Frequently Asked Questions (FAQ)

This section covers some of the frequently asked questions and answers regarding PortalProtect features and functions.

Scanning

Content Filtering for Web Content or Web Reputation for Web Content is not working. Why?

Check the following:

1. Log on the PortalProtect Web console.

2. From the Summary screen, check whether Scan Web content is enabled. Click the icon in the Status column to enable or disable it. This option is a global hook switch for all the SharePoint servers in a farm.

3. If Web Content scanning is enabled and you create a new SharePoint list, you must first disable Scan Web content on the Summary screen and then re-enable it. Otherwise, Web Content scanning for newly created SharePoint lists will be enabled 12 hours later.

4. From the Content Filtering or Web Reputation screens, ensure the scanning options are enabled. For Content Filtering, ensure that at least one rule is enabled.

5. PortalProtect skips scanning files and Web content if the Web content author is the System account.

PortalProtect shows file ”x.xxx” contains the following virus: ”It has been blocked; final action is:[Block]." However, this file does not contain a virus. Why does the message tell me the file contains a virus?

Microsoft SharePoint Server provides this format and Trend Micro modifies the content within the quotation marks. Therefore, when the file is blocked by PortalProtect file blocking or content filtering it displays: contains the following virus, even though the file is not infected. To understand the message more clearly, disregard the message: contains the following virus, and note only the content inside the quotation marks.

I have not enabled ”file blocking," but some files are never uploaded or downloaded. Why?

Check SharePoint Server block list settings. SharePoint Server blocks files with the suffixes you specified. Use the SharePoint Server Central Management Page to modify the configuration.

To remove a file blocking configuration from SharePoint Server:

1. Select Security Configuration.

2. Select Define blocked file types from General Security configuration.

3. Check the extension names listed in the dialog box. Any extension name that is included will be blocked by SharePoint Server when it is uploaded or downloaded.

PortalProtect cannot block the files that exist in a compressed file. When an infected file exists in a compressed file, how can PortalProtect find it?

Compressed files are regarded as a single file by PortalProtect for blocking operations. For Scan/Quarantine/Clean operation, PortalProtect deals with the files contained in the compressed file one by one. Therefore, infected files will not be omitted by PortalProtect.

Does PortalProtect scan .zip and .lzh compressed files differently than other compressed files?

PortalProtect uses VSAPI to deal with compressed files. VSAPI distinguishes compressed files by true file type rather than by file extension. That is, VSAPI can distinguish it even when a .zip file is renamed to .txt. VSAPI scans .zip and .lzh files in same way.

Scans may be configured to have a primary and secondary action. Is the secondary action executed only after the primary action fails, or can PortalProtect execute both actions?

The secondary action is executed only when the primary action fails. You can select a secondary action only when the primary action is clean.

Is there any record created when PortalProtect blocks a file?

Yes. When PortalProtect blocks a file, it sends out a notification (if you enabled that notification). When PortalProtect blocks a file in scanning, it creates a log.

What is considered to be an unscannable file?

Unscannable files are files that VSAPI cannot scan. For example, encrypted or password protected files.

Can PortalProtect scan encrypted files?

No. Encrypted files are an individual threat type covered in scan settings. Users can customize the action for encrypted files.

I can scan viruses from my Portal Protect server, but cannot update the engine and pattern file. Why?

It is possible that your Activation Code has expired. Please contact a reseller to renew your license. Refer to the Administrator’s Guide for more information.

What do data loss prevention expression occurrences mean?

A data loss prevention (DLP) expression occurrence indicates that something from a document or Web content triggered an occurrence in a DLP expression. For example: A DLP policy contains an expression and the number of occurrences is set to ”3”. For this scenario, when occurrences of the expression are less than ”3”, documents and Web content posted to SharePoint sites will not trigger the corresponding DLP policy.

Why doesn’t PortalProtect have Data Loss Prevention for file or Data Loss Prevention for Web Content Filtering?

