CSM4SMB v3 AG

CSM4SMB-v3-AG.
book Page 1 Monday, April 23, 2007 10:40 AM
Client Server
Messaging Security3
for Small and Medium Business
Administrator’s Guide
CSM4SMB-v3-AG.book Page 2 Monday, April 23, 2007 10:40 AM
Trend Micro Incorporated reserves the right to make changes to this document and to
the products described herein without notice. Before installing and using the
software, please review the readme files, release notes and the latest version of the
Getting Started Guide, which are available from Trend Micro's Web site at:
http://www.trendmicro.com/download/default.asp
NOTE: A license to the Trend Micro Software includes the right to product updates,
pattern file updates, and basic technical support for one (1) year from the date of
purchase only. Thereafter, you must renew Maintenance on an annual basis by
paying Trend Micro’s then-current Maintenance fees to have the right to continue
receiving product updates, pattern updates, and basic technical support.
To order renewal Maintenance, you may download and complete the Trend Micro
Maintenance Agreement at the following site:
http://www.trendmicro.com/en/purchase/license/overview.htm
Trend Micro, the Trend Micro t-ball logo, TrendLabs, Damage Cleanup Services,
OfficeScan, PC-cillin, and ScanMail are trademarks of Trend Micro Incorporated
and are registered in certain jurisdictions. All other brand and product names are
trademarks or registered trademarks of their respective companies or organizations.
Copyright © 1998-2007 Trend Micro Incorporated. All rights reserved. No part of
this publication may be reproduced, photocopied, stored in a retrieval system, or
transmitted without the express prior written consent of Trend Micro Incorporated.
Document Part No. CMEM33118/70305
Release Date: March 2007
Protected by U.S. Patent Nos. 5,623,600; 5,889,943; 5,951,698; and 6,119,165
The Administrator’s Guide for Trend Micro Client/Server and Client Server
Messaging Security for SMB is intended to introduce the main features of the
software and installation instructions for your production environment. You should
read it prior to installing or using the software.
Detailed information about how to use specific features within the software are
available in the online help file and online Knowledge Base at Trend Micro’s Web
site.
Trend Micro is always seeking to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro documents, please contact
us at [email protected]. Your feedback is always welcome. Please
evaluate this documentation on the following site:
www.trendmicro.com/download/documentation/rating.asp
CSM4SMB-v3-AG.book Page i Monday, April 23, 2007 10:40 AM
Contents
Contents
Preface
How this Book Is Organized ................................................................. ii
Using the Trend Micro Client Server Messaging Security for SMB
Documentation .................................................................................. iii
Chapter 1: Introducing Trend Micro Client Server Messaging

Security for SMB
Product Overview .............................................................................. 1-1
What’s New in Client Server Messaging Security 3.6 ....................... 1-2
What You Can Do with Client Server Messaging Security ............... 1-2
Analyze Your Network’s Protection ............................................. 1-3
Enforce Antivirus Policies ............................................................. 1-3
Protect Clients and Servers from Spyware/Grayware ................... 1-3
Update Your Protection ................................................................. 1-4
Perform Scans from One Location ................................................ 1-4
Quarantine Infected Files ............................................................... 1-4
Control Outbreaks on the Network ................................................ 1-4
Manage Client Server Messaging Security Groups ....................... 1-4
Protect Clients from Hacker Attacks with Personal Firewall ........ 1-5
Protect POP3 Mail Messages ......................................................... 1-5
Benefits and Capabilities ................................................................... 1-5
Single-Console Operation .............................................................. 1-5
Outbreak Defense .......................................................................... 1-5
Spyware/Grayware Approved List ................................................ 1-6
Secure Web Console Communication ........................................... 1-6
Enhanced Protection for Your Exchange Servers ......................... 1-7
Chapter 2: Client Server Messaging Security Components

Overview of Client Server Messaging Security Protection ............... 2-2
Trend Micro Security Dashboard for SMB ................................... 2-3
Trend Micro Security Server ......................................................... 2-4
Trend Micro Client Server Messaging Security Agent ................. 2-4
Trend Micro Messaging Security Agent ........................................ 2-5
i
CSM4SMB-v3-AG.book Page ii Monday, April 23, 2007 10:40 AM
Trend Micro™ Client Server Messaging Security 3.6 for SMB™ Administrator’s Guide
Client Server Messaging Security Updateable Components ..............2-5

About the Trend Micro Scan Engine .............................................2-7
About the Virus Pattern File ..........................................................2-8
About the Virus Cleanup Engine ...................................................2-9
About the Virus Cleanup Pattern .................................................2-10
About the Common Firewall Driver ............................................2-10
About the Network Virus Pattern File .........................................2-10
About the Vulnerability Pattern File ............................................2-10
About Hot Fixes, Patches, and Service Packs ..............................2-10
Chapter 3: Planning for Installation of Client Server Messaging

Security
Overview of Installation and Deployment .........................................3-2
Phase 1: Initial Planning .................................................................3-2
Phase 2: Trend Micro Security Server Installation ........................3-2
Phase 3: Client/Server Security Agent Installation ........................3-2
Phase 4: Client/Server Security Configuration ..............................3-3
Phase 1: Initial Planning .....................................................................3-3
Client Server Messaging Security Minimum Requirements ..........3-4
Other Requirements .......................................................................3-6
Other Installation Considerations .......................................................3-7
Server Performance ........................................................................3-7
Location of the Trend Micro Security Server ................................3-7
Number of Clients ..........................................................................3-8
Network Traffic Considerations .....................................................3-8
Using Update Agents to Reduce Network Bandwidth Consumption
During Updates ...........................................................................3-9
Deciding on a Dedicated Server ...................................................3-10
Location of the Program Files ......................................................3-10
Number of Groups ........................................................................3-10
Chapter 4: Client Server Messaging Security Installation Overview

Phase 2: Installing Client Server Messaging Security ........................4-2
Preparing for the Client Server Messaging Security Installation .......4-2
Choosing Your Edition ..................................................................4-3
Third Party Antivirus Applications ................................................4-4
Full version and Trial Version .......................................................4-5
ii
CSM4SMB-v3-AG.book Page iii Monday, April 23, 2007 10:40 AM
Contents
The Registration Key and Activation Codes ................................. 4-5

Information to Prepare Before Performing the Installation ........... 4-6
Understanding Client/Server Security Ports .................................. 4-7
Trend Micro Security Server Prescan ............................................ 4-7
Other Installation Notes ................................................................. 4-8
Installing Client Server Messaging Security ...................................... 4-9
Performing a Custom Installation .................................................... 4-10
Part 1 – Pre-configuration tasks ................................................... 4-10
Part 2 – Configuring the Security Server and Security Dashboard
Settings ...................................................................................... 4-15
Part 3 – Configuring the Messaging and Client Security Agents 4-27
Part 4 – Starting the Remote Messaging Security Agent Installation .
4-32
Performing a Typical Installation .................................................... 4-36
Performing a Silent Installation ....................................................... 4-36
Upgrading Client Server Messaging Security .................................. 4-37
Upgrading from a Previous Version ............................................ 4-37
Upgrading from an Evaluation Version ....................................... 4-39
Upgrading Trend Micro Messaging Security Agent ........................ 4-39
Verifying the Trend Micro Security Server Installation or Upgrade 4-42
Uninstalling the Trend Micro Security Server ................................. 4-43
Chapter 5: Installing the Trend Micro Client Server Messaging

Security Agent
Choosing an Installation Method ....................................................... 5-2
Installing, Upgrading, or Migrating Client/Server Security Agent .... 5-3
Performing a Fresh Install .................................................................. 5-4
Installing from the Internal Web Page ........................................... 5-4
Installing with Login Script Setup ................................................. 5-5
Installing with Windows 2000/Server 2003 Scripts ...................... 5-7
Installing with Client Packager ...................................................... 5-7
Installing with an MSI file ........................................................... 5-11
Installing with Windows Remote Install ..................................... 5-11
Installing with Vulnerability Scanner .......................................... 5-13
Installing MSA from the Security Dashboard ............................. 5-15
Upgrading the Client/Server Security Agent ................................... 5-16
Migrating from Trend Micro Anti-Spyware .................................... 5-16
iii
CSM4SMB-v3-AG.book Page iv Monday, April 23, 2007 10:40 AM
Migrating from Third-party Antivirus Applications ........................5-17

Automatic Client Migration .........................................................5-17
Verifying the Client Installation, Upgrade, or Migration .................5-21
Using Vulnerability Scanner to Verify the Client Installation .....5-21
Testing the Client Installation with the EICAR Test Script .............5-23
Removing the Client .........................................................................5-24
Removing the Client Using Its Uninstallation Program ..............5-25
Removing the Client from the Security Dashboard .....................5-25
Chapter 6: The Trend Micro Security Dashboard for SMB

Exploring the Security Dashboard ......................................................6-2
Getting Around the Security Dashboard ........................................6-3
Chapter 7: Configuring Desktop and Server Groups

Configurable Options for Desktop and Server Groups ......................7-2
Configuring Real-time Scan ...............................................................7-2
Using the Personal Firewall ................................................................7-8
Using Desktop Privileges .................................................................7-14
Using Quarantine ..............................................................................7-17
Chapter 8: Protecting Your Microsoft Exchange Servers

The Messaging Security Agent ..........................................................8-2
Configurable Options for Exchange Server Groups ......................8-2
Trend Micro Default Scan Settings ................................................8-3
Real-Time Virus Scanning on Exchange Servers ..............................8-4
About the Messaging Security Agent Scan Actions ......................8-8
Using Advanced Scanning Options .............................................8-13
Enabling and Disabling Scans ......................................................8-14
About Blocking Attachments ...........................................................8-15
Screening Out Spam .........................................................................8-17
Setting the Spam Detection Rate ..................................................8-21
Detecting and Taking Action Against Phish ................................8-22
Filtering Undesirable Content ..........................................................8-23
Viewing Content Filtering Rules .................................................8-23
Enabling Content Filtering Rules .................................................8-24
Adding Content Filtering Rules ...................................................8-24
Modifying Content Filter Rules ...................................................8-27
iv
CSM4SMB-v3-AG.book Page v Monday, April 23, 2007 10:40 AM
Contents
About the Quarantine Folder ....................................................... 8-39

Querying the Quarantine Folder .................................................. 8-41
Resending Quarantined Messages ............................................... 8-41
Deleting Quarantined Messages .................................................. 8-41
Managing the End User Quarantine Tool ................................. 8-42
Setting up the Spam Folder .......................................................... 8-43
Generating Debugger Reports ..................................................... 8-44
Chapter 9: Using Outbreak Defense

The Outbreak Defense Strategy ......................................................... 9-2
Current Status ..................................................................................... 9-2
Threat Prevention ........................................................................... 9-3
Threat Protection ........................................................................... 9-5
Threat Cleanup ............................................................................... 9-6
Potential Threat .................................................................................. 9-7
Settings ............................................................................................... 9-8
Outbreak Defense .......................................................................... 9-8
Vulnerability Assessment .............................................................. 9-9
Chapter 10: Manual and Scheduled Scans

Manual and Scheduled Scans ........................................................... 10-1
About Scans for Desktops and Servers ........................................ 10-2
About Scans for Exchange Servers .............................................. 10-2
Scanning Desktops and Servers for Viruses, Spyware, and Other
Malware Threats ............................................................................ 10-3
Scanning Exchange Servers for Viruses, Malware, and Other Threats ...
10-5
Chapter 11: Updating Components

Choosing an Update Source ............................................................. 11-2
Updating Components ...................................................................... 11-2
Updating the Trend Micro Security Server ...................................... 11-4
Manual and Scheduled Updates ....................................................... 11-4
Manual Updates ........................................................................... 11-4
Scheduled Updates ....................................................................... 11-4
Setting the Update Source for the Trend Micro Security Server ..... 11-6
Default Update Times ...................................................................... 11-7
v
CSM4SMB-v3-AG.book Page vi Monday, April 23, 2007 10:40 AM
Using Update Agents ........................................................................11-8

Rolling Back Components ..............................................................11-10
Chapter 12: Viewing and Interpreting Logs

Viewing and Interpreting Logs .........................................................12-2
Management Console Event Logs ....................................................12-2
Desktop/Server Logs ........................................................................12-2
Exchange Server Logs ......................................................................12-3
Using Log Query ..............................................................................12-3
Creating One-time Reports ...............................................................12-6
Deleting One-time Reports ...............................................................12-7
Scheduling Reports ...........................................................................12-7
Deleting Scheduled Reports .............................................................12-9
Editing Scheduled Reports ...............................................................12-9
Maintaining Logs and Reports .......................................................12-10
Maintenance - Reports ...............................................................12-10
Maintenance - Logs ....................................................................12-11
Chapter 13: Working with Notifications

Configuring Event Notifications ......................................................13-2
Event Types ..................................................................................13-2
Notification Method Settings .......................................................13-4
Chapter 14: Configuring Global Settings

Internet Proxy Options .....................................................................14-2
SMTP Server Options .......................................................................14-3
Desktop/Server Options ....................................................................14-4
General Scan Settings ..................................................................14-5
Virus Scan Settings ......................................................................14-6
Spyware/Grayware Scan Settings ................................................14-6
Alert Settings ................................................................................14-7
Approved List for Network Virus Scanning ................................14-7
Watchdog Settings .......................................................................14-7
System Options .................................................................................14-8
Removing Inactive Client/Server Security Agents ......................14-9
Verifying Client-Server Connectivity ........................................14-10
Maintaining the Quarantine Folder ............................................14-11
vi
CSM4SMB-v3-AG.book Page vii Monday, April 23, 2007 10:40 AM
Contents
Chapter 15: Using Administrative and Client Tools

Tool Types ....................................................................................... 15-2
Summary of Tools ............................................................................ 15-2
Administrative Tools ........................................................................ 15-3
Login Script Setup ....................................................................... 15-3
Vulnerability Scanner .................................................................. 15-4
Client Tools ...................................................................................... 15-8
Client Packager ............................................................................ 15-8
Restore Encrypted Virus .............................................................. 15-8
Touch Tool ................................................................................. 15-11
Client Mover .............................................................................. 15-12
Chapter 16: Performing Additional Administrative Tasks

Changing the Security Dashboard Password ................................... 16-2
Viewing Product License Details ..................................................... 16-3
Participating in the World Virus Tracking Program ........................ 16-3
Chapter 17: Understanding the Threats

What Do the Terms Mean? .............................................................. 17-2
Viruses ......................................................................................... 17-2
Trojans ......................................................................................... 17-4
Bots .............................................................................................. 17-4
Packers ......................................................................................... 17-4
Worms .......................................................................................... 17-4
About ActiveX ............................................................................. 17-5
About Mass-Mailing Attacks ....................................................... 17-5
About Compressed Files .............................................................. 17-6
About Macro Viruses .................................................................. 17-7
Guarding Against Malicious or Potentially Malicious Applications 17-8
Chapter 18: FAQs, Troubleshooting and Technical Support

Frequently Asked Questions (FAQs) ............................................... 18-2
Registration .................................................................................. 18-2
Installation, Upgrade, and Compatibility ..................................... 18-2
Configuring Settings .................................................................... 18-3
Documentation ............................................................................. 18-3
Troubleshooting ............................................................................... 18-4
vii
CSM4SMB-v3-AG.book Page viii Monday, April 23, 2007 10:40 AM
User’s Spam Folder not Created ..................................................18-4

Internal or External Sender/Recipient Confusion ........................18-4
Re-sending a Quarantine Message Fails ......................................18-5
Settings Replication .....................................................................18-5
Restoring Program Settings after Rollback or Reinstallation ......18-6
Some Client Server Messaging Security Components are not Installed
18-8
Unable to Access the Web Console .............................................18-8
Incorrect Number of Clients on the Security Dashboard .............18-9
Unsuccessful Installation from Web Page or Remote Install .......18-9
Client Icon Does Not Appear on Security Dashboard after Installation
18-11
Issues During Migration from Third-party Antivirus Software .18-11
The Trend Micro Security Information Center ..............................18-13
Known Issues ..................................................................................18-14
Contacting Technical Support ........................................................18-14
The Trend Micro Knowledge Base ................................................18-15
Sending Suspicious Files to Trend Micro ......................................18-16
About TrendLabs ............................................................................18-16
Appendix A: System Checklists

Server Address Checklist .................................................................. A-1
Ports Checklist ................................................................................... A-3
Appendix B: Trend Micro Services

Trend Micro Outbreak Prevention Policy ......................................... B-1
Trend Micro Damage Cleanup Services ............................................ B-2
The Damage Cleanup Services Solution ....................................... B-2
Vulnerability Assessment .................................................................. B-3
Trend Micro IntelliScan .................................................................... B-3
Trend Micro ActiveAction ................................................................ B-4
Trend Micro IntelliTrap ..................................................................... B-4
True File Type ............................................................................... B-5
About ActiveAction ........................................................................... B-5
Appendix C: Planning a Pilot Deployment

Choosing a Pilot Site ......................................................................... C-1
viii
CSM4SMB-v3-AG.book Page ix Monday, April 23, 2007 10:40 AM
Contents
Creating a Rollback Plan ....................................................................C-1

Deploying Your Pilot .........................................................................C-2
Evaluating Your Pilot Deployment ....................................................C-2
Appendix D: Trend Micro Product Exclusion List

Exclusion List for Exchange Servers ................................................ D-4
Appendix E: Client Side Information

Roaming Clients .................................................................................E-2
32-bit and 64-bit Clients ....................................................................E-3
Appendix F: Spyware Types
Appendix G: Glossary of Terms
ix
CSM4SMB-v3-AG.book Page x Monday, April 23, 2007 10:40 AM
x
CSM4SMB-v3-AG.book Page i Monday, April 23, 2007 10:40 AM
Preface
Preface
Welcome to the Trend Micro Client Server Messaging Security for Small and
Medium Businesses Version 3.6Administrator’s Guide. This book contains
information about the tasks you need to do to install and configure Client Server
Messaging Security. This book is intended for novice and experienced users of Client
Server Messaging Security who want to quickly configure, administer, and use the
product.
i
CSM4SMB-v3-AG.book Page ii Monday, April 23, 2007 10:40 AM
How this Book Is Organized

This document can be separated into four main sections consisting of installation
planning, product and component installation, post installation configuration, and
finding help.
• Section 1 – The first section of this document consists of three chapters, 1 to 3, that
introduce the product and address pre-installation and planning.
• Section 2 – The second section consists of two chapters, 4 to 5, and covers product
and component installation.
• Section 3 – The third section, chapters 6 to 16, provides high-level descriptions of
the Security Dashboard and information about accomplishing configuration related
tasks.
• Section 4 – The fourth section contains two chapters, 17 to 18, that provide support
related information such as FAQ, how to finding help, reference information.
• Section 5 – The fifth section contains seven Appendices that provide additional
information and resources.
ii
CSM4SMB-v3-AG.book Page iii Monday, April 23, 2007 10:40 AM
Using the Trend Micro Client Server Messaging

Security for SMB Documentation
The documentation set for Trend Micro Client Server Messaging Security for SMB
includes the following:
• Administrator’s Guide – This guide helps you configure Client/Server Security
Agent options. The latest version of the Administrator’s Guide is available in
electronic form at the following location:
http://www.trendmicro.com/download/
• Getting Started Guide – This guide helps you plan for and install the Trend Micro
Security Server program, modify important default client settings, and roll out your
clients. The latest version of the Getting Started Guide is available in electronic
form at the following location:
• Online help – The purpose of online help is to provide descriptions for performing
the main tasks, usage advice, and field-specific information, such as valid
parameter ranges and optimal values. Online help is accessible from the Trend
Micro Security Dashboard for SMB™.
• Readme file – The Readme file contains late-breaking product information not
found in the online or printed documentation. Topics include a description of new
features, installation tips, known issues and product release history.
• Knowledge Base – The Knowledge Base is an online database of problem-solving
and troubleshooting information. It provides the latest information about known
product issues. To access the Knowledge Base, go to the following Web site:
http://esupport.trendmicro.com
us at [email protected]. Your feedback is always welcome. Please evaluate this
documentation on the following site:
iii
CSM4SMB-v3-AG.book Page iv Monday, April 23, 2007 10:40 AM
iv
Chapter 1
Introducing Trend Micro Client Server

Messaging Security for SMB
This chapter provides an overview of Client Server Messaging Security’s key
features and capabilities.
The topics discussed in this chapter include:
• Product Overview on page 1-1
• What’s New in Client Server Messaging Security 3.6 on page 1-2
• What You Can Do with Client Server Messaging Security on page 1-2
• Benefits and Capabilities on page 1-5
Product Overview
Designed to suit the needs of small- to medium-sized business IT networks, Trend
Micro Client Server Messaging Security for SMB provides network-wide desktop
and server protection.
Network-wide desktop and server protection helps shield servers and computers on
the network from virus and spyware/grayware threats. Client Server Messaging
Security keeps computers on your network up-to-date with the latest pattern files
through centralized management and automatic updates of client installations.
1-1
Seamless integration with Microsoft™ Windows™ and Microsoft Exchange

Server™ makes Client Server Messaging Security a powerful, multi-layered defense
against viruses, spyware/grayware, and other malicious code. Centralized
management tools and intelligent malicious code scanning offers excellent antivirus
and content security in a scalable high-performance software architecture.
This manual describes how to install, configure, maintain, and troubleshoot Client
Server Messaging Security. You can view electronic copies of product manuals in
Adobe Acrobat (PDF) format on the Trend Micro Small and Medium Business
Solution CD. The Adobe Acrobat (PDF) files are on the CD in the documents folder.
{CD-ROM drive}\Documentation
Replace {CD-ROM drive} with the drive letter of the CD-ROM drive on your
computer.
What’s New in Client Server Messaging

Security 3.6
This version of Client Server Messaging Security inherits all the features of previous
versions and provides the following new feature:
• Windows Vista Support—Client Server Messaging Security Agent clients can
now be installed on Windows Vista (32-bit and 64-bit) clients. Refer to Table E-3
for a comparison of the CSA features on different platforms.
What You Can Do with Client Server Messaging

Security
Perform key administrative tasks using the Security Dashboard:
• Analyze Your Network’s Protection on page 1-3
• Enforce Antivirus Policies on page 1-3
• Protect Clients and Servers from Spyware/Grayware on page 1-3
• Update Your Protection on page 1-4
• Perform Scans from One Location on page 1-4
• Quarantine Infected Files on page 1-4
1-2
Introducing Trend Micro Client Server Messaging Security for SMB
• Control Outbreaks on the Network on page 1-4

• Manage Client Server Messaging Security Groups on page 1-4
• Protect Clients from Hacker Attacks with Personal Firewall on page 1-5
• Protect POP3 Mail Messages on page 1-5
Analyze Your Network’s Protection

Client Server Messaging Security can generate various types of logs, including virus
logs, system event logs, and update logs. Use these logs to verify update deployment,
check client-server communication, and determine which computers are vulnerable
to infection.
Also use log information as a basis for designing and redesigning network protection,
identifying which computers are at a higher risk of infection, and changing the
antivirus settings accordingly for these computers.
Enforce Antivirus Policies

Client Server Messaging Security provides three types of scans: Scheduled Scan,
Manual Scan, and Real-time Scan. Enforce your organization’s antivirus policies by
configuring these three types of scans. Specify the types of files to scan and the
action to take when Client Server Messaging Security finds a virus.
To apply uniform scan settings to all clients, choose not to grant privileges to clients
and lock the client program with a password to prevent users from removing or
turning it off.
Protect Clients and Servers from Spyware/Grayware

In addition to protecting against viruses, Client Server Messaging Security also
checks for and removes any spyware installed on clients and servers. As with
antivirus scanning, three types of anti-spyware scans are available – Scheduled Scan,
Manual Scan, and Real-time Scan.
Each scan type provides the option to run either a full scan (all files and registries) or
a quick scan (registry only). Available scan actions for spyware include Clean
(remove) and Pass (record to log only).
1-3
Update Your Protection

Virus writers create new viruses and release them everyday. To ensure that you stay
protected against the latest threats, you must periodically update the Client Server
Messaging Security components. Trend Micro usually releases new virus pattern
files on a daily basis.
Perform Scans from One Location

The Security Dashboard provides the option of performing Scan Now (Manual Scan)
and configuring scheduled scans on clients to run during off-peak hours when client
CPU usage is low.
Quarantine Infected Files

You can specify a quarantine folder to control live viruses and infected files. The
Trend Micro Security Server then automatically forwards infected files to the
quarantine folder.
Control Outbreaks on the Network

Enabling Outbreak Defense and setting up outbreak notifications helps you to
respond quickly to outbreaks that may be developing.
Outbreak Defense helps stop outbreaks from overwhelming your network by
blocking shared folders and vulnerable ports on clients, by denying write access to
folders, and by blocking attachments and filtering content. Download the latest
pattern file and then perform Scan Now on all clients to remove any existing threats.
Manage Client Server Messaging Security Groups

A group in Client Server Messaging Security is a cluster of clients that share the
same configuration and run the same tasks. A Client Server Messaging Security
group is different from a Windows domain. There can be several Client Server
Messaging Security groups in any given Windows domain.
Group clients into Client Server Messaging Security groups to simultaneously apply
the same configuration to all group members.
1-4
Protect Clients from Hacker Attacks with Personal Firewall

Help protect clients running Windows 2000/XP/Server 2003 from hacker attacks and
network viruses by creating a barrier between the client machine and the network.
Personal Firewall allows you to block or allow certain types of network traffic.
Additionally, Personal Firewall will identify patterns in network packets that may
indicate an attack on clients.
Protect POP3 Mail Messages

Protects client machines running Windows 2000/XP/Server 2003 from infected Post
Office Protocol 3 (POP3) mail messages and attachments. When a virus is detected,
the user can choose to delete, clean, or ignore the mail message containing the virus.
Benefits and Capabilities

Trend Micro Client Server Messaging Security for SMB brings many benefits to your
organization by providing a comprehensive yet user-friendly method of managing
your antivirus policies. The following is a summary of the advantages you can
obtain.
Single-Console Operation
TheTrend Micro Security Server allows you to manage your entire anti-virus system
through a single Web console. The Trend Micro Security Dashboard for SMB is
installed when you install theTrend Micro Security Server and uses standard Internet
technologies such as Java, CGI, HTML, and HTTP.
Outbreak Defense
Use Outbreak Defense to take preemptive steps to secure your network. Outbreak
Defense first informs you of the latest threats, and then takes action to shield your
network and clients from the threat. While Outbreak Defense is protecting your
network and clients, TrendLabs is busy creating a solution to the threat. As soon as
TrendLabs finds a solution, they release updated components. The Security Server
then downloads and deploys the updated components to clients. For the last step,
1-5
Outbreak Defense cleans up any virus remnants, and repairs files and directories that
have been damaged by the threat.
Using Outbreak Defense, you can take the following actions in the event of an
outbreak:
• Block ports to help prevent viruses from infecting files on the network
• Write-protect certain files and directories
• Block certain attachments
Spyware/Grayware Approved List

Certain applications are classified by Trend Micro as spyware/grayware not because
they can cause harm to the system on which they are installed, but because they have
the potential to expose the client or the network to malware or hacker attacks.
Hotbar, for example, is a program that embeds a toolbar into Web browsers. Hotbar
tracks URLs that users visit and records words or phrases that are entered into search
engines. These pieces of information are used to display targeted ads, including
pop-ups, on users' browsers. Since the information that Hotbar collects can
potentially be sent to a third party site and used by malware or hackers to collect
information about your users, Client Server Messaging Security prevents this
application from installing and running by default.
If you want to run Hotbar or any other application that Client Server Messaging
Security classifies as spyware/grayware, you need to add it to the spyware/grayware
approved list.
By preventing potentially risky applications from running and by giving you full
control over the spyware/grayware approved list, Client Server Messaging Security
helps ensure that only the applications you approve run on clients and servers.
Secure Web Console Communication

Client Server Messaging Security provides secure communications between the
Trend Micro Security Server and the Security Dashboard through Secure Socket
Layer (SSL) technology.
The Trend Micro Security Server can generate a certificate for each Web console
session, allowing the Security Dashboard to encrypt data based on Public Key
1-6
Infrastructure (PKI) cryptography standards. The default period for the certificate is
three years.
Enhanced Protection for Your Exchange Servers

Powerful and creative antivirus features
• SMTP scanning for Exchange 2000 and 2003 servers.
For better scanning capability, Client Server Messaging Security delivers a new
SMTP scanning technology for Microsoft Exchange 2000 and 2003. You can now
scan message traffic with full mail information available at the mail transport level
on both platforms, preventing unsolicited messages from entering Exchange store
databases on back-end servers.
• Leverage Microsoft VSAPI to scan messages at a low level in the Exchange store.
• Quickly scan messages using multi-threaded in-memory scanning.
• Detect and take action against viruses, Trojans, and worms. Use Trend Micro
recommended actions or customize actions against viruses.
• Use IntelliTrap to detect bots and other more sophisticated threat types.
• Use true file type recognition to detect falsely labeled files.
• Detect all macro viruses and remove them or use heuristic rules to remove them.
Attachment blocking
• Block named attachments or block attachments by file type
Integrated Anti-spam and Content filtering
• Integrated anti-spam and content filtering management. Manage all anti-spam and
content filtering from the Security Dashboard
• Use rule-based filters to screen out message content deemed to be harassing,
offensive, or otherwise objectionable
• Detect phishing incidents and take automatic actions against them
• Use anti-spam filters with adjustable sensitivity levels to screen out spam while
reducing false-positives
• Use keyword matching to search for logs and quarantined email messages.
• Use End User Quarantine tool to allow user to set Exchange server-side rules to
control approved sender lists
1-7
Quarantine
• Set the Messaging Security Agent to quarantine suspect email messages
• Query logs for quarantine events and resend quarantined messages when you
decide they are safe
Web based management console
• Access remote servers through the Security Dashboard, the secure Web console for
Client Server Messaging Security
Notifications
• Send notifications to recipients or senders of messages containing detected threats
1-8
Chapter 2

Components
This chapter provides a brief overview of Client Server Messaging Security
protection, and describes the components that Client Server Messaging Security uses
to carry out the protection.
• Overview of Client Server Messaging Security Protection on page 2-2
• Trend Micro Security Dashboard for SMB on page 2-3
• Trend Micro Security Server on page 2-4
• Trend Micro Client Server Messaging Security Agent on page 2-4
• Trend Micro Messaging Security Agent on page 2-5
• Client Server Messaging Security Updateable Components on page 2-5
2-1
Overview of Client Server Messaging Security

Protection
Trend Micro Client Server Messaging Security is a centrally managed antivirus
solution for desktops, notebook computers, and servers. Client Server Messaging
Security helps protect your organization’s Windows™ Vista/2000/XP/Server 2003
and computers from a wide range of threats and potential nuisances, such as file
viruses, spyware/grayware, macro viruses, malicious Java™ applets and ActiveX™
controls.
The antivirus function of Client Server Messaging Security is provided through the
client, which reports to and gets updates from the server. The Trend Micro Security
Dashboard for SMB allows you to configure, monitor, and update clients.
FIGURE 2-1. Client Server Messaging Security Protection
WWW/FTP Mail/Groupware
Server Server File Server
Desktops and Laptops
Client Server Messaging Security includes the following components:

• Trend Micro Security Dashboard for SMB manages all clients from a single
location.
2-2
Client Server Messaging Security Components
• Trend Micro Security Server, which hosts the Trend Micro Security Dashboard for
SMB, downloads updates from the Trend Micro ActiveUpdate server, collects and
stores logs, and helps control virus outbreaks.
• Trend Micro Client Server Messaging Security Agent, which protects your
Windows Vista/2000/XP/Server 2003 computers from viruses, spyware/grayware,
Trojans, and other threats
• Trend Micro Messaging Security Agent, which protects Microsoft Exchange
servers, filters spam, and blocks content.
Trend Micro Security Dashboard for SMB

The Trend Micro Security Dashboard for SMB is the central point for monitoring
Client Server Messaging Security across the entire network, as well as for
configuring Trend Micro Security Server and client settings.
Client Server Messaging Security gives you complete control over desktop,
notebook, and server antivirus settings. Use the Security Dashboard to do the
following:
• Deploy the Client/Server Security Agent program to desktops, notebooks, and
servers.
• Deploy the Messaging Security Agent program to an Exchange server.
• Cluster desktops, notebooks, and servers into logical groups for simultaneous
configuration and management.
• Set antivirus and anti-spyware scan configurations and start Manual Scan on a
single group or on multiple groups.
• Receive notifications and view log reports for virus activities.
• When spyware or viruses are detected on clients, receive notifications and send
outbreak alerts via email, SNMP Trap, or Windows Event Log.
• Control outbreaks by configuring and enabling Outbreak Prevention.
The Security Dashboard is installed when you install Trend Micro Security Server.
The Security Dashboard uses standard Internet technologies such as Java, CGI,
HTML, and HTTP.
Open the Security Dashboard from any computer that has a Web browser that meets
the minimum requirements.
2-3
Trend Micro Security Server

The Trend Micro Security Server is the central repository for all client
configurations, virus logs, and client software and updates.
The Trend Micro Security Server performs these important functions:
• It installs, monitors, and manages clients on the network
• It downloads virus pattern files, spyware pattern files, scan engines, and program
updates from the Trend Micro update server, and then distributes them to clients
FIGURE 2-2. How Client-Server Communication via HTTP Works
The Trend Micro Security Server

Internet downloads the pattern file and scan
engine from the update source.
Security Dashboard
Trend Micro
Security Server with
HTTP Web server
Manage the Trend Micro

Security Server and clients
using the Web console.
Client/Server Security & Messaging Security Agents
Trend Micro Client Server Messaging Security Agent

Protect Windows computers from viruses and spyware by installing the Client/Server
Security Agent on each desktop, notebook, and server. The Client/Server Security
Agent provides three methods of scanning: Real-time Scan, Scheduled Scan, Manual
Scan.
2-4
The Client/Server Security Agent reports to the Trend Micro Security Server from
which it was installed. To provide the server with the very latest client information,
the client sends event status information in real time. Clients report events such as
virus and spyware detection, client startup, client shutdown, start of scan, and
completion of an update.
Configure scan settings on clients from the Trend Micro Security Dashboard for
SMB. To enforce uniform desktop protection across the network, choose not to grant
the clients privileges to modify the scan settings or to remove the client program.
Trend Micro Messaging Security Agent

Protect Exchange servers from viruses by installing the Messaging Security Agent on
each Exchange server. The Messaging Security Agent protects the Exchange server
against viruses, Trojans, worms, and other malware. It also provides spam blocking,
content filtering, and attachment blocking for added security. The Messaging
Security Agent provides three methods of scanning – Real-time Scan, Scheduled
Scan, and Manual Scan.
The Messaging Security Agent reports to the Trend Micro Security Server from
which it was installed. The Messaging Security Agent sends events and status
information to the Security Server in real time. You can view the events and status
information from the Security Dashboard.
Client Server Messaging Security Updateable

Components
Client Server Messaging Security uses the following components to scan for,
identify, and perform damage cleanup tasks to help protect and clean clients:
• Virus pattern– A file that helps Client Server Messaging Security identify virus
signatures– unique patterns of bits and bytes that signal the presence of a virus.
• Virus scan engine 32-bit – The engine Client Server Messaging Security uses to
scan for viruses.
• Virus scan engine 64-bit – The engine Client Server Messaging Security uses to
scan for viruses
2-5
• Virus cleanup template – Used by the Virus Cleanup Engine, this template helps
identify viruses, Trojans and Trojan processes.
• Virus cleanup engine 32-bit – The engine Damage Cleanup Services™ uses to
scan for and remove from memory viruses, Trojans and Trojan processes, and
other malware.
• Messaging Security Agent scan engine – The engine that the Messaging Security
Agent uses to identify viruses and malware.
• IntelliTrap exception pattern – The pattern that the Virus Scan Engines and
Messaging Security Agent scan engine uses to identify exceptions to items listed in
the IntelliTrap pattern.
• IntelliTrap pattern – The pattern that the Virus Scan Engines and Messaging
Security Agent scan engine uses to detect malicious code such as bots in
compressed files.
• Vulnerability pattern – A file that helps Client Server Messaging Security
identify vulnerabilities on client machines.
• Common firewall pattern – Like the virus pattern file, this file helps Client
Server Messaging Security identify virus signatures.
• Common firewall engine 32-bit – The driver the Personal Firewall uses with the
network virus pattern file to scan client machines for network viruses.
• Spyware Pattern – Contains known spyware signatures and used by the spyware
scan engines (both 32-bit and 64-bit) to detect spyware on clients and servers for
manual and scheduled scans
• Spyware Active-monitoring Pattern – Similar to spyware pattern, but is used by
the scan engine for real-time anti-spyware scanning
• Spyware Scan Engine (32-bit) – A separate scan engine that scans for, detects,
and removes spyware from infected clients and servers running on i386 (32-bit)
operating systems (for example, Windows Vista, Windows 2000, and Windows
XP)
• Spyware Scan Engine (64-bit) – Similar to the spyware scan engine for 32-bit
systems, this scan engine scans for, detects, and removes spyware on x64 (64-bit)
operating systems (for example, Windows Vista x64, Windows XP Professional
x64 Edition, Windows 2003 x64 Edition)
• Anti-spam pattern for Messaging Security Agent – The pattern that the
Messaging Security Agent Anti-spam engine uses to detect spam email
2-6
• Anti-spam engine for Messaging Security Agent – The engine that the
Messaging Security Agent uses to detect spam email
• Anti-Rootkit Driver (32-bit) – A module required by the spyware scan engine to
detect rootkits
• Hot fixes and security patches – Workaround solutions to customer related
problems or newly discovered security vulnerabilities that you can download from
the Trend Micro Web site and deploy to the Trend Micro Security Server and/or
client program.
About the Trend Micro Scan Engine

At the heart of all Trend Micro products lies a scan engine. Originally developed in
response to early file-based computer viruses, the scan engine today is exceptionally
sophisticated and capable of detecting Internet worms, mass-mailers, Trojan horse
threats, phish sites, and network exploits as well as viruses. The scan engine detects
two types of threats:
• Actively circulating – Threats that are actively circulating on the Internet
• Known and controlled – Controlled viruses not in circulation, but that are
developed and used for research
Rather than scan every byte of every file, the engine and pattern file work together to
identify not only tell-tale characteristics of the virus code, but the precise location
within a file where the virus would hide. If Client Server Messaging Security detects
a virus, it can remove it and restore the integrity of the file.
The scan engine includes an automatic clean-up routine for old virus pattern files (to
help manage disk space), as well as incremental pattern updates (to help manage
bandwidth).
In addition, the scan engine is able to decrypt all major encryption formats (including
MIME and BinHex). It also recognizes and scans common compression formats,
including Zip, Arj, and Cab. Client Server Messaging Security also allows you to
determine how many layers of compression to scan (up to a maximum of six) for
compressed files contained within a file.
It is important that the scan engine remain current with new threats. Trend Micro
ensures this in two ways:
• Frequent updates to the virus pattern file
2-7
• Technological upgrades in the engine software prompted by a change in the nature

of virus threats, such as a rise in mixed threats like SQL Slammer
The Trend Micro scan engine is certified annually by international computer security
organizations, including ICSA (International Computer Security Association)
Scan Engine Updates

By storing the most time-sensitive virus information in the virus pattern file, Trend
Micro is able to minimize the number of scan engine updates while at the same time
keeping protection up-to-date. Nevertheless, Trend Micro periodically makes new
scan engine versions available. Trend Micro releases new engines under the
following circumstances:
• New scanning and detection technologies are incorporated into the software
• A new, potentially harmful virus is discovered that the scan engine cannot handle
• Scanning performance is enhanced
• Support is added for additional file formats, scripting languages, encoding, and/or
compression formats
To view the version number for the most current version of the scan engine, visit the
Trend Micro Web site:
http://www.trendmicro.com
About the Virus Pattern File

