New version of IBM BigFix Protection (formerly known as Core Protection Module) is released

IBM BigFix Protection

IBM BigFix Protection is pleased to announce the release of a new version of Core Protection.

Highlights:

  • Behavior Monitoring Scan Enhancement
    The scan capabilities of Behavior Monitoring Scan Enhancement, including Cryptolocker detection by Behavior Monitoring, work in conjunction with Web Reputation Services to verify the prevalence of files downloaded through HTTP channels or email applications. After detecting a newly encountered file, administrators can choose to prompt users before executing the file.
  • Smart Protection Server Enhancement
    The standalone version of the upgraded Smart Protection Server 3.0 is supported. The smart protection server now includes File Reputation Services pattern enhancements and detection capability with reduced memory and bandwidth consumption.
  • Global Intelligence Command & Control Server Lists
    Known Command and Control (C&C) servers can now be detected through the Smart Protection Network Global Intelligence list. Web Reputation Services checks all URLs against both the traditional malicious list and the new Global Intelligence C&C server list.
  • Network Content Inspection Engine Integration with Command & Control IP List
    The Command and Control (C&C) server IP list works in conjunction with Network Content Inspection Engine (NCIE) to detect network connections with known C&C servers. NCIE detects C&C server contact through any network channel.
  • Platform and Browser Support
    Microsoft Edge and Microsoft Windows 10 (Home, Pro, Education, and Enterprise editions) are now supported with advanced antivirus and personal firewall protection.
  • Suspicious Connection Settings Enhancement
    The Command & Control (C&C) Contact Alert Services now includes global user-defined approved and blocked IP lists and granular action configuration when suspicious connections are detected.

Updated Sites:

  • Trend Micro Core Protection Module site, version 68
  • Trend Micro Data Protection site, version 12
  • Trend Micro Reporting site, version 48
  • Trend Micro Mac Protection Module site, version 10
  • Trend Micro Common Firewall site, version 20

Documentation:
For more information about the new release, see the BigFix Protection - Core Protection Module 11.0 SP1 Administrator’s Guide.

We hope you find this latest release useful. Thank you!

Core Protection Team
IBM BigFix

3 Likes

Accomplished the CPM BES server/relay/sps upgrade process this week. Went smooth with no issues. Running BF v9.2.5 and went from CPM 10.6 SP2 to the new v11 SP1. Have only upgraded a couple of endpoints. So far no issues to report. Very pleased to see the enhanced features that were added with 11.

1 Like

Serious problems to get the client installed at the TEM server:

Core Protection Module - Endpoint Deploy (Version 11 Service Pack 1)

Everything seems to work well until the end of the installation script where it starts to move folders:

Failed
MoveDir = {value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string}\Quarantine

CleanFailedMoveDir = {value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string}\Quarantine

[Scan Now Configuration Ex]

ExcludeTrendProduct = 1

ExcludedFolder =

ExcludedFile =

ExcludedExt =

[Spyware Scan Now Configuration]

Enable = 1

ActionType = 1

__DONE

copy __createfile "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\ondemand.ini"

waithidden "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\TMCPMCLI.exe" CONFIG -i "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\ondemand.ini"

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM]" "SetDefaultScanSettingsActionID"="{id of active action}"

// Apply default realtime.ini [real-time settings wizard]

delete realtime.ini

delete "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\realtime.ini"

createfile until __DONE

[Real Time Scan Configuration]

Enable = 1

ScanIncoming = 1

ScanOutgoing = 1

ScanAllFiles = 1

IntelliScan = 1

ExtList =

ScanShutdown = 0

ScanNetwork = 0

ScanCompressed = 1

CompressedLayer = 2

IntelliTrap = 1

EnableExclusion = 1

ActiveAction = 1

EnableUniAct = 1

BkUpIfClean = 1

MoveDir = {value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string}\Quarantine

CleanFailedMoveDir = {value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string}\Quarantine

[Spyware Real Time Scan Configuration]

Enable = 1

ActionType = 1

[Real Time Scan Configuration Ex]

ExcludeTrendProduct = 1

ExcludedFolder = {(concatenation "|" of ((if (exists regapp "besclient.exe") then (pathname of parent folder of regapp "besclient.exe" as string & "__BESData") else "C:\Program Files\BigFix Enterprise\BES Client__BESData")
; (if (exists regapp "besrelay.exe") then (pathname of parent folder of regapp "besrelay.exe" as string) else "C:\Program Files\BigFix Enterprise\BES Relay")
; (if (exists value "EnterpriseServerFolder" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server" of registry) then (value "EnterpriseServerFolder" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server" of registry as string) else "C:\Program Files\BigFix Enterprise\BES Server")
; (if (exists value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry) then (value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string) else "C:\Program Files\Trend Micro\Core Protection Module")
; (if (exists value "InstallPath" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPMsrv" of registry) then (value "InstallPath" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPMsrv" of registry as string) else "C:\Program Files\Trend Micro\Core Protection Module Server")))}

ExcludedFile =

ExcludedExt =

__DONE

copy __createfile "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\realtime.ini"

waithidden "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\TMCPMCLI.exe" CONFIG -i "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\realtime.ini"

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM]" "SetCPMRealTimeSettingsActionID"="{id of active action}"

// Apply default global.ini [global settings wizard]

delete global.ini

delete "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\global.ini"

createfile until __DONE

[Global Setting]

GlobalLargeCompressedFileScanSetting = 1

MaximumExtractFileSize = 2

CompressedFileCount = 100

OleLayer = 3

ExcludeExchangeStore = 1

ZipCleanOnOff = 0

EnableAssessment = 0

CookieScanner = 0

DiskReserved = 60

__DONE

copy __createfile "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\global.ini"

waithidden "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\TMCPMCLI.exe" CONFIG -i "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\global.ini"

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM]" "SetCPMGlobalSettingsActionID"="{id of active action}"

// Switch Site for beta and production

if {(name of current site as string as lowercase) contains "beta"}

// Switch opr AU to pre-opr AU for beta

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM\AuUpdater]" "CloudUrl"="http://esp-p.pre-opr-au.trendmicro.com/activeupdate"

// Switch BigFix compliance for beta

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM\BigFixCompliance\License]" "SiteName"="Trend Core Protection Module BETA"

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM\BigFixCompliance\License]" "SiteURL"="http://sync.bigfix.com/cgi-bin/bfgather/trendcpmbeta"

else

// recovery pre-opr AU to opr AU for CPM 10.5 beta

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM\AuUpdater]" "CloudUrl"="http://esp-p.activeupdate.trendmicro.com/activeupdate"

// recovery BigFix compliance for CPM 10.5 beta

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM\BigFixCompliance\License]" "SiteName"="Trend Core Protection Module"

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM\BigFixCompliance\License]" "SiteURL"="http://sync.bigfix.com/cgi-bin/bfgather/trendcpm"

endif

waithidden "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\BigFixLicenseChecker.exe"

// set install time.

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM\client]" "InstallTime"="{apparent registration server time}"

// Enable Endpoint Autoupdate automatically

if {(exists key "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" whose (exists value "Application Path" whose (exists (it as folder) whose (exists file "TMCPMAuUpdater.exe" of it)) of it) of registry) AND (not exists setting "CPM_InRollbackState" whose (exists value whose (it as integer = 1) of it) of client) AND ((exists key "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." whose (exists value "ProgramVer" whose (it as string as version >= "1.5") of it) of registry))}

// Windows: Set flag

regset "[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM\client]" "EnableAutoUpdate"=dword:00000001

//Unsubscribe the custom site if the site has been subscribed.

if {exists site "CustomSite_FileOnlyCustomSite_CPMAutoUpdate"}

custom site unsubscribe CustomSite_FileOnlyCustomSite_CPMAutoUpdate on "{parameter "action issue date" of action}"

endif

// Subscribe to Custom Site

custom site subscribe CustomSite_FileOnlyCustomSite_CPMAutoUpdate as "FileOnlyCustomSite_CPMAutoUpdate" on "{parameter "action issue date" of action}"

//End - Enable Endpoint Autoupdate automatically

endif

// if necessary, reboot the machine.

if {x64 of operating system}

if {(exists key "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\HIPS" whose (exists value "NeedRebootForDrivers" of it) of x64 registry) OR (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\HIPS" whose (exists value "NeedRebootForDrivers" of it) of registry) OR (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Volatile" of registry)}

// reboot

action requires restart {"CPM_DEPLOY"}

else

//in case of any pending file rename operations

//action may require restart {"CPM_DEPLOY"}

endif

else

if {(exists key "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\HIPS" whose (exists value "NeedRebootForDrivers" of it) of registry) OR (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Volatile" of registry)}

// reboot

action requires restart {"CPM_DEPLOY"}

else

//in case of any pending file rename operations

//action may require restart {"CPM_DEPLOY"}

endif

endif

// OfficeScan installation reboot check

if {(exists file "CPMInstallResult.log" whose (exists line whose (it as string contains "Status=6") of it) of windows folder)}

action requires restart {"CPM_DEPLOY"}

endif

Hi,

Can you collect the log from %WINDOWS%\CPMInstallResult.log?

Is this a clean installation or upgrade?

Have you opened a support case with IBM or Trend Micro?

Yes, Service request created. Here are the lines from the CPMInstallResult.log:

[InstallResult]
StartTime=2016/02/16 00:05:45
Status=3
Error=-19
FinishTime=2016/02/16 00:26:00
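
The `[InstallResult]` block above and the action script's final restart test (a line of CPMInstallResult.log containing "Status=6"), worked through as an added example that is not part of the thread or of the CPM Fixlet: it parses the log, computes the install duration, and contrasts the script's substring match with an exact comparison of the Status field. The function names are this example's own, and treating a non-zero Error as a failure is an assumption.

```python
import configparser
from datetime import datetime

# Constructed sample: the [InstallResult] block quoted in the thread.
SAMPLE_LOG = """[InstallResult]
StartTime=2016/02/16 00:05:45
Status=3
Error=-19
FinishTime=2016/02/16 00:26:00
"""
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"


def parse_install_result(text):
    """Return typed fields from the [InstallResult] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    section = parser["InstallResult"]
    start = datetime.strptime(section["StartTime"], TIME_FORMAT)
    finish = datetime.strptime(section["FinishTime"], TIME_FORMAT)
    return {
        "status": int(section["Status"]),
        "error": int(section["Error"]),
        "elapsed_seconds": int((finish - start).total_seconds()),
    }


def script_reboot_check(text):
    """Mirror the action script: any line containing 'Status=6' matches."""
    return any("Status=6" in line for line in text.splitlines())


def strict_reboot_check(text):
    """Compare the parsed Status field exactly instead of by substring."""
    return parse_install_result(text)["status"] == 6


def summarize(text):
    """Triage summary for one CPMInstallResult.log."""
    result = parse_install_result(text)
    result["restart_required"] = strict_reboot_check(text)
    # Assumption: a non-zero Error field means the installer reported a failure.
    result["installer_error"] = result["error"] != 0
    return result


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The thread does not say what Status=3 or Error=-19 mean, so the summary reports them without interpreting them.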