Trend Micro Incorporated                               January 20, 2021
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Trend Micro(TM) ServerProtect(TM) for Linux(TM) 3.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This Readme file was current as of the date above. However,
all customers are advised to check Trend Micro's website for
documentation updates at:

http://docs.trendmicro.com

TIP: Register online with Trend Micro within 30 days of installation
to continue downloading new pattern files and product updates from the
Trend Micro website. Register during installation or online at:

https://clp.trendmicro.com/FullRegistration?T=TM

Contents
===================================================================
   1. About ServerProtect for Linux 3.0
   2. What's New
   3. Documentation Set
   4. System Requirements
   5. Installation
      5.1 Installing ServerProtect for Linux 3.0
      5.2 Removing ServerProtect for Linux 3.0 After the Trial Period
   6. Post-Installation Configuration
   7. Known Issues
   8. Release History
   9. Contact Information
   10. About Trend Micro
   11. License Agreement
===================================================================

1. About ServerProtect for Linux
========================================================================
   ServerProtect for Linux provides comprehensive protection against
   computer viruses/spyware, Trojans, worms, and other security risks
   for file servers based on the Linux operating system. Managed
   through an intuitive, portable web-based console or Linux command
   line console, ServerProtect provides centralized virus scanning,
   pattern updates, event reporting and antivirus configuration.

2. What's New
========================================================================
   ServerProtect for Linux 3.0 includes the following new features and
   enhancements:

   - Support for new platforms

     In this release, supported platforms are based on the Linux
     kernel 4.x.
     The supported platforms are:

     - Red Hat Enterprise Server 8
     - SUSE Linux Enterprise Server 15
     - CentOS Linux 8

     ServerProtect has a simplified installation program that requires
     only one installation package for all supported platforms.

   - ServerProtect management through Trend Micro Apex Central(TM) or
     Trend Micro Control Manager(TM)

     You can use Trend Micro's central management console, Apex
     Central (formerly known as Trend Micro Control Manager), to
     manage ServerProtect for Linux. When registered to Apex Central /
     Control Manager, ServerProtect can make use of features such as:

     - Reports available from Apex Central / Control Manager
     - Outbreak Prevention Services for file blocking
     - License deployment for ServerProtect

     Please refer to the "Getting Started Guide" or "Administrator's
     Guide" for details.

3. Documentation Set
========================================================================
   To download or view electronic versions of the documentation set
   for this product, go to http://docs.trendmicro.com

   - Online Help: The Online Help contains an overview of features and
     key concepts, and information on configuring and maintaining
     ServerProtect.

     To access the Online Help, go to http://docs.trendmicro.com

   - Administrator's Guide (AG): The Administrator's Guide contains an
     overview of features and key concepts, and information on
     configuring and maintaining ServerProtect.

   - Getting Started Guide (GSG): The Getting Started Guide contains a
     product overview, installation planning, installation and
     configuration instructions, and basic information intended to get
     ServerProtect "up and running".

   - Support Portal: The Support Portal contains information on
     troubleshooting and resolving known issues.

     To access the Support Portal, go to
     http://esupport.trendmicro.com

4. System Requirements
========================================================================
   ServerProtect for Linux requires the following hardware and
   software specifications on the computers where it is installed:

   Processor
   ~~~~~~~~~
   - Intel(TM) Pentium(TM) II or later
   - AMD(TM) Athlon(TM) or later

   NOTE: This version of ServerProtect supports Intel processors with
         Intel 64 architecture and AMD processors with AMD64
         technology. Intel Itanium architecture is not supported.

   Memory
   ~~~~~~
   512 MB or more (1 GB recommended for application/file servers)

   Disk space
   ~~~~~~~~~~
   - 300 MB for the "/opt" directory
   - 300 MB for the "/tmp" directory

   Linux Distributions and Kernels
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   - Red Hat Enterprise Linux 8
     - 4.18.0-80.el8.x86_64

   - CentOS Linux 8
     - 4.18.0-80.el8.x86_64

   - SUSE Linux Enterprise Server 15
     - 4.12.14-23.1.x86_64
     - 4.12.14-195.1.x86_64

   NOTE: Real-time Scan is disabled if you do not have the appropriate
         KHM installed for your operating system. If the KHM is not
         included in the package, please check the Trend Micro website
         for other officially released KHMs:

         http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=111&regs=NABU&lang_loc=1

   NOTE: You can also build the KHM on your Linux system using the
         open-source code included in the ServerProtect installation
         package. Trend Micro does not provide support for a KHM that
         you build yourself. For detailed instructions on building and
         installing a KHM, refer to the INSTALL file in the
         "/opt/TrendMicro/SProtectLinux/SPLX.module/scr/module"
         directory or the appendix in the Getting Started Guide.

         Before you build the KHM on your Linux computer, make sure
         the following dependent packages are installed:

         - elfutils-libelf-devel
         - zlib-devel

   WARNING: During the KHM build process, some Linux computers may
            experience a kernel panic or system hang. Thus, Trend
            Micro recommends you perform these operations on a test
            computer.
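
   Added example (not part of the Trend Micro package or of the
   original Readme): a preflight check for the requirements in this
   section. It reports whether the running kernel is one of the
   kernels listed above, which KHM build dependencies rpm cannot find,
   and whether "/opt" and "/tmp" each have 300 MB free. The function
   names are hypothetical.

```shell
#!/bin/sh
# Added example, not shipped with ServerProtect. Kernel releases, package
# names and the 300 MB figures come from this Readme; function names are
# hypothetical.

# Kernel releases listed under "Linux Distributions and Kernels".
LISTED_KERNELS="4.18.0-80.el8.x86_64 4.12.14-23.1.x86_64 4.12.14-195.1.x86_64"

# kernel_listed RELEASE: succeeds only on an exact match with a listed kernel.
kernel_listed() {
    for k in $LISTED_KERNELS; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# enough_space DIR MIN_MB: succeeds if DIR has at least MIN_MB megabytes free.
enough_space() {
    avail_kb=$(df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}')
    [ -n "$avail_kb" ] && [ "$avail_kb" -ge $(( $2 * 1024 )) ]
}

# missing_build_deps: prints each KHM build dependency that rpm cannot find.
missing_build_deps() {
    for p in elfutils-libelf-devel zlib-devel; do
        rpm -q "$p" >/dev/null 2>&1 || printf '%s\n' "$p"
    done
}

# preflight [RELEASE]: 0 = ready, 1 = kernel not listed, 2 = disk space.
preflight() {
    rel=${1:-$(uname -r)}
    status=0
    if kernel_listed "$rel"; then
        echo "OK   kernel $rel is listed in the Readme"
    else
        echo "WARN kernel $rel is not listed; Real-time Scan is disabled without a matching KHM"
        miss=$(missing_build_deps | tr '\n' ' ')
        [ -n "$miss" ] && echo "WARN packages needed to build a KHM are missing: $miss"
        status=1
    fi
    for d in /opt /tmp; do
        if enough_space "$d" 300; then
            echo "OK   $d has at least 300 MB free"
        else
            echo "FAIL $d has less than 300 MB free"
            status=2
        fi
    done
    return "$status"
}

preflight "$@" || echo "preflight finished with status $?"
```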

   Web Browsers
   ~~~~~~~~~~~~
   - Internet Explorer 11 or later
   - Mozilla Firefox 37 or later
   - Microsoft Edge 93.0 or higher
   - Google Chrome 93.0 or higher

   Apex Central / Control Manager
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   - Apex Central 2019 or later
   - Control Manager 7.0 or later

5. Installation
========================================================================
   NOTE: Before you install ServerProtect on your Linux computer, make
         sure the following dependent packages are installed. You can
         use the default library versions bundled in the OS image.

         - glibc
         - libgcc
         - zlib
         - bzip2
         - libuuid
         - libstdc++ (Red Hat and CentOS only)
         - nss-softokn-freebl (Red Hat and CentOS only)
         - perl-Sys-Syslog (Red Hat and CentOS only)

   5.1 Installing ServerProtect for Linux 3.0
   =====================================================================
   To install ServerProtect for Linux 3.0:

   1. Log on as a root user.

   2. From the directory containing the ServerProtect installation
      files, type the following at the command line:

      ./SProtectLinux-3.0.bin

      TIP: For details on command options, type

           ./SProtectLinux-3.0.bin -h

           at the command line.

      NOTE: To install ServerProtect with Real-time Scan disabled, use
            the -n option. After the installation is complete, set the
            value of the RealtimeScan parameter to "0" in the
            "tmsplx.xml" configuration file and restart the
            ServerProtect service. For more information, refer to the
            "Getting Started Guide".

   The installer extracts and installs the required files to
   appropriate locations on the Linux system.

   After the installation, you can access the ServerProtect web
   console from the following URL:

      http://:14942/
      or
      https://:14943/

   If you access ServerProtect through the web console, verify that
   ports 14942 and 14943 are open on the Linux system.

   Evaluation Version
   ~~~~~~~~~~~~~~~~~~
   An Activation Code (also called a serial number) is required to
   enable scanning and product updates. You can activate ServerProtect
   during set-up or any time thereafter.
   See the "Registering and Activating ServerProtect" topic in the
   ServerProtect online help for details.

   IMPORTANT: Trend Micro recommends that you set your logon password
              as soon as you install ServerProtect. There is no
              default password.

   NOTE: To install ServerProtect on multiple computers, use the
         "RemoteInstall" program. Please refer to the "Installation"
         chapter of the "Getting Started Guide" for details.

   5.2 Removing ServerProtect for Linux 3.0 After the Trial Period
   =====================================================================
   To remove ServerProtect:

   1. Log on as a root user.

   2. Type the following at the command line:

      rpm -e SProtectLinux

   The command above automatically stops the ServerProtect service,
   and removes the application.

6. Post-Installation Configuration
========================================================================
   6.1 Verifying Real-time Scan Status
   =====================================================================
   To ensure that Real-time Scan is properly activated and that it
   starts properly on kernel-dependent installations, log on to the
   ServerProtect web console and check the Real-time Scan settings
   after installing the product.

   6.2 Initiating Automatic Update on Apex Central / Control Manager
   =====================================================================
   After you have registered ServerProtect to Control Manager / Apex
   Central, you must configure settings on the Control Manager / Apex
   Central server to initiate automatic component update on the
   ServerProtect computer.

   To initiate automatic update from Apex Central / Control Manager:

   1. Make sure you have successfully registered ServerProtect to
      Apex Central / Control Manager.

   2. Log on to the Apex Central / Control Manager web console and
      select "Product Programs" in the "Manual Download" or
      "Scheduled Download" screen.

   3. From Apex Central / Control Manager, perform a component update.

   NOTE: Trend Micro recommends updating the scan engine and
         virus/spyware pattern files immediately after installing the
         product.

7. Known Issues
========================================================================
   Here are the known issues in this release.

   7.1 When SELinux is running at the same time, ServerProtect may not
       function properly. The "execve" hook in the ServerProtect
       service conflicts with the SELinux service on Red Hat
       Enterprise Linux (RHEL) 8 and CentOS 8 x86_64 platforms.
   =====================================================================
   To support the "execve" hook on x86_64 kernels after 2.6.32,
   ServerProtect for Linux uses the Linux Security Module (LSM) to
   perform the "execve" hook. A conflict may occur in this situation
   because the kernel only allows one LSM module to register at a
   time.

   To resolve this issue, stop the SELinux service before installing
   or running ServerProtect.

   To stop the service:

   1. Open "/etc/selinux/config".

   2. Set "SELINUX=disabled".

   3. Restart your computer.

   7.2 ServerProtect Real-time Scan cannot resolve full file paths in
       chroot environments
   =====================================================================
   ServerProtect Real-time Scan cannot resolve full file paths in
   chroot environments. To scan or exclude chroot file paths, check
   the relative file paths after chroot and add these to the Real-time
   Scan directories or Real-time Scan exclusion lists.

   7.3 Cannot open online help window in Internet Explorer 11 or above
   =====================================================================
   By default, Internet Explorer 11 blocks all pop-up windows,
   including the online help screens.

   To resolve this issue, allow pop-up windows for the ServerProtect
   "Help menu" in Internet Explorer 11.

   7.4 Setting "UserLevelDebug" to "5" for ServerProtect causes the
       system to hang after restarting.
   =====================================================================
   On x86_64 platforms, after setting "UserLevelDebug" to "5" (the
   highest debug level) and restarting the computer, the system hangs.

   To resolve this issue, add "/var/log" to the Real-time Scan
   exclusion list. Make sure the debug log files are located in the
   "/var/log" directory.

   NOTE: When enabling debug logging, you must first restart the
         rsyslog service, and then restart the ServerProtect service.
         You also need to restart the rsyslog service immediately
         after you modify the "rsyslog.conf" file when you enable
         debug logging.

         When disabling debug logging, you must first restart the
         ServerProtect service, and then restart the rsyslog service.

   7.5 Users need to manually configure Single Sign-On (SSO) to work
       in a Network Address Translation (NAT) environment
   =====================================================================
   When registering ServerProtect to a Control Manager server through
   NAT, you cannot access the ServerProtect web console using SSO.

   To resolve this issue:

   1. Add a port forwarding rule on your NAT device.

   2. Set the "IPAddressList" key value in the
      "/opt/TrendMicro/SProtectLinux/Agent.ini" file to the IP address
      of the public interface on the NAT device.

   3. Open the "/opt/TrendMicro/SProtectLinux/Product.ini" file and
      set the "ProtocolName" parameter to either "http" or "https" and
      the port number to "14942" or "14943" respectively to configure
      port forwarding in a NAT-enabled network.

   4. Restart the ServerProtect service.

   After the configuration, you should be able to access the
   ServerProtect web console through SSO.

   7.6 Unable to start the VNC server on x86_64 Linux platforms after
       installing ServerProtect
   =====================================================================
   On x86_64 Linux platforms, users cannot start the VNC server after
   installing ServerProtect. This issue is not reported on i686 Linux
   platforms.

   To resolve this issue:

   1. Disable Real-time Scan in ServerProtect by typing
      "./splxmain -x" in the
      "/opt/TrendMicro/SProtectLinux/SPLX.vsapiapp/" directory.

   2. Start the VNC server.

   3. Start Real-time Scan by typing "./splxmain -v" in the
      "/opt/TrendMicro/SProtectLinux/SPLX.vsapiapp/" directory.

   7.7 ServerProtect Real-time Scan does not scan files in NFS shared
       folders when NFS clients operate on the files
   =====================================================================
   When installed on an NFS server, ServerProtect Real-time Scan does
   not scan files in NFS shared folders for viruses when NFS clients
   operate on the files. Once a file operation is performed on the NFS
   server, ServerProtect Real-time Scan will scan the files for
   viruses.

   7.8 Unable to configure the action for unscannable files
   =====================================================================
   Actions cannot be configured for unscannable files. The action for
   all unscannable files is "pass" and there is no system log for it.

   7.9 The "execve" hook in the ServerProtect service conflicts with
       the SELinux service on RHEL 8 and CentOS 8 x86_64 platforms.
   =====================================================================
   To support the "execve" hook on x86_64 kernels after 2.6.32,
   ServerProtect for Linux uses the Linux Security Module (LSM) to
   perform the "execve" hook. A conflict may occur in this situation
   because the kernel only allows one LSM module to register at a
   time.

   To resolve this issue, stop the SELinux service before installing
   or running ServerProtect.

   To stop the service:

   1. Open "/etc/selinux/config".

   2. Set "SELINUX=disabled".

   3. Restart your computer.

   7.10 Unable to export logs in Internet Explorer 11 when you access
        the web UI via the HTTPS protocol.
   =====================================================================
   To resolve this known issue, do the following:

   1. On Internet Explorer 11, click the settings icon, or the "Tools"
      menu, and then click "Internet Options".

   2. On the "Advanced" tab, clear the "Do not save encrypted pages to
      disk" option.

   3. Click "OK" to save settings.

   7.11 On Internet Explorer, the progress bar does not animate while
        registering/unregistering to Trend Micro Control Manager.
   =====================================================================
   To resolve this issue, do the following:

   1. On Internet Explorer, click the settings icon, or the "Tools"
      menu, and then click "Internet Options".

   2. On the "Advanced" tab, select the "Play animations in webpages"
      option.

   3. Click "OK" to save the setting.

   4. Restart Internet Explorer and access the ServerProtect for Linux
      web console again.

   7.12 ServerProtect for Linux is not compatible with UEFI Secure
        Boot.
   =====================================================================
   If UEFI Secure Boot is enabled, the KHM will not load properly.

   To work around this issue, disable the UEFI Secure Boot feature
   before installing ServerProtect, or use a signed KHM.

   To use a signed KHM:

   1. Sign the KHM by following the corresponding procedure for
      signing a kernel module on your operating system.

   2. Stop the ServerProtect for Linux service.

   3. Copy the signed KHM to the
      "/opt/TrendMicro/SProtectLinux/SPLX.module/" folder.

   4. Start the ServerProtect for Linux service.

8. Release History
========================================================================
   For more information about updates to this product, go to:

   http://www.trendmicro.com/download

9. Contact Information
========================================================================
   A license to Trend Micro software usually includes the right to
   product updates, pattern file updates, and basic technical support
   for one (1) year from the date of purchase only. After the first
   year, you must renew Maintenance on an annual basis at Trend
   Micro's then-current Maintenance fees.

   Contact Trend Micro via fax, phone, and email, or visit our website
   to download evaluation copies of Trend Micro products.

   http://www.trendmicro.com/us/about-us/contact/index.html

   NOTE: This information is subject to change without notice.

10. About Trend Micro
========================================================================
   Smart, simple, security that fits

   As a global leader in IT security, Trend Micro develops innovative
   security solutions that make the world safe for businesses and
   consumers to exchange digital information.

   Copyright 2021, Trend Micro Incorporated. All rights reserved.
   Trend Micro, ServerProtect, Control Manager, InterScan, VirusWall,
   Apex Central, and the t-ball logo are trademarks of Trend Micro
   Incorporated and are registered in some jurisdictions. All other
   marks are the trademarks or registered trademarks of their
   respective companies.

11. License Agreement
========================================================================
   View information about your license agreement with Trend Micro at:

   www.trendmicro.com/us/about-us/legal-policies/license-agreements

   Third-party licensing agreements can be viewed:

   - By selecting the "About" option in the application user interface
   - By referring to the "Legal" page of the "Administrator's Guide"