Apexone 2019 Iug PDF
Apexone 2019 Iug PDF
Apexone 2019 Iug PDF
the product described herein without notice. Before installing and using the product,
review the readme files, release notes, and/or the latest version of the applicable
documentation, which are available from the Trend Micro website at:
http://docs.trendmicro.com/en-us/enterprise/apex-one.aspx
Trend Micro, the Trend Micro t-ball logo, Trend Micro Apex One, Trend Micro Apex
Central, OfficeScan, Control Manager, Damage Cleanup Services, eManager, InterScan,
Network VirusWall, ScanMail, ServerProtect, and TrendLabs are trademarks or
registered trademarks of Trend Micro Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.
Copyright © 2019. Trend Micro Incorporated. All rights reserved.
Document Part No.: APEMS8590/190219
Release Date: April 2019
Protected by U.S. Patent No.: 5,951,698
This documentation introduces the main features of the product and/or provides
installation instructions for a production environment. Read through the documentation
before installing or using the product.
Detailed information about how to use specific features within the product may be
available at the Trend Micro Online Help Center and/or the Trend Micro Knowledge
Base.
Trend Micro always seeks to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro document, please contact us at
[email protected].
Evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
Privacy and Personal Data Collection Disclosure
Certain features available in Trend Micro products collect and send feedback regarding
product usage and detection information to Trend Micro. Some of this data is
considered personal in certain jurisdictions and under certain regulations. If you do not
want Trend Micro to collect personal data, you must ensure that you disable the related
features.
The following link outlines the types of data that Trend Micro Apex One collects and
provides detailed instructions on how to disable the specific features that feedback the
information.
https://success.trendmicro.com/data-collection-disclosure
Data collected by Trend Micro is subject to the conditions stated in the Trend Micro
Privacy Policy:
https://www.trendmicro.com/en_us/about/legal/privacy-policy-product.html
Table of Contents
Preface
Preface ............................................................................................................... vii
Apex One Documentation ............................................................................ viii
Audience ............................................................................................................. ix
Document Conventions ................................................................................... ix
Terminology ........................................................................................................ x
i
Trend Micro Apex One™ Installation and Upgrade Guide
ii
Table of Contents
iii
Trend Micro Apex One™ Installation and Upgrade Guide
Backing Up and Restoring the Apex One Configuration Files ....... 5-3
Uninstalling the Apex One Server ............................................................... 5-4
Uninstalling the Apex One Server Using the Uninstallation Program
.................................................................................................................... 5-5
Manually Uninstalling the Apex One Server ...................................... 5-6
Rolling Back the Apex One Server and Security Agents Using the Server
Backup Package ............................................................................................... 5-9
Rolling Back the Security Agents ......................................................... 5-9
Restoring the Previous OfficeScan Server Version ......................... 5-11
Manually Rolling Back to Previous Security Agent Versions ................. 5-15
Part 1: Preparing the Previous OfficeScan Server Version ............ 5-15
Part 2: Preparing an Update Source for Agents to Roll Back ....... 5-17
Part 3: Rolling Back the Security Agent ............................................ 5-21
iv
Table of Contents
Index
Index .............................................................................................................. IN-1
v
Preface
Preface
Welcome to the Trend Micro Apex One™ Installation and Upgrade Guide. This document
discusses requirements and procedures for installing the Apex One server, and
upgrading the server and Security Agents.
Topics in this chapter:
• Apex One Documentation on page viii
• Audience on page ix
• Document Conventions on page ix
• Terminology on page x
Note
For information on installing Security Agents, see the Administrator’s Guide.
vii
Trend Micro Apex One™ Installation and Upgrade Guide
Documentatio
Description
n
Installation and A PDF document that discusses requirements and procedures for
Upgrade Guide installing the Apex One server, and upgrading the server and agents
Note
The Installation and Upgrade Guide may not be available for
minor release versions, service packs, or patches.
Help HTML files compiled in WebHelp or CHM format that provide "how
to's", usage advice, and field-specific information. The Help is
accessible from the Apex One server and agent consoles, and from
the Apex One Master Setup.
Readme file Contains a list of known issues and basic installation steps. It may
also contain late-breaking product information not found in the Help
or printed documentation
Download the latest version of the PDF documents and readme at:
http://docs.trendmicro.com/en-us/enterprise/apex-one.aspx
viii
Preface
Audience
Apex One documentation is intended for the following users:
• Apex One Administrators: Responsible for Apex One management, including the
Apex One server and Security Agent installation and management. These users are
expected to have advanced networking and server management knowledge.
• End users: Users who have the Security Agent installed on their endpoints. The
endpoint skill level of these individuals ranges from beginner to power user.
Document Conventions
The documentation uses the following conventions.
Table 2. Document Conventions
Convention Description
Configuration notes
Note
Recommendations or suggestions
Tip
ix
Trend Micro Apex One™ Installation and Upgrade Guide
Convention Description
Terminology
The following table provides the official terminology used throughout the Apex One
documentation:
Terminology Description
Agent user (or user) The person managing the Security Agent on the agent
endpoint
Server computer The endpoint where the Apex One server is installed
Administrator (or Apex One The person managing the Apex One server
administrator)
x
Preface
Terminology Description
Agent installation The folder on the endpoint that contains the Security
folder Agent files. If you accept the default settings during
installation, you will find the installation folder at any of
the following locations:
C:\Program Files\Trend Micro\Security Agent
Server installation The folder on the endpoint that contains the Apex One
folder server files. If you accept the default settings during
installation, you will find the installation folder at any of
the following locations:
C:\Program Files\Trend Micro\Apex One
Smart scan agent Any Security Agent that has been configured to use smart
scan
Conventional scan agent Any Security Agent that has been configured to use
conventional scan
xi
Trend Micro Apex One™ Installation and Upgrade Guide
Terminology Description
Plug-in solutions Native Apex One features and plug-in programs delivered
through Plug-in Manager
xii
Chapter 1
1-1
Trend Micro Apex One™ Installation and Upgrade Guide
Tip
Trend Micro recommends that you perform a complete Windows Update on the target
server computer before installing or upgrading to the Apex One server
1-2
Planning Apex One Installation and Upgrade
Important
Apex One completely discontinues support of the Apache server. You can upgrade from
an OfficeScan server that uses Apache only if no program other than the OfficeScan server
uses the Apache server. During the upgrade process, Setup uninstalls the Apache server
and installs the required IIS server.
Important
After upgrading to Apex One, the older Database Backup screen used to back up the
older Codebase database no longer appears on the Apex One web console.
The following table outlines the database support and migration availability for the Apex
One server.
Apex One
OfficeSca OfficeSca with
Database Apex One
n XG n XG SP1 Endpoint
Sensor
1-3
Trend Micro Apex One™ Installation and Upgrade Guide
Apex One
OfficeSca OfficeSca with
Database Apex One
n XG n XG SP1 Endpoint
Sensor
Note
When installing or upgrading to Apex One with the Endpoint Sensor feature, you must
enable Full-Text and Semantic Extractions for Search on a supported SQL Server
version before beginning the installation process.
For more information about the Endpoint Sensor requirements, see Apex One Endpoint
Sensor on page 1-12.
1-4
Planning Apex One Installation and Upgrade
Item Description
HTTPS support HTTPS communication between the Apex One server and the
Security Agent is required.
If you are upgrading from an OfficeScan server that used HTTP
for server-agent communication, you must ensure that your
Firewall allows HTTPS communication to avoid any service
disruption after installation.
Important
You cannot upgrade to the Apex One server if you do not
select to allow HTTPS communication during the upgrade
procedure.
Operating system Apex One only supports endpoints running specific Windows
support operating systems.
For a complete list of Apex One server and Security Agent
requirements, see the System Requirements documents.
During an upgrade installation, the Setup program verifies that all
endpoints that report to the server run a supported operating
system. If the Setup program detects an unsupported operating
system, the upgrade cannot continue.
Before upgrading to the Apex One server, move all agents
installed on unsupported operating systems to an older
OfficeScan server or uninstall the agent program.
1-5
Trend Micro Apex One™ Installation and Upgrade Guide
2. Use the “Apex One Settings Export Tool” to migrate the older OfficeScan server
settings to the new Apex One server.
c. Go to Settings > Privileges and Other Settings > Other Settings tab.
d. In the Update Settings section, select Pattern files, engines, drivers in the
Security Agents only update the following components drop-down.
5. On the older OfficeScan server, use the Move Agent function to transfer agents to
the new Apex One server.
For more information, see the Administrator's Guide for your version of OfficeScan.
c. Go to Settings > Privileges and Other Settings > Other Settings tab.
The following table outlines considerations for performing an in-place upgrade to the
Apex One server.
1-6
Planning Apex One Installation and Upgrade
Item Description
Database backup Before upgrading from an OfficeScan 11.0 SP1 or XG server that
uses a Codebase database, you should back up the server
database. You can back up the database manually or allow the
Setup program to perform the back up for you.
For more information about manually backing up the OfficeScan
server database, refer to the Installation and Upgrade Guide for
your version of OfficeScan.
SQL Server When upgrading from an OfficeScan 11.0 SP1 or XG server that
uses a Codebase database, you can either prepare your own
SQL Server database or allow the Setup program to install SQL
Server 2016 SP1 Express during installation. During the upgrade
process, the Setup program automatically converts the Codebase
database to the SQL format.
Installation Verification
The following table outlines how to verify the successful completion of the Apex One
server and Security Agent.
Item Description
Apex One server Check that the following services are running:
• Apex One Master Service (OfcService.exe)
• Apex One Plug-in Manager (OfcAoSMgr.exe)
• Apex One Active Directory Service
(OSCEIntegrationService.exe)
• Apex One Log Receiver Service (OfcLogReceiverSvc.exe)
• Apex One Deep Discovery Service (ofcDdaSvr.exe)
• Apex One database process (DbServer.exe)
1-7
Trend Micro Apex One™ Installation and Upgrade Guide
Item Description
1-8
Planning Apex One Installation and Upgrade
Item Requirements
License • Included in the Apex One Full Feature for Windows and Mac
license
• An existing Trend Micro Endpoint Application Control license
(activated in Apex Central)
Apex Central Required for licensing and Security Agent policy deployment
registration
Compatibility with • Server: The Apex One server with Application Control can
Trend Micro exist on the same server with Trend Micro Endpoint
Endpoint Application Control (not recommended).
Application Control
Important
Trend Micro Endpoint Application Control server
settings are not compatible with the Apex One
Application Control feature. You must manually
configure all policies using the Apex Central web
console.
1-9
Trend Micro Apex One™ Installation and Upgrade Guide
Type Description
Server The Apex One Setup program installs the Application Control
feature automatically during normal Apex One server installation.
After verifying that the Activation Code includes Application
Control, Apex One starts the Trend Micro Application Control
Service on the Apex One server computer.
Agent The Security Agent program includes but does not immediately
install the Application Control Service during normal Security
Agent installation. To install the Apex One Application Control
feature on the Security Agent, you must enable and deploy an
Application Control policy from the Apex Central web console.
Once the Security Agent receives the Application Control settings,
the Security Agent installs the Application Control feature.
Type Description
OfficeScan server The Apex One license only includes the Application Control
activation for fresh installations. If you upgrade from a previous
version of the OfficeScan server, you must contact your sales
representative to obtain a new license that activates the
Application Control feature.
The Apex One Setup program installs the Apex One Application
Control feature automatically during normal Apex One server
installation.
Trend Micro Apex One does not support any upgrade or settings migration
Endpoint from the standalone Trend Micro Endpoint Application Control
Application Control server to the Apex One Application Control feature.
server
Important
Trend Micro Endpoint Application Control server settings
are not compatible with the Apex One Application Control
feature. You must manually configure all policies using the
Apex Central web console.
1-10
Planning Apex One Installation and Upgrade
Type Description
Trend Micro Apex One does not support upgrading the Trend Micro Endpoint
Endpoint Application Control agent program to the Apex One Security
Application Control Agent.
agent
If you install the Apex One Security Agent on an endpoint with the
Trend Micro Endpoint Application Control agent installed and
deploy an Application Control policy from the Apex Central
console, the Security Agent automatically uninstalls the Trend
Micro Endpoint Application Control agent and installs the Apex
One Application Control feature.
Type Description
Apex One server After installing the Apex One server with a valid license for the
feature, you can verify the following:
• The Trend Micro Application Control Service is running on
the Apex One server computer.
• The Application Control Service folder exists on the Apex
One server computer in the following location:
<Server installation folder>/iServiceSvr/iAC
Security Agent After installing the Security Agent and deploying an Application
endpoint Control policy from Apex Central, you can verify the following:
• The Trend Micro Application Control Service (Agent) is
running on the Security Agent endpoint.
• The Application Control Service folder exists on the endpoint
in the following location:
<Security Agent installation folder>/iService/iAC
1-11
Trend Micro Apex One™ Installation and Upgrade Guide
Settings Description
Security Agent On the Apex Central web console, go to Policies > Policy
endpoint Management and add or modify the Application Control
Settings for the Apex One Security Agent policies as required.
Note
If you do not install the Endpoint Sensor Service and select a supported SQL Server with
Full-Text and Semantic Extractions for Search enabled, the only way to use Endpoint
Sensor later is to go to the Uninstall or change a program screen of Windows Control
Panel.
Select the Apex One server and click Change.
1-12
Planning Apex One Installation and Upgrade
Item Requirements
Important
This feature is only officially supported on the following
platforms:
• Windows 7 SP1
• Windows 8.1
• Windows 10
Apex Central Required for licensing and Security Agent policy deployment
registration
1-13
Trend Micro Apex One™ Installation and Upgrade Guide
Item Requirements
Compatibility with • Server: If you install the Apex One server with the Apex One
Trend Micro Endpoint Sensor feature on the same server with the
Endpoint Sensor standalone Trend Micro Endpoint Sensor server (not
recommended):
• The standalone Trend Micro Endpoint Sensor server is
disabled.
• The standalone Trend Micro Endpoint Sensor files and
database continue to reside on the server computer and
may cause a performance impact.
Important
Standalone Trend Micro Endpoint Sensor server
settings are not compatible with the Apex One
Endpoint Sensor feature. You must manually configure
all policies using the Apex Central web console.
Redis service The Apex One server computer cannot have an existing Redis
service installed. You must uninstall any existing Redis service
and allow the Setup program to install a new service.
Verification
After clicking Next on the Endpoint Sensor Installation screen
1-14
Planning Apex One Installation and Upgrade
Item Requirements
Note
This feature does not support SQL Server Express
versions.
Verification
After clicking Next on the Apex One Database Setup screen
Type Description
Server The Apex One Setup program provides the option of installing the
Apex One Endpoint Sensor feature during normal Apex One
server installation.
1-15
Trend Micro Apex One™ Installation and Upgrade Guide
Type Description
Agent The Security Agent program includes but does not immediately
install the Endpoint Sensor Service during normal Security Agent
installation. To install the Endpoint Sensor Service on the Security
Agent, you must enable and deploy an Endpoint Sensor policy
from the Apex Central web console.
Once the Security Agent receives the Endpoint Sensor settings,
the Security Agent installs the Endpoint Sensor Service.
Type Description
OfficeScan server The Apex One Setup program provides the option of installing the
Apex One Endpoint Sensor feature during normal Apex One
server upgrades.
Trend Micro Apex One does not support any upgrade or settings migration
Endpoint Sensor from the standalone Trend Micro Endpoint Sensor server to the
server Apex One Endpoint Sensor feature.
Important
Standalone Trend Micro Endpoint Sensor server settings
are not compatible with the Apex One Endpoint Sensor
feature. You must manually configure all policies using the
Apex Central web console.
Trend Micro Apex One does not support upgrading the Trend Micro Endpoint
Endpoint Sensor Sensor agent program to the Apex One Security Agent.
agent
If you install the Apex One Security Agent on an endpoint with the
standalone Trend Micro Endpoint Sensor agent installed and
deploy an Endpoint Sensor policy from the Apex Central console,
the Security Agent automatically uninstalls the Trend Micro
Endpoint Sensor agent and installs the Apex One Endpoint
Sensor feature.
1-16
Planning Apex One Installation and Upgrade
Assessment task When the MDR service begins an assessment task, an additional
20 GB of disk space (per 100 endpoints) is required on the Apex
One server to handle the additional log information.
Trend Micro When the MDR service deploys the TMIK, an additional 40 GB of
Investigation Kit disk space (per 100 endpoints) is required on the Apex One
(TMIK) server to handle the additional log information.
Item Requirements
License • Included in the Apex One Full Feature for Windows and Mac
license
• An existing Trend Micro Vulnerability Protection license
(activated in Apex Central)
1-17
Trend Micro Apex One™ Installation and Upgrade Guide
Item Requirements
Apex Central Required for licensing and Security Agent policy deployment
registration
Compatibility with • Server: The Apex One server with Vulnerability Protection
Trend Micro can exist on the same server with Trend Micro Vulnerability
Vulnerability Protection (not recommended).
Protection
• Agent: Once you deploy a Vulnerability Protection policy to
the Apex One Security Agent, the Security Agent
automatically uninstalls any existing Trend Micro Vulnerability
Protection agent before applying the Apex One Vulnerability
Protection settings.
Compatibility with The following Trend Micro products are not compatible with the
other Trend Micro Apex One Vulnerability Protection feature:
products
• Deep Security Agent
• Intrusion Defense Firewall agent
You cannot activate the Apex One Vulnerability Protection feature
on Security Agents installed on endpoints with an incompatible
agent program installed. You must uninstall the conflicting
program before activating the Apex One Vulnerability Protection
feature.
Type Description
Server The Apex One Setup program installs the Apex One Vulnerability
Protection feature automatically during normal Apex One server
installation.
After verifying that the Activation Code includes Vulnerability
Protection, Apex One starts the Trend Micro Vulnerability
Protection Service on the Apex One server computer.
1-18
Planning Apex One Installation and Upgrade
Type Description
Agent The Security Agent program includes but does not immediately
install the Apex One Vulnerability Protection feature during normal
Security Agent installation. To install the Vulnerability Protection
feature on the Security Agent, you must enable and deploy a
Vulnerability Protection policy from the Apex Central web console.
Once the Security Agent receives the Vulnerability Protection
settings, the Security Agent installs the Vulnerability Protection
feature.
Type Description
OfficeScan server The Apex One license only includes the Vulnerability Protection
activation for fresh installations. If you upgrade from a previous
version of the OfficeScan server, you must contact your sales
representative to obtain a new license that activates the
Vulnerability Protection feature.
The Apex One Setup program installs the Apex One Vulnerability
Protection feature automatically during normal Apex One server
installation.
Trend Micro Apex One does not support any upgrade or settings migration
Vulnerability from the standalone Trend Micro Vulnerability Protection server to
Protection server the Apex One Vulnerability Protection feature.
Trend Micro Apex One does not support upgrading the Trend Micro
Vulnerability Vulnerability Protection agent program to the Apex One Security
Protection agent Agent.
If you install the Apex One Security Agent on an endpoint with the
Trend Micro Vulnerability Protection agent installed and deploy a
Vulnerability Protection policy from the Apex Central console, the
Security Agent automatically uninstalls the Trend Micro
Vulnerability Protection agent and installs the Apex One
Vulnerability Protection feature.
1-19
Trend Micro Apex One™ Installation and Upgrade Guide
Type Description
Apex One server After installing the Apex One server with a valid license for the
feature, you can verify the following:
• The Trend Micro Vulnerability Protection Service is
running on the Apex One server computer.
• The Vulnerability Protection Service folder exists on the Apex
One server computer in the following location:
<Server installation folder>/iServiceSvr/iVP
Security Agent After installing the Security Agent and deploying a Vulnerability
endpoint Protection policy from Apex Central, you can verify the following:
• The Trend Micro Vulnerability Protection Service (Agent)
is running on the Security Agent endpoint.
• The Vulnerability Protection Service folder exists on the
endpoint in the following location:
<Security Agent installation folder>/iService/iVP
Settings Description
Security Agent On the Apex Central web console, go to Policies > Policy
endpoint Management and add or modify the Vulnerability Protection
Settings for the Apex One Security Agent policies as required.
1-20
Planning Apex One Installation and Upgrade
Information needed
during
Installation Information
Fresh
Upgrade
Install
1-21
Trend Micro Apex One™ Installation and Upgrade Guide
Information needed
during
Installation Information
Fresh
Upgrade
Install
WARNING!
Many hacker and virus/malware attacks delivered
over HTTP use ports 80 and/or 8080. Most
organizations use these port numbers as the
default TCP port for HTTP communications. Use
other port numbers if the default port numbers are
currently in use.
1-22
Planning Apex One Installation and Upgrade
Information needed
during
Installation Information
Fresh
Upgrade
Install
1-23
Trend Micro Apex One™ Installation and Upgrade Guide
Information needed
during
Installation Information
Fresh
Upgrade
Install
Note
The backup package requires at least 300MB of
free disk space and may take some time to
complete.
1-24
Planning Apex One Installation and Upgrade
Procedure
1. Stop the World Wide Web Publishing service on the Trend Micro Apex One server
computer.
2. Modify the URLScan configuration file to allow the file types specified above.
3. Restart the World Wide Web Publishing service.
1-25
Trend Micro Apex One™ Installation and Upgrade Guide
Database Servers
Administrators can scan database servers, however, this may decrease the performance
of applications that access the databases. Consider excluding databases and their backup
folders from Real-Time Scan. Perform a Manual Scan during off-peak hours to
minimize the impact of the database scans.
1-26
Chapter 2
2-1
Trend Micro Apex One™ Installation and Upgrade Guide
Visit the following website for a complete list of fresh installation requirements:
http://docs.trendmicro.com/en-us/home.aspx
Important
Due to security concerns, Trend Micro recommends installing the Apex One server within
the company intranet. If you need to manage endpoints that leave the local intranet, Trend
Micro recommends installing the Apex One Edge Relay Server in the DMZ.
2-2
Installing Trend Micro Apex One
Server Performance
Enterprise networks require servers with higher specifications than those required for
small and medium-sized businesses.
Tip
Trend Micro recommends at least 2 GHz dual processors and over 3 GB of RAM for the
Apex One server.
The number of networked endpoint agents that a single Apex One server can manage
depends on several factors, such as available server resources and network topology.
Contact your Trend Micro representative for help in determining the number of agents
the server can manage.
Dedicated Server
When selecting the endpoint to host the Apex One server, consider the following:
If the target endpoint has other functions, choose another endpoint that does not run
critical or resource-intensive applications.
Conventional Scan
Conventional Scan is the scan method used in all earlier Apex One versions. A
Conventional Scan agent stores all Apex One components on the agent endpoint and
scans all files locally.
2-3
Trend Micro Apex One™ Installation and Upgrade Guide
Smart Scan
Smart Scan leverages threat signatures that are stored in-the-cloud. When in Smart Scan
mode, the Apex One agent first scans for security risks locally. If the agent cannot
determine the risk of the file during the scan, the agent connects to a Smart Protection
Server.
Smart Scan provides the following features and benefits:
• Provides fast, real-time security status lookup capabilities in the cloud
• Reduces the overall time it takes to deliver protection against emerging threats
• Reduces network bandwidth consumed during pattern updates. The bulk of pattern
definition updates only need to be delivered to the cloud and not to many agents.
• Reduces the cost and overhead associated with corporate-wide pattern
deployments
• Lowers kernel memory consumption on endpoints. Consumption increases
minimally over time.
2-4
Installing Trend Micro Apex One
Network Traffic
When planning for deployment, consider the network traffic that Apex One generates.
The server generates traffic when it does the following:
• Connects to the Trend Micro ActiveUpdate server to check for and download
updated components
• Starts up
• Updates components
Security Agents updated regularly only download the incremental pattern. Otherwise,
they download the full pattern file.
Trend Micro releases new pattern files regularly. Trend Micro also releases a new pattern
file as soon as a damaging and actively circulating virus/malware is discovered.
2-5
Trend Micro Apex One™ Installation and Upgrade Guide
2-6
Installing Trend Micro Apex One
Note
Apex One cannot automatically uninstall the server component of any third-party antivirus
product, but can uninstall the agent component. See the Administrator’s Guide for details.
Active Directory
All Apex One servers must be part of an Active Directory domain to take advantage of
the Role-based Administration and Security Compliance features.
Silent Installation
Install or upgrade multiple Apex One servers silently if the servers will use identical
installation settings.
Procedure
1. Create a response file by running Setup and recording the installation settings to
an .iss file. All servers installed silently using the response file use the settings.
Important
• For fresh installations, create a response file from any endpoint without the
Apex One server installed.
2. Run Setup from a command prompt and point Setup to the location of the
response file to use for silent installation.
2-7
Trend Micro Apex One™ Installation and Upgrade Guide
Procedure
1. Download the ApexOne.exe file and extract the contents.
2. Open a command prompt and type the directory of the Apex One setup.exe
file.
For example, "CD C:\Apex One Installer\setup.exe".
3. Type the following:
setup.exe -r
The -r parameter triggers Setup to launch and record the installation details to a
response file.
4. Perform the installation steps in Setup.
5. After completing the steps, check the response file setup.iss in %windir%.
Procedure
1. Copy the installation package and setup.iss to the target endpoint.
2. In the target endpoint, open a command prompt and type the directory of the
installation package.
3. Type the following:
setup.exe -s <-f1path>setup.iss <-f2path>setup.log.
2-8
Installing Trend Micro Apex One
• <-f2path>setup.log: Location of the log file that Setup will create after
installation. If the path contains spaces, enclose the path with quotes ("). For
example, -f2"C:\osce log\setup.log".
4. Press ENTER.
Setup silently installs the server to the endpoint.
5. To determine if installation was successful:
• Check the Apex One program shortcuts on the target endpoint. If the
shortcuts are not available, retry the installation.
• Log on to the Apex One web console.
2-9
Trend Micro Apex One™ Installation and Upgrade Guide
License Agreement
Read the license agreement carefully and accept the license agreement terms to proceed
with installation. Installation cannot proceed without accepting the license agreement
terms.
2-10
Installing Trend Micro Apex One
Endpoint Prescan
Before the Apex One server installation commences, Setup can scan the target endpoint
for viruses and malware. Setup scans the most vulnerable areas of the endpoint, which
include the following:
• Windows folder
Setup can perform the following actions against detected virus/malware and Trojan
horse programs:
• Clean: Cleans a cleanable file before allowing full access to the file, or lets the
specified next action handle an uncleanable file.
2-11
Trend Micro Apex One™ Installation and Upgrade Guide
• Rename: Changes the infected file's extension to "vir". Users cannot open the
file initially, but can do so if they associate the file with a certain application. Virus/
Malware may execute when opening the renamed infected file.
• Pass: Allows full access to the infected file without doing anything to the file. A
user may copy/delete/open the file.
Important
During a local upgrade installation, the setup program prompts you to update your
ransomware protection settings in order to receive optimized protection against
ransomware threats.
Applying the updated settings only changes the settings on agents that already have
Behavior Monitoring enabled.
Proxy Server
The Apex One server uses the HTTPS protocol for agent-server communication and to
connect to the Trend Micro ActiveUpdate server and download updates. If a proxy
2-12
Installing Trend Micro Apex One
server handles Internet traffic on the network, Apex One needs the proxy settings to
ensure that the server can download updates from the ActiveUpdate server.
Administrators can skip specifying proxy settings during installation and do so after
installation from the Apex One web console.
Product Activation
Specify the case-sensitive Activation Code you received to activate all Apex One
features.
To obtain the Activation Codes, click Register Online. Setup opens the Trend Micro
registration website. After completing the registration form, Trend Micro sends an email
with the Activation Codes. After receiving the codes, continue with the installation
process.
Product Versions
Install either a full or trial version of Apex One. Both versions require a different type of
Activation Code. To obtain an Activation Code, register the product with Trend Micro.
2-13
Trend Micro Apex One™ Installation and Upgrade Guide
Version Description
Full Version The full version includes all the product features and
technical support, and provides a grace period (usually 30
days) after the license expires. After the grace period
expires, technical support and component updates are not
available. The scan engines continue to scan endpoints
using out-of-date components. These out-of-date
components may not be able to protect endpoints
completely from the latest security risks. Renew the license
before or after it expires by purchasing a maintenance
renewal.
Trial Version The trial version includes all the product features. Upgrade a
trial version to the full version at any time. If not upgraded at
the end of the trial period, Apex One disables component
updates, scanning, and all agent features.
Use the Registration Key that came with the product to obtain Activation Codes (if not
already obtained). Setup automatically redirects to the Trend Micro website for product
registration.
http://olr.trendmicro.com
After registering the product, Trend Micro sends the Activation Codes.
Contact a Trend Micro sales representative to obtain the Registration Key or Activation
Codes, if neither is available at the time of installation.
Note
For questions about registration, refer to:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=en-116326.
2-14
Installing Trend Micro Apex One
Installation Path
2-15
Trend Micro Apex One™ Installation and Upgrade Guide
Server Identification
Specify if Security Agents identify the server computer by its fully qualified domain
name (FQDN), host (domain) name or IP address.
Communication between the server computer and Security Agents is dependent on the
specified IP address. Changing the IP address results in Security Agents not being able
to communicate with the Apex One server. The only way to restore communication is to
redeploy all the Security Agents. The same situation applies if the server computer is
identified by a host name that changes.
In most networks, the server computer’s IP address is more likely to change than its host
name, thus it is usually preferable to identify the server computer by a host name.
2-16
Installing Trend Micro Apex One
Tip
For administrators using the IP address instead of the host name, Trend Micro does not
recommend changing the IP address (obtained from the DHCP server) after the
installation. Administrators can avoid further communication issues with Security Agents
by setting the IP address configuration to Static (on the DHCP server) using the same IP
address information obtained from the DHCP server.
Another way to preserve the IP address configuration is to reserve the IP address for the
Apex One server only. This forces the DHCP server to assign Apex One the same IP
address even when DHCP-enabled.
When using static IP addresses, identify the server by its IP address. In addition, if the
server computer has multiple network interface cards (NICs), consider using one of the
IP addresses instead of the host name to ensure successful agent-server communication.
Web Server
The Apex One web server hosts the web console, allows the administrator to run
console Common Gateway Interfaces (CGIs), and accepts commands from Security
2-17
Trend Micro Apex One™ Installation and Upgrade Guide
Agents. The web server converts these commands to Security Agent CGIs and forwards
them to the Apex One Master Service.
HTTP Port
The web server listens for Security Agent requests on the HTTP port and forwards
these requests to the Apex One Master Service. This service returns information to
Security Agents at the designated Security Agent communication port.
SSL Support
Apex One uses Secure Sockets Layer (SSL) for secure communication between the web
console and the server. SSL provides an extra layer of protection against hackers.
Although Apex One encrypts the passwords specified on the web console before
sending them to the Apex One server, hackers can still sniff the packet and, without
decrypting the packet, "replay" it to gain access to the console. SSL tunneling prevents
hackers from sniffing packets traversing the network.
The SSL version used depends on the version that the web server supports.
The SSL certificate should have a validity period between 1 and 20 years. The
administrator can still use the certificate after it expires. However, a warning message
appears every time SSL connection is invoked using the same certificate.
1. The administrator sends information from the web console to the web server
through SSL connection.
2. The web server responds to the web console with the required certificate.
4. The web console sends data to the web server using RC4 encryption.
2-18
Installing Trend Micro Apex One
Although RSA encryption is more secure, it slows down the communication flow.
Therefore, it is only used for key exchange, and RC4, a faster alternative, is used for data
transfer.
Ports
Web Server and Settings
HTTP HTTPS (SSL)
IIS default website with SSL enabled 80 (not configurable) 443 (not configurable)
IIS virtual website with SSL enabled 8080 (configurable) 4343 (configurable)
2-19
Trend Micro Apex One™ Installation and Upgrade Guide
If you integrate with Apex Central and have purchased the Endpoint Sensor license,
select Install Endpoint Sensor to ensure that all required Endpoint Sensor Services are
available for Security Agents.
