Scribd
Upload
38 views99 pages

TRENDsCampus - ADVANCED - User Protection - Lab Guide v5.1

Uploaded by

famaruqe
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
38 views99 pages

TRENDsCampus - ADVANCED - User Protection - Lab Guide v5.1

Uploaded by

famaruqe
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 99

ADVANCED

User Protection Lab


Guide

1|Page
@2021 Trend Micro Inc.
@2020 Trend Micro Inc. P a g e 1 | 102
Table of Content

Introduction .......................................................................................................................................................... 4
Network Settings ................................................................................................................................ 4
Training Cloud Login ...............................................................................................................................................5
Access the Product Cloud Portal....................................................................................................................... 5
Lab 1: Installations............................................................................................................................................... 10
Exercise 1.1: Installing Security Agents............................................................................................................ 11
Integrate with Microsoft Active Directory .................................................................................... 11
Install an Agent Remotely .................................................................................................................. 12
Install an Agent through Unmanaged Endpoints ................................................................................. 14
Install an Agent using AUTOPCC .......................................................................................................... 17
Install Agents through a Package......................................................................................................... 18
View the Agent list ........................................................................................................................ 20
Exercise 1.2: Installing a StandaloneSPS Server .......................................................................................... 20
Access the SPS Management Console ................................................................................................. 22
Adding SPS Server to Apex One ........................................................................................................... 25
Exercise 1.3: Registering Apex One withApex Central .................................................................................... 25
Lab 2: Configurations .......................................................................................................................................... 26
Exercise 2.1: Managing Policies through Apex Central .................................................................................... 28
Create an Apex Central User Account ................................................................................................. 28
Configure Policy Template................................................................................................................... 32
Exercise 2.2: Grouping Apex One Agents ........................................................................................................ 37
Exercise 2.3: Updating Security Agents........................................................................................................... 41
Verify Agent Update Sources............................................................................................................... 42
Create an Update Agent ...................................................................................................................... 45

2|Page
@2021 Trend Micro Inc.
Lab 3: PoC Use Cases............................................................................................................................................ 48
Exercise 3.1: Protecting Endpoint Computers from Malware .......................................................................... 48
Test Virus/Malware Scan ..................................................................................................................... 51
Test Spyware/Grayware Scans ............................................................................................................ 54
View Quarantined Files ....................................................................................................................... 56
Exercise 3.2: Protecting Endpoint Computers through Behavior Monitoring ................................................... 58
Exercise 3.3: Protecting Endpoint Computers from Unknown Threats ............................................................... 61
Exercise 3.4: Blocking Web Threats................................................................................................................. 65
Enable Web Reputation ...................................................................................................................... 65
Add an Application to the Web Reputation whitelist.................................................................... 69
Protect Endpoint Computers from Browser Exploits .................................................................... 71
Exercise 3.5: Protecting the Endpoint Computers through Traffic Filtering ........................................... 74
Enable Firewall Service ................................................................................................................. 75
Create a Firewall Policy........................................................................................................................ 76
Create a Firewall Profile ...................................................................................................................... 78
Verify the Firewall Deployment .................................................................................................... 79
Disable the Firewall Policy ................................................................................................................... 85
Exercise 3.6: Blocking Unauthorized Application ............................................................................................. 85
Test the Policy ..................................................................................................................................... 88
Define Application Control Criteria ............................................................................................... 89
Test the Allow Rule ....................................................................................................................... 91
View the Application Control Log Entry ........................................................................................ 92
Exercise 3.7: Protecting Endpoints from Vulnerability..................................................................................... 93
Enable Vulnerability Protection ........................................................................................................... 93
Test Vulnerability Protection ............................................................................................................... 96
View the Vulnerability Protection Log Entry ........................................................................................ 97

3|Page
@2021 Trend Micro Inc.
Introduction
This lab introduces participants to the virtual lab environment used to complete the hands-on exercises
in this Apex One training course.

The classroom lab environment is delivered as a virtual application through the Trend Micro Product
Cloud and will be accessed from a Web browser on your computer. Google Chrome is the preferred
browser for this environment, though other browsers may work if the appropriate plug-ins are enabled
and working properly.

Network Settings
The details and login credentials for each virtual machine in the classroom environment are listed here.
Always log into Windows as the local administrator. Logging in as a domain administrator will display a
different desktop and certain exercise files may not be available.

VM Name Hostname Operating System Addressing Login


VM-DC2016 dc2016.trend.local Windows Server 2016 (hosting IP: 192.168.4.1 Login Name:
Domain Controller and Subnet mask: 255.255.240.0 administrator
ApexCentral Server) Default gateway: 192.168.0.1
DNS 1: ::1 Password:
DNS 2: 127.0.0.1 trendmicro
VM-Server server.trend.local Windows Server 2016 IP: 192.168.4.8 Login Name:
(hosting Apex One Subnet mask: 255.255.240.0 admin
Server) Default gateway: 192.168.0.1 DNS 1:
192.168.4.1
Password:
trendmicro
VM-CLIENT-01 client-01.trend.local Windows Server 2016 IP: 192.168.4.2 Login Name:
Subnet mask: 255.255.240.0 administrator
Default gateway: 192.168.0.1
DNS 1: 192.168.4.1 Password:
DNS 2: 8.8.8.8 trendmicro
VM-CLIENT - 02 client-02.trend.local Windows 10 IP: 192.168.4.4 Login Name:
Subnet mask: 255.255.240.0 administrator
Default gateway: 192.168.0.1
DNS 1: 192.168.4.1 Password:
DNS 2: 8.8.8.8 trendmicro
VM-CLIENT - 03 client-03.trend.local Windows 10 IP: 192.168.4.6 Login Name:
Subnet mask: 255.255.240.0 administrator
Default gateway: 192.168.0.1
DNS 1: 192.168.4.1 Password:
DNS 2: 8.8.8.8 trendmicro
VM-WIN2012 win2012.trend.local Windows Server 2012 R2 IP: 192.168.4.3 Login Name:
Subnet mask: 255.255.240.0 administrator
Default gateway: 192.168.0.1
DNS 1: 192.168.4.1 Password:
DNS 2: 8.8.8.8 trendmicro

4|Page
@2021 Trend Micro Inc.
VM-ANALYZER DDAN CentOS IP: 192.168.4.5 Login Name:
Subnet mask: 255.255.240.0 admin
Default gateway: 192.168.0.1
DNS 1: 192.168.4.1 Password:
DNS 2: 8.8.8.8 Admin1234!
VM-SPS SPS CentOS IP: 192.168.4.7 Login Name:
Subnet mask: 255.255.240.0 admin
Default gateway: 192.168.0.1
DNS 1: 192.168.4.1 Password:
DNS 2: 8.8.8.8 trendmicro

Training Cloud Login


The instructor will distribute a unique Training Cloud user name and password to each class participant.
These credentials will be used for the duration of the training session. Write the user name and password
here for easy retrieval when needed during the different labs.

 Username: ………………………………….
 Password : ………………………………….

Accessing the Product Cloud Portal


1. To access the Product Cloud, open the hyperlink that is provided by the education team/trainer/
Product Cloud Team through a notification mail.

