DLP 5.6 Ig

Trend Micro Incorporated reserves the right to make changes to this document and to
the products described herein without notice. Before installing and using the software,
please review the readme files, release notes, and the latest version of the applicable user
documentation, which are available from the Trend Micro website at:
http://docs.trendmicro.com
Trend Micro, the Trend Micro t-ball logo, and TrendLabs are trademarks or registered
trademarks of Trend Micro Incorporated. All other product or company names may be
trademarks or registered trademarks of their owners.
Copyright © 2012 Trend Micro Incorporated. All rights reserved.
Document Part No.: LPEM54474/100607
Release Date: June 2012
Protected by U.S. Patent No. 7,516,130 and U.S. Patent No. 7,747,642.
The user documentation for Trend Micro Data Loss Prevention introduces the main
features of the software and installation instructions for your production environment.
Read through it before installing or using the software.
Detailed information about how to use specific features within the software are available
in the online help file and the online Knowledge Base at the Trend Micro website.
Trend Micro always seeks to improve its documentation. If you have questions,
comments, or suggestions about this or any Trend Micro document, please contact us at
docs@trendmicro.com.
Please evaluate this documentation on the following site:
http://www.trendmicro.com/download/documentation/rating.asp
1
Table of Contents
Chapter 1: Installing the DLP Endpoint Agent

Agent Installation Overview ......................................................................... 1-2
System Requirements ............................................................................. 1-2
Installation Prerequisites ....................................................................... 1-3
Preparation .............................................................................................. 1-4
Agent Installation with DLPforEndpoint.msi ........................................... 1-4
Agent Installation with install.bat ........................................................ 1-4
Agent Installation with Microsoft System Center Configuration
Manager (SCCM) .................................................................................. 1-10
Custom Installation .............................................................................. 1-12
DTOOL Property ................................................................................ 1-13
Agent Installation with dtool.exe ............................................................... 1-14
Dtool Parameters ................................................................................. 1-15
Installing DLP with Dtool.exe ........................................................... 1-16
Uninstalling DLP with DTool.exe ..................................................... 1-17
Performing Custom Installation ........................................................ 1-18
Enabling Safe Mode Support ............................................................. 1-19
Agent Installation with a Copied Image ................................................... 1-19
Installing the DLP Endpoint Agent by Copying the Image .......... 1-19
Chapter 2: Installing the DLP Virtual Appliance

DLP Virtual Appliance Installation ............................................................. 2-2
Virtual Machine Specifications ............................................................. 2-2
Installing the DLP Virtual Appliance .................................................. 2-3
Configuring Network Settings .................................................................... 2-15
Configuring Network Settings through the DLP Server CLI ....... 2-16
Reconfiguring the DLP Web Console Date Format .............................. 2-17
i
Trend Micro DLP Endpoint 5.6 Installation Guide
ii
Chapter 1
Installing the DLP Endpoint Agent
1-1
Agent Installation Overview

You can install the DLP Endpoint agent using one of the following methods.
• Install with DLPforEndpoint.msi
• Install with Dtool.exe
• Deploy to multiple endpoints by copying an image
WARNING!
You must restart target machines after installation and uninstallation. Failure to restart after
uninstallation leaves filter drivers in place until the machine is shut down.
System Requirements
Hardware Requirements
TABLE 1-1. Endpoint Agent Hardware Requirements
SPECIFICATIONS MINIMUM RECOMMENDED
CPU 300MHz Intel Pentium or 1024MHz Intel Pentium or

equivalent greater
RAM 128MB 1024MB or greater
Available Disk Space 300MB 1GB or greater
Network Interface Card (NIC) 10/100 Mbps
The endpoint agent consumes more disk space with the following activities:
• Downloading sensitive information/policies from the DLP server
• Downloading the fingerprint file from the DLP server
• Temporarily storing incident logs or captured data when the agent is offline
• Applying patches and hot fixes
• Temporarily processing data or files that are potential leaks
1-2
Agent Installation Overview
Software Requirements
The endpoint agent runs on the following operating systems:
32-bit
• Windows 7 Ultimate SP1, Enterprise SP1, Professional SP1, Starter SP1, Home
Premium SP1, Home Basic SP1
• Windows Vista Enterprise SP1/SP2, Business SP1/SP2, Home Premium SP1/SP2,
Ultimate SP1/SP2, Home Basic SP1/SP2
• Windows XP Professional SP2/SP3, Home SP2/SP3, Tablet 2005, Media Center
SP2/SP3
• Windows 2008 Datacenter SP1/SP2, Enterprise SP1/SP2, Standard SP1/SP2
• Windows 2003 Enterprise SP1/SP2, Datacenter SP2, Standard SP1/SP2, Standard
R2 SP1/SP2, Web Edition SP2, Enterprise R2 SP1/SP2
64-bit
• Windows 7 Ultimate SP1, Enterprise SP1, Professional SP1, Starter SP1, Home
Premium SP1, Home Basic SP1
• Windows Vista Enterprise SP1/SP2, Business SP1/SP2, Home Premium SP1/SP2,
Ultimate SP1/SP2, Home Basic SP1/SP2
• Windows XP Professional SP1/SP2
• Windows 2008 Datacenter SP1/SP2, Enterprise SP1/SP2, Standard SP1/SP2,
Enterprise R2 SP1, Standard R2 SP1
• Windows 2003 Enterprise SP1/SP2, Datacenter SP2, Standard SP1/SP2, Standard
R2 SP1/SP2, Web Edition SP2, Enterprise R2 SP1/SP2
Installation Prerequisites
• You must have an overall understanding of the DLP system, as well as general
familiarity with MS DOS and Windows™ operating systems.
• Before using this guide, you must set up the server. See the QuickStart Guide
included with the product for this process.
1-3
• Ensure that you have administrative privileges on all endpoints.

• DLP uses different installation packages for systems running Windows 32-bit and
64-bit platforms. Use the package created for the type of platform installed on your
system. If the package does not match the platform, installation cannot be
completed.
Preparation
• If you have a previous version, you will need to perform a fresh install. Uninstall
the previous version before beginning the installation.
• If your server components are deployed with default port settings, note that the
DLP management server listens at the following ports:
• 8904, 8804: Agent connection
• 8080: Agent connection (ActiveUpdate) and web console access
• 8443: Web console access
Basically, you install the DLP server on a standalone OS with a standalone IP
address. There is little chance of conflict on those ports with other servers that
have their own IP addresses. If there is a conflict on those ports (such as if they are
all behind the same firewall), you can use different firewall ports to map to those
ports.
• Copy the installation package into a temporary directory on your hard disk. Be sure
to maintain the directory structure, and copy all files including subdirectories to the
temporary installation directory.
Agent Installation with DLPforEndpoint.msi

This topic describes how to install, uninstall and deploy DLPforEndpoint.msi.
Agent Installation with install.bat

You can install the agent using the install.bat batch file.
1-4
WARNING!
install.bat must run with administrative privileges. If the target OS is Windows Vista or
later, only the administrator can execute it successfully.
Usage scenarios:
install.bat ServerIP [ MsiPath [n] [log] [nohide] [sb] ]
Parameters:
• ServerIP: The IP address of the DLP server must be the first parameter. [Required]
• MsiPath: Indicates the absolute path of DLPforEndpoint.msi. [Optional] DLP
accepts the UNC path. If omitted, DLP uses the current path.
• n: No reboot after installation. [Optional]
• log: Log the installation to file at c:\InstallDLPforEndpoint.log [Optional]
• nohide: Do not hide the Agent folder and service. [Optional]
• sb: Support safe mode. [Optional]
Note
The ServerIP must be the first parameter. The MsiPath must be the second parameter if it
exists.
Sample Installation Procedures

1. Install the endpoint agent on a local machine with the server IP of 10.20.30.40
a. Open a command prompt.
b. Change to the directory that contains the install.bat and DLPforEndpoint.msi
files.
c. Execute the following command:
install.bat 10.20.30.40
2. Install the endpoint agent on a local machine from the UNC path with no reboot.
1-5

b. Change to the directory that contains the install.bat file.
install.bat 10.20.30.40 \\server\share
\DLPforEndpoint.msi n
3. Install the endpoint agent with the server IP of 10.20.30.40, with the log opened
and not hiding the agent.
files.
install.bat 10.20.30.40 \\server\share
\DLPforEndpoint.msi n
4. Install the endpoint agent with the server IP of 10.20.30.40, with the log opened,
not hiding the agent and supporting safe mode.
a. In normal mode, open a command prompt.
files
install.bat 10.20.30.40 DLPforEndpoint.msi sb log nohide
Installation Result
The installation is successful if the command line shows the following string:
## DLPforEndpoint installed successfully!
Otherwise, the installation has failed. If you cannot check the output of the command
line, check the log.
Log
1-6
File name: InstallDLPforEndpoint.log

Location: In the target machine's root drive c:\
Installation is successful if the log contains:
• a. Action ended xxx: Dtool. Return value 1.
• b. xxxProduct: LeakProof -- Installation operation completed successfully.
• c. xxxProduct: LeakProof -- Removal completed successfully.
Note
xxx represents an insignificant string.
Line a means Dtool.exe inside the DLPforEndpoint.msi was successfully executed.

Line b means the msiexec /i command was successfully executed.
Line c means the msiexec /x command was successfully executed.
Uninstallation
The DLP Endpoint uninstall batch file is uninstall.bat.
Usage scenarios:
• Deploy the DLPforEndpoint.msi file through the Microsoft System Center
Configuration Manager (SCCM).
• Deploy the DLPforEndpoint.msi file through the AD (Domain Controller).
• Uninstall DLP Endpoint Agent manually.
uninstall.bat [MsiPath [n] [log]]
Parameters:
• MsiPath: The absolute path of the DLPforEndpoint.msi file. [Optional]
The UNC path is accepted. If omitted, the current path is used.
• n: No reboot after uninstallation. [Optional]
1-7
• log: Log the uninstallation to the c:\UninstallDLPforEndpoint.log file [Optional].
Note
The MsiPath must be the first parameter if it exists.
Sample Uninstallation Procedures

1. Uninstall local DLP Endpoint Agent with log opened.
b. Change to the directory that contains the uninstall.bat and
DLPforEndpoint.msifiles.
uninstall.bat DLPforEndpoint.msi log
2. Uninstall the local DLP Endpoint Agent version from the UNC path, with No
reboot.
b. Change to the directory that contains the uninstall.bat file.
uninstall.bat \\server\share\DLPforEndpoint.msi n
Uninstalling Password-protected Agents
Note
The password protection functionality was added to dtool.exe but not install.bat. However,
you can still use uninstall.bat to uninstall an agent that is password protected.
1. Open uninstall.bat with a text editor and find the following line:
set set LPPara=“-u -n”
2. Change the line to the following line:
1-8
set set LPPara=“-u -n -p{password}”
Password is a placeholder for your actual password. Password accepts

alphanumeric characters and no spaces.
3. Save the uninstall.bat file.
4. Open a command prompt.
5. Change to the directory that contains the uninstall.bat and
DLPforEndpoint.msifiles.
6. Execute the following command:
uninstall.bat DLPforEndpoint.msi n
Uninstallation Result
The uninstallation is successful when the command line shows the following string:
## DLPforEndpoint uninstall finished! Check the log in drive C for details!
Otherwise, the uninstallation has failed. If you cannot check the output of the command
line, check the log.
Log
Filename: UninstallDLPforEndpoint.log
Location: In the target machine's root drive c:\
The uninstall was successful when the log contains:
• a. Action ended xxx: Dtool. Return value 1.
• b. xxxProduct: LeakProof -- Installation operation completed successfully.
• c. xxxProduct: LeakProof -- Removal completed successfully.
xxx represents an insignificant string.
Line a means the Dtool.exe inside the DLPforEndpoint.msiwas successfully executed.
Line b means the msiexec /i command was successfully executed.
1-9
Line c means the msiexec /x command was successfully executed.
Agent Installation with Microsoft System Center

Configuration Manager (SCCM)
Deploying Agents Using SCCM
Note
DLP uses different installation packages for systems running Windows 32-bit and 64-bit
platforms. Use the package created for the type of platform installed on your system.
Perform installation for each platform type separately. If the package does not match the
platform, installation cannot be completed.
1. Create a shared folder that contains the DLPforEndpoint.msi, install.bat, and

uninstall.bat files on the server.
2. Create a package in the Software Distribution folder of the SCCM Computer
Management section.
a. Right-click Packages and select New > Package.
b. Complete the General panel of the New Package Wizard.
c. Set the Source Directory (the share folder) in the Data Source panel.
3. Create a Distribution Point for the Package.
4. Create an install program for the Package.
a. Set the command line with: install.bat x.x.x.x (x.x.x.x is the server_ip).
b. Set Run: Hidden.
c. Set the Run Mode: Run with administrative rights.
d. Select Suppress program notifications.
5. Create an install advertisement for the Package.
a. Set the Package created above.
1-10
b. Set the install Program created above.

c. Set the collection to deploy.
Uninstalling Agents Using Microsoft SCCM
Note
platforms. Perform uninstallation for each platform type separately.
1. Create a share folder that contains the DLPforEndpoint.msi, install.bat, and

uninstall.bat files on the server.
2. Create a package in the Software Distribution folder of the SCCM Computer
Management section.
a. Right-click Packages and select New > Package.
b. Complete the General panel of the New Package Wizard.
c. Set the Source Directory (the share folder) in the Data Source panel.
3. Create a Distribution Point for the Package.
a. Set the command line: uninstall.bat
b. Set Run: Hidden.
4. Create an uninstall program for the Package.
a. Set the command line: uninstall.bat
b. Set Run: Hidden.
d. Select Suppress program notifications.
5. Create an uninstall advertisement for the Package
a. Set the Package created above.
1-11
b. Set the uninstall Program created above.
c. Set the collection to deploy.
Custom Installation
Use the msiexec command and its parameters to install the DLPforEndpoint.msi file.
Note
DLP uses different installation packages for systems running Windows 32-bit and
64-bit platforms. Use the package created for the type of platform installed on your system.
If the package does not match the platform, installation cannot be completed.
Two-step Custom Installation

1. msiexec /i command with the DTOOL property
a. Extract the DLP Endpoint setup files to a temporary folder.
b. Run Dtool in the temporary folder with parameters.
c. DTOOL Property: Refer to the DTOOL Property.
2. msiexec /x command
a. Clean up the files extracted to the temporary folder.
b. Clean up the registry keys written by the /i command.
Sample Installation Procedures

1. Install locally without the UI. Specify the server IP 1.2.3.4, and log on to the c:
\InstallDLPforEndpoint.log file.
a. Run the following command:
msiexec /i DLPforEndpoint.msi /q /norestart DTOOL="-i -n

-clink_ip=1.2.3.4" /log c:\InstallDLPforEndpoint.log
1-12
Note
/q: No UI
/log xxx: Record the log to the xxx file
/l*+ file.log: Record the log to the existing xxx file
b. After the first command finishes successfully, run the following command:
msiexec /x DLPforEndpoint.msi /q /l*+ c:
\InstallDLPforEndpoint.log
2. Install from a share folder without the UI and reboot after installation.
a. Run the following command:
msiexec /i \\server\share\DLPforEndpoint.msi /q /
norestart DTOOL="-i -n"
b. After the first command finishes successfully, run the following command.
msiexec /x \\server\share\DLPforEndpoint.msi /q /
forcerestart
Tip
/forcerestart: Reboots the computer after installation.
DTOOL Property
DTOOL is a property of the DLPforEndpoint.msifile.
Usage: DTOOL=''parameters''
Separate parameters with a space.
For example:
msiexec /i DLPforEndpoint.msi DTOOL="-i -n -
clink_ip=192.168.1.1"
Current Parameters
1-13
• -i: Install.
• -n: no reboot after installation.
• -cpara=value: Specify the parameters when installing (combine with -i).
For example:
clink_ip=[x.x.x.x], server IP address is x.x.x.x
Agent Installation with dtool.exe

Dtool.exe offers additional installation functions not available with install.bat, such as
the “install with password” function. The “install with password” function protects
unauthorized DLP Agent uninstalls by requiring a password to run dtool. The dtool.exe
executable is a command line application for deploying the DLP Endpoint agent to
client machines (endpoints) throughout the network.
Note
Only the domain administrator can install remotely.
Only the accounts with administrative privilege can install locally.
The File and Printer Sharing must be in the exception list in the Microsoft Windows
Firewall on the target machine before installing or uninstalling remotely.
The User Account Control is enabled in Windows Vista and later versions by default. The
DOS prompt must be run as the administrator in order to install or uninstall locally,
whether using dtool or msi.
WARNING!
You must reboot target machines after installation and after uninstallation. Failure to
reboot after install or uninstall will put the target machine into an unknown state.
To recover from an unknown state:
reboot - uninstall - reboot - install - reboot
1-14
Dtool Parameters
Specify dtool.exe without parameters to see the Help listing. The following are
supported options.
Usage
dtool.exe [-i [-cpara=value] [-ppwd] [-sb] ] [-u] [-s] [-d] n

[-n] [-v] [-q] [-ffilename] [computer_name]
Parameters
• -i: Install
• -sb: Support safe mode in DLP agent.
• -u: Uninstall
• -e: update install, keep original settings and policy
• -s: Silent reboot, no shutdown message box.
• -dx: Delay rebooting x minutes (maximum to 11:59PM today).
• -n: No reboot after install/update/uninstall.
• -v: Show dtool version.
• -q: Quiet mode, no messages.
• -fx: Take computer names from file x:
One computer name for each line in file x.
• -efile.cfg: update, install, keep settings indicated by file.cfg.
• -cpara=value: Specify parameters when installing (combine with -i).
Para list: link_ip=[x.x.x.x], Server IP address;
link_port=[x], Server Port;
hide_me=[true|false], Hide agent or not.
1-15
• -ppwd: pwd is the protection password when installing or uninstalling. The

password is 1-20 characters, including [a-z][A-Z][0-9] and [~!@#$^&*()_+-={}
[];:,.?.
• computer_name: This must be the last one in the command, if any.
Installing DLP with Dtool.exe
Note
platforms.
If the package does not match the platform, an error message is displayed and installation
will not be completed.
If remotely deploying DLP to both 32-bit and 64-bit platforms, run both installation
packages on a 64-bit machine. It is not possible to run the package for 64-bit platforms on
a 32-bit machine.
During remote installation, the message “computer architecture error” is displayed in the
file dtoolRemoteControl.csv when the package does not match the platform. To complete
installation, search the file for a list of machines that return the error and restart installation
using the correct package.
1. Prepare the DLP directory tree as an installation directory. Simply copy the DLP
directory from the setup DVD or other source location.
Directory tree contains:
[dir] DLP
[file] --dtool.exe
[file] --PVUSvc.exe
[file] --uninstaller.exe
[file] --updater.exe
[sub-dir] --system32
2. Open a command prompt and change the directory to the installation directory.
1-16
3. Enter the dtool command from the command prompt.

Command samples:
dtool.exe -i -clink_ip=x.x.x.x
-- install to a local machine and set the server ip x.x.x.x.

dtool.exe -i -clink_ip= x.x.x.x -sb
-- install to a local machine. Set the server ip x.x.x.x and enable the safe mode
feature.
dtool.exe -i XYZ
-- install to a remote machine XYZ.

dtool.exe -i -s -d10
-- install silently and reboot the system after 10 minutes.

dtool.exe -i -flist.txt
-- load the computer names from the list.txt file and install.
dtool.exe -i -clink_ip=x.x.x.x -ppwd
-- install to a local machine, set the server ip x.x.x.x, and set the dtool.exe password
to pwd. The password, pwd, will be required to run dtool.exe to uninstall the agent.
For example, if the password = 123, type -p123.
Uninstalling DLP with DTool.exe
Note
Only the domain can uninstall remotely.
Only the administrator can uninstall locally.
1. Prepare the DLP directory tree as an uninstallation directory. Simply copy the DLP
directory from the setup DVD or other source location.
2. Open a command prompt and change the directory to the uninstallation directory.
1-17
3. Enter the dtool command from the command prompt.

Command samples:
dtool.exe -u
-- uninstall the agent of a local machine.

dtool.exe -u XYZ
-- uninstall the agent of a remote machine XYZ.

dtool.exe -u -flist.txt
-- load the computer names from the list.txt file and uninstall.
dtool.exe -u -ppwd
-- uninstall the agent from a local machine using the password, pwd, to run
dtool.exe.
Performing Custom Installation
Note
This is the former method of installation.
1. Configure two files:

dsa.pro
dsa.loc
The file, dsa.pro in system32\dgagent, configures the DLP agent.
Configuration options:
link_ip = (Server IPv4 address)
link_port = (Server configured link port number)
hide_me = (Set to false to see the agent process, service and registry keys)
2. Open a command prompt and change the directory to the installation directory.
1-18
Agent Installation with a Copied Image
3. From the command prompt, enter the dtool command. See commands of
installation in Part 3. (You do not need the -c option in this case).
Enabling Safe Mode Support

You must use “sb” option for the DLP agent to work in safe mode. To directly enable
safe mode after the installation, use the following command:
�- dtool.exe -sb
Agent Installation with a Copied Image

You can ghost one machine with the DLP agent installed and copy the image for virtual
machines on other endpoints. However, you must remove the GUID of the DLP agent
before copying the image.
Installing the DLP Endpoint Agent by Copying the Image

1. Create a virtual machine with the installed DLP Endpoint agent.
2. Stop the DLP Endpoint agent.
3. Delete the DLP Endpoint agent GUID.
Note
The AgentGuid string is at registry key: HKEY_LOCAL_MACHINE > SOFTWARE >
Provilla
4. Stop the operating system on the virtual machine.

5. Copy the virtual machine with the installed agent to another virtual machine.
(Ghost the physical image or virtual image of the original virtual machine.)
6. Start the second virtual machine with the copied image.
7. Change the operating system name and IP address for the new machine.
1-19
8. Restart the new machine and change its machine name and IP accordingly.
Note
The network is available during this. There is no need to disconnect the network.
The second machine can automatically register with the DLP server.
1-20
Chapter 2
Installing the DLP Virtual Appliance
2-1
DLP Virtual Appliance Installation

The DLP Virtual Appliance (DLP VA) only supports new installations. You cannot
upgrade an existing DLP installation. The DLP VA installation process formats your
existing system for DLP VA. The installation procedure is basically the same for both a
Bare Metal and a VMware ESX virtual machine platform. However, the Bare Metal
installation boots from the DLP VA installation DVD to begin the procedure.
Virtual Machine Specifications

If you are installing the DLP VA on a new virtual machine under VMware ESX 3.5,
ensure that you create the new virtual machine with the following configuration:
TABLE 2-1. ESX Virtual Machine Specifications
COMPONENT SPECIFICATION
Guest Operating System Redhat Enterprise Linux 4 (32-bit)
Virtual CPUs 1 (DLP currently supports one virtual processor).
Memory 2048MB
Note
Trend Micro recommends at least 4096MB of
RAM.
Network Interface Card (NIC) DLP supports only 1 NIC.
Disk Size 30GB minimum
Note
Trend Micro recommends at least 250GB of
disk space for incident logs, fingerprints, and
other data storage purposes.
2-2
Note
When using VMware, the DLP server performance may downgrade depending on the
CPU, memory, and the hard disk drive input/output in the virtual machine.
Installing the DLP Virtual Appliance
WARNING!
Any existing data or partitions are removed during the installation process. Back up any
existing data on the system (if any) before installing DLP VA.
1. Start the DLP VA installation:

On a Bare Metal Server
a. Insert the Data Loss PreventionVA Installation DVD into the server’s
DVD drive.
b. Power on the Bare Metal server.
On a VMware ESX Virtual Machine
WARNING!
If you install DLPVA on an ESX server, disable the snapshot feature for the virtual
machine. Otherwise, the snapshot will exhaust hard disk space.
a. Start the virtual machine on your VMware ESX server.

b. Insert the Data Loss PreventionVA Installation DVD into the virtual DVD
drive with any one of the following methods.
* Insert the DLP VA Installation DVD into a physical DVD drive on the
ESX server. Then connect the virtual DVD drive of the virtual machine to
the physical DVD drive.
* Connect the virtual DVD drive of the virtual machine to the Data Loss
PreventionDLPVA-5.5.xxxx-i386-DVD.iso file. The Data Loss
PreventionDLPVA-5.5.xxxx-i386-DVD.iso file is available at:
2-3
http://www.trendmicro.com/download
c. Restart the virtual machine by clicking VM > Send Ctrl+Alt+Del on the

VMware Web console.
The DLP VA installation menu appears.
FIGURE 2-1. Data Loss Prevention VA installation menu
These are the options on the DLP VA installation menu:
TABLE 2-2. DLP VA Installation Menu Options
MENU OPTIONS DESCRIPTION
Install DLP VA Installs DLP VA onto the new hardware or virtual

machine.
2-4
MENU OPTIONS DESCRIPTION
System Recovery Recovers a DLP VA system if the administrative

passwords cannot be recovered.
System Memory Performs memory diagnostic tests to rule out memory

Test issues.
Exit Installation Exits the installation process to boot from the local
disk.
2. Select Install DLP VA.
The license agreement screen appears.
FIGURE 2-2. DLP VA Wizard License Agreement screen
3. Click Accept to continue.
2-5
The keyboard language selection screen appears.
FIGURE 2-3. DLP VA Wizard keyboard selection
4. Select the keyboard language for the system and click Next.
2-6
The DLP VA installer scans your hardware to determine if the minimum

specifications have been met and displays the results.
FIGURE 2-4. DLP VA Wizard hardware components screen
Note
If the host hardware contains any components that do not meet the minimum
specifications, the installation program highlights the non-conforming components
and the installation stops.
5. Click Next.
The DLP VA installer detects and displays all available hard disk drives.
6. Select at least one drive for the DLP VA installation.
7. If the hard drive requires partitioning, a warning appears above the list of available
hard drives. Click Next to continue with the partitioning.
2-7
8. Select the drive to use for the DLP VA installation and click Next.
The network settings screen appears.
FIGURE 2-5. DLP VA Wizard network settings screen
Note
Although the Dell R610 has multiple network interface ports, you must configure the
eth0 interface. The DLP management server only manages agents (DLP Network
Monitor and DLP Endpoint agents) using the eth0 interface. You will connect agents
to the DLP server using the eth0 interface.
9. Type the following network settings for eth0 and click Next.
2-8
TABLE 2-3. Network Settings Fields
FIELD DESCRIPTION
IPv4 Address This is the IP address of the DLPVA management interface. Type
the IP address and appropriate subnet mask to complete the
configuration.
Hostname Type the Fully Qualified Domain Name (FQDN) for this DLPVA
host. Hostname must be unique so that you can identify the DLP
management server when you register the agents to the server.
Gateway Type the IP address to be used as the gateway for this DLPVA
installation.
Primary DNS Type the IP address to be used as the primary DNS server for
this DLPVA installation.
Secondary Type the IP address to be used as the secondary DNS server for
DNS this DLPVA installation.
2-9
The Network Time Protocol (NTP) settings screen appears.
FIGURE 2-6. DLP VA Wizard NTP settings screen
Note
You can reconfigure the date format on the web console. See Reconfiguring the DLP
Web Console Date Format on page 2-17.
10. Specify the DLP VA server time and clock settings.

a. Select the location of the DLP VA server.
b. Specify whether the server system clock uses UTC.
Note
You can click a yellow point to select a city in a different region.
2-10
11. Click Next.

The account settings screen appears.
FIGURE 2-7. DLP VA Wizard account settings screen
12. Specify passwords for the root, enable, and admin accounts. DLP VA uses three
different levels of administrator types to secure the system. The password must be
a minimum of eight characters and a maximum of 32 characters.
Tip
For the best security, create a highly unique password using upper and lower case
alphabetic characters, numerals, and special characters found on your keyboard.
• Root Account: Accesses the operating system shell and has all rights to the
server. This is the most powerful user on the system.
2-11
• Enable Account: Accesses the command line interface (CLI) - privilege

mode. This account has all rights to execute any CLI command.
• Admin Account: Accesses the Data Loss PreventionVA CLI management
interfaces. It has all rights to the Data Loss PreventionVA application but no
access rights to the operating system shell.
13. Click Next.
The review settings screen appears.
14. Confirm that the selected values are correct, and click Next.
The installation process prompts you to begin the installation.
15. Select Continue to erase any data on the hard disk partition and format the hard
disk. If you have data on the hard disk that you need to keep, cancel the installation
and back up the information before proceeding.
16. Click Continue.
2-12
A screen appears with the formatting status of the local drive. When formatting
completes, the DLP VA installation begins.
FIGURE 2-8. DLP VA Wizard formatting status screen
2-13
After the installation completes, a summary screen appears. The installation log is
saved in the /root/install.log file for reference.
FIGURE 2-9. DLP VA Wizard Installation Successful screen
17. Click Reboot to restart the system.
Bare Metal installation:
The DVD automatically ejects. Remove the DVD from the drive to prevent
reinstallation.
Virtual machine installation:
Trend Micro recommends disconnecting the DVD drive from the virtual machine
now that DLPVA is installed.
After DLPVA reboots, the initial CLI login screen appears.
2-14
Configuring Network Settings
Note
During installation, you might receive the following messages:
for crash kernel (0x0 to 0x0) not within permissible range
powernow-k8: bios error -no psb or acpi_pss objects
Both of these messages are normal. The latter message indicates that the system
BIOS is not reporting or presenting any PSB or ACPI objects or hooks to the Linux
kernel. Either the CPU or BIOS does not support PSB or ACPI objects or hooks, or
they are simply disabled.
18. After installation, log on to the CLI to enable the DLP server.
You can also log on to the CLI shell to perform additional configuration,
troubleshooting, or housekeeping tasks.
Configuring Network Settings

If you received the DLP VA pre-installed with your appliance, then you must configure
network settings from the DLP server command line interface (CLI) before logging on
to the DLP web console. If you re-installed or installed the DLP VA yourself, you set up
the network settings during the installation process. Therefore, you can go directly to the
DLP web console.
Note
You must configure system configurations, such as network settings, through the DLP VA
CLI. You cannot configure system configurations using Linux commands. If you do,
settings are not saved in the configuration file and the agent will not be able to register with
the server.
The default users for the DLP server CLI are admin, enable and root. Log on to the
DLP server CLI as admin to configure the network settings if you have not already done
so. If you received the DLP VA pre-installed with your appliance, use the default
password, “trenddlp.” You will automatically enter the CLI where you are required to
configure the network.
2-15
Configuring Network Settings through the DLP Server CLI

1. Log on to the DLP server CLI.
The DLP server command prompt appears.
FIGURE 2-10. Command line interface
2. Type enable and press Enter.