Note
This feature is only officially supported on the following platforms:
• Windows 7 SP1
• Windows 8.1
• Windows10
2-20
Installing Trend Micro Apex One
The following table outlines the minimum requirements necessary for installing the
Endpoint Sensor Service.
Redis The Apex One server computer cannot After clicking Next on the
service have an existing Redis service installed. Endpoint Sensor
You must uninstall any existing Redis Installation screen
service and allow the Setup program to
install a new service.
Note
This feature does not support SQL
Server Express versions.
Database Full-Text and Semantic Extractions for After clicking Next on the
configuration Search enabled Apex One Database Setup
screen
For more information on enabling Full-Text
and Semantic Extractions for Search,
see your SQL Server documentation.
Note
If you do not install the Endpoint Sensor Service and select a supported SQL Server with
Full-Text and Semantic Extractions for Search enabled, the only way to use Endpoint
Sensor later is to go to the Uninstall or change a program screen of Windows Control
Panel.
Select the Apex One server and click Change.
2-21
Trend Micro Apex One™ Installation and Upgrade Guide
Important
If you are planning to use the Endpoint Sensor feature, you must create a database on a
properly prepared and supported version of SQL Server.
For more information, see Apex One Endpoint Sensor on page 1-12.
Procedure
1. Choose the location of the Apex One database:
• Install/Create a new SQL Server Express instance: Choose to install SQL
Server 2016 SP2 Express and create the “\OFFICESCAN” database instance
2-22
Installing Trend Micro Apex One
Important
This option is not available if you chose to install the Endpoint Sensor feature.
• SQL Server: Select the preexisting SQL Server installation and the database
instance that Apex One should use.
When using the Windows Account to log on to the server, Apex One applies the
User name of the currently logged on user.
Important
The user account must belong to the local administrator group or Active Directory
(AD) built-in administrator and you must configure the following User Rights
Assignment policies using the Windows Local Security Policy or Group Policy
Management console:
• Log on as a service
The user account must also have the following database roles:
• dbcreator
Note
Only required if you are creating a new database instance using the Setup
program.
• bulkadmin
• db_owner
3. In the Database Name section, specify the name of the database instance on the
SQL Server to use for the required Apex One database(s).
2-23
Trend Micro Apex One™ Installation and Upgrade Guide
Note
• The Endpoint Sensor option only displays if you chose to install the Endpoint
Sensor feature.
• The Setup program automatically creates a new database instance if the specified
database does not exist on the SQL Server. The configured authentication
account must have the dbcreator permission to create a new database.
There are several methods for installing or upgrading Security Agents. This screen lists
the different deployment methods and approximate network bandwidth needed.
Use this screen to estimate the size required on the servers and the bandwidth
consumption when deploying Security Agents to the target endpoints.
2-24
Installing Trend Micro Apex One
Note
All these installation methods require local administrator or domain administrator rights on
the target endpoints.
Setup can install the integrated Smart Protection Server on the target endpoint. The
integrated server provides File Reputation Services to Security Agents that use smart
scan and Web Reputation Services to Security Agents subject to web reputation policies.
Manage the integrated server from the Apex One web console.
Important
This version of Apex One only supports HTTPS communication for File Reputation and
Web Reputation queries.
Trend Micro recommends installing the standalone Smart Protection Server, which has
the same functions as the integrated server but can serve more Security Agents. The
2-25
Trend Micro Apex One™ Installation and Upgrade Guide
standalone server is installed separately and has its own management console. See the
Trend Micro Smart Protection Server Administrator’s Guide for information on the standalone
server.
Tip
Because the integrated Smart Protection Server and the Apex One server run on the same
endpoint, the endpoint’s performance may reduce significantly during peak traffic for the
two servers. To reduce the traffic directed to the Apex One server, assign a standalone
Smart Protection Server as the primary smart protection source and the integrated server
as a backup source. See the Administrator’s Guide for information on configuring smart
protection sources for Security Agents.
2-26
Installing Trend Micro Apex One
Note
Install the Security Agent to other endpoints on the network after server installation.
For more information, see the Administrator’s Guide.
2-27
Trend Micro Apex One™ Installation and Upgrade Guide
Smart Feedback
2-28
Installing Trend Micro Apex One
• File checksums
• Websites accessed
• File information, including sizes and paths
• Names of executable files
You can terminate your participation to the program anytime from the web console.
Tip
You do not need to participate in Smart Feedback to protect your endpoints. Your
participation is optional and you may opt out at any time. Trend Micro recommends that
you participate in Smart Feedback to help provide better overall protection for all Trend
Micro customers.
2-29
Trend Micro Apex One™ Installation and Upgrade Guide
Accept the default Security Agent installation settings or specify a different installation
path. Change the path if there is insufficient disk space on the installation directory.
Tip
Trend Micro recommends using the default settings.
If specifying a different installation path, type a static path or use variables. If the
specified path includes a directory that does not exist on the Security Agent, Setup
creates the directory automatically during Security Agent installation.
To type a static Security Agent installation path, type the drive path, including the drive
letter. For example, C:\Program Files\Trend Micro\Security Agent.
Note
Modification of the Security Agent installation path is not possible after installation of the
Apex One server completes. All installed Security Agents use the same installation path.
2-30
Installing Trend Micro Apex One
When specifying variables for the Security Agent installation path, use the following:
• $BOOTDISK: The drive letter of the hard disk that the endpoint boots from, by
default C:\
• $WINDIR: The Windows directory, by default C:\Windows
The Apex One Firewall protects Security Agents and servers on the network using
stateful inspections, high performance network virus scans, and elimination. Create rules
to filter connections by IP address, port number, or protocol, and then apply the rules to
different groups of users.
2-31
Trend Micro Apex One™ Installation and Upgrade Guide
Optionally choose to disable the Apex One Firewall and enable it later from the Apex
One server web console.
Optionally enable the Apex One Firewall on server platforms. When upgrading with the
Apex One Firewall already enabled on server platforms, select Enable the Apex One
Firewall (on Server platforms) so that Apex One does not disable the Apex One
Firewall after the upgrade.
Anti-spyware Feature
When in assessment mode, all agents managed by the server log spyware/grayware
detected during Manual Scan, Scheduled Scan, Real-Time Scan, and Scan Now but do
not clean spyware/grayware components. Cleaning terminates processes or deletes
registries, files, cookies, and shortcuts.
Trend Micro provides assessment mode to allow for the evaluation of items that Trend
Micro detects as spyware/grayware. Administrators can then configure the appropriate
action. For example, add spyware/grayware detected as a security risk to the spyware/
grayware approved list.
2-32
Installing Trend Micro Apex One
After the installation, refer to the Administrator’s Guide for some recommended actions to
take during assessment mode.
Configure assessment mode to take effect only for a certain period of time by specifying
the number of weeks in this screen. After the installation, change assessment mode
settings from the web console (Agents > Global Agent Settings, on the Secuirty
Settings tab in the Spyware/Grayware Scan Settings Only section).
Web Reputation policies dictate whether Apex One blocks or allows access to a website.
For details about policies, see the Administrator’s Guide.
Selecting Enable Web Reputation Services (on desktop platforms) enables policies
for internal and external agents installed on desktop platforms. Select Enable Web
Reputation Services (on Server platforms) if server platforms require the same level
of web threat protection as desktop platforms.
2-33
Trend Micro Apex One™ Installation and Upgrade Guide
Security Agents use the location criteria configured in the web console’s Endpoint
Location screen to determine their location and the policy to apply. Security Agents
switch policies each time the location changes.
Configure web reputation policy settings from the web console after installation. Apex
One administrators typically configure a stricter policy for external agents.
Web reputation policies are granular settings in the Apex One agent tree. Enforce
specific policies to all agents, agent groups, or individual agents.
When enabling web reputation policies, be sure to install Smart Protection Servers
(integrated or standalone) and add them to the smart protection source list on the Apex
One web console. Security Agents send web reputation queries to the servers to verify
the safety of websites that users are accessing.
Note
The integrated server installs with the Apex One server. For details, see Install Integrated
Smart Protection Server on page 2-25. The standalone server installs separately.
2-34
Installing Trend Micro Apex One
Apex One uses public-key cryptography to authenticate communications that the Apex
One server initiates on agents. With public-key cryptography, the server keeps a private
key and deploys a public key to all agents. The agents use the public key to verify that
incoming communications are server-initiated and valid. The agents respond if the
verification is successful.
Note
Apex One does not authenticate communications that agents initiate on the server.
Apex One can generate the authentication certificate during the installation or
administrators can import a preexisting authentication certificate from another Apex
One server.
2-35
Trend Micro Apex One™ Installation and Upgrade Guide
Specify passwords to access the web console and unload and uninstall the Security
Agent.
2-36
Installing Trend Micro Apex One
Accept the default folder name, specify a new one, or select an existing folder to which
Setup adds the program shortcuts.
2-37
Trend Micro Apex One™ Installation and Upgrade Guide
Installation Information
This screen provides a summary of the installation settings. Review the installation
information and click Back to change any of the settings or options. To start the
installation, click Install.
2-38
Installing Trend Micro Apex One
When the installation is complete, view the readme file for basic information about the
product and known issues.
Administrators can launch the web console to start configuring Apex One settings.
2-39
Chapter 3
3-1
Trend Micro Apex One™ Installation and Upgrade Guide
Upgrade Considerations
This version of Apex One supports upgrades from the following versions:
• XG Service Pack 1
• XG
• 11.0 Service Pack 1
Note
Trend Micro highly recommends applying all available patches and hotfixes to your current
Apex One or OfficeScan server before performing an upgrade.
Visit the following website for a complete list of Apex One system requirements:
http://docs.trendmicro.com/en-us/home.aspx
Consider the following when upgrading the Apex One server and Security Agents:
• IPv6 Support on page 3-2
• Unsupported Operating Systems on page 3-3
• Trend Micro Apex One Settings and Configurations on page 3-3
• Scan Method Deployment During Upgrade on page 3-5
IPv6 Support
The IPv6 requirements for the Apex One server and agent upgrades are as follows:
• The server must already be using an IIS web server.
• Assign an IPv6 address to the server. In addition, the server must be identified by
its host name, preferably its fully qualified domain name (FQDN). If the server is
identified by its IPv6 address, all agents currently managed by the server lose
connection with the server. If the server is identified by its IPv4 address, it cannot
deploy the agent to pure IPv6 endpoints.
3-2
Upgrading Trend Micro Apex One
• Verify that the host machine's IPv6 or IPv4 address can be retrieved using, for
example, the ping or nslookup command.
Important
Upgrading from an OfficeScan server that uses the Apache web server prevents the use of
IPv6 addressing.
3-3
Trend Micro Apex One™ Installation and Upgrade Guide
Tip
This version of Trend Micro Apex One provides a backup mechanism for rollback
purposes. Perform a manual database back up if you do not plan on using the automated
back up during installation.
Procedure
1. Back up the database from the OfficeScan 11.x or XG web console by going to
Administration > Database Backup.
For detailed instructions, see the Administrator's Guide or Server Help for these
product versions.
WARNING!
Do not use any other type of backup tool or application.
2. Stop the OfficeScan Master Service from the Microsoft Management Console.
3. Manually back up the following files and folders found under <Server
installation folder>\PCCSRV:
Note
Back up these files and folders to roll back Trend Micro Apex One only if you
encounter upgrade issues.
3-4
Upgrading Trend Micro Apex One
• Log folder: Contains system events and the connection verification logs
Note
If you encounter upgrade issues, copy the backup files from step 3 to the <Server
installation folder>\PCCSRV folder on the target endpoint and restart the
OfficeScan Master Service.
When upgrading Apex One from an earlier version, retain or customize the scan
method for each domain depending on the upgrade method chosen. Consider the
following:
• When planning to upgrade the OfficeScan 11.x or XG server directly on the server
computer, it is not necessary to make scan method changes from the web console
because agents retain their scan method settings after they upgrade.
• In the Apex One 2019 server, choose manual agent grouping. This agent
grouping method allows for the creation of new domains.
3-5
Trend Micro Apex One™ Installation and Upgrade Guide
Note
When using automatic agent grouping, enable it only after all agents have
upgraded to ensure that all scan method settings are retained during agent
upgrade.
• Duplicate the domain structure and scan method settings in the OfficeScan
11.x or XG server into the Apex One 2019 server. If the domain structure
and scan method settings on the two servers are not identical, some agents
that move to the Apex One 2019 server may not apply their original scan
method settings.
1. The installation package includes updates to the firewall drivers. If you have
enabled the Apex One/OfficeScan firewall in your current server version,
deploying the package may cause the following agent endpoint disruptions:
• When Common Firewall Driver update starts, agent endpoints are temporarily
disconnected from the network. Users are not notified before disconnection.
3-6
Upgrading Trend Micro Apex One
• After deploying the package, the TDI driver's previous version still exists on
the agent endpoint and the new version is not loaded until the endpoint is
restarted. Users are likely to encounter problems with the Security Agent if
they do not restart immediately.
If the option to display the restart notification message is enabled on the web
console, users are prompted to restart. However, users who decide to
postpone the restart are not prompted again. If the option is disabled, users
are not notified at all.
3-7
Trend Micro Apex One™ Installation and Upgrade Guide
problems, it is possible that database files have been locked. In this case,
restart the server computer to unlock the files and then run another upgrade.
Use one of following upgrade methods:
• Upgrade Method 1: Disable Automatic Agent Upgrade on page 3-8
• Upgrade Method 2: Upgrade Update Agents on page 3-10
• Upgrade Method 3: Move Agents to the Apex One 2019 Server on page 3-16
• Upgrade Method 4: Enable Automatic Agent Upgrade on page 3-19
Procedure
• For OfficeScan 11.x and XG servers:
a. Go to Agents > Agent Management.
b. On the agent tree, click the root domain icon ( ) to select all agents.
c. Click Settings > Privileges and Other Settings and go to the Other
Settings tab.
d. Select OfficeScan agents can update components but not upgrade the
agent program or deploy hot fixes.
e. Click Apply to All Agents.
It may take a while to deploy the settings to online agents on a complex
network environment and a large number of agents. Before the upgrade,
allocate sufficient time for settings to deploy to all agents. OfficeScan agents
that do not apply the settings automatically upgrade.
3-8
Upgrading Trend Micro Apex One
b. On the agent tree, click the root domain icon ( ) to select all agents.
c. Click Settings > Privileges and Other Settings and go to the Other
Settings tab.
Configure Apex One server settings using the web console immediately after completing
the installation and before upgrading agents.
For detailed instructions on how to configure Apex One settings, refer to the
Administrator's Guide or Server Online Help.
Procedure
1. Go to Updates > Agents > Automatic Update, and ensure that the following
options are enabled:
3-9
Trend Micro Apex One™ Installation and Upgrade Guide
3-10
Upgrading Trend Micro Apex One
Procedure
• For OfficeScan 11.x and XG servers:
a. Go to Agents > Agent Management.
b. On the agent tree, click the root domain icon ( ) to select all agents.
c. Click Settings > Privileges and Other Settings and go to the Other
Settings tab.
d. Select OfficeScan agents can update components but not upgrade the
agent program or deploy hot fixes.
e. Click Apply to All Agents.
It may take a while to deploy the settings to online agents on a complex
network environment and a large number of agents. Before the upgrade,
allocate sufficient time for settings to deploy to all agents. OfficeScan agents
that do not apply the settings automatically upgrade.
• For Apex One servers:
a. Go to Agents > Agent Management.
b. On the agent tree, click the root domain icon ( ) to select all agents.
c. Click Settings > Privileges and Other Settings and go to the Other
Settings tab.
d. In the Security Agents only update the following components drop-
down, select Pattern Files.
e. Click Apply to All Agents.
It may take a while to deploy the settings to online agents on a complex
network environment and a large number of agents. Before the upgrade,
allocate sufficient time for settings to deploy to all agents. Security Agents that
do not apply the settings automatically upgrade.
3-11
Trend Micro Apex One™ Installation and Upgrade Guide
Procedure
1. Go to Agents > Agent Management.
2. On the agent tree, select the Update Agents to upgrade.
Tip
To locate Update Agents easily, select a domain, go to the Agent tree view on top of
the agent tree and then select Update agent view.
3. Click Settings > Privileges and Other Settings and go to the Other Settings
tab.
4. In the Security Agents only update the following components drop-down,
select All components (including hotfixes and the agent program).
5. Click Save.
6. Go to Updates > Agents > Manual Update.
7. Select the Manually select agents option and click Select.
8. In the agent tree that opens, choose the Update Agents to upgrade.
Tip
To locate Update Agents easily, select a domain, go to the Agent tree view on top of
the agent tree and then select Update agent view.
3-12
Upgrading Trend Micro Apex One
Procedure
1. Go to Agents > Agent Management.
2. On the agent tree, select the Update Agents to upgrade.
Tip
To locate Update Agents easily, select a domain, go to the Agent tree view on top of
the agent tree and then select Update agent view.
3-13
Trend Micro Apex One™ Installation and Upgrade Guide
6. Click Save.
Wait for the Update Agent to finish downloading the agent program before
proceeding to Part 5.
7. Repeat step 1 to step 6 until all Update Agents have applied the necessary settings.
Procedure
1. Go to Updates > Agents > Automatic Update, and ensure that the following
options are enabled:
3. On the agent tree, select the agents that you want to upgrade. You can select one or
several domains, or individual/all agents within a domain.
4. Click Settings > Privileges and Other Settings and go to the Other Settings
tab.
6. Click Save.
3-14
Upgrading Trend Micro Apex One
Upgrade Results
Online Agents
Note
Restart the agent endpoints after the upgrade.
• Automatic Upgrade
Online agents start to upgrade when any of the following events occur:
• The Apex One server downloads a new component and notifies agents to
update.
• The agent restarts and then connects to the Apex One server.
• Schedule update runs on the agent endpoint (only for agents with scheduled
update privileges).
• Manual Upgrade
If none of the above events have occurred, perform any of the following tasks to
upgrade agents immediately:
Note
See the Administrator's Guide for instructions on creating the agent package.
3-15
Trend Micro Apex One™ Installation and Upgrade Guide
Offline Agents
Offline agents upgrade when they become online.
Procedure
1. Perform a fresh installation of the Apex One 2019 server.
For details, see The Setup Program on page 2-9.
3-16
Upgrading Trend Micro Apex One
5. On the agent tree, click the root domain icon ( ) to select all agents.
6. Click Settings > Privileges and Other Settings and go to the Other Settings
tab.
7. In the Security Agents only update the following components drop-down,
select All components (including hotfixes and the agent program).
8. Click Apply to All Agents.
9. Record the following Apex One 2019 server information. Specify this information
on the previous OfficeScan or Apex One server when moving agents:
• Endpoint name or IP address
• Server listening port
To view the server listening port navigate to Administration > Settings >
Agent Connection. The port number displays on the screen.
Procedure
1. On the web console of the previous server, go to Updates > Summary.
2. Click Cancel Notification. This function clears the server notification queue,
which will prevent problems moving clients/agents to the Apex One 2019 server.
3-17
Trend Micro Apex One™ Installation and Upgrade Guide
WARNING!
Perform the succeeding steps immediately. If the server notification queue gets
updated before you move clients/agents, clients/agents might not move successfully.
4. On the agent tree, select the agents that you want to upgrade. Select only online
agents because offline and roaming agents cannot be moved.
b. Specify the Apex One 2019 server computer name/IP address and server
listening port under Move selected agent(s) online to another OfficeScan
Server.
6. Click Move.
Upgrade Results
• Online agents start to move and upgrade.
• For offline agents, instruct users to connect to the network so that the agents
can become online. For agents that are offline for an extended period of time,
instruct users to uninstall the agent from the endpoint and then use a suitable
agent installation method (such as agent packager) discussed in the
Administrator's Guide to install the Security Agent.
Note
Restart the agent endpoints to finish upgrading the agents.
3-18
Upgrading Trend Micro Apex One
If the server manages a small number of agents, consider allowing agents to upgrade
immediately. It is possible to use the upgrade methods discussed previously.
Procedure
a. Go to Updates > Agents > Automatic Update and ensure that the
following options are enabled:
c. On the agent tree, click the root domain icon ( ) to select all agents.
d. Click Settings > Privileges and Other Settings and go to the Other
Settings tab.
e. Select OfficeScan agents can update components but not upgrade the
agent program or deploy hot fixes.
3-19
Trend Micro Apex One™ Installation and Upgrade Guide
a. Go to Updates > Agents > Automatic Update and ensure that the
following options are enabled:
c. On the agent tree, click the root domain icon ( ) to select all agents.
d. Click Settings > Privileges and Other Settings and go to the Other
Settings tab.
Note
To speed up the upgrade process, unload the Security Agent before upgrading any Apex
One server running Windows Server 2008 Standard 64-bit.
Configure Apex One server settings using the web console immediately after completing
the installation and before upgrading agents.
3-20
Upgrading Trend Micro Apex One
For detailed instructions on how to configure Apex One settings, refer to the
Administrator's Guide or Server Online Help.
Upgrade Results
• Online agents upgrade immediately after server upgrade is complete.
• Offline agents upgrade when they become online.
• Independent (formerly roaming) agents upgrade when they become online or, if
the agent has scheduled update privileges, when scheduled update runs.
