Trend Micro, Inc.

December 2018

Trend Micro Apex One™ as a Service

Version 2019

This readme file is current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates at http://docs.trendmicro.com/en-us/enterprise/apex-one-as-a-service.aspx.

Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation, or online at http://olr.trendmicro.com.

Trend Micro always seeks to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site: http://docs.trendmicro.com/en-us/survey.aspx.

Contents

1. About Apex One as a Service
2. What's New
3. Document Set
4. System Requirements
5. Installation
6. Known Issues
   • Apex Central Known Issues
   • Apex One and Security Agent Known Issues
   • Apex One (Mac) Known Issues
7. Contact Information
8. About Trend Micro
9. License Agreement

1. About Apex One as a Service

Trend Micro Apex One™ as a Service protects endpoints, on or off the corporate network, against malware, Trojans, worms, spyware, and ransomware with protection that adapts against new unknown variants as they emerge.

Apex One as a Service provides the following full-featured product benefits:

• More efficient use of endpoint resources

  Delivered via an architecture that uses endpoint resources more effectively and optimizes CPU and network utilization

• High-fidelity machine learning (pre-execution and runtime)

  A blend of threat protection techniques that help eliminate security gaps across any user activity and any endpoint

• Behavioral analysis

  Safeguards against scripts, injection, ransomware, memory and browser attacks

• Available as a service

  Rapid deployment and simplified administration and maintenance with the same comprehensive enterprise threat protection as Trend Micro on-premises OfficeScan

For more information, go to:

http://docs.trendmicro.com/en-us/enterprise/apex-one-as-a-service.aspx

Back to top

2. What's New

Apex One as a Service includes the following new features and enhancements:

• Single, Integrated Security Agent

  The upgraded Security Agent has combined all the integrated product agents to provide your complete security requirements in a single agent program.

• Endpoint Sensor Integration

  Integration with Endpoint Sensor allows you to monitor, record, and perform both current and historical security investigations on your Apex One endpoints. Use the Apex Central console and perform preliminary investigations to locate at-risk endpoints before executing an in-depth Root Cause Analysis to identify the attack vectors.

• Application Control Integration

  Integration with Application Control provides Apex One users with advanced application blocking and endpoint lockdown capabilities. You can run application inventories and create policy rules that only allow specific applications to execute on your endpoints. You can also create application control rules based on application category, vendor, or version.

• Vulnerability Protection Integration

  Integration with Vulnerability Protection protects Apex One users by automating the application of virtual patches before official patches become available. Trend Micro provides protected endpoints with recommended Intrusion Prevention rules based on your network performance and security priorities.

• Offline Predictive Machine Learning

  Predictive Machine Learning has been upgraded to provide offline protection against portable executable files. The lightweight, offline model helps protect all endpoints against unknown threats when a functional Internet connection is unavailable.

• Fileless Attack Protection

  Security Agent policies provide increased real-time protection against the latest fileless attack methods through enhanced memory scanning for suspicious process behaviors. Security Agents can terminate suspicious processes before any damage can be done.

• Apex One Sandbox as a Service Integration

  Subscription to the cloud Virtual Analyzer allows you to perform sample submission, synchronize suspicious object lists, and take action on user-defined suspicious objects.

• Customized Threat Intelligence

  Apex Central allows you to customize your threat intelligence capabilities by manually adding suspicious objects, uploading OpenIOC and STIX files from trusted sources, or automating investigations with the new Apex Central APIs.

• Managed Detection and Response

  The Managed Detection and Response Service brings together the power of the Trend Micro Threat Investigation Center and industry-leading user protection solutions to further protect your network. Improve your threat detection, incident response, and continuous monitoring capabilities, even with limited resources on hand.

Back to top

3. Document Set

The document set includes:

• Apex One as a Service documents

  • Readme: Contains a list of known issues and may also contain late-breaking product information not found in the Online Help or printed documentation.
  • Knowledge Base: An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website: http://esupport.trendmicro.com

• Apex Central as a Service documents

  • Administrator's Guide: A PDF document that provides detailed instructions for how to configure and manage the Apex Central™ as a Service console and features.
  • Data Protection Lists (Chapter 1 only): A PDF document that lists predefined data identifiers and templates for Data Loss Prevention.
  • Widget and Policy Management Guide: Explains how to configure Dashboard widgets and Policy Management widgets on the Apex Central as a Service console.
  • Automation API Guide: A PDF document that explains how to use Apex Central Automation APIs.
  • Online Help: Provides "how to's", usage advice, and field-specific information. The Help is also accessible from the Apex Central as a Service console.

• Apex One server documents

  • Administrator's Guide: A PDF document that discusses getting started information and Apex One server administration.
  • Online Help: Provides "how to's", usage advice, and field-specific information for Apex One server console. The Help is accessible from the Apex One as a Service console.

• Apex One (Mac) server documents

  • Administrator's Guide: A PDF document that discusses getting started information and Apex One (Mac) server administration.
  • Online Help: Provides "how to's", usage advice, and field-specific information for Apex One (Mac) server console. The Help is also accessible from the Apex One (Mac) as a Service console.

• Security Agent documents

  • Apex One Security Agent Readme: Contains a list of known issues and may also contain late-breaking product information not found in the Online Help or printed documentation.
  • Apex One Security Agent Online Help: Discusses getting started information, Apex One Security Agent installation procedures, and Apex One Security Agent management.
  • Apex One (Mac) Security Agent Online Help: Discusses getting started information, Apex One (Mac) Security Agent installation procedures, and Apex One (Mac) Security Agent management.

Download the latest versions of the PDF documents and readme at http://docs.trendmicro.com/en-us/enterprise/apex-one-as-a-service.aspx.

Back to top

4. System Requirements

• Apex One as a Service supports the following web browsers:

  • Microsoft™ Internet Explorer™ 11
  • Microsoft™ Edge™
  • Google™ Chrome™

• The Apex One Security Agent can be installed on endpoints running Microsoft Windows platforms. The Security Agent is also compatible with various third-party products.

  Visit the following website for a complete list of system requirements and compatible third-party products:

  http://docs.trendmicro.com/en-us/enterprise/apex-one-as-a-service.aspx

  Size of Deployment Package

  Note: All of the following deployment package sizes are for packages that do not include the Data Protection feature.

  For the fully-functional Security Agent MSI Setup Package:

  • 32-bit Setup Package (Smart Scan) = 234 MB
  • 64-bit Setup Package (Smart Scan) = 288 MB

  For the coexist Security Agent MSI Setup Package:

  • 32-bit Setup Package (Smart Scan) = 234 MB
  • 64-bit Setup Package (Smart Scan) = 288 MB

• The Apex One (Mac) Security Agent can be install on endpoints running supported Mac platforms.

  Visit the following website for a complete list of system requirements:

  http://docs.trendmicro.com/en-us/enterprise/apex-one-as-a-service.aspx

  Size of Deployment Package

  For the Apex One (Mac) Security Agent ZIP Setup Package: 90.6 MB

Back to top

5. Installation

For Security Agent installation instructions, refer to the following documents:

• Apex One Security Agent Administrator's Guide
• Apex One (Mac) Security Agent Administrator's Guide

Back to top

6. Known Issues

Apex Central Issues

The following are the known issues related to the Apex Central management console in this release:

• Active Directory
• Endpoint Isolation
• Data Loss Prevention
• Policy Management
• Suspicious Objects
• Additional Release Notes

Active Directory

1. If Apex Central is unable to synchronize Active Directory group information from the Active Directory server, manually add the Active Directory user accounts.

2. The Active Directory agent synchronization tool does not support IPv6 proxy servers.

Endpoint Isolation

1. After isolating an endpoint using the Apex Central web console, the Security Agent program can no longer connect to the Apex One server if a proxy server is required.

   To resolve this issue, add the required proxy server to the Allowed Traffic exceptions before isolating the endpoint.

Data Loss Prevention

1. If you click Export incident details on the Incident Information screen for the DLP Incidents by Severity and Status widget and then change the number of rows that display per page, no data displays on the DLP Incidents by User widget or the DLP Incident Trends by User widget.

Policy Management

1. When clicking a number on the Policy Management screen, the Apex Central console may log out if the Data Loss Prevention policy is not deployed successfully.

2. When specifying targets by searching for operating systems, or filtering policies by operating system, Windows Server 2019 is not available.

3. Apex Central Policy Tracking displays commands to older versions of the OfficeScan agent as "Pending" regardless of the actual command status. To resolve this issue, upgrade all older versions of the OfficeScan agent program to the Apex One Security Agent.

Suspicious Objects

1. If this version of Apex Central is configured as the hub server for a node server running a previous version of Control Manager, the Control Manager node server cannot send Suspicious Object lists to the Apex Central hub server.

Additional Release Notes

1. If the web session times out when navigating to another screen, the web console does not automatically redirect to the Log On screen. Refresh the web browser to load the Log On screen and log on to the web console again.

Back to top

Apex One and Security Agent Known Issues

The following are the known issues related to the Apex One server and Security Agents in this release:

• Agent Installation and Upgrade
• Scanning
• Server Update
• Agent Update
• Server Management
• Agent Management
• Device Control
• Data Loss Prevention
• Application Control
• Vulnerability Protection
• Apex One Firewall
• Smart Scan
• Web Reputation
• Predictive Machine Learning
• Cloud Synchronization Channel Support
• Apex Central Integration
• Additional Release Notes

Agent Installation and Upgrade

1. When an application that locks the Windows Service Control Manager (SCM) is launched, the Security Agent cannot be installed or upgraded. Before upgrading or installing the Security Agent, ensure that no SCM-locking application is running.
2. The Security Agent (operating in fully-featured mode) may not install correctly if Norton SystemWorks™ antivirus is installed on the endpoint. Uninstall it before installing Security Agent.
3. If the Security Agent is installed using the "per-user" method, the Security Agent shortcut will still show on all the users' Windows Start menu.
4. After a Security Agent in a VPN environment is uninstalled successfully, the agent is not removed on the web console's agent tree and its status is offline.
5. Installing Security Agents to Windows 7 or Windows Server 2008 R2 using a GUEST OS running on VMware Workstation 6.x and below may cause the system to stop responding. This is because of compatibility issues with the Intel™ Network Adapter Driver.
6. If you add the Security Agent program to the Microsoft Software Restriction Policy list using the user interface, you may need to restart the endpoint before subsequent additions to the list take effect.

7. You are unable to migrate OfficeScan XG SP1 agents to the Apex One server successfully if the agents used the GlobalSettings.ini "ASE=0" setting to force an HTTP connection with the previous OfficeScan server.

   To resolve this issue, modify the GlobalSettings.ini ASE value to "1" and deploy to all agents on the OfficeScan XG SP1 server before migrating agents to the Apex One server.

8. The Common Client Solution Framework service may not start if “Microsoft Visual C++ 2017 Redistributable” was not installed successfully.

   To resolve this issue, ensure that you install the following Windows update to properly install Microsoft Visual C++ 2017 Redistributable:

   https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows

Scanning

1. When specifying the scan target for Scheduled Scan, Scan Now and Real-time Scan, spyware/grayware scan can be disabled. However, for Manual Scan, there is no option for disabling spyware/grayware scan, which means that during Manual Scan, the Security Agent will always scan for spyware/grayware.
2. When the Security Agent is configured to scan mapped drives during Manual Scan, the mapped drive may not get scanned when scanning is initiated through Terminal Service client.
3. When an email containing an attachment with spyware/grayware is retrieved through Eudora email client and POP3 Mail Scan is disabled, the Security Agent's Real-time Scan denies access to the email even if the scan action is "clean". The email does not appear on the inbox and the Eudora client displays a message informing the user that access to the email is denied.
4. After the Damage Cleanup Engine cleans a malicious file, the infection channel always displays as "Local or network drive" regardless of the actual source of the infection.

Server Update

1. When updating Apex One patterns and engines from Apex Central, administrators are not notified of the update status even if notifications are enabled. The update status can be viewed from the Apex Central console.

Agent Update

1. Security Agents can only download settings from the Apex One server, not Update Agents.
2. An Update Agent running a 64-bit platform is unable to generate incremental patterns. Therefore, the Update Agent always downloads all incremental patterns available in the ActiveUpdate server, regardless of how many of these patterns it has previously downloaded.
3. When the server and agent endpoints are located on geographical locations with different time zones, the agent cannot be configured to update based on the server's time zone.

Server Management

1. When the endpoint's date/time format is changed, the date/time format on the Apex One console does not automatically change.

Agent Management

1. Agent names in the Security Agent tree supports only 15 characters and truncates the succeeding characters.
2. Double-byte characters (characters typically used in East Asian languages) cannot be used when specifying the notification message for virus/malware infection source (Administration > Notifications > Agents > Virus/Malware tab).
3. The Prompt users before executing newly encountered programs downloaded through web or email application channels (Server platforms excluded) feature only monitors ports 80, 81, and 8080 on certain Windows platforms that require the TmProxy.exe service.

Device Control

1. If the Device Control permission for USB storage devices is changed from "Allow" to "Block" when USB storage device files are already opened on the agent endpoint, access to the opened files is still permitted. The Block permission is updated the next time that the USB device is plugged in, or the agent endpoint is restarted.
2. Device management applications (such as iTunes, HTCSync, and SamSung Kies) for devices blocked by Device Control are also blocked from user access.

Data Loss Prevention

1. Data transmitted through Instant Messaging applications are not detected if the applications use a non-transparent proxy server.
2. Data Loss Prevention logs can only display the first 1000 bytes of characters in the Source and Destination columns due to a buffer overflow issue with long file names.
3. Security Agents with Data Loss Prevention enabled may encounter a high CPU usage issue when uploading large files through Box Sync.

Application Control

1. Security Agents do not update the Certified Safe Software Pattern if no other components have updates available.

   To resolve this issue, perform a manual update by clicking Update Now from the Security Agent console.

2. When matching applications using a certificate rule, Application Control can only perform property and attribute matching on the first digital signature listed on the certificate.

Vulnerability Protection

1. Apex One Vulnerability Protection is not compatible with the standalone Trend Micro Vulnerability Protection agent. Uninstall the standalone Vulnerability Protection agent before deploying Apex One Vulnerability Protection policy settings.

Apex One Firewall

1. The Firewall rule for outgoing traffic will not work as expected if a machine has several IP addresses with different Firewall policies.

2. When the security level on a Citrix server is medium or high, perform the following steps:

   1. On the Apex One web console, create a new firewall policy.
   2. Add the following port numbers to the policy's exclusion list: 1494, 2598
   3. Go to Agents > Firewall > Profiles and click Assign Profile to Agents.
3. The Apex One firewall service and driver cannot be installed if a previous version of the firewall driver exists and is running but there is no Trend Micro Common Firewall in the network protocol.

Smart Scan

1. Only Internet Explorer is supported for configuring proxy settings used by agents to connect to the Global Smart Protection Server. If proxy settings are configured in other browsers, agents will not be able to connect to the Global Smart Protection Server.

Web Reputation

1. If you enable the option Check HTTPS URLs in a Web Reputation policy, select the option Enable third-party browser extensions in Internet Explorer. If this option is disabled, agents will not be able to check the reputation of HTTPS websites.

2. Agents can browse blocked sites if using Juniper Networks VPN and proxy servers to connect to the Internet. To resolve this issue:

   1. Connect to the network using Juniper Networks VPN.
   2. Open Internet Option > Connection > LAN Settings.
   3. Disable Automatic configuration settings.
   4. Enable Proxy server and specify the IP address and port of your proxy server.
   5. Click Ok.
3. If users access the Internet using Firefox and a proxy server, be sure that proxy settings in Internet Explorer have been configured. If proxy settings have not been configured in Internet Explorer, Web Reputation will not work, even if proxy settings have been configured in Firefox.
4. On the Security Agent endpoint, Web Reputation automatic proxy detection in Internet Explorer does not work if the administrator enables the Security Agent Access Restriction option on the Apex One web console's Privileges and Other Settings screen.

Predictive Machine Learning

1. The logged "User Account" may display inaccurate data. If another user logs onto an endpoint before a Predictive Machine Learning query result completes, the Security Agent logs the newly logged on user as the event owner when the query returns.

Cloud Synchronization Channel Support

1. Apex One does not provide support of the Windows 8.1 pre-installed OneDrive (SkyDrive) synchronization folder. The Security Agent logs malware infections for OneDrive (SkyDrive) as being in the "Local or network drive" channel.
2. If you disable the Unauthorized Change Prevention Service, the Security Agent may lock files during the synchronization process and prevent the files from synchronizing to the sync folder. To resolve this issue, enable the Unauthorized Change Prevention Service.
3. The Security Agent logs malicious files that do not include a portable executable extension as being in the "Local or network drive" channel.
4. The Security Agent logs malicious files synchronized to mounted drives as being in the "Local or network drive" channel.

Apex Central Integration

1. The Integrated Windows Authentication protocol is not supported when registering Apex One to Apex Central and specifying web server authentication credentials for the IIS server. Only basic access authentication is supported.

Additional Release Notes

1. Download the latest components after upgrading to keep your security risk protection current.

Back to top

Apex One (Mac) Known Issues

1. When Endpoint Sensor processes more than one file of the same file name with different capitalization from Apex One (Mac) Security Agents, the Apex Central as a Service console displays only the latest record for preliminary investigations.
2. After enabling the Scan Time Machine option for Manual Scan and Scheduled Scan, Apex One (Mac) cannot perform any actions (clean, quarantine, or delete) on detected malware threats due to a permission limitation in Mac OS. Configured scan actions are displayed as unsuccessful in the product logs.

Back to top

7. Contact Information

A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

Note: This information is subject to change without notice.

Back to top

8. About Trend Micro

Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years experience, we deliver top-ranked security that fits our customers' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit http://www.trendmicro.com.

Copyright 2018, Trend Micro Incorporated. All rights reserved. Trend Micro, the t-ball logo, OfficeScan, Trend Micro Security (for Mac), Control Manager, Trend Micro Apex One, and Trend Micro Apex Central are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other product or company names may be trademarks or registered trademarks of their owners.

Back to top

9. License Agreement

View information about your license agreement with Trend Micro at:

http://www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed:

• By selecting the "About" option in the application user interface
• By referring to the "Legal" page of the Getting Started Guide or Administrator's Guide

Back to top