Carefully check your Activation Code (AC) for PortalProtect. The AC for PortalProtect Suite is the only code that provides these functionalities. If you change your AC from the PortalProtect Web console, you can log off and log on again to check your data loss prevention related features.

How can I skip some of the file type scans performed by Content Filtering, Data Loss Prevention, and Web Reputation?

PortalProtect provides the following registry key to implement this capability:

• Name: FileTypeBypassMask

• Type: string

• Description: This hidden key can be used to exclude specific file types for Data Loss Prevention, Content Filtering and Web Reputation file scans. When it is set to: ”docx;pptx”, PortalProtect will skip docx and pptx files in Data Loss Prevention, Content Filter and Web Reputation file scans.

• Changes to this hidden key will take effect after you restart your service.

How can I customize the file scan size in Content Filtering, Data Loss Prevention and URL in documents?

PortalProtect provides the following registry key to implement this function:

• Name: FileSizeThreshold

• Type: REG_DWORD

• Description: Data Loss Prevention, Content Filtering and Web Reputation File Scan Size Thresholds. This hidden key indicates the file scan threshold in Megabytes. The default value is 1000-MB. A key setting of zero (0) indicates no limitation.

• Changes to this hidden key will take effect after you restart your service.

Active Update

Why was the update unsuccessful from the Automatic Update server?

If your system requires a proxy to connect to Internet, check to ensure the settings are correct.

Does ActiveUpdate deliver the virus pattern file and the scan engine in the same way?

Yes. In fact, PortalProtect does not care about how ActiveUpdate downloads these files. PortalProtect sends the current engine/pattern version to ActiveUpdate module, ActiveUpdate checks if there is any more recent version available. It then downloads the files (in zip format), and unzips them automatically after a successful download. Finally, PortalProtect loads the new engine/pattern to use.

When PortalProtect uses an intranet source to receive updates, how is the central location updated?

ActiveUpdate supports downloading the latest components from an intranet machine. Put the update packages on that machine and enable the folder to be shared for other intranet machines to download.

How does the component package get updated?

After a successful download, ActiveUpdate extracts the packages and notifies PortalProtect to load new modules.

How do I update the engine or pattern using another PortalProtect server’s component package source?

Choose Updates > Download Source and select Other Update Source, then type the following URL:

https://<SERVERNAME>:<PORTNUMBER>/PortalProtect/activeupdate

where:

• SERVERNAME is the server hostname or IP address that contains the component package source.

• PORTNUMBER is the port number of PortalProtect Web console.

General Issues

Alert Issues

What the difference between the alert ”PortalProtect service did not start successfully” and ”PortalProtect service is unavailable?”

• PortalProtect service did not start successfully: occurs after an unsuccessful attempt to start the Trend Micro PortalProtect for Microsoft SharePoint Master Service.

• PortalProtect service is unavailable: occurs if the PortalProtect_Master service is already started and stops suddenly.

Why can I receive SNMP alerts but no email alerts?

PortalProtect sends email alerts to SMTP servers. If other alert types can be received, and only email alerts are missed, check that the SMTP server and port number are properly configured. If you have configured multiple email address to receive alerts, be sure to use a semicolon to separate them.

Notification Issues

I uploaded a file that triggered a file blocking rule and did not receive an email notification. Why?

Email notification settings for file blocking are set to provide consolidated notifications every two-hours by default. This means PortalProtect will send only one email notification for all files blocked within a two-hour time period. You can change this setting as per your requirement.

Other Issues

I am unable to query information from remote servers in Server Management console. What should I do?

• Make sure affected PortalProtect servers are all in the same farm.

• Make sure PortalProtect is installed and started on your Web front end servers.

• Make sure the service PortalProtect_Master is started with the user who has local administrator and domain user privileges.

• Check the firewall of the remote PortalProtect servers and make sure port 139 and 445 for TCP are open.

• Make sure the following Windows services are running on remote servers:

1. Remote Procedure Call (PRC)

2. Server

3. Workstation

I cannot automatically replicate configurations to other PortalProtect servers in the farm. Why?

Do the following:

• Ensure the check box Automatically replicate settings to other servers in Server Management is selected.

• Ensure the information for remote PortalProtect servers can be queried.

• Ensure PortalProtect licensing is current and fully activated (not trial or expired).

• Ensure all PortalPortect servers have same version.

• Ensure all PortalProtect servers are NOT in the OPP state (Outbreak Prevention Policy).

I cannot search AD user(s)/group(s) in PortalProtect. Why?

• PortalProtect only searches AD user(s)/group(s) from the current forest. Make sure the user exists in the current forest.

• PortalProtect only searches the AD user(s)/group(s) for the beginning characters in a search string.

• If your are searching for the string: ”test”, then entering the characters ”te” will produce a hit. However, a search using the characters: ”es” will not produce a hit for the string ”test”.

I can access the PortalProtect Web console from the local server, but I cannot access it from a remote machine. Why?

Check the following:

• Whether there are network firewalls that block access to the PortalProtect Web Console through the HTTPS (default is 16373) port you specified during installation.

• Whether the Windows firewall on the PortalProtect server blocks the HTTPS (default is 16373) port you specified during installation.

Internet Explorer shuts down with a Data Execution Prevention alert when accessing the PortalProtect management console. What can I do to fix this problem?

• Select Tools > Internet Options > Advanced tab. Scroll to Security, and clear the checkbox Enable memory protection to help mitigate online attacks.

Which folders should I exclude for other Trend Micro Products?

The following four (3) folders should be excluded for other Trend Micro products:

• Backup folder

• Temp folder

• Sharedrespool folder

You can change the location of the Backup folders. The following indicates the default

locations:

• Default Backup folder:

Drive:\Program Files\Trend Micro\PortalProtect\storage\backup

• Temp folder:

Drive:\Program Files\Trend Micro\PortalProtect\Temp

• Sharedrespool folder:

Drive:\Program Files\Trend Micro\PortalProtect\SharedResPool

How does PortalProtect read a file to know if it has an extension?

When a user uploads a file to the SharePoint Server, SharePoint Server calls PortalProtect to detect whether the file has any virus in it. PortalProtect gets the file name and the extension from SharePoint Server.

After PortalProtect reads the extension, how does it determine whether there is a match; is there a database that contains all the user-configurations to which it compares the extensions?

All the user configurations are saved in a database. PortalProtect compares the file extension to see if there is a match.

Why does the Windows event log show: ”Unable to connect to the PortalProtect database. Check your network settings and make sure the network connection between PortalProtect and the database server is available.”

PortalProtect monitors the database connection and will stop the PortalProtect service when it is unable to connect to it. When this happens, PortalProtect creates an entry in the Windows event log. PortalProtect will continue to monitor the database connection, and when the connection is restored, PortalProtect creates another entry in the Windows event log indicating that the database connection was restored.

The PortalProtect single sign on was unable to log on the Web console of a Windows 2003 server. Why?

If you use mstsc to connect to a remote server, try:

• Changing the connection mode to: mstsc/admin and re-connecting

• Or change the URL from localhost to hostname or use 127.0.0.1

What is the difference between the Smart Protection Server query order AS LISTED and RANDOM?

The query order is only for available to the Smart Protection Server List. When the query order is As listed, PortalProtect will use the first available Smart Protection Server. When the query order is Random, PortalProtect will select from the available Smart Protection Server at random.

How does PortalProtect support IPv6?

PortalProtect provides IPv6 support in the following scenarios:

• Specifying target servers for installation

• Accessing the PortalProtect Web console

• Registering PortalProtect to Trend Micro Control Manager

• Specifying IP addresses for the download source

• Setting IP addresses for SNMP notifications

• Querying Web Reputation ratings