Contents
1. Critical Patch Release Information
Resolved Known Issues
This Critical Patch resolves the following issue(s):
Cookie security is not enabled in the OfficeScan web console's HTTP response.
Solution:
This hotfix updates the OfficeScan server files to ensure that cookie security is enabled in HTTP responses.
A directory traversal vulnerability may allow an attacker to modify arbitrary files on the product's management console.
Solution:
This hotfix updates the OfficeScan server program to remove the vulnerability.
After an OfficeScan agent moves to a new OfficeScan server, a mismatched certificate error appears in the OfficeScan system event logs and Windows application event log in both the agent and new server. This happens because the agent sends the move results to the previous server using the new authentication certificate.
Solution:
This hotfix enables the OfficeScan agent to use the original authentication certificate to report the move results to the previous server after it moves to a new server.
Enhancements
There are no enhancements for this Critical Patch release.
Files Included in this Release
A. Files for Current Issue(s) ------------------------------------------------------------------- Filename Build Number ------------------------------ ------------ OfficeScan\PCCSRV\Admin\Utility\EdgeServer\*.* OfficeScan\PCCSRV\Admin\Utility\SQL\*.* OfficeScan\PCCSRV\Pccnt\Disk1\*.* OfficeScan\PCCSRV\ ------------------------------------------------------------------- Autopcc.exe 11.0.0.6598 Autopccp.exe 11.0.0.6598 CGIResUTF8.dll 11.0.0.6598 CGIShare.dll 11.0.0.6598 libeay32.dll 1.0.2.16 OfcPIPC.dll 12.0.0.6311 SvrSvcSetup.exe 11.0.0.6598 OfficeScan\PCCSRV\Admin\ ------------------------------------------------------------------- Build.exe 2.85.0.1180 Build64.exe 2.85.0.1180 cert5.db * ciussi32.dll 2.0.0.2074 ciussi64.dll 2.0.0.2074 InstReg.exe 12.0.0.6311 patch.exe 2.85.0.1180 Patch64.exe 2.85.0.1180 patchbld.dll 12.21.0.0 PATCHW32.DLL 12.21.0.0 PatchW64.dll 12.20.0.0 TmUpdate.dll 2.85.0.1180 TmUpdate64.dll 2.85.0.1180 Wizard.exe 12.0.0.6311 Wizard_64x.exe 12.0.0.6311 x500.db * OfficeScan\PCCSRV\Admin\Utility\ClientPackager\ ------------------------------------------------------------------- ClnExtor.ini * ClnPack.exe 11.0.0.6598 ClnPack.ini * OfficeScan\PCCSRV\Admin\Utility\ListDeviceInfo\ ------------------------------------------------------------------- listDeviceInfo.exe 6.0.0.1502 OfficeScan\PCCSRV\Admin\Utility\PolicyExportTool\ ------------------------------------------------------------------- CGIResUTF8.dll 11.0.0.6598 OfficeScan\PCCSRV\Admin\Utility\SQL\ ------------------------------------------------------------------- libSQLDatabaseUpgrade.dll 11.0.0.6598 OfficeScan\PCCSRV\Admin\Utility\TMVS\ ------------------------------------------------------------------- DatFHS.dll 12.0.0.6311 libeay32.dll 1.0.2.16 ssleay32.dll 1.0.2.16 TMVS.exe 11.0.0.6598 OfficeScan\PCCSRV\Autopcc.cfg\ ------------------------------------------------------------------- ApNT.ini * ApNT_X64.ini * OfficeScan\PCCSRV\CmAgent\ ------------------------------------------------------------------- CGIResUTF8.dll 11.0.0.6598 En_I18N.dll 5.0.0.2319 En_Utility.dll 5.0.0.2319 libcurl.dll 7.43.0.0 libeay32.dll 1.0.2.16 Microsoft.VC80.CRT.manifest * msvcm80.dll 8.0.50727.762 msvcp80.dll 8.0.50727.762 msvcr80.dll 8.0.50727.762 OfcCMAgent.exe 11.0.0.6598 ProductLibrary.dll 11.0.0.6598 ProductUI.zip * ssleay32.dll 1.0.2.16 TrendAprWrapperDll.dll 5.0.0.2319 zlib.dll 1.2.3.0 OfficeScan\PCCSRV\Download\ ------------------------------------------------------------------- ClnPack_files.xml * OfficeScan\PCCSRV\Download\Engine\ ------------------------------------------------------------------- BMdriver_x32.sig * BMdriver_x32.zip * BMdriver_x64.sig * BMdriver_x64.zip * bmservice_x32.sig * bmservice_x32.zip * bmservice_x64.sig * bmservice_x64.zip * OfficeScan\PCCSRV\Download\Product\ ------------------------------------------------------------------- DlpLite_Common.zip * DlpLite_Common_x64.zip * OfficeScan\PCCSRV\Engine\ ------------------------------------------------------------------- TmAegisSysEvt.dll 2.974.0.1241 TMBMCLI.dll 2.974.0.1241 TMBMSRV.exe 2.974.0.1241 tmCfwApi.dll 5.83.0.1059 tmcomeng.dll 2.974.0.1241 tmelapi.dll 1.6.0.1004 TmEngDrv.dll 2.974.0.1241 tmHash.dll 5.83.0.1059 TMPEM.dll 2.974.0.1241 TmPfw.exe 5.83.0.1059 TmPfwApi.dll 5.83.0.1059 TmPfwRul.dll 5.83.0.1059 tmtap.dll 6.0.0.1074 tmwlutil.dll 2.974.0.1241 OfficeScan\PCCSRV\Engine\x64\ ------------------------------------------------------------------- TmAegisSysEvt.dll 2.974.0.1241 TMBMCLI.dll 2.974.0.1241 TMBMSRV.exe 2.974.0.1241 tmCfwApi.dll 5.83.0.1059 tmcomeng.dll 2.974.0.1241 tmelapi.dll 1.6.0.1004 TmEngDrv.dll 2.974.0.1241 tmHash.dll 5.83.0.1059 TMPEM.dll 2.974.0.1241 TmPfw.exe 5.83.0.1059 TmPfwApi.dll 5.83.0.1059 TmPfwRul.dll 5.83.0.1059 tmtap.dll 6.0.0.1074 tmwlutil.dll 2.974.0.1241 OfficeScan\PCCSRV\LWCS\ ------------------------------------------------------------------- Build.exe 2.85.0.1180 cert5.db * ciuas32.dll 1.0.0.2075 ciussi32.dll 2.0.0.2074 libcurl.dll 7.55.1.0 libeay32.dll 1.0.2.16 patch.exe 2.85.0.1180 patchbld.dll 12.21.0.0 PATCHW32.DLL 12.21.0.0 ssleay32.dll 1.0.2.16 TmUpdate.dll 2.85.0.1180 x500.db * OfficeScan\PCCSRV\Pccnt\ ------------------------------------------------------------------- ClientConsole.zip * NTMonRes.dll 11.0.0.6598 NTRmvRC.dll 11.0.0.6598 NTRtScan.exe 12.0.0.6311 NTSvcRes.dll 11.0.0.6598 OfficeScan\PCCSRV\Pccnt\Common\ ------------------------------------------------------------------- 7z.dll 18.5.0.0 7z.exe 18.5.0.0 CCSF_PTN.zip * CCSF_WIN32.zip * CNTAosUnInstaller.exe 2.2.0.1334 com.trendmicro.tmopfirefox.ext.json * com.trendmicro.tmopfirefox.ext@trendop.xpi * CompRmv.exe 12.0.0.6311 DatFHS.dll 12.0.0.6311 fcWofieUI.dll 12.0.0.6311 ICRCHdler.dll 2.7.0.1111 lib7zWrapper.dll * libcurl.dll 7.49.1.0 libeay32.dll 1.0.2.16 libprotobuf.dat * libprotobuf.dll * NTRmv.exe 12.0.0.6311 OfcCCCAUpdate.exe 12.0.0.6311 OfcPfwSvc.dll 12.0.0.6311 OfcPIPC.dll 12.0.0.6311 PccNT.exe 12.0.0.6311 PccNTMon.exe 12.0.0.6311 PccNTUpd.exe 12.0.0.6311 perfiCrcPerfMonMgr.dll 2.7.0.1111 ssleay32.dll 1.0.2.16 SurrogateTmListen.exe 12.0.0.6311 tmCfwApi.dll 5.83.0.1059 TmFpHcEx.exe 5.83.0.1059 tmHash.dll 5.83.0.1059 TmListen.dll 12.0.0.6311 TmListen.exe 12.0.0.6311 TmListenShare.dll 12.0.0.6311 TmopCfg.dll 2.0.0.1100 TmopChromeMsgHost32.exe 2.0.0.1094 TmopExtIns.exe 2.0.0.1094 TmopIEPlg.dll 2.0.0.1094 TmOPP.dll 12.0.0.6311 TmoppeUrlF.dll 2.0.0.1100 TmopphPop3.dll 2.0.0.1096 TmopphSmtp.dll 2.0.0.1096 TmOsprey.dll 2.0.0.1094 TmPfw.exe 5.83.0.1059 TmPfwApi.dll 5.83.0.1059 TmPfwCtl.dll 5.83.0.1059 TmPfwCtl_xp.dll 5.83.0.1059 TmPfwRul.dll 5.83.0.1059 TmSock.dll 12.0.0.6311 tmufeng.dll 3.9.0.1012 tmwfpapi.dll 5.83.0.1059 UpdGuide.exe 12.0.0.6311 Upgrade.exe 12.0.0.6311 utilPfwInstCondChecker.exe 12.0.0.6311 WofieLauncher.exe * xpupg.exe 12.0.0.6311 OfficeScan\PCCSRV\Pccnt\Drv\ ------------------------------------------------------------------- tmactmon.cat * tmactmon.inf * tmactmon.sys 2.974.0.1236 tmcomm.cat * tmcomm.inf * tmcomm.sys 6.60.0.1065 tmeevw.cat * tmeevw.inf * tmeevw.sys 2.0.0.1039 tmevtmgr.cat * tmevtmgr.inf * tmevtmgr.sys 2.974.0.1236 tmlwf.cat * tmlwf.inf * TMLWF.sys 5.83.0.1059 tmlwfins.exe 5.83.0.1059 tmusa.cat * tmusa.inf * tmusa.sys 2.0.0.1103 tmwfp.cat * tmwfp.inf * TMWFP.sys 5.83.0.1059 tmwfpins.exe 5.83.0.1059 OfficeScan\PCCSRV\Pccnt\Drv\X64\ ------------------------------------------------------------------- tmactmon.cat * tmactmon.inf * tmactmon.sys 2.974.0.1236 tmcomm.cat * tmcomm.inf * tmcomm.sys 6.60.0.1065 tmeevw.cat * tmeevw.inf * tmeevw.sys 2.0.0.1039 tmevtmgr.cat * tmevtmgr.inf * tmevtmgr.sys 2.974.0.1236 tmlwf.cat * tmlwf.inf * TMLWF.sys 5.83.0.1059 tmlwfins.exe 5.83.0.1059 tmusa.cat * tmusa.inf * tmusa.sys 2.0.0.1103 tmwfp.cat * tmwfp.inf * TMWFP.sys 5.83.0.1059 tmwfpins.exe 5.83.0.1059 OfficeScan\PCCSRV\Pccnt\Win64\X64\ ------------------------------------------------------------------- 7z.dll 18.5.0.0 7z.exe 18.5.0.0 CCSF_X64.zip * CompRmv.exe 12.0.0.6311 DatFHS.dll 12.0.0.6311 fcWofieUI.dll 12.0.0.6311 ICRCHdler.dll 2.7.0.1111 lib7zWrapper_64x.dll * libcurl.dll 7.49.1.0 libeay32.dll 1.0.2.16 libprotobuf.dat * libprotobuf.dll * NTRmv.exe 12.0.0.6311 Ntrtscan.exe 12.0.0.6311 OfcCCCAUpdate.exe 12.0.0.6311 OfcPfwSvc_64x.dll 12.0.0.6311 OfcPIPC_64x.dll 12.0.0.6311 PccNT.exe 12.0.0.6311 PccNTMon.exe 12.0.0.6311 PccNTUpd.exe 12.0.0.6311 perfiCrcPerfMonMgr.dll 2.7.0.1111 ssleay32.dll 1.0.2.16 SurrogateTmListen.exe 12.0.0.6311 tmCfwApi.dll 5.83.0.1059 TmFpHcEx.exe 5.83.0.1059 tmHash.dll 5.83.0.1059 TmListen.exe 12.0.0.6311 TmListen_64x.dll 12.0.0.6311 TmListenShare_64x.dll 12.0.0.6311 TmopCfg.dll 2.0.0.1100 TmopExtIns.exe 2.0.0.1094 TmopExtIns32.exe 2.0.0.1094 TmopIEPlg.dll 2.0.0.1094 TmopIEPlg32.dll 2.0.0.1094 TmOPP_64x.dll 12.0.0.6311 TmoppeUrlF.dll 2.0.0.1100 TmopphPop3.dll 2.0.0.1096 TmopphSmtp.dll 2.0.0.1096 TmOsprey.dll 2.0.0.1094 TmOsprey32.dll 2.0.0.1094 TmPfw.exe 5.83.0.1059 TmPfwApi.dll 5.83.0.1059 TmPfwCtl.dll 5.83.0.1059 TmPfwCtl_xp.dll 5.83.0.1059 TmPfwRul.dll 5.83.0.1059 TmSock_64x.dll 12.0.0.6311 tmufeng.dll 3.9.0.1012 tmwfpapi.dll 5.83.0.1059 UpdGuide.exe 12.0.0.6311 Upgrade.exe 12.0.0.6311 utilPfwInstCondChecker.exe 12.0.0.6311 WofieLauncher.exe * xpupg.exe 12.0.0.6311 OfficeScan\PCCSRV\Private\ ------------------------------------------------------------------- DlpClc.xml * RansomwareWidget.ini * OfficeScan\PCCSRV\Private\certificate\ ------------------------------------------------------------------- libeay32.dll 1.0.2.16 openssl.exe * ssleay32.dll 1.0.2.16 OfficeScan\PCCSRV\Private\LogServer\ ------------------------------------------------------------------- 7z.dll 18.5.0.0 7z.exe 18.5.0.0 OfcPIPC.dll 12.0.0.6311 OfficeScan\PCCSRV\Web\Service\ ------------------------------------------------------------------- 7z.dll 18.5.0.0 Build.exe 2.85.0.1180 cert5.db * CGIOCommon.dll 11.0.0.6598 CGIResUTF8.dll 11.0.0.6598 CGIShare.dll 11.0.0.6598 ciuas32.dll 1.0.0.2075 ciussi32.dll 2.0.0.2074 CmdHLClient.dll 11.0.0.6598 CmdHOConsole.dll 11.0.0.6598 cme_dll.dll 6.0.0.1539 cme_vxe_dll_static.dll 6.0.0.1539 DatFHS.dll 12.0.0.6311 DbServer.exe 11.0.0.6598 lib7zWrapper.dll * libCmdHndlrClientV2.dll 11.0.0.6598 libCmdHndlrConsoleV2.dll 11.0.0.6598 libcurl.dll 7.58.0.0 libcurl_ofc.dll 7.58.0.0 libeay32.dll 1.0.2.16 NTSvcRes.dll 11.0.0.6598 OfcCCCAUpdate.exe 12.0.0.6311 OfcDownload.dll 11.0.0.6598 OfcHotFix.exe 11.0.0.6598 OfcNotifyQueue.dll 11.0.0.6598 OfcService.exe 11.0.0.6598 patch.exe 2.85.0.1180 patchbld.dll 12.21.0.0 PATCHW32.DLL 12.21.0.0 ssleay32.dll 1.0.2.16 TmUpdate.dll 2.85.0.1180 VerConn.exe 11.0.0.6598 x500.db * OfficeScan\PCCSRV\Web\Service\PLM\ ------------------------------------------------------------------- 7z.dll 18.5.0.0 OfficeScan\PCCSRV\Web_OSCE\Web\CGI\ ------------------------------------------------------------------- cgiExportInfo.exe 11.0.0.6598 CGIOCommon.dll 11.0.0.6598 cgiRecvFile.exe 11.0.0.6598 CGIResUTF8.dll 11.0.0.6598 cgiRqUpd.exe 11.0.0.6598 CGIShare.dll can\ 11.0.0.6598 libeay32.dll 1.0.2.16 SSO_PKIHelper.dll 5.0.0.2319 OfficeScan\PCCSRV\Web_OSCE\Web_Console\CGI\ ------------------------------------------------------------------- cgiAuthManagement.exe 11.0.0.6598 cgiCmdNotify.exe 5.0.0.2319 CGIOCommon.dll 11.0.0.6598 CGIResUTF8.dll 11.0.0.6598 CGIShare.dll 11.0.0.6598 cgiShowClientAdm.exe 11.0.0.6598 cgiShowLogs.exe 11.0.0.6598 cgiShowSummary.exe 11.0.0.6598 cgiShowWSSAdmin.exe 11.0.0.6598 cgiWebUpdate.exe 11.0.0.6598 cgiWebUpdate.ini * libeay32.dll 1.0.2.16 ssleay32.dll 1.0.2.16 SSO_PKIHelper.dll 5.0.0.2319 TrendAprWrapperDll.dll 5.0.0.2319 OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\aegis\ ------------------------------------------------------------------- data_protection.htm * device_control.htm * OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\Auth\ ------------------------------------------------------------------- admin_account_info.htm * Admin_User_List.htm * OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\behavior_monitoring\ ------------------------------------------------------------------- bm_settings.htm * OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\ClientInstall\ ------------------------------------------------------------------- agent_install.htm * WinNTChk.cab * OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\clientmag\ ------------------------------------------------------------------- client_list_2.htm * client_ofsc_services.htm * client_searchwindow.htm * OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\common\ ------------------------------------------------------------------- menu_common.js * OfficeScan\PCCSRV\Web_OSCE\Web_Console\HTML\common\l10n\ ------------------------------------------------------------------- l10n.aegis.js * l10n.dlp.js * l10n.serveradm.js * OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\common\settings\ ------------------------------------------------------------------- setting.dlp.js * OfficeScan\PCCSRV\Web_OSCE\Web_Console\HTML\dlp\ ------------------------------------------------------------------- dlp_FileAttr_addedit.htm * OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\serveradm\ ------------------------------------------------------------------- server_proxy.htm * OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\inc\ ------------------------------------------------------------------- config.php * OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\inc\class\common\soap\ ------------------------------------------------------------------- SoapFactory.php * OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\inc\class\proxy\ ------------------------------------------------------------------- HttpTalk.php * OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\widget\repository\widgetPool\ ------------------------------------------------------------------- DeleteWidgetsFromDB.bat * OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\repository\widgetPool\wp%RETCODE%\inc\ ------------------------------------------------------------------- common.php * config.php * product_auth.php * OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\repository\widgetPool\wp%RETCODE%\interface\ ------------------------------------------------------------------- analyzeWF.php * OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\repository\widgets_new\inc\ ------------------------------------------------------------------- common.php * config.php * product_auth.php * OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\repository\widgets_new\interface\ ------------------------------------------------------------------- analyzeWF.php * OfficeScan\PCCSRV\Web_OSCE\Web_Console\RemoteInstallCGI\ ------------------------------------------------------------------- cgiGetNTDomain.exe 11.0.0.6598 CGIOCommon.dll 11.0.0.6598 CGIResUTF8.dll 11.0.0.6598 CGIShare.dll 11.0.0.6598 Wizard.exe 12.0.0.6311 Wizard_64x.exe 12.0.0.6311 OfficeScan\PCCSRV\WSS\ ------------------------------------------------------------------- Build.exe 2.85.0.1180 cert5.db * ciuas32.dll 1.0.0.2075 ciussi32.dll 2.0.0.2074 patch.exe 2.85.0.1180 patchbld.dll 12.21.0.0 PATCHW32.DLL 12.21.0.0 TmUpdate.dll 2.85.0.1180 x500.db * B. Network Traffic Required in Deployment ------------------------------------------------------------------- Estimated size (in terms of bandwidth) of deployed agent files in this hotfix. - 32-bit agent total = 80.0 MB - 64-bit agent total = 113.2 MB
2. Documentation Set
To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com
- Online Help: The Online Help contains an overview of features and key concepts, and information on configuring and maintaining the product.
To access the Online Help, go to http://docs.trendmicro.com
- Installation Guide (IG): The Installation Guide contains information on requirements and procedures for installing and deploying the product.
- Administrator's Guide (AG): The Administrator's Guide contains an overview of features and key concepts, and information on configuring and maintaining the product.
- Getting Started Guide (GSG): The Getting Started Guide contains product overview, installation planning, installation and configuration instructions, and basic information intended to get the product 'up and running'.
- Support Portal: The Support Portal contains information on troubleshooting and resolving known issues.
- To access the Support Portal, go to http://esupport.trendmicro.com
3. System Requirements
4. Installation/Uninstallation
Installing
To install:
- Copy the Critical Patch executable file to a temporary folder on the server, for example, "C:\temp".
- Double-click the file. The modules are automatically copied to the correct destination. This Critical Patch installation package automatically rolls back the OfficeScan server to its previous configuration if there are problems during installation. If you encounter problems after installation, do a manual rollback.
Uninstalling
To manually roll back to the previous build:
- Locate the backup folder that the Critical Patch package created in the "\PCCSRV\Backup\CriticalPatch_B6598" directory.
- Stop the OfficeScan Master Service.
- Stop the OfficeScan CMAgent Service.
- Copy the backup modules to the original folders.
- Start the OfficeScan CMAgent Service.
- Start the OfficeScan Master Service.
5. Post-installation Configuration
No post-installation steps are required.
NOTE: Trend Micro recommends that you update your scan engine and virus pattern files immediately after installing the product.
6. Known Issues
There are no known issues for this Critical Patch release.
7. Release History
Prior Hotfixes
Only this hotfix was tested for this release. Prior hotfixes were tested at the time of their release.
(TT-356853)
Installing OfficeScan 10.5 Patch 6 by web installation also installs ActiveX on the computer, however, ActiveX is not removed during client uninstallation. As a result, users encounter an error while installing OfficeScan 11 Service Pack 1 Critical Patch 6054 by web installation. This happens because the "WinNTchk.dll" for the ActiveX component cannot be updated when a previous version of the file exists in the installation directory. When this happens, the web installation fails.
Solution:
This hotfix ensures that the OfficeScan server adds the version information of the "WinNTChk.cab" file when it triggers web installation.
(TT-357563)
It is reported that the OfficeScan NT Listener service (TmListen.exe) in OfficeScan 11.0 Service Pack 1 Patch 1 failed to start up on endpoints running Microsoft(TM) Windows(TM) Vista or Windows Server 2008.
Solution:
This hotfix updates the OfficeScan agent program to resolve this issue.
(TT-352284)
The User Mode Hooking (UMH) driver causes an unexpected error.
Solution:
This hotfix updates the UMH driver to resolve this issue.
(TT-357381)
When users export the Scan Exclusion Lists for the following scan types from the "Agent Management" screen of the OfficeScan web console, the generated CSV file will not contain any domain setting information for OfficeScan agents:
- Manual scans
- Real-time scans
- Scheduled scans
- Scan Now
Solution:
This hotfix updates the OfficeScan server files to ensure that when users export Scan Exclusion Lists, the domain setting information for each OfficeScan agent appear on the exported CSV files.
(TT-355584)
In some OfficeScan agents managed by the Update Agent (UA), the T-ball logo on the bottom right portion of the screen turns red since the "NtrtScan.exe" program keeps reloading.
Solution:
This hotfix configures the "Agent Connection" setting to a global setting such that when it is changed, the Setting Aggregation File (SAF) package will be updated accordingly. This update enables the OfficeScan agents (managed by the Update Agent) to send a report to the OfficeScan server and instruct it to clear the configuration flag since there is a new setting.
(TT-358070)
When users run the Agent Packager tool in the CLI to create setup or update packages for the OfficeScan agent, there is no way to specify a domain where all freshly-installed clients should belong to.
Solution:
This hotfix updates the Agent Packager tool to enable users to specify a domain for freshly-installed agents using the "/domain" parameter when creating setup or update packages for the OfficeScan agent through the CLI.
(TT-354263)
The OfficeScan server database may crash if the database backup path follows the universal naming convention (UNC) and the backup username length exceeds 32 characters.
Solution:
This hotfix updates the OfficeScan server files to resolve this issue.
(TT-357598)
The Microsoft(TM) Windows(TM) Event Log generates too many messages.
Solution:
This hotfix enables OfficeScan to extend the cache time to 12 hours.
(TT-357926)
An issue prevents the Data Loss Prevention module from blocking the most current webmail site, for example "Outlook.com".
Solution:
This hotfix resolves this issue.
(TT-357331)
After administrators remove or uninstall the OfficeScan agent, the OfficeScan server removes all the OfficeScan agents from the database. This situation occurs when administrators set an agent unique identifier (UID) as a root domain UID.
Solution:
This hotfix updates the OfficeScan server files to add two check points to resolve this issue.
(TT-356698)
This hotfix provides a way for users to approve programs to run without checks by Meerkat (a detection improvement program that monitors newly encountered programs downloaded through HTTP or email applications).
Procedure:
To approve programs to run without checking by Meerkat:
- Install this hotfix (see "Installation").
- Open the "Ofcscan.ini" file in the "\PCCSRV\"folder on the OfficeScan server installation directory.
- Under the "Global Setting" section, manually add the "MKWL" key and assign the encrypted string of the full program path.
- [Global Setting]
- MKWL="The encrypted string of the full program path"
- NOTE: The encrypted string of the full program path needs to be provided by OfficeScan SEG engineer.
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
- Path: for x64 platform: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
- Path: for x86 platform HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
- Key: MKWL
- Type: String
- Value: "The encrypted string of the full program path"
(TT-357554)
This hotfix updates Trend Micro Data Loss Prevention(TM) (DLP) Endpoint SDK 6.0 to support the following Google Chrome versions:
- 54.0.2840.99
- 55.0.2883.75
(TT-344921)
This hotfix enables the DLP Endpoint SDK 6.0 Webmail channel to share the exception from Email channel.
Procedure:
To configure the "apply_email_wblist_to_webmail" setting for DLP:
- Install this hotfix (see "Installation").
- Open the "dlp.ini" file in the "\PCCSRV\Private\"folder on the OfficeScan server.
- Under the "Configure" section, manually add the "apply_email_wblist_to_webmail" key and set its value.
- [Configure]
- apply_email_wblist_to_webmail=true
- Save the changes and close the file.
- Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
- Click "Save" to deploy the settings to agents". The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder:
apply_email_wblist_to_webmail=true
- Restart all OfficeScan agents.
(TT-344921)
This hotfix enables Data Loss Prevention Endpoint SDK 6.0 to support Lotus Notes Webmail with its add-ons installed for Bank of Chengdu.
Procedure:
To configure the "inet_enhanced_dwa_parser"setting for DLP:
- Install this hotfix (see "Installation").
- Open the "dlp.ini" file in the "\PCCSRV\Private\"folder on the OfficeScan server.
- Under the "Configure" section, manually add the "inet_enhanced_dwa_parser" key and set its value.
- [Configure]
- inet_enhanced_dwa_parser=true
- Save the changes and close the file.
- Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
- Click "Save" to deploy the settings to agents".
- The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder:inet_enhanced_dwa_parser=true
- Restart all OfficeScan agents.
(TT-357949)
Automatic agent grouping uses rules defined by Microsoft(TM) Windows(TM) Active Directory (AD) domains. Sometimes, after the OfficeScan server synchronizes AD information from the Windows server, the status of enabled grouping rules shows a "Warning" sign.
Solution:
This hotfix updates the OfficeScan programs to ensure that the enabled grouping rules will not be affected by the synchronized AD information.
(TT-357004)
In Windows Vista/2008 or later clients, OfficeScan displays an incorrect firewall driver version number. The correct version number is 5.83.1003, but the version number that OfficeScan displays is 5.82.1050.
Solution:
This hotfix ensures that the OfficeScan server references the "tmlwf.sys" and "tmwfp.sys" files to determine the correct version number of the common firewall driver.
(TT-357915)
While using the "Export Scan Exclusions" button, the "Scan Exclusion List (File Extensions)" function generates a "N/A" message in the exported CSV file when the "Scan Exclusion List (Files)" value is empty. This issue only happens in the "Scan Now" configuration.
Solution:
This hotfix updates the OfficeScan programs to resolve this issue so that users can generate correct information in the CSV file.
(TT-357769)
OfficeScan leaks encrypted account passwords during web console operations. Unauthorized users could use the leaked encrypted password to log on to the OfficeScan server console.
Solution:
This hotfix updates the OfficeScan server program to ensure that OfficeScan does not leak encrypted passwords.
(TT-358146)
If users set the default browser to Chrome and click on hyperlinks from other applications, the Chrome page shows a "try to access to an unexpected site "--disable-quic"" message.
Solution:
This hotfix ensures that the Chrome page will not access unexpected "--disable-quic" sites when users click hyperlinks from other applications once they set Chrome as the default browser.
(TT-356728)
Data Loss Prevention(TM) (DLP) blocks Exodus-jabber applications unexpectedly.
Solution:
This hotfix ensures that Exodus-jabber works normally even when DLP is enabled on the endpoint machines.
The Qastor application fails because Trend Micro's firewall takes too much time to check the hash of the related executable image. This situation causes a timeout on the application's connection to the server.
Solution:
This hotfix updates the Network Security Components to ensure that Trend Micro's firewall will asynchronously compute the hash value of the executable image that initiated a connection. While the firewall computes the hash, all rules of the Application Filter will be unavailable until the hash value is computed, preventing the system from blocking the application from its connection.
Procedure:
To apply and deploy the solution globally:
- Install this hotfix (see "Installation") and wait until the new Network Security Components has been deployed to agents.
- Restart the agent computers.
- Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
- Add "AsyncHash=1" and "ALEPend=1" under the "Global Setting" section.
[Global Setting]
- AsyncHash=1
- ALEPend=1
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\PFW
- Key: AsyncHash
- Type: REG_DWORD
- Value: 1
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmWfp\Parameters
- Key: ALEPend
- Type: REG_DWORD
- Value: 1
(TT-356873)
This hotfix enables users to generate the Secure Sockets Layer (SSL) certificate with SHA256 signature algorithm and 2048-bit public key for the OfficeScan web site which is installed on Microsoft Internet Information Services (IIS) or Apache(TM) HTTP Server through the "SvrSvcSetup.exe" tool.
Procedure:
To generate the SSL certificate with SHA256 signature algorithm and 2048-bit public key for manually renew the IIS SSL certificate:
- Install this hotfix (see "Installation").
- Log on as administrator, open a command prompt, and navigate to the "\PCCSRV\" directory.
- Run the following command:
SvrSvcSetup.exe -GenIISCert
A new SSL certificate is generated and is automatically added to the IIS SSL certificate store.
- Open the IIS Manager console (inetmgr.exe).
- Right-click the OfficeScan web site, and then click "Edit Bindings...".
- When the "Site Bindings" window opens, select "https type" and click "Edit...".
- Select the newly-created SSL certificate and click "OK". NOTE: Click the "View..." option to view the 2048-bit public key.
- Click "Close".
To generate the SSL certificate with SHA256 signature algorithm and 2048-bit public key for manually renew the Apache SSL certificate:
- Install this hotfix (see "Installation").
- Log on as administrator, open a command prompt, and navigate to the "\PCCSRV\" directory.
- Run the following command:
SvrSvcSetup.exe -GenApacheCert
A new SSL certificate is generated and is automatically added to the Apache SSL certificate store. - Stop the following services:
- OfficeScan Master Service
- Apache Service
- Start the following services:
- Apache Service
- OfficeScan Master Service
(TT-358436)
OfficeScan can synchronize suspicious objects and retrieve actions against these objects from a Control Manager server. However, an expired suspicious object is still synchronized to OfficeScan that makes false detections on the agent.
Solution:
This hotfix updates the OfficeScan programs to ensure that the expired suspicious objects will not be detected.
(TT-357701)
The "Agent Management" page of the OfficeScan web console may not display all OfficeScan agents if the domain has a large number of OfficeScan agents.
Solution:
This hotfix resolves the issue by updating the mechanism used by the SQL table containing the OfficeScan agent information.
(TT-354253)
The OfficeScan 11.0 Service Pack 1 Behavior Monitoring feature may block valid programs without leaving a record of the block action in the detection log.
Solution:
This hotfix updates the OfficeScan Behavior Monitoring program to ensure that it blocks the correct programs.
(TT-354682)
On x86 platforms, the Aegis module sends Meerkat detection information to the OfficeScan server and displays a pop-up dialog box that allows users to click on the "Allow Once" button. However, even after users clicked on this button, Meerkat still blocks the application.
Solution:
This hotfix updates Meerkat to check the payload of API events to prevent this issue from happening.
(TT-356152)
The OfficeScan User-Mode Hooking (UMH) function prevents the "java.exe" program from working properly.
Solution:
This hotfix adds "java.exe" onto the OfficeScan UMH whitelist pattern to ensure that the "java.exe" program works properly.
(TT-357370)
The OfficeScan UMH function prevents the WebISO software from working properly.
Solution:
This hotfix adds the WebISO software into the OfficeScan UMH whitelist pattern to ensure that the WebISO software works properly.
(TT-358458)
Users may still be able to access web sites that the Trend Micro URL Filtering Engine (TMUFE) failed to rate because of connection issues.
Solution:
This hotfix provides a way for users to configure OfficeScan to automatically block access to web sites if the TMUFE cannot rate the web sites.
Procedure:
To configure OfficeScan to automatically block access to web sites that the TMUFE cannot rate:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\"folder on the OfficeScan server installation directory using a text editor.
- Under the "Global Setting" section, manually add the following key and set its value to "1".
- [Global Setting]
- URLFilterErrMode=1
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\URLFilter\config
- Key: ErrMode
- Type: dword
- Value: 1
For Microsoft(TM) Windows(TM) 7/8/10 and Windows Server 2008 R2/2012/2016:
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Osprey\Scan\Common\URLFilter\config
- Key: ErrMode
- Type: dword
- Value: 1
- Restart the OfficeScan agents.
(TT-349044)
The detected Virus/Malware information that appears in the OfficeScan web console does not match the information in the Trend Micro Control Manager(TM) console.
Solution:
This hotfix ensures that the OfficeScan server sends the correct Virus/Malware information to Control Manager so that the information in the OfficeScan web console matches the information in the Control Manager console.
Procedure:
To configure OfficeScan to send the accurate information to Control Manager:
- Install this hotfix (see "Installation").
- Open the "Product.ini" file in the "\PCCSRV\CmAgent" folder on the OfficeScan server installation directory using a text editor.
- Under the "Configure" section, manually add the following key and set its value to "1".
- [Configure]
- EnableSFCacheTimeout=1
- Save the changes and close the file.
- Restart the OfficeScan Control Manager Agent.
(TT-358714)
On the "Agents > Agent Management" section of the OfficeScan web console, when users run an advanced search for OfficeScan agents running with Update Agent "Disabled" status, the search results always display both OfficeScan agents running with Update Agent "Enabled" status and "Disabled" status.
Solution:
This hotfix updates the OfficeScan server program to ensure that when users run an advanced search for OfficeScan agents running with Update Agent "Disabled" status, it displays the correct result.
(TT-359007)
OfficeScan agents report their antivirus status information to the Microsoft(TM) Windows(TM) Security Center (WSC) when the system starts. However, after the system restarts, WSC displays that the OfficeScan antivirus reports are turned off.
Solution:
This hotfix updates the OfficeScan agent program to resolve this issue.
(TT-358753)
The OfficeScan NT Listener service ("TmListen.exe") may stop unexpectedly after the OfficeScan agent encounters a mismatch certificate error. When this happens, the agent update is unsuccessful.
Solution:
This hotfix updates the OfficeScan agent program to prevent the "TmListen.exe" from stopping unexpectedly and ensures that the OfficeScan agent can handle the mismatch certificate error properly.
(TT-359384)
DLP does not block the drag-and-drop of files from current Webmail sites (such as "Outlook.office.com" or "Outlook.live.com) when users use Google Chrome to access these Webmail sites.
Solution:
This hotfix ensures that OfficeScan does not leak sensitive information when users use Google Chrome to access these Webmail sites.
(TT-356199)
This hotfix enables the Data Loss Prevention (DLP) Endpoint SDK 6.0 module to support version 55.0.2883.87 of the Google(TM) Chrome(TM) web browser and version 50.1.0 of the Mozilla(TM) Firefox(TM) web browser.
(TT-354730)
This hotfix enhances the OfficeScan server to support Active Directory subgroups for OfficeScan user accounts.
Procedure:
To enable the new service settings:
- Install this hotfix (see "Installation").
- Open the "ofcserver.ini" file in the "\PCCSRV\Private" folder on the OfficeScan installation directory.
- Under the "INI_AD_INTEGRATION_SECTION" section, manually add the following key and set its value to "1".
- [INI_AD_INTEGRATION_SECTION]
- RBAMultilayerInheritanceForADUser=1
- Save the changes and close the file.
An issue related to the AEGIS module of the OfficeScan agent program may cause certain operating systems to stop responding.
Solution:
This hotfix updates the Behavior Monitoring Service module to resolve the issue.
(TT-359424)
After installing hotfixes on OfficeScan 11.0 Service Pack 1 and activating the OfficeScan Firewall on agents, the Firewall logs display corrupted characters on both the agent console and the OfficeScan server web console.
Solution:
This hotfix updates the OfficeScan Firewall to ensure that the Firewall logs display the correct information on both the agent console and the OfficeScan server web console.
(TT-355684)
OfficeScan 11.0 Service Pack 1 (SP1) Critical Patch (CP) Build 6054 is unable to use the Sesame mobile application on endpoints.
Solution:
This hotfix ensures that the User-Mode Hooking (UMH) does not hook the "ZWProtectVirtualMemory" API when the "Aclayer.dll" file exists.
(TT-358910)
Data Loss Prevention(TM) (DLP) does not block large files inside ZIP archives, even if the boundary of the file size exceeds the maximum value.
Solution:
This hotfix ensures that DLP properly blocks large files inside a ZIP archives.
(TT-358910)
Microsoft Access (.mdb) files cannot be recovered to USB storage from the Data Loss Prevention backup folder.
Solution:
This hotfix ensures that Data Loss Prevention can successfully recover Microsoft Access (.mdb) files.
(TT-355833)
The Listdeviceinfo tool cannot get information from external devices such as "LaCie Rugged THB USB3 SCSI Disk Device".
Solution:
This hotfix resolves this tool issue.
(TT-358489)
OfficeScan Behavior Monitoring feature is unable to get the device type correctly when users launch programs by running as administrators (using administrator privileges).
Solution:
This hotfix updates the Behavior Monitoring Service module to resolve this issue.
(TT-359534)
An initialized issue related to the OfficeScan Control Manager Agent service ("OfcCMAgent.exe") may cause the OfcCMAgent.exe to stop unexpectedly.
Solution:
This hotfix updates the OfficeScan Control Manager Agent program to prevent from this issue.
(TT-356903)
A signature verification issue related to the AEGIS module of the OfficeScan agent program may cause certain operating systems to stop unexpectedly.
Solution:
This hotfix updates the Behavior Monitoring Service module to resolve the issue.
Reported Issue from CP B6285
After installing OfficeScan Service Pack 1 (SP1) Patch 1, the OfficeScan Smart Scan Pattern cannot be updated.
Solution:
Solutions for Issue reported from CP B6285
This critical patch updates the ActiveUpdate module to resolve the issue.
(TT-360032)
This hotfix enables the Data Loss Prevention(TM) (DLP) Endpoint SDK 6.0 module to support the following Google(TM) Chrome(TM) versions:
- Chrome 55.0.2883.87
- Chrome 56.0.2924.87
(TT-357707)
This hotfix enables the Address Space Layout Randomization (ASLR) of Data Loss Prevention (DLP) Endpoint SDK 6.0 for DLL injection.
(TT-359477)
The OfficeScan User Mode Hooking (UMH) function may cause the "mkdir.exe" program to stop unexpectedly.
Solution:
This hotfix updates the OfficeScan User Mode Hooking module to resolve this issue.
(TT-357853)
When the "Protect documents against unauthorized encryption or modification" feature of Ransomware Protection is enabled, the OfficeScan agent may prevent a valid program from running if the size of the program file is too large.
Solution:
This hotfix updates the OfficeScan agent program to resolve this issue.
(TT-360097)
The Server Tuner tool optimizes the performance of the OfficeScan server. However, its Maximum Client Connections setting does not work.
Solution:
This hotfix updates the OfficeScan server program to ensure that the tool's Maximum Client Connections setting works normally.
(TT-359331)
The OfficeScan Behavior Monitoring program ("TMBMSRV.exe") crashes when the "MeerkatSkipUNC" option is enabled.
Solution:
This hotfix updates the OfficeScan Behavior Monitoring program to correct this issue.
(TT-359521)
When users upload files from the SMB folder to the internal website and iDLP is enabled, the upload may be interrupted intermittently.
Solution:
This hotfix enables iDLP to check if a file is from SMB before it attempts to access the file information. If the source file is an SMB file, iDLP will then Impersonate to download the file.
(TT-357721)
The library license of the third-party application Dymola conflicts with DLP.
Solution:
This hotfix adds "dymola.exe" and "license_check.exe" to the approved list to remove the conflict.
(TT-359522)
When OfficeScan parses the contents of a policy that it receives from Control Manager, some space characters may be removed from the policy which changes certain settings when applied to OfficeScan.
Solution:
This hotfix ensures that OfficeScan can parse and apply Control Manager policies properly.
OfficeScan leaks encrypted account passwords during web console operations. Unauthorized users could use the leaked encrypted password to log on to the OfficeScan server console.
Solution:
This hotfix ensures that OfficeScan does not leak encrypted passwords.
(SEG-1587)
The "Quarantine malware variants detected in memory" feature needs to be enabled before the Memory Inspection Pattern (MIP) can be updated on OfficeScan agents.
Solution:
This hotfix updates the OfficeScan agent program to resolve this issue.
(SEG-1781)
Sometimes, the value of the "SourceUUID" setting in the "Ofcserver.ini" file is overwritten which prevents OfficeScan from updating the suspicious object list.
Solution:
This hotfix ensures that the "SourceUUID" setting is not overwritten unexpectedly.
(SEG-2639)
Sometimes, OfficeScan does not create system dump files when an exception error occurs.
Solution:
This hotfix ensures that OfficeScan catches exception system codes and creates the corresponding system dump files when it encounters these codes.
(TT-359200)
The "TMBMSRV.exe" process stops responding when debug log is enabled.
Solution:
This hotfix resolves the issue by ensuring that the debug log output function receives the correct information.
(SEG-2785)
Blue screen of death (BSOD) occurs when the OfficeScan agent AEGIS module runs simultaneously with an encryption software.
Solution:
This hotfix enables the AEGIS module of OfficeScan agents to work normally with encryption software.
(SEG-1474)
The Agent Connectivity widget displays inaccurate total number of connected clients for each Smart Protection Server information.
Solution:
This hotfix updates the OfficeScan server program to ensure that the Agent Connectivity widget displays accurate information.
(SEG-3508)
The OfficeScan server automatically notifies an OfficeScan client to change its GUID after it determines that there is a duplicate GUID. However, the OfficeScan server does not generate an event log if it cannot notify the client for some reason. This hotfix provides a way for users to enable the OfficeScan server if it cannot notify an OfficeScan client to change its GUID.
Procedure:
To enable the OfficeScan server to generate an event log if it cannot notify an OfficeScan client to change its GUID when it detects duplicate GUIDs:
- Install this hotfix (see "Installation").
- Open the "Ofcscan.ini" file in the "\PCCSRV\"folder on the OfficeScan server installation directory using a text editor.
- Under the "INI_SERVER_SECTION" section, locate the following key and set its value to "1".
- [INI_SERVER_SECTION]
- Event_Log_Flag=1
- Save the changes and close the file.
- Restart the OfficeScan Master Service.
(SEG-2354)
When users set the firewall exception rule to a single IP, the IP address does not appear on the OfficeScan agent console.
Solution:
This hotfix ensures that the IP address appears on the OfficeScan agent console.
(SEG-3487)
It takes a long time to export the scan exclusion list from the OfficeScan web console.
Solution:
This hotfix improves the export function to enable OfficeScan to export the scan exclusion list faster.
(SEG-1442)
A Microsoft Windows Security audit failure by "tmevtmgr.sys" appears in the Windows system event log.
Solution:
This hotfix resolves the issue by enabling the build option in the AEGIS driver to include a "path hash".
(SEG-3616)
When an OfficeScan agent downloads a file that does not have a valid digital signature, the file path information in the corresponding system event log will be truncated on the OfficeScan web console.
Solution:
This hotfix ensures that system event logs display the complete file path information on the OfficeScan web console.
(SEG-3016)
This hotfix enables Data Loss Prevention Endpoint SDK 6.0 starts to support the following Google Chrome versions:
- Google Chrome(TM) 57.0.2987.98
- Google Chrome 57.0.2987.110
(SEG-1991), (SEG-2660)
After users install hotfixes on OfficeScan 11.0 Service Pack 1 and activate the OfficeScan Firewall on agents running Windows XP, the Firewall service encounters network access issues.
Solution:
This hotfix updates the OfficeScan Firewall to resolve the network access issues.
Procedure:
Restart the endpoint to update the Common Firewall module of OfficeScan agents.
(TT-350467)
This hotfix enables the Behavior Monitoring approved list to support the asterisk (*) and question mark (?) wildcard characters in program path names and file names.
(SEG-3533), (SEG-2785), (SEG-3668)
Blue screen of death (BSOD) occurs when the OfficeScan agent AEGIS module runs simultaneously with an encryption software.
Solution:
This hotfix enables the AEGIS module of OfficeScan agents to work normally with encryption software.
(SEG-1715)
It takes a long time for the Windows Disk Manager to start when OfficeScan's Ravage Scan feature is enabled.
Solution:
This hotfix enables users to configure the OfficeScan Ravage Scan feature to skip a specific virtual hard disk to allow the Disk Manager to start normally.
Procedure:
To enable the Ravage Scan feature to skip a specific virtual hard disk:
- Install this hotfix (see "Installation").
- Open the Registry Editor.
- Add the following key:
- Path: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmactmon\Parameters]
- Type:dword
- Key: SkipVirtualHarddisk
- Data Value:00000001
- Restart the OfficeScan client computer.
(SEG-2673)
PccNT.exe stops unexpectedly because the following agent registry contains a value that is larger than the maximum supported value.
- Path: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]
- Type: dword:7fffffff
- Key: TotalScanned
Solution:
This hotfix updates the "fcWofieUI.dll" (for 32-bit) and "fcWofieUI_64x.dll" (for 64-bit) OfficeScan agent files to solve this issue.
(TT-359608)
Users cannot run a manual sync on the "Suspicious Object List Setting" page when the "Enable Suspicious URL list" option is disabled.
Solution:
This hotfix ensures that manual sync can complete successfully when the "Enable Suspicious URL list" option is disabled.
(SEG-3289)
The error-handling mechanism of POP3 and SMTP scans may attempt to access tmp files which can trigger the TmListen service to stop unexpectedly.
Solution:
This hotfix resolves the issue by ensuring that the error-handling mechanism accesses only valid local file paths.
(VRTS-615), (VRTS-393), (VRTS-283)
Reported Issues from CP B6325
- Issue 1: When the Web Reputation Service (WRS) of the OfficeScan agent program blocks access to a certain webpage, it displays the "Website blocked by Trend Micro OfficeScan" alert page instead. This alert page may be affected by XSS vulnerabilities.
- Issue 2: Encrypted account passwords may leak out during web console operations. Unauthorized users could use the leaked encrypted password to log on to the OfficeScan server console.
Reported Enhancements from CP B6325
- Enhancement 1: This critical patch updates the OfficeScan agent program to improve its self-protection mechanism to protect against a local attacker to inject malicious code.
Solution:
Solutions for Issues reported from CP B6325
- Solution 1: This critical patch updates the OfficeScan agent program to resolve the XSS vulnerabilities.
- Solution 2: This critical patch ensures that encrypted passwords are secure during web console operations.
(TT-358992)
Users cannot access the "Advanced Search" web page from the "Firewall Profile Settings" page of the OfficeScan web console.
Solution:
This hotfix updates the OfficeScan server program files to ensure that users can access the "Advanced Search" web page from the "Firewall Profile Settings" page.
(SEG-1891)
The DLP module may not work normally while other programs are uploading files to the Internet.
Solution:
This hotfix ensures that the DLP module works normally when other programs are to uploading files to the Internet.
(SEG-3345)
The OfficeScan agent blocks a program that has been downloaded from an email message or through HTTP even when the program is in the approved list.
Solution:
This hotfix ensures that OfficeScan agents block the correct programs.
(SEG-2468)
The OfficeScan web console takes longer than usual to load because of a large number of DB_FLUSH commands.
Solution:
This hotfix minimizes the number of DB_FLUSH commands to ensure that the OfficeScan web console loads normally.
(SEG-3919)
When enabling the OfficeScan debug log, clicking on the "Save" button twice overwrites the specified debug log path in the "ofcdebug.ini" file. When this happens, debug logs are saved in another location.
Solution:
This hotfix enables OfficeScan to always use the default log path if only the log name is set on the web console.
(SEG-2232)
Duplicate DLP violation logs are generated when users attempt to print a PDF file that contains sensitive information in Adobe(TM) Reader.
Solution:
This hotfix applies the App White Cache mechanism according to process name to enable DLP to treat multiple print operations from "AcroRd32.exe" that occur within a one second period as one event. This helps prevent duplicate violation logs.
(SEG-3931)
When DLP detects that sensitive information was sent through an email message in "outlook.com", the OfficeScan agent generates a blank "Activity/Channel" log.
Solution:
This hotfix resolves this issue by updating the OfficeScan agent.
(SEG-5361)
This hotfix enables DLP Endpoint SDK 6.0 to support Chrome 58.0.3029.81.
(SEG-5633)
This hotfix provides a way to configure the AEGIS module in OfficeScan clients to skip Virtual Disks during scans.
Procedure:
To configure the AEGIS module to skip Virtual Disks during scans:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\"folder of the OfficeScan server.
- Under the "Global Setting" section, manually add the following key and set its value to "1".
- [Global Setting]
- SkipVirtualHarddisk=1
- Save the changes and close the file.
- Open the OfficeScan server management console and click "Agents > Global Agent Settings" on the main menu to access the "Global Agent Settings" page.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to agents and adds the following registry entry on all agent computers:
- Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmactmon\Parameters
- Key: SkipVirtualHarddisk
- Type: dword
- Value: 1
(SEG-3575)
If it detects a suspicious POP3 mail message, it will be possible to set not to send notification from OfficeScan client.
Procedure:
To stop sending suspicious POP3 mail messages from OfficeScan clients, please follow the steps below.
- Install this HotFix (see "4.1 Installation procedure").
- Open the "ofcscan.ini" file in the "PCCSRV" folder in the OfficeScan server installation folder.
- Add the "Enable Disclaimer" key to the [Global Setting] section and set the value to "0".
- [Global Setting]
- EnableDisclaimer = 0
Note: To send a mail notification that added a disk reamer, set the value to "1".
- Save the changes and close the file.
- Open the OfficeScan Web console and select Clients> Global Client Settings.
- Click Save to distribute the settings to the client. The OfficeScan client program automatically sets the following registry key:
- Key name: HKEY_LOCAL_MACHINE \ SOFTWARE \ TrendMicro \ Osprey \ Scan \ Common \
- MailManager \ config
- Name: EnableDisclaimer
- Type: dword
- Data: 0
- Restart the OfficeScan client.
(SEG-5041)
The operating system version of registered OfficeScan servers installed on Windows Server 2012 R2 appears as "6.2 (build 9200)" instead of "6.3 (build 9600)" on the Control Manager web console.
Solution:
This hotfix resolves this issue by ensuring that OfficeScan servers installed on Windows Server 2012 R2 register to the Control Manager server using operating system version "6.3 (build 9600)".
(SEG-6181)
OfficeScan agents running Data Loss Prevention(TM) (DLP) may experience a Blue Screen of Death (BSoD) when accessing files in shared (SMB) folders.
Solution:
This hotfix resolves the BSoD issue when accessing files in shared (SMB) folders.
Repack 1 update: (June 30 2017)
Trend Micro Common Module may trigger a (BSOD) when the OfficeScan agent attempts to parse the service name list of a Windows kernel device in the device tree.
NOTE: This fix is included in Hotfix build 6390 and higher
Solution:
Repack 1 update:
This critical patch updates the Trend Micro Common Module to prevent a blue screen of death (BSOD) when the OfficeScan agent attempts to parse the service name list of a Windows kernel device in the device tree.
(SEG-6313)
This critical patch enables the OfficeScan agent program to support Windows 10 Creators Update RS2.
(TT-360007)
The OfficeScan Web Reputation feature blocks normal access to websites if the endpoint also has the Symantec Data Loss Prevention application running.
Solution:
This hotfix updates the OfficeScan agent module to ensure that the OfficeScan Web Reputation feature does not conflict with the Symantec Data Loss Prevention application.
(SEG-4799)
The OfficeScan Behavior Monitoring feature may cause certain computers to lock up intermittently when TMEAC is installed.
Solution:
This hotfix updates the Behavior Monitoring Service module to resolve the issue.
(SEG-3443)
When the OfficeScan agent connects to SSL-VPN and the MAC address field is empty, the OfficeScan agent will attempt to resolve the IP and MAC addresses repeatedly but the SSL-VPN IP address still does not appear in the network cards list on the agent console.
Solution:
This hotfix updates the OfficeScan agent program to prevent it from attempting to resolve the IP and MAC addresses when the MAC address field is empty. It also helps ensure that the IP address appears on the OfficeScan agent console.
(SEG-5477)
The OfficeScan agent does not successfully upgrade even after applying new hotfix files.
Solution:
This hotfix resolves the OfficeScan agent upgrade issue.
(SEG-6873)
The administrator cannot register USB information that includes the pound sign (#) or "and" sign (&) in the Data Loss Prevention (DLP) exception list.
Solution:
This hotfix resolves this issue.
(TT-359895)
The OfficeScan server cannot check the signature on a Control Manager policy if the policy settings contain non-ASCII characters.
Solution:
This hotfix enables the OfficeScan server to handle non-ASCII strings in Control Manager policies to ensure that the server can check the signature of these policies.
(SEG-6323)
Enabling the NT RealTime Scan causes OfficeScan agents to freeze. This issue occurs because OpenSSL uses the AES-NI instruction set, which is not supported by some CPU types.
Solution:
This hotfix resolves this issue by updating the OpenSSL component.
(SEG-6391)
The Microsoft(TM) Internet Explorer(TM) browser does not interpret double-byte strings correctly. Thus, user accounts do not display correctly.
Solution:
This hotfix adds a function to determine whether a string contains double-byte characters, which resolves this issue.
(SEG-6528)
The OfficeScan agent console ("Pccnt.exe") may stop unexpectedly if the "Unauthorized Change Prevention Service" is enabled. When this happens, it will affect the performance of the endpoint.
Solution:
This hotfix updates the OfficeScan agent program to prevent "Pccnt.exe" from stopping unexpectedly and ensures that the OfficeScan agent can work properly without affecting the performance of the endpoint.
(SEG-7273)
On computers running on the Microsoft Windows(TM) 10 platform, the Data Loss Prevention(TM) (DLP) network filter driver is installed with the Transport Driver Interface (TDI) network filter driver.
Solution:
This hotfix updates the operating system version determination mechanism to ensure that the correct driver is installed. This hotfix also provides a Windows Filtering Platform (Windows) driver replacement mechanism that replaces the TDI driver with the correct driver.
(SEG-8017)
This hotfix enables Data Loss Prevention Endpoint SDK 6.0 to support Google(TM) Chrome version 59.0.3071.86.
(SEG-7214), (SEG-8297)
A blue screen of death (BSOD) occurs when the Trend Micro Common Module (tmcomm.sys) attempts to parse the service name list of a Windows kernel device in the device tree.
Solution:
This hotfix updates the Trend Micro Common Module on OfficeScan agents to resolve this issue.
(SEG-7541)
OfficeScan agents installed on Windows 10 platforms may cause the endpoint to freeze or become unresponsive when both Windows Defender and the OfficeScan agent are running at the same time.
Solution:
This hotfix updates compatibility support to prevent the system from freezing by disabling Windows Defender when the OfficeScan Agent loads.
(SEG-7585)
The OfficeScan agent does not successfully update specific pattern files when the OfficeScan server and client have different build versions.
Solution:
This hotfix resolves the issue concerning OfficeScan agents not successfully updating specific pattern files.
(SEG-6421)
Windows Defender is not disabled automatically after the OfficeScan agent is installed on a Windows 2016 server computer.
Solution:
This hotfix ensures that Windows Defender is disabled automatically after the OfficeScan agent is installed on a Windows 2016 server computer and the computer restarts.
(SEG-8356)
The Virus Scan Engine (VSAPI) fails to roll back on a Microsoft(TM) Windows(TM) 10 platform.
Solution:
This hotfix updates the OfficeScan agent program to ensure that VSAPI can roll back successfully on a Windows 10 platform.
(SEG-7747)
The OfficeScan Master Service stops unexpectedly while receiving a huge amount of policy information from Control Manager which triggers OfficeScan to generate a large number of dump files under the "PCCSRV\Web\Service" folder.
Solution:
This hotfix enables the OfficeScan Master Service to handle a huge amount of policy information from Control Manager.
(TT-354095)
The firewall details page of the OfficeScan client console does not refresh automatically after the security level setting changes.
Solution:
This hotfix is to show a message to prompt to close all windows of the OfficeScan client console and reopen the console in order to refresh the UI.
(TT-357507)
The Windows Event Log generates too many messages.
Solution:
This hotfix enables OfficeScan to extend the cache time to 12 hours.
(TT-355701)
An initialized issue related to the OfficeScan Control Manager Agent service ("OfcCMAgent.exe") may cause the OfcCMAgent.exe to stop unexpectedly.
Solution:
This hotfix updates the OfficeScan Control Manager Agent program to prevent from this issue.
(TT-357054)
When there are hotfix updates, the OfficeScan server checks all client components and prompts all clients with old hotfix versions to apply the updates including those where the No Program Upgrade option is enabled. This triggers a large number of unnecessary client notifications.
Solution:
This hotfix ensures that the OfficeScan server does not notify a client of hotfix updates if the No Program Upgrade option is enabled in the client.
(TT-358532)
When an unreachable OfficeScan agent reports its onstart status to the OfficeScan server, the server does not automatically set the updateflag for the agent. As a result, the agent will not receive updates until after a file change event on the OfficeScan server.
Solution:
This hotfix enables the OfficeScan server to set the updateflag of unreachable OfficeScan agents automatically once it receives the onstart status of the agents.
(SEG-2143)
Exported CSV files that contain agent information do not differentiate between Windows platforms from Windows Embedded platforms.
Solution:
This hotfix ensures that exported CSV files specifies if an agent runs on a Windows platform or a Windows Embedded platform.
(SEG-2745)
The Vulnerability Scanner may attempt to access an invalid file path which triggers blue screen of death (BSOD) on computers running Microsoft Windows Vista(TM) or any version released after it, for example, Windows Server 2008 and later versions.
Solution:
This hotfix updates the Vulnerability Scanner to prevent it from attempting to access invalid file paths.
(SEG-9011)
Sometimes, the Behavior Monitoring Service module of OfficeScan 11.0 Service Pack 1 agents may conflict with the Schwab application which can trigger the Schwab application to stop unexpectedly.
Solution:
This hotfix updates the Behavior Monitoring Service module and provides a way for users to configure OfficeScan to ensure that the Schwab application works properly.
Procedure:
To apply and deploy the solution globally:
- Install this hotfix (see "Installation").
- Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
- Under the "Global Setting" section, manually add the "SkipKernelExceptionEvent" key and set its value to "1".
- [Global Setting]
- SkipKernelExceptionEvent=1
- NOTE: To disable the feature, set "SkipKernelExceptionEvent=0".
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entries on all OfficeScan agent computers:
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS
- Key: SkipKernelExceptionEvent
- Type: REG_DWORD
- Value: 1
- Restart the OfficeScan agents.
(TT-358603)
This hotfix improves the checking mechanism of the OfficeScan agent program to protect the Smart Scan Agent Pattern and Virus Pattern files in endpoints from corruption.
(TT-356627)
This hotfix adds an assessment mode for ransomware. In assessment mode, OfficeScan will not terminate the suspected ransomware process but creates a log for it.
Procedure:
To enable assessment mode:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
- Under the "Global Setting" section, manually add the following keys and set each to "1".
- [Global Setting]
- EnableADCAssessMode=1
- Value:
- 0 = OfficeScan does not support ransomware assessment mode
- 1 = OfficeScan supports ransomware assessment mode
- EnableADCAssessModeNotification=1
- Value:
- 0 = no popup notification in the system tray icon
- 1 = a popup notification appears in the system tray icon
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to clients.
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS
- Key: EnableADCAssessMode
- Type: DWORD
- Value:
- 0 = OfficeScan does not support ransomware assessment mode
- 1 = OfficeScan supports ransomware assessment mode
- Key: EnableADCAssessModeNotification
- Type: DWORD
*Value:
- 0 = does not have popup notification in system tray icon
- 1 = have popup notification in system tray icon
(VRTS-392)
An issue related to the DLP file system driver may cause an RWX vulnerability in web browsers.
Solution:
This hotfix updates DLP Endpoint SDK 6.0 to resolve the vulnerability.
(SEG-9560)
It takes a long time to copy files using the RDP clipboard when DLP is enabled.
Solution:
This hotfix resolves the issue by adding the RDP process "mstsc.exe" into the approved list.
(VRTS-1012)
Remote unauthenticated attackers may be able to query NT domains through the OfficeScan XG "cgiGetNTDomain.exe" process.
Solution:
This removes the vulnerability.
(VRTS-1022)
A vulnerability may allow a remote unauthenticated attacker to send CGI requests to run "cgiRqUpd.exe" on the OfficeScan server and trigger "cgiRqUpd.exe" to stop unexpectedly. When this happens, a large number of dump files are generated which can eventually take up a large portion of disk space.
Solution:
This hotfix resolves the vulnerability.
(SEG-10228)
In Windows 2016 server, the Windows Defender service does not stop when the OfficeScan agent is installed or when the latest hotfix is installed on the existing OfficeScan agent.
Solution:
This hotfix ensures that the Windows Defender service stops automatically after the OfficeScan client is installed or updated with the latest hotfix.
NOTE: You need to restart the computer after applying this hotfix.
(VRTS-1115)
Web server details gathered from the banner may allow attackers to search and launch automated attacks from commonly-found web sites which may lead to website defacement or denial of service.
Solution:
This hotfix resolves the vulnerability.
(SEG-4529)
When users enable the "ViewLogonName" parameter in "ofcscan.ini", either a user name or "system" should appear on the "logon user name" in virus logs. However, the field remains blank, sometimes.
Solution:
This hotfix updates the OfficeScan agent program to ensure that the "logon user name" field in virus logs always displays the correct information.
(SEG-8981)
This hotfix provides an option to enable OfficeScan agents to check the connection to the Smart Protection Network regularly and to update the status icons on the web console accordingly.
Procedure:
To enable the feature on the OfficeScan server and to automatically deploy the setting to all OfficeScan agents:
- Install this hotfix (see "Installation").
- Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
- Add the following key under the "Global Setting" section and set its value to "1".
- [Global Setting]
- ChkGlobalWCS=1
- NOTE: To disable the connection checking, set "ChkGlobalWCS=0".
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to all clients.
- Restart the OfficeScan client.
- The OfficeScan agent program automatically installs the following registry key:
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\iURL Scan.
- Key: ChkGlobalWCS
- Type: REG_DWORD
- Value: 1
(SEG-10688)
If you click on the "Update" button on the agent console while the TmListener service is stopped, the page returns an "Component update is complete" message.
Solution:
This hotfix enables OfficeScan to disable the "Update" button automatically when the TmListener service stops and to display a tooltip when the mouse pointer hovers over the button.
(SEG-10651)
If a newly-installed OfficeScan agent cannot connect to the OfficeScan server within a specific time period, the agent cannot report that it is online and does not appear on the OfficeScan web console.
Solution:
This hotfix provides a way for users to extend the connection time to prevent this issue from occurring.
Procedure:
To apply and deploy the solution globally:
- Install this hotfix (see "Installation").
- Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
- Under the "Global Setting" section, manually add the following keys and set the preferred value for each.
- [Global Setting]
- EnableCheckHostLoadHttpTimeoutSecond=1
- NOTE: To disable the feature, set "EnableCheckHostLoadHttpTimeoutSecond=0".
- LoadHttpTimeoutSecond=30
- NOTE: You can set the timeout value to 30, 60, 90, or 180 seconds based on your needs.
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entries on all OfficeScan agent computers:
- Path:
- for x64 platform:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion
- for x86 platform:HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\
- Key: EnableCheckHostLoadHttpTimeoutSecond
- Type: REG_DWORD
- Value: 1
- Key: LoadHttpTimeoutSecond
- Type: REG_DWORD
- Value: 30
- Restart the OfficeScan agents.
- NOTE: If OfficeScan agents does not receive the setting from the OfficeScan server, please consider updating OfficeScan agents using Client Packager Installation or the AutoPCC utility.
(SEG-6917)
The following OfficeScan 11.0 Service Pack 1 hotfixes are affected by an issue related to the OfficeScan Firewall module which may cause the Firewall service to encounter network access issues.
- Hotfix 6277
- Hotfix 6281
- Hotfix 6292
Solution:
This hotfix updates the OfficeScan Firewall to resolve the network access issues.
NOTE: You must restart the endpoint after applying this hotfix to update the Common Firewall module on affected OfficeScan agents.
(SEG-11074)
The Windows Security Center cannot recognize if the OfficeScan Antivirus is enabled when there is no antispyware license.
Solution:
This hotfix updates the OfficeScan agent program to help ensure that the Windows Security Center can determine whether the OfficeScan Antivirus is enabled or not.
(SEG-8988)
The OfficeScan Behavior Monitoring feature may prevent users from renaming folders on network drives.
Solution:
This hotfix updates the Behavior Monitoring module to resolve the issue.
Procedure:
To apply and deploy the solution globally:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\" folder in the OfficeScan server installation directory.
