User exceptions on Trend Micro firewall

Hi all,

Does anyone know if the Trend Micro Firewall that comes with BigFix Protection can be modified by a user on the endpoint to allow a certain program and/or open up extra ports? At the moment it looks like it can only be changed by a configuration profile, but sometimes it is necessary for some (power) users to punch a hole now and then. There does not seem to be a UI, and the CPM documentation has nothing on this. Perhaps there is some field experience out there? I'd like to hear from you, thanks!

Hi @RichardB

Yes, this is possible, but not very handy. The manageability of CPM is very poor, but so is the workaround.

First of all, every task you create (firewall, web reputation exclusion, etc…) is in fact just an .ini file that gets copied to your clients.

For Firewall:

"{((value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string) & "…\OfficeScan Client\PFW")}\new_cfw_policy.ini

So it will be in C:\Program Files (x86)\Trend Micro\OfficeScan Client\PFW (for a default installation on 64-bit machines).

There you will find the .ini files for the firewall (I did not look into that yet, so can’t help you with editing it).

You need to have Admin Rights on the computer to edit the .ini files.

Besides that, it also depends on how your self protection is configured. Normally you configure it so that no registry, installation folder or service can be edited/deleted/stopped/… If that’s the case, then you first need to change that on the endpoint (through BigFix console, there is no way of unloading the program) and then you can start editing the file.

So is it possible? Yes (although I didn’t test it). Is it handy? Well, I’ll let you decide :)

Hope this helps. If you have any questions left, let me know!


Indeed, CPM manageability is a bit so-so, but your addition makes sense. I know any user-made change will also undermine the uniformity in FW configuration throughout the deployment. Also, any revised configuration that gets deployed will overwrite the user's settings again. Also not an ideal situation. But thank you for your comment on this, and I will see what we can do with it.

@RichardB what’s the program version you're using?

CPM 11.0 SP1 (11.0.3042) with BF client 9.2.8

CPM 11.0 SP1 has the client self-protection enabled by default, but you can easily disable it by playing around with the registry. Like @steini44 suggested, everything is configured in the .ini files, and these can easily be changed by anyone who has access to them. You then have to re-run adptr.exe with the .ini parameters for the change to take effect; again, this has to be a custom coded one.

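
A way to detect the local edits discussed in this thread, as an added example that is not part of any post or of CPM itself: a PowerShell script that hashes the .ini files in the PFW folder and reports drift from a recorded baseline. The folder is the default path quoted above; the baseline file location and the function names are hypothetical choices.

```powershell
# Added example: detect local changes to the CPM firewall .ini files.
param(
    # Default 64-bit install path quoted in the thread.
    [string]$PfwDir   = 'C:\Program Files (x86)\Trend Micro\OfficeScan Client\PFW',
    # Hypothetical location; keep it where standard users cannot write.
    [string]$Baseline = 'C:\ProgramData\pfw-baseline.json'
)

function Get-PfwManifest([string]$Dir) {
    # Map each .ini file name to its SHA-256 hash.
    $m = @{}
    Get-ChildItem -LiteralPath $Dir -Filter '*.ini' -File | ForEach-Object {
        $m[$_.Name] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $m
}

function Compare-PfwManifest([hashtable]$Expected, [hashtable]$Actual) {
    # Report files that are missing, changed, or new relative to the baseline.
    $findings = @()
    foreach ($name in $Expected.Keys) {
        if (-not $Actual.ContainsKey($name)) { $findings += "MISSING  $name" }
        elseif ($Actual[$name] -ne $Expected[$name]) { $findings += "MODIFIED $name" }
    }
    foreach ($name in $Actual.Keys) {
        if (-not $Expected.ContainsKey($name)) { $findings += "ADDED    $name" }
    }
    return $findings
}

$current = Get-PfwManifest $PfwDir

if (-not (Test-Path -LiteralPath $Baseline)) {
    # First run: record the current state as the known-good baseline.
    $current | ConvertTo-Json | Set-Content -LiteralPath $Baseline -Encoding UTF8
    Write-Output "Baseline written to $Baseline"
    exit 0
}

# ConvertFrom-Json yields a PSCustomObject; turn it back into a hashtable.
$expected = @{}
(Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $expected[$_.Name] = $_.Value }

$findings = Compare-PfwManifest $expected $current
if ($findings) { $findings | ForEach-Object { Write-Output $_ }; exit 1 }
Write-Output 'No drift in PFW .ini files'
exit 0
```

The baseline has to be regenerated after each new firewall task is deployed, since a deployment overwrites the .ini files as noted in the thread.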