Trend Micro OfficeScan

Trend Micro OfficeScan is a security and virus scanning product that can further contextualize data about your users.

Before You Begin

Trend Micro OfficeScan cannot send syslog directly to InsightIDR. However, there are two methods you can use for InsightIDR to read Trend Micro data:

  1. Install NXLog on the OfficeScan server and have it forward the OfficeScan events from the Windows Application log to InsightIDR.
  2. Forward OfficeScan data to Trend Micro Control Manager and configure Control Manager to send syslog to the InsightIDR collector.

You must be a Trend Micro OfficeScan administrator in order to configure any changes within the appliance.

Configure NXLog to capture OfficeScan events

To use NXLog to capture the OfficeScan events:

  1. Configure the OfficeScan event source in InsightIDR
  2. Configure OfficeScan to log its events into the Windows Application log
  3. Install NXLog onto the OfficeScan server and configure NXLog to collect the OfficeScan events and forward them to InsightIDR

Configure the OfficeScan Event Source

Unlike other event sources, you should configure the Trend Micro OfficeScan event source before you configure the appliance itself.

To do so:

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Virus Scan icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Configure your default domain and any Advanced Event Source Settings.
  8. Select a collection method and specify a port and a protocol. For the Trend Micro OfficeScan event source, it is recommended that you select Syslog - TCP. Choose to encrypt the event source and download the Rapid7 Certificate.
    • Note that you need the Rapid7 Certificate when configuring NXLog on the Trend Micro OfficeScan server.
  9. Click the Save button.

Configure OfficeScan Events

Before events can be sent anywhere else, ensure that the Trend Micro OfficeScan server writes its events into the Windows Application log.

To write server events to the Windows application log:

  1. Sign in to your Trend Micro OfficeScan console as the root user.
  2. On the left menu, select Notifications > Administrator Notifications > Standard Notifications.
  3. Select the NT Event Log tab on the right.
  4. In the “Spyware/Grayware Detections” section, check the Enable notification via NT Event Log box.
  5. You can accept the default message, or modify the message using the following variables:

Type              Variable   Description
Virus/Malware     %v         Virus/Malware name
Virus/Malware     %s         Endpoint with virus/malware
Virus/Malware     %i         IP address of the endpoint
Virus/Malware     %c         MAC address of the endpoint
Virus/Malware     %m         Domain of the endpoint
Virus/Malware     %p         Location of virus/malware
Virus/Malware     %y         Date and time of virus/malware detection
Virus/Malware     %e         Virus Scan Engine version
Virus/Malware     %r         Virus Pattern version
Virus/Malware     %a         Action performed on the security risk
Virus/Malware     %n         Name of the user logged on to the infected endpoint
Spyware/Grayware  %s         Endpoint with spyware/grayware
Spyware/Grayware  %i         IP address of the endpoint
Spyware/Grayware  %m         Domain of the endpoint
Spyware/Grayware  %y         Date and time of spyware/grayware detection
Spyware/Grayware  %n         Name of the user logged on to the endpoint at the time of detection
Spyware/Grayware  %T         Spyware/Grayware and scan result
Spyware/Grayware  %v         Spyware/Grayware name
Spyware/Grayware  %a         Action performed on the security risk

  6. Click the Save button.
  7. Select the Criteria tab.
  8. In the “Spyware/Grayware Detections” section, select the Send notifications when spyware/grayware is detected radio button.
  9. Click the Save button.

You can read more information about Administrator Notifications from the following Trend Micro links:

Generate a Test Event

You can generate an event in OfficeScan to test whether or not events are being written into the Windows Application log as expected.

To do so, you can download a test malware file or string called “eicar” for this exact purpose. Follow the directions here: http://docs.trendmicro.com/all/ent/de/v1.5/en-us/de_1.5_olh/ctm_ag/ctm1_ag_ch8/t_test_eicar_file.htm

Configure NXLog

You can use NXLog to capture events from the OfficeScan server.

To do so:

  1. Install NXLog onto your Trend Micro OfficeScan server. Stop the NXLog service if it has started.
  2. Copy the Rapid7 Certificate to the location specified in the nxlog.conf file, or C:\Program Files (x86)\nxlog\cert\Rapid7CA.pem
  3. Replace the contents of the nxlog.conf file with the following:
nxlog.conf:

```
## See the nxlog reference manual about more configuration options
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop when rotating logs or while debugging
<Extension fileop>
    Module xm_fileop
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

# This input module will read in TrendMicro events from the Windows Application log.
# First, configure TrendMicro OfficeScan to write its logs to the Application log.
# These events should go into the Application log on the TrendMicro OfficeScan server.
# The event codes for Trend are Event IDs 500, 600, 700, and 800. Check your application log
# and adjust this module to collect the events desired.
# Finally, the logs are forwarded to InsightIDR in Snare format. This is the format expected
# in the TrendMicro OfficeScan event source.
<Input eventlog>
    Module im_msvistalog
    ReadFromLast False
    Query <QueryList> \
        <Query Id="0"> \
            <Select Path="Application">*</Select> \
        </Query> \
    </QueryList>
    <Exec>
        # Keep only the Trend event IDs, flatten the multi-line message onto one line,
        # and emit it in Snare format; every other Application-log event is dropped.
        if ($EventID == 500 OR $EventID == 600 OR $EventID == 700 OR $EventID == 800) {$Message = replace($Message, "\t", " "); $Message = replace($Message, "\n", " "); \
            $Message = replace($Message, "\r", " "); \
            $raw_event = $Message; \
            to_syslog_snare();} \
        else drop();
    </Exec>
</Input>

# This output module forwards the events to your InsightIDR collector using
# secure syslog. If you wish to use another output method, please see the nxlog documentation.
<Output ssl_tcp_out>
    Module om_ssl
    # Change this to the IP address of your Insight collector
    Host 10.2.1.34
    # Change this to the port the event source is configured to use
    Port 5667
    CAFile C:\Program Files (x86)\nxlog\cert\Rapid7CA.pem
    # AllowUntrusted TRUE would skip verification of the collector's certificate;
    # leave it commented out except while troubleshooting the TLS connection.
    #AllowUntrusted TRUE
</Output>

# If following other files, add to input path; i.e. eventlog, file1, file2 => ssl_tcp_out
<Route EventLog>
    Path eventlog => ssl_tcp_out
</Route>
```
  4. Edit the contents of the nxlog.conf file to direct the Trend Micro OfficeScan events to the InsightIDR Collector.
  5. Save the file and then start the NXLog service.

Verify the Configuration

To verify that this configuration works, look for events in InsightIDR that are in the following format:

```
2015-04-06 15:32:12 PVBTMAV.mycompany.com WARNING 500 NT AUTHORITY\SYSTEM Virus/Malware: Eicar_test_1 Computer: IT68 Domain: tor\Platte_city\ File: C:\Users\jsmith\Desktop\New Text Document.txt Date/Time: 4/6/2015 15:31:35 Result: Virus successfully detected, cannot perform the Clean action (Quarantine)
```
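As an added verification aid, not part of the Rapid7 page or of its nxlog.conf, the following Python parses events in the format shown above into named fields, keeping only the event IDs the NXLog filter forwards. The sample lines are constructed: the first is the page's own example, the second is a grayware line in the same shape, and the third is an unrelated Application-log line that should be rejected.

```python
import re

# Event IDs the page's nxlog.conf forwards; the Exec block drops everything else.
TREND_EVENT_IDS = {500, 600, 700, 800}
# Labels in the OfficeScan message. The File value may contain spaces, so the
# message is split on these labels rather than on whitespace.
LABELS = ("Virus/Malware", "Spyware/Grayware", "Computer", "Domain",
          "File", "Date/Time", "Result")
LABEL_ALT = "|".join(re.escape(label) for label in LABELS)
# Snare header; the user may contain a space (NT AUTHORITY\SYSTEM), so it ends at the first label.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<severity>\S+) "
    r"(?P<event_id>\d+) (?P<user>.+?) (?P<message>(?:" + LABEL_ALT + r"): .*)$")
LABEL_RE = re.compile(r"(?:^|\s)(" + LABEL_ALT + r"): ")
ACTION_RE = re.compile(r"\(([^()]*)\)\s*$")  # trailing "(Quarantine)" in Result

def parse_snare_event(line):
    """Return a dict for an event in the page's format, or None when the line
    has another shape or an event ID the NXLog filter would have dropped."""
    m = HEADER_RE.match(line.strip())
    if m is None or int(m.group("event_id")) not in TREND_EVENT_IDS:
        return None
    parts = LABEL_RE.split(m.group("message"))
    # re.split with one capture group yields [lead, label, value, label, value, ...]
    fields = {lab: val.strip() for lab, val in zip(parts[1::2], parts[2::2])}
    action = ACTION_RE.search(fields.get("Result", ""))
    return {
        "timestamp": m.group("ts"), "host": m.group("host"),
        "severity": m.group("severity"), "event_id": int(m.group("event_id")),
        "user": m.group("user"),
        "threat": fields.get("Virus/Malware") or fields.get("Spyware/Grayware"),
        "endpoint": fields.get("Computer"), "file": fields.get("File"),
        "action": action.group(1) if action else None, "fields": fields,
    }

def detections(lines):
    """Parse every line and keep only those that carry a detection."""
    return [e for e in map(parse_snare_event, lines) if e and e["threat"]]

# Constructed sample input: the page's verification line, a grayware line in the same
# shape (constructed; the page does not say which event ID means spyware), and noise.
SAMPLE_LINES = [
    r"2015-04-06 15:32:12 PVBTMAV.mycompany.com WARNING 500 NT AUTHORITY\SYSTEM "
    r"Virus/Malware: Eicar_test_1 Computer: IT68 Domain: tor\Platte_city\ "
    r"File: C:\Users\jsmith\Desktop\New Text Document.txt Date/Time: 4/6/2015 15:31:35 "
    r"Result: Virus successfully detected, cannot perform the Clean action (Quarantine)",
    r"2015-04-06 16:01:03 PVBTMAV.mycompany.com WARNING 700 NT AUTHORITY\SYSTEM "
    r"Spyware/Grayware: Constructed_Sample Computer: IT12 Result: Cleaned (Clean)",
    r"2015-04-06 16:02:00 PVBTMAV.mycompany.com INFORMATION 1000 SYSTEM Service started",
]
```

Run `detections(SAMPLE_LINES)` against lines copied from InsightIDR's log search to confirm that the host, threat name, file and action are being extracted as expected.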

Configure Trend Micro Control Manager

If you also have Trend Micro Control Manager, you can configure OfficeScan to forward its data to the Control Manager, which can then forward it to a syslog server. The following instructions are for Control Manager version 6.0.

To configure syslog forwarding:

  1. Sign in to the Control Manager console.
  2. From the top menu, select Administration > Event Center > General Event Settings.
  3. In the “SysLog Settings” box, enter the IP address of the InsightIDR collector and the unique server port on which you want to receive OfficeScan data.
  4. Click the Save button.
  5. From the top menu, select Administration > Event Center.
  6. Expand the Alert section and, for each event, select the Recipients link.
  7. On the “Recipients” page, check the boxes for Windows event log notification and Syslog.
  8. Click the Save button.
  9. Click the OK button to finish the configuration.

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found.