Apex One as a Service FAQs

Where can I find the latest news about Trend Micro Apex One™ as a Service?

Trend Micro Apex One™ as a Service regularly publishes news about upcoming events, emerging threats, product updates, and more.

You can access the news feed by clicking the bell icon in the upper right of the Apex Central web console.

What files and folders can I exclude from scanning?

Trend Micro recommends excluding certain files and folders from scanning to avoid issues with performance or functionality.

To configure scan exclusion settings, go to Policies > Policy Management > <Policy Name> > Real-time Scan Settings > Scan Exclusion.

Note:

The listed files and folders refer to the default installation locations of the related products. If you installed a product using a customized installation location, change the directories accordingly.

AutoDesk Inventor/AutoCAD

  • C:\Program Files\Autodesk\Inventor 2013\Bin\Inventor.exe

  • C:\Program Files\Autodesk\Vault Professional 201\Explorer\Connectivity.VaultPro.exe

  • C:\Program Files\Autodesk\AutoCAD 2013\acad.exe

  • C:\Program Files\Autodesk\Inventor Fusion 2013\Inventor Fusion.exe

  • C:\Program Files\Autodesk\DWG TrueView 2013\dwgviewr.exe

  • C:\Program Files (x86)\Autodesk\Autodesk Design Review 2013\DesignReview.exe

  • C:\Program Files\Autodesk\Product Design Suite 2013\Bin\ProductDesignSuite.exe

Cisco AnyConnect VPN

  • C:\Program Files (x86)\cisco\cisco anyconnect vpn client\vpnagent.exe

  • C:\Program Files (x86)\cisco\cisco anyconnect vpn client\vpnui.exe

Citrix Products

Exclude the following file extensions from scanning:

  • .LOG

  • .DAT

  • .TMP

  • .POL

  • .PF

Note:

By default, Deep Security excludes the following process:

C:\Windows\System32\winlogon.exe

You do not need to add this process to Process Image exclusion again.

IBM Domino Data Directory

The IBM Domino data directory stores Domino email messages. Trend Micro recommends excluding the Domino data directory from scanning because this directory is regularly updated with new messages; thus, repeated scanning of this folder may not be efficient.

The default Domino data directory for a non-partitioned installation is as follows:

\lotus\domino\data

FSLogix Profile Containers

File directories:

  • C:\Program Files\FSLogix*

Files:

  • server*.vhdx (file server)

  • [example.com]*.vhdx (DFS namespace)

  • L:*.vhdx (local drive on the file server)

  • C:\Windows\Temp*.vhdx

Note:

Excluded files or directories may vary among environments depending on the UNC path and mapped drives.

Microsoft Active Directory Domain Controller

  • C:\WINNT\SYSVOL

  • C:\WINNT\NTDS

  • C:\WINNT\ntfrs

  • C:\WINNT\system32\dhcp

  • C:\WINNT\system32\dns

Microsoft Exchange Server

Trend Micro recommends excluding the directory or partition where the Microsoft Exchange mailbox is stored.

To prevent the Exchange Information Store from being corrupted, you must exclude the Installable File System (IFS) M: drive from scanning.

Microsoft Internet Information Services (IIS) 7.0

Trend Micro recommends excluding web server log files stored in the default IIS log directory:

C:\inetpub\logs\*.log

Oracle Database

Exclude the following file extensions from scanning:

  • .DBF

  • .LOG

  • .RDO

  • .ARC

  • .CTL

SAP Products

  • SAP ABAP or Java installations:

    \usr\sap\

  • SAP Content Server installations:

    \SAPDB\

Files:

  • SAP Print Server:

    SAPSprint.exe

  • Servers where SAPgui is installed:

    lsagent.exe

Note:

Trend Micro recommends excluding base SAPinst directories and subdirectories during SAP upgrades and installations:

C:\Program Files\SAPinst_instdir\

Symantec Backup Exec

  • C:\Program Files\Symantec\Backup Exec\beremote.exe

  • C:\Program Files\Symantec\Backup Exec\beserver.exe

  • C:\Program Files\Symantec\Backup Exec\bengine.exe

  • C:\Program Files\Symantec\Backup Exec\benetns.exe

  • C:\Program Files\Symantec\Backup Exec\pvlsvr.exe

  • C:\Program Files\Symantec\Backup Exec\BkUpexec.exe

System Center Configuration Manager (SCCM)

SCCM 2012 Manager:

  • %windir%\Windows\TEMP\BootImages\

    (boot image)

  • %windir%\ConfigMgr_OfflineImageServicing\*

    (OS image)

SCCM 2012 Endpoint Protection:

  • File directories:

    • %programfiles%\Microsoft Configuration Manager\Inboxes\*.*

    • %programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.*

  • File paths:

    • %allusersprofile%\NTUser.pol

    • %systemroot%\system32\GroupPolicy\registry.pol

    • %windir%\Security\database\*.chk

    • %windir%\Security\database\*.edb

    • %windir%\Security\database\*.jrs

    • %windir%\Security\database\*.log

    • %windir%\Security\database\*.sdb

    • %windir%\SoftwareDistribution\Datastore\Datastore.edb

    • %windir%\SoftwareDistribution\Datastore\Logs\edb.chk

    • %windir%\SoftwareDistribution\Datastore\Logs\edb*.log

    • %windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs

    • %windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs

    • %windir%\SoftwareDistribution\Datastore\Logs\Res1.log

    • %windir%\SoftwareDistribution\Datastore\Logs\Res2.log

    • %windir%\SoftwareDistribution\Datastore\Logs\tmp.edb

System Center Operations Manager (SCOM)

File directories:

  • Operations Manager 2007 and Operations Manager 2007 R2:

    %programfiles%\System Center Operations Manager\<version>\Health Service State

    The placeholder "<version>" represents "2007" for Operations Manager 2007 or Operations Manager 2007 R2.

  • Operations Manager 2012:

    %programfiles%\System Center Operations Manager\<component>\Health Service State

    The placeholder "<component>" represents "Agent" or "Server" for Operations Manager 2012.

  • Operations Manager 2012 R2 (management server):

    %programfiles%\Microsoft System Center 2012 R2\Operations Manager\Server\Health Service State

  • Operations Manager 2012 R2 (gateway server):

    %programfiles%\System Center Operations Manager\Gateway\Health Service State

  • Operations Manager 2012 R2 (agent):

    %programfiles%\Microsoft Monitoring Agent\Agent\Health Service State

File extensions:

  • SQL database servers:

    Recommended exclusions include SQL Server database files used by Operations Manager components and the system database files for the master database and tempdb database. For example:

    • .MDF

    • .LDF

  • Operations Manager (servers, gateways, and agents):

    Recommended exclusions include the queue and log files used by Operations Manager. For example:

    • .EDB

    • .CHK

    • .LOG

VMware

Attempting to access VMware disk partitions during scanning may affect session loading performance and the ability to interact with virtual machines. As such, Trend Micro recommends excluding large flat files, such as VMware disk partitions, from scanning.

You can exclude virtual machines by excluding the directories containing the virtual machines or by excluding .VMDK and .VMEM file extensions.
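The exclusion lists above mix four kinds of entry (directories, single files, wildcard patterns and bare extensions), several of them written with Windows environment variables and vendor default install roots that the note at the top says to adjust for customized locations. The following Python script is an added example, not Trend Micro's code or any Apex One feature: it expands the `%variable%` references from a supplied environment mapping, rewrites entries under a default install root to a custom one, classifies each entry, and attaches review notes to the entries that remove the most scan coverage. `SAMPLE_ENTRIES` is a constructed subset of the entries on this page and `SAMPLE_ENV` is a constructed endpoint environment; the `review`, `classify`, `expand_env` and `relocate` functions are this example's own names.

```python
import re

# Constructed subset of the recommended entries listed above, in their various forms.
SAMPLE_ENTRIES = [
    r"C:\Program Files\Autodesk\AutoCAD 2013\acad.exe",
    r"C:\WINNT\SYSVOL",
    r"%windir%\Security\database\*.edb",
    r"%programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.*",
    r"C:\inetpub\logs\*.log",
    ".DBF",
    ".LOG",
    "SAPSprint.exe",
]

# Constructed environment as an endpoint would report it (keys lower-cased).
SAMPLE_ENV = {
    "windir": r"C:\Windows",
    "systemroot": r"C:\Windows",
    "programfiles": r"C:\Program Files",
    "programfiles(x86)": r"C:\Program Files (x86)",
}

ENV_REF = re.compile(r"%([^%]+)%")


def expand_env(entry, env):
    """Expand %NAME% references case-insensitively; unknown names are left
    intact so the reviewer can see that the entry will not resolve."""
    return ENV_REF.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), entry)


def classify(entry):
    """Sort an entry into extension / process / wildcard / file / directory."""
    if entry.startswith("."):
        return "extension"
    if "\\" not in entry:
        return "process"          # bare image name such as SAPSprint.exe
    if "*" in entry or "?" in entry:
        return "wildcard"
    leaf = entry.rstrip("\\").rsplit("\\", 1)[-1]
    return "file" if "." in leaf else "directory"


def relocate(entry, default_root, custom_root):
    """Rewrite an entry that sits under the vendor default install root so it
    points at a customized install location (the note at the top of the list)."""
    root = default_root.rstrip("\\")
    if entry.lower().startswith(root.lower()) and entry[len(root):len(root) + 1] in ("", "\\"):
        return custom_root.rstrip("\\") + entry[len(root):]
    return entry


def review(entries, env, relocations=()):
    """Expand, relocate and classify each entry and flag the broad ones.
    The notes are general exclusion-hygiene guidance added by this example."""
    rows = []
    for raw in entries:
        entry = expand_env(raw, env)
        for default_root, custom_root in relocations:
            entry = relocate(entry, default_root, custom_root)
        kind = classify(entry)
        notes = []
        if "%" in entry:
            notes.append("unresolved environment variable")
        if kind == "extension":
            notes.append("matches every file with this extension on the endpoint")
        if kind == "process":
            notes.append("bare image name matches any file with this name; use the full path where the product allows it")
        rows.append({"raw": raw, "entry": entry, "kind": kind, "notes": notes})
    return rows


if __name__ == "__main__":
    custom = [(r"C:\Program Files\Autodesk", r"D:\Apps\Autodesk")]
    for row in review(SAMPLE_ENTRIES, SAMPLE_ENV, custom):
        flag = "  <- " + "; ".join(row["notes"]) if row["notes"] else ""
        print(f"{row['kind']:<10} {row['entry']}{flag}")
```

Run it once per endpoint class with that class's real environment values and install roots, then enter the resolved entries in Policies > Policy Management > <Policy Name> > Real-time Scan Settings > Scan Exclusion; the flagged rows are the ones worth a second look before the policy is deployed.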

How do I add DNS names and IP addresses to exception lists?

For security reasons, many organizations use exception lists to limit intranet access to only approved communication sources. Because Apex One as a Service servers rely on the Internet to manage Security Agents on endpoints, you may need to add the Apex One DNS names and IP addresses to firewall or gateway exception lists to ensure that your endpoints remain protected.

Ports

Apex One as a Service servers use the following ports:

  • Apex One: TCP 443

  • Apex One (Mac): TCP 8443

DNS

Trend Micro recommends adding DNS names to exception lists so that IP subnets can be dynamically approved according to DNS.

You can find the registered Apex One DNS names on the Product Servers screen of the Apex Central web console (Directories > Product Servers).

IP Addresses

Because Apex One as a Service resides on the Microsoft Azure Cloud, Apex One as a Service servers do not use a single IP address or set of IP addresses.

Currently, Apex One as a Service resides in several regions of Azure Cloud. Microsoft provides a list of their datacenter IP ranges at the following location:

https://www.microsoft.com/en-us/download/details.aspx?id=56519

Note:

When adding IP addresses to exception lists, you must import the following region names:

  • "name": "AzureCloud.australiaeast"

  • "name": "AzureCloud.centralus"

  • "name": "AzureCloud.westeurope"

  • "name": "AzureCloud.southeastasia"
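The Microsoft download linked above is a JSON document of service tags, each carrying a `name` and a list of `addressPrefixes`, and the note asks for the four AzureCloud region tags to be imported from it. The script below is an added example, not Trend Micro's code or a Microsoft tool: it indexes that document by tag name, pulls the prefixes for exactly those four tags, collapses adjacent ranges into the smallest equivalent set per IP family, renders outbound rules for the two ports listed under Ports, and reports any required tag that is missing from the file. `SAMPLE_SERVICE_TAGS` is a constructed sample in the real file's layout using documentation address ranges, with two of the required tags deliberately absent; the function names are this example's own.

```python
import ipaddress
import json

# The four Azure region tags named in the note above.
REQUIRED_REGIONS = [
    "AzureCloud.australiaeast",
    "AzureCloud.centralus",
    "AzureCloud.westeurope",
    "AzureCloud.southeastasia",
]

# Constructed sample in the layout of Microsoft's "Azure IP Ranges and Service Tags"
# JSON (download id 56519). The prefixes are documentation ranges, not real Azure
# ranges, and two of the required tags are deliberately absent.
SAMPLE_SERVICE_TAGS = """
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureCloud.centralus", "id": "AzureCloud.centralus",
     "properties": {"region": "centralus", "platform": "Azure",
                    "addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
    {"name": "AzureCloud.westeurope", "id": "AzureCloud.westeurope",
     "properties": {"region": "westeurope", "platform": "Azure",
                    "addressPrefixes": ["198.51.100.0/25", "198.51.100.128/25"]}},
    {"name": "Storage.centralus", "id": "Storage.centralus",
     "properties": {"region": "centralus", "platform": "Azure",
                    "addressPrefixes": ["192.0.2.0/24"]}}
  ]
}
"""


def load_service_tags(text):
    """Parse the Service Tags document and index its entries by tag name."""
    doc = json.loads(text)
    return {entry["name"]: entry for entry in doc["values"]}


def collect_prefixes(tags_by_name, region_names):
    """Map each requested tag to its parsed networks, or None when the tag is
    absent: a silent miss would leave every agent in that region unreachable."""
    result = {}
    for name in region_names:
        entry = tags_by_name.get(name)
        if entry is None:
            result[name] = None
            continue
        result[name] = [ipaddress.ip_network(p)
                        for p in entry["properties"]["addressPrefixes"]]
    return result


def missing_regions(prefix_map):
    return sorted(name for name, nets in prefix_map.items() if nets is None)


def merge_prefixes(prefix_map, version=4):
    """Collapse every prefix of one IP family into the smallest equivalent set,
    so adjacent ranges become a single firewall rule."""
    nets = [n for nets in prefix_map.values() if nets
            for n in nets if n.version == version]
    return sorted(ipaddress.collapse_addresses(nets))


def allowlist_rules(prefix_map, ports=(443, 8443)):
    """Render outbound allow rules for Apex One (TCP 443) and Apex One (Mac) (TCP 8443)."""
    rules = []
    for version in (4, 6):
        for net in merge_prefixes(prefix_map, version):
            for port in ports:
                rules.append(f"allow tcp from any to {net} port {port}")
    return rules


if __name__ == "__main__":
    tags = load_service_tags(SAMPLE_SERVICE_TAGS)
    pm = collect_prefixes(tags, REQUIRED_REGIONS)
    for line in allowlist_rules(pm):
        print(line)
    if missing_regions(pm):
        print("WARNING: tags not found in this Service Tags file:",
              ", ".join(missing_regions(pm)))
```

Because the published file is replaced as Azure ranges change, the rules have to be regenerated from a fresh download on a schedule rather than copied into the firewall once, and the missing-tag warning is the check that a renamed or dropped tag does not silently shrink the allowlist.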

URLs

Note:
  • The services listed below use the Content Delivery Network (CDN) for caching, so static IPs are not available.

  • Add only the URLs that match your language version (for example, for English-language product versions, add only the "*-en" URLs).

The following URLs must be available to endpoint Security Agents:

  • ActiveUpdate:

    https://osce14-p.activeupdate.trendmicro.com/activeupdate

  • Global Smart Scan Server:

    https://osce14.icrc.trendmicro.com/tmcss

  • License server:

    http://licenseupdate.trendmicro.com/ollu/license_update.aspx

  • Host Data Lake:

    xdr-nabu-prod.etdl.trendmicro.com

  • PR Feedback server:

    https://licenseupdate.trendmicro.com/fb/bifconnect.ashx

  • Web Rating server:

    • osce14-0-en.url.trendmicro.com

    • osce14-0-jp.url.trendmicro.com

    • osce14-0-tc.url.trendmicro.com

    • osce14-0-de.url.trendmicro.com

    • osce14-0-fr.url.trendmicro.com

    • osce14-0-sp.url.trendmicro.com

    • osce14-0-ru.url.trendmicro.com

    • osce14-0-it.url.trendmicro.com

    • osce14-0-po.url.trendmicro.com

    • osce14-0-kr.url.trendmicro.com

  • Smart Feedback:

    • osce140-de.fbs25.trendmicro.com

    • osce140-en.fbs25.trendmicro.com

    • osce140-es.fbs25.trendmicro.com

    • osce140-fr.fbs25.trendmicro.com

    • osce140-jp.fbs25.trendmicro.com

    • osce140-pl.fbs25.trendmicro.com

    • osce140-it.fbs25.trendmicro.com

    • osce140-ru.fbs25.trendmicro.com

    • osce140-tc.fbs25.trendmicro.com

    • osce140-kr.fbs25.trendmicro.com

  • Near Field Communication (NFC) server:

    • osce14-en.gfrbridge.trendmicro.com

    • osce14-jp.gfrbridge.trendmicro.com

    • osce14-tc.gfrbridge.trendmicro.com

    • osce14-kr.gfrbridge.trendmicro.com

    • osce14-de.gfrbridge.trendmicro.com

    • osce14-fr.gfrbridge.trendmicro.com

    • osce14-it.gfrbridge.trendmicro.com

    • osce14-es.gfrbridge.trendmicro.com

    • osce14-ru.gfrbridge.trendmicro.com

    • osce14-po.gfrbridge.trendmicro.com

  • Census server:

    • https://osce14-en-census.trendmicro.com

    • https://osce14-de-census.trendmicro.com

    • https://osce14-fr-census.trendmicro.com

    • https://osce14-es-census.trendmicro.com

    • https://osce14-it-census.trendmicro.com

    • https://osce14-pl-census.trendmicro.com

    • https://osce14-ru-census.trendmicro.com

    • https://osce14-jp-census.trendmicro.com

    • https://osce14-kr-census.trendmicro.com

    • https://osce14-tc-census.trendmicro.com

  • Census server (backup):

    • osce14bak-en-census.trendmicro.com

    • osce14bak-de-census.trendmicro.com

    • osce14bak-es-census.trendmicro.com

    • osce14bak-fr-census.trendmicro.com

    • osce14bak-it-census.trendmicro.com

    • osce14bak-jp-census.trendmicro.com

    • osce14bak-kr-census.trendmicro.com

    • osce14bak-pl-census.trendmicro.com

    • osce14bak-ru-census.trendmicro.com

    • osce14bak-sc-census.trendmicro.com

    • osce14bak-tc-census.trendmicro.com

  • Predictive Machine Learning (File)

    • osce140-en-f.trx.trendmicro.com

    • osce140-de-f.trx.trendmicro.com

    • osce140-es-f.trx.trendmicro.com

    • osce140-fr-f.trx.trendmicro.com

    • osce140-it-f.trx.trendmicro.com

    • osce140-jp-f.trx.trendmicro.com

    • osce140-kr-f.trx.trendmicro.com

    • osce140-pl-f.trx.trendmicro.com

    • osce140-ru-f.trx.trendmicro.com

    • osce140-tc-f.trx.trendmicro.com

  • Predictive Machine Learning (Behavior)

    • osce140-en-b.trx.trendmicro.com

    • osce140-de-b.trx.trendmicro.com

    • osce140-es-b.trx.trendmicro.com

    • osce140-fr-b.trx.trendmicro.com

    • osce140-it-b.trx.trendmicro.com

    • osce140-jp-b.trx.trendmicro.com

    • osce140-kr-b.trx.trendmicro.com

    • osce140-pl-b.trx.trendmicro.com

    • osce140-ru-b.trx.trendmicro.com

    • osce140-tc-b.trx.trendmicro.com

  • Predictive Machine Learning (Coexist mode)

    • oscecmp140-de-f.trx.trendmicro.com

    • oscecmp140-en-f.trx.trendmicro.com

    • oscecmp140-es-f.trx.trendmicro.com

    • oscecmp140-fr-f.trx.trendmicro.com

    • oscecmp140-it-f.trx.trendmicro.com

    • oscecmp140-jp-f.trx.trendmicro.com

    • oscecmp140-kr-f.trx.trendmicro.com

    • oscecmp140-pl-f.trx.trendmicro.com

    • oscecmp140-ru-f.trx.trendmicro.com

    • oscecmp140-tc-f.trx.trendmicro.com

How do I send logs from Apex One as a Service to a third-party SIEM solution?

Apex Central allows you to forward syslog messages from Apex One as a Service to a third-party security information and event management (SIEM) solution.

Important:

Before enabling syslog forwarding on Apex Central, ensure that the syslog input/receiver service on your SIEM solution is preconfigured and running.

For specific SIEM configurations, refer to your SIEM server documentation.

To configure syslog forwarding on Apex Central, go to Administration > Settings > Syslog Settings and provide the following SIEM server information on the Syslog Settings screen:

  • Server address: Provide the IP address or host name of the SIEM server that receives the forwarded syslogs

  • Port: Provide the communication port number on the SIEM server

    Note:
    • For TCP/UDP communications, the default port number is usually 514.

    • For TLS communications, the default port number is usually 6514.

  • Protocol: Select the communication method used by the SIEM server
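The Important note above says the SIEM's syslog receiver must already be running before forwarding is enabled, and the port note gives the usual defaults. The following Python script is an added example, not Trend Micro's code or part of Apex Central: it sends one RFC 5424 formatted test line to a receiver over UDP or TCP the way a forwarder would, reports whether the receiver accepted it, and can stand up a throwaway local receiver for a dry run of the whole exchange. The message text, the `dry_run`, `send_test_message` and `start_local_receiver` names, and the local receiver are this example's own; TLS (port 6514) is deliberately not attempted because it requires the SIEM's certificate.

```python
import socket
import threading
from datetime import datetime, timezone

# Default receiver ports from the note above.
DEFAULT_PORTS = {"UDP": 514, "TCP": 514, "TLS": 6514}


def default_port(protocol):
    return DEFAULT_PORTS[protocol.upper()]


def build_test_message(hostname="apexcentral-precheck", app="syslog-check"):
    """RFC 5424 line: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PRI 14 = facility 1 (user) * 8 + severity 6 (informational)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<14>1 {ts} {hostname} {app} - - - syslog forwarding pre-check"


def send_test_message(host, port, protocol, message, timeout=3.0):
    """Deliver one newline-terminated message (RFC 6587 non-transparent framing).
    Returns True when the socket operation succeeds and False on refusal or
    timeout. UDP has no acknowledgement, so a UDP True only proves the packet
    left this host; confirm arrival on the SIEM side."""
    proto = protocol.upper()
    data = (message + "\n").encode()
    try:
        if proto == "UDP":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(data, (host, port))
            return True
        if proto == "TCP":
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(data)
            return True
    except OSError:
        return False
    raise ValueError(f"unsupported protocol for this check: {protocol}")


def start_local_receiver(protocol, host="127.0.0.1"):
    """Bind a throwaway receiver on an ephemeral port to stand in for the SIEM
    input during a dry run. Returns (port, wait); wait() returns the first
    received line or None after the timeout."""
    proto = protocol.upper()
    received, done = [], threading.Event()
    if proto == "UDP":
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((host, 0))

        def serve():
            sock.settimeout(5.0)
            try:
                data, _ = sock.recvfrom(65535)
                received.append(data.decode().rstrip("\n"))
            except OSError:
                pass
            finally:
                sock.close()
                done.set()
    elif proto == "TCP":
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind((host, 0))
        sock.listen(1)

        def serve():
            sock.settimeout(5.0)
            try:
                conn, _ = sock.accept()
                with conn:
                    conn.settimeout(5.0)
                    buf = b""
                    while not buf.endswith(b"\n"):
                        part = conn.recv(4096)
                        if not part:
                            break
                        buf += part
                received.append(buf.decode().rstrip("\n"))
            except OSError:
                pass
            finally:
                sock.close()
                done.set()
    else:
        raise ValueError(f"unsupported protocol for this check: {protocol}")
    port = sock.getsockname()[1]
    threading.Thread(target=serve, daemon=True).start()

    def wait(timeout=5.0):
        done.wait(timeout)
        return received[0] if received else None
    return port, wait


def dry_run(protocol, host="127.0.0.1"):
    """Send a test line to a local receiver; returns (sent_ok, received_intact)."""
    port, wait = start_local_receiver(protocol, host)
    message = build_test_message()
    return send_test_message(host, port, protocol, message), wait() == message


if __name__ == "__main__":
    for proto in ("UDP", "TCP"):
        print(proto, "dry run:", dry_run(proto))
```

Against the real SIEM, call `send_test_message(siem_host, default_port("TCP"), "TCP", build_test_message())` from a host on the same network path Apex Central will use, then look for the test line in the SIEM's raw syslog input before enabling forwarding under Administration > Settings > Syslog Settings.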

How does Apex One as a Service policy deployment work?

Apex Central deploys policies to the Apex One server.

For detailed information about the Apex One as a Service policy deployment process and deployment triggers, see the following article:

https://success.trendmicro.com/solution/1123401-understanding-apex-one-policy-deployment