Client Manager for Endpoint Protection - Trend not agreeing

(imported topic written by SystemAdmin)

The CMEP dashboard is showing all clients as having up to date signatures, while our Trend console shows 2 clients with old signatures.

Drilling down into the clients, both show Trend Micro OfficeScan Client Pattern Version 6.807.00 while the current version is 6.809.00.

What data does the dashboard look at?

(imported comment written by Danny_Leung91)

Hey jspanitz,

There are differences between the content delivered through CMEP versus Trend CPM. The reason for the overlap, between CMEP and CPM, is due to shared client product support namely, they both support the Trend OfficeScan product.

For the CMEP product, BigFix provides pattern updates Fixlets published on a daily basis. These Fixlets are based on the pattern files that are posted on the Trend Micro pattern updates website: http://www.trendmicro.com/download/pattern.asp.

Whenever a pattern update action is issued, pattern files are downloaded from the Trend Micro public pattern site. The healthy status of CMEP managed Trend clients is based on the current state of those clients compared to the Fixlets. This is then reflected in the CMEP Dashboard.

For the Trend CPM product, the CPM server has a dedicated process that downloads new pattern sets at shorter intervals - typically configured to at few hours. These pattern files are retrieved from a Trend pattern server dedicated for the CPM product. In contrast to CMEP, the CPM server downloads and re-hosts the pattern files locally for the deployment. The CPM Dashboard refers to the most recent available pattern set that is hosted to consider whether a CPM client is healthy.

In that sense, the CPM dashboard would typically have more updated definitions than the CMEP update Fixlets. This may also explain why CMEP reports updated clients whereas CPM reports out of date clients.

In any case, if the CPM product is deployed, you should use the content available from the Trend CPM Dashboard to manage and not the CMEP dashboard.

Thanks,

Danny

(imported comment written by SystemAdmin)

Danny, what you are saying makes sense, however, I’d like to clarify a couple of things. First, we have a standalone Trend console, not CPM. Second, We are using SmartScan, your explanation seems to be based on the older pattern download method.

So in our environment, the Trend clients are getting the SmartScan signature updates from our standalone Trend server and then going to the cloud for the rest or in the case of our standalone trend server being down or the client is off the corporate network, they are going right to Trend’s update servers.

What we saw was that 2 clients did indeed have the older pattern and the rest had the newer pattern. This was confirmed by checking the Trend standalone console / server and by manually checking the clients. However, BigFix was reporting that the same 2 clients had up to date signatures, along with all our other clients. Perhaps the up to date calculation is simply some type of “if signature is >= version xxx, then client is up to date”. Whatever the logic, the BigFix dashboard was not correctly showing the true nature of the environment.

That’s why we are curious about the logic that does the compare and presents clients with two confirmed different signatures as being up to date. This was also the basis for our feature request (http://forum.bigfix.com/viewtopic.php?id=4382) of the dashboard showing the pattern version and time in addition to the currently displayed date.