Computer Security, Technology, Tutorials, Windows 10

How To Set Up & Configure Trend Micro Worry-Free Business Services

December 15, 2017

Introduction

In this tutorial, you are going to learn how to configure, set up, and optimize the Trend Micro Security agent which is a lightweight enterprise-grade software that protects Windows endpoint PCs from viruses/malware/Trojans/spyware and other potentially harmful threats.

Trend Micro Worry-Free Business Security (WFBS) provides numerous layers of protection to make endpoints secure.

This article serves as a guide on how to leverage Trend Micro’s business security solution and take maximum advantage of the features offered which ultimately ensures that your enterprise’s network is properly protected from the latest emerging cyber threats.

Login To Trend Micro Worry-Free Business Security Services Web Console

Trend Micro’s web console allows the administrator to manage every security agent from one location conveniently.

To access it, use the following link:

Trend Micro Worry-Free Business Security Services

Configure Smart Scan

Once you are logged in, you’ll be shown a dashboard.

To edit the policy settings for a group, do the following:

1. Click on Devices tab

2. Click on the group Device (Default) where your endpoints are located in by default.

3. On the right, click Configure Policy.

4. Under Windows tab, in Scan Method area, ensure Smart Scan is selected.

5. Click Save to apply any changes you have made.

Smart scans provide the advantage of both local scans and leverage File Reputation Services. Whereas, conventional scans retains all components on the security agent and scans every file locally.

Configure Anti-virus/Anti-spyware

1. Click on Anti-virus/Anti-spyware area.

2. Ensure that Enable real-time antivirus / anti-spyware checkbox is ticked.

Target Tab

1. Under Target tab, choose IntelliScan.

2. Under Select a condition, tick Scan files being created, modified, or retrieved.

3. Under Advanced Settings, tick Scan POP3 messages, tick Enable IntelliTrap, tick Quarantine malware variants detected in memory, tick Scan mapped drives and shared folders on the network, tick Scan floppy drive system shutdown, tick Scan compressed files: select 6 for Maximum layers.

4. Click Save to apply any changes you have made.

IntelliScan is a technique deployed for determining files to scan which also uses minimal system resources.

IntelliTrap uncovers cyberthreats that deploy real-time compression coupled with the additional use of software such as Packers to circumvent AV analysis and detection.

Action Tab

1. Under Action tab, ensure ActiveAction is selected, ensure that Backup detected file before cleaning is ticked, ensure that Clean is selected for purposes of enabling the cleaning of detected spyware, tick Display an alert message on the device when a virus/spyware is detected.

2. Click Save to apply any changes you have made.

ActiveAction provides convenience and protection by deploying scan actions that are suggested by Trend Micro. ActiveAction is updated to provide protection against the latest cyberthreats and the latest attack vectors.

It is extremely important to ensure that the Anti-virus/Anti-spyware settings are properly applied to leverage Trend Micro’s enterprise endpoint protection technologies.

Trend Micro Personal Firewall Service (TmPfw.exe Process from Program Files (x86) > Trend Micro > Client Server Security Agent)

By default, the WFBS firewall is turned off on all security agents.

When you initially enable the firewall, WFBS applies the following default settings:

Simple Mode, Security Level: Low – On. Firewall uses Trend Micro default settings. Inbound & Outbound Traffic Permitted. Firewall inspects every packet for network viruses. Only network viruses are blocked.

Intrusion Detection System (IDS) – Off

Alert Message – Off

Trend Micro’s WFBS firewall possesses stateful inspection capabilities. WFBS enforces two kinds of rules: Access Rules & Generic Stream Scanning Rules.

When you are deploying the WFBS firewall, it’s important to change the “Simple mode” to “Advanced mode.”, set the Security Level to “High“, enable the “Intrusion Detection System.

High Security Level blocks all incoming & outgoing traffic excluding all traffic permitted in the “Exceptions” list under “Exception Settings.”

Exceptions permit the administrator to decide on which ports they may add to the exception list and whether those ports will be allowed or be denied network traffic.

Access Rules permits the administrator to define the sort of packets that are blocked and are permitted to pass.

Enabling the IDS is important as it allows the detection of patterns in network packets that can denote an attack being carried out on a client.

Alert Messages should be enabled as it is particularly useful when WFBS discovers a violation and will thus inform the client.

Click Save to apply any changes you have made.

Once the firewall has been enabled, you will not only see it with a green circle (enabled status) in the Security Agent but also see the component versions of the Common Firewall Driver (64-bit) and Common Firewall Pattern which will indicate “Last updated” whenever updates are applied.

Firewall patterns play a tremendous role in detecting network viruses as the patterns are “definers” working in cooperation with Generic Stream Scanning Rules. Hence, it’s important that the patterns are kept up-to-date.

Ensuring that the firewall is enabled and that it is properly configured with the appropriate exclusions added to the exception list is essential for network security.

Configuring Web Reputation

1. Click on Web Reputation area.

2. Tick Enable Web Reputation.

3. Under Security Level, tick Medium or High. The Security Level set depends on your organization’s needs. But generally, I recommend setting the Security Level to Medium unless you absolutely require the most stringent security which has potential costs of inconvenience. By default, the Security Level is set to Low.

4. Under Browser Exploit Prevention, ensure that Block pages containing malicious pages is ticked. By default, Browser Exploit Prevention is not enabled.

5. Click Save to apply any changes you have made.

It is important that the Web Reputation component is properly configured as websites are a common attack vector.

Configuring URL Filtering

1. Click on URL Filtering area.

2. Tick Enable URL Filtering.

3. Under Filter Strength, the default setting is set to Low (default). You may change the setting to Medium or even High depending on your organization’s needs. Generally, Low (default) should suffice.

1. Under Business Hours, select All day (24 hours). By default, this is not enabled. It’s important that URL filtering is deployed at all hours.

Configuring Predictive Machine Learning

1. Click on Predictive Machine Learning area.

2. Tick Enabling Predictive Machine Learning.

3. Under File, tick Quarantine in Action.

4. Under Process, tick Terminate.

5. Click Save to apply any changes you have made.

Predictive Machine Learning deploys sophisticated machine learning technology to discover imminent unknown security risks.

By default, Predictive Machine Learning is not enabled. It is absolutely imperative to enable this feature to not only leverage Trend Micro’s unique technologies, but also minimize the risks of successful security compromises by adversaries.

Configuring Behavior Monitoring

1. Click on Behavior Monitoring area.

2. Tick Enable Behavior Monitoring. Behavior Monitoring is required for Predictive Machine Learning to work.

3. Tick Enable Malware Behavior Blocking for known and potential threats and select Known and potential threats.

4. Tick Enable Intuit QuickBooks protection.

5. Under Ransomware Protection, tick Enable all ransomware protection features. Expand Enable all ransomware protection features and ensure that all checkboxes are ticked to make sure the client receives maximum ransomware protection.

6. Under Event Monitoring, tick Enable Event Monitoring. Expand Enable Event Monitoring and make any applicable changes to the Actions of Possible Changes Monitored. The default settings will usually suffice.

7. Under Security Agent Alerts, tick Display alerts on devices with Behavior Monitoring violations.

8. Click Save to apply any changes you have made.

Configuring Device Control

1. Click on Device Control area.

2. Tick Enable device control. Under USB device, you can modify the Permission. For instance, we could permit USB devices to Read. It’s not recommended to give Full access or Modify or Read and execute to prevent an adversary from physically compromising the security of your endpoint by plugging in USB devices.

3. Tick Block the autorun function on USB storage devices. You don’t want an adversary to be able to deploy the autorun function on USB storage devices.

4. Click Save to apply any changes you have made.

Configuring Application Control

1. Click on Application Control area.

2. Under Blocked Application List, click Manage Applications, and you will be presented with a box called Manage Applications to Block which allows you to pick applications to block from Trend Micro’s Certified Safe Software List for the group Device (Default). There are many categories that you can select to block and individually block specific applications. There is also the ability for you to enable Block new applications added to a specific category.

3. Under Blocked Path List, you also have the option of using a folder path for purposes of denying applications on endpoints. Generally, the former will suffice.

4. Click Save to apply any changes you have made.

Configuring Agent Privileges

1. Click on Agent Privileges.

I don’t recommend that you tick any of the checkboxes under Security Settings as granting the security agent privilleges makes the adversary’s job significantly easier. However, I will over the Agent Control tab briefly.

2. Under Agent Control tab, and in Update Privileges, do not Disable regular Agent upgrade and hotfix deployment. Disabling such an important feature should only be used for troubleshooting purposes.

3. Under Security Agent Self-Protection, tick Prevent users or other processes from modifying Trend Micro program files, registries and processes. You don’t want anyone ever to tamper with the client.

4. Click Save to apply any changes you have made.

Configuring Security Settings In Global Settings

To edit the policy settings for a group, do the following:

1. Place your cursor on Administration tab and click on Global Settings.

2. Under General Scan, untick Exclude the Microsoft Exchange server 2003 folders and untick Exclude the Microsoft domain controller folders.

3. Under Virus Scan,  tick Scan up to 10 OLE layer(s). Confirm that you have selected 10 OLE layer(s).

4. Under Virus Scan, tick Add Manual Scan to the Windows shortcut menu on clients.

5. Under Spyware/Grayware Scan, tick Scan for cookies and tick Add cookie detections to the Spyware log.

6. Under Beware Monitoring, tick Enable warning messages for low-risk changes or other monitored actions and tick Prompt users before executing newly encountered programs downloaded through HTTP or email applications (Server platforms excluded).

7. Under HTTPS Web Threat Protection, tick Enable HTTPS checking for Web Reputation and URL Filtering on Chrome and Microsoft Edge and tick Display a notification above the Security Agent icon when an update to the feature requires users to restart Chrome.

8. Under Outbreak Defense Prevention, tick Enable Red Alerts Issued by Trend Micro and tick Enable Yellow Alerts issued by Trend Micro. It’s important to receive all infection reports issued by Trend Micro. By default, only Enable Red Alerts issued by Trend Micro is enabled.

9. Click Save to apply any changes you have made.

Agent Control Tab

1. Under Agent Control tab, in Alert, tick Show the alert icon on the Windows taskbar if the virus pattern file is not updated after 1 day(s). Confirm that you have selected after 1 day(s). If the virus pattern file isn’t updated after 1 day, there might be an issue with the security agent as the client should be receiving frequent updates to the virus pattern file daily.

2. Under Agent Log, tick Send the Agent Web Reputation and URL Filtering log to the server.

3. Under Watchdog, tick Enable the Security Agent Watchdog service and select 1 minute(s) for Check Agent status every 1 minute(s).

Configuring Security Agent Password Protection

1. Under Security Agent Uninstallation Password, select Require the end user to enter a password to uninstall the Security Agent. Choose and enter a password. Confirm by re-entering the password again.

2. Under Security Agent Exit/Unlock Password, select Requires a password. Choose and enter a password. Confirm by re-entering the password again.

It’s extremely important to implement password protection on the client as it will prevent anyone with access to the endpoint from attempting to uninstall the client or completely terminate the client or unlock and modify advanced client settings.

3. Click Save to apply any changes you have made.

Device Management Tab

1. Under Device Management tab, tick Enable device labeling. The Label format: First Name can also be changed or be left to the default setting.

2. Under Agent Installation Link Validity, tick Enable Installation package expiration and enter in Duration (in days): 3. Or you can change the Duration (in days) to any number of days you want.

3. Click Save to apply any changes you have made.

Install And Use Microsoft Baseline Security Analyzer At Least Once A Month To Check If Endpoint Is Patched & Properly Configured

Download the program using the following link:

Microsoft Baseline Security Analyzer (for IT Professionals)

Note: I can confirm that Microsoft Baseline Security Analyzer works with Windows 10 despite Microsoft not listing it in under “System Requirements” > “Supported Operating System.” I ran the program using Windows 10 and conducted a security assessment. Works fine.

Encrypt Endpoints

Lastly, don’t forget to encrypt your endpoints!

Conclusion

You are all set!

You Might Also Like

Back to top
%d bloggers like this: