
ApexOne Deployment Requirement


Apex One™

Deployment Methods
Suthinand Tannil (World)
Security Consultant, Thailand
Apex One™: Single Converged Agent
Feature enablement depends on licensing.
Threat Detection & Response capabilities including:
• Pre-execution & Runtime ML
• IOA Behavioral Analysis
• Application Control
• EDR Investigation
• Exploit Detection
• Virtual Patching
• DLP & Device Control
• MDR Service
• In-memory Detection
• Isolation / Quarantine
• SaaS Management
• Cloud Sandbox
Package: Smart Protection for Endpoints
ADD: Extra-Cost Add-on Options

2 © 2019 Trend Micro Inc.


Full SaaS and on-premise parity
• Advanced threat detection
• Machine Learning (pre-execution and runtime)
• IOA Behavioral analysis
• Exploit Prevention
• Virtual Patching
• Application Control
• Integrated DLP
• Device Control
• Centralized Visibility
• EDR

Ability to migrate easily, or deploy hybrid

Optimized: Simple, Flexible Packaging
Smart Protection for Endpoints / Smart Protection Complete / Optional Add-ons
• Machine Learning
• Application Control
• IOA Behavioral Analysis
• Virtual Patching
• Anti-malware
• Endpoint Encryption
• DLP
• Mobile Security
• Network Sandbox
• Investigation Sensor
Messaging, Web, SaaS:
• Web GW
• Email GW
• Email Server
• Office365
• Box
• Dropbox
• Google Drive

Architecture Diagram
[Diagram. Components shown: Internet, Management Console, Active Update Server, Smart Protection Server (Optional), Apex One Server, Apex One Database, Apex One Security Agents, External Apex One Security Agent, Edge Server, Apex Central, Deep Discovery Analyzer. Connection labels: SSL; HTTP for Commands and Updates; Custom Port for Notifications.]


Introduction
• Features
– Web-based Management Console
– Off-Premise Management
– Multiple Server and Client Deployment Options
– Administration
– Apex Central Integration
– Active Directory Integration


[Diagram: Apex Central, Apex One, Edge Relay, Apex One]


Architecture Components
• Apex One server(s)
• Apex Central server
• Smart Protection server(s)
• Edge Relay server(s)
• Apex One Agents
• Web-based management console



Architecture Components
• Apex Central Server
– The centralized management server for Trend Micro products, agent configurations, centralized logs and updates.
– Can manage both OfficeScan server and Apex One server


Architecture Components
• Apex One Server
The central repository for all agent configurations, security risk, logs and updates.

The server performs two important functions:

1. Installs, monitors, and manages ALL Apex agents.


2. Downloads most of the components needed by the agents.



Architecture Components
• Apex One Server

Services
• OfficeScan Master Service
• Web server
• i* Service i.e. iVP Service
• Trend Micro Smart Scan Server (integrated)
• Apex Central Agent
• Apex Active Directory Integration Service
Processes
• Trend Micro Apex Database Server



Architecture Components
• Apex One Agent

Protects endpoints (Windows computers) from security risks

Sends events and status information of the endpoint to the parent server in real time.

(Examples of events are virus/malware detection, agent startup, agent shutdown, start of a scan, and
completion of an update.)



Architecture Components
• Apex One Agent
Services
• Apex One Data Discovery Service (DLP, DataDiscovery.exe)
• Apex One Data Protection Service (DLP+ Device Control, DSAGENT.exe)
• Endpoint Sensor Engine Wrapper (EDR, ESEServiceShell.exe)
• Endpoint Sensor Service (EDR, ESClient.exe)
• NT Listener (TmListen.exe)
• Real-time Scan (Ntrtscan.exe)
• Common Client Solution (TmCCSF.exe)
• NT Firewall (TmPfw.exe)
• Unauthorized Change Prevention Service (TMBMSRV.exe)
Processes
• Plugin Manager (CNTAoSMgr.exe)
• Browser Exploit Detection (TmsaInstance64.exe)



Architecture Components
• Smart Protection Server

Hosts the Smart Scan Pattern and Web Blocking List

These patterns contain the majority of the pattern definitions and URL reputations.


Architecture Components
• Smart Protection Server

INTEGRATED Smart Protection Server:


Installs on the same computer where the Apex One server is installed.

STANDALONE Smart Protection Server:


Installs on a different server (virtual)
Has a separate management console



Architecture Components
• Apex One & Central Web Console

Central point for monitoring Apex One throughout the corporate network.

Used to manage Apex One agents in the network.



Service Display Name: Apex One NT Listener
Service Name: tmlisten
Process Name: tmlisten.exe
Description: This service receives commands and notifications from the Apex One server. TmListen.exe performs the following functions:
• Server-agent communication
• Update
• Component startup
• Log delivery

Service Display Name: Apex One NT RealTime Scan
Service Name: ntrtscan
Process Name: ntrtscan.exe
Description: This service uses VSAPI, SSAPI, DCE, and ICRC modules in performing manual, on-demand, and real-time scanning functionalities. It also uses Predictive Machine Learning (TrendX) modules in performing real-time scanning functionalities.

Service Display Name: Apex One NT Firewall
Service Name: TmPfw
Process Name: TmPfw.exe
Description: This service is responsible for Apex One Security Agent firewall functionality. Through the central management console, administrators can create rules and apply them to filter connections (e.g., filter by application, IP address, port number, or protocol).

Service Display Name: Trend Micro Unauthorized Change Prevention Service
Service Name: TMBMServer
Process Name: TMBMServer.exe
Description: This service protects the Apex One Security Agent registry and processes from unauthorized changes. It also loads the Falcon Module used for Behavior Feature Collection of Predictive Machine Learning (TrendX).

Service Display Name: Apex One Monitor
Process Name: PccNTMon.exe
Description: This process provides the user-interactive components of the Apex One Security Agent. It is responsible for the following functions:
• Starting the security agent console (PccNt.exe)
• Displaying the security agent icon in the system tray
• Sending quarantined files to the Apex One server
• Detecting Internet Explorer proxy settings

Service Display Name: Trend Micro Apex One Client Plug-in Service Manager
Process Name: CNTAoSMgr.exe
Description: The Plug-in manager downloads add-on applications from the Apex One server.



Service Display Name: Trend Micro Endpoint Sensor Service (Agent)
Service Name: TMESC
Process Name: ESClient.exe
Description: Integrated Endpoint Sensor (iES) agent service. This service provides endpoint sensor control capabilities.

Service Display Name: Trend Micro Application Control Agent Service
Service Name: TMiACAgentSvc
Description: Agent service that provides application and device control capabilities.

Service Display Name: Trend Micro Vulnerability Protection Service (Agent)
Service Name: iVPAgent
Description: Integrated Vulnerability Protection agent service. This service detects Intrusion Prevention rule violations and automates the application of virtual patches before official patches become available.

Service Display Name: Trend Micro Advanced Threat Assessment Service (Agent)
Service Name: ATASAgent
Process Name: ATASAgent.exe
Description: This is an Integrated Trend Micro Advanced Threat Assessment Service Agent.

Service Display Name: Trend Micro Forensic Toolkit
Process Name: TmForensicManager.exe
Description: This is used by iATAS for its investigation task. Refer to iATAS section for more details.
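
A health check for the agent services listed in the two tables above, as an added example that is not part of the original slides and is not Trend Micro tooling. The service names come from the tables; the split into core and licence-dependent services and the function name Get-ApexAgentServiceAudit are assumptions made here.

```powershell
# Added example (not Trend Micro code). Service names are the ones listed on this page.
# Assumption: Core = $true marks services expected on every agent; the others depend
# on licensing / Apex Central features and may legitimately be absent.
$ExpectedServices = @(
    [pscustomobject]@{ Name = 'tmlisten';      Role = 'NT Listener';                    Core = $true  }
    [pscustomobject]@{ Name = 'ntrtscan';      Role = 'Real-time Scan';                 Core = $true  }
    [pscustomobject]@{ Name = 'TMBMServer';    Role = 'Unauthorized Change Prevention'; Core = $true  }
    [pscustomobject]@{ Name = 'TmPfw';         Role = 'Firewall';                       Core = $false }
    [pscustomobject]@{ Name = 'TMESC';         Role = 'Endpoint Sensor';                Core = $false }
    [pscustomobject]@{ Name = 'TMiACAgentSvc'; Role = 'Application Control';            Core = $false }
    [pscustomobject]@{ Name = 'iVPAgent';      Role = 'Vulnerability Protection';       Core = $false }
    [pscustomobject]@{ Name = 'ATASAgent';     Role = 'Advanced Threat Assessment';     Core = $false }
)

function Get-ApexAgentServiceAudit {
    param([object[]]$Services = $ExpectedServices)

    foreach ($s in $Services) {
        $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue

        # A disabled or stopped core service means the endpoint is unprotected
        # or the agent has been tampered with; optional ones are only reported.
        $finding = if (-not $svc) {
            if ($s.Core) { 'MISSING' } else { 'NotInstalled' }
        } elseif ($svc.StartType -eq 'Disabled') {
            'DISABLED'
        } elseif ($svc.Status -ne 'Running') {
            if ($s.Core) { 'STOPPED' } else { 'NotRunning' }
        } else {
            'OK'
        }

        [pscustomobject]@{
            Service   = $s.Name
            Role      = $s.Role
            Core      = $s.Core
            Status    = $svc.Status
            StartType = $svc.StartType
            Finding   = $finding
        }
    }
}

$audit = Get-ApexAgentServiceAudit
$audit | Format-Table -AutoSize
$bad = $audit | Where-Object { $_.Core -and $_.Finding -ne 'OK' }
if ($bad) { Write-Warning ("Core protection services not healthy: " + ($bad.Service -join ', ')) }
```

Run it in Windows PowerShell 5.1 or later on an endpoint with the Security Agent installed; the StartType property is not available on older versions.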



Apex One Security Agent Interface



Installing Apex One
Note:
• Remove third-party endpoint security software.
• Make sure you have ADMINISTRATOR RIGHTS on the target endpoint(s).
• Server must be part of an Active Directory domain to take advantage of the Role-based Administration and Security Compliance features.


Installation Options

Fresh Install – No existing Apex One on the server

Upgrade – Install Apex One on top of existing OfficeScan

• https://success.trendmicro.com/solution/1122308-quick-migration-guide-for-trend-micro-apex-one


Supported Upgrade Path
• Trend Micro Apex One™ supports upgrades from the following versions:
– OfficeScan XG Service Pack 1
– OfficeScan XG
– OfficeScan 11.0 Service Pack 1
• Trend Micro Apex Central™ supports upgrades from the following versions:
– Control Manager 6.0 Service Pack 3 Patch 3
– Control Manager 7.0
– Control Manager 7.0 Patch 1
• Trend Micro highly recommends applying all available patches and hot fixes to
your current Apex One, OfficeScan, Apex Central, or Control Manager server
before performing an upgrade.



Note:
• Trend Micro Apex Central™ is required to enable additional
features of Apex One, such as:
– Apex One Application Control
– Apex One Endpoint Sensor
– Apex One Vulnerability Protection
– Managed Detection and Response Service
– Sandbox as a Service



Apex One Hardware Requirement

Apex One Hardware Requirement

Apex Central Hardware Requirement

System Requirement


Note:
• For a detailed step-by-step install/upgrade guide and post-installation tasks, please refer to the Install and Upgrade Guide:
– Apex One Installation and Upgrade Guide
– Apex Central Installation and Upgrade Guide


Endpoint System Requirement

If a client OS is not in this support list, consider keeping the old OfficeScan server and creating a new server for Apex One, using the same Apex Central server (Control Manager).


Communication Ports



Communication Ports
• Integrated Smart Protection Server Ports

Name: HTTP-Integrated Protection Server Port
Apex One Server virtual site (IIS): 8082
Default Website (IIS): 443
Description: Apex One server uses this port to receive queries from OfficeScan clients as part of Cloud Client File Reputation (CCFR) functionality.

Name: HTTPS-Integrated Server Port
Apex One Server virtual site (IIS): 4345
Default Website (IIS): 443
Description: When using the Apex One virtual site, the scan server uses port 4345 if the Apex One management console uses HTTP. If HTTPS functionality is used, the scan server uses 4343.

• Local Web Classification Port

Name: LWCS Port
Apex One Server virtual site (IIS): 8080
Default Website (IIS): 80
Description: Scan server uses this port to receive queries from Apex One agents as part of the Web Reputation functionality.


New Installation Pre-requisite