The Trend Micro scan engine uses an external data file, called the virus pattern file. It
contains information that helps Client Server Messaging Security identify the latest
viruses and other Internet threats such as Trojan horses, mass mailers, worms, and
mixed attacks. New virus pattern files are created and released several times a week,
and any time a particularly threat is discovered.
All Trend Micro antivirus programs using the ActiveUpdate function can detect the
availability of a new virus pattern file on the Trend Micro server. Administrators can
schedule the antivirus program to poll the server every week, day, or hour to get the
latest file.
2-8
Tip: Trend Micro recommends scheduling automatic updates at least hourly. The default
setting for all Trend Micro products is hourly.
You can download virus pattern files from the following Web site, where you can
also find the current version, release date, and a list of all the new virus definitions
included in the file:
http://www.trendmicro.com/download/pattern.asp
The scan engine works together with the virus pattern file to perform the first level of
detection, using a process called pattern matching. Since each virus contains a unique
“signature” or string of telltale characters that distinguish it from any other code, the
virus experts at TrendLabs™ capture inert snippets of this code in the pattern file.
The engine then compares certain parts of each scanned file to the pattern in the virus
pattern file, looking for a match. When the engine detects a match, a virus has been
detected and a notification is sent via an email message to the system administrator.
About the Virus Cleanup Engine

Damage Cleanup Services (DCS) makes use of a scanning and cleanup tool called
the Virus Cleanup Engine (DCE) to find and repair damage caused by viruses and
other Internet threats. The Virus Cleanup Engine can find and clean viruses, Trojans,
and other malware. The DCE is essentially a software agent that makes use of a
database to find targeted machines and evaluate whether viruses or other Internet
threats have affected them. DCE resides on a single machine and deploys to the
targeted client machines on the network at the time of scanning.
The Virus Cleanup Engine uses damage cleanup templates that contain information
that DCE uses to restore damage caused by the latest known viruses, malware, or
other Internet threats. DCS regularly updates these templates. When you install DCS,
you are installing the version of the Virus Cleanup Engine that was current as of the
release of this product. TrendLabs updates the Virus Cleanup Pattern frequently,
therefore, Trend Micro recommends that you update your components immediately
after you have installed and activated Damage Cleanup Services.
2-9
About the Virus Cleanup Pattern

The Virus Cleanup Engine uses the Virus Cleanup Pattern to identify Trojans,
network viruses, and active malware.
About the Common Firewall Driver

The Common Firewall Driver has two purposes. The Common Firewall Driver, in
conjunction with the user-defined settings of the Personal Firewall, blocks ports
during an outbreak. The Common Firewall Driver uses the Network Virus Pattern
file to detect network viruses.
About the Network Virus Pattern File

The Network Virus Pattern file contains a regularly updated database of packet-level
network virus patterns. Trend Micro updates the network virus pattern file
frequently, as often as hourly, to ensure Client Server Messaging Security can
identify new network viruses.
About the Vulnerability Pattern File

Client Server Messaging Security deploys the Vulnerability Pattern file after
updating components. The Vulnerability Pattern file is used in the Outbreak Defense
> Potential Threat screen when the Scan for Vulnerability Now tool is used, or when
scheduled Vulnerability Assessment is triggered, or whenever a new Vulnerability
Pattern file is downloaded. As soon as the Trend Micro Security Server completes
downloading a new Vulnerability Pattern file, Client Server Messaging Security
starts to scan clients for vulnerabilities.
About Hot Fixes, Patches, and Service Packs

After an official product release, Trend Micro often develops hot fixes, patches, and
service packs to address issues, enhance product performance, or add new features.
The following is a summary of the items Trend Micro may release:
• Hot fix – A workaround or solution to a single, customer-reported issue. Hot fixes
are issue-specific, and therefore are not released to all customers. Windows hot
2-10
fixes include a Setup program, while non-Windows hot fixes do not. Typically,
you need to stop the program daemons, copy the file to overwrite its counterpart in
your installation, and restart the daemons.
• Security Patch – A hot fix focusing on security issues and that is suitable for
deployment to all customers. Windows security patches include a Setup program,
while non-Windows patches commonly have a setup script.
• Patch – A group of hot fixes and security patches that solve multiple program
issues. Trend Micro makes patches available on a regular basis. Windows patches
include a Setup program, while non-Windows patches commonly have a setup
script.
• Service Pack – A consolidation of hot fixes, patches, and feature enhancements
significant enough to be a product upgrade. Both Windows and non-Windows
service packs include a Setup program and setup script.
You can obtain hot fixes from your Technical Account Manager. Check the Trend
Micro Knowledge Base to search for released hot fixes:
http://esupport.trendmicro.com/support
Check the Trend Micro Web site regularly to download patches and service packs:
http://www.trendmicro.com/download
Note: All releases include a readme file with the information you need to install, deploy, and
configure your product. Read the readme file carefully before installing the hot fix,
patch, or service pack file(s).
2-11
2-12
Chapter 3
Planning for Installation of Client

Server Messaging Security
This chapter outlines the phases necessary for the successful installation and
deployment of Trend Micro Client Server Messaging Security for SMB and provides
instructions for the first phase: planning. Read this chapter carefully before
performing installation.
• Client Server Messaging Security Minimum Requirements on page 3-4
• Location of the Trend Micro Security Server on page 3-7
• Number of Clients on page 3-8
• Network Traffic Considerations on page 3-8
• Using Update Agents to Reduce Network Bandwidth Consumption During Updates
on page 3-9
• Location of the Program Files on page 3-10
• Number of Groups on page 3-10
3-1
Overview of Installation and Deployment

This section outlines the phases for Client Server Messaging Security installation and
deployment. Each phase has corresponding sections that discuss in detail the tasks
that you need to perform.
Phase 1: Initial Planning

During this phase, plan how to deploy Trend Micro Client Server Messaging Security
for SMB by verifying and considering the following information:
• Client Server Messaging Security Minimum Requirements on page 3-4
• Location of the Trend Micro Security Server on page 3-7
• Number of Clients on page 3-8
• Network Traffic Considerations on page 3-8
• Location of the Program Files on page 3-10
• Number of Groups on page 3-10
Phase 2: Trend Micro Security Server Installation

During this phase, use the master installer to install the Trend Micro Security Server.
Complete this phase by performing the following tasks:
• Preparing for the Client Server Messaging Security Installation on page 4-2
• Installing Client Server Messaging Security on page 4-9
• Verifying the Trend Micro Security Server Installation or Upgrade on page 4-42
Phase 3: Client/Server Security Agent Installation

During this phase, complete your installation and deployment by rolling out the
Client/Server Security Agent to your desktops and servers, and the Messaging
Security Agent to Exchange Servers. Complete this phase by performing the
following tasks:
• Choosing an Installation Method on page 5-2
• Installing, Upgrading, or Migrating Client/Server Security Agent on page 5-3
3-2
Planning for Installation of Client Server Messaging Security
• Verifying the Client Installation, Upgrade, or Migration on page 5-21

• Testing the Client Installation with the EICAR Test Script on page 5-23
Phase 4: Client/Server Security Configuration

After installing the Client/Server Security Agent to your clients, modify the default
settings if necessary to ensure that the settings are in line with your antivirus and
security initiatives:
• Configuring Desktop and Server Groups on page 7-1
• Protecting Your Microsoft Exchange Servers on page 8-1
• Configuring Global Settings on page 14-1
Phase 1: Initial Planning

The steps in this phase help you develop a plan for Client Server Messaging Security
installation and deployment. Trend Micro highly recommends creating an installation
and deployment plan before performing installation. Creating an installation and
deployment plan will help ensure that you incorporate Client Server Messaging
Security’s capabilities into your existing antivirus and network protection plan.
3-3
Client Server Messaging Security Minimum Requirements

The computer(s) running the Trend Micro Security Server program and any
computer accessing the Trend Micro Security Dashboard for SMB need to meet the
minimum requirements listed in this section.
TABLE 3-1. Component Minimum System Requirements
Minimum System Requirements

Other
Client Server Messaging
Security - Components Requirement
CPU RAM Disk OS s
Space
Trend Micro Security Server 733MHz 512MB 1GB Win 2000 Security
SP2 Server:
IE5.5
Win XP
SP1 Web Server:
IIS5.0
Win 2003 IIS5.1
(R2) IIS6.0
Apache2.0.54
SBS2000
Web
SBS2003 Console:
(R2) IE5.5 (Hi-color
display
adaptor
w/1024x768
resolution)
3-4
TABLE 3-1. Component Minimum System Requirements
Minimum System Requirements

Other
Client Server Messaging Requirement
Security - Components Disk
CPU RAM OS s
Space
Client/Server Security Agent 300MHz 128MB 200MB Win Vista Monitor:

800x600
Win Vista resolution
x64
Win 2000
SP2
Win XP
Win XP
Pro x64
Win 2003
(R2)
Win 2003
x64 (R2)
SBS
2000
SBS
2003 (R2)
Messaging Security Agent 733MHz 512MB 500MB Win 2000 Software:
SP2 Exchange
2000 SP3
Win 2003
(R2) Exchange
2003
SBS2000
SP1a
SBS2003
(R2)
3-5
WARNING! You have the option of installing Apache Web server when you install the Trend
Micro Security Server. By default, the administrator account is the only account
created on the Apache Web server. Trend Micro recommends creating another
account from which to run the Web server; otherwise a hacker may be able to
take control of the Apache server and compromise the Trend Micro Security
Server.
Before installing the Apache Web server, refer to the Apache Web site for the
latest information on upgrades, patches, and security issues:
http://www.apache.org.
Note: If using Remote install to install the Client/Server Security Agent on Windows
Vista/XP clients, you must disable Simple File Sharing unless they are part of a
domain (see your Windows documentation for instructions).
Other Requirements
• Administrator or Domain Administrator access on the computer hosting the
Security Server
• File and printer sharing for Microsoft Networks installed
• Transmission Control Protocol/Internet Protocol (TCP/IP) support installed
Note: If Microsoft ISA Server or a proxy product is installed on the network, you need to
enable the HTTP port ( 80 or 8080) and SSL port (443 or 4343) to enable access to the
Security Dashboard and to ensure that client-server communication can be established.
3-6
Other Installation Considerations
Server Performance
Ideally, the computer on which the Trend Micro Security Server is installed would
have the following:
• Single 2.8~3.2 GHz processor
• 500 MB of memory
Location of the Trend Micro Security Server

Client Server Messaging Security is flexible enough to accommodate a variety of
network environments. For example, you can position a firewall between the Trend
Micro Security Server and clients running the Client/Server Security Agent, or
position both the Trend Micro Security Server and all Client/Server Security Agent
clients behind a single network firewall.
Ideally, the Security Server should be located behind a firewall and there should not
be a firewall between the clients and the security server.
If managing more than one site, having a security server at the main site as well as at
each managed site will reduce bandwidth usage between the main site and managed
sites, and speed up pattern deployment rates.
If client computers have the Windows XP Firewall enabled, Client Server Messaging
Security will automatically add it to the Exception list.
Note: If a firewall is located between the Trend Micro Security Server and its clients, you
must configure the firewall to allow traffic between the client listening port and the
Trend Micro Security Server’s listening port (see Understanding Client/Server
Security Ports on page 4-7for more information on the types of ports the client and
Trend Micro Security Server use to communicate)
3-7
Number of Clients
A client is a computer that has the Client/Server Security Agent software installed on
it. clients can be desktops, servers (even Exchange servers), and notebook computers,
including those that belong to users who telecommute or connect to the corporate
network from their homes.
If you have a heterogeneous client base (that is, if your network has different
Windows operating systems, such as Windows Vista, 2000, XP, or Server 2003),
identify how many clients are using a specific Windows version. Use this
information to decide which client deployment method will work best in your
environment.
Note: A single Trend Micro Security Server can manage up to 2500 clients. If you have
more then this amount, Trend Micro suggests installing more than one Trend Micro
Security Server.
Network Traffic Considerations

When planning for deployment, consider the network traffic that Client/Server
Security will generate. Client/Server Security generates network traffic when the
Trend Micro Security Server and clients communicate with each other.
The Trend Micro Security Server generates traffic when it does the following:
• Connects to the Trend Micro ActiveUpdate server to check for and download
updated components
• Notifies clients to download updated components
• Notifies clients about configuration changes
The client generates traffic when it does the following:
• Starts up
• Performs scheduled update
• Switches between roaming mode and normal mode
• Performs Update Now
• Generates a Virus Log
3-8
Network Traffic During Pattern File Updates

Significant network traffic is generated whenever TrendLabs releases an updated
version of any of the following items:
• Virus pattern, Virus scan engine 32-bit, Virus scan engine 64-bit
• IntelliTrap pattern, IntelliTrap exception pattern
• Virus cleanup template, Virus cleanup engine 32- bit
• Messaging Security Agent scan engine
• Spyware pattern, spyware active-monitoring pattern, anti-rootkit driver (for 32-bit
systems only), and spyware scan engine
• Anti-spam pattern, Anti-spam engine
• Vulnerability pattern
• Common Firewall pattern, Common Firewall driver 32-bit
To reduce network traffic generated during pattern file updates, Client Server
Messaging Security uses a method called incremental update. Instead of
downloading the full updated pattern file every time, the Trend Micro Security
Server only downloads the new patterns that have been added since the last release.
The Trend Micro Security Server merges the new patterns with the old pattern file.
Regularly updated clients only have to download the incremental pattern, which is
approximately 5KB to 200KB. The full pattern is approximately 13MB when
compressed and 20MB to 30MB when uncompressed and takes substantially longer
to download.
Trend Micro releases new pattern files daily. However, if a particularly damaging
virus is actively circulating, Trend Micro releases a new pattern file as soon as a
detection routine for the threat is available.
Using Update Agents to Reduce Network Bandwidth

Consumption During Updates
If you identify sections of your network between clients and the Trend Micro
Security Server as "low-bandwidth" or "heavy traffic", you can specify Client/Server
Security Agent clients to act as update sources (Update Agents) for other clients. This
helps distribute the burden of deploying components to all clients.
3-9
For example, if your network is segmented by location, and the network link between
segments experiences a heavy traffic load, Trend Micro recommends allowing at
least one client on each segment to act as an Update Agent.
Deciding on a Dedicated Server

When selecting a server that will host Client Server Messaging Security, consider the
following:
• How much CPU load is the server carrying?
• What other functions does the server perform?
If you are installing Client Server Messaging Security on a server that has other uses
(for example, application server), Trend Micro recommends that you install on a
server that is not running mission-critical or resource-intensive applications.
Location of the Program Files

During the Trend Micro Security Server installation, specify where to install the
program files on the clients. Either accept the default client installation path or
modify it. Trend Micro recommends that you use the default settings, unless you
have a compelling reason (such as insufficient disk space) to change them.
The default client installation path is:
C:\Program Files\Trend Micro\Security Server
Number of Groups
A group in Client Server Messaging Security is a cluster of clients that share the
same configuration and run the same tasks. By clustering your clients into groups,
you can simultaneously configure, manage, and apply the same configuration to all
group members.
A Client Server Messaging Security group is different from a Windows domain.
There can be several Client Server Messaging Security groups in one Windows
domain.
For ease of management, plan how many Client Server Messaging Security groups to
create. You can group clients based on the departments they belong to or the
3-10
functions they perform. Alternatively, you can group clients that are at a greater risk
of infection and apply a more secure configuration to all of them.
3-11
3-12
Chapter 4

Installation Overview
This chapter explains the steps necessary for the next phase: Client Server Messaging
Security installation or upgrade. It also provides information on uninstalling the
Trend Micro Security Server program.
• Preparing for the Client Server Messaging Security Installation on page 4-2
• Installing Client Server Messaging Security on page 4-9
• Performing a Custom Installation on page 4-10
• Performing a Typical Installation on page 4-36
• Performing a Silent Installation on page 4-36
• Upgrading Client Server Messaging Security on page 4-37
• Upgrading Trend Micro Messaging Security Agent on page 4-39
• Verifying the Trend Micro Security Server Installation or Upgrade on page 4-42
• Uninstalling the Trend Micro Security Server on page 4-43
4-1
Phase 2: Installing Client Server Messaging

Security
The steps in this phase help you prepare for Client Server Messaging Security
installation and outline how to perform a fresh install or an upgrade.
Tip: You can preserve your client settings when you upgrade to this version of Client
Server Messaging Security or if you need to reinstall this version of Client Server
Messaging Security. See Upgrading from a Previous Version on page 4-37 for
instructions.
Preparing for the Client Server Messaging

Security Installation
This section provides background information you will need to understand before
performing the installation.
4-2
Client Server Messaging Security Installation Overview
Choosing Your Edition

The Activation Code that you receive from Trend Micro depends on the product
purchased.
The following tables list the features supported for each edition.
TABLE 4-1. Features Available by Product Types
Features Client Server Client Server

Security Messaging Security
Component Updates Yes Yes
Antivirus Yes Yes

Firewall Yes Yes
Anti-spyware Yes Yes
Anti-spam No Yes
Content Filtering No Yes

Attachment Blocking No Yes
TABLE 4-2. License Status Consequences
Fully Licensed Evaluation (30 days) Expired
Expiration Notification Yes Yes Yes
Virus Pattern File Updates Yes Yes No
Program Updates Yes Yes No
Technical Support Yes No No
Real-time Scanning Yes Yes Yes
Note: To upgrade your edition, contact a Trend Micro sales representative.
4-3
Third Party Antivirus Applications

Trend Micro highly recommends removing third party antivirus applications from
the computer on which you will install the Trend Micro Security Server. The
existence of other antivirus applications on the same computer may hinder proper
Trend Micro Security Server installation and performance.
Note: Client Server Messaging Security cannot uninstall the server component of any
third-party antivirus product, but can uninstall the client component (see Migrating
from Third-party Antivirus Applications on page 5-17 for instructions and for a
list of third party applications Client Server Messaging Security can remove).
Known Compatibility Issues

This section explains compatibility issues that may arise if you install the Trend
Micro Security Server on the same computer with certain other third-party
applications. Always refer to the documentation of all third-party applications that
are installed on the same computer on which you will install theTrend Micro Security
Server.
SQL Server
You can scan SQL Server databases; however, this may decrease the performance of
applications that access the databases. Trend Micro recommends excluding SQL
Server databases and their backup folders from Real-time Scan. If you need to scan a
database, perform a manual scan during off-peak hours to minimize the impact of the
scan.
Internet Connection Firewall (ICF)

Windows XP SP2 and Windows Server 2003 provide a built-in firewall named
Internet Connection Firewall (ICF). Trend Micro highly recommends removing any
third-party firewall applications if you want to install Personal Firewall. However, if
you want to run ICF or any other third-party firewall, add the Trend Micro Security
Server listening ports to the firewall exception list (see Understanding Client/Server
Security Ports on page 4-7 for information on listening ports and see your firewall
documentation for details on how to configure exception lists).
4-4
Full version and Trial Version

You can install either a full version of Client Server Messaging Security or a free,
trial version.
• Full version – Comes with technical support, virus pattern downloads, real-time
scanning, and program updates for one year. You can renew a full version by
purchasing a maintenance renewal.
• Trial version – Provides real-time scanning and updates for 30 days. You can
upgrade from a trial version to a full version at any time.
The Registration Key and Activation Codes

Your version of Client Server Messaging Security comes with a Registration Key.
During installation, Client Server Messaging Security prompts you to enter an
Activation Code.
If you do not have the Activation Code(s), use the Registration Key that came with
your product to register on the Trend Micro Web site and receive the Activation
Code(s). The Client Server Messaging Security master installer can automatically
redirect you to the Trend Micro Web site:
http://www.trendmicro.com/support/registration.asp
If you do not have either the Registration Key or Activation Code, you can still
install the trial version. The trial version has all the same functionality as the full
version, and if you upgrade within 30 days all of your settings will automatically be
upgraded to the full version. To find out more information contact your Trend Micro
sales representative (see Contacting Technical Support on page 18-14).
Note: If you have questions about registration, please consult the Trend Micro Web site at
the following address:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=e
n-116326
4-5
Information to Prepare Before Performing the Installation

The master installer will prompt you for the following information during
installation:
• Security server details – The domain/hostname or the IP address of the security
server and the target directory where Client Server Messaging Security installs the
the security server files.
• Proxy server details – If a proxy server handles Internet traffic on your network,
you must configure proxy server information (including the user name and
password). This information is necessary to download the latest components from
the Trend Micro update server. You can enter proxy server information during or
after installation. Use the Trend Micro Security Dashboard for SMB to enter
information after installation.
• SMTP server – If using an SMTP server to send notifications, enter the name of
the SMTP server, the port number, and the recipients’ email address.
Note: The installation program will automatically detect the name of the SMTP server and
fill in the field if the SMTP server is on the same computer as the CSM server
installation.
• Dashboard password – To prevent unauthorized access to the Trend Micro

Security Dashboard for SMB, you can specify a password that will be required of
anyone trying to open the console.
• Client unload/uninstall password – Set a password to prevent unauthorized
unloading or removal of the Client/Server Security Agent.
• Client software installation path – Configure the client installation path where
Client/Server Security files will be copied to during client setup.
• Account and Privileges – You must log on with an administrator account with
domain administrator privileges, or with administrator privileges on the local
computer. If you do not log on with domain administrator privileges or local
computer privileges, you must manually create an administrative group before
proceeding with the installation.
• Restarting Exchange services – You do not need to stop Exchange services
before starting the installation or restart them after a successful installation. When
4-6
uninstalling or upgrading the Trend Micro Messaging Security Agent, the IIS
Admin service and all related services will automatically be stopped and restarted.
WARNING! If you are installing the Messaging Security Agent on a server that is running
lockdown tools (such as typically implemented for Windows 2000 server with IIS
5.0), remove the lockdown tool so that it does not disable IIS service and cause
the installation to be unsuccessful.
Understanding Client/Server Security Ports

Client/Server Security utilizes two types of ports:
• Server listening port (HTTP port): used to access the Trend Micro Security
Server. By default, Client/Server Security uses one of the following:
• IIS server default Web site – The same port number as your HTTP server’s
TCP port.
• IIS server virtual Web site – 8059
• Apache server – 8059
• Client listening port – A randomly generated port number through which the
client receives commands from the Trend Micro Security Server.
You can modify the server listening port during installation or after. You can modify
the client listening port only during installation.
WARNING! Many hacker and virus attacks use HTTP and are directed at ports 80 and/or
8080– commonly used in most organizations as the default Transmission
Control Protocol (TCP) ports for HTTP communications.
If your organization is currently using one of these ports as the HTTP port,
Trend Micro recommends using another port number.
Trend Micro Security Server Prescan

Before the master installer begins the installation process, it performs a prescan. This
prescan includes a virus scan and Damage Cleanup Services scan to help ensure the
4-7
target computer does not contain viruses, Trojans, or other potentially malicious
code.
The prescan targets the most vulnerable areas of the computer, which include the
following:
• the Boot area and boot directory (for boot viruses)
• the Windows folder
• the Program Files folder
Actions for Prescan Detections

If the Client Server Messaging Security setup program detects viruses, Trojans, or
other potentially malicious code, you can take the following actions:
• Clean – Cleans an infected file by removing the virus or malicious application.
Client/Server Security encrypts and renames the file if the file is uncleanable.
• Rename – Encrypts the file and changes the file extension to .VIR, VIR1, VIR2...
The file remains in the same location.
• Delete – Deletes the file.
• Pass – Does nothing to the file.
Tip: Trend Micro recommends cleaning or deleting infected files.
Other Installation Notes

Installing the Trend Micro Security Server does not require you to restart the
computer. After completing the installation, immediately configure the Trend Micro
Security Server, and then proceed to rolling out the Client/Server Security Agent
program. If using an IIS Web server, the setup program automatically stops and
restarts the IIS service during Web server installation.
WARNING! Make sure that you do not install the Web server on a computer that is running
applications that might lock IIS. This could prevent successful installation. See
your IIS documentation for more information.
4-8
Tip: Trend Micro highly recommends installing Client Server Messaging Security during
non-peak hours to minimize the effect on your network.
Installing Client Server Messaging Security

There are three methods for installing Client Server Messaging Security:
• Typical: provides a simple and easy solution for installing Client Server
Messaging Security using Trend Micro default values. This method is suitable for a
single small business using a single Trend Micro Security Server and up to ten
client desktops.
• Custom: provides flexibility in implementing your network security strategy. This
method is suitable if you have many computers and servers, or multiple Exchange
servers.
• Silent: performing a Silent installation creates a record file that you can use to
perform identical installations on other computers or networks.
Note: Close any running applications before installing Client Server Messaging Security. If
you install while other applications are running, the installation process may take
longer to complete.
Tip: You can preserve your client settings when you upgrade to this version of Client
Server Messaging Security or if you need to reinstall this version of the Client
Server Messaging Security. See Upgrading from a Previous Version on page
4-37 for instructions.
Note: If information from a previous MSA installation exists on the client, you will be
unable to install MSA successfully. Use the Windows Installer Cleanup Utility to
clean up remnants of the previous installation. To download the Windows Installer
Cleanup Utility, visit http://support.microsoft.com/kb/290301/en-us.
4-9
Performing a Custom Installation

The Custom Installation method provides the most flexibility in implementing your
network security strategy. The Custom and Typical installation processes follow a
similar flow:
1. Perform pre-configuration tasks
2. Enter the settings for the Trend Micro Security Server and Security Dashboard
3. Configure the Messaging Security Agent installation options
4. Configure the Client/Server Security Agent installation options for local and
remote client computers
5. Start the installation process
6. Optional: configure the Remote Messaging Security Agent installation option
for remote Exchange servers.
Part 1 – Pre-configuration tasks

The pre-configuration tasks consist of launching the installation wizard, providing
licensing and activation details, pre-scanning the server for viruses, and choosing an
installation type.
To start the pre-configuration tasks:
1. Open the folder that contains the setup files and double-click Setup
(SETUP.EXE). The Client Server Messaging Welcome screen appears.
4-10
FIGURE 4-1. Client Server Messaging Security Welcome Screen
2. Click Next. The Software License Agreement screen appears.

3. Read the license agreement. If you agree with the terms, select I accept the
terms in the license agreement.
4. Click Next. The Product Activation screen appears.
4-11
FIGURE 4-2. Product Activation Screen
5. Click Register Online if the product has not been registered yet. If the product is
already registered, skip this step.
6. Enter the Activation Code in the Activation Code field.
Note: If you do not have an Activation Code, click Next to install the trial version.
Upgrade to the full version before the 30-day trial period ends and all settings
will remain.
7. Click Next. The Computer Prescan screen appears.
4-12
FIGURE 4-3. Computer Prescan Screen
8. Choose whether to prescan your computer for threats by selecting one of the
following options:
• Prescan my computer for threats
• Do not prescan my computer for threats
Note: If you choose to prescan your computer for threats, a threat progress screen will
appear while scanning is taking place. See Actions for Prescan Detections on
page 4-8.
9. Click Next. The Setup Type screen appears.
4-13
FIGURE 4-4. Installation Setup Type Screen
10. From the Setup Type screen, choose one of the following options:
• Typical installation (recommended)
• Custom installation
Note: For instructions on performing an installation using the Typical method, see
Performing a Typical Installation on page 4-36. The default values for the
Custom installation are exactly the same as the values for a Typical installation.
11. Click Next. The Setup Overview screen appears. At this time, all of the
pre-installation tasks are complete.
4-14
FIGURE 4-5. Installation Setup Overview Screen
12. The Setup Overview screen briefly lists the tasks that you need to complete in
order to install the Trend Micro Security Server, Security Dashboard,
Client/Server Security Agent, and Messaging Security Agent.
Part 2 – Configuring the Security Server and Security

Dashboard Settings
To configure the Security Server and Security Dashboard:
1. From the Setup Overview screen, click Next. The Installation Stage screen
appears with the Security Server icon highlighted.
4-15
FIGURE 4-6. Security Server Installation Stage Screen
2. Click Next. The Server Identification screen appears.
4-16
FIGURE 4-7. Security Server Identification Screen
3. Choose from one of the following server identification options for client-server
communication:
• Server information – Choose Domain name or IP address:
• Domain name – Verify the target server domain name. You can also use
the server’s fully qualified domain name (FQDN) if necessary to ensure
successful client-server communication.
• IP address – Verify that the target server IP address is correct.
4-17
Tip: Clicking IP address is not recommended if the computer the Security

Server will be installed on obtains an IP address from a DHCP server.
If the server has multiple network interface cards (NICs), Trend Micro
recommends using one of the IP addresses, instead of the domain name or
FQDN.
• Target directory – Enter the target directory where Trend Micro Security
Server files will be installed.
4. Click Next. The Select Program Folder screen appears.
FIGURE 4-8. Select Program Folder Screen
Note: This screen will not appear if you choose the Typical installation method.
4-18
5. Type a location in the Program folder field where program shortcuts will be
stored or accept the default location.
6. Click Next. The Web Server screen appears allowing you to choose a Web
server
FIGURE 4-9. Web Server Selection Screen
7. From the Web Server screen, select a Web server to host the Security
Dashboard. Choose from one of the following:
• IIS server
• Apache web server
8. Click Next. Depending on the type of server chosen, the corresponding screen
appears.
4-19
FIGURE 4-10. IIS Web Server Configuration Screen
4-20
FIGURE 4-11. Apache Web Server Configuration Screen
9. Configure the following Web server settings:

• HTTP port
• Enable SSL
• SSL port
Note: If using IIS server, you must specify an IIS Web site, virtual or default. Client
Server Messaging will assign default values for the HTTP and SSL port settings.
10. Click Next. The Proxy Server screen appears.
4-21
FIGURE 4-12. Proxy Server Settings Screen
11. If a proxy server is required to access the Internet, select the Use a proxy server
check box and then provide the following information:
• Proxy type
• Server or IP address
• Port
• User name
• Password
12. Click Next. The SMTP Server and Notification Recipient(s) screen appears.
4-22
FIGURE 4-13. SMTP Server Settings Screen
13. The SMTP Server and Notification Recipient(s) screen, requires the following
information:
• SMTP Server
• Port
• Recipient(s)
Note: The installation program will automatically detect the name of the SMTP server
and fill in the SMTP Server and Port fields if the SMTP server is on the same
computer as the CSM server installation.
14. Click Next. The Administrator Account Password screen appears.
4-23
FIGURE 4-14. Administrator Account Password Screen
15. The Administrator Account Password screen requires the following

information:
• Security Dashboard – Needed in order to administer the Security Dashboard
• Password
• Confirm password
• Client/Server Security Agent – Needed in order to uninstall the Client/Server
Security Agent
• Password
• Confirm password
Note: The Password field holds 1 – 24 characters, and is case sensitive.
16. Click Next. The World Virus Tracking Program screen appears.
4-24
FIGURE 4-15. World Virus Tracking Program Screen
17. Choose whether to participate in the World Virus Tracking Program.

18. Click Next. The Component Selection screen appears.
4-25
FIGURE 4-16. Component Selection Screen
19. Select the components to install.

• Client/Server Security Agent
• Messaging Security Agent
• Remote Messaging Security Agent
20. Click Next. The Messaging Agent Installation Stage screen appears with the
Messaging Security Agent icon highlighted.
4-26
FIGURE 4-17. Messaging Agent Installation Stage Screen
Note: If the local server does not have Exchange server on it, the Messaging Security
agent option will be unavailable.
Part 3 – Configuring the Messaging and Client Security

Agents
The options below are dependant upon the components selected from the Component
Selection screen. For example, if the local server already has the Client/Server
Security Agent installed, the option to install and configure the Client/Server
Security Agent will not appear. If the local server does not have an Exchange server
installed on it, the option to install and configure the Messaging Security Agent will
also be unavailable.
To configure the Messaging and Client/Server Security Agents:
1. Click Next. The Install Messaging Security Agent screen appears.
4-27
FIGURE 4-18. Install Messaging Security Agent Screen
2. Enter the Domain Administrator account information.

• Account
• Password
Note: The installation program will automatically detect the name of the local Exchange
server and fill in the Exchange Server field if the Exchange server is on the same
computer as the CSM server installation.
3. Click Next. The Messaging Security Agent Settings screen appears.
4-28
FIGURE 4-19. Messaging Security Agent Settings Screen
4. From the Messaging Security Agent Settings screen:

a. Web server – Select the type of Web server for hosting the Security
Dashboard.
• IIS server
• Apache web server
b. Target directory – Directory where Client Server Messaging Security
installs the Messaging Security Agent files.
c. Shared directory – System root directory for the Messaging Security Agent
installation.
4-29
Note: Anonymous Access is required for communication between the Security Server and
the Messaging Security Agent. The installation program will automatically enable
Anonymous Access Authentication Methods for the Messaging Security Agent. To
view the Anonymous Access Authentication Methods, access the Messaging Security
Agent Web site on the IIS console.
5. Click Next. The Client/Server Security Agent Installation Stage screen

appears with the Client/Server Security Agent and Remote Client/Server Security
Agent icons highlighted.
FIGURE 4-20. Client/Server Security Agent Installation Stage Screen
6. Click Next. The Client/Server Security Agent Installation Path screen

appears.
4-30
FIGURE 4-21. Client/Server Security Agent Installation Path Screen
7. Set the following items:

• Path – The directory where the Client/Server Security Agent files are
installed
• Port – The port used for Client/Server Security Agent and Security Server
communications
Note: The Client/Server Security Agent applies the Path and Port settings to both local
and remote clients.
8. Click Next. The Review Settings screen appears.
4-31
FIGURE 4-22. Review Settings Screen
9. Click Next. The installation process begins installing the Security Server,
Messaging Security Agent, and Client/Server Security Agent. Upon completion,
the Remote Messaging Security Agent Installation Stage screen appears.
Note: The next step assumes that you selected install Remote Messaging Security
Agent from the Component Selection screen. If you chose not to select the
option to install the Remote Messaging Security Agent, an InstallShield Wizard
Complete screen will appear.
Part 4 – Starting the Remote Messaging Security Agent

Installation
To configure the Remote Messaging Security Agent:
1. The Remote Messaging Security Agent Installation Stage screen appears.
4-32
FIGURE 4-23. Remote Messaging Security Agent Installation Stage
2. Click Next. The Install Remote Messaging Security Agent screen appears.
4-33
FIGURE 4-24. Install Remote Messaging Security Agent Screen
3. To install Messaging protection to a remote Exchange server, click Yes and then
enter the Domain Administrator account information.
• Exchange Server
• Account
• Password
Note: If you chose No, the InstallShield Wizard Complete screen will appear, and the
installation process will be complete. If you chose Yes, upon completion of the
Remote Messaging Security Agent installation, you will be prompted to install
another Remote Messaging Security Agent.
4. Click Next. The Remote Messaging Security Agent Settings screen appears.
4-34
FIGURE 4-25. Remote Messaging Security Agent Settings
5. From the Remote Messaging Security Agent Settings screen:

a. Web server – Select a Web server type.
• IIS server
• Apache Web server
b. Target directory – Directory where the Remote Messaging Security Agent
files are installed
c. Shared directory – System root directory for the Remote Messaging Security
Agent installation
6. Click Next. The program begins installing the Remote Messaging Security Agent
on the remote Exchange server.
4-35
7. Upon completion, the Remote Messaging Security Agent Status screen

re-appears. Repeat the above process to install the Remote Messaging Security
Agents on other Exchange servers.
Performing a Typical Installation

The Typical installation method follows the same flow as the Custom installation
method. During a Typical installation the following options are not available because
they use the Trend Micro default settings:
• Client Server Messaging Security program folder
• Web server
• Web server settings
• Proxy server settings
• Client/Server Security Agent settings
To perform an installation using the Typical method follow the steps in Performing a
Custom Installation on page 4-10.
Performing a Silent Installation

Use the Silent installation method when multiple repeated installations using the
same configuration are required.
You can use Silent installation to help you run multiple identical installations on
separate networks. The procedure for running a silent installation is identical to the
Custom installation except for the following pre-configuration and actual installation
steps.
Pre-configuration steps:
1. Open the command window. Go to the directory where the Client Server
Messaging Security setup files are located.
2. At the prompt, type setup -r.
To continue with the setup process and to learn more about configuring Client Server
Messaging Security during installation see Performing a Custom Installation on page
4-10.
4-36
Starting the silent installation:

1. Go to:
• For Win2000 OS – C:\WINNT
• For WinXP/2003 OS – C:\Windows
2. Find the file setup.iss and copy it to the Client Server Messaging Security setup
folder.
3. Open a command window and at the prompt navigate to the Client Server
Messaging Security setup folder and type setup -s.
To verify that the installation is successful, go to the Client Server Messaging
Security folder and view the setup.log file. If the result code is equal to "0", the
installation was successful.
Upgrading Client Server Messaging Security

You can upgrade to a full version of Client Server Messaging Security from a
previous version or from a trial version (see Full version and Trial Version on page
4-5 for more information on the differences between the full and trial versions).
Upgrading from a Previous Version

Client Server Messaging Security supports the following upgrades:
• Upgrade from Client/Server Security 3.0 (SP1) to Client Server Security 3.6
• Upgrade from Client/Server Security 3.0 (SP1) to Client Server Messaging
Security 3.6
• Upgrade from Client Server Security 3.5 to Client Server Security 3.6
• Upgrade from Client Server Security 3.5 to Client Server Messaging Security 3.6
• Upgrade from Client/Server/Messaging Security 3.0 (SP1) to Client Server
Messaging Security 3.6
• Upgrade from Client Server Messaging Security 3.5 to Client Server Messaging
Security 3.6
4-37
Note: If you upgrade the Client/Server Suite Server or Client Server Messaging Security
Server that is running of a Windows NT4 server, the upgrade process will be
interrupted and a warning message will appear. This happens as well if you upgrade
Client/Server Agent on a Windows 9x/NT client. If you continue with the upgrade, the
Client/Server Agent will be unable to report to the CSM Server.
Client Server Messaging Security 3.6 does not support upgrade under the following
conditions:
• Upgrade to Client Server Messaging Security 3.6 from OfficeScan Enterprise
Edition or ScanMail for Microsoft Exchange.
• Upgrade from one language to another.
• Client Server Security 3.6 will not upgrade Client/Server Security Agents running
on Windows 9x/ME/NT clients.
• Upgrade from Client/Server Suite 2.0 to Client Server Security 3.6
• Upgrade from Client/Server Suite 2.0 to Client Server Messaging Security 3.6
Tip: Upgrade from Client/Server/Messaging Suite 3.0/3.5 to Client Server

Messaging Security 3.6 You can preserve your client settings when you upgrade to
this version of Client Server Messaging Security or if you need to reinstall this
version.
Trend Micro recommends deleting all virus log files from the Trend Micro Security
Server before upgrading. If you want to preserve the virus log files, save them to
another location first.
To upgrade to this version of Client Server Messaging Security:

• Run the master installer program on the target computer. Upgrading is very similar
to performing a fresh install, but you will not be prompted to enter configuration
information, such as port numbers or proxy server information. Client Server
Messaging Security uses the same existing configuration information on the
computer (see Performing a Custom Installation on page 4-10 for instructions).
4-38
Upgrading from an Evaluation Version

When your trial version is about to expire, Client Server Messaging Security display
a notification message on the Live Status screen. You can upgrade from a trial
version to the full version using the Security Dashboard. Your configuration settings
will be saved. When you purchase a license to the full version, you will be given a
Registration Key or an Activation Code.
To upgrade from a trial version:
1. Open the Security Dashboard.
2. On the main menu, click Preferences > Product License. The Product License
screen appears.
3. Click View license upgrade instructions.
4. If you have an Activation Code, click Enter a new code.
5. Type the activation code in the New Activation Code field and click Activate.
If you do not have an Activation Code, click Register Online and use the
Registration Key to obtain an Activation Code.
Upgrading Trend Micro Messaging Security

Agent
Note: Client Server Messaging Security 3.6 will not upgrade Messaging Security Agents that
are running on Exchange server 5.5.
Upgrade Effect On Logs and Folders

