Advanced

User Protection
Lab Guide

@2022 Trend Micro Inc. P a g e 1 | 95


Asia Pacific, Middle East and Africa
Copyright © 2021 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.

Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.

No part of this publication may be reproduced, photocopied, stored in a retrieval system,
or transmitted without the express prior written consent of Trend Micro Incorporated.

Released: September 3, 2021


Trend Micro Apex One as a Service
Courseware v5



Table of Contents
Lab 1: Accessing the Apex One Lab Environment
Exercise 1: Registering for an Apex One as a Service Trial Account
Exercise 2: Access the Product Cloud Lab Environment

Lab 2: Initializing the Apex One as a Service Account
Exercise 1: Run First-time Initialization

Lab 3: Integrating With Active Directory
Exercise 1: Integrate With Microsoft Active Directory

Lab 4: Installing Security Agents
Exercise 1: Create a Security Agent Installation Package
Exercise 2: Save the Agent Download Link
Exercise 3: Install Security Agents
Exercise 4: View the Agent List
Exercise 5: Disable Smart Feedback

Lab 5: Deploying Policies Through Apex Central
Exercise 1: Configure the Agent Polling Interval
Exercise 2: Configure a Policy Template
Exercise 3: Test the New Policy

Lab 6: Creating Update Agents
Exercise 1: Create the Update Agent Policy
Exercise 2: Define the Update Source
Exercise 3: Verify the New Update Source

Lab 7: Protecting Endpoint Computers From Malware
Exercise 1: Configure Real-Time Scans
Exercise 2: Test Virus/Malware Scans
Exercise 3: Test Spyware/Grayware Scans
Exercise 4: View Quarantined Files

Lab 8: Protecting Endpoint Computers Through Behavior Monitoring
Exercise 1: Block Newly Encountered Software

Lab 9: Protecting Endpoint Computers From Unknown Threats
Exercise 1: Enable Predictive Machine Learning

Lab 10: Blocking Web Threats
Exercise 1: Enable Web Reputation
Exercise 2: Protect Endpoint Computers From Browser Exploits

Lab 11: Protecting Endpoint Computers Through Traffic Filtering
Exercise 1: Enable the Firewall Service
Exercise 2: Create a Firewall Policy
Exercise 3: Create a Firewall Profile
Exercise 4: Verify the Firewall Deployment
Exercise 5: Disable the Firewall Policy

Lab 12: Blocking Unauthorized Applications
Exercise 1: Update a Policy
Exercise 2: Test the Policy
Exercise 3: Define Application Control Criteria
Exercise 4: Test the Allow Rule

Lab 13: Protecting Endpoint Computers from Vulnerabilities
Exercise 1: Enable Vulnerability Protection
Exercise 2: Test Vulnerability Protection

Lab 14: Preventing Data Loss
Exercise 1: Configure Data Identifiers
Exercise 2: Configure a Data Loss Prevention Template
Exercise 3: Deploy a New Data Loss Prevention Policy


Lab 1: Accessing the Apex One Lab Environment

This first lab introduces participants to the virtual lab environment used to complete the hands-on
exercises in this Apex One as a Service training course.

The classroom lab environment is delivered as a virtual application through Trend Micro Product Cloud
and will be accessed from a Web browser on your computer. Google Chrome is the preferred browser for
this environment, though other browsers may work if the appropriate plug-ins are enabled and working
properly.

Network Settings
The details and login credentials for each virtual machine in the classroom environment are listed here.

Always log into Windows as the local administrator. Logging in as a domain administrator will display a
different desktop and certain exercise files may not be available.

VM Name: VM-DC2016
• Hostname: dc2016.trend.local
• Operating System: Windows Server 2016
• Addressing: IP 192.168.4.1, subnet mask 255.255.240.0, default gateway 192.168.0.1, DNS 1 ::1, DNS 2 127.0.0.1
• Login: Login Name administrator, Password trendmicro

VM Name: VM-CLIENT-01
• Hostname: client-01.trend.local
• Operating System: Windows Server 2016
• Addressing: IP 192.168.4.2, subnet mask 255.255.240.0, default gateway 192.168.0.1, DNS 1 192.168.4.1, DNS 2 8.8.8.8
• Login: Login Name administrator, Password trendmicro

VM Name: VM-CLIENT-02
• Hostname: client-02.trend.local
• Operating System: Windows 10
• Addressing: IP 192.168.4.4, subnet mask 255.255.240.0, default gateway 192.168.0.1, DNS 1 192.168.4.1, DNS 2 8.8.8.8
• Login: Login Name administrator, Password trendmicro

VM Name: VM-CLIENT-03
• Hostname: client-03.trend.local
• Operating System: Windows 10
• Addressing: IP 192.168.4.6, subnet mask 255.255.240.0, default gateway 192.168.0.1, DNS 1 192.168.4.1, DNS 2 8.8.8.8
• Login: Login Name administrator, Password trendmicro

VM Name: VM-WIN2012
• Hostname: win2012.trend.local
• Operating System: Windows Server 2012 R2
• Addressing: IP 192.168.4.3, subnet mask 255.255.240.0, default gateway 192.168.0.1, DNS 1 192.168.4.1, DNS 2 8.8.8.8
• Login: Login Name administrator, Password trendmicro


Exercise 1: Registering for an Apex One as a Service Trial Account
In this exercise, participants will register for an Apex One as a Service trial account. This trial version of
Apex One as a Service will be available for 30 days and will allow you to manage up to five endpoint
computers.
1 In a Web browser, type the following URL to access the trial registration page for training:
http://go2.trendmicro.com/geoip/trial-175



2 Complete the form, ensuring that your email address is correct. (The confirmation email with the
details of your unique Apex One as a Service instance will be delivered to this address.)
• Create a unique logon ID for your account. This ID will identify you and log you into your
unique service instance.
Write your Logon ID here:
• Provide a password that satisfies the listed criteria.
Write your password here:
• Accept the Trend Micro License Agreement and click Get my Free Trial.
3 After a few minutes, a confirmation email will be sent to the address you provided. These details will
be required in the next lab to initialize your trial account.


Exercise 2: Access the Product Cloud Lab Environment
In this exercise, participants will access the classroom virtual application through the email link delivered
to participants by Trend Micro Product Cloud. The lab environment is available for the duration of
the training session only and will be reset automatically at the end of the final day of class. Google
Chrome is the recommended browser to use for the classroom exercises.
1 In the email message that was sent to you by Trend Micro, click the link to access the lab
environment.

Note: If you did not receive the email message with the link, you may not have been correctly
registered for the class. Please advise the instructor immediately.



2 The Product Cloud Training page is displayed in the browser. The name of the class is displayed in
the frame at the top of the Web page. The Status should be listed as provisioned.

3 Hover your mouse over the computer icon on the right side of the page and click Go To Lab
Detail.



4 A frame with the vApp details is displayed on the right side of the Web page, listing the virtual
machines available in the environment.

5 Hover your mouse over one of the virtual machines, and click Remote Control to enter that
virtual machine.



6 The selected virtual machine will be launched. It will take a moment for the virtual machine to
load and the window to be resized.

7 To log into the virtual machine, click on the toolbar to send a CTRL+ALT+DEL command
to the virtual machine. Log in with the appropriate details.
• User name: Administrator
• Password: trendmicro



8 To maximize the virtual machine window, click on the toolbar.

9 To fit the virtual machine window to the display, click on the toolbar.



10 To switch between the different virtual machines in the environment, click the image switcher in
the upper right-hand corner of the window.

Note: The connection icon on the toolbar will indicate if the network connection is adequate to run
the lab environment. Green bars should be displayed.

Once you are comfortable with navigating around the Product Cloud environment, proceed to Lab



Lab 2: Initializing the Apex One as a Service Account

In this lab, participants will initialize their Apex One as a Service account and prepare the Apex One and
Apex Central servers.

Estimated time to complete this lab: 20 minutes

Exercise 1: Run First-time Initialization


In this exercise, your Apex One as a Service account is prepared and the Apex One and Apex Central
servers are initialized.
1 In the lab environment, switch to the VM-DC2016 virtual machine.
2 Log into Windows Server 2016 with the following credentials if prompted:
• User name: Administrator
• Password: trendmicro

Note: Verify that the keyboard language is set correctly for your locale. See the section Changing
Keyboard Languages Within Virtual Machines at the end of this lab for more details on changing the
default keyboard language within the virtual machine.

3 If an Enable Network Discovery message is displayed when logging into ANY client virtual
machine, click Yes.

4 In the Chrome Web browser, launch the Apex Central as a Service Web Management console
by typing the following URL:
https://manage.trendmicro.com/



5 Log in with the Apex One as a Service credentials you assigned when you created your trial
account in the previous lab.

6 A security alert suggesting you enable two-factor authentication is presented. Click Skip for now.
I accept the risks.



7 You will be prompted to step through the initialization. Click Get Started.

8 Select your Data Center Region, Language and Time Zone and click Next.



9 The Apex One and Apex Central Servers are prepared. It may take about 10 minutes for the
console to be initialized for your account.

10 Once the preparation operations are completed, a Quick Start Guide is displayed. Click Close.



11 The Apex Central as a Service Web Management console is displayed. Bookmark this page
for quicker access in later labs.

12 An email confirmation message is delivered to the email address you used to register your
account. The link to access the Apex Central as a Service Web Management console is also
contained in this message, should you require it in later labs.



Changing Keyboard Languages Within Virtual Machines
Once logged into a virtual machine, verify that the keyboard language is set correctly for your locale.

If your preferred language is not being used, double-click the Change Language shortcut on the desktop.
Click Add a language and make your selection of keyboard languages. Move your new choice of language
to the top of the list using Move Up.

Reboot the computer. Once you log back in, your selected language should be displayed in the
system tray.

Note: You will need to perform these steps on each virtual machine in the environment.

Alternately, a text file on the desktop called Copy and Paste.txt contains entries that can be copied into
any requested fields.


Lab 3: Integrating With Active Directory

In this lab, participants will integrate Active Directory with their instance of Apex One as a Service.

Estimated time to complete this lab: 15 minutes

Exercise 1: Integrate With Microsoft Active Directory


In this exercise, Apex One will be integrated and synchronized with Microsoft Active Directory.
1 In the lab environment, switch to the VM-DC2016 virtual machine.
2 In the Chrome Web browser, launch the Apex Central Web Management console by clicking the
bookmark you created, or by typing the URL from the trial account confirmation email you
received from Trend Micro.
3 In the Apex Central Web Management console, go to Administration > Settings > Active
Directory and Compliance Settings.
4 On the Active Directory Settings tab, click Enable Active Directory Synchronization.



5 The Active Directory synchronization tool must be downloaded and run on the Active Directory
domain controller. Click Download the Active Directory synchronization tool and save the file to
the C:\Temp folder on the DC-2016 server.

6 A warning is displayed regarding previous downloads of the synchronization tool. Click
Download.

7 In Windows Explorer, navigate to the C:\Temp folder and extract the files from the
Apex_Central_ADSyncAgent_xxxx.zip file to C:\Temp.


8 Open a Command Prompt on the DC-2016 server. Navigate to the C:\Temp directory and execute
the following command:
ADSyncAgentTool.exe -i

Note: If you did not extract the files into C:\Temp, navigate to the folder where the decompressed files
reside and run the command.

Provide the following Active Directory details when prompted:


• Server FQDN or IP address: 192.168.4.1
• User name: trend\administrator
• Password: trendmicro
Press n to exit the utility when done. When prompted to provide advanced settings, press n again.

9 Synchronize the server settings by executing the following command:


ADSyncAgentTool.exe -s
When the command displays as successful, close the Command Prompt window.



10 Return to the Apex Central Web Management console and confirm that the Active Directory
details are saved and synchronized.

Note: It may take a moment for the synchronization icon to be displayed. If the icon does not
appear after a few minutes, try refreshing the Web page.

11 Click Save.


Lab 4: Installing Security Agents

In this lab, participants will install Security Agents on endpoint computers in the virtual lab environment.

Estimated time to complete this lab: 30 minutes

Exercise 1: Create a Security Agent Installation Package
In this exercise, an installation package for the Apex One Security Agent for Windows will be created.
1 In the lab environment, switch to the VM-DC2016 virtual machine and log into the Apex Central
Web Management console.
2 Click Administration > Security Agent Download.

Specify the details of the installation package:


• Operating System: Windows 64-bit
• Installation Mode: Full feature set
• Package Type: Standalone
Click Download Installer and save the resulting *.msi file to the Lab Files folder on the desktop.

Note: The package that is downloaded is customized for the instance of Apex One as a Service on
which it was created.



Exercise 2: Save the Agent Download Link
1 Still on the Agent Download page, click get Download Link. The Security Agent download link is
displayed.

2 Click Copy Link.


3 Open the Lab Files folder on the Windows Server 2016 desktop and open the Download Link.txt
file. Paste the copied download link and save the text file. Saving the link in the text file will
allow you to easily access the link on other computers in the lab environment.

Exercise 3: Install Security Agents


1 In the lab environment, switch to the VM-CLIENT-01 virtual machine.
2 Log into Windows Server 2016 with the following credentials if prompted:
• User name: Administrator
• Password: trendmicro
3 On the desktop, open the Lab Files folder and double-click the agent_cloud_x64.msi file to
launch the Security Agent installer and click Run.
After a few moments, the Setup Wizard is displayed.
4 When the Welcome dialog is presented, click Next to begin the setup wizard.



5 The Security Agent components are installed.

6 Once the setup is complete, click Finish to close the wizard.

7 After a moment, the Apex One icon will be displayed in the system tray to indicate it is installed.

8 Restart the computer to complete the installation process if prompted.

9 In the lab environment, switch to the VM-CLIENT-02 virtual machine.


10 Log into Windows 10 with the following credentials if prompted:
• User name: Administrator
• Password: trendmicro
11 Repeat the setup process on the VM-CLIENT-02 virtual machine.



12 In the lab environment, switch to the VM-CLIENT-03 virtual machine.
13 Log into Windows 10 with the following credentials if prompted:
• User name: Administrator
• Password: trendmicro
14 Open the Lab Files folder on the Windows 10 desktop and open the Download Link.txt text file.
15 Copy the download URL from the text file and paste it into the address bar of the Chrome browser.
16 When prompted, save the agent_cloud_x64.msi file to the Windows 10 desktop.
17 Double-click the agent_cloud_x64.msi file to launch the Security Agent installer and step
through the Setup Wizard to install the Security Agent. Restart the computer when prompted.

Exercise 4: View the Agent List


In this exercise, the list of Agents deployed in the previous exercises will be reviewed.
1 In the lab environment, switch to the VM-DC2016 virtual machine. Log into the Apex Central Web
Management console.
2 Click Directories > Users/Endpoints. In the left-hand pane, expand Endpoints and click All. The list
of all endpoints in Apex Central managed products is displayed.

3 Still in the Apex Central Web Management console, click Directories > Product Servers.
4 Click the Apex One as a Service link to access the Apex One Web Management console
through single sign on.


5 In the Apex One Web Management console, click Agents > Agent Management.
6 Double-click the Trend domain and the Agents installed in these exercises are displayed. Ensure
that your list matches what is displayed here.

Exercise 5: Disable Smart Feedback


In this exercise, Smart Feedback will be disabled so that details of the sample files used in the hands-on
labs are not forwarded to the Smart Protection Network.
1 Still in the Apex One Web Management console, click Administration > Smart Protection > Smart
Feedback.

2 Disable Trend Micro Smart Feedback and click Save.


Lab 5: Deploying Policies Through Apex Central

In this lab, participants will configure and deploy an Apex One policy through Apex Central.

Estimated time to complete this lab: 20 minutes

Exercise 1: Configure the Agent Polling Interval


To accelerate the deployment of policies in the classroom environment, the default Agent polling value
will be updated to 5 minutes (the lowest value allowed).
1 In the lab environment, switch to the VM-DC2016 virtual machine. In the Apex Central Web
Management console, click Directories > Product Servers.
2 Click the Apex One as a Service link to access the Apex One Web Management console
through single sign on.

3 Click Agents > Global Agent Settings. On the Network tab, set the Polling Interval value to 5
minutes and click Save.

Agents will now query the Apex One Server for updates every 5 minutes.



Exercise 2: Configure a Policy Template
In a new instance of Apex One as a Service, a random password is assigned for Security Agent unloading
and uninstalling. In this exercise, a new policy will be configured and deployed to assign a known
unloading and uninstalling password to Security Agents on certain endpoints.
1 Return to the Apex Central Web Management console and click Policies > Policy
Management. Click Close to hide the information window that is displayed.

2 In the Product list, select Apex One Security Agent. To create a policy for this product, click
Create or Create one now.



3 The policy template window is displayed. Click Targets in the left-hand pane to select the target
endpoints.

4 Type a name for the policy, for example, Default Agent Policy.
5 Click to enable Filter by Criteria and click Set Filter.

6 This new default policy must be deployed to all Windows 10 computers in the virtual
environment. Click to enable Operating systems and start to type Windows 10. The list will filter as
you type and when Windows 10 is displayed, click to select. Click Save.



7 Identify the policy settings to be deployed. In this example, click Privileges and Other Settings in
the left-hand frame. On the Privileges tab, scroll down to Unload and Unlock and Uninstallation.
Type and confirm a new password that conforms to the password rules, for example Pa$$w0rd,
for both.

8 Click Deploy.



9 The policy will be listed as Pending while it awaits deployment to the filtered target endpoints. It
can take up to five minutes for the policy to deploy, based on the polling interval. Click Refresh at the
top of the policy list to recheck the status.

10 While waiting for the policy to deploy, click the number 2 under the Pending column. This will run
a query to list the two endpoints that were identified through the filtering operation. Close the
tab when you are done.

11 Once applied to the target endpoints, the policy will display with a status of Deployed.



Exercise 3: Test the New Policy
In this exercise, the deployment of the policy will be confirmed on the target endpoint by unloading the
Security Agent with the new password.
1 In the lab environment, switch to the VM-CLIENT-02 virtual machine.
2 Right-click the Security Agent icon in the system tray and click Unload Security Agent.

3 When prompted, type the unload password that you entered when the Default Agent Policy was
configured, for example, Pa$$w0rd.

4 The Security Agent is unloaded from memory and in a moment, the Security Agent icon will
disappear from the system tray in the lower right-hand corner of the Windows screen.
5 To restart the Security Agent on CLIENT-02, click Start > Trend Micro Apex One Security Agent >
Security Agent.



Lab 6: Creating Update Agents

In this lab, participants will create an Update Agent to distribute updates within the classroom
environment.

Estimated time to complete this lab: 15 minutes

Exercise 1: Create the Update Agent Policy


In this exercise, the Security Agent on the CLIENT-03 computer will be promoted to become the Update
Agent for the environment.
1 In the lab environment, switch to the VM-DC2016 virtual machine and in the Apex Central Web
Management console, click Policies > Policy Management.
2 In the Product list, select Apex One Security Agent and click Create.

3 The policy template window is displayed. Type a name for the policy, for example, Update
Agent Policy.
4 Click to enable Specify Target and click Select.



5 CLIENT-03 will be promoted to be the Update Agent. Click the Browse tab and select Product
Directory from the Directory list. Expand Apex Central as a Service until you display the Trend
domain. In the endpoint list, click to select CLIENT-03. Click Add Selected Target and OK.

6 In the left-hand pane of the policy template window, click Update Agent. In the right-hand frame,
click to select the components to be distributed by the Update Agent.



7 Click Privileges and Other Settings in the left-hand frame. On the Privileges tab, scroll down to
Unload and Unlock and Uninstallation. Type and confirm a new password that conforms to the
password rules, for example Pa$$w0rd, for both and click Deploy.

Note: Policy settings are not cumulative. Since CLIENT-03 is receiving a new policy, the Unload and
Unlock and the Uninstallation password policy items must be added to the new policy.

8 The Policy will be listed as Pending while it awaits deployment to CLIENT-03. It can take several
minutes for the policy to deploy, based on the polling interval. Click Refresh at the top of the
policy list to recheck the status.

Note: CLIENT-03 was previously assigned the Default Agent Policy as it matched the attributes of the
filtered policy. Now that CLIENT-03 is specified in this new policy, the Update Agent policy takes
priority.



9 Once applied to the target endpoints, the policy will display with a status of Deployed. Wait until
the policy is deployed before continuing.

Exercise 2: Define the Update Source


The Security Agent on the CLIENT-03 computer will become the update source for Security Agents within
an IP address range. The Agent update source must be updated to refer to the Update Agent.
1 In the Apex One Web Management console, click Updates > Agents > Update Source.
2 Click Customized Update Source and click Add.



3 Configure the IPv4 range and Update Source as follows:

• IPv4: From 192.168.4.2 to 192.168.4.2 (only CLIENT-01 will use this Update Agent)
• Update Source: Select CLIENT-03 from the Update Agent list
Click Save.
4 The Customized Update Source list is updated. Click Notify All Agents.

Note: The External Source is listed as the /activeupdate directory on the Update Agent
computer.

5 A notification confirmation message is displayed. Click Back.



6 In the lab environment, switch to the VM-CLIENT-03 virtual image. Navigate to the following
folder in Windows Explorer to view the update files that are available for distribution to Security
Agents within the assigned range:
C:\Program Files (x86)\Trend Micro\Security Agent\activeupdate
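
The From/To range configured in step 3, worked through as an added example that is not part of the original lab guide: it uses the addresses from the Network Settings table in Lab 1 to preview which lab endpoints a Customized Update Source entry selects before Notify All Agents is clicked. The function names are hypothetical, and first-match ordering of entries is an assumption of this example.

```python
"""Added example: preview which lab endpoints a Customized Update Source
entry selects. Not Trend Micro code; all names here are hypothetical."""
from ipaddress import IPv4Address, IPv4Network

# Lab inventory copied from the Network Settings table in Lab 1.
LAB_HOSTS = {
    "VM-DC2016": "192.168.4.1",
    "VM-CLIENT-01": "192.168.4.2",
    "VM-WIN2012": "192.168.4.3",
    "VM-CLIENT-02": "192.168.4.4",
    "VM-CLIENT-03": "192.168.4.6",
}

# Subnet mask 255.255.240.0 from the same table; strict=False lets a host
# address stand in for the network address (result: 192.168.0.0/20).
LAB_NETWORK = IPv4Network("192.168.4.1/255.255.240.0", strict=False)

# The entry from step 3 of this exercise: (From, To, Update Source).
UPDATE_SOURCES = [("192.168.4.2", "192.168.4.2", "CLIENT-03")]


def validate_entry(first, last, network=LAB_NETWORK):
    """Return a list of problems with one From/To range (empty list = OK)."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    problems = []
    if lo > hi:
        problems.append("From address is above To address")
    for addr in (lo, hi):
        if addr not in network:
            problems.append(f"{addr} is outside {network}")
    return problems


def update_source_for(ip, entries=UPDATE_SOURCES):
    """Return the update source of the first range containing ip, else None.

    First-match ordering is an assumption of this example. None means that
    no customized entry applies to the address; what the agent uses in that
    case is not covered by this exercise.
    """
    addr = IPv4Address(ip)
    for first, last, source in entries:
        if IPv4Address(first) <= addr <= IPv4Address(last):
            return source
    return None


def plan(hosts=LAB_HOSTS, entries=UPDATE_SOURCES):
    """Map every lab VM to its customized update source (or None)."""
    return {name: update_source_for(ip, entries) for name, ip in hosts.items()}


if __name__ == "__main__":
    for first, last, source in UPDATE_SOURCES:
        print(first, last, source, validate_entry(first, last) or "ok")
    for name, source in plan().items():
        print(f"{name:13} -> {source or 'no customized source'}")
```

Passing a wider range to plan(), for example 192.168.4.2 to 192.168.4.6, shows that it would also select VM-WIN2012, VM-CLIENT-02 and the Update Agent itself.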

Exercise 3: Verify the New Update Source


The Security Agents in the IP address range have been notified of the new update source. In this exercise,
you will confirm that the Security Agents are contacting the Update Agent for updates.
1 In the lab environment, switch to the VM-CLIENT-01 virtual machine.
2 Right-click the Security Agent icon in the system tray and click Update Now.
3 Once the update is complete, open the TmuDump.txt file in Windows Explorer in the following
folder to view the update log:
C:\Program Files (x86)\Trend Micro\Security Agent\AU_Data\AU_Log\

4 Scroll towards the bottom of the log file to locate the entries for the latest update, and note that
the server.ini file is now being retrieved from the \activeupdate directory on the CLIENT-03 computer
(the Update Agent).


Lab 7: Protecting Endpoint Computers From Malware

In this lab, participants will enable malware scanning and sample malware will be accessed to trigger the
protection.

Estimated time to complete this lab: 20 minutes

Exercise 1: Configure Real-Time Scans


In this exercise, real-time scanning is configured for agents within the Trend domain.
1 In the lab environment, switch to the VM-DC2016 virtual machine and log into the Apex Central
Web Management console.
2 Click Policies > Policy Management and click to edit the Default Agent Policy.



3 In the policy category list in the left-hand pane, click the Real-time Scan category. On the Action
tab, enable Use the same action for all virus/malware types and set the 1st action to Quarantine.

4 In the policy category list in the left-hand pane, click the Web Reputation category and on the
Internal Agents tab, disable Web reputation for Windows desktop platforms.

Note: The Web site you will access to download a malware sample is blocked by the Apex One Web
reputation protection. The protection is disabled to allow the download of a sample file from the
www.eicar.org Web site.

5 Click Deploy.
6 Once the policy is listed as Deployed, switch to the VM-CLIENT-02 virtual machine.



7 Double-click the Apex One icon in the Windows system tray to display the console.

8 Click the Connection Status icon and note that Real-time Scan is enabled.

Exercise 2: Test Virus/Malware Scans


1 In the Chrome browser on VM-CLIENT-02, type the following URL to access the EICAR web site
or click the bookmark:
http://www.eicar.org/download/eicar.com



2 When prompted, do not save or run the file. Wait a moment and a notification about malware
being downloaded is displayed on the Windows 10 desktop.

3 Click Cancel to terminate the eicar.com download.



4 Click the number 1 in the Threats/Violations Found alert window next to Virus/Malware to open
the Logs viewer for this endpoint computer.

Review the details of the logged event and click Close. Close the Threats/Violations Found
notification window as well.

Note: Even though the malware file was not saved to the computer by clicking Save, the browser still
cached the malware download and triggered the real-time scan.

5 In the lab environment, switch to the VM-DC2016 virtual machine and return to the Apex Central
Web Management console.
6 Click Detections > Logs > Log Query. Select Virus/Malware from the first drop-down list and Last
24 Hours from the third drop-down list and click Search.



7 The details of the event generated by the malware capture will be displayed.

Note: It may take a few minutes for the Security Agent to forward its logs. If the log entry does
not display, try again in a couple of minutes.

Exercise 3: Test Spyware/Grayware Scans


1 In the lab environment, switch to the VM-CLIENT-02 virtual machine. Locate and open the Lab
Files folder on the Windows 10 desktop. In this shared folder, double-click the Spyware_Test_Files
folder.
2 Drag the Spyware_Files_Password_novirus.zip file from the shared folder to the Windows 10
desktop.
3 Once on the Windows 10 desktop, right-mouse click the file and click Extract All. Accept the
default location and click Extract.

4 When prompted, type the archive password of novirus and click OK.



5 After a few moments, a notification about spyware/grayware being detected is displayed on the
Windows 10 desktop.

6 Close the Threats/Violations Found window.


7 In the lab environment, switch to the VM-DC2016 virtual machine. In the Apex Central Web
Management console, run another log query to locate the entry related to the spyware being
detected.

Note: It may take a few minutes for the Security Agent to forward its logs. If the log entry does
not display, try again in a couple of minutes.



Exercise 4: View Quarantined Files
In this exercise, participants will view the files quarantined by the Security Agent.
1 In the lab environment, switch to the VM-CLIENT-02 virtual machine. Open Windows Explorer, and
navigate to the quarantine folder at the following location to verify whether there are any quarantined
files (these will be identified with a .qtn extension):
C:\Program Files (x86)\Trend Micro\Security Agent\Suspect\Backup
2 Still in Windows Explorer, navigate to the following folder on the CLIENT-02 computer:
C:\Program Files (x86)\Trend Micro\Security Agent
3 Double-click vsencode.exe to open the Restore utility:
A list of the quarantined files in the folder is displayed, and these files can be restored from this
location.

Click Close without restoring the file.



Lab 8: Protecting Endpoint Computers Through Behavior Monitoring

In this lab, an unknown application will be accessed to trigger Malicious Behavior
Detection.

Estimated time to complete this lab: 20 minutes

Exercise 1: Block Newly Encountered Software


In this exercise, a software application that has not been encountered previously will be blocked.
1 In the lab environment, switch to the VM-DC2016 virtual machine and log into the Apex Central
Web Management console.
2 Click Policies > Policy Management and click to edit the Default Agent Policy.



3 In the policy category list in the left-hand pane, click Behavior Monitoring. Ensure that Monitor
newly encountered programs... is enabled along with Prompt User. Since this setting is already
enabled, click Cancel as there is no need to redeploy the policy.

4 In the lab environment, switch to the VM-CLIENT-02 virtual image. Access the sample detection
Web site by clicking the Detections bookmark in the browser or typing the following URL:
http://detection.trend.local
5 Click the suspicious link and save the file to the desktop.

6 Double-click the suspicious.exe file on the desktop and click Run.



7 In a moment, a Newly Encountered Program Detected message should be displayed. In this case,
the Census feature detects that this file has a low prevalence, and the Security Agent becomes
suspicious of the file. Do not click any of the options at this point; instead, allow the Time out
value to expire.

8 Since the program was not allowed within the defined timeout, a second notification will appear
in a moment displaying that the threat was blocked through Malicious Behavior Detection.



9 Click the number 1 next to Malicious Behavior Detections to open the Log viewer.

10 Click Close once you have examined the details of the detection. Close the Threats/Violations
Found alert.
11 In the lab environment, switch to the VM-DC2016 virtual machine. In the Apex Central Web
Management console, run a log query to locate any entries related to the behavior monitoring
event.

Note: It may take up to an hour for the Security Agent to forward its Behavior Monitoring logs to the
Apex One Server. If the log entry does not display right away, try again later.

The details of the event generated by behavior monitoring will be displayed.



Lab 9: Protecting Endpoint Computers From Unknown Threats

In this lab, participants will enable Predictive Machine Learning and sample malware will be accessed to
trigger protection.

Estimated time to complete this lab: 20 minutes

Exercise 1: Enable Predictive Machine Learning


1 In the lab environment, switch to the VM-DC2016 virtual machine and log into the Apex Central
Web Management console.
2 Click Policies > Policy Management and click to edit the Default Agent Policy.



3 In the policy category list in the left-hand pane, click Predictive Machine Learning. Ensure that
Enable Predictive Machine Learning is selected and that both File and Process are enabled under
Detection Settings. As these settings are already enabled, there is no need to redeploy the policy.

4 Switch to the VM-CLIENT-02 image and return to the Detections demo site.
5 Click trendx_detect to download a malware sample.



6 Do not run or save the file. After a moment, a Threats/Violations Found notification should be
displayed.

7 Click Cancel on the download message.


8 Click the number link next to Unknown Threats to display additional information regarding the
threat, including that Predictive Machine Learning caught the potential malware.

9 Click Close in the Logs window. Close the Threats/Violations Found alert.
10 You may be prompted to restart the endpoint to complete the cleanup of the ransomware file.
If prompted, restart the server.



11 In the lab environment, switch to the VM-DC2016 virtual machine. In the Apex Central Web
Management console, run a log query to locate any entries related to the predictive machine
learning event.

Note: It may take a few minutes for the log event to display.



Lab 10: Blocking Web Threats

In this lab, participants will configure Web Reputation and sample Web sites will be accessed.

Estimated time to complete this lab: 20 minutes

Exercise 1: Enable Web Reputation


1 In the lab environment, switch to the VM-DC2016 virtual machine and log into the Apex Central
Web Management console.
2 Click Policies > Policy Management and click to edit the Default Agent Policy.

3 In the policy category list in the left-hand pane, click Web Reputation.
4 On the Internal Agents tab, click to re-enable Web Reputation for Windows desktop platforms,
set the Security Level to Medium and click Deploy.



5 Once the policy displays as deployed, switch to the VM-CLIENT-02 virtual machine.
6 In a Web browser, access the sample web sites listed below and note what happens when you
attempt to access each of these sites:
• wrs81.winshipway.com
• wrs71.winshipway.com
• wrs61.winshipway.com
• wrs31.winshipway.com
Sites with a score of 65 or lower will be blocked (since Medium level is set) and the Web browser
will display the following message.

In addition, a Malicious URLs alert should be displayed.



7 Click the number next to Malicious URLs to open the Web Reputation Logs. Note the entries for
the blocked Web sites, then click Close. Close the Threats/Violations Found alert.

8 In Windows Explorer, navigate to the following folder and locate the OfcUrlf.log file:
C:\Program Files (x86)\Trend Micro\Security Agent\Misc
9 Open the file in Notepad and note the details for the blocked websites.

10 In the Web browser, clear the browsing history and close the browser.

Exercise 2: Protect Endpoint Computers From Browser Exploits

In this exercise, malware scanning, web reputation and memory scans will be combined to protect the
endpoint computers from known browser exploits.
1 Return to the VM-DC2016 virtual machine. In the Apex Central Web Management console, edit
the Default Agent Policy.
2 Confirm that the following settings in the Additional Service Settings category are enabled:
• Unauthorized Change Prevention Service
• Advanced Protection Service



By default, these services should be enabled.

3 In the Web Reputation category, ensure that Block pages containing malicious scripts is enabled.

Since these settings were already enabled, there is no need to redeploy the policy. Click Cancel to
close the policy window.



4 In the lab environment, switch to the VM-CLIENT-02 virtual machine. In Internet Explorer, type
the following URLs to access some sample Web pages:
• http://192.168.4.1/CVE-2009-1568.htm
• http://192.168.4.1/CVE-2009-1569.htm
• http://192.168.4.1/CVE-2009-3867.htm
• http://192.168.4.1/CVE-2009-3869.htm
Since these pages contain malicious scripts, policy violation messages should be displayed.

5 Click the number link next to Malicious URLs (this number may vary) to display the log entries for
these page accesses. Click Close once you have noted the details. Close the Threats/Violations
Found alert.



6 In the lab environment, switch to the VM-DC2016 virtual machine. In the Apex Central Web
Management console, run a Web Violations log query to locate any entries related to the Web
event.

Note: It may take a few minutes for the Security Agent to forward its logs. If the log entry does
not display, try again in a couple of minutes.



Lab 11: Protecting Endpoint Computers Through Traffic Filtering

In this lab, participants will create a new firewall policy and profile to block Internet connections from an
endpoint computer.

Estimated time to complete this lab: 30 minutes

Exercise 1: Enable the Firewall Service


In this exercise, you will confirm that Firewall services are enabled in the default policy.
1 In the lab environment, switch to the VM-DC2016 virtual machine and log into the Apex Central
Web Management console.
2 Edit the Default Agent Policy and confirm that the Firewall Service is enabled for Windows
desktop computers in the Additional Service Settings category.

3 Since this service is enabled by default, there is no need to redeploy the policy. Click Cancel.



Exercise 2: Create a Firewall Policy
In this exercise, a new firewall policy will be created to block Web traffic.
1 Log into the Apex One Web Management console, and click Agents > Global Agent Settings. On
the Security Settings tab, click to Enable the Apex One Firewall in the Firewall Settings section.
Click to disable Update the Apex One Firewall driver only after a system restart and click Save.

2 Security Agents are notified of the new settings. Click Back.

3 Refresh the Web console page, then click Agents > Firewall > Policies. The list of default firewall
policies is displayed.



4 Click Add and create a policy to allow all traffic through the Apex One firewall with the following
details:
• Name: Exercise Firewall Policy
• Security level: Low
• Enable firewall: Ensure this Firewall Feature item is enabled
• Display a notification when a Firewall violation is detected: Enabled

5 In the Exception pane, click Add and create an exception to block Web traffic with the following
details.
• Name: Block HTTP and HTTPS
• Application: All applications
• Action: Deny network traffic
• Direction: Inbound and Outbound enabled
• Protocol: TCP
• Specific Ports: 80,443
• IP address(es): All IP addresses



Click Save.
6 The new Exception is displayed. Click the up arrow in the Order column multiple times to move
the new exception above the default HTTP and HTTPS exceptions.

Click Save.



7 The new policy is displayed in the list.
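
Why the reordering in step 6 matters, as an added Python sketch that is not part of the original lab guide or the product's code. It assumes exceptions are evaluated top-down with the first match deciding (which the reordering step implies), that a new exception is appended below the defaults, and that the default HTTP and HTTPS exceptions allow TCP 80 and 443 in both directions; all class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FwException:
    name: str
    action: str            # "allow" or "deny"
    protocol: str          # "TCP" or "UDP"
    ports: frozenset
    directions: frozenset  # subset of {"inbound", "outbound"}

    def matches(self, protocol, port, direction):
        return (protocol == self.protocol
                and port in self.ports
                and direction in self.directions)


BOTH = frozenset({"inbound", "outbound"})

# The exception created in step 5 (values taken from the lab).
BLOCK_WEB = FwException("Block HTTP and HTTPS", "deny", "TCP",
                        frozenset({80, 443}), BOTH)

# Assumed shape of the default exceptions the lab refers to (constructed).
DEFAULT_HTTP = FwException("HTTP", "allow", "TCP", frozenset({80}), BOTH)
DEFAULT_HTTPS = FwException("HTTPS", "allow", "TCP", frozenset({443}), BOTH)

# Assumed order right after the exception is added, and after step 6.
ORDER_AS_ADDED = [DEFAULT_HTTP, DEFAULT_HTTPS, BLOCK_WEB]
ORDER_AFTER_STEP_6 = [BLOCK_WEB, DEFAULT_HTTP, DEFAULT_HTTPS]

# The lab's policy uses security level Low to allow all other traffic.
LOW_DEFAULT = "allow"


def evaluate(exceptions, protocol, port, direction, default_action=LOW_DEFAULT):
    """Return (action, name of the deciding rule) using first-match-wins."""
    for exc in exceptions:
        if exc.matches(protocol, port, direction):
            return exc.action, exc.name
    return default_action, "security level"


def shadowed(exceptions):
    """Names of exceptions that never decide any traffic they describe."""
    result = []
    for exc in exceptions:
        decides = any(
            evaluate(exceptions, exc.protocol, port, direction)[1] == exc.name
            for port in exc.ports
            for direction in exc.directions
        )
        if not decides:
            result.append(exc.name)
    return result


if __name__ == "__main__":
    for label, order in (("as added", ORDER_AS_ADDED),
                         ("after step 6", ORDER_AFTER_STEP_6)):
        print(label)
        for port in (80, 443, 22):
            print("  TCP", port, "outbound ->", evaluate(order, "TCP", port, "outbound"))
        print("  shadowed:", shadowed(order))
```

Under these assumptions, a deny exception left below the default HTTP and HTTPS entries never takes effect, which is the condition the `shadowed` check reports.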

Exercise 3: Create a Firewall Profile


In this exercise, a new firewall profile will be created, allowing the new policy to be applied to Agents.
1 Still in the Apex One Web Management console, click Agents > Firewall > Profiles. The list of
default profiles is displayed.

2 Click Add to create a new profile with the following details:


• Enable this profile: ensure this profile is enabled
• Name: Blocked Agent
• Description: Type an optional description
• Policy: Select Exercise Firewall Policy
• Endpoint: Click to enable Endpoint, then click Select Endpoints from the Agent Tree. Locate
the CLIENT-02 endpoint from the Trend domain. Click Select.



3 CLIENT-02 is now listed under Endpoint. Click Save.



4 Click Apply Profile to Agents.

A banner is displayed in the console advising you that the Security Agents are being notified of
the new settings. On the next Polling operation, the Security Agent will receive details of the
firewall policy.

Exercise 4: Verify the Firewall Deployment


In this exercise, you will confirm the deployment of the Firewall components.
1 In the lab environment, switch to the VM-CLIENT-02 virtual image.
2 Double-click the Apex One icon in the Windows system tray to open the console. Click the
Settings icon at the bottom of the console window. On the Protection tab, click Firewall from the
list. Note that the Exercise Firewall Policy is in effect on this endpoint.

Note: It may take a few minutes for the firewall to enable on the client computer. Click Update in
the Agent Console to accelerate the update process.



3 Click Cancel to close the Settings window.
4 Still on the CLIENT-02 computer, open the Windows Command Prompt as an administrator and
navigate to the Security Agent folder with the following commands:
cd\
cd Program Files (x86)\Trend Micro\Security Agent

Note: The Command Prompt shortcut on the toolbar launches with administrator permissions. If
launching Command Prompt from the Windows menu, right-mouse click the item and click More >
Run as administrator.

5 Type the following command to generate a dump file of the firewall rules in effect on this
endpoint computer:
tmpfw dump
6 In Windows Explorer, locate and open the resulting dump file called !PfwDump.txt in the
following folder:
C:\Program Files (x86)\Trend Micro\Security Agent
7 Open the file in Notepad. Locate the entries for the exceptions to block ports 80 and 443.



8 On the Windows 10 desktop, open a web browser and browse to a random web site. The site
should be blocked. After a moment, a firewall violation notification message should be displayed
on the agent endpoint.

9 Click the number next to Firewall Violations or Network Viruses to view logging details regarding
the firewall violation. Click Close.

Exercise 5: Disable the Firewall Policy


In this exercise, the firewall profile blocking access to HTTP and HTTPS will be deleted so as not to impact
the Agent’s access to the Internet.
1 Return to the Apex One Web Management console on the VM-DC2016 virtual machine.
Click Agents > Firewall > Profiles. The list of current profiles is displayed.



2 Click to select the Blocked Agent profile and click Delete.

3 Click Apply Profiles to Agents.


4 A message is displayed advising you that the Security Agents are being notified of the new
settings.

5 After a few minutes, return to the VM-CLIENT-02 virtual machine and in the Agent console,
confirm that the All Access policy is back in use.

Note: You can click Update to trigger Agent polling to accelerate the removal of the Exercise Firewall
Policy.

6 Attempt to browse to a random Web site. The site should be displayed.



Lab 12: Blocking Unauthorized Applications

In this lab, participants will enable Apex One Application Control to lockdown the inventory of
applications on an endpoint computer and block any unauthorized applications from running.

Estimated time to complete this lab: 30 minutes

Exercise 1: Update a Policy


In this exercise, the Default Agent Policy will be updated to lockdown the application inventory on filtered
endpoint computers.
1 In the lab environment, switch to the VM-DC2016 virtual machine and log into the Apex Central
Web Management console.
2 Click Policies > Policy Management and click to edit the Default Agent Policy.



3 Click Application Control Settings and set the following:

• Enable Application Control: Click to enable


• Lockdown: Click to enable
• Enable assessment mode: Click to disable
Click Deploy.
4 Wait until the policy displays as Deployed before continuing to the next exercise.

Exercise 2: Test the Policy


In this exercise, a new application will be added to the endpoint to test the block. Since this application is
not part of the inventory when lockdown was enabled, the application should be prevented from running.
1 In the lab environment, switch to the VM-CLIENT-02 virtual machine.



2 Open the Security Agent console to view the protection status of this endpoint. Note that
Application Control is enabled on this computer. A padlock symbol will eventually display to
indicate that the endpoint is in Lockdown mode.

Note: If Application Control does not display as enabled (with the green icon), click Update in the
Security Agent console to force a refresh. The inventory process will take several minutes to
complete on the endpoint computer.

3 Open the Lab Files folder on the desktop. Copy the WinMD5.exe file from this folder to the
C:\Temp folder on the CLIENT-02 computer.
4 Once the file has been copied, double-click the file and click Run to execute the application.
5 A block message is displayed.

6 A policy violation message is displayed.



7 In the lab environment, switch to the VM-DC2016 virtual machine. In the Apex Central Web
Management console, run an Application Control log query to locate any entries related to the
events.

Exercise 3: Define Application Control Criteria


In this exercise, the blocked application will be allowed by adding a new Allow criteria.
1 In the lab environment, switch to the VM-DC2016 virtual machine and return to the Apex Central
Web Management console.
2 Click Policies > Policy Resources > Application Control Criteria. A single default criteria is
displayed. The Assess Gray Software List Applications criteria will be displayed when the
Certified Safe Software List Pattern has been downloaded.

3 Click Add Criteria and select Allow.



4 Create an Allow criteria with the following details:

• Name: Allow WinMD5


• Trust Permission: Application cannot execute external processes
• Match method: File paths
- Specific path
- String
- C:\Temp\winmd5.exe
Click Save.
5 The new Criteria is listed.



6 Return to Policies > Policy Management. Click the Default Agent Policy and click Application
Control.

7 In the User-Defined Rules section, click the All user accounts rule. The policy criteria are
displayed in the Available criteria column.



8 Click each criteria one at a time to move them into the Selected criteria column and click OK.

9 Scroll down and click Deploy. Wait until the new policy is deployed before proceeding to the next
exercise.

Exercise 4: Test the Allow Rule


In this exercise, the previously blocked application will be launched once again to test the Allow criteria.
1 In the lab environment, switch to the VM-CLIENT-02 virtual machine.
2 In Windows Explorer, navigate to the C:\Temp folder and double-click WinMD5.exe.
3 The application should run.

4 Click Exit to close the application.



Lab 13: Protecting Endpoint Computers from Vulnerabilities

In this lab, participants will enable Apex One Vulnerability Protection to protect an endpoint computer
from operating system exploits.

Estimated time to complete this lab: 20 minutes

Exercise 1: Enable Vulnerability Protection


In this exercise, vulnerability protection will be enabled for a single computer.
1 In the lab environment, switch to the VM-DC2016 virtual machine and log into the Apex Central
Web Management console.
2 Click Administration > Updates > Manual Update. Expand Intrusion Prevention and note that the
Vulnerability Protection Pattern has been downloaded. This pattern is updated regularly and
contains the rules to protect the endpoint from vulnerabilities.



3 Click Policies > Policy Resources > Intrusion Prevention Rules. The IPS rules currently downloaded
are displayed.

4 Click Policies > Policy Management and edit the Default Agent Policy.
5 In the policy category list in the left-hand pane, click the Web Reputation category and on the
Internal Agents tab, disable Web reputation for Windows desktop platforms.

Note: The Web Reputation protection enabled in the policy will block the eicar web site used in this
exercise before the Vulnerability Protection kicks in. Disabling Web Reputation will allow the
intrusion prevention rules to block the sample site.



6 Click the Vulnerability Protection policy category in the left-hand frame and ensure that Enable
Vulnerability Protection is selected. Click to enable the Recommended profile.

7 In the Search field, type eicar and press <enter>. The Restrict Download of EICAR Test File Over
HTTP rule is displayed. Note that this rule is disabled in the Recommended profile. This rule will
allow you to test that the intrusion prevention rules are being enforced on the endpoint
computer. Change the Status for this rule to User-Defined (Enabled).



8 A message indicating a dependency for the user-defined rule is displayed. Click Configure All to
add this dependency to the applied rules.

9 Click Deploy and wait until the policy is deployed before continuing.

Exercise 2: Test Vulnerability Protection


In this exercise, the EICAR sample file will be downloaded to trigger the Vulnerability Protection rule.
1 In the lab environment, switch to the VM-CLIENT-02 image and confirm that Vulnerability
Protection has been deployed.

2 In a Web browser on the CLIENT-02 computer, click the EICAR bookmark, or type the following
URL to download the EICAR test file:
http://www.eicar.org/download/eicar.com



3 The connection to the Web page should be reset and a browser error displayed.

4 Return to the Apex Central Web Management console and run a log query to locate the entry
related to the Intrusion Prevention Rules being triggered.



Lab 14: Preventing Data Loss

In this lab, participants will configure Apex One Data Loss Prevention to block files containing specific
data from leaving the endpoint computer.

Estimated time to complete this lab: 20 minutes

Exercise 1: Configure Data Identifiers


In this exercise, participants will configure new data identifiers.
1 In the lab environment, switch to the VM-DC2016 virtual machine and log into the Apex Central
Web Management console.
2 Click Policies > Policy Resources > DLP Data Identifiers.
3 In the Data Identifiers window, click the Keyword Lists tab and click Add.



4 In the Properties section, configure the following settings:
• Name: Exercise keywords
• Criteria: Combined score for keywords exceeds threshold
• Score Threshold: 9

5 In the Keywords section, add the following words and assign the listed scores. Click Add after
each one to append the word to the list.
Keyword        Score   Case Sensitive
contract       3       Disabled
Taylor         2       Disabled
confidential   5       Disabled



6 The Keywords List will display the custom keywords and their corresponding score.

Click Save.
7 A success message is displayed. Click Close.

8 To simplify the location of custom lists, the prefix of Managed will be added to the name.
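
What this keyword list matches in practice, as an added Python example that is not from the lab guide or the product. It assumes whole-word matching, that each keyword contributes its score once per document, and that "exceeds" means strictly greater than the threshold; the function names are hypothetical and the sample texts are constructed.

```python
import re
from itertools import combinations

# Keyword list from Exercise 1: (keyword, score, case_sensitive)
KEYWORDS = [
    ("contract", 3, False),
    ("Taylor", 2, False),
    ("confidential", 5, False),
]
SCORE_THRESHOLD = 9


def matched_keywords(text, keywords=KEYWORDS):
    """Return (keyword, score) for every listed keyword found in text.

    Assumptions: whole-word matching, and a keyword is counted once
    no matter how many times it occurs.
    """
    found = []
    for word, score, case_sensitive in keywords:
        flags = 0 if case_sensitive else re.IGNORECASE
        if re.search(r"\b" + re.escape(word) + r"\b", text, flags):
            found.append((word, score))
    return found


def combined_score(text, keywords=KEYWORDS):
    return sum(score for _, score in matched_keywords(text, keywords))


def is_violation(text, keywords=KEYWORDS, threshold=SCORE_THRESHOLD):
    # "Combined score exceeds threshold" modelled as strictly greater than.
    return combined_score(text, keywords) > threshold


def minimal_trigger_sets(keywords=KEYWORDS, threshold=SCORE_THRESHOLD):
    """Smallest keyword combinations whose summed scores exceed the threshold."""
    minimal = []
    for size in range(1, len(keywords) + 1):
        for combo in combinations(keywords, size):
            names = frozenset(word for word, _, _ in combo)
            if sum(score for _, score, _ in combo) <= threshold:
                continue
            # Skip combinations that only extend an already sufficient set.
            if any(existing < names for existing in minimal):
                continue
            minimal.append(names)
    return [sorted(names) for names in minimal]


# Constructed sample documents (not the lab's test file).
SAMPLES = {
    "all three keywords": "CONFIDENTIAL: the contract for Taylor Ltd is attached.",
    "two keywords": "This confidential contract is still in draft.",
    "repeated keyword": "contract contract contract confidential",
    "no keywords": "Lunch menu for Friday.",
}

if __name__ == "__main__":
    print("Minimal trigger sets:", minimal_trigger_sets())
    for label, text in SAMPLES.items():
        print(f"{label}: score={combined_score(text)} violation={is_violation(text)}")
```

Under these assumptions, only a document containing all three keywords scores 10 and exceeds the threshold of 9; any two keywords reach at most 8.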

Exercise 2: Configure a Data Loss Prevention Template

In this exercise, a Data Loss Prevention Template will be configured.
1 Still in the Apex Central Web Management console, click Policies > Policy Resources > DLP
Templates.



2 In the Data Loss Prevention Templates window, click Add.

3 Complete the Properties section in the Data Loss Prevention Templates window as follows:
• Name: Confidential Contracts
• Available data identifiers: search for Exercise keywords. Click to select it and click >> to add
it to the Selected data identifiers list.
Click Add to Template, then Save.



4 A notification is displayed once the settings are successfully changed. Click Close.

5 Verify that the new Confidential Contracts template has been added to the list of available
templates.

Exercise 3: Deploy a New Data Loss Prevention Policy


In this exercise, participants will create and deploy a new Data Loss Prevention Policy.
1 In the Apex Central Web Management console, click Policies > Policy Management. Select Apex
One Data Loss Prevention as the product to apply the policy to and click Create.



2 Type a name for the policy, for example, Exercise DLP policy. Click Specify Target(s) and click
Select to identify the endpoints to receive the Data Loss Prevention rules.

3 On the Browse tab, locate and select CLIENT-02 in the Product Directory and click Add Selected
Targets, then OK.

4 Click Apex One DLP in the left-hand pane. On the Internal Agents tab, click Enable Data Loss
Prevention and click Add for a new rule.



5 On the Templates tab, type a name for the rule, for example, Exercise Contracts Rule. Use
Search to locate the Confidential Contracts and HIPAA templates to apply to the policy and click
Add > to move to the Selected templates list.

6 Click the Channel tab and enable the channel(s) that will be monitored by the policy. Click to
enable all the channels listed.

7 Click the Action tab to select the operations that will be triggered by the policy. Click to select the
Block action along with Notify the agents user, Record data and User Justification. Click Save.



8 The rule is added to the list. Click Deploy.

9 Wait until the policy is displayed as Deployed.

10 In the lab environment, switch to the VM-CLIENT-02 virtual machine and verify that Data Loss
Prevention is deployed from the Security Agent console on the client computer.



11 Open a connection to a shared folder on the CLIENT-03 computer by clicking Run on the taskbar
and typing the following path:
\\192.168.4.6\c$
12 Locate the Data Loss Prevention Test Document.txt file on the desktop of the CLIENT-02
computer and drag the file over to the opened shared folder window for CLIENT-03.
13 When the User Justification message appears, select Yes and choose a reason. Click OK.

14 A Data Loss Prevent Violation message is displayed. Click Close.



15 In the lab environment, switch to the VM-DC2016 virtual machine. In the Apex Central Web
Management console, run a log query to locate the entry related to the Data Loss Prevention
detection.



www.trendmicro.com