- Under the "Global Setting" section, manually add the "SkipDfsClient" key and set its value to "1".
- [Global Setting]
- SkipDfsClient=1
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
- Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmactmon\Parameters
- Key: SkipDfsClient
- Type: DWORD
- Value: 1
(SEG-10066)
An issue related to the OfficeScan Behavior Monitoring feature may cause the memory usage to increase unexpectedly on OfficeScan client computers.
Solution:
This hotfix updates the Behavior Monitoring module to resolve the issue.
(SEG-1689)
This hotfix provides a way for users to configure OfficeScan agents to automatically disconnect an established connection and to re-establish a connection when the OfficeScan server triggers a network isolation function. Users can move OfficeScan agents to specific domains that are defined to apply network isolation.
Procedure:
To enable the new service settings:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
- Under the "Global Setting" section, manually add the following keys and set values.
- [Global Setting]
- PFWPolicyWithConnectionReset=1
- Value:
- 0 = OfficeScan does not support network isolation
- 1 = OfficeScan supports network isolation
- PFWPolicyWithConnectionResetDomainList=Domain_Name
- For example: Workgroup, Domain1
- Provide a domain name or domain list use for network isolation.
- PFWPolicyWithConnectionResetDurationInSec=30
- Value:
- 0 = Disable connection reset (default value)
- 30 = Rest connection in 30 seconds
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to clients.
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
- Key: PFWPolicyWithConnectionReset
- Type: DWORD
- Value:
- 0 = OfficeScan does not support network isolation
- 1 = OfficeScan supports network isolation
- Key: PFWPolicyWithConnectionResetDomainList
- Type: String
- Value: Domain_name set by user
- Example: Workgroup, Domain1
- Key: PFWPolicyWithConnectionResetDurationInSec
- Type: DWORD
- Value:
- 0 = Disable connection reset
- 30 = Rest connection in 30 seconds
(SEG-7553)
This hotfix provides an option to configure the interval in which the OfficeScan agent sends Spyware logs to the server.
Procedure:
To enable the feature on the OfficeScan server and to automatically deploy the setting to all OfficeScan agents:
- Install this hotfix (see "Installation").
- Open the "Ofcscan.ini" file in the "\PCCSRV\" folder in the OfficeScan installation directory.
- Add the following key under the "Global Setting" section and set the value ("X") to the number of minutes that the OfficeScan agent sends logs.
- [Global Setting]
- SpywareSendLogPeriod=X (for example 45)
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to all agents.
- The OfficeScan agent program automatically installs the following registry key:
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ PC-cillinNTCorp\CurrentVersion\Misc.
- Key: SpywareSendLogPeriod
- Type: REG_DWORD
- Value: 2D
- Restart the OfficeScan agents.
(SEG-10953), (SEG-11404)
This hotfix enables Data Loss Prevention Endpoint SDK 6.0 starts to support the following Google Chrome versions:
- Google Chrome version 60.0.3112.78
- Google Chrome version 60.0.3112.90
(VRTS-986)
A vulnerability may allow a attacker to download the specific file from the OfficeScan server through HTTP requests.
Solution:
This Critical Patch resolves the vulnerability.
(VRTS-989)
A PHP file in OfficeScan 11 may be vulnerable to an MITM/RCE vulnerability.
Solution:
This Critical Patch resolves the potential vulnerability.
(VRTS-1012)
An attacker may be able to query NT domains through the OfficeScan 11 process.
Solution:
This removes the vulnerability.
(VRTS-1018)
A vulnerability may allow remote attackers to query PHP information while the specific php file runs.
Solution:
This Critical Patch secures the information in specific php file.
(VRTS-1022)
A vulnerability may allow a attacker to send CGI requests to run and stop the OfficeScan 11 process unexpectedly.
Solution:
This Critical Patch resolves the vulnerability.
(VRTS-1052)
A vulnerability may allow a attacker to stop the OfficeScan 11 process unexpectedly by forcing the specific parameter to exceed that limit.
Solution:
This Critical Patch resolves the vulnerability.
(SEG-7697)
The Trend Micro iCRC Common Module cannot perform an SSL handshake with Smart Protection Server on endpoints running Windows Server 2003 using TLS 1.2 after applying OpenSSL 1.0.2.
Solution:
This hotfix updates the Trend Micro iCRC Common Module and provides a way for users to enable the Trend Micro iCRC Common Module to communicate with Smart Protection Server using TLS 1.0.
Procedure:
To apply and deploy the solution globally:
- Open the "ICRCHdler.ini" file in the "\PCCSRV\Pccnt" folder on the OfficeScan server installation directory.
- Under the "Default" section, manually add the following key and set its value to "4".
- [Default]
- SSLVersion=4
- Save the changes and close the file.
- Install this hotfix (see "Installation").
- After upgrading the agent program, the OfficeScan server adds the following entries on all OfficeScan agent computers:
- Path: The OfficeScan agent installation directory.
- File: ICRCHdler.ini
- Key: SSLVersion=4
(SEG-10748)
The error message that appears when a user provides a user name or password with an invalid character for proxy authentication does not accurately describe the issue.
Solution:
This hotfix updates the error message to inform users that the provided proxy setting user name or password contains an invalid character.
(SEG-10844)
When configured, the OfficeScan Agent displays the following scan pop-up dialog box when users connect to a removable storage device. "A USB storage device was plugged in to the computer. Do you want Trend Micro OfficeScan to scan the device for security risks?"
Solution:
This hotfix updates the scan pop-up dialog box to display the following message. "A removable storage device was plugged in to the computer. Do you want Trend Micro OfficeScan to scan the device for security risks?"
(SEG-10980)
The account and password setting for the external proxy server do not support the hash special character "#".
Solution:
This hotfix resolves a broken jquery Ajax call to ensure that the account and password setting for the external proxy server supports special characters.
(SEG-11628)
The hotfix provides the implementation of BIN number's regular expression and validators.
(SEG-12203)
This hotfix enables Data Loss Prevention Endpoint SDK 6.2 to bypass iTunes blocking and so that iPhone can still be charged while Device Control is enabled.
Procedure:
To enable Data Loss Prevention Endpoint SDK 6.2 to bypass iTunes blocking and so that iPhone can still be charged while Device Control is enabled:
- Install this hotfix (see "Installation").
- Open the "dlp.ini" file in the "\PCCSRV\Private\" folder on the OfficeScan server.
- Under the "Configure" section, manually add the "bypass_itunes_nonstor_usb_dc" key and set its value.
- [Configure]
- bypass_itunes_nonstor_usb_dc=true
- Save the changes and close the file.
- Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
- Click "Save" to deploy the settings to agents. The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder: bypass_itunes_nonstor_usb_dc=true
(SEG-12179)
Tablets running Windows 10 (Redstone) may encounter a "Blue Screen of Death" (BSOD) when trying to enter a sleep state.
Solution:
This hotfix notifies the driver to stop sending event information after entering standby mode. After the tablet comes out of standby mode, the driver starts sending event information again.
Procedure:
To enable the new service settings:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
- Under the "Global Setting" section, manually add the following key and set its value to "10".
- [Global Setting]
- PowerMonitorTime=10
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entries on all OfficeScan agent computers:
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS\
- Key: PowerMonitorTime
- Type: DWORD
- Value: 10 = Set PowerMonitorTime to 10 seconds, max 60 seconds
- Restart the OfficeScan agents.
(SEG-13165)
Scheduled scan is postponed because OfficeScan detects full screen mode even when there are no windows in full screen mode.
Solution:
This hotfix enables OfficeScan to ignore windows that do not have visible content during full screen mode detection.
(SEG-12586)
This hotfix enables users to update the following registry keys to specify the sender and subject of email notifications for malicious email messages.
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Osprey\Scan\Common\MailManager\config
- Name: DisclaimerAddress
- Name: DisclaimerSubject
(SEG-8096)
When the system installs or upgrades the Cisco VPN software, it tries to access some registry keys under the TmLwf registry key, which causes the software installation to fail.
Solution:
This hotfix adds a key to disable the self-protection only function of the TmLwf registry key, which resolves this issue.
Procedure:
To enable the new service settings:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
- Under the "Global Setting" section, manually add the following key and set its value to "1".
- [Global Setting]
- SP_DisableTmLwfRegistryKeyProtection=1
- Value: 1 = Disable TmLwf registry key self-protection only
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to clients.
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS
- Key: SP_DisableTmLwfRegistryKeyProtection
- Type: DWORD
- Value: 1 = Disable TmLwf registry key self-protection only
- Restart the OfficeScan agents
(SEG-13656)
The file description field indicates the Common Client Real-time Scan Service ("Ntrtscan.exe") is 32-bit even when it is running on a 64-bit operating system.
Solution:
This hotfix updates the OfficeScan agent program to ensure that the correct information appears on the file description field.
(SEG-12830)
A protected computer may stop responding or respond slowly while extracting the "AFUDOS.exe" file from a ZIP file. Sometimes, the computer may also stop unexpectedly while the Behavior Monitoring engine performs policy matching.
Solution:
This hotfix removes the lock scope to prevent protected computers from stopping unexpectedly and enables OfficeScan to use the try-catch method to capture an exception and help prevent a handle leak issue.
(SEG-13700)
The OfficeScan Behavior Monitoring feature may cause certain third-party programs that are in its approved list to stop responding.
Solution:
This hotfix updates the Behavior Monitoring module to resolve the issue.
Procedure:
To apply and deploy the solution globally:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
- Under the "Global Setting" section, manually add the "SkipNotificationEvent" key and set its value to "1".
- [Global Setting]
- AegisSkipNotificationEvent=1
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS
- Key: SkipNotificationEvent
- Type: DWORD
- Value: 1
- Restart the OfficeScan agents
(SEG-14071)
This hotfix enables Trend Micro Data Loss Prevention(TM) (DLP) Endpoint SDK 6.2 to support Google Chrome 61.0.3163.79
(SEG-14058)
Virus detection logs do not appear on the agent console if the name of the agent installation folder contains multibyte characters.
Solution:
This hotfix ensures that virus detection logs appear on OfficeScan agent console.
(SEG-13979)
Users cannot migrate the OfficeScan database from CodeBase to an SQL server database using an SQL server account password that contains a semicolon ";"
Solution:
This hotfix ensures that users can migrate the OfficeScan database under the scenario described above.
(SEG-13737)
Virus log information cannot be parsed properly because the names of infected files are parsed with the tab character delimiter. As a result, virus logs cannot be displayed.
Solution:
This hotfix enables OfficeScan to use a space as the delimiter character when writing virus logs. This helps ensure that it can parse and display virus logs properly.
(SEG-14671)
OfficeScan 11.0 Service Pack 1 still blocks the Spyrus USB drive after it is added to the USB exception list.
Solution:
This hotfix resolves the issue by updating the Data Loss Prevention(TM) (DLP) module to ensure that it can parse the device information of the Spyrus USB drive.
(SEG-9629)
Some 32- or 64-bit specific information on the OfficeScan web console do not match the corresponding information on the Control Manager web console.
Solution:
This hotfix ensures that the OfficeScan server sends the correct information to Control Manager so that the information it displays is always consistent with the information on the OfficeScan web console.
(SEG-16146)
This hotfix enables Trend Micro Data Loss Prevention(TM) (DLP) Endpoint SDK 6.2 to support version 62 of the Google Chrome web browser.
(SEG-16832)
Blue Screen of Death (BSOD) may occur after applying Microsoft KB4043961 on computers running on Windows 10 Fall Creators Update (Redstone 3) and protected by OfficeScan 11 Service Pack 1.
Solution:
This hotfix prevents the BSOD issue on affected computers.
(SEG-10738)
The "viveportdesktophelper.exe" application cannot start in protected computers.
Solution:
This hotfix updates the Behavior Monitoring driver and adds two settings to enable the "viveportdesktophelper.exe" application to start normally on protected computers.
Procedure:
To enable the new settings:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
- Under the "Global Setting" section, manually add the following keys and set the values to "1" to enable both settings.
- [Global Setting]
- SkipVolume=1
- SkipVirtualHarddisk=1
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the new settings to clients.
- Path: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ services\tmactmon\Parameters]
- Key: SkipVolume = 1 (Dword)
- Key: SkipVirtualHarddisk = 1 (Dword)
- Restart the OfficeScan client computer.
(SEG-12965)
A syntax error occurs when users move an OfficeScan agent to another domain which causes the domain tree to disappear from the agent console.
Solution:
This hotfix resolves the issue by changing the flush method on the OfficeScan server.
(SEG-15477)
The Service Pack build version information disappears from the registry after the "SVRSVCSETUP.exe" tool runs.
Solution:
This hotfix resolves the issue by enabling the "SVRSVCSETUP.exe" tool to backup and restore the registry.
(SEG-15975)
A vulnerability may allow remote attackers to query widget information while the specific php file runs.
Solution:
This hotfix secures the information in specific php file.
(SEG-17239)
The EXE package of the OfficeScan agent forces the user's business software to stop unexpectedly.
Solution:
This hotfix ensures that the EXE package does not affect the user's business software.
(SEG-15032)
When an agent update stalls, the number of agents in the update queue may reach the number of online agents.
Solution:
This hotfix enables the AddNotifyRecord() function to check the status of an agent before updating the counters and inserting the record into the queue.
(SEG-17726)
The wrong OfficeScan client platform information appears on the OfficeScan web console.
Solution:
This hotfix updates the OfficeScan agent program to ensure that it sends the correct platform information to the server.
(SEG-17314)
When the Advanced Protection Service is disabled in an OfficeScan agent, smvptn files accumulate and are not cleaned promptly.
Solution:
This hotfix resolves the issue by updating the NTRT module to check the current smv patterns to keep only the two most recent versions and delete all older versions.
(SEG-18237)
An interoperability issue between the TDI network filter driver and Citrix XenApp on Microsoft(TM) Windows(TM) 7 can cause the Citrix client to disconnect unexpectedly.
Solution:
This hotfix enables users to change the installation of the TDI (saknet.sys) and WFP (dlpnetfltr.sys) network filter driver based on the customized settings.
Procedure:
To configure the new setting for DLP:
- Install this hotfix (see "Installation").
- Open the "dlp.ini" file in the "\PCCSRV\Private\" folder on the OfficeScan server.
- Under the "Configure" section, manually add the "enable_wfp" key and set its value to "true".
- [Configure]
- enable_wfp = true
- Save the changes and close the file.
- Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
- Click "Save" to deploy the settings to agents. The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in the "dsa.pro" file in the</br> "\Windows\System32\dgagent\" folder:
- enable_wfp=true
(SEG-18382)
The OfficeScan agent can be configured to use a specific IP address (IP Template) via the Windows Registry for communication with the OfficeScan server. However, the OfficeScan 11.0 Service Pack 1 agent does not support IPv6 addresses for the IP Template.
Solution:
This hotfix updates the OfficeScan agent program to resolve this issue.
(SEG-17037)
This hotfix updates the Trend Micro Osprey Firefox Extension and enables it to support Firefox 51 and later versions.
(SEG-19689)
This hotfix enables Trend Micro Data Loss Prevention(TM) (DLP) Endpoint SDK 6.2 starts to support Google Chrome version 63.
(SEG-19005)
The OfficeScan Behavior Monitoring feature may trigger high CPU usage on protected computers.
Solution:
This hotfix updates the Behavior Monitoring module to prevent the high CPU usage issue.
(SEG-20316)
The system information, product information, product version, and entity icon do not update automatically after users apply Critical Patch 6469 to the Corp server.
Solution:
This hotfix updates the OfficeScan 11.0 Service Pack 1 server file to ensure that the system information, product information, product version, and entity icon are updated correctly.
(SEG-20372)
Some information in exported Excel files do not match the information on the OfficeScan server management console.
Solution:
This hotfix updates the OfficeScan server file to ensure that the exported information matches the corresponding information on the OfficeScan server management console.
(SEG-19381)
The OfficeScan web console indicates that a failed suspicious object list synchronization with Trend Micro Control Manager(TM) was successful.
Solution:
The hotfix changes the time-out value for the suspicious object list synchronization with Control Manager from 0 to 45 seconds to ensure that the correct synchronization task result appears on the OfficeScan web console.
(SEG-20949)
Under certain scenarios, some OfficeScan processes may stop unexpectedly.
Solution:
This hotfix updates the Behavior Monitoring module to enhance the self-protect feature of OfficeScan processes.
(SEG-21031)
Duplicate violation logs may be generated for certain samples.
Procedure:
To configure the new settings for DLP:
- Install this hotfix (see "Installation").
- Open the "dlp.ini" file in the "\PCCSRV\Private\" folder on the OfficeScan server.
- Under the "Configure" section, manually add the following keys and set all to "true".
- [Configure]
- LOG_THROTTLE=true
- Save the changes and close the file.
- Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
- Click "Save" to deploy the settings to agents. The OfficeScan server deploys the settings to OfficeScan agents and adds the keys in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder.
(SEG-21886)
This hotfix enables DLP Endpoint SDK 6.0 to support Google Chrome(TM) 64.
(SEG-19753)
If multiple plug-in service (PLS) versions are available, the OfficeScan Control Manager Agent (CMAgent) reports the version and status information of all these available versions to the Trend Micro Control Manager(TM) server. This prevents the Control Manager server from determining which PLS version is currently installed on each OfficeScan client.
Solution:
This hotfix sets a filter criterion to enable the OfficeScan CMAgent to report only the version and status information of the PLS version that is currently installed on the OfficeScan client to the Control Manager server.
(SEG-23087)
OfficeScan agents receive C&C callback detected alerts for IPs in the approved list.
Solution:
This hotfix resolves a file path issue to help ensure that IPs in the approved list do not trigger C&C callback detected alerts.
(SEG-17611)
The Data Loss Prevention(TM) (DLP) services and IMAPI driver may stop responding or stop unexpectedly during CD/DVD burning operations in Microsoft(TM) Windows(TM) Explorer.
Solution:
This hotfix resolves the issue by updating the DLP module to correct the CD/DVD burning cache read operation in DLP services and refines the flow of the CD/DVD burning event wait in IMAPI driver.
(SEG-22504)
32-bit OfficeScan processes may stop unexpectedly on 64-bit platforms.
Solution:
This hotfix resolves the issue by updating how the DLP module matches path names when locating the "wow64.dll" path.
(SEG-23617)
The certificate of the "saknet.sys" file is valid from March 23, 2016 to June 28, 2017 only.
Solution:
This hotfix replaces the ""saknet.sys"" file in the Trend Micro Data Loss Prevention(TM) (DLP) module with a ""saknet.sys"" file that contains a valid certificate.
(SEG-23512)
This hotfix enables DLP Endpoint SDK 6.0 to support Google Chrome 64.
(VRTS-2227)
The UMH driver does not check the length of incoming data when processing IOCTL requests. This can cause tmumh.sys driver exploit vulnerability.
Solution:
This hotfix resolves the vulnerability by enabling the UMH driver to filter long IRP packets.
(SEG-21807)
Manual scans may not be able to completely scan a network drive when triggered using the "PccNt.exe filepath" command.
Solution:
This hotfix resolves the issue by ensuring that the PccNt.exe process waits for the manual scan to complete.
(SEG-24287)
The OfficeScan server cannot apply a Trend Micro Control Manager(TM) policy if the policy settings contain any UTF-8 character.
Solution:
This hotfix enables the OfficeScan server to handle UTF-8 strings in Control Manager policies to resolve the issue.
(VRTS-2185)
An issue related to the Trend Micro OfficeScan Firewall driver may cause multiple Privilege Escalation and Pool Corruption vulnerabilities.
Solution:
This hotfix updates the Trend Micro OfficeScan Firewall driver to resolve the vulnerabilities.
(SEG-24294)
This hotfix enables Trend Micro Data Loss Prevention(TM) (DLP) Endpoint SDK 6.0 to support Google Chrome 65.
(SEG-23706)
The "Offline Time" column on the OfficeScan web console displays inaccurate information.
Solution:
This hotfix updates the OfficeScan server files to ensure that the correct offline time information appears in the "Offline Time&qu column.
(SEG-23706)
The OfficeScan server may export the wrong agent list information because there is not enough buffer memory.
Solution:
This hotfix enlarges the buffer size to fix this issue.
(SEG-25099)
There is a spelling error in the "Action on Exception Rule" page of the OfficeScan agent console.
Solution:
This hotfix updates the OfficeScan agent program to correct the spelling error on the page.
(SEG-26207), (SEG-25423)
Blue screen of death (BSOD) occurs on Microsoft(TM) Surface(TM) computers protected by OfficeScan 11.0.
Solution:
This hotfix updates the OfficeScan Behavior Monitoring feature to prevent the BSOD issue on protected Microsoft Surface computers.
(SEG-25025)
OfficeScan client computers running on Microsoft Windows(TM) 10 slow down when opening the right-click (shell) menu.
Solution:
This hotfix updates the Data Loss Prevention(TM) (DLP) module to prevent OfficeScan client computers running on Windows 10 from slowing down while opening the right-click menu.
(SEG-24773)
OfficeScan uninstallation may fail because certificate verification takes too long to complete.
Solution:
This hotfix enables users to configure the timeout value for certificate verification to help ensure that uninstallation proceeds normally.
Procedure:
To set the timeout value for certificate verification during OfficeScan uninstallation:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file using a text editor.
- Add the following key and set its value to the preferred timeout value in seconds divided by five. For example, to set the timeout to 15 seconds, set:
- [Global Settings]
- WaitCheckSignTimes=3
NOTE: The default value is "3".
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to clients.
(SEG-24846)
An issue prevents OfficeScan from detecting file attachments in Gmail.
Solution:
The hotfix resolves the issue by enabling OfficeScan to parse file attachments using an HTTP and HTTP/2 parser.
(SEG-26522)
"DbServer.exe" stops unexpectedly because of a Scan Operation log generated when a scheduled database compression task fails.
Solution:
This hotfix enables the database to delete the Scan Operation log once it has recovered successfully.
(SEG-21108)
A high CPU usage issue occurs when OfficeScan's Behavior Monitoring module communicates with the User-Mode Hook Event module.
Solution:
This hotfix updates the Behavior Monitoring module to resolve the issue.
(SEG-25338)
The OfficeScan Behavior Monitoring feature may cause performance issues while the OfficeScan agent unloads on a protected computer.
Solution:
This hotfix updates the Behavior Monitoring module to resolve the issue.
(SEG-23154)
This hotfix improves OfficeScan's security checking feature for digital signatures during program deployment in air gap network environments by allowing users to configure the interval of the uploading digital signature check failure logs.
This hotfix also decommissions the following settings:
- CheckDigitalSignatureForHotfix
- CheckDigitalSignatureForUpgrade
- DOVF
Procedure:
To configure the interval of the uploading digital signature check failure logs:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
- Under the "Global Setting" section, manually add the following key and set it to the time interval in seconds.
- [Global Setting]
- DSInvalidLogUploadInterval=3600(default, sec)
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to clients.
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro \PC-cillinNTCorp\CurrentVersion\Misc.
- Key:DSInvalidLogUploadInterval
- Type: DWORD
- Value: 3600
(SEG-24943)
This hotfix implements a periodic purging mechanism for open file tables to prevent a potential memory leak issue in the DLP user-mode scanning service.
(SEG-26977)
This hotfix enables DLP Endpoint SDK 6.0 to support Google Chrome 66.0.3359.117.
(SEG-27655)
This hotfix allows users to configure OfficeScan to automate the process of moving a large number of OfficeScan clients to another OfficeScan server or specific domain and/or to uninstall OfficeScan agents.
Procedure:
To enable the new settings:
- Install this hotfix (see "Installation").
- Open the "Ofcscan.ini" file in the "\PCCSRV\" folder of the OfficeScan server installation directory using a text editor.
- Under the "Global Setting" section, manually add the following keys and set both values to "1".
- [Global Setting]
- EnableMoveNATClient=1
- MoveNATClientRemoveEmptyDomain=1
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent endpoints:
- Only "EnableMoveNATClient" will be deployed to client in the following path:
- For x64 platforms:
- HKEYLOCALMACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\
- For x86 platforms:
- HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\
- Key: EnableMoveNATClient
- Type: DWORD
- Value: 1
(VRTS-1730)
A user can elevate the privileges of a regular account to an administrator account through the OfficeScan management console.
Solution:
This hotfix resolves the vulnerability to help ensure that users cannot gain administrator privileges through the OfficeScan management console without the proper authorization.
(SEG-28887)
The Recent file list is missing from the right-click menu on the Microsoft(TM) Windows(TM) taskbar and from the "Start" menu when the Data Loss Prevention(TM) (DLP) Service is enabled.
Solution:
This hotfix resolves this issue by updating the file event scanning procedure for "RuntimeBroker.exe" with the Microsoft Windows Jump List under the "automaticdestinations-ms" folder.
(SEG-28758)
An OfficeScan agent displays the IM blocking message on the DLP service log when users open Skype even when DLP is disabled.
Solution:
This hotfix ensures that when users open Skype for Desktop, the OfficeScan agent displays the IM blocking message on the service log only when DLP is enabled.
(SEG-27362)
A blue screen of death (BSoD) occurs while updating the Scan Engine (VSAPI)on the OfficeScan agent server platform. This issue occurs when OfficeScan queries the "tmcomm.sys" file after the system unloads the Tmcomm driver.
Solution:
The hotfix updates the Tmcomm driver to resolve this issue.
(SEG-29381)
This hotfix enables DLP Endpoint SDK 6.0 to support Google Chrome 67.0.3396.62.
(VRTS-2475), (VRTS-2477), (VRTS-2479)
An attacker may craft a malicious request and cause AMSP to help on creating a process that provides SYSTEM privileges to the attackers.
Solution:
This hotfix updates the AMSP file ("coreCommandmanager.dll") to resolve this issue.
(SEG-16012)
The OfficeScan server may hang because there are too many "cgiOnScan.exe" processes almost running at the same time. This situation occurs when the schedule scan runs on many OfficeScan agents.
Solution:
The hotfix resolves this issue by adding a random waiting time function for OfficeScan agents while calling the "cgiOnScan.exe" function.
(SEG-31306)
Compliance reports may indicate that the Common Firewall Driver of an OfficeScan agent is inconsistent with the latest version on the OfficeScan server and needs to be updated even when the component is up-to-date.
Solution:
This hotfix ensures that compliance reports display the correct agent component status.
(SEG-29947)
This hotfix adds a hidden key to allow users to configure whether "CNTAoSUninstaller.exe" removes the Trend Micro Endpoint Sensor agent when uninstalling the OfficeScan agent.
Procedure:
To prevent "CNTAoSUninstaller.exe" from removing the Trend Micro Endpoint Sensor agent when uninstalling the OfficeScan agent:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "OfficeScan\PCCSRV\" folder on the OfficeScan server.
