Trend Micro, Inc.
January 2018
Trend Micro™ Worry-Free Business Security Services™
Version 6.3
This readme file is current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates at http://docs.trendmicro.com/en-us/smb/worry-free-business-security-services.aspx.
Trend Micro always seeks to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site: http://docsstg.trendmicro.com/en-us/survey.aspx.
1. About Worry-Free Business Security Services
Trend Micro™ Worry-Free Business Security Services™ for small offices protects multiple Windows computers, Macs, and Android devices located in or out of the office from viruses and other threats from the web. Unique Web Threat Protection stops threats before they reach devices and inflict damage or steal data. This safer, smarter, simpler protection from web threats will not cause devices to slow down. You can centrally manage security from anywhere without the need to add a server, install server software, configure settings, or maintain updates. Trend Micro security experts host and constantly update the service for you. Trend Micro™ Worry-Free Business Security Services™ is:
Safer: Powered by XGen™ security, Worry-Free Business Security Services uses a blend of threat protection techniques to eliminate security gaps - in any activity, on any endpoint, anywhere. XGen security:
Goes beyond next-generation technologies and protects against the full range of threats. Progressively filters out threats using the most efficient technique for maximum detection without false positives.
Blends signatureless techniques, including machine learning, behavioral analysis, variant protection, census check, application control, and good-file check with file and web reputation.
Smarter: Stop viruses and other threats without configuring settings or maintaining updates.
Simpler: Centrally manage and check the status of protected devices anywhere (no server required).
Worry-Free Business Security Services includes the following new features and enhancements:
Data Loss Prevention (DLP)
Worry-Free Business Security Services pre-defined DLP templates for hundreds of global regulatory and compliance regulations, including PCI/DSS, HIPAA, GLBA, SB-1386, US PII, and others.
Aggressive Scan
Worry-Free Business Security Services now includes an Aggressive Scan feature for deeper scanning and cleaning of infected endpoints.
The document set for the Worry-Free Business Security Services includes:
Download the latest versions of the PDF documents and readme at http://docs.trendmicro.com/en-us/smb/worry-free-business-security-services.aspx.
4. Security Agent System Requirements
The Worry-Free Business Security Services Security Agent can be installed on Microsoft Windows, Mac OS, iOS, or Android platforms. The Security Agent is also compatible with various third-party products.
Visit the following website for a complete list of system requirements and compatible third-party products:
Windows Security Agent Known Issues
Security Agent Deployment and Upgrade
When the following conditions apply, the proxy server information needs to be added to the firewall exception list in the Worry-Free Business Security Services web console.
Endpoints are installed on Windows 8, Windows Server 2012, or later and use a proxy server.
The firewall security level is set to High in the advanced mode in the Worry-Free Business Security Services web console.
Endpoints may lose network connection temporarily during installation.
Users cannot deploy the Security Agent program when Internet Explorer 10 or later is running in Metro mode on Windows 8 or later.
The email installation link does not work properly when users try to re-activate the Security Agent using Microsoft Edge. However, Microsoft intends to resolve this issue in a later release.
After users install the Security Agent and then open Firefox, sometimes the Firefox extension installation process does not start. Users need to manually enable the extension in Add-ons Manager.
Security Agent
If the Security Agent is enabled and a malware program resides in the Security Agent folder before Real-time Scan starts, the Security Agent cannot restrict that malware from updating the registry.
On Windows 10 endpoints, Worry-Free Business Security Services alerts may be hidden behind the Microsoft Edge browser window. Users must check for any unauthorized event or threat alerts that may appear.
If the Security Agent is installed on a Windows endpoint running Enhanced Mitigation Experience Toolkit (EMET), there might be some performance and conflict issues. Trend Micro recommends not installing the Security Agent and Microsoft EMET on the same endpoint.
Issue: If users have installed Windows Update KB3076895 (MS15-084), the Msxml6.dll 6.20.5008.0 file included in the update might cause issues in the TmListen.exe service and policy setting deployments.
Workaround: Install Windows Update KB3092627 or later to update the Msxml6.dll file.
The Security Agent does not support IPv6.
When multiple logon sessions exist on an endpoint, some agent process files might crash after an agent upgrade. Users might need to manually start the Security Agent.
Firewall
During Security Agent installation or firewall driver uninstallation, the endpoint may temporarily lose its network connection. Some applications, such as Secure Shell (SSH), Terminal Services Client, or Remote Desktop could be affected by the disconnection. If the network connection is lost, restart the application after installing the Security Agent or after disabling the firewall.
The Security Agent firewall may conflict with other firewall applications. Trend Micro recommends uninstalling or disabling other firewall applications.
On VMware clients, the Security Agent firewall may block all incoming packets.
To address this issue, add the following value to the VMware client registry:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\PFW
Name: EnableBypassRule
Type: REG_DWORD
Data: 1
Web Reputation and URL Filtering
When running Internet Explorer 9 or later with Internet Explorer Enhanced Security Configuration, the Web Reputation plug-in module (TmIEPlugInBHO Class) cannot be automatically applied. Risky URLs using SSL cannot be blocked.
Web Reputation Services and URL Filtering are not supported when Internet Explorer 10 or later is running in Metro mode on Windows 8 or later.
Issue: If Chrome is open while the Security Agent updates Web Reputation Services and URL Filtering components, the Security Agent will not be able to block HTTPS websites.
Workaround: Restart Chrome to resolve the issue.
The HTTPS Web Threat Protection and URL Filtering features do not support checking websites that use HTTP/2 protocol.
For a list of unsupported websites, see the Knowledge Base.
HTTPS Web Threat Protection does not support Mac Security Agents.
Windows Small Business Server Dashboard Add-In Tool
When Internet Explorer 9 is installed under Windows Small Business Server 2011 Essentials, a popup window concerning unused windows appears when closing the Dashboard console.
Dashboard Add-in is not compatible with Internet Explorer Enhanced Security Configuration. Ensure this option is disabled before opening the Dashboard.
Login Script Setup Tool
Endpoints installed on Windows Vista or later and have User Account Control (UAC) enabled cannot run automatic installation.
Device Control
Multiple log entries appear when a user tries to access or copy files to a USB device. Device Control detects each instance as a single policy violation but includes multiple entries in the logs to differentiate the OS versions.
Device Control supports all 32-bit operating systems and only the following 64-bit platforms: Windows Vista SP1 x64 and later.
Application Control
When users block an application that consists of .dll files only, Worry-Free Business Security Services will not block the application. Blocking the .dll files might also block other applications that run the same .dll files.
When multiple logon sessions exist on an endpoint, the Application Control feature will increase CPU usage for a while.
Full Disk Encryption
BitLocker cannot encrypt endpoints that run multiple operating systems when users install Windows 7 first and then install Windows 10. In this scenario, the default system partition size on both operating systems will be 100 MB, but BitLocker requires at least 350 MB of system partition size on Windows 10.
Data Loss Prevention
When uninstalling the Security Agent with Data Loss Prevention enabled, users must restart the endpoints to completely remove the Data Loss Prevention components. Currently there is no reminder of the requirement.
If users try to reinstall the Security Agent without restarting the endpoints, the Data Loss Prevention components cannot be installed until users restart the endpoints. After reinstalling the Data Loss Prevention components, users must restart the endpoints again.
Mac Security Agent Known Issues
The Security Agent does not support root accounts.
When the operating system is upgraded to Mac OS X 10.8, the Security Agent program cannot start. The Security Agent requires Java and the upgrade to Mac OS X 10.8 automatically removes Java. To resolve this issue, install the latest version of Java and then restart the Mac.
When installing the Security Agent on a Mac running on Mac OS X 10.6.7 or earlier, the installation process may be unsuccessful. To resolve this issue, upgrade to Mac OS X 10.6.8, and then download and install the following Apple update:
Android Security Agent Known Issues
When Worry-Free Business Security Services is installed on a device running Android 2.x, the system proxy is not updated as this version of the operating system does not support system proxies. This could also prevent the device from connecting to the server to receive updates.
Worry-Free Business Security Services cannot be installed on rooted Android devices.
On an Android device, if the user goes to Settings > Apps > Worry-Free Security > Storage and taps CLEAR CACHE, the Security Agent might not be able to connect to the server to receive updates. The user would need to re-enroll the device.
If other installed apps interfere with the device's network connection, the Security Agent might not be able to connect to the server to receive updates.
When using the "Remote Locate" feature to find a mobile device, the language code (for example: en, jp, fr) that displays in the browser for the embedded Google Maps may not be the same as the language used by the web console.
Worry-Free Business Security Services uses Google Cloud Messaging (GCM) for Android mobile device management commands. Commands sent to Android devices can take some time to be received, or the commands may be unsuccessful.
If multiple device administrators manage a single Android device, some commands may not be successful (for example: reset password). Worry-Free Business Security Services uses the Android Device Administrator for mobile device management commands. When more than one Device Administrator exists for the same Android device, the stricter policy on the device has priority. For example, if two apps both require users to follow a password policy, only the stricter policy is applied.
For Android devices that contain multiple user profiles, the Security Agent can only be installed in the owner's profile. An error occurs when users try to install the Security Agent in other user profiles.
For Android 7.0 devices that already use a password to unlock the device screen, an error occurs when users try to send the Reset Password command to these devices from the Worry-Free Security Services web console.
iOS Security Profile Known Issues
Worry-Free Business Security Services uses the Apple Push Notification service (APNs) for iOS mobile device management commands. Commands sent to iOS devices can take some time to be received, or the commands may be unsuccessful.
If the Private Browsing feature in Safari is enabled (https://support.apple.com/en-ph/HT203036), iOS devices may not successfully complete device enrollment.
A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.
You can contact Trend Micro via fax, phone, and email, or visit us at http://www.trendmicro.com.
Evaluation copies of Trend Micro products can be downloaded from our website.
Global Mailing Address/Telephone numbers
For global contact information in the Asia/Pacific region, Australia and New Zealand, Europe, Latin America, and Canada, refer to http://www.trendmicro.com/us/about-us/contact/index.html.
Note: This information is subject to change without notice.
Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years experience, we deliver top-ranked security that fits our customers' needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the Trend Micro™ Smart Protection Network™ infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit http://www.trendmicro.com.
Copyright 2018, Trend Micro Incorporated. All rights reserved. Trend Micro, the t-ball logo and Worry-Free Business Security Services are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other product or company names may be trademarks or registered trademarks of their owners.
Information about your license agreement with Trend Micro can be viewed at http://us.trendmicro.com/us/about/company/user_license_agreements/.
License Attributions can be viewed from the Worry-Free Business Security Services web console.