Upgrading to the Client Server Messaging Security 3.6 Messaging Security Agent
has the following effects on logs and folders:
• Logs are retained and can be queried in the upgraded version.
4-39
Tip: Before upgrading, check the size of your log files. If the log file is very large, Trend
Micro recommends that you run maintenance using your current version before you
upgrade. This will greatly reduce the amount of time required for upgrade.
• The quarantine and backup folders are retained during upgrading; however, you
will no longer be able to query the quarantined log or resend the quarantined items
from the previous version from the Security Dashboard of the upgraded version.
• If the previous version of Client Server Messaging Security used eManager, then
Client Server Messaging Security 3.6 retains the anti-spam logs from that version.
Upgrade Effect on Configurations

Upgrading to Client Server Messaging Security 3.6 has the following effects on old
configurations:
• End User Quarantine (EUQ).
The approved sender lists are maintained in the upgraded version.
• eManager.
Previous versions of Client Server Messaging Security used eManager anti-spam
rules to block email messages that matched specified keywords. In Client Server
Messaging Security 3.6, this function is provided by Content Filtering rules. The
anti-spam rule name from the previous version is imported to Client Server
Messaging Security 3.6. For detailed information about how Client Server
Messaging Security 3.6 upgrades anti-spam rules from eManager see Table 4-3.
TABLE 4-3. Effect of Upgrading eManager Anti-spam Rules
The old anti-spam rule CSM 3.6 imports the rule as a Content
Filtering rule
Exactly matching keywords By default, CSM 3.6 uses exact matches

on all keywords to filter content.
Partially matching keywords CSM 3.6 uses regular expressions with

the specified keywords.
Global exception CSM 3.6 sets the rule to trigger a Pass

action so that CSM 3.6 takes no action
against messages configured with global
exceptions rules. CSM 3.6 assigns this
imported rule the lowest rule order
number so that it is always filtered first.
4-40
CSM 3.6 imports the rule as a Content

The old anti-spam rule
Filtering rule
Notifications CSM 3.6 retains the notification settings.
Client Server Messaging Security 3.6 supports all eManager message blocking
actions described in the following table:
TABLE 4-4. Effect of Upgrading eManager Anti-spam Actions
Old anti-spam action Upgraded Content Filtering action
Quarantine Quarantine
Archive Archive
Delete Quarantine
Upgrade Effect on Messaging Security Agent Actions

Actions from previous versions of Client Server Messaging Security 3.6 are changed
when you upgrade. Consult the following table for each action.
TABLE 4-5. Effect of Upgrading on Actions
Before Upgrade Action After Upgrade Action
Clean Clean
Quarantine Quarantine entire message

ScanMail 6.x used Quarantine to In Client Server Messaging Security 3.6
move infected messages to a Quarantine entire message copies the original
quarantine directory, replace the infected message into a quarantine folder and
infected files, and deliver the does not deliver the message to the original
remaining message to the original recipient.
recipient.
After upgrading, the old Quarantine action is
replaced with the new Quarantine entire
message action.
Delete Replace with text/file
ScanMail 6.x used Delete to remove The behavior of the Replace with text/file action
the contents of a message and is the same as the behavior of delete in
replace it with a warning text. ScanMail 6.x. Client Server Messaging Security
3.6 converts this action to replace with text/file.
Pass Pass
4-41
Verifying the Trend Micro Security Server

Installation or Upgrade
After completing the installation or upgrade, verify that the Trend Micro Security
Server is properly installed.
To verify the installation, do the following:
• Look for the Client/Server Security program shortcuts on the Windows Start menu
of the Trend Micro Security Server
• Check if Client Server Messaging Security is in the Add/Remove Programs list of
the Client Server Messaging Security Control Panel
• Log on to the Security Dashboard with the server’s URL:
http://{Client Server Messaging Security_server_name}:{port
number}/SMB
or if using SSL:
https://{Client Server Messaging Security_server_name}:{port
number}/SMB
where {Client Server Messaging Security_server_name} is the name

or IP address you designated.
4-42
Uninstalling the Trend Micro Security Server

Client Server Messaging Security uses an uninstall program to safely remove the
Trend Micro Security Server from your computer. Remove the Client/Server Security
Agent program from all clients before removing the server.
To remove the Trend Micro Security Server:
1. On the computer you used to install the server, click Start > Control Panel >
Add or Remove Programs.
2. Click Trend Micro Security Server for SMB, and then click Change/Remove.
A confirmation screen appears.
3. Click Next. Master Uninstaller, the server uninstallation program, prompts you
for the administrator password.
4. Type the administrator password in the text box and click OK. Master
Uninstaller then starts removing the server files. A confirmation message
appears.
5. Click OK to close the uninstallation program.
Note: Uninstalling the Trend Micro Security Server does not uninstall clients.
Uninstall or move all clients before uninstalling the Trend Micro Security
Server.
4-43
4-44
Chapter 5
Installing the Trend Micro Client

Server Messaging Security Agent
This chapter explains the steps necessary for successful Trend Micro Client Server
Messaging Security Agent installation and upgrade. It also provides information on
removing the Client/Server Security Agent program.
• Choosing an Installation Method on page 5-2
• Installing from the Internal Web Page on page 5-4
• Installing with Login Script Setup on page 5-5
• Installing with Windows 2000/Server 2003 Scripts on page 5-7
• Installing with Client Packager on page 5-7
• Sending the Package via Email on page 5-10
• Installing with an MSI file on page 5-11
• Installing with Windows Remote Install on page 5-11
• Installing with Vulnerability Scanner on page 5-13
• Upgrading the Client/Server Security Agent on page 5-16
• Migrating from Third-party Antivirus Applications on page 5-17
• Verifying the Client Installation, Upgrade, or Migration on page 5-21
5-1
• Removing the Client on page 5-24
Choosing an Installation Method

Trend Micro Client Server Messaging Security for SMB provides several methods to
install the Client/Server Security Agent. This section provides a summary of the
different methods.
Tip: In organizations where IT policies are strictly enforced, Remote Install and Login
Script Setup are recommended.
• Internal Web page – Instruct the users in your organization to go to the internal
Web page and download the Client/Server Security Agent setup files (see
Installing from the Internal Web Page on page 5-4)
• Login Script Setup – Automate the installation of the Client/Server Security
Agent to unprotected computers when they log on to the domain (see Installing
with Login Script Setup on page 5-5)
• Client Packager – Deploy the Client/Server Security Agent setup or update files
to clients via email (see Installing with Client Packager on page 5-7)
• Windows Remote Install – Install the Client/Server Security Agent program on
all Windows Vista/2000/XP/Server 2003 clients from your Web console (see
Installing with Windows Remote Install on page 5-11)
• Trend Micro™ Vulnerability Scanner (TMVS) – Install the Client/Server
Security Agent on all Windows Vista/2000/XP (Professional)/Server 2003 clients
with the Trend Micro Vulnerability Scanner (Installing with Vulnerability Scanner
on page 5-13)
5-2
Installing the Trend Micro Client Server Messaging Security Agent
TABLE 5-1. Trend Micro Client Server Messaging Security Agent Deployment
Methods
Windows
Login Client
Web page scripts packager Remote TMVS
Install
Suitable for Yes No Yes No No

deployment
across the WAN
Suitable for Yes Yes No Yes Yes
centralized
administration
and
management
Requires client Yes No Yes No No

user intervention
Requires IT No Yes Yes Yes Yes

resource
Suitable for mass No Yes No Yes Yes

deployment
Bandwidth Low, if High, if Low, if Low, if Low, if

consumption scheduled clients are scheduled scheduled scheduled
started at
the same
time
To use any of these Client/Server Security Agent deployment methods, you must
have local administrator rights on the target computers.
Installing, Upgrading, or Migrating

Client/Server Security Agent
This section provides information on the following:
• Performing a fresh Client/Server Security Agent install with your chosen
installation method (see Choosing an Installation Method on page 5-2)
• Upgrading from a previous version of Client/Server Security to the current version
(see Upgrading the Client/Server Security Agent on page 5-16)
5-3
• Migrating from a third-party antivirus installation to the current version of

Client/Server Security (see Migrating from Third-party Antivirus Applications on
page 5-17)
Note: Close any running applications on the client computers before installing the
Client/Server Security Agent. If you install while other applications are running, the
installation process may take longer to complete.
Performing a Fresh Install

Follow one of the procedures below if this is the first time you are installing the
Trend Micro Client Server Messaging Security Agent on the target computer.
Installing from the Internal Web Page

If you installed the Trend Micro Security Server to a computer running Windows
2000, Windows XP, or Windows Server 2003 with Internet Information Server (IIS)
5.0 or 6.0, or Apache 2.0.54, your client users can install the Client/Server Security
Agent from the internal Web server created during master setup.
This is a convenient way to deploy the Client/Server Security Agent. You only have
to instruct users to go to the internal Web page and download the Client/Server
Security Agent setup files.
Tip: You can use Vulnerability Scanner to see which clients have not followed the
instructions to install from the Security Dashboard (see Using Vulnerability
Scanner to Verify the Client Installation on page 5-21 for more information).
Users must have Microsoft Internet Explorer 5.5 or later with the security level set to
allow ActiveX controls to successfully download the Client/Server Security Agent
setup files. The instructions below are written from the client user perspective. Email
your users the following instructions to install the Client/Server Security Agent from
the internal Web server.
To install from the internal Web page:
1. Open an Internet Explorer window and type one of the following:
5-4
• Trend Micro Security Server with SSL:

https://{Trend Micro Security
Server_name}:{port}/SMB/console/html/client
• Trend Micro Security Server without SSL:

http://{Trend Micro Security
Server_name}:{port}/SMB/console/html/client
2. Click InstallNow to start installing the Client/Server Security Agent.
Note: For Windows Vista clients, ensure Protected Mode is enabled.

To enable Protected Mode, in Internet Explorer, click Tools > Internet
Options > Security.
The installation starts. Once installation is completed, the screen displays the
message, "Agent installation is complete".
3. Verify the installation by checking if the Client/Server Security Agent icon
appears in the Windows system tray.
Installing with Login Script Setup

Use Login Script Setup to automate the installation of the Client/Server Security
Agent on unprotected computers when they log on to the domain. Login Script Setup
adds a program called autopcc.exe to the server login script. The program
autopcc.exe performs the following functions:
• Determines the operating system of the unprotected computer and the
• Updates the scan engine, virus pattern file, Damage Cleanup Services components,
cleanup file, and program files
Note: In order to enforce the use of login script installation method, client computers must
be listed in the Windows Active Directory of the server that is performing the
installation.
5-5
Note: Windows Vista does not support this feature.
To add autopcc.exe to the login script using Login Script Setup:

1. On the computer you used to run the server installation, Open C:\Program
Files\Trend Micro\Security Server\PCCSRV\Admin\SetupUsr.exe
2. The Login Script Setup utility loads. The console displays a tree showing all
domains on your network.
3. Browse for the Windows 2000/Server 2003 computer whose login script you
want to modify, select it, and then click Select. The server must be a primary
domain controller and you must have administrator access.
Login Script Setup prompts you for a user name and password.
4. Type your user name and password. Click OK to continue.
The User Selection screen appears. The Users list shows the computers that log
on to the server. The Selected users list shows the users whose computer login
script you want to modify.
• To modify the login script of a single user or multiple users, select them from
Users and then click Add
• To modify the login script of all users, click Add All
• To exclude a user whose computer you previously modified, select the name in
Selected users and click Delete
• To reset your choices, click Delete All
5. Click Apply when all the target users are in the Selected users list.
A message appears informing you that you have modified the server login scripts
successfully.
6. Click OK. The Login Script Setup utility will return to its initial screen.
• To modify the login scripts of other servers, repeat steps 2 to 4
• To close Login Script Setup, click Exit
5-6
Note: When an unprotected computer logs on to the servers whose login scripts you
modified, autopcc.exe will automatically install the client to it.
Installing with Windows 2000/Server 2003 Scripts

If you already have an existing login script, Login Script Setup will append a
command that executes autopcc.exe; otherwise, it creates a batch file called
ofcscan.bat(which contains the command to run autopcc.exe).
Login Script Setup appends the following at the end of the script:
\\{Server_name}\ofcscan
where:
{Server_name} is the computer name or IP address of the computer where the
Trend Micro Security Server is installed
ofcscan is the shared name of the PCCSRV folder where the autopcc.exe is
located.
The Windows 2000 login script is on the Windows 2000 server (through a net logon
shared directory), under:
\\Windows 2000 server\system
drive\WINNT\SYSVOL\domain\scripts\ofcscan.bat
The Windows 2003 login script is on the Windows 2003 server (through a net logon
shared directory), under:
\\Windows 2003 server\system
drive\windir\sysvol\domain\scripts\ofcscan.bat
Installing with Client Packager

Client Packager can compress setup and update files into a self-extracting file to
simplify delivery via email, CD-ROM, or similar media. It also includes an email
function that can open your Microsoft™ Outlook address book and allow you to send
the package from within the Client Packager console.
5-7
When users receive the package, all they have to do is double-click the file to run the
setup program. Client/Server Security Agents installed using Client Packager report
to the server where Client Packager created the setup package. This tool is especially
useful when deploying the Client/Server Security Agent setup or update files to
clients in low-bandwidth remote offices.
Note: Client packager requires a minimum of 140MB free disk space on the client. Windows
Installer 2.0 is necessary for the client to run an MSI package.
Client Packager can create two types of self-extracting files:

• Executable – This common file type has an .exe extension
Note: In Windows Vista clients, the program must be executed with Administrator
rights (Run as Administrator).
• Microsoft Installer Package Format (MSI) – This file type conforms to the
Microsoft Windows Installer package specifications. For more information on
MSI, see the Microsoft Web site.
Tip: Trend Micro recommends using Active Directory to deploy an MSI package with
Computer Configuration instead of User Configuration. This helps ensure that the
MSI package will be installed regardless of which user logs on to the machine.
Note: Install Microsoft Outlook to use the Client Packager send mail option.
To create a package with the Client Packager GUI:

1. On the Trend Micro Security Server, open Windows Explorer.
2. Browse to \PCCSRV\Admin\Utility\ClientPackager
3. Double-click ClnPack.exe to run the tool. The Client Packager console opens.
Note: You must run the program from the Trend Micro Security Server only.
5-8
4. In Target operating system, select the operating system for which you want to
create the package.
5. Select the type of package you want to create:
• Setup – Select if installing the Client/Server Security Agent program.
• Update – Select if updating Client/Server Security Agent components only.
6. Select from among the following installation options under Options:
• Silent Mode – Creates a package that installs on the client machine in the
background, unnoticeable to the client. The installation status window will not
appear.
• MSI Package – Creates a package that conforms to the Microsoft Windows
Installer Package Format.
Note: If you select MSI Package, the package file has an .msi extension; otherwise, it
has an .exe extension. The MSI package is for Active Directory deployment
only. For local installation, create an .exe package.
• Disable Prescan (only for fresh-install) – Disables the normal file scanning
that Client/Server Security performs before starting setup.
7. Under Components, select the components to include in the installation
package:
• Program – All components (if you select Program, Client Packager
automatically selects the other components).
• Scan engine – The latest scan engine on the Trend Micro Security Server.
• Virus pattern – The latest virus pattern file on the Trend Micro Security
Server.
• Common Firewall Driver – The driver for Personal Firewall
• Network Virus Pattern – The latest pattern file specifically for network
viruses
• DCE/DCT – The latest virus cleanup engine and template on the Trend Micro
Security Server
8. Select the Client/Server Security Agent utilities to include in the package:
5-9
• POP3 Mail Scan – Performs a virus scan on the client's Post Office Protocol 3
(POP3) mail messages and attachments as they are downloaded from the mail
server.
9. Ensure that the location of the ofcscan.ini file is correct next to Source file.
To modify the path, click to browse for the ofcscan.ini file. By default,
this file is located in the \PCCSRV folder of the Trend Micro Security Server.
10. In Output file, click to specify the file name (for example,
ClientSetup.exe) and the location to create the client package.
11. Click Create to build the client package. When Client Packager finishes creating
the package, the message "Package created successfully" appears. To verify
successful package creation, check the output directory you specified.
12. Send the package to your users via email, or copy it to a CD or similar media and
distribute among your users.
WARNING! You can only send the package to the Client/Server Security Agents that report to
the server where the package was created. Do not send the package to
Client/Server Security Agents that report to other Trend Micro Security Servers.
Sending the Package via Email
Note: Microsoft Outlook is necessary to use the Client Packager email function.
To send the package from the console:

1. Click Send mail. The Choose Profile window appears.
2. Choose a profile name from the list and click OK.
3. Enter the user name and password required to access Outlook on your computer.
4. The Send mail screen opens with the default subject and message. Click To and
specify the recipients of the package. Client Packager opens your Microsoft
Outlook address book. Click Cc or Bcc to furnish copies to other recipients in
your organization.
5. Edit the default subject and message (optional) and click Send.
5-10
Installing with an MSI file

If you are using Active Directory, you can install the Client/Server Security Agent by
creating a Microsoft Windows Installer file. Use Client Packager to create a file with
an .msi extension. You can take advantage of Active Directory features by
automatically deploying the Client/Server Security Agent program to all your clients
simultaneously with the MSI file, rather than requiring each client to install
Client/Server Security Agent themselves.
For more information on MSI, see the Microsoft Web site (www.microsoft.com).
For instructions on creating an MSI file, see Installing with Client Packager on page
5-7).
Installing with Windows Remote Install

Remotely install the Client/Server Security Agent to Windows Vista/2000/XP
(Professional Edition Only) and Server 2003 computers connected to the network,
and install to multiple computers at the same time. To use Windows Remote Install,
you need administrator rights for the target computers.
Note: You cannot use Windows Remote Install to install the Client/Server Security Agent on
machines running Windows XP Home Edition.
To install with Windows Remote Install:
Note: Installing CSA on Windows Vista requires a few additional steps. Refer to Enabling
CSA Remote Install on Windows Vista Clients on page 5-12 for additional
details.
1. From the Security Dashboard main menu, click Security Settings > Add. The
Add Computer screen appears.
2. Select Desktop or server from under Computer Type and then select Remote
install from under Method.
3. Click Next. The Remote Install screen appears.
5-11
4. From the list of computers in the Groups and Computers box, select a client,
and then click Add >>. A prompt for a user name and password to the target
computer appears. You need administrator rights to the target computer.
5. Type your user name and password, and then click Login. The target computer
appears in the Selected Computers list box.
6. Repeat these steps until the list displays all the Windows computers in the
Selected Computer list box.
7. Click Install to install the Client/Server Security Agent to your target computers.
A confirmation box appears.
8. Click Yes to confirm that you want to install the client to the target computers. A
progress screen appears as the program copies the Client/Server Security Agent
files to each target computer.
When Client Server Messaging Security completes the installation to a target
computer, the installation status will appear in the Result field of the selected
computers list, and the computer name appears with a green check mark.
Note: Windows Remote Install will not install the Client/Server Security Agent on a
machine already running a Trend Micro Security Server.
Enabling CSA Remote Install on Windows Vista Clients

Installing CSA on Windows Vista clients requires additional steps.
To enable Remote Install on Windows Vista clients:
1. Temporarily enable File and Printer Sharing.
Note: If the company security policy is to disable Windows Firewall, proceed to step 2
to start the Remote Registry service.
a. Open Windows Firewall in the Control Panel.

b. Click Allow a program through Windows Firewall. If you are prompted for
an administrator password or confirmation, type the password or provide
confirmation. The Windows Firewall Settings window appears.
5-12
c. Under the Program or port list in the Exceptions tab, make sure the File
and Printer Sharing check box is selected.
d. Click OK.
2. Temporarily start the Remote Registry service.
a. Open Microsoft Management Console.
Tip: Type services.msc in the Run window to open Microsoft Management

Console.
b. Right-click Remote Registry and select Start.

3. If required, return to the original settings after installing Client/Server Security
Agent on the Windows Vista client.
Installing with Vulnerability Scanner

Use Vulnerability Scanner (TMVS) to detect installed antivirus solutions, search for
unprotected computers on your network, and install the Client/Server Security Agent
on them. To determine if computers need protection, Vulnerability Scanner pings
ports that antivirus solutions normally use.
This section explains how to install the Client/Server Security Agent program with
Vulnerability Scanner. For instructions on how to use Vulnerability Scanner to detect
antivirus solutions, see the Administrative Tools section of the Administrator’s Guide
and the Trend Micro Security Server online help.
Note: You can use Vulnerability Scanner on machines running Windows 2000 or Server
2003; however, the machines cannot be running Terminal Server.
You cannot install the Client/Server Security Agent with Vulnerability Scanner if an
installation of the Trend Micro Security Server is present on the same machine.
To install the Client/Server Security Agent with Vulnerability Scanner:

1. In the drive where you installed the Trend Micro Security Server, open the
following directories: Client/Server Security > PCCSRV > Admin > Utility >
5-13
TMVS. Double-click TMVS.exe. The Trend Micro Vulnerability Scanner

console appears.
2. Click Settings. The Settings screen appears.
FIGURE 5-1. TMVS Settings Screen
3. Under Trend Micro Security Server Setting (for Install and Log Report),
type the Trend Micro Security Server name and port number.
5-14
4. Select the Auto-install Client/Server Security Client for unprotected

computer check box.
5. Click Install Account.
6. Type a user name and password with administrator privileges to the server (or
domain), and then click OK.
7. Click OK to go back to the main TMVS screen.
8. Click Start to begin checking the computers on your network and begin
Client/Server Security Agent installation.
Installing MSA from the Security Dashboard

The Messaging Security Agent (MSA) can also be installed from the Security
Dashboard.
To install the MSA from the Security Dashboard:
1. Log on to the Security Dashboard.
2. Click the Security Settings tab, and then click the Add button.
3. Under the Computer Type section, click Exchange server.
4. Under Exchange Server Information, type the following information:
• Server name: the name of the Exchange server to which you want to install
MSA
• Account: the user name that you use to log on to the Exchange server
• Password: the password for your Exchange account
5. Click Next. The Exchange Server Settings screen appears.
6. Under Web Server Type, select the type of Web server that you want to install
on the Exchange server. You can select either IIS Server or Apache Server.
7. Under Directories, change or accept the default target and shared directories for
the MSA installation. The default target and shared directories are
C:\Program Files\Trend Micro\Messaging Security
Agent and C$, respectively.
8. Click Next. The Exchange Server Settings screen appears.
5-15
9. Verify that the Exchange server settings that you specified in the previous screens
are correct, and then click Next to start the MSA installation.
10. To view the status of the MSA installation, click the Live Status tab.
Upgrading the Client/Server Security Agent

You can upgrade to a full version of Client Server Messaging Security from a
previous version or from a trial version. When you upgrade the Trend Micro Security
Server, clients are automatically upgraded.
Migrating from Trend Micro Anti-Spyware

If you have Trend Micro Anti-Spyware (TMASY) on the network, take note of the
following:
• If you install the CSM server on the same server as the TMASY server, the CSM
server setup program will not remove or upgrade the TMASY server. You need to
manually remove the TMASY server before installing the CSM server on the same
machine.
• Removing the TMASY client before installing the Client/Server Security Agent
(CSA) is not required. The CSA setup program will automatically remove the
TMASY client when detected on the same client computer, and then install CSA.
• The anti-spyware settings for CSA and TMASY are different. After installing the
CSAs, you may need to configure the anti-spyware settings to make them the same
as your previous TMASY client settings. Refer to Table 5-2 for a comparison of
the CSA and TMASY anti-spyware settings.
5-16
TABLE 5-2. Comparison of CSA and TMASY Anti-Spyware Settings
Client/Server Security Agent Trend Micro Anti-Spyware Client
Real-time Scan Enabled Disabled (Active Application

Monitoring)
Default action Clean Deny executable
Manual Scan
Scan type Full scan Quick scan
Default action Clean Scan and do nothing (auto clean is

disabled by default)
Scan on start N/A Enabled
Check network N/A Enabled
Scheduled Scan Disabled Enabled

Scan schedule Every Monday Daily
Scan time 12:30 23:00
Scan type Full scan Quick scan

Default action Clean Scan and do nothing (auto clean is
disabled by default)
Migrating from Third-party Antivirus

Applications
Migrating from third-party antivirus software to Client Server Messaging Security is
a two-step process: the installation of the Trend Micro Security Server, followed by
the automatic migration of the clients.
Automatic Client Migration

Automatic client migration refers to replacing existing third-party client antivirus
software with the Client/Server Security Agent program. The client setup program
automatically removes the third-party software on your client computers and replaces
it with the Client/Server Security Agent.
5-17
Refer to Table for a list of third-party client applications that Client Server
Messaging Security can automatically remove.
Note: Client Server Messaging Security only removes the following client installations,
not server installations
TABLE 5-3. Removable Third-party Client Applications
Trend Micro
PC-cillin™ (Internet Security) 2000

Virus Buster 2001, 2000, 2000 for NT ver.1.00-
PccillinCorp NT client
PccillinCorp 95 client
Symantec™
Norton™ Internet Security™ 2005, 2004, 2004 JP
Norton Antivirus™ CE 10.1

Norton Antivirus™ CE 8.1 server
Norton Antivirus™ CE 8.0 9x
Norton Antivirus™ CE 8.0 NT
Norton Antivirus™ CE 7.5 9x
Norton Antivirus™ CE 7.0 for Windows NT
Symantec Antivirus CE 9.0
Symantec Client Security 3.0 NT
Symantec Client Firewall 2004 9x/NT
Symantec LiveUpdate 2.6
LANDesk VirusProtect 5.0
McAfee™
VirusScan™ Enterprise 8.0, 7.1, 7.0, Virus Scan (MSPlus98), WebScanX v3.1.6, VirusScan
ASaP, 95 {3.20,4.01,4.02, 4.03(#4023),4.03a (#4059)}, NT 4.03a (#4019), 5.15, 5.16, 5.21,
6.01, 4.5, 4.51, Thin Client (TC)
VirusScan Professional 9.0
Managed VirusScan
5-18
SpamKiller
SecurityCenter
Desktop Firewall 8.0
NetShield™ NT 4.03a (build #4014, #4019), 4.5 (Build #4062)
Internet Security Suite™ 6.0
ePOAgent™1000, 2000, 3000
Dr.Solomon™ 4.0.3
Dr.Solomon™ 4.0.3 NT
Dr.Solomon™ 7.77, 7.95 NT
LANDesk™
VirusProtect™ 5.0
Computer Associates™
eTrustITM Agent 8.0

iTechnology iGateway 4.0
eTrustITM Server 8.0
eTrust AntiVirus™ 7.1

InocuLAN™ NT 4.5, 9.x, 4.53
eTrust InoculateIT™ 7.0, 6.0
InoculateIT™ Clients for Windows 6.0

InocuLAN™ 5
Cheyenne AntiVirus™ 9x, NT
Ahnlab™
V3 Pro™ 2000 Deluxe, 98, 98 Deluxe
Panda Software™
Platinum™ 7.0
Antivirus 2007 (and 2007+ Firewall Italian version)
Antivirus 6.0, Local Networks, Windows NT WS
5-19
Titanium Antivirus 2004
FileSecure
CVPSecure
FileSecure Workstation
F-Sercure™
Anti-Virus™ 4.04, 4.08, 4.2, 4.3, 5.3
Backweb™
Management Agent™
Internet Shield
E-mail Scanning
Kaspersky™
Antivirus Personal 4.0, Workstation 3.5. 5.4
Sophos™
Anti-Virus NT, NT 5.0.3.

AutoUpdate 1.4.0
Anti-Virus 9x
Authentium™
Command AntiVirus™ win 2000/XP, 4.64 for win 9x/ME, 4.8, 4.9, 4.90.0 Standalone, 4.8, 4.9,
4.91.0 Enterprise,
Grisoft™
Grisoft AVG 6.0, 7.0
Others
PER Antivirus
The Hacker Anti-Virus 5.5
eSafe Desktop v3
Norman Virus Control
5-20
NOD32 AV
F-Prot for Windows
Tegam ViGUARD 9.25e for Windows NT
ViRobot 2k Professional
Command AV 4.93.8 Standalone
Command AV 4.93.8 Enterprise
Verifying the Client Installation, Upgrade, or

Migration
After completing the installation or upgrade, verify that the Client/Server Security
Agent is properly installed.
To verify the installation, do the following:
• Look for the Client Server Messaging Security program shortcuts on the Windows
Start menu of the client running the Client/Server Security Agent.
• Check if Client Server Messaging Security is in the Add/Remove Programs list of
the client’s Control Panel.
• Use Vulnerability Scanner (see Using Vulnerability Scanner to Verify the Client
Installation on page 5-21).
Using Vulnerability Scanner to Verify the Client Installation

You can also automate Vulnerability Scanner by creating scheduled tasks. For
information on how to automate Vulnerability Scanner, see the Client Server
Messaging Security online help.
Note: You can use Vulnerability Scanner on machines running Windows 2000 and Server
2003; however, the machines cannot be running Terminal Server.
5-21
To verify client installation using Vulnerability Scanner:

1. In the drive where you installed the Trend Micro Security Server, open the
following directories: Trend Micro Security Server > PCCSRV > Admin >
Utility > TMVS. Double-click TMVS.exe. The Trend Micro Vulnerability
Scanner console appears.
3. Under Product Query, select the OfficeScan Corporate Edition/Security
Server check box and specify the port that the server uses to communicate with
clients.
4. Under Description Retrieval Settings, click the retrieval method to use. Normal
retrieval is more accurate, but it takes longer to complete.
If you click Normal retrieval, you can set Vulnerability Scanner to try to
retrieve computer descriptions, if available, by selecting the Retrieve computer
descriptions when available check box.
5. To have results automatically sent to yourself or to other administrators in your
organization, select the Email results to the system administrator check box
under Alert Settings. Then click Configure to specify your email settings.
• In To, type the email address of the recipient.
• In From, type your email address. If you are sending it to other administrators
in your organization, this will let the recipients know who sent the message.
• In SMTP server, type the address of your SMTP server. For example, type
smtp.company.com. The SMTP server information is required.
• In Subject, type a new subject for the message or accept the default subject.
6. Click OK to save your settings.
7. To display an alert on unprotected computers, click the Display alert on
unprotected computers check box. Then click Customize to set the alert
message. The Alert Message screen appears.
8. Type a new alert message in the text box or accept the default message and then
click OK.
9. To save the results as a comma-separated value (CSV) data file, select the
Automatically save the results to a CSV file check box. By default,
Vulnerability Scanner saves CSV data files to the TMVS folder. If you want to
5-22
change the default CSV folder, click Browse, select a target folder on your
computer or on the network, and then click OK.
10. Under Ping Settings, specify how Vulnerability Scanner will send packets to the
computers and wait for replies. Accept the default settings or type new values in
the Packet size and Timeout fields.
11. Click OK. The Vulnerability Scanner console appears.
12. To run a manual vulnerability scan on a range of IP addresses, do the following:
a. In IP Range to Check, type the IP address range that you want to check for
installed antivirus solutions and unprotected computers.
b. Click Start to begin checking the computers on your network.
13. To run a manual vulnerability scan on computers requesting IP addresses from a
DHCP server, do the following:
a. Click the DHCP Scan tab in the Results box. The DHCP Start button
appears.
b. Click DHCP Start. Vulnerability scanner begins listening for DHCP requests
and performing vulnerability checks on computers as they log on to the
network.
Vulnerability Scanner checks your network and displays the results in the Results
table. Verify that all desktop and notebook computers have the client installed.
If Vulnerability Scanner finds any unprotected desktop and notebook computers,
install the client on them using your preferred client installation method.
Testing the Client Installation with the EICAR

Test Script
Trend Micro recommends testing your product and confirming that it works by using
the EICAR test script. EICAR, the European Institute for Computer Antivirus
Research, developed the test script as a safe way to confirm that antivirus software is
properly installed and configured. Visit the EICAR Web site for more information:
http://www.eicar.org
5-23
The EICAR test script is an inert text file with a .com extension. It is not a virus and
does not contain any fragments of viral code, but most antivirus software will react to
it as if it were a virus. Use it to simulate a virus incident and confirm that email
notifications, HTTP scanning, and virus logs work properly.
WARNING! Never use real viruses to test your antivirus installation.
To test the client installation with the EICAR test script:

1. Make sure Real-time scan is enabled on the client.
2. Copy the following string and paste it into Notepad or any plain text editor:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FI
LE!$H+H*
3. Save the file as EICAR.com to a temporary directory. Client/Server Security
Agent should immediately detect the file.
4. To test other computers on your network, attach the EICAR.com file to an email
message and send it to one of the computers.
Note: Trend Micro also recommends testing a zipped version of the EICAR file. Using
compression software, zip the test script and perform the steps above.
To test the client installation HTTP scanning capability:

• Download the EICAR.com test script from either of the following URLs:
http://www.trendmicro.com/vinfo/testfiles/
http://www.eicar.org/anti_virus_test_file.htm
Client/Server Security Agent should show that it detected the EICAR test file.
Removing the Client

There are two ways to remove the client – from the Security Dashboard and by
running its uninstallation program.
5-24
Removing the Client Using Its Uninstallation Program

If you granted users the privilege to remove the client program, instruct them to run
the client uninstallation program from their computers. For more information, see the
Trend Micro Security Server online help.
To run the client uninstallation program:
1. On the Windows Start menu, click Settings > Control Panel > Add or Remove
Programs.
2. Select Trend Micro Client/Server Security Agent and click Change/Remove.
The Client/Server Security Agent Uninstallation screen appears and prompts
for the uninstall password.
3. Type the uninstall password and then click OK. The Client/Server Security
Client Uninstallation screen shows the progress of the uninstallation.
When uninstallation is complete, the message "Uninstallation is complete" appears.
Removing the Client from the Security Dashboard

You can also remove a client remotely from the Security Dashboard.
To remove a client from the Security Dashboard:
1. Log on to the Security Dashboard.
2. Click the Security Settings tab.
3. In the client or server tree, select the client that you want to remove, and then
click Remove. The Remove Computer screen appears.
4. Under Removal Type, click Uninstall the selected agent(s), and then click
Apply. A confirmation message appears.
5. Click OK. A popup screen appears and displays the number of uninstall
notifications that were sent by the server and received by the target client.
6. Click OK.
To verify that the client has been removed, refresh the Security Settings screen. The
client that you removed should have disappeared from the client or server tree.
5-25
5-26
Chapter 6
The Trend Micro Security Dashboard

for SMB
This chapter describes the main features, elements, and navigation methods of the
Security Dashboard.
• Exploring the Security Dashboard on page 6-2
• Getting Around the Security Dashboard on page 6-3
6-1
Exploring the Security Dashboard

When you install the Trend Micro Security Server, you also install the Security
Dashboard, which uses standard Internet technologies such as Java, CGI, HTML, and
HTTP.
To open the Security Dashboard:
1. On any computer on the network, open a Web browser and type the following in
the address bar:
http://{Client Server Messaging Security_Server_Name}:{port
number}/SMB in the address bar.
If using SSL type the following in the address bar:

https://{Client Server Messaging Security_Server_Name}:{port
number}/SMB
2. The browser displays the Trend Micro Security Dashboard for SMB login screen.
FIGURE 6-1. Login Screen of the Security Dashboard
3. Type your password in the Password text box, and then click Log on. The
browser displays the Live Status screen of the Security Dashboard.
6-2
The Trend Micro Security Dashboard for SMB
FIGURE 6-2. Live Status Screen
Getting Around the Security Dashboard

There are two main parts to the Security Dashboard: the main navigation menu and
the main body frame. Some screens contain a side menu and a tool bar.
The main navigation menu contains the following sections:
Live Status
• View the latest threats to client computers, servers, and mail servers.
• Deploy updates to at-risk clients.
• Monitor server disk space.
Security Settings
• Configure security setting for client computers, servers, and mail servers.
• Replicate settings from one client, server, or mail server to another.
6-3
• Install protection to clients, servers, and mail servers.

• Configure the Spyware/Grayware Approved List (can also be configured from
Scans)
Outbreak Defense
• View recent virus outbreak activity.
• Scan clients, servers, and mail servers for vulnerabilities.
• View the vulnerability level of different clients, servers, and mail servers.
• Detect vulnerabilities on clients, servers, and mail servers.
• View and clean-up clients, servers, and mail servers that are infected with viruses
or other malware.
Scans
• Scan clients, servers, and mail servers for malicious applications.
• Configure the Spyware/Grayware Approved List (can also be configured from
Security Settings)
• Schedule scans of clients, servers, and mail servers.
Updates
• Check the Trend Micro ActiveUpdate server for the latest updated components,
including virus pattern files, virus scan engine, spyware pattern, spyware scan
engine, anti-rootkit driver, spyware active-monitoring pattern, program files, and
Damage Cleanup scan engine and template.
• Configure update source.
• Configure update schedule.
• Assign and configure update agents.
Preferences
• Set up notifications for different events that occur.
• Configure global settings for ease of maintenance.
6-4
The Trend Micro Security Dashboard for SMB
• Use different client and administrative tools to help manage security for the
network and clients.
• View product license information, maintain the administrator password, and help
keep the global business environment safe by joining the World Virus Tracking
program.
Help
• Use the help menu to get answers to Client Server Messaging Security questions,
view other Trend Micro security solutions, and get customer support.
6-5
6-6
Chapter 7
Configuring Desktop and Server

Groups
This chapter explains how to set real-time scan options, configure Personal Firewall
settings, set desktop privileges, and specify a quarantine directory for desktop and
server groups.
• Configurable Options for Desktop and Server Groups on page 7-2
• Configuring Real-time Scan on page 7-2
• Using the Personal Firewall on page 7-8
• Using Desktop Privileges on page 7-14
• Using Quarantine on page 7-17
7-1
Configurable Options for Desktop and Server

Groups
The following items can be accessed by clicking the Configure tool:
• Antivirus/Anti-spyware – Configure real-time scan antivirus and anti-spyware
options for all members of the group.
• Firewall – Configure Personal Firewall options for all members of the group.
• Client Privileges – Configure privileges for all members of the group.
• Quarantine – Specify the Quarantine directory for all members of the group.
Configuring Real-time Scan

Use the Configure tool on the Security Settings page to set real-time scan settings for
all members of the group.
To configure Real-time scan:
1. On the main menu, click Security Settings. The Security Settings screen
appears.
FIGURE 7-1. Security Settings Screen
7-2
Configuring Desktop and Server Groups
2. From the Security Settings screen, select a group, and then click the Configure
tool. The Configure screen for the selected group appears with the
Antivirus/Anti-spyware configuration options displayed by default.
FIGURE 7-2. Security Settings - Desktop/Server Configuration Screen
3. To enable antivirus real-time scan, select the Enable real-time antivirus check
box.
4. To enable anti-spyware real-time scan, select the Enable real-time anti-spyware
check box.
5. Select the Target tab to specify settings for the following options:
• Use IntelliScan – Uses true file type identification – Click to use IntelliScan
(see Trend Micro IntelliScan on page B-3).
• All scannable files – Click to scan all files that the client opens or saves
• Scan files with the following extensions – Click to manually specify the files
to scan based on their extensions
You can add or delete extensions from the default set of extensions.
7-3
Tip: You can also use ? and * as wildcards when specifying extensions. For example,
if you want to scan all files with extensions starting with D, you can type .D? or
.D*. Client/Server Security will scan all files with extensions starting with D,
including .DOC, .DOT, and .DAT. This option is only available for Real-time
Scan.
6. From the Select a condition section, choose one of the following conditions for
scanning to occur:
• Scan files being created/modified and retrieved
• Scan files being retrieved
• Scan files being created/modified
7. Exclusions – Select Enable Exclusions to exclude certain directories, files, and
extensions from scanning. See Excluding Files and Folders from Scans on page
7-6
8. Advanced Settings – Select Advanced Settings to choose the following
advanced options:
For Antivirus Only
• Enable IntelliTrap – (Default)
• Scan mapped drives and shared folders on the network
• Scan floppy during system shutdown
• Scan compressed files: Up to {number}compression layers
For Anti-spyware Only
• Click the Modify Spyware/Grayware Approved List link to add to or
modify the list of spyware/grayware applications that are allowed to run on
clients and servers that belong to the group.
i. Use Search or the Quick Find links to locate the spyware/grayware
application that you want to allow.
ii. Select the application name in the left pane. To select multiple
applications, press CTRL while clicking the application names.
iii.Click Add.
9. Click Save to go back to the antivirus/anti-spyware security settings page.
7-4
10. Click the Action tab, and then specify how to handle Internet threats when
Client/Server Security detects them. Scan actions for viruses and spyware are
configured separately.
For Virus Detections
• ActiveAction – (see Trend Micro ActiveAction on page B-4).
• Perform the same action for all detected Internet threats
• Customized action for the following detected threats
In the Action list, select the action to perform on infected files. You can click
Pass, Delete, Rename, Quarantine, and Clean. The recommended scan
action is Clean.
In the Action for Uncleanable Threats list, select the action to perform if a
threat is uncleanable.
Client/Server Security only performs the uncleanable threats action if the
primary action is not successful. You can select actions for the following types
of Internet Threats (the default action is specified below):
• Joke: Quarantine
• Worm/Trojan: Quarantine
• Virus: Clean
• Test virus: Pass
• Packer: Quarantine
• Other threats: Clean
• Backup detected file before cleaning check box – Select this check box
(recommended) to save a copy of the file before it is cleaned. This saves a
copy of the infected file in the following directory on the client computer:
C:\Program Files\Trend Micro\Client Server Security
Agent\Backup
7-5
For Spyware Detection

• Clean – Remove any spyware detected by real-time scan
• Deny access – Prevent spyware from being installed, accessed, or executed
WARNING! Denying spyware access to the computer does not remove the spyware
threat from infected clients and servers.
11. Click Advanced Settings to view advanced setting options.

