TABLE OF CONTENTS
This guide covers the items you should review and configure to get your Trend Micro Worry Free tenant up and running based on your organizational requirements.
The complete Trend Micro Worry Free Services online help can be viewed here.
To access your Worry Free management console, use the below URL. On the sign in page, enter your account username and password.
https://wfbs-svc-nabu.trendmicro.com/?TenantID=66c2U
The Worry Free management console has a very robust online help system. For detailed information and step-by-step instructions, you should reference the online help system. If you are new to Worry Free, check out the How-To Videos provided by Trend Micro.
If you need further assistance, please submit a ticket via the Evolve IP Support Page, or use the information listed in the Worry Free Technical Support page.
You are billed for the number of server & desktop licenses (seats) allocated to your Worry Free tenant, not what you use. If you need to change the number of seats allocated to your Worry Free tenant, please submit a ticket via the Evolve IP Support Page or contact your Evolve IP Client Technology Advisor (CTA).
To view your allocation, sign into the Worry Free management console, navigate to Administration > Licensing Information, and check the desktop/server seat count.
To view the number of seats you are using, navigate to Security Agents and check the number next to All Security Agents.
When a new Worry Free tenant is provisioned, the user account created during the provisioning process is assigned the tenant administrator role. This account has special permissions to view product licensing and to manage user accounts within the Worry Free Management Console.
There can only be one tenant admin, and the tenant admin is the only account that can manage user accounts in the Worry Free management console.
Additionally, when a tenant admin creates user accounts in the Worry Free management console, the usernames chosen must be unique across all Worry Free tenants managed by Evolve IP. Therefore, if you receive a message that a username has already been taken, it's because that username is being used in another Worry Free tenant managed by Evolve IP.
To manage the tenant admin account, sign into the Trend Micro Products/Services Portal, and click on My Account in the top-right corner of the page.
Using the tenant admin account, sign into the Worry Free Management Console, and go to Administration > User Accounts
The Worry Free management console has 3 predefined roles that can be assigned to user accounts. These roles cannot be changed, and new roles cannot be created.
| Role | Description |
|---|---|
| Administrator | Can access all features and functions except user account management. |
| Support Administrator | Can access all Security Agent management features and can also create reports. |
| Auditor | View only access to most features and functions. |
You reset your account password on the sign-in page. Evolve IP cannot reset passwords for you.
When you reset your password, the email address associated with your user account will receive an email notification with instructions.
Important Note: The email notification will have a "From" address of support@evolveip.net, but it will come from the Trend Micro email servers. This may trigger anti-spoofing rules in your email gateway, and therefore, we recommend whitelisting the Trend Micro email relay servers. Trend Micro Email Relay Servers
|
Administration settings include the below. For detailed information about these settings, consult the online help from within the Worry Free Management Portal:
Administration > Notifications
Configure Worry Free to send email messages for Action Required and Warning events. If needed, you can customize the messaging in your alerts and warnings along with the ability to set thresholds for the warning events. All emails are sent out in plain text from the Trend Micro email servers using a from address of WFBS-SVC@TrendMicro.com.
Note: At the top of the Notifications configuration page is a link to an online help page that defines the variables (Trend calls them tokens) that can be used in your emails. Pay close attention to the Alert Type column. The variables listed can only work in those types of alerts. |
Security Agents > Manual Groups
Manual Groups are custom groups that you create to categorize your endpoints and apply custom policies. Each group has its own set of policy settings, and the policy settings can be copied/replicated to other groups. To create new groups, click the Add icon in the top-right of the Security Agents area.
Note: The groups cannot be nested, and they are sorted alphabetically. |
The default groups are the permanent, out-of-the-box groups used to apply policies against endpoints that have not been assigned to a custom group or a domain group if AD sync is enabled. Both of the default groups have their own set of policies.
The Server (Default) group is for endpoints running Windows Server. The Device (Default) group is for endpoints running Windows client operating systems, Mac OS, Android, and iOS.
Evolve IP can define the default policy settings to get you started. However, we strongly suggest you take the time to become familiar with all of the policy settings, and make changes based on your requirements. |
Here are some suggestions when creating manual groups for your endpoints.
Manage endpoints based on specific criteria, such as an IP address range or operating system. There are two default, out-of-the-box filter groups to start with. To create new filters, click the Add icon in the top-right of the Security Agents area.
Filter criteria include:
One might think you go to the POLICIES section to manage all polices within Worry Free. However, this is not the case. Instead, you go here to manage global policy settings.
