Danny Chang

1
Technical Training

• Danny Chang
• Product Manager
• Trend Micro Inc.
• danny_chang_at_trend.com.tw

2
Agenda

• Whats the problem of previous ServerProtect
• Whats new in ServerProtect 5.0
• Inside of a module
• Comparison chart
• Why 5.0
• Compatibility list
• SKU
• How to upgrade

3
Whats the problem

• No single console for ServerProtect NT and
  ServerProtect NW
• No remote console for ServerProtect NT
• No NT console for ServerProtect NW
• No Internet update for ServerProtect NW
• No incremental pattern update
• No scan engine and program update
• No log management provided
• No security audit
• System overhead

4
Whats new

• Single installation and management console for
  both
• ServerProtect NT and ServerProtect NW
• Real-time remote management based upon the new
• three-tier architecture
• Automatic update of virus pattern file, scan
  engine,
• and program patch
• Incremental update of virus pattern files
• New scan engine architecture for ServerProtect
  NT
• Task-oriented operation
• Enhanced notification and logging mechanism

5
Real-time remote management

• Three-tier architecture
• A portable Management Console
• An Information Server
• Normal Servers

6
Inside management console (I)

• Portable, can be installed from setup and run on
  any Win32 platform
• Multi-threaded structure to speed up navigation
• A console must log on an Information Server to
  initiate management
• an IS can only be managed by one console
  currently
• The server tree (including server status) will be
  refreshed in real-time most of the time when
  there is a change
• Using Winsock with smart port switching to
  communicate with Information Server

7
Inside management console (II)

• Time-out of a command (action or configuration)
  ranges from 3 minutes to 10 minutes with 10
  seconds per server
• no error message occurs in the time frame means
  command success
• error message with server name and error code
• The time system displayed on the console is
  actually the local time of a Normal Server, not
  that of the console itself
• The UI bugs of OfficeScan and PC-cillin will
  possibly exist in ServerProtect too
• Lots of good features in main menu

8
Inside IS (I)

• The following information is stored in IS
• server tree (registry)
• task names (registry)
• default tasks
• Novell notification (registry)
• ActiveUpdate setting (registry)
• scan profiles (registry)
• Information Server log (IS.dat)

9
Inside IS (II)

• IS.dat will store the following information
• console logon
• console logout
• change IS password
• move IS
• IS backup
• IS restore
• uninstall NS
• upgade NS
• remote install NS
• update IS
• rollback IS
• ActiveUpdate download
• perform task failed
• delete task failed

10
Inside IS (III)

• Auto-backup when
• server tree change
• add a task/remove a task
• Scheduled backup of information on IS can be
  configured
• When an IS down, users can either launch backup
  IS or setup a new IS to connect all existing
  servers back
• One IS handles at most 50 NS (recommended), less
  if there are NW servers

11
Automatic update (I)

• Two steps
• Information Server downloads pattern/engine/progra
  m patch from Trend update server (scheduled
  setting available)
• Information Server deploys new updates to
  selected Normal Servers (scheduled setting
  available in task)
• Information Server stores all sources in the
  local directory SpntShare (download) and informs
  Normal Server to get them (deploy)

12
Automatic update (II)

• Adopts ActiveUpdate module to enable incremental
  pattern update
• only applies to Normal Server
• Information Server needs to download all pattern
  files to support this (takes longer than before)
• Rollback is available
• can not be done partially, the components you
  updated last time will all be rollbacked
• On-line registration is optional

13
New Scan engine architecture

• Both real-time scan and manual scan are done by
  VSAPI kernel driver
• Increases real-time scan speed by 37.5 (internal
  testing data, comparing with SPNT 4.x)
• Makes network drive scan possible (no on SPNT
  4.x)
• Makes personal directory scan possible (no on
  SPNT 4.x)
• Manual scan speed is improved by multi-thread
• best performance on multi-CPU servers
• no information of the file is now being scanned

14
Inside VSAPI kernel driver

• After an infected file is cleaned, the owner in
  property will be change to administrator
• An infected file with long file name will become
  short file name if opened in Explorer
• Compressed layer up to 5 due to kernel mode
  limitation

15
Task Manager

• Default tasks are provided
• one-button to update all ServerProtect servers
  one-button to scan all drives of all
  ServerProtect servers with new updates
• one-button to generate monthly virus statistics
• Users can also create their own tasks by
  combining the following items to automate routine
  maintenance
• real-time scan setting, update, scan now, print
  log, export log, purge log, and run statistics
• one click to handle red alert cases

16
Inside Task Manager

• Default tasks are created on every NS by IS
  whenever a NS connects to its IS
• Tasks only apply to NS not covering IS
• Can not add any item after Update since update
  will require restart service
• Task content is stored on every NS, IS only
  stores task name, task owner, and servers
• Default tasks can not be modified due to product
  schedule

17
Enhanced notification (I)

• Notification on the following events
• virus infection
• attempt to change write-protected file
• real-time scan configuration change
• NT service/NLM unload
• virus pattern out-of-date (days are configurable)

18
Enhanced notification (II)

• Notification through the following methods
• message box
• pager
• printer
• SMTP mail
• SNMP trap
• NT event log
• Outbreak alert is available

