Trend Micro, Inc.
May 15, 2017
Trend Micro™ OfficeScan™ 11.0 Service Pack 1 Patch 1
CriticalPatch - Server Build 6355 and Agent Module Build 6159
Contents
- CriticalPatch Release Information
- Document Set
- System Requirements
- Installation/Uninstallation
- Post-installation Configuration
- Known Issues
- Release History
- Contact Information
- About Trend Micro
- License Agreement
1. CriticalPatch Release Information
Installing this critical patch enables OfficeScan agents to run
on computers running the Microsoft(TM) Windows(TM) 10 Creators
Update RS2 platform.
Enhancements
The following enhancement is included in this critical patch:
- (JIRA 6313)
Enhancement: This critical patch enables the OfficeScan agent program to support Windows 10 Creators Update RS2.
- (JIRA 7214)
Issue: A blue screen of death (BSOD) occurs when the Trend Micro Common Module (tmcomm.sys) attempts to parse the service name list of a Windows kernel device in the device tree.
Solution: This hotfix updates the Trend Micro Common Module on OfficeScan agents to resolve this issue.
Files Included in this Release
A. Files for Current Issue(s)
-------------------------------------------------------------------
Filename Build Number
------------------------------ ------------
OfficeScan\PCCSRV\Admin\Utility\SQL\*.*
OfficeScan\PCCSRV\Admin\Utility\SQL\
-------------------------------------------------------------------
libSQLDatabaseUpgrade.dll 11.0.0.6355
OfficeScan\PCCSRV\
-------------------------------------------------------------------
CGIShare.dll 11.0.0.6355
SvrSvcSetup.exe 11.0.0.6355
OfficeScan\PCCSRV\Admin\
-------------------------------------------------------------------
Build.exe 2.85.0.1180
Build64.exe 2.85.0.1180
cert5.db
ciussi32.dll 2.0.0.2074
ciussi64.dll 2.0.0.2074
patch.exe 2.85.0.1180
patch64.exe 2.85.0.1180
patchbld.dll 12.21.0.0
PATCHW32.DLL 12.21.0.0
patchw64.dll 12.20.0.0
TmUpdate.dll 2.85.0.1180
TmUpdate64.dll 2.85.0.1180
x500.db
OfficeScan\PCCSRV\Admin\Utility\ClientPackager\
-------------------------------------------------------------------
ClnExtor.ini
ClnPack.exe 11.0.0.6355
ClnPack.ini
OfficeScan\PCCSRV\Admin\Utility\listDeviceInfo\
-------------------------------------------------------------------
listDeviceInfo.exe 6.0.0.1502
OfficeScan\PCCSRV\Autopcc.cfg\
-------------------------------------------------------------------
ApNT.ini
ApNT_X64.ini
OfficeScan\PCCSRV\CmAgent\
-------------------------------------------------------------------
OfcCMAgent.exe 11.0.0.6355
ProductLibrary.dll 11.0.0.6355
En_I18N.dll 5.0.0.2270
En_Utility.dll 5.0.0.2270
TrendAprWrapperDll.dll 5.0.0.2270
zlib.dll 1.2.3.0
libcurl.dll 7.43.0.0
libeay32.dll 1.0.2.10
ssleay32.dll 1.0.2.10
OfficeScan\PCCSRV\Download\
-------------------------------------------------------------------
ClnPack_files.xml
OfficeScan\PCCSRV\Download\Engine\
-------------------------------------------------------------------
BMdriver_x32.sig
BMdriver_x32.zip
BMdriver_x64.sig
BMdriver_x64.zip
bmservice_x32.sig
bmservice_x32.zip
bmservice_x64.sig
bmservice_x64.zip
OfficeScan\PCCSRV\Download\Product\
-------------------------------------------------------------------
DlpLite_Common.zip
DlpLite_Common_x64.zip
OfficeScan\PCCSRV\Engine\
-------------------------------------------------------------------
TmAegisSysEvt.dll 2.974.0.1179
TMBMCLI.dll 2.974.0.1179
TMBMSRV.exe 2.974.0.1179
tmcomeng.dll 2.974.0.1179
tmelapi.dll 1.6.0.1004
TmEngDrv.dll 2.974.0.1179
TMPEM.dll 2.974.0.1179
tmtap.dll 6.0.0.1074
tmwlutil.dll 2.974.0.1179
tmCfwApi.dll 5.83.0.1003
TmPfw.exe 5.83.0.1003
TmPfwApi.dll 5.83.0.1003
OfficeScan\PCCSRV\Engine\x64\
-------------------------------------------------------------------
TmAegisSysEvt.dll 2.974.0.1179
TMBMCLI.dll 2.974.0.1179
TMBMSRV.exe 2.974.0.1179
tmcomeng.dll 2.974.0.1179
tmelapi.dll 1.6.0.1004
TmEngDrv.dll 2.974.0.1179
TMPEM.dll 2.974.0.1179
tmtap.dll 6.0.0.1074
tmwlutil.dll 2.974.0.1179
tmCfwApi.dll 5.83.0.1003
TmPfw.exe 5.83.0.1003
TmPfwApi.dll 5.83.0.1003
OfficeScan\PCCSRV\LWCS\
-------------------------------------------------------------------
Build.exe 2.85.0.1180
cert5.db
ciuas32.dll 1.0.0.2075
ciussi32.dll 2.0.0.2074
patch.exe 2.85.0.1180
patchbld.dll 12.21.0.0
PATCHW32.DLL 12.21.0.0
TmUpdate.dll 2.85.0.1180
x500.db
OfficeScan\PCCSRV\Private\
-------------------------------------------------------------------
RansomwareWidget.ini
OfficeScan\PCCSRV\Private\certificate\
-------------------------------------------------------------------
openssl.exe
OfficeScan\PCCSRV\Web\Service\
-------------------------------------------------------------------
CGIOCommon.dll 11.0.0.6355
CGIShare.dll 11.0.0.6355
CmdHLClient.dll 11.0.0.6355
CmdHOConsole.dll 11.0.0.6355
DbServer.exe 11.0.0.6355
libCmdHndlrClientV2.dll 11.0.0.6355
libCmdHndlrConsoleV2.dll 11.0.0.6355
OfcNotifyQueue.dll 11.0.0.6355
OfcService.exe 11.0.0.6355
OfcCCCAUpdate.exe 12.0.0.6159
Build.exe 2.85.0.1180
cert5.db
ciuas32.dll 1.0.0.2075
ciussi32.dll 2.0.0.2074
patch.exe 2.85.0.1180
patchbld.dll 12.21.0.0
PATCHW32.DLL 12.21.0.0
TmUpdate.dll 2.85.0.1180
x500.db
OfficeScan\PCCSRV\Web_OSCE\Web\CGI\
-------------------------------------------------------------------
cgiExportInfo.exe 11.0.0.6355
CGIOCommon.dll 11.0.0.6355
CGIShare.dll 11.0.0.6355
SSO_PKIHelper.dll 5.0.0.2270
OfficeScan\PCCSRV\Web_OSCE\Web_console\CGI\
-------------------------------------------------------------------
cgiAuthManagement.exe 11.0.0.6355
CGIOCommon.dll 11.0.0.6355
CGIShare.dll 11.0.0.6355
cgiShowClientAdm.exe 11.0.0.6355
cgiShowWSSAdmin.exe 11.0.0.6355
cgiWebUpdate.exe 11.0.0.6355
cgiCmdNotify.exe 5.0.0.2270
SSO_PKIHelper.dll 5.0.0.2270
TrendAprWrapperDll.dll 5.0.0.2270
cgiWebUpdate.ini
OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\Auth\
-------------------------------------------------------------------
admin_account_info.htm
OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\behavior_monitoring\
-------------------------------------------------------------------
bm_settings.htm
OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\ClientInstall\
-------------------------------------------------------------------
agent_install.htm
WinNTChk.cab
OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\clientmag\
-------------------------------------------------------------------
client_list_2.htm
client_ofsc_services.htm
client_searchwindow.htm
OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\common\
-------------------------------------------------------------------
menu_common.js
OfficeScan\PCCSRV\Web_OSCE\Web_console\RemoteInstallCGI\
-------------------------------------------------------------------
CGIShare.dll 11.0.0.6355
OfficeScan\PCCSRV\WSS\
-------------------------------------------------------------------
Build.exe 2.85.0.1180
cert5.db
ciuas32.dll 1.0.0.2075
ciussi32.dll 2.0.0.2074
patch.exe 2.85.0.1180
patchbld.dll 12.21.0.0
PATCHW32.DLL 12.21.0.0
TmUpdate.dll 2.85.0.1180
x500.db
OfficeScan\PCCSRV\Pccnt\Drv\
-------------------------------------------------------------------
tmactmon.cat
tmactmon.inf
tmactmon.sys 2.974.0.1179
tmevtmgr.cat
tmevtmgr.inf
tmevtmgr.sys 2.974.0.1179
tmcomm.cat
tmcomm.inf
tmcomm.sys 6.60.0.1060
tmlwf.cat
tmlwf.inf
TMLWF.sys 5.83.0.1013
tmwfp.cat
tmwfp.inf
TMWFP.sys 5.83.0.1018
tmwfpins.exe 5.83.0.1003
OfficeScan\PCCSRV\Pccnt\Drv\X64\
-------------------------------------------------------------------
tmactmon.cat
tmactmon.inf
tmactmon.sys 2.974.0.1179
tmevtmgr.cat
tmevtmgr.inf
tmevtmgr.sys 2.974.0.1179
tmcomm.cat
tmcomm.inf
tmcomm.sys 6.60.0.1060
tmlwf.cat
tmlwf.inf
TMLWF.sys 5.83.0.1013
tmwfp.cat
tmwfp.inf
TMWFP.sys 5.83.0.1018
tmwfpins.exe 5.83.0.1003
OfficeScan\PCCSRV\Pccnt\
-------------------------------------------------------------------
ClientConsole.zip
NTRmvRC.dll 11.0.0.6355
NTRtScan.exe 12.0.0.6159
OfficeScan\PCCSRV\Pccnt\Common\
-------------------------------------------------------------------
fcWofieUI.dll 12.0.0.6159
NTRmv.exe 12.0.0.6159
OfcCCCAUpdate.exe 12.0.0.6159
PccNTMon.exe 12.0.0.6159
TmListen.dll 12.0.0.6159
TmListen.exe 12.0.0.6159
TmListenShare.dll 12.0.0.6159
TmSock.dll 12.0.0.6159
CCSF_PTN.zip
CCSF_WIN32.zip
tmCfwApi.dll 5.83.0.1003
TmPfw.exe 5.83.0.1003
TmPfwApi.dll 5.83.0.1003
TmPfwCtl.dll 5.83.0.1003
TmPfwCtl_xp.dll 5.83.0.1034
tmwfpapi.dll 5.83.0.1003
TmopphSmtp.dll 2.0.0.1096
TmopphPop3.dll 2.0.0.1096
OfficeScan\PCCSRV\Pccnt\Win64\X64\
-------------------------------------------------------------------
fcWofieUI.dll 12.0.0.6159
NTRmv.exe 12.0.0.6159
Ntrtscan.exe 12.0.0.6159
OfcCCCAUpdate.exe 12.0.0.6159
PccNTMon.exe 12.0.0.6159
TmListen.exe 12.0.0.6159
TmListen_64x.dll 12.0.0.6159
TmListenShare_64x.dll 12.0.0.6159
TmSock_64x.dll 12.0.0.6159
CCSF_X64.zip
tmCfwApi.dll 5.83.0.1003
TmPfw.exe 5.83.0.1003
TmPfwApi.dll 5.83.0.1003
TmPfwCtl.dll 5.83.0.1003
TmPfwCtl_xp.dll 5.83.0.1034
tmwfpapi.dll 5.83.0.1003
TmopphSmtp.dll 2.0.0.1096
TmopphPop3.dll 2.0.0.1096
B. Files for Previous Issues
Not applicable.
C. Network Traffic Required in Deployment
Estimated size (in terms of bandwidth) of deployed agent files in this hot fix.
- 32-bit agent total = 58.7 MB
- 64-bit agent total = 71.2 MB
2. Document Set
To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com.
3. System Requirements
You must install OfficeScan 11.0 Service Pack 1 with Patch 1 before installing this CriticalPatch.
4. Installation/Uninstallation
Installation
To install:
- Copy the CriticalPatch executable file to a temporary folder on the server, for example, "C:\temp".
- Double-click the file. The modules are automatically copied to the correct destination.
This CriticalPatch installation package automatically rolls back the OfficeScan server to its previous configuration if there are problems during installation.
If you encounter problems after installation, do a manual rollback.
Uninstallation
To manually roll back to the previous build:
- Locate the backup folder that the CriticalPatch package created in the "\PCCSRV\Backup\CriticalPatch_B6355" directory.
- Stop the OfficeScan Master Service.
- Stop the OfficeScan CMAgent Service.
- Copy the backup modules to the original folders.
- Start the OfficeScan CMAgent Service.
- Start the OfficeScan Master Service.
5. Post-installation Configuration
No post-installation steps are required.
Note: Trend Micro recommends that you update your scan engine and
virus pattern files immediately after installing the product.
6. Known Issues
There are no known issues for this CriticalPatch release.
7. Release History
Visit the following web site for more information about updates to this product:
http://www.trendmicro.com/download.
Prior Releases
Note: Only this CriticalPatch was tested for this release. Prior Hotfixes/CriticalPatches were tested at the time of their release.
- OfficeScan 11.0
- OfficeScan 11.0 SP1
- OfficeScan 11.0 SP1 Patch1
- Hotfix 6250 (SBM 356853)
Issue: Installing OfficeScan 10.5 Patch 6 by web installation also installs ActiveX on the computer; however, ActiveX is not removed during client uninstallation. As a result, users encounter an error while installing OfficeScan 11 Service Pack 1 Critical Patch 6054 by web installation. This happens because the "WinNTchk.dll" for the ActiveX component cannot be updated when a previous version of the file exists in the installation directory. When this happens, the web installation fails.
Solution: This hotfix ensures that the OfficeScan server adds the version information of the "WinNTChk.cab" file when it triggers web installation.
- Hotfix 6252 (SBM 357563)
Issue: It is reported that the OfficeScan NT Listener service (TmListen.exe) in OfficeScan 11.0 Service Pack 1 Patch 1 failed to start up on endpoints running Microsoft(TM) Windows(TM) Vista or Windows Server 2008.
Solution: This hotfix updates the OfficeScan agent program to resolve this issue.
- Hotfix 6252 (SBM 352284)
Issue: The User Mode Hooking (UMH) driver causes an unexpected error.
Solution: This hotfix updates the UMH driver to resolve this issue.
- Hotfix 6252 (SBM 357381)
Issue: When users export the Scan Exclusion Lists for the following scan types from the "Agent Management" screen of the OfficeScan web console, the generated CSV file will not contain any domain setting information for OfficeScan agents:
- Manual scans
- Real-time scans
- Scheduled scans
- Scan Now
Solution: This hotfix updates the OfficeScan server files to ensure that when users export Scan Exclusion Lists, the domain setting information for each OfficeScan agent appears in the exported CSV files.
- Hotfix 6252 (SBM 355584)
Issue: In some OfficeScan agents managed by the Update Agent (UA), the T-ball logo on the bottom right portion of the screen turns red since the "NtrtScan.exe" program keeps reloading.
Solution: This hotfix configures the "Agent Connection" setting to a global setting such that when it is changed, the Setting Aggregation File (SAF) package will be updated accordingly. This update enables the OfficeScan agents (managed by the Update Agent) to send a report to the OfficeScan server and instruct it to clear the configuration flag since there is a new setting.
- Hotfix 6258 (SBM 354263)
Issue: The OfficeScan server database may crash if the database backup path follows the universal naming convention (UNC) and the backup username length exceeds 32 characters.
Solution: This hotfix updates the OfficeScan server files to resolve this issue.
- Hotfix 6258 (SBM 357598)
Issue: The Microsoft(TM) Windows(TM) Event Log generates too many messages.
Solution: This hotfix enables OfficeScan to extend the cache time to 12 hours.
- Hotfix 6258 (SBM 357926)
Issue: DLP does not block the most current webmail site like Outlook.com.
Solution: This hotfix resolves this issue.
- Hotfix 6258 (SBM 357331)
Issue: After administrators remove or uninstall the OfficeScan agent, the OfficeScan server removes all the OfficeScan agents from the database. This situation occurs when administrators set an agent unique identifier (UID) as a root domain UID.
Solution: This hotfix updates the OfficeScan server files to add two check points to resolve this issue.
- Hotfix 6258 (SBM 356698)
Enhancement: This hotfix provides a way for users to approve programs to run without checks by Meerkat (a detection improvement program that monitors newly encountered programs downloaded through HTTP or email applications).
Procedure: To approve programs to run without checking by Meerkat:
a. Install this hotfix (see "Installation").
b. Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
c. Under the "Global Setting" section, manually add the "MKWL" key and assign the encrypted string of the full program path.
[Global Setting]
MKWL="The encrypted string of the full program path"
Note: The encrypted string of the full program path needs to be provided by an OfficeScan SEG engineer.
d. Save the changes and close the file.
e. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
f. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
Path: for x64 platform
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
for x86 platform
HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
Key: MKWL
Type: String
Value: "The encrypted string of the full program path"
- Hotfix 6258 (SBM 357554)
Enhancement: This hotfix updates the Data Loss Prevention Endpoint SDK 6.0 to support the following Google Chrome versions:
- 54.0.2840.99
- 55.0.2883.75
- Hotfix 6258 (SBM 344921)
Enhancement: This hotfix enables Data Loss Prevention Endpoint SDK 6.0 Webmail channel to share the exception from Email channel.
Procedure: To configure the "apply_email_wblist_to_webmail" setting for DLP:
a. Install this hot fix (see "Installation").
b. Open the "dlp.ini" file in the "\PCCSRV\Private\" folder on the OfficeScan server.
c. Under the "Configure" section, manually add the "apply_email_wblist_to_webmail" key and set its value.
[Configure]
apply_email_wblist_to_webmail = true
d. Save the changes and close the file.
e. Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
f. Click "Save" to deploy the settings to agents.
The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder:
apply_email_wblist_to_webmail=true
g. Restart all OfficeScan agents.
- Hotfix 6258 (SBM 344921)
Enhancement: This hotfix enables the Data Loss Prevention Endpoint SDK 6.0 to support Lotus Notes Webmail with its add-ons installed for Bank of Chengdu.
Procedure: To configure the "inet_enhanced_dwa_parser" setting for DLP:
a. Install this hot fix (see "Installation").
b. Open the "dlp.ini" file in the "\PCCSRV\Private\" folder on the OfficeScan server.
c. Under the "Configure" section, manually add the "inet_enhanced_dwa_parser" key and set its value.
[Configure]
inet_enhanced_dwa_parser = true
d. Save the changes and close the file.
e. Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
f. Click "Save" to deploy the settings to agents.
The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder:
inet_enhanced_dwa_parser=true
g. Restart all OfficeScan agents.
- Hotfix 6263/6281 (SBM 357949)
Issue: Automatic agent grouping uses rules defined by Microsoft(TM) Windows(TM) Active Directory (AD) domains. Sometimes, after the OfficeScan server synchronizes AD information from the Windows server, the status of enabled grouping rules shows a "Warning" sign.
Solution: This hotfix updates the OfficeScan programs to ensure that the enabled grouping rules will not be affected by the synchronized AD information.
- Hotfix 6263/6281 (SBM 357004)
Issue: In Microsoft(TM) Windows(TM) Vista/2008 or later clients, OfficeScan displays an incorrect firewall driver version number. The correct version number is 5.83.1003, but the version number that OfficeScan displays is 5.82.1050.
Solution: This hotfix ensures that the OfficeScan server references the "tmlwf.sys" and "tmwfp.sys" files to determine the correct version number of the common firewall driver.
- Hotfix 6263/6281 (SBM 357915)
Issue: While using the "Export Scan Exclusions" button, the "Scan Exclusion List (File Extensions)" function generates a "N/A" message in the exported CSV file when the "Scan Exclusion List (Files)" value is empty. This issue only happens in the "Scan Now" configuration.
Solution: This hotfix updates the OfficeScan programs to resolve this issue so that users can generate correct information in the CSV file.
- Hotfix 6263/6281 (SBM 357769)
Issue: OfficeScan leaks encrypted account passwords during web console operations. Unauthorized users could use the leaked encrypted password to log on to the OfficeScan server console.
Solution: This hotfix updates the OfficeScan server program to ensure that OfficeScan does not leak encrypted passwords.
- Hotfix 6263/6281 (SBM 358146)
Issue: If users set the default browser to Chrome and click on hyperlinks from other applications, the Chrome page shows a "try to access to an unexpected site "--disable-quic"" message.
Solution: This hotfix ensures that the Chrome page will not access unexpected "--disable-quic" sites when users click hyperlinks from other applications once they set Chrome as the default browser.
- Hotfix 6263/6281 (SBM 356728)
Issue: DLP blocks Exodus-jabber applications unexpectedly.
Solution: This hotfix ensures that Exodus-jabber works normally even when DLP is enabled on the endpoint machines.
- Hotfix 6263/6281 (SBM 356873)
Enhancement: This hotfix enables users to generate the Secure Sockets Layer (SSL) certificate with SHA256 signature algorithm and 2048-bit public key for the OfficeScan web site which is installed on Microsoft(TM) Internet Information Services (IIS) or Apache(TM) HTTP Server through the "SvrSvcSetup.exe" tool.
Procedure: To generate the SSL certificate with SHA256 signature algorithm and 2048-bit public key to manually renew the IIS SSL certificate:
a. Install this hotfix (see "Installation").
b. Log on as administrator, open a command prompt, and navigate to the "\PCCSRV\" directory.
c. Run the following command:
SvrSvcSetup.exe -GenIISCert
A new SSL certificate is generated and is automatically added to the IIS SSL certificate store.
d. Open the IIS Manager console (inetmgr.exe).
e. Right-click the OfficeScan web site, and then click "Edit Bindings...".
f. When the "Site Bindings" window opens, select "https type" and click "Edit...".
g. Select the newly-created SSL certificate and click "OK".
Note: Click the "View..." option to view the 2048-bit public key.
h. Click "Close".
To generate the SSL certificate with SHA256 signature algorithm and 2048-bit public key to manually renew the Apache SSL certificate:
a. Install this hot fix (see "Installation").
b. Log on as administrator, open a command prompt, and navigate to the "\PCCSRV\" directory.
c. Run the following command:
SvrSvcSetup.exe -GenApacheCert
A new SSL certificate is generated and is automatically added to the Apache SSL certificate store.
d. Stop the following services:
- OfficeScan Master Service
- Apache Service
e. Start the following services:
- Apache Service
- OfficeScan Master Service
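To confirm the result of either renewal procedure above, the following PowerShell reads the certificate a web site actually serves and checks it for a SHA256 signature and an RSA key of at least 2048 bits. It is an added example, not part of the Trend Micro readme or tooling; the function names, host name and port are assumptions, and the two sample certificates are constructed in memory so the check can be tried offline.

```powershell
# Added example, not Trend Micro code. Requires Windows PowerShell 5.1 on
# .NET Framework 4.7.2 or later, or PowerShell 7.

# Standard PKCS #1 OIDs for RSA signature algorithms.
$SignatureOids = @{
    '1.2.840.113549.1.1.4'  = 'md5RSA'
    '1.2.840.113549.1.1.5'  = 'sha1RSA'
    '1.2.840.113549.1.1.11' = 'sha256RSA'
    '1.2.840.113549.1.1.12' = 'sha384RSA'
    '1.2.840.113549.1.1.13' = 'sha512RSA'
}

function Get-ServedCertificate {
    # Returns the certificate presented by the TLS listener at HostName:Port.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the certificate is being inspected,
        # not trusted, and a self-signed console certificate is expected.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

function Test-ConsoleCertificate {
    # Reports signature algorithm and RSA key size, and whether both meet
    # the SHA256 / 2048-bit properties named in the hotfix description.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $oid = $Certificate.SignatureAlgorithm.Value
    $sigName = if ($SignatureOids.ContainsKey($oid)) { $SignatureOids[$oid] } else { $oid }

    # GetRSAPublicKey returns $null for non-RSA keys; report those as 0 bits.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        Signature  = $sigName
        RsaKeyBits = $keyBits
        Expired    = ($Certificate.NotAfter -lt (Get-Date))
        Pass       = ($oid -eq '1.2.840.113549.1.1.11') -and ($keyBits -ge 2048)
    }
}

function New-ConstructedSampleCertificate {
    # Builds a throwaway self-signed certificate in memory (nothing is
    # written to a certificate store). Used only for the offline demo below.
    param(
        [Parameter(Mandatory)][int]$KeyBits,
        [Parameter(Mandatory)][System.Security.Cryptography.HashAlgorithmName]$Hash
    )
    $rsa = [System.Security.Cryptography.RSA]::Create($KeyBits)
    $request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=constructed-sample-$KeyBits", $rsa, $Hash,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $now = [DateTimeOffset]::UtcNow
    $request.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
}

# Offline demonstration on constructed certificates: one with the older
# SHA1 / 1024-bit profile, one with the SHA256 / 2048-bit profile.
$old = New-ConstructedSampleCertificate -KeyBits 1024 `
    -Hash ([System.Security.Cryptography.HashAlgorithmName]::SHA1)
$new = New-ConstructedSampleCertificate -KeyBits 2048 `
    -Hash ([System.Security.Cryptography.HashAlgorithmName]::SHA256)
$old, $new |
    ForEach-Object { Test-ConsoleCertificate -Certificate $_ } |
    Format-Table Subject, Signature, RsaKeyBits, Pass -AutoSize

# Against a live server (host name and port are placeholders):
# $cert = Get-ServedCertificate -HostName 'officescan.example.internal' -Port 443
# Test-ConsoleCertificate -Certificate $cert
```

Run the live check after the binding change (IIS) or the service restart (Apache); a result that still shows the old thumbprint means the site is serving the previous certificate.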
- Hotfix 6267/6281 (SBM 358436)
Issue: OfficeScan can synchronize suspicious objects and retrieve actions against these objects from a Control Manager server. However, an expired suspicious object is still synchronized to OfficeScan, which causes false detections on the agent.
Solution: This hotfix updates the OfficeScan programs to ensure that the expired suspicious objects will not be detected.
- Hotfix 6267/6281 (SBM 357701)
Issue: The "Agent Management" page of the OfficeScan web console may not display all OfficeScan agents if the domain has a large number of OfficeScan agents.
Solution: This hotfix resolves the issue by updating the mechanism used by the SQL table containing the OfficeScan agent information.
- Hotfix 6267/6281 (SBM 354253)
Issue: The OfficeScan 11.0 Service Pack 1 Behavior Monitoring feature may block valid programs without leaving a record of the block action in the detection log.
Solution: This hotfix updates the OfficeScan Behavior Monitoring program to ensure that it blocks the correct programs.
- Hotfix 6271/6281 (SBM 354682)
Issue: On x86 platforms, the Aegis module sends Meerkat detection information to the OfficeScan server and displays a pop-up dialog box that allows users to click on the "Allow Once" button. However, even after users click this button, Meerkat still blocks the application.
Solution: This hotfix updates Meerkat to check the payload of API events to prevent this issue from happening.
- Hotfix 6271/6281 (SBM 356152)
Issue: The OfficeScan User-Mode Hooking (UMH) function prevents the "java.exe" program from working properly.
Solution: This hotfix adds "java.exe" onto the OfficeScan UMH whitelist pattern to ensure that the "java.exe" program works properly.
- Hotfix 6271/6281 (SBM 357370)
Issue: The OfficeScan UMH function prevents the WebISO software from working properly.
Solution: This hotfix adds the WebISO software into the OfficeScan UMH whitelist pattern to ensure that the WebISO software works properly.
- Hotfix 6271/6281 (SBM 358458)
Issue: Users may still be able to access web sites that the Trend Micro URL Filtering Engine (TMUFE) failed to rate because of connection issues.
Solution: This hotfix provides a way for users to configure OfficeScan to automatically block access to web sites if the TMUFE cannot rate the web sites.
Procedure: To configure OfficeScan to automatically block access to web sites that the TMUFE cannot rate:
a. Install this hotfix (see "Installation").
b. Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory using a text editor.
c. Under the "Global Setting" section, manually add the following key and set its value to "1".
[Global Setting]
URLFilterErrMode=1
d. Save the changes and close the file.
e. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
f. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\URLFilter\config
Key: ErrMode
Type: dword
Value: 1
For Microsoft(TM) Windows(TM) 7/8/10 and Windows Server 2008 R2/2012/2016:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Osprey\Scan\Common\URLFilter\config
Key: ErrMode
Type: dword
Value: 1
g. Restart the OfficeScan agents.
- Hotfix 6274/6281 (SBM 349044)
Issue: The detected Virus/Malware information that appears in the OfficeScan web console does not match the information in the Trend Micro Control Manager(TM) console.
Solution: This hotfix ensures that the OfficeScan server sends the correct Virus/Malware information to Control Manager so that the information in the OfficeScan web console matches the information in the Control Manager console.
Procedure: To configure OfficeScan to send the accurate information to Control Manager:
a. Install this hotfix (see "Installation").
b. Open the "Product.ini" file in the "\PCCSRV\CmAgent" folder on the OfficeScan server installation directory using a text editor.
c. Under the "Configure" section, manually add the following key and set its value to "1".
[Configure]
EnableSFCacheTimeout=1
d. Save the changes and close the file.
e. Restart the OfficeScan Control Manager Agent.
- Hotfix 6274/6281 (SBM 358714)
Issue: On the "Agents > Agent Management" section of the OfficeScan web console, when users run an advanced search for OfficeScan agents running with Update Agent "Disabled" status, the search results always display both OfficeScan agents running with Update Agent "Enabled" status and "Disabled" status.
Solution: This hotfix updates the OfficeScan server program to ensure that when users run an advanced search for OfficeScan agents running with Update Agent "Disabled" status, it displays the correct result.
- Hotfix 6274/6281 (SBM 359007)
Issue: OfficeScan agents report their antivirus status information to the Microsoft(TM) Windows(TM) Security Center (WSC) when the system starts. However, after the system restarts, WSC displays that the OfficeScan antivirus reports are turned off.
Solution: This hotfix updates the OfficeScan agent program to resolve this issue.
- Hotfix 6274/6281 (SBM 358753)
Issue: The OfficeScan NT Listener service ("TmListen.exe") may stop unexpectedly after the OfficeScan agent encounters a mismatch certificate error. When this happens, the agent update is unsuccessful.
Solution: This hotfix updates the OfficeScan agent program to prevent the "TmListen.exe" from stopping unexpectedly and ensures that the OfficeScan agent can handle the mismatch certificate error properly.
- Hotfix 6274/6281 (SBM 359384)
Issue: DLP does not block the drag-and-drop of files from current Webmail sites (such as "Outlook.office.com" or "Outlook.live.com") when users use Google Chrome to access these Webmail sites.
Solution: This hotfix ensures that OfficeScan does not leak sensitive information when users use Google Chrome to access these Webmail sites.
- Hotfix 6274/6281 (SBM 356731)
Issue: Enabling the Browser Exploit Protection (BEP) function causes Microsoft(TM) Internet Explorer 11 to crash when combined with Trend Micro add-ins (BEP) and the vSentry product from Bromium.
Solution: This hotfix resolves this issue.
- Hotfix 6274/6281 (SBM 356199)
Enhancement: This hotfix enables the Data Loss Prevention (DLP) Endpoint SDK 6.0 module to support version 55.0.2883.87 of the Google(TM) Chrome(TM) web browser and version 50.1.0 of the Mozilla(TM) Firefox(TM) web browser.
- Hotfix 6277 (SBM 354730)
Enhancement: This hotfix enhances the OfficeScan server to support Active Directory subgroups for OfficeScan user accounts.
Procedure: To enable the new service settings:
a. Install this hotfix (see "Installation").
b. Open the "ofcserver.ini" file in the "\PCCSRV\Private" folder on the OfficeScan installation directory.
c. Under the "INI_AD_INTEGRATION_SECTION" section, manually add the following key and set its value to "1".
[INI_AD_INTEGRATION_SECTION]
RBAMultilayerInheritanceForADUser=1
d. Save the changes and close the file.
- Hotfix 6281 (SBM 359424)
Issue: After installing hotfixes on OfficeScan 11.0 Service Pack 1 and activating the OfficeScan Firewall on agents, the Firewall logs display corrupted characters on both the agent console and the OfficeScan server web console.
Solution: This hotfix updates the OfficeScan Firewall to ensure that the Firewall logs display the correct information on both the agent console and the OfficeScan server web console.
- Hotfix 6281 (SBM 355684)
Issue: OfficeScan 11.0 Service Pack 1 (SP1) Critical Patch (CP) Build 6054 is unable to use the Sesame mobile application on endpoints.
Solution: This hotfix ensures that the User-Mode Hooking (UMH) does not hook the "ZWProtectVirtualMemory" API when the "Aclayer.dll" file exists.
- Hotfix 6281 (SBM 358910)
Issue1: Data Loss Prevention does not block large files inside ZIP archives, even if the boundary of the file size exceeds the maximum value.
Solution1: This hotfix ensures that Data Loss Prevention properly blocks large files inside ZIP archives.
Issue2: Microsoft Access (.mdb) files cannot be recovered to USB storage from the Data Loss Prevention backup folder.
Solution2: This hotfix ensures that Data Loss Prevention can successfully recover Microsoft Access (.mdb) files.
- Hotfix 6281 (SBM 355833)
Issue: The Listdeviceinfo tool cannot get information from external devices such as "LaCie Rugged THB USB3 SCSI Disk Device".
Solution: This hotfix resolves this tool issue.
- Hotfix 6281.1 (SBM 357771)
Issue: An issue related to the AEGIS module of the OfficeScan agent program may cause certain operating systems to stop responding.
Solution: This hot fix updates the Behavior Monitoring Service module to resolve the issue.
- Hotfix 6282 (SBM 360127)
Issue: The OfficeScan 11.0 Service Pack 1 Behavior Monitoring feature blocks a valid program.
Solution: This hotfix updates the OfficeScan Behavior Monitoring Local Pattern to solve the issue.
- Critical Patch 6285 (SBM 359321)
Issue: After installing hotfixes on OfficeScan 11.0 Service Pack 1 server, the Smart Scan Pattern may not be able to update properly from the Integrated Smart Protection Server.
Solution: This hotfix updates the OfficeScan ActiveUpdate module to ensure that the Smart Scan Pattern can be updated normally from the Integrated Smart Protection Server.
- Hotfix 6292 (SBM 358489)
Issue: OfficeScan Behavior Monitoring feature is unable to get the device type correctly when users launch programs by running as administrators (using administrator privileges).
Solution: This hotfix updates the Behavior Monitoring Service module to resolve this issue.
- Hotfix 6292 (SBM 359534)
Issue: An initialization issue related to the OfficeScan Control Manager Agent service ("OfcCMAgent.exe") may cause OfcCMAgent.exe to stop unexpectedly.
Solution: This hotfix updates the OfficeScan Control Manager Agent program to prevent this issue.
- Hotfix 6292 (SBM 356903)
Issue: A signature verification issue related to the AEGIS module of the OfficeScan agent program may cause certain operating systems to stop unexpectedly.
Solution: This hotfix updates the Behavior Monitoring Service module to resolve the issue.
- Hotfix 6292 (SBM 360032)
Enhancement: This hotfix enables the Data Loss Prevention (DLP) Endpoint SDK 6.0 module to support the following Google Chrome versions:
- Google (TM) Chrome(TM) 55.0.2883.87
- Google (TM) Chrome(TM) 56.0.2924.87
- Hotfix 6292 (SBM 357707)
Enhancement: This hotfix enables the Address Space Layout Randomization (ASLR) of Data Loss Prevention (DLP) Endpoint SDK 6.0 for DLL injection.
- Hotfix 6299 (SBM 359477)
Issue: The OfficeScan User Mode Hooking (UMH) function may cause the "mkdir.exe" program to stop unexpectedly.
Solution: This hotfix updates the OfficeScan User Mode Hooking module to resolve this issue.
- Hotfix 6299 (SBM 357853)
Issue: When the "Protect documents against unauthorized encryption or modification" feature of Ransomware Protection is enabled, the OfficeScan agent may prevent a valid program from running if the size of the program file is too large.
Solution: This hotfix updates the OfficeScan agent program to resolve this issue.
- Hotfix 6299 (SBM 360097)
Issue: The Server Tuner tool optimizes the performance of the OfficeScan server. However, its Maximum Client Connections setting does not work.
Solution: This hotfix updates the OfficeScan server program to ensure that the tool's Maximum Client Connections setting works normally.
- Hotfix 6299 (SBM 357054)
Issue: When there are hotfix updates, the OfficeScan server checks all client components and prompts all clients with old hotfix versions to apply the updates, including clients where the No Program Upgrade option is enabled. This triggers a large number of unnecessary client notifications.
Solution: This hotfix ensures that the OfficeScan server does not notify a client of hotfix updates if the No Program Upgrade option is enabled in the client.
- Hotfix 6299 (SBM 359331)
Issue: The OfficeScan Behavior Monitoring program ("TMBMSRV.exe") crashes when the "MeerkatSkipUNC" option is enabled.
Solution: This hotfix updates the OfficeScan Behavior Monitoring program to correct this issue.
- Hotfix 6299 (SBM 359521)
Issue: When users upload files from the SMB folder to the internal website and iDLP is enabled, the upload may be interrupted intermittently.
Solution: This hotfix enables iDLP to check if a file is from SMB before it attempts to access the file information. If the source file is an SMB file, iDLP then uses impersonation to download the file.
- Hotfix 6299 (SBM 357721)
Issue: The library license of the third-party application Dymola conflicts with DLP.
Solution: This hotfix adds "dymola.exe" and "license_check.exe" to the approved list to remove the conflict.
- Hotfix 6299 (SBM 359522)
Issue: When OfficeScan parses the contents of a policy that it receives from Control Manager, some space characters may be removed from the policy which changes certain settings when applied to OfficeScan.
Solution: This hotfix ensures that OfficeScan can parse and apply Control Manager policies properly.
- Hotfix 6302 (JIRA 1587)
Issue: The "Quarantine malware variants detected in memory" feature needs to be enabled before the Memory Inspection Pattern (MIP) can be updated on OfficeScan agents.
Solution: This hotfix updates the OfficeScan agent program to resolve this issue.
- Hotfix 6302 (JIRA 1781)
Issue: Sometimes, the value of the "SourceUUID" setting in the "Ofcserver.ini" file is overwritten which prevents OfficeScan from updating the suspicious object list.
Solution: This hotfix ensures that the "SourceUUID" setting is not overwritten unexpectedly.
- Hotfix 6302 (JIRA 2639)
Issue: Sometimes, OfficeScan does not create system dump files when an exception error occurs.
Solution: This hotfix ensures that OfficeScan catches exception system codes and creates the corresponding system dump files when it encounters these codes.
- Hotfix 6306 (SBM 359200)
Issue: The "TMBMSRV.exe" process stops responding when debug log is enabled.
Solution: This hotfix resolves the issue by ensuring that the debug log output function receives the correct information.
- Hotfix 6306 (JIRA 2785)
Issue: A blue screen of death (BSOD) occurs when the OfficeScan agent AEGIS module runs simultaneously with encryption software.
Solution: This hotfix enables the AEGIS module of OfficeScan agents to work normally with encryption software.
- Hotfix 6308 (JIRA 1474)
Issue: The Agent Connectivity widget displays an inaccurate total number of connected clients for each Smart Protection Server.
Solution: This hotfix updates the OfficeScan server program to ensure that the Agent Connectivity widget displays accurate information.
- Hotfix 6310 (JIRA 3508)
Enhancement: The OfficeScan server automatically notifies an OfficeScan client to change its GUID after it determines that there is a duplicate GUID. However, the OfficeScan server does not generate an event log if it cannot notify the client for some reason. This hotfix provides a way for users to enable the OfficeScan server to generate an event log if it cannot notify an OfficeScan client to change its GUID.
Procedure: To enable the OfficeScan server to generate an event log if it cannot notify an OfficeScan client to change its GUID when it detects duplicate GUIDs:
a. Install this hotfix (see "Installation").
b. Using a text editor, open the "Ofcscan.ini" file in the "\PCCSRV\" folder of the OfficeScan server installation directory.
c. Under the "INI_SERVER_SECTION" section, locate the following key and set its value to "1".
[INI_SERVER_SECTION]
Event_Log_Flag=1
d. Save the changes and close the file.
e. Restart the OfficeScan Master Service.
- Hotfix 6313 (JIRA 2354)
Issue: When users set the firewall exception rule to a single IP, the IP address does not appear on the OfficeScan agent console.
Solution: This hotfix ensures that the IP address appears on the OfficeScan agent console.
- Hotfix 6313 (JIRA 3487)
Issue: It takes a long time to export the scan exclusion list from the OfficeScan web console.
Solution: This hotfix improves the export function to enable OfficeScan to export the scan exclusion list faster.
- Hotfix 6313 (JIRA 1442)
Issue: A Microsoft Windows Security audit failure by "tmevtmgr.sys" appears in the Windows system event log.
Solution: This hotfix resolves the issue by enabling the build option in the AEGIS driver to include a "path hash".
- Hotfix 6313 (JIRA 3616)
Issue: When an OfficeScan agent downloads a file that does not have a valid digital signature, the file path information in the corresponding system event log will be truncated on the OfficeScan web console.
Solution: This hotfix ensures that system event logs display the complete file path information on the OfficeScan web console.
- Hotfix 6313 (JIRA 3016)
Enhancement: This hotfix enables Data Loss Prevention Endpoint SDK 6.0 to support the following Google Chrome versions:
- Google Chrome(TM) 57.0.2987.98
- Google Chrome(TM) 57.0.2987.110
- Hotfix 6314 (JIRA 1991, JIRA 2660)
Issue: After users install hotfixes on OfficeScan 11.0 Service Pack 1 and activate the OfficeScan Firewall on agents running Windows XP, the Firewall service encounters network access issues.
Solution: This hotfix updates the OfficeScan Firewall to resolve the network access issues.
Note: Restart the endpoint to update the Common Firewall module of OfficeScan agents.
- Hotfix 6315 (SBM 350467)
Enhancement: This hotfix enables the Behavior Monitoring approved list to support the asterisk (*) and question mark (?) wildcard characters in program path names and file names.
- Hotfix 6317 (JIRA 3533, JIRA 2785, JIRA 3668)
Issue: A blue screen of death (BSOD) occurs when the OfficeScan agent AEGIS module runs simultaneously with encryption software.
Solution: This hotfix enables the AEGIS module of OfficeScan agents to work normally with encryption software.
- Hotfix 6325 (JIRA 1715)
Issue: It takes a long time for the Windows Disk Manager to start when OfficeScan's Ravage Scan feature is enabled.
Solution: This hotfix enables users to configure the OfficeScan Ravage Scan feature to skip a specific virtual hard disk to allow the Disk Manager to start normally.
Procedure: To enable the Ravage Scan feature to skip a specific virtual hard disk:
a. Install this hotfix (see "Installation").
b. Open the Registry Editor.
c. Add the following key:
Path: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmactmon\Parameters]
Type: dword
Key: SkipVirtualHarddisk
Data Value: 00000001
d. Restart the OfficeScan client computer.
- Hotfix 6325 (JIRA 2673)
Issue: PccNT.exe stops unexpectedly because the following agent registry entry contains a value that is larger than the maximum supported value.
Path: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]
Type: dword:7fffffff
Key: TotalScanned
Solution: This hotfix updates the "fcWofieUI.dll" (for 32-bit) and "fcWofieUI_64x.dll" (for 64-bit) OfficeScan agent files to solve this issue.
- Hotfix 6325 (SBM 359608)
Issue: Users cannot run a manual sync on the "Suspicious Object List Setting" page when the "Enable Suspicious URL list" option is disabled.
Solution: This hotfix ensures that manual sync can complete successfully when the "Enable Suspicious URL list" option is disabled.
- Hotfix 6325 (JIRA 3289)
Issue: The error-handling mechanism of POP3 and SMTP scans may attempt to access tmp files which can trigger the TmListen service to stop unexpectedly.
Solution: This hotfix resolves the issue by ensuring that the error-handling mechanism accesses only valid local file paths.
- Critical Patch 6325 (VRTS-283, VRTS-393, VRTS-615)
Issue1: When the Web Reputation Service (WRS) of the OfficeScan agent program blocks access to a certain webpage, it displays the "Website blocked by Trend Micro OfficeScan" alert page instead. This alert page may be affected by XSS vulnerabilities.
Solution1: This critical patch updates the OfficeScan agent program to resolve the XSS vulnerabilities.
Issue2: Encrypted account passwords may leak out during web console operations. Unauthorized users could use the leaked encrypted password to log on to the OfficeScan server console.
Solution2: This critical patch ensures that encrypted passwords are secure during web console operations.
Enhancement: This critical patch updates the OfficeScan agent program to improve its self-protection mechanism against malicious code injection by a local attacker.
- Hotfix 6331 (SBM 358992)
Issue: Users cannot access the "Advanced Search" web page from the "Firewall Profile Settings" page of the OfficeScan web console.
Solution: This hotfix updates the OfficeScan server program files to ensure that users can access the "Advanced Search" web page from the "Firewall Profile Settings" page.
- Hotfix 6331 (JIRA 1891)
Issue: The DLP module may not work normally while other programs are uploading files to the Internet.
Solution: This hotfix ensures that the DLP module works normally when other programs are uploading files to the Internet.
- Hotfix 6342 (JIRA 3345)
Issue: The OfficeScan agent blocks a program that has been downloaded from an email message or through HTTP even when the program is in the approved list.
Solution: This hotfix ensures that OfficeScan agents block the correct programs.
- Hotfix 6342 (JIRA 2468)
Issue: The OfficeScan web console takes longer than usual to load because of a large number of DB_FLUSH commands.
Solution: This hotfix minimizes the number of DB_FLUSH commands to ensure that the OfficeScan web console loads normally.
- Hotfix 6342 (JIRA 3919)
Issue: When enabling the OfficeScan debug log, clicking on the "Save" button twice overwrites the specified debug log path in the "ofcdebug.ini" file. When this happens, debug logs are saved in another location.
Solution: This hotfix enables OfficeScan to always use the default log path if only the log name is set on the web console.
- Hotfix 6342 (JIRA 2232)
Issue: Duplicate DLP violation logs are generated when users attempt to print a PDF file that contains sensitive information in Adobe(TM) Reader.
Solution: This hotfix applies the App White Cache mechanism according to process name to enable DLP to treat multiple print operations from "AcroRd32.exe" that occur within a one-second period as one event. This helps prevent duplicate violation logs.
- Hotfix 6348 (JIRA 3931)
Issue: When DLP detects that sensitive information was sent through an email message in "outlook.com", the OfficeScan agent generates a blank "Activity/Channel" log.
Solution: This hotfix resolves this issue by updating the OfficeScan agent.
- Hotfix 6348 (JIRA 5361)
Enhancement: This hotfix enables DLP Endpoint SDK 6.0 to support Chrome 58.0.3029.81.
- Hotfix 6348 (JIRA 5633)
Enhancement: This hotfix provides a way to configure the AEGIS module in OfficeScan clients to skip Virtual Disks during scans.
Procedure: To configure the AEGIS module to skip Virtual Disks during scans:
a. Install this hotfix (see "Installation").
b. Open the "ofcscan.ini" file in the "\PCCSRV\" folder of the OfficeScan server.
c. Under the "Global Setting" section, manually add the following key and set its value to "1".
[Global Setting]
SkipVirtualHarddisk=1
d. Save the changes and close the file.
e. Open the OfficeScan server management console and click "Agents > Global Agent Settings" on the main menu to access the "Global Agent Settings" page.
f. Click "Save" to deploy the setting to agents.
The OfficeScan server deploys the command to agents and adds the following registry entry on all agent computers:
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmactmon\Parameters
Key: SkipVirtualHarddisk
Type: dword
Value: 1
- Hotfix 6350 (JIRA 5041)
Issue: The operating system version of registered OfficeScan servers installed on Windows Server 2012 R2 appears as "6.2 (build 9200)" instead of "6.3 (build 9600)" on the Control Manager web console.
Solution: This hotfix resolves this issue by ensuring that OfficeScan servers installed on Windows Server 2012 R2 register to the Control Manager server using operating system version "6.3 (build 9600)".
- Hotfix 6351 (JIRA 6181)
Issue: OfficeScan agents running Data Loss Prevention may experience a Blue Screen of Death (BSoD) when accessing files in shared (SMB) folders.
Solution: This hotfix resolves the BSoD issue when accessing files in shared (SMB) folders.
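The Hotfix 6310 and Hotfix 6348 procedures above both depend on a key being added under the correct section of "ofcscan.ini". The following check is an added example, not a Trend Micro tool: it reports whether each key is present, duplicated, misplaced under another section, or set to a value other than "1". It assumes section and key names are matched case-insensitively and that lines starting with ";" or "#" are comments; the sample text is constructed.

```python
import re
import sys
from pathlib import Path

# Settings the procedures add to \PCCSRV\ofcscan.ini: (section, key) -> value.
EXPECTED = {
    ("INI_SERVER_SECTION", "Event_Log_Flag"): "1",   # Hotfix 6310
    ("Global Setting", "SkipVirtualHarddisk"): "1",  # Hotfix 6348
}

# Constructed sample (not a real ofcscan.ini): each key sits under the wrong section.
SAMPLE = """\
[Global Setting]
ExampleKey=0
Event_Log_Flag=1
[INI_SERVER_SECTION]
SkipVirtualHarddisk = 1
"""

def parse_ini(text):
    """Map (section, key), lower-cased, to a list of (line_no, value, section)."""
    entries, section = {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            slot = (section.lower(), key.lower())
            entries.setdefault(slot, []).append((no, value, section))
    return entries

def audit(text, expected=EXPECTED):
    """Return {key: status} for every expected setting."""
    entries, report = parse_ini(text), {}
    for (section, key), want in expected.items():
        hits = entries.get((section.lower(), key.lower()), [])
        # Sections other than the expected one that also define this key.
        stray = [h[0][2] for (s, k), h in entries.items()
                 if k == key.lower() and s != section.lower()]
        if len(hits) > 1:
            report[key] = "duplicate on lines " + ", ".join(str(h[0]) for h in hits)
        elif hits:
            got = hits[0][1]
            report[key] = "ok" if got == want else f"value {got!r}, expected {want!r}"
        elif stray:
            report[key] = f"misplaced under [{stray[0]}]"
        else:
            report[key] = "missing"
    return report

if __name__ == "__main__":
    # Pass the path to a copy of ofcscan.ini, or run without arguments for the sample.
    text = Path(sys.argv[1]).read_text(errors="replace") if len(sys.argv) > 1 else SAMPLE
    for key, status in audit(text).items():
        print(f"{key}: {status}")
```

Run it against a copy of the file before restarting the OfficeScan Master Service or clicking "Save" on the "Global Agent Settings" page.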
8. Contact Information
A license to Trend Micro software usually includes the right to product
updates, pattern file updates, and basic technical support for one (1)
year from the date of purchase only. After the first year, you must
renew Maintenance on an annual basis at Trend Micro's then-current
Maintenance fees.
Contact Trend Micro via fax, phone, and email, or visit our website to
download evaluation copies of Trend Micro products.
http://www.trendmicro.com/us/about-us/contact/index.html
Note: This information is subject to change without notice.
9. About Trend Micro
Smart, simple, security that fits
As a global leader in IT security, Trend Micro develops innovative
security solutions that make the world safe for businesses and
consumers to exchange digital information.
Copyright 2017, Trend Micro Incorporated. All rights reserved.
Trend Micro, OfficeScan, Data Loss Prevention, and the t-ball logo
are trademarks of Trend Micro Incorporated and are registered in
some jurisdictions. All other marks are the trademarks or
registered trademarks of their respective companies.
10. License Agreement
View information about your license agreement with Trend Micro at: http://www.trendmicro.com/us/about-us/legal-policies/license-agreements/.
Third-party licensing agreements can be viewed:
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide