Trend Micro OfficeScan

Trend Micro OfficeScan is a security and virus scanning product that can further contextualize data about your users.

Before You Begin

Trend Micro OfficeScan cannot send syslog directly to InsightIDR. However, there are two methods you can use for InsightIDR to read Trend Micro data: capture the OfficeScan events with NXLog on the OfficeScan server, or forward them through Trend Micro Control Manager.

You must be a Trend Micro OfficeScan administrator in order to configure any changes within the appliance.

Configure NXLog to capture OfficeScan events

To use NXLog to capture the OfficeScan events:

  1. Configure the OfficeScan event source in InsightIDR
  2. Configure OfficeScan to log its events into the Windows Application log
  3. Install NXLog onto the OfficeScan server and configure NXLog to collect the OfficeScan events and forward them to InsightIDR

Configure InsightIDR to collect data from the event source

Unlike other event sources, you should configure the Trend Micro OfficeScan event source before you configure the appliance itself.

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Trend Micro OfficeScan in the event sources search bar.
    • In the Product Type filter, select Virus Scan.
  3. Select the Trend Micro OfficeScan event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.

  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Configure your default domain and any Advanced Event Source Settings.
  8. Select a collection method and specify a port and a protocol. For the Trend Micro OfficeScan event source, it is recommended that you select Syslog - TCP. Choose to encrypt the event source and download the Rapid7 Certificate.
    • Note that you need the Rapid7 Certificate when configuring NXLog on the Trend Micro OfficeScan server.
  9. Click the Save button.

Configure OfficeScan Events

First ensure that the Trend Micro OfficeScan server events are written into the Windows Application log before events can be sent anywhere else.

To write server events to the Windows application log:

  1. Sign in to your Trend Micro OfficeScan console as the root user.
  2. On the left menu, select Notifications > Administrator Notifications > Standard Notifications.
  3. Select the NT Event Log tab on the right.
  4. In the “Spyware/Grayware Detections” section, check the Enable notification via NT Event Log box.
  5. You can accept the default message, or modify the message using the following variables:
  Type               Variable   Description
  Virus/Malware      %v         Virus/Malware name
  Virus/Malware      %s         Endpoint with virus/malware
  Virus/Malware      %i         IP address of the endpoint
  Virus/Malware      %c         MAC address of the endpoint
  Virus/Malware      %m         Domain of the endpoint
  Virus/Malware      %p         Location of virus/malware
  Virus/Malware      %y         Date and time of virus/malware detection
  Virus/Malware      %e         Virus Scan Engine version
  Virus/Malware      %r         Virus Pattern version
  Virus/Malware      %a         Action performed on the security risk
  Virus/Malware      %n         Name of the user logged on to the infected endpoint
  Spyware/Grayware   %s         Endpoint with spyware/grayware
  Spyware/Grayware   %i         IP address of the endpoint
  Spyware/Grayware   %m         Domain of the endpoint
  Spyware/Grayware   %y         Date and time of spyware/grayware detection
  Spyware/Grayware   %n         Name of the user logged on to the endpoint at the time of detection
  Spyware/Grayware   %T         Spyware/Grayware and scan result
  Spyware/Grayware   %v         Spyware/Grayware name
  Spyware/Grayware   %a         Action performed on the security risk
  6. Click the Save button.
  7. Select the Criteria tab.
  8. In the “Spyware/Grayware Detections” section, select the Send notifications when spyware/grayware is detected radio button.
  9. Click the Save button.

You can read more information about Administrator Notifications from the following Trend Micro links:

Generate a Test Event

You can generate an event in OfficeScan to test whether or not events are being written into the Windows Application log as expected.

To do so, you can download a test malware file or string called “eicar” for this exact purpose. Follow the directions here: http://docs.trendmicro.com/all/ent/de/v1.5/en-us/de_1.5_olh/ctm_ag/ctm1_ag_ch8/t_test_eicar_file.htm

Configure NXLog

You can use NXLog to capture events from the OfficeScan server.

To do so:

  1. Install NXLog onto your Trend Micro OfficeScan server. Stop the NXLog service if it has started.
  2. Copy the Rapid7 Certificate to the location specified in the nxlog.conf file, or C:\Program Files (x86)\nxlog\cert\Rapid7CA.pem
  3. Replace the contents of the nxlog.conf file with the following:
## See the nxlog reference manual about more configuration options
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Include fileop when rotating logs or while debugging
<Extension fileop>
    Module xm_fileop
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

# This input module will read in TrendMicro events from the Windows Application log.
# First, configure TrendMicro OfficeScan to write its logs to the Application log.
# These events should go into the Application log on the TrendMicro OfficeScan server.
# The event codes for Trend are Event IDs 500, 600, 700, and 800. Check your application log
# and adjust this module to collect the events desired.
# Finally, the logs are forwarded to InsightIDR in Snare format. This is the format expected
# in the TrendMicro OfficeScan event source.
<Input eventlog>
    Module im_msvistalog
    ReadFromLast False
    Query <QueryList> \
            <Query Id="0"> \
                <Select Path="Application">*</Select> \
            </Query> \
          </QueryList>
    <Exec>
        if ($EventID == 500 OR $EventID == 600 OR $EventID == 700 OR $EventID == 800) \
        { \
            $Message = replace($Message, "\t", " "); \
            $Message = replace($Message, "\n", " "); \
            $Message = replace($Message, "\r", " "); \
            $raw_event = $Message; \
            to_syslog_snare(); \
        } \
        else drop();
    </Exec>
</Input>

# This output module forwards the events to your InsightIDR collector using
# secure syslog. If you wish to use another output method, please see the nxlog documentation.
<Output ssl_tcp_out>
    Module om_ssl
    # Change this to the IP address of your Insight collector
    Host 10.2.1.34
    # Change this to the port the event source is configured to use
    Port 5667
    CAFile C:\Program Files (x86)\nxlog\cert\Rapid7CA.pem
    #AllowUntrusted TRUE
</Output>

# If following other files, add to input path; i.e. eventlog, file1, file2 => ssl_tcp_out
<Route EventLog>
    Path eventlog => ssl_tcp_out
</Route>
  4. Edit the Host and Port values in the Output section of the nxlog.conf file so that the Trend Micro OfficeScan events are sent to your InsightIDR Collector on the port you configured for the event source.
  5. Save the file and then start the NXLog service.

Verify the Configuration

To verify that this configuration works, look for events in InsightIDR that are in the following format:

2015-04-06 15:32:12 PVBTMAV.mycompany.com WARNING 500 NT AUTHORITY\SYSTEM Virus/Malware: Eicar_test_1 Computer: IT68 Domain: tor\Platte_city\ File: C:\Users\jsmith\Desktop\New Text Document.txt Date/Time: 4/6/2015 15:31:35 Result: Virus successfully detected, cannot perform the Clean action (Quarantine)
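As an added illustration (not from the Rapid7 page or from NXLog itself), the following Python mirrors the Exec filter in the nxlog.conf above and then splits a forwarded line into its fields, so you can check a captured line against the format documented here before hunting through the InsightIDR console. The sample line is constructed to match the one shown above; the field names are assumptions for this example.

```python
import re

# Constructed sample, shaped like the verification line the page documents.
SAMPLE_EVENT = (
    "2015-04-06 15:32:12 PVBTMAV.mycompany.com WARNING 500 NT AUTHORITY\\SYSTEM "
    "Virus/Malware: Eicar_test_1 Computer: IT68 Domain: tor\\Platte_city\\ "
    "File: C:\\Users\\jsmith\\Desktop\\New Text Document.txt "
    "Date/Time: 4/6/2015 15:31:35 "
    "Result: Virus successfully detected, cannot perform the Clean action (Quarantine)"
)

# Event IDs the page's nxlog.conf forwards; every other Application-log event is dropped.
OFFICESCAN_EVENT_IDS = {500, 600, 700, 800}


def normalize_message(event_id, message):
    """Mirror the <Exec> block: keep only OfficeScan event IDs and flatten
    tabs and line breaks so the message travels as a single syslog line.
    Returns None where NXLog would call drop()."""
    if event_id not in OFFICESCAN_EVENT_IDS:
        return None
    for ch in ("\t", "\n", "\r"):
        message = message.replace(ch, " ")
    return message


# Header: date time host level event_id user, then the OfficeScan body.
# The user is matched lazily because "NT AUTHORITY\SYSTEM" contains a space.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>\S+) (?P<event_id>\d+) "
    r"(?P<user>.+?) (?P<body>Virus/Malware: .*)$"
)
# Body keys appear in the fixed order the verification line shows.
BODY_RE = re.compile(
    r"^Virus/Malware: (?P<virus>.*?) Computer: (?P<computer>.*?) "
    r"Domain: (?P<domain>.*?) File: (?P<file>.*?) "
    r"Date/Time: (?P<detected>.*?) Result: (?P<result>.*)$"
)


def parse_officescan_event(line):
    """Return a dict of fields, or None if the line is not in the documented shape."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    body = BODY_RE.match(head.group("body"))
    if not body:
        return None
    fields = head.groupdict()
    del fields["body"]
    fields["event_id"] = int(fields["event_id"])
    fields.update(body.groupdict())
    return fields
```

A line that parses here but never appears in InsightIDR points at the collector, port, or certificate settings rather than at the OfficeScan notification configuration.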

Configure Trend Micro Control Manager

If you also have Trend Micro Control Manager, you can configure OfficeScan to forward its data to the Control Manager, which can then forward it to a syslog server. The following instructions are for Control Manager version 6.0.

To configure syslog forwarding:

  1. Sign in to the Control Manager console.
  2. From the top menu, select Administration > Event Center > General Event Settings.
  3. In the “SysLog Settings” box, enter the IP address of the InsightIDR collector and the unique server port on which you want to receive OfficeScan data.
  4. Click the Save button.
  5. From the top menu, select Administration > Event Center.
  6. Expand the Alert section and for each event, select the Recipients link.
  7. On the “Recipients” page, check the boxes for Windows event log notification and Syslog.
  8. Click the Save button.
  9. Click the OK button to finish the configuration.

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found.