Global Policy settings apply to all managed endpoints in your Worry Free tenant. This includes:
*Important However, policies configured against manual groups or a domain group (AD synced OU), do accept the wildcard * character for folders and files. |
Where applicable, the global exception lists can be overridden by policy settings configured against a manual group or a domain group (AD synced OU). |
Each Manual Group in Worry Free has its own set of policy settings. To access a group's policy settings, select the group, and click the Configure Policy button.
Note that the policy settings for a manual group can be copied/replicated to another group.
In larger deployments, we recommend creating some empty groups and pre-configure them with certain settings that can be replicated to new groups in the future. For example, you could create a few groups with the word TEMPLATE in their name. Each template group would have a different set of policies settings, which you can replicate to new groups as a starting point.
For a full list of policy settings and their descriptions, consult the Worry Free Online Help.
Domain groups are created when you sync your Active Directory (AD) organizational unit structure to Worry Free. Each OU in your AD is represented as a Domain Group.
When it comes to policy settings, domain groups follow an inheritance architecture with each group inheriting the policy settings of its parent group. If needed, you can break the inheritance.
Policy settings are configurable in all Manual Groups and all Domain Groups when syncing Active Directory. The settings in a Manual Group can be replicated to another Manual Group. The settings in Domain Groups are inherited from their parent group, but the inheritance can be broken.
For detailed information about each setting, consult the online help from within the Worry Free management console.
From here you can do the following:
Choose an operating system to configure in the policy. If needed, turn off all policy modules for the operating systems that will not be configured for the policy. For example, if you're configuring a policy for Mac computers, turn off all of the modules in the Windows operating system.
Note that the Windows operating system has the most policy settings. The others are limited in the amount of settings.
Select the modules you wish to enable/disable & configure.
Behavior Monitoring & Firewall are only available on the Windows OS. |
Select the modules you wish to enable/disable & configure.
Data Loss Prevention is only available for the Windows OS. |
Select the modules you wish to enable/disable & configure.
The Access Control modules are only available for the Windows OS. |
These exception lists override the global exception lists. They are not in addition to the global exception lists.
Also, there is no way to copy a global exception list into these exception lists. So, plan accordingly, and consider creating empty group templates as described in the above policy groups section. This will allow you to make changes to the template group, and then copy/replicate the changes to other groups.
Blocked URLs are not available on the Mac operating system. |
Manage a user's interactions with the agent installed on their endpoint. This includes giving a user the permissions to run a manual scan, view firewall settings, and configure alert settings.
You can also prevent users and other processes from modifying the Trend Micro program files, registries, and processes. Enabling this setting is highly recommended.
Administration > Active Directory Settings
Active Directory integration allows you to manage your endpoints using your Active Directory (AD) organizational unit (OU) structure. You can set up automatic synchronization with your Active Directory structure using the Trend Micro Common Active Directory Synchronization Tool.
The following are some general notes and observations that are not included with the integration instructions provided by Trend Micro. This should help with planning and troubleshooting your AD integration.
Here's an example screenshot of what a synced AD OU structure looks like in the Worry Free management portal.
There are 2 ways to deploy the Windows agent:
The following requirements must be met before installing the agent:
Whichever method you use to deploy the agent, you should consider a few things:
By default, the Trend Micro "ActiveUpdate" service in the agent checks for updates hourly.
The ActiveUpdate service provides the latest downloads of virus pattern files, scan engines, and program files through the Internet. ActiveUpdate does not interrupt network services or require you to restart endpoints.
Additionally, the ActiveUpdate service supports incremental updates of pattern files. Rather than downloading the entire pattern file each time, the ActiveUpdate service can download only the portion of the file that is new, and append it to the existing pattern file. This efficient update method can substantially reduce bandwidth needed to update your antivirus software.
For detailed information about the agent update processes and the components that get updated, check the online help under the Security Agent Management section.
The ransomware protection in Worry Free uses the Behavior Monitoring feature within the agent. Because ransomware is a rapidly moving target, the behavior monitoring feature will likely cause some false positives.
To deal with these false positives, you'll need to exclude certain applications from being watched by behavioral monitoring, which can be done globally or within each individual policy.
To exclude apps globally: Policies > Global Exception Lists > Trusted Windows Program List
To exclude apps in a policy: Windows OS > Exception Lists > Scan Exclusions
In the Reports section, you can create & schedule (weekly & monthly) PDF reports to view summaries and details about detected threats. Reports also include rankings to identify the most vulnerable endpoints.
You cannot create an inventory/status report from the Reports section of the Worry Free management console.
However, there is a manual workaround for creating an inventory/status report, which is to export a CSV file in the Security Agents section.
Note: You can export any view of your endpoints (Manual Groups, Domain OUs, or Filters). |