<<USE COURIER REGULAR 10 FONT IF YOU WOULD LIKE TO PRINT THIS DOCUMENT>>

Trend Micro, Inc.

April 2014

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) OfficeScan(TM) Agent
Version 11.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Notes: This readme file was current as of the date above. However,
all customers are advised to check Trend Micro's website for
documentation updates at:
http://docs.trendmicro.com/
Register online with Trend Micro within 30 days of installation to
continue downloading new pattern files and product updates from the
Trend Micro website. Register during installation, or online at:
http://olr.trendmicro.com
Trend Micro always seeks to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
documents, please contact us at docs@trendmicro.com. Your feedback
is always welcome.
Please evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
Contents
=====================================================================
1. About OfficeScan
2. What's New
3. Document Set
4. System Requirements
5. Installation
6. Post-Installation Configuration
7. Known Issues
8. Contact Information
9. About Trend Micro
10. License Agreement
=====================================================================

1. About OfficeScan
========================================================================
Trend Micro(TM) OfficeScan(TM) protects enterprise networks from
malware, network viruses, web-based threats, spyware, and mixed
threat attacks. An integrated solution, OfficeScan consists of an
agent program that resides at the endpoint and a server program
that manages all agents. The agent guards the endpoint and reports
its security status to the server. The server, through the web-based
management console, makes it easy to set coordinated security
policies and deploy updates to every agent.
OfficeScan is powered by the Trend Micro Smart Protection Network, a
next generation cloud-client infrastructure that delivers security

that is smarter than conventional approaches. Unique in-the-cloud

technology and a lighter-weight agent reduce reliance on
conventional pattern downloads and eliminate the delays commonly
associated with desktop updates. Businesses benefit from increased
network bandwidth, reduced processing power, and associated cost
savings. Users get immediate access to the latest protection
wherever they connect-within the company network, from home, or
on the go.

2. What's New
========================================================================
OfficeScan includes the following new features and enhancements:
2.1 What's New in OfficeScan 11.0
=====================================================================
Suspicious File Restoration
--------------------------OfficeScan provides administrators the ability to restore previously
detected "suspicious" files and add files to domain-level "approved"
lists to prevent further actions on the files.
If a program or file has been detected and quarantined,
administrators can globally or granularly restore the file on agents.
Administrators can use additional SHA1 verification checking to
ensure that the files to be restored have not been modified in any
way. After restoring the files, OfficeScan can automatically add
the files to domain-level exclusion lists to exempt them from
further scanning.
Advanced Protection Service
--------------------------The Advanced Protection Service provides the following new scan
features.
Browser Exploit Prevention
-------------------------Browser Exploit Prevention uses sandbox technology to test
the behavior of web pages in real time and detect any malicious
script or program before the OfficeScan agent is exposed to
threats.
Enhanced Memory Scanning
-----------------------Enhanced memory scanning works in conjunction with Behavior
Monitoring to detect malware variants during Realtime Scans and
take quarantine actions against threats.
Data Protection Enhancements
---------------------------OfficeScan Data Protection has been enhanced to provide the
following benefits:
- Data Discovery through integration with Control Manager:

Administrators can configure Data Loss Prevention policies

on Control Manager to scan folders on OfficeScan agents for
sensitive files. After discovering sensitive data within a file,
Control Manager can log the location of the file or, through
integration with Trend Micro Endpoint Encryption, automatically
encrypt the file on the OfficeScan agent.
- User Justification support: Administrators can allow users to
provide reasons for transferring sensitive data or block the
transmissions themselves. OfficeScan logs all transfer attempts
and the reasons provided by the user.
- Smartphone and tablet support: Data Loss Prevention and Device
Control can now monitor and take action on sensitive data being
sent to smart devices, or block access to smart devices
entirely.
Suspicious Connection Settings Enhancements
------------------------------------------Command & Control (C&C) Contact Alert Services has been updated to
include the following:
- Global User-defined Approved and Blocked IP lists
- Malware network fingerprinting to detect C&C callbacks
- Granular action configuration when suspicious connections
are detected
- C&C server and agent logs record the process responsible for
C&C callbacks
Outbreak Prevention Enhancments
------------------------------Outbreak Prevention has been updated to protect against the
following:
- Executable compressed files
- Mutex processes
Self-protection Feature Enhancements
-----------------------------------The self-protection features available in this release provide both
light-weight and high level security solutions to protect both your
server and OfficeScan agent programs.
- Light-weight solution: Designed for server platforms to protect
OfficeScan agent process and registry keys by default, without
affecting the performance of the server
- High-level security solution: Enhances the Agent Self-protection
feature available in previous releases by providing:
- IPC command authentication
- Pattern file protection and verification
- Pattern file update protection

- Behavior Monitoring process protection

Scan Performance and Detection Enhancements
------------------------------------------- Real-Time Scan maintains a persistent scan cache which reloads each
time the OfficeScan agent starts. The OfficeScan agent tracks any
changes to files or folders that occurred since the OfficeScan
agent unloaded and removes these files from the cache.
- This version of OfficeScan includes global Approved lists for
Windows system files, digitally signed files from reputable
sources, and Trend Micro-tested files. After verifying that a file
is known to be safe, OfficeScan does not perform any action on the
file.
- Damage Cleanup Services enhancements provide improved detection
capabilities for rootkit threats and a reduced number of false
positives through updated GeneriClean scanning.
- Compressed file settings are separated between Real-time and
On-demand Scans to help improve performance.
- Dual-layer logs provide a more detailed view for detections that
administrators want to examine further.
OfficeScan Agent Interface Redesign
----------------------------------The OfficeScan agent interface has been redesigned to provide an
easier, more streamlined, and more modern experience. All the
features available in the previous OfficeScan client program are
still available in the updated version.
The updated interface also allows administrators to "unlock"
administrative functions directly from the OfficeScan agent console
in order to quickly troubleshoot issues without opening the web
console.

3. Document Set
========================================================================
The document set for the OfficeScan agent includes:
* Readme file - Contains a list of known issues and basic
installation steps. It may also contain late-breaking product
information not found in the Help or printed documentation.
* Help - HTML files compiled in WebHelp format that provide
"how to's", usage advice, and field-specific information.
The Help is accessible from the OfficeScan agent console.
* Knowledge Base - An online database of problem-solving and
troubleshooting information. It provides the latest information
about known product issues. To access the Knowledge Base, go to
the following website:
http://esupport.trendmicro.com

4. System Requirements
========================================================================
The OfficeScan agent can be installed on endpoints running
Microsoft Windows platforms. The OfficeScan agent is also
compatible with various third-party products.
Visit the following website for a complete list of
system requirements and compatible third-party products:
http://docs.trendmicro.com/en-us/enterprise/officescan.aspx

5. Installation
========================================================================
The OfficeScan administrator in your organization is responsible for
installing and upgrading OfficeScan. Contact the administrator if
you have questions or concerns about the installation or upgrade.

6. Post-Installation Configuration
========================================================================
If your OfficeScan administrator grants you the privileges to modify
scan settings, you can specify how OfficeScan handles security
risks on your endpoint. To determine if you have the privileges to
modify scan settings, open the OfficeScan agent console and check
if the "Settings" menu is active.
You can open the console from the Start menu or from the icon in
the system tray.
* To open the console from the Start menu, select "Programs >
Trend Micro OfficeScan Agent > OfficeScan Agent".
* To open the console from the system tray, right-click the
OfficeScan icon and then select "Open OfficeScan Agent Console".

7. Known Issues
========================================================================
The following are the known issues in this release:
Agent Installation, Upgrade, and Uninstallation
====================================================================
1. The OfficeScan agent is unable to query the web reputation
servers after performing a fresh installation or upgrade. To
resolve the issue, ensure that agents restart their computers if
a restart notification appears.
2. When an application that locks the Windows Service Control
Manager (SCM) is launched, the OfficeScan agent cannot be
installed or upgraded. Before upgrading or installing OfficeScan,

ensure that no SCM-locking application is running.

