Trend Micro, Inc.

March 2019

Trend Micro Apex One™

Version 2019

This readme file is current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates at https://docs.trendmicro.com/en-us/enterprise/apex-one.aspx.

Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation, or online at http://olr.trendmicro.com.

Trend Micro always seeks to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site: http://docs.trendmicro.com/en-us/survey.aspx.

Contents

1. About Apex One
2. What's New
3. Document Set
4. System Requirements
5. Installation
6. Known Issues
7. Contact Information
8. About Trend Micro
9. License Agreement

1. About Trend Micro Apex One

Trend Micro Apex One™ protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks. An integrated solution, Apex One consists of the Security Agent program that resides at the endpoint and a server program that manages all agents. The Security Agent guards the endpoint and reports its security status to the server. The server, through the web-based management console, makes it easy to set coordinated security policies and deploy updates to every Security Agent.

Apex One is powered by the Trend Micro Smart Protection Network™, a next generation cloud-client infrastructure that delivers security that is smarter than conventional approaches. Unique in-the-cloud technology and a lighter-weight agent reduce reliance on conventional pattern downloads and eliminate the delays commonly associated with desktop updates. Businesses benefit from increased network bandwidth, reduced processing power, and associated cost savings. Users get immediate access to the latest protection wherever they connect—within the company network, from home, or on the go.

For more information, go to:

https://docs.trendmicro.com/en-us/enterprise/apex-one.aspx

Back to top

2. What's New

Apex One includes the following new features and enhancements:

• Offline Predictive Machine Learning

  Predictive Machine Learning has been upgraded to provide offline protection against portable executable files. The lightweight, offline model helps protect all endpoints against unknown threats when a functional Internet connection is unavailable.

• Fileless Attack Protection

  Security Agent policies provide increased real-time protection against the latest fileless attack methods through enhanced memory scanning for suspicious process behaviors. Security Agents can terminate suspicious processes before any damage can be done.

• Off-premises Security Agent Protection

  Enhanced Edge Relay Server support allows for increased communication between the Apex One server and off-premises Security Agents. Security Agents can receive updated policy settings from the Apex One server even when a direct connection to the server is unavailable.

• Rebranded Console

  The OfficeScan server and OfficeScan agent programs have been rebranded to the Apex One server and Security Agent respectively. The new Apex One server integrates with Apex Central (formerly Trend Micro Control Manager) to provide increased protection against security risks. The all-in-one Security Agent program continues to provide superior protection against malware and data loss but also allows you implement Application Control, Endpoint Sensor, and Vulnerability Protection policies without having to install and maintain multiple agent programs.

Back to top

3. Document Set

The document set for the Apex One server includes:

• Installation and Upgrade Guide: A PDF document that discusses requirements and procedures for installing the Apex One server, and upgrading the server and Security Agents
• Administrator's Guide: A PDF document that discusses getting started information, agent installation procedures, and Apex One server and Security Agent management
• Help: HTML files compiled in WebHelp format that provide "how to's", usage advice, and field-specific information. The Help is accessible from the Apex One server, Security Agent, and Policy Server consoles, and from the Apex One Master Setup.
• Readme file: Contains a list of known issues and basic installation steps. It may also contain late-breaking product information not found in the Help or printed documentation.
• Knowledge Base: An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following website: http://esupport.trendmicro.com

Download the latest versions of the PDF documents and readme at https://docs.trendmicro.com/en-us/enterprise/apex-one.aspx.

Back to top

4. System Requirements

• Apex One supports the following web browsers:

  • Microsoft™ Internet Explorer™ 11
  • Microsoft™ Edge™
  • Google™ Chrome™

• The Apex One Security Agent can be installed on endpoints running Microsoft Windows platforms. The Security Agent is also compatible with various third-party products.

  Visit the following website for a complete list of system requirements and compatible third-party products:

  https://docs.trendmicro.com/en-us/enterprise/apex-one.aspx

  Size of Deployment Package

  Note: All of the following deployment package sizes are for packages that do not include the Data Protection feature.

  For the fully-functional Security Agent MSI Setup Package:

  • 32-bit Setup Package (Smart Scan) = 238 MB
  • 64-bit Setup Package (Smart Scan) = 294 MB

  For the coexist Security Agent MSI Setup Package:

  • 32-bit Setup Package (Smart Scan) = 238 MB
  • 64-bit Setup Package (Smart Scan) = 294 MB

Visit the following website for a complete list of system requirements:

https://docs.trendmicro.com/en-us/enterprise/apex-one.aspx

Back to top

5. Installation

See the Installation and Upgrade Guide for instructions on:

• Installing the Apex One server
• Upgrading to the Apex One server and Security Agent
• Rolling back agents to a previous server version

For Security Agent installation instructions, refer to the Administrator's Guide.

Back to top

6. Known Issues

Known Issues

The following are the known issues related to the Apex One server and Security Agents in this release:

• Server Installation, Upgrade, and Uninstallation
• Agent Installation and Upgrade
• Scanning
• Server Update
• Agent Update
• Server Management
• Agent Management
• Device Control
• Data Loss Prevention
• Apex One Firewall
• Smart Scan
• Web Reputation
• Predictive Machine Learning
• Cloud Synchronization Channel Support
• Apex Central Integration
• Additional Release Notes

Server Installation, Upgrade, and Uninstallation

1. The Apex One web console and all OfficeScan services cannot be accessed if the Apex One server was installed on Windows Server 2012, or Windows Server 2012 R2 before joining a domain. To resolve the issue:

   1. Go to Control Panel > System and Security > Windows Firewall > Advanced settings.

   2. Click Inbound Rules. Allow access to all required File and Printer Sharing rules.

   3. Click Inbound Rules > New Rule... > Port.

   4. Add the following port exceptions:

      • Trend Micro Local Web Classification Server HTTP, TCP Port 5274
      • Trend Micro Apex One Server HTTP, TCP port 8080
      • Trend Micro Apex One Server HTTPS, TCP port 4343
      • Trend Micro Smart Scan Server (Integrated) HTTP, TCP port 8082
      • Trend Micro Smart Scan Server (Integrated) HTTPS, TCP port 4345

2. When the Apex One server is installed to a disk using the FAT32 file system, role-based logon to the Apex One web console does not work.

3. Trend Micro Mobile Security is a standalone program and has no longer been supported as a plug-in program since OfficeScan 11.0. To continue using Mobile Security, Trend Micro recommends upgrading to the standalone version 9.0. For detailed migration steps, see http://esupport.trendmicro.com/solution/en-US/1098095.aspx.

4. When upgrading to the Apex One server from a previous OfficeScan version using a Virtual IIS website, the IIS website is removed and rebuilt, resetting all IIS settings to default values.

Agent Installation and Upgrade

1. When an application that locks the Windows Service Control Manager (SCM) is launched, the Security Agent cannot be installed or upgraded. Before upgrading or installing the Security Agent, ensure that no SCM-locking application is running.
2. The Security Agent (operating in fully-featured mode) may not install correctly if Norton SystemWorks™ antivirus is installed on the endpoint. Uninstall it before installing Security Agent.
3. If the Security Agent is installed using the "per-user" method, the Security Agent shortcut will still show on all the users' Windows Start menu.
4. After a Security Agent in a VPN environment is uninstalled successfully, the agent is not removed on the web console's agent tree and its status is offline.
5. Installing Security Agents to Windows 7 SP1 or Windows Server 2008 R2 using a GUEST OS running on VMware Workstation 6.x and below may cause the system to stop responding. This is because of compatibility issues with the Intel™ Network Adapter Driver.
6. If you add the Security Agent program to the Microsoft Software Restriction Policy list using the user interface, you may need to restart the endpoint before subsequent additions to the list take effect.

7. You are unable to migrate OfficeScan XG SP1 agents to the Apex One server successfully if the agents used the GlobalSettings.ini "ASE=0" setting to force an HTTP connection with the previous OfficeScan server.

   To resolve this issue, modify the GlobalSettings.ini ASE value to "1" and deploy to all agents on the OfficeScan XG SP1 server before migrating agents to the Apex One server.

8. The Common Client Solution Framework service may not start if “Microsoft Visual C++ 2017 Redistributable” was not installed successfully.

   To resolve this issue, ensure that you install the following Windows update to properly install Microsoft Visual C++ 2017 Redistributable:

   https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows

9. Security Agents running on Windows Server 2016 platforms cannot report security statuses to Windows Security Center because Windows Server 2016 does not provide the Windows Security Center service. If Windows Defender is enabled on Windows Server 2016 with the Security Agent installed, performance issues may occur. Trend Micro recommends disabling Windows Defender before installing the Security Agent.

Scanning

1. When specifying the scan target for Scheduled Scan, Scan Now and Real-time Scan, spyware/grayware scan can be disabled. However, for Manual Scan, there is no option for disabling spyware/grayware scan, which means that during Manual Scan, the Security Agent will always scan for spyware/grayware.
2. When the Security Agent is configured to scan mapped drives during Manual Scan, the mapped drive may not get scanned when scanning is initiated through Terminal Service client.
3. When an email containing an attachment with spyware/grayware is retrieved through Eudora email client and POP3 Mail Scan is disabled, the Security Agent's Real-time Scan denies access to the email even if the scan action is "clean". The email does not appear on the inbox and the Eudora client displays a message informing the user that access to the email is denied.
4. After the Damage Cleanup Engine cleans a malicious file, the infection channel always displays as "Local or network drive" regardless of the actual source of the infection.

5. A Microsoft Hyper-V virtual machine might not be able to start if the host computer has Security Agent installed. This is because the Security Agent and Hyper-V virtual machine accesses the same Hyper-V xml file and causes file access violation. As a workaround:

   • Set exclusion folder for the virtual machine xml file located in C:\ProgramData\Microsoft\Virtual Machine Manager\.
   • Turn off file mapping scan by modifying the TmFilter/TmxpFilter registry value.

6. In a Citrix environment, when the Security Agent detects a security risk during a particular user session, the notification message for the security risk displays on all active user sessions.

   Security risk can be any of the following:

   • Virus/Malware
   • Spyware/Grayware
   • Firewall policy violation
   • Web Reputation policy violation
   • Unauthorized access to external devices

Server Update

1. When updating Apex One patterns and engines from Apex Central, administrators are not notified of the update status even if notifications are enabled. The update status can be viewed from the Apex Central console.

Agent Update

1. Security Agents can only download settings from the Apex One server, not Update Agents.
2. An Update Agent running a 64-bit platform is unable to generate incremental patterns. Therefore, the Update Agent always downloads all incremental patterns available in the ActiveUpdate server, regardless of how many of these patterns it has previously downloaded.
3. When the server and agent endpoints are located on geographical locations with different time zones, the agent cannot be configured to update based on the server's time zone.

Server Management

1. When the endpoint's date/time format is changed, the date/time format on the Apex One console does not automatically change.

Agent Management

1. Agent names in the Security Agent tree supports only 15 characters and truncates the succeeding characters.
2. Double-byte characters (characters typically used in East Asian languages) cannot be used when specifying the notification message for virus/malware infection source (Administration > Notifications > Agents > Virus/Malware tab).

Device Control

1. If the Device Control permission for USB storage devices is changed from "Allow" to "Block" when USB storage device files are already opened on the agent endpoint, access to the opened files is still permitted. The Block permission is updated the next time that the USB device is plugged in, or the agent endpoint is restarted.
2. Device management applications (such as iTunes, HTCSync, and SamSung Kies) for devices blocked by Device Control are also blocked from user access.

Data Loss Prevention

1. Data transmitted through Instant Messaging applications are not detected if the applications use a non-transparent proxy server.
2. Data Loss Prevention logs can only display the first 1000 bytes of characters in the Source and Destination columns due to a buffer overflow issue with long file names.
3. Security Agents with Data Loss Prevention enabled may encounter a high CPU usage issue when uploading large files through Box Sync.

Apex One Firewall

1. The Firewall rule for outgoing traffic will not work as expected if a machine has several IP addresses with different Firewall policies.

2. When the security level on a Citrix server is medium or high, perform the following steps:

   1. On the Apex One web console, create a new firewall policy.
   2. Add the following port numbers to the policy's exclusion list: 1494, 2598
   3. Go to Agents > Firewall > Profiles and click Assign Profile to Agents.
3. The Apex One firewall service and driver cannot be installed if a previous version of the firewall driver exists and is running but there is no Trend Micro Common Firewall in the network protocol.

Smart Scan

1. Only Internet Explorer is supported for configuring proxy settings used by agents to connect to the Global Smart Protection Server. If proxy settings are configured in other browsers, agents will not be able to connect to the Global Smart Protection Server.

Web Reputation

1. If you enable the option Check HTTPS URLs in a Web Reputation policy, select the option Enable third-party browser extensions in Internet Explorer. If this option is disabled, agents will not be able to check the reputation of HTTPS websites.

2. Agents can browse blocked sites if using Juniper Networks VPN and proxy servers to connect to the Internet. To resolve this issue:

   1. Connect to the network using Juniper Networks VPN.
   2. Open Internet Option > Connection > LAN Settings.
   3. Disable Automatic configuration settings.
   4. Enable Proxy server and specify the IP address and port of your proxy server.
   5. Click Ok.
3. If users access the Internet using Firefox and a proxy server, be sure that proxy settings in Internet Explorer have been configured. If proxy settings have not been configured in Internet Explorer, Web Reputation will not work, even if proxy settings have been configured in Firefox.
4. On the Security Agent endpoint, Web Reputation automatic proxy detection in Internet Explorer does not work if the administrator enables the Security Agent Access Restriction option on the Apex One web console's Privileges and Other Settings screen.

Predictive Machine Learning

1. The logged "User Account" may display inaccurate data. If another user logs onto an endpoint before a Predictive Machine Learning query result completes, the Security Agent logs the newly logged on user as the event owner when the query returns.

Cloud Synchronization Channel Support

1. Apex One does not provide support of the Windows 8.1 pre-installed OneDrive (SkyDrive) synchronization folder. The Security Agent logs malware infections for OneDrive (SkyDrive) as being in the "Local or network drive" channel.
2. If you disable the Unauthorized Change Prevention Service, the Security Agent may lock files during the synchronization process and prevent the files from synchronizing to the sync folder. To resolve this issue, enable the Unauthorized Change Prevention Service.
3. The Security Agent logs malicious files that do not include a portable executable extension as being in the "Local or network drive" channel.
4. The Security Agent logs malicious files synchronized to mounted drives as being in the "Local or network drive" channel.

Apex Central Integration

1. The Integrated Windows Authentication protocol is not supported when registering Apex One to Apex Central and specifying web server authentication credentials for the IIS server. Only basic access authentication is supported.

Additional Release Notes

1. Download the latest components after upgrading to keep your security risk protection current.

Back to top

7. Contact Information

A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

Back to top

8. About Trend Micro

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information

Copyright 2019, Trend Micro Incorporated. All rights reserved.

Trend Micro, the t-ball logo, OfficeScan, Trend Micro Security (for Mac), Control Manager, Trend Micro Apex One, and Trend Micro Apex Central are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other product or company names may be trademarks or registered trademarks of their owners.

Back to top

9. License Agreement

Information about your license agreement with Trend Micro can be viewed at http://us.trendmicro.com/us/about/company/user_license_agreements/.

License Attributions can be viewed from the Apex One web console.

Back to top