of system requirements:

  http://docs.trendmicro.com/en-us/enterprise/apex-central-saas/Downloading-Security

  Size of Deployment Package

  For the Apex One (Mac) Security Agent ZIP Setup Package: 113.4 MB

• The Apex One (Linux) Security Agent can be install on endpoints running supported Linux platforms.

  Visit the following website for a complete list of system requirements:

  http://docs.trendmicro.com/en-us/enterprise/apex-central-saas/Downloading-Security

Back to top

5. Installation

For Security Agent installation instructions, refer to the following website:

http://docs.trendmicro.com/en-us/enterprise/apex-central-saas/Downloading-Security

Back to top

6. Known Issues

Apex Central Issues

The following are the known issues related to the Apex Central management console in this release:

• Active Directory
• Data Loss Prevention
• Endpoint Isolation
• One-time or Scheduled Reports
• Policy Management
• Suspicious Objects
• Additional Release Notes

Active Directory

1. If Apex Central is unable to synchronize Active Directory group information from the Active Directory server, manually add the Active Directory user accounts.

2. The Active Directory agent synchronization tool does not support IPv6 proxy servers.

Data Loss Prevention

1. If you click Export incident details on the Incident Information screen for the DLP Incidents by Severity and Status widget and then change the number of rows that display per page, no data displays on the DLP Incidents by User widget or the DLP Incident Trends by User widget.

Endpoint Isolation

1. After isolating an endpoint using the Apex Central web console, the Security Agent program can no longer connect to the Apex One server if a proxy server is required.

   To resolve this issue, add the required proxy server to the Allowed Traffic exceptions before isolating the endpoint.

One-time or Scheduled Reports

1. The file name of the attached ZIP file for a generated report does not display properly if the report name contains non-alphanumeric characters.

2. The attached ZIP file for a generated report cannot be opened if the report name contains Traditional Chinese characters.

Policy Management

1. When clicking a number on the Policy Management screen, the Apex Central console may log out if the Data Loss Prevention policy is not deployed successfully.

2. When specifying targets by searching for operating systems, or filtering policies by operating system, Windows Server 2019 is not available.

3. Apex Central Policy Tracking displays commands to older versions of the OfficeScan agent as "Pending" regardless of the actual command status.

   To resolve this issue, upgrade all older versions of the OfficeScan agent program to the Trend Micro Apex One Security Agent.

Suspicious Objects

1. If this version of Apex Central is configured as the hub server for a node server running a previous version of Control Manager, the Control Manager node server cannot send Suspicious Object lists to the Apex Central hub server.

Additional Release Notes

1. If the web session times out when navigating to another screen, the web console does not automatically redirect to the Log On screen.

   To resolve this issue, refresh the web browser to load the Log On screen and log on to the web console again.

Back to top

Apex One and Security Agent Known Issues

The following are the known issues related to the Apex One server and Security Agents in this release:

• Agent Installation and Upgrade
• Scanning
• Server Update
• Agent Update
• Server Management
• Agent Management
• Device Control
• Data Loss Prevention
• Endpoint Sensor
• Application Control
• Apex One Firewall
• Smart Scan
• Web Reputation
• Predictive Machine Learning
• Cloud Synchronization Channel Support
• Apex Central Integration
• Additional Release Notes

Agent Installation and Upgrade

1. When an application that locks the Windows Service Control Manager (SCM) is launched, the Security Agent cannot be installed or upgraded. Before upgrading or installing the Security Agent, ensure that no SCM-locking application is running.
2. The Security Agent (operating in fully-featured mode) may not install correctly if Norton SystemWorks™ antivirus is installed on the endpoint. Uninstall it before installing Security Agent.
3. If the Security Agent is installed using the "per-user" method, the Security Agent shortcut will still show on all the users' Windows Start menu.
4. After a Security Agent in a VPN environment is uninstalled successfully, the agent is not removed on the web console's agent tree and its status is offline.
5. Installing Security Agents to Windows 7 or Windows Server 2008 R2 using a GUEST OS running on VMware Workstation 6.x and below may cause the system to stop responding. This is because of compatibility issues with the Intel™ Network Adapter Driver.
6. If you add the Security Agent program to the Microsoft Software Restriction Policy list using the user interface, you may need to restart the endpoint before subsequent additions to the list take effect.

7. You are unable to migrate OfficeScan XG SP1 agents to the Apex One server successfully if the agents used the GlobalSettings.ini "ASE=0" setting to force an HTTP connection with the previous OfficeScan server.

   To resolve this issue, modify the GlobalSettings.ini ASE value to "1" and deploy to all agents on the OfficeScan XG SP1 server before migrating agents to the Apex One server.

8. The Common Client Solution Framework service may not start if “Microsoft Visual C++ 2017 Redistributable” was not installed successfully.

   To resolve this issue, ensure that you install the following Windows update to properly install Microsoft Visual C++ 2017 Redistributable:

   https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows

9. Security Agent consoles running build 13.95 display an incorrect policy name.

   To resolve this issue, upgrade the Security Agent to 14.0. After the Security Agent contacts the server, the policy name displays correctly.

Scanning

1. When specifying the scan target for Scheduled Scan, Scan Now and Real-time Scan, spyware/grayware scan can be disabled. However, for Manual Scan, there is no option for disabling spyware/grayware scan, which means that during Manual Scan, the Security Agent will always scan for spyware/grayware.
2. When the Security Agent is configured to scan mapped drives during Manual Scan, the mapped drive may not get scanned when scanning is initiated through Terminal Service client.
3. When an email containing an attachment with spyware/grayware is retrieved through Eudora email client and POP3 Mail Scan is disabled, the Security Agent's Real-time Scan denies access to the email even if the scan action is "clean". The email does not appear on the inbox and the Eudora client displays a message informing the user that access to the email is denied.
4. After the Damage Cleanup Engine cleans a malicious file, the infection channel always displays as "Local or network drive" regardless of the actual source of the infection.

Server Update

1. When updating Apex One patterns and engines from Apex Central, administrators are not notified of the update status even if notifications are enabled. The update status can be viewed from the Apex Central console.

Agent Update

1. Security Agents can only download settings from the Apex One server, not Update Agents.
2. An Update Agent running a 64-bit platform is unable to generate incremental patterns. Therefore, the Update Agent always downloads all incremental patterns available in the ActiveUpdate server, regardless of how many of these patterns it has previously downloaded.
3. When the server and agent endpoints are located in geographical locations with different time zones, the agent cannot be configured to update based on the server's time zone.

4. Off-premises and Security Agents in Independent mode cannot update the Certified Safe Software Pattern from external update sources.

   Security Agents must connect directly to the Apex One server to receive the Certified Safe Software Pattern updates.

Server Management

1. When the endpoint's date/time format is changed, the date/time format on the Apex One console does not automatically change.

Agent Management

1. Agent names in the Security Agent tree supports only 15 characters and truncates the succeeding characters.
2. Double-byte characters (characters typically used in East Asian languages) cannot be used when specifying the notification message for virus/malware infection source (Administration > Notifications > Agents > Virus/Malware tab).
3. The Prompt users before executing newly encountered programs downloaded through web or email application channels (Server platforms excluded) feature only monitors ports 80, 81, and 8080 on certain Windows platforms that require the TmProxy.exe service.

Device Control

1. If the Device Control permission for USB storage devices is changed from "Allow" to "Block" when USB storage device files are already opened on the agent endpoint, access to the opened files is still permitted. The Block permission is updated the next time that the USB device is plugged in, or the agent endpoint is restarted.
2. Device management applications (such as iTunes, HTCSync, and SamSung Kies) for devices blocked by Device Control are also blocked from user access.

Data Loss Prevention

1. Data transmitted through Instant Messaging applications are not detected if the applications use a non-transparent proxy server.
2. Data Loss Prevention logs can only display the first 1000 bytes of characters in the Source and Destination columns due to a buffer overflow issue with long file names.
3. Security Agents with Data Loss Prevention enabled may encounter a high CPU usage issue when uploading large files through Box Sync.

Endpoint Sensor

1. Coexist mode Security Agents on endpoints with Windows Defender may experience installation issues or be unable to upload data to the Apex One server due to a file locking issue.

   To resolve this issue, add Endpoint Sensor (ESEServiceShell.exe and ESClient.exe) in the exclusions list of Windows Defender to prevent the locking issue.

2. After copying a file to a remote server using a relative path as the source, Apex One is unable to translate the relative path into the full system directory.

   You can attempt to run an assessment using more criteria, such as cmd line or file name, to obtain matched details about the file path.

3. Long running processes may generate a lot of similar event data on Windows endpoints, such as "svchost.exe" events, which may cause assessments to be unable to fully process and correlate process chains.

4. The quality of analysis chain image files is reduced when viewing the files using Windows 10 Photo Viewer.

   Use another image viewer to resolve this issue.

Application Control

1. Security Agents do not update the Certified Safe Software Pattern if no other components have updates available.

   To resolve this issue, perform a manual update by clicking Update Now from the Security Agent console.

2. When matching applications using a certificate rule, Application Control can only perform property and attribute matching on the first digital signature listed on the certificate.

Apex One Firewall

1. The Firewall rule for outgoing traffic will not work as expected if a machine has several IP addresses with different Firewall policies.

2. When the security level on a Citrix server is medium or high, perform the following steps:

   1. On the Apex One web console, create a new firewall policy.
   2. Add the following port numbers to the policy's exclusion list: 1494, 2598
   3. Go to Agents > Firewall > Profiles and click Assign Profile to Agents.
3. The Apex One firewall service and driver cannot be installed if a previous version of the firewall driver exists and is running but there is no Trend Micro Common Firewall in the network protocol.

Smart Scan

1. Only Internet Explorer is supported for configuring proxy settings used by agents to connect to the Global Smart Protection Server. If proxy settings are configured in other browsers, agents will not be able to connect to the Global Smart Protection Server.

Web Reputation

1. If you enable the option Check HTTPS URLs in a Web Reputation policy, select the option Enable third-party browser extensions in Internet Explorer. If this option is disabled, agents will not be able to check the reputation of HTTPS websites.

2. Agents can browse blocked sites if using Juniper Networks VPN and proxy servers to connect to the Internet. To resolve this issue:

   1. Connect to the network using Juniper Networks VPN.
   2. Open Internet Option > Connection > LAN Settings.
   3. Disable Automatic configuration settings.
   4. Enable Proxy server and specify the IP address and port of your proxy server.
   5. Click Ok.
3. If users access the Internet using Firefox and a proxy server, be sure that proxy settings in Internet Explorer have been configured. If proxy settings have not been configured in Internet Explorer, Web Reputation will not work, even if proxy settings have been configured in Firefox.
4. On the Security Agent endpoint, Web Reputation automatic proxy detection in Internet Explorer does not work if the administrator enables the Security Agent Access Restriction option on the Apex One web console's Privileges and Other Settings screen.

Predictive Machine Learning

1. The logged "User Account" may display inaccurate data. If another user logs onto an endpoint before a Predictive Machine Learning query result completes, the Security Agent logs the newly logged on user as the event owner when the query returns.

Cloud Synchronization Channel Support

1. Apex One does not provide support of the Windows 8.1 pre-installed OneDrive (SkyDrive) synchronization folder. The Security Agent logs malware infections for OneDrive (SkyDrive) as being in the "Local or network drive" channel.
2. If you disable the Unauthorized Change Prevention Service, the Security Agent may lock files during the synchronization process and prevent the files from synchronizing to the sync folder. To resolve this issue, enable the Unauthorized Change Prevention Service.
3. The Security Agent logs malicious files that do not include a portable executable extension as being in the "Local or network drive" channel.
4. The Security Agent logs malicious files synchronized to mounted drives as being in the "Local or network drive" channel.

Apex Central Integration

1. The Integrated Windows Authentication protocol is not supported when registering Apex One to Apex Central and specifying web server authentication credentials for the IIS server. Only basic access authentication is supported.

Additional Release Notes

1. Download the latest components after upgrading to keep your security risk protection current.

Back to top

Apex One (Mac) Known Issues

1. After enabling the Scan Time Machine option for Manual Scan and Scheduled Scan, Apex One (Mac) cannot perform any actions (clean, quarantine, or delete) on detected malware threats due to a permission limitation in Mac OS. Configured scan actions are displayed as unsuccessful in the product logs.

2. When performing a historical investigation on Apex One (Mac) endpoints, the system replaces a backslash (/) with a colon (:) in file names, preventing users from searching for file names that contain backslashes in investigation results.

   To resolve this issue, use a colon (:) to search for the files.

Back to top

Apex One (Linux) Known Issues

1. Apex Central administrators cannot filter Apex One (Linux) Security Agent endpoints in the User/Endpoint Directory by IP address if DHCP is enabled on the Apex One (Linux) Security Agent endpoint.

   You can use other criteria to filter or select Apex One (Linux) Security Agents in the User/Endpoint Directory.

Back to top

7. Contact Information

A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

Note: This information is subject to change without notice.

Back to top

8. About Trend Micro

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information

Copyright 2019, Trend Micro Incorporated. All rights reserved.

Trend Micro, Trend Micro Apex One, Trend Micro Apex Central, and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

Back to top

9. License Agreement

View information about your license agreement with Trend Micro at:

http://www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed:

• By selecting the "About" option in the application user interface
• By referring to the "Legal" page of the Getting Started Guide or Administrator's Guide

Back to top