Trend Micro Updates
SIRT IT Security Roundtable
Harvard Townsend, Chief Information Security Officer, harv@ksu.edu
November 6, 2009

Agenda
- Why the changes?
- Timeline for the changes
- New antivirus web site
- Trend Micro OfficeScan 10 features
- Trend Micro Security for Macs 1.5 features
- Removing SAV for Macs
- Residence halls
- Q&A

Why the changes?
- OfficeScan 8 to OfficeScan 10 (Windows)
- Symantec AV for Macs to Trend Micro Security for Mac 1.5
- Support for new operating systems (Windows 7, Mac OS X 10.6/Snow Leopard)
- Support contract for Symantec AV for Macs ended Oct. 27 and there is no budget for renewal
- Release of a managed Trend Micro client for Macs
- Mac product is bundled in the pre-paid Trend Micro contract (since we pay per user, not per device/platform); licenses paid through March 2012; support renewed annually
- More security features for Mac (like Web Reputation Services)
- Beneficial features in OfficeScan 10
- Single vendor for AV and tech support
- Can manage both platforms from a single OfficeScan server
- Give Shea more work before she leaves K-State

Timeline
- Oct. 27: Symantec AV for Macs support contract expired
- Tuesday, November 10:
  - OfficeScan 10 for Windows pushed to clients that use the central IT Trend Micro service
  - OfficeScan 10 available on antivirus.ksu.edu for new installations
  - TM Security for Mac 1.5 available from antivirus.ksu.edu for manual installation
  - New antivirus.ksu.edu web site released
- January 2010: Trend required in residence halls for both Windows and Macs

New antivirus web site
- Replaces the current one on Nov. 10
- New ITS web format
- Easier for users to find what they need
- www.k-state.edu/its/antivirus or antivirus.k-state.edu
- Linked from the main ITS web site

Trend Micro OfficeScan 10
- Major upgrade from version 8 (where did version 9 go?!)
- Rife with marketing hype ("Cloud-Client Architecture", "Smart Protection Network", "Global Threat Intelligence"), but it appears to provide real value:
  - Faster deployment of pattern file updates
  - Smaller client footprint
  - Windows 7 support in SP1 (not officially supported in OfficeScan 8)
  - More options for rescheduling missed scheduled scans
  - Better Active Directory integration
  - Better control of removable devices like USB drives
  - Protection of the OfficeScan program itself (prevents malware from altering OfficeScan files, processes and registry entries)

TMOS 10 Features
- "In-the-cloud" scanning ("Smart Scan") vs. conventional scanning
- Client uses pattern information stored on local or global scan servers rather than having to store everything on every client computer
- Pattern files are updated hourly instead of daily
- Smaller pattern files on the client, so less network bandwidth is used to deploy pattern files
- Some heuristic-based detection
- Conventional scanning is still available for systems with limited Internet access

TMOS 10 Features
- Better options for dealing with a missed scheduled scan:
  - Postpone a scheduled scan before it begins
  - Stop and resume a currently active scheduled scan
  - Resume a missed scheduled scan
  - Automatically skip a scheduled scan when the laptop battery is below a certain percentage
  - Automatically stop a scheduled scan when it runs longer than a certain period

TMOS 10 Features
- Device Access Control: sysadmins can control use of removable drives
- Examples: removable thumb drives, FireWire hard drives, PC Cards, media players

TMOS 10 Features
- The Trend Micro Unauthorized Change Prevention Service replaces the OfficeScan watchdog as the principal means of preventing OfficeScan services from being stopped and settings from being changed
- Purpose: prevent OSCE applications from being injected with malware and impacting business operations
- Protects OfficeScan files / file types within folders from being modified
- Protects OfficeScan system processes from unauthorized shutdown
- Protects OfficeScan system registry entries from unauthorized modification

TMOS 10 User Experience
- After automatic installation, the user is prompted to reboot via a pop-up warning in the lower right-hand corner of the screen (above the system tray)
- Icon change: [figure: OfficeScan 8 icon vs. OfficeScan 10 icons for Conventional Scan, Smart Scan, and "problem communicating with server"]

TMOS 10 User Experience
- OfficeScan console is largely the same
- Firewall config for communicating with OfficeScan servers:
  - Smart Scan server: TCP/443 from 10.130.69.52 (on campus only)
  - OfficeScan server (conventional scan): TCP/8080 from 129.130.255.181
  - Off campus, component updates try the campus server first, then fail over to osce10-p.activeupdate.trendmicro.com

TMOS 10 User Experience
- What else about TMOS 10? What is your experience?
- Does the TMOS 10 install wipe out any custom TMOS 8 configs?
- No tool yet to export/import config from a TMOS 8 server to a TMOS 10 environment, but they're working on it.
- Significant CPU utilization every hour on the Local Scan Server when it downloads and processes new pattern files; has this been a problem?
- Pushing a new pattern file on demand (as in yesterday's malware outbreak): how to push to both conventional and Smart Scan configs?
- Standalone Scan Server requires VMware ESXi Server 3.5 Update 2, VMware ESX Server 3.5 or 3.0, or VMware Server 2.0
- 1,000 client limit if running the Local Scan Server and the OfficeScan server on the same server (compared to 5,000-8,000 clients for the latter); this is called the "Integrated Scan Server"

Trend Micro Security for Mac
- Features/Advantages:
  - No additional cost to cover all Macs: the Symantec license was for 1,500 Macs; Trend is licensed by user, unlimited quantity for home/office, student/employee
  - Managed product (can push pattern file updates, manage configuration, centralized reporting, etc.)
  - Managed as a plug-in to the current Windows OfficeScan servers, so there is a common management platform
  - Service Pack 1 supports Mac OS X 10.6/Snow Leopard (Symantec still does not support 10.6)
  - Supports Mac OS X 10.4/10.5/10.6 on Intel and PowerPC processors
  - Includes Web Reputation Services to help prevent users from visiting known malicious web sites
  - Covered by the current Silver Premium Support contract
  - Single vendor for all AV products

Trend Micro Security for Mac
- Trend Micro Security for Mac version 1.5 (TMSM 1.5) released in late summer, replacing the standalone v1.0 from spring
- Service Pack 1 with Snow Leopard support released Oct. 7
- Full-featured antivirus product with real-time, scheduled, and manual scans; regular pattern file updates; centralized management; Web Reputation Services to control access to known malicious web sites
- Available Nov. 10 from antivirus.k-state.edu for manual installation
- Management requires an OfficeScan server running on Windows; colleges/departments can use the central IT server if needed (talk to Shea)
- For client installation, any other antivirus must be removed first:
  - ClamXav for those who installed it on 10.6/Snow Leopard
  - Symantec AV on all others (see www.k-state.edu/its/antivirus/mac/removemacav.html)

Trend Micro Security for Mac
- Default port for communicating with the server is 61617; open the firewall for that port both incoming and outgoing
- Campus computers should install TMSM 1.5 starting next week
- Students in residence halls should install after Nov. 10 as well; they will be forced to in January before the start of the spring semester (waiting on Bradford Campus Manager support)
- For sysadmins, manuals are available at www.trendmicro.com/download/product.asp?productid=114

Summary
- November 10:
  - Users of the central IT OfficeScan server upgraded automatically
  - OfficeScan 10 available on the web for new installs
  - TM Security for Mac 1.5 SP1 available on the web for manual install
  - New antivirus.ksu.edu web site released
- Colleges/departments with their own AV infrastructure should upgrade to TMOS 10 and TMSM 1.5 soon
- Residence halls are required to run Trend Micro by policy now, enforced via Bradford Campus Manager in January

What's on your mind?
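The firewall settings on the OfficeScan user-experience slide and the TMSM port on the Mac slide are the values a client must be able to reach; the following script, an added example that is not from the deck or from Trend Micro, probes each of them and reports which update path and scan mode the client ends up with. The ActiveUpdate port (80) and the TMSM server address are assumptions; the probe function is injectable so the failover logic can be exercised without network access.

```python
"""Client-side reachability check for the Trend Micro endpoints on the slides.

Added example; not from the K-State deck or from Trend Micro. It probes each
server/port a client needs and applies the update failover rule from the slides
(campus server first, then ActiveUpdate) to show which path a client would take.
"""
import socket

# Endpoints taken from the slides. The ActiveUpdate port and the TMSM server
# address are assumptions (the slides give neither); the Mac agent talks to the
# OfficeScan server's TMSM plug-in, so the OfficeScan address is reused for it.
ENDPOINTS = {
    "smart_scan": ("10.130.69.52", 443),                           # on campus only
    "officescan": ("129.130.255.181", 8080),                       # conventional scan / updates
    "activeupdate": ("osce10-p.activeupdate.trendmicro.com", 80),  # failover; port assumed
    "tmsm_mac": ("129.130.255.181", 61617),                        # TMSM agent port; server assumed
}


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, or no route
        return False


def check_endpoints(endpoints=ENDPOINTS, probe=tcp_reachable):
    """Probe every endpoint; returns {name: reachable}."""
    return {name: probe(host, port) for name, (host, port) in endpoints.items()}


def update_source(results):
    """Failover rule from the slides: campus OfficeScan server, else ActiveUpdate, else none."""
    for name in ("officescan", "activeupdate"):
        if results.get(name):
            return name
    return None


def scan_mode(results):
    """Smart Scan depends on the on-campus scan server; without it, conventional scan is the fallback."""
    return "smart" if results.get("smart_scan") else "conventional"


if __name__ == "__main__":
    found = check_endpoints()
    for name, ok in found.items():
        host, port = ENDPOINTS[name]
        print(f"{name:12s} {host}:{port:<5d} {'reachable' if ok else 'BLOCKED'}")
    print("update source:", update_source(found), "| scan mode:", scan_mode(found))
```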