Trend Micro products leverage the ‘Smart Protection Network’ (SPN) which is essentially Trend Micros cloud network providing analysis and protection against malware and other malicious threats. The enterprise protection products have the ability to talk direct to the SPN or you can install a local appliance and configure your systems to talk to that and only go to the SPN if they do not have communication to your local appliance.
For reference here are some links for the SPN that may be of interest –
Next I have some useful links for the Trend Micro ‘Smart Protection Server’ (SPS) appliance – this is a locally installed appliance which your Trend Micro products connect to and forward URLs or file hashes for verification.
- Trend Micro SPS Download Page
- Trend Micro SPS Installation and Upgrade Guide
- Trend Micro SPS Administrator Guide
If you are interested in replacing the default self-signed SSL/TLS certificate after deployment then I have created a post on this here – https://www.bytesizedalex.com/trend-micro-smart-protection-server-ssl-tls-certificate-replacement/
In a production environment I strongly recommend the deployment of multiple SPS appliances for load balancing and high availability. Trend Micro products which can be configured to use SPS appliances typically give you the option to either direct traffic to a collection of SPS appliances in order or randomly. When running multiple SPS appliances I would suggest targeting them randomly to balance the load though of course a lot depends on your setup and networking.
I’m going to deploy to my home lab running on VMware ESXi, you can deploy the SPS appliance on other hypervisors – check the installation guide link above for full details.
The minimum hardware requirements are as follows –
- 2 vCPU – 2Ghz frequency recommended
- 2GB RAM
- 30GB hard drive – 35GB is recommended and I would suggest you consider it as the minimum value
- SCSI Controller – LSI Logic SAS
- 1 vNIC – note only the E1000 and VMXNET3 NICs are supported on ESXi
Note the following from the installation guide –
- Smart Protection Server is a CPU-bound application. This means that increasing CPU resources increases the number of simultaneous requests handled
- Network bandwidth may become a bottleneck depending on network infrastructure and the number of simultaneous update requests or connections
- Additional memory might be required if there is a large number of concurrent connections between Smart Protection Servers and endpoints
I created a virtual machine in ESXi, the summary settings are displayed below for reference.
Now it is time to power on the machine with the CD ISO image attached and run through the installation. If you feel the need you can run a memory test using option 2 though I don’t feel there is much need for this on a virtual machine install. Selecting option 1 proceeds with the installation.
The installer will jump between a few screens as it loads drivers and other components, once complete it will return to the installation menu where the option to select an appropriate language is presented.
Next we need to accept the end user license agreement (EULA).
Time to select the appropriate keyboard layout.
The installer provides a summary of the hardware configuration, at this point it would also identify any issues in terms of hardware configuration, e.g lack of resource.
Now we need to configure the appliance hostname and network settings. Obviously this configuration is dependent on your own network setup. In my case I’m going to set everything manually for this appliance. Clicking on the ‘Edit’ button will provide access to the IP address assignment and will then unlock the ‘Miscellaneous Settings’.
This screen presents a world map with yellow icons denoting various regions to aid in time zone configuration.
It is very important to configure a strong password for the appliance root and admin accounts. As always using a lengthy combination of alpha, numeric and special symbols is the best approach.
Finally we are presented with a summary of our settings, clicking to install presents a warning to indicate any data on the disk will be erased as part of the installation.
The virtual machine can now be rebooted and we can then move on to the web configuration. If you check the VM status you will notice that the VMware tools do not show as installed, Trend Micro include the VMXNET3 driver but nothing else. Personally I’ve always installed the tools to benefit from the other features they provide and I’ve never had an issue on my production systems so I always install them at this point.
Install VMware Tools
To install the tools it is necessary to logon to the SPS appliance as the root user, the following commands can then be executed once the VMware tools installation has been launched.
-bash-3.2# mkdir /mnt/cdrom -bash-3.2# mount /dev/cdrom /mnt/cdrom -bash-3.2# cp /mnt/cdrom/VMwareTools-*.tar.gz /tmp -bash-3.2# tar -zxf /tmp/VMwareTools-*.tar.gz -C /tmp -bash-3.2# cd / -bash-3.2# ./tmp/vmware-tools-distrib/vmware-install.pl --default -bash-3.2# rm -f /tmp/VMwareTools-*.tar.gz -bash-3.2# rm -rf /tmp/vmware-tools-distrib
Web Interface Configuration
Once the VM has loaded the console will show a screen similar to the one below. It provides us with the information we need to configure other Trend Micro products to use this SPS appliance as well as giving us the link to the web configuration page.
You will notice that the secure page presents a certificate error, this is due to the fact it is running a self signed certificate. I will create a separate post on how to change the SPS appliance certificate. (Update – here is the link to my post on certificate replacement https://www.bytesizedalex.com/trend-micro-smart-protection-server-ssl-tls-certificate-replacement/)
Logon using the admin credentials created during the installation process.
On first logon the system will walk us through a short setup wizard. There isn’t really much need to change any of these settings, the only two you might consider are the feedback and proxy settings.
Once the wizard is finished the home page is displayed.
It’s now time to configure the last few options – they are highly dependent on the environment so I will simply present them and where necessary provide advice.
First we have the URL block list menu, if you need to specify your own rules you can do so here. –
If you have a Deep Discovery Advisor you can register the SPS to it.
In my production environment I configure SPS appliances to update every 15 minutes – this helps to ensure rapid deployment of definitions etc to help prevent zero hour/day exploits.
I also leave the system to automatically check for program updates as this reduces management overheard and also keeps the appliance up to date with important patches.
Depending on your requirements you can configure log management.
The appliance can be configured for SNMP and to forward notifications via e-mail.
Diagnostics can be generated from the Support menu.
There are other options and settings that I’m not going to discuss in this post – suffice to say at this point the SPS appliance is ready to service requests from Trend Micro products. As I said at the beginning I recommend multiple SPS appliances be deployed to balance load and provide high availability.