5|Page
@2021 Trend Micro Inc.
2. The Product Cloud Training page is displayed in the browser. The name of the class is displayed in
the frame at the top of the Web page. The Status should be listed as provisioned.

3. Hover your mouse over the computer icon on the right side of the page and click Go To Lab Detail.

6|Page
@2021 Trend Micro Inc.
4. A frame with the vApp details is displayed on the right side of the Web page, listing the virtual
machines available in the environment.

5. Hover your mouse over one of the virtual machines, and click Remote Control to enter that virtual
machine.

7|Page
@2021 Trend Micro Inc.
6. The selected virtual machine will be launched. It will take a moment for the virtual machine to load
and the window to be resized.

7. To login to virtual machine click on lock icon in the toolbar to send a CTRL+ALT+DELETE to login to the
virtual machine. Use appropriate username and password to login. Icons on the toolbar can also be used
to maximize and fit the screen

8|Page
@2021 Trend Micro Inc.
8. To login to different virtual machines in the environment click on the imager switch on the upper right
hand corner of the window.

9|Page
@2021 Trend Micro Inc.
Lab 1: Installations
In this section, you will be working on Installation of Apex One Agents, Standalone SPS, Edge relay server.
Before we start working on labs. Certain actions have to be performed.

To turn Microsoft Defender Firewall off:

1. Navigate to Client 2 Virtual Machine. Select the Start button > Settings > Update & Security > Windows
Security and then Firewall & network protection. Open Windows Security settings.

2. Turn off Microsoft Defender Firewall. Turn off the firewall for all of the options shown below.

10 | P a g e
@2021 Trend Micro Inc.
Exercise 1.1: Installing Security Agents
In this lab, participants will install Security Agents on endpoint computers in the virtual lab environment
with different methods.

Integrate with Microsoft Active Directory

In this exercise, Apex One will be integrated and synchronized with Microsoft Active Directory to assist in
locating endpoint computers.

1. In the virtual application, click to open the VM-SERVER virtual machine.


2. Log into Windows Server 2016 with credentials as listed in Network Settings page, if Prompted.
3. Click on the virtual machine window toolbar to maximize the window.
In the Internet Explorer or Chrome Web browser, launch the Apex One Web Management console by
typing the following URL: https://server.trend.local:4343/officescan. Alternately, click the Apex One
bookmark in the browser, or click Apex One in the Windows Start menu.
4. Log in with following Apex One credentials when prompted:
 User name: root
 Password: trendmicro
5. Go to Administration > Active Directory > Active Directory Integration.
6. Type the name of the classroom domain (trend) and click Save and Synchronize.

7. A message in the Web Management console confirms that the Active Directory domains are saved and
synchronized.

11 | P a g e
@2021 Trend Micro Inc.
Install an Agent Remotely

In this exercise, a Security Agent will be installed on the CLIENT-02 computer using Remote Installation from
the Web Management console.

1. In the virtual application, click to open the VM-CLIENT-02 virtual machine. If prompted, login into
Windows 10 using credentials as listed in Network Settings page.

NOTE: If an Enable Network Discovery message is displayed when logging into ANY client
virtual machine, click Yes.

2. Click Start > Windows Administrative Tools > Services. Locate the Remote Registry service.

3. Double-click the service and set the Startup type to Automatic and click Apply. Click Start to set the
service to Running. Click OK.

12 | P a g e
@2021 Trend Micro Inc.
4. Return to the VM-SERVER virtual machine and in the Web Management console go to Agents
> Agent Installation > Remote
5. In the Remote Installation window, type client-02 in the Search for endpoints field.

6. When prompted, type the administrator credentials to log into the CLIENT-02 computer.
7. The CLIENT-02 computer is displayed in the Selected Endpoints list. Click Install.

13 | P a g e
@2021 Trend Micro Inc.
8. Return to the VM-Client-02 virtual machine. A message should be displayed indicating that the
Security Agent was installed on this computer. Wait for the prompt to appear and click Restart to
complete the installation process

Install an Agent through Unmanaged Endpoints

In this exercise, you will install a Security Agent on an unmanaged endpoints detected through an Active
Directory search.

1. In the virtual application, click to open the VM-CLIENT-03 virtual machine. If prompted, log in to
Windows 10 with credentials as listed in Network Settings page.
2. Repeat steps 2-3 from the previous exercise on the CLIENT-03 computer.
3. Return to the VM-SERVER virtual machine and log into the Apex One Web Management console.

14 | P a g e
@2021 Trend Micro Inc.
4. Click Assessment >Unmanaged Endpoints. In the Active Directory / IP Address Scope pane, click the
Active Directory tab and click Define Scope

5. In the Active Directory Scope pane, click to enable trend.local, and click Save and Reassess.

6. Click OK to continue with the query of the domain.


7. The progress of the domain query is displayed.

15 | P a g e
@2021 Trend Micro Inc.
8. You may need to wait a few moments until the query completes. A success message is displayed
when complete & click OK. A list of unmanaged endpoints in the trend.local domain is displayed.
Click to highlight CLIENT-03 in the list and click Install.

9. When prompted, type the administrator credentials for the CLIENT-03 computer.

10. It may take a few minutes for the installation process to complete. Once it is finished, the Status
column will display Complete.
16 | P a g e
@2021 Trend Micro Inc.
11. Return the VM-CLIENT-03 virtual machine and wait for a message to be displayed indicating that the
Security Agent was installed on this computer. Restart the computer to complete the installation
process.

Install an Agent using AUTOPCC

In this exercise, a Security Agent will be installed on the CLIENT-01 computer.

1. Return to the VM-Server virtual machine. In Windows Explorer, locate and open following file:
D:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Autopcc.cfg\autopcc.ini
2. Locate the [Install] section. Modify the following settings:
 SilentInstall: 1 (This will enable silent installation, no setup dialog boxes are displayed on the client
computer)
 NoPrescan: 1 (This will disable the prescan on the client computer)

3. In the virtual application, click to open the VM-CLIENT-01 virtual machine. If prompted, log in to

17 | P a g e
@2021 Trend Micro Inc.
Windows Server 2016 with the credentials as listed in Network Settings page.
4. Click Run on the taskbar and enter the following command:
\\192.168.4.8\ofcscan\autopcc.exe
5. When prompted, click Run to execute the script.

A Windows Command Prompt window will appear momentarily as the script is initiated. After a short
while, the Apex One icon will be displayed in the system tray to indicate it is installed. When
prompted, restart the computer to complete the installation process.

Install Agents through a Package

In this exercise, an Agent installation package will be created and run on the VM-SERVER computer.

1. Return to the VM-Server virtual machine and in Windows Explorer, locate the following folder:
…\PCCSRV\Admin\Utility\ClientPackager\

Note: Some of the lesser-used utilities in this folder have been deleted to conserve
space in the classroom lab environment.

