Trend Micro Updates Harvard Townsend SIRT IT Security Roundtable Chief Information Security Officer

advertisement
Trend Micro Updates
SIRT IT Security Roundtable
Harvard Townsend
Chief Information Security Officer
harv@ksu.edu
November 6, 2009
Agenda








Why the changes?
Timeline for the changes
New antivirus web site
Trend Micro OfficeScan 10 features
Trend Micro Security for Macs 1.5 features
Removing SAV for Macs
Residence Halls
Q&A
2
Why the changes?
OfficeScan 8 to OfficeScan 10 (Windows)
Symantec AV for Macs to Trend Micro Security for Mac 1.5









Support for new operating systems (Windows 7, Mac OS X 10.6/Snow
Leopard)
Support contract for Symantec AV for Macs ended Oct. 27 and no budget
for renewal
Release of managed Trend Micro client for Macs
Mac product bundled in pre-paid Trend Micro contract (since paid per
user, not per device/platform); licenses paid thru March 2012; support
renewed annually
More security features for Mac (like Web Reputation Services)
Beneficial features in OfficeScan 10
Single vendor for AV and tech support
Can manage both platforms from single OfficeScan server
Give Shea more work before she leaves K-State
3
Timeline


Oct. 27: Symantec AV for Macs support
contract expired
Tuesday, November 10:





OfficeScan 10 for Windows pushed to clients
that use the central IT Trend Micro service
OfficeScan 10 available on antivirus.ksu.edu for
new installations
TM Security for Mac 1.5 available from
antivirus.ksu.edu for manual installation
New antivirus.ksu.edu web site released
January 2010 – Trend required in residence
halls for both Windows and Macs
4
New antivirus web site





Replaces current one on Nov. 10
New ITS web format
Easier for user to find what they need
www.k-state.edu/its/antivirus or
antivirus.k-state.edu
Linked from the main ITS web site
5
Trend Micro OfficeScan 10



Major upgrade from version 8 (where did version 9 go?!)
Ripe with marketing hype (“Cloud-Client Architecture”,
“Smart Protection Network”, “Global Threat Intelligence”)
But it appears to provide real value:







Faster deployment of pattern file updates
Smaller client footprint
Windows 7 support in sp1 (not officially supported in
OfficeScan 8)
More options for re-scheduling missed scheduled scans
Better Active Directory integration
Better control of removable devices like USB drives
Protection of the OfficeScan program itself (prevents malware
from altering OfficeScan files, processes and registry entries)
6
TMOS 10 Features

“In-the-cloud” scanning (“SmartScan”) vs.
conventional scanning





Client uses pattern info stored on local or global
servers rather than having to store everything on
every client computer
Updates pattern files hourly instead of daily
Smaller pattern files on the client, less network
bandwidth used to deploy pattern files
Some heuristic-based detection
Can still do conventional scanning for systems
with limited Internet access
7
TMOS 10 Features

Better options for dealing with missed scheduled scan





Postpone a schedule scan before it begins
Stop and Resume a current active schedule scan
Resume a missed schedule scan
Automatically skip schedule scan when Laptop Battery is
below certain %
Automatically stop schedule scan when it lasts over a
certain amount of period.
8
TMOS 10 Features

Device Access Control


Sysadmins can control use of removable drives
Examples: Removable Thumb Drives, Firewire Hard Drives,
PC-Cards, Media Players.
9
TMOS 10 Features

The Trend Micro Unauthorized Change
Prevention Service replaces the OfficeScan
watchdog as the principal means of preventing
OfficeScan services from being stopped, and
settings from being changed




To prevent OSCE applications being injected with
malware and impact business operation
Feature provides the ability to protect OfficeScan
files / file types within folders from being modified
Protect OfficeScan system processes to prevent
unauthorized shut-down
Protect OfficeScan system registries from
unauthorized modification
10
TMOS 10 User Experience

After automatic installation,
user will be prompted to
reboot via the pop-up
warning in the lower right
hand corner of the screen
(above system tray)

Icon change
OfficeScan 8
OfficeScan 10 w/
& Conventional Scan Smart Scan
Problem
communicating11
w/ server
TMOS 10 User Experience


OfficeScan console largely the same
Firewall config for communicating with
OfficeScan servers:



Smart Scan server: TCP/443 from
10.130.69.52 (on campus only)
OfficeScan server (conventional scan):
TCP/8080 from 129.130.255.181
Off campus, component updates try
campus server, then failover to
osce10-p.activeupdate.trendmicro.com
12
TMOS 10 User Experience

What else about TMOS 10? What is your experience?






TMOS 10 install wipe out any custom TMOS 8 configs?
No tool yet to export/import config from TMOS 8 server to
TMOS 10 environment, but they’re working on it.
Significant CPU utilization every hour on Local Scan Server
when it downloads and processes new pattern files – has
this been a problem?
Pushing new pattern file on demand (like in yesterday’s
malware outbreak, how to push to both conventional and
SmartScan configs)
Standalone Scan Server requires VMware™ ESXi Server 3.5
Update 2. VMware ESX™ Server 3.5 or 3.0, or VMware Server 2.0
1,000 client limit if run Local Scan Server and OfficeScan
server on same server (compared to 5,000-8,000 clients for
latter) – called “Integrated Scan Server”
13
Trend Micro Security for Mac

Features/Advantages:










No additional cost to cover all Macs
Symantec license was for 1,500 Macs; Trend licensed by
user, unlimited quantity for home/office, student/employee
Managed product (can push pattern file updates, manage
configuration, centralized reporting, etc.)
Managed as plug-in to current Windows OfficeScan servers,
so have common mgmt platform
Service Pack 1 supports Mac OS X 10.6/Snow Leopard
(Symantec still not supporting 10.6)
Supports Mac OS X 10.4/5/6 on Intel and PowerPC
processors
Includes Web Reputation Services to help prevent users from
visiting known malicious web sites
Covered by current Silver Premium Support contract
Single vendor for all AV product
14
No additional cost
Trend Micro Security for Mac






Trend Micro Security for Mac Version 1.5 (TMSM 1.5) released in
late summer, replacing standalone v. 1.0 from spring
Service Pack 1 with Snow Leopard support released Oct. 7
Full-featured antivirus product with real-time, scheduled, and
manual scans; regular pattern file updates; centralized mgmt;
Web Reputation Services to control access to known malicious
web sites
Available Nov. 10 from antivirus.k-state.edu for manual
installation
Management requires OfficeScan server running on Windows;
colleges/depts can use central IT server if needed (talk to Shea)
For client installation, must remove any other antivirus first


ClamXav for those who installed it on 10.6/Snow Leopard
Symantec AV on all others (see
www.k-state.edu/its/antivirus/mac/removemacav.html)
15
Trend Micro Security for Mac




Default port for communicating with server is
61617; open firewall for that port both incoming
and outgoing
Campus computers should install TMSM 1.5
starting next week
Students in residence halls should install after
Nov. 10 as well; will be forced to in January
before the start of the spring semester (waiting on
Bradford Campus Manager support)
For sysadmins, manuals available at
www.trendmicro.com/download/product.asp?productid=114
16
Summary

November 10:






Users of central IT OfficeScan server upgraded
automatically
OfficeScan 10 available on web for new installs
TM Security for Mac 1.5 sp1 available on web for
manual install
New antivirus.ksu.edu web site released
Colleges/depts with own AV infrastructure should
upgrade to TMOS 10 and TMSM 1.5 soon
Residence halls required to run Trend Micro by
policy now, forced via Bradford Campus Manager
in January
17
What’s on your mind?
18
Download