Agent Post-installation

Agent Post-installation

Verify the following after deploying agents:

1. The agent icon appears on the endpoint’s system tray after the agent registers to its parent server.

• An option in the Threat Mitigator console (in the Mitigation Settings > Agent Settings screen) can hide the agent icon from view. If this option is enabled on the Threat Mitigator server to which the agent reports, the icon will not display in the system tray.
  
  If the agent icon is not visible, refer to the other checkpoints below to verify that the agent has been installed successfully.

2. The agent program exists in %WINDIR%/PEAgent.

3. The agent registry key exists.

HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Policyenforcer

4. The agent can be queried from:

• The Threat Mitigator console’s Threat Management screen and its status is Connected. For details about the tasks you can perform on the Threat Management screen, see Threat Management.

• The Network VirusWall Enforcer console's Summary screen

5. If the agent was deployed from TMAgent Manager:

1. The agent version and the server (Threat Mitigator or Network VirusWall Enforcer) to which the agent reports are displayed on the TMAgent Manager console.

2. On the endpoint, the TMAgent Manager Client program exists in %ProgramFiles%\Trend Micro\PEAgentManagerClient.

3. On the endpoint, the TMAgent Manager Client registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PEAgentManagerClient.

4. On the endpoint, the the TMAgent Manager Client program is available on the Plug-in Manager screen on the OfficeScan client console.

Recommended Tasks

Perform the following tasks after deploying agents:

1. Configure global agent settings from the Threat Mitigator console. For details, see Agent Settings.

2. If you deployed the agent from the Endpoint Security Platform console, create an analysis that collects the following information from endpoints:

• Agent version

• Agent installation time

• Whether the agent service is up and running

• Agent's parent server and communication port

• Agent's installation path

The following is a sample script for this analysis:

Property Name="Trend Micro Threat Management Agent Version"

if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry) then (value "Version" of key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry as string) else "N/A"

Property Name="Trend Micro Threat Management Agent Installation Time"

if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry) then (value "InstallDate" of key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry as string) else "N/A"

Property Name="Trend Micro Threat Management Agent Status"

if (exists running service "TMAgent")then ("Running") else ("Not Running")

Property Name="Trend Micro Threat Management Agent Registered Server's IP:Port"

if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry) then (value "Reportto" of key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry as string) else "N/A"

Property Name="Trend Micro Threat Management Agent Installed Directory"

if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry) then (value "ApplicationPath" of key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry as string) else "N/A"

Relevance:

(((if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false) AND (name of operating system as lowercase starts with "win")) AND (version of client >= "5.0")) AND (if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" whose (exists value "ApplicationPath" of it) of registry) then TRUE else FALSE)

3. If you deployed the agent from the Endpoint Security Platform console, create an analysis that checks whether agent services are running on the endpoint.

The following is a sample script for this analysis:

Property Name="Threat Mitigation Service Status":

if (exists running service "Threat Mitigation Service")then ("Running") else ("Not Running")

Relevance:

(((if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false) AND (name of operating system as lowercase starts with "win")) AND (version of client >= "5.0")) AND (if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" whose (exists value "ApplicationPath" of it) of registry) then TRUE else FALSE)

4. If you configured agents to report to Network VirusWall Enforcer servers, in addition to reporting to a Threat Mitigator server, access the TMAgent Manager console, go to the Server Address column, and then check if the Network VirusWall Enforcer’s IP address is listed.

5. From the TMAgent Manager console, you can also configure agents already reporting to Network VirusWall Enforcer to also report to Threat Mitigator.

See also:

• Agent Deployment Methods

• Agent Settings

• Agent Uninstallation