2. Locate and double click the Agent Packager tool called clnpack.exe.
3. Configure the Agent Packager with the following details:
 Package Type: Setup
 Windows operating system type: 64-bit
 Scan Method: Smart Scan
 Domain: Allow the agent to report its domain automatically
 Disable prescan: Click to enable (no prescan of the target computer should be performed)
 Source file: D:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\ofscan.ini
 Output file: D:\Apex One Installer.exe

18 | P a g e
@2021 Trend Micro Inc.
4. The Agent Packager will build the installation package with the defined parameters.

5. A Success message is displayed when the packing process is complete. Click OK.
6. Close the Agent Packager utility.
7. In the root of D:\, double-click Apex One Installer.exe to install the Security Agent on the Windows
Server 2016 computer. After a few moments, the Setup Wizard is displayed and the setup process
completes automatically.
8. After a few minutes, the Apex One icon will be displayed in the system tray to indicate it is installed.
Restart the computer to complete the installation process if prompted.
9. In the VM-Server virtual image, copy the Apex One Installer.exe file to the Lab Files folder on the
Windows desktop.
10. Open the VM-Server virtual machine and open the Lab Files folder on the Windows Server 2016 desktop.
Double-click the Apex One Installer.exe file to launch the Security Agent setup application. After a few
moments, the Setup Wizard is displayed and the setup process completes automatically.
11. After a few minutes, the Apex One icon will be displayed in the system tray to indicate it is installed.
Restart the computer to complete the installation process when prompted.

19 | P a g e
@2021 Trend Micro Inc.
View the Agent list
In this exercise, the list of Agents deployed in the previous exercises will be reviewed.
1. Return to the Agent Management list in the Apex One Web Management console.
2. Double click the Trend domain. The Agents installed in these exercises are displayed. Ensure that your
list matches what is displayed here.

Exercise 1.2: Installing a Standalone SPS Server


In this lab, participants will configure a new standalone Smart Protection Server in the classroom
environment and integrate it into the Apex One environment.

Access the SPS Management Console


The Smart Protection Server has been already installed on a virtual machine in the lab environment.
In this exercise, you will access the Smart Protection Server Management console and run the
Configuration Wizard for first-time installation.

1. In the VM-Server virtual machine, open Internet Explorer or Chrome and click the Smart Protection
Server bookmark or type the following URL to launch the Web console for the Smart Protection
Server: https://192.168.4.7:4343.If a Certificate Error message is displayed, accept the Security
Exception or Continue to this Website.

2. The Smart Protection Server Log On window is displayed.


3. Type the administrator credentials entered during the Smart Protection Server installation and click
Log on.

20 | P a g e
@2021 Trend Micro Inc.
4. A Welcome window is displayed. Click Configure First Time installation.

5. Accept the default selections for the File Reputation Service by clicking Next.

6. Accept the default selection for the Web Reputation service by clicking Next.

NOTE : You can change whether user-defined approved URLs or blocked URLs are
processed first by making a choice in the Filter Priority section.

7. Disable Trend Micro Smart Feedback and click Next.


21 | P a g e
@2021 Trend Micro Inc.
8. Leave the proxy settings disabled, and click Finish.
9. The Smart Protection Server Web Management console is displayed.

Adding SPS Server to Apex One


In this exercise, the Smart Protection Server will be identified as a source for Smart Protection information
within the Apex One Web Management console.

1. Return to the Apex One Web Management console, click Administration > Smart Protection
> Smart Protection Sources.
2. Click the Internal Agents tab, and click the standard list link.

22 | P a g e
@2021 Trend Micro Inc.
3. In the Standard Smart Protection Server List window, click Add.

4. Type the following details for the Smart Protection Server & click Save.
 Server: 192.168.4.7
 File Reputation Services: click to enable
 SSL: click to enable
 File Reputation Services Port: 443 (click Test Connection and ensure that the connection is
successful.)
 Web Reputation Services: click to enable
• Web Reputation Services Port: 5274 (Click Test Connection and ensure that the connection is
successful.)

23 | P a g e
@2021 Trend Micro Inc.
5. The new Standalone Smart Protection Server is displayed in the Smart Protection Server List. The Smart
Protection Servers will be accessed by Agents based on their order in the list & click on Save.

6. Click on Save and Notify Agents to distribute the details the Smart Protection Server to the Agents.

7. A banner in the console notifies you that Agents are being notified of the new Smart Protection
Server.
8. Open Windows Explorer and navigate to the following folder: ...\Apex One\PCCSRV

24 | P a g e
@2021 Trend Micro Inc.
9. Locate and open the sscfg.ini file to confirm that the Apex One Server is aware of the new Smart
Protection Server.

10. Open the VM-CLIENT-01 virtual image and in Windows Explorer navigate to the following
folder:...\Security Agent.
11. Locate and open the ssnotify.ini file to confirm that the Security Agent is aware of the new Smart
Protection Server.

12. Close the VM-CLIENT-01 virtual image.

Exercise 1.3: Registering Apex One with Apex Central


Before policies can be deployed through Apex Central, communication between Apex One and Apex
Central must be configured.

1. On the VM-DC2016 image, locate the digital certificate created during the setup of the Apex
Central Server. The certificate file is called TMCM_CA_Cert.pem and is located in the following folder:
25 | P a g e
@2021 Trend Micro Inc.
C:\Program Files (x86)\Trend Micro\Control Manager\Certificate\CA\
Copy this file to Lab Files folder.
2. On the VM-Server image, log into the Apex One Web Management console and click
Administration > Settings > Apex Central.
3. In the Apex Central Settings window, the Connection Status should be displayed as Not connected.

Complete the details of Apex Central Server as follows:

 Entity display name: ApexOne


 Server FQDN or IP address: dc2016.trend.local
 Port: Accept the default port of 443
 Apex Central Certificate: Click Browse and locate the TMCM_CA_Cert.pem certificate file in the Lab
Files folder.

4. Click Test connection. A connection was successful message should be displayed. Click OK.

26 | P a g e
@2021 Trend Micro Inc.
5. Click Register. The connection status is updated.

27 | P a g e
@2021 Trend Micro Inc.
Lab 2:Configurations
In this section, you will be working on Account management, Grouping of Agents, Feature wise configuring
Policies & Scans.

Exercise 2.1: Managing Policies through Apex Central


Before Managing the Policies through Apex Central, ensure that the communication between Apex
Central & Apex One is configured.

Create an Apex Central User Account


In this exercise, an Apex Central administrator account will be created in Apex One.

1. Still in the Apex One Web Management console, click Administration > Account Management
>User Accounts.
2. Click Add to create a new account. Complete the details for the account as follows:

 Select Role: Select Administrator (Built-in) from the list


 User name: Admin (the name of the Apex Central administrator, created during installation)
 Description: Apex Central Administrator
 Password: Pa$$w0rd (using the zero) (the password of the Apex Central administrator, assigned
during installation)

28 | P a g e
@2021 Trend Micro Inc.
3. Define the Agent Tree Scope to identify the branches of the Agent Tree this administrator will have
control over. The top branch of Apex One Server is selected by default, click Next.

4. To enable the Apex One items that the Apex Central account will have permissions to control, click the
Apex One Server at the top of the Agent Tree Scope list and click Finish.

29 | P a g e
@2021 Trend Micro Inc.
5. The new user account is displayed.