Note
Restart the agent endpoints to finish upgrading the agents.
3-21
Trend Micro Apex One™ Installation and Upgrade Guide
License Agreement
Read the license agreement carefully and accept the license agreement terms to proceed
with installation. Installation cannot proceed without accepting the license agreement
terms.
Important
Only displays if the previous OfficeScan server used HTTP communication with
OfficeScan agents.
3-22
Upgrading Trend Micro Apex One
Apex One requires the use of the more secure HTTPS protocol for communication
between the server and Security Agents. To avoid connection issues between the
upgraded server and Security Agents, ensure that you configure your Firewall to allow
traffic through port 4343.
Important
You cannot proceed with the upgrade to Apex One 2019 if you do not enable HTTPS
communication.
3-23
Trend Micro Apex One™ Installation and Upgrade Guide
The Setup program assesses the target endpoint resources. During upgrade scenarios, a
warning screen appears if a previous version of the Security Agent program exists on the
target endpoint.
3-24
Upgrading Trend Micro Apex One
Trend Micro recommends enabling ransomware and network attack protection on all
Security Agents.
The following table outlines the Apex One web console features enabled for each
setting.
3-25
Trend Micro Apex One™ Installation and Upgrade Guide
Web Console
Setting Features
Location
Important
Enabling Protect against
ransomware does not automatically
enable the Unauthorized Change
Prevention Service. If you disabled
the service, you must manually
enable the Unauthorized Change
Prevention Service before Security
Agents can protect against
ransomware attacks.
3-26
Upgrading Trend Micro Apex One
Database Back Up
During upgrades, the Setup program provides the option to back up the OfficeScan
database before upgrading to the latest version of Apex One. You can use this backup
information for rollback purposes.
Note
The backup package may require more than 300MB of free disk space.
3-27
Trend Micro Apex One™ Installation and Upgrade Guide
If you integrate with Apex Central and have purchased the Endpoint Sensor license,
select Install Endpoint Sensor to ensure that all required Endpoint Sensor Services are
available for Security Agents.
Note
This feature is only officially supported on the following platforms:
• Windows 7 SP1
• Windows 8.1
• Windows10
3-28
Upgrading Trend Micro Apex One
The following table outlines the minimum requirements necessary for installing the
Endpoint Sensor Service.
Redis The Apex One server computer cannot After clicking Next on the
service have an existing Redis service installed. Endpoint Sensor
You must uninstall any existing Redis Installation screen
service and allow the Setup program to
install a new service.
Note
This feature does not support SQL
Server Express versions.
Database Full-Text and Semantic Extractions for After clicking Next on the
configuration Search enabled Apex One Database Setup
screen
For more information on enabling Full-Text
and Semantic Extractions for Search,
see your SQL Server documentation.
Note
If you do not install the Endpoint Sensor Service and select a supported SQL Server with
Full-Text and Semantic Extractions for Search enabled, the only way to use Endpoint
Sensor later is to go to the Uninstall or change a program screen of Windows Control
Panel.
Select the Apex One server and click Change.
3-29
Trend Micro Apex One™ Installation and Upgrade Guide
Important
If you are planning to use the Endpoint Sensor feature, you must select a database on a
properly prepared and supported version of SQL Server.
For more information, see Apex One Endpoint Sensor on page 1-12.
Procedure
1. Beside SQL Server, select the preexisting SQL Server installation and the database
instance that Apex One should use.
3-30
Upgrading Trend Micro Apex One
When using the Windows Account to log on to the server, Apex One applies the
User name of the currently logged on user.
domain_name\user_name or user_name
Important
The user account must belong to the local administrator group or Active Directory
(AD) built-in administrator and you must configure the following User Rights
Assignment policies using the Windows Local Security Policy or Group Policy
Management console:
• Log on as a service
The user account must also have the following database roles:
• dbcreator
• bulkadmin
• db_owner
4. Click Next.
Important
If you selected to install Endpoint Sensor Services, the Setup program immediately
evaluates whether the selected SQL Server database is properly configured and meets
the minimum requirements. If the SQL Server database does not meet the
requirements, you must select another SQL Server database or go back and choose to
not install Endpoint Sensor.
3-31
Trend Micro Apex One™ Installation and Upgrade Guide
There are several methods for installing or upgrading Security Agents. This screen lists
the different deployment methods and approximate network bandwidth needed.
Use this screen to estimate the size required on the servers and the bandwidth
consumption when deploying Security Agents to the target endpoints.
Note
All these installation methods require local administrator or domain administrator rights on
the target endpoints.
3-32
Upgrading Trend Micro Apex One
Installation Information
This screen provides a summary of the installation settings. Review the installation
information and click Back to change any of the settings or options. To start the
installation, click Install.
Important
Only displays if the previous OfficeScan server had a registered Edge Relay Server.
3-33
Trend Micro Apex One™ Installation and Upgrade Guide
Apex One does not support the older OfficeScan versions of the Edge Relay Server.
You must install a new Edge Relay Server or upgrade your existing Edge Relay Server to
protect off-premises Security Agents.
After installing or upgrading the Edge Relay Server, all Security Agents that you want to
manage using the Edge Relay Server must connect directly to the Apex One server to
obtain the latest Edge Relay Server settings.
For more information about Edge Relay Server installation or upgrade, refer to the Apex
One Administrator's Guide.
3-34
Upgrading Trend Micro Apex One
When the installation is complete, view the readme file for basic information about the
product and known issues.
Administrators can launch the web console to start configuring Apex One settings.
3-35
Chapter 4
Post-installation Tasks
Perform the following tasks after the Apex One server installation completes.
Topics in this chapter:
• Verifying the Server Installation or Upgrade on page 4-2
• Updating the Apex One Server on page 4-4
• Checking Default Settings on page 4-5
• Registering Apex One to Apex Central on page 4-6
4-1
Trend Micro Apex One™ Installation and Upgrade Guide
Apex One server The Trend Micro Apex One server shortcuts appear on the
shortcuts Windows Start menu on the server computer.
Programs list Trend Micro Apex One Server is listed on the Add/Remove
Programs list on the server computer's Control Panel.
Apex One web console Type the following URL in the Internet Explorer browser:
• HTTPS connection: https://<Apex One server
name>:<port number>/officescan
4-2
Post-installation Tasks
Apex One server The following Apex One server services display on the
services Microsoft Management Console:
• Apex One Active Directory Integration Service: This
service displays if the Active Directory integration and
Role-based Administration features work properly.
• Apex One Apex Central Agent: The status for this service
should be "Started" if the Apex One server has been
registered to Apex Central.
• Apex One Deep Discovery Service: The status for this
service should be "Started".
• Apex One Master Service: The status for this service
should be "Started".
• Apex One Log Receiver Service: The status for this
service should be "Started".
• Apex One Plug-in Manager: The status for this service
should be "Started".
• Trend Micro Smart Protection Query Handler: The status
for this service should be "Started".
• Trend Micro Smart Protection Server: The status for this
service should be "Started".
• Trend Micro Local Web Classification Server: The status
for this service should be "Started" if Web Reputation
Services was enabled during installation.
Apex One server When you open Windows Task Manager, DBServer.exe is
processes running.
Server installation log The server installation log, OFCMAS.LOG, exists in %windir%.
4-3
Trend Micro Apex One™ Installation and Upgrade Guide
Program folder The Apex One server files are found under the <Server
installation folder>.
Procedure
1. On the server web console, go to Administration > Smart Protection > Smart
Protection Sources.
4-4
Post-installation Tasks
Note
This section describes performing a manual update. For information on scheduled update
and update configurations, see the Server Online Help.
Procedure
1. Log on to the web console.
2. On the main menu, click Updates > Server > Manual Update.
The Manual Update screen appears, showing the current components, their
version numbers, and the most recent update dates.
3. Select the components to update.
4. Click Update. The server checks the update server for updated components. The
update progress and status display.
Scan Settings
Apex One provides several types of scans to protect endpoints from security risks.
Modify the scan settings from the web console by going to Agents > Agent
Management and clicking Settings > {Scan Type}.
4-5
Trend Micro Apex One™ Installation and Upgrade Guide
Agent Settings
Apex One provides several types of settings that apply to all agents registered to the
server or to all agents with a certain privilege. Modify agent settings from the web
console by going to Agents > Global Agent Settings.
Agent Privileges
Default agent privileges include displaying the system tray icon on the Security Agent
endpoint. Modify default agent privileges from the web console.
1. Go to Agents > Agent Management.
2. Click Settings > Privileges and Other Settings.
Note
Apex Central registration only applies to newly installed Apex One servers.
On the Apex One web console, go to Administration > Settings > Apex Central.
See the Apex One Server Help or Apex One Administrator’s Guide for the procedure.
4-6
Chapter 5
5-1
Trend Micro Apex One™ Installation and Upgrade Guide
• Use the uninstallation program to safely remove the Apex One server from the
endpoint. Before uninstalling the server, move the agents it manages to another
Apex One server.
• Roll back agents to version previous Apex One versions instead of uninstalling the
Apex One server. See Rolling Back the Apex One Server and Security Agents Using the
Server Backup Package on page 5-9.
Before uninstalling the server, move the agents it manages to another Apex One server
with the same version. Consider backing up the server database and configuration files
in order to reinstall the server later.
Procedure
1. Record the following information for the other server. This information is
necessary when moving the agents.
To view the server listening port, go to Administration > Settings > Agent
Connection. The port number displays on the screen.
5-2
Uninstalling and Rolling Back Apex One
3. On the agent tree, select the agents to move and then click Manage Agent Tree >
Move Agent.
4. Under Move selected agent(s) to another Apex One server, specify the server
computer name/IP address and server listening port of the other Apex One (or
OfficeScan) server.
5. Click Move.
If all agents were moved and are already being managed by the other server, it is safe to
uninstall the Apex One server.
Note
During the uninstallation process, Apex One does give you the option of not deleting the
SQL database.
Procedure
1. Stop the Apex One Master Service from the Microsoft Management Console.
2. Manually back up the following files and folders found under <Server
installation folder>\PCCSRV:
5-3
Trend Micro Apex One™ Installation and Upgrade Guide
• Log folder: Contains system events and the connection verification logs
For more information, see Uninstalling the Apex One Server on page 5-4.
If you encounter problems with the uninstallation program, manually uninstall the
server.
Note
For Security Agent uninstallation instructions, see the Administrator’s Guide.
5-4
Uninstalling and Rolling Back Apex One
Procedure
1. Run the uninstallation program. There are two ways to access the uninstallation
program.
• Method A
a. On the Apex One server computer, click Start > Programs > Trend
Micro Apex One Server > Uninstall Apex One. A confirmation
screen appears.
b. Click Yes. The server uninstallation program prompts you for the
administrator password.
c. Type the administrator password and click OK. The server uninstallation
program starts removing the server files. A confirmation message
appears.
• Method B
b. Click Control Panel > Add or Remove Programs. Locate and double-
click "Trend Micro Apex One Server". Follow the on-screen instructions
until you are prompted for the administrator password.
c. Type the administrator password and click OK. The server uninstallation
program starts removing the server files. A confirmation message
appears.
5-5
Trend Micro Apex One™ Installation and Upgrade Guide
Procedure
1. Open the Microsoft Management Console and stop the Apex One Master Service.
2. Open a command prompt and then go to <Server installation folder>
\PCCSRV.
This command uninstalls Apex One-related services but does not remove
configuration files or the Apex One database.
4. Go to <Server installation folder>\PCCSRV\private and open
ofcserver.ini.
Setting Instruction
WSS_INSTALL=1 Change 1 to 0
[WSS_WEB_SERVER]
ServerPort=8082
5-6
Uninstalling and Rolling Back Apex One
IIS_VHostIdx=5
Note
The value for IIS_VHostidx should be the same as the "isapi" value indicated on
the following line:
[WSS_SSL]
SSLPort=<SSL port>
Svrsvcsetup -install
Svrsvcsetup -enablessl
Svrsvcsetup -setprivilege
Procedure
5-7
Trend Micro Apex One™ Installation and Upgrade Guide
WARNING!
The next steps require the deletion of registry keys. Making incorrect changes to the
registry can cause serious system problems. Always make a backup copy before
making any registry changes. For more information, refer to the Registry Editor Help.
a. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Services\.
c. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Trend Micro\OfficeScan\
and delete the OfficeScan hive.
d. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\. Delete the OfficeScan Management Console-
<Server Name> folder.
5. Delete the Apex One website from the Internet Information Services (IIS) console.
b. Expand ServerName.
c. If you installed Apex One on a separate website, go to the Web Sites folder
and then delete Apex One.
d. If you installed Apex One virtual directories under the default website, go to
Default Web Site and then delete the Apex One virtual directory.
5-8
Uninstalling and Rolling Back Apex One
Important
• Administrators can only roll back the Apex One server and agents using the following
procedure if the administrator chose to back up the server during the installation
process. If the server backup files are not available, refer to the previously installed
OfficeScan version's Installation and Upgrade Guide for manual rollback procedures.
• This version of Apex One only supports rollbacks to the following OfficeScan
versions:
• OfficeScan XG
• OfficeScan 11.0
Important
Ensure that you roll back Security Agents before rolling back the Apex One server.
Procedure
5-9
Trend Micro Apex One™ Installation and Upgrade Guide
a. On the Apex One 2019 web console, go to Agents > Agent Management.
b. Select the Security Agents to be rolled back.
c. Click the Settings > Privileges and Other Settings > Other Settings tab.
d. In the Security Agents only update the following components drop-
down, select Pattern files, engines, drivers.
2. On the Apex One 2019 web console, go to Updates > Agents > Update Source.
3. Select Customized Update Source.
4. On the Customized Update Source List, click Add.
A new screen opens.
5. Type the IP addresses of the Security Agents to be rolled back.
6. Type the update source URL.
For example, type:
http://<IP address of the Apex One server>:<port>/Apex One/
download/Rollback
7. Click Save.
8. Click Notify All Agents.
When the Security Agent to be rolled back updates from the update source, the
Security Agent is uninstalled and the previous Security Agent version is installed.
9. After the previous Security Agent version is installed, inform the user to restart the
endpoint.
After the rollback process is complete, the Security Agent continues to report to
the same Apex One server.
5-10
Uninstalling and Rolling Back Apex One
Note
After rolling back the Security Agent, all components, including the Virus Pattern,
also roll back to the previous version. If administrators do not roll back the Apex
One server, the rolled-back Security Agent cannot update components.
Administrators must change the update source of the rolled-back Security Agent to
the standard update source to receive further component updates.
Important
Ensure that you roll back Security Agents before restoring the OfficeScan server.
Procedure
1. Uninstall the Apex One 2019 server.
2. Install the previous OfficeScan server version.
5-11
Trend Micro Apex One™ Installation and Upgrade Guide
Tip
Trend Micro recommends not changing the host name or IP address when restoring
the server.
To verify the previous version of the server, go to the <Server installation folder> and
view the restoration folder created during the Apex One 2019 server installation. The
folder name (referred to as <Restore_folder_version>) is one of the following:
• OSCEXG_SP1: OfficeScan XG Service Pack 1
• OSCEXG: OfficeScan XG
• OSCE11_SP1: OfficeScan 11.0 Service Pack 1
• OSCE11: OfficeScan 11.0
5-12
Uninstalling and Rolling Back Apex One
regsvr32.exe /u /s perfLWCSPerfMonMgr.dll
5-13
Trend Micro Apex One™ Installation and Upgrade Guide
regsvr32.exe /s perfLWCSPerfMonMgr.dll
• World Wide Web Publishing Service (if using the IIS web server)
9. Clean the Internet Explorer cache and remove ActiveX controls manually. For
details on removing ActiveX controls in Internet Explorer 9, see http://
windows.microsoft.com/en-us/internet-explorer/manage-add-ons#ie=ie-9.
Tip
Administrators can confirm a successful rollback by checking the OfficeScan version
number on the About screen (Help > About).
10. Optionally register the OfficeScan server to the Apex Central/Control Manager
server using the web console.
11. After confirming that OfficeScan rolled back successfully, delete all files in the
<Server_installation_folder>\<Restore_folder_version>\
directory.
5-14
Uninstalling and Rolling Back Apex One
Note
Perform a manual rollback if you did not back up the server information during
installation. If you did back up the server information during the server installation,
perform the rollback procedure outlined in Rolling Back the Apex One Server and Security
Agents Using the Server Backup Package on page 5-9.
Procedure
1. Prepare a server with the previous OfficeScan server version installed.
2. Apply the latest hot fixes, patches, or service packs for the previous OfficeScan
server version.
5-15
Trend Micro Apex One™ Installation and Upgrade Guide
3. Replicate the following Apex One 2019 server settings to the previous OfficeScan
server version.
a. Agent settings
• Scan
• Update Agents
• Privileges
• Spyware/Grayware Approved List
• Behavior Monitoring Exception List
b. Global Agent settings
c. Web Reputation settings
• Endpoint location
• Policies
• Proxy
d. Firewall settings
• Policy
• Profiles
e. Connection verification schedule
f. Update settings
• Server scheduled update
• Server update source
• Agent scheduled update
• Agent update source
g. Log maintenance settings
h. Notifications - all notification settings
5-16
Uninstalling and Rolling Back Apex One
i. Administration settings
• Quarantine Manager
• Control Manager
• Database backup
4. On the previous OfficeScan server version, run Agent Packager twice to create two
Security Agent installation packages, one for x86 endpoints and another for x64
endpoints.
Settings on the Security Agent installation package for x86 endpoints:
• Package type: Setup
• Windows operating system type: 32-bit
• Output file: InstNTPkg.exe
Settings on the Security Agent installation package for x64 endpoints:
• Package type: Setup
• Windows operating system type: 64-bit
• Output file: InstNTPkg.exe
Because the two output files have the same file name, save them to separate
locations so that one file does not overwrite the other.
Procedure
1. Prepare the endpoint to act as update source.
2. On the Apex One 2019 server computer, go to <Server Installation
Folder>\PCCSRV and copy the Download folder (including subfolders) to the
update source endpoint (the endpoint prepared in the previous step).
5-17
Trend Micro Apex One™ Installation and Upgrade Guide
For example, copy the Download folder to the following directory on the update
source endpoint:
C:\OfficeScanUpdateSource
RollbackAgent.dll
RollbackAgent_64x.dll
ClientRollback.exe
ClientRollback.exe
ClientRollback.exe
5-18
Uninstalling and Rolling Back Apex One
k. Copy the following compressed files from the temporary folder to the update
source endpoint:
RollbackAgent.zip
RollbackAgent_64x.zip
RollbackNTPkg.zip
RollbackNTPkgx64.zip
Note
Copy the files to the \Download\Product folder on the update source
endpoint. For example, copy the files to C:\OfficeScanUpdateSource
\Download\Product.
a. Ensure that the "Internet Guest Account" has read access to the following
compressed files in \Download\Product (for example,
C:\OfficeScanUpdateSource\Download\Product):
RollbackAgent.zip
RollbackAgent_64x.zip
RollbackNTPkg.zip
RollbackNTPkgx64.zip
Tip
To check the access permission, right-click each file and select Properties. In the
Security tab, the permission for Internet Guest Account should be "Read".
5-19
Trend Micro Apex One™ Installation and Upgrade Guide
6. Modify the following lines in the server.ini file and then save the file:
WARNING!
Do not change any other settings in the server.ini file.
[All_Product]
MaxProductID=109
[Info_109_35000_1_5633]
Update_Path=product/RollbackAgent_64x.zip, <RollbackAgent64
file size>
Where:
Tip
To get the file size, right-click the .zip file and click Properties. Take note of the
size, not the size on disk.
5-20
Uninstalling and Rolling Back Apex One
Procedure
1. On the Apex One 2019 web console go to Updates > Agents > Update Source:
a. Select Customized Update Source.
b. On the Customized Update Source List, click Add. A new screen opens.
c. Type the IP addresses of the agents to be rolled back.
d. Type the update source URL. For example, type:
http://<IP address of update source>/
OfficeScanUpdateSource/
e. Click Save.
The screen closes.
f. Click Notify All Agents.
When agents to be rolled back update from the update source, the Security
Agent is uninstalled and the previous agent version is installed.
2. After the previous agent is installed, inform the user to restart the endpoint. After
the restart, the Security Agent reports to the OfficeScan server prepared in Part 1.
5-21
Chapter 6
Troubleshooting Resources
This chapter describes resources you can use to troubleshoot possible issues with this
version of Apex One.
Topics in this chapter:
• Support Intelligence System on page 6-2
• Case Diagnostic Tool on page 6-2
• Trend Micro Performance Tuning Tool on page 6-2
• Installation Logs on page 6-5
• Server Debug Logs on page 6-5
• Agent Debug Logs on page 6-7
6-1
Trend Micro Apex One™ Installation and Upgrade Guide
Note
The Trend Micro Performance Tuning Tool only supports 32-bit platforms.
6-2
Troubleshooting Resources
Procedure
1. Contact Trend Micro Technical Support to obtain a copy of the Trend Micro
Performance Tuning Tool.
2. Unzip TMPerfTool.zip to extract TMPerfTool.exe.
3. Place TMPerfTool.exe in the <Client installation folder> or in the
same folder as TMBMCLI.dll.
