Danny Chang - PowerPoint PPT Presentation

1
Technical Training
  • Danny Chang
  • Product Manager
  • Trend Micro Inc.
  • danny_chang_at_trend.com.tw

2
Agenda
  • What's the problem with the previous ServerProtect
  • What's new in ServerProtect 5.0
  • Inside of a module
  • Comparison chart
  • Why 5.0
  • Compatibility list
  • SKU
  • How to upgrade

3
What's the problem
  • No single console for ServerProtect NT and
    ServerProtect NW
  • No remote console for ServerProtect NT
  • No NT console for ServerProtect NW
  • No Internet update for ServerProtect NW
  • No incremental pattern update
  • No scan engine and program update
  • No log management provided
  • No security audit
  • High system overhead

4
What's new
  • Single installation and management console for
    both ServerProtect NT and ServerProtect NW
  • Real-time remote management based upon the new
    three-tier architecture
  • Automatic update of virus pattern file, scan
    engine, and program patch
  • Incremental update of virus pattern files
  • New scan engine architecture for ServerProtect
    NT
  • Task-oriented operation
  • Enhanced notification and logging mechanism

5
Real-time remote management
  • Three-tier architecture
      • A portable Management Console
      • An Information Server
      • Normal Servers

6
Inside management console (I)
  • Portable: can be installed from setup and run on
    any Win32 platform
  • Multi-threaded structure to speed up navigation
  • A console must log on to an Information Server to
    initiate management
      • an IS can currently be managed by only one
        console at a time
  • The server tree (including server status) is
    usually refreshed in real time when there is a
    change
  • Uses Winsock with smart port switching to
    communicate with the Information Server

7
Inside management console (II)
  • Time-out of a command (action or configuration)
    scales at 10 seconds per server, from a minimum
    of 3 minutes to a maximum of 10 minutes
      • no error message within that time frame means
        the command succeeded
      • an error message carries the server name and
        the error code
  • The time displayed on the console is the local
    time of the Normal Server, not that of the
    console itself
  • UI bugs of OfficeScan and PC-cillin may also show
    up in ServerProtect
  • Lots of good features in the main menu

8
Inside IS (I)
  • The following information is stored on the IS
      • server tree (registry)
      • task names (registry)
      • default tasks
      • Novell notification (registry)
      • ActiveUpdate setting (registry)
      • scan profiles (registry)
      • Information Server log (IS.dat)

9
Inside IS (II)
  • IS.dat stores the following events
      • console logon
      • console logout
      • change IS password
      • move IS
      • IS backup
      • IS restore
      • uninstall NS
      • upgrade NS
      • remote install NS
      • update IS
      • rollback IS
      • ActiveUpdate download
      • perform task failed
      • delete task failed

10
Inside IS (III)
  • Auto-backup when
      • the server tree changes
      • a task is added or removed
  • Scheduled backup of the information on the IS can
    be configured
  • When an IS goes down, users can either launch the
    backup IS or set up a new IS and connect all
    existing servers back to it
  • One IS handles at most 50 NS (recommended), fewer
    if there are NW servers

11
Automatic update (I)
  • Two steps
      • the Information Server downloads the pattern/
        engine/program patch from the Trend update
        server (scheduled setting available)
      • the Information Server deploys the new updates
        to selected Normal Servers (scheduled setting
        available in a task)
  • The Information Server stores all sources in the
    local directory SpntShare (download) and informs
    the Normal Servers to fetch them (deploy)

12
Automatic update (II)
  • Adopts the ActiveUpdate module to enable
    incremental pattern update
      • only applies to Normal Servers
      • the Information Server needs to download all
        pattern files to support this (takes longer
        than before)
  • Rollback is available
      • cannot be done partially: the components you
        updated last time will all be rolled back
  • On-line registration is optional
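
The two-step update (download into SpntShare, then deploy to the Normal Servers) and the all-or-nothing rollback described on the two slides above, modelled in Python as an added example. This is not Trend Micro's code: the component names, the version strings and the in-memory dictionary that stands in for the SpntShare directory are assumptions made for illustration.

```python
"""Two-step update (download to SpntShare, then deploy to Normal Servers) with
the all-or-nothing rollback the slides describe.  Added example, not Trend
Micro's code: component names, version strings and the in-memory dict that
stands in for the SpntShare directory are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

COMPONENTS = ("pattern", "engine", "program")   # assumed component names


@dataclass
class InformationServer:
    share: Dict[str, str] = field(default_factory=dict)   # stands in for SpntShare
    history: List[dict] = field(default_factory=list)     # one entry per download, for rollback


@dataclass
class NormalServer:
    name: str
    installed: Dict[str, str] = field(
        default_factory=lambda: {c: "0" for c in COMPONENTS})


def download(is_: InformationServer, available: Dict[str, str]) -> Dict[str, str]:
    """Step 1: the IS fetches what is newer than the staged copy in SpntShare.
    The share's previous contents are kept so 'rollback IS' can restore them."""
    unknown = set(available) - set(COMPONENTS)
    if unknown:
        raise ValueError(f"unknown component(s): {sorted(unknown)}")
    fetched = {c: v for c, v in available.items() if is_.share.get(c) != v}
    if fetched:
        is_.history.append({"share_before": dict(is_.share), "servers": {}})
        is_.share.update(fetched)
    return fetched


def deploy(is_: InformationServer, targets: List[NormalServer]) -> Dict[str, Dict[str, str]]:
    """Step 2: the selected Normal Servers pull the staged components.  Each
    server's previous versions are recorded under the latest download so a
    rollback can revert every server that took part."""
    if not is_.history:
        raise RuntimeError("nothing staged: run download() first")
    record = is_.history[-1]["servers"]
    changed_now: Dict[str, Dict[str, str]] = {}
    for ns in targets:
        old = {c: ns.installed[c] for c, v in is_.share.items() if ns.installed[c] != v}
        if not old:
            continue
        kept = record.setdefault(ns.name, {})
        for comp, prev in old.items():
            kept.setdefault(comp, prev)   # keep the pre-update version, not an intermediate one
        ns.installed.update({c: is_.share[c] for c in old})
        changed_now[ns.name] = old
    return changed_now


def rollback(is_: InformationServer, servers: Dict[str, NormalServer]) -> dict:
    """All-or-nothing: every component from the last update is reverted on
    every server that received it, and SpntShare goes back too.  There is no
    way to keep the new pattern while reverting only a bad engine."""
    if not is_.history:
        raise RuntimeError("nothing to roll back")
    entry = is_.history.pop()
    for name, previous in entry["servers"].items():
        servers[name].installed.update(previous)
    is_.share = dict(entry["share_before"])
    return entry


if __name__ == "__main__":
    is_ = InformationServer()
    srv1, srv2 = NormalServer("SRV1"), NormalServer("SRV2")
    download(is_, {"pattern": "612", "engine": "5.0"})   # versions are made up
    deploy(is_, [srv1, srv2])
    download(is_, {"pattern": "613", "engine": "5.1"})
    deploy(is_, [srv1])                                   # only SRV1 takes the new set
    rollback(is_, {"SRV1": srv1, "SRV2": srv2})
    print(srv1.installed)   # pattern is back to 612 as well, not only the engine
```

Running the block shows SRV1 back at pattern 612 and engine 5.0: the rollback takes the pattern update away together with the engine, which is the behaviour the slide warns about, so a bad engine costs you the newer pattern until the next download.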

13
New scan engine architecture
  • Both real-time scan and manual scan are done by
    the VSAPI kernel driver
  • Increases real-time scan speed by 37.5% (internal
    testing data, compared with SPNT 4.x)
  • Makes network drive scan possible (not possible
    on SPNT 4.x)
  • Makes personal directory scan possible (not
    possible on SPNT 4.x)
  • Manual scan speed is improved by multi-threading
      • best performance on multi-CPU servers
      • no display of which file is currently being
        scanned

14
Inside VSAPI kernel driver
  • After an infected file is cleaned, the owner shown
    in its properties changes to Administrator (the
    original owner is not preserved)
  • An infected file with a long file name will appear
    with its short (8.3) file name if opened in
    Explorer
  • Compressed-file scanning goes at most 5 layers
    deep, due to a kernel-mode limitation

15
Task Manager
  • Default tasks are provided
      • one button to update all ServerProtect servers
      • one button to scan all drives of all
        ServerProtect servers with the new updates
      • one button to generate monthly virus statistics
  • Users can also create their own tasks by
    combining the following items to automate routine
    maintenance
      • real-time scan setting, update, scan now, print
        log, export log, purge log, and run statistics
      • one click to handle red-alert cases

16
Inside Task Manager
  • Default tasks are created on every NS by the IS
    whenever an NS connects to its IS
  • Tasks only apply to NS, not to the IS
  • No item can be added after Update, since an
    update requires a service restart
  • Task content is stored on every NS; the IS only
    stores task name, task owner, and target servers
  • Default tasks cannot be modified (due to product
    schedule)

17
Enhanced notification (I)
  • Notification on the following events
      • virus infection
      • attempt to change a write-protected file
      • real-time scan configuration change
      • NT service/NLM unload
      • virus pattern out of date (number of days is
        configurable)

18
Enhanced notification (II)
  • Notification through the following methods
      • message box
      • pager
      • printer
      • SMTP mail
      • SNMP trap
      • NT event log
  • Outbreak alert is available

19
Inside notification (III)
  • NT: the notification is triggered by the Normal
    Server
  • NW: the notification is triggered by the
    Information Server
  • The message box does not pop up on the offending
    user/machine; it pops up on the selected servers

20
Enhanced logging
  • Logging of the following events
      • virus infection
      • scan summary
      • system
      • update
      • alert
      • task
  • Basic statistics provided
      • for further analysis, log files can be
        exported to CSV files
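
Further analysis over such a CSV export, as an added example that is not part of the original deck and not the product's own code. The slides do not specify the export format, so the column layout, the sample rows (constructed, with placeholder virus names) and the outbreak rule are assumptions. The block produces the per-month virus and per-server counts that the "monthly virus statistics" default task reports, and raises an outbreak alert when several infections land within a short window, which generalizes the outbreak alert the notification slides mention without defining.

```python
"""Monthly statistics and a simple outbreak check over a CSV export of
ServerProtect virus-infection log records.  Added example, not the product's
own code: the column layout, the rows and the outbreak rule are assumptions."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export (not a real log).  Column names are an assumption;
# virus names are placeholders.
SAMPLE_CSV = """\
time,server,virus,file,action
1999-10-04 09:12:00,FILESRV1,EICAR_TEST_FILE,memo.doc,Cleaned
1999-10-04 09:15:30,FILESRV1,EICAR_TEST_FILE,report.doc,Cleaned
1999-10-04 09:20:10,FILESRV2,EICAR_TEST_FILE,budget.doc,Quarantined
1999-10-11 14:02:00,FILESRV2,SAMPLE_MACRO_A,setup.doc,Deleted
1999-11-02 08:45:00,FILESRV1,EICAR_TEST_FILE,notes.doc,Cleaned
1999-11-02 08:46:00,NWSRV1,EICAR_TEST_FILE,plan.doc,Cleaned
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_export(text):
    """Parse the CSV export into dicts with a real datetime in 'time'.
    Remember the console caveat: the logged time is the Normal Server's
    local time, so servers in different zones need normalizing first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["time"] = datetime.strptime(rec["time"], TIME_FORMAT)
        rows.append(rec)
    return rows


def monthly_statistics(rows):
    """Infection counts keyed by (YYYY-MM, virus) and by (YYYY-MM, server)."""
    by_virus, by_server = Counter(), Counter()
    for rec in rows:
        month = rec["time"].strftime("%Y-%m")
        by_virus[(month, rec["virus"])] += 1
        by_server[(month, rec["server"])] += 1
    return by_virus, by_server


def outbreak_alerts(rows, threshold=3, window=timedelta(minutes=30)):
    """Sliding-window rule (an assumption, not the product's): raise one alert
    each time at least `threshold` infections land within `window`, across
    all servers, then reset so a single burst yields a single alert."""
    ordered = sorted(rows, key=lambda r: r["time"])
    alerts, start = [], 0
    for end, rec in enumerate(ordered):
        while rec["time"] - ordered[start]["time"] > window:
            start += 1
        if end - start + 1 >= threshold:
            burst = ordered[start:end + 1]
            alerts.append({
                "first": burst[0]["time"],
                "count": len(burst),
                "servers": sorted({b["server"] for b in burst}),
                "viruses": sorted({b["virus"] for b in burst}),
            })
            start = end + 1
    return alerts


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    by_virus, by_server = monthly_statistics(rows)
    for (month, virus), n in sorted(by_virus.items()):
        print(f"{month} {virus:<18} {n}")
    for alert in outbreak_alerts(rows):
        print("OUTBREAK", alert)
```

On the constructed rows the three infections on 4 October fall inside one 30-minute window and raise a single alert covering FILESRV1 and FILESRV2; the two November records are close together but stay below the threshold.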

21
Inside log
  • Uses CodeBase (like OfficeScan) on SPNT, not a
    text file as in 4.x
  • No problem with 1M records
  • The console loads at most the 1,000 latest records
    to save loading time
      • sorting will have problems
      • to view more, the records in the list have to
        be purged first
  • The console loads short information first to save
    loading time; double-clicking a record brings up
    the detailed information
  • Central log and scan result are not synchronized

22
Inside setup
  • Single setup program for SPNT and SPNW
  • Serial number
      • only accepts APXX, SPEF, and SPEM
  • Three component options: IS, NS, and
    Management Console
  • Setup cannot enumerate the target's local drives;
    it must install to a shared directory, with
    administrator rights on NT and write privilege
    on NW
  • Systems Management Server (SMS) partially
    compatible

23
How to check that setup is OK
  • Management console
      • check the program group in Start
  • Normal Server
      • check for a computer icon in the system tray
      • check that the service Trend ServerProtect
        starts
      • check that the devices Trend ServerProtect
        Filter and Trend ServerProtect Scan Engine
        start
  • Information Server
      • check that the service Trend ServerProtect
        Agent starts

24
Inside domain management
  • A domain is a virtual tier between IS and NS
      • only makes it easier for users to map to their
        existing domain structure
  • Domain management is available
      • only for settings
      • no domain setting is stored on the IS
      • settings are stored on the NS only
      • the console retrieves the setting from the
        first server under a domain to display it

25
Inside SPNW
  • Lprotect.nlm and VSAPI.nlm are the same as in the
    previous version
  • The major change is communication with the
    Information Server (an NT machine) instead of
    VPWIN
  • Notification is done by the Information Server
  • Scheduled jobs are also driven by the IS
  • Log is still a text file, not database format

26
Major known issues (I)
  • Setup/console and Information Server on different
    sides of a router
      • auto-search (UDP) fails: the discovery traffic
        does not cross the router
      • manual search (TCP) works
          • by server name: server using an English name
            in a DNS environment
          • by IP: 1. server using a non-English name,
            2. non-DNS environment

27
UDP
TCP
28
Major known issues (II)
  • Infected files from Windows 98 clients cannot be
    detected in real time on NT servers due to the
    nature of the OS; they will be detected on the
    next access
  • Backup software performance drops greatly if the
    files are compressed with a high compression
    ratio (e.g. 300M -> 10M)
  • CPU usage will go up to 100% if run on an MS SQL
    Server; users had better exclude the SQL Server
    folders from scanning

29
Debug log
  • Easy to access
      • main menu > Do > Create debug log
  • Hard to analyze
      • for product team only
  • Two output formats
      • to a file: good for remote submission
      • to a monitor screen: good for on-site debugging
  • Suggest turning on "trace all messages"
  • Engine debug log is separate
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TMFilter\Parameters
        (users have to create the Parameters key
        manually)
      • DebugLogFlags = 0x1fff // All (users have to
        create the DWORD manually)
      • written to the file Winnt\TMFilter.log
      • remove the value when finished; the log is
        verbose and keeps growing on the system drive

30
Comparison chart
31
Why 5.0
  • Simpler
      • one product for ServerProtect NT and
        ServerProtect NW
      • everything can be updated from the Internet
      • tasks available
  • Faster
      • scan
      • incremental update
  • More secure
      • more notifications
      • more audits
  • More flexible
      • portable console
      • more configurations

32
Compatibility list
  • NT Server/Workstation 3.51/4.0 and Windows 2000
  • NetWare 3.x/4.x/5.0 with SFT III
  • Microsoft Cluster Server, Terminal Server, and
    Index Server
  • ARCserve (from CA)
  • Backup Exec (from Veritas)
  • Open File Manager (from St. Bernard)
  • Quota Manager (from NTP Software)
  • pcANYWHERE (from Symantec)
  • Trend VCS 1.6 and above

33
System requirements
  • Information Server: NT4 SP1/3/4/5
      • with Gateway Service for NetWare (if necessary)
  • Normal Server
      • NT 3.51 SP5, NT4 SP1/3/4/5
      • NW 3.x/4.x/5.0
  • Management Console: Windows 95/98/NT
  • Network settings: TCP/IP, RPC (NT), IPX/SPX (NW),
    DNS (nice to have)

34
SKU
  • Two scenarios
      • server based
          • only counts the number of Normal Servers
      • client based
          • counts the number of clients protected
  • No more checking of the client user license, for
    both NT and NetWare
      • paper license only
      • each BU should decide its own user license
        policy
      • for example, Taiwan has 4 tiers: 10, 25, 50,
        and unlimited user licenses
  • Old serial numbers do not work in 5.0

35
How to upgrade
  • The installation program will detect a previous
    version of ServerProtect
  • ServerProtect for NT can be upgraded
    automatically and the existing configuration will
    be preserved
  • ServerProtect for NetWare must be upgraded
    manually due to the nature of NetWare
      • uninstall the previous version first
      • install the new version

36
Product roadmap
  • 5.1
      • pure IP support on NW5
      • fully SMS compliant (1.2 and 2.0)
      • bug fixing
      • GM 11/25
  • 5.2
      • notification via MAPI mail
      • Novell YES logo
      • bug fixing
      • GM 12/30

37
Q & A