Confirm Registration

Confirming the Integration of Apex One and Apex Central by attempting a single sign on into Apex One.

1. Log into the Apex Central Web Management console by clicking the bookmark in the Internet
Explorer or Chrome browser. Log in with the following credentials:
 User name: Admin
 Password: Pa$$w0rd (with zero, not the letter O)
2. Click Administration > Managed Servers > Server Registration. In the Server Type list, click All. Apex
One should be listed as a Registered Server. Click the link with the URL.

3. You should be redirected to the Apex One Web Management console. Since the account for the Apex
Central administrator was assigned the Administrator (Built-in) role, they will be logged into Apex
One with full access to the Web Management console through single sign- on.

To Add Apex One to the Product Directory

30 | P a g e
@2021 Trend Micro Inc.
1. In the Apex Central Web Management console, click Directories > Products and click Directory
Management.

2. Click Local Folder, and click Add Folder.

3. Type a name for a new folder (or directory), for example, Trend Micro Servers and click Save.

31 | P a g e
@2021 Trend Micro Inc.
4. Expand the New Entity folder. Drag the Apex One Server device (listed as Apex One) from the New Entity
folder to the newly created Trend Micro Servers folder & when prompted, click OK to acknowledge the
move.

5. The Apex One Server should now be displayed in the Trend Micro Servers folder.

Configure Policy Template


In this exercise, a policy template will be configured to identify the target endpoints receiving the policy
details as well as the settings to be deployed to the Security Agents on those endpoints.

32 | P a g e
@2021 Trend Micro Inc.
1. Still in the Apex Central Web Management console, click Policies > Policy Management. Click close
to hide the information window that is displayed.

2. In the Product list, select Apex One Security Agent. To create a policy for this product, click Create or
Create one now.

33 | P a g e
@2021 Trend Micro Inc.
3. The policy template window is displayed. From this window, administrators will select the target
endpoints and identify the policy settings to be deployed.

4. Type a name for the policy, for example, No Scan.


5. Click to enable Specify Target and click Select.

34 | P a g e
@2021 Trend Micro Inc.
6. Click the Browse Tab. Expand DC2016> Local Folder > Trend Micro Servers > Apex One. Click the Trend
domain. In the right-hand pane, click to select CLIENT-02.

7. Click Add Selected Target then OK.


8. Expand Real-time Scan Settings and click to disable Virus/Malware Scan.

35 | P a g e
@2021 Trend Micro Inc.
9. Scroll down to the bottom of the list and click Deploy.

10. The Policy will be listed as Pending while it awaits deployment to the target endpoint Security Agents. It
may take some time for the policy to deploy. Click Refresh at the top of the policy list to recheck the
status.

11. Once applied to the target endpoints, the policy will display with a status of Deployed.

Test the New Policy

1. Open the VM-CLIENT-02 virtual machine.


2. Double-click the Security Agent icon in the system tray to display the console

36 | P a g e
@2021 Trend Micro Inc.
3. Since Real-time Scan was disabled in the policy, the Security Agent displays this status.

4. Click the Connection icon in the console. Note that Real-time Scan is disabled.

5. Close the Security Agent Console.

Exercise 2.2: Grouping Apex One Agents


In this lab, you will use automatic grouping techniques to organize Security Agents.

In this exercise, a new Agent group (domain) will be created for computers hosting Security Agents. This
new domain will be created based on Agent IP addresses.

1. Open the VM-Server image and in the Apex One Web Management console, click Agents
> Agent Grouping.

37 | P a g e
@2021 Trend Micro Inc.
2. Click Create custom agent groups for existing Security Agents.

3. In the Automatic Agent Grouping pane, click Add > IP Address.

38 | P a g e
@2021 Trend Micro Inc.
4. Click Enable grouping and configure the group with the following details:

 Name: Classroom
 IPv4 range: From 192.168.4.1 To 192.168.4.10
5. In the Agent tree pane, hover the pointer over the Trend domain and click the + icon. Type a name for
the new domain (group), for example, Classroom and click the √ icon. Click Save.

39 | P a g e
@2021 Trend Micro Inc.
6. The grouping details are displayed. Click Save and Create Domain Now

7. Click OK to acknowledge the message.


8. Return to Agent > Agent Management and expand the Trend domain. Note that the Classroom
group is displayed, but no Agents are collected in the new group.
9. Click the Apex One Server at the top of the Agent tree. Click Manage Agent Tree > Sort Agent.

40 | P a g e
@2021 Trend Micro Inc.
10. Click Start to begin the sorting operation

11. Click Close when the sorting operation is complete.


12. Click the Classroom domain in the Agent tree and the Agents within the selected IP address range are
displayed.

Exercise 2.3: Updating Security Agents


In this lab, you will verify alternate update sources for Security Agents and an Update Agent will be created
to distribute updates with the environment.

41 | P a g e
@2021 Trend Micro Inc.
Verify Agent Update Sources
In this exercise, the update source for Security Agents will be compared when the Apex One Server is online
and offline.

1. In the VM-Server image, open Apex One Web Management console. In the Agent Management
list, click the Classroom domain to display its Agents.

2. Right-click CLIENT-01, and click Settings > Privileges and Other Settings.

3. Click the Other Settings tab, and ensure that Security Agents download updates from the Trend
Micro ActiveUpdate Server is enabled. ClickSave.

42 | P a g e
@2021 Trend Micro Inc.
4. A message is displayed notifying that configuration changes have been applied, click Close.

5. Open the VM-CLIENT-01 virtual machine. Right-click the Security Agent icon in the Windows system
tray and click Update Now.

6. Once complete, a Component update is complete message is displayed. Click Close when the update
is complete.
7. Return to the VM- Server virtual machine and click Start > Windows Administrative Tools
>Internet Information Services Manager.
8. Click to select the Apex One Server virtual website (Server), then right-click and click Stop. This will
disable the Apex One server and prevent Agents from retrieving updates from the Server.

43 | P a g e
@2021 Trend Micro Inc.
9. Return to the VM-CLIENT-01 virtual machine, and run Update Now once again from the Security Agent
icon.
10. Once the update is complete, open Windows Explorer on CLIENT-01 and locate the tmudump.txt
log file located in the following folder: ...\Security Agent\AU_Data\AU_Log\
11. Open the file in Windows Notepad. Locate the entries related to the two Update Now actions:

First Update Now action:

Second Update Now action:

44 | P a g e
@2021 Trend Micro Inc.
12. Return to the VM-Server virtual machine and restart the Web Server.

Create an Update Agent


In this exercise, the Security Agent on the CLIENT-03 computer will be promoted to become the Update
Agent for the environment.

1. In the Agent Management list, right-mouse click the CLIENT-03 computer and click Settings
>Update Agent Settings.
2. Click to enable all the options to be delivered by the Update Agent and click Save.

45 | P a g e
@2021 Trend Micro Inc.
3. A message is displaying the configuration settings have been applied. Click Close.

4. The Security Agent on the CLIENT-03 computer will become the update agent for all of the Security
Agents within an IP address range. Click Updates > Agents > Update Source
5. Click Customized Update Source and click Add

6. Configure the IP Range and Update Source as follows:

 IPv4: From 192.168.4.1 to 192.168.4.6


 Update Source: Select CLIENT-03 from the Update Agent list & Click Save.

46 | P a g e
@2021 Trend Micro Inc.
7. The Customized Update Source list is updated. Click Notify All Agents.

8. On the VM-CLIENT-03 virtual image, navigate to the following folder in Windows Explorer to view the
update files that are available for distribution to Security Agents within the assigned range:
...\Security Agent\active update

47 | P a g e
@2021 Trend Micro Inc.
Lab 3: PoC Use Cases
In this section, you will be working on Use cases for various features like Antimalware, Web Reputation,
Behavior Monitoring, Firewall, IPS, Application Control, Predictive Machine Learning.

Exercise 3.1: Protecting Endpoint Computers from Malware


In this exercise, real-time scanning is configured for agents within the Trend domain.

1. In the VM-SERVER virtual machine, log into the Apex One Web Management console.
2. In the Agent Management list, right-mouse click the Classroom domain. Click Settings > Scan Settings >
Real-time Scan Settings.
By configuring Real-time Scan Settings at the Classroom branch of the Agent tree, all Agents in this
domain will inherit the settings.

48 | P a g e
@2021 Trend Micro Inc.
3. On the Target tab, ensure that Enable virus/malware scan and Enable spyware/grayware scan are both
enabled. Click to enable File types scanned by Intelliscan.

49 | P a g e
@2021 Trend Micro Inc.
4. On the Action tab, click Use the same action for all virus/malware types, and set the 1st Action for All
types to Quarantine. Click Save.

5. A message is displayed notifying that configuration changes have been applied, click Close.

6. In the virtual application, open the VM-CLIENT-02 virtual machine and log into Windows 10.
7. Double-click the Apex One icon in the Windows system tray to display the console.

50 | P a g e
@2021 Trend Micro Inc.
8. Click the Connection Status icon and note that Real-time Scan is enabled.

Test Virus/Malware Scan

1. On the CLIENT-02 computer, open Internet Explorer. A message regarding add-ons will be displayed
in the browser.

2. Click Choose add-ons. In the list, click to Enable All to enable the Trend Micro add-ons and click Done.

51 | P a g e
@2021 Trend Micro Inc.
3. In the browser (prefer chrome), type the following URL to access the EICAR web site:
https://www.eicar.org/?page_id=3950

Click to download the eicar.com test file.

4. When prompted, do not save or run the file. Wait a moment and a notification about malware being
downloaded is displayed on the Windows 10 desktop.

5. Click Cancel to terminate the eicar.com download.

52 | P a g e
@2021 Trend Micro Inc.
6. Click the number 1 in the Threats/Violations Found alert window next to Virus/Malware to open the
Logs viewer for this endpoint computer. Review the details of the logged event and click Close. Close
the Threat/Violations Found alert window as well.

NOTE: Even though the malware file was not saved to the computer by clicking Save,
the browser still cached the malware download and triggered the real-time scan.

7. Return to the VM-SERVER virtual machine and in the Apex One Web Management console, locate the
CLIENT-02 computer in the Agent list.
8. Right-mouse click the computer and click Logs > Virus/Malware Logs. Accept the default criteria and
click Display Logs.

53 | P a g e
@2021 Trend Micro Inc.
9. The details of the event generated by the malware capture will be displayed.

NOTE: It may take a few minutes for the Security Agent to forward its logs to the Apex
One Server. If the log entry does not display, try again in a couple of minutes.

Test Spyware/Grayware Scans

1. Return to the CLIENT-02 computer, locate and open the Lab Files folder on the Windows 10 desktop. In
this shared folder, double-click the Spyware_Test_Files folder.
2. Drag the Spyware_Files_Password_novirus.zip file from the shared folder to the Windows 10 desktop.
3. Once on the Windows 10 desktop, right-mouse click the file and click Extract All. Accept the default
location and click Extract.

4. When prompted, type the archive password of novirus and click OK.
5. Close the Threat/Violations Found window.
6. Return to the VM-SERVER virtual machine and in the Apex One Web Management console, locate the
CLIENT-02 computer in the Agent list.

54 | P a g e
@2021 Trend Micro Inc.
7. Wait a moment and a notification about spyware/grayware being detected is displayed on the
Windows 10 desktop

8. Right-mouse click the computer and click Logs > Spyware/Grayware Logs. Accept the default criteria
and click Display Logs.

55 | P a g e
@2021 Trend Micro Inc.
9. The details of the events generated by the spyware capture will be displayed.

Click Close.

NOTE: It may take a few minutes for the Security Agent to forward its logs to the Apex
One Server. If the log entry does not display, try again in a couple of minutes.

View Quarantined Files


In this exercise, you will view the files quarantined by the Security Agent.

1. Back on the VM-CLIENT-02 virtual machine, open Windows Explorer, and navigate to the quarantine
folder at the following location to verify if there are any quarantine files (these will be identified with
a .qtn extension: ...\Security Agent\Suspect\Backup
2. Still in Windows Explorer, navigate to the following folder on the CLIENT-02 computer:
...\Security Agent

3. Return to the Apex One Server Web Management console on the VM-SERVER virtual machine.

4. In the Agent Management list, click the Classroom domain to view its Agents. Right-click the CLIENT-02
computer in the Agent tree and click Tasks > Central Quarantine Restore

56 | P a g e
@2021 Trend Micro Inc.
5. In the Central Quarantine Restore Criteria window, type the name of the infected file as displayed in
the Restore Encrypted Virus utility (for example, eicar[1].com) and click Search.

57 | P a g e
@2021 Trend Micro Inc.
6. In the Central Quarantine Restore window, the option to restore the file is available by selecting
the file and clicking Restore. Optionally, click Add restored file to the domain-level exclusion list to no
longer identify this file as malware.

Click Close without restoring the file.

Exercise 3.2:Protecting Endpoint Computers through Behavior Monitoring


In this lab, participants will access an unknown application will be accessed to trigger Malicious Behavior
Detection.

Block Newly Encountered Software

In this exercise, a software application that has not been encountered previously will be blocked.

1. On the VM-SERVER virtual machine, open the Apex One Web Management console.
2. In the Agent Management list, click the Classroom domain to display its Agents.
3. Right-mouse click CLIENT-02 and click Settings > Behavior Monitoring Settings. Ensure that Monitor newly
encountered programs is enabled along with Prompt User. Click Save

58 | P a g e
@2021 Trend Micro Inc.
4. A message is displayed confirming the configuration settings have been applied. click Close.

5. Log back into the VM-CLIENT-02 virtual image and access the sample detection Web site by clicking the
Detections bookmark in the browser or typing the following URL: http://detection.trend.local
6. Click the suspicious link and save the file to the desktop.

NOTE: Ignore any Windows messages related to the unknown application, if displayed.

7. Double-click the suspicious.exe file on the desktop and click Run.


8. In a moment, a Newly Encountered Program Detected message should be displayed. In this case, the
Census feature detects that this file has a low prevalence, and the Security Agent becomes suspicious
of the file. Do not click any of the options at this point, instead allow the Time out value to expire

59 | P a g e
@2021 Trend Micro Inc.
9. Since the program was not allowed within the defined timeout, a second notification will appear
in a moment displaying that the threat was blocked through Malicious Behavior Detection.

10. Click the number 1 next to Malicious Behavior Detections to open the Log viewer.

11. Click Close once you have examined the details of the detection. Close the Threats/Violations Found
alert.
12. Return to the VM-SERVER virtual machine and in the Apex One Web Management console, locate the
CLIENT-02 computer in the Agent list.

60 | P a g e
@2021 Trend Micro Inc.
13. Right-mouse click the computer and click Logs > Behavior Monitoring Logs. Accept the default criteria
and click Display Logs.

14. The details of the event generated by behavior monitoring will be displayed.

Click Close.

NOTE: It may take a few minutes for the Security Agent to forward its logs to the Apex
One Server. If the log entry does not display, try again in a couple of minutes.

Exercise 3.3: Protecting Endpoint Computers from Unknown Threats


In this lab, participants will enable Predictive Machine Learning and sample malware will be accessed
to trigger protection. In addition, an unknown application will be accessed to trigger Malicious Behavior
Detection.

Enable Predictive Machine Learning

1. On the VM-SERVER virtual machine, open the Apex One Web Management console.

61 | P a g e
@2021 Trend Micro Inc.
2. In the Agent Management list, right-mouse click CLIENT-02 and click Settings > Predictive Machine
Learning Settings. Ensure that Enable Predictive Machine Learning is selected and ensure that only the
Type of File is enabled. Click Save.

3. A message is displayed confirming the configuration settings have been applied. Click Close.

62 | P a g e
@2021 Trend Micro Inc.
4. In the virtual application, click the VM-CLIENT-02 image. Return to the Detections demo site.
5. Click trendx_detect to download a malware sample.

6. Do not run or save the file. After a moment, a Threats/Violations Found notification should be
displayed.

7. Click Cancel on the download message.

8. Click the number link next to Unknown Threats to display additional information regarding the
threat, including that Predictive Machine Learning caught the potential malware.

63 | P a g e
@2021 Trend Micro Inc.
9. Click Close in the Logs window. Close the Threats/Violations Found alert.
10. Return to the VM-SERVER image and log into the Apex One Web Management console. Locate
and right-mouse click CLIENT-02. Click Logs > Predictive Machine Learning Logs. Accept the
default criteria and click Display Logs.

64 | P a g e
@2021 Trend Micro Inc.
11. Examine the details related to this violation. It may take a few minutes for the log event to
display

12. Click View on the far right side to obtain additional information about the file detection.

Exercise 3.4: Blocking Web Threats


In this lab, participants will configure Web Reputation and sample Web sites will be accessed.

Enable Web Reputation


1. In the VM-SERVER image, open the Apex One Web Management console.
2. In the Agent Management list, right-click the Classroom domain. Click Settings > Web Reputation
Settings.

65 | P a g e
@2021 Trend Micro Inc.
3. On the Internal Agents tab, confirm that Web Reputation is enabled for Windows desktops and set the
Security Level for these agents to Medium.

NOTE: Ensure that only the Classroom domain is selected when applying these settings. If
an Agent in the domain is selected in the Agent list when right-mouse clicking the
Classroom domain, the settings will only apply to that Agent.

4. In addition, disable Send queries to Smart Protection Servers. This will ensure that the requests are sent to
the Smart Protection Network. Leave all other settings at their defaults and click Save.

66 | P a g e
@2021 Trend Micro Inc.
5. A confirmation will be displayed to inform that the configuration

6. Changes have been applied. Click Close.

7. In the virtual application, open the VM-CLIENT-03 virtual machine.

8. On the Windows 10 computer, open Internet Explorer. A message regarding add-ons will be displayed
in the browser.

67 | P a g e
@2021 Trend Micro Inc.
9. Click Choose add-ons. In the list, click to Enable All to enable the Trend Micro add-ons and click Done.

10. In Internet Explorer, access the sample web sites listed below and note what happens when you
attempt to access each of these sites:
 wrs81.winshipway.com
 wrs71.winshipway.com
 wrs31.winshipway.com
Sites with a score of 65 or lower should be blocked (since Medium level is set) and the Web browser will
display the following message.

In addition, a Malicious URLs alert should be displayed.

68 | P a g e
@2021 Trend Micro Inc.
11. Click the number next to Malicious URLs to open the Web Reputation Logs. Note the entries for the
blocked Web site, then click Close. Close the Threats/Violations Found alert.

12. Navigate to the following folder and locate the OfcUrlf.log file: …\Security Agent\Misc
13. Open the file in Notepad and locate the details for which websites were blocked.

14. In Internet Explorer, clear the browsing history and close the browser.

Add an Application to the Web Reputation whitelist


In this exercise, you will configure Web Reputation to ignore requests made by specific applications. In
this example, Internet Explorer will be added to the Whitelist.

1. Still on the VM-CLIENT-03 image, right-click the Security Agent icon in the system tray and click
Unload Security Agent.

69 | P a g e
@2021 Trend Micro Inc.
2. When prompted, type the unload password entered during setup of the Apex One Server, for
example, trendmicro. Wait for the Agent icon to disappear from the system tray before continuing.

3. Open the Registry Editor (regedit) and locate the following entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Osprey\WhiteList]
4. Right-mouse click Whitelist and click New > Key. Create a new key called Internet Explorer.

NOTE: Agent Self-Protection prevents any modification to the Apex One Registry keys. If
the Security Agent is not completely unloaded, you may be prevented from creating this
new key. If an error is displayed when trying to create the key, try again after a couple
of minutes to allow the Agent to finish the unloading process.

5. Right-mouse click Internet Explorer and click New > String Value. Type the Value name of
ProcessImageName
6. Right-mouse click ProcessImageName and click Modify. Type the Value data of iexplore.exe.

NOTE: Ensure that the name of the Value data is iexplore.exe (not iexplorer.exe)

7. Close the Registry Editor and restart the Security Agent by clicking Start > Trend Micro Apex One
Security Agent > Security Agent. Wait for the agent icon to appear in the system tray before
continuing.

8. Open the Chrome browser and enter the following URL: http://wrs31.winshipway.com The
connection should be blocked.

9. Open Internet Explorer and enter the same URL. The connection should be allowed as Internet
70 | P a g e
@2021 Trend Micro Inc.
Explorer is on the whitelist.

Protect Endpoint Computers from Browser Exploits


In this exercise, malware scanning, web reputation and memory scans will be combined to protect the
endpoint computers from known browser exploits.

1. Return to the VM-SERVER virtual image and in the Agent Management list, right-mouse click the
Classroom domain, and click Settings > Additional Service Settings

2. As the memory scan feature requires Behavior Monitoring to be enabled, confirm that Unauthorized
Change Prevention Service is enabled for Windows desktops, along with the Advanced Protection Service
section. By default, this service should be enabled. This is the Common Control Solution Framework.

