the products described herein without notice. Before installing and using the software,
please review the readme files, release notes, and the latest version of the applicable user
documentation, which are available from the Trend Micro website at:
http://docs.trendmicro.com
Trend Micro, the Trend Micro t-ball logo, and TrendLabs are trademarks or registered
trademarks of Trend Micro Incorporated. All other product or company names may be
trademarks or registered trademarks of their owners.
Copyright © 2012 Trend Micro Incorporated. All rights reserved.
Document Part No.: LPEM54474/100607
Release Date: June 2012
Protected by U.S. Patent No. 7,516,130 and U.S. Patent No. 7,747,642.
The user documentation for Trend Micro Data Loss Prevention introduces the main
features of the software and installation instructions for your production environment.
Read through it before installing or using the software.
Detailed information about how to use specific features within the software is available
in the online help file and the online Knowledge Base at the Trend Micro website.
Trend Micro always seeks to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro document, please contact us at
docs@trendmicro.com.
Please evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
Trend Micro DLP Endpoint 5.6 Installation Guide
Chapter 1
WARNING!
You must restart target machines after installation and uninstallation. Failure to restart after
uninstallation leaves filter drivers in place until the machine is shut down.
System Requirements
Hardware Requirements
TABLE 1-1. Endpoint Agent Hardware Requirements
The endpoint agent consumes more disk space with the following activities:
• Downloading sensitive information/policies from the DLP server
• Downloading the fingerprint file from the DLP server
• Temporarily storing incident logs or captured data when the agent is offline
• Applying patches and hot fixes
• Temporarily processing data or files that are potential leaks
Agent Installation Overview
Software Requirements
The endpoint agent runs on the following operating systems:
32-bit
• Windows 7 Ultimate SP1, Enterprise SP1, Professional SP1, Starter SP1, Home
Premium SP1, Home Basic SP1
• Windows Vista Enterprise SP1/SP2, Business SP1/SP2, Home Premium SP1/SP2,
Ultimate SP1/SP2, Home Basic SP1/SP2
• Windows XP Professional SP2/SP3, Home SP2/SP3, Tablet 2005, Media Center
SP2/SP3
• Windows 2008 Datacenter SP1/SP2, Enterprise SP1/SP2, Standard SP1/SP2
• Windows 2003 Enterprise SP1/SP2, Datacenter SP2, Standard SP1/SP2, Standard
R2 SP1/SP2, Web Edition SP2, Enterprise R2 SP1/SP2
64-bit
• Windows 7 Ultimate SP1, Enterprise SP1, Professional SP1, Starter SP1, Home
Premium SP1, Home Basic SP1
• Windows Vista Enterprise SP1/SP2, Business SP1/SP2, Home Premium SP1/SP2,
Ultimate SP1/SP2, Home Basic SP1/SP2
• Windows XP Professional SP1/SP2
• Windows 2008 Datacenter SP1/SP2, Enterprise SP1/SP2, Standard SP1/SP2,
Enterprise R2 SP1, Standard R2 SP1
• Windows 2003 Enterprise SP1/SP2, Datacenter SP2, Standard SP1/SP2, Standard
R2 SP1/SP2, Web Edition SP2, Enterprise R2 SP1/SP2
Installation Prerequisites
• You must have an overall understanding of the DLP system, as well as general
familiarity with MS DOS and Windows™ operating systems.
• Before using this guide, you must set up the server. See the QuickStart Guide
included with the product for this process.
Preparation
• If you have a previous version, you will need to perform a fresh install. Uninstall
the previous version before beginning the installation.
• If your server components are deployed with default port settings, note that the
DLP management server listens at the following ports:
• 8904, 8804: Agent connection
• 8080: Agent connection (ActiveUpdate) and web console access
• 8443: Web console access
Typically, you install the DLP server on a standalone OS with its own IP
address, so there is little chance of a conflict on those ports with other servers
that have their own IP addresses. If there is a conflict on those ports (for example,
if the servers are all behind the same firewall), you can map different firewall
ports to those ports.
• Copy the installation package into a temporary directory on your hard disk. Be sure
to maintain the directory structure, and copy all files including subdirectories to the
temporary installation directory.
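Before deploying agents, you can confirm from an endpoint that the default server ports listed above are reachable. The following PowerShell is an added example, not part of the Trend Micro package; the function name Test-DlpServerPorts and its parameters are illustrative, and 10.20.30.40 is the example server IP used in this guide.

```powershell
# Added example: Test-DlpServerPorts and its parameters are illustrative names.
function Test-DlpServerPorts {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$TimeoutMs = 3000,
        # Default listener ports from this guide. Pass a different table if
        # your firewall maps other ports to them.
        [hashtable]$Ports = @{
            8904 = 'Agent connection'
            8804 = 'Agent connection'
            8080 = 'Agent connection (ActiveUpdate) and web console access'
            8443 = 'Web console access'
        }
    )
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Asynchronous connect so a filtered port fails after $TimeoutMs
            # instead of waiting for the OS default timeout.
            $async = $client.BeginConnect($Server, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $open = $true
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{
            Server    = $Server
            Port      = $port
            Purpose   = $Ports[$port]
            Reachable = $open
        }
    }
}

# 10.20.30.40 is the example server IP from this guide; replace it with your own.
Test-DlpServerPorts -Server '10.20.30.40' |
    Format-Table Port, Reachable, Purpose -AutoSize
```

A port reported as not reachable points to a firewall rule or port mapping that must be corrected before the agent can register.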
Agent Installation with DLPforEndpoint.msi
WARNING!
install.bat must run with administrative privileges. If the target OS is Windows Vista or
later, only the administrator can execute it successfully.
Usage scenarios:
install.bat ServerIP [ MsiPath [n] [log] [nohide] [sb] ]
Parameters:
• ServerIP: The IP address of the DLP server must be the first parameter. [Required]
• MsiPath: Indicates the absolute path of DLPforEndpoint.msi. [Optional] DLP
accepts the UNC path. If omitted, DLP uses the current path.
• n: No reboot after installation. [Optional]
• log: Log the installation to file at c:\InstallDLPforEndpoint.log [Optional]
• nohide: Do not hide the Agent folder and service. [Optional]
• sb: Support safe mode. [Optional]
Note
The ServerIP must be the first parameter. The MsiPath must be the second parameter if it
exists.
2. Install the endpoint agent on a local machine from the UNC path with no reboot.
3. Install the endpoint agent with the server IP of 10.20.30.40, with the log opened
and not hiding the agent.
a. Open a command prompt.
b. Change to the directory that contains the install.bat and DLPforEndpoint.msi
files.
c. Execute the following command:
install.bat 10.20.30.40 \\server\share\DLPforEndpoint.msi n
4. Install the endpoint agent with the server IP of 10.20.30.40, with the log opened,
not hiding the agent and supporting safe mode.
a. In normal mode, open a command prompt.
b. Change to the directory that contains the install.bat and DLPforEndpoint.msi
files.
c. Execute the following command:
install.bat 10.20.30.40 DLPforEndpoint.msi sb log nohide
Installation Result
The installation is successful if the command line shows the following string:
## DLPforEndpoint installed successfully!
Otherwise, the installation has failed. If you cannot check the output of the command
line, check the log.
Log
Note
xxx represents an insignificant string.
Uninstallation
The DLP Endpoint uninstall batch file is uninstall.bat.
Usage scenarios:
• Deploy the DLPforEndpoint.msi file through the Microsoft System Center
Configuration Manager (SCCM).
• Deploy the DLPforEndpoint.msi file through the AD (Domain Controller).
• Uninstall DLP Endpoint Agent manually.
uninstall.bat [MsiPath [n] [log]]
Parameters:
• MsiPath: The absolute path of the DLPforEndpoint.msi file. [Optional]
The UNC path is accepted. If omitted, the current path is used.
• n: No reboot after uninstallation. [Optional]
Note
The MsiPath must be the first parameter if it exists.
2. Uninstall the local DLP Endpoint Agent version from the UNC path, with no
reboot.
a. Open a command prompt.
b. Change to the directory that contains the uninstall.bat file.
c. Execute the following command:
uninstall.bat \\server\share\DLPforEndpoint.msi n
Note
The password protection functionality was added to dtool.exe but not install.bat. However,
you can still use uninstall.bat to uninstall an agent that is password protected.
1. Open uninstall.bat with a text editor and find the following line:
set LPPara="-u -n"
Uninstallation Result
The uninstallation is successful when the command line shows the following string:
## DLPforEndpoint uninstall finished! Check the log in drive C for details!
Otherwise, the uninstallation has failed. If you cannot check the output of the command
line, check the log.
Log
Filename: UninstallDLPforEndpoint.log
Location: In the target machine's root drive c:\
The uninstallation is successful when the log contains:
• a. Action ended xxx: Dtool. Return value 1.
• b. xxxProduct: LeakProof -- Installation operation completed successfully.
• c. xxxProduct: LeakProof -- Removal completed successfully.
xxx represents an insignificant string.
Line a means the Dtool.exe inside the DLPforEndpoint.msi was successfully executed.
Line b means the msiexec /i command was successfully executed.
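When you cannot read the command-line output (for example, after an SCCM or AD deployment), the log check above can be scripted. The following PowerShell is an added example, not part of the Trend Micro package; the function name Test-DlpUninstallLog and the sample log lines are constructed for illustration, and only the three marker strings and the log location come from this guide.

```powershell
# Added example: Test-DlpUninstallLog is an illustrative name.
function Test-DlpUninstallLog {
    param(
        # Log location given in this guide.
        [string]$Path = 'C:\UninstallDLPforEndpoint.log'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Log not found: $Path" }

    # Get-Content honours a byte-order mark, so a UTF-16 log is read correctly.
    $lines = @(Get-Content -LiteralPath $Path)

    # The "xxx" prefix in the guide varies, so each pattern leaves it open.
    $markers = @(
        @{ Id = 'a'; Meaning = 'Dtool.exe inside the MSI executed'
           Pattern = 'Action ended .*: Dtool\. Return value 1\.' },
        @{ Id = 'b'; Meaning = 'msiexec /i command executed'
           Pattern = 'Product: LeakProof -- Installation operation completed successfully\.' },
        @{ Id = 'c'; Meaning = 'Removal message logged'
           Pattern = 'Product: LeakProof -- Removal completed successfully\.' }
    )

    foreach ($m in $markers) {
        $hit = $lines | Where-Object { $_ -match $m.Pattern } | Select-Object -First 1
        New-Object PSObject -Property @{
            Line    = $m.Id
            Meaning = $m.Meaning
            Found   = [bool]$hit
            Text    = $hit
        }
    }
}

# Constructed sample log (timestamps and prefixes are made up) to exercise the check.
$sample = Join-Path $env:TEMP 'UninstallDLPforEndpoint.sample.log'
@(
    'Action ended 10:15:02: Dtool. Return value 1.',
    'MSI (s) (5C:10) [10:15:03:120]: Product: LeakProof -- Installation operation completed successfully.',
    'MSI (s) (5C:10) [10:15:09:481]: Product: LeakProof -- Removal completed successfully.'
) | Set-Content -LiteralPath $sample -Encoding Unicode

$result = Test-DlpUninstallLog -Path $sample
$result | Format-Table Line, Found, Meaning -AutoSize

# All three lines must be present; any missing line means the uninstallation failed.
if (@($result | Where-Object { -not $_.Found }).Count -eq 0) {
    'Uninstall log complete. Restart the machine so the filter drivers are unloaded.'
} else {
    'Uninstall log incomplete. Treat the uninstallation as failed.'
}
```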
Note
DLP uses different installation packages for systems running Windows 32-bit and 64-bit
platforms. Use the package created for the type of platform installed on your system.
Perform installation for each platform type separately. If the package does not match the
platform, installation cannot be completed.
Note
DLP uses different installation packages for systems running Windows 32-bit and 64-bit
platforms. Perform uninstallation for each platform type separately.
Custom Installation
Use the msiexec command and its parameters to install the DLPforEndpoint.msi file.
Note
DLP uses different installation packages for systems running Windows 32-bit and
64-bit platforms. Use the package created for the type of platform installed on your system.
If the package does not match the platform, installation cannot be completed.
2. msiexec /x command
Note
/q: No UI
b. After the first command finishes successfully, run the following command:
msiexec /x DLPforEndpoint.msi /q /l*+ c:\InstallDLPforEndpoint.log
2. Install from a shared folder without the UI and reboot after installation.
a. Run the following command:
msiexec /i \\server\share\DLPforEndpoint.msi /q /norestart DTOOL="-i -n"
b. After the first command finishes successfully, run the following command:
msiexec /x \\server\share\DLPforEndpoint.msi /q /forcerestart
Tip
/forcerestart: Reboots the computer after installation.
DTOOL Property
DTOOL is a property of the DLPforEndpoint.msi file.
Usage: DTOOL="parameters"
Separate parameters with a space.
For example:
msiexec /i DLPforEndpoint.msi DTOOL="-i -n -clink_ip=192.168.1.1"
Current Parameters
• -i: Install.
For example:
Note
Only the domain administrator can install remotely.
The File and Printer Sharing must be in the exception list in the Microsoft Windows
Firewall on the target machine before installing or uninstalling remotely.
The User Account Control is enabled in Windows Vista and later versions by default. The
DOS prompt must be run as the administrator in order to install or uninstall locally,
whether using dtool or msi.
WARNING!
You must reboot target machines after installation and after uninstallation. Failure to
reboot after install or uninstall will put the target machine into an unknown state.
Agent Installation with dtool.exe
Dtool Parameters
Specify dtool.exe without parameters to see the Help listing. The following are
supported options.
Usage
Parameters
• -i: Install
• -u: Uninstall
Note
DLP uses different installation packages for systems running Windows 32-bit and 64-bit
platforms.
If the package does not match the platform, an error message is displayed and installation
will not be completed.
If remotely deploying DLP to both 32-bit and 64-bit platforms, run both installation
packages on a 64-bit machine. It is not possible to run the package for 64-bit platforms on
a 32-bit machine.
During remote installation, the message “computer architecture error” is displayed in the
file dtoolRemoteControl.csv when the package does not match the platform. To complete
installation, search the file for a list of machines that return the error and restart installation
using the correct package.
1. Prepare the DLP directory tree as an installation directory. Simply copy the DLP
directory from the setup DVD or other source location.
Directory tree contains:
[dir] DLP
[file] --dtool.exe
[file] --PVUSvc.exe
[file] --uninstaller.exe
[file] --updater.exe
[sub-dir] --system32
2. Open a command prompt and change the directory to the installation directory.
-- install to a local machine. Set the server ip x.x.x.x and enable the safe mode
feature.
dtool.exe -i XYZ
-- load the computer names from the list.txt file and install.
dtool.exe -i -clink_ip=x.x.x.x -ppwd
-- install to a local machine, set the server ip x.x.x.x, and set the dtool.exe password
to pwd. The password, pwd, will be required to run dtool.exe to uninstall the agent.
For example, if the password = 123, type -p123.
Note
Only the domain administrator can uninstall remotely.
Only the administrator can uninstall locally.
1. Prepare the DLP directory tree as an uninstallation directory. Simply copy the DLP
directory from the setup DVD or other source location.
2. Open a command prompt and change the directory to the uninstallation directory.
-- load the computer names from the list.txt file and uninstall.
dtool.exe -u -ppwd
-- uninstall the agent from a local machine using the password, pwd, to run
dtool.exe.
Note
This is the former method of installation.
Agent Installation with a Copied Image
3. From the command prompt, enter the dtool command. See the installation
commands in Part 3. (You do not need the -c option in this case.)
Note
The AgentGuid string is at registry key: HKEY_LOCAL_MACHINE > SOFTWARE > Provilla
8. Restart the new machine and change its machine name and IP accordingly.
Note
The network remains available during this process. There is no need to disconnect the network.
The second machine can automatically register with the DLP server.
Chapter 2
COMPONENT SPECIFICATION
Memory 2048MB
Note
Trend Micro recommends at least 4096MB of
RAM.
Note
Trend Micro recommends at least 250GB of
disk space for incident logs, fingerprints, and
other data storage purposes.
DLP Virtual Appliance Installation
Note
When using VMware, the DLP server performance may degrade depending on the
CPU, memory, and the hard disk drive input/output in the virtual machine.
WARNING!
Any existing data or partitions are removed during the installation process. Back up any
existing data on the system (if any) before installing DLP VA.
WARNING!
If you install DLPVA on an ESX server, disable the snapshot feature for the virtual
machine. Otherwise, the snapshot will exhaust hard disk space.
http://www.trendmicro.com/download
Exit Installation Exits the installation process to boot from the local
disk.
4. Select the keyboard language for the system and click Next.
Note
If the host hardware contains any components that do not meet the minimum
specifications, the installation program highlights the non-conforming components
and the installation stops.
5. Click Next.
The DLP VA installer detects and displays all available hard disk drives.
6. Select at least one drive for the DLP VA installation.
7. If the hard drive requires partitioning, a warning appears above the list of available
hard drives. Click Next to continue with the partitioning.
8. Select the drive to use for the DLP VA installation and click Next.
The network settings screen appears.
Note
Although the Dell R610 has multiple network interface ports, you must configure the
eth0 interface. The DLP management server only manages agents (DLP Network
Monitor and DLP Endpoint agents) using the eth0 interface. You will connect agents
to the DLP server using the eth0 interface.
9. Type the following network settings for eth0 and click Next.
FIELD: DESCRIPTION
• IPv4 Address: This is the IP address of the DLPVA management interface. Type
the IP address and appropriate subnet mask to complete the configuration.
• Hostname: Type the Fully Qualified Domain Name (FQDN) for this DLPVA
host. Hostname must be unique so that you can identify the DLP
management server when you register the agents to the server.
• Gateway: Type the IP address to be used as the gateway for this DLPVA
installation.
• Primary DNS: Type the IP address to be used as the primary DNS server for
this DLPVA installation.
• Secondary DNS: Type the IP address to be used as the secondary DNS server for
this DLPVA installation.
Note
You can reconfigure the date format on the web console. See Reconfiguring the DLP
Web Console Date Format on page 2-17.
Note
You can click a yellow point to select a city in a different region.
12. Specify passwords for the root, enable, and admin accounts. DLP VA uses three
different levels of administrator types to secure the system. The password must be
a minimum of eight characters and a maximum of 32 characters.
Tip
For the best security, create a strong, unique password using uppercase and lowercase
letters, numerals, and special characters found on your keyboard.
• Root Account: Accesses the operating system shell and has all rights to the
server. This is the most powerful user on the system.
15. Select Continue to erase any data on the hard disk partition and format the hard
disk. If you have data on the hard disk that you need to keep, cancel the installation
and back up the information before proceeding.
16. Click Continue.
A screen appears with the formatting status of the local drive. When formatting
completes, the DLP VA installation begins.
After the installation completes, a summary screen appears. The installation log is
saved in the /root/install.log file for reference.
The DVD automatically ejects. Remove the DVD from the drive to prevent
reinstallation.
Trend Micro recommends disconnecting the DVD drive from the virtual machine
now that DLPVA is installed.
Configuring Network Settings
Note
During installation, you might receive the following messages:
Both of these messages are normal. The latter message indicates that the system
BIOS is not reporting or presenting any PSB or ACPI objects or hooks to the Linux
kernel. Either the CPU or BIOS does not support PSB or ACPI objects or hooks, or
they are simply disabled.
18. After installation, log on to the CLI to enable the DLP server.
You can also log on to the CLI shell to perform additional configuration,
troubleshooting, or housekeeping tasks.
Note
You must configure system settings, such as network settings, through the DLP VA
CLI. You cannot configure system settings using Linux commands. If you do, the
settings are not saved in the configuration file and the agent will not be able to register with
the server.
The default users for the DLP server CLI are admin, enable and root. Log on to the
DLP server CLI as admin to configure the network settings if you have not already done
so. If you received the DLP VA pre-installed with your appliance, use the default
password, “trenddlp.” You will automatically enter the CLI where you are required to
configure the network.
Reconfiguring the DLP Web Console Date Format
Note
To change network settings, you can log on at any time and use the command
“configure DLP network” if needed.