4. Right-click TMPerfTool.exe and select Run as administrator.
5. Read and accept the end user agreement and then click OK.
6. Click Analyze. The tool starts to monitor CPU usage and event loading.
6-3
Trend Micro Apex One™ Installation and Upgrade Guide
7. Select a system-intensive process and click the Add to the exception list (allow)
button ( ).
9. If the performance improves, select the process again and click the Remove from
the exception list button ( ).
b. Click Stop.
c. Click the Generate report button ( ) and then save the .xml file.
6-4
Troubleshooting Resources
d. Review the applications that have been identified as conflicting and add them
to the Behavior Monitoring exception list. For details, see the Administrator’s
Guide.
Installation Logs
Use the installation log files Apex One automatically generates to troubleshoot
installation problems.
Table 6-1. Installation Log Files
6-5
Trend Micro Apex One™ Installation and Upgrade Guide
WARNING!
Debug logs may affect server performance and consume a large amount of disk space.
Enable debug logging only when necessary and promptly disable it if you no longer need
debug data. Remove the log file if the file size becomes huge.
Option 1:
Procedure
1. Log on to the web console.
2. On the banner of the web console, click the "A" in "Apex". This opens the Debug
Log Setting screen.
3. Specify debug log settings.
4. Click Save.
5. Check the log file (ofcdebug.log) in the default location: <Server
installation folder>\PCCSRV\Log.
Option 2:
Procedure
1. Copy the "LogServer" folder located in <Server installation folder>
\PCCSRV\Private to C:\.
6-6
Troubleshooting Resources
[debug]
DebugLevel=9
DebugLog=C:\LogServer\ofcdebug.log
debugLevel_new=D
debugSplitSize=10485760
debugSplitPeriod=12
debugRemoveAfterSplit=1
4. Perform the appropriate task (that is, reinstall the server, upgrade to a new server
version, or perform a remote installation/upgrade).
Note
If the Security Agent is present on the Apex One server, then the agent also outputs
its debug logs in the server’s debug logs.
WARNING!
Debug logs may affect agent performance and consume a large amount of disk space.
Enable debug logging only when necessary and promptly disable it if you no longer need
debug data. Remove the log file if the file size becomes huge.
6-7
Trend Micro Apex One™ Installation and Upgrade Guide
Procedure
1. Create a file named ofcdebug.ini with the following content:
[Debug]
Debuglog=C:\ofcdebug.log
debuglevel=9
debugLevel_new=D
debugSplitSize=10485760
debugSplitPeriod=12
debugRemoveAfterSplit=1
2. Send ofcdebug.ini to agent users, instructing them to save the file to C:\.
LogServer.exe automatically runs each time the agent endpoint starts.
3. To start debug logging, reload the Security Agent or restart the endpoint.
Instruct users NOT to close the LogServer.exe command window that opens
when the endpoint starts as this prompts Apex One to stop debug logging. If users
close the command window, they can start debug logging again by running
LogServer.exe located in \Security Agent\Temp.
6-8
Chapter 7
Technical Support
Learn about the following topics:
• Troubleshooting Resources on page 7-2
• Contacting Trend Micro on page 7-3
• Sending Suspicious Content to Trend Micro on page 7-4
• Other Resources on page 7-5
7-1
Trend Micro Apex One™ Installation and Upgrade Guide
Troubleshooting Resources
Before contacting technical support, consider visiting the following Trend Micro online
resources.
Procedure
1. Go to http://esupport.trendmicro.com.
2. Select from the available products or click the appropriate button to search for
solutions.
3. Use the Search Support box to search for available solutions.
4. If no solution is found, click Contact Support and select the type of support
needed.
Tip
To submit a support case online, visit the following URL:
http://esupport.trendmicro.com/srf/SRFMain.aspx
A Trend Micro support engineer investigates the case and responds in 24 hours or
less.
Threat Encyclopedia
Most malware today consists of blended threats, which combine two or more
technologies, to bypass computer security protocols. Trend Micro combats this complex
malware with products that create a custom defense strategy. The Threat Encyclopedia
7-2
Technical Support
provides a comprehensive list of names and symptoms for various blended threats,
including known malware, spam, malicious URLs, and known vulnerabilities.
Go to http://about-threats.trendmicro.com/us/threatencyclopedia#malware to learn
more about:
• Malware and malicious mobile code currently active or "in the wild"
Website http://www.trendmicro.com
http://www.trendmicro.com/us/about-us/contact/index.html
http://docs.trendmicro.com
7-3
Trend Micro Apex One™ Installation and Upgrade Guide
https://ers.trendmicro.com/
Refer to the following Knowledge Base entry to send message samples to Trend Micro:
http://esupport.trendmicro.com/solution/en-US/1112106.aspx
7-4
Technical Support
http://esupport.trendmicro.com/solution/en-us/1059565.aspx
http://global.sitesafety.trendmicro.com/
Other Resources
In addition to solutions and support, there are many other helpful resources available
online to stay up to date, learn about innovations, and be aware of the latest security
trends.
Download Center
From time to time, Trend Micro may release a patch for a reported known issue or an
upgrade that applies to a specific product or service. To find out whether any patches
are available, go to:
http://www.trendmicro.com/download/
If a patch has not been applied (patches are dated), open the Readme file to determine
whether it is relevant to your environment. The Readme file also contains installation
instructions.
7-5
Trend Micro Apex One™ Installation and Upgrade Guide
Documentation Feedback
Trend Micro always seeks to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro document, please go to the
following site:
http://www.trendmicro.com/download/documentation/rating.asp
7-6
Appendix A
Sample Deployment
This section illustrates how to deploy Apex One based on network topology and
available network resources. Use this as a reference when planning Apex One
deployment in your organization.
A-1
Trend Micro Apex One™ Installation and Upgrade Guide
Basic Network
Figure 1 illustrates a basic network with the Apex One server and agents connected
directly. Most business networks have this configuration where the LAN (and/or WAN)
access speed is 10Mbps, 100Mbps or 1Gbps. In this scenario, the endpoint that meets
the Apex One system requirements and has adequate resources is a prime candidate for
the installation of the Apex One server.
A-2
Sample Deployment
Network information:
• Remote Site 1 WAN link averages around 70 percent utilization during business
hours. There are 35 agent endpoints on this site.
• Remote Site 2 WAN link averages around 40 percent utilization during business
hours. There are 9 agent endpoints on this site.
A-3
Trend Micro Apex One™ Installation and Upgrade Guide
• Server 3 only functions as a file and print server for the group at Remote Site 1.
This endpoint is a possible candidate for installing the Apex One server, but may
not be worth the extra management overhead. All servers run Windows Server
2012. The network uses Active Directory, but mainly for network authentication.
• All agent endpoints in Head Office, Remote Site 1, and Remote Site 2 run
Windows Server 2012 or Windows 7.
Procedure
1. Identify the endpoint on which to install the Apex One server.
2. Identify the available agent installation methods and eliminate methods that do not
fit the requirement. See the Administrator's Guide for more information on the agent
installation methods.
Possible installation methods:
• Login Script Setup
Login Script Setup works well if there is no WAN in place because local traffic
does not matter. However, given that more than 50MB of data transmits to
each endpoint, this option is not viable.
• Remote installation from the web console
This method is valid for all the LAN-connected endpoints at the head office.
Because these endpoints all run Windows Server 2012, it is simple to deploy
the package to the endpoints.
Due to the low link speed between the two remote sites, this deployment
method may impact available bandwidth if Apex One deployment occurs
during business hours. Use the whole link capacity to deploy Apex One
during non-business hours when most people are no longer at work.
However, if users turn off their endpoints, Apex One deployment to these
endpoints is not successful.
• Security Agent package deployment
A-4
Sample Deployment
Security Agent package deployment seems to be the best option for remote
site deployment. However, at Remote Site 2, there is no local server to
facilitate this option properly. Looking at all options in-depth, this option
provides the best coverage for most endpoints.
Procedure
1. Designate one agent to act as an Update Agent on Remote Site 1.
a. Log on to the web console and navigate to Agents > Agent Management.
A-5
Trend Micro Apex One™ Installation and Upgrade Guide
b. In the agent tree, select the agent to act as the Update Agent and click
Settings > Update Agent Settings.
2. Select the agents in Remote Site 1 that update components from the Update Agent.
c. In the screen that displays, type the IP address range of the endpoints in
Remote Site 1.
d. Select Update source and then select the designated Update Agent from the
drop-down list.
The best way to install the Security Agent is to use the same agent package in MSI
format used in Remote Site 1. However, since there is no available server, you cannot
use a Distributed File System (DFS).
Use another Active Directory policy, but again, not specifying the DFS share as the
source.
These methods keep the installation traffic within the local network and minimizes the
traffic across the WAN.
To minimize the impact of component updates across the WAN, designate one agent to
act as an Update Agent. See Remote Site 1 Deployment on page A-5 for more information.
A-6
Index
A fresh installation, 2-2
activation, 1-22 upgrade, 3-2
Activation Code, 2-13, 2-14 Conventional Scan, 2-3
Active Directory, 2-7, A-5
agent installation path, 1-23, 2-30 D
Agent Mover, 5-2 database backup, 3-3, 5-3
Apex Central, 2-6 database back up, 1-24
Apex One debug logs
Apex Central management, 2-6 server, 6-5
documentation, viii default settings
Apex One firewall, 2-31 agent privileges, 4-6
Apex One server global agent settings, 4-6
default settings, 4-5 scan settings, 4-5
installation logs, 4-3 Distributed File System (DFS), A-5
manual update, 4-5
documentation, viii
master service, 4-3
documentation feedback, 7-6
processes, 4-3
registry keys, 4-4 E
services, 4-3 Endpoint Sensor
assessment mode, 2-32 SQL Server, 1-12
automatic agent upgrade, 3-8, 3-15, 3-19 Exceptions
B performance tuning tool, 6-2
backup
F
Apex One server files and folders, 5-3
firewall, 2-31
OfficeScan database, 5-3
fresh installation
C checklist, 1-21
Case Diagnostic Tool, 6-2 considerations, 2-2
Client Packager, A-4 summary, 2-38, 3-33
compatibility issues, 1-24 verification, 4-2
component duplication, 2-5 full version, 2-14
components, 4-4
component updates, 2-5 H
considerations HTTP port, 1-22, 2-18
IN-1
Trend Micro Apex One™ Installation and Upgrade Guide
IN-2
Index
T
terminology, x
third-party security software, 2-6
TMPerftool, 6-2
trial version, 2-14
troubleshooting, 6-1
U
uninstallation
using the uninstallation program, 5-5
unsupported operating systems, 3-3
Update Agent, 2-6
updates, 2-5
upgrade
agents, 3-15, 3-18
checklist, 1-21
considerations, 3-2
summary, 2-38, 3-33
verification, 4-2
W
web console, 2-36, 2-39, 3-35, 4-2
web server, 1-22, 2-17
IN-3