Trend Micro Officescan - Terminal Services / Citrix Configuration

Trend Micro OfficeScan 7.x / Terminal Services Notes

Trend Micro now uses OfficeScan for both workstations and servers. Previously
they maintained two products, ServerProtect (which they still maintain for linux)
for servers, and OfficeScan for workstations. ServerProtect is now being phased
out at version 5.58 and now starting with OfficScan 7.x, OfficeScan is now used
for both Windows servers and workstations.

ServerProtect only displayed a system tray icon for the console session, with
OfficeScan, it displays a system tray icon for terminal sessions as well. In
order to prevent the tray icon from loading, the following procedures must be
performed (Citrix and Terminal Servers) although this behavior may be changed
in future releases of OfficeScan.

--------------------------------------------------------------------------------

OfficeScan Tray Utility
c:\program files\trend micro\officescan client\pccntmon.exe

This is a tray utility to interface with the backend services. It is not
required to be running for virus protection, only the "ntrtscan" service
is required.

For Citrix servers, to remove this utility from HKLM\..\Run so that it does
not run a seperate instance for each user, you must make some special changes
otherwise, simply deleting the entry in the registry or sliming down the NTFS
permissions on PCCNTMON.EXE will not work because the service "OfficeScanNT
Listener" will add the permissions and registry entry back each time the service
restarts. Misnaming the entry path also does not work, the listener service
corrects the path as well.

Backup of Registry Key
	Windows Registry Editor Version 5.00
	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
	"OfficeScanNT Monitor"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"


To resolve this issue with the PCCNTMON.EXE client running from within
HKLM\..\Run registry key, perform the following procedure on the client.
You must add some provision for it to run for administrators though either
with a logon script or via registry with HKCU\..\Run. This procedures stops
the OfficeScan Listener service from recreating the HKLM\..\Run key:

1. Open c:\program files\trend micro\officescan client\ofcscan.ini
2. Search for the [INI_CLIENT_SETUP_SECTION] and modify the following parameters:
   • NT_RUN_KEY
	From:
		NT_RUN_KEY=OfficeScanNT Monitor
	To:
		NT_RUN_KEY=
   • NT_RUN_KEY_FILE_NAME
	From:
		NT_RUN_KEY_FILE_NAME=pccntmon.exe
	To:
		NT_RUN_KEY_FILE_NAME=
3. Delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OfficeScanNT Monitor

--------------------------------------------------------------------------------

Volume Editing:
	start,run:
	notepad \\cs01\c$\program files\trend micro\officescan client\ofcscan.ini

Delete, Copy, and Paste
	#NT_RUN_KEY=OfficeScanNT Monitor
	#NT_RUN_KEY_FILE_NAME=pccntmon.exe
	NT_RUN_KEY=
	NT_RUN_KEY_FILE_NAME=

--------------------------------------------------------------------------------

Examples: Scripted Loading of PCCNTMON.EXE

set PMON="c:\program files\trend micro\officescan client\pccntmon.exe" -hidewindow
if /i [%SESSIONNAME%]==[console] (
	%PMON%
)
if /i [%USERNAME%]==[administrator] (
	%PMON%
)