3. After upgrading OfficeScan, the following issues occur:
* If upgrading from OfficeScan 8.0 patch 2, the OfficeScan
firewall service may sometimes not start even if this service
and the Common Firewall Driver are up-to-date.
The following error appears in the Setupapi.log file found
under %systemroot%:
"0x800b0100: No signature was present in the subject."
* If upgrading from version 8.0 Service Pack 1 by moving a agent
to an OfficeScan 10.6 server, the OfficeScan firewall service
cannot be started and the Common Firewall Pattern version is 0.
* When upgrading by moving a agent to an OfficeScan 10.6 server,
the Common Firewall Pattern version is "N/A".
To resolve these issues, perform the following steps:
a. Stop the Cryptographic Services from the Microsoft Management
Console.
b. Navigate to C:\Windows\system32 and rename the "catroot2"
folder to "oldcatroot2".
c. Start the Cryptographic Services.
d. Open a command prompt (cmd.exe) and run the following
commands:
regsvr32 wintrust.dll
regsvr32 netcfgx.dll
e. Restart the computer.
4. The OfficeScan agent unloads and then reloads three times when
upgraded to this version. This happens if the agent upgrades,
applies smart scan as its scan method, and then applies the
domain level scan method.
5. Installing OfficeScan agents to Windows 7 or Windows Server 2008
R2 using a GUEST OS running on VMware Workstation 6.x and below
may cause the system to stop responding. This is because of
compatibility issues with the Intel(TM) Network Adapter Driver.
6. When installing the OfficeScan agent on Windows 8 and Windows
Server 2012 platforms using the browser-based installation
method, the installation is unsuccessful if the user is currently
in Windows UI mode. This is due to Internet Explorer 10 not
allowing ActiveX controls to run.
To resolve this issue:
Switch to desktop mode on Windows 8 and Windows Server 2012
platforms while performing a browser-based installation of the

OfficeScan agent.
Scanning
====================================================================
1. A Microsoft Hyper-V virtual machine might not be able to start
if the host computer has OfficeScan agent installed. This is
because the OfficeScan agent and Hyper-V virtual machine
accesses the same Hyper-V xml file and causes file access
violation. As a workaround:
* Set exclusion folder for the virtual machine xml file located
in C:\ProgramData\Microsoft\Virtual Machine Manager\.
* Turn off file mapping scan by modifying the TmFilter/TmxpFilter
registry value.
2. When specifying the scan target for Scheduled Scan, Scan Now and
Real-time Scan, spyware/grayware scan can be disabled. However,
for Manual Scan, there is no option for disabling spyware/
grayware scan, which means that during Manual Scan, OfficeScan
will always scan for spyware/grayware.
3. When OfficeScan is configured to scan mapped drives during
Manual Scan, the mapped drive may not get scanned when scanning
is initiated through Terminal Service agent.
4. When an email containing an attachment with spyware/grayware is
retrieved through Eudora email agent and POP3 Mail Scan is
disabled, OfficeScan's Real-time Scan denies access to the email
even if the scan action is "clean". The email does not appear on
the inbox and the Eudora agent displays a message informing the
user that access to the email is denied.
5. In a Citrix environment, when the OfficeScan agent detects a
security risk during a particular user session, the notification
message for the security risk displays on all active user
sessions.
Security risk can be any of the following:
*
*
*
*
*

Virus/Malware
Spyware/Grayware
Firewall policy violation
Web Reputation policy violation
Unauthorized access to external devices

6. After updating the agent program, the "Prompt users before

executing newly encountered programs downloaded through HTTP or
email applications (Server platforms excluded)" setting does not
take effect until the agent program or endpoint is restarted.

Agent Update
====================================================================
1. OfficeScan agents with agent-level settings can only download
settings from the OfficeScan server, not Update Agents.

2. An Update Agent running a 64-bit platform is unable to generate

incremental patterns. Therefore, the Update Agent always
downloads all incremental patterns available in the ActiveUpdate
server, regardless of how many of these patterns it has
previously downloaded.
Agent Management
====================================================================
1. If the agent security level configured on the web console is
set to "High", connection through Nortel VPN agent cannot be
established.
2. Select the "Show icon and notifications" option to display the
OfficeScan icon in the Windows 7 and 8 system tray. The default
option for Windows 7 and 8 is "Only show notification".
3. Some agent console screens include a Help button, which, when
clicked, opens context-sensitive, HTML-based Help. Because
Windows Server Core 2008 lacks a browser, the Help will not be
available to the user. To view the Help, the user must install
a browser.
Device Control
====================================================================
1. The Device Control feature is unable to block recording of files
(or "file burning") to optical disks.
Data Loss Prevention
====================================================================
1. Data transmitted through Instant Messaging applications are not
detected if the applications use a non-transparent proxy server.
2. After upgrading the OfficeScan agent to OfficeScan 11.0 from
an OfficeScan version prior to 10.6 SP3, the preexisting agentside Data Loss Prevention logs are deleted (unless updating from
the OfficeScan 10.6 SP2 DLP Enhancement Patch).
3. Data Loss Prevention cannot monitor Gmail messages on the
following browsers:
- FireFox v14
OfficeScan Firewall
====================================================================
1. For Windows XP and Windows Server 2003 platforms, incoming
packets to a computer on a VMware agent are dropped if the
endpoint has the OfficeScan agent installed.
Workaround:
a. On the agent computer, open Registry Editor.

b. Add the following registry value:

Key: [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\
PC-cillinNTCorp\CurrentVersion\PFW
for x64 computers:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432\TrendMicro\
PC-cillinNTCorp\CurrentVersion\PFW
Name: EnableBypassRule
Type: REG_DWORD
Value: 1
c. Reload the agent for settings to take effect.
2. OfficeScan does not support specific application exceptions on
Windows 8 and Windows Server 2012 platforms. OfficeScan allows or
denies all application traffic on computers with these platforms.
Web Reputation
====================================================================
1. Agents can browse blocked sites if using Juniper Networks VPN
and proxy servers to connect to the Internet. To resolve this
issue:
a. Connect to the network using Juniper Networks VPN.
b. Open Internet Option > Connection > LAN Settings.
c. Disable Automatic configuration settings.
d. Enable Proxy server and specify the IP address and port of
your proxy server.
e. Click Ok.
2. Due to the blocking of add-ons in Internet Explorer 10, HTTPS
scanning only supports Windows 8 or Windows 2012 platforms
operating in desktop mode.

8. Contact Information
========================================================================
A license to the Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support
for one (1) year from the date of purchase only. After the first
year, Maintenance must be renewed on an annual basis at
Trend Micro's then-current Maintenance fees.
You can contact Trend Micro via fax, phone, and email, or visit us
at:
http://www.trendmicro.com
Evaluation copies of Trend Micro products can be downloaded from our

web site.
Global Mailing Address/Telephone numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to:
http://www.trendmicro.com/en/about/overview.htm
The Trend Micro "About Us" screen displays. Click the appropriate
link in the "Contact Us" section of the screen.
Note: This information is subject to change without notice.

9. About Trend Micro

========================================================================
Trend Micro Incorporated, a global leader in Internet content
security and threat management, aims to create a world safe for the
exchange of digital information for businesses and consumers. A
pioneer in server-based antivirus with over 20 years experience, we
deliver top-ranked security that fits our customers' needs, stops
new threats faster, and protects data in physical, virtualized and
cloud environments. Powered by the Trend Micro(TM) Smart Protection
Network(TM) infrastructure, our industry-leading cloud-computing
security technology and products stop threats where they emerge, on
the Internet, and are supported by 1,000+ threat intelligence
experts around the globe. For additional information, visit
www.trendmicro.com.
Copyright 2014, Trend Micro Incorporated. All rights reserved.
Trend Micro, the t-ball logo and OfficeScan are trademarks of Trend
Micro Incorporated and are registered in some jurisdictions. All
other product or company names may be trademarks or registered
trademarks of their owners.

10. License Agreement

========================================================================
Information about your license agreement with Trend Micro can be
viewed at:
http://us.trendmicro.com/us/about/company/user_license_agreements/
Third-party licensing information can be viewed from the
OfficeScan web console.