SIMATIC Process Control System PCS 7 Trend Micro Office Scan configuration V7.3 including Patch 2
_
_____________
_
_____________
Using virus scanners 1
Configuration
2
SIMATIC
Process Control System PCS 7
Trend Micro Office Scan
configuration V7.3 including Patch 2
Commissioning Manual
08/2009
A5E02634981-01
Legal information
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.
CAUTION
without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.
NOTICE
indicates that an unintended result or situation can occur if the corresponding information is not taken into
account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation for the specific task, in particular its warning notices and
safety instructions. Qualified personnel are those who, based on their training and experience, are capable of
identifying risks and avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be adhered to. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of the Siemens AG. The remaining trademarks in this
publication may be trademarks whose use by third parties for their own purposes could violate the rights of the
owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Siemens AG
Industry Sector
Postfach 48 48
90026 NÜRNBERG
GERMANY
A5E02634981-01
Ⓟ 08/2009
Copyright © Siemens AG 2009.
Technical data subject to change
Trend Micro Office Scan configuration V7.3 including Patch 2
Commissioning Manual, 08/2009, A5E02634981-01 3
Table of contents
1 Using virus scanners ................................................................................................................................. 5
1.1 Preface...........................................................................................................................................5
1.2 Using virus scanners......................................................................................................................6
1.2.1 Introduction ....................................................................................................................................6
1.2.2 Definitions and information ............................................................................................................6
1.2.3 Principle structure of the virus scanner architecture......................................................................7
1.2.4 Using antivirus software.................................................................................................................8
2 Configuration ............................................................................................................................................. 9
2.1 Introduction ....................................................................................................................................9
2.2 Integrated firewall...........................................................................................................................9
2.3 Manual search..............................................................................................................................10
2.4 Real-time Scan.............................................................................................................................11
2.5 Scheduled Scan...........................................................................................................................13
2.6 Client Privileges and Settings ......................................................................................................14
2.7 Global Client Settings ..................................................................................................................16
2.8 Client Update ...............................................................................................................................17
2.9 Logs .............................................................................................................................................20
Trend Micro Office Scan configuration V7.3 including Patch 2
Commissioning Manual, 08/2009, A5E02634981-01 5
Using virus scanners 1
1.1 Preface
Important information about this whitepaper
The compatibility of the virus scanners recommended for PCS 7 and WinCC has been tested
with the systems. The recommended settings for these virus scanners have been chosen to
ensure the reliable real time operation of PCS 7 is not adversely affected by the virus
scanner software.
These recommendations describe how to discover and make effective as comprehensively
as possible the currently known, best possible compromise between the target, virus and
damage software, and ensure an as determinable as possible time response of the PCS 7
control system can be achieved in all operating phases.
If you choose different settings for the virus scanner, this could have negative effects on the
real-time behavior.
Purpose of this documentation
This documentation describes the recommended settings for virus scanner software in
combination with PCS 7 and WinCC following the virus scanner installation.
Required knowledge
This documentation is aimed at anyone who is involved in configuring, commissioning and
operating automated systems based on SIMATIC PCS 7 or WinCC. Knowledge of
administration and IT techniques for Microsoft Windows operating systems is assumed.
Validity of the documentation
The documentation applies to process control systems equipped with the respective product
version of PCS 7 or WinCC.
NOTICE
Note that certain virus scanners are only approved for certain product versions.
Additional information is available in the Internet at the following address:
http://support.automation.siemens.com/WW/view/en/10154608
Using virus scanners
1.2 Using virus scanners
Trend Micro Office Scan configuration V7.3 including Patch 2
6 Commissioning Manual, 08/2009, A5E02634981-01
1.2 Using virus scanners
1.2.1 Introduction
Using virus scanners in a process control system is only effective when they are part of a
comprehensive security concept. A virus scanner alone cannot protect a process control
system against hostile attacks.
The security concept PCS 7 / WinCC is available on the Internet under:
http://support.automation.siemens.com
Virus scanners should comply with the requirements described in the security concepts of
PCS 7 / WinCC.
1.2.2 Definitions and information
Basic principle
The use of a virus scanner should never inhibit a plant in runtime.
Virus scanners
A virus scanner is a software that detects, blocks or eliminates harmful program routines
(computer viruses, worms, etc.).
Scan engine (scanner module)
The scan engine is a component of the virus scanner software that can examine data for
harmful software.
Virus signature file (virus pattern file or virus definition file)
This file provides the virus signatures to the scan engine, which uses it to search through
data for harmful software.
Virus scan client
The virus scan client is a computer which is examined for viruses and managed by the virus
server.
Virus scan server
The virus scan server is a computer which centrally manages virus scan clients, loads virus
signature files and deploys them on the virus scan clients.
Using virus scanners
1.2 Using virus scanners
Trend Micro Office Scan configuration V7.3 including Patch 2
Commissioning Manual, 08/2009, A5E02634981-01 7
1.2.3 Principle structure of the virus scanner architecture
A virus scan server receives its virus signatures from the update server of the respective
virus scan manufacturer in the Internet or from an upstream virus scan server and manages
its virus scan clients.
Remote access to the virus scan server is available via web console.
Virus scan server Web console
Virus scan client Virus scan client Virus scan client
Internet
Using virus scanners
1.2 Using virus scanners
Trend Micro Office Scan configuration V7.3 including Patch 2
8 Commissioning Manual, 08/2009, A5E02634981-01
1.2.4 Using antivirus software
Information for configuration of local virus scanners
Integrated firewall of the virus scanner
The local Windows firewall is used as of PCS 7 V7.0 and configured with the SIMATIC
Security Control (SSC) component. The firewalls integrated in the virus scanners are
therefore not installed.
Manual scan (manual scan, on demand scan)
A manual scan should never be performed on virus scan clients during process mode
(runtime). This should take place at regular intervals, e.g. during maintenance, on all
computers of the system.
Automatic scan (auto-protect, on-access scanning)
With automatic scanning, it is sufficient to check the incoming data traffic.
Scheduled scan (planned search, on demand scan)
A scheduled scan should never be performed on virus scan clients during process mode
(runtime).
Displaying messages
To ensure that process mode is not inhibited, no messages should be displayed on the
virus scan clients.
Drives
To avoid overlapping scanning of network drives, only local drives are scanned.
E-mail scan
Scanning of e-mail can be disabled except on the engineering station which receives e-
mails.
Division into groups
Organize your virus scan clients in groups.
Deployment of the virus signature (pattern update)
The deployment of the virus signatures to the virus scan clients is performed by the
upstream virus scan server. Test the virus signatures in a test system before deploying
them in process mode to ensure that work correctly. Distribute the virus signatures
manually to the respective groups.
Update the virus scan engine
Do not conduct the virus scan engine update in runtime as these updates will probably
require you to restart the virus scan client.
Note on installation
The software installation must be carried out from a virus-free storage location (e.g. from a
file server with its own virus scanner or from a certified DVD). During the software
installation, automatic changes are often carried out in the operating system. An enabled
virus scanner must not obstruct or falsify the software installation.
Trend Micro Office Scan configuration V7.3 including Patch 2
Commissioning Manual, 08/2009, A5E02634981-01 9
Configuration 2
2.1 Introduction
Only Corporate Edition V7.3 of the Trend Micro "OFFICE Scan" virus scanner has been
approved for some versions of PCS 7. The settings described below that have changed in
comparison to the standard version were tested for PCS7.
Approved virus scanners for the following PCS 7 versions
You can find the latest overview of the virus scanners authorized for a PCS 7 version at the
following Internet address:
http://support.automation.siemens.com/WW/view/en/10154608
2.2 Integrated firewall
The "Install Enterprise Client Firewall" option can be disabled at the time of installation.
Configuration
2.3 Manual search
Trend Micro Office Scan configuration V7.3 including Patch 2
10 Commissioning Manual, 08/2009, A5E02634981-01
2.3 Manual search
Settings in the "Manual Scan Settings" dialog box
"Scan Target" area
"Scan mapped drives and shared folders on the network" check box: Disabled
Figure 2-1 Dialog box "Manual Scan Settings"
Configuration
2.4 Real-time Scan
Trend Micro Office Scan configuration V7.3 including Patch 2
Commissioning Manual, 08/2009, A5E02634981-01 11
2.4 Real-time Scan
Settings in the "Real-time Scan Settings" dialog box
"Scan Target" area
Check box "Enable Real-time scan": Enabled
"Scan Incoming File" check box: Enabled
Option button "Use IntelliScan – Detect true file type": Enabled
"Scan mapped drives and shared folders on the network" check box: Disabled
Figure 2-2 "Real-time Scan Settings" dialog box: Figure 1 of 2
Configuration
2.4 Real-time Scan
Trend Micro Office Scan configuration V7.3 including Patch 2
12 Commissioning Manual, 08/2009, A5E02634981-01
"Scan Action" area
"Display an alert message on the client when a virus is detected" check box: Disabled
"Use the same action for all types" check box: Enabled;
Setting selected for the "All Types" type in the "Action1" column: Pass
Figure 2-3 "Real-time Scan Settings" dialog box: Figure 2 of 2
Configuration
2.5 Scheduled Scan
Trend Micro Office Scan configuration V7.3 including Patch 2
Commissioning Manual, 08/2009, A5E02634981-01 13
2.5 Scheduled Scan
The "Enable Scheduled Scan" check box must be disabled during runtime for PC stations
operating in process mode (runtime).
Check box "Enable Scheduled Scan": Disabled
Figure 2-4 Dialog box "Scheduled search settings"
Configuration
2.6 Client Privileges and Settings
Trend Micro Office Scan configuration V7.3 including Patch 2
14 Commissioning Manual, 08/2009, A5E02634981-01
2.6 Client Privileges and Settings
Setting in the "Client Privileges and Settings" dialog box
The following areas must be disabled:
"Antivirus", "Mail Scan", "Toolbox", "Proxy Settings" and "Update Privileges"
"Display Mail Scan tab" check box: Disabled
"Display Toolbox tab" check box: Disabled
"Allow the client user to configure proxy settings" check box: Disabled
"Perform 'Update Now!'" check box: Disabled
"Enable scheduled update" check box: Disabled
Figure 2-5 "Client Privileges and Settings" dialog box: Figure 1 of 2
Configuration
2.6 Client Privileges and Settings
Trend Micro Office Scan configuration V7.3 including Patch 2
Commissioning Manual, 08/2009, A5E02634981-01 15
"Update settings" area
Check box "Enable Scheduled Update": Disabled
Check box "Forbid program upgrade and hot fix deployment": Enabled
Figure 2-6 "Client Privileges and Settings" dialog box: Figure 2 of 2
Configuration
2.7 Global Client Settings
Trend Micro Office Scan configuration V7.3 including Patch 2
16 Commissioning Manual, 08/2009, A5E02634981-01
2.7 Global Client Settings
Settings in the "Global Client Settings" dialog box
The global settings relate to all virus scan clients registered on the virus scan server.
"Alert Settings" area
"Show the OfficeScan splash screen at startup" check box: Disabled
Check box "Show the alert icon on the Windows taskbar, if …": Disabled
Figure 2-7 Dialog box "General client settings"
Configuration
2.8 Client Update
Trend Micro Office Scan configuration V7.3 including Patch 2
Commissioning Manual, 08/2009, A5E02634981-01 17
2.8 Client Update
Information on updates
Do not perform an update of the virus scan engine in process mode (runtime) because some
updates require a reboot of the virus scan client.
Settings in the "Client Update" dialog box
"Update Source" area
Option button "Standard update source (update from Office Server)": Enabled
Figure 2-8 "Client Update" dialog box: "Update Source" area
Configuration
2.8 Client Update
Trend Micro Office Scan configuration V7.3 including Patch 2
18 Commissioning Manual, 08/2009, A5E02634981-01
"Automatic Deployment" area
"Deploy to clients immediately after OfficeScan server downloads a new component"
check box: Disabled
"Deploy to clients for OfficeScan clients only and excluding rooming clients when they are
restarted)" check box: Disabled
Figure 2-9 "Client Update" dialog box: "Automatic Deployment" area
Configuration
2.8 Client Update
Trend Micro Office Scan configuration V7.3 including Patch 2
Commissioning Manual, 08/2009, A5E02634981-01 19
"Manual Deployment" area
Option button "Manually select clients": Enabled
Figure 2-10 "Client Update" dialog box: "Manual Deployment" area
Configuration
2.9 Logs
Trend Micro Office Scan configuration V7.3 including Patch 2
20 Commissioning Manual, 08/2009, A5E02634981-01
2.9 Logs
Check the deployment of the virus signatures in the dialog box "Client update logs"
Figure 2-11 "Client Update Logs" dialog box