Trend Micro, Inc.                                      February 24, 2017
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) Endpoint Sensor(TM) Version 1.6 Build 1290
Readme
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notes: This readme file was current as of the date above. However,
all customers are advised to check Trend Micro's web site for
documentation updates at:

http://docs.trendmicro.com/

Contents
===================================================================
1. About Trend Micro Endpoint Sensor
2. What's New in Version 1.6 Build 1290
3. Documentation Set
4. System Requirements
   4.1 Server
   4.2 Agent
5. Installation
   5.1 Installing the Trend Micro Endpoint Sensor Server
   5.2 Installing the Trend Micro Endpoint Sensor Agent
   5.3 Upgrading an existing Trend Micro Endpoint Sensor Server
   5.4 Uninstalling the Trend Micro Endpoint Sensor Server
6. Post-Installation Configuration
7. Known Issues
8. Release History
9. Contact Information
10. About Trend Micro
11. License Agreement
===================================================================

1. About Trend Micro Endpoint Sensor
========================================================================
Trend Micro Endpoint Sensor is a context-aware endpoint security
monitor designed to speed the discovery, investigation, and response
to security incidents.

2. What's New in Version 1.6 Build 1290
========================================================================
Trend Micro Endpoint Sensor version 1.6 Build 1290 offers the
following new features and enhancements:

2.1 Support for Windows 10 Redstone 1
=====================================================================
Trend Micro Endpoint Sensor 1.6 Build 1290 adds support for
Windows 10 Redstone 1 (32-bit and 64-bit).

2.2 Compatibility and performance enhancements
=====================================================================
Trend Micro Endpoint Sensor 1.6 Build 1290 includes the following
compatibility and performance enhancements:

- Improved compatibility with 3rd party applications
- Additional agent enhancements for better performance

2.3 Security enhancements
=====================================================================
Trend Micro Endpoint Sensor 1.6 Build 1290 adds security enhancements
to address CVE-2016-2542.

3. Documentation Set
========================================================================
The documentation set for Trend Micro Endpoint Sensor includes the
following:

- Administrator's Guide -- Contains detailed instructions on how to
  configure and manage Trend Micro Endpoint Sensor, and explanations
  on Trend Micro Endpoint Sensor concepts and features.

- Installation Guide -- Discusses requirements and procedures for
  installing the Trend Micro Endpoint Sensor server and agent.

- Online help -- Context-sensitive help screens that contain
  explanations of Trend Micro Endpoint Sensor components and
  features, as well as procedures needed to configure Trend Micro
  Endpoint Sensor.

- Readme -- Contains late-breaking product information that is not
  found in the online or printed documentation. Topics include a
  description of new features, known issues, and product release
  history.

- Support Portal -- Searches through an online database of
  problem-solving and troubleshooting information. It provides the
  latest information about known product issues. To access the
  Support Portal, go to the following website:

  http://esupport.trendmicro.com

View and download product documentation from the Trend Micro
Documentation Center:

http://docs.trendmicro.com/en-us/enterprise/trend-micro-endpoint-sensor.aspx

4. System Requirements
========================================================================

4.1 Server
===================================================================
Hardware

RAM:
- 4 GB minimum
- 16 GB recommended

CPU: At least 2GHz Intel Core2 Duo or compatible
- AMD 64 processor
- Intel 64 processor

Available disk space:
- 500 GB minimum
- 1 TB recommended

Software

Operating system:
- Windows Server 2008 R2 and later
- Windows Server 2012 R2 and later

Microsoft Internet Information Services (IIS) 7, 7.5 or 8.5 with the
following role services:
- Static Content
- Default Document
- Directory Browsing
- HTTP Errors
- HTTP Redirection
- ASP.NET 4.5
- ASP
- CGI
- ISAPI Extensions
- ISAPI Filters
- Request Filtering
- IIS Management Console
- .NET Framework 4.5.1
- Net FX Extensibility
- PHP version 5.4.38

Database:
- Microsoft SQL Server 2008 R2 Express
- Microsoft SQL Server 2008 R2 (Standard or Enterprise Edition)
- Microsoft SQL Server 2012 Express
- Microsoft SQL Server 2012 (Standard or Enterprise Edition)
- Microsoft SQL Server 2014 Express
- Microsoft SQL Server 2014 (Standard or Enterprise Edition)
- Microsoft SQL Server 2016 Express
- Microsoft SQL Server 2016 (Standard or Enterprise Edition)

Web browsers:
- Microsoft Internet Explorer 9 or later
- The latest version of Google Chrome
- The latest version of Mozilla Firefox

4.2 Agent
===================================================================
Hardware

RAM:
- 512 MB minimum for Windows XP
- 1 GB minimum for other operating systems

CPU:
- 2 GHz minimum

Available disk space:
- 3 GB minimum
- 4 GB recommended

Software

Operating system:
- Windows XP Service Pack 3 (32-bit)
- Windows Vista Service Pack 2 (32-bit and 64-bit)
- Windows 7 Service Pack 1 (32-bit and 64-bit)
- Windows 8 (32-bit and 64-bit)
- Windows 8.1 (32-bit and 64-bit)
- Windows Server 2008 Service Pack 2 (32-bit and 64-bit)
- Windows Server 2008 R2 Service Pack 1 (64-bit)
- Windows Server 2012 (64-bit)
- Windows Server 2012 R2 (64-bit)
- Windows 10 Redstone 1 and earlier (32-bit and 64-bit)

5. Installation
========================================================================
TIP: For installation considerations and post-installation details,
refer to the Installation Guide.

5.1 Installing the Trend Micro Endpoint Sensor Server
===================================================================
To install the Trend Micro Endpoint Sensor server, perform the
following steps:

a. Double-click or run endpointsensorsetup.exe.

b. On the Welcome screen, click Next.

   NOTE: The Trend Micro Endpoint Sensor server supports PHP version
   5.4.38. The server Setup program is unable to detect the
   following:
   - A PHP version that is installed manually
   - PHP version 5.4 or later
   As a result, the server Setup program installs PHP version 5.4.38
   and modifies the IIS handler so that all PHP-related files or
   folders use the newly installed PHP.

c. On the License Agreement screen, select I accept, and then click
   Next.

d. On the Installation Path screen, click Next.

e. On the Product Activation screen, type/paste the correct
   Activation Code, and then click Next.

f. On the Database Server screen, select whether to install Microsoft
   SQL Server 2008 R2 SP2 - Express Edition or connect to an existing
   SQL server.

g. On the Web Console screen, provide new port number(s) or accept
   the default port(s) for the Trend Micro Endpoint Sensor web
   console, and then click Next.

h. On the Server Identification screen, select between host name or
   IP address to determine how clients identify the Trend Micro
   Endpoint Sensor server, and then click Next.

i. On the Certificate Import screen, specify a certificate to use
   with the server by either importing an existing certificate or
   generating a new one, and then click Next.

j. On the Proxy Settings screen, if you intend to connect between the
   agents and server over a proxy connection, specify your proxy
   settings below, and then click Next.

k. On the Administrator screen, provide the password that the admin
   account will use, and then click Next.

l. On the Ready to Install the Program screen, click Install to start
   the server installation process.

m. On the Installation Complete screen, click Finish.

5.2 Installing the Trend Micro Endpoint Sensor Agent
===================================================================
There are 3 methods to install Trend Micro Endpoint Sensor agents:

- Local agent installation: install the agent using an agent
  installation package shared or copied locally to the target
  endpoint.

- Local agent silent installation: install the agent using an agent
  installation package shared or copied locally to the target
  endpoint, with no messages or windows shown during its progress.
  This is ideal for a large-scale enterprise deployment, or if
  installation of the agent will be automated.

- Agent installation using OfficeScan: use the OfficeScan Trend Micro
  Endpoint Sensor Deployment Tool plug-in to deploy Trend Micro
  Endpoint Sensor agents to OfficeScan managed endpoints.

Refer to the Installation Guide for agent installation procedures.

5.3 Upgrading an existing Trend Micro Endpoint Sensor Server
===================================================================
Existing installations of Trend Micro Endpoint Sensor server version
1.6 can directly upgrade to the 1.6 Build 1290 version.

Versions of Trend Micro Endpoint Sensor server earlier than 1.6 need
to be uninstalled first before installing this version. It is
possible to transfer the configuration and data of the old version to
this version. For assistance on this procedure, contact Trend Micro
Support for details.

5.4 Uninstalling the Trend Micro Endpoint Sensor Server
===================================================================
To remove the Trend Micro Endpoint Sensor server program, perform the
following steps:

a. Go to Start > Control Panel > Programs and Features.

b. Choose Trend Micro Endpoint Sensor, and then click Uninstall.

c. On the Setup screen, click Uninstall.

d. On the Uninstall Complete screen, click Finish.

Trend Micro Endpoint Sensor is removed from the list of installed
programs.

6. Post-Installation Configuration
========================================================================
Check whether you can access the Trend Micro Endpoint Sensor web
console:

https://:8000/

Use the administrator account and the password you set during
installation.

7. Known Issues
========================================================================
Here are the known issues in this release:

7.1 Trend Micro Endpoint Sensor does not support pure IPv6
    environments.
================================================================
The communication between Trend Micro Endpoint Sensor server and
agents is through IPv4. The Trend Micro Endpoint Sensor server uses
host names to identify endpoints having both IPv4 and IPv6 addresses.
Agents using IPv6 addresses cannot connect to the server.

7.2 Trend Micro Endpoint Sensor server does not support installation
    on Squid proxy versions earlier than 3.2.
================================================================
Trend Micro Endpoint Sensor server has issues with earlier versions
of Squid. However, this has been fixed in Squid versions 3.2 and
later.

7.3 The Trend Micro Endpoint Sensor server does not support
    installation on endpoints used as a Domain Controller.
================================================================
A Domain Controller does not allow the installation of SQL Server or
SQL Server Express.

7.4 The Trend Micro Endpoint Sensor agent program is incompatible
    with Trend Micro(TM) Internet Security, Trend Micro(TM) Deep
    Security and Trend Micro(TM) Titanium(TM).
================================================================
Do not install the Trend Micro Endpoint Sensor agent program on
endpoints running Trend Micro Internet Security, Trend Micro Deep
Security, or Trend Micro Titanium. The setup program does not check
for this incompatibility. The Trend Micro Endpoint Sensor agent will
still be installed but will encounter issues. For example, the Trend
Micro Endpoint Sensor services may be unable to start.

7.5 Trend Micro Endpoint Sensor is incompatible with the OfficeScan
    Corporate Edition USB monitoring Plug-in Service POC build.
================================================================
Do not install the Trend Micro Endpoint Sensor server program on
endpoints running OfficeScan Corporate Edition USB monitoring Plug-in
Service POC build. The setup program does not check for this
incompatibility. The Trend Micro Endpoint Sensor server will still be
installed but will encounter issues. For example, the Trend Micro
Endpoint Sensor services may be unable to start.

7.6 Trend Micro Endpoint Sensor is incompatible with Bitdefender.
================================================================
Do not install the Trend Micro Endpoint Sensor agent program on
endpoints running Bitdefender. The setup program does not check for
this incompatibility. The Trend Micro Endpoint Sensor agent will
still be installed but will encounter issues. For example, the Trend
Micro Endpoint Sensor services may be unable to start.

7.7 Trend Micro Endpoint Sensor is incompatible with the Microsoft
    Enhanced Mitigation Experience Toolkit (EMET) 4.1 and below.
================================================================
Do not install the Trend Micro Endpoint Sensor agent program on
endpoints running a Microsoft Enhanced Mitigation Experience Toolkit
version of 4.1 or lower. The setup program does not check for this
incompatibility. The Trend Micro Endpoint Sensor agent will still be
installed but will encounter issues. For example, the Trend Micro
Endpoint Sensor services may be unable to start. To prevent the
issue, it is recommended to upgrade to Microsoft Enhanced Mitigation
Experience Toolkit version 5.5 or higher prior to installing.

7.8 The OfficeScan Trend Micro Endpoint Sensor Deployment Tool
    plug-in is unable to update an agent if OfficeScan Corporate
    Edition cannot resolve the agent host name.
================================================================
If the OfficeScan Trend Micro Endpoint Sensor Deployment Tool plug-in
is unable to resolve the agent host name, it encounters a timeout
error. To resolve this issue, check the DNS settings or manually add
an IP address to the HOSTS file.

7.9 The OfficeScan Trend Micro Endpoint Sensor Deployment Tool
    plug-in may be unable to update a Trend Micro Endpoint Sensor
    agent if the endpoint is going through a Windows update.
================================================================
Windows Update may prevent the OfficeScan Trend Micro Endpoint Sensor
Deployment Tool from updating the agent. To ensure a successful agent
update, wait for the Windows update to finish, reboot the endpoint,
then try updating the agent again.

7.10 OfficeScan is unable to install, uninstall, or upgrade an
     endpoint's agent if another process locks the folder where the
     Trend Micro Endpoint Sensor agent is installed.
================================================================
The folder where the Trend Micro Endpoint Sensor agent is installed
may be locked by another process during uninstallation. To resolve
this issue, reboot the endpoint and try again. If the issue persists,
contact Trend Micro support for assistance.

7.11 If OfficeScan Corporate Edition starts scanning during
     installation, it may cause high CPU usage.
================================================================
A scheduled scan initiated by OfficeScan Corporate Edition during
agent installation may severely affect system performance. By
default, OfficeScan Corporate Edition scans every new file added to
the endpoint. As a workaround, configure OfficeScan to defer scanning
until the installation is finished.

7.12 The Trend Micro Endpoint Sensor agent is unable to monitor
     network events of objects that call Internet Explorer versions
     10 and above for internet access.
================================================================
If Internet Explorer version 10 or above is installed in the target
endpoint, objects that call on Internet Explorer for internet access
may not appear in the monitoring results. Other Internet Explorer
versions are not affected.

7.13 Remote uninstallation of the agent may encounter issues if the
     previous installation did not complete successfully.
================================================================
Uninstallation may encounter issues if the previous installation was
not properly completed. To resolve the issue, reboot the endpoint
before uninstallation.

7.14 Installing an agent in an endpoint where an agent is already
     installed creates another entry for that endpoint.
================================================================
Duplicate entries for one endpoint may occur if the agent installer
was run in an endpoint where an existing agent was previously
installed. To prevent the issue, uninstall the existing agent first
before installing a new one.

7.15 The Trend Micro Endpoint Sensor agent may not function correctly
     if installed in a virtual environment or in a virtual desktop
     infrastructure (VDI).
================================================================
Trend Micro does not recommend installing agents in a virtual
environment or in a virtual desktop infrastructure (VDI). The Trend
Micro Endpoint Sensor agent will still be installed but may encounter
performance or compatibility issues. If you need to run the agent in
a virtual environment or in a VDI, contact technical support for
assistance.

7.16 Trend Micro Endpoint Sensor is unable to change its assigned
     static IP address if the server and agent are installed in the
     same endpoint.
================================================================
You can only specify a static IP address during installation. If you
need to allocate a new name or IP address, reinstall the Trend Micro
Endpoint Sensor server and agents. Additionally, ensure that there is
only one installation in each endpoint.

7.17 Trend Micro Endpoint Sensor cancels a query command if an agent
     reboots while receiving the query command.
================================================================
To minimize interruptions, ensure that the Trend Micro Endpoint
Sensor server maintains communication with its target endpoints while
performing an investigation.

7.18 Trend Micro Endpoint Sensor skips calculation of hash values for
     files dropped by the legitimate explorer.exe.
================================================================
To improve performance, Trend Micro Endpoint Sensor does not
calculate the hash values of files dropped by the legitimate
explorer.exe. Trend Micro Endpoint Sensor still includes the dropped
files in its investigation and shows all other attributes, but will
display blank hash values for these files.

7.19 Trend Micro Endpoint Sensor server is unable to perform
     auto-purge on databases with sizes exceeding 4 GB if the server
     uses SQL Express.
================================================================
SQL Server Express is suitable only for a small number of
connections. Due to the limitations of SQL Express, Trend Micro
recommends Microsoft SQL Server Standard or Enterprise Edition for
large networks.

7.20 After the investigation has been cancelled, the Trend Micro
     Endpoint Sensor server may show the status of some endpoints as
     still being processed for investigation.
================================================================
The server stops updating the Results screen once an investigation is
cancelled. However, if an endpoint is in the middle of being
investigated, Trend Micro Endpoint Sensor will finish the
investigation for that endpoint, but will no longer proceed with the
remaining endpoints.

7.21 If a previous investigation is cancelled and a new investigation
     is started, the new investigation may take a while to start.
================================================================
If the user cancels the investigation, investigations for all
remaining pending endpoints are dropped, and Trend Micro Endpoint
Sensor will just complete the investigation for the current endpoint
before stopping completely. This investigation can take some time to
complete. Note that the previous investigation has to completely stop
before a new investigation can begin.

7.22 If OfficeScan encounters an error deploying to a specific
     endpoint, the Trend Micro Endpoint Sensor Deployment tool may
     continue to show an 'installing' status for that endpoint until
     the timeout period is reached.
================================================================
This is because the error code sent by OfficeScan agent has not
reached the Trend Micro Endpoint Sensor Deployment tool. As a result,
the Trend Micro Endpoint Sensor Deployment tool will continue to show
an 'installing' status until the timeout period is reached. If this
occurs, try deploying again later. If the problem persists, contact
Trend Micro support for assistance.

7.23 New agents are unable to retrieve investigation commands if a
     database is restored from backup or reverted to a previous
     snapshot.
================================================================
If a database is restored from backup or reverted to a previous
snapshot, new agents that were not yet included in the records of the
database backup will be unable to retrieve investigation commands. To
resolve the issue, re-register the agent.

7.24 In the Monitoring Logs, endpoints where a previous version of
     Trend Micro Endpoint Sensor agent is still installed are
     assigned to the 'Unknown' category.
================================================================
To resolve the issue, ensure that all endpoint agents are upgraded to
the same version as the server.

7.25 Investigation results may include file, process, or module
     initialization events that were specified in the kernel
     whitelist.
================================================================
Trend Micro Endpoint Sensor loads the Endpoint Sensor Trusted Pattern
to whitelist specific kernel mode events. However, this pattern will
take some time to load. As a result, Trend Micro Endpoint Sensor
includes all file, process, or module initialization events occurring
during this delay, even those specified in the pattern.

7.26 In Control Manager, double-byte characters in the Object List
     tab of the Root Cause Chain screen are converted into garbage
     characters if exported to a CSV file.
================================================================
In Control Manager, double-byte characters appear normal on the Root
Cause Chain screen. However, if the results are converted to CSV
using the Object List tab's Export feature, double-byte characters
are not converted properly.

7.27 The Trend Micro Endpoint Sensor Esclient service may not start
     successfully after a reboot initiated by a Windows update.
================================================================
Windows Update may prevent some services from starting while it
updates its components. The Esclient service may not start. This is
due to the 30-second timeout allotted for services. To resolve this
issue, manually start the Trend Micro Endpoint Sensor server service.

As a workaround, you can edit the registry to increase the timeout
for services:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type ServicesPipeTimeout, and then press ENTER.
5. On the Edit menu, click Modify.
6. In the Value data box, type '180000', and then click OK.
7. Restart the system.

7.28 Other Trend Micro products which support integration with Trend
     Micro Endpoint Sensor may still refer to the software as "Deep
     Discovery Endpoint Sensor".
================================================================
Additionally, existing modules and documentation may still also refer
to the software as "Deep Discovery Endpoint Sensor" in some places.
This will be fixed in recent releases of the integrated product.
Contact Trend Micro support to see if an upgrade or hotfix that fixes
this issue is already available for your Trend Micro product.

8. Release History
========================================================================
Trend Micro Endpoint Sensor 1.6 Build 1290     February 24, 2017
Trend Micro Endpoint Sensor 1.6 Repack         August 10, 2016
Trend Micro Endpoint Sensor 1.6                May 12, 2016
Deep Discovery Endpoint Sensor 1.5             December 20, 2015
Deep Discovery Endpoint Sensor 1.0             May 30, 2014

9. Contact Information
========================================================================
A license to the Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support
for one (1) year from the date of purchase only. After the first
year, Maintenance must be renewed on an annual basis at Trend Micro's
then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us
at:

http://www.trendmicro.com

Evaluation copies of Trend Micro products can be downloaded from our
Web site.

Global Mailing Address Telephone Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to:

http://www.trendmicro.com/en/about/overview.htm

The Trend Micro "About Us" screen displays. Click the appropriate
link in the "Contact Us" section of the screen.

Note: This information is subject to change without notice.

10. About Trend Micro
========================================================================
Trend Micro Incorporated, a global leader in Internet content
security and threat management, aims to create a world safe for the
exchange of digital information for businesses and consumers. A
pioneer in server-based antivirus with over 25 years' experience, we
deliver top-ranked security that fits our customers' needs, stops new
threats faster, and protects data in physical, virtualized and cloud
environments. Powered by the Trend Micro Smart Protection Network(TM)
infrastructure, our industry-leading cloud-computing security
technology and products stop threats where they emerge, on the
Internet, and are supported by 1,000+ threat intelligence experts
around the globe. For additional information, visit
www.trendmicro.com.

Copyright 2016, Trend Micro Incorporated. All rights reserved. Trend
Micro, the t-ball logo, and Trend Micro Endpoint Sensor are
trademarks of Trend Micro Incorporated and are registered in some
jurisdictions. All other marks are the trademarks or registered
trademarks of their respective companies.

11. License Agreement
========================================================================
Information about your license agreement with Trend Micro can be
viewed at:

http://www.trendmicro.com/en/purchase/license
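
Known issues 7.4, 7.6 and 7.7 state that the agent setup program does not check for the incompatible products they list. The PowerShell pre-install check below is an added example, not part of the Trend Micro readme or product; the DisplayName wildcards, the function names and the sample inventory are assumptions made for illustration, and it needs PowerShell 3.0 or later.

```powershell
# Added example (not Trend Micro code). The DisplayName wildcards are
# assumptions: confirm them against your own software inventory first.
$ConflictRules = @(
    @{ Pattern = '*Trend Micro*Internet Security*'; Issue = '7.4' },
    @{ Pattern = '*Trend Micro*Deep Security*';     Issue = '7.4' },
    @{ Pattern = '*Trend Micro*Titanium*';          Issue = '7.4' },
    @{ Pattern = '*Bitdefender*';                   Issue = '7.6' }
)

function Get-InstalledProduct {
    # Reads the 64-bit and 32-bit uninstall keys of the local machine.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion
}

function Get-EmetVerdict {
    # 7.7: EMET 4.1 and below is incompatible; 5.5 or higher is recommended.
    # Only major.minor is compared, so '4.1.5228.513' still counts as 4.1.
    param([string]$DisplayVersion)
    $v = $null
    if (-not ([version]::TryParse($DisplayVersion, [ref]$v))) {
        return 'Version unreadable, check manually'
    }
    if ($v.Major -lt 4 -or ($v.Major -eq 4 -and $v.Minor -le 1)) {
        return 'Incompatible (4.1 or lower)'
    }
    if ($v.Major -gt 5 -or ($v.Major -eq 5 -and $v.Minor -ge 5)) {
        return 'OK (5.5 or higher)'
    }
    'Below the recommended 5.5'
}

function Find-EndpointSensorConflict {
    # Pass -Inventory to test against exported data; defaults to this machine.
    param([object[]]$Inventory = (Get-InstalledProduct))
    foreach ($item in $Inventory) {
        foreach ($rule in $ConflictRules) {
            if ($item.DisplayName -like $rule.Pattern) {
                [pscustomobject]@{
                    Product = $item.DisplayName; Version = $item.DisplayVersion
                    Issue   = $rule.Issue;       Verdict = 'Incompatible'
                }
            }
        }
        if ($item.DisplayName -like 'EMET*' -or
            $item.DisplayName -like '*Enhanced Mitigation Experience Toolkit*') {
            [pscustomobject]@{
                Product = $item.DisplayName; Version = $item.DisplayVersion
                Issue   = '7.7';             Verdict = Get-EmetVerdict $item.DisplayVersion
            }
        }
    }
}

# Constructed sample inventory (not real scan output) to show the result shape.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Bitdefender Endpoint Security Tools'; DisplayVersion = '6.2.0.0' }
    [pscustomobject]@{ DisplayName = 'EMET 4.1'; DisplayVersion = '4.1.5228.513' }
    [pscustomobject]@{ DisplayName = 'EMET 5.5'; DisplayVersion = '5.5' }
    [pscustomobject]@{ DisplayName = '7-Zip';    DisplayVersion = '16.04' }
)
Find-EndpointSensorConflict -Inventory $sample | Format-Table -AutoSize
```

Call `Find-EndpointSensorConflict` with no arguments on a target endpoint before deploying the agent; any row other than an EMET "OK" verdict should block the install.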
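
The registry workaround in known issue 7.27 can be scripted for endpoints where regedit is impractical. This is an added example, not part of the Trend Micro readme; the function name and its parameters are hypothetical, while the key, value name and 180000 come from the steps in 7.27. It leaves an existing equal or longer timeout untouched.

```powershell
# Added example (not Trend Micro code). Run from an elevated prompt.
function Set-ServicesPipeTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Milliseconds = 180000,    # value given in known issue 7.27
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    )
    $name = 'ServicesPipeTimeout'
    # $current stays $null when the value has never been created.
    $current = (Get-ItemProperty -Path $KeyPath -Name $name `
                    -ErrorAction SilentlyContinue).$name

    if ($null -ne $current -and $current -ge $Milliseconds) {
        # An equal or longer timeout is already configured: do not lower it.
        return [pscustomobject]@{ Previous = $current; Current = $current; Changed = $false }
    }

    if ($PSCmdlet.ShouldProcess("$KeyPath\$name", "Set DWORD to $Milliseconds")) {
        # -Force overwrites a smaller existing value and creates a missing one.
        New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord `
            -Value $Milliseconds -Force | Out-Null
        $after = (Get-ItemProperty -Path $KeyPath -Name $name).$name
        return [pscustomobject]@{ Previous = $current; Current = $after; Changed = $true }
    }

    # -WhatIf or a declined confirmation: nothing was written.
    [pscustomobject]@{ Previous = $current; Current = $current; Changed = $false }
}

# Preview only; remove -WhatIf to apply, then restart the system (step 7).
Set-ServicesPipeTimeout -WhatIf
```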