• To display an alert message on the client when a virus is detected, select
Display an alert message on the desktop or server when a virus is
detected.
12. Click Save.
Excluding Files and Folders from Scans

To increase the performance of scanning and to skip files that are causing false
alarms, you can exclude certain files, folders, and file types from scanning. The items
you add to the exclusion list will be skipped by Real-time Scan.
To exclude files and folders from scanning:
1. On the main menu, click Security Settings, select a group, and click Configure.
The Security Settings screen will appear.
2. To configure exclusion options, click the Antivirus/Anti-spyware link from the
side menu. The main frame changes to display the Antivirus/Anti-spyware
configuration options. By default, the Target tab is selected.
3. Click the expand button next to the Exclusions section. The section expands to
display Exclusion configuration options.
4. Under Exclusions, make sure that the check box next to Enable Exclusions is
selected.
5. To exclude all folders containing Trend Micro products and components, select
the Do not scan the directories where Trend Micro products are installed
check box. To view details about the Trend Micro products excluded see Trend
Micro Product Exclusion List on page D-1.
7-6
6. To exclude specific directories, type the directory names under Enter the
directory path (E.g. c:\temp\ExcludeDir) and click Add.
7. To exclude specific files by file name, type the file names, or the file name with
full path under Enter the file name or the file name with full directory path
(E.g. ExcludeDoc.hlp; c:\temp\excldir\ExcludeDoc.hlp) and click Add.
Note: All subdirectories in the directory path you specify will also be excluded.
8. Specify the files to exclude based on their extensions.

To use specified extensions, select the extensions to protect from the Select file
extension from the list, and click Add.
To specify an extension that is not in the list, type it in the Or type the extension
below text box, and then click Add.
Note: Wildcard characters, such as "*", are not accepted for file extensions.
9. To apply this setting to all future clients that will belong to the group you
selected, click Save.
Note: If Microsoft Exchange Server is running on your client machines, Trend Micro
recommends excluding all Microsoft Exchange Server folders from scanning. To
exclude scanning of Exchange server folders on a global basis, go to
Preferences > Global Settings, click the Server/Desktop tab, and then select
Exclude Microsoft Exchange server folders when installed on Microsoft
Exchange server.
7-7
Using the Personal Firewall

Trend Micro Client Server Messaging Security for SMB has simplified the process of
configuring the Personal Firewall. In this version of Client Server Messaging
Security, there are two options to choose from when configuring the Personal
Firewall, simple mode and advanced mode. Simple mode enables the firewall with
the Trend Micro recommended default settings. Use advanced mode to customize the
Personal Firewall settings.
Personal Firewall Features

Personal Firewall helps protect Client Server Messaging Security Windows
2000/XP/Server 2003 clients from hacker attacks and network viruses by creating a
barrier between the client and the network.
Personal Firewall Defaults for Simple Mode

Personal Firewall provides default settings to give you a basis for initiating your
client firewall protection strategy. The defaults are meant to include common
conditions that may exist on your clients, such as the need to access the ScanMail for
Microsoft Exchange Web console.
TABLE 7-1. Personal Firewall Default Settings
Default Security
Level Description
Low Inbound and outbound traffic allowed, only network viruses blocked.
Default Settings Status
Intrusion Detection Disabled

System
Alert Message (send) Disabled
Default Exception
Action Protocol Port Direction
Name
DNS Allow TCP/UDP 53 Incoming and

outgoing
7-8
Default Exception
Action Protocol Port Direction
Name
NetBIOS Allow TCP/UDP 137,138,139,445 Incoming and

outgoing
HTTPS Allow TCP 443 Incoming and

outgoing
HTTP Allow TCP 80 Incoming and

outgoing
Telnet Allow TCP 23 Incoming and

outgoing
SMTP Allow TCP 25 Incoming and

outgoing
FTP Allow TCP 21 Incoming and

outgoing
POP3 Allow TCP 110 Incoming and

outgoing
Traffic Filtering
Personal Firewall filters all incoming and outgoing traffic, providing the ability to
block certain types of traffic based on the following criteria:
• Direction (incoming or outgoing)
• Protocol (TCP/UDP/ICMP)
• Destination ports
• Destination computer
Intrusion Detection System

Personal Firewall also includes an Intrusion Detection System (IDS). When enabled,
IDS can help identify patterns in network packets that may indicate an attack on the
client. Personal Firewall can help prevent the following well-known intrusions:
• Too Big Fragment
• Ping of Death
• Conflicted ARP
• SYN flood
7-9
• Overlapping Fragment
• Teardrop
• Tiny Fragment Attack
• Fragmented IGMP
• LAND attack
Exceptions
Exceptions are comprised of specific settings that allow or block different kinds of
traffic based on client port number(s) and IP address(es). You can configure a list of
exceptions. The exceptions in the list override the Security level settings.
Exception settings include the following:
• Action – Block or allow all traffic that meets the exception criteria
• Direction – Inbound or outbound network traffic to/from the client.
• Protocol – The type of traffic: TCP, UDP, ICMP.
• Port(s) – Ports on the client computer on which to perform the action.
• Computers – The computers on the network to which the above traffic criteria
apply.
Configuring Exceptions: An Example

During an outbreak, you may choose to block all client traffic, including the HTTP
port (port 80). However, if you still want to grant the blocked clients access to the
Internet, you can add the Web proxy server to the exception list.
Configuring Personal Firewall – Simple Mode

This section provides the necessary steps for successful deployment of Personal
Firewall. By default, Client Server Messaging Security disables the Personal Firewall
on all new groups and clients.
To configure Personal Firewall:
1. On the main menu, select Security Settings. The Security Settings screen
appears.
2. Select a group and then click Configure. The Configuration screen for the
selected group appears.
7-10
3. From the side menu, select Firewall. The Firewall Configuration screen
appears.
FIGURE 7-3. Personal Firewall – Simple Mode Screen
4. In the main frame, select the Enable Firewall check box.

5. Select Simple mode. Simple mode uses the Trend Micro recommended default
settings. For more information about the default firewall settings see Personal
Firewall Defaults for Simple Mode on page 7-8
Tip: Trend Micro recommends uninstalling other software-based firewalls before

deploying and enabling Personal Firewall. Multiple vendor firewall installations on
the same computer may produce unexpected results.
For the latest information regarding third-party firewall compatibility issues, see
Knowledge Base Solution ID 20473. It is available at the following Web site:
http://esupport.trendmicro.com/support/viewxml.do?Content
ID=en-120437
Configuring the Personal Firewall - Advanced Mode

This section provides the necessary steps for successful deployment of Personal
Firewall. By default, Client Server Messaging Security disables the Personal Firewall
on all new groups and clients.
7-11
To deploy the firewall:

appears.
2. Select a group or groups, and then click Configure. The configuration screen
for the selected group(s) appears
3. Click Firewall on the side menu. The Firewall Configuration screen appears
with Enable Firewall and Simple mode selected by default.
4. To configure advanced settings, select Advanced mode. The Firewall
Configuration screen changes to display the advanced settings options.
FIGURE 7-4. Personal Firewall – Advanced Mode Screen
5. If Enable Firewall is not already selected, select it.

6. Under the Security Level heading, select a security level to allow or block
inbound/outbound traffic.
7. Under the Settings heading, select the options to apply. The options are Enable
Intrusion Detection System and Enable Alert Message.
7-12
8. Under the Exceptions heading, select the ports to exclude from blocking in the
event of an outbreak.
To add, remove, or edit the port exception list, click the corresponding tool and
follow the onscreen instructions. To create a new exception, perform the
following:
a. Click Add. The Add Exception screen appears.
b. Type a name for the exception.
c. Next to Action, choose whether to allow or deny network traffic for this
exception.
d. Next to Direction, select Inbound and/or Outbound.
e. From the Protocol list, select a network traffic protocol:
• All
• TCP/UDP (default)
• TCP
• UDP
• ICMP
f. Specify ports to exclude from blocking:
• All ports (default)
• Port range
• Specified ports
g. Under Machines, specify client IP addresses.
• All IP addresses (default)
• Single IP – To resolve the client host name to an IP address, click
Resolve.
• IP range
h. Click Save. The Firewall Configuration screen appears with the new
exception in the exception list.
9. Click the check boxes next to the exceptions you want to include.
7-13
Disabling the Firewall

From the Security Dashboard, disable Personal Firewall on client computers.
To disable the Personal Firewall:
appears.
2. Select a group and then click Configure. The configuration screen for the
3. From the side menu, select Firewall. The Firewall Configuration screen
appears.
4. To disable the firewall for the group, deselect the Enable Firewall check box.
5. Click Save.
Note: Deselecting the Enable Firewall check box will disable the firewall for both simple
and advanced mode.
Using Desktop Privileges

You can grant users privileges to modify individual scan settings and remove or
unload the client, while retaining control over Client Server Messaging Security on
your network. Granting users privileges is simply a way of sharing control over
individual client settings.
However, to enforce a uniform antivirus policy throughout your organization, Trend
Micro recommends granting limited privileges to users. This ensures that Client
Server Messaging Security does not modify the scan settings or remove the clients
without permission.
To grant privileges to clients:
1. On the main menu, select Security Settings. The Security Settings screen
appears. Select the group to which to grant privileges, and then from the Security
Settings toolbar, click the Configure icon. The configuration screen for the
2. From the side menu, select Client Privileges.
7-14
FIGURE 7-5. Desktops and Servers Privileges Screen
3. Select the privileges to grant users.

• Antivirus
• Manual Scan settings
• Scheduled Scan settings
• Real-time Scan settings
• Stop Scheduled Scan
• Enable roaming mode
7-15
• Anti-spyware
• Manual Scan settings
• Scheduled Scan settings
• Real-time Scan settings
• Firewall
• Display Firewall tab
• Allow desktops to enable/disable firewall
Note: If you allow clients to enable or disable the firewall, you cannot change these
settings from Security Dashboard. If you do not grant clients this privilege, you
can change these settings from the Security Dashboard. The information under
Local Firewall settings on the client console always reflects the settings
configured from the client console, not the Security Dashboard.
• Mail Scan – Select the check boxes for the Mail Scan privileges to grant
users.
• Display mail scan tab
• Install/upgrade POP3 mail scan module
• Real-time POP3 mail scan settings
• Proxy Setting
• Allow agent user to configure proxy settings
• Update Privileges
• Perform "Update Now!"
• Enable/Disable Scheduled Update
• Update Settings
• Download from Trend Micro ActiveUpdate Server
Tip: To ensure that laptop users are updated when they are out of the office, make
sure that the Download from Trend Micro ActiveUpdate Server option is
selected.
• Enable Scheduled Update
7-16
• Forbid program upgrade and hot fix deployment

When client users initiate an update, the client machine gets updates from the
update source specified on the Update Source screen. If the update fails, the
client machines attempt to update from the Trend Micro Security Server.
Selecting Download from the Trend Micro ActiveUpdate server enables
clients to attempt to update from the Trend Micro ActiveUpdate server if the
update from the Trend Micro Security Server fails.
• Client Security
• Normal – Click to allow clients read/write access to the Client/Server
Security Agent folders, files, and registries on client machines.
• High – Click to restrict clients from accessing Client/Server Security
Agent folders, files, and registries.
Note: If you select High, the access permissions settings of the Client/Server Security
Agent folders, files, and registries are inherited from the Program Files folder
(for client machines running Windows Vista/2000/XP/Server 2003).
Therefore, if the permissions settings (Security settings in Windows) of the
WINNT file or Program Files folder are set to allow full read/write access,
selecting High still allows clients full read/write access to the Client/Server
Security Agent folders, files, and registries.
4. Click Save.
Using Quarantine
In Quarantine directory, type a Uniform Resource Locator (URL) or Universal
Naming Convention (UNC) path to store the infected files. If an invalid quarantine
directory is specified, Client Server Messaging Security uses the default quarantine
directory on the client:
C:\Program Files\Trend Micro\Client Server Security Agent\SUSPECT
To set the Quarantine directory:
appears.
7-17
2. Select a desktop or server and click Configure. The Configuration screen for
the selected item appears.
3. Click Quarantine from the side menu. The Quarantine Directory screen
appears.
FIGURE 7-6. Desktop/Server Quarantine Screen
4. In Quarantine directory, type a Uniform Resource Locator (URL) or Universal

Naming Convention (UNC) path to store the infected files. If an invalid
quarantine directory is specified, Client Server Messaging Security uses the
default quarantine directory on the client.
5. Click Save.
7-18
Chapter 8
Protecting Your Microsoft Exchange

Servers
This chapter describes the Trend Micro Messaging Security Agent, and explains how
to set real-time scan options, configure anti-spam, content filtering, attachment
blocking, and quarantine maintenance options for Microsoft Exchange™ servers.
• The Messaging Security Agent on page 8-2
• Configurable Options for Exchange Server Groups on page 8-2
• Trend Micro Default Scan Settings on page 8-3
• Real-Time Virus Scanning on Exchange Servers on page 8-4
• About Blocking Attachments on page 8-15
• Screening Out Spam on page 8-17
8-1
The Messaging Security Agent

Client Server Messaging Security uses the Messaging Security Agent to gather
security information from Microsoft Exchange servers. For example, the Messaging
Security Agent reports spam detections or completion of component updates to the
Trend Micro Security Server. The information displays in the Security Dashboard
and the Trend Micro Security Server uses it generate logs and reports about the
security status of your Microsoft Exchange servers.
The Messaging Security Agent helps prevent email-borne viruses by scanning email
passing in and out of the Microsoft Exchange Mailbox Store as well as email that
passes between the Exchange Server and external destinations. In addition, the
Messaging Security Agent helps stop spam before it arrives at its destination.
Whenever the Messaging Security Agent backs up, quarantines, or archives an
infected file, it encrypts the file and stores it in the MSA storage folder, typically in
Client\storage\. This helps prevent users from opening the infected file and
spreading the virus to other files on the computer. If an infected file that has been
encrypted by MSA needs to be opened, use the Restore Encrypted Virus
(VSEncode.exe) tool. For more information on restoring files encrypted by MSA,
refer to Restore Encrypted Virus on page 15-8.
Note: Each detected threat generates one log entry/notification. This means that if
Messaging Security Agent detects multiple threats in a single email, it will generate
multiple log entries and notifications. There may also be instances when the same
threat is detected several times, especially if you are using cache mode in Outlook
2003. When cache mode is enabled, the same threat may be detected both in the
transport queue folder and Sent Items folder, or in the Outbox folder.
Configurable Options for Exchange Server Groups

The following items can be accessed by clicking Configure from the Security
Settings screen:
• Antivirus – Configure real-time scan options for all members of the group.
• Anti-spam – Set spam detection level, configure approved/blocked senders list,
and set actions for spam.
8-2
Protecting Your Microsoft Exchange Servers
• Content Filtering – Enable and configure content filtering.

• Attachment Blocking – Specify attachment blocking requirements.
• Quarantine – Perform queries, quarantine maintenance, and set Quarantine
directories.
• Operations – Perform spam maintenance, set internal email address, and set
system debugger options.
Trend Micro Default Scan Settings

Consider the options listed in Table to help you optimize your Messaging Security
Agent configurations.
TABLE 8-1. Trend Micro Default Actions for the Messaging Security Agent
Scan option Real-time scan Manual and Scheduled

scan
Anti-spam
Spam Quarantine message to Not supported

user’s spam folder (Default:
If End User Quarantine
installed)
Phish Delete entire message Not supported
Content filtering
Filter messages that match Quarantine entire message Replace

any condition defined
Filter messages that match Quarantine entire message Not available

all conditions defined
Monitor the message Quarantine entire message Replace

content of particular email
account(s)
Create exemption for Pass Pass

particular email account(s)
Attachment blocking
Action Replace attachment with Replace attachment with

text/file text/file
8-3
TABLE 8-1. Trend Micro Default Actions for the Messaging Security Agent
Manual and Scheduled

Scan option Real-time scan scan
Antivirus
Scanning for email Action: ActiveAction Action: ActiveAction

message body and (default) (default)
attachment
Other
Encrypted and Password Action: Pass The same as for real-time

protected files (When you configure the scanning
action to Pass, encrypted
files and files that are
protected by passwords are
passed and the event is not
logged)
Excluded files Action: Pass The same as for real-time
(Files over specified (When you configure the scanning
scanning restrictions) action to Pass, files or
message body over the
specified scanning
restrictions are passed and
the event is not logged)
Real-Time Virus Scanning on Exchange

Servers
The Messaging Security Agent guards all known virus entry points with real-time
scanning of all incoming messages, SMTP messages, documents posted on public
folders, and files replicated from other Microsoft Exchange servers.
The Messaging Security Agent scans the following in real time:
• All incoming and outgoing email messages
• SMTP messages arriving at Exchange from the Internet
• Public-folder postings
• All server-to-server replications
8-4
Note: The speed of real-time scanning depends on its settings. You can increase the
performance of real-time scans by specifying certain file types that are
vulnerable to viruses or by limiting the maximum number of compression layers
to scan.
The following are the basic steps for configuring anti-virus. The Messaging Security
Agent provides identical options to configure Real-time, Manual, and Scheduled virus scans.
Refer to Scanning Exchange Servers for Viruses, Malware, and Other Threats on
page 10-5 for more information about configuring Manual and Scheduled scans.
Step 1: Select the Target tab and set the files to include in your scan.
The target for a scan is the file(s) or content contained in email messages. The
Messaging Security Agent usually scans the files according to the true file type
unless you configure the Messaging Security Agent to scan specific file types.
SeeFile Types Eligible for Scanning on page 8-5.
Step 2: Select the Action tab to set the actions that the Messaging Security Agent
takes when it detects a virus or other threat in the files you specified.
You can select ActiveAction to use the Trend Micro recommended actions or
customize your actions according to the type of threat detected.
When the Messaging Security Agent (MSA) detects a threat in an email, it can send
notifications to the email sender and/or recipients. From this screen, you can choose
who MSA should notify when it detects a threat in an email. See Sending
Notifications as a Course of Action on Detected Email Threats on page 8-12
Step 3: Select the Preferences > Notifications menu item to set who is notified
when virus events occur and how they receive notification. See Configuring Event
Notifications on page 13-2.
File Types Eligible for Scanning

By default, the Messaging Security Agent scans all scannable outgoing, incoming
and stored messages in your Exchange environment. Scanning all files provides the
maximum security possible. However, scanning every message requires a lot of time
and resources and might be redundant in some situations. Therefore, you might want
to limit the amount of files the Messaging Security Agent includes in the scan. Table
8-5
describes the methods that the Messaging Security Agent can use to determine which
files to scan.
TABLE 8-2. Types of Target Files
Target type Description
All scannable files Messaging Security Agent scans for viruses, worms,
Trojans, and other malicious code in all file attachments -
except unscannable files. Unscannable files are
encrypted or password protected files.
See About Scannable Files on page 8-6 for more

information about files that Messaging Security Agent
does not scan.
IntelliScan IntelliScan uses Trend Micro recommended settings to

perform an efficient scan
See True File Type on page B-5 for more information

about how the Messaging Security Agent identifies true
file types.
Specific file type The Messaging Security Agent scans only the file types
you specify. File type is determined by file extension
name. For ease of use, Trend Micro has grouped file
extension types in functional groups. Select file types by
group or drill-down to select individual file extension
types.
For some files, such as very large attachments and compressed files, you can set
restrictions on how the Messaging Security Agent scans (See Set Exclusions for
Large Attachments and Compressed Files on page 8-7).
About Scannable Files

When you select All scannable files, the Messaging Security Agent scans all files
except files that are encrypted, password protected, or those it judges to be
unscannable. To protect yourself from threats contained in unscannable files,
configure the Messaging Security Agent to execute a special action against
unscannable files.See About the Messaging Security Agent Scan Actions on page 8-8
8-6
Files That Are Not Scanned

The scan engine does not scan some files that are unlikely to harbor viruses, for
example, .gif files. The scan engine determines whether it is necessary to scan a file
by examining the file header—if the scan engine determines that the file content
matches a type that does not harbor viruses, then it does not examine the content of
the file body.
Set Exclusions for Large Attachments and Compressed Files

You can configure how the Messaging Security Agent scans email messages that
have a large message body or contain very large attachments, and/or compressed
files. Use the options from Anti-virus > Scanning restrictions to set limits for the
Messaging Security Agent. The Messaging Security Agent will not scan files that
exceed your limits.
Note: A compression layer is added each time a file is compressed. That is, if a file is
compressed and then compressed again, it has two layers of compression.
Tip: Trend Micro recommends using Exclusions to set scanning restrictions to protect
against Denial of Service attacks (DoS). DoS attacks cause a loss of service, namely
a network connection. Typically, DoS attacks negatively affect network bandwidth or
overload computer resources such as memory.
See Screening Out Spam on page 8-17 for more information about how the
Messaging Security Agent processes compressed files.
How the Messaging Security Agent Scans Emails

The Messaging Security Agent (MSA) first scans emails for spam and then scans for
content filtering violations. It next scans for attachments that are in violation of
administrator defined rules. Finally the MSA scans for viruses.
The MSA completes the following scanning processes when scanning emails
1. Scans for spam (Anti-spam)
a. Compares the email to the administrator’s approved/blocked senders list
b. Checks for phishing occurrences
8-7
c. Compares the email with the Trend Micro supplied exception list
d. Applies heuristic scanning rules
e. Compares the email with the Spam signature database
2. Scans for content filtering rule violations
3. Scans for attachments that exceed user defined parameters
4. Scans for viruses (Antivirus)
About the Messaging Security Agent Scan Actions

When the Messaging Security Agent detects a file that matches your scanning
configurations, it executes an action to protect your Exchange environment. The type
of action it executes depends on the type of scan it is performing (real-time, manual,
or scheduled) and the type of actions you have configured for the Messaging Security
Agent to take against the detected threat.
You can configure the Messaging Security Agent to execute one of the following
basic types of action:
ActiveAction: Select ActiveAction to have the Messaging Security Agent execute
actions recommended by Trend Micro. SeeTrend Micro ActiveAction on page B-4.
Customized Action: You can configure the Messaging Security Agent to take
customized actions according to the type of threat presented by viruses, Trojans,
worms, packers, and other threats. SeeUsing Customized Actions on page 8-9.
Advanced Options: Use the Advanced Options to:
• Set the action the Messaging Security Agent takes against unscannable or excluded
files.
• Enable macro scanning and set the macro scanning method.
• Set up the backup directory to where the Messaging Security Agent moves backed
up files.
• Type the text that the Messaging Security Agent uses when it replaces text/file.
8-8
Types of Security Threats

The types of computer security threats are constantly changing. The Messaging
Security Agent is designed to counter all prevalent attacks. Table 8-3 introduces
some common types of security threats that the Messaging Security Agent can
protect your Exchange environment against.
TABLE 8-3. Types of Security Threats
Attack type Description
A virus is a malicious code that infects files so that it can

replicate and cause damage to your computer. In
Viruses messaging environments, infected files are often spread
through email attachments. When infected files are
executed, viruses replicate and may damage your
computer’s files or operations.
A Trojan horse program is a program that performs some

unexpected or unauthorized - usually malicious – actions.
Trojans, like regular programs, must be run to be
Trojans effective. Frequently Trojan horse programs are installed
and/or run when users launch a seemingly harmless
application by clicking on an email attachment.
A computer worm is a self-contained program (or set of

Worms programs) that can spread functional copies of itself or its
segments to other computer systems. Worms often use
email and applications to propagate.
A compressed and/or encrypted Windows or Linux

executable program, often a Trojan. Compressing
Packers executables makes them more difficult for Antivirus
products to detect.
The Messaging Security Agent detects some malicious

code that is difficult to categorize, but poses a significant
Other threats threat to Exchange. This category is useful when you
want the Messaging Security Agent to perform an action
against a previously unknown threat type.
Using Customized Actions

You can configure the Messaging Security Agent to take actions according to the
type of threat presented by viruses, Trojans, and worms. If you use customized
8-9
actions, you can set an action for each type of threat. The Messaging Security Agent
executes the action you set when it detects a threat of the matching type.
TABLE 8-4. Messaging Security Agent Customized Actions
Action Description
Clean Removes malicious code from infected message bodies and

attachments. The remaining email message text, any uninfected files,
and the cleaned files are delivered to the intended recipient(s). Trend
Micro recommends you use the default scan action clean for viruses.
Under some conditions, the Messaging Security Agent cannot clean a

file. SeeAbout Uncleanable Files on page 8-11.
During a manual or scheduled scan, the Messaging Security Agent

updates the Information Store and replaces the file with the cleaned one.
Replace with The Messaging Security Agent deletes the infected content and replaces
text/file it with text or a file. The email message is delivered to the intended
recipient, but the text replacement informs them that the original content
was infected and was replaced.
Quarantine Moves the email message to a restricted access folder, removing it as a

entire message security risk to the Exchange environment. The original recipient will not
receive the message. This option is not available in manual and
scheduled scanning.
SeeSetting up the Quarantine Folder on page 8-40 for more

information about the quarantine folder.
Delete entire During real-time scanning, the Messaging Security Agent deletes the
message entire email message. The original recipient will not receive the
message. This option is not available in manual or scheduled scanning.
The delete action in Client Server Messaging Security 3.6 differs from
that of previous versions of Messaging Security such as ScanMail 6.21.
ScanMail 6.21 used the action delete to remove the contents of a
message and replace it with a warning text. The delete entire message
in Client Server Messaging Security 3.6 will completely delete messages
and will not send the message on to the original recipient.
8-10
TABLE 8-4. Messaging Security Agent Customized Actions
Action Description
Pass Records virus infection of malicious files in the Virus logs, but takes no
action.
Note: For Excluded files or Encrypted and Password protected

files, when you configure the action to Pass, files or
message body over the specified scanning restrictions, or
encrypted files and files that are protected by passwords
are passed and the event is not logged
Mass-mailing Behavior
Email-aware viruses, like the infamous Melissa, Loveletter, AnnaKournikova and
others, have the ability to spread through email by automating the infected
computer's email client. Mass-mailing behavior describes a situation when an
infection spreads rapidly between clients and servers in an Exchange environment.
Trend Micro designed the scan engine to detect behaviors that mass-mailing attacks
usually exhibit. The behaviors are recorded in the Virus Pattern file that is updated
using the TrendLabs™ ActiveUpdate Servers.
Enable the Messaging Security Agent to take action against these attacks whenever it
detects a mass-mailing behavior. The action set for mass-mailing behavior takes
precedence over all other actions. The default action against mass-mailing attacks is
Delete entire message.
About Uncleanable Files

When the Messaging Security Agent cannot successfully clean a file, it labels the file
"uncleanable" and performs the user-configured action for uncleanable files. The
default action is Delete entire message. The Messaging Security Agent records all
virus events and associated courses of action in the log file.
Some common reasons why the Messaging Security Agent cannot perform the clean
action are as follows:
• The file contains a Trojan, worm, or other malicious code. To stop an executable
from executing, the Messaging Security Agent must completely remove it.
8-11
• The Messaging Security Agent does not support the compression format used to
compress the file. The scan engine only cleans files compressed using pkzip and
only when the infection is in the first layer of compression.
For example, consider a compressed file titled “EuropeanBusinessTrip.zip” which
contains the following
FIGURE 8-1. Compression Layers Explained
EuropeanBusinessTrip.zip is 3
compression layers deep.
Only files in the first compression

layer, shown in red font, such as
"Airline ticket" and "Sightseeing on
the weekend" can be cleaned.
• An unexpected problem prevents the Messaging Security Agent from cleaning,

such as:
• The temp directory that acts as a repository for files requiring cleaning is full
• The file is locked or is currently executing
• The file is corrupted
• The file is password protected
• The file is located in the Windows Recycle Bin, Windows Temp folder, or
Internet Explorer temporary folder
Sending Notifications as a Course of Action on Detected Email

Threats
When the Messaging Security Agent (MSA) detects a threat in an email, it can send
notifications to the email sender and/or recipients. From the Action tab area of the
8-12
Antivirus/Anti-spyware screen, you can configure MSA to send notifications to all

senders and/or recipients or to just internal senders and/or recipients. You can also
configure MSA to not send notifications when it detects spoofing mails.
Backing Up Files Before Taking Action

You can set the Messaging Security Agent to backup a file to the Backup folder
before taking action on it. This is a safety precaution designed to protect the original
file from damage.
Tip: Trend Micro recommends quickly deleting backed up files once you have determined
that the original file was not damaged and that it is usable. If the file becomes
damaged or unusable, send it to Trend Micro for further analysis. (Even if the
Messaging Security Agent has completely cleaned and removed the virus itself, some
viruses damage the original file code beyond repair.)
To specify the location of the Backup folder:

1. From the Antivirus screen, click the Action tab.
2. Click the plus icon to expand the Backup Directory panel.
3. Type the directory path for your backup folder in the space provided.
4. Click Save.
Do not clean infected compressed files to improve performance

Select this option to improve the Messaging Security Agent performance. When the
Messaging Security Agent detects a security threat in a compressed file, it will not
clean the file. Instead, it processes the files as if they were uncleanable.
Using Advanced Scanning Options

Use the Advanced Options to set how the Messaging Security Agent handles
macros, unscannable files, and excluded files. You can also set up the backup and
quarantine folders and customize the replacement file/text used when the Messaging
Security Agent replaces an infected attachment.
8-13
Using Advanced Macro Scanning

The Messaging Security Agent uses the virus pattern file to identify known malicious
macro codes during regular virus scanning. The Messaging Security Agent takes
action against malicious macro code depending on the action that you configure from
the Anti-virus screen. Use Advanced macro scanning to gain additional protection
against malicious macro code.
Advanced macro scanning supplements regular virus scanning. It uses heuristic
scanning to detect macro viruses or simply strips all detected macro codes. Heuristic
scanning is an evaluative method of detecting viruses that uses pattern recognition
and rules-based technologies to search for malicious macro code. This method excels
at detecting undiscovered viruses and threats that do not have a known virus
signature. When a malicious macro code is detected using heuristic scanning, the
Messaging Security Agent takes action against the malicious code based on the
action that you configured from the Antivirus screen. When you select Delete all
macros detected by advanced macro scanning, the Messaging Security Agent
strips all macro code from the scanned files.
Enabling and Disabling Scans

You can enable or disable virus scanning for real-time or scheduled scans.
Real-time scanning is persistent and ongoing. When you enable real-time scanning,
the Messaging Security Agent starts to scan all incoming and outgoing messages
immediately. Real-time scanning consists of four filters: Antivirus, Content Filtering,
Attachment Blocking, and Anti-spam. You can enable and disable each filter
separately. When all of the filters are disabled, no real-time scanning can occur.
Disabling a real-time scanning filter does not disable or change your scan
configurations.
WARNING! If you disable real-time scanning, you are vulnerable to infected files entering the
Exchange environment while the scan is disabled.
8-14
About Blocking Attachments

Attachment blocking prevents email messages containing suspect attachments from
being delivered to the Exchange Information Store. You can configure the Messaging
Security Agent to block attachments according to the attachment type or attachment
name and then replace, quarantine, or delete all the messages that have attachments
that match your configuration.
Blocking can occur during real-time, manual, and scheduled scanning, but the delete
and quarantine actions are not available for manual and scheduled scans. You can
enable or disable attachment blocking.
The extension of an attachment identifies the file type, for example .txt, .exe, or .dll.
However, the Messaging Security Agent examines the file header rather than the file
name to ascertain the actual file type. Many viruses are closely associated with
certain types of files. By configuring the Messaging Security Agent to block
according to file type, you can decrease the security risk to your Exchange servers
from those types of files. Similarly, specific attacks are often associated with a
specific file name.
Tip: Using blocking is an effective way to control virus outbreaks. You can temporarily
quarantine all high-risk file types or those with a specific name associated with a
known virus. Later, when you have more time, you can examine the quarantine
folder and take action against infected files.
8-15
Selecting Blocking Targets

Block attachments with two general strategies: either block all attachments and then
exclude specified attachments or specify all the attachments to block.
• All attachments
The Messaging Security Agent can block all email messages that contain
attachments. However, this type of scan requires a lot of processing. Refine this
type of scan by selecting attachment types or names to exclude.
• Specified attachments
When you select this type of scan, the Messaging Security Agent only scans for
email messages containing attachments that you identify. This type of scan can be
very exclusive and is ideal for detecting email messages containing attachments
that you suspect contain threats. This scan runs very quickly when you specify a
relatively small amount of attachment names or types.
You can block attachments according to:
• Specific name
By default, the Messaging Security Agent examines the file header rather than the
file name to ascertain the actual file type. When you set Attachment Blocking to
scan for specific names, the Messaging Security Agent will detect attachment types
according to the name they were given.
• Attachment type
The Messaging Security Agent examines the file header rather than the file name
to ascertain the actual file type.
8-16
Attachment Blocking Actions

You can configure the Messaging Security Agent to take action against email
messages containing detected threats. The following table lists the actions the
Messaging Security Agent can take.
TABLE 8-5. Attachment Blocking Actions
Action Description
Replace with The Messaging Security Agent deletes the attachment and replaces
text/file it with a text file. The email message is delivered to the intended
recipient, but the text replacement informs them that the original
content was infected and was replaced.
Quarantine Moves the email message that contains the attachment to a

restricted access folder, removing it as a security risk to the
Exchange environment. This action is not available for manual or
scheduled scans.
Delete entire During real-time scanning, the Messaging Security Agent deletes
message the entire email message. This option is not available in manual or
scheduled scanning.
Screening Out Spam

The Messaging Security Agent uses the Trend Micro spam engine and spam pattern
file to screen each email message for spam before delivering them to the Information
Store. The Exchange server will not process rejected spam mail and the messages do
not end up in your client’s mailboxes.
The Messaging Security Agent performs one of the following actions on detected
spam during real-time scanning:
• Quarantines spam messages to a server-side spam folder
• Quarantines spam messages to user’s spam folder
• Deletes the spam message
• Tags and delivers messages as spam
8-17
Note: Microsoft Outlook may automatically filter and send messages that MSA detected as
spam to its Junk Mail folder.
Approved and Blocked Sender Lists

Administrators can set up Approved and Blocked senders lists for the Messaging
Security Agent. The Messaging Security Agent does not classify addresses from the
Approved senders list as spam (unless it detects a phishing incident), nor does it filter
messages from this list as spam. The Messaging Security Agent filters addresses
from Blocked senders lists and always classifies them as spam with the action
depending on the rule set by the administrator.
Note: The Exchange administrator maintains a separate Approved and Blocked Senders list
for the Exchange server. If an end-user creates an approved sender, but that sender is
on the administrator's Blocked Senders list, the Messaging Security Agent detects
messages from that blocked sender as spam and takes action against those messages.
Note: When importing an Approved and Blocked Senders list, make sure that the text file is
encoded in ANSI format to avoid compatibility issues. If you import the list in
Unicode format, you will unable to import the list successfully.
The Spam Filter

Administrators can set the spam detection rate to screen out spam. The detection
level determines how tolerant the Messaging Security Agent will be towards suspect
email messages. A high detection level quarantines most email as spam, but it might
also falsely identify and quarantine legitimate email messages as spam, creating
"false positive" spam mail. A low detection level does not rigorously screen email
messages, but does not create many false positive spam messages.
SeeSetting the Spam Detection Rate on page 8-21.
Seven Spam Categories

The Messaging Security Agent screens spam according to seven categories and
allows administrators to specify a detection level for each category:
8-18
• Adult
• Commercial
• Financial
• Spiritual
• Health
• Racial
• Others
Example: If an administrator’s clients work in the banking field, the administrator
might decide to set a high sensitivity level for the "sexual" category - messages in
this category are very likely to be classified as spam. However, it might be more
difficult to filter "commercial" type messages. Therefore, the administrator can set a
low sensitivity level for email messages in the "commercial" category.
Using Approved and Blocked Senders List

An Approved Senders list is a list of trusted email addresses. The Messaging Security
Agent does not filter messages arriving from these addresses for spam - except when
Detect Phishing incidents is enabled. When you have enabled Detect Phishing
incidents, and the Messaging Security Agent detects a phishing incident in an email,
then that email message will not be delivered even when it belongs to an approved
sender list. A Blocked Senders list is a list of suspect email addresses. The Messaging
Security Agent always categorizes email messages from blocked senders as spam
and takes the appropriate action.
There are two Approved Senders lists: one for the Exchange administrator and one
for the end-users.
• The Exchange administrator uses the Anti-spam screen to manage his or her lists.
The Exchange administrator’s Approved Senders list and Blocked Senders list
control how the Messaging Security Agent handles email messages bound for the
Exchange server.
• The end-user manages the Spam Folder that is created for them during installation.
The end-users’ lists only affect the messages bound for the server-side mailbox
store for each individual end-user.
For example: The sender "[email protected]" is on the administrator’s Blocked
senders list, but the end-user has added that address to his Approved senders list.
8-19
Messages from that sender arrive at Exchange and the Messaging Security Agent
detects them as spam and takes action against them. If the Messaging Security Agent
takes the Quarantine message to user’s spam folder action, it will attempt to deliver
the message to the end user’s Spam folder, but the message will be redirected to the
end user’s inbox instead because the end user has approved that sender.
Note: When you are using Outlook, there is a rule size limit for the amount and size of
addresses on the list. To prevent a system error, the Messaging Security Agent
limits the amount of addresses that an end user can include in his or her approved
sender list (this limit is calculated according to the length and the number of email
addresses)
The Messaging Security Agent supports wildcard matching for Approved and
Blocked Senders lists. It uses the asterisk (*) as the wildcard character.
TABLE 8-6. Email Address Matches for Wildcards
Pattern Matched samples Unmatched samples
[email protected] [email protected] Any address different from

[email protected]. the pattern
@trend.com [email protected] [email protected]

*@trend.com [email protected] [email protected]
[email protected]
trend.com [email protected] [email protected]

[email protected] [email protected]
[email protected].
*.trend.com [email protected] [email protected]

trend.com.* [email protected] [email protected]

8-20
TABLE 8-6. Email Address Matches for Wildcards
Pattern Matched samples Unmatched samples
*.trend.com.* [email protected] [email protected]

[email protected]
*.*.*.trend.com The same as "*.trend,com"

*****.trend.com
*trend.com All invalid.

trend.com*
trend.*.com
@*.trend.com
The Messaging Security Agent does not support the wildcard match on the username
part. However, if you type a pattern such as “*@trend.com”, the Messaging Security
Agent still treats it as “@trend.com”. This feature applies to user-defined Approved
Senders and Blocked Senders.
Setting the Spam Detection Rate

The spam engine makes use of spam signatures and heuristic rules to screen email
messages. It scans email messages and assigns a spam score to each one based on
how closely it matches the rules and patterns from the pattern file. The Messaging
Security Agent compares the spam score to the user-defined spam detection level.
When the spam score exceeds the detection level, the Messaging Security Agent
takes action against the spam.
For example: Spammers often use many exclamation marks, or more than one
consecutive exclamation mark(!!!!) in their email messages. When the Messaging
Security Agent detects a message that uses exclamation marks in this way, it
increases the spam score for that email message.
Select one of these options for your spam detection:
• High
This is the most rigorous level of spam detection. The Messaging Security Agent
monitors all email messages for suspicious files or text, but there is greater chance
8-21
of false positives. False positives are those emails that the Messaging Security
Agent filters as spam when they are actually legitimate emails.
• Medium
This is the default setting. The Messaging Security Agent monitors at a high level
of spam detection with a moderate chance of filtering false positives.
• Low
This is most lenient level of spam detection. The Messaging Security Agent will
only filter the most obvious and common spam messages, but there is a very low
chance that it will filter false positives.
Note: If a significant volume of spam is not caught by the spam engine, download the Trend
Micro Anti-Spam Pilot for advanced protection against spam. For more information,
visit
http://www.trendmicro.com/en/products/desktop/anti-spam/evaluate/overview.htm.
Detecting and Taking Action Against Phish

A Phish is an email message that falsely claims to be from an established or
legitimate enterprise. The message encourages recipients to click on a link that will
redirect their browsers to a fraudulent Web site where the user is asked to update
personal information such as passwords, social security numbers, and credit card
numbers in an attempt to trick a recipient into providing private information that will
be used for identity theft.
When the Messaging Security Agent detects a Phish message, it can take the
following actions:
• Quarantine message to a server-side spam folder
The Messaging Security Agent sends the entire message to the CSM Server for
quarantine.
• Delete entire message
The Messaging Security Agent deletes the entire message and Exchange does not
deliver it.
• Tag and deliver
8-22
The Messaging Security Agent adds a tag to the header information of the email
message that identifies it as phish and then delivers it to the intended recipient.
Filtering Undesirable Content

Content Filtering evaluates inbound and outbound messages on the basis of
user-defined rules. Each rule contains a list of keywords and phrases. Content
filtering evaluates the header and/or content of messages by comparing the messages
with the list of keywords. When the content filter finds a word that matches a
keyword it can take action to prevent the undesirable content from being delivered to
Exchange clients. The Messaging Security Agent can send notifications whenever it
takes an action against undesirable content.
The content filter provides a means for the administrator to evaluate and control the
delivery of email on the basis of the message text itself. It can be used to monitor
inbound and outbound messages to check for the existence of harassing, offensive, or
otherwise objectionable message content. The content filter also provides a synonym
checking feature which allows you to extend the reach of your policies. You can, for
example, create rules to check for:
• Sexually harassing language
• Racist language
• Spam embedded in the body of an email message
Viewing Content Filtering Rules

The Messaging Security Agent (MSA) displays all the content filtering rules in the
Content Filtering screen. This screen shows summary information about the rules
including:
• Action: MSA takes this action when it detects undesirable content
• Order: MSA applies each filter in succession according to the order shown on this
page.
• Enabled: During real-time scan, manual scan, or schedule scan, you can enable or
disable all content filtering or each individual content filter rule. The icons on the
Content Filtering screen show the status of the content filtering rule. Click on the
icon to toggle between enabled and disabled.
8-23
• Green check mark—indicates that you have enabled the rule

• The red circle "x"—indicates that you have disabled the rule
Note: By default, content filtering is not enabled.
When you click on an individual rule, the Edit rule page opens displaying details
about the rule.
Enabling Content Filtering Rules

When content filtering is enabled, you can enable and disable individual content filter
rules. The green check icon indicates the rule is enabled, the red "x" indicates the rule
is disabled. Click on the icon to toggle between enabled and disabled.
To enable content filtering rules:
1. Click Content Filtering.
2. Click Enable Content Filtering. Clear the check box to disable content filtering.
3. Click Save.
To enable an individual content filter:
1. Click Content Filtering.
2. If necessary, click Enable Content Filtering.
3. Click to enable rules that are disabled. The icon toggles to a green check mark
to indicate the rule is enabled.
4. Click Save.
Adding Content Filtering Rules

To create a content filtering rule you move through a series of steps. At each step you
add to your rule until it is complete. After you have created your rule, the Messaging
Security Agent (MSA) begins to filter all incoming and outgoing messages according
to your rule. You can create the rules that do the following:
• Filter messages that match any condition defined
8-24
This type of rule is capable of filtering content from any message in real-time or
during a manual or scheduled scan.
• Filter message that match all conditions defined
This type of rule is capable of filtering content from any message during real-time
scanning.
• Monitor the message content of particular email account(s)
This type of rule monitors the message content of particular email account(s).
Monitoring rules are similar to a general content filter rules, except that they only
filter content from specified email account(s).
• Create exemption for particular email account(s)
This type of rule creates an exemption for particular email account(s). When you
exempt a particular email account, this account will not be filtered for content rule
violations.
To create a rule that filters messages that match any condition defined:
Step 1: Select the type of content rule
1. From the Content Filtering page, click Add.
2. Select Filter messages that match any condition defined.
3. Click Next.
Step 2: Name your rule and select the message part to filter
1. Type the name of your rule in the Rule name field.
2. Click the message part that you want to filter for undesirable content. The MSA
can filter email messages by Header (From, To, and CC), Subject, Body, or
Attachment.
Note: Client Server Messaging Security for SMB only supports filtering of header and
subject content during real-time scans. It does not support filtering of header and
subject content during manual and scheduled scans.
3. Click Next.
Step 3: Set the keywords for which MSA searches
1. Select whether the MSA filters content for "any" or for "all" of the keywords.
8-25
• "Any" keyword tells MSA to take action against content that contains any of
the keywords in the list.
• "All" tells MSA to take action against content only when the content contains
all of the keywords in the list.
2. Type or import keywords.
• Type a keyword in the space provided.
• Click Add to add it to the list of keywords that MSA checks when
filtering content. MSA can support content filtering for Microsoft Office,
PDF, ZIP, RAR and text files.
• Click Delete to remove keywords from the list.
By default, MSA searches for exact matches of the keywords that you add.
• Click Import to import keyword lists.
When you import a keyword file, the imported keywords appear in the
keyword list. The imported file must be a text (.txt) file. The imported
keywords use the same format as they had in the text file.
3. Click Match case-sensitive to have MSA disregard words that do not match the
keyword's case when filtering content.
4. Set up your list of synonyms.
• Click Match synonym to have MSA consider all the synonyms of the
keyword when filtering content.
• Click next to Match synonym to display the list of synonyms. When you
select a keyword, all of the keyword’s synonyms display in the Synonyms to
exclude list. Use the arrow keys to add and delete synonyms for each
corresponding keyword.
5. Click Next.
Step 4: Set the action MSA takes against content that matches the keyword
1. Select an action for MSA to take when it detects undesirable content. MSA can
perform the following actions when it detects content that matches the rule
conditions:
• Replace with text/file — replaces the filtered content with a text file.
You cannot replace text from the From, To, CC, or Subject fields.
8-26
• Quarantine — moves the message to the quarantine directory

• Delete entire message — deletes the entire email message
• Archive — moves the message to the archive directory and delivers the
message to the original recipient
2. Select whether MSA notifies designated individuals when it takes action against
undesirable content.
Note: The actions delete entire message and quarantine are unavailable during manual or
scheduled scans.
3. Click Next.
Step 5: Set the notifications MSA sends when it takes an action
1. On the action page, select the check box for the notification that you want to send
to the infected recipient/sender.
2. Click Save.
Modifying Content Filter Rules

You can modify a rule by clicking on the rule name from the Content Filtering
screen. When you click on a rule name, the Content Filtering > Edit Rule screen
opens displaying information that corresponds to that rule.
You can modify the following parts of a rule:
• Enable or disable the rule
• Modify the rule name
• Modify the keywords for which MSA searches
• Modify the part of the email message that MSA filters
• Set the action MSA takes against content that matches the keyword
• Set the notifications MSA sends when it takes an action
To enable or disable the rule
• Select the Enable this rule check box to enable the rule.
• Clear the check box to disable the rule.
8-27
To modify the rule name

1. Click on a rule name. The Content Filtering > Edit Rule screen opens.
2. Type a new name in the Rule name field.
3. Click Save.
To modify the keywords for which MSA searches
2. Select a keyword from the Keyword list.
3. Click Delete to remove it from the list.
4. Click Import to import keyword lists.
When you import a keyword file, the imported keywords appear in the keyword
list. The imported file must be a text (.txt) file. The imported keywords use the
same format as they had in the text file.
5. Click ( ) next to Match synonym to display the list of synonyms. When you
6. Click Save.
To modify the part of the email message that MSA filters
2. If necessary, click the Target tab.
3. Choose the parts of the email that you want to modify. Different rules are able to
filter different parts of the email message. Refer to the procedure for creating the
type of rule for detailed information about the parts of the message that it can
filter.
4. Modify the keywords for the part that you want to filter for undesirable content.
5. Click Save.
To modify the action that MSA takes when it detects a Content Rule violation
2. If necessary, click the Action tab.
8-28
3. Select an action for MSA to take when it detects undesirable content.

4. Set the action for MSA to take against messages that match the keyword.
5. Click Save.
To modify the notifications MSA sends when it takes an action
2. If necessary, on the action page select the check box for the notification that you
want to send to the infected recipient/sender.
3. Click Save.
Changing the Rule Order

MSA applies the content filtering rules to email messages according to the order
shown in the Content Filtering screen. You configure the order in which the rules are
applied. MSA filters all email messages according to each rule until a content
violation triggers an action that prevents further scanning (such as delete or
quarantine). You can change the order of these rules to optimize content filtering.
To change the order of the content filtering rules:
1. Select a check box that corresponds to the rule for which you want to change the
order.
2. Click Reorder. A box appears around the order number for the rule.
3. Type a new order number in the box. The rule order number will change to the
number that you type and all the other rule order numbers will change
accordingly.
For example: If you select rule number 5 and change it to rule number 3, then
rule numbers 1 and 2 will remain the same, and rule numbers 3 and higher will
increase by one number.
About Filtering Keywords

Keywords are not strictly words. They can be any of the following:
• Numbers
• Typographical characters
• Short phrases
8-29
• Words or phrases connected by logical operators

• Words or phrases that use regular expressions
Using Keywords Effectively

MSA offers simple and powerful features to create highly specific filters. Consider
the following, when creating your Content Filtering rules:
• By default, MSA searches for exact matches of keywords. Use regular expressions
to set MSA to search for partial matches of keywords.
• MSA analyzes multiple keywords on one line differently than multiple keywords
when each word occupies a single line. See Table 8-8 for more information about
using keywords on multiple lines.
• You can also set MSA to search for synonyms of the actual keywords.
TABLE 8-7. How to Use Keywords
Situation Example Match / non-match
Two words on bare sexy Matches:

same line "Click here to see bare sexy beauties."
Does not match:

Click here to see bare naked sexy hotties.
Two words sepa- bare, sexy Matches:

rated by a "Click here to see hot, bare, sexy beauties."
comma
Does not match:
"Click here to see hot, bare, and sexy beau-
ties."
8-30
TABLE 8-7. How to Use Keywords
Situation Example Match / non-match
Multiple words nude When you choose Any specified keywords

on multiple lines sexy
bare naked Matches:
"This is a nude picture"
Also matches:
"See young, hot, and sexy beauties"
When you choose All specified keywords
Matches:
"This is a nude picture of sexy buff and bare
naked"
Does not match:

"This is a nude picture of sexy buff bare and
naked"
Also does not match:
"See nude, sexy, and bare naked beauties"
Many keywords sex bare nude naked buff Matches:

on same line Click here for sex bare nude naked buff
Does not match:
"Click here to see sex that s bare and buff"
8-31
Formatting Keywords That Use Operators

When typing a keyword or phrase that includes an operator, follow the format in the
example below:
Example: .WILD. valu*
Note: The operator has a dot immediately preceding and following. There is a space between
the final dot and the keyword.
TABLE 8-8. Using Exact Matching and keywords on Multiple Lines
Supported How to format the

How it works
keyword keyword
any keyword MSA searches content that matches Type the word and add it to
the word the keyword list
OR MSA searches for any of the key- Type ".OR." between all
words separated by OR the words you want to
include
For example: apple OR orange. MSA
searches for either apple or orange. If For example:
content contains either, then there is "apple .OR. orange"
a match.
AND MSA searches for all of the keywords Type ".AND." between all
separated by AND the words you want to
include
For example: apple AND orange.
MSA searches for both apple and For example:
orange. If content does not contain "apple .AND. orange"
both, then there is no match.
NOT MSA excludes keywords following Type ".NOT." before a word
NOT from search. you want to exclude
For example: .NOT. juice. MSA For example: ".NOT. juice"

searches for content that does not
contain juice. If the message has
"orange soda", there is a match, but if
it contains "orange juice", there is no
match.
8-32
TABLE 8-8. Using Exact Matching and keywords on Multiple Lines
Supported How to format the

keyword How it works keyword
WILD WILD means wildcard. The wildcard Type ".WILD." before the
symbol replaces a missing part of the parts of the word you want
word. Any words that are spelled to include
using the remaining part of the wild-
card are matched.
For example, if you want to match all
words containing "valu", type
".WILD.valu". The words Valu-
mart, valucash, and valubucks all
match.
Note: MSA does not support using
"?" in the wildcard command
".WILD.".
REG To specify a regular expression, add Type ".REG." before the

a .REG. operator before that pattern word pattern you want to
(for example, .REG. a.*e). detect.
For example: ".REG. a.*e"

matches: "ace", "ate", and
"advance", but not "all",
"any", nor "antivirus"
8-33
Using Regular Expressions

Regular expressions are used to perform string matching. See the following tables for
some common examples of regular expressions. To specify a regular expression, add
a ".REG." operator before that pattern.
Note: Regular expressions are a powerful string matching tool. For this reason, Trend Micro
recommends that administrators who choose to use regular expressions be familiar
and comfortable with regular expression syntax. Poorly written regular expressions
can have a dramatic negative performance impact. Trend Micro’s recommendation is
to start with simple regular expressions that do not use complex syntax. When
introducing new rules, use the archive action and observe how MSA manages
messages using your rule. When you are confident that the rule has no unexpected
consequences, you can change your action.
To create a rule that filters messages that match all conditions

defined:
2. Select Filter messages that match all conditions defined.
3. Click Next.
Step 2: Name your rule and select the message part to filter for keywords
1. Type the name of your rule in the Rule name space.
2. Set the part of the message that MSA filters. MSA can filter messages according
to:
• Message header
Type a keyword in the From, To, CC, and/or Subject field to have MSA take
action against email messages that contain matching keywords in the
corresponding fields. Separate multiple keywords with a semi-colon (;).
• Attached files
Type a name in the Attachment file name field. MSA takes action against
messages that have attachments with the name you specify. Separate multiple
keywords with a semi-colon (;).
8-34
Tip: MSA performs Content Filtering before Attachment Blocking.
• Size
Select an option from the Size drop list and type a number to indicate a size in
bytes. The maximum amount of digits for this field is 10. MSA cannot filter
messages that exceed 2GB.
3. Click Next.
1. Select an action for MSA to take when it detects undesirable content during a
real-time scan. MSA can perform the following actions when it detects content
that matches the rule conditions:
• Quarantine — moves the message to the quarantine directory.
• Pass — delivers the message without triggering any action.
3. Click Next.
1. Click on the check boxes corresponding to the people MSA will notify.
2. Click ( ) to customize the notification for that recipient.
3. To set Advanced Notification:
• Click SNMP to send notification by SNMP. Click ( ) to customize the SNMP
message.
8-35
• Click Write to Windows event log to have MSA write the notification to a
Windows event log.
4. Click Finish.
Step 5: Save your configuration
Click Save.
To create a rule that monitors message content for a particular email account(s):
2. Select Monitor the message content of particular email account(s).
3. Click Next.
Step 2: Name your rule and enter the email account(s) you want to monitor
1. Type a name for your rule in the space provided.
2. Type the mailbox address for the email account that you want to monitor. You
can monitor an email account located in the From, To, and CC part of the header.
3. Click Next.
Step 3: Select the message part to filter and add keywords
1. Click the message part that you want to filter for undesirable content. MSA can
filter email messages by Subject, Body, or Attachment. MSA can support
content filtering for Microsoft Office, PDF, and text files.
2. Type a keyword in the space provided.

• Click Add to add it to the list of keywords that MSA checks when filtering
content.
• Click Delete to remove keywords from the list.
8-36
By default, MSA searches for exact matches of the keywords that you add.
3. Click Match case-sensitive to have MSA disregard words that do not match the
keyword's case when filtering content.
4. Set up your list of synonyms.
• Click Match synonym to have MSA consider all the synonyms of the
keyword when filtering content.
• Click ( ) next to Match synonym to display the list of synonyms. When you
5. Click Next.
8-37
1. Select an action for MSA to take when it detects undesirable content. MSA can
perform the following actions when it detects content that matches the rule
conditions:
• Replace with text/file — replaces the filtered content with a text file.
You cannot replace text from the From, To, CC, or Subject fields.
• Quarantine — moves the message to the quarantine directory.
Note: The actions delete entire message and quarantine are unavailable during manual
or scheduled scans.
3. Click Next.
1. Click on the check boxes corresponding to the people MSA will notify.
2. On the action page, select the check box for the notification that you want to send
to the infected recipient/sender.
3. Click Save.
8-38
To create an exemption rule:

2. Select Create exemption for particular email account(s).
3. Click Next.
Step 2: Name your rule and enter the email account(s) you want to exempt
1. Type the name of your rule in the Rule name space.
2. Type the email address that you want to exempt from content filtering in the
space provided and click Add to add it to the list.
3. When you are satisfied with your list, click Finish.
Step 3: Save your configuration
Click Save.
About the Quarantine Folder

When the Messaging Security Agent quarantines a message, the message is sent to a
designated quarantine folder.
When the Messaging Security Agent quarantines an email message, it logs the event.
You can query the quarantine database to gather information about quarantined
messages. See Querying the Quarantine Folder on page 8-41.
You can use Quarantine to:
• Reduce the chance of important messages being deleted, if they are erroneously
detected by aggressive filters
• Review messages that trigger content filters to determine the severity of the policy
infraction
• For disciplinary purposes, maintain evidence of an employee’s continued misuse of
your company’s messaging system
8-39
Note: Do not confuse the quarantine folder with the end user’s spam folder. An administrator
sets up the quarantine folder after installing the Messaging Security Agent. The
quarantine folder is a file-based folder. The Messaging Security Agent creates the end
user’s spam folder during installation. The end user’s spam folder is located in the
Information Store for each user's mailbox. Whenever the Messaging Security Agent
does a quarantine action on an email message, it sends the message to the quarantine
folder. The end user’s spam folder only receives email messages resulting from an
anti-spam quarantine action.
Setting up the Quarantine Folder

The Messaging Security Agent quarantines email messages according to your
configured actions. You can create one quarantine folder for each action. The
Messaging Security Agent can quarantine email messages as the result of the
following:
• Antivirus
The Messaging Security Agent quarantines email messages containing viruses,
worms, Trojans, and other malicious threats. Set the quarantine folder from
Antivirus > Action > Quarantine Directory.
• Anti-spam
The Messaging Security Agent quarantines spam and phishing email. Set the
quarantine folder from Anti-spam > Action > server-side spam folder.
• Attachment blocking
The Messaging Security Agent quarantines email messages containing
questionable attachments. Set the quarantine folder from Attachment Blocking >
Action > Quarantine Directory.
• Content filtering
The Messaging Security Agent quarantines email messages containing undesirable
content. Set the quarantine folder from Content Filtering > Select rule > Action >
Quarantine Directory.
To set up the Quarantine Directory
1. Click Security Settings.
2. Choose the Exchange servers where you want to set up quarantine directories.
8-40
3. Click Configure. The Antivirus screen opens for the Exchange Server.
4. Click Quarantine > Directory.
5. Type the directory path for the quarantine directory in the space provided.
6. Click Save.
Viewing the Quarantine Folder

You can view the quarantine folder to determine whether messages are safe. When
you think a message is safe, delete the entire message or resend the complete email
messages to the original recipients.
WARNING! The quarantine folder contains email messages that have a high-risk of being
infected. Be cautious when handling email messages from the quarantine folder
so that you do not accidentally infect your computer.
Querying the Quarantine Folder

To view information about quarantined messages, you must make a quarantine query.
Use the Quarantine > Query to set up and run your queries.
Resending Quarantined Messages

You can resend messages that you consider safe to the original recipient. When you
resend messages, the entire email message is resent.
Note: If you resend a quarantined message that was originally sent using Microsoft Outlook,
the recipient may receive multiple copies of the same message. This may occur
because VSAPI strips each message that it scans into several sections.
Deleting Quarantined Messages

The Messaging Security Agent provides a Quarantine Maintenance screen where you
can configure how long to keep the quarantined messages and schedule regular
maintenance.
8-41
Managing the End User Quarantine Tool

During installation, the Messaging Security Agent adds a folder, Spam Mail, to the
server-side mailbox of each end user. When spam messages arrive, the system
quarantines them in this folder according to spam filter rules predefined by the
Messaging Security Agent. End users can view this spam folder to open, read, or
delete the suspect email messages.
See Setting up the Spam Folder on page 8-43
End users can open email messages quarantined in the spam folder. When they open
one of these messages, two buttons appear on the actual email message: Approved
Sender and View Approved Sender List. When they click Approved Sender, the
Messaging Security Agent moves the message from that sender to their inbox, adds
the address of the message to their personal Approved Sender List. Clicking View
Approved Sender opens another screen that allows the end user to view and modify
their list of approved senders by SMTP email address or domain. When the Exchange
server receives messages from the addresses on the end user’s approved sender list, it
delivers them to the end user’s inbox, regardless of the header or content of the
message.
Note: Client Server Messaging Security also provides administrators with an Approved
Senders and Blocked Senders list. The Messaging Security Agent applies the
administrator’s approved senders and blocked senders before considering the end user
list.
End User Quarantine Housekeeping Feature

The Messaging Security Agent housekeeping feature performs programmed tasks
every 24 hours at the default time of 2:30 AM. It performs the following duties:
• Auto-deletes expired spam messages
• Recreates the spam folder when it has been deleted
• Creates spam folders for newly created mail accounts
• Maintains email message rules.
The housekeeping feature is an integral part of the Messaging Security Agent and
requires no configuration.
8-42
Setting up the Spam Folder

You can open the Spam Maintenance screen by clicking Operations > Spam
Maintenance. The Spam Maintenance screen displays the name of the Spam Folder
and the number of days that the End User Quarantine (EUQ) tool retains spam
messages.
End users can rename the spam folder using Microsoft Outlook; however, the
Messaging Security Agent identifies the folder by ID, not by folder name.
You can set the following features from this screen:
• Disable the End User Quarantine tool
Clear Enable End User Quarantine to disable the End User Quarantine tool for
all mailboxes.
• Disable the End User Quarantine tool for one or more individual users
This disables the End User Quarantine tool for each user you add to the User List
Settings.
• Create a new Spam Folder
Create a new spam folder for each new user that you add to the Exchange server
where you have installed the End User Quarantine tool.
• Modify the amount of days that the Messaging Security Agent will retain spam
messages
See Managing the End User Quarantine Tool on page 8-42 for more information
about the End User Quarantine tool.
To create the spam folder:
1. Click Operations > Spam Maintenance.
2. Select Enable End User Quarantine tool.
3. Do one of the following:
• Click Create spam folder and delete spam messages
- or -
• Click Save
8-43
To reset the storage time limit using:

2. Type the number of days you want the Messaging Security Agent to retain the
spam in the field next to Delete spam messages older than: (the default value is
14 days and the maximum time limit is 30 days).
3. Click Save to save your change and close the screen.
To disable an individual end-user’s EUQ spam folder:
2. Under User List Settings, type the email address of the end-user for whom you
want to disable EUQ.
3. Click Add. The end user’s email address is added to the list of addresses that
have EUQ disabled.
4. To remove an end user from the list and restore EUQ service, select the end
user’s email address from the list and click Remove.
5. Click Save.
Generating Debugger Reports

Client Server Messaging Security Debugger can assist you in debugging or just
reporting the status of the Client Server Messaging Security processes. When you are
having unexpected difficulties you can use debugger to create debugger reports and
send them to Trend Micro technical support for analysis.
How It Works
Each Client Server Messaging Security module inserts messages into the program,
and then records the action into log files upon execution. You can forward the logs to
Trend Micro Technical Support staff to help them debug the actual program flow in
your environment. All of the modules produce text files you that you can view with
any text editor.
You can use the debugger to generate logs on the following modules:
• Messaging Security Agent Master Service
• Messaging Security Agent Remote Configuration Server
8-44
• Messaging Security Agent System Watcher

• Virus Scan API (VSAPI)
• Simple Mail Transfer Protocol (SMTP)
• Common Gateway Interface (CGI)
• End User Quarantine (EUQ)
By default, the Messaging Security Agent keeps the logs in the following directory:
c:\Program Files\Trend Micro\Messaging Security Agent\Debug
To generate reports using the Client Server Messaging Security Debugger:
1. Click Operations > System Debugger.
2. Select the check boxes of the modules that you want to debug.
3. Click Save to start collecting data for the module(s) that you have selected.
Note: The Messaging Security Agent Debugger continues to collect debug data until you
clear all items you were debugging and click Save.
8-45
8-46
Chapter 9
Using Outbreak Defense

This chapter explains the Outbreak Defense Strategy, how to configure Outbreak
Defense, and how to use it to protect your network and clients.
• The Outbreak Defense Strategy on page 9-2
• Current Status on page 9-2
• Potential Threat on page 9-7
• Settings on page 9-8
• Using Exception on page 9-8
• Using Scheduled Policy Downloads Settings on page 9-8
9-1
The Outbreak Defense Strategy

The Outbreak Defense Strategy is based on the idea that outbreaks have a lifecycle.
They (the infection) start slow, infecting only a few clients initially. As time goes on,
the few infected clients unknowingly pass the infection to other clients. At this point,
the infection has spread throughout the network, or if the affect of the infection was
noticeable, the client users and administrator realized they have a problem and take
action. Slowly, the outbreak subsides. Maybe the infection gets chance to flare up
again as unaware and unprotected client users connect to other infected clients, or
open infected emails. The Outbreak Defense Strategy was designed to manage
outbreaks at every point along the outbreak lifecycle.
Current Status
Displays the on-going status of your clients and network in response to a current
worldwide virus outbreak. The status roughly corresponds to the outbreak lifecycle.
Outbreak Defense first takes preventative measures such as informing you of the
threat and taking action as prescribed in the Outbreak Prevention Policy (downloaded
from TrendLabs). Next, your clients are protected from the threat when updated
components are downloaded from the Trend Micro ActiveUpdate server and
deployed. Finally, Damage Cleanup Services, using newly updated components,
starts to clean infected and damaged files, and remove virus remnants.
9-2
FIGURE 9-1. Outbreak Defense Screen – No Threat
Threat Prevention
The Threat Prevention stage of the Current Status screen displays information about
recent threats, computers that have alerts enabled, and computers that are vulnerable
to the current threat.
9-3
FIGURE 9-2. Outbreak Defense Screen – Threat Prevention Stage
Threat Information
The Threat Information section displays information about viruses that are currently
on the Internet and that could potentially affect your network and clients. Threat
Information, using the Outbreak Prevention Policy, takes steps to protect your
network and clients while TrendLabs develops a solution (SeeTrend Micro Outbreak
Prevention Policy on page B-1).
Threat Information
This panel displays the name of the current outbreak threat. Learn more about this
threat by clicking Help > Security Info to redirect your browser to the Trend Micro
Web site.
• Risk Level–the level of risk the threat poses to computers and networks based on
the number and severity of virus and malware incident
9-4
• Automatic Response Details–click to view the specific actions Outbreak Defense

is using to protect your computers from the current threat. Click Disable to stop the
Automatic Response from the server-side. Stopping the Automatic Response on
the server-side will stop it for the CSAs as well.
Alert Status for Online Computers

The Alert Status for Online Computers displays a total for the number of clients that
do and do not have automatic alert enabled. Click the number link under the Enabled
and Not Enabled columns to view more information about specific client computers.
Vulnerable Computer(s)
The Vulnerable Computer(s) section displays a list of clients that have vulnerabilities
that make them susceptible to the threat displayed in the Threat Information section.
Threat Protection
The Threat Protection stage of the Current Status screen provides information about
the components that are affected by the threat, and the solution download and
deployment status.
FIGURE 9-3. Outbreak Defense Screen – Protection Stage
9-5
Solution Download Status

Displays a list of components that need to be updated in response to the threat listed
in the Threat Information section.
Solution Deployment Status

Displays the number of clients that have up-to-date components. Displays the
number of clients that have out-of-date components. Provides a link to view clients
with up-to-date or out-of-date components.
Threat Cleanup
The Threat Cleanup stage of the Current Status screen displays the status of the scan
that takes place after the updated components have been deployed. The Threat
Cleanup section also displays the status of computers after the scan, and lists whether
the updates were successful in cleaning or removing threat remnants.
FIGURE 9-4. Outbreak Defense Screen - Cleanup Stage
9-6
Note: For a scan to automatically take place after the new components have been deployed,
it has to be enabled in the Outbreak Defense > Settings screen.
Computer Scanning Status for

Click the links to display a list of Client computers that have received notification to
scan for threats or that have not yet received notification. Client computers that are
not turned on or that have been disconnected from the network cannot receive
notifications.
Computer Cleanup Status for

This panel displays the results of the Cleanup scan.
Potential Threat
The Potential Threat screen uses the information gathered from Vulnerability
Assessment and Damage Cleanup Services to display information about clients that,
because they are already infected or have vulnerabilities, are Potential Threats to the
security of your network. Vulnerability Assessment determines which clients have
vulnerabilities and Damage Cleanup Services determines which clients are still
infected and need to be cleaned in order to make them safe.
Vulnerable Computer(s)
The Vulnerable Computer(s) section displays a list of clients that have vulnerabilities
that make them susceptible to the most recent threat. Client Server Messaging
Security uses Vulnerability Assessment to determine which clients have
vulnerabilities. To learn more about Vulnerability Assessment see Vulnerability
Assessment on page B-3.
Computer(s) to Cleanup
The Computer(s) to Cleanup section displays information about infected computers.
Administrators can also perform a real-time cleanup of infected computers using
updated cleanup security components. The Cleanup service uses Trend Micro
Damage Cleanup Services. To learn more about how Damage Cleanup works, see
Trend Micro Damage Cleanup Services on page B-2.
9-7
To perform a real-time cleanup of infected computers using newly updated

cleanup components:
1. Click Cleanup Now in the Threat Cleanup table.
2. A Threat Cleanup progress bar appears displaying the progress of the threat
cleanup process.
3. After the cleanup process is completed, a Cleanup Notification Results screen
appears.
Settings
Use the Settings screen to configure Outbreak Defense and Vulnerability
Assessment options.
Outbreak Defense
Use Outbreak Defense to configure threat response settings, block or unblock ports,
and schedule when and how often the Outbreak Prevention Policy is updated.
Note: After you disable Outbreak Defense, Trend Micro recommends running Cleanup Now
to help rid your clients of Trojans and any running processes related to Trojans, or
other types of malicious code (see Computer(s) to Cleanup on page 9-7).
Using Exception
Use Exception to Add new ports to, and Edit or Remove existing ports from the list
of ports to exclude from blocking.
Note: When adding a new exception, make sure that Enable this exception is checked.
Using Scheduled Policy Downloads Settings

Use Scheduled Policy Downloads to set when and how often the Security Server
checks for and downloads new Outbreak Prevention Policies. By default, the
9-8
Security Server checks for new Outbreak Prevention Policies every 30 minutes and
downloads new policies as required.
To set a Scheduled Policy Download source and time:
1. From the main menu, click Outbreak Defense > Settings. The Settings screen
appears. The Outbreak Defense tab is selected by default.
2. Click the plus (+) icon for the Scheduled Policy Download Settings section.
3. From the Scheduled Policy Download Settings section, set the following
options:
a. Frequency: The default time is every 30 minutes.
b. Source: Choose from where to download updates. The default is the Trend
Micro ActiveUpdate server:
• Trend Micro ActiveUpdate server
• Intranet location containing a copy of the current file
• Other update source
4. Click Save.
Vulnerability Assessment
To set a time for Vulnerability Assessment:
1. Click Outbreak Defense > Settings to open the Settings screen.
2. Click the Vulnerability Assessment tab.
3. Select Enable Scheduled Vulnerability Prevention
4. For each client create a schedule using the following UI elements:
• Daily – Click to perform vulnerability assessment every day
• Weekly, every – Click to perform a vulnerability assessment once a week.
You must select a day from the list and a start time. The time selected is the
time that Client/Server Security will perform the scan.
• Monthly, on day – Click to perform a vulnerability assessment once a month.
You must select a date from the list and a start time.
Regardless of the selection, specify when to start vulnerability assessment in the
Start time lists.
9-9
5. Set the Target for the scan.

• Select All groups to scan all the computers that appear in the Group
Management Tree on the Security Settings screen.
• Select the Specified group(s) to limit the vulnerability assessment scan to
only the specific groups you designate.
6. Click Save.
9-10
Chapter 10
Manual and Scheduled Scans

This chapter describes Manual and Scheduled scans and how to use Manual and
Scheduled scan to protect your network and clients from viruses, malware, and other
threats.
• Manual and Scheduled Scans on page 10-1
• Scanning Desktops and Servers for Viruses, Spyware, and Other Malware Threats
on page 10-3
• Scanning Exchange Servers for Viruses, Malware, and Other Threats on page 10-5

Client Server Messaging Security provides three types of scans to protect your clients
from viruses, malware, and other types of malicious code: Manual Scan, Scheduled
Scan, and Real-time Scan. Each scan has a different purpose and use, but all are
configured approximately the same way. This chapter discusses Manual and
Scheduled Scans.
10-1
About Scans for Desktops and Servers

Manual Scan – Occurs after user execution and completely scans all specified files.
The length of the scan depends on the number of files and your hardware resources.
Scheduled Scan – A scheduled scan completely scans all files at the time and
frequency configured. Use scheduled scans to automate routine scans on your clients
and improve virus management efficiency.
About Scans for Exchange Servers

Manual scans
Client Server Messaging Security performs manual and scheduled scanning, on
demand, according to a manual prompt. Manual scanning eliminates viruses from
inside the Information Store databases, eradicates old virus infections, and minimizes
the possibility of reinfection. When performing a manual scan, Client Server
Messaging Security takes actions against threats according to the administrator’s
configurations. You can abort manual scan by clicking Stop Scanning when the scan
is in progress.
Client Server Messaging Security does not allow the selection of individual Stores
for scanning.
Manual scanning makes use of the following filters:
• Antivirus
• Content Filtering
• Attachment Blocking
To configure a Manual scan, click Scans > Manual Scan.
Scheduled scans
Scheduled scans occur according to the schedule you have configured. If user wants
to disable Scheduled Scan, they have to clear all check boxes for "Antivirus",
"Content Filtering", and "Attachment Blocking" under Scans > Scheduled Scan.
Scheduled scanning makes use of the following filters:
• Antivirus
• Content Filtering
10-2
• Attachment Blocking
To configure a Scheduled scan, click Scans > Scheduled Scan.
Scanning Desktops and Servers for Viruses,

Spyware, and Other Malware Threats
Because creating Manual and Scheduled Scans for desktops and servers are similar,
the steps for configuring the two will be combined. An additional section for setting a
scan schedule will follow.
FIGURE 10-1. Manual Scan Screen
To configure Manual or Scheduled Scans for desktops and servers:

1. Click Scans > Manual Scan or Scheduled Scan to open the Scan screen.
2. Select the group(s) to scan.
See File Types Eligible for Scanning on page 8-5 for more detailed information.
3. Optional: Set the antivirus and anti-spyware scanning options by clicking the
group name, and then clicking either Antivirus or Anti-spyware.
Anti-spyware Settings
a. Verify that the Anti-spyware check box is selected for each group.
10-3
b. To configure the anti-spyware scan settings, click the Anti-spyware link. The
manual anti-spyware scan settings page appears.
c. On the Target tab, select the type of anti-spyware scan to run. Available
options include:
• Full scan – Scans the entire disk and registry for spyware
• Quick scan – Examines common areas where spyware is typically
installed
d. On the Action tab, click an action to perform on any spyware that is detected.
Available options include:
• Clean – Remove the spyware from infected clients
• Pass – Only record the detected spyware in the spyware logs
e. Click Save to save your scan settings, and then Back to go back to the Scan
Now page.
4. Click Scan Now to run a Manual Scan or click Save to save the Scheduled Scan
settings.
To set a time for Scheduled scans:
1. Click Scans > Scheduled Scan to open the Scheduled Scan screen.
2. Click the Schedule tab. A table displaying a list of all scannable clients appears.
• Daily – Click to perform Scheduled Scan every day
• Weekly, every – Click to perform a Scheduled Scan once a week. You must
select a day from the list and a start time. The time selected is the time that
Client/Server Security will perform the scan.
• Monthly, on day – Click to perform a Scheduled Scan once a month. You
must select a date from the list and a start time.
Regardless of the selection, specify when to start scheduled scans in the Start
time lists.
4. Click Save.
10-4
Scanning Exchange Servers for Viruses,

Malware, and Other Threats
Manual and scheduled scanning on the Microsoft Exchange server is similar to
traditional hard drive antivirus scanning. However, Client Server Messaging
Security, unlike traditional antivirus scanners, can support the Microsoft Exchange
database format, and can scan files and documents stored on Exchange servers.
You can run a manual scan to ensure that Client Server Messaging Security scans all
messages in the Information Store once. Completely scanning the Information Store
in this way minimizes the chance of infections from unexpected sources such as
unprotected mail servers or improper configurations. Manual scanning scans the
entire Information Store by default.
If you begin a manual scan when a scheduled scan is running, the scheduled scan is
interrupted. The scheduled scan aborts, but runs again according to its schedule.
You can perform virus scanning, attachment blocking, and content filtering through
manual scanning. These filters are similar to those used during real-time scanning,
except some actions are not available during manual or scheduled scanning.
To configure Manual or Scheduled Scans for Exchange servers:
1. Click Scans > Manual Scan or Scheduled Scan to open the Scan screen.
2. Select the Exchange server(s) to scan.
See File Types Eligible for Scanning on page 8-5 for more detailed information.
3. Optional: Set the scanning options by clicking the Exchange server name.
To learn more about configuring scan options for Exchange servers see Trend
Micro Default Scan Settings on page 8-3, or the Getting Started Guide.
4. Click Scan Now to run a Manual Scan or click Save to save the Scheduled Scan
settings.
To set a time for Scheduled Scans:
1. Click Scans > Scheduled Scan to open the Scheduled Scan screen.
2. Click the Schedule tab. A table displaying a list of all scannable clients appears.
10-5
• Daily – Click to perform Scheduled Scan every day

• Weekly, every – Click to perform a Scheduled Scan once a week. You must
select a day from the list and a start time. The time selected is the time that
Client/Server Security will perform the scan.
• Monthly, on day – Click to perform a Scheduled Scan once a month. You
must select a date from the list and a start time.
Regardless of the selection, specify when to start scheduled updates in the Start
time lists.
4. Click Save.
Tip: Trend Micro recommends that you do not schedule a scan to run at the same time as
you set for a scheduled update. This may cause the scheduled scan to stop
unexpectedly. Similarly, if you begin a manual scan when a scheduled scan is
running, the scheduled scan is interrupted. The scheduled scan aborts, but
runs again according to its schedule.
Note: To disable Scheduled Scan, deselect all options for the specific desktop, server, or
Exchange server, and click Save.
Completely scanning the Information Store in regularly scheduled scans minimizes

the chance of infections from unexpected sources such as unprotected mail servers or
improper configurations. Scheduled scanning scans the entire Information Store by
default.
Note: When running manual or scheduled scan, you may see the message message from
"" [total 0 recipient(s)] on the real-time monitor page. These are mail
scan logs for Exchange System Mails.
Tip: Trend Micro recommends that you set Client Server Messaging Security to run
scheduled scans at regular intervals for optimal protection of your desktops, servers,
or Exchange Information Store.
10-6
Chapter 11
Updating Components
This chapter explains how to use and configure Manual and Scheduled Updates.
• Choosing an Update Source on page 11-2
• Updating Components on page 11-2
• Updating the Trend Micro Security Server on page 11-4
• Manual and Scheduled Updates on page 11-4
• Setting the Update Source for the Trend Micro Security Server on page 11-6
• Default Update Times on page 11-7
• Using Update Agents on page 11-8
• Rolling Back Components on page 11-10
11-1
Choosing an Update Source

When choosing the location(s) from where to update clients, consider the bandwidth
of the sections of your network that are between clients and the update source(s). The
following table describes different component update options and recommends when
to use them:
TABLE 11-1. Update Source Options
Update Option Description Recommendation
ActiveUpdate server > The Trend Micro Security Use this method if there are
Trend Micro Security Server Server receives updated no sections of your network
> clients. components from the between the Trend Micro
ActiveUpdate server (or Security Server and clients
other update source) and you identify as
deploys them directly to ’low-bandwidth’.
clients.
ActiveUpdate server > The Trend Micro Security Use this method to balance
Trend Micro Security Server Server receives updated the traffic load on your
> Update Agents > clients components from the network if there are sections
ActiveUpdate server of your network between the
(or other update source) Trend Micro Security Server
and deploys them and clients you identify as
directly to Update Agents, ’low-bandwidth’.
which deploy the
components to clients.
ActiveUpdate Update Agents receive Use this method only if you
server > Update updated components are experiencing problems
Agents > clients directly from the updating Update Agents
ActiveUpdate server (or from the Trend Micro
other update source) and Security Server or from
deploy them to other Update Agents.
clients. Under most circumstances,
Update Agents receive
updates faster from the
Trend Micro Security Server
or from other Update Agents
than from an external
update source.
Updating Components
To ensure that your clients stay protected from the latest virus threats and other
malicious code, you need to update the Client Server Messaging Security
components regularly. To view details about the components that Client Server
11-2
Updating Components
Messaging Security uses to protect your clients see Client Server Messaging Security
Updateable Components on page 2-5.
Configure the Trend Micro Security Server to download Client Server Messaging
Security components from the Trend Micro ActiveUpdate server. After the server
downloads any available updates, it automatically deploys these to the clients.
Client Server Messaging Security provides two methods for updating your
components:
• Update your components manually
• Update your components based on a schedule
For information on how to update your components, see To update the Trend Micro
Security Server components: on page 11-5.
For information on how to set a schedule for updates, see To set a schedule to check
for updated components: on page 11-6.
If you use a proxy server to connect to the Internet, make sure you properly configure
your proxy settings to download updates successfully. For information on how to
configure your proxy settings, see Internet Proxy Options on page 14-2.
TABLE 11-2. Updatable Components
Component Sub-component
Antivirus • Virus pattern

• Virus scan engine 32-bit
• Virus cleanup template
• Virus cleanup engine 32-bit
• Messaging security agent scan engine
• IntelliTrap exception pattern
• IntelliTrap pattern
Anti-spyware • Spyware scan engine 32-bit

• Spyware scan engine 64-bit
• Spyware pattern
• Spyware active-monitoring pattern
• Anti-rootkit driver 32-bit
11-3
TABLE 11-2. Updatable Components
Component Sub-component
Anti-spam • Anti-spam pattern for Messaging Security Agent

• Anti-spam engine for Messaging Security Agent
Outbreak Defense • Vulnerability pattern
Network Virus • Common firewall pattern

• Common firewall engine 32-bit
Updating the Trend Micro Security Server

To help ensure that computers and servers on your network stay protected against the
latest threats, regularly update the Client Server Messaging Security components.
Do the following to configure Trend Micro Security Server to perform updates:
1. Configure the Trend Micro Security Server for manual or scheduled updates.
2. Select an update source.
3. Use Desktop Privileges to configure update options for clients running the
Client/Server Security Agent and/or the Messaging Security Agent.
Manual and Scheduled Updates
Manual Updates
Trend Micro recommends updating the server manually immediately after deploying
the Client/Server Security Agent and whenever there is a virus outbreak.
Scheduled Updates
Configure the Trend Micro Security Server to regularly check its update source and
automatically download any available updates. Because clients normally get updates
from the Trend Micro Security Server, using automatic scheduled update is an easy
11-4
Updating Components
and effective way of ensuring that your protection against viruses is always current.
Because setting Scheduled updates is similar to setting Manual updates, both
procedures will be combined here. An additional section for setting an update time
will follow.
Note: As soon as the Trend Micro Security Server receives updated components, they are
automatically deployed to clients.
To update the Trend Micro Security Server components:

1. On the main menu, click Updates > Manual or Scheduled. The Update screen
appears.
FIGURE 11-1. Manual Update Screen
2. Under components section, select the components to update.

To update all components, select the Components check box.
3. Click Update Now to Manually update the components, or click Save if setting a
Scheduled update.
11-5
Note: After the server downloads the updated components, it then automatically deploys
them to clients.
To set a schedule to check for updated components:

1. Click Updates > Scheduled to open the Scheduled Update screen.
2. Click the Schedule tab.
• Hourly – Click to perform an update every hour
• Daily – Click to perform an update every day
• Weekly, every – Click to perform an update once a week. You must select a
day from the list and a start time. The time selected is the time that
Client/Server Security will check for and download updated components.
• Monthly, on day – Click to perform an update once a month. You must select
a date from the list and a start time.
Regardless of the selection, specify when to start scheduled updates in the Start
time lists.
4. Click Save.
Setting the Update Source for the Trend Micro

Security Server
Choose from where and how Trend Micro Security Server receives its updates.
Set up an update source for the Trend Micro Security Server:
1. From the main menu, click Updates > Source. The Update Source screen
appears.
11-6
Updating Components
FIGURE 11-2. Update Source Screen
2. From the Download updates from section, choose from where to download
updates:
• Trend Micro ActiveUpdate server
• An intranet location containing a copy of the current file
• An other update source.
3. Click Save.
Default Update Times

By default Client Server Messaging Security downloads components from the Trend
Micro ActiveUpdate server under the following circumstances:
• When you install the product for the first time, all of components for the Security
Server and client computers are immediately updated from the Trend Micro
ActiveUpdate server.
• Whenever the Client Server Messaging Security master service is started, the
Security Server updates the Outbreak Defense policy.
• By default, Scheduled Updates run every hour to update the Security Server.
11-7
• To ensure that client computers stay up-to-date, CSA runs a scheduled update
every 8 hours.
The Trend Micro recommended settings for component updates provide reasonable
protection to small and medium-sized business. If necessary, you can run Manual
updates or modify the Scheduled updates.
Trend Micro updates the scan engine or program generally only during the release of
a new Client Server Messaging Security version. However, Trend Micro releases
pattern files every day to keep your client virus protection current.
Using Update Agents

If you identify sections of your network between clients and the Trend Micro
Security Server as "low-bandwidth" or "heavy traffic", you can specify Client/Server
Security Agent clients to act as update sources (Update Agents) for other clients. This
helps distribute the burden of deploying components to all clients.
For example, if your network is segmented by location, and the network link between
segments experiences a heavy traffic load, Trend Micro recommends allowing at
least one client on each segment to act as an Update Agent.
To allow one or more clients to act as Update Agents:
1. On the main menu, click Updates > Source. The update source screen appears.
2. Click the Security Agents tab.
3. Under the Assign Update Agent(s) section, click Add. The Add an Update Agent
screen appears.
4. From the Select Security Agent(s)... list box, select one or more Client/Server
Security Agent clients to act as Update Agents.
5. Click Save.
Note: Unless specified in the Alternative Update Source section, all Update Agents receive
their updates from the Trend Micro Security Server.
11-8
Updating Components
To allow CSAs to get their updates from an alternative update source:

3. Under the Alternative Update Source section, select Enable Alternative Update
Sources.
4. [Optional]—Select Always update from Security Server for Update Agents.
Note: If this option is selected, the Update Agents will download updates from the
Trend Micro Security Server even if their IP address falls within one of the
ranges specified in the Add an Alternative Update Source screen. In order for
this option to work, Enable Alternative Update Sources must be selected.
5. Click Add. The Add an Alternative Update Source screen appears.

6. Enter a range of IP addresses. Security Agents with IP addresses that fall within
this range will receive their updates from the update source you specify:
a. IP from—Type the first IP address in the range.
b. IP to—Type the last IP address in the range.
Note: To specify a single Security Agent, enter the Security Agent’s IP address in both
the IP from and IP to fields.
7. Select an update source:

• Update Agent—Select an Update Agent as a source for updates.
- or -
• Specified—Specifiy a path to an update source.
8. Click Save.
Note: Security Agents not specified will automatically receive their updates from the
Trend Micro Security Server.
11-9
To stop Security Agents from acting as Update Agents:

3. Under the Computer Name column, select the clients that you no longer wish to
act as Update Agents.
4. Click Remove.
To stop Security Agents from receiving updates from alternative update
sources:
3. Under the IP Range column, select one or more of the IP address range(s).
4. Click Remove.
Rolling Back Components

Rolling back refers to reverting to the previous version of a virus pattern file or scan
engine. If the pattern file or scan engine that you are using is not functioning
properly, roll back these components to their previous versions.
Note: You can roll back only the virus pattern file and scan engine. No other components
can be rolled back.
The Security Server uses the following scan engines:

You need to roll back these types of scan engines separately. The rollback procedures
for both types of scan engines are the same. The Trend Micro Security Server retains
only the current and the previous versions of the scan engine and the last five pattern
files.
11-10
Updating Components
To roll back the pattern file or scan engine:

1. On the menu, click Updates > Rollback. The Rollback screen appears showing
the current versions of your virus pattern file and scan engine, and the previous
versions of these components, if any.
2. Click Synchronize with Server under the appropriate section.
3. Click Back to return to the original Rollback screen.
4. If an older version pattern file exists on the server, you can roll back both the
client and the server. Click Rollback server and agents. The Rollback screen
appears.
11-11
11-12
Chapter 12
Viewing and Interpreting Logs

This chapter describes how to use Client Server Messaging Security logs and reports
to monitor your system and analyze your protection.
• Viewing and Interpreting Logs on page 12-2
• Management Console Event Logs on page 12-2
• Desktop/Server Logs on page 12-2
• Exchange Server Logs on page 12-3
• Using Log Query on page 12-3
• Creating One-time Reports on page 12-6
• Deleting One-time Reports on page 12-7
• Scheduling Reports on page 12-7
• Deleting Scheduled Reports on page 12-9
• Editing Scheduled Reports on page 12-9
• Maintaining Logs and Reports on page 12-10
12-1

Client Server Messaging Security keeps comprehensive logs about virus and spyware
incidents, events, and updates. This section contains a list of the different logs. Use
these logs to assess your organization's virus protection policies and to identify
clients that are at a higher risk of infection. Also, use these logs to verify that updates
have been deployed successfully.
Note: Use spreadsheet applications, such as Microsoft Excel, to view CSV log files.
Client Server Messaging Security maintains logs under the following categories:
• Management console event logs
• Desktop/Server logs
• Exchange server logs
Management Console Event Logs

Each type of log contains different information.
• Manual scan log
• Update log
• Outbreak Defense event log
• Console event log
Desktop/Server Logs
• Virus log
• Spyware log
• Update log
• Network virus log
• Outbreak Defense log
• Event log
12-2
Exchange Server Logs

• Virus log
• Attachment blocking log
• Content filtering log
• Update log
• Backup log
• Archive log
• Outbreak Defense log
• Scan event log
Using Log Query

This section describes how to use the Log Query screen to view log information.
TABLE 12-1. Log Type and Content
Type (event or item that

generated the log entry) Content (type of log to obtain content from)
Management console events • Manual scan

• Update
• Outbreak Defense events
• Console events
Desktop/Server • Virus logs

• Manual scan
• Real-time scan
• Scheduled scan
• DCS scan
• Spyware logs
• Manual scan
• Real-time scan
• Scheduled scan
• Update logs
• Network virus logs
• Outbreak Defense logs
• Event logs
12-3
TABLE 12-1. Log Type and Content
Type (event or item that Content (type of log to obtain content from)
generated the log entry)
Exchange server • Virus logs

• Attachment blocking logs
• Content filtering logs
• Update logs
• Backup logs
• Archive logs
• Outbreak Defense logs
• Scan events logs
Client Server Messaging Security records log entries for many different events. Use
log query to view the different logs.
Note: An MSA sends its logs to the Security Server every five minutes (not as soon as the
logs are generated). This time interval between log generation and log sending helps
keep network traffic between the client and the server to a minimum.
12-4
To view virus logs:

1. On the main menu, click Reports > Log Query. The Log Query screen appears.
FIGURE 12-1. Default Log Query Screen
2. Under Time Range, select All dates or select Specified range and type a range
of dates.
3. Under Type, select from one of the following:
• Management console events
• Desktop/Server
• Exchange Server
Note: The items displayed in the Content list will depend on the Type selected
4. Under Content, select the type of log to view.

5. To view the log, click Display Logs. The appropriate log screen appears.
6. To save the log as a comma-separated value (CSV) data file, click Export. Use a
spreadsheet application to view CSV data files.
12-5
Creating One-time Reports

This section describes how to create a One-time report.
To create a One-time report:
1. From the main menu, click Reports > One-time Reports, the One-time
Reports screen appears. From the One-time reports toolbar, click New Report
icon, the New Report screen appears.
FIGURE 12-2. Create One-time Report Screen
2. Type a report name in the Report name text box.

3. Under the Time Range section, type the dates in the From and To that you want
the report to include.
4. Under the Content section, to create a report that lists all the different Threat
events, select the Select All check box. To receive information on specific
threats, select the appropriate check box.
5. Under the Send Report section, select the Send report to check box, and then
type the email addresses to which you want to send the report.
6. Click Generate.
12-6
Deleting One-time Reports

This section describes how to delete a One-time report.
To delete a One-time report:
1. From the main menu, click Reports > One-time Reports, the One-time
Reports screen appears.
2. Select the report to be deleted.
3. From the One-time reports toolbar, click the Delete icon, a message box will
appear, verifying the request to delete the report.
4. Click Yes. The report no longer appears in the One-time report screen.
Scheduling Reports
This section describes how to create reports using the Scheduled report screen.
To schedule reports:
1. From the main menu, click Reports > Scheduled Reports, the Scheduled
Reports screen appears. From the Scheduled reports toolbar, click Add, the Add
screen appears.
12-7
FIGURE 12-3. Create Scheduled Report Screen
2. Enter a report name in the Report name text box.

3. Under the Schedule section, select Daily to create a report on a daily basis, or
choose Weekly and select a day of the week to generate the report. Select
Monthly and enter a day of the month to generate the report on a monthly basis.
For daily, weekly, and monthly reports, the time of day to generate must be
selected.
6. Click Generate.
12-8
Deleting Scheduled Reports

This section describes how to delete a Scheduled report.
To delete a Scheduled report:
2. Select the report(s) to be deleted.
3. From the Scheduled reports toolbar, click Delete. A message box will appear,
verifying the request to delete the report.
4. Click Yes. The report no longer appears in the Scheduled Report screen.
Editing Scheduled Reports

This section describes how to edit a Scheduled report.
To edit a Scheduled report:
2. Select the report(s) to be edited.
3. From the Scheduled reports toolbar, click the name of the report. The Edit
Report Settings screen appears.
4. Select Enable this report if not already selected.
5. Enter a report name in the Report name text box.
6. Under the Schedule section, select Daily to create a report on a daily basis, or
choose Weekly and select a day of the week to generate the report. Select
Monthly and enter a day of the month to generate the report on a monthly basis.
For daily, weekly, and monthly reports, the time of day to generate must be
selected.
12-9
9. Click Save.
Maintaining Logs and Reports

This section describes how to maintain Logs and Reports using the Maintenance
screen.
Maintenance - Reports
To conserve disk space on the server, specify the maximum number of reports to
keep.
To set the maximum number of reports to keep:
1. On the main menu, click Reports > Maintenance. The Maintenance screen
appears.
FIGURE 12-4. Reports Maintenance Screen
2. Select the Reports tab, the main body changes to display the Reports >
Maintenance screen.
3. Under Maximum Reports to Keep, enter a number between 1 and 100 for each
type of report listed.
4. Click Save.
12-10
Maintenance - Logs
To conserve disk space on the server, delete logs manually or schedule regular
deletion times.
To set up auto log deletion:
appears.
2. Select Auto Log Deletion. The Auto Log Deletions options appear.
FIGURE 12-5. Auto Log Deletion Screen
3. Under Log Type, select the types of logs to delete.

4. Under the Delete Logs Older Than column, type a value for number of days
after which time Client/Server Security or Client Server Messaging Security will
delete the specified log.
5. Click Save to save the auto log deletion options.
To delete logs manually:
appears.
12-11
2. Select Manual Log Deletion. The Manual Log Deletion options appear.
FIGURE 12-6. Manual Log Deletion Screen
3. Under the Delete Logs Older Than column, type a value for number of days
after which time Trend Micro Security Server will delete the specified log.
4. Click Delete to delete the selected log immediately.
5. Click Save to save the manual log deletion options.
12-12
Chapter 13
Working with Notifications

When Client Server Messaging Security logs a significant threat or system event, it
displays the results in the Live Status screen. You can set Client Server Messaging
Security to send Notifications whenever these events happen. In addition, you can
customize the parameters that trigger both notification and the Live Status display.
• Configuring Event Notifications on page 13-2
• Event Types on page 13-2
• Notification Method Settings on page 13-4
13-1
Configuring Event Notifications

Send notifications to yourself or other administrators in your organization whenever
Client Server Messaging Security detects that any of the following events have taken
place.
Event Types
Threat Events:
• Outbreak Defense – An alert activated, or highly critical vulnerabilities detected
• Antivirus – Viruses detected on clients, servers, or Exchange server exceeds a
certain number, actions taken against viruses are unsuccessful, Real-time scan
disabled on clients, servers, or Exchange server
• Anti-spyware – Spyware detected on clients and servers, including those that
required the infected client to be restarted to completely remove the spyware
threat. You can also configure the spyware notification threshold, that is, the
number of spyware incidents detected within the specified time period (default is
one hour).
• Anti-spam – Spam occurrences exceed a certain percentage of total email
messages
Note: The Anti-spam option is only available with Client Server Messaging Security.
• Network Virus – Network viruses detected exceeds a certain number

System Events:
• License – Product license expires, seat count usage more than 80%, or seat count
usage more than 100%
• Component update – Last time components updated exceeds a certain number of
days or updated components not deployed to clients quick enough
• Unusual system events – Disk space reaching dangerously low levels
To have Client/Server Security send notifications for the different events, do the
following:
1. On the main menu, click Preferences > Notifications. The Notifications screen
appears.
13-2
FIGURE 13-1. Notifications – Events Screen
Note: The Anti-spam option will only appear if Client Server Messaging Security is
installed.
2. To receive notification of any threat event occurrence, select the Type check box
under the Threat Events section.
To receive notification of specific threat event occurrences, select any of the
following:
• Outbreak Response
• Antivirus
• Anti-spyware
• Anti-spam
• Network Virus
3. To receive notification of any system event occurrences, select the Type check
box under the System Events section. The possible system events are:
• License expiration
13-3
• Component update
• System unusual events
4. Click Save.
Notification Method Settings

To ensure that recipients receive the notifications, Client Server Messaging Security
provides multiple options for sending notifications. Send notifications using the
following methods:
• Email
• SNMP trap
• Windows Event Log
To configure the different notification sending options:
1. On the main menu, click Preferences > Notifications. Click the Settings tab.
The main frame changes to display the different notification sending options.
FIGURE 13-2. Notification – Schedule Screen
13-4
To send notifications using email:

1. Under Email Notification, in the From field, type the email address of the
Security Server.
2. Under Email Notification, in the To field, type the email address(es) of
notification recipients. Separate multiple email addresses with a semicolon.
3. Click Save.
To send notifications using SNMP Notification:
1. Select Enable SNMP Notifications
2. Type the IP address for SNMP trap notifications and the community name.
3. Click Save.
To send notifications using the Windows event log:
1. Select the Write to Windows event log check box.
2. Click Save to save the settings.
Note: Use one or all of the previous methods to send notifications
13-5
13-6
Chapter 14
Configuring Global Settings

This chapter explains how to use Global Settings.
• Internet Proxy Options on page 14-2
• SMTP Server Options on page 14-3
• Desktop/Server Options on page 14-4
• System Options on page 14-8
14-1
Internet Proxy Options

If your network uses a proxy server to connect to the Internet, you must configure the
Internet proxy settings in order to accomplish the following tasks:
• Download updates from the Trend Micro ActiveUpdate server
• View product license information
• Participate in the World Virus Tracking program
To set the Internet Proxy:
1. On the main menu, click Preferences > Global Settings.
2. Select the Proxy tab and the main frame changes to display proxy configuration
options.
FIGURE 14-1. Global Settings – Proxy Server Settings Screen
3. Select the Use a proxy server for updating components, product license
notifications, and World Virus Tracking check box.
4. Type the address of the proxy server and its port number.
• If the proxy server uses version 4 or 5 of the SOCKS protocol to handle
Transmission Control Protocol (TCP), select the Use SOCKS 4/5 proxy
protocol check box.
14-2
5. If the proxy server requires a password, type your user name and password in the
fields provided.
6. Click Save.
SMTP Server Options

The SMTP Server settings apply to all notifications and reports generated by the
To set the SMTP server:
1. On the main menu, click Preferences > Global Settings. The Global Settings
screen appears.
2. Select the SMTP tab and the main frame changes to display SMTP configuration
options.
FIGURE 14-2. Global Settings – SMTP Server Settings Screen
3. Type the IP address or name of the SMTP server.

4. Type the port number of the SMTP server.
5. Click Save.
14-3
Desktop/Server Options
The Global Settings > Desktop/Server screen contains the following configurable
items.
• General Scan Settings on page 14-5
• Virus Scan Settings on page 14-6
• Spyware/Grayware Scan Settings on page 14-6
• Alert Settings on page 14-7
• Approved List for Network Virus Scanning on page 14-7
• Watchdog Settings on page 14-7
• Agent Uninstallation on page 14-7
• Agent Unloading on page 14-8
To set the Desktop/Server options:
screen appears.
2. Select the Desktop/Server tab and the main frame changes to display global
desktop/server settings options.
14-4
FIGURE 14-3. Global Settings – Desktop/Server Settings Screen
3. Select the options you would like to enable.

4. Enter additional details as needed.
5. Click Save.
The following sections describe the options that you can configure on the
Desktop/Server tab.
General Scan Settings

• Exclude Security Server database folder from real-time scan – Select this
check box to prevent Client Server Messaging Security from scanning its own
database during Real-time Scans only
Note: By default, Client Server Messaging Security does not scan its own database. Trend
Micro recommends preserving this selection to prevent any possible corruption of the
database that may occur during scanning.
14-5
• Exclude Microsoft Exchange server folder when installed on Microsoft

Exchange server – Select this check box to skip scanning of Microsoft Exchange
folders when CSA is installed on the server
• Exclude Microsoft Domain Controller folders – Select this check box to skip
scanning of Domain Controller folders when CSA is installed on the server
Virus Scan Settings

• Configure scan settings for large compressed files – Select this check box to
specify which compressed files the Client/Server Security Agent will skip based on
the size of each extracted file or number of files contained within the compressed
file
• Clean compressed files – Select this check box if you want to clean compressed
files
• Scan up to { } OLE layer(s) – Select this check box if you want your clients to
scan Object Linking and Embedding (OLE) layers and then specify how many
layers to scan. OLE allows users to create objects with one application and then
link or embed them in a second application.
• Add Manual Scan to the Windows shortcut menu on clients – Select this check
box if you want to create a link to a client's shortcut menu. Using the Scan with
Client/Server Security Agent link on the shortcut menu allows users to scan files
and folders by just right clicking a file or folder on the Windows desktop or in
Windows Explorer.
Spyware/Grayware Scan Settings

• Scan for cookies– Select this check box to scan for and remove tracking cookies
that have been downloaded to clients and servers from visited Web sites. Detected
tracking cookies are added to the spyware counter on the Live Status page.
Note: By default, Client Server Messaging Security does not scan its own database. Trend
Micro recommends preserving this selection to prevent any possible corruption of the
database that may occur during scanning.
• Count cookie into spyware log – Select this check box to record each detected
spyware cookie to the spyware log
14-6
Alert Settings
• Show the alert icon on the Windows taskbar if the virus pattern file is not
updated after { } days – Select this check box if you want to display the alert icon
on your clients when the pattern file is outdated and select a number from the list.
Approved List for Network Virus Scanning

• Enable approved list for network virus scanning – Select this if you want to
enable the approved list for network scanning to keep trusted computer(s) from
being identified as network viruses.
• IP address – Enter the IP address of the computer you would like to add to the
approved list, and click Add.
Watchdog Settings
• Enable the Client/Server Security Agent watchdog service – Select this check
box if you want to enable the CSA watchdog service.
• Check client status every {} minutes – Choose how often the watchdog service
should check client status.
• If the client cannot be started, retry {} times – Choose how many times the
watchdog service should attempt to restart the Client/Server Security Agent.
• Enable anti-hacking mode – Select this check box to enable anti-hacking mode.
Tip: Trend Micro recommends enabling the client watchdog service to help ensure that the
Client/Server Security Agent is protecting your client computers. If the Client/Server
Security Agent unexpectedly terminates, which could happen if the client is under
attack from a hacker, the watchdog service restarts the Client/Server Security Agent.
Agent Uninstallation
• Allow the client user to uninstall Client/Server Security Agent – Choose this
option if you want to allow client user to remove the CSA without supplying a
password.
• Require a password for the client user to uninstall Client/Server Security
Agent – Choose this option if you want to require the client user to supply a
password before uninstalling the CSA.
14-7
Agent Unloading
• Allow the client user to unload Client/Server Security Agent – Choose this
option if you want to allow client user to unload the CSA without supplying a
password.
• Require a password for the client user to unload the Client/Server Security
Agent – Choose this option if you want to require the client user to supply a
password before unloading the CSA.
System Options
The System section of the Global Settings screen contains the following configurable
items.
• Remove Inactive Client/Server Security Agents
• Connection Verification
• Quarantine Maintenance
To set the System options:
screen appears.
2. Select the System tab and the main frame changes to display global system
settings options.
14-8
FIGURE 14-4. Global Settings – System Settings Screen
3. Select the options you would like to enable.

4. Enter additional details as needed.
5. Click Save.
The following sections describe the options that you can configure on the System
Settings screen.
Removing Inactive Client/Server Security Agents

When you use the Client/Server Security Agent (CSA) uninstallation program to
remove the CSA program from a computer, the program automatically notifies the
Security Server. When the Security Server receives this notification, it removes the
client icon from the Security Groups Tree to show that the client does not exist
anymore.
However, if the CSA is removed using other methods, such as reformatting the
computer hard drive or deleting the client files manually, the Security Server will not
14-9
be aware of the removal and it will display the CSA as inactive. If a user unloads or
disables the client for an extended time, the Security Server also displays the CSA as
inactive.
To have the Security Groups Tree only display active clients, you can configure the
Security Server to remove inactive CSAs from the Security Groups Tree
automatically.
To enable the automatic removal of inactive CSAs, configure the following options:
• Enable automatic removal of inactive Client/Server Security Agent – Select
this option to enable the automatic removal of clients that have not made contact
with the Security server for a specific number of days.
• Automatically remove a Client/Server Security Agent if inactive for {} days –
Choose the number of days that a client is allowed to be inactive before it is
removed from the Security Dashboard.
Verifying Client-Server Connectivity

Client Server Messaging Security represents the client connection status in the
Security Groups Tree using icons. However, certain conditions may prevent the
Security Groups Tree from displaying the correct client connection status. For
example, if the network cable of a client is accidentally unplugged, the client will not
be able to notify the Trend Micro Security Server that it is now offline. This client
will still appear as online in the Security Groups Tree.
You can verify client-server connection manually or by schedule from the Security
Dashboard.
Note: Verify Connection does not allow the selection of specific groups or clients. It verifies
the connection to all clients registered with the Trend Micro Security Server.
You can perform verification of client-server connection automatically and manually

by configuring the following options:
• Enable scheduled verification – Select this check box to enable scheduled
verification of client-security server communication.
• Verify Now – Click this if you want to instantly test for client-security server
connectivity.
14-10
Maintaining the Quarantine Folder

Whenever a client detects an Internet threat in a file and the scan action for that type
of threat is quarantine, the Client/Server Security Agent program encrypts the
infected file, places it in the Client/Server Security Agent’s suspect folder, and sends
it to the Trend Micro Security Server quarantine folder. Client Server Messaging
Security encrypts the infected file to prevent it from infecting other files.
The default location of Client/Server Security Agent suspect folder is as follows:
C:\Program Files\Trend Micro\Client Server Security Agent\SUSPECT
The default location of Trend Micro Security Server quarantine folder is as follows:
C:\Program Files\Trend Micros\Security Server\PCCSRV\Virus
Note: If the client is unable to send the encrypted file to the Trend Micro Security Server for
any reason, such as network connection problems, the encrypted file remains in the
client’s suspect folder. The client attempts to resend the file when it reconnects to the
For more information on configuring scan settings, or changing the location of the
quarantine folder, see Virus Scan Settings on page 14-6.
From the Global Settings screen, you can configure the capacity of the quarantine
folder and the maximum individual file size for every infected file that can be stored
in it.
To following options are available to help you manage the quarantine folder:
• Quarantine folder capacity – Type an amount in MB for the capacity of the
Quarantine folder.
• Maximum size for a single file – Type an amount for the size of single folder
stored in the Quarantine folder.
• Delete All Quarantined Files – Click this to delete all files in the Quarantine
folder instantly.
14-11
14-12
Chapter 15
Using Administrative and Client Tools

This chapter explains how to use the Administrative and Client tools that come with
Client Server Messaging Security.
• Tool Types on page 15-2
• Summary of Tools on page 15-2
• Administrative Tools on page 15-3
• Client Tools on page 15-8
15-1
Tool Types
Client Server Messaging Security includes a set of tools that can help you easily
accomplish various tasks, including server configuration and client management.
These tools are classified into two categories:
• Administrative tools – Developed to help configure the Trend Micro Security
Server and manage clients
• Client tools – Developed to help enhance the performance of the Client/Server
Security Agent program
Summary of Tools
Refer to Table Note: for a complete list of tools included in this version of
Client/Server Security
Note: Some tools available in previous versions of Client/Server Security are not
available in this version. If you require these tools, contact technical support.
TABLE 15-1. Client Server Messaging Security Tools
Administrative Tools Client Tools
Login Script Setup: automate the installation Client Packager (ClnPack.exe): create a
of the Client/Server Security Agent program self-extracting file containing the
Client/Server Security Agent program and
components
Vulnerability Scanner (TMVS.exe): search Restore Encrypted Virus (VSEncode.exe):

for unprotected computers on your network open infected files that Client Server
Messaging Security encrypted
Touch Tool (TmTouch.exe): change the time

stamp on a hot fix to automatically redeploy it
15-2
TABLE 15-1. Client Server Messaging Security Tools
Administrative Tools Client Tools
Client Mover Tool (IPXfer.exe): transfer

Client/Server Security Agent from one
Security Server to another. Source and
destination servers must be running the
same Client Server Messaging Security
version and operating system language.
Note: You cannot run these tools from the Security Dashboard. For instructions on how
to run the tools, see the relevant section below.
Administrative Tools
This section contains information about the following Client/Server Security
administrative tools:
Login Script Setup

With Login Script Setup, you can automate the installation of the Client/Server
Security Agent to unprotected computers when they log on to the network. Login
Script Setup adds a program called autopcc.exe to the server login script. The
program autopcc.exe performs the following functions:
• Determines the operating system of the unprotected client computer and installs the
appropriate version of the Client/Server Security Agent
• Updates the virus pattern file and program files
For instructions on installing clients, see the Client/Server Security Agent online
help.
15-3
Vulnerability Scanner
Use Vulnerability Scanner to detect installed antivirus solutions and to search for
unprotected computers on your network. To determine if computers are protected,
Vulnerability Scanner pings ports that are normally used by antivirus solutions.
Vulnerability Scanner can perform the following functions:
• Perform a DHCP scan to monitor the network for DHCP requests so that when
computers first log on to the network, Vulnerability Scan can determine their status
• Ping computers on your network to check their status and retrieve their computer
names, platform versions, and descriptions
• Determine the antivirus solutions installed on the network. It can detect Trend
Micro products (including OfficeScan, ServerProtect for Windows NT and Linux,
ScanMail for Microsoft Exchange, InterScan Messaging Security Suite, and
PortalProtect) and third-party antivirus solutions (including Norton AntiVirus
Corporate Edition v7.5 and v7.6, and McAfee VirusScan ePolicy Orchestrator).
• Display the server name and the version of the pattern file, scan engine and
program for OfficeScan and ServerProtect for Windows NT
• Send scan results via email
• Run in silent mode (command prompt mode)
• Install the Client/Server Security Agent remotely on computers running Windows
Vista/2000/XP (Professional only)/Server 2003 (R2)
You can also automate Vulnerability Scanner by creating scheduled tasks. For
information on how to automate Vulnerability Scanner, see the TMVS online help.
To run Vulnerability Scanner on a computer other than the server, copy the TMVS
folder from the \PCCSRV\Admin\Utility folder of the server to the computer.
Note: You cannot install the Client/Server Security Agent with Vulnerability Scanner if the
server component of Client/Server Security is present on the same machine.
Vulnerability Scanner does not install the Client/Server Security Agent on a machine
already running the server component of Client Server Security.
To configure Vulnerability Scanner:

1. In the drive where you installed the server component of Client/Server Security,
open the following directories: Client/Server Security > PCCSRV >Admin >
15-4
Utility > TMVS. Double-click TMVS.exe. The Trend Micro Vulnerability

Scanner console appears.
3. In the Product Query box, select the products that you want to check for on your
network. Select the Check for all Trend Micro products to select all products.
If you have Trend Micro InterScan and Norton AntiVirus Corporate Edition
installed on your network, click Settings next to the product name to verify the
port number that Vulnerability Scanner will check.
4. Under Description Retrieval Settings, click the retrieval method that you want
to use. Normal retrieval is more accurate, but it takes longer to complete.
If you click Normal retrieval, you can set Vulnerability Scanner to try to
retrieve computer descriptions, if available, by selecting the Retrieve computer
descriptions when available check box.
5. To send the results to you or other administrators automatically, under Alert
Settings select the Email results to the system administrator check box, and
then, click Configure to specify your email settings.
a. In To, type the email address of the recipient.
b. In From, type your email address. This will let the recipient know who sent
the message, if you are not only sending it to yourself.
c. In SMTP server, type the address of your SMTP server. For example, you
can type smtp.company.com. The SMTP server information is required.
d. In Subject, type a new subject for the message or accept the default subject.
Click OK to save your settings.
6. To display an alert on unprotected computers, select the Display alert on
unprotected computers check box. Then, click Customize to set the alert
message. The Alert Message screen appears. You can type a new alert message
or accept the default message. Click OK.
7. To save the results as a comma-separated value (CSV) data file, select the
Automatically save the results to a CSV file check box. By default, CSV data
files are saved to the TMVS folder. If you want to change the default CSV folder,
click Browse. The Browse for folder screen appears. Browse for a target folder
on your computer or on the network and then click OK.
15-5
8. You can enable Vulnerability Scanner to ping computers on the network to get
their status. Under Ping Settings, specify how Vulnerability Scanner will send
packets to the computers and wait for replies. Accept the default settings or type
new values in the Packet size and Timeout text boxes.
9. To remotely install the client component of Client/Server Security and send a log
to the server, type the server name and port number. If you want to remotely
install the client component of Client/Server Security automatically, select the
Auto-install Client/Server Security Client for unprotected computer check
box.
10. Click Install Account to configure the account. The Account Information
screen appears.
11. Type the user name and password and click OK.
12. Click OK to save your settings. The Trend Micro Vulnerability Scanner
console appears.
To run a manual vulnerability scan on a range of IP addresses:
1. Under IP Range to Check, type the IP address range that you want to check for
installed antivirus solutions and unprotected computers. Note that the
Vulnerability Scanner only supports class B IP addresses.
2. Click Start to begin checking the computers on your network. The results are
displayed in the Results table.
To run Vulnerability Scanner on computers requesting IP addresses from a
DHCP server:
1. Click the DHCP Scan tab in the Results box. The DHCP Start button appears.
2. Click DHCP Start. Vulnerability scanner begins listening for DHCP requests
and performing vulnerability checks on computers as they log on to the network.
To create scheduled tasks:
1. Under Scheduled Tasks, click Add/Edit. The Scheduled Task screen appears.
2. Under Task Name, type a name for the task you are creating.
3. Under IP Address Range, type the IP address range that you want to check for
installed antivirus solutions and unprotected computers.
4. Under Task Schedule, click a frequency for the task you are creating. You can
set the task to run Daily, Weekly, or Monthly. If you click Weekly, you must
15-6
select a day from the list. If you click Monthly, you must select a date from the
list.
5. In the Start time lists, type or select the time when the task will run. Use the
24-hour clock format.
6. Under Settings, click Use current settings if you want to use your existing
settings, or click Modify settings.
If you click Modify settings, click Settings to change the configuration. For
information on how to configure your settings, refer to Step 3 to Step 12 in To
configure Vulnerability Scanner: on page 15-4.
7. Click OK to save your settings. The task you have created appears under
Scheduled Tasks.
Other Settings
To configure the following settings you need to modify TMVS.ini:
• EchoNum – Set the number of computers that Vulnerability Scanner will
simultaneously ping.
• ThreadNumManual – Set the number of computers that Vulnerability Scanner
will simultaneously check for antivirus software.
• ThreadNumSchedule – Set the number of computers that Vulnerability Scanner
will simultaneously check for antivirus software when running scheduled tasks.
To modify these settings:
1. Open the TMVS folder and locate the TMVS.ini file.
2. Open TMVS.ini using Notepad or any text editor.
3. To set the number of computers that Vulnerability Scanner will simultaneously
ping, change the value for EchoNum. Specify a value between 1 and 64.
For example, type EchoNum=60 if you want Vulnerability Scanner to ping 60
computers at the same time.
check for antivirus software, change the value for ThreadNumManual. Specify a
value between 8 and 64.
15-7
For example, type ThreadNumManual=60 to simultaneously check 60

computers for antivirus software.
check for antivirus software when running scheduled tasks, change the value for
ThreadNumSchedule. Specify a value between 8 and 64.
For example, type ThreadNumSchedule=60 to simultaneously check 60
computers for antivirus software whenever Vulnerability Scanner runs a
scheduled task.
6. Save TMVS.ini.
Client Tools
This section contains information about Client Server Messaging Security client
tools.
Client Packager
Client Packager is a tool that can compress setup and update files into a
self-extracting file to simplify delivery via email, CD-ROM, or similar media. It also
includes an email function that can access your Microsoft Outlook address book and
allow you to send the self-extracting file from within the tool’s console.
To run Client Packager, double-click the file. Client/Server Security clients that are
installed using Client Packager report to the server where the setup package was
created.
Restore Encrypted Virus

Client/Server Security Agents and Messaging Security Agents encypt infected files
and attachments to prevent users from opening them and spreading viruses to other
files on the computer.
Whenever Client/Server Security Agent backs up, quarantines, or renames an
infected file, it encrypts the file. The quarantined file is stored in the \Suspect
folder on the client, and then sent to the quarantine directory. The backup file is
stored in the \Backup folder of the client, typically in C:\Program
15-8
Files\Trend Micro\Client Server Security

Agent\Backup\. Whenever Messaging Security Agent backs up, quarantines,
or archives a mail or attachment, it encrypts the file and stores it in the MSA storage
folder, typically in C:\Program Files\Trend Micro\Messaging
Security Agent\storage\.
However, there may be some situations when you have to open the file even if you
know it is infected. For example, an important document has been infected and you
need to retrieve the information from the document, you will need to decrypt the
infected file to retrieve your information. You can use Restore Encrypted Virus to
decrypt infected files from which you want to open.
Note: To prevent Client/Server Security from detecting the virus again when you use
Restore Encrypted Virus, exclude the folder to which you decrypt the file from
Real-time Scan.
WARNING! Decrypting an infected file may spread the virus to other files.
Restore Encrypted Virus requires the following files:

• Main file: VSEncode.exe
• Required DLL file: Vsapi32.dll
To decrypt files in the Suspect folder:
1. On the client where you want to decrypt an infected file, open Windows Explorer
and go to the \PCCSRV\Admin\Utility\VSEncrypt folder of Client/Server
Security.
2. Copy the entire VSEncrypt folder to the client computer.
Note: Do not copy the VSEncrypt folder to the Client/Server Security folder. The
Vsapi32.dll file of Restore Encrypted Virus will conflict with the original
Vsapi32.dll.
3. Open a command prompt and go to the location where you copied the VSEncrypt
folder.
15-9
4. Run Restore Encrypted Virus using the following parameters:

• no parameter: encrypt files in the Suspect folder
• -d: decrypt files in the Suspect folder
• -debug: create debug log and output in the root folder of the client
• /o: overwrite encrypted or decrypted file if it already exists
• /f: {filename}: encrypt or decrypt a single file
• /nr: do not restore original file name
For example, you can type VSEncode [-d] [-debug] to decrypt files in the
Suspect folder and create a debug log. When you decrypt or encrypt a file, the
decrypted or encrypted file is created in the same folder.
Note: You may not be able to encrypt or decrypt files that are locked.
Restore Encrypted Virus provides the following logs:

• VSEncrypt.log – Contains the encryption or decryption details. This file is
created automatically in the temp folder for the user logged on the machine
(normally, on the C: drive).
• VSEncDbg.log – Contains the debug details. This file is created automatically in
the temp folder for the user logged on the machine (normally, on the C: drive) if
you run VSEncode.exe with the -debug parameter.
To encrypt or decrypt files in other locations:
1. Create a text file and then type the full path of the files you want to encrypt or
decrypt.
For example, if you want to encrypt or decrypt files in C:\My
Documents\Reports, type C:\My Documents\Reports\*.* in the text
file. Then save the text file with an INI or TXT extension, for example, you can
save it as ForEncryption.ini on the C: drive.
2. At a command prompt, run Restore Encrypted Virus by typing VSEncode.exe
-d -i {location of the INI or TXT file}, where {location of the INI or TXT
file} is the path of the INI or TXT file you created (for example,
C:\ForEncryption.ini).
15-10
Touch Tool
The Touch Tool synchronizes the time stamp of one file with the time stamp of
another file or with the system time of the computer. If you unsuccessfully attempt to
deploy a hot fix (an update or patch that Trend Micro releases) on the Trend Micro
Security Server, use the Touch Tool to change the time stamp of the hot fix. This
causes Client/Server Security to interpret the hot fix file as new, which makes the
server attempt to deploy the hot fix again automatically.
To run the Touch Tool:
1. On the Trend Micro Security Server, go to the following directory:
\PCCSRV\Admin\Utility\Touch
2. Copy the TMTouch.exe file to the folder where the file you want to change is
located. If synchronizing the file time stamp with the time stamp of another file,
put both files in the same location with the Touch tool.
3. Open a command prompt and go to the location of the Touch Tool.
4. Type the following:
TmTouch.exe <destination_filename> <source_filename>
where:
<destination_filename> = the name of the file (the hot fix, for example) whose
time stamp you want to change
<source_filename> = the name of the file whose time stamp you want to replicate
If you do not specify a source filename, the tool sets the destination file time
stamp to the system time of the computer.
Note: You can use the wildcard character "*" in the destination file name field, but not the
source file name field.
5. To verify the time stamp changed, type dir in the command prompt or right
click the file in Windows explorer and select Properties.
15-11
Client Mover
If you have more than one Client Server Messaging Security server on the network,
you can use Client Mover to transfer clients from one Client Server Messaging
Security server to another.
This is especially useful after adding a new Client Server Messaging Security server
to the network when you want to transfer existing clients to the new server. The two
Client Server Messaging Security servers must be of the same type and same
language version.
Client Mover requires the IPXfer.exe file.
To run Client Mover:
1. On the Client Server Messaging Security server, go to the following directory:
\PCCSRV\Admin\Utility\IPXfer.
2. Copy the IPXfer.exe file to the client that you want to transfer.
3. On the client, open a command prompt and then go to the folder where you
copied the file.
4. Run Client Mover using the following syntax:
IPXfer.exe -s <server_name> -p <server_listening_port> -m 1
-c <client_listening_port>
where:
• <server_name> = the server name of the destination Client Server
Messaging Security server (the server to which the client will transfer)
• <server_listening_port> = the listening (trusted) port of the
destination Client Server Messaging Security server. To view the listening
port on the Security Dashboard, click Security Settings. The listening port is
shown next to the Security Server name.
• 1 = You must use the number "1" after "-m"
• <client_listening_port> = the port number of the client machine
To confirm the client now reports to the other server, do the following:
1. On the client, right click the CSA icon in the system tray.
2. Click Client/Server Security Agent Console.
15-12
3. Click Help on the menu, and then click About.

4. Verify that the Client Server Messaging Security server that the client reports to
has been updated under Communication information, Server name/port.
15-13
15-14
Chapter 16
Performing Additional Administrative

Tasks
• Changing the Security Dashboard Password on page 16-2
• Viewing Product License Details on page 16-3
• Participating in the World Virus Tracking Program on page 16-3
16-1
Changing the Security Dashboard Password

To prevent unauthorized users from modifying your settings or removing the
Client/Server Security Agent program from your computers, the Security Dashboard
is password-protected. The Client Server Messaging Security master setup program
requires you to specify a Security Dashboard password; however, you can modify
your password from the Security Dashboard.
To change the Security Dashboard password:
1. On the main menu, click Preferences > Password. The Administration
Password screen appears.
FIGURE 16-1. Preferences – Password Screen
2. Type your current password in the Old password text box.

3. Type your new password (maximum 24 characters) in the New password text
box, and then retype that password in the Confirm password text box.
4. Click Save.
Note: If you forget the Security Dashboard password, contact Trend Micro technical support
for instructions on how to gain access to the Dashboard again. The only other
alternative is to remove and reinstall Client Server Messaging Security.
16-2
Performing Additional Administrative Tasks
Viewing Product License Details

From the product license screen, you can renew, upgrade, or view product license
details.
FIGURE 16-2. Preferences – Product License Screen
Participating in the World Virus Tracking

Program
You can send virus scanning results from your Client/Server Security Agent
installation to the World Virus Tracking Program to better track trends in virus
outbreaks. Your participation in this program can benefit attempts to better
understand the development and spread of virus infections.
When you install Client Server Messaging Security, the installer asks you whether
you want to participate in the World Virus Tracking Program; however, you can
change this setting at any time.
To save Virus Tracking Program participation settings:
1. On the main menu, click Preferences > World Virus Tracking. The World
Virus Tracking Program screen appears.
16-3
FIGURE 16-3. Preferences – World Virus Tracking Program Screen
2. Read the disclaimer and click Yes to participate in the World Virus Tracking
Program or click No to decline participation.
3. Click Save.
To view the current Trend Micro virus map, click Virus Map or enter the
following address in your Web browser:
http://www.trendmicro.com/map
16-4
Chapter 17
Understanding the Threats

• What Do the Terms Mean? on page 17-2
• Viruses on page 17-2
• Trojans on page 17-4
• Bots on page 17-4
• Packers on page 17-4
• Worms on page 17-4
• About Mass-Mailing Attacks on page 17-5
• About Compressed Files on page 17-6
• About Macro Viruses on page 17-7
• Guarding Against Malicious or Potentially Malicious Applications on page 17-8
17-1
What Do the Terms Mean?

Computer security is a rapidly changing subject. Administrators and information
security professionals invent and adopt a variety of terms and phrases to describe
potential risks or uninvited incidents to computers and networks. The following is a
discussion of these terms and their meanings as used in this document.
Some of these terms refer to real security risks and some refer to relatively harmless,
but annoying or unsolicited incidents. Trojans, viruses, and worms are examples of
terms used to describe real security risks. Joke programs and other grayware are
terms used to describe incidents that might be harmful, but are sometimes simply
annoying and unsolicited. The Messaging Security Agent can protect Exchange
servers against all of the incidents described in this chapter.
Viruses
A computer virus is a segment of code that has the ability to replicate. Viruses
usually replicate by infecting files. When a virus infects a file, it attaches a copy of
itself to the file in such a way that when the former executes, the virus also runs.
When this happens, the infected file also becomes capable of infecting other files.
Like biological viruses, computer viruses can spread quickly and are often difficult to
eradicate.
In addition to replication, some computer viruses share another commonality: a
damage routine that delivers the virus payload. While payloads may only display
messages or images, they can also destroy files, reformat your hard drive, or cause
other damage. Even if the virus does not contain a damage routine, it can cause
trouble by consuming storage space and memory, and degrading the overall
performance of your computer.
Generally, there are three kinds of viruses:
• File – File viruses may come in different types– there are DOS viruses, Windows
viruses, macro viruses, and script viruses. All of these share the same
characteristics of viruses except that they infect different types of host files or
programs.
• Boot – Boot viruses infect the partition table of hard disks and boot sector of hard
disks and floppy disks.
17-2
• Script – Script viruses are viruses written in script programming languages, such
as Visual Basic Script and JavaScript and are usually embedded in HTML
documents.
VBScript (Visual Basic Script) and Jscript (JavaScript) viruses activate themselves
using Microsoft's Windows Scripting Host. They then infect other files. Since
Windows Scripting Host is available on Windows 98, Windows 2000 and other
Windows operating systems, the viruses can be activated simply by
double-clicking a *.vbs or *.js file from Windows Explorer.
What is so special about script viruses? Unlike programming binary viruses, which
require assembly-type programming knowledge, virus authors programs script
viruses as text. A script virus can achieve functionality without low-level
programming and with code as compact as possible. It can also use predefined
objects in Windows to make accessing many parts of the infected system easier
(for example, for file infection, for mass-mailing). Furthermore, since the code is
text, it is easy for others to read and imitate the coding paradigm. Because of this,
many script viruses have several modified variants.
For example, shortly after the “I love you” virus appeared, antivirus vendors found
modified copies of the original code, which spread themselves with different
subject lines, or message bodies.
Whatever their type is, the basic mechanism remains the same. A virus contains code
that explicitly copies itself. In the case of file viruses, this usually entails making
modifications to gain control when a user accidentally executes the infected program.
After the virus code has finished execution, in most cases, it passes back the control
to the original host program to give the user an impression that nothing is wrong with
the infected file.
Take note that there are also cross-platform viruses. These types of viruses can infect
files belonging to different platforms (for example, Windows and Linux). However,
such viruses are very rare and seldom achieve 100% functionality.
Network Viruses
A virus spreading over a network is not, strictly speaking, a network virus. Only
some of the threats mentioned above, such as worms, qualify as network viruses.
Specifically, network viruses use network protocols, such as TCP, FTP, UDP, HTTP,
and email protocols to replicate. They often do not alter system files or modify the
boot sectors of hard disks. Instead, network viruses infect the memory of client
17-3
machines, forcing them to flood the network with traffic, which can cause
slowdowns and even complete network failure. Because network viruses remain in
memory, they are often undetectable by conventional disk-based file I/O scanning
methods.
Personal Firewall works with a network virus pattern file to identify and block
network viruses (see the on-line help for more information about configuring the
Personal Firewall).
Trojans
A Trojan is a malicious program that masquerades as a harmless application. Unlike
viruses, Trojans do not replicate but can be just as destructive. An application that
claims to rid your computer of viruses when it actually introduces viruses onto your
computer is an example of a Trojan. Traditional antivirus solutions can detect and
remove viruses but not Trojans, especially those that are already running on the
system.
Bots
Bots are compressed executable files that are designed with the intent to cause harm
to computer systems and networks. Bots, once executed, can replicate, compress, and
distribute copies of themselves.
Packers
A packer is a compressed and/or encrypted Windows or Linux executable program,
often a Trojan. Compressing executables makes them more difficult for Antivirus
products to detect.
Worms
A computer worm is a self-contained program (or set of programs) that is able to
spread functional copies of itself or its segments to other computer systems. The
propagation usually takes place via network connections or email attachments.
Unlike viruses, worms do not need to attach themselves to host programs. Worms
often use email and applications, such as Microsoft™ Outlook™, to propagate. They
17-4
may also drop copies of themselves into shared folders or utilize file-sharing systems,
such as Kazaa, under the assumption that users will likely download them, thus
letting the worm propagate. In some cases, worms replicate themselves using chat
applications such as ICQ, AIM, mIRC, or other Peer-to-Peer (P2P) programs.
About ActiveX
ActiveX is a technology from Microsoft that handles interaction between Web
browsers, Microsoft applications, other third party applications, and the computer
operating system. ActiveX makes use of ActiveX controls– software components
installed on computers that add specialized functionality to Web pages, such as
animation and interactive programs.
Creators of spyware and other grayware often mask their applications as legitimate
ActiveX controls. When your users view Web sites that require ActiveX
functionality, they may knowingly or unknowingly download the ActiveX controls to
their computers and unwittingly install grayware applications.
Two related ways to help guard against spyware and other grayware that are masked
as ActiveX controls are as follows:
• Setting client Web browser security to prompt the user before installing ActiveX
applications
• Educating your users to look out for applications that could be grayware when they
download any files, controls, or applications to their browsers
About Mass-Mailing Attacks

Email-aware viruses, like the infamous Melissa, Loveletter, AnnaKournikova and
others, have the ability to spread via email by automating the infected computer's
email client. Mass-mailing behavior describes a situation when an infection spreads
rapidly between clients and servers in an Exchange environment. Mass-mailing
attacks can be expensive to clean up and cause panic among users. Trend Micro
designed the scan engine to detect behaviors that mass-mailing attacks usually
demonstrate. The behaviors are recorded in the Virus Pattern file that is updated
using the TrendLabs™ ActiveUpdate Servers.
You can enable the Messaging Security Agent to take a special action against
mass-mailing attacks whenever it detects a mass-mailing behavior. The action set for
17-5
mass-mailing behavior takes precedence over all other actions. The default action
against mass-mailing attacks is delete.
For example, you configure the Messaging Security Agent to quarantine messages
when it detects a worm or a Trojan in an email message. You also enable
mass-mailing behavior and set the Messaging Security Agent to delete all messages
that demonstrate mass-mailing behavior. The Messaging Security Agent receives a
message containing a worm such as a variant of MyDoom. This worm uses its own
SMTP engine to send itself to email addresses that it collects from the infected
computer. When the Messaging Security Agent detects the MyDoom worm and
recognizes its mass-mailing behavior, it will delete the email message containing the
worm - as opposed to the quarantine action for worms that do not show mass-mailing
behavior.
About Compressed Files

Compression and archiving are among the most common methods of file storage,
especially for file transfers - such as email attachments, FTP, and HTTP. Before any
virus detection can occur on a compressed file, however, you must first decompress
it. Recognizing the fundamental importance of decompression in the detection of
viruses, Trend Micro is committed to supporting all major decompression routines,
present and future. For other compression file types, the Messaging Security Agent
performs scan actions on the whole compressed file, rather than individual files
within the compressed file.
The Messaging Security Agent currently supports the following compression types:
• Extraction–used when multiple files have been compressed or archived into a
single file: PKZIP, LHA, LZH, ARJ, MIME, MSCF, TAR, GZIP, BZIP2, RAR,
and ACE.
• Expansion–used when only a single file has been compressed or archived into a
single file: PKLITE, PKLITE32, LZEXE, DIET, ASPACK, UPX, MSCOMP,
LZW, MACBIN, and Petite.
• Decoding–used when a file has been converted from binary to ASCII, a method
that is widely employed by email systems: UUCODE and BINHEX.
17-6
Note: When the Messaging Security Agent does not support the compression type,
then it cannot detect viruses in compression layers beyond the first compression
layer.
When the Messaging Security Agent encounters a compressed file it does the
following:
1. The Messaging Security Agent extracts the compressed files and scans them.
The Messaging Security Agent begins by extracting the first compression layer.
After extracting the first layer, the Messaging Security Agent proceeds to the
second layer and so on until it has scanned all of the compression layers that the
user configured it to scan up to a maximum of six.
2. The Messaging Security Agent performs a user-configured action on infected
files.
The Messaging Security Agent performs the same action against infected files
detected in compressed formats as for other infected files. For example, if you
configure the action for infected files to be quarantine, then the Messaging
Security Agent quarantines messages in which it detects infected files.
The Messaging Security Agent can clean files from two types of compression
routines: PKZIP and LHA. However, the Messaging Security Agent can only
clean the first layer of files compressed using these compression routines.
About Macro Viruses

Macro viruses are application-specific. They infect macro utilities that accompany
such applications as Microsoft Word (.doc) and Microsoft Excel (.xls). Therefore,
they can be detected in files with extensions common to macro capable applications
such as .doc, .xls, and .ppt. Macro viruses travel between data files in the application
and can eventually infect hundreds of files if undeterred.
As these file types are often attached to email messages, macro viruses spread readily
by means of the Internet in email attachments.
How the Messaging Security Agent prevents macro viruses from infecting your
Exchange server:
17-7
• Detects malicious macro code using heuristic scanning

Heuristic scanning is an evaluative method of detecting viruses. This method
excels at detecting undiscovered viruses and threats that do not have a known virus
signature
• Blocks attachment files commonly attacked by macro viruses and quarantines,
blocks, or deletes
Guarding Against Malicious or Potentially

Malicious Applications
You can take many steps to prevent the installation of spyware and other types of
grayware onto your client computers. Trend Micro suggests making the following
standard practices part of the anti-spyware/grayware initiative in your organization:
• Follow the recommended Client/Server Security configuration steps in this
chapter.
• Educate your client users to do the following:
Read the End User License Agreement (EULA) and included documentation of
applications they download and install on their computers.
Click No to any message asking for authorization to download and install software
unless the client users are certain both the creator of the software and the Web site
they are viewing are trustworthy.
Disregard unsolicited commercial email (spam), especially if the spam asks users
to click a button or hyperlink.
• Configure Web browser settings that ensure a strict level of security. Trend Micro
recommends requiring Web browsers to prompt users before installing ActiveX
controls. To increase the security level for Internet Explorer (IE), go to Tools >
Internet Options > Security and move the slider to a higher level. If this setting
causes problems with Web sites you want to visit, click Sites..., and add the sites
you want to visit to the trusted sites list.
• If using Microsoft Outlook, configure the security settings so that Outlook does not
automatically download HTML items, such as pictures sent in spam messages.
Creators of spyware and grayware often use pictures.
17-8
• Disallow the use of peer-to-peer file-sharing services. Spyware and other grayware
applications may be masked as other types of files your users may want to
download, such as MP3 music files.
• Periodically examine the installed software on your client computers and look for
applications that may be spyware or other grayware. If you find an application or
file that Client Server Messaging Security cannot detect as grayware but you think
is a type of grayware, send it to Trend Micro:
http://subwiz.trendmicro.com/SubWiz.
Trend Labs will analyze the files and applications you submit.
If you prefer to communicate via email, send a message to the following address:
[email protected]
SeeContacting Technical Support on page 18-14 for more information.

• Keep your Windows operating systems updated with the latest patches from
Microsoft. See the Microsoft Web site for details.
17-9
17-10
Chapter 18
FAQs, Troubleshooting and Technical

Support
This chapter provides answers to commonly asked questions about installation and
deployment, describes how to troubleshoot problems that may arise with Client
Server Messaging Security, and provides information you will need to contact Trend
Micro technical support.
• Frequently Asked Questions (FAQs) on page 18-2
• Troubleshooting on page 18-4
• The Trend Micro Security Information Center on page 18-13
• Known Issues on page 18-14
• Contacting Technical Support on page 18-14
• The Trend Micro Knowledge Base on page 18-15
• Sending Suspicious Files to Trend Micro on page 18-16
• About TrendLabs on page 18-16
18-1
Frequently Asked Questions (FAQs)

The following is a list of frequently asked questions and answers.
Registration
I have several questions on registering Client Server Messaging Security. Where can
I find the answers?
See the following Web site for frequently asked questions about registration:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=en-116326
Installation, Upgrade, and Compatibility

Which OfficeScan versions can upgrade to this version of Client Server Messaging
Security?
This version of Client Server Messaging Security supports upgrade from: CSM 3.0
and CSM 3.5.
Which client installation method is best for my network environment?

See the on-line help for a summary and brief comparison of the various client
installation methods available.
Can the Trend Micro Security Server be installed remotely using Citrix or Windows
Terminal Services?
Yes. The Trend Micro Security Server can be installed remotely with Citrix or
Windows Terminal Services.
Does Client Server Messaging Security support 64-bit platforms?

Yes. A scaled down version of the Client/Server Security Agent is available for the
x64 platform. However, no support is currently available for the IA-64 platform.
18-2
FAQs, Troubleshooting and Technical Support
Can I upgrade to Client Server Messaging Security from Trend Micro™

ServerProtect?
No. Server Protect will have to be uninstalled then Client Server Messaging Security
can be installed. See Client Server Messaging Security Minimum Requirements on
page 3-4.
Configuring Settings
I have several questions on configuring Client Server Messaging Security settings.
Where can I find the answers?
You can download all Client Server Messaging Security documentation from the
following site:
Documentation
What documentation is available with this version of Client Server Messaging
Security?
This version of Client Server Messaging Security includes the following:
Administrator's Guide, Getting Started Guide, readme file, and help files for the
Security Dashboard, Master Installer, and Client/Server Security Agent.
Can I download the Client Server Messaging Security documentation?

Yes. You can download the Administrator's Guide, Getting Started Guide, and
readme file from the following site:
I have questions/issues with the documentation. How can I provide feedback to Trend
Micro?
us at [email protected]. Your feedback is always welcome. Please evaluate this
documentation on the following site:
18-3
Troubleshooting
This section helps you troubleshoot issues that may arise during installation, upgrade,
migration, and deployment.
User’s Spam Folder not Created

When the administrator creates a mailbox account for a user, the mailbox entity is not
created immediately in Exchange server, but will be created under the following
conditions:
• An end user logs on to their mailbox for the first time
– or –
• The first email arrives at the mailbox
The administrator must first create the mailbox entity and the user must log on before
EUQ can create a spam folder.
Internal or External Sender/Recipient Confusion

You can only define one domain as the internal address for the Messaging Security
Agent. If you use Exchange System Manager to change your primary address on a
server, Messaging Security Agent does not recognize the new address as an internal
address because Messaging Security Agent cannot detect that the recipient policy has
changed. Type a new internal address and save.
For example: You have two email addresses for a domain: @trend_1.com and
@trend_2.com. You set @trend_1.com as the primary address. Messaging Security
Agent considers email messages with the primary address to be internal (that is,
abc@trend_1.com, or xyz@trend_1.com are internal). Later, you use Exchange
System Manager to change the primary address to @trend_2.com. This means that
Exchange now recognizes addresses such as abc@trend_2.com and
xyz@trend_2.com to be internal addresses. However, Messaging Security Agent still
considers these addresses to be external.
18-4
Re-sending a Quarantine Message Fails

Resending a quarantine message fails. This can happen when the system mailbox on
the Exchange server environment does not exist. To resolve the problem, edit the
following in the registry keys: ResendMailbox, ResendMailboxDomain, and
ResendMailSender to assign another mailbox.
Settings Replication
You can only replicate settings from a source Messaging Security Agent to a target
Messaging Security Agent that share the same domain. Messaging Security Agent is
unable to replicate settings when the source Messaging Security Agent is located in
the parent domain, and the target Messaging Security Agent(s) is located in the child
domain (or vice versa), because it lacks the required permission.
To solve this problem, perform the following:
For Windows 2003 operating system:
1. Execute regedit.
2. Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
SecurePipeServers\winreg
3. Right click winreg > Permissions

4. Add Smex Admin Group of target domain, and enable Allow Read
For Windows Vista/2000 operating system:
1. Execute regedt32
2. Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePi
peServers\winreg
3. Click winreg
4. Select winreg > Security > Permissions
5. Add Smex Admin Group of target domain, and enable Allow Read
6. Go to
18-5
HKEY_LOCAL_MACHINE\SOFTWARE\TRENDMICRO\ScanMail for Exchange
7. Click ScanMail for Exchange

8. Select Security > Permissions from Menu
9. Add Smex Admin Group of target domain, and enable Allow Read and Allow
Full Control
Messaging Security Agents and Source Location

In addition, if the source and target Messaging Security Agents are located in
different forests, there will be no way to replicate the settings to the selected target
Messaging Security Agent(s).
Restoring Program Settings after Rollback or

Reinstallation
You can save a copy of the Client Server Messaging Security database and important
configuration files for rolling back your Client Server Messaging Security program.
You may want to do this if you are experiencing problems and want to reinstall Client
Server Messaging Security or if you want to revert to a previous configuration.
To restore program settings after rollback or reinstallation:
1. Back up the Trend Micro Security Server database to a location outside of the
Client/Server Security program directory.
WARNING! Do not use any other type of backup tool or application.
2. Manually back up the following files and folders from the folder:Program
Files\Trend Micro\Security Server\PCCSRV
• ofcScan.ini – Contains global client settings
• ous.ini – Contains the update source table for antivirus component
deployment
• Private folder – Contains firewall and update source settings
• Web\tmOPP folder – Contains Outbreak Defense settings
• Pccnt\Common\OfcPfw.dat – Contains firewall settings
18-6
• Download\OfcPfw.dat – Contains firewall deployment settings

• Log folder – Contains system events and the verify connection log
• Virus folder – The folder in which Client/Server Security quarantines
infected files
• HTTDB folder – Contains the Client/Server Security database
3. Uninstall Client Server Messaging Security (see Uninstalling the Trend Micro
Security Server on page 4-43).
4. Perform a fresh install (see Performing a Custom Installation on page 4-10).
5. After the master installer finishes, stop the Trend Micro Security Server Master
Service on the target computer:
6. Update the virus pattern version from the backup file:
\Private\component.ini
a. Get current virus pattern version from the new server.

\Trend Micro\Security Server\PCCSRV\Private\component.ini.
[6101]
ComponentName=Virus pattern
Version=xxxxxx 0 0
b. Update the virus pattern version in the backup file:

\Private\component.ini
Note: If you change the Security Server installation path, you will have to update the
path info in the backup files ofcscan.ini and \private/ofcserver.ini
7. With the backups you created, overwrite the Client Server Messaging Security
database and the relevant files and folders on the target machine in the PCCSRV
folder.
8. Restart the Trend Micro Security Server Master Service.
18-7
Some Client Server Messaging Security Components are

not Installed
Licenses to various components of Trend Micro products may differ by region. After
installation, you will see a summary of the components your Registration
Key/Activation Code allows you to use. Check with your vendor or reseller to verify
the components for which you have licenses.
Unable to Access the Web Console

There are several potential causes of this problem.
Browser Cache
If you upgraded from a previous version of CSM, Web browser and proxy server
cache files may prevent the Security Dashboard from loading properly. Clear the
cache memory on your browser and on any proxy servers located between the Trend
Micro Security Server and the computer you use to access the Security Dashboard.
SSL Certificate
Also, verify that your Web server is functioning properly. If you are using SSL,
verify that the SSL certificate is still valid. See your Web server documentation for
details.
Virtual Directory Settings

There may be a problem with the virtual directory settings If you are running the
Security Dashboard on an IIS server and the following message appears:
The page cannot be displayed
HTTP Error 403.1 - Forbidden: Execute access is denied.
Internet Information Services (IIS)
This message may appear when either of the following addresses is used to access the
console:
http://<server name>/SMB/
http://<server name>/SMB/default.htm
18-8
However, the console may open without any problems when using the following
address:
http://<server name>/SMB/console/html/cgi/cgichkmasterpwd.exe
To resolve this issue, check the execute permissions of the SMB virtual directory.
Do the following:
1. Open the Internet Information Services (IIS) manager.
2. In the SMB virtual directory, select Properties.
3. Select the Virtual Directory tab and change the execute permissions to Scripts
instead of none.
Also change the execute permissions of the client install virtual directory.
Incorrect Number of Clients on the Security Dashboard

You may see that the number of clients reflected on the Security Dashboard is
incorrect.
This happens if you retain client records in the database after client program removal.
For example, if client-server communication is lost while removing the client, the
server does not receive notification about the client removal. The server retains client
information in the database and still shows the client icon on the console. When you
reinstall the client, the server creates a new record in the database and displays a new
icon on the console.
Use the Verify Connection feature through the Security Dashboard to check for
duplicate client records. For more information on the Verify Connection feature, refer
to Verifying Client-Server Connectivity on page 14-10.
Unsuccessful Installation from Web Page or Remote

Install
If users report that they cannot install from the internal Web page or if
installation with Remote Install is unsuccessful, try the following:
• Verify that client -server communication exists by using ping and telnet
• Verify that you have administrator privileges to the target computer where you
want to install the client
18-9
• Check if TCP/IP on the client is enabled and properly configured

• Check if the target computer meets the minimum system requirements
• Check if any files have been locked
• If you have limited bandwidth, check if it causes connection timeout between the
server and the client
• If you are using a proxy server for client-server communication, check if the proxy
settings are configured correctly
• Open a Web browser on the client, type http://{Server name}:{server
port} /SMB/cgi/cgionstart.exe in the address text box, and then press
ENTER. If the next screen shows -2, this means the client can communicate with
the server. This also indicates that the problem may be in the server database; it
may not have a record of the client computer.
• Delete Trend Micro add-ons and browsing history.
a. Close and re-open Internet Explorer.
b. In Internet Explorer, click Tools > Internet Options.
The Internet Option window appears.
c. In the Browsing History section, click Delete.
The Delete Browsing History window appears.
d. Click Delete All. Confirm to delete files and settings stored by add-ons.
e. In the Programs tab, click Manage add-ons.
The Manage Add-ons window appears.
f. Select and delete all Trend Micro add-ons for all categories in the Show
drop-down list box.
Tip: Sort entries by Publisher to group Trend Micro add-ons.
g. Close the windows and restart Internet Explorer.

h. Start the Web Installation. Refer to Installing from the Internal Web Page on
page 5-4 for additional instructions.
18-10
Client Icon Does Not Appear on Security Dashboard after

Installation
You may discover that the client icon does not appear on the Security Dashboard
after you install the client. This happens when the client is unable to send its status to
the server.
To resolve this, do the following:
• Verify that client-server communication exists by using ping and telnet
• If you have limited bandwidth, check if it causes connection timeout between the
server and the client
• Check if the \PCCSRV folder on the server has shared privileges and if all users
have been granted full control privileges
• Verify that the Trend Micro Security Server proxy settings are correct
• Open a Web browser on the client, type http://{Trend Micro Security
Server_Name}:{port number}/SMB/cgi/cgionstart.exe in the address
text box, and then press ENTER. If the next screen shows -2, this means the client
can communicate with the server. This also indicates that the problem may be in
the server database; it may not have a record on the client.
Issues During Migration from Third-party Antivirus

Software
This section discusses some issues you may encounter when migrating from
third-party antivirus software.
Client Migration
The setup program for the Client/Server Security Agent utilizes the third-party
software’s uninstallation program to automatically remove it from your users’ system
and replace it with the Client/Server Security Agent. If automatic uninstallation is
unsuccessful, users get the following message:
Uninstallation failed.
There are several possible causes for this error:

• The third-party software’s version number or product key is inconsistent
18-11
• The third-party software’s uninstallation program is not working

• Certain files for the third-party software are either missing or corrupted
• The registry key for the third-party software cannot be cleaned
• The third-party software has no uninstallation program
There are also several possible solutions for this error:
• Manually remove the third-party software
• Stop the service for the third-party software
• Unload the service or process for the third-party software
To manually remove third-party software:
• If the third-party software is registered to the Add/Remove Programs
a. Open the Control Panel.
b. Double-click Add/Remove Programs.
c. Select the third-party software from the list of installed programs.
d. Click Remove.
• If the third-party software is not registered to the Add/Remove Programs
a. Open the Windows registry.
b. Go to
HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVer
sion\Uninstall.
c. Locate the third-party software and run the uninstall string value.
d. If the third-party software’s setup program is in MSI format:
• Locate the product number
• Verify the product number
• Run the uninstall string
Note: Some product uninstallation keys are in the Product Key folder.
To modify the service for the third-party software:

1. Restart the computer in Safe mode.
18-12
2. Modify the service startup from automatic to manual.

3. Restart the system again.
4. Manually remove the third-party software.
To unload the service or process for the third-party software:
WARNING! This procedure may cause undesirable effects to your computer if performed
incorrectly. Trend Micro highly recommends backing up your system first.
1. Unload the service for the third-party software.

2. Open the Windows registry, then locate and delete the product key.
3. Locate and delete the run or run service key.
Verify that the service registry key in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services has been
removed.
The Trend Micro Security Information Center

Comprehensive security information is available over the Internet, free of charge, on
the Trend Micro Security Information Web site:
http://www.trendmicro.com/vinfo/
Visit the Security Information site to:

• Read the Weekly Virus Report, which includes a listing of threats expected to
trigger in the current week, and describes the 10 most prevalent threats around the
globe for the current week
• View a Virus Map of the top 10 threats around the globe
• Consult the Virus Encyclopedia, a compilation of known threats including risk
rating, symptoms of infection, susceptible platforms, damage routine, and
instructions on how to remove the threat, as well as information about computer
hoaxes
• Download test files from the European Institute of Computer Anti-virus Research
(EICAR), to help you test whether your security product is correctly configured
18-13
• Read general virus information, such as:

• The Virus Primer, which helps you understand the difference between viruses,
Trojans, worms, and other threats
• The Trend Micro Safe Computing Guide
• A description of risk ratings to help you understand the damage potential for a
threat rated Very Low or Low vs. Medium or High risk
• A glossary of virus and other security threat terminology
• Download comprehensive industry white papers
• Subscribe to Trend Micro’s Virus Alert service, to learn about outbreaks as they
happen, and the Weekly Virus Report
• Learn about free virus update tools available to Web masters
• Read about TrendLabs™, Trend Micro’s global antivirus research and support
center
Known Issues
Known issues are features in Client Server Messaging Security software that may
temporarily require a workaround. Known issues are typically documented in the
Readme document you received with your product. Readmes for Trend Micro
products can also be found in the Trend Micro Update Center:
Known issues can be found in the technical support Knowledge Base:

http://esupport.trendmicro.com/support/
Trend Micro recommends that you always check the Readme text for information on
known issues that could affect installation or performance, as well as a description of
what is new in a particular release, system requirements, and other tips.
Contacting Technical Support

A license to the Trend Micro software usually includes the right to product updates,
pattern file updates, and basic technical support for one (1) year from the date of
18-14
purchase only. After the first year, Maintenance must be renewed on an annual basis
at Trend Micro’s then-current Maintenance fees.
You can contact Trend Micro via fax, phone, and email, or visit us at:
http://www.trendmicro.com
Speeding Up Your Support Call

When you contact the Knowledge Base, to speed up your problem resolution, ensure
that you have the following details available:
• Microsoft Windows and Service Pack versions
• Network type
• Computer brand, model, and any additional hardware connected to your machine
• Amount of memory and free hard disk space on your machine
• Detailed description of the install environment
• Exact text of any error message given
• Steps to reproduce the problem
The Trend Micro Knowledge Base

Trend Micro Knowledge Base is a 24x7 online resource that contains thousands of
do-it-yourself technical support procedures for Trend Micro products. Use
Knowledge Base, for example, if you are getting an error message and want to find
out what to do. New solutions are added daily.
Also available in Knowledge Base are product FAQs, important tips, preventive
antivirus advice, and regional contact information for support and sales.
Knowledge Base can be accessed by all Trend Micro customers as well as anyone
using an evaluation version of a product. Visit:
http://kb.trendmicro.com/solutions/
If you cannot find an answer to a particular question, the Knowledge Base includes
an additional service that allows you to submit your question via an email message.
Response time is typically 24 hours or less.
18-15
Sending Suspicious Files to Trend Micro

You can send your viruses, infected files, Trojans, suspected worms, and other
suspicious files to Trend Micro for evaluation. To do so, contact your support
provider or visit the Trend Micro Submission Wizard URL:
http://subwiz.trendmicro.com/SubWiz
Click the link under the type of submission you want to make.
Note: Submissions made via the submission wizard/virus doctor are addressed promptly and
are not subject to the policies and restrictions set forth as part of the Trend Micro
Virus Response Service Level Agreement.
When you submit your case, an acknowledgement screen displays. This screen also
displays a case number. Make note of the case number for tracking purposes.
If you prefer to communicate by email message, send a query to the following
address:
[email protected]
In the United States, you can also call the following toll-free telephone number:
(877) TRENDAV, or 877-873-6328
About TrendLabs
TrendLabs is Trend Micro’s global infrastructure of antivirus research and product
support centers that provide up-to-the minute security information to Trend Micro
customers.
The “virus doctors” at TrendLabs monitor potential security risks around the world,
to ensure that Trend Micro products remain secure against emerging threats. The
daily culmination of these efforts are shared with customers through frequent virus
pattern file updates and scan engine refinements.
TrendLabs is staffed by a team of several hundred engineers and certified support
personnel that provide a wide range of product and technical support services.
Dedicated service centers and rapid-response teams are located in Tokyo, Manila,
18-16
Taipei, Munich, Paris, and Lake Forest, CA, to mitigate virus outbreaks and provide
urgent support.
TrendLabs’ modern headquarters, in a major Metro Manila IT park, has earned ISO
9002 certification for its quality management procedures in 2000—one of the first
antivirus research and support facilities to be so accredited. We believe TrendLabs is
the leading service and support team in the antivirus industry.
18-17
18-18
Appendix A
System Checklists
Use the checklists in this appendix to record relevant system information as a
reference.
Server Address Checklist

You must provide the following server address information during installation, as
well as during the configuration of the Trend Micro Security Server to work with
your network. Record them here for easy reference.
TABLE A-1. Server Address Checklist
INFORMATION REQUIRED SAMPLE YOUR VALUE
Trend Micro Security Server information
IP address 10.1.104.255
Fully Qualified Domain Name server.company.com

(FQDN)
NetBIOS (host) name yourserver
Web server information
A-1
TABLE A-1. Server Address Checklist
INFORMATION REQUIRED SAMPLE YOUR VALUE
IP address 10.1.104.225
Fully Qualified Domain Name server.company.com

(FQDN)
NetBIOS (host) name yourserver
Proxy server for component download
IP address 10.1.174.225
Fully Qualified Domain Name proxy.company.com

(FQDN)
NetBIOS (host) name proxyserver
SMTP server information (Optional; for email notifications)
IP address 10.1.123.225
Fully Qualified Domain Name mail.company.com

(FQDN)
NetBIOS (host) name mailserver
SNMP Trap information (Optional; for SNMP Trap notifications)
Community name trendmicro
IP address 10.1.194.225
A- 2
Ports Checklist
Client Server Messaging Security uses the following ports.
TABLE A-2. Port Checklist
PORT SAMPLE YOUR VALUE
SMTP 25
Proxy Administrator Defined
Security Dashboard 4343
Trend Micro Security Server 8080

Client/Server Security Agent 21112
Messaging Security Agent 16372
A-3
A- 4
Appendix B
Trend Micro Services
Trend Micro Outbreak Prevention Policy

The Trend Micro Outbreak Prevention Policy is a set of Trend Micro recommended
default security configuration settings that are applied in response to an outbreak on
the network.
The Outbreak Prevention Policy is downloaded from Trend Labs to the Trend Micro
Security Server.
When the Trend Micro Security Server detects an outbreak, it determines the degree
of the outbreak and immediately implements the appropriate security measures as
stated in the Outbreak Prevention Policy.
Based on the Outbreak Prevention Policy, Automatic Threat Response takes the
following preemptive steps to secure your network in the event of an outbreak:
• Blocks shared folders to help prevent viruses from infecting files in shared folders
• Blocks ports to help prevent viruses from using vulnerable ports to infect files on
the network and clients
• Denies write access to files and folders to help prevent viruses from modifying
files
• Displays an alert message on clients running the Client/Server Security Agent
program when a possible outbreak detected
B-1
Trend Micro Damage Cleanup Services

Client Server Messaging Security uses Damage Cleanup Services (DCS) to protect
your Windows computers against Trojans (or Trojan horse programs) and viruses.
The Damage Cleanup Services Solution

To address the threats posed by Trojans and viruses, DCS does the following:
• Detects and removes live Trojans and active malicious code applications
• Kills processes that Trojans and other malicious applications create
• Repairs system files that Trojans and malicious applications modify
• Deletes files and applications that Trojans and malicious applications drop
To accomplish these tasks, DCS makes use of these components:
• Virus cleanup engine – The engine Damage Cleanup Services uses to scan for and
remove Trojans and Trojan processes
• Damage cleanup template – Used by the virus cleanup engine, this template helps
identify Trojan files and processes so the engine can eliminate them
In Client Server Messaging Security, DCS runs on the client on these occasions:
• Client users perform a manual cleanup from the client main console
• You perform Cleanup Now on the client from the Trend Micro Security Dashboard
for SMB
• Client users run Manual or Scheduled Scan.
• After hot fix or patch deployment (see for more information)
• When the Client Server Messaging Security service is restarted (the Client Server
Messaging Security client Watchdog service must be selected to restart the client
automatically if the client program unexpectedly terminates. Enable this feature on
the Global Client Settings screen. See the Administrator’s Guide and Client
Server Messaging Security online help for details.)
Because DCS runs automatically, you do not need to configure it. Users are not even
aware when it is executed because it runs in the background (when the client is
running). However, Client Server Messaging Security may sometimes notify the user
B- 2
to restart their computer to complete the process of removing a Trojan or grayware

application.
Vulnerability Assessment
Vulnerability Assessment provides system administrators or other network security
personnel with the ability to assess security risks to their networks. The information
they generate by using Vulnerability Assessment gives them a clear guide as to how
to resolve known vulnerabilities and secure their networks.
Use Vulnerability Assessment to:
• Configure tasks that scan any or all computers attached to a network. Scans can
search for single vulnerabilities or a list of all known vulnerabilities.
• Run manual assessment tasks or set tasks to run according to a schedule.
• Request blocking for computers that present an unacceptable level of risk to
network security.
• Create reports that identify vulnerabilities according to individual computers and
describe the security risks those computers present to the overall network. The
reports identify the vulnerability according to standard naming conventions so that
security personnel can do further research to resolve the vulnerabilities and secure
the network.
• View assessment histories and compare reports to better understand the
vulnerabilities and the changing risk factors to network security.
Trend Micro IntelliScan

IntelliScan is a new method of identifying files to scan. For executable files (for
example, .zip and .exe), the true file type is determined based on the file content. For
non-executable files (for example, .txt), the true file type is determined based on the
file header.
Using IntelliScan provides the following benefits:
• Performance optimization – IntelliScan does not affect crucial applications on the
client because it uses minimal system resources
B-3
• Shorter scanning period – Because IntelliScan uses true file type identification, it
only scans files that are vulnerable to infection. The scan time is therefore
significantly shorter than when you scan all files.
Trend Micro ActiveAction

Different types of viruses require different scan actions. Customizing scan actions for
different types of viruses requires knowledge about viruses and can be a tedious task.
ActiveAction is a set of pre-configured scan actions for viruses and other types of
Internet threats. The recommended action for viruses is Clean, and the alternative
action is Quarantine. The recommended action for Trojans and joke programs is
Quarantine.
If you are not familiar with scan actions or if you are not sure which scan action is
suitable for a certain type of virus, Trend Micro recommends using ActiveAction.
Using ActiveAction provides the following benefits:
• Time saving and easy to maintain – ActiveAction uses scan actions that are
recommended by Trend Micro. You do not have to spend time configuring the scan
actions.
• Updateable scan actions – Virus writers constantly change the way viruses attack
computers. To help ensure that clients are protected against the latest threats and
the latest methods of virus attacks, new ActiveAction settings are updated in virus
pattern files.
Trend Micro IntelliTrap

IntelliTrap detects malicious code such as bots in compressed files. Virus writers
often attempt to circumvent virus filtering by using different file compression
schemes. IntelliTrap is a real-time, rule-based, and pattern recognition scan engine
technology that detects and removes known viruses in files compressed up to six
layers deep using any of 16 popular compression types.
B- 4
True File Type

When set to scan true file type, the scan engine examines the file header rather than
the file name to ascertain the actual file type. For example, if the scan engine is set to
scan all executable files and it encounters a file named “family.gif,” it does not
assume the file is a graphic file. Instead, the scan engine opens the file header and
examines the internally registered data type to determine whether the file is indeed a
graphic file, or, for example, an executable that someone named to avoid detection.
True file type scanning works in conjunction with IntelliScan to scan only those file
types known to be of potential danger. These technologies can mean a reduction in
the overall number of files that the scan engine must examine (perhaps as much as a
two-thirds reduction), but with this reduction comes a potentially higher risk.
For example, .gif files make up a large volume of all Web traffic, but they are
unlikely to harbor viruses, launch executable code, or carry out any known or
theoretical exploits. Therefore, does this mean they are safe? Not entirely. It is
possible for a malicious hacker to give a harmful file a “safe” file name to smuggle it
past the scan engine and onto the network. This file could cause damage if someone
renamed it and ran it.
Tip: For the highest level of security, Trend Micro recommends scanning all files.
About ActiveAction
Different types of viruses require different scan actions. Customizing scan actions for
different types of viruses can be a tedious task. For this reason, Trend Micro created
ActiveAction.
ActiveAction is a set of pre-configured scan actions for viruses and other types of
threats. The recommended action for viruses is Clean, and the alternative action is
Quarantine. The recommended action for Trojans and joke programs is Quarantine.
If you are not familiar with scan actions or if you are not sure which scan action is
suitable for a certain type of virus, Trend Micro recommends using ActiveAction.
Using ActiveAction brings you the following benefits:
B-5
• Effort-saving maintenance – ActiveAction uses Trend Micro scan actions. You

do not have to spend time customizing the scan actions.
• Updateable scan actions – Virus writers constantly change the way viruses attack
computers.
To ensure that clients are protected against the latest threats and the latest methods of
virus attacks, Trend Micro updates ActiveAction settings in every new pattern file.
B- 6
Appendix C
Planning a Pilot Deployment

Before performing a full-scale deployment, Trend Micro recommends that you first
conduct a pilot deployment in a controlled environment. A pilot deployment provides
an opportunity to determine how features work and what level of support you will
likely need after full deployment.
It also gives your installation team a chance to rehearse and refine the deployment
process and test if your deployment plan meets your organization’s antivirus needs.
Tip: Although this phase is optional, Trend Micro highly recommends conducting a pilot
deployment before doing a full-scale deployment.
Choosing a Pilot Site

Choose a pilot site that matches your production environment. Try to simulate the
type of network topology that would serve as an adequate representation of your
production environment.
Creating a Rollback Plan

Trend Micro recommends creating a disaster recovery or rollback plan in case there
are issues with the installation or upgrade process.
C-1
This process should take into account company information security policies, as well
as technical specifics.
Deploying Your Pilot

Evaluate the different deployment methods (see Overview of Installation and
Deployment on page 3-2) to see which ones are suitable for your particular
environment.
Evaluating Your Pilot Deployment

Create a list of successes and failures encountered throughout the pilot process.
Identify potential pitfalls and plan accordingly for a successful deployment. This
pilot evaluation plan can be rolled into the overall production deployment plan.
C- 2
Appendix D
Trend Micro Product Exclusion List

This product exclusion list contains all of the Trend Micro products that are, by
default, excluded from scanning.
TABLE D-1. Trend Micro Product Exclusion List
Product Name Installation Path Location
InterScan eManager 3.5x HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro

\InterScan eManager\CurrentVersion
ProgramDirectory=
ScanMail eManager (ScanMail for HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro

Exchange eManager) 3.11, 5.1, \ScanMail for Exchange eManager\CurrentVersion
5.11, 5.12 ProgramDirectory=
SMLN eManager NT
(ScanMail for Lotus Notes) HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro
\ScanMail for Lotus Notes\CurrentVersion
AppDir=
DataDir=
IniDir=
IWSS (Interscan Web Security HKEY_LOCAL_MACHINE\Software\TrendMicro\Int

Suite) erscan Web Security Suite
Program Directory= C:\Program Files\Trend
Mircro\IWSS
InterScan WebProtect HKEY_LOCAL_MACHINE

SOFTWARE\TrendMicro\InterScan
WebProtect\CurrentVersion
ProgramDirectory=
D-1
InterScan FTP VirusWall HKEY_LOCAL_MACHINE

SOFTWARE\TrendMicro\ InterScan FTP
VirusWall\CurrentVersion
ProgramDirectory=
InterScan Web VirusWall HKEY_LOCAL_MACHINE

SOFTWARE\TrendMicro\ InterScan Web
ProgramDirectory=
InterScan E-Mail VirusWall HKEY_LOCAL_MACHINE

SOFTWARE\TrendMicro\ InterScan E-Mail
ProgramDirectory={Installation Drive}:\INTERS~1
InterScan NSAPI Plug-In HKEY_LOCAL_MACHINE

SOFTWARE\TrendMicro\ InterScan NSAPI
Plug-In\CurrentVersion
ProgramDirectory=
InterScan E-Mail VirusWall HKEY_LOCAL_MACHINE

SOFTWARE\TrendMicro\ InterScan E-Mail
VirusWall \CurrentVersion
ProgramDirectory=
D- 2
SMEX (ScanMail for Exchange) HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro

\ScanMail for Exchange\CurrentVersion
TempDir=
DebugDir=
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro
\ScanMail for Exchange\RealTimeScan\ScanOption
BackupDir=
MoveToQuarantineDir=
\ScanMail for
Exchange\RealTimeScan\ScanOption\Advance
QuarantineFolder=
\ScanMail for
Exchange\RealTimeScan\IMCScan\ScanOption
BackupDir=
\ScanMail for
Exchange\RealTimeScan\IMCScan\ScanOption\Ad
vance
QuarantineFolder=
\ScanMail for Exchange\ManualScan\ScanOption
BackupDir=
D-3
SMEX (ScanMail for Exchange) HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro

Continued \ScanMail for Exchange\QuarantineManager
QMDir=
1. Get exclusion.txt file path from

HKEY_LOCAL_MACHINE\SOFTWARE\TrendMic
ro\ScanMail for
Exchange\CurrentVersion\HomeDir
2. Go to HomeDir path (e.g. C:\Program Files\Trend
Micro\Messaging Security Agent\)
3. Open exclusion.txt
Agent\Temp\
Agent\storage\quarantine\
Agent\storage\backup\
Agent\storage\archive\
Agent\SharedResPool
IMS (IM Security) HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro

\IM Security\CurrentVersion
HomeDir=
VSQuarantineDir=
VSBackupDir=
FBArchiveDir=
FTCFArchiveDir=
Exclusion List for Exchange Servers

By default, when the CSA is installed on an Exchange server (2000 or later), it will
not scan Exchange databases, Exchange log files, Virtual server folders, or the M
drive. The exclusion list is saved in:
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersi
on\Misc.
ExcludeExchangeStoreFiles=C:\Program
Files\Exchsrvr\mdbdata\priv1.stm|C:\Program
Files\Exchsrvr\mdbdata\priv1.edb|C:\Program
Files\Exchsrvr\mdbdata\pub1.stm|C:\Program
Files\Exchsrvr\mdbdata\pub1.edb
D- 4
ExcludeExchangeStoreFolders=C:\Program
Files\Exchsrvr\mdbdata\|C:\Program Files\Exchsrvr\Mailroot\vsi
1\Queue\|C:\Program Files\Exchsrvr\Mailroot\vsi
1\PickUp\|C:\Program Files\Exchsrvr\Mailroot\vsi 1\BadMail\|M:\
For other MS recommended folders, please add them to scan exclusion list manually.
For more information, please see http://support.microsoft.com/kb/245822/.
D-5
D- 6
Appendix E
Client Side Information

Client Server Messaging Security differentiates three types of clients:
• Normal clients
• Roaming clients
• 32-bit and 64-bit clients
Normal clients are computers that have the Client/Server Security Agent installed
and are stationary computers that maintain a continuous network connection with the
Icons that appear in a client’s system tray indicate the status of the normal client. See
for a list of icons that appear on the normal client.
TABLE E-1. Icons That Appear on a Normal Client
Icon Description Real-time Scan
Normal client Enabled
Pattern file is outdated Enabled
Scan Now, Manual Scan, or Scheduled Enabled

Scan is running
Real-time Scan is disabled Disabled
E-1
TABLE E-1. Icons That Appear on a Normal Client
Real-time Scan is disabled and the pattern Disabled

file is outdated
Real-time Scan Service is not running (red Disabled

icon)
Real-time Scan Service is not running and Disabled

the pattern file is outdated (red icon)
Disconnected from the server Enabled
Disconnected from the server and the Enabled

pattern file is outdated
Disconnected from the server and Disabled

Real-time Scan is disabled
Roaming Clients
Roaming clients are computers with the Client/Server Security Agent installation that
do not always maintain a constant network connection with the Trend Micro Security
Server (for example, notebook computers). These clients continue to provide
antivirus protection, but have delays in sending their status to the server.
Assign roaming privileges to clients that are disconnected from the Trend Micro
Security Server for an extended period.
Roaming clients get updated only on these occasions:
• When the client performs Update Now or performs a Scheduled Update.
• When client connects to the Trend Micro Security Server.
For more information on how to update clients, see the Trend Micro Security Server
online help.
E-2
The status of a roaming client is indicated by icons that appear in its system tray. See
for a list of icons that appear on roaming clients.
TABLE E-2. Icons That Appear on a Roaming Client
Roaming client (blue icon) Enabled
Real-time Scan is disabled Disabled
Pattern file is outdated Enabled
Real-time Scan is disabled and the Disabled

pattern file is outdated
Real-time Scan Service is not running Disabled

(red icon)
Real-time Scan Service is not running Disabled

and the pattern file is outdated (red
icon)
32-bit and 64-bit Clients

The Client/Server Security Agent (CSA) supports Windows Vista/XP/Server 2003
computers that use x86 processor architecture, and x64 processor architecture. The
table below shows a comparison between Client/Server Security features for 32-bit
and 64-bit client computers:
TABLE E-3. 32-bit and 64-bit Client Features Comparison
Vista Vista
32-bit 64-bit
Feature clients clients 32-bit 64-bit
clients clients
Manual, Real-time, and Scheduled

Scan for viruses and other malicious
code
Roaming mode
Damage Cleanup Services N/A N/A
E-3
TABLE E-3. 32-bit and 64-bit Client Features Comparison
Anti-spyware
Personal Firewall N/A N/A N/A
Mailscan N/A N/A N/A
Outbreak Prevention Policy N/A N/A
Watch Dog N/A N/A
Manual Scan from the Windows N/A N/A

shortcut menu
Anti-Rootkit N/A N/A
CSA installation using login scripts N/A N/A
Note: Client/Server Security Agent does not support the Itanium 2 Architecture (IA-64).
E-4
Appendix F
Appendix F
Spyware Types
The Trend Micro anti-spam engine can detect 21 types of spyware. The following
table identifies these spyware types and provides a threat description for each type.
These spyware types may appear in the Spyware/Grayware Type column on the
Spyware/Grayware Log Details page.
Spyware Type Threat Description
Trackware Trackware is a generic term that describes software that collects a

computers demographic and usage information and sends it to some
remote server via the Internet, where it can be used by other people in a
variety of different ways including marketing.
Adware Adware is a type of software that displays advertisements on the computer

screen while a computer is running. Typically, AdWare is built into software
that performs some other primary task such as file sharing.
The justification for AdWare is for the software developer to recover

revenue via advertising instead of for instance charging for their software.
Some Adware will collect the computers usage information (e.g. sites
visited) and send it up to a remote server on the Internet where it is
collected and processed for marketing purposes.
F-1
Cookie Cookies are small files that are created by your Web browser when you visit
sites on the Internet. Typically, they are used as a convenience to
remember frequently used information that is required for access to a
particular Web site. They can also be used to track your visits to certain
Web sites and can provide companies with information about frequency of
visits and other profile information. The user is usually not aware that their
surfing habits are being tracked.
Trend Micro Anti-Spyware identifies cookies that are created by the most
common advertising companies and allows you to clean them, which helps
to ensure your privacy while surfing.
Dialer A program that usually configures some sort of dial up configuration such as
a dial-up-networking connection in Windows. The user either knowingly or
unknowingly will end up using the dialer that calls a time-charged number
that is usually billed to your credit card.
General The threat type is not known, or is not yet classified.
KeyLogger/Monit A type of software can be either commercially sold or may be installed

oring Software inadvertently via the Internet. This software can allow people to monitor you
keystrokes, your computer screen, etc. and can even allow remote access.
Trojan A type of software that is installed unknowingly, usually as a result of

installing some other software, or viewing an email. Since it exists as a
software program on the computer, the range of activity of a Trojan can be
quite broad, from usage monitoring to remote control to customized
collection and theft of information.
Suspect This item is suspect, because Trend Micro Anti-Spyware detected some
characteristics that match a known spyware.
Browser Hijacker A type of software that changes settings in your Web browser. This often
includes changing your browser's default home page.
Parasite A type of software that piggybacks onto other software. This type of
software may be installed without the user's knowledge or consent.
Browser Helper A type of module that acts as a plugin to Internet Explorer browser. Some
Object BHOs may monitor or manipulate your Web surfing.
Layered Service A type of module that acts as a plugin to your Network System. LSPs
Provider usually have low level access to your network and Internet data.
URL Shortcut A shortcut to a URL that exists in your Internet Browser or your desktop.
Peer To Peer Software that allows users to exchange shared files over the Internet.
Worm Software that propagates by creating duplicates of itself on other

computers.
Downloader Software that manages the download of other software onto computers.
F-2
Virus Software that propagates itself by attaching to other valid programs, or by

existing as a separate program.
EULAware Software that contains a non-standard or questionable End User License

Agreement. For example, a license agreement that states the software or
license may be updated without first notifying the user and that the user
agrees to any future changes made to the software and/or license
agreement.
EULAware may broadly permit the software to transmit any type of

information to a server, including information unrelated to the function of the
software application.
CoolWebSearch A particularly complex set of Browser Hijacker variants that require

Variant innovative detection and removal techniques.
Security A medium/high risk security weakness that exists on your computer that
Weakness could be used to compromise your systems security.
F-3
F-4
Appendix G
Appendix G
Glossary of Terms
The following is a list of terms in this document:
Term Description
ActiveUpdate ActiveUpdate is a function common to many Trend Micro products.

Connected to the Trend Micro update Web site, ActiveUpdate provides
up-to-date downloads of components such as the virus pattern files, scan
engines, and program files.
ActiveX A type of virus that resides in Web pages that execute ActiveX controls.
malicious code
administrator The person in an organization who is responsible for activities such as

setting up new hardware and software, allocating user names and
passwords, monitoring disk space and other IT resources, performing
backups, and managing network security.
administrator A user name and password that has administrator-level privileges.

account
Anti-spam Refers to a filtering mechanism, designed to identify and prevent delivery of

advertisements, pornography, and other “nuisance” mail.
attachment A file attached to (sent with) an email message.

body (message The content of an email message.
body)
G-1
Term Description
boot sector A sector is a designated portion of a disk (the physical device on which data
viruses is written and read). The boot sector contains the data used by your
computer to load and initialize the computer's operating system. A boot
sector virus infects the boot sector of a partition or a disk.
bots Bots are compressed executable files that are designed with the intent to
cause harm to computer systems and networks. Bots, once executed, can
replicate, compress, and distribute copies of themselves.
clean To remove virus code from a file or message.
Cleanup Cleanup detects and removes Trojans and applications or processes

installed by Trojans. It repairs files modified by Trojans.
client A computer system or process that requests a service of another computer

system or process (a “server”) using some kind of protocol and accepts the
server's responses. A client is part of a client-server software architecture.
Note that the online help uses the term “Client computer” in a special way to
refer to computers that form a client-server relationship to the Client Server
Messaging main program, the Security Server.
client computers The Client computers are all the desktops, laptops, and servers where the
CSAs are installed. Exchange servers protected by Messaging Security
Agents are also considered to be Client computers. CSAs perform Antivirus
scanning and Firewall configurations on Client desktops and servers.
Messaging Security Agents perform Antivirus scanning, Anti-spam filtering,
email Content Filtering, and Attachment Blocking on Exchange servers.
compressed file A single file containing one or more separate files plus information to allow
them to be extracted by a suitable program, such as WinZip.
COM and EXE file A type of virus that masquerades as an application by using a .exe or .com
infectors file extension.
configuration Selecting options for how your Trend Micro product will function, for
example, selecting whether to quarantine or delete a virus-infected email
message.
Content Filtering Scanning email messages for content (words or phrases) prohibited by your
organization's Human Resources or IT messaging policies, such as hate
mail, profanity, or pornography.
content violation An event that has triggered the content filtering policy.
default A value that pre-populates a field in the Security Dashboard. A default value
represents a logical choice and is provided for convenience. Use default
values as pre-set by Trend Micro or customize them as required.
Denial of Service An attack on a computer or network that causes to a loss of 'service',

Attack (DoS namely a network connection. Typically DoS attacks negatively affect
Attack) network bandwidth or overload computer resources, such as memory.
G-2
Term Description
domain name The full name of a system, consisting of its local host name and its domain
name, for example, tellsitall.com. A domain name should be sufficient to
determine a unique Internet address for any host on the Internet. This
process, called “name resolution”, uses the Domain Name System (DNS).
Dynamic Host A device, such as a computer or switch, must have an IP address to be

Control Protocol connected to a network, but the address does not have to be static. A
(DHCP) DHCP server, using the Dynamic Host Control Protocol, can assign and
manage IP addresses dynamically every time a device connects to a
network.
encryption Encryption is the process of changing data into a form that can be read only
by the intended receiver. To decipher the message, the receiver of the
encrypted data must have the proper decryption key. Lacing decryption
codes, CSAs cannot scan encrypted files.
End User License An End User License Agreement or EULA is a legal contract between a
Agreement software publisher and the software user. It typically outlines restrictions on
(EULA) the side of the user, who can refuse to enter into the agreement by not
clicking “I accept” during installation. Clicking “I do not accept” will, of
course, end the installation of the software product.
Many users inadvertently agree to the installation of spyware and other

types of grayware into their computers when they click “I accept” on EULA
prompts displayed during the installation of certain free software.
Exceptions Exceptions, in relation to the Firewall, are a list of ports and communication
protocols that will not be blocked by the Firewall. Exceptions also describe
the ports that you have set so that they are never blocked during Outbreak
Defense protection measures.
false positives A false positive occurs when a Web site, URL, “infected” file, or email
message is incorrectly determined by filtering software to be of an
unwanted type. For example, a legitimate email between colleagues may
be detected as spam if a job-seeking filter does not distinguish between
resume (to start again) and résumé (a summary of work experience).
file name The portion of a file name (such as .dll or .xml) which indicates the kind of
extension data stored in the file. Apart from informing the user what type of content the
file holds, file name extensions are typically used to decide which program
to launch when a file is run.
File Transfer FTP is a standard protocol used for transporting files from a server to a
Protocol (FTP) client over the Internet. Refer to Network Working Group RFC 959 for more
information.
file type The kind of data stored in a file. Most operating systems use the file name
extension to determine the file type. The file type is used to choose an
appropriate icon to represent the file in a user interface, and the correct
application with which to view, edit, run, or print the file.
G-3
Term Description
firewall Firewalls create a barrier between the Internet and your local network to
protect the local network from hacker attacks and network viruses.
Firewalls examine data packet to determine if they are infected with a
network virus.
FQDN (fully A fully qualified domain name (FQDN) consists of a host and domain name,
qualified domain including top-level domain. For example, www.trendmicro.com is a fully
name) qualified domain name: www is the host, trendmicro is the second-level
domain, and .com is the top-level domain.
FTP (file transfer FTP is a standard protocol used for transporting files from a server to a
protocol) client over the Internet.
grayware Files and programs, other than viruses, that can negatively affect the
performance of the computers on your network. These include spyware,
adware, dialers, joke programs, hacking tools, remote access tools,
password cracking applications, and others. The OfficeScan scan engine
scans for grayware as well as viruses.
hot fixes and Workaround solutions to customer related problems or newly discovered
patches security vulnerabilities that you can download from the Trend Micro Web
site and deploy to the OfficeScan server and/or client program.
Hyper Text HTTP is a standard protocol used for transporting Web pages (including
Transfer graphics and multimedia content) from a server to a client over the Internet.
Protocol (HTTP)
HTTPS Hypertext Transfer Protocol using Secure Socket Layer (SSL).

IntelliScan IntelliScan is a Trend Micro scanning technology that optimizes
performance by examining file headers using true file type recognition, and
scanning only file types known to potentially harbor malicious code. True file
type recognition helps identify malicious code that can be disguised by a
harmless extension name.
Internet Protocol "The internet protocol provides for transmitting blocks of data called
(IP) datagrams from sources to destinations, where sources and destinations
are hosts identified by fixed length addresses." (RFC 791)
Intrusion Intrusion Detection Systems are commonly part of firewalls. An IDS can
Detection System help identify patterns in network packets that may indicate an attack on the
(IDS) client.
keywords The Messaging Security Agent can filter incoming email messages for
keywords that you set up using Content Filtering rules. When keywords are
detected the Messaging Security Agent can take action to prevent the
delivery of messages containing these keywords. Note that keywords are
not strictly words, but can be numbers, typographical characters, or short
phrases.
local The term “local” refers to a computer on which you are directly installing or
running software, as opposed to a “remote” computer which is physically
distant and/or connected to your computer through a network.
G-4
Term Description
macro viruses A type of virus encoded in an application macro and often included in a
document.
malware A malware is a program that performs unexpected or unauthorized actions.

It is a general term used to refer to viruses, Trojans, and worms. Malware,
depending on their type, may or may not include replicating and non
replicating malicious code.
message body The content of an email message.
Network virus Viruses that use network protocols, such as TCP, FTP, UDP, HTTP, and
email protocols to replicate. They often do not alter system files or modify
the boot sectors of hard disks. Instead, network viruses infect the memory
of computers, forcing them to flood the network with traffic, which can
cause slowdowns and even complete network failure.
Notifications The Security Server can send your system administrator a notification
whenever significant abnormal events occur on your Client computers. For
example: You can set up a condition that whenever the CSA detects 40
viruses within one hour, the Security Server will send a notification to the
system administrator.
Outbreak During Outbreak Defense, the Security Server enacts the instructions
Defense contained in the Outbreak Prevention Policy. The Trend Micro Outbreak
Prevention Policy is a set of recommended default security configurations
and settings designed by TrendLabs to give optimal protection to your
computers and network during outbreak conditions. The Security Server
downloads the Outbreak Prevention Policy from Trend Micro ActiveUpdate
server every 30 minutes or whenever the Security Server starts up.
Outbreak Defense enacts preemptive measures such as blocking shared
folders, blocking ports, updating components, and running scans.
phishing incident A Phish is an email message that falsely claims to be from an established or
legitimate enterprise. The message encourages recipients to click on a link
that will redirect their browsers to a fraudulent Web site where the user is
asked to update personal information such as passwords, social security
numbers, and credit card numbers in an attempt to trick a recipient into
providing private information that will be used for identity theft.
Phish sites A Web site that lures users into providing personal details, such as credit
card information. Links to phish sites are often sent in bogus email
messages disguised as legitimate messages from well-known businesses.
Ping of Death A Denial of Service attack where a hacker directs an oversized ICMP
packet at a target computer. This can cause the computers buffer to
overflow, which can freeze or reboot the machine.
Post Office POP3 is a standard protocol for storing and transporting email messages
Protocol 3 from a server to a client email application.
(POP3)
G-5
Term Description
port number A port number, together with a network address - such as an IP number,
allow computers to communicate across a network. Each application
program has a unique port number associated with it. Blocking a port on a
computer prevents an application associated with that port number from
sending or receiving communications to other applications on other
computers across a network. Blocking the ports on a computer is an
effective way to prevent malicious software from attacking that computer.
privileges From the Security Dashboard, administrators can set privileges for the
(desktop CSAs. End users can then set the CSAs to scan their Client computers
privileges) according to the privileges you allowed. Use desktop privileges to enforce a
uniform antivirus policy throughout your organization.
proxy server A World Wide Web server which accepts URLs with a special prefix, used to
fetch documents from either a local cache or a remote server, then returns
the URL to the requester.
quarantine To place infected data such as email messages, infected attachments,

infected HTTP downloads, or infected FTP files in an isolated directory (the
Quarantine Directory) on your server.
remote The term “remote” refers to a computer that is connected through a network
to another computer, but physically distant from that computer.
rules (content Content filtering rules are rules that you set up to filter the content of email
filtering) messages. You define undesirable content and sources and set the
Messaging Security Agent to detect and take action against such content
violations.
scan To examine items in a file in sequence to find those that meet a particular
criteria.
scan engine The module that performs antivirus scanning and detection in the host
product to which it is integrated.
Secure Socket SSL is a scheme proposed by Netscape Communications Corporation to
Layer (SSL) use RSA public-key cryptography to encrypt and authenticate content
transferred on higher-level protocols such as HTTP, NNTP, and FTP.
SSL certificate A digital certificate that establishes secure HTTPS communication between
the Policy Server and the ACS server.
security The Security Dashboard is a centralized Web-based management console.

dashboard You can use it to configure the settings of CSAs and Messaging Security
Agents which are protecting all your remote desktops, servers and
Exchange servers. The Trend Micro Security Dashboard for SMB is
installed when you install the Trend Micro Security Server and uses Internet
technologies such as ActiveX, CGI, HTML, and HTTP.
G-6
Term Description
security server When you first install Client Server Messaging Security, you install it on a
Windows server that becomes the Security Server. The Security Server
communicates with the CSAs and the Messaging Security Agents installed
on Client computers. The Security Server also hosts the Security
Dashboard, the centralized Web management console for the entire Client
Server Messaging Security solution.
server A program which provides some service to other (client) programs. The
connection between client and server is normally by means of message
passing, often over a network, and uses some protocol to encode the
client's requests and the server's responses. Note that the online help uses
the term “Security Server” in a special way to refer to the server that forms a
client-server relationship with the computers on your network to which you
have installed the CSAs.
Simple Mail SMTP is a standard protocol used to transport email messages from server
Transport to server, and client to server, over the internet.
Protocol (SMTP)
SOCKS 4 A TCP protocol used by proxy servers to establish a connection between

clients on the internal network or LAN and computers or servers outside the
LAN. The SOCKS 4 protocol makes connection requests, sets up proxy
circuits and relays data at the Application layer of the OSI model.
spam Unsolicited email messages meant to promote a product or service.

Telnet Telnet is a standard method of interfacing terminal devices over TCP by
creating a "Network Virtual Terminal". Refer to Network Working Group
RFC 854 for more information.
Test virus An inert file that acts like a real virus and is detectable by virus-scanning
software. Use test files, such as the EICAR test script, to verify that your
antivirus installation is scanning properly.
Transmission A connection-oriented, end-to-end reliable protocol designed to fit into a

Control Protocol layered hierarchy of protocols which support multi-network applications.
(TCP) TCP relies on IP datagrams for address resolution. Refer to DARPA
Internet Program RFC 793 for information.
TrendLabs TrendLabs is Trend Micro's global network of antivirus research and

product support centers that provide 24 x 7 coverage to Trend Micro
customers around the world.
Trojan horses Executable programs that do not replicate but instead reside on systems to
perform malicious acts, such as open ports for hackers to enter.
updates Updates describe a process of downloading the most up-to-date

components such as pattern files and scan engines to your computer.
virus A virus is a program that replicates. To do so, the virus needs to attach itself
to other program files and execute whenever the host program executes.
G-7
Term Description
vulnerability A vulnerable computer has weaknesses in its operating system or

applications. Many threats exploit these vulnerabilities to cause damage or
gain unauthorized control. Therefore, vulnerabilities represent risks not only
to each individual computer where they are located, but also to the other
computers on your network.
wildcard A term used in reference to content filtering, where an asterisk (*)
represents any characters. For example, in the expression *ber, this
expression can represent barber, number, plumber, timber, and so on.
worm A self-contained program (or set of programs) that is able to spread

functional copies of itself or its segments to other computer systems, often
via email. A worm can also be called a network virus.
G-8
Index E
Encrypted and Password protected files 8-4
End User Quarantine
disabling 8-43
A
evaluation license
Activation Codes 4-5
benefits 4-5
administrator account
features 4-3
required for installation 4-6
Excluded files (Files over specified scanning restric-
administrator privileges
tions) 8-4
required for installation 4-6
F
C
firewall
capabilities
deploy Security Server behind 3-7
Client Server Messaging Security 1-2–1-8
firewall, Windows XP
added to Exception list 3-7
capabilities 1-2, 1-8
fully licensed
benefits 4-5
deployment considerations 3-7
features 4-3
listening port 4-7
overview 2-4 G
Common Firewall Driver 2-10 generating debugger reports, how to 8-45
compatibility issues
third-party applications 4-4 H
Configuring Personal Firewall – Simple Mode 7-10 hostname, Security Server
Configuring the Personal Firewall - Advanced Mode prepare before installing 4-6
7-11 Hot Fixes 2-10
content filtering rules
changing order 8-29 I
Current Status – Cleanup 9-6 incremental pattern file update
Current Status – Prevention 9-2 size of download 3-9
Current Status – Protection 9-5 installation
overview 3-2
D installation path, Client/Server Security Agent
Damage Cleanup services prepare before installing 4-6
how it works 2-9 Internet Connection Firewall (ICF)
debugger reports, generating 8-44 removing 4-4
deleting quarantined messages 8-41 IP address, Security Server
deleting spam messages from Spam folder 8-44 prepare before installing 4-6
deployment
overview 3-2 K
Security Server 3-7 keywords
Security Server, on dedicated server 3-10 about 8-29
Disabling the Firewall 7-14 supported 8-32
domain name, Security Server
prepare before installing 4-6 L
license
I–1
consequences of expiry 4-3 overview 2-3

lockdown tools, warning Security Server
remove during installation 4-7 communication with the Security Agents 2-4
deployment location 3-7
M deployment on a dedicated server 3-10
macro viruses deployment with firewall 3-7
explained 17-7 listening port 4-7
overview 2-4
N server
network traffic
address, checklist A-1
causes 3-8 Service Packs 2-10
deployment considerations 3-8
Simple Mail Transport Protocol (SMTP)
during pattern file updates 3-9
definition G-7
Network Virus Pattern File 2-10 SMTP server
O prepare before installing 4-6
Outbreak Defense - Settings 9-8 SOCKS 4
overview 2-9 definition G-7
Spam Folder
P creating 8-43
password, Security Dashboard deleting spam messages 8-44
prepare before installing 4-6 renaming 8-43
Patches 2-10 setting the retention time limit 8-44
ports spam messages
Client/Server/Security Agent 4-7 deleting 8-43
modifying after installation 4-7 SQL server databases
Security Server 4-7 excluding from scanning
ports, warning performance 4-4
attacks on HTTP port (80 or 8080) 4-7 standard alert
Potential Threat 9-7 email 13-4
prescan, Security Server
actions 4-8
T
Telnet
explanation 4-7
definition G-7
proxy server
prepare details before installing 4-6 test virus
definition G-7
R third party antivirus applications
Registration Key 4-5 removing 4-4
reorder content filtering rules 8-29 Transmission Control Protocol (TCP)
restart after installation 4-8 definition G-7
Trend Micro ActiveAction B-4
S Trend Micro IntelliScan B-3
scheduled scans TrendLabs
content filtering of header and subject unavailable definition G-7
8-36 updates Virus Cleanup Pattern 2-9
Security Dashboard Trojan horses
I–2
definition G-7
U
Using Antivirus to Configure Real-time Scan 7-2
Using Desktop Privileges 7-14
Using Quarantine 7-17
Using the Personal Firewall 7-8
V
Virus Cleanup Engine 2-9
Virus Cleanup Pattern 2-10
virus pattern file
size of download 3-9
W
Warning
back up before removing third-party antivirus
software 18-13
change port number to prevent attacks on HTTP
port 4-7
dangers of disabling real-time scanning 8-14
decrypting files 15-9
do not send installation package to wrong Client
computer 5-10
never use real virus for testing 5-24
quarantine folder contains email messages that
have a high-risk of being infected 8-41
remove lockdown tool during installation 4-7–4-8
using back up tools 18-6
Windows XP Firewall
added to Exception list 3-7
I–3
I–4

CSM4SMB v3 AG

Uploaded by

Copyright:

Available Formats

CSM4SMB v3 AG

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CSM4SMB v3 AG

Uploaded by

Copyright:

Available Formats

CSM4SMB-v3-AG.

book Page 1 Monday, April 23, 2007 10:40 AM

Chapter 1: Introducing Trend Micro Client Server Messaging

Chapter 2: Client Server Messaging Security Components

Client Server Messaging Security Updateable Components ..............2-5

Chapter 3: Planning for Installation of Client Server Messaging

Chapter 4: Client Server Messaging Security Installation Overview

The Registration Key and Activation Codes ................................. 4-5

Chapter 5: Installing the Trend Micro Client Server Messaging

Migrating from Third-party Antivirus Applications ........................5-17

Chapter 6: The Trend Micro Security Dashboard for SMB

Chapter 7: Configuring Desktop and Server Groups

Chapter 8: Protecting Your Microsoft Exchange Servers

About the Quarantine Folder ....................................................... 8-39

Chapter 9: Using Outbreak Defense

Chapter 10: Manual and Scheduled Scans

Chapter 11: Updating Components

Using Update Agents ........................................................................11-8

Chapter 12: Viewing and Interpreting Logs

Chapter 13: Working with Notifications

Chapter 14: Configuring Global Settings

Chapter 15: Using Administrative and Client Tools

Chapter 16: Performing Additional Administrative Tasks

Chapter 17: Understanding the Threats

Chapter 18: FAQs, Troubleshooting and Technical Support

User’s Spam Folder not Created ..................................................18-4

Appendix A: System Checklists

Appendix B: Trend Micro Services

Appendix C: Planning a Pilot Deployment

Creating a Rollback Plan ....................................................................C-1

Appendix D: Trend Micro Product Exclusion List

Appendix E: Client Side Information

Appendix F: Spyware Types

Appendix G: Glossary of Terms

How this Book Is Organized

Using the Trend Micro Client Server Messaging

Introducing Trend Micro Client Server

Seamless integration with Microsoft™ Windows™ and Microsoft Exchange

What’s New in Client Server Messaging

What You Can Do with Client Server Messaging

Introducing Trend Micro Client Server Messaging Security for SMB

• Control Outbreaks on the Network on page 1-4

Analyze Your Network’s Protection

Enforce Antivirus Policies

Protect Clients and Servers from Spyware/Grayware

Update Your Protection

Perform Scans from One Location

Quarantine Infected Files

Control Outbreaks on the Network

Manage Client Server Messaging Security Groups

Introducing Trend Micro Client Server Messaging Security for SMB

Protect Clients from Hacker Attacks with Personal Firewall

Protect POP3 Mail Messages

Benefits and Capabilities

Spyware/Grayware Approved List

Secure Web Console Communication

Introducing Trend Micro Client Server Messaging Security for SMB

Enhanced Protection for Your Exchange Servers

Client Server Messaging Security