1. Critical Patch Release Information
Resolved Known Issues
This Critical Patch resolves the following issue(s):
Unable to select policy targets using Active Directory Organizational Units when deploying an Endpoint Application Control Policy from the Control Manager 7.0 console.
Enhanced Control Manager 7.0 integration to enable support for target assignment of Active Directory computers using the "filter" or "specify targets" functions for Endpoint Application Control policies.
An invalid Endpoint Application Control agent version may appear in the endpoint list of the OfficeScan plug-in console.
Updated the synchronization mechanism of the OfficeScan plug-in to properly display the installed Endpoint Application Control agent version.
The Endpoint Application Control server may be vulnerable to the FileDrop Directory Traversal Remote Code Execution Vulnerability (ZDI-CAN-5640).
This critical patch fixes the vulnerability by ensuring that files uploaded by users logged onto the web console are only allowed in server folders assigned to the logged on user.
The bundled "hashlist-importer" utility tool is unable to import SHA1 lists to the Endpoint Application Control server.
The Endpoint Application Control server has been updated to properly accept SHA1 lists from the "hashlist-importer" utility tool.
The server uninstallation program does not verify that all used network ports are properly closed before finishing the uninstallation process. Some ports may appear to be in use for several seconds after the uninstallation completes, which prevents the re-installation of the server.
The uninstallation program has been enhanced to verify that all used network ports are closed before finishing the uninstallation process.
Opening the web console directly after the installation may result in the "HTTP-404" browser error because not all required processes have started.
The installation program has been enhanced to verify that all required processes have started before displaying the installation "complete" message.
When using the OfficeScan plug-in program to install Endpoint Application Control agents, if the agent installation is unsuccessful, the plug-in console may display the "Installing..." state indefinitely.
The synchronization function of the Endpoint Application Control OfficeScan plug-in has been enhanced to properly display the current installation state of agents.
When in Lockdown mode, endpoints block updates of the Endpoint Application Control agent program.
The product name of the signed installer has been updated to properly allow the Endpoint Application Control agent to detect that an update installation is allowed.
On Windows 10 platforms, the Endpoint Application Control agent reports and registers the temporary User-Mode Driver Framework (UMDF) user accounts used to upgrade the agent from a previous version.
The Endpoint Application Control agent does not register temporary UMDF user account associations in the endpoint list. Note: Temporary UMDF user account information is still accessible using the "SYSTEM" account.
The domain name field may be empty for certain endpoints in the results of the periodic check for changes to endpoint and domain names on the "Management > User Endpoints" page.
Updated the periodic name checking mechanism to help ensure that the correct endpoint domain names are displayed on the periodic check results.
The Endpoint Application Control agent console may not correctly display the server connection status after an agent becomes disconnected from the server.
The Endpoint Application Control agent has been enhanced to always display the correct connection status.
The content removed from the "Certified Safe Software" list pattern files is not removed from the "Known Applications" list.
The pattern loading component on the server has been enhanced to inspect the existing content in the "Known Applications" list and remove all entries that originated from an earlier pattern version and are no longer present in the current pattern.
The Endpoint Application Control agent console does not show the element "Request permission to use this application" on localized agent console versions.
Corrected the size of the notification window to ensure that the element "Request permission to use this application" is visible on all console versions.
The following enhancements are included in this Critical Patch:
Reduced the update time of the "Certified Safe Software" pattern for "Known Applications" through an incremental update process.
Reduced the initial loading time of the "Certified Safe Software" list pattern through use of a predefined "well-known files" database compiled from the Trend Micro web service.
Added support for continuing an unfinished inventory scan at the last scanned file when an endpoint is restarted.
You can configure Endpoint Application Control to automatically remove inactive user associations with endpoints from the Users and Endpoints list. Enabled by default, this feature helps to remove excess user data from the database and avoid stability and performance issues caused by one-time or former user access to endpoints.
Policy configuration has been enhanced to allow specialized log tagging of endpoint inventory collections that you can use to dynamically update the "Known applications dynamic search" list. You can use this feature to dynamically update the Known applications list and deploy the updated list to all other endpoints on your network.
Policy configuration has been enhanced to allow specialized log tagging of applications that you can use to dynamically update the "Allowed" or "Blocked" lists using the "Known applications dynamic search" list. You can use this feature to dynamically update the Known applications list on a test endpoint and deploy the updated list to all other endpoints on your network.
Added additional columns to the policy list that provide a better differentiation between the various endpoint states (no policy, outdated policy, online, or offline) to improve visibility about whether further action is required.
Note: The column configuration for the policy list is saved within the browser and will not change by default. If you have upgraded the server, use the "Reset columns" option from the list menu to enable the new default view or manually select the columns of your preference from the "Select columns" menu.
Added and enabled a fully automated incremental backup and restore process for content in the "Known Applications" log from sources other than the "Certified Safe Software" list to ensure that no data is lost if the "Known Applications" log becomes corrupted.
Enhanced low disk space monitoring helps to avoid critical issues (such as database/log corruption and unresponsive server commands) by safely stopping affected processes before the server runs out of free disk space.
When the remaining disk space is low, the server console displays the current disk space status including the minimum required disk space although certain log collection features are disabled. Once the remaining disk space is increased, any stopped processes are restarted automatically.
To prevent damage during initialization, the Endpoint Application Control server service may not start (or restart) if the free disk space on the server is critically low.
Enhanced the Endpoint Application Control agent console to display blocked events for "Windows Apps" in single-user desktop environments. Displaying block events for "Windows Apps" is not supported if multiple users are logged on.
2. Documentation Set
To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com
- Online Help: The Online Help contains an overview of features and key concepts, and information on configuring and maintaining the product.
To access the Online Help, go to http://docs.trendmicro.com
- Installation Guide (IG): The Installation Guide contains information on requirements and procedures for installing and deploying the product.
- Administrator's Guide (AG): The Administrator's Guide contains an overview of features and key concepts, and information on configuring and maintaining the product.
- Getting Started Guide (GSG): The Getting Started Guide contains product overview, installation planning, installation and configuration instructions, and basic information intended to get the product 'up and running'.
- Support Portal: The Support Portal contains information on troubleshooting and resolving known issues.
- To access the Support Portal, go to http://esupport.trendmicro.com
3. System Requirements
For information on agent deployment, see Endpoint Application Control online help: https://docs.trendmicro.com/en-us/enterprise/endpoint-application-control.aspx
No uninstallation instructions are provided.
5. Post-installation Configuration
No post-installation steps are required.
6. Known Issues
Known issues in this release:
Endpoint Application Control agents running version 2.0 SP1 Patch 3 display blocked events for "Windows-Apps" only in single-user desktop environments. The agent notification window does not display blocked events for "Windows-Apps" when multiple users are logged on at the same time.
When blocking "Windows-Apps", the agent notification window may display for blocked "Windows-App" files during user log on if the "Windows-App" is pinned to the Windows Start Menu.
To resolve this issue, ensure the blocked "Windows-App" is removed from the Windows Start Menu.
Endpoint Application Control agents running version 2.0 SP1 Patch 3 are not supported on Endpoint Application Control servers running versions prior to 2.0 SP1 Patch 2. To resolve this issue, upgrade the server to version 2.0 SP1 Patch 2 or later.
The server web console renders unexpectedly due to incorrect resource file loading. To resolve this issue, clear the browser cache and refresh the web page.
Endpoint Application Control is unable to properly detect system proxy settings that use SOCKS protocol. To resolve this issue, manually configure proxy settings on the Proxy Settings screen (Administration > Proxy Settings).
After Endpoint Application Control agents are installed using the Endpoint Application Control OfficeScan Plug-in, system accounts such as IUSR display in Users and Endpoints. This is normal behavior. Activity from these accounts should be tracked to allow administrators to monitor system account activity for non-standard behavior.
The system service accounts that are normally not displayed are
SECURITY_NETWORK_SERVICE_RID. These accounts include
NETWORK SERVICE and
- System service IIS accounts that display include the following:
- System service AppPool accounts that display include the following:
- System service Win32_UserAccount accounts that display include the following:
- System service Win32_SystemAccount accounts that display include the following:
PCX\CREATOR GROUP SERVER,
PCX\CREATOR OWNER SERVER,
PCX\ENTERPRISE DOMAIN CONTROLLERS,
PCX\REMOTE INTERACTIVE LOGON,
PCX\TERMINAL SERVER USER
Endpoint Application Control is unable to display correct processor and memory use information in the Server Summary widget (Dashboard > Summary). The information is calculated based on application scope where virtual memory and memory used by runtime platforms are ignored and data are collected by polling on a five-minute interval and by averaging the results. To determine the total current processor and memory use, including virtual and runtime platform memory, use Windows Task Manager.
"Unknown" applications or files may appear under the Configure conflict resolutions (Management > Rules, Add/Edit Rule) screen. This issue may be caused by the following:
- Applications and files are pending addition to the TMCSSS database.
- Some data may not be available in the TMCSSS database.
- Endpoint Application Control is unable to connect to the services that provide additional or updated information for files in the local TMCSSS database.
To resolve this issue, you may need to do one or all of the following:
- Look up the relevant SHA-1 hash values on the Logs > Query screen to determine if and where they exist in the environment.
- Verify the Internet connection of the Endpoint Application Control server and retry later. An Internet connection provides additional and updated information.
The Key Performance Indicators widget displays "--" for periods that contain incomplete data because the Endpoint Application Control server is unable to distinguish between inactivity and absence of data. To resolve this issue, verify your log purging schedules (Logs > Maintenance screen) and make sure not to purge data at a schedule that cuts into any indicator schedules.
A simple search can perform the search based on all data columns instead of the displayed columns due to processing resource and time considerations. To search within specific columns, use dynamic search. For more information about dynamic search, see the Endpoint Application Control online help: http://docs.trendmicro.com/en-us/enterprise/endpoint-application-control.aspx
The Add or Edit Rule screen is unable to display correct path information where drive letters other than D will be missing if matching is based on File paths and Location: Any local storage is allowed. To resolve this issue, select Location: empty to display all matched paths.
The Endpoint Application Control server web console is unable to resolve SHA-1 hash value shortcuts to their actual paths. In Windows, shortcuts are special link files. Unless otherwise implemented inside the web browser, shortcuts are not resolved to their target files. The Endpoint Application Control web console can only use the actual file, not the shortcut. To resolve this issue, follow the steps below:
- Click Select Files. The file window browser appears.
- Right-click the shortcut and select follow the shortcut.
- Select Open file location. The shortcut target appears.
- Click OK.
Data entries in the Query screen (Logs > Query) may not be displayed in order when it is accessed for the first time. To resolve this issue, manually click a column name to sort.
Widget data on Dashboard may not be updated immediately after changes are applied. To resolve the issue, do one of the following:
- Refresh the browser window.
- Log off and then log on to the web console.
While accessing the server web console, browser memory consumption can increase sharply depending on the browser type, browser version, and usage time. Some browsers may not call destruction events. To resolve the issue, do one or more of the following:
- Use an up-to-date browser version.
- Use a different supported browser.
- Refresh or reopen the browser window occasionally.
Percentage information in the User and Endpoint Summary table and the chart may not always match. Charts display percentage among the top values, but the table shows the percentage relative to all values.
On the Application, Rule, and Policy Events widget, the top and bottom values may disappear after deleting conditions and then reopening the settings page.
The Period setting may not be saved for the Applications, Rule, and Policy Events widgets if they are also saved as templates. To resolve this issue, manually set Period for each of the Application, Rule, and Policy Events widget on your Dashboard. For more information, see the topic on Application, Rule, and Policy Events Widget in Endpoint Application Control online help: http://docs.trendmicro.com/en-us/enterprise/endpoint-application-control.aspx
Endpoint Application Control may experience a certificate chain error on a computer from which the server console is accessed remotely when the server is installed on Internet Information Services. To resolve this issue, follow the steps below to import the root CA certificate from the server installation folder to the remote endpoint experiencing the issue:
- Deploy the root CA certificate:
- Go to the Endpoint Application Control server installation folder.
- Copy the CA certificate TMEAC_CA_Cer.pem and save it to the desktop.
- Rename the certificate file to a .CER file, for example, TM-CA.cer
- Configure the MMC Snap-in:
- On the server platform, go to the Start menu, run "mmc" and press Enter.
- Go to File > Add/Remove Snap-Ins.
- From the list of Available snap-ins, choose Certificates and click Add >.
- In the pop-up window, select Computer account and click Next.
- Select Another computer and browse for the remote computer experiencing the issue.
- Click Next to finish the configuration.
- Import the CA certificate:
- In the MMC, go to Console Root > Trusted Root Certificate Authorities/Certificates > Certificates.
- Right-click Trusted Root Certificate Authorities/Certificates.
- On the Context menu, click All Tasks > Import.
- Select the previously exported public key file that contains the TM-CA.cer file and import it.
- Verify that the CA is imported to the trust store.
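The import procedure above can also be scripted. The following PowerShell is an added example, not part of the Trend Micro readme or product: it checks the certificate's fingerprint before trusting it as a root CA, then imports it on the remote endpoint and verifies the result. The parameters $InstallDir, $RemoteComputer and $ExpectedSha256 are assumptions (placeholders you supply), as is the availability of PowerShell remoting on the remote endpoint.

```powershell
# Added example: scripted equivalent of the MMC import, with a fingerprint check first.
# Assumptions (not from the readme): the three parameters are placeholders you supply,
# and PowerShell remoting (WinRM) is enabled on the remote endpoint.
param(
    [Parameter(Mandatory)] [string] $InstallDir,      # EAC server installation folder
    [Parameter(Mandatory)] [string] $RemoteComputer,  # endpoint showing the chain error
    [Parameter(Mandatory)] [string] $ExpectedSha256   # fingerprint confirmed out of band
)
$ErrorActionPreference = 'Stop'

# Load the CA certificate named in the readme (X509Certificate2 reads PEM or DER).
$pemPath = Join-Path $InstallDir 'TMEAC_CA_Cer.pem'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pemPath

# Compare the SHA-256 of the DER encoding with the expected value before trusting it.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch: got $actual, expected $expected. Certificate not imported."
}

# Refuse an expired or not-yet-valid certificate; warn if it is not self-signed.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Subject and issuer differ; this may not be a root CA certificate."
}

# Write a DER-encoded .cer (the readme's TM-CA.cer) and copy it to the remote endpoint.
$cerPath = Join-Path $env:TEMP 'TM-CA.cer'
[System.IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))

$session = New-PSSession -ComputerName $RemoteComputer
try {
    $remoteFile = 'C:\Windows\Temp\TM-CA.cer'
    Copy-Item -Path $cerPath -Destination $remoteFile -ToSession $session

    # Import into the computer's Trusted Root store and confirm it is present.
    $imported = Invoke-Command -Session $session -ArgumentList $remoteFile, $cert.Thumbprint -ScriptBlock {
        param($file, $thumbprint)
        Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        Remove-Item -Path $file
        Test-Path "Cert:\LocalMachine\Root\$thumbprint"
    }
    if (-not $imported) { throw "Certificate not found in the remote trust store after import." }
    Write-Output "Imported $($cert.Subject) (thumbprint $($cert.Thumbprint)) on $RemoteComputer."
}
finally {
    Remove-PSSession $session
    Remove-Item -Path $cerPath -ErrorAction SilentlyContinue
}
```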
Endpoint Application Control server widgets only display data for the connected server, and are unable to display integrated data from multiple Endpoint Application Control servers. Endpoint Application Control only shares data across servers via Control Manager. To integrate data from several servers, the Control Manager version of widgets would need to implement their own logic and processing. To resolve the issue, cluster separate Endpoint Application Control servers to create a single source of data. Any server belonging to the cluster returns the same information to widgets.
The Control Manager KPI widget will continue to display last known indicator values even when all Endpoint Application Control servers are removed. The widget only updates when new data is available. Consider deleting the widget if it is no longer needed.
After removing all Endpoint Application Control servers from Server Visibility in Control Center, rules continue to display in the Rule Management widget. The widget only updates when new data is available. Consider deleting the widget if it is no longer needed. The Rule Management widget caches rules in order to provide rule synchronization among connected Endpoint Application Control servers.
7. Release History
Only this patch was tested for this release. Prior hotfixes were tested at the time of their release.
The "User Name" and "User ID" columns in CSV and Microsoft(TM) Excel files exported from "Endpoint Inventories" view are always empty.
This hotfix resolves the issue by updating the third-party export plugin to support complex data types like lists of structured data.
Changes to the dashboard are not stored in the user's profile and as a result, the settings may be lost during product upgrades.
This hotfix resolves this issue by updating the dashboard settings synchronization task to work with recent versions of the runtime environment (PHP).
The dashboard is not rendered when "host headers" are set to "mandatory" in Internet Information Services (IIS) when hardening the operating system (OS).
Under certain conditions, Endpoint Application Control agents with a SYSTEM user profile that was created after all other user profiles on the endpoint may run an Inventory Scan automatically after restarting.
This hotfix ensures that these Endpoint Application Control agents do not run an Inventory Scan automatically or overwrite the last inventory scan date after restarting.
Applications that create new files, installers for example, and that match a trusted source rule with level "Permanent" may not be able to run file operations successfully while the agent records file changes triggered by concurrent Input/Output (IO) operations.
This hotfix reduces the time that the agent spends in recording file changes to help ensure that the affected applications can run file operations successfully.
Under certain conditions, agents with newly-created user profiles on the endpoint may send a large number of ping requests to the server. This can overload the server and make it unavailable.
This hotfix ensures that agents do not send too many ping requests when there are new users on the endpoint.
In Endpoint Policies, changes to the "Display notifications popups" or "Display the system tray icon" settings require the agent to restart.
This hotfix enables the server to send changes to these settings to the agent console so agents can apply the changes immediately without the need to restart.
Endpoint Application Control 2.0 Service Pack 1 Patch 1 agents do not support server builds released before version 2.0 Service Pack 1 Patch 1. To work around this issue, users need to upgrade the server.
This hotfix enables Endpoint Application Control 2.0 Service Pack 1 Patch 1 agents to support server versions released before version 2.0 Service Pack 1 Patch 1.
Endpoint Application Control 2.0 Service Pack 1 Patch 2 agents do not support server builds released before version 2.0 Service Pack 1 Patch 1. To work around this issue, users need to upgrade the server.
This hotfix enables Endpoint Application Control 2.0 Service Pack 1 Patch 2 agents to support server versions released before version 2.0 Service Pack 1 Patch 1.
The Trend Micro OfficeScan(TM) add-on cannot deploy Endpoint Application Control 2.0 Service Pack 1 Patch 1 by standard ActiveUpdate (AU). To work around this issue, users need to set an alternate AU source and follow guidelines for hotfix/patch installation.
This hotfix makes the update available by AU.
The OfficeScan add-on cannot deploy Endpoint Application Control 2.0 Service Pack 1 Patch 2 by standard AU. To work around this issue, users need to set an alternate AU source and follow guidelines for hotfix/patch installation.
This hotfix makes the update available by AU.
An issue causes the Endpoint Application Control server to reject the inventory from agents.
This hotfix resolves the issue by creating an empty hash for the inventory database.
Special characters in the Microsoft(TM) Windows(TM) account username are not encoded which prevents AcAgentUI from loading resource files normally.
This hotfix ensures that special characters in Windows account usernames are encoded properly so that AcAgentUI can load the resource files normally.
Windows logon screen hangs on startup. This is caused by the OS attempting to load DLLs for certificate evaluation, which are blocked by the agent, resulting in a deadlock.
This patch resolves an issue related to the certificate system before starting the agent.
Support for Windows 10 - version 1703 (Creators Update)
8. Contact Information
A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.
Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.
NOTE: This information is subject to change without notice.
9. About Trend Micro
Smart, simple, security that fits
As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.
Copyright 2018, Trend Micro Incorporated. All rights reserved.
Trend Micro, Endpoint Application Control, and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.
10. License Agreement
View information about your license agreement with Trend Micro at: http://www.trendmicro.com/us/about-us/legal-policies/license-agreements/
Third-party licensing agreements can be viewed:
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide