Agent Post-installation
Verify the following after deploying agents:
The agent icon appears on the endpoint’s system tray after the agent registers to its parent server.
An option in the Threat Mitigator console (in the Mitigation Settings > Agent Settings screen) can hide the agent icon from view. If this option is enabled on the Threat Mitigator server to which the agent reports, the icon will not display in the system tray.
If the agent icon is not visible, refer to the other checkpoints below to verify that the agent has been installed successfully.
The agent program exists in %WINDIR%\PEAgent.
The agent registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Policyenforcer.
The agent can be queried from:
The Threat Mitigator console’s Threat Management screen, where the agent's status is Connected. For details about the tasks you can perform on the Threat Management screen, see Threat Management.
The Network VirusWall Enforcer console's Summary screen
If the agent was deployed from TMAgent Manager:
The agent version and the server (Threat Mitigator or Network VirusWall Enforcer) to which the agent reports are displayed on the TMAgent Manager console.
On the endpoint, the TMAgent Manager Client program exists in %ProgramFiles%\Trend Micro\PEAgentManagerClient.
On the endpoint, the TMAgent Manager Client registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PEAgentManagerClient.
On the endpoint, the TMAgent Manager Client program is available on the Plug-in Manager screen on the OfficeScan client console.
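The endpoint-side checkpoints above can be collected in one pass with a local script. The following is an added example, not vendor code: the paths, registry keys, value names and service names are the ones given on this page (the value and service names come from its sample analyses), while the WOW6432Node and Program Files (x86) fallbacks are an assumption for a 32-bit agent on 64-bit Windows.

```powershell
# Added example, not vendor code. Paths, keys, value names and service names are from this page.
# Assumption: a 32-bit agent on 64-bit Windows may sit under WOW6432Node / Program Files (x86),
# so both locations are probed.
function Find-First([string[]]$Candidates) {
    # First candidate path that exists, or nothing
    $Candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -First 1
}
function Get-RegValue([string]$Key, [string]$Name) {
    # 'N/A' when the key or value is missing, as in the sample analyses
    if (-not $Key) { return 'N/A' }
    $v = (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).$Name
    if ($null -ne $v) { [string]$v } else { 'N/A' }
}
function Get-ServiceState([string]$Name) {
    # The page does not say whether these are service or display names; match either
    $svc = Get-Service | Where-Object { $_.Name -eq $Name -or $_.DisplayName -eq $Name } |
        Select-Object -First 1
    if ($svc) { [string]$svc.Status } else { 'Not installed' }
}

$pf       = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$agentKey = Find-First 'HKLM:\SOFTWARE\TrendMicro\Policyenforcer',
                       'HKLM:\SOFTWARE\WOW6432Node\TrendMicro\Policyenforcer'
$mgrKey   = Find-First 'HKLM:\SOFTWARE\TrendMicro\PEAgentManagerClient',
                       'HKLM:\SOFTWARE\WOW6432Node\TrendMicro\PEAgentManagerClient'
$agentDir = Find-First (Join-Path $env:WINDIR 'PEAgent')
$mgrDir   = Find-First ($pf | ForEach-Object { Join-Path $_ 'Trend Micro\PEAgentManagerClient' })

$report = [ordered]@{
    'Agent program folder'      = if ($agentDir) { $agentDir } else { 'Missing' }
    'Agent registry key'        = if ($agentKey) { $agentKey } else { 'Missing' }
    'Agent version'             = Get-RegValue $agentKey 'Version'
    'Installation time'         = Get-RegValue $agentKey 'InstallDate'
    'Parent server IP:Port'     = Get-RegValue $agentKey 'Reportto'
    'Installed directory'       = Get-RegValue $agentKey 'ApplicationPath'
    'TMAgent service'           = Get-ServiceState 'TMAgent'
    'Threat Mitigation Service' = Get-ServiceState 'Threat Mitigation Service'
    # Only relevant when the agent was deployed from TMAgent Manager
    'Manager Client folder'     = if ($mgrDir) { $mgrDir } else { 'Missing' }
    'Manager Client key'        = if ($mgrKey) { $mgrKey } else { 'Missing' }
}
[pscustomobject]$report | Format-List
```

Compare the reported parent server against the server the agent was meant to register to. The console-side checkpoints still have to be verified from the respective consoles.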
Perform the following tasks after deploying agents:
Configure global agent settings from the Threat Mitigator console. For details, see Agent Settings.
If you deployed the agent from the Endpoint Security Platform console, create an analysis that collects the following information from endpoints:
Agent version
Agent installation time
Whether the agent service is up and running
Agent's parent server and communication port
Agent's installation path
The following is a sample script for this analysis:
Property Name="Trend Micro Threat Management Agent Version"
if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry) then (value "Version" of key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry as string) else "N/A"
Property Name="Trend Micro Threat Management Agent Installation Time"
if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry) then (value "InstallDate" of key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry as string) else "N/A"
Property Name="Trend Micro Threat Management Agent Status"
if (exists running service "TMAgent") then ("Running") else ("Not Running")
Property Name="Trend Micro Threat Management Agent Registered Server's IP:Port"
if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry) then (value "Reportto" of key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry as string) else "N/A"
Property Name="Trend Micro Threat Management Agent Installed Directory"
if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry) then (value "ApplicationPath" of key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" of registry as string) else "N/A"
Relevance:
(((if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false) AND (name of operating system as lowercase starts with "win")) AND (version of client >= "5.0")) AND (if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" whose (exists value "ApplicationPath" of it) of registry) then TRUE else FALSE)
If you deployed the agent from the Endpoint Security Platform console, create an analysis that checks whether agent services are running on the endpoint.
The following is a sample script for this analysis:
Property Name="Threat Mitigation Service Status"
if (exists running service "Threat Mitigation Service") then ("Running") else ("Not Running")
Relevance:
(((if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false) AND (name of operating system as lowercase starts with "win")) AND (version of client >= "5.0")) AND (if (exists key "HKEY_LOCAL_MACHINE\Software\TrendMicro\Policyenforcer" whose (exists value "ApplicationPath" of it) of registry) then TRUE else FALSE)
If you configured agents to report to Network VirusWall Enforcer servers, in addition to reporting to a Threat Mitigator server, access the TMAgent Manager console, go to the Server Address column, and then check if the Network VirusWall Enforcer’s IP address is listed.
From the TMAgent Manager console, you can also configure agents already reporting to Network VirusWall Enforcer to also report to Threat Mitigator.