Frequently Asked Questions (FAQ)

This section covers some of the frequently asked questions and answers regarding PortalProtect features and functions.

Scanning

Content Filtering for Web Content or Web Reputation for Web Content is not working. Why?

Check the following:

1. Log on the PortalProtect Web console.

2. From the Summary screen, check whether Scan Web content is enabled. Click the icon in the Status column to enable or disable it. This option is a global hook switch for all the SharePoint servers in a farm.

3. If Web Content scanning is enabled and you create a new SharePoint list, you must first disable Scan Web content on the Summary screen and then re-enable it. Otherwise, Web Content scanning for newly created SharePoint lists will be enabled 12 hours later.

4. From the Content Filtering or Web Reputation screens, ensure the scanning options are enabled. For Content Filtering, ensure that at least one rule is enabled.

5. PortalProtect skips scanning files and Web content if the Web content author is the System account.

PortalProtect shows file “x.xxx” contains the following virus: “It has been blocked; final action is:[Block]." However, this file does not contain a virus. Why does the message tell me the file contains a virus?

Microsoft SharePoint Services provides this format and Trend Micro modifies the content within the quotation marks. Therefore, when the file is blocked by PortalProtect file blocking or content filtering it displays: contains the following virus, even though the file is not infected. To understand the message more clearly, disregard the message: contains the following virus, and note only the content inside the quotation marks.

I have not enabled “file blocking," but some files are never uploaded or downloaded. Why?

Check SharePoint Services block list settings. SharePoint Server blocks files with the suffixes you specified. Use the SharePoint Services Central Management Page to modify the configuration.

To remove a file blocking configuration from SharePoint Services 2007:

1. Select the Operations tab.

2. Select Blocked file types from Security Configuration.

3. Check the extension names listed in the dialog box. Any extension name that is included will be blocked by SharePoint Services when it is uploaded or downloaded.

To remove a file blocking configuration from SharePoint Services 2010:

1. Select Security Configuration.

2. Select Define blocked file types from General Security configuration.

3. Check the extension names listed in the dialog box. Any extension name that is included will be blocked by SharePoint Services when it is uploaded or downloaded.

For MOSS 2007, it sometimes takes a long time to create a log file when I upload or download files. Why?

If you use an access method other than a Web browser, it may take a little longer to generate the log; sometimes more than one-minute. This also occurs if the action for the files is set to PASS. Additionally, when the log is generated, the Author and Location for the upload/download will appear as N/A.

When I upload file containing a virus to SharePoint Services, PortalProtect does not detect it. Why?

Check the following for SharePoint Services 2007:

• Check the SharePoint Services 2007 antivirus settings:

1. Go to the SharePoint Central Administration page.

2. Select the Operations tab.

3. Select Configure antivirus settings in Security Configuration.

4. If Scan documents on upload is disabled, PortalProtect will not perform a scan when the file is uploaded.

5. If Scan documents on download is disabled, SharePoint Services will not pass the file to PortalProtect when the file is downloaded.

6. If Attempt to clean infected documents is disabled, PortalProtect will only scan the file, and will not clean the file if it is infected by a virus.

7. Then, check the PortalProtect real-time Security Risk Scan options:

1. Log on the PortalProtect Web console and select Security Risk Scan from the left menu.

2. Select Enable real-time security risk scan.

3. For SharePoint Services 2010, check the following antivirus settings:

1. Go to the SharePoint Central Administration page.

2. Select the Security Configuration.

3. Select Manage antivirus settings from General Security Configuration.

4. Same as SharePoint 2007.

PortalProtect cannot block the files that exist in a compressed file. When an infected file exists in a compressed file, how can PortalProtect find it?

Compressed files are regarded as a single file by PortalProtect for blocking operations. For Scan/Quarantine/Clean operation, PortalProtect deals with the files contained in the compressed file one by one. Therefore, infected files will not be omitted by PortalProtect.

Does PortalProtect scan .zip and .lzh compressed files differently than other compressed files?

PortalProtect uses VSAPI to deal with compressed files. VSAPI distinguishes compressed files by true file type rather than by file extension. That is, VSAPI can distinguish it even when a .zip file is renamed to .txt. VSAPI scans .zip and .lzh files in same way.

Scans may be configured to have a primary and secondary action. Is the secondary action executed only after the primary action fails, or can PortalProtect execute both actions?

The secondary action is executed only when the primary action fails. You can select a secondary action only when the primary action is clean.

Is there any record created when PortalProtect blocks a file?

Yes. When PortalProtect blocks a file, it sends out a notification (if you enabled that notification). When PortalProtect blocks a file in scanning, it creates a log.

What is considered to be an unscannable file?

Unscannable files are files that VSAPI cannot scan. For example, encrypted or password protected files.

Can PortalProtect scan encrypted files?

No. Encrypted files are an individual threat type covered in scan settings. Users can customize the action for encrypted files.

I can scan viruses from my Portal Protect server, but cannot update the engine and pattern file. Why?

It is possible that your Activation Code has expired. Please contact a reseller to renew your license. Refer to the Administrator’s Guide for more information.

What do compliance expression occurrences mean?

A compliance expression occurrence indicates that something from a document or Web content triggered an occurrence in a compliance expression. For example: A data protection policy contains a compliance expression and the number of occurrences is set to “3”. For this scenario, when occurrences of the compliance expression are less than “3”, documents and Web content posted to SharePoint sites will not trigger the corresponding data protection policy.

Why doesn’t Portal Protect have Data Protection for file or Data Protection for Web Content Filtering?

Carefully check your Activation Code (AC) for PortalProtect. The AC for PortalProtect Suite is the only code that provides these functionalities. If you change your AC from the PortalProtect Web console, you can log off and log on again to check your data protection related features.

How can I skip some of the file type scans performed by Content Filtering, Data Protection, and Web Reputation?

PortalProtect provides the following registry key to implement this capability:

• Name: FileTypeBypassMask

• Type: string

• Description: This hidden key can be used to exclude specific file types for Data Protection, Content Filtering and Web Reputation file scans. When it is set to: “docx;pptx”, PortalProtect will skip docx and pptx files in Data Protection, Content Filter and Web Reputation file scans.

• Changes to this hidden key will take effect after you restart your service.

How can I customize the file scan size in Content Filtering, Data Protection and URL in documents?

PortalProtect provides the following registry key to implement this function:

• Name: FileSizeThreshold

• Type: REG_DWORD

• Description: Data Protection, Content Filtering and Web Reputation File Scan Size Thresholds. This hidden key indicates the file scan threshold in Megabytes. The default value is 1000-MB. A key setting of zero (0) indicates no limitation.

• Changes to this hidden key will take effect after you restart your service.

Active Update

Why was the update unsuccessful from the Automatic Update server?

If your system requires a proxy to connect to Internet, check to ensure the settings are correct.

Does ActiveUpdate deliver the virus pattern file and the scan engine in the same way?

Yes. In fact, PortalProtect does not care about how ActiveUpdate downloads these files. PortalProtect sends the current engine/pattern version to ActiveUpdate module, ActiveUpdate checks if there is any more recent version available. It then downloads the files (in zip format), and unzips them automatically after a successful download. Finally, PortalProtect loads the new engine/pattern to use.

When PortalProtect uses an intranet source to receive updates, how is the central location updated?

ActiveUpdate supports downloading the latest components from an intranet machine. Put the update packages on that machine and enable the folder to be shared for other intranet machines to download.

How does the component package get updated?

After a successful download, ActiveUpdate extracts the packages and notifies PortalProtect to load new modules.

How do I update the engine or pattern using another PortalProtect server’s component package source?

Choose Updates > Download Source and select Other Update Source, then type the following URL:

http://<SERVERNAME>:<PORTNUMBER>/PortalProtect/activeupdate

where:

• SERVERNAME is the server hostname or IP address that contains the component package source.

• PORTNUMBER is the port number of PortalProtect Web console.

General Issues

Alert Issues

What the difference between the alert “PortalProtect service did not start successfully” and “PortalProtect service is unavailable?”

• PortalProtect service did not start successfully: occurs after an unsuccessful attempt to start the Trend Micro PortalProtect for Microsoft SharePoint Master Service.

• PortalProtect service is unavailable: occurs if the PortalProtect main service is already started and stops suddenly.

Why can I receive SNMP alerts but no email alerts?

PortalProtect sends email alerts to SMTP servers. If other alert types can be received, and only email alerts are missed, check that the SMTP server and port number are properly configured. If you have configured multiple email address to receive alerts, be sure to use a semicolon to separate them.

Notification Issues

I uploaded a file that triggered a file blocking rule and did not receive an email notification. Why?

Email notification settings for file blocking are set to provide consolidated notifications every two-hours by default. This means PortalProtect will send only one email notification for all files blocked within a two-hour time period. You can change this setting as per your requirement.

Other Issues

I am unable to query information from remote servers in Server Management console. What should I do?

• Make sure affected PortalProtect servers are all in the same farm.

• Make sure PortalProtect 2.1 is installed and started on your Web front end servers.

• Make sure the service PortalProtect_Master is started with the user who has local administrator and domain user privileges.

• Check the firewall of the remote PortalProtect servers and make sure port 139 and 445 for TCP are open.

• Make sure the following Windows services are running on remote servers:

1. Remote Procedure Call (PRC)

2. Server

3. Workstation

I cannot automatically replicate configurations to other PortalProtect servers in the farm. Why?

Do the following:

• Ensure the check box Automatically replicate settings to other servers in Server Management is selected.

• Ensure the information for remote PortalProtect servers can be queried.

• Ensure PortalProtect licensing is current and fully activated (not trial or expired).

• Ensure all PortalPortect servers have same version.

• Ensure all PortalProtect servers are NOT in the OPP state (Outbreak Prevention Policy).

I cannot search AD user(s)/group(s) in PortalProtect. Why?

• PortalProtect only searches AD user(s)/group(s) from the current forest. Make sure the user exists in the current forest.

• PortalProtect only searches the AD user(s)/group(s) for the beginning characters in a search string.

• If your are searching for the string: “test”, then entering the characters “te” will produce a hit. However, a search using the characters: “es” will not produce a hit for the string “test”.

I cannot access the Web console. My browser displays a 404 error. What can I do to fix this problem?

Internet Explorer security settings on Windows 2003 does not include localhost or hostname as a trusted site when security level is set to high. Please add 127.0.0.1 or hostname to the list to solve this problem (http://127.0.0.1:16372).

1. Open Internet Explorer

2. Click Tools > Internet Options and select the Security tab.

3. Click Trusted Sites > Sites.

4. In the field for trusted zones, type the IP address: 127.0.0.1 or hostname.

5. Click Add.

I can access the PortalProtect Web console from the local server, but I cannot access it from a remote machine. Why?

Check the following:

• Whether there are network firewalls that block access to the PortalProtect Web Console through the HTTP (default is 16372) or HTTPS (default is 16373) port you specified during installation.

• Whether the Windows firewall on the PortalProtect server blocks the HTTP (default is 16372) or HTTPS (default is 16373) port you specified during installation.

Internet Explorer shuts down with a Data Execution Prevention alert when accessing the PortalProtect management console. What can I do to fix this problem?

• Select Tools > Internet Options > Advanced tab. Scroll to Security, and clear the checkbox Enable memory protection to help mitigate online attacks.

Which folders should I exclude for other Trend Micro Products?

The following four (3) folders should be excluded for other Trend Micro products:

• Backup folder

• Temp folder

• Sharedrespool folder

You can change the location of the Backup folders. The following indicates the default

locations:

• Default Backup folder:

Drive:\Program Files\Trend Micro\PortalProtect\storage\backup

• Temp folder:

Drive:\Program Files\Trend Micro\PortalProtect\Temp

• Sharedrespool folder:

Drive:\Program Files\Trend Micro\PortalProtect\SharedResPool

How does PortalProtect read a file to know if it has an extension?

When a user uploads a file to the SharePoint Server, SharePoint Server calls PortalProtect to detect whether the file has any virus in it. PortalProtect gets the file name and the extension from SharePoint Services.

After PortalProtect reads the extension, how does it determine whether there is a match; is there a database that contains all the user-configurations to which it compares the extensions?

All the user configurations are saved in a database. PortalProtect compares the file extension to see if there is a match.

Why does the Windows event log show: “Unable to connect to the PortalProtect database. Check your network settings and make sure the network connection between PortalProtect and the database server is available.”

PortalProtect monitors the database connection and will stop the PortalProtect service when it is unable to connect to it. When this happens, PortalProtect creates an entry in the Windows event log. PortalProtect will continue to monitor the database connection, and when the connection is restored, PortalProtect creates another entry in the Windows event log indicating that the database connection was restored.

The PortalProtect single sign on was unable to log on the Web console of a Windows 2003 server. Why?

If you use mstsc to connect to a remote server, try:

• Changing the connection mode to: mstsc/admin and re-connecting

• Or change the URL from localhost to hostname or use 127.0.0.1

What is the difference between the Smart Protection Server query order AS LISTED and RANDOM?

The query order is only for available to the Smart Protection Server List. When the query order is As listed, PortalProtect will use the first available Smart Protection Server. When the query order is Random, PortalProtect will select from the available Smart Protection Server at random.

Accessing PortalProtect Web console is slow on Windows server 2008 R2 standalone. Why?

This occurs because IPv6 is enabled and there is only one line “::1 localhost” for localhost in the file “%windir%\system32\drivers\etc\hosts”. PortalProtect does not support IPv6. You can resolve this issue by adding the following new line in the previously mentioned file:

“127.0.0.1 localhost”