19
Inside notification (III)

• NT the notification will be triggered by Normal
  Server
• NW the notification will be triggered by
  Information Server
• Message box will not pop-up on the offending
  user/machine, will pop-up on selected servers

20
Enhanced logging

• Logging on the following events
• virus infection
• scan summary
• system
• update
• alert
• task
• Basic statistics provided
• further analysis can be done to transform log
  files to CSV files

21
Inside log

• Adopt Codebase (like OfficeScan) in SPNT, not a
  text file as in 4.x
• No problem with 1M records
• Console loads 1,000 latest records at most to
  save loading time
• sorting will have problems
• to view more have to purge all in the list first
• Console loads short information first to save
  loading time, double-click a record will bring up
  detailed information
• Central log and scan result will not be
  synchronized

22
Inside setup

• Single setup program for SPNT and SPNW
• Serial number
• only accepts APXX, SPEF, and SPEM
• With three-component options IS, NS, and
  Management Console
• Can not enumerate local drives, must install to a
  shared directory with administrator right on NT
  and write privilege on NW
• Systems Management Server (SMS) partially
  compatible

23
How to check setup is OK

• Management console
• check program group in Start
• Normal Server
• check a computer icon inside the system tray
• check service Trend ServerProtect starts
• check device Trend ServerProtect Filter and
  Trend ServerProtect Scan Engine starts
• Information Server
• check service Trend ServerProtect Agent starts

24
Inside domain management

• Domain is a virtual-tier between IS and NS
• only makes users easier to link with their
  existing domain structure
• Domain management is available
• only in setting
• no domain setting stored in IS
• setting stored in NS only
• console will retrieve setting from the first
  server under a domain to display

25
Inside SPNW

• Lprotect.nlm and VSAPI.nlm are same as previous
  version
• Major change is the communication with
  Information Server (a NT) not VPWIN
• Notification is done by Information Server
• Schedule jobs are notified by IS too
• Log is still in text file not database format

26
Major known issues (I)

• Setup/console and Information Server are cross
  router
• auto-search will fail (UDP)
• manual search works (TCP)
• by server name server using English name in DNS
  environment
• by IP 1. server using non-English name
• 2. Non DNS environment

27
UDP
TCP
28
Major known issues (II)

• The infected files from Windows 98 clients can
  not be detected in real-time on NT servers due to
  OS nature, will be detected on next access
• Backup software performance drops greatly if the
  files are compressed and with high compression
  ratio (eg. 300M --gt 10M)
• CPU will go up to 100 if run on MS SQL server,
  users had better exclude the folders

29
Debug log

• Easy to access
• main menuDoCreate debug log
• Hard to analyze
• for product team only
• Two output formats
• to a file good for remote submission
• to a monitor screen good for on-site debug
• Suggest to turn on trace all messages
• Engine debug log is separate
• \\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Serv
  ices\TMFilter\Parameters (users have to create
  Parameters manually)
• DebugLogFlags 0x1fff //All (users have to
  create a DWORD manually)
• Into the file Winnt/TMFilter.log

30
Comparison chart
31
Why 5.0

• Simpler
• one for ServerProtect NT and ServerProtect NW
• everything can be updated from Internet
• tasks available
• Faster
• scan
• incremental update
• Securer
• more notifications
• more audits
• More flexible
• portable console
• more configurations

32
Compatibility list

• NT Server/Workstation 3.51/4.0 and Windows 2000
• NetWare 3.x/4.x/5.0 with SFT III
• Microsoft Cluster Server, Terminal Server, and
  Index Server
• ARCserve (from CA)
• Backup Exec (from Veritas)
• Open File Manager (from St. Bernard)
• Quota Manager (from NTP Software)
• pcANYWHERE (from Symantec)
• Trend VCS 1.6 and above

33
System requirements

• Information Server NT4 SP1/3/4/5
• with gateway service for NetWare (if necessary)
• Normal Server
• NT 3.51 SP5, NT4 SP1/3/4/5
• NW 3.x/4.x/5.0
• Management Console Windows 95/98/NT
• Network setting TCP/IP, RPC (NT), IPX/SPX (NW),
  DNS (nice to have)

34
SKU

• Two scenarios
• server base
• only counts number of Normal Servers
• client base
• counts number of clients protected
• No more checking on client user license both for
  NT and NetWare
• paper license only
• BU should decide its own user license policy
• for example Taiwan has 4 layers 10, 25, 50,
  unlimited user license
• Old serial numbers do not work in 5.0

35
How to upgrade

• Installation program will detect previous version
  of ServerProtect
• ServerProtect for NT can be upgraded
  automatically and existing configuration will be
  preserved
• ServerProtect for NetWare will be upgraded
  manually due to the nature of NetWare
• uninstallation of previous version first
• installation of new version

36
Product roadmap

• 5.1
• pure IP support on NW5
• SMS fully compliant (1.2 2.0)
• bug fixing
• GM 11/25
• 5.2
• notification via MAPI mail
• Novell YES logo
• bug fixing
• GM 12/30

37
Q A