71 | P a g e
@2021 Trend Micro Inc.
3. A confirmation of the configuration change is displayed. Click Close.

4. Right-mouse click the Classroom domain again; this time click Settings > Web Reputation Settings.

5. On the Internal Agents tab, scroll to locate the Browser Exploit Prevention section and ensure that Block
pages containing malicious scripts is enabled.

6. A confirmation of the Web Reputation configuration change is displayed. Click Close.

Open the VM-CLIENT-02 virtual machine. On the Windows 10 desktop, open the Internet Explorer browser.
Click Tools and confirm that the Trend Micro add-ons are present in Internet Explorer by navigating to Manage
add-ons. Under Toolbars and Extensions, the add- ons should appear. If not already enabled (completed in a
previous lab), select each add-on and click Enable

72 | P a g e
@2021 Trend Micro Inc.
7. In Internet Explorer, type the following URL to access some sample Web pages:
a. http://192.168.4.1/CVE-2009-1568.htm
b. http://192.168.4.1/CVE-2009-1569.htm
c. http://192.168.4.1/CVE-2009-3867.htm
d. http://192.168.4.1/CVE-2009-3869.htm
Since these pages contain malicious scripts, a policy violation message should be displayed.

8. Click the number link next to Malicious URLs (this number may vary) to display the log entries for these pages’
accesses. Set the time range to Last 24 hours. Further details on each violation are displayed. Click Close once
you have noted the details. Close the Threats/Violations Found alert

73 | P a g e
@2021 Trend Micro Inc.
9. Return to the VM-SERVER virtual machine and in the Apex One Web Management console, locate the
CLIENT-02 computer in the Agent list.

10. Right-mouse click the computer and click Logs > Web Reputation Logs. Accept the default criteria and click
Display Logs

11. The details of the events generated by the accesses to Web pages containing the malicious scripts will be
displayed.

74 | P a g e
@2021 Trend Micro Inc.
Click Close.

Exercise 3.5: Protecting the Endpoint Computers through Traffic Filtering


In this lab, you will create a new firewall policy and profile to block Internet connections from an
endpoint computer.

Enable Firewall Service


In this exercise, Firewall services will be enabled for a domain.
1. Open the VM-SERVER virtual machine and log into the Apex One Web Management console.

2. In the Agent Management list, right-click the Classroom domain. Click Settings > Additional Service
Settings.

3. Ensure that the Firewall Service is enabled for Windows desktop computers.

75 | P a g e
@2021 Trend Micro Inc.
NOTE: Firewall services were enabled during the setup of Apex One on the virtual machine.

4. Click Save to apply the settings to the domain.

5. A confirmation will be displayed to inform you that the configuration changes have been applied.
Click Close.

Create a Firewall Policy


In this exercise, a new policy will be created to block Web traffic.

1. Still in the Apex One Web Management console, click Agents > Firewall > Policies. The list of default
Firewall policies is displayed.

76 | P a g e
@2021 Trend Micro Inc.
2. Click Add and create a policy to allow all traffic through the Apex One firewall with the following
details:
 Name: Exercise Firewall Policy
 Security level: Low
 Enable Firewall: Ensure this Firewall Feature item is enabled
 Display a notification when a Firewall violation is detected: enabled

3. In the Exception pane, click Add and create an exception to block Web traffic with the following
details.
 Name: Block HTTP and HTTPS
 Application: All applications
 Action: Deny network traffic
 Direction: Inbound and Outbound enabled
 Protocol: TCP
 Specific Ports: 80,443
 IP address(es): All IP addresses

77 | P a g e
@2021 Trend Micro Inc.
Click Save.
4. The new Exception is displayed. Click the up arrow in the Order column multiple times to move the
new exception above the default HTTP and HTTPS exceptions.

Click Save.

5. The new policy is displayed in the list.

78 | P a g e
@2021 Trend Micro Inc.
Create a Firewall Profile
In this exercise, a new firewall profile will be created, allowing the new policy to be applied to Agents.

1. Still in the Apex One Web Management console, click Agents > Firewall > Profiles. The list of default
profiles is displayed.

2. Click Add to create a new profile with the following details:


 Enable this profile: ensure this profile is enabled
 Name: Blocked Agent
 Description: Type an optional description
 Policy: Select Exercise Firewall Policy
 Endpoint: Click to enable Endpoint, then click Select Endpoints from the Agent Tree. Locate the
CLIENT-02 endpoint from the Classroom domain. Click Select.
Click Save.

79 | P a g e
@2021 Trend Micro Inc.
3. Click Apply Profile to Agents.

A banner is displayed in the console advising you that the Security Agents are being notified of the new
settings.

Verify the Firewall Deployment


In this exercise, the Agent list will be viewed to confirm the deployment of the Firewall components.

1. Still in the Apex One Web Management console, click Agents > Agent Management. Click the
Classroom domain to view its Agents.

2. Click Firewall view from the Agent tree view list.

80 | P a g e
@2021 Trend Micro Inc.
3. Confirm there is a green check mark in the Firewall column for CLIENT-02.

4. In the vApp, open the VM-CLIENT-02 virtual image.

81 | P a g e
@2021 Trend Micro Inc.
5. Double-click the Apex One icon in the Windows system tray to open the console. Click Settings at
the bottom of the console window. On the Protection tab, click Firewall from the list. Note the name
of the policy in effect on this endpoint.

Click Cancel to close the Settings window.

6. Still on the CLIENT-02 computer, open the Windows Command Prompt as an administrator and
navigate to the following folder: C:\Program Files (x86)\Trend Micro\Security Agent

NOTE: The Command Prompt shortcut on the toolbar launches with administrator permissions. If
launching Command Prompt from the Windows menu, right-mouse click the item and click More > Run
as administrator.

7. Type the following command to generate a dump file of the firewall rules in effect on this endpoint
computer: tmpfw dump

8. In Windows Explorer, locate and open the resulting dump file called !PfwDump.txt in the following
82 | P a g e
@2021 Trend Micro Inc.
folder: ...\Security Agent

9. Open the file in Notepad. Locate the entries for the exceptions to block ports 80 and 443.

10. On the Windows 10 desktop, open a web browser and browse to a random web site. The site be
should be blocked. After a moment, a firewall violation notification message should be displayed on
the agent endpoint.

83 | P a g e
@2021 Trend Micro Inc.
11. Click the number next to Firewall Violations or Network Viruses to view logging details regarding
the firewall violation.

12. Return to the VM-SERVER image and in the Apex One Web Management console, locate and right-
mouse click CLIENT-02. Click Logs > Firewall Logs. Accept the default criteria and click Display Logs.

13. Examine the details related to this violation. It may take a few minutes for the log event to display
then click Close.

84 | P a g e
@2021 Trend Micro Inc.
Disable the Firewall Policy
In this exercise, the firewall policy blocking access to HTTP and HTTPS will be deleted so as not to impact
the Agent’s access to the Internet.

1. Return to the Apex One Web Management console and click Agents > Firewall > Profiles. The list of
current profiles is displayed.

2. Click to select the Blocked Agent profile and click Delete.

3. Click Apply Profiles to Agents.


4. A message is displayed advising you that the Security Agents are being notified of the new settings.

5. After a moment, return to the VM-CLIENT-02 virtual machine and attempt to browse to a random
Web site. The site should be displayed.

Exercise 3.6:Blocking Unauthorized Application


In this lab, participants will enable Apex One Application Control to lockdown the inventory of
applications on an endpoint computer and block any unauthorized applications from running. The Application
Control policy to do this will be configured and deployed through Apex Central.
Create a Policy

In this exercise, a new policy will be created to lockdown the application inventory on filtered endpoint
computers.

1. In the VM-SERVER image, log into the Apex Central Web Management console and click Policies
>Policy Management.

85 | P a g e
@2021 Trend Micro Inc.
2. In the Product list, select Apex One Security Agent and click Create to define the new policy.

3. Configure the policy with the following details:


 Name: Lockdown
 Target: Click Specify Target(s) and click Select
4. Click Browse and locate the VM-SERVER computer. Click to select and click Add Selected Target.

5. Scroll to the bottom of the policy list and click Deploy.

86 | P a g e
@2021 Trend Micro Inc.
6. Expand Application Control Settings and click to enable Application Control. Click to enable Lockdown
and disable Assessment mode.

7. The policy will display as Pending as it is deployed to the Security Agent on the VM-SERVER
computer.

87 | P a g e
@2021 Trend Micro Inc.
8. Once the policy is applied to the endpoint, the policy status will change to Deployed. It may take some
time for the policy to deploy as it generates the inventory. Click Refresh at the top of the policy list to
recheck the status.

9. Click the number 1 in the Deployed column to perform a log query to identify the endpoint
computers on which the policy was deployed.

Test the Policy


In this exercise, a new application will be added to the endpoint to test the block. Since this application
is not part of the inventory when lockdown was enabled, the application should be prevented from
running.

1. On the VM-SERVER virtual machine, open the Security Agent console to view the protection status of
this endpoint. Note that Application Control is enabled on this computer. A padlock symbol may be
displayed after a while to indicate that the endpoint is in Lockdown mode.

88 | P a g e
@2021 Trend Micro Inc.
NOTE: If Application Control does not display as enabled (with the green icon), click Update in the
Security Agent console to force a refresh. The inventory process will take a few minutes to complete
on the endpoint computer, do not proceed to the next step until Application Control shows as
enabled.
2. Open the Lab Files folder on the desktop. Copy the WinMD5.exe file from this folder to the C:\Temp

3. folder on the DC-2016 computer.

4. Once the file has been copied, double-click to execute the file.

5. A block message is displayed.

6. A policy violation message is displayed.

Define Application Control Criteria


In this exercise, the blocked application will be allowed by adding a new Allow criteria.

1. Click Policies > Policy Resources > Application Control Criteria.

2. Click Add Criteria and select Allow.

3. Create an Allow criteria with the following details:


 Name: Allow WinMD5
89 | P a g e
@2021 Trend Micro Inc.
 Trust Permission: Application cannot execute external processes
 Match method: File Paths
- Specific path
- String
- C:\temp\winmd5.exe
Click Save.

4. The new Criteria is listed.

5. Return to Policies > Policy Management. Click the Lockdown policy and expand Application Control
Settings.

90 | P a g e
@2021 Trend Micro Inc.
6. In the User-Defined Rules section, click the All user accounts rule. The policy criteria are displayed in
Available Criteria. Click each criteria one at a time to move them into the Selected criteria column and click
OK.

7. Scroll down and click Deploy. Wait until the new policy is deployed before proceeding to the next
exercise.

Test the Allow Rule


In this exercise, the previously blocked application will be launched once again to test the Allow criteria.

1. In Windows Explorer, navigate to the C:\temp folder and double-click WinMD5.exe.

91 | P a g e
@2021 Trend Micro Inc.
2. The application should run

View the Application Control Log Entry


In this exercise, the log entry related to the Application Control incident will be reviewed.

1. Return to the Apex Central Web Management console and click Detections > Logs > Log Query.

2. Select Application Control violations and click OK.

3. Leave the other items at their default and click Search.

92 | P a g e
@2021 Trend Micro Inc.
4. The log entry related to the Application Control violation on the VM-SERVER computer is
displayed. It may take some time for the log entry to display.

5. Close the VM-VM-SERVER virtual machine.

Exercise 3.7: Protecting Endpoints from Vulnerability


In this lab, participants will enable Apex One Vulnerability Protection to protect an endpoint computer
from operating system exploits.

Enable Vulnerability Protection


In this exercise, vulnerability protection will be enabled for a single computer.

1. Open the VM-SERVER virtual machine and log into Apex Central Web Management console.

2. Click Administration > Updates > Manual Update. Expand Intrusion Prevention and note that the
Vulnerability Protection Pattern has been downloaded. This pattern is updated regularly and contains
the rules to protect the endpoint from vulnerabilities.

93 | P a g e
@2021 Trend Micro Inc.
3. Click Policies > Policy Resources > Intrusion Prevention Rules. The IPS rules currently downloaded are
displayed.

4. Click Policies > Policy Management and delete the policy called No Scan.

94 | P a g e
@2021 Trend Micro Inc.
5. Still under Policies > Policy Management, create a new policy for the Security Agent with the following
details:

 Name: Protect Client-02


 Filter: Specify Target and click Select
- Click Browse and expand the tree to display the endpoint computers. Select CLIENT- 02 and click
Add Selected Targets. Click OK.

6. Expand Vulnerability Protection Settings and insure that Enable Vulnerability Protection is select

95 | P a g e
@2021 Trend Micro Inc.
7. Click to enable Security Priority mode.

8. In the Search field, type eicar. The Restrict Download of EICAR Test File Over HTTP is displayed. Note
that this rule is enabled automatically in Security Priority mode. This rule will allow you to test that the
Vulnerability Rules are being enforced on the endpoint computer.

9. Scroll to the bottom of the list and click Deploy. The rules are then deployed to the Security Agent on
the CLIENT-02 computer. Wait until the policy is deployed before continuing.

Test Vulnerability Protection


In this exercise, the EICAR sample file will be downloaded to trigger the Vulnerability Protection rule.

1. Open the VM-CLIENT-02 image and confirm that Vulnerability Protection has been deployed.

2. In a Web browser on the CLIENT-02 computer, type the following URL to download the EICAR test
file: https://www.eicar.org/?page_id=3950

3. Click the eicar.com file to download.

96 | P a g e
@2021 Trend Micro Inc.
4. The connection to the Web page should be reset and a browser error displayed.

View the Vulnerability Protection LogEntry


In this exercise, the log entry related to the Vulnerability Protection incident will be reviewed.

1. Return to the Apex Central Web Management console.

2. Click Detections > Logs > Log Query. In the Log Query window, set the query to Intrusion Prevention and
leave the remaining options at their default and click Search.

97 | P a g e
@2021 Trend Micro Inc.
98 | P a g e
@2021 Trend Micro Inc.
end Micro Inc. P a g e 102 | 102

99 | P a g e
@2021 Trend Micro Inc.

You might also like