Transcription of Trend Micro Endpoint Application Control v2.0 Patch 1
Trend Micro Endpoint Application Control Patch 1. Best Practice Guide

About this document

Trend Micro Endpoint Application Control is an application whitelisting solution that uses whitelists to control which applications are permitted to execute on an endpoint. It helps to stop the execution of malware, unlicensed software, and other unauthorized and unknown software on your corporate endpoints. This guide is intended to help users get the best productivity out of the product. It contains a collection of best practices based on knowledge gathered from previous enterprise deployments, lab validations, and lessons learned in the field.
Examples and considerations in this document provide guidance only and do not represent strict design requirements. The guidelines in this document do not apply to every environment, but they will help guide you through the decisions you need to make to configure Endpoint Application Control for optimum performance. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file and the latest version of the applicable user documentation.
This document is designed to be used in conjunction with the following guides, all of which provide more detail about Endpoint Application Control than is given here: Trend Micro Endpoint Application Control Installation and Admin Guides _____.

This Best Practice Guide contains:
Deployment considerations and recommendations
Product sizing guide
Recommended system and hardware requirements for Server and Agents
Guide to policy deployment
Server tuning properties
Backup and Disaster Recovery procedure
Endpoint Application Control tools

1 Copyright 2015 Trend Micro Inc.
Copyright

INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. THE NAMES OF COMPANIES, PRODUCTS, PEOPLE, CHARACTERS, AND/OR DATA MENTIONED HEREIN ARE FICTITIOUS AND ARE IN NO WAY INTENDED TO REPRESENT ANY REAL INDIVIDUAL, COMPANY, PRODUCT, OR EVENT, UNLESS OTHERWISE NOTED. COMPLYING WITH ALL APPLICABLE COPYRIGHT LAWS IS THE RESPONSIBILITY OF THE USER. COPYRIGHT 2016 Trend Micro INCORPORATED. ALL RIGHTS RESERVED. NO PART OF THIS PUBLICATION MAY BE REPRODUCED, PHOTOCOPIED, STORED IN A RETRIEVAL SYSTEM, OR TRANSMITTED WITHOUT THE EXPRESS PRIOR WRITTEN CONSENT OF Trend Micro INCORPORATED.
ALL OTHER BRAND AND PRODUCT NAMES ARE TRADEMARKS OR REGISTERED TRADEMARKS OF THEIR RESPECTIVE COMPANIES OR ORGANIZATIONS. AUTHOR: RAYMOND F. VILLAFANIA. RELEASED: APRIL 13, 2016.

Terms and Abbreviations

The following are the terms and abbreviations used in this document:

Abbreviation | Terminology | Description
TMEAC | Trend Micro Endpoint Application Control | Trend Micro Endpoint Application Control Patch 1
EAC | Endpoint Application Control | Trend Micro Endpoint Application Control Patch 1
AC Server | Endpoint Application Control Server | Server component
AC Agent | Endpoint Application Control Agent | Agent component
WebUI | Management Console | Web console
PLS | Plug-in Manager Service | OfficeScan Plug-in Service
TMCSSS | Trend Micro Certified Safe Software Service | Whitelist pattern
Table of Contents

i. About this document 1
ii. Copyright 2
iii. Terms and Abbreviations 3
iv. Table of Contents 4
1 Product Information 5
  About Trend Micro Endpoint Application Control 6
  Product Features 7
  New in TMEAC 8
2 Sizing Guide and Product 9
  Server Scaling Recommendations 9
  Server Memory Use Allocation 10
  Server and Agent Requirements 10
  Recommended Browser for Web UI Management 11
  Excluding Endpoint Application Control from AV Real-time Scan 11
3 Installation and Deployment 12
  Main Components 13
  Deployment Planning 14
  Installation Guidelines 15
  AC Server 15
  AC Agent 15
4 Rules and Policy Best Practice 18
  Rule Basics 18
  Managing Rules (Rule Screen) 18
  Rule Types 19
  Add/Edit Rules Screen 20
  General Guidelines 22
  Application Scanning Flow 23
  Application Scanning Flow with Trusted Source 24
  Policy Basics 25
  Managing Policies (Policy Screen) 25
  Add/Edit Policy Screen 26
  Policy Guidelines 27
  Policy Deployment Flow 28
  Creating Rules and Deploying Policies 29
  Understanding the Threat 29
  Preventing Malware Execution 30
  Stopping "Drive-by" Exploit 31
  Application Usage Policy 32
  Lockdown Policy 32
  Default Catch All Policy 33
  Roll-Your-Own Policy 33
5 Administration and Configuration 34
  Server and Agent Management 34
  Component Updates 34
  Active Directory Integration 34
  Trend Micro OfficeScan Integration as a Plug-In Service 35
  Trend Micro Control Manager Integration as a Managed Server 35
  Agent-Server SSL Communication 35
  Web Console Management 36
    Dashboard and Widgets 36
    User Accounts 36
    Logs Query 36
6 Product Tools 37
  Hashlist-Importer 37
7 Backup and Disaster Recovery 38
  Full Backup 38

1 Product Information

It is important to remember that application control software is not a replacement for a regular anti-virus program, which uses file signatures or blacklist patterns to detect malicious files and applications. Rather, Endpoint Application Control adds an additional layer of protection by allowing only approved (whitelisted) applications to run on an endpoint.
The table below is a simple illustration of the difference between the blacklisting and whitelisting approaches when protecting endpoints from unknown or unwanted files and applications.

Whitelisting | Blacklisting
Default-deny | Default-allow
Operates using a list of approved software | Operates using a list of unapproved/malicious software
Applications not on the approved list are denied execution | Applications not on the unapproved list are allowed to execute
Table 1 Whitelisting vs Blacklisting Approach

About Trend Micro Endpoint Application Control

A number of new malware families, such as those used in targeted attacks, can evade traditional
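The following is an added example, not code from the guide or from the product, that makes the default-deny versus default-allow distinction in Table 1 concrete. It evaluates the same set of constructed sample binaries under a hash-based allowlist (whitelist) and a hash-based denylist (blacklist); the file contents, hashes and file names are invented stand-ins. The point it demonstrates is the one the table implies but does not spell out: a never-seen binary is blocked by the whitelist and passed by the blacklist, and changing a single byte of a known sample flips the decision for both lists, which is why a hash-only whitelist needs a trusted-source or update mechanism of the kind the guide covers later under "Application Scanning Flow with Trusted Source".

```python
import hashlib

# Constructed sample "executables": byte strings standing in for file contents.
SAMPLES = {
    "notepad.exe":   b"MZ...notepad (approved build)",
    "calc.exe":      b"MZ...calc (approved build)",
    "known_mal.exe": b"MZ...known malware sample",
    "unknown.exe":   b"MZ...never-seen-before binary",
}


def sha256_hex(data: bytes) -> str:
    """Identity of a binary is its SHA-256 digest, as hash-based lists use."""
    return hashlib.sha256(data).hexdigest()


# Constructed lists: approved software for the whitelist, known-bad for the blacklist.
ALLOWLIST = {sha256_hex(SAMPLES["notepad.exe"]), sha256_hex(SAMPLES["calc.exe"])}
DENYLIST = {sha256_hex(SAMPLES["known_mal.exe"])}


def whitelist_decision(data: bytes, allowlist=ALLOWLIST) -> str:
    """Default-deny: only a hash on the approved list may execute."""
    return "allow" if sha256_hex(data) in allowlist else "deny"


def blacklist_decision(data: bytes, denylist=DENYLIST) -> str:
    """Default-allow: anything whose hash is not on the unapproved list may execute."""
    return "deny" if sha256_hex(data) in denylist else "allow"


def compare(samples=SAMPLES) -> dict:
    """Decision of each approach per sample as (whitelist, blacklist)."""
    return {name: (whitelist_decision(d), blacklist_decision(d))
            for name, d in samples.items()}


def tampered(data: bytes) -> bytes:
    """Append one byte: functionally the same program, a different hash to both lists.
    For an attacker this is trivial repacking; for an admin it is a routine patch."""
    return data + b"\x00"


if __name__ == "__main__":
    for name, (wl, bl) in compare().items():
        print(f"{name:14} whitelist={wl:5} blacklist={bl}")
    # A patched approved binary is blocked until the whitelist is updated.
    print("patched notepad ->", whitelist_decision(tampered(SAMPLES["notepad.exe"])))
    # A repacked known malware sample walks past the blacklist.
    print("repacked malware ->", blacklist_decision(tampered(SAMPLES["known_mal.exe"])))
```

Running the block prints the per-sample decisions, with unknown.exe denied by the whitelist but allowed by the blacklist, followed by the two tampered cases. The first tampered case is the operational cost of whitelisting (legitimate updates must be re-approved, which is what trusted sources and certified safe software lists address); the second is the detection gap of blacklisting that the guide's "Preventing Malware Execution" section is concerned with.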