Trend Micro Server Protect (Windows)

Version 2

    This template assesses the status and overall performance of Trend Micro Server Protect for Windows. Assign this template to every Normal server that you want to monitor. This template uses the Windows System Event Log, Windows Service, TCP Port, and PowerShell monitors.

     

    Prerequisites:

    • Before using this template you should open the Trend Micro Server Protect Management Console and create or reconfigure the STATISTIC task on the target Normal server. The STATISTIC task (Run Statistics) should be created as a scheduled task with Hourly frequency. The All Dates time range should be enabled as well as the Export Statistic to CSV file option. The task owner should be Admin and this task should be created as the default task.
    • WinRM should be properly configured on the target server.

    Credentials: Windows administrator on target server.

     

     

    Monitored Components


    Service: Trend Server Protect

         This monitor returns the CPU and memory usage of the Trend Server Protect service.


    Trend Server Protect TCP Port

         This component monitor tests the ability of a Trend Server Protect service to accept incoming sessions. By default it monitors TCP port 5168.


    Events: Update Failure

         This monitor returns the number of events that occur when there is:

    • A pattern update failure;
    • An engine update failure;
    • A program update failure;
    • An encyclopedia update failure.

         Type of event: Error. Event ID: 3, 5, 7, 9.

         Check Event Viewer for more details.


    Events: Start Scan Failure

         This monitor returns the number of events when the following occurs:

    • An error: starting a real-time scan;
    • An error: starting a manual scan;
    • An error: starting a scheduled scan.

         Type of event: Error. Event ID: 11, 14, 17.

         Check Event Viewer for more details.


    Events: Virus Pattern is Out of Date

         This monitor returns the number of "virus pattern is out of date" events.

         Type of event: Error. Event ID: 52.

         Check Event Viewer for more details.


    Events: Virus Found

         This monitor returns the number of events that occur when:

    • A virus is found;
    • Virus found during a real-time scan;
    • Virus found during a manual scan;
    • Virus found during a scheduled scan.

         Type of event: Error. Event ID: 1, 101, 102, 103.

         Check Event Viewer for more details.


    Events: Configuration Errors

         This monitor returns the number of events when the following occurs:

    • An error: setting configuration data for real time scanning;
    • An error: performing a scan-now task;
    • An error: performing a pattern update task;
    • An error: purging logs by a task;
    • An error: exporting logs by a task;
    • An error: printing logs by a task;
    • An error: running statistics by a task.

         Type of event: Error. Event ID: 304, 306, 308, 310, 312, 314, 316.

         Check Event Viewer for more details.


    Events: Exception Occurred

         This monitor returns the number of events that occur when:

    • An exception has occurred in "module name";
    • An exception has occurred in TmRpcSrv;
    • An error: starting a RPC server.

         Type of event: Error. Event ID: 201, 202, 203.

         Check Event Viewer for more details.


    Client Statistics

         This monitor returns Normal Server statistics from an exported CSV file. Returned values are as follows:

              Infected Users – This component returns the number of network users who were detected handling infected files.

              Infected Files – This component returns the number of infected files detected by ServerProtect.

              Non Cleanable Viruses – This component returns the number of viruses detected on the network that could not be cleaned.

              Non Cleanable Files – This component returns the number of infected files that could not be cleaned of their virus code.

              This monitor uses the following arguments:

              path_to_CSV_stat_file

              where path_to_CSV_stat_file is the full path to the exported statistic CSV file.

              Example:
              C:\Program Files\Trend\SProtect\Statistc.CSV

     

    Configuring Windows Remote Management (WinRM)

    1. If you have not already done so, install PowerShell 2.0 and WinRM on the SAM and target servers. PowerShell 2.0 can be found here: http://support.microsoft.com/kb/968930.
    2. On the SAM server, open a command prompt as an Administrator. To do this, perform the following step:
        • Go to the Start menu, right-click cmd.exe, and then select Run as Administrator.
    3. Enter the following in the command prompt:
             winrm quickconfig
             winrm set winrm/config/client @{TrustedHosts="*"}
    4. On the target server, open a command prompt as an Administrator and enter the following:
             winrm quickconfig
             winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS"}

    where IP_ADDRESS is the IP address of your SAM server.
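
    The TrustedHosts="*" value set on the SAM server above makes its WinRM client accept any remote host without verifying the host's identity whenever Kerberos or HTTPS is not used for the connection. The PowerShell below is an added example, not part of the original template documentation: it reports what the client currently trusts and, if a wildcard or <local> entry is present, replaces it with an explicit list. The $MonitoredServers values and the function name Get-TrustedHostsFinding are assumptions made for illustration.

```powershell
# Added example: audit and scope the WinRM client TrustedHosts list on the SAM server.
# Run in an elevated PowerShell session; written to work on PowerShell 2.0.

# Constructed sample list (RFC 5737 documentation addresses and a reserved test name).
# Replace with the Normal servers this template is assigned to.
$MonitoredServers = @('192.0.2.10', '192.0.2.11', 'sp-normal01.example.test')

function Get-TrustedHostsFinding {
    param([string]$Value)
    # TrustedHosts is a comma-separated list; an empty value trusts no host.
    $entries = @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($entry in $entries) {
        if ($entry -eq '*')           { $risk = 'HIGH: every host is trusted' }
        elseif ($entry.Contains('*')) { $risk = 'MEDIUM: wildcard pattern' }
        elseif ($entry -eq '<local>') { $risk = 'MEDIUM: any name without a dot' }
        else                          { $risk = 'OK: explicit host' }
        New-Object PSObject -Property @{ Entry = $entry; Risk = $risk }
    }
}

# 1. Report what the client currently trusts.
$current  = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$findings = @(Get-TrustedHostsFinding -Value $current)
$findings | Select-Object Entry, Risk | Format-Table -AutoSize

# 2. If any entry is broader than a single host, rebuild the list:
#    keep the explicit entries already present and add the monitored servers.
$broad = @($findings | Where-Object { $_.Risk -notlike 'OK*' })
if ($broad.Count -gt 0) {
    $keep   = @($findings | Where-Object { $_.Risk -like 'OK*' } | ForEach-Object { $_.Entry })
    $scoped = @($keep + $MonitoredServers | Select-Object -Unique) -join ','
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $scoped -Force
}

# 3. Confirm the value now in effect.
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value
```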

     

    Portions of this document were originally created by and are excerpted from the following sources:
    TrendMicro, Copyright © 2012. All rights reserved. Available at
    http://www.uv.es/distrisoft/antivirus/cas/man_01_spnt_58_1060_en.pdf