- Under the "Global Setting" section, manually add the "SkipTMESRemoval" key and set its value equal to "1".
- [Global Setting]
- SkipTMESRemoval=1
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers.
- The OfficeScan server deploys the settings to OfficeScan agents and adds the registry key under [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]
- "SkipTMESRemoval=1"
(SEG-27655), (SEG-30985)
This hotfix allows users to configure OfficeScan to automate the process of moving a large number of OfficeScan clients to another OfficeScan server or specific domain and/or to uninstall OfficeScan agents.
Procedure:
To enable the new settings:
- Install this hotfix (see "Installation").
- Open the "Ofcscan.ini" file in the "\PCCSRV\" folder of the OfficeScan server installation directory using a text editor.
- Under the "Global Setting" section, manually add the following keys and set both values to "1".
- [Global Setting]
- EnableMoveNATClient=1
- MoveNATClientRemoveEmptyDomain=1
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent endpoints:
- Only "EnableMoveNATClient" will be deployed to client in the following path:
- For x64 platforms:
- HKEYLOCALMACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\
- For x86 platforms:
- HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\
- Key: EnableMoveNATClient
- Type: DWORD
- Value: 1
(SEG-32418)
On 64-bit Microsoft(TM) Windows(TM) platforms, the Process Hacker tool can kill the OfficeScan agent service and process even when the OfficeScan self-protection feature is enabled.
Solution:
This hotfix resolves this issue by updating the Behavior Monitoring module.
(SEG-31900)
This hotfix enables Data Loss Prevention(TM) (DLP) Endpoint SDK 6.0 to skip the Domain Name System (DNS) from resolving customized web sites.
Procedure:
To configure the new setting for DLP:
- Install this hotfix (see "Installation").
- Open the "dlp.ini" file in the "\PCCSRV\Private\" folder of the OfficeScan server installation directory using a text editor.
- Under the "Configure" section, manually add the "BYPASS_DNS_RESOLVE_WEBSITES" key and set its value.
- [Configure]
- BYPASS_DNS_RESOLVE_WEBSITES=example1.com,example2.com
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Agent Management > 6. Select domains or agents > Settings > DLP settings" screen.
- Click "Save" to deploy the setting to agents". The OfficeScan server deploys the setting to OfficeScan agents and adds the following key in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder:
- BYPASS_DNS_RESOLVE_WEBSITES=example1.com,example2.com
(SEG-30222)
An issue prevents the Data Loss Prevention(TM) (DLP) services from detecting when files from a ZIP file are being copied and burned to a CD or DVD.
Solution:
This hotfix resolves the issue so that DLP can detect and block these events.
(SEG-26891)
After the OfficeScan server syncs with a Trend Micro Control Manager(TM) server, the Suspicious Object list file "bl.zip" does not shrink after a large number of Suspicious Objects expire on Control Manager.
Solution:
This hotfix ensures that OfficeScan cleans the relevant database content completely before adding new information form Control Manager.
(SEG-31290)
This hotfix updates the requirements for the Trusted Programs List to exclude processes from suspicious activity monitoring. This allows OfficeScan agents to work around an interoperability issue that may cause a high CPU usage issue with the Virus Scan Engine (VSAPI).
(SEG-31323)
This hotfix enables the DLP module to support Google Chrome 68.0.3440.84.
(SEG-33936)
When users register an OfficeScan server to Trend Micro Control Manager(TM) through the OfficeScan web console, the notification message about the integrated Smart Scan server does not appear.
Solution:
This hotfix resolves the issue by updating the related comparison statement to use the correct variable, "iSupportMajorVersion" instead of "iMajorVersion".
(SEG-33533)
The Suspicious Connection Service has been enhanced to allow you to block network connections made to addresses in the Global C&C IP List.
Procedure:
Procedure: To enable the blocking action for the Suspicious Connection Service:
- Install this hotfix (see "Installation").
- Open the "Ofcscan.ini" file in the "\PCCSRV\"folder on the OfficeScan server installation directory.
- Under the "Global Setting" section, manually add the "MKWL" key and assign the encrypted string of the full program path.
- [Global Setting]
- GlobalActionForCNP=1
- GlobalActionForRR=1
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
- Path: for x86 platform: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\NCIE
- Path: for x64 platform: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\NCIE
- Key: GlobalActionForCNP
- Key: GlobalActionForRR
- Type: DWORD
- Value: 1
Notes: Currently this feature cannot be modified through the server console and is only provided through global settings deployment.
(SEG-26387)
Users may not be able to open Microsoft(TM) Excel(TM) files when a third-party encryption software runs and Behavior Monitoring Services are enabled.
Solution:
This hotfix enables users to configure the Behavior Monitoring Services to skip events related to Excel to help solve the issue.
Procedure:
To apply and deploy the solution globally:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
- Under the "Global Setting" section, manually add the "SkipTWFD" and set it to "1".
- [Global Setting]
- SkipTWFD=1
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
- Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmactmon\Parameters
- Key: SkipTWFD
- Type: DWORD
- Value: 1
- Restart the OfficeScan agent
(SEG-33319)
OfficeScan agents may report an incorrect Firewall policy status to the OfficeScan agent tree.
Solution:
This hotfix updates the OfficeScan agent program to ensure that the OfficeScan agent reports the correct Firewall policy information.
(SEG-35251)
The alternate update source information remains in the "ous.ini" file after users delete the information from the OfficeScan web console.
Solution:
This hotfix removes a duplicate entry for the alternate update source information from the "ous.ini" file to solve this issue.
(SEG-36415)
OfficeScan 11.0 agents may cause programs to become unresponsive when the Certified Safe Software Service is enabled. This occurs because the OfficeScan agent is unable to correctly resolve proxy settings to the correct Trend Micro server.
Solution:
This hotfix updates the OfficeScan agent program to resolve this issue.
(SEG-35575)
This hotfix enables the Data Loss Prevention(TM) (DLP) module to support Google Chrome 68.0.3440.106 and 69.0.3497.81.
(SEG-35613)
This hotfix enables the OfficeScan agent to trigger Damage Cleanup Services (DCS) to clean computers of file-based and network viruses, and virus and worm remnants (Trojans, registry entries, and viral files) when the OfficeScan NT RealTime Scan ("Ntrtscan.exe") service or the OfficeScan agent computer restarts.
Procedure:
To enable the OfficeScan agent to trigger DCS to clean computers automatically when Ntrtscan.exe or the OfficeScan agent computer restarts:
- Install this hotfix (see "Installation").
- Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory using a text editor.
- Under the "Global Setting" section, manually add the following key and set its value to "1".
- [Global Setting]
- LaunchDCSBootup=1
- NOTE: To disable the setting, set this key to "0".
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entries on all OfficeScan agent computers:
- Path:
- for x64 platform
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
- for x86 platform
- HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
- Key: LaunchDCSBootup
- Type: REG_DWORD
- Value: 1
(SEG-36052)
There are some vulnerabilities in the 7z version used by OfficeScan.
Solution:
This hotfix upgrades the 7z component to the latest version to resolve the vulnerabilities.
(SEG-35974)
Sometimes, the OfficeScan "VerConn.exe" function stops unexpectedly and the event is recorded in "Application-EventLog".
Solution:
This hotfix improves the way "verconn.exe" handles internal data to prevent this issue.
(SEG-36826)
On computers running Microsoft(TM) Windows(TM) 10 April 2018 Update (RS4), users cannot update the OfficeScan client program using an update package created by the Client Packager Tool because some OfficeScan agent drivers are still running.
Solution:
This hotfix updates the OfficeScan server program to resolve this issue.
(SEG-37478)
The OfficeScan Master Service may stop unexpectedly if the OfficeScan server cannot parse the domain hierarchy of OfficeScan agents logre generating the debug log.
Solution:
This hotfix updates the OfficeScan server program to resolve the issue.
(SEG-37707)
OfficeScan agents may send the wrong Firewall policy status to the OfficeScan agent tree. This happens because of a timing issue that prevents OfficeScan agents from sending the current Firewall policy status to the OfficeScan server.
Solution:
This hotfix updates the OfficeScan agent program to ensure that OfficeScan agents send the correct Firewall policy information to the OfficeScan server.
(SEG-38903)
UTF-8 characters appear garbled in exported Data Loss Prevention(TM) (DLP) log CSV files.
Solution:
This hotfix updates the OfficeScan server program to ensure that UTF-8 characters are displayed normally on DLP log CSV files.
(SEG-41179)
Endpoints may become unresponsive if the OfficeScan agent has Behavior Monitoring (version 2.974.1238) enabled due to an internal value mismatch.
Solution:
This Critical Patch updates the Behavior Monitoring service to version 2.974.1241 and corrects the internal value matching.
(SEG-39954)
This Critical Patch adds an option to configure OfficeScan agents to stop sending census queries for a specified amount of time when it detects the specified number of failed census queries. This can help prevent performance issues in protected computers.
Procedure:
To configure the maximum number of failed census queries and the period of time OfficeScan agents should stop sending census queries:
- Install this Critical Patch (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server.
- Under the "Global Setting" section, manually add the following keys and set the preferred value for each:
- [Global Setting]
- CensusFailedCnt = X (Census query failed count, default is 5, supports 5 - 100)
- CensusSuspendPeriod = Y (Census query suspend period, default is 180 seconds, supports 0 - 3600)
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entries on all OfficeScan agent endpoints:
- x86 Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
- x64 Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
- Key: CensusFailedCnt and CensusSuspendPeriod
- Type: dword
- Value: 5 and 180 (default value)
(SEG-38464)
This critical patch enables the OfficeScan 11 Service Pack 1 Patch 1 agent program to support Microsoft(TM) Windows(TM) 10 (version 1809) October 2018 Update.
(SEG-39252)
The Trend Micro Data Loss Prevention(TM) (DLP) service stops unexpectedly while files are attached to web mail and stops the file upload.
Solution:
This hotfix updates the FtpParser in the DLP module to resolve this issue.
(SEG-38186)
Issues related to the OfficeScan Behavior Monitoring feature may prevent users from accessing network drives and cause Microsoft(TM) Outlook(TM) to stop responding.
Solution:
This hotfix resolves the issues by updating the Behavior Monitoring module and enabling users to configure certain settings in the registry.
Procedure:
To apply and deploy the solution globally:
- Install this hotfix (see "Installation").
- Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
- Under the "Global Setting" section, manually add the following three keys and set all to "1".
- [Global Setting]
- AegisSkipDesktopINI=1
- AegisSkipRemoteDirectory=1
- AegisSkipRemoteDirectoryByPath=1
- Save the changes and close the file.
- Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
- Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS
- Key: SkipDesktopINI
- Key: SkipRemoteDirectory
- Key: SkipRemoteDirectoryByPath
- Type: DWORD
- Value: 1
- Restart the OfficeScan agent.
(SEG-30222)
An issue prevents the Data Loss Prevention(TM) (DLP) services from detecting when files from a ZIP file are being copied and burned to a CD or DVD.
Solution:
This hotfix resolves the issue so that DLP can detect and block these events.
(SEG-39246)
Scheduled Scan is triggered unexpectedly when OfficeScan detects the Google Drive File Stream desktop application on an agent computer.
Solution:
This hotfix updates the OfficeScan agent program to ensure that scheduled scan works normally on agent computers.
(SEG-40485)
This hotfix updates the DLP module to support Google(TM) Chrome(TM) 71.
(SEG-41375)
When starting on a 64-bit platform, the OfficeScan NT Listener service "TmListen.exe" may stop unexpectedly while the OfficeScan agent verifies the decompressed agent file.
Solution:
This hotfix updates "TmListen.exe" to ensure that it can start up successfully on 64-bit platforms.
(SEG-40888)
The OfficeScan server sends the wrong Data Loss Prevention(TM) (DLP) log file size information to the Trend Micro Control Manager(TM) server.
Solution:
This hotfix updates the OfficeScan server program to ensure that the correct DLP log file size is sent to the Control Manager server.
(SEG-43365)
The OfficeScan server may not report the "Last Startup" and "Offline Time" information of OfficeScan agents to the registered Trend Micro Control Manager(TM) server.
Solution:
This hotfix resolves the issue to ensure that the "Last Startup" and "Offline Time" information of OfficeScan agents are sent to the Control Manager server so the information appears on the Control Manager web console.
(SEG-41807)
The content of notification email messages is inconsistent with the information on the web console.
Solution:
This hotfix updates the OfficeScan server program to resolve the problem.
(SEG-44000)
An issue prevents the OfficeScan Data Loss Prevention(TM) (DLP) module from retrieving the serial number of portable hard disks.
Solution:
This hotfix resolves the issue by updating the DLP module.
(SEG-44478)
An exception error triggers the OfficeScan Master Service to stop unexpectedly while extracting a pattern file from a compressed file.
Solution:
This hotfix updates the OfficeScan Master Service to enable it to handle the exception.
(SEG-45429)
An error that resulted from a previous action prevents the OfficeScan agent console from opening.
Solution:
This hotfix updates the OfficeScan agent program to resolve the issue.
8. Contact Information
A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.
Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.
http://www.trendmicro.com/us/about-us/contact/index.html
NOTE: This information is subject to change without notice.
9. About Trend Micro
Smart, simple, security that fits
As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.
Copyright 2019, Trend Micro Incorporated. All rights reserved.
Trend Micro, OfficeScan, Data Loss Prevention, and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.
10. License Agreement
View information about your license agreement with Trend Micro at: http://www.trendmicro.com/us/about-us/legal-policies/license-agreements/
Third-party licensing agreements can be viewed:
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide