
ADVANCED

Apex One
Specialization
Handbook

Asia Pacific, Middle East and Africa

@2022 Trend Micro Inc. Page 1 | 224
Table of Contents
Lesson 1: Trend Micro Apex One Overview .................................................................................. 4
Objectives: .......................................................................................................................................... 4
1.1 Trend Micro Solutions ...................................................................................................................................... 5
1.2 Key Challenges ................................................................................................................................................. 9
1.3 Apex One Features & Components .......................................................................................................... 24
1.4 Architecture ................................................................................................................................................. 37
1.5 Supported Platforms...................................................................................................................................... 39
1.6 Introduction to Apex One SaaS.................................................................................................................. 46
Lesson 2: Apex One Basic Configuration ................................................................................... 49
Objectives: ........................................................................................................................................ 49
2.1 Communication Ports ................................................................................................................................... 50
2.2 Scan Types ....................................................................................................................................................... 59
2.3 Configuring Policies ............................................................................................................................... 83
2.4 Log Flow...................................................................................................................................................... 101
2.5 Agent Grouping............................................................................................................................................ 103
2.6 Updates ............................................................................................................................................ 105
Lesson 3: Apex One Product Licensing ............................................................................................... 114
Objectives: ...................................................................................................................................... 114
3.1 Smart Protection Suite ................................................................................................................................. 115
3.2 NFR Licenses ................................................................................................................................................. 117
3.3 NFR - User Protection .................................................................................................................................. 118
3.4 Customer Licensing Portal (CLP) .............................................................................................................. 120
Lesson 4: Introduction to Proof of Concepts ........................................................................................ 125
Objectives: ...................................................................................................................................... 125
4.1 Introduction to PoC & Demo ..................................................................................................................... 126
4.2 Product Cloud................................................................................................................................................ 128
4.3 Proof-of-Concept (PoC) .............................................................................................................................. 132
4.4 PoC Use Cases .............................................................................................................................................. 137
Lesson 5: Competitive Advantage ...................................................................................................... 171
Objectives: ...................................................................................................................................... 171
5.1 Competitive Advantage ............................................................................................................................. 172
5.2 IDC Market Share .................................................................................................................................... 173
5.3 Gartner ............................................................................................................................................................ 174
5.4 The Forrester Wave...................................................................................................................................... 175
Lesson 6: Endpoint Detection & Response .......................................................................................... 171

Objectives: ...................................................................................................................................... 176
Lesson 7: Trend Micro Vision One and Zero Trust Strategy ................................................................ 186
Objectives: ...................................................................................................................................... 186
7.1 Why EDR is Simply not Enough ............................................................................................................... 187
7.2 Trend Micro Vision One ............................................................................................................................. 192
Lesson 8: Troubleshooting .................................................................................................................. 186
Objectives: ...................................................................................................................................... 205
8.1 Basic Troubleshooting Steps ..................................................................................................................... 205
8.2 Policy Deployment Issue ........................................................................................................................... 207
8.3 Communication Issues ............................................................................................................................... 208
8.4 Performance Issues ..................................................................................................................................... 216
8.5 Server Crash Disaster Recovery ............................................................................................................... 217
8.6 Raising Support Case via Partner Portal ............................................................................................... 219
Best Practice Guide ...................................................................................................................................................... 223

Lesson 1: Trend Micro Apex One
Overview

Objectives:
Upon completion of this lesson, you will be able to:

• Position Trend Micro solutions
• Describe the key challenges
• Explain product features and components
• Understand the architecture with its integrated components
• List the supported platforms
• Introduce Apex One SaaS

1.1 Trend Micro Solutions

Trend Micro provides layered content security with interconnected solutions that share data so
you can protect your users, network, data center, and cloud resources from data breaches and
targeted attacks.

Network Defense
The enterprise is at the cross-hairs of an increasingly complex array of ransomware, advanced
threats, targeted attacks, vulnerabilities, and exploits. Only complete visibility into all network
traffic and activity will keep the organization ahead of purpose-built attacks which bypass
traditional controls, exploit network vulnerabilities, and either ransom or steal sensitive data,
communications, and intellectual property.
Trend Micro Network Defense detects and prevents breaches anywhere on the network to protect
critical data and reputation. Rapidly detect, analyze, and respond to targeted attacks on your
network. Stop targeted email attacks and detect advanced malware and ransomware with custom
sandbox analysis, before damage is done. The Trend Micro Network Defense solution preserves
the integrity of the network while ensuring that data, communications, intellectual property, and
other intangible assets are not monetized by unwanted third parties. A combination of next-
generation intrusion prevention and proven breach detection enables the enterprise to prevent
targeted attacks, advanced threats and ransomware from embedding or spreading within their
network.

Hybrid Cloud Security


The Trend Micro Hybrid Cloud Security solution protects enterprise workloads in the data center
and the cloud from critical new threats, like ransomware, that can cause significant business
disruptions, while helping to accelerate regulatory compliance. Hybrid Cloud Security delivers
comprehensive, automated security for physical, virtual and cloud servers. The organization can
secure critical data and applications across their cloud and virtualized environments with effective
server protection that maximizes their operational and economic benefits. Whether you are
focused on securing physical, virtual, cloud, or hybrid environments, Trend Micro provides the
advanced server security you need with the Trend Micro Deep Security platform. Available as
software, in the Amazon Web Services and Azure marketplace, or as a service, Deep Security
provides you with security optimized for VMware, Amazon Web Services, and Microsoft Azure.

User Protection
The threat landscape is constantly changing, and traditional security solutions on endpoint
computers can’t keep up. Turning to multiple point products on a single endpoint results in too
many products that don’t work together, increasing complexity, slowing users, and leaving gaps
in an organization’s security. To further complicate matters, organizations are moving to the cloud
and need flexible security deployment options that will adapt as their needs change.
Trend Micro User Protection is an interconnected suite of security products and advanced threat
defense techniques that protect users from ransomware and other threats, across endpoints,
gateways and applications, allowing the organization to secure all its users' activity on any
application, any device, anywhere.

Trend Micro Smart Protection Network


The Trend Micro Smart Protection Network mines data around the clock and across the globe to
ensure up-to-the-second threat intelligence to immediately stamp out attacks before they can
harm valuable enterprise data assets. Trend Micro rapidly and accurately collates this wealth of
global threat intelligence to customize protection to the specific needs of your home or business
and uses predictive analytics to protect against the threats that are most likely to impact you.
To maintain this immense scale of threat protection, Trend Micro has created one of the world’s
most extensive cloud-based protection infrastructures that collects more threat data from a
broader, more robust global sensor network to ensure customers are protected from the volume
and variety of threats today, including mobile and targeted attacks. New threats are identified
quickly using finely tuned automated custom data mining tools and human intelligence to root out
new threats within very large data streams.

Visibility and Control


Whether your endpoints are internal or external, you can manage a comprehensive set of security
capabilities from one single management console providing a strong level of visibility and control.
In addition, suspicious objects discovered by different applications can be consolidated into a
single list and distributed within the entire environment.

Trend Micro XGen™ Security


Trend Micro’s endpoint protection solution, powered by XGen, delivers a blend of cross
generational threat defense techniques that are smart, optimized, and connected to protect
endpoint computers across the enterprise – all while preventing business disruptions and helping
with regulatory compliance.

Smart
Protects against the full range of known and unknown threats using a cross-generational blend of
threat defense techniques that applies the right technique at the right time, and is powered by
global threat intelligence.

Optimized
Minimizes IT impact with solutions that are specifically designed for and integrated with leading
customer platforms and applications on endpoint computers. The footprint on the client
applications is minimized to ensure a more efficient use of resources.

Connected
Speeds time to response with automatic sharing of threat intelligence across security layers and
centralized visibility and control. XGen security uses proven techniques to quickly identify known
good or bad data, freeing advanced techniques to more quickly and accurately identify unknown
threats. This identification in rapid succession with right-time technology, regardless of location
and device across a connected system, maximizes both visibility and performance. This core set
of techniques powers each of the Trend Micro solutions, in a way that is optimized for each layer
of security: hybrid clouds, networks, and user environments.

Trend Micro Apex One

Apex One is the next evolution of the Trend Micro enterprise endpoint security solution and
replaces OfficeScan as Trend Micro’s flagship endpoint security product. Apex One can be
installed as a new product in the enterprise, or OfficeScan XG can be upgraded to Apex One. Apex One
protects endpoint computers from malware, network viruses, Web-based threats, spyware and
mixed threat attacks (both known and unknown). It uses a client/server architecture that consists
of a Security Agent program that resides on the endpoint and a Server program that manages all
Agents. The Agent guards the endpoint and reports on its security status to the Server. Apex One
offers threat detection, response and investigation within a single agent on both Windows and
Mac computers.

The Apex One Server is capable of providing real-time, bidirectional communication between the
Server and Security Agents using HTTPS (Hypertext Transfer Protocol Secure). The Apex One Web
Management console makes it easy for administrators to set coordinated security policies and
deploy updates to every endpoint Agent. In addition, different user access roles can be set up
for specific administrative tasks such as policy configuration, log query, and report generation.
Within the environment, Trend Micro Apex Central may also be deployed to provide centralized
management for many Trend Micro products, including Apex One. Once installed, Apex One can
integrate with Apex Central to provide additional security capabilities. The Apex One Server
downloads components (pattern file and program updates) from the Trend Micro ActiveUpdate
Server, Apex Central, or any other server or UNC path to which new patterns have been
uploaded.

1.2 Key Challenges


• Cybercriminals are changing their approach to malware

Serious threats continue to hit endpoints!


Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a
ransom from the victim to restore access to the data upon payment. Users are shown instructions
for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to
thousands, and are typically payable to cybercriminals in cryptocurrency. It is a curse to data and
web security and to the professionals responsible for them, and it can easily take the highest place
among IT security challenges. Because it can encrypt all of your data, this type of attack does not
only compromise the data but also lets criminals blackmail you with the information it contains. It
can cost you a very large amount of money: the criminals can end up with both your information
and the money, and you won’t be able to do anything against it.
DDoS is the most common attack on cryptocurrency exchange websites and their platforms; three
out of four bitcoin sites were victims of DDoS attacks in the third quarter of 2017 alone. A DDoS is
a cyber-attack on a service provider that aims to disrupt its service, usually by flooding the server
with more requests than it can respond to. Because the traffic comes from multiple sources, DDoS
attacks can be difficult to stop.

Fileless malware is a type of malicious software that uses legitimate programs to infect a
computer. It does not rely on files and leaves no footprint, making it challenging to detect and
remove. Modern adversaries know the strategies organizations use to try to block their attacks,
and they’re crafting increasingly sophisticated, targeted malware to evade defenses. It’s a race
against time, as the most effective hacking techniques are usually the newest ones. Fileless
malware has been effective in evading all but the most sophisticated security solutions. There are
claims that fileless malware is “undetectable.” This is not literally true; it means that fileless
attacks are often undetectable by antivirus, whitelisting, and other traditional endpoint security
solutions.

IoT (Internet of Things) is a blessing to us, but it is an extraordinary blessing to criminals nowadays.
Most of us use different types of smart devices, and thanks to IoT we can now connect all of them
to each other, which removes a lot of complexity: you can handle and control all of your devices
from anywhere using just your phone. With this modern innovation you are continuously plugged
in, and that moves you further away from cyber protection. Criminals can compromise one of your
devices and through it gain access to your entire information, both personal and professional. They
can also use Internet of Things devices for DDoS attacks, which lets them take down an entire
Internet-based system. Threats to IoT systems and devices translate to bigger security risks because
of certain characteristics that the underlying technology possesses. These characteristics make IoT
environments functional and efficient, but they are likely to be abused by threat actors.
Characteristics like:
• Gathering of abundant data
• Connection of virtual and physical environments
• Creation of complex environments
• Centralization of architecture

The 2020 SonicWall Cyber Threat Report is the result of threat intelligence collected over the course of
2019 by over 1.1 million sensors placed in over 215 countries and territories:

Hackers have breached over 50,000 servers across the world to mine
cryptocurrency
Cybercriminals are leveraging more evasive methods to target businesses and consumers.
Spray-and-pray tactics that once had malware attack numbers soaring have since been
abandoned for more targeted and evasive methods aimed at weaker victims. SonicWall recorded
9.9 billion malware attacks, a slight 6% year-over-year decrease.

Fileless malware targets Microsoft Office/Office 365, PDF documents:


Cybercriminals used new code obfuscation, sandbox detection and bypass techniques, resulting
in a multitude of variants and the development of newer and more sophisticated exploit kits that use
fileless attacks instead of traditional payloads written to disk. While malware decreased 6% globally,
most new threats masked their exploits within today’s most trusted files. In fact, Office (20.3%)
and PDFs (17.4%) represent 38% of new threats detected by Capture ATP.

• Endpoint Security Challenges

❖ Manageability:
“Multiple Consoles to Manage Different Solutions”

A single management console makes it easy to deploy antivirus protection to multiple devices,
manage all devices from one place, mix and match device types, schedule regular scans and
quickly add more devices.

❖ Visibility:
“Lack of Integration of Security tools”

In any given attack, any number of controls or processes likely could have prevented, or at
least detected, the incident, but they go unseen because 100 different security controls from a
nearly equal number of security vendors, controls that frequently do not communicate with
one another, present some inherent challenges. We require a much more comprehensive
view of, and visibility into, the security posture than isolated capabilities often provide.

❖ Intelligence Sharing:
“Sharing of Threat Intelligence across different Solutions”

Threat Intelligence or Cyber Threat Intelligence (CTI) is a part of cybersecurity that focuses
on the collection and analysis of information on both potential and current cyber-attacks that
threaten the security of an environment. Threat intelligence sharing among solutions is very
important: it lowers risk, avoids loss of data, avoids repetitive tasks, enables in-depth threat
analysis, and helps give a timely response to an attack.

• Apex One converges to overcome these challenges

Apex One converges to overcome the key challenges of manageability, visibility and threat intelligence
sharing.

• Endpoint STRATEGY Re-Defined with Apex One

✓ Automated:

Trend Micro Apex One™ protection offers advanced automated threat detection and response
against an ever-growing variety of threats, including fileless and ransomware. Our cross-
generational blend of modern techniques provides highly tuned endpoint protection that
maximises performance and effectiveness.

Threat Detection
A range of layered detection capabilities, alongside investigation and response,
defends the endpoint through every stage

There are several points at which threats could enter the system through the endpoint computer.
A variety of automated threat detection techniques can be enabled in Apex One to monitor for
threats on the endpoint.
ENTRY POINT:

Entry point detection uses methods to capture threats as they enter the endpoint.
✓ Web Reputation: Web reputation blocks connections to malicious Web sites. This is done
at the kernel level, allowing Apex One to not only block users from accessing a malicious
site, but also blocking programs on the endpoint from accessing the site.
✓ HIPS-Virtual Patching: Apex One blocks exploits of operating system vulnerabilities by
applying a virtual patch. Trend Micro provides timely protection for operating system
vulnerabilities with the industry’s most timely vulnerability research.
✓ Browser Exploit Protection: Malicious behavior can also be captured within the Web
browser based on script inspection and site behavior.
✓ Device Control: Apex One can block unknown removable media devices, making it less
likely for the endpoint to be infected with malware. This protection is now available for the
Mac in Apex One.

PRE-EXECUTION:

Detection methods used in the pre-execution phase capture and block threats as they are written
to disk or to memory.
✓ Packer Detection: Apex One identifies packed malware as it unpacks prior to execution,
blocking threats attempting to hide themselves in memory.
✓ Predictive Machine Learning: File-based threats can be evaluated against a cloud-based
model before they are run to predict if the file is malicious. Apex One can take advantage of
an offline model in cases where the endpoint is not connected to the network. Mac computers
can now benefit from this technique as well.
✓ Application Control: Application control prevents unrecognized software from executing.
✓ Variant Protection: Variant protection detects mutations of malicious samples by
recognizing known fragments of malware code.
✓ File-based Signatures: The majority of threats still arrive at the endpoint as file-based
attacks. File-based signatures provide an effective technique for detecting known malicious
items.

RUNTIME:

While many threats can be detected as they are written to disk, there are some threats that won’t
be detected until they execute.
✓ Runtime Machine Learning: Run-time machine learning techniques monitor anything that
is executing and evaluate it against a separate run-time machine learning model.
✓ IOA Behavioral Analysis: Powerful behavior analysis techniques provide a clear indication
if an attack is taking place based on file behavior. This provides an effective mechanism for
detecting ransomware and file-less malware. New rules are continually being introduced to
detect new suspicious behavior.
✓ In-memory Runtime Analysis: Some malware executes only in memory. In-memory
runtime analysis can monitor for malicious script behavior or code injections in memory and
stop them once they start running.

EXIT POINT:

Methods in this phase can detect and block attempts to forward data from the endpoint.
✓ Web Reputation: At this phase, Web reputation protection can block connections to
malicious Web sites, such as Command & Control sites. Again, this protection is applied at
the kernel level blocking connections from the Web browser, or from any other application
running on the endpoint.
✓ Host Intrusion Prevention: Host intrusion prevention detects and blocks malware lateral
movement behavior.
✓ Data Exfiltration Detection: Data Leak Prevention techniques can detect sensitive data
leaving the endpoint and block its movement.
✓ Device Control: Unknown removable media devices can be blocked to prevent data leaving
the endpoint.

Automated Response

Threat detection techniques on the endpoint enable Apex One to give a rapid, effective and
automated response to threats.

Maximum XGen Security

• Infuses high-fidelity machine learning with other advanced detection techniques for the
broadest protection against ransomware and advanced attacks.
• Progressively filters out threats using the most efficient technique for maximum detection
without false positives.
• Blends signature-less techniques, including high-fidelity machine learning, behavioral
analysis, variant protection, census check, application control, exploit prevention and good
file check with other techniques like file reputation, web reputation, and command and control
(C&C) blocking.
• Trend Micro is the first to infuse high-fidelity machine learning which uniquely analyzes files
not only before execution but also during runtime for more accurate detection.
• Noise cancellation techniques like census and whitelist checking at each layer reduce false
positives.
• Instantly shares information on suspicious network activity and files with other security layers
to stop subsequent attacks.
• Advanced ransomware protection monitors for suspicious file encryption activities at the
endpoint, terminates malicious activities, and even recovers lost files if necessary.

✓ Insightful:

Get actionable insights, expanded investigative capabilities, and centralised visibility by using an
advanced EDR toolset, strong SIEM integration, and an open API set. Perform threat investigation
through integrated and extended EDR or by boosting your security teams with the managed
service option.

Leverage techniques that allow you to discover and respond to threats before they compromise
data. Extend detection and response across endpoints, email, and servers.
Apex One integrates new Endpoint Detection & Response capabilities including server-side
metadata sweeping, Indicator of Attack (IOA) behavior hunting, and new query and automation
Application Programming Interfaces (APIs).

✓ All-in-One:

Apex One offers an industry-leading breadth of capabilities from a single user agent. Apex One
offers a powerful EDR with automated detection & response tools, simplifying deployment and
eliminating silos. In an evolving technological landscape, you need security that goes beyond
traditional antivirus. Apex One offers threat detection, response and investigation within a single
agent. Eliminate multiple vendors and consoles and gain deployment flexibility through both SaaS
and on-premises deployment options.

• Apex One – Secure & Optimized

• Apex One leverages a blend of cross-generational threat techniques to provide the broadest
protection against all types of threats. Apex One offers additional threat protection from
programs that exhibit malicious behavior.
• Infuses high-fidelity machine learning which uniquely analyzes files not only before execution
but also during runtime for more accurate detection.
• Apex One can be deployed on site in your network or is available as a service, with full product
parity between the two deployment options.
• Extend control and visibility across hybrid & multi-cloud models. Maintains consistent security
in a hybrid environment.

1.3 Apex One Features & Components
▪ Features:

Vulnerability Protection

Protects endpoint computers from being exploited through operating system vulnerability attacks.
Delivers critical patches to legacy operating systems that are no longer patched by the
vendor. Reduces downtime for recovery with incremental protection against zero-day attacks.

Predictive Machine Learning

Predictive Machine Learning can protect your network from new, previously unidentified, or
unknown threats through advanced file feature analysis and heuristic process monitoring. Apex
One delivers this functionality through a cloud-based machine learning model and introduces a
local model for computers without a network connection.

Behavior Monitoring

Behavior Monitoring constantly monitors and protects Agents from unusual and unauthorized
modifications to the operating system or installed software.

Web Threat Protection

Web Reputation technology protects Agent computers within or outside the corporate network
from malicious and potentially dangerous Web sites. This service breaks the infection chain and
prevents downloading of malicious code. The credibility of Web sites and pages can be verified
by integrating Apex One with the Smart Protection Server or the Trend Micro Smart Protection
Network. The Apex One Suspicious Connection Service monitors the behavior of connections
that endpoints make to potential Command & Control servers, and Browser Exploit Protection
blocks web pages containing malicious scripts.

Data Loss Prevention

Data Loss Prevention safeguards an organization’s digital assets against accidental or deliberate
leakage. It provides visibility and control of data and prevents data loss via USB, email, cloud
storage, etc., protecting data both at rest and in motion. It detects improper data use based on
keywords, regular expressions, and file attributes, simplifies deployment, and helps comply with
guidelines and regulations. It provides Device Control by regulating access to external storage
devices and network resources connected to computers. Combined with file scanning, it prevents
data loss and leakage and helps guard against security risks.

Endpoint Detection and Response

Apex One provides actionable insights, expanded investigative capabilities, and centralized
visibility across the network through an advanced Endpoint Detection and Response (EDR)
toolset. Perform threat investigation through integrated EDR or by boosting your security teams
with the Managed Detection and Response (MDR) service option. Endpoint Detection and
Response capabilities are included in Apex One and Apex Central but are licensed separately.

Application Control

Application Control enhances defense against malware or targeted attacks by preventing
unwanted and unknown applications from executing on endpoints. Application Control is currently
only supported on Windows endpoint computers.

Sandboxing

Sandboxing provides custom defense against threats identified by endpoints protected by Trend
Micro products in your environment. It allows Security Agents to submit suspicious files to a Cloud
Sandbox, where each file is executed in an isolated environment. Files determined to be
dangerous are submitted to Trend Micro Apex Central for addition to the Suspicious Objects list.

Endpoint Encryption

Endpoint Encryption encrypts data on a wide range of devices including laptops and desktops,
USB drives and other removable media, providing full disk, file/folder, and removable media
encryption to prevent unauthorized access and use of private information. Endpoint Encryption is
a standalone product that is licensed and installed separately from Apex One, but its capabilities
can be integrated into Apex One Security Agents through Apex Central policies.

Smart Protection Network (SPN)

The Trend Micro Smart Protection Network is a next-generation cloud-client content security
infrastructure designed to protect customers from security risks and web threats. SPN uses
proactive techniques like Machine Learning, Artificial Intelligence & Behavior Monitoring to
provide customers with advanced protection.

Malware Protection
Endpoint protection is the primary focus of Apex One. Apex One protects endpoint computers
from security risks by scanning files for malware and then performing a specific action for each
security risk detected. To easily monitor, investigate and back-up infected files, Security Agents
can automatically forward infected or suspicious files to a quarantine folder.

Ransomware Protection
Enhanced scan features can identify and block ransomware programs that target documents on
endpoint computers by identifying common behaviors and blocking processes commonly
associated with ransomware programs.

Firewall Protection
The Apex One firewall protects endpoint computers on the network using stateful inspection.
Rules can be created to filter connections by application, IP address, port number and protocol
and then applied to different groups of users.

Device Control
Device Control regulates access to external storage devices and network resources connected
to computers. Device Control helps prevent data loss and leakage, and, combined with file
scanning, helps guard against security risks.

Outbreak Control
Apex One Outbreak Prevention Services shut down infection vectors and rapidly deploy attack-
specific security policies to prevent or contain outbreaks before pattern files are available.

Virtual Patching
Vulnerability Protection protects endpoints from being exploited by operating system vulnerability
attacks. It automates the application of virtual patches to endpoint computers before official
patches from the vendor become available.

Cloud-Based Intelligence
Apex One benefits from a global cloud-based repository of threat data through the Trend Micro
Smart Protection Network. Services, such as ActiveUpdate, File Reputation, Web Reputation,
Predictive Machine Learning and more are delivered to Trend Micro products through the cloud-
based Smart Protection Network.

Multi-Platform Support
Apex One provides endpoint protection features for both Windows and Mac operating systems.
Support for Mac endpoints is enabled through a plug-in in Apex One. Not all Apex One
functionality is currently available on Mac endpoint computers.

Simplified Administration
The Apex One Web Management console gives administrators access to all Agents and Servers
on the network. From the Web Management console, administrators can coordinate automatic
deployment of security policies, pattern files, and software updates on every Agent and server.

Off-Premise Management
Apex One provides management of external Security Agents through the Edge Relay Server. This
device provides log collection, sample submission and Suspicious Objects list deployment to Agents
outside of the network.

Unified Agent
Apex One provides a wide breadth of capabilities through a single unified agent. This all-in-one
lightweight agent provides deployment flexibility through both Software as a Service (SaaS) and
on-premises options.

▪ Components:

Apex One Server
The Apex One Server is the central repository for all Windows Agent configurations, security risk
logs and updates. The server performs two important functions:
• Installs, monitors and manages Security Agents on Windows endpoints.
• Downloads most of the components needed by Agents.

Apex One (Mac) Server
The Apex One (Mac) Server is the central repository for all Mac Security Agent configurations,
security risk logs, and updates. The server performs two important functions:
• Monitors and manages Security Agents on Mac endpoints.
• Downloads components needed by Security Agents.
Apex One (Mac) Server is activated through a plug-in within the Apex One Server.

Database
The database stores all the information Apex One requires to operate. A Microsoft SQL Server
database is required to complete the Apex One setup. Alternatively, a SQL Server Express
database can be installed as part of the setup process. The database can be hosted on the same
server as Apex One, or on a separate server.

Microsoft Internet Information Server

Microsoft Internet Information Server (IIS) makes it possible to access Apex One components
from the Internet, including:
• Apex One Web Management console for management operations
• CGI applications or ISAPI for both Agent and Server functions
• Update components
• Integrated Smart Protection Server

Apex One/Apex One (Mac) Web Management Console

Apex One uses a Web-based administration interface to control policies and endpoint computers.
Administrative users authenticate to the Apex One Web Management console using Apex One
created credentials, or credentials stored in Microsoft Active Directory. Separate Web
Management consoles are available for Apex One and Apex One (Mac).

Apex Central
Apex Central (previously known as Control Manager) provides a single unified interface to
manage, monitor and report across multiple layers of security and deployment models.
Customizable data displays allow administrators to rapidly assess status, identify threats and
respond to incidents. With Apex Central, administrators can manage Apex One, Apex One (Mac),
as well as other Trend Micro products, from a single interface. User-based visibility shows what
is happening across all endpoints, enabling administrators to review policy status and make
changes across all user devices. In the event of a threat outbreak, administrators have complete
visibility of an environment to track how threats have spread.
Direct links to the Trend Micro Threat Connect database provide access to actionable threat
intelligence, which allows administrators to explore the complex relationships between malware
instances, creators, and deployment methods. Apex Central is responsible for compiling the
Suspicious Objects for use in Connected Threat Defense.

Security Agents
An Apex One Security Agent on each endpoint protects Windows and Mac computers from
security risks. The Apex One Agent reports to the parent Apex One Server from which it was
installed and sends security events and status information to the Server in real time. Security
Agents can be installed on endpoint computers within and outside the corporate network.

NOTE:
Apex One as a Service extends sensor capabilities for investigations to managed servers running
on a supported Linux operating system.

Apex One Edge Relay Server

The Apex One Edge Relay Server provides off-premise protection for remote computing and
traveling users. It provides visibility and protection for endpoints that leave the local intranet,
without requiring a VPN to connect back to the Apex One Server.

Trend Micro Smart Protection Network

The Trend Micro Smart Protection Network is a cloud-client infrastructure that delivers protection
from emerging threats by continuously evaluating and correlating threat and reputation
intelligence for Websites, email sources, and files.

Smart Protection Server

The Smart Protection Server provides an internal, standalone version of the Smart Protection
Servers for File and Web Reputation services. The Smart Protection Server can also be used to
proxy service requests for Predictive Machine Learning scanning in air-gapped environments.
• Integrated Smart Protection Server
✓ Bundled with Apex One; installed on the same endpoint where the Apex One server
is installed.
✓ Suitable for small-scale deployments of Apex One.
✓ For larger deployments, the Standalone Smart Protection Server is required.
• Standalone Smart Protection Server
✓ A standalone Smart Protection Server localizes the Smart Protection Network services to
the corporate network to optimize efficiency.
✓ Comes with a customized operating system and can be installed on the following platforms:
VMware, Hyper-V server and bare metal.
✓ Has its own management console; it is not managed from the Apex One / Apex Central web
console.

Trend Micro Active Update Server

Trend Micro Active Update Server serves as the default download source for pattern file and
program updates. Other sources, including Apex Central or Update Agents, can be used as the
download location instead of the Active Update Server.

Update Agents
Update Agents are Security Agents that function as alternative update sites for other Agents within
an Apex One network. Update Agents serve as local Active Update sites.

Reference Server
Reference Server allows Agents to determine if they are internal or external to the network.

Trend Micro Vision One
Trend Micro Vision One is a threat defense platform that extends XDR capabilities to endpoints
managed by Apex One as a Service. It applies the most effective AI and expert analytics to the
activity data collected from Apex One as a Service to produce fewer, higher-fidelity alerts.

Trend Micro Vision One Data Lake
Trend Micro Vision One Data Lake is a Cloud based repository for XDR telemetry data where
endpoints submit data for storage and use in investigations through Trend Micro Vision One.

Trend Micro Endpoint Encryption

Trend Micro Endpoint Encryption encrypts data on a wide range of devices, including both PCs and
Macs, laptops and desktops, USB drives, and other removable media. This solution combines
enterprise-wide full disk, file/folder, and removable media encryption to prevent unauthorized
access and use of private information. Endpoint Encryption is an optional, standalone product,
but can be incorporated into policies distributed through Apex Central.

Deep Discovery Analyzer

Deep Discovery Analyzer is a hardware device hosting multiple secure sandbox environments in
which samples submitted by Trend Micro products are analyzed. Sandbox images allow for the
observation of file and network behavior in a natural setting without any risk of compromising the
network.
Deep Discovery Analyzer performs static analysis and behavior simulation to identify potentially
malicious characteristics. During analysis, Deep Discovery Analyzer rates the characteristics in
context and then assigns a risk level to the sample based on the accumulated ratings, which is
then forwarded to Apex Central to build the Suspicious Objects List.

Mac Sandbox
Mac Sandbox is a hosted service that analyzes possible threats for macOS.

Software as a Service Components

Apex One is available as a Software as a Service offering. Components available as a service
are accessed from cloud servers hosted by Trend Micro.
• Apex One as a Service
Apex One as a Service allows an organization to deploy and manage Apex One as a cloud-
based service and offers full feature parity with the on-premises option.
• Apex Central as a Service
Apex Central as a Service provides Apex Central capabilities as a cloud-based service.
• Sandbox as a Service
This cloud-based Virtual Analyzer allows you to perform sample submission, synchronize
suspicious object lists and take action on user-defined suspicious objects.

▪ Introduction to Integrated Components

Microsoft Active Directory
Apex One integrates with Microsoft™ Active Directory™ to manage Security Agents more
efficiently. Web Management console permissions can be assigned using Active Directory
accounts, endpoint computers without Security Agents can be located, and automated grouping of
agents based on Active Directory domain can be performed.

iDLP: Integrated Data Loss Prevention

▪ Provides visibility and control of data and prevents data loss via USB, email, cloud storage,
etc.
▪ Integrated with Apex Central to consolidate policy, events, and reporting across DLP
solutions.

iAC: Integrated Endpoint Application Control

▪ Prevents damage from unwanted/unknown applications (executables, DLLs, and other PE
files).
▪ Visibility and policy management via Trend Micro Apex Central.
▪ Coverage of pre-categorized applications that can be selected from our application catalog.

iVP: Integrated Vulnerability Protection

▪ Enhances firewall protection for remote and mobile enterprise endpoints.
▪ Protection with minimal impact on network throughput, performance, or user productivity.
▪ Delivers critical patches to legacy operating systems no longer being patched by the vendor.

1.4 Architecture
On-Prem Architecture

SaaS Architecture

Hybrid Architecture

A hybrid architecture combines on-premises and cloud servers and requires the Remote Connection
Tool in the DMZ to allow the service product consoles to register to the on-premises Apex Central
Server. The Remote Connection Tool runs as a service named Smart Relay Service.

1.5 Supported Platforms

Apex Central
▪ Hardware Sizing

NOTE: Applicable for On-Premise

▪ OS Platforms

NOTE: Applicable for On-Premise

Apex One Server

• Hardware Sizing (without integrated Components enabled)

NOTE: Applicable for On-Premise

• Hardware Sizing (With Endpoint Sensor enabled)

NOTE: Applicable for On-Premise


• The above estimates are for Apex One Security Agents running on the Windows platform.
• The Maximum metadata storage and Maximum memory allocation settings are configured on the Apex
Central console in Apex One Server policies. The default 4GB maximum memory allocation setting is
recommended for up to 600 endpoint agents.

• OS Platforms

NOTE: Applicable for On-Premise

Apex One Agent
• Sizing

NOTE: Resource spikes may occur if a large number of applications, whether native Windows
or third-party, are running simultaneously on a computer. If the target machine is already running
low on memory and disk space, the Apex One administrator should prioritize upgrading the
necessary hardware components prior to Apex One installation. Applicable for On-Premise &
SaaS.

• Supported OS Platforms

NOTE: Applicable for On-Premise & SaaS

Standalone Smart Protection Server

• Hardware Sizing

NOTE: Applicable for On-Premise & SaaS

(File Reputation Services: HTTPS; Web Reputation Services: HTTP; Predictive Machine
Learning: HTTPS)*

Service Gateway
• Specifications

NOTE: Applicable for On-Premise & SaaS

Edge Relay Server

• Hardware Sizing

NOTE: Applicable for On-Premise

• Supported Platforms

NOTE: Applicable for On-Premise

Database Server
• Supported DB versions (Apex Central)

NOTE: Applicable for On-Premise

• Supported DB versions (Apex One)

NOTE: Applicable for On-Premise

When doing a fresh installation of Apex One with SQL Server 2019, the installation aborts due to a
compatibility issue. To work around the installation failure:
1. Install the new Data-tier Application 18.2 (both x86 and x64 are required) on the Apex One
server.
2. Run the Apex One server installer again.

1.6 Introduction to Apex One SaaS

Trend Micro Apex One as a Service provides enhanced security against unknown, zero-day and
web-based threats on top of, and alongside, the current endpoint protection solution.

Apex One as a Service provides rapid deployment and simplified administration and maintenance
with the same comprehensive enterprise threat protection as Trend Micro on-premises Apex One.
Apex One as a Service is delivered through an architecture that uses resources more effectively
and optimizes CPU and network utilization.
With this service offering, Trend Micro applies updates and patches to the service on a regular
basis. Administrators log in to the Web Management console through a customized URL. Trend
Micro provides feature parity between the on-premises and service versions of Apex One. An
on-premises deployment of Apex One can be migrated to Apex One as a Service.

Comparison between Apex One deployed as a SaaS & On-Premise:

Comparison between Apex One Endpoint Sensor and XDR Endpoint Sensor

XDR Endpoint Sensor is the successor to Apex One Endpoint Sensor and is tightly integrated
with Trend Micro Vision One. Which Sensor Apex One SaaS uses depends on how users deploy
Sensors:
• The Apex One Security Agent uses the Apex One Endpoint Sensor (SaaS) when Endpoint
Sensor is enabled via an Apex Central policy.
• The Apex One Security Agent uses the XDR Endpoint Sensor when the Sensor is enabled
through Vision One Endpoint Inventory.

NOTE: This will soon be deprecated, and the recommended option is via the Trend Micro Vision One
console.

1. The Apex One Endpoint Sensor (SaaS) supports doing live investigation via disIOC
scan, YARA scan, and Registry scan.
2. The XDR Endpoint Sensor supports checking present status via the remote shell feature.
3. The Apex One Endpoint Sensor (SaaS) has its own attack discovery detection engine.
After Apex One is registered to Vision One, the Vision One backend server provides
detection capability based on recorded activity data.
4. XDR Endpoint Sensor doesn't have a detection engine. However, the Vision One
backend service provides detection capability based on recorded activity data.
5. This is for Windows only and relies on Apex One EPP.
6. The Apex One Endpoint Sensor (SaaS) is an integrated module of Apex One. If users
would like to install Apex One security agent with other EPP products, they have to install
the Apex One Coexist agent, not the full agent.
7. The XDR Endpoint Sensor is a standalone sensor, and can coexist with Trend Micro
EPP products and 3rd-party EPP products.

Lesson 2: Apex One Basic Configuration

Objectives:
Upon completion of this lesson you will be able to:

• Explain Communication and its ports
• Scan Types
• Configuring Policies & Policy Management
• Log Flow
• Understanding Agent Grouping
• Updates

2.1 Communication Ports

Multiple ports must be allowed through an organization’s firewall to enable Apex One to operate.

* All communications are unidirectional.

Connectivity

For secure connectivity between the Apex One Agent and the Apex One Server, the agent must
become valid through the following flow:
1. Register: The agent registers with the server with its endpoint information (such as MAC/IP
address, hostname, OS version, language, product version).
2. Acknowledgement: The server acknowledges the registration and puts the incoming agent
on the pending list for approval.
3. Awaiting Approval: Upon receiving the acknowledgement, the agent waits for approval by
reconnecting to the server regularly for a fixed period of time (e.g. 24 hours).
4. Approval: The server approves registering agents through the following approaches:
• Manual approval.
• Automatic approval via the whitelist solutions.
• Automatic approval via deployment session token.
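The four-step flow above, modelled in Go as an added example (not Apex One code): a server-side registry that acknowledges a registration, keeps the agent pending, approves it manually, by hostname allowlist, or by a single-use deployment session token, and expires agents that poll past the fixed window. The allowlist keyed on hostname, the token being compared in constant time and burned after one use, the MAC address as the agent key and the 24-hour window are assumptions of this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"time"
)

// AgentInfo is what an agent sends at registration (the handbook lists MAC/IP
// address, hostname, OS version, language and product version).
type AgentInfo struct{ MAC, IP, Hostname, OSVersion, Language, ProductVersion string }

type State int

const (
	Pending  State = iota // acknowledged and waiting on the pending list
	Approved              // may use the server
	Expired               // approval window elapsed; must register again
)

type entry struct {
	info       AgentInfo
	registered time.Time
	state      State
}

// Registry models the server side. Allowlist approval, single-use deployment
// session tokens and the approval window are assumptions of this example.
type Registry struct {
	window    time.Duration     // how long an agent may keep polling for approval
	allowlist map[string]bool   // hostnames approved automatically (assumption)
	tokens    map[string]bool   // deployment session tokens not yet used
	agents    map[string]*entry // keyed by MAC address (assumption)
	now       func() time.Time  // injectable clock so expiry is testable
}

func NewRegistry(window time.Duration, allowHosts, sessionTokens []string) *Registry {
	r := &Registry{window: window, allowlist: map[string]bool{}, tokens: map[string]bool{},
		agents: map[string]*entry{}, now: time.Now}
	for _, h := range allowHosts { r.allowlist[h] = true }
	for _, t := range sessionTokens { r.tokens[t] = true }
	return r
}

// Register is steps 1 and 2: record the endpoint information and put the agent
// on the pending list, unless the allowlist approves it immediately.
func (r *Registry) Register(info AgentInfo) State {
	e := &entry{info: info, registered: r.now(), state: Pending}
	if r.allowlist[info.Hostname] { e.state = Approved }
	r.agents[info.MAC] = e
	return e.state
}

// RegisterWithToken is the deployment-session-token approach: the token is
// compared in constant time and deleted after a single use.
func (r *Registry) RegisterWithToken(info AgentInfo, token string) (State, error) {
	if st := r.Register(info); st == Approved { return st, nil }
	for t := range r.tokens {
		if subtle.ConstantTimeCompare([]byte(t), []byte(token)) == 1 {
			delete(r.tokens, t)
			r.agents[info.MAC].state = Approved
			return Approved, nil
		}
	}
	return Pending, errors.New("invalid deployment session token; agent left pending")
}

// Poll is step 3: every reconnect returns the current state and expires agents
// that have waited longer than the window.
func (r *Registry) Poll(mac string) State {
	e, ok := r.agents[mac]
	if !ok {
		return Expired
	}
	if e.state == Pending && r.now().Sub(e.registered) > r.window {
		e.state = Expired
	}
	return e.state
}

// ApproveManually is step 4 performed by an administrator; unknown or expired
// agents are refused and have to register again.
func (r *Registry) ApproveManually(mac string) error {
	switch r.Poll(mac) {
	case Expired:
		return errors.New("unknown or expired agent; it must register again")
	case Pending:
		r.agents[mac].state = Approved
	}
	return nil
}

// IsValid is the gate every later agent request should pass.
func (r *Registry) IsValid(mac string) bool {
	e, ok := r.agents[mac]
	return ok && e.state == Approved
}
```

Call `Register` or `RegisterWithToken` when an agent first connects, `Poll` on each of its reconnects, and `IsValid` before serving any other request; an agent that never gets approved inside the window falls back to `Expired` and must start over.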

Server-initiated Communications

Apex One uses public-key cryptography to authenticate communications that the Apex One server
initiates with agents. With public-key cryptography, the server keeps a private key and deploys a
public key to all agents. The agents use the public key to verify that incoming communications are
server-initiated and valid, and respond only if the verification is successful. The public and private
keys are associated with a Trend Micro certificate, which Setup stores in the host's certificate store.
Note:
Apex One does not authenticate communications that agents initiate with the server.
During installation of the Apex One server, Setup stores the certificate in the host's certificate
store. Use the Authentication Certificate Manager tool to manage Trend Micro certificates and
keys. When deciding whether to use a single authentication key across all Apex One servers, take
note of the following:
• Implementing a single certificate key is a common practice for standard levels of security. This
approach balances the security level of your organization and reduces the overhead
associated with maintaining multiple keys.
• Implementing multiple certificate keys across Apex One servers provides a maximum level of
security. This approach increases the maintenance required when certificate keys expire and
need to be redistributed across the servers.
Important: Before reinstalling the Apex One server, ensure that you back up the existing
certificate. After the new installation completes, import the backed-up certificate to allow
communication authentication between the Apex One server and Security Agents to continue
uninterrupted. If you create a new certificate during server installation, Security Agents cannot
authenticate server communication because they are still using the old certificate (which no longer
exists).
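The mechanism described above, as an added Go example that is not Apex One code: the server signs each command it initiates with its private key, and the agent verifies the signature with the public key pinned at install time, also checking that the command is addressed to it and is fresh. Raw Ed25519 keys stand in for the Trend Micro certificate; the JSON command envelope, the agent-ID binding and the five-minute acceptance window are assumptions of this example. The second half of `main` reproduces the situation the Important note warns about: a server reinstalled with a newly generated key instead of the backed-up certificate issues commands the agents reject.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Command is a server-initiated request such as a scan command. The layout is an
// assumption of this example, not the Apex One wire format.
type Command struct {
	Action   string `json:"action"`
	AgentID  string `json:"agent_id"`
	IssuedAt int64  `json:"issued_at"` // Unix seconds, used for freshness
}

// SignedCommand carries the serialized command and the server's signature over it.
type SignedCommand struct {
	Payload   []byte
	Signature []byte
}

// Server keeps the private key; only the public half is deployed to agents.
type Server struct{ priv ed25519.PrivateKey }

func NewServer() (*Server, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

func (s *Server) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Sign serializes the command and signs the exact bytes the agent will verify.
func (s *Server) Sign(cmd Command) (SignedCommand, error) {
	payload, err := json.Marshal(cmd)
	if err != nil {
		return SignedCommand{}, err
	}
	return SignedCommand{Payload: payload, Signature: ed25519.Sign(s.priv, payload)}, nil
}

// Agent pins the server public key it received during installation.
type Agent struct {
	ID     string
	pub    ed25519.PublicKey
	maxAge time.Duration
}

// Verify accepts a command only if the signature checks under the pinned key,
// the command is addressed to this agent, and its timestamp is within maxAge.
func (a *Agent) Verify(sc SignedCommand, now time.Time) (Command, error) {
	if !ed25519.Verify(a.pub, sc.Payload, sc.Signature) {
		return Command{}, fmt.Errorf("signature invalid: not signed by the pinned server key")
	}
	var cmd Command
	if err := json.Unmarshal(sc.Payload, &cmd); err != nil {
		return Command{}, err
	}
	if cmd.AgentID != a.ID {
		return Command{}, fmt.Errorf("command addressed to %q, not %q", cmd.AgentID, a.ID)
	}
	if age := now.Sub(time.Unix(cmd.IssuedAt, 0)); age > a.maxAge || age < -a.maxAge {
		return Command{}, fmt.Errorf("command timestamp outside the acceptance window")
	}
	return cmd, nil
}

func main() {
	server, _ := NewServer()
	agent := &Agent{ID: "agent-01", pub: server.PublicKey(), maxAge: 5 * time.Minute}
	now := time.Now()
	sc, _ := server.Sign(Command{Action: "scan-now", AgentID: "agent-01", IssuedAt: now.Unix()})
	if _, err := agent.Verify(sc, now); err == nil {
		fmt.Println("accepted: command signed by the key the agent was installed with")
	}
	// Server reinstalled with a new key instead of importing the backed-up certificate:
	reinstalled, _ := NewServer()
	sc2, _ := reinstalled.Sign(Command{Action: "scan-now", AgentID: "agent-01", IssuedAt: now.Unix()})
	if _, err := agent.Verify(sc2, now); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The agent-ID and freshness checks are not part of what the handbook describes; they are included because a bare signature check alone would accept a valid command replayed later or relayed to a different endpoint.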

Agent-initiated Communications

Agents communicate with their Server by sending HTTPS messages to the Apex One Server and
calling ISAPI/CGI commands. These commands invoke certain actions on the Server, and the
Server returns a corresponding answer to the Agent's request. These messages can be sent to
the Server as regular polling messages. While doing this, they also pass information about the
Agent, for example UID, computer name, program version, etc. These calls are processed by the
Agent command handler, which checks if the Agent information is correct, complete and valid. If
it is, the Server points the Agents to the location to download relevant files.

Adding DNS Names/IPs to the Exception List

As Apex One as a Service relies on Internet communication for command-and-control
management, the DNS names/IPs used by Apex One as a Service need to be added to the
exception list to ensure endpoints remain protected.
• Ports: Apex One as a Service servers use the following ports:
o Apex One: TCP 443
o Apex One (Mac): TCP 8443
• DNS: Adding DNS names to the exception list is recommended so that IP subnets can be
dynamically approved according to DNS. Registered Apex One DNS names can be found
on the Product Servers screen of the Apex Central web console (Directories > Product
Servers).
• IP Addresses: Apex One as a Service resides in Microsoft's Azure Cloud infrastructure and
therefore does not operate on a fixed set of IPs. Currently, Apex One as a Service resides
in several regions of the Azure Cloud. Microsoft provides a list of its datacenter IP ranges
for the following entries:
o "name": "AzureCloud.australiaeast"
o "name": "AzureCloud.centralus"
o "name": "AzureCloud.westeurope"
o "name": "AzureCloud.southeastasia"
o "name": "AzureCloud.japaneast"
o "name": "AzureCloud.canadacentral"
o "name": "AzureCloud.centralindia"
• URLs: For customers who would like to integrate Apex One as a Service with Trend Micro
Vision One add-on services, the following common URLs need to be allowed for the server
and agents:
o *.xdr.trendmicro.com
o *.xbc.trendmicro.com
o *.mgcp.trendmicro.com
o *.mdr.trendmicro.com
In addition, the following address should be allowed for agents uploading activity data to
the data lake:

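To turn the region entries listed above into a firewall exception list, an added Go example (not Trend Micro or Microsoft tooling) reads a JSON fragment shaped like Microsoft's downloadable Azure IP Ranges and Service Tags file, keeps only the prefixes of the requested `AzureCloud.<region>` entries, and checks whether a given address is covered by the result. The embedded JSON is a constructed sample that uses RFC 5737 and RFC 3849 documentation ranges, not real Azure prefixes; the real file is large and its prefixes change over time, which is why the handbook recommends DNS-name exceptions over static IPs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"sort"
)

// serviceTags mirrors the shape of the Azure Service Tags download: a "values"
// array whose entries carry a "name" (as quoted in the handbook) and prefixes.
type serviceTags struct {
	Values []struct {
		Name       string `json:"name"`
		Properties struct {
			AddressPrefixes []string `json:"addressPrefixes"`
		} `json:"properties"`
	} `json:"values"`
}

// sampleTags is a constructed sample using documentation ranges only.
const sampleTags = `{
  "values": [
    {"name": "AzureCloud.westeurope",    "properties": {"addressPrefixes": ["192.0.2.0/25", "2001:db8:1::/48"]}},
    {"name": "AzureCloud.southeastasia", "properties": {"addressPrefixes": ["198.51.100.0/24"]}},
    {"name": "AzureCloud.eastus",        "properties": {"addressPrefixes": ["203.0.113.0/24"]}}
  ]
}`

// ExceptionPrefixes returns the prefixes of the requested tags only, sorted, so the
// exception list stays as narrow as the regions actually in use.
func ExceptionPrefixes(raw []byte, wanted []string) ([]netip.Prefix, error) {
	var tags serviceTags
	if err := json.Unmarshal(raw, &tags); err != nil {
		return nil, err
	}
	want := map[string]bool{}
	for _, w := range wanted {
		want[w] = true
	}
	var out []netip.Prefix
	for _, v := range tags.Values {
		if !want[v.Name] {
			continue
		}
		for _, p := range v.Properties.AddressPrefixes {
			pfx, err := netip.ParsePrefix(p)
			if err != nil {
				return nil, fmt.Errorf("tag %s: %w", v.Name, err)
			}
			out = append(out, pfx)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].String() < out[j].String() })
	return out, nil
}

// Covered reports whether addr falls inside any exception prefix, i.e. whether
// traffic to it would pass the resulting rule set.
func Covered(prefixes []netip.Prefix, addr string) (bool, error) {
	a, err := netip.ParseAddr(addr)
	if err != nil {
		return false, err
	}
	for _, p := range prefixes {
		if p.Contains(a) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	prefixes, err := ExceptionPrefixes([]byte(sampleTags), []string{"AzureCloud.westeurope", "AzureCloud.southeastasia"})
	if err != nil {
		panic(err)
	}
	for _, p := range prefixes {
		fmt.Println("allow", p)
	}
	ok, _ := Covered(prefixes, "203.0.113.5")
	fmt.Println("203.0.113.5 covered:", ok) // false: eastus was not requested
}
```

Because the prefixes in the real file change, a list generated this way has to be regenerated on a schedule; the handbook's DNS-based exception avoids that maintenance.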
Agent Connection Status

The Apex One Agent connection status depends on the way in which the Apex One server
communicates with the Apex One Agent. The different connection statuses available for the Apex
One Agent include:

Online
The Apex One Agent can connect to the Apex One server for bi-directional communication of the
following:
• Policy settings
• Updates
• Scan commands
• Suspicious Object list synchronization
• Sample submission
• Log submission

Offline
The Apex One Agent has no functional connection with the Apex One server or an Edge Relay
server.

Independent
The Apex One Agent can connect to the server, but communication is limited. While in
Independent mode:
• The Apex One Agent does not accept policy settings from the server
• The Apex One Agent does not initiate scan commands from the server
• The Apex One Agent does not send logs to the server
You can configure Independent Agents with privileges to allow or block component updates if a
functional connection to the Apex One server is available.
End users can manually initiate scans and updates on Agents in Independent mode.

Agent Connection Status on Apex Central

Agent Connection Status on Endpoint

Product Connection Status

Displays the connection status of all managed products that register to the Apex Central as a
Service server.

Checking Product Connection Status
• On the Apex Central console, click the Add Widget button.

• Add the Product Connection Status widget.

• Product connection status is visible.

2.2 Scan Types

Security Agents can use one of two scan methods when scanning for security risks. The scan
methods are Smart Scan & Conventional Scan.
Default Scan Type: In this Apex One version, the default scan method for fresh installations is
smart scan. This means that if you perform a fresh Apex One server installation and do not
change the scan method on the web console, all agents that the server manages use smart scan.
If you upgrade the Apex One server from an earlier version and automatic agent upgrade is
enabled, all agents managed by the server still use the scan method configured before the
upgrade. For example, if you upgrade from a previous version of Apex One that supports smart
scan and conventional scan, all upgraded agents that use smart scan continue to use smart scan
and all agents using conventional scan continue to use conventional scan.

Comparison between the two scan methods:

Basis of comparison: Scanning behavior
Conventional Scan: The conventional scan Security Agent performs scanning on the local
endpoint.
Smart Scan:
• The smart scan Security Agent performs scanning on the local endpoint.
• If the Security Agent cannot determine the risk of the file during the scan, the Security
Agent verifies the risk by sending a scan query to a smart protection source.
• The Security Agent "caches" the scan query result to improve the scan performance.

Basis of comparison: Components in use and updated
Conventional Scan: All components available on the update source, except the Smart Scan
Agent Pattern.
Smart Scan: All components available on the update source, except the Virus Pattern and
Spyware Active-monitoring Pattern.

Basis of comparison: Typical update source
Conventional Scan: Apex One server
Smart Scan: Apex One server

Changing the scan method:

1. Go to Agents > Agent Management.
2. In the agent tree, click the root domain icon ( ) to include all agents or select specific domains
or agents.
3. Click Settings > Scan Settings > Scan Methods.
4. Select Conventional scan or Smart scan.
5. If you selected domain(s) or agent(s) in the agent tree, click Save. If you clicked the root
domain icon, choose from the following options:
o Apply to All Agents: Applies settings to all existing agents and to any new agent added
to an existing/future domain. Future domains are domains not yet created at the time you
configured the settings.
o Apply to Future Domains Only: Applies settings only to agents added to future
domains. This option will not apply settings to new agents added to an existing domain.

Switching from Smart Scan to Conventional Scan:

The following outlines some considerations you should be aware of before switching the
scan method that Security Agents use.
1. Number of Security Agents to switch
Switching a relatively small number of Security Agents at a time allows efficient use of the Apex
One server and Smart Protection Server resources. These servers can perform other critical tasks
while Security Agents change scan methods.
2. Timing
When switching scan methods, Security Agents need to download full versions of the required
pattern files for the new scan method.
Consider switching during off-peak hours to minimize the impact to network bandwidth and
interruption to end user daily operations. Trend Micro recommends disabling "Update Now"
on Security Agents during the conversion process.
3. Agent tree settings
Scan method is a granular setting that you can apply on the root, domain, or individual Security
Agent level. When switching the scan method, you can:
o Create a new agent tree domain and assign conventional scan as its scan method.
Any agent you move to this domain will use conventional scan. When you move the agent,
enable the setting Apply settings of new domain to selected agents.
o Select a domain and configure it to use conventional scan. Smart scan agents belonging to
the domain will switch to conventional scan.
o Select one or several smart scan agents from a domain and then switch them to conventional
scan.
Note:
Any changes to the domain's scan method override the scan method you have configured for
individual agents.

Switching from Conventional Scan to Smart Scan:


If you are switching agents from conventional scan to smart scan, ensure that you have set up
Smart Protection Services.
The following considerations apply when switching to Smart Scan.

Product license
To use smart scan, ensure that you have activated the licenses for the following services and
that the licenses are not expired:
• Antivirus
• Web Reputation and Anti-spyware

Apex One server
Ensure that agents can connect to the Apex One server. Only online agents are notified to switch
to smart scan. Offline agents are notified when they come online. Independent agents are notified
when they come online or, if the agent has scheduled update privileges, when the scheduled
update runs.
Also verify that the Apex One server has the latest components, because smart scan agents need
to download the Smart Scan Agent Pattern from the server.

Number of agents to switch
Switching a relatively small number of agents at a time allows efficient use of Apex One server
resources. The Apex One server can perform other critical tasks while agents change their scan
methods.

Timing
When switching to smart scan for the first time, agents need to download the full version of the
Smart Scan Agent Pattern from the Apex One server. The Smart Scan Pattern is only used by
smart scan agents.
Consider switching during off-peak hours to ensure the download process finishes within a short
amount of time. Also consider switching when no agent is scheduled to update from the server,
and temporarily disable "Update Now" on agents, re-enabling it after the agents have switched to
smart scan.

Agent tree settings
Scan method is a granular setting that can be set on the root, domain, or individual agent level.
When switching to smart scan, you can:
• Create a new agent tree domain and assign smart scan as its scan method. Any agent you
move to this domain will use smart scan. When you move the agent, enable the setting Apply
settings of new domain to selected agents.
• Select a domain and configure it to use smart scan. Conventional scan agents belonging to
the domain will switch to smart scan.
• Select one or several conventional scan agents from a domain and then switch them to smart
scan.
Note:
Any changes to the domain's scan method override the scan method you have configured for
individual agents.

IPv6 support
Smart scan agents send scan queries to smart protection sources. A pure IPv6 smart scan agent
cannot send queries directly to pure IPv4 sources, such as:
• Trend Micro Smart Protection Network
Similarly, a pure IPv4 smart scan agent cannot send queries to pure IPv6 Smart Protection
Servers.
A dual-stack proxy server that can convert IP addresses, such as DeleGate, is required to allow
smart scan agents to connect to the sources.

Smart Scan:

File Reputation Services: Check the reputation of each file against an extensive in-the-cloud
database. Since the malware information is stored in the cloud, it is available instantly to all users.
The cloud-agent architecture eliminates the burden of pattern deployment while significantly
reducing the overall agent footprint. Security Agents must be in Smart Scan mode to use File
Reputation Services.
Web Reputation Services: With one of the largest domain-reputation databases in the world,
Trend Micro Web reputation technology tracks the credibility of Web domains by assigning a
reputation score based on factors such as a Website's age, historical location changes and
indications of suspicious activities discovered through malware behavior analysis. Web reputation
then continues to scan sites and block users from accessing infected ones. Web reputation
features help ensure that the pages that users access are safe and free from Web threats, such
as malware, spyware, and phishing scams that are designed to trick users into providing personal
information. To increase accuracy and reduce false positives, Trend Micro Web reputation
technology assigns reputation scores to specific pages or links within sites instead of classifying
or blocking entire sites, since often only portions of legitimate sites are hacked, and reputations
can change dynamically over time.

SPS - Integrated vs Standalone:

Integrated Smart Protection Server:


The Integrated Smart Protection Server is installed on the Apex One Server. It can be installed
during Apex One Server installation or at a later point by using the Integrated Smart Protection
Server Installation Tool located in:
...\PCCSRV\Admin\Utility\ISPSInstaller\
This server is only recommended for networks with 1,000 Agents or fewer, and for test
deployments. The Integrated Smart Protection Server can be enabled through the Apex One Web
Management console.
Enabling or disabling the services related to the Smart Protection Server changes the
corresponding parameter in the Ofcserver.ini file. The Apex One Master Service is directly
responsible for starting and stopping the Integrated Smart Protection Server service
(iCRCService.exe) in response to Web Management console commands.
Standalone Smart Protection Server:
The Standalone Smart Protection Server is recommended in the following situations:
• Larger networks of more than 1,000 Agents
• Performance issues on the Apex One server, or not enough resources to host an integrated
SPS
• Remote offices connected to the Apex One server over a low-bandwidth VPN
• Load balancing and high availability
This server is available as a VMware image that runs CentOS and is compatible with the following
virtual servers:
• VMware ESXi Server 6.5, 6.0 Update 2 and 5.5 Update 3b
• Microsoft Windows Server 2008 R2 with Hyper-V
• Microsoft Windows Server 2012 with Hyper-V
• Microsoft Windows Server 2012 R2 with Hyper-V
• Microsoft Windows Server 2016 with Hyper-V
• Citrix XenServer 7.2, 7.1, 6.5

Connecting to the SPN:

Configuring the SPS:

Security Agents can switch between Smart Protection sources (the Trend Micro Smart Protection
Network and locally deployed Smart Protection Servers) based on their location relative to the
corporate network. When the Agent detects that it is outside the corporate network, it looks for the
Trend Micro Smart Protection Network; when it is inside the network, it looks for the pre-designated
Smart Protection Servers.

Service Gateway:

A Service Gateway installed in the local network acts as a relay between Trend Micro Vision
One and other products, such as on-premises Trend Micro or third-party products. This allows use
of Trend Micro cloud services while reducing Internet traffic and sharing threat intelligence.

• Smart Protection Services leverage file reputation and web reputation technology to detect
security risks.
• The Service Gateway reduces Internet bandwidth use in a hybrid network by serving as a
proxy between connected applications and Trend Micro Vision One.
• To provide smart protection, on-premises Trend Micro products can perform queries against
the Service Gateway virtual appliance.
• It consists of a cloud-based inventory list in Trend Micro Vision One and a local virtual
appliance.
• As a virtual appliance, the Service Gateway provides services such as ActiveUpdate, Smart
Protection Services and Suspicious Object List synchronization to on-premises Trend Micro
products.
• It supports integration of third-party applications with Trend Micro Vision One.

Service Gateway Deployment:


Deploying a Service Gateway Virtual Appliance with VMware
• In the Service Gateway Inventory, click Download Virtual Appliance, select I agree to the
End User License Agreement, and then click Download Disk Image.
• After downloading the file, open the hypervisor (VMware vSphere in this demo) and deploy
the .OVA file.
• Select Local File, choose the downloaded OVA file, and then click Next.
• Enter the VM name of the Service Gateway, select its folder, and then click Next.
• Select the available compute resource, then click Next.
• Review the initial details, then click Next.
• Select the storage to use, then click Next.
• Select the network to assign to the Service Gateway, then click Next.
• Make a final review, then click Finish to start the deployment.
• Verify that the Service Gateway VM has been created on the destination.

Deploying a Service Gateway Virtual Appliance with Microsoft Hyper-V

• In the Service Gateway Inventory, click Download Virtual Appliance, select Microsoft
Hyper-V (VHD), select I agree to the End User License Agreement, and then click
Download Disk Image.
• In Hyper-V Manager, right-click your host and select New > Virtual Machine.
• Click Next.
• Specify a name for the Service Gateway virtual appliance and click Next.
• Specify Generation 1 and click Next.
• Specify the amount of memory needed for the VM based on the system requirements, and
click Next.
• Specify the network connection that the VM will use, and click Next.
• Click Use an existing virtual hard disk, and then click Browse.
• Navigate to the location where you downloaded and extracted the VHD file, select the file,
and then click Open.
• Click Next.
• Review the settings and click Finish.
• In the Hyper-V Manager Virtual Machines list, right-click the Service Gateway virtual
appliance and click Settings.
• Click Processor, specify the number of virtual processors, and then click OK.
• In the Hyper-V Manager Virtual Machines list, right-click the Service Gateway virtual
appliance and click Connect.
• Click Start to start the virtual machine. Service installation during the first launch of the
appliance takes approximately 10 minutes.

Configuring Service Gateway
• Access the Service Gateway console directly and log in with the default credentials:
• Login: Admin
• Password (default): V1SG@2021
• Change the password as soon as you can log in to the CLI console successfully.
• Type "enable" to access administrator commands, then run the following:
• configure ipv4 static <Assigned IP address, Subnet Mask, Default Gateway>
• configure DNS ipv4 <DNS IP Address>
• configure Hostname <Name of Service Gateway>
• After configuring the network, type "connect" to verify that the appliance can reach the
Trend Micro Vision One cloud servers.
• In the Vision One console, copy the registration token; you will paste it into the SSH session
to register the Service Gateway.
• Open PuTTY on a machine that is on the same network as the Service Gateway and start an
SSH session to register the Service Gateway with the Trend Micro Vision One console. Log in
using the updated credentials, type "enable", then type "register <Registration Token>".
• To verify, go back to the Vision One console and check the status of the Service Gateway.

2.3 Configuring Policies

• Begin with one or more base policies from which you create multiple levels of child policies
that get progressively more granular in their detail.
• Policies are intended to be created in a hierarchical structure.
• A child policy cannot be copied and its settings cannot be inherited.
• For example, in a corporate environment a Finance base (parent) policy can have a set of
child and further descendant policies, each with progressively more specific targeted settings.

Understanding Policy List

The policy list displays the information and status of policies created by all users. When a new
endpoint registers to Apex Central, it goes through the filtered policies in the list from the highest
to the lowest priority. Apex Central assigns the new endpoint to a filtered policy when both of the
following conditions are satisfied:
• The new endpoint matches the target criteria of the policy.
• The policy creator has the permission to manage the new endpoint.
The following table describes the policy list columns that display on the Policy
Management screen. Click a column to sort the data.

Priority
Displays the priority of the policies.
• Apex Central lists policies from the highest to the lowest priority.
• When administrators create a filtered policy, Apex Central saves the new policy as the
lowest priority policy.
• A specified policy takes priority over any filtered policies and remains at the top of the list.
Administrators cannot reorder specified policies.
• Apex Central places draft policies at the bottom of the list.

Policy
Displays the name of the policy.

Policy Version
This column only appears if the selected product is Apex One Security Agent.
Displays the latest policy version deployed.
Note:
Some targets might not have the latest policy version deployed. To view the current policy
deployed on specific targets, click the number in the Deployed column.

Parent Policy
This column only appears if the selected product is Apex One Security Agent.
If a policy is a child policy (that is, it inherited its settings from a parent policy), this column
shows the name of the parent policy. Otherwise, N/A displays.

Deviations
This column only appears if the selected product is Apex One Security Agent.
If a policy is a child policy, this column shows the number of settings that have been changed
on the policy and are therefore inconsistent with settings on the parent policy. If settings are
consistent between the policy and its parent, 0 (zero) displays.
If a policy is not a child policy, N/A displays.

Owner
Displays the user who is currently assigned the policy.
Note:
The default owner is the user who created the policy.
• If you change the owner of a policy to a user account that does not have access rights to
the specified targets, the new owner can modify the policy settings but cannot view the
policy data.
• You can also assign multiple owners by assigning the policy to an Active Directory group.

Last Editor
Displays the user who last edited the policy.

Last Edited
This column only appears if the selected product is Apex One Security Agent.
Displays when the policy was last edited.

Targets
Displays how administrators select targets for the policy.
• Specified: Uses the browse or search function to select specific targets for the policy.
Specified policies remain static at the top of the policy list and take priority over filtered
policies.
• Filtered: Uses a filter to automatically assign current and future endpoints to the policy.
Administrators can rearrange the priority of filtered policies. Hover over an item to view the
filter criteria and make adjustments as necessary.
• None: The policy creator saved the policy as a draft without selecting any targets.

Deployed
Displays the number of targets that have applied the policy settings or have inactivated
product services.
Click the number to view the policy status.

Pending
Displays the number of targets that have not applied the policy settings.
Click the number to view the policy status.

Offline
Displays the number of targets that have offline agents.
Click the number to view the policy status.

With Issues
Displays the number of targets that have not applied the policy settings due to unsupported
policy deployment, no policy configuration, system errors, endpoint communication errors with
the product server, unsupported endpoints, locally changed settings, disabled product
services, or partial deployment.
Click the number to view the policy status.

Assign Policy by Labels

Labels can be assigned to endpoints, allowing policies to be deployed to any endpoint with that
label. Labels can be added to endpoints manually, or auto-label rules can assign them to any
endpoint that matches the rule criteria.

Create Labels
• Click Directories > Users/Endpoints to display the User/Endpoint Directory list.
• Expand Endpoints > Labels and click Add new label.
• Type a Name for the label and click Save.

Policy Management

I. Creating a new policy:


1. Go to Policies > Policy Management. The Policy Management screen appears.

2. Select the type of product settings from the Product list. The screen refreshes to display
policies created for the selected managed product.

3. Click Create. The Create Policy screen appears.

4. Type a policy name.

5. Specify targets.
Apex Central provides several target selection methods that affect how a policy works and
where it sits in the policy list:
o Specify Targets: Use this option to select specific endpoints or managed products.
o Filter by Criteria: Use this option to allocate endpoints automatically based on the filtering
criteria.
i. On the Create Policy screen, go to the Targets section, select Filter by Criteria, and
then click Set Filter. The Filter by Criteria screen appears.
ii. Select the following options and define the criteria.

Match keywords in
Define keywords based on the host name or Apex Central display name.
Note:
Apex Central performs partial matching for single keyword searches. You can search
multiple, comma-separated keywords; however, Apex Central only provides full string
matches for each keyword provided.

IP addresses
Define a range of IP addresses and click Add.
Note:
• Policy management only supports IPv4 addresses.
• When a new managed product or endpoint registers to Apex Central, it takes about an
hour for the managed product or endpoint to become available for searching by IP address.

Operating systems
Select one or more operating systems from the drop-down list.

Directories
Select one of the following directories and define the criteria.
• Product Directory: Select folders from the Product Directory structure.
• Active Directory: Select organizational units from an integrated Active Directory structure.
• Apex One domain hierarchy: Type at least one Apex One domain hierarchy keyword.

iii. Click Save. The Create Policy screen reloads.
o None (Draft only): Use this option to save the policy as a draft without choosing any
targets.

6. Click a managed product feature to expand it and configure its settings. Repeat this step to
configure all features.

7. Click Deploy or Save.
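The target-selection rules above (specified policies first, then filtered policies from the highest to the lowest priority, drafts never; plus the two conditions for a filtered match and the keyword and IPv4 rules from the Filter by Criteria screen) as an added Python example. This is illustrative code written for this edit, not Apex Central's own code. The policy and host names, the CREATOR_SCOPE permission map, case-insensitive keyword comparison and the AND combination of defined criteria are all assumptions made for the example.

```python
# Added example, not Trend Micro code: a model of how Apex Central chooses a policy
# for a newly registered endpoint, following the policy list rules (specified
# policies first, then filtered policies from highest to lowest priority, drafts
# never) and the Filter by Criteria matching rules from this section. Policy and
# host names, and the CREATOR_SCOPE map, are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import AddressValueError, IPv4Address
from typing import Optional


@dataclass
class Endpoint:
    host_name: str
    display_name: str
    ip: str
    operating_system: str


@dataclass
class Policy:
    name: str
    creator: str
    targets: str                    # "specified", "filtered" or "none" (draft)
    priority: int = 0               # filtered policies only; lower value = higher in the list
    specified_hosts: frozenset = frozenset()
    keywords: str = ""              # "Match keywords in": comma-separated
    ip_ranges: list = field(default_factory=list)   # [(first, last), ...], IPv4 only
    operating_systems: frozenset = frozenset()


def keywords_match(keywords: str, ep: Endpoint) -> bool:
    """A single keyword matches partially; several comma-separated keywords each
    need a full-string match against the host name or display name (page rule).
    Case-insensitive comparison is an assumption."""
    terms = [k.strip().lower() for k in keywords.split(",") if k.strip()]
    if not terms:
        return True                 # criterion not defined, so it does not restrict
    names = {ep.host_name.lower(), ep.display_name.lower()}
    if len(terms) == 1:
        return any(terms[0] in n for n in names)
    return any(t in names for t in terms)


def ip_match(ranges, ep: Endpoint) -> bool:
    """Policy management supports IPv4 only: an IPv6 endpoint never matches."""
    if not ranges:
        return True
    try:
        addr = IPv4Address(ep.ip)
    except AddressValueError:
        return False
    return any(IPv4Address(lo) <= addr <= IPv4Address(hi) for lo, hi in ranges)


def os_match(oses, ep: Endpoint) -> bool:
    return not oses or ep.operating_system in oses


def criteria_match(p: Policy, ep: Endpoint) -> bool:
    # Defined criteria are ANDed (assumption; the page does not state the combinator).
    return (keywords_match(p.keywords, ep)
            and ip_match(p.ip_ranges, ep)
            and os_match(p.operating_systems, ep))


def assign_policy(ep: Endpoint, policies, creator_scope) -> Optional[str]:
    """Name of the policy Apex Central would assign, or None ("without policy")."""
    # Specified policies stay at the top of the list and beat every filtered policy.
    for p in policies:
        if p.targets == "specified" and ep.host_name in p.specified_hosts:
            return p.name
    # Filtered policies are walked from highest to lowest priority; both conditions
    # (criteria match AND the creator may manage the endpoint) must hold.
    filtered = sorted((p for p in policies if p.targets == "filtered"),
                      key=lambda p: p.priority)
    for p in filtered:
        if criteria_match(p, ep) and creator_scope[p.creator](ep):
            return p.name
    return None                     # drafts (targets == "none") are never assigned


# Constructed sample data (not from the handbook).
CREATOR_SCOPE = {
    "root": lambda ep: True,                                      # root manages everything
    "finance_admin": lambda ep: ep.host_name.startswith("fin-"),  # scoped administrator
}

POLICIES = [
    Policy("Servers-Specified", "root", "specified", specified_hosts=frozenset({"fin-db01"})),
    Policy("Finance-Workstations", "finance_admin", "filtered", priority=1,
           keywords="ws", ip_ranges=[("10.0.0.0", "10.255.255.255")]),
    Policy("All-Windows-10", "root", "filtered", priority=2,
           operating_systems=frozenset({"Windows 10"})),
    Policy("Draft-Baseline", "root", "none"),
]


def demo():
    endpoints = [
        Endpoint("fin-db01", "Finance DB", "10.10.0.5", "Windows Server 2019"),  # specified wins
        Endpoint("fin-ws07", "Finance WS 7", "10.10.0.77", "Windows 10"),        # priority 1
        Endpoint("hr-ws03", "HR WS 3", "10.20.0.3", "Windows 10"),  # matches, but finance_admin cannot manage it
        Endpoint("fin-ws09", "Finance WS 9", "fd00::9", "Windows 10"),           # IPv6: IP criterion fails
        Endpoint("fin-lab01", "Finance Lab", "10.10.0.9", "Linux"),              # nothing matches
    ]
    return {ep.host_name: assign_policy(ep, POLICIES, CREATOR_SCOPE) for ep in endpoints}


if __name__ == "__main__":
    for host, policy in demo().items():
        print(f"{host}: {policy}")
```

The hr-ws03 case is the one worth noting: it satisfies the Finance-Workstations filter, but because that policy's creator has no rights over the endpoint, Apex Central walks on to the next filtered policy. The fin-lab01 endpoint ends up "without policy", which is the state the policy enforcement cycle later revisits.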

II. Copying policy settings:

Administrators can copy the settings from an existing policy, create a new policy with the same
settings, and deploy the settings to different endpoints or managed products.
Note:
It is not possible to copy the settings of a child Apex One Agent policy. To determine whether
the Apex One Agent policy is a child or a parent, check the Parent Policy column. A clickable
value displays if the policy is a child, and N/A if otherwise.

1. Go to Policies > Policy Management. The Policy Management screen appears.

2. Select the type of product settings from the Product list. The screen refreshes to display
policies created for the selected managed product.

3. Select a policy from the list.

4. Click Copy Settings. The Copy and Create Policy screen appears.

5. In the Policy Name field, type a name for the policy.

6. Assign Targets to the policy.

7. (Optional) Change settings as necessary.

8. Click Deploy.

Note:

o After clicking Deploy, please wait two minutes for Apex Central to deploy the
policy to the targets. Click Refresh on the Policy Management screen to update
the status information in the policy list.
o Apex Central enforces the policy settings on the targets every 24 hours.
III. Inherited policy settings:

Create a new child policy by inheriting the settings of an existing parent policy. A child policy
cannot be copied and its settings cannot be inherited.
This task requires a parent policy for the Apex One agent. A parent policy for the Apex One agent
has the value N/A displayed under the Parent Policy column.

1. Go to Policies > Policy Management. The Policy Management screen appears.

2. Select Apex One Agent from the Product list. The screen refreshes to display policies created
for the selected managed product.

3. Select a parent policy that does not have locally managed settings.

4. Click Inherit Settings. The Inherit and Create Policy screen appears.

5. In the Policy Name field, type a name for the policy.

6. Assign Targets to the policy.

7. (Optional) Review the settings that can be customized or extended and then make changes
as necessary.

Note:

A setting cannot be customized or extended if the option selected on the parent policy
is Inherit from parent.

For example:
o If the Scheduled Scan setting is customizable, you can change the schedule from weekly
to daily.
o If the scan exclusion list for Real-time Scan can be extended, you can type additional file
names that you deem safe and trustworthy. After the child policy is created, it will add
those file names to the scan exclusion list.

8. Click Deploy.

Note:

o After clicking Deploy, please wait two minutes for Apex Central to deploy the policy to the
targets. Click Refresh on the Policy Management screen to update the status information
in the policy list.
o Apex Central enforces the policy settings on the targets every 24 hours.
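The inheritance behaviour described in this section (a child starts from its parent; a setting whose parent permission is Inherit from parent cannot be changed; a customizable setting can be replaced, such as weekly to daily; an extendable list only gains entries; parent edits flow down to children; and the Deviations column counts settings that differ from the parent) as an added Python model. This is illustrative code written for this edit, not Apex Central's own code; the setting names, values and the rule that an override is ignored once the parent permission is changed back to Inherit are assumptions.

```python
# Added example, not Trend Micro code: models how a child policy's effective
# settings are derived from its parent under the three per-setting permissions
# this section describes, and what the policy list's Deviations column counts.
# Setting names and values are made up for illustration.
from copy import deepcopy

INHERIT, CUSTOMIZE, EXTEND = "inherit", "customize", "extend"


class PolicyPermissionError(Exception):
    """Raised when a child tries to change a setting its parent locked."""


class ParentPolicy:
    def __init__(self, name, settings, permissions):
        self.name = name
        self.settings = settings          # setting name -> value (scalar or list)
        self.permissions = permissions    # setting name -> INHERIT | CUSTOMIZE | EXTEND
        self.children = []

    def create_child(self, name, overrides):
        """Equivalent of Inherit Settings: the child starts from this parent."""
        child = ChildPolicy(name, self, overrides)
        self.children.append(child)
        return child


class ChildPolicy:
    def __init__(self, name, parent, overrides):
        self.name = name
        self.parent = parent
        self.overrides = {}
        for key, value in overrides.items():
            self.set(key, value)

    def set(self, key, value):
        """Reject changes the parent does not permit, as the console would."""
        mode = self.parent.permissions.get(key, INHERIT)
        if mode == INHERIT:
            raise PolicyPermissionError(
                f"{key}: parent selected 'Inherit from parent'; child cannot change it")
        if mode == EXTEND and not isinstance(value, list):
            raise TypeError(f"{key}: an extendable setting takes a list of additions")
        self.overrides[key] = value

    def effective_settings(self):
        """Recomputed from the parent every time, so parent edits reach the child.
        An override whose permission was later changed back to INHERIT is ignored
        (assumption; the page only says parent permission changes propagate)."""
        out = deepcopy(self.parent.settings)
        for key, value in self.overrides.items():
            mode = self.parent.permissions.get(key, INHERIT)
            if mode == CUSTOMIZE:
                out[key] = value                       # replace the parent's value
            elif mode == EXTEND:
                out[key] = list(out[key]) + [v for v in value if v not in out[key]]
        return out

    def deviations(self):
        """The Deviations column: number of settings that differ from the parent's."""
        parent = self.parent.settings
        return sum(1 for k, v in self.effective_settings().items() if v != parent[k])


def demo():
    parent = ParentPolicy(
        "Corporate-Baseline",
        settings={
            "scheduled_scan_frequency": "weekly",
            "realtime_scan_exclusions": ["C:\\Backups"],
            "predictive_machine_learning": "enabled",
        },
        permissions={
            "scheduled_scan_frequency": CUSTOMIZE,     # child may change weekly -> daily
            "realtime_scan_exclusions": EXTEND,        # child may only add entries
            "predictive_machine_learning": INHERIT,    # locked on the child
        },
    )
    finance = parent.create_child("Finance", {
        "scheduled_scan_frequency": "daily",
        "realtime_scan_exclusions": ["D:\\LedgerDB"],
    })
    before = finance.effective_settings()
    # Editing the parent propagates to the child without touching the child's overrides.
    parent.settings["realtime_scan_exclusions"].append("C:\\Logs")
    after = finance.effective_settings()
    return before, after, finance.deviations()


if __name__ == "__main__":
    before, after, deviations = demo()
    print("before parent edit:", before)
    print("after parent edit: ", after)
    print("deviations:", deviations)
```

Note the security-relevant point the model makes explicit: an extendable exclusion list can only grow on a child, so anything a child administrator adds widens what Real-time Scan skips, while the parent's own entries can never be removed from below.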

IV. Modifying a policy:

Administrators can modify policy targets and settings as necessary. The root account owner can
modify every policy in the list, while other account owners can only modify the policies they
created. After a policy is modified, Apex Central deploys the policy to the targets.
Important:
Each managed product provides different policy settings that you can configure and deploy to
policy targets. You can find a complete list of supported managed products and the policy settings
for each in the Apex Central Widget and Policy Management Guide.
You can download a PDF version of the guide, or view the guide online, using the following link:
https://docs.trendmicro.com/en-us/enterprise/apex-central.aspx

For an Apex One agent parent policy, if you modify the targets and settings for specific features,
the modifications apply to all child policies and are deployed to the respective targets. Some
settings on a parent policy support permissions that control the changes allowed on child
policies. Modifications to these parent policy permissions are also applied to child policies and
deployed to targets.

1. Navigate to Policies > Policy Management. The Policy Management screen appears.

2. Select the type of product settings from the Product list. The screen refreshes to display
policies created for the selected managed product.

3. Click a policy name in the Policy column. The Edit Policy screen appears.

4. Modify the policy.

Note:

Modifying the filtering criteria in a filtered policy can affect target allocation. Apex Central may re-
assign some targets to other filtered policies, or add additional targets to the current policy.

5. Click Deploy.
V. Importing & Exporting Policies:

Export policies for backup or to import to another Apex Central server of the same version.
Note:
• Apex Central exports policy settings but not policy targets.
• A parent policy stays as a parent after the export or import.
• A child policy becomes a parent after the export. Consequently, it is a parent after the import.

• Apex Central cannot import a policy if its name is the same as an existing child policy. If the
existing policy is not a child, Apex Central overwrites it after the import.

1. Go to Policies > Policy Management. The Policy Management screen appears.

2. Select the type of product settings from the Product list. The screen refreshes to display
policies created for the selected managed product.

3. To export, select one or several policies, click Export Settings, and then save the resulting
policy file.
o If you exported a single policy, the resulting file has the extension *.cmpolicy.
o If you exported several policies, the resulting file is a compressed (*.zip) file containing the
individual .cmpolicy files.

4. To import, click Import Settings and then locate and load the policy file.
o You can import an entire *.zip file or import individual *.cmpolicy files one by one.
o If the policy already exists in the policy list, a confirmation prompt appears, asking if you
want to overwrite the existing policy.
Click OK to proceed.
The screen refreshes and displays the imported policy at the top of the list.
VI. Deleting a policy:

Administrators can remove a policy from the list. Apex Central then re-allocates the targets
associated with the deleted policy if the targets match the filtering criteria of another policy. Those
without a match become endpoints without policies, and they keep the settings defined by the
deleted policy unless a managed product administrator modifies the settings.
Apex Central only allows policy creators to delete their own policies. However, the root account
can delete every policy in the list.
It is not possible to delete an Apex One Agent parent policy with settings inherited by an existing
child policy.
1. Go to Policies > Policy Management.
The Policy Management screen appears.
2. Select the type of product settings from the Product list.
The screen refreshes to display policies created for the selected managed product.
3. Select the policy to delete.

4. Click Delete.
A confirmation screen appears.
5. Click OK.

VII. Changing the policy owner:

The default owner of a policy is the user account that created the policy. You can use the Policy
Management screen to change the owner of a policy to any Apex Central user account. You can
also change the policy owner to an Active Directory group, which designates all Active Directory
users within the group as owners of the policy.

Important:
If you change the owner of a policy to a user account that does not have access rights to the
specified targets, the new owner can modify the policy settings but cannot view the policy data.

1. Go to Policies > Policy Management. The Policy Management screen appears.
2. Select one or more policies to change the owner.

3. Click Change Owner. The Change Policy Owner screen appears.

4. Select a user account from the drop-down list.

5. Click Save to change the owner. Apex Central sends an email notification to all user accounts
assigned the "Administrator" role.

Policy Structure Apex One

Server Policy:
• Endpoint Sensor Server Settings
• Application Control Server Settings

Security Agent Policy:


• Anti-Malware Policy
o Manual Scan
o Real Time Scan
o Scan Now
o Scheduled Scan

o Scan Actions
o Scan Exclusions
• Device Control Policy
• Endpoint Sensor Policy
• Web Reputation Policy
• Unknown Threat Protection Policy
o Predictive Machine Learning
o Sample Submission
o Suspicious Connection
• Vulnerability Protection Policy
• Scan Exclusion List
o Spyware/Grayware Approved List
o Trusted Program List
• Application Control Policy
• Behavior Monitoring Policy
o Malware Behavior Blocking
o Exception List

Application Control Policy:


• Policy Rules
• Policy Logging
• Policy Deployment
• Policy Server Connection
• User Experience

Endpoint Sensor Policy:


• Registering with Apex Central
• Check Status via Apex Central
• Automatic Updates
• Policy Deployment
• Monitoring Rules
• Managing Submissions

Data Loss Prevention Policy


• Data Loss Prevention Policy
• Data Discovery Policy

For more details, refer to: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-widget-and-policy-management-guide

Security Agent Policies (Additional Services)

The following features depend on the listed Security Agent processes; enable the corresponding additional services so that these features function properly.


• Predictive Machine Learning: TMBMSRV.exe, TMCCSF.exe
• Behavior Monitoring: TMBMSRV.exe, TMCCSF.exe
• Device Control: TMBMSRV.exe, dsagent.exe
• Certified Safe Software Service Agent Self-Protection: TMBMSRV.exe
• Firewall: TmPfw.exe
• Browser Exploit Prevention: TMCCSF.exe
• Data Loss Prevention Data Discovery: dsagent.exe

Policy Deployment Flow:

What happens after a policy is deployed from Apex Central to the Apex One server?

1. Apex Central deploys the policy to the Apex One server.
2. The Apex One server dispatches policies to the iProduct servers.
3. For SaaS, the Apex One server now waits for SaaS agents to poll (default every 10 minutes).
o On-premise agents receive the server notification immediately.
4. After Apex One agents get policy tasks/commands, they also notify the sibling iProduct
agents.
5. The Apex One server marks an agent as "deployed successfully" once the Apex One agent
gets the policies from the server.
o For iProduct agents, after the policies are applied, the iProduct agents report policy status
to the corresponding iProduct servers.
6. The iProduct servers write the iProduct agents' policy status to the database, and the Apex
One server consolidates all status results from the iProduct servers.
7. The Apex One server then sends the consolidated policy results/status to Apex Central.

Policy Deployment Flow (Agents Offline):

Policy Deployment Flow (Agent goes Online):

Policy Deployment Flow (Off-Premise Agents):

Policy Deployment Flow (iProducts):

CASE 1: Default iProduct Policy Settings


By default, iProduct settings are set to "disabled", which implies that the iProduct agents are not
installed. In this situation, after the Apex One server dispatches policies to the iProduct servers,
the iProduct servers respond "successfully deployed" directly to the Apex One server. The first
policy deployment that enables iProduct settings triggers installation of the iProduct agents. Once
the iProduct agents are installed, policy setting changes for iProducts follow the normal policy
deployment flow.

CASE 2: Apex One server does not have a valid iProduct license
When a policy contains settings that enable an iProduct, the Apex One server first checks for a
valid license before dispatching the policy to the iProduct servers. If there is no valid license, the
Apex One server responds directly to Apex Central with an "unactivated license" error code (that
is, iProduct license information is managed by the Apex One server).

Policy Deployment Flow (SaaS):

Policy Deployment Triggers:

SCENARIO | USE CASE | AFFECTED ENDPOINTS | AFFECTED POLICIES | DEPLOY TIMING
CREATE POLICY | New filtered policy | All endpoints without a policy that match the new criteria | Only this policy | Immediate
CREATE POLICY | New specified policy | The specified endpoints | Only this policy | Immediate
EDIT POLICY | Edit targets (criteria) for filtered policy | All endpoints as long as they are not in specified policies | All filtered policies | Immediate
EDIT POLICY | Edit targets for specified policy | Endpoints in this policy (if endpoints are removed from policies, they are regarded as “new” endpoints by the policy deployment flow) | Only this policy | Immediate
EDIT POLICY | Edit policy settings | The endpoints in the policy only | Only this policy | Immediate
EDIT POLICY | Reorder policies (including policy removal) | All endpoints as long as they are not in specified policies | All filtered policies | Immediate
NEW OR CHANGED ENDPOINTS | New endpoint reported to Apex Central | The new endpoints | Policies applicable to these new endpoints | 120 sec after endpoints are reported to Apex Central
NEW OR CHANGED ENDPOINTS | Endpoint property changes (which also cause policy changes) | The changed endpoints | All policies | Every 24 hours
POLICY ENFORCEMENT | Apex Central default mechanism to ensure all endpoints get policies | All endpoints | All policies | On premise: every 24 hours; SaaS: every 10 minutes

20 minutes are needed for Apex One as a Service agents to get the policy deployed and return its
status.

Time needed for the policy deployment result to reflect on Apex One as a Service:
There are two timings for Apex One as a Service agents to get a policy deployed and feed back their policy
status:
• Within 20 minutes
o Creating new policies for the first time, or newly registered agents that never had a policy
applied (Apex Central checks every 120 seconds to see if there are new agents)
o Admin reorders policies
o Admin edits policy settings or targets (either specified or filtered)
• Wait for the next policy enforcement
o New agents that passed Apex Central’s new agent check (every 120 seconds) but didn’t
get an applicable policy (they become “without policies”)
o Agents that received policies and need to be moved to another policy due to agent property
changes (e.g. location in AU, IP address, etc.)

Note: AD-based filtered policies always need to have Apex Central sync the latest AD info first
in order to trigger policy changes.

2.4 Log Flow

Sending logs:
The logs from the Update Agent are sent to the Apex One Server (On-Premise).
The logs from the Apex One Agent are sent to the Apex One Server (On-Premise).

Logs from Apex One Linux Agent are sent to the Apex One Linux Server.
Logs from Apex One Mac Agent are sent to the Apex One Mac Server.

Receiving logs and forwarding to Apex Central:


The Apex One Linux Server receives the logs from the Apex One Linux Agent and forwards them to the Apex One
Server.
The Apex One Server (On-Premise) receives the logs from the Apex One Agent and Update Agent and
forwards them to Apex Central (On-Premise).
Apex One (Linux Server) receives logs from the Apex One Linux Server and forwards these logs to
Apex Central (SaaS).
The Apex One Mac Server receives the logs from the Apex One Mac Agent and forwards them to Apex Central.

Data Residency Statement


Apex One SaaS environments in different regions operate independently and are not
interconnected, for data privacy and sovereignty reasons; your data always stays
within the initial data center and cannot be replicated to other regions. Apex One ensures the
complete separation of customer data throughout the data lifecycle.

2.5 Agent Grouping

Use Agent Grouping to manually or automatically create and manage domains on the Apex
One agent tree.
There are two ways to group Security Agents into domains.
Method | Agent Grouping | Description
Manual | NetBIOS domain; Active Directory domain; DNS domain | Manual agent grouping defines the domain to which a newly installed agent should belong. When the agent appears in the agent tree, you can move it to another domain or to another Apex One server. Manual agent grouping also allows you to create, manage, and remove domains in the agent tree.
Automatic | Custom agent groups | Automatic agent grouping uses rules to sort agents in the agent tree. After you define the rules, you can access the agent tree to manually sort the agents or allow Apex One to automatically sort them when specific events occur.

Manual Agent Grouping


Apex One uses this setting only during fresh agent installations. The installation program checks
the network domain to which a target endpoint belongs. If the domain name already exists in
the agent tree, Apex One groups the agent on the target endpoint under that domain and will
apply the settings configured for the domain. If the domain name does not exist, Apex One adds
the domain to the agent tree, groups the agent under that domain, and then applies the root
settings to the domain and agent.
Configuration:

1. Go to Agents > Agent Grouping.

2. Specify the agent grouping method:
o NetBIOS domain
o Active Directory domain
o DNS domain

3. Click Save.
Manage domains and the agents grouped under them by performing the following tasks:
• Add a domain
• Delete a domain or agent
• Rename a domain
• Move a single agent to another domain

Automatic Agent Grouping


Automatic agent grouping uses rules defined by IP addresses or Active Directory domains. If a
rule defines an IP address or an IP address range, the Apex One server will group agents with a
matching IP address to a specific domain in the agent tree. Similarly, if a rule defines one or
several Active Directory domains, the Apex One server will group agents belonging to a particular
Active Directory domain to a specific domain in the agent tree.
Agents apply only one rule at a time. Prioritize rules so that if any agent satisfies more than one
rule, the rule with the highest priority applies.
Configuration:

1. Go to Agents > Agent Grouping.


2. Select Create custom agent groups for existing Security Agents.
3. Go to the Automatic Agent Grouping section.
4. To start creating rules, click Add and then select either Active Directory or IP Address.
o If you selected Active Directory, see the configuration instructions in Defining Agent
Grouping Rules by Active Directory Domains
(https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-2019-server-online-help/introduction-and-get/getting-started-with_002/product_short_name-d_001/client_computer_sing_002/osce-defining-client.aspx#GUID-8B1D2595-5EF8-4CD7-9DFF-A3C8D46FFB41)
o If you selected IP Address, see the configuration instructions in Defining Agent Grouping
Rules by IP Addresses
(https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-2019-server-online-help/protecting-trend_cli/using-company_name-s/osce-osce_sm_prot_so.aspx)

5. If you created more than one rule, prioritize the rules by performing these steps:
o Select a rule.
o Click an arrow under the Group Priority column to move the rule up or down the list. The
ID number of the rule changes to reflect the new position.

6. To use the rules during agent sorting:
o Select the check boxes for the rules that you want to use.
o Enable the rules by switching the Status control to On.
Note:
If you do not select the check box for a rule or if you disable a rule, the rule will not be used when
sorting agents in the agent tree. For example, if the rule dictates that any agent should move to a
new domain, the agent will not move and stays in its current domain.

7. Specify a sorting schedule in the Scheduled Domain Creation section.
o Select Enable scheduled domain creation.
o Specify the schedule under Scheduled Domain Creation.
8. Choose from the following options:
Note: Agent sorting will not start after completing this step.
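The following model, added here as an illustration and not taken from Apex One or any Trend Micro code, shows the two grouping behaviours described in this section on constructed sample data: manual grouping at a fresh install (an existing tree domain receives the agent and its domain settings; an unknown domain is created and inherits the root settings) and automatic grouping (rules keyed on an IP address/range or an Active Directory domain are evaluated in Group Priority order, only the highest-priority match applies, and a rule that is unchecked or switched Off is skipped, so an agent with no active match stays where it is). The CIDR and "start-end" range notations accepted for IP rules are assumptions; the real console has its own input forms.

```python
"""Model of how agents are placed in the Apex One agent tree (added illustration).

Not Trend Micro code. All domain names, rule values and agent records are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Domain:
    name: str
    settings: dict  # settings applied to every agent grouped under this domain


@dataclass
class AgentTree:
    root_settings: dict
    domains: dict = field(default_factory=dict)  # domain name -> Domain

    def place_new_agent(self, network_domain: str) -> tuple:
        """Manual grouping at fresh install: returns (domain name, settings applied)."""
        domain = self.domains.get(network_domain)
        if domain is None:
            # Domain not in the tree yet: add it and give it the root settings
            domain = Domain(network_domain, dict(self.root_settings))
            self.domains[network_domain] = domain
        return domain.name, domain.settings


def ip_in_rule_range(ip: str, spec: str) -> bool:
    """True if `ip` falls in `spec`, given as a single address, CIDR or 'start-end' (assumed notations)."""
    addr = ip_address(ip)
    if "-" in spec:
        low, high = (ip_address(part.strip()) for part in spec.split("-", 1))
        return low <= addr <= high
    return addr in ip_network(spec, strict=False)


@dataclass
class GroupingRule:
    rule_id: int            # position in the Group Priority column (1 = highest)
    kind: str               # "ip" or "ad"
    value: str              # IP address / range for "ip", AD domain name for "ad"
    target_domain: str      # agent-tree domain matching agents are sorted into
    selected: bool = True   # the rule's check box is ticked
    status_on: bool = True  # the Status control is switched On

    @property
    def active(self) -> bool:
        return self.selected and self.status_on

    def matches(self, agent: dict) -> bool:
        if self.kind == "ip":
            return ip_in_rule_range(agent["ip"], self.value)
        if self.kind == "ad":
            return agent.get("ad_domain", "").lower() == self.value.lower()
        raise ValueError(f"unknown rule kind {self.kind!r}")


def sort_agent(agent: dict, rules: list, current_domain: str) -> str:
    """Automatic grouping: the highest-priority active rule that matches wins.

    Returns the domain the agent ends up in; unchanged when no active rule matches.
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if not rule.active:
            continue  # unchecked or disabled rules are not used when sorting
        if rule.matches(agent):
            return rule.target_domain
    return current_domain


if __name__ == "__main__":
    tree = AgentTree(root_settings={"scan_method": "smart"})
    print(tree.place_new_agent("CORP"))  # new domain, inherits root settings

    rules = [
        GroupingRule(1, "ad", "corp.example", "Corporate"),
        GroupingRule(2, "ip", "10.10.0.0/16", "Branch", status_on=False),
        GroupingRule(3, "ip", "10.10.5.1-10.10.5.50", "Lab"),
    ]
    agent = {"ip": "10.10.5.20", "ad_domain": "other.example"}
    print(sort_agent(agent, rules, "Workgroup"))  # rule 2 is Off, rule 3 matches: Lab
```

The disabled rule 2 in the sample is the case the note above describes: it would otherwise capture the whole 10.10.0.0/16 range, but because its Status is Off the agent falls through to rule 3, and an agent that matches no active rule keeps its current domain.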

2.5 Updates

All component updates originate from the Trend Micro ActiveUpdate server. When updates are
available, the Apex One server and smart protection sources (Smart Protection Server or Smart
Protection Network) download the updated components. There are no component download
overlaps between the Apex One server and smart protection sources because each one
downloads a specific set of components.
Note:
You can configure both the Apex One server and Smart Protection Server to update from a source
other than the Trend Micro ActiveUpdate server. To do this, you need to set up a custom update
source. If you need assistance setting up this update source, contact your support provider.

Apex One Server and Security Agent Update
The Apex One server downloads most of the components that agents need. The only component
it does not download is the Smart Scan Pattern, which is downloaded by smart protection sources.
If the Apex One server manages a large number of agents, updating may utilize a significant
amount of server computer resources, affecting the server’s stability and performance. To
address this issue, Apex One has an Update Agent feature that allows certain agents to share
the task of distributing updates to other agents.
The following table describes the different component update options for the Apex One server
and agents, and recommendations on when to use them:
Update Option | Description | Recommendation
ActiveUpdate server > Server > Agent | The Apex One server receives updated components from the Trend Micro ActiveUpdate server (or other update source) and initiates component update on agents. | Use this method if there are no low-bandwidth sections between the Apex One server and agents.
ActiveUpdate server > Server > Update Agents > Agent | The Apex One server receives updated components from the ActiveUpdate server (or other update source) and initiates component update on agents. Agents acting as Update Agents then notify agents to update components. | If there are low-bandwidth sections between the Apex One server and agents, use this method to balance the traffic load on the network.
ActiveUpdate server > Update Agents > Agent | Update Agents receive updated components directly from the ActiveUpdate server (or other update source) and notify agents to update components. | Use this method only if you experience problems updating Update Agents from the Apex One server or from other Update Agents. Under most circumstances, Update Agents receive updates faster from the Apex One server or from other Update Agents than from an external update source.
ActiveUpdate server > Agent | Apex One agents receive updated components directly from the ActiveUpdate server (or other update source). | Use this method only if you experience problems updating agents from the Apex One server or from Update Agents. Under most circumstances, agents receive updates faster from the Apex One server or from Update Agents than from an external update source.

Smart Protection Source Update
A smart protection source (Smart Protection Server or Smart Protection Network) downloads the
Smart Scan Pattern. Smart scan agents do not download this pattern. Agents verify potential
threats against the pattern by sending scan queries to the smart protection source.
Note:
See Smart Protection Sources
(https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-2019-server-online-help/protecting-trend_cli/using-company_name-s/osce-osce_sm_prot_so.aspx#GUID-523B5AFA-4B86-4A42-AAB3-3ED450693792)
for more information about smart protection sources.

The following table describes the update process for smart protection sources.
Update Process | Description
ActiveUpdate server > Smart Protection Network | The Trend Micro Smart Protection Network receives updates from the Trend Micro ActiveUpdate server. Smart scan agents that are not connected to the corporate network send queries to the Trend Micro Smart Protection Network.
ActiveUpdate server > Smart Protection Server | A Smart Protection Server (integrated or standalone) receives updates from the Trend Micro ActiveUpdate server. Smart protection agents that are connected to the corporate network send queries to the Smart Protection Server.
Smart Protection Network > Smart Protection Server | A Smart Protection Server (integrated or standalone) receives updates from the Trend Micro Smart Protection Network. Smart protection agents that are connected to the corporate network send queries to the Smart Protection Server.

Server Updates:

Update Apex One server components manually or by configuring an update schedule.
To allow the server to deploy the updated components to agents, enable automatic agent update.
If automatic agent update is disabled, the server downloads the updates but does not deploy them
to the agents.
Update methods include:
• Manual server update: When an update is critical, perform manual update so the server can
obtain the updates immediately.
• Scheduled server update: The Apex One server connects to the update source during the
scheduled day and time to obtain the latest components.
❖ Manually updating the Apex One Server:
Manually update the components on the Apex One server after installing or upgrading the
server and whenever there is an outbreak.

1. Go to Updates > Server > Manual Update.


2. Select the components to update.
3. Click Update.
The server downloads the updated components.
❖ Schedule Updates for the Apex One Server:
Configure the Apex One server to regularly check its update source and automatically
download any available updates. Because agents normally get updates from the server, using
scheduled update is an easy and effective way of ensuring that protection against security
risks is always current.

1. Go to Updates > Server > Scheduled Update.


2. Select Enable scheduled update of the Apex One server.
3. Select the components to update.
4. Specify the update schedule.

For daily, weekly, and monthly updates, the period of time is the number of hours during
which Apex One will perform the update. Apex One updates at any given time during this
time period.

5. Click Save.

Pattern Updates

Apex One uses Trend Micro ActiveUpdate to obtain and distribute updates for specific program
components. Two types of components can be updated:
• Patterns
• Engines
The ActiveUpdate (AU) module is Apex One’s interface to the ActiveUpdate system. As a Trend
Micro common module, this module is developed independently of other products.
Trend Micro releases two types of pattern updates:
Official Pattern Release: Patterns are regularly made available to users as part of an Official
Pattern Release (OPR). Upon release, these patterns are posted on the ActiveUpdate system,
from which products can download them using the default update source.
Controlled Pattern File Release: These are pre-release versions of a Trend Micro virus pattern
file. Each is a fully tested pattern file intended to provide additional antivirus protection in between
official pattern file releases.

Incremental Updates

Incremental update technology limits the impact of updates on network bandwidth. This was
originally only available for virus pattern updates, but has now been applied to other patterns. It
does not, however, apply to engine updates.
For each new pattern on the Trend Micro update server, there are several incremental patterns.
Each incremental pattern contains the difference between the malware signatures in the latest
version, and the version to which the increment corresponds.
Increments are provided for the 14 most recent Official Pattern Releases. If the pattern used in a
product is older than any of the 14 incremental patterns, then the latest full pattern is downloaded.
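The download decision described above, as an added worked example that is not Trend Micro code: a planner that, for each agent's installed pattern release, decides between one increment and the full pattern, treats engine updates as always-full, and aggregates the result over a fleet so you can see the bandwidth the 14-release window saves. Release numbers, component names and byte sizes are constructed sample values, and the window boundary (increments exist for the 14 releases before the latest) is an assumption about the exact cut-off.

```python
"""Incremental-vs-full pattern download planner (added illustration, not Trend Micro code).

Rules taken from the handbook: increments exist only for the 14 most recent Official
Pattern Releases, each increment carries the difference between the latest release and
the release it corresponds to (so one increment is enough to catch up), a product whose
pattern is older than the oldest increment downloads the full pattern, and engines
never use increments. Versions and sizes below are constructed.
"""
from dataclasses import dataclass

INCREMENT_WINDOW = 14  # increments are kept for the 14 most recent OPRs (boundary assumed)


@dataclass(frozen=True)
class Component:
    name: str
    kind: str        # "pattern" (has increments) or "engine" (full download only)
    latest: int      # latest release number on the update source (constructed)
    full_size: int   # bytes of a full download (constructed)
    incr_size: int   # bytes of one increment (constructed; 0 for engines)


def oldest_release_with_increment(component: Component) -> int:
    """Lowest installed release that an increment can still bring up to date."""
    return component.latest - INCREMENT_WINDOW


def plan_download(component: Component, installed: int) -> tuple:
    """Decide what a product at release `installed` must fetch.

    Returns (action, bytes) where action is "none", "incremental" or "full".
    """
    if installed >= component.latest:
        return ("none", 0)
    if component.kind != "pattern":
        return ("full", component.full_size)  # engines have no increments
    if installed < oldest_release_with_increment(component):
        return ("full", component.full_size)  # too far behind for any increment
    return ("incremental", component.incr_size)


def fleet_plan(component: Component, installed_versions: list) -> dict:
    """Aggregate the decision over a fleet and compare with an always-full policy.

    Handy when sizing the load an update puts on the server or on Update Agents.
    """
    counts = {"none": 0, "incremental": 0, "full": 0}
    total = 0
    for version in installed_versions:
        action, size = plan_download(component, version)
        counts[action] += 1
        total += size
    behind = sum(1 for v in installed_versions if v < component.latest)
    return {
        "counts": counts,
        "bytes": total,
        "bytes_if_always_full": behind * component.full_size,
    }


if __name__ == "__main__":
    virus_pattern = Component("Virus Pattern", "pattern", latest=100,
                              full_size=60_000_000, incr_size=2_000_000)
    print(plan_download(virus_pattern, 99))  # one increment
    print(plan_download(virus_pattern, 85))  # older than release 86: full pattern
    print(fleet_plan(virus_pattern, [100, 99, 97, 86, 85, 40]))
```

The fleet summary is where the handbook's point becomes visible: agents that are kept reasonably current cost one small increment each, while the few that have been offline long enough to fall outside the window each pull a full pattern, so keeping agents inside the window is what protects the server's bandwidth.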

Update Agents
Update Agents are Security Agents that function as alternative update sites for other Agents within
an Apex One network. They permit the deployment of the settings below to Agents whose
connections to the Apex One Server would have been sufficient for regular Agent-Server
messages but not for bandwidth-intensive updates:
• Component updates
• Domain settings
• Agent programs and hot fixes
Update Agents serve as local ActiveUpdate sites. Like the Apex One Server, they offer both full
and incremental patterns to their Agents by way of their own ActiveUpdate folder.
Any Security Agent can be promoted to an Update Agent, but it is typically recommended that an
Agent on an endpoint computer that remains on at all times be used.

Without Update Agents, all endpoint computers contact the Apex One Server for updates. In
installations with many Security Agents, this can create network traffic issues.

With Update Agents in place, endpoint computers contact their Update Agents for updates
instead of contacting the Apex One Server. This reduces the amount of network traffic destined
for the Apex One Server. Security Agents are assigned Update Agents based on their IP
addresses.
❖ Automatic

Agent updates can run automatically when certain events occur or when scheduled. In
addition to components, Security Agents also receive updated configuration files during
automatic update. In the Web Management console, click Updates > Agents > Automatic
Update.
Event-Triggered Updates
The Server can notify online Agents to update components after it downloads the latest
components, and offline Agents when they restart and then connect to the Server.

Schedule-based Updates
Security Agents with appropriate privileges will run updates based on the schedule.
❖ Manual

When an update is critical, use Manual Update to immediately notify Agents to perform a
component update. In addition to components, Security Agents also receive updated
configuration files automatically during a Manual Update. In the Web Management console,
click Updates > Agents > Manual Update

3.6.6.3 Update Security Agents - Privilege-Based Update

Users with update privileges have greater control over how the Apex One Agent on their
computers gets updated.

Lesson 3: Apex One Product Licensing

Objectives:
Upon completion of this lesson you will be able to:

• Smart Protection Suite
• Understanding NFR Licenses
• NFR - User Protection
• Customer Licensing Portal (CLP)

3.1 Smart Protection Suite

Smart Protection for Apex One (On-Prem):

Trend Micro Apex One – On Premise is a leading endpoint protection solution which gives you
protection for endpoints with features like anti-malware, application control, etc.

Smart Protection for Apex One as a Service:

Trend Micro Apex One redefines endpoint security with a breadth of capabilities delivered as a
single-tenant cloud solution, with consistency across SaaS/cloud-based deployments.
XDR for Users:
Includes Smart Protection for endpoints on cloud with added security for Email (Office 365 &
Gmail Protection only) and also includes XDR (available for Endpoints & Email).
Smart Protection Suite for Endpoint:
A high-performance security suite that includes all layers of endpoint defense to protect your users,
giving you centralized management across endpoints.
Smart Protection Suite Complete:
Smart Protection Complete includes Smart Protection for Endpoints along with added security for
cloud applications, Web, Email, and collaboration.

3.2 NFR Licenses

With differentiated solutions, our NFR package is designed to deepen the value of our solutions
and to secure new sources of revenue for our partners. The new NFR bundle enables partners to
position Trend Micro solutions to maximize the value of our offerings and explore business
opportunities. The NFR helps our partners become familiar with Trend Micro solutions through lab
testing, product demos, customer PoCs and internal training.

Below are the available NFR bundles, both free & paid packages.

3.2.1 NFR Welcome (Free for Bronze)
Comprehensive Advanced Threat Protection for Endpoint paired with the industry-leading
Cloud Email Security solution, offered as a starter kit to our Partners.

3.2.2 NFR Business Builder (Free for Silver, Gold and Platinum, Paid for Bronze)
This pack offers Hybrid Cloud Security solutions along with Advanced Threat Detection
for Endpoint Protection Suite, which covers both SaaS-based and on-prem solutions. Trend
Micro's Email Security (CAS), a SaaS-based email security solution for Office 365, is also
part of the package.

3.2.3 NFR Business Pro (Paid for Silver, Gold and Platinum)
This pack offers a layered security solution that provides a better way to quickly protect,
detect and respond to new threats through Trend Micro’s Connected Threat Defense, thereby
improving visibility and streamlining investigation across the customer's IT infrastructure.
The pack includes Advanced Threat Detection for Endpoint, Hybrid Cloud Security, Next
Gen IPS and Breach Detection.

3.2.4 NFR Business Max (Paid for Silver, Gold and Platinum)
A comprehensive security bundle which not only extends detection and response beyond
the endpoint but also includes Network, Email, & Cloud Workload protection, offering
broader visibility and expert security analytics, leading to better detection and swift
response.
The pack includes Advanced Threat Detection for Endpoint, Hybrid Cloud Security, Next
Gen IPS, Breach Detection and Cloud Sandboxing. These solutions connect to the Trend
Micro Data Lake for Automated Detection, Sweeping, Hunting & Root Cause Analysis.

3.3 NFR - User Protection

Welcome Package:
PACKAGE | PRODUCTS IN THE PACKAGE | QTY
Welcome Kit | Smart Protection for Endpoint (SPE) | 25

Products under Smart Protection for Endpoint (SPE):
1. Worry-Free Business Security Services Subscription
2. ApexOne Endpoint Protection + (Mac)
3. Apex One Vulnerability Protection add-on
4. Apex One Application Control add-on
5. Apex One DLP add-on
6. Apex One as a Service
7. Apex One and Apex Central Full Feature for Windows and Mac
8. Apex One Virtual Device Infrastructure add-on
9. Trend Micro Endpoint Encryption - Full Disk Encryption and File Encryption
10. Trend Micro Mobile Security 9.x
11. ServerProtect Linux v3.X
12. ServerProtect WIN.NW
13. Control Manager v6, Advanced Edition

Business Builder Package:

PACKAGE | PRODUCTS IN THE PACKAGE | QTY
Business Builder | Smart Protection Complete (SPC) | 25

Products under Smart Protection Complete (SPC):
1. All SPE Capability
2. InterScan Web Security Virtual Appliance 6.x English with DLP
3. IM Security for Microsoft Servers
4. IMSVA 9.x base product, Pre-filter, SPS/ERS, and DLP
5. Email Encryption for IMSVA 9.x
6. InterScan Web Security as a Service
7. Hosted Email Security Subscription
8. Email Security Standard
9. Cloud App Security for Office 365
10. PortalProtect 2.x, Anti-Malware, Content Filter, Advanced DLP, WTP
11. ScanMail for Lotus Domino suite V5.x with Advanced DLP for Windows and Linux
12. ScanMail Suite with DLP for Microsoft Exchange
13. Apex Central Advanced Edition - Multi-lingual

Business Pro Package:

PACKAGE | PRODUCTS IN THE PACKAGE | QTY
Business Pro | Smart Protection Complete (SPC) | 25
Business Pro | Trend Micro Apex One Endpoint Sensor | 25

Business Max Package:

PACKAGE | PRODUCTS IN THE PACKAGE | QTY
Business Max | Smart Protection Complete (SPC) | 25
Business Max | Trend Micro Apex One Endpoint Sensor | 25
Business Max | Trend Micro Apex One as a Service - Endpoint Sensor | 25

3.4 Customer Licensing Portal (CLP)

Customer Licensing Portal (CLP) is the online management center for Trend Micro products &
services.
Features:
• Safer
Easily activate and register security products and services from the extensive Trend Micro
product line.
• Smarter
Access all your Trend Micro security products and services from a central location online.
• Simpler
Logon once for access to all Trend Micro products and services on the portal.

Using the Customer Licensing Portal:

1. Logging in to CLP:
• If you are an existing user, log in to the Customer Licensing
Portal (https://clp.trendmicro.com/) using your OLR account.
• You can manage all products and licenses under My Products/Services.

2. Registering a new Trend Micro Account:
• Log in to the Customer Licensing Portal.
• Click the Sign up now link.

• Select No, I am a first time user and enter your product key (Activation or Registration
Code).

• Click Continue.
• Review the Product Information.

• Read the Trend Micro License Agreement terms and tick the check box to accept.
• Click Continue.
• To complete the registration process, enter the Account Information.
• Click Continue to finish the registration.

3. Registering your RK/AC if you have an existing account
• Log in to the Customer Licensing Portal.
• Click Enter Your Key and type your activation code or key.

• Click Continue.
• Review the Product Information.
• Read the Trend Micro License Agreement and tick the check box to accept the terms.

4. Merging licenses in CLP
• Log in to the Customer Licensing Portal.
• Click Merge Products and enter your activation code or key.

NOTE:

If the Merge Products option is not available when using your account this means that your
registered license does not support merging.

• The Merge Products page lists products that support the merge function. However, not
all Trend Micro Products support the license merge function.

Scenario 1: For services such as WFBS-SVC, click sign in to merge two WFBS-SVC
accounts.

Scenario 2: For On Premise products such as WFBS, choose the license you want to
retain. For three or more licenses of the same type, you will be asked which license to
merge.

• Click Merge.

Lesson 4: Introduction to Proof of Concepts

Objectives:
Upon completion of this lesson you will be able to:

• Introduction to PoC & Demo
• Product Cloud
• Proof-of-Concept
• PoC Use Cases

4.1 Introduction to PoC & Demo
Introduction:

• Proof of Concepts:
A PoC is a more formalized version of a trial and involves a more targeted and guided implementation of
the product in the customer’s environment. The goal is to provide a high level of understanding of
how the product may function for a specific use case and to give the vendor an opportunity to more
closely align the product’s capabilities with the customer’s needs. As it is a more formal
engagement, the customer and vendor should agree on the specific objectives and outcomes
expected as well as the responsibilities of each party (i.e. the customer should devote resources
such as staff and infrastructure, and the vendor should provide technical support and training). A
POC/POV (Proof of Value) can vary in length, depending on the objectives agreed at the outset,
but great care should be taken by the customer and the vendor to conclude the POC as agreed.

• Demo:
A demonstration, or demo for short, is a brief overview of the product’s features and capabilities
followed by a live presentation of the product going through various tasks that give the customer
a practical understanding of how the product works. It is sometimes given right after a product or
solution presentation. With the wide availability of pre-recorded video, a “demo” sometimes just refers
to a product demo video clip, or to access to a product demo edition; such an edition is typically
feature-limited and used to generate leads. A demo is typically the first time the customer has seen the
product in action (remember that a product demo video clip also counts). Demos usually take no more
than 1-2 hours and can be customized to focus on features important to the customer. Demos
may also be recorded so that they can be viewed at the customer’s convenience, but a recording does
not provide an opportunity for questions or customization of the presentation, since it is pre-recorded,
scripted and prepared in advance.

PoC vs Demo:

• PoC:
• Time-consuming process, as it requires a lot of time for planning and delivering a PoC.
• Slows down the procurement process when tests are performed with multiple vendors.
• Resource-intensive, as it requires resources for functional tests in the customer’s environment.

• Demo:
• Faster deployment: a demo takes less time, since less time is spent installing/configuring products.
• Configurations are known to work together and do not introduce localized issues found on
customers’ sites.
• There is no need for customer prerequisites like building the supporting infrastructure.

When to Opt for which?

Opt for a PoC when the customer:
• Has some environmental dependencies as in terms of demonstration of solution integration
in their existing setup.
• Has a certain custom use case demonstration requirement which must be agreed by Trend
Micro.
If this is not the case, then Opt for a well thought out demo.

4.2 Product Cloud

Introduction:

“Product Cloud” is a hybrid cloud infrastructure built by the PreSales and Corporate IT teams to
provide Field Sales Engineers and Solution Architects with a powerful and agile platform to
demo, troubleshoot and test Trend Micro products and third-party software from anywhere in the
world using only a web browser.
Using Product Cloud to run POCs offers many benefits, including:
• Speed of Deployment – Less time spent installing/configuring products
• Configuration Stability – The configurations are known to work together and don’t
introduce localized issues found on customers’ sites
• No Customer Prerequisites – Often one of the biggest delays with POCs is waiting for the
customer to build the supporting infrastructure
• Trend Micro Product Cloud enables partners and employees to conduct an instant, web-based
demo (24x7) of Trend Micro’s top-selling products, and to invite prospects and customers to
conduct a free, self-paced online product trial, complete with step-by-step guidance.

• It’s fast and easy to use (no download, installation or configuration necessary), and will help you
close more business by providing valuable insights on the products, key features and
capabilities of interest to customers.
• Product Cloud enables you to demo, trial and track from one simple console!

Instant Demo:

Instant Demo provides 24x7 web access to Trend Micro’s top selling products, and is pre-loaded
with data to enrich your demo experience.

Steps:
1. Login to the Partner Portal & select Demo Cloud.
2. Choose the desired product instant demo.
3. Available for most of our Top Selling Products.

Trial:

• Trials let you invite prospects and customers to conduct a free, self-paced online product trial,
complete with step-by-step guidance. Best of all, you’ll be notified when the trial has been
completed, and you’ll receive valuable insights on the key features and capabilities of interest
to your prospects and customers.
• Trial is currently available only for Apex One, Deep Security, SPS & Worry-Free.
• Enables you to track your prospects’ trials.
• You can also invite your customers via email, social media, or bulk invite via CSV.

4.3 Proof-of-Concept (PoC)
PoC Cycle:

Step 1:
• Define the success criteria of the PoC.
• PoC start date, finish date and other important dates of the PoC.
• Set out the objectives of the PoC precisely.
Step 2:
• Understand the customer environment and the PoC to be conducted.
• Share the pre-requisites with the customer.
Step 3:
Review and sign-off meetings should be completed and the PoC should Kick-off.
Step 4:
• Manage the PoC.
• Set your performance goals and track the PoC metrics.
Step 5:
Present the results of the PoC that was performed. Explain, against the success criteria, how the
requirements were met.

NOTE:
Taking it a step further, applying the lessons learnt from previous POCs would help to fine tune
your approach to future ones. Gathering, learning and evolving!

PoC Deployment Scenarios:

PoC can be deployed in an On-Premise setup as well as a SaaS based model.

Checklist: On-Premise

The requirements for an On-Premise deployment are:


• Apex Central
• Database
• Apex One Server
• Apex One Agent
• Network Connectivity

System Requirements Checklist: On-Premise

Checklist: Apex One SaaS


System Requirements Checklist: Apex One SaaS

PoC Template & Report Format:

To build a standard PoC report after conducting a PoC at a customer’s environment, you
need to have the following key sections in your report:
• Introduction
• Solution Overview
• PoC Architecture that you designed at the customer’s environment
• PoC Success Criteria: how the requirements initially discussed for the PoC were met
• Pre-requisites
• Additional functionality Overview

PoC Best Practices:

During a PoC, there are a set of guidelines to be followed.


Do’s:
• Remember that POCs define an SE
• Understand the value of the opportunity
• Consider whether the POC should be run in Product Cloud (Cloud Demo)
• Know your competition
• Proper planning prevents poor performance
• Over-estimate the time required
• Have an outcome in mind
• Schedule regular check-in sessions
• Hand over POCs to colleagues when absent
• Log support issues on behalf of the client
• Escalate to a Trend SE if the POC is at risk
Don’ts:
• Offer a POC unless absolutely necessary
• Start a POC without agreed success criteria
• Wait for the customer to reach out to you
• Assume the customer is technically savvy
• Assume no news is good news; always follow up

4.4 PoC Use Cases


USE CASE 1: Basic Anti-Virus Test using Eicar

Pre-Requisites:
1. On Apex Central, go to Policy > Policy Management.
2. Click on your Defined Policy and scroll down to Real-time Scan Settings.
3. Make sure the following options are checked.
4. Scroll down and click on Deploy.
5. Wait for the policy to be Deployed. Check on the security agent that Real-time Scan is
green. Make sure that the pattern is also up-to-date by clicking on Update.

Policy & Security Agent should look like this after Policy Configuration:

Testing & Results:

1. Go to EICAR.org (http://www.eicar.org/download/eicar.com)
2. Scroll down to the test files and click on any or all of the samples.

3. Detection of the EICAR samples should immediately be picked up by real-time scanning.

USE CASE 2: WRS blocking – Malicious URL

Pre-Requisites:
1. Login to Apex Central and go to Policy > Policy Management
2. Click on your Defined Policy and scroll down to Web Reputation Settings
3. Confirm the following settings are checked (enabled)
4. Click on Deploy.
5. Wait for the policy to be Deployed. Check on the security agent that Real-time Scan is
green. Make sure that the pattern is also up-to-date by clicking on Update.

Policy & Security Agent should look like this after Policy Configuration:

Testing & Results:

1. Open a web browser and use the following URLs to test Web Reputation

2. URL Rating Results:


• For additional rating verification of Web Reputation, you may use KB1056027

3. C&C Callback

4. WICAR
• You may click on the various test criteria in WICAR for additional detection tests

USE CASE 3: Install Coexist Agent and convert to Full mode

Testing & Results:

1. Download the Coexist Agent.
2. Install on Endpoint.
3. Uninstall 3rd Party AV.
4. Convert the Coexist Agent to Full Mode.
5. Verify successful conversion of Coexist Agent to Full Mode.

USE CASE 4: Machine Learning

Pre-Requisites:
1. Login to Apex Central and go to Policy > Policy Management.
2. Put a check on Enable Predictive Machine Learning and set the following actions:
• File: Log Only
• Process: Terminate

3. Scroll down and click on Deploy.

Policy & Security Agent should look like this after Policy Configuration:

Testing & Results:

1. Download a malware sample on the client machine and execute it.
2. You should get a detection for Predictive Machine Learning.
3. Click on the detection to view the Predictive Machine Learning logs.

USE CASE 5: Sandboxing

Pre-Requisites:
• Programs not known to Trend Micro (download through web browsers or email channels).
• Heuristic detection of processes (downloaded through supported web browsers or email
channels).
• Low prevalence autorun programs on removable storage.

Sample Submission should look like this after Policy Configuration:

Testing & Results:

1. Go to Agents > Agent Management.


2. In the agent tree, click the root domain icon to include all agents, or select specific
domains or agents.
3. Click Settings > Sample Submission Settings.
The Sample Submission Settings screen appears.
4. Select Enable suspicious file submission to Virtual Analyzer.
5. Click Save.
6. Samples submitted by Apex One can be tracked under the Submissions tab of the Deep
Discovery Analyzer console.

USE CASE 6: Trust Permission: “Application can execute other process”

Pre-Requisites:
1. On a test endpoint, download Cmder Mini (cmder_mini) and extract it into a folder named C:\tmp
2. Download the LINE INSTALLER (https://www.download3k.com/Install-LINE.html) and place it in
the same folder, C:\tmp
3. Login to Apex Central, go to Policy > Policy Resources > Application Control
Criteria and create a “Block” criterion that blocks the path C:\tmp\*.*, then click Save.

4. Create another criterion for “Allow”:
• Trust Permission: Application can execute other processes
• Match Method: Hash values
• SHA-256:
F49F13B0AC5D15B564A26D9ECB47AFEAF86BD708D61585063C30D2A36494CEA4

5. Deploy the new rules as an Application Control Policy:
• Policies > “Policy Name” > Application Control Settings > Assign Rule

Testing & Results:

1. On the test machine, launch C:\tmp\LineInst.exe
• Expected Result: Blocked

2. Launch C:\tmp\cmder_mini\cmder.exe
• Expected Result: Allowed

3. Launch the exe from within the Cmder.exe tool.
• Expected Result: Allowed

4. Try re-launching LineInst.exe by double-clicking on it.
• Expected Result: Blocked

USE CASE 7: Vulnerability Protection

Pre-Requisites:
TEST ENDPOINT (TE)
1. Login to Apex Central and go to Policy > Policy Management
2. Put a check on Vulnerability Protection and enable Intrusion Prevention Rule - 1009490:
• Status: Enabled
• Identifier: 1009490
• Rule Name: Block Administrative Share - 1 (ATT&CK T1077, T1105)
• Mode: Detect Only
3. Scroll down and click on Deploy.
Security Agent on the Test Endpoint (TE) should look like this after it is updated by the policy:

Testing & Results:

NOTE:
Both endpoints must be on the same network and sub-net.
Credentials to access the Test Endpoint (TE) must have administrative privileges.

ATTACK ENDPOINT (AE)


1. Perform a ping test to see if the Test Endpoint (TE) is reachable from the Attack Endpoint
(AE).
2. If ping is:
• Successful: Open Network or a folder, then proceed to step 3.
• Unsuccessful: Check and troubleshoot network settings until ping is successful.
3. On the address bar, type in \\<IP address of TE>\C$ and press Enter.

4. You will be prompted to input the Test Endpoint (TE) admin credentials.

5. Press OK. If the provided credentials successfully log in to the Test Endpoint (TE) admin
share, you should be able to see its contents from the Attack Endpoint (AE). Otherwise, check
admin permissions and try again.

6. A notification won't appear on the endpoint. Check Log Query on Apex Central for the
detection:
Detections > Logs > Log Query > Intrusion Prevention

In this example, we can see from the logs that Affected IP Address 92.168.146.128 was
accessed by an Attack Source with an IP address of 192.168.146.134.

USE CASE 8: Data Loss Prevention

Pre-Requisites:
1. Login to Apex Central and go to Policy > Policy Management.
2. On the Product drop down, choose Apex One Data Loss Prevention then click on Create.
3. Provide a Policy Name. Under Targets, click Set Filter beside Filter by Criteria.
• Click on Directories and choose Product Directory.
• Select Apex Central as a Service then click Save.
4. Under Apex One DLP, put a check on Enable Data Loss Prevention and click on Add.
5. On the DLP Settings, navigate the Available templates drop down and choose Category-based
templates.
• Scroll down and select all the templates, then click on Add.
• Go to step #2, Channel.
6. Check all available channels, then click on step #3, Action.
7. Select the following actions for detected DLP violations then hit Save.
8. Click on Deploy.
9. Go back to Policy Management and choose Apex One Security Agent under Product.
Click the policy you are currently managing.
• Under Additional Service Settings, make sure that Data Protection Service for
Windows Desktop is checked.
• If checked, leave it be. If not, put a check on it and hit Save.

NOTE:
Give the new policy settings a few minutes to take effect. You may check the status of the
policy by clicking on the number of machines under the Deployed column.

Policy & Security Agent should look like this after Policy Configuration:

Testing & Results:

1. Open Notepad and type in the following information.
• Your full name
• Date of birth
• Credit card number with security code on the back
• Social security number

2. On the upper left of Notepad, go to File and click on Print.
• Choose Microsoft XPS Document Writer, then Print.
• If you have an actual printer attached, you may choose that instead.
• You should get a detection for Data Loss Prevention on the endpoint.
• Additionally, you can also check the Logs in Apex Central for the detection.
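The category-based templates enabled above are what decide whether the printed text contains sensitive data. As an added example (not the handbook's code and not the Apex One DLP engine), the following Python shows the usual two-stage design such a template relies on: a regular expression proposes a candidate, and a validator (the Luhn checksum for card numbers, the issuance rules for SSNs) confirms it, which is what keeps arbitrary digit strings from raising a violation. The sample Notepad text, the category names and every value in it are constructed.

```python
"""Content inspection in the style of a category-based DLP template (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    category: str   # template category that fired
    value: str      # normalized matched value
    offset: int     # position in the inspected text


# Candidate patterns. A regex alone over-matches (any 13-16 digits), so the
# validators below decide whether a candidate really is sensitive data.
_CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
_SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# Card security code: a 3-4 digit number introduced by a CVV/CVC label.
_CVV_RE = re.compile(r"(?i)\b(?:cvv|cvc|security code)\W{0,5}(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area 000, 666 and 900-999, group 00 and
    serial 0000 are never issued, so such strings are not SSNs."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan_text(text: str) -> list[Match]:
    """Return every validated sensitive-data match in `text`, by position."""
    found: list[Match] = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.append(Match("credit_card", digits, m.start()))
    for m in _SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            found.append(Match("ssn", m.group(0), m.start()))
    for m in _CVV_RE.finditer(text):
        found.append(Match("card_security_code", m.group(1), m.start()))
    return sorted(found, key=lambda x: x.offset)


def categories(text: str) -> set[str]:
    """Set of template categories that would raise a DLP violation."""
    return {m.category for m in scan_text(text)}


# Constructed Notepad content mirroring the use-case test. The card number is
# the well-known public test number; the other values are made up.
SAMPLE_NOTE = """Full name: Jane Q. Sample
Date of birth: 1985-07-14
Credit card: 4111 1111 1111 1111  CVV: 321
Social security number: 123-45-6789
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_NOTE):
        print(f"{hit.category:20s} at offset {hit.offset:3d}: {hit.value}")
    print("violation categories:", sorted(categories(SAMPLE_NOTE)))
```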

USE CASE 9: Generate Root Cause Analysis report upon filename

Testing & Results:

1. Download and configure Apex One API Test Center
2. Get necessary information from host
3. Generate RCA
4. View Root Cause Analysis report

Lesson 5: Competitive Advantage

Objectives:
Upon completion of this lesson you will be able to:

• Competitive Advantage
• The Forrester Wave
• NSS Labs
• Gartner

5.1 Competitive Advantage

Apex One leverages a blend of cross-generational threat techniques to provide the broadest
protection against all types of threats. More than just a scan, Apex One Vulnerability Protection
uses a host-based intrusion prevention system (HIPS) to virtually patch known and unknown
vulnerabilities before a patch is available or deployable. It leverages techniques that allow you to
discover and respond to threats before they compromise data, and extends detection and response
across endpoints, email, and servers. It provides effective security for your sensitive data,
enhanced application control against malicious software, and central visibility & control. Apex One’s
competitive features are:
• Hybrid – Environment Feature
Supports hybrid deployment & extends visibility and control across on-premises, cloud, and
hybrid deployment models.
• Automation & Visibility
Provides advanced automated threat detection and response against an ever-growing variety
of threats, including fileless and ransomware. Trend Micro’s cross-generational blend of
modern techniques provides highly tuned endpoint protection that maximises performance
and effectiveness. Provides all-in-one centralized visibility.
• Data Retention
The data retention module provides continued storage of data & the data loss prevention module
protects data from being lost.
• Data Privacy
Prevents unauthorized transmission of digital assets.
• Actionable insights
Apex One introduces expanded endpoint detection and response (EDR) capabilities. It also
connects to Trend Micro’s managed detection and response (MDR) service option that boosts
in-house teams with threat hunting and alert monitoring.
• Automated detection & Response
Apex One is built upon the XGen™ security techniques, a cross-generational blend
of threat defense functionality that intelligently applies the right technology at the right time.
The product includes the industry’s timeliest virtual patching capabilities powered by Trend
Micro’s Zero Day Initiative, along with a range of modern technologies to detect and block
advanced attacks, including fileless threats.
• Custom intelligence (IOC, STIX, YARA)
Custom intelligence enables you to record detailed system-level activities and perform multi-
level search across endpoints using rich search criteria such as OpenIOC, YARA, STIX and
suspicious objects.
These competitive capabilities give Apex One an advantage over other competitors in providing a
strong solution for securing endpoints.

5.2 IDC Market Share

Trend Micro moved upward in the corporate Endpoint Security market in 2021, capturing a 9.2% share.

5.3 Gartner

Trend Micro Named a Leader Once Again in the 2021 Gartner® Magic Quadrant™ for Endpoint Protection Platforms (EPP)

We believe Trend Micro Apex One™ endpoint security provides you with protection trusted by
analysts and customers alike.
“Reliable vendor that I would call my own team!”
“Trend Micro Apex One™ as a Service dashboard landing page summary is very
user friendly and I would say what admins would want to see.”
“Protection, technology, service, integration, everything top of the class!”
– Gartner Peer Insights, November 2021

5.4 The Forrester Wave

Trend Micro is a Leader with the highest ranking in the current offering category in
the first ever XDR vendor New Wave™ evaluation, Q4 2021!

The 2019 Forrester Wave demonstrates that Trend Micro is a strong and reliable choice
for endpoint protection.

“Trend Micro is the best fit for companies that need a robust, easy to operate
security suite.”
“Offers strong cross-telemetry detection, investigation, and response.”
“Trend Micro has loyal customers confident in the security efficacy of the offering.”
– The Forrester New Wave™: Extended Detection and Response (XDR) Providers, Q4
2021
Trend Micro is Named a Leader in The Forrester Wave™: Endpoint Security
Software as a Service, Q2 2022!

“Trend Micro offers comprehensive endpoint threat prevention, threat detection,
secure configuration, attack response, and data security capabilities...”
“Its extended detection capabilities are robust and accessible from Trend Micro
Vision One™...”
– The Forrester Wave™: Endpoint Security Software as a Service, Q2 2022

Lesson 6: Introduction to Advanced Solutions

Objectives:
Upon completion of this lesson you will be able to:

Endpoint Detection & Response (EDR)


• Common Questions
• Trend Micro Endpoint Detection & Response (EDR) Solution
• Primary Capabilities of EDR Solution
• Adaptive Security Architecture
• EDR Features

Endpoint Detection & Response (EDR)
Common Questions:

An advanced persistent threat (APT) is a broad term used to describe an attack campaign in
which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in
order to mine highly sensitive data.
What is the extent of the breach?
• Point of entry
• Lateral Movement
• Data Exfiltration
How did the breach happen?
• Social Engineering
• Spear Phishing Email
• External USB
What did the hacker or malware do while it was active?
• Command & Control
• Data Discovery/Asset
• Data Exfiltration
How do we restore the system with confidence that all traces are destroyed?
This leads to Trend Micro’s EDR Solution.

Trend Micro Endpoint Detection & Response (EDR) Solution:

Endpoint Detection and Response (EDR) has the answers to these questions:
In EDR’s Pre-Detection phase, where Assessment/Sweeping takes place, it helps you identify whether
you are protected and whether the malware is already in your network.
In EDR’s Post-Detection phase, where Investigation/Sweeping takes place, it helps you investigate
what exactly happened in your network and how it happened, and helps to analyze and identify who
else is affected and what remediation steps have to be taken.

Endpoint Detection & Response:

EDR (Endpoint Detection and Response) is a solution that:

• Allows you to continuously monitor endpoints
• Records all activities that could be suspicious
• Provides a threat analyst the ability to search centrally for suspicious & malicious activities

EDR solutions must provide the following four primary capabilities:


• Detect security incidents
Leverage a full portfolio of advanced detection techniques against an ever-growing variety of
threats. By integrating endpoint protection and EDR in a single agent, we get a
comprehensive detection and response solution with automation and remediation
capabilities.
• Contain the incident at the endpoint
• Investigate security incidents
• Provide remediation guidance
Root cause analysis and impact assessment
Get complete visibility into the attack vector, spread, and extent of the impact of advanced threats
across endpoint, servers, and email. Incident response staff can quickly perform impact
assessments, determine the root cause of the detection, and take proactive measures to
remediate and update security.
Layering in global threat intelligence, the Trend Micro Smart Protection Network™ provides clarity
and assistance to threat investigators. And with access to the Trend Micro Threat Connect
service, you have a comprehensive database of threat information.

Adaptive Security Architecture

The adaptive security architecture is a useful framework to help organizations classify existing
and potential security investments to ensure that there is a balanced approach to security
investments.
Endpoint Detection and Response (EDR) provides the solutions that enable the bottom half of the
adaptive security architecture.

EDR Features:

1. Impact Assessment (QUICK HEALTH CHECK)

• Impact assessment (IA) is basically a quick search for objects that is run over the metadata
stored on the Apex Server. This task is not executed on endpoints.
• Impact Assessment works when an analyst receives an IoC and runs it over the metadata
stored on the Apex Server to see if their environment is compromised.
• The average time to return “Impact Assessment” results is between 10 and 15 seconds.
NOTE: The term “Impact Assessment” is unique to Trend Micro; other vendors may use different
terms. Just remember the following keywords for your reference: Quick Health Check /
Sweeping / Assessment / Threat Hunting / Impact Scope Evaluation

You can navigate Apex One for Impact Assessment:
• From Critical Threat dashboard
• From Threat Intel VA SO and CI (Virtual Analyzer Suspicious Object (VA SO) and Custom
Intelligence (CI))
• From Preliminary Investigation

2. Root Cause Analysis (DRILL DOWN EVENTS)

• Root Cause Analysis (RCA) is the graphical representation of how the infection and/or
suspicious activities occurred. (e.g.: patient zero, entry point)
• Root Cause Analysis (RCA) can be initiated from various points
– Automatically from Critical Threat and Virtual Analyzer/User-Defined SO and In-
Memory Detailed Investigation
– Manually from Preliminary Investigation**
• Root Cause Analysis result generation in SaaS is < 10 seconds.
• RCA on-premise is < 10 mins. Time-out of RCA is 24 hours.
NOTE: Various vendors may use different terms in describing “Root Cause Analysis”. Here
are a few synonymous terms with this functionality: Drill down events / Infection Chain
analysis / Attack Kill Chain / Forensic Graph
• If an assessment returns a match, administrators may generate a root cause analysis to:
– List all related objects to the specified criteria
– Identify if any of the related objects are noteworthy
– Review the sequence of events leading to the execution of the matched object.
• Generating a root cause analysis may take some time to complete.

3. Isolation (STOP THE BLEED)

Make immediate response:


• From “Preliminary Investigation” results, one or many endpoints can be isolated from the network,
based on the Windows Filtering Platform feature.
• All communication from/to this endpoint is blocked except between the Apex One
agent and server.
• When the crisis is over, you can restore endpoint connectivity from the endpoint view (task
Restore, Directories -> Users/Endpoint).
• “Isolate Endpoint” can be done from the RCA result, Detailed Investigation results and the
Endpoint view.
• Suspicious Objects can be used to block malicious traffic (IP, DNS, URL*) and processes
(SHA-1).
• To block a process/file by SHA-1 from a Suspicious Object, Apex One AppControl must be
enabled.

4. Live Investigation (DIG FURTHER)

• “Impact Assessment” provides threat hunting capabilities across the whole endpoint environment,
over the metadata stored in the Apex Server database. Designed to be immediate, “Impact
Assessment” does not provide a real-time view of the endpoint system (it runs only on the Apex
Server metadata DB).
• As part of the threat hunting process, it can be necessary to scan memory and disk for a specific
indicator or to look at running processes. Detailed Investigations perform the investigation on
the current (live) system state.

NOTE:
MacOS not supported yet
• Detailed Investigation methods available:
– Search in-memory using Yara files
– Search on-disk using OpenIOC files
– Search in-registry with custom criteria
• “Detailed Investigation” task can be run once or can be scheduled regularly (same
settings).
• Can also be initiated from Impact Analysis page.
• Average Detailed Investigation timing result is about 40 min.
{Agent polling (every 10 min) + Detailed Investigation task (10 min) + Upload Results}
• Choose between One-Time Investigation or Schedule Investigation.
• If you have selected Schedule Investigation, you can set Schedule, Frequency and Time.
• Results are available on Detailed Investigation page and all previous results are retained
until period limit (license).
• Tasks can be stopped (under processing) or deleted

5. Attack Discovery (INCIDENT AUTO DETECT)

• An Indicator of Compromise (IOC) is a piece of information that can be used to search for or
identify potentially compromised systems
– Examples: file hash, mutex, registry key, IP, URLs, HTTP header, email address
– Format: OpenIOC, CybOX, IODEF
• An Indicator of Attack (IOA) describes actors, atomic actions and their relations that could
reveal an on-going attack
– Examples: new user account creation, unusual network activities, API hooking, DLL
injection, unusual use of legitimate executables
– Format: Proprietary
• Generic IOCs can also be used by the IOA-based detection engine.
• ADE: focuses on the techniques used by the attacker rather than on component identification or
threat “pattern” matching
• Detects behavior based on the given relational objects & actions
• The ADE log can be a starting point for threat investigation
• ~80 ADE rules mapped to MITRE ATT&CK
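Impact Assessment (feature 1 above) sweeps the metadata already stored on the Apex Server for IoC matches, and OpenIOC is one of the IoC formats listed here. As an added example (not the handbook's code and not Apex One's implementation), the following Python parses a small constructed OpenIOC 1.0 document with nested OR/AND indicators and evaluates it against constructed per-endpoint metadata records, returning the endpoints that match, which is the list an analyst would then take to isolation or root cause analysis. The OpenIOC element and attribute names are the format's own; the record layout, endpoint names and all indicator values are assumptions.

```python
"""OpenIOC sweep over stored endpoint metadata (added example)."""
import xml.etree.ElementTree as ET

# Constructed OpenIOC 1.0 document with placeholder indicator values.
# The element/attribute names are OpenIOC's; every value is made up.
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
  <short_description>Constructed sweep example</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Sha256sum" type="mir"/>
        <Content type="sha256">0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
          <Content type="string">Global\ExampleMutex</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">c2.example.invalid</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed per-endpoint metadata as a server would already hold it (hashes
# seen, mutex handles observed, DNS names resolved). Keys reuse the OpenIOC
# "search" terms so lookups are direct; the layout itself is an assumption.
ENDPOINTS: dict[str, dict[str, list[str]]] = {
    "WS-FINANCE-01": {   # hash match alone satisfies the top-level OR
        "FileItem/Sha256sum": ["0123456789ABCDEF" * 4, "ffff" * 16],
        "ProcessItem/HandleList/Handle/Name": [],
        "Network/DNS": ["update.example.invalid"],
    },
    "SRV-FILE-02": {     # mutex AND C2 name both present
        "FileItem/Sha256sum": ["1111" * 16],
        "ProcessItem/HandleList/Handle/Name": [r"\BaseNamedObjects\Global\ExampleMutex"],
        "Network/DNS": ["c2.example.invalid", "ntp.example.invalid"],
    },
    "WS-HR-03": {        # mutex only, never resolved the C2 name: AND fails
        "FileItem/Sha256sum": ["2222" * 16],
        "ProcessItem/HandleList/Handle/Name": [r"\BaseNamedObjects\Global\ExampleMutex"],
        "Network/DNS": ["mail.example.invalid"],
    },
}


def _local(tag: str) -> str:
    """Strip the XML namespace so tags compare as plain OpenIOC names."""
    return tag.rsplit("}", 1)[-1]


def _item_matches(item: ET.Element, record: dict[str, list[str]]) -> bool:
    """Evaluate one IndicatorItem against an endpoint's stored values."""
    context = next(c for c in item if _local(c.tag) == "Context")
    content = next(c for c in item if _local(c.tag) == "Content")
    observed = record.get(context.get("search", ""), [])
    expected = (content.text or "").strip().lower()
    condition = item.get("condition", "is")
    if condition == "is":
        return any(v.lower() == expected for v in observed)
    if condition == "contains":
        return any(expected in v.lower() for v in observed)
    raise ValueError(f"unsupported OpenIOC condition: {condition!r}")


def _indicator_matches(indicator: ET.Element, record: dict[str, list[str]]) -> bool:
    """Recursively combine children with the Indicator's AND/OR operator."""
    results = []
    for child in indicator:
        name = _local(child.tag)
        if name == "IndicatorItem":
            results.append(_item_matches(child, record))
        elif name == "Indicator":
            results.append(_indicator_matches(child, record))
    if not results:
        return False
    return any(results) if indicator.get("operator", "AND").upper() == "OR" else all(results)


def impact_assessment(ioc_xml: str, endpoints: dict[str, dict[str, list[str]]]) -> list[str]:
    """Names of endpoints whose stored metadata satisfies the IoC."""
    root = ET.fromstring(ioc_xml)
    definition = next(c for c in root if _local(c.tag) == "definition")
    top = next(c for c in definition if _local(c.tag) == "Indicator")
    return sorted(name for name, rec in endpoints.items() if _indicator_matches(top, rec))


if __name__ == "__main__":
    print("endpoints matching the IoC:", impact_assessment(SAMPLE_IOC, ENDPOINTS))
```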

Investigation – Response – Remediation Model:

Threat Investigation can be of two types: historical investigation & live investigation.
Historical Investigation (Hunting):
• Analyzes the impact indicated by OpenIOC, STIX, UDSO, VASO or Custom Search criteria.
• Root cause analysis is then performed.
• Endpoints matched in these preliminary results are isolated and await the full response.
Live Investigation (Known Suspicious):
• Live investigation is scheduled for YARA rules in process memory, IoC file existence & the
Registry.
• The detailed interactive chain is forwarded for root cause analysis.
• Awaits the full response.
Actions taken:
• Terminate Object
• Add to SO repository
• Isolate Endpoint
• Restore Endpoint
• Block IP Address (in the upcoming release)

Lesson 7: Trend Micro Vision One and Zero Trust Strategy

Objectives:
Upon completion of this lesson you will be able to:

• Why EDR is Simply not Enough
• Threat Actors look beyond the endpoint
• Challenges
• Trend Micro Vision One
• Zero Trust Approach
• Trend Micro Vision One on Any Device, Any Network, Any Location, Any Cloud
• Trend Micro Zero Trust Strategy
• Endpoint Basecamp
• Fewer, High Fidelity alerts with XDR
• Trend Micro Vision One – Cybersecurity Platform
• Trend Micro Vision One – Integration
• Trend Micro Vision One – XDR Workbench Demo

7.1 Why EDR is Simply not Enough

With today’s ever-evolving threat landscape, you need capabilities that help you detect and
respond rapidly to threats breaching your defenses. Today, many organizations use multiple,
separate security layers to detect threats across their email, endpoints, servers, cloud
infrastructure, and networks.
Investigating threats across all these disparate solutions makes for a very piecemeal and manual
investigation process that can miss threats altogether due to lack of visibility and correlation.
Solutions such as EDR only look at endpoints, missing threats that pass through user emails,
servers, cloud workloads, and networks. This results in a very limited view of the attacker’s
activities and an inadequate, incomplete response.
This is what makes EDR simply not enough, as:
• EDR functionality has traditionally been provided as a point solution at one specific
security layer
• Siloed tools often force teams to correlate & prioritize threats manually
• Lack of integrated contextual visibility results in an incomplete view of the breach

Threat actors look beyond the endpoint


For threat actors, it has been a boon of opportunity: almost everything these days is migrating
to cloud-based software as a service (SaaS), and they look to exploit a growing number of
connected devices.

Recently it has been observed that phishing techniques are being updated in what appears to be a
calculated attempt to take advantage of the rapid adoption of cloud-based SaaS. The new
techniques are designed both to evade detection and to increase the likelihood of a successful
phish.

The unfolding of a new phishing campaign

After a successful phish or password attack against a user and the takeover of an
account in a Microsoft® Office 365™ tenant environment, the threat actor harvests a contact list
for targets and sends an email to the list.

Because the email comes from an account within the Office 365 platform, it inherits the standard
and expected user trappings, such as stored signatures. Additionally, based on extended mail
headers, the recipient and the recipient email system would have seen the incoming mail as
originating from the Office 365 tenant space.

This campaign’s carefully crafted emails further challenged users’ abilities to discern the phish.
The threat actors themed the lure as a secure, encrypted email. They did so by basing the
message on the legitimate secure email provider, which generally requires a user to click on a
link in an email.

In these cases, the “View Message” link is rewritten by Advanced Threat Protection (ATP)
SafeLinks, a URL rewrite service provided by Microsoft to help protect users from malicious
URLs. Because URLs can get unwieldy, there are several services that map shorter URLs; a
shortened URL is another strategy that may bypass URL filters. Not only does this URL then go to
Microsoft OneDrive, but it also provides a quick link to a Microsoft OneNote™ stored on the OneDrive.

Threat actors are sending massive spam emails distributing Locky Ransomware

The cybercriminals behind this email campaign appear to be using social engineering tactics to
entice users into opening a file attachment, which in turn downloads the Locky ransomware and
encrypts users’ data.

The infection chain of this ransomware campaign starts with a socially engineered email. Threat
actors send socially engineered emails containing an archive with an embedded VBScript file.
When executed, the script connects to command and control (C&C) servers to download the
Locky ransomware, which then encrypts the users’ data locally as well as files on network
shares. It has also been observed recently that “fake voicemail email notifications” are being
used by this ransomware campaign as well.

Therefore, without the tools to identify threat indicators, detection is dangerously slow.

Challenges

Instead of the security perimeter being entombed in a box at the data center edge, the perimeter
is now everywhere an enterprise needs it to be — a dynamically created policy-based secure
access service edge. A home-based worker brings up a VPN connection that creates a secure
tunnel to take him straight into the data center. This might be fine when the company expects
10% to 20% of its employees to work remotely at any given time, but now the numbers might
approach 50% or 70%. This creates contention for resources and a poor VPN experience for all.
What is more, workers are routing a lot of internet traffic to the data center along with traffic
destined for on-premises applications. Another challenge we face is lack of visibility: as data
and users are everywhere, a user in one location can access data residing in another location.
How do we correlate activities such as:

• Which data has been accessed?
• Which Cloud app has been used?
• Is there any risk associated with it? And many more.

Most organizations trust & assume that data is safe, and that the apps we are leveraging
are safe. But the fact is we are not 100% sure of what is going on.



Here are some of the challenges and questions that work-from-home (WFH) users have been facing lately.

• Should each WFH or remote user sit behind a firewall / IPS / IDS device to protect
themselves?
• But what happens when users aren't on the VPN?
• How is traffic secured for SaaS?
• What about visibility for users who are not on the enterprise network?

Hence, the key challenges that remain are:

• Trust by Default
• Multiple Silo Tools
• Cloud & Mobility



7.2 Trend Micro Vision One

Trend Micro Vision One is a purpose-built threat defense platform that provides added value and
new benefits beyond XDR solutions, allowing you to see more and respond faster. It collects and
correlates data across email, endpoint, servers, cloud workloads, and networks, enabling visibility
and analysis that is difficult or impossible to achieve otherwise. Providing deep and broad
extended detection and response (XDR) capabilities that collect and automatically correlate data
across multiple security layers—email, endpoints, servers, cloud workloads, and networks—
Trend Micro Vision One prevents the majority of attacks with automated protection.

Native sensors and protection points—coupled with the XDR capabilities that stitch together threat
activity across layers— allow for the quick detection of complex attacks that bypass prevention.
This provides an unmatched understanding of the activity data in your environment and a
balanced approach to security, as teams can quickly see the story of an attack and respond faster
and more confidently. The visibility and efficiency that is provided by Trend Micro Vision One
makes great security teams even better, enabling them to do more with less.

Hence, Trend Micro Vision One is a single platform providing Zero Trust Risk Insights
functionality, Zero Trust Secure Access functionality and XDR functionality as a solution to
the key challenges above. It provides:

● Prioritized alerts based on one expert alert schema, to interpret data in a standard and
meaningful way
● A consolidated view to uncover events and the attack path across security layers
● Guided investigations to understand the impact and identify the path to resolution
● SASE functionality: this model combines networking and network security services, such
as ZTNA, CASB, SWG, DLP and more, into a single comprehensive, integrated solution
that supports all traffic, applications and users.
● XDR functionality: integrating with multiple platforms and providing centralized
visibility.



Science of XDR

XDR delivers visibility into data across networks, clouds, endpoints, and applications while
applying analytics and automation to detect, analyze, hunt, and remediate threats.

We can distinguish two types of components:

• The Core, composed of Trend Micro Vision One, which collects and correlates data across
email, endpoint, servers, cloud workloads, and networks, enabling visibility and analysis that
is difficult or impossible to achieve otherwise.
• The Edge, each and every XDR sensor or agent that sends activity from the machine to the
core.



Fewer, High-Fidelity Alerts with XDR

XDR or cross-layer detection and response goes further. XDR collects activity information from
not only the endpoints but also from email, containers, and network. To the SIEM, it sends a
single, high-fidelity alert that tells the story of this attack from beginning to end.



XDR for Users

XDR breaks down these silos using a holistic approach to detection and response. XDR collects
and correlates detections and deep activity data across multiple security layers – email, endpoint,
server, cloud workloads, and network. Automated analysis of this superset of rich data means
threats are detected faster, and security analysts are equipped to do more thorough investigations
and take quick, subsequent action. The more data sources and security vectors you bring into the
single, integrated XDR platform, the greater the correlation opportunities, and the more
comprehensive the investigation and response. For example, today an analyst might use an
EDR tool to get detailed visibility into suspicious activity on managed endpoints but then have a
separate, siloed view of network security alerts and traffic analysis. As for cloud workloads,
they likely have limited visibility into suspicious activity (perhaps using tools like EDR that aren't
tailored to this different environment). All parts of the environment generate many noisy alerts that
are likely sent to a SIEM. The analyst can see the alerts but not a detailed record of all the activity
between alerts, so they miss important attack details and are left buried in alerts without context
or a way to connect related events. XDR brings the layers together so security analysts can see the
bigger picture and quickly explain what may be happening in the enterprise.



Apex One SaaS with XDR

Apex One SaaS, when connected with Trend Micro Vision One, gets an XDR add-on. XDR
provides a graphical replay of the communication activity and of the attack's lateral movement,
and provides the full picture of the attack: the first target and the C&C.

Registering Apex One SaaS with Trend Micro Vision One

Trend Micro Vision One XDR automatically connects the product from the Customer Licensing Portal.
The customer's Apex One SaaS, CAS or both products will be auto-connected and registered to the
Vision One platform when they first log on to the portal.



You need to select the same region for the Trend Micro Vision One instance as for Apex One SaaS,
since cross-site correlation is not supported yet.

Trend Micro Vision One – Integration

● Log in to Trend Micro XDR.
● Select Product Connection.
● On the Product Connector window, click Connect Product > select the Product Name and
click to generate the enrollment token.



● Copy the enrollment token.
● On the product console, under Administration, register with the enrollment token.



● Product Connector window shows the connected products.

Endpoint Basecamp (XBC)

Trend Micro Endpoint Basecamp is a program running on the endpoint that provides a robust channel
for Trend Micro to deploy endpoint applications. When a customer wants to deploy more endpoint
applications, Endpoint Basecamp downloads the endpoint application package from the Trend
Micro backend and installs it. The customer does not need to perform another agent deployment for
the new endpoint application.

Trend Micro Endpoint Basecamp also provides common functions to endpoint applications,
which include the following:

• Authentication: the Trend Micro service and the endpoint application can authenticate with
each other via Endpoint Basecamp's authentication mechanism.



• Application performance data:
▪ Endpoint Basecamp collects agent process performance data and crash counts for
further development enhancement.
▪ No personal / privacy data are collected.

Endpoint applications are executable files that perform endpoint-related tasks such as collecting
information and performing actions on endpoints. The user must enable this function from Trend
Micro Vision One before the endpoint application is deployed.

The endpoint applications currently available for deployment via Endpoint Basecamp are:

• Endpoint Sensor (xES) and Endpoint Response application - enabled from Vision
One Endpoint Inventory
• Assessment Tool for Windows Endpoints - from Vision One Security Assessment

Endpoint Basecamp is a pure user-mode application without system/application event interception
behavior. It does not include a kernel driver, so there is no possibility of it causing an endpoint failure.

Basecamp (XBC) vs XDR

• The XDR sensor is one of the "plug-ins" of the basecamp
• More plug-ins are possible to enable other features beyond the XDR sensor
• We install basecamp on our endpoint. Basecamp talks to Vision One
• When we enable XDR, the module is pushed from Vision One to basecamp



XBC Installation ways: Agent Download from Apex Central

• Download the SaaS Agent from Apex Central
• The SaaS Agent will install:
  • Apex One as a Service protection agent
  • Vision One basecamp
• A single package will install both the protection agent and the XDR sensor
• Reboot the computer to finalise the protection agent installation, then
• Select the endpoint on Vision One and click "Enable" for Vision One to deploy the full XDR
sensor remotely.

Trend Micro Cybersecurity Platform

● Trend Micro's cybersecurity platform delivers enterprise-wide threat defense. Fueled by
decades of security expertise, global threat research, and continuous innovation, our
cybersecurity platform protects hundreds of thousands of organizations and millions of
individuals across clouds, networks, devices, and endpoints.
● At the heart of the Trend Micro cybersecurity platform is Trend Micro Vision One. It is a
cloud-based security operations hub that enables organizations to gain visibility across
the enterprise, understand risks, and rapidly detect & respond to incidents. With visibility,
risk insight, and management across your complete environment, Trend Micro Vision One
delivers enterprise-wide threat defense that enables organizations to be more agile,
providing the flexibility to adapt quickly to new business and compliance needs.



● For end users, the Trend Micro Apex One portfolio protects your users on any device, any
application, anywhere. It enables you to apply multiple layers of protection across
endpoint, email, web, and software as a service (SaaS) application to defend your users
regardless of device, application, network, or location.
● For networks, the Trend Micro Network One portfolio includes powerful network security
capabilities for stopping attacks and detecting advanced threats on the network. It includes
the ability to defend against attacks and shield vulnerabilities with our market leading
NGIPS, Tipping Point. Fast, efficient, and powered by data from the leading vulnerability
bug bounty program (Zero Day Initiative) and the Trend Micro Smart Protection Network,
Tipping Point delivers high performance security across multiple network deployments.
For advanced threat discovery and custom sandboxing capabilities, Deep Discovery
works across the network in conjunction with Tipping Point, the Smart Protection Suites,
and Deep Security to detect threats and monitor for breach indicators. For OT
environments, TXOne Networks products deliver specialized network security to stop
attacks before they reach your mission critical OT environments.
● For protecting physical, virtual, cloud & container environments, we leverage Trend Micro
Cloud One to automate the protection of workloads, files, applications, and more,
consistently and efficiently. Leveraging a single platform with multiple built-in services,
organizations can consolidate security tools and more easily comply with regulations like
GDPR, PCI, and more.
● Powering the Trend Micro cybersecurity platform is Trend Micro Research, delivering
advanced threat research and intelligence to our customers and helping to shape the
direction of our platform.
Security for Users



Lesson 8: Troubleshooting

Objectives:
Upon completion of this lesson you will be able to:

• Basic Troubleshooting Steps
• Policy Deployment Issue
• Communication Issues
• Performance Issues
• Server Crash Disaster Recovery
• Raising Support Case via Partner Portal



8.1 Troubleshooting

• Start by looking for a solution in the available resources:
i. Describe the issue you are facing in a Google search
ii. Look for a knowledge base (KB) article on success.trendmicro.com
• If you get a valid solution that resolves the issue, follow the steps and resolve it.
• Otherwise, collect the necessary details, such as:
✓ Issue description
✓ Steps followed
✓ KB referred to
✓ Issue isolation
✓ Diagnostic logs collected using the CDT tool
• Raise a support case & share these details.



8.2 Policy Deployment Issue

• Check the Apex Central Policy Deployment Status.
• Deploy the status.
• If a few agents fail, collect the agent debug log and check whether it matches the other
configuration issues below.
• If most agents fail, check the customer environment.
o If the issue is co-existence of Apex One Server & Apex Central, follow the steps in
KB1122426: Steps to resolve known issues when installing Apex One and Apex Central
on the same machine.
o If the issue is related to a 3rd party CA certificate, follow the steps in KB1122205:
Configuring Apex One to use a certificate signed by a corporate Certificate Authority.
o If the issue is due to the SQL connection:
  ▪ If the SQL connection is available, collect the Apex One debug log and check whether it
matches the other configuration issues below.
  ▪ If the SQL connection is not available, fix the SQL connection issue.



8.3 Communication Issues

Verify the connection from server to agent

i. Identify the agent IP and listening port:
• To identify from the server, navigate to Agents > Agent Management and locate the endpoint.
You can identify the IP address of the endpoint and the listening port configured.

NOTE: For accurate results, the IP address should be verified on the agent side, as
communication issues could prevent the IP address from updating correctly on the console
when it changes at the endpoint.

• To identify from the endpoint, open a command prompt and run ipconfig to find the IP
address, then right-click the agent icon in the system tray and choose "Component
Versions". The listening port is displayed at the top of the window.



ii. On the OfficeScan/Apex One server:
• Open Internet Explorer.
• In the address bar, enter the following address, replacing the IP and port where indicated:
https://<endpoint IP>:<agentport>/?CAVIT
CAVIT must be capitalized. For agents before OfficeScan XG SP1, http must be used instead of
https, as the communication did not switch to https until XG SP1.
• Hit Enter.
For a successful connection, a warning about the certificate will appear. This is expected, as
the agent uses an internally signed certificate. Proceed past the warning and a page with a
string of text starting with !CRYPT! should appear.
If an error or a blank page appears, this test has failed and communication is not occurring.



Verify the connection from agent to server
i. Identify the server IP/FQDN and listening ports.
• The IP/FQDN can be obtained from the web console address, from ipconfig as in Step 1, or
from the web console under Web Console > Administration > Agent Connection.
• Ports can be identified either by:
o Web Console > Administration > Agent Connection
o IIS Manager > Sites > OfficeScan > Edit Bindings



ii. Open a web browser on the testing endpoint.
iii. In the address bar, enter the following address replacing the IP and port where indicated:
https://<OSCE|Apex One SERVER IP>:<https port>/officescan/cgi/cgionstart.exe
For agents before OfficeScan XG SP1, http must be used instead of https as the
communication did not switch to https until XG SP1. The HTTP port (default 8080) should
also be used in this case.
A blank page with a -2 should appear in the upper-left if successful.
iv. Also verify if the agent is configured to use these correct ports and IP/FQDN:
• Right-click the agent in the system tray.
• Choose "Component Versions".
• Verify the Server name/port: line is correct.



Test Smart Scan Connection
From a testing endpoint, open a web browser and enter the following address, replacing the IP
and port where indicated:

https://<OSCE|Apex One Server IP/FQDN>:<HTTPS PORT>/tmcss/?LCRC=08000000AC41080092000080C4F01936B21D9104

When using this test, the browser's "Do not save encrypted page to disk" setting must be disabled.
Otherwise, the test will fail.



Verify that ports are open
If any of the above steps failed, verify that the remote port on the machine can be reached, to
determine whether the port is blocked/closed or an unexpected response is being returned.
To test a port before Windows 8.1/2012 R2:
i. Download the PortQry tool from Microsoft and extract it on the machine you want to test
from.
ii. Run from a command line:
PortQry.exe -n <remote IP/FQDN> -e <port>

Example from server to endpoint using the information from above:



Example from endpoint to server using information from above:

To test a port from Windows 8.1/2012 R2 and up:

i. Open a PowerShell window on the machine you are testing from.
ii. Use the Test-NetConnection command:
Test-NetConnection -ComputerName "<ComputerName or IP>" -Port <PortNumber>

Example from server to endpoint using information from above:



Example from endpoint to server using information from above:

Verify that Windows Firewall allows the port

i. Open a command prompt on the machine to verify.
ii. Run the following command to verify the port state with the Windows Firewall:
Netsh firewall show state

Example:

NOTE: For this troubleshooting topic, refer to the KB: 1037975
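The server-to-agent and agent-to-server checks above can be scripted so the same tests are repeated consistently from either side. This is an added PowerShell example, not code from the handbook or from Trend Micro: the URLs, the !CRYPT! and -2 success markers and the pre-XG SP1 http fallback are taken from the steps above, while the function names, parameters and the certificate-handling helper are the editor's own, and the host names and ports in the usage lines are placeholders.

```powershell
# Added example (not from the handbook): scripted version of the section 8.3 checks.
# Run Test-ApexOneServerToAgent on the Apex One server and Test-ApexOneAgentToServer
# on the endpoint, mirroring the manual steps.

function Invoke-AgentWebRequest {
    # Fetch a URL while tolerating the internally signed certificate the procedure
    # says to expect. PowerShell 7 has -SkipCertificateCheck; Windows PowerShell 5.1
    # needs the ServicePointManager callback, restored afterwards so the bypass
    # does not leak into the rest of the session.
    param([Parameter(Mandatory)][string]$Uri)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        return Invoke-WebRequest -Uri $Uri -UseBasicParsing -SkipCertificateCheck -TimeoutSec 15
    }
    $saved = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    try {
        [System.Net.ServicePointManager]::SecurityProtocol =
            [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        return Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15
    }
    finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $saved
    }
}

function Test-ApexOneServerToAgent {
    # "Verify the connection from server to agent": TCP reachability first (same as
    # Test-NetConnection in the text), then /?CAVIT whose body must start with !CRYPT!.
    param(
        [Parameter(Mandatory)][string]$AgentHost,   # agent IP from Agent Management / ipconfig
        [Parameter(Mandatory)][int]$AgentPort,      # listening port from "Component Versions"
        [switch]$LegacyHttp                          # agents older than OfficeScan XG SP1
    )
    $scheme = if ($LegacyHttp) { 'http' } else { 'https' }
    $tcp = Test-NetConnection -ComputerName $AgentHost -Port $AgentPort -WarningAction SilentlyContinue
    $result = [ordered]@{ Target = "${AgentHost}:${AgentPort}"; TcpOpen = $tcp.TcpTestSucceeded; CavitOk = $false; Detail = '' }
    if ($tcp.TcpTestSucceeded) {
        try {
            # CAVIT must stay uppercase, as the text notes.
            $resp = Invoke-AgentWebRequest -Uri "${scheme}://${AgentHost}:${AgentPort}/?CAVIT"
            $result.CavitOk = $resp.Content.TrimStart().StartsWith('!CRYPT!')
            if (-not $result.CavitOk) { $result.Detail = 'Reply did not start with !CRYPT! (blank or error page)' }
        }
        catch { $result.Detail = $_.Exception.Message }
    }
    else { $result.Detail = 'TCP port closed or filtered; check Windows Firewall (netsh) next' }
    [pscustomobject]$result
}

function Test-ApexOneAgentToServer {
    # "Verify the connection from agent to server": cgionstart.exe must return exactly -2.
    # Use -LegacyHttp together with the HTTP port (default 8080) for pre-XG SP1 agents.
    param(
        [Parameter(Mandatory)][string]$ServerHost,  # IP/FQDN from Administration > Agent Connection
        [Parameter(Mandatory)][int]$ServerPort,     # HTTPS port from Agent Connection or IIS bindings
        [switch]$LegacyHttp
    )
    $scheme = if ($LegacyHttp) { 'http' } else { 'https' }
    $tcp = Test-NetConnection -ComputerName $ServerHost -Port $ServerPort -WarningAction SilentlyContinue
    $result = [ordered]@{ Target = "${ServerHost}:${ServerPort}"; TcpOpen = $tcp.TcpTestSucceeded; CgiOk = $false; Detail = '' }
    if ($tcp.TcpTestSucceeded) {
        try {
            $resp = Invoke-AgentWebRequest -Uri "${scheme}://${ServerHost}:${ServerPort}/officescan/cgi/cgionstart.exe"
            $result.CgiOk = ($resp.Content.Trim() -eq '-2')
            if (-not $result.CgiOk) { $result.Detail = "Unexpected body: $($resp.Content.Trim())" }
        }
        catch { $result.Detail = $_.Exception.Message }
    }
    else { $result.Detail = 'TCP port closed or filtered; check Windows Firewall (netsh) next' }
    [pscustomobject]$result
}

# Usage with placeholder values; replace them with the IP/port found in step i.
# Test-ApexOneServerToAgent -AgentHost '192.0.2.10' -AgentPort 21112
# Test-ApexOneAgentToServer -ServerHost 'apexone.example.internal' -ServerPort 4343
```

A TcpOpen of True with CavitOk or CgiOk False points at the service rather than the network, which narrows the next step to the agent or IIS side instead of the firewall.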



8.4 Performance Issues

Isolate performance problems or compatibility issues with 3rd party applications.

1. Basic Checks
• Check the resource utilization before & after isolation
• After enabling integrated components/modules
2. Isolate the service causing the problem
Disable the services one at a time & observe system behavior:
• Unauthorised Change Prevention Service
• Trend Micro Firewall Service
• Trend Micro TMProxy Service
• Trend Micro TMListen Service

In case of any behavioral change, log the service.

Follow the KBs to collect the performance logs:
• Step 1 (KB1056425): Identifying and resolving performance-related issues caused by
Behavior Monitoring and Device Control
• Step 2 (KB1123639): Share details with the Trend Micro Technical Support team

Important:
If the Unauthorized Change Prevention Service is enabled, disable it in the Apex One management
console.

NOTE: For this troubleshooting topic, refer to the KB: 1095752



8.5 Server Crash Disaster Recovery

1. Apex One Server Configuration Backup:

[Diagram: Apex One Main Server backed up to Apex One Backup Server]

• Backup Server Configuration
• Agent configuration via Server Migration Tool
• Website configuration
• Database Backup

Server Configuration Backup:
✓ <Server installation folder>\PCCSRV\ofcscan.ini
✓ <Server installation folder>\PCCSRV\Private\ofcserver.ini

Website Configuration Backup:
• Open cmd.exe.
• Navigate to %windir%\system32\inetsrv\.
• Execute the following command to back up the configuration: appcmd.exe add backup
<backupname>
The configuration is backed up under the
%windir%\system32\inetsrv\backup\<backupname> folder.

Database Backup:
Before taking the database backup, stop the Apex One Server services; then back up the database
using Microsoft SQL Studio.
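The three backup steps above can be run as one script so that the service stop, the ini copies, the IIS backup and the database backup happen in a fixed order and leave a record of what was saved. This is an added PowerShell example, not code from the handbook or from Trend Micro: the ini paths, the appcmd command and the need to stop the Apex One services come from the text; the "Apex One Master Service" display name is the one the recovery step lists (confirm it in services.msc); the install folder, backup root, SQL instance and database name are parameters the reader supplies, and using sqlcmd.exe rather than SQL Studio is the editor's substitution.

```powershell
# Added example (not from the handbook): scripted version of the section 8.5 backup.
# Must run elevated on the Apex One server (appcmd and Stop-Service require it).

function Backup-ApexOneServerConfig {
    param(
        [Parameter(Mandatory)][string]$InstallFolder,   # <Server installation folder> from the text
        [Parameter(Mandatory)][string]$BackupRoot,      # where ini copies, manifest and .bak are written
        [Parameter(Mandatory)][string]$SqlInstance,     # e.g. 'HOST\INSTANCE' (placeholder form)
        [Parameter(Mandatory)][string]$DatabaseName     # Apex One database name on that instance
    )
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $BackupRoot "apexone-$stamp"
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Text: stop the Apex One server services before backing up the database.
    # -Force also stops the Master Service's child services listed in the recovery step.
    $master = Get-Service -DisplayName 'Apex One Master Service' -ErrorAction Stop
    $wasRunning = ($master.Status -eq 'Running')
    if ($wasRunning) { Stop-Service -InputObject $master -Force -ErrorAction Stop }

    try {
        # 1. Server configuration: the two ini files named in the text, hashed so a
        #    later restore can be verified against exactly what was backed up.
        $iniFiles = @(
            (Join-Path $InstallFolder 'PCCSRV\ofcscan.ini'),
            (Join-Path $InstallFolder 'PCCSRV\Private\ofcserver.ini')
        )
        $manifest = foreach ($f in $iniFiles) {
            if (-not (Test-Path $f)) { throw "Missing expected file: $f" }
            Copy-Item -Path $f -Destination $target -Force
            [pscustomobject]@{ File = $f; Sha256 = (Get-FileHash -Path $f -Algorithm SHA256).Hash }
        }
        $manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

        # 2. Website configuration via appcmd; IIS stores it under
        #    %windir%\system32\inetsrv\backup\<backupname>, as the text describes.
        $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
        & $appcmd add backup "apexone-$stamp" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "appcmd add backup failed with exit code $LASTEXITCODE" }

        # 3. Database backup with sqlcmd.exe (assumed installed); the SQL Server service
        #    account needs write access to $target because SQL Server writes the .bak itself.
        $bak = Join-Path $target "$DatabaseName.bak"
        $sql = "BACKUP DATABASE [$DatabaseName] TO DISK = N'$bak' WITH INIT, CHECKSUM"
        & sqlcmd.exe -S $SqlInstance -E -b -Q $sql | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sqlcmd backup failed with exit code $LASTEXITCODE" }
    }
    finally {
        # Bring the server back whatever happened above, so agents are not left disconnected.
        if ($wasRunning) { Start-Service -InputObject $master }
    }

    [pscustomobject]@{ BackupFolder = $target; IisBackupName = "apexone-$stamp"; Files = $manifest }
}

# Usage with placeholder values:
# Backup-ApexOneServerConfig -InstallFolder 'C:\Program Files (x86)\Trend Micro\Apex One' `
#     -BackupRoot 'D:\Backups' -SqlInstance 'APEXDB\SQLEXPRESS' -DatabaseName 'OfficeScan'
```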



2. Apex One Recovery from Backup:

[Diagram: Apex One Backup Server restoring to Apex One Main Server: recovery from backup, agent configuration, website configuration]

• Before recovering the Apex One server, stop the following services:
✓ Apex One Master Service
➢ Endpoint Service
➢ Application Control Service
➢ Advanced Threat Assessment Service
➢ Vulnerability Protection Service
✓ WWW Publishing Service
• Unregister from Apex Central.
• Restore the agent configuration using the Server Migration Tool.
• Restore the website configuration.
• Recover the SQL Server database.
• Set up privileges using svrsvcsetup.exe.
• Start:
✓ Apex One Master Service
➢ Endpoint Service
➢ Application Control Service
➢ Advanced Threat Assessment Service
➢ Vulnerability Protection Service
✓ WWW Publishing Service
• Make sure the Apex One Server is working properly.
• Register to Apex Central.

3. Offsite Backup Consideration

[Diagram: Apex One Agents, Apex One Main Server, DNS Server, Apex One Backup Server]

Since both the main Apex One server and the Apex One backup server have to use the same FQDN,
make sure all agents can connect to the correct Apex One server by switching the DNS setting
properly.

Important:
This method works only when the Apex One server is installed using an FQDN.

NOTE: For this troubleshooting topic, refer to the KB: 1123738, and download the Trend Micro Apex
One™ and iServices Disaster Recovery Guide.

8.6 Raising Support Case via Partner Portal



1. Login to the Partner Portal:
Login to the Partner Portal and go to Post-Sales Support.

2. Create a new request:
Create a new request and fill in the details, such as:
• End user account search
• Add Product Profile details and make sure the product details are updated; otherwise fill in the
updated details.

3. Submit Support Request.

4. Manage Product Profile & Manage Cases:
• Manage the Product Profile by editing/deleting the profile on the Post-Sales Support page.
• To create a new Product Profile, click Add New.
• Manage cases on the Post-Sales Support page.
• To check the details of a case, click the case number to go to the case details page.



Best Practice Guide

Following are the reference links to the Best Practice Guides:

• Apex Central Best Practice Guide: https://success.trendmicro.com/solution/1122451
This provides in-depth information about Apex Central 2019 operation practice, as well as
some tips to help prevent and identify threats in your site.

• Best practices for Apex One: https://success.trendmicro.com/solution/1122306
This provides the best practices for malware protection for Trend Micro Apex One™ as
a Service, Trend Micro Apex One™, and Trend Micro Apex One™ (Mac). It gives you
an insight into the offerings of Apex One:
• Effective detection and response
• Modern technology to block the latest threats, including fileless malware
• The industry's most timely virtual patching

It develops an understanding of effective product deployment and provides the ability to manage
it by formulating response plans.



www.trendmicro.com


Asia Pacific, Middle East and Africa