3. Type the Enable account password and press Enter.
You enter privileged mode.
4. Set up the IP, Gateway, and DNS.
2-16
Reconfiguring the DLP Web Console Date Format
FIGURE 2-11. Configure IP settings
Note
To change network settings, you can log on at any time and use the command
“configure DLP network” if needed.
Reconfiguring the DLP Web Console Date

Format
You can change the date format that displays on the DLP web console.
1. Log on to the DLP management server as root.
2. Edit the systemConf.properties file at /home/dgate/prod/common/cfg/.
3. Change the user.defined.locale.key=en-US parameter to any of the following
locales: en-US, en-CA, zh-CHS, zh-CHT, ja-JP, ko-KR, or fr-FR.
2-17
4. Change the user.defined.time.format=short date parameter. This parameter can be

short date or long date.
5. Reboot the server so the changes can take effect.
2-18

DLP 5.6 Ig

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DLP 5.6 Ig

Uploaded by

Copyright:

Available Formats

Trend Micro Incorporated reserves the right to make changes to this document and to

Chapter 1: Installing the DLP Endpoint Agent

Chapter 2: Installing the DLP Virtual Appliance

Installing the DLP Endpoint Agent

Agent Installation Overview

SPECIFICATIONS MINIMUM RECOMMENDED

CPU 300MHz Intel Pentium or 1024MHz Intel Pentium or

RAM 128MB 1024MB or greater

Available Disk Space 300MB 1GB or greater

Network Interface Card (NIC) 10/100 Mbps

• Ensure that you have administrative privileges on all endpoints.

Agent Installation with DLPforEndpoint.msi

Agent Installation with install.bat

Sample Installation Procedures

a. Open a command prompt.

File name: InstallDLPforEndpoint.log

Line a means Dtool.exe inside the DLPforEndpoint.msi was successfully executed.

• log: Log the uninstallation to the c:\UninstallDLPforEndpoint.log file [Optional].

Sample Uninstallation Procedures

Uninstalling Password-protected Agents

2. Change the line to the following line:

set set LPPara=“-u -n -p{password}”

Password is a placeholder for your actual password. Password accepts

Line c means the msiexec /x command was successfully executed.

Agent Installation with Microsoft System Center

Deploying Agents Using SCCM

1. Create a shared folder that contains the DLPforEndpoint.msi, install.bat, and

b. Set the install Program created above.

Uninstalling Agents Using Microsoft SCCM

1. Create a share folder that contains the DLPforEndpoint.msi, install.bat, and

b. Set the uninstall Program created above.

c. Set the collection to deploy.

Two-step Custom Installation

a. Extract the DLP Endpoint setup files to a temporary folder.

b. Run Dtool in the temporary folder with parameters.

c. DTOOL Property: Refer to the DTOOL Property.

a. Clean up the files extracted to the temporary folder.

b. Clean up the registry keys written by the /i command.

Sample Installation Procedures

a. Run the following command:

msiexec /i DLPforEndpoint.msi /q /norestart DTOOL="-i -n

/log xxx: Record the log to the xxx file

/l*+ file.log: Record the log to the existing xxx file

• -n: no reboot after installation.

• -cpara=value: Specify the parameters when installing (combine with -i).

clink_ip=[x.x.x.x], server IP address is x.x.x.x

Agent Installation with dtool.exe

Only the accounts with administrative privilege can install locally.

To recover from an unknown state:

reboot - uninstall - reboot - install - reboot

dtool.exe [-i [-cpara=value] [-ppwd] [-sb] ] [-u] [-s] [-d] n

• -sb: Support safe mode in DLP agent.

• -e: update install, keep original settings and policy

• -s: Silent reboot, no shutdown message box.

• -dx: Delay rebooting x minutes (maximum to 11:59PM today).

• -n: No reboot after install/update/uninstall.

• -v: Show dtool version.

• -q: Quiet mode, no messages.

• -fx: Take computer names from file x:

One computer name for each line in file x.

• -efile.cfg: update, install, keep settings indicated by file.cfg.

• -cpara=value: Specify parameters when installing (combine with -i).

Para list: link_ip=[x.x.x.x], Server IP address;