1. Critical Patch Release Information

Resolved Known Issues

This Critical Patch resolves the following issue(s):

Issue 1 (VRTS-3670)

A directory traversal vulnerability may allow an attacker to extract files from an arbitrary zip file to the specific folder in OfficeScan server.

Solution:

This critical patch updates the OfficeScan server program to remove the vulnerability.

Issue 2 (VRTS-3681)

A directory traversal vulnerability may allow an attacker to log on to the OfficeScan Management Console as a root user.

Solution:

This critical patch updates the OfficeScan server program to remove the vulnerability.

Enhancements

There are no enhancements for this Critical Patch release.

Files Included in this Release

A. Files for Current Issue(s)
-------------------------------------------------------------------
Filename                                               Build Number
------------------------------                         ------------
OfficeScan\PCCSRV\Admin\Utility\EdgeServer\*.*

OfficeScan\PCCSRV\Admin\Utility\SQL\*.*

OfficeScan\PCCSRV\Pccnt\Disk1\*.*

OfficeScan\PCCSRV\
-------------------------------------------------------------------
Autopcc.exe                                            11.0.0.6638             
Autopccp.exe                                           11.0.0.6638             
CGIResUTF8.dll                                         11.0.0.6638             
CGIShare.dll                                           11.0.0.6638             
libeay32.dll                                           1.0.2.16                
OfcPfwCommon.dll                                       12.0.0.6359             
OfcPIPC.dll                                            12.0.0.6359             
SvrSvcSetup.exe                                        11.0.0.6638             

OfficeScan\PCCSRV\Admin\
-------------------------------------------------------------------
Build.exe                                              2.85.0.1180             
Build64.exe                                            2.85.0.1180             
cert5.db                                                    *                  
ciussi32.dll                                           2.0.0.2074              
ciussi64.dll                                           2.0.0.2074              
InstReg.exe                                            12.0.0.6359             
OSCETSCLog.dll                                         12.0.0.6359             
patch.exe                                              2.85.0.1180             
Patch64.exe                                            2.85.0.1180             
patchbld.dll                                           12.21.0.0               
PATCHW32.DLL                                           12.21.0.0               
PatchW64.dll                                           12.20.0.0               
TmUpdate.dll                                           2.85.0.1180             
TmUpdate64.dll                                         2.85.0.1180             
Wizard.exe                                             12.0.0.6359             
Wizard_64x.exe                                         12.0.0.6359             
x500.db                                                     *                  

OfficeScan\PCCSRV\Admin\Utility\ClientPackager\
-------------------------------------------------------------------
ClnExtor.ini                                                *                  
ClnPack.exe                                            11.0.0.6638             
ClnPack.ini                                                 *                  
OfcPfwCommon.dll                                       12.0.0.6359             

OfficeScan\PCCSRV\Admin\Utility\ListDeviceInfo\
-------------------------------------------------------------------
listDeviceInfo.exe                                     6.0.0.1502              

OfficeScan\PCCSRV\Admin\Utility\PolicyExportTool\
-------------------------------------------------------------------
CGIResUTF8.dll                                         11.0.0.6638             

OfficeScan\PCCSRV\Admin\Utility\SQL\
-------------------------------------------------------------------
libSQLDatabaseUpgrade.dll                              11.0.0.6638             

OfficeScan\PCCSRV\Admin\Utility\TMVS\
-------------------------------------------------------------------
DatFHS.dll                                             12.0.0.6359             
libeay32.dll                                           1.0.2.16                
ssleay32.dll                                           1.0.2.16                
TMVS.exe                                               11.0.0.6638             

OfficeScan\PCCSRV\Autopcc.cfg\
-------------------------------------------------------------------
ApNT.ini                                                    *                  
ApNT_X64.ini                                                *                  

OfficeScan\PCCSRV\CmAgent\
-------------------------------------------------------------------
CGIResUTF8.dll                                         11.0.0.6638             
En_I18N.dll                                            5.0.0.2319              
En_Utility.dll                                         5.0.0.2319              
libcurl.dll                                            7.43.0.0                
libeay32.dll                                           1.0.2.16                
Microsoft.VC80.CRT.manifest                                 *                  
msvcm80.dll                                            8.0.50727.762           
msvcp80.dll                                            8.0.50727.762           
msvcr80.dll                                            8.0.50727.762           
OfcCMAgent.exe                                         11.0.0.6638             
ProductLibrary.dll                                     11.0.0.6638             
ProductUI.zip                                               *                  
ssleay32.dll                                           1.0.2.16                
TrendAprWrapperDll.dll                                 5.0.0.2319              
zlib.dll                                               1.2.3.0                 

OfficeScan\PCCSRV\Download\
-------------------------------------------------------------------
ClnPack_files.xml                                           *                  

OfficeScan\PCCSRV\Download\Engine\
-------------------------------------------------------------------
BMdriver_x32.sig                                            *                  
BMdriver_x32.zip                                            *                  
BMdriver_x64.sig                                            *                  
BMdriver_x64.zip                                            *                  
bmservice_x32.sig                                           *                  
bmservice_x32.zip                                           *                  
bmservice_x64.sig                                           *                  
bmservice_x64.zip                                           *                  

OfficeScan\PCCSRV\Download\Product\
-------------------------------------------------------------------
DlpLite_Common.zip                                          *                  
DlpLite_Common_x64.zip                                      *                  

OfficeScan\PCCSRV\Engine\
-------------------------------------------------------------------
TmAegisSysEvt.dll                                      2.974.0.1249            
TMBMCLI.dll                                            2.974.0.1249            
TMBMSRV.exe                                            2.974.0.1249            
tmCfwApi.dll                                           5.83.0.1059             
tmcomeng.dll                                           2.974.0.1249            
tmelapi.dll                                            1.6.0.1004              
TmEngDrv.dll                                           2.974.0.1249            
tmHash.dll                                             5.83.0.1059             
TMPEM.dll                                              2.974.0.1249            
TmPfw.exe                                              5.83.0.1059             
TmPfwApi.dll                                           5.83.0.1059             
TmPfwRul.dll                                           5.83.0.1059             
tmtap.dll                                              6.0.0.1074              
tmwlutil.dll                                           2.974.0.1249            

OfficeScan\PCCSRV\Engine\x64\
-------------------------------------------------------------------
TmAegisSysEvt.dll                                      2.974.0.1249            
TMBMCLI.dll                                            2.974.0.1249            
TMBMSRV.exe                                            2.974.0.1249            
tmCfwApi.dll                                           5.83.0.1059             
tmcomeng.dll                                           2.974.0.1249            
tmelapi.dll                                            1.6.0.1004              
TmEngDrv.dll                                           2.974.0.1249            
tmHash.dll                                             5.83.0.1059             
TMPEM.dll                                              2.974.0.1249            
TmPfw.exe                                              5.83.0.1059             
TmPfwApi.dll                                           5.83.0.1059             
TmPfwRul.dll                                           5.83.0.1059             
tmtap.dll                                              6.0.0.1074              
tmwlutil.dll                                           2.974.0.1249            

OfficeScan\PCCSRV\LWCS\
-------------------------------------------------------------------
Build.exe                                              2.85.0.1180             
cert5.db                                                    *                  
ciuas32.dll                                            1.0.0.2075              
ciussi32.dll                                           2.0.0.2074              
libcurl.dll                                            7.55.1.0                
libeay32.dll                                           1.0.2.16                
patch.exe                                              2.85.0.1180             
patchbld.dll                                           12.21.0.0               
PATCHW32.DLL                                           12.21.0.0               
ssleay32.dll                                           1.0.2.16                
TmUpdate.dll                                           2.85.0.1180             
x500.db                                                     *                  

OfficeScan\PCCSRV\Pccnt\
-------------------------------------------------------------------
ClientConsole.zip                                           *                  
NTMonRes.dll                                           11.0.0.6638             
NTRmvRC.dll                                            11.0.0.6638             
NTRtScan.exe                                           12.0.0.6359             
NTSvcRes.dll                                           11.0.0.6638             

OfficeScan\PCCSRV\Pccnt\Common\
-------------------------------------------------------------------
7z.dll                                                 18.5.0.0                
7z.exe                                                 18.5.0.0                
CCSF_PTN.zip                                                *                  
CCSF_WIN32.zip                                              *                  
CNTAosUnInstaller.exe                                  2.2.0.1334              
com.trendmicro.tmopfirefox.ext.json                         *                  
com.trendmicro.tmopfirefox.ext@trendop.xpi                  *                  
CompRmv.exe                                            12.0.0.6359             
DatFHS.dll                                             12.0.0.6359             
fcWofieUI.dll                                          12.0.0.6359             
ICRCHdler.dll                                          2.7.0.1111              
lib7zWrapper.dll                                            *                  
libcurl.dll                                            7.49.1.0                
libeay32.dll                                           1.0.2.16                
libprotobuf.dat                                             *                  
libprotobuf.dll                                             *                  
NTRmv.exe                                              12.0.0.6359             
OfcCCCAUpdate.exe                                      12.0.0.6359             
OfcPfwCommon.dll                                       12.0.0.6359             
OfcPfwSvc.dll                                          12.0.0.6359             
OfcPIPC.dll                                            12.0.0.6359             
PccNT.exe                                              12.0.0.6359             
PccNTMon.exe                                           12.0.0.6359             
PccNTUpd.exe                                           12.0.0.6359             
perfiCrcPerfMonMgr.dll                                 2.7.0.1111              
ssleay32.dll                                           1.0.2.16                
SurrogateTmListen.exe                                  12.0.0.6359             
tmCfwApi.dll                                           5.83.0.1059             
TmFpHcEx.exe                                           5.83.0.1059             
tmHash.dll                                             5.83.0.1059             
TmListen.dll                                           12.0.0.6359             
TmListen.exe                                           12.0.0.6359             
TmListenShare.dll                                      12.0.0.6359             
TmopCfg.dll                                            2.0.0.1100              
TmopChromeMsgHost32.exe                                2.0.0.1094              
TmopExtIns.exe                                         2.0.0.1094              
TmopIEPlg.dll                                          2.0.0.1094              
TmOPP.dll                                              12.0.0.6359             
TmoppeUrlF.dll                                         2.0.0.1100              
TmopphPop3.dll                                         2.0.0.1096              
TmopphSmtp.dll                                         2.0.0.1096              
TmOsprey.dll                                           2.0.0.1094              
TmPfw.exe                                              5.83.0.1059             
TmPfwApi.dll                                           5.83.0.1059             
TmPfwCtl.dll                                           5.83.0.1059             
TmPfwCtl_xp.dll                                        5.83.0.1059             
TmPfwRul.dll                                           5.83.0.1059             
TmSock.dll                                             12.0.0.6359             
tmufeng.dll                                            3.9.0.1012              
tmwfpapi.dll                                           5.83.0.1059             
UpdGuide.exe                                           12.0.0.6359             
Upgrade.exe                                            12.0.0.6359             
utilPfwInstCondChecker.exe                             12.0.0.6359             
WofieLauncher.exe                                           *                  
xpupg.exe                                              12.0.0.6359             

OfficeScan\PCCSRV\Pccnt\Drv\
-------------------------------------------------------------------
tmactmon.cat                                                *                  
tmactmon.inf                                                *                  
tmactmon.sys                                           2.974.0.1248            
tmcomm.cat                                                  *                  
tmcomm.inf                                                  *                  
tmcomm.sys                                             6.60.0.1067             
tmeevw.cat                                                  *                  
tmeevw.inf                                                  *                  
tmeevw.sys                                             2.0.0.1039              
tmevtmgr.cat                                                *                  
tmevtmgr.inf                                                *                  
tmevtmgr.sys                                           2.974.0.1248            
tmlwf.cat                                                   *                  
tmlwf.inf                                                   *                  
TMLWF.sys                                              5.83.0.1063             
tmlwfins.exe                                           5.83.0.1063             
tmusa.cat                                                   *                  
tmusa.inf                                                   *                  
tmusa.sys                                              2.0.0.1103              
tmwfp.cat                                                   *                  
tmwfp.inf                                                   *                  
TMWFP.sys                                              5.83.0.1063             
tmwfpins.exe                                           5.83.0.1063             

OfficeScan\PCCSRV\Pccnt\Drv\X64\
-------------------------------------------------------------------
tmactmon.cat                                                *                  
tmactmon.inf                                                *                  
tmactmon.sys                                           2.974.0.1248            
tmcomm.cat                                                  *                  
tmcomm.inf                                                  *                  
tmcomm.sys                                             6.60.0.1067             
tmeevw.cat                                                  *                  
tmeevw.inf                                                  *                  
tmeevw.sys                                             2.0.0.1039              
tmevtmgr.cat                                                *                  
tmevtmgr.inf                                                *                  
tmevtmgr.sys                                           2.974.0.1248            
tmlwf.cat                                                   *                  
tmlwf.inf                                                   *                  
TMLWF.sys                                              5.83.0.1063             
tmlwfins.exe                                           5.83.0.1063             
tmusa.cat                                                   *                  
tmusa.inf                                                   *                  
tmusa.sys                                              2.0.0.1103              
tmwfp.cat                                                   *                  
tmwfp.inf                                                   *                  
TMWFP.sys                                              5.83.0.1063             
tmwfpins.exe                                           5.83.0.1063             

OfficeScan\PCCSRV\Pccnt\Win64\X64\
-------------------------------------------------------------------
7z.dll                                                 18.5.0.0                
7z.exe                                                 18.5.0.0                
CCSF_X64.zip                                                *                  
CompRmv.exe                                            12.0.0.6359             
DatFHS.dll                                             12.0.0.6359             
fcWofieUI.dll                                          12.0.0.6359             
ICRCHdler.dll                                          2.7.0.1111              
lib7zWrapper_64x.dll                                        *                  
libcurl.dll                                            7.49.1.0                
libeay32.dll                                           1.0.2.16                
libprotobuf.dat                                             *                  
libprotobuf.dll                                             *                  
NTRmv.exe                                              12.0.0.6359             
Ntrtscan.exe                                           12.0.0.6359             
OfcCCCAUpdate.exe                                      12.0.0.6359             
OfcPfwCommon_64x.dll                                   12.0.0.6359             
OfcPfwSvc_64x.dll                                      12.0.0.6359             
OfcPIPC_64x.dll                                        12.0.0.6359             
OSCETSCLog_64x.dll                                     12.0.0.6359             
PccNT.exe                                              12.0.0.6359             
PccNTMon.exe                                           12.0.0.6359             
PccNTUpd.exe                                           12.0.0.6359             
perfiCrcPerfMonMgr.dll                                 2.7.0.1111              
ssleay32.dll                                           1.0.2.16                
SurrogateTmListen.exe                                  12.0.0.6359             
tmCfwApi.dll                                           5.83.0.1059             
TmFpHcEx.exe                                           5.83.0.1059             
tmHash.dll                                             5.83.0.1059             
TmListen.exe                                           12.0.0.6359             
TmListen_64x.dll                                       12.0.0.6359             
TmListenShare_64x.dll                                  12.0.0.6359             
TmopCfg.dll                                            2.0.0.1100              
TmopExtIns.exe                                         2.0.0.1094              
TmopExtIns32.exe                                       2.0.0.1094              
TmopIEPlg.dll                                          2.0.0.1094              
TmopIEPlg32.dll                                        2.0.0.1094              
TmOPP_64x.dll                                          12.0.0.6359             
TmoppeUrlF.dll                                         2.0.0.1100              
TmopphPop3.dll                                         2.0.0.1096              
TmopphSmtp.dll                                         2.0.0.1096              
TmOsprey.dll                                           2.0.0.1094              
TmOsprey32.dll                                         2.0.0.1094              
TmPfw.exe                                              5.83.0.1059             
TmPfwApi.dll                                           5.83.0.1059             
TmPfwCtl.dll                                           5.83.0.1059             
TmPfwCtl_xp.dll                                        5.83.0.1059             
TmPfwRul.dll                                           5.83.0.1059             
TmSock_64x.dll                                         12.0.0.6359             
tmufeng.dll                                            3.9.0.1012              
tmwfpapi.dll                                           5.83.0.1059             
UpdGuide.exe                                           12.0.0.6359             
Upgrade.exe                                            12.0.0.6359             
utilPfwInstCondChecker.exe                             12.0.0.6359             
WofieLauncher.exe                                           *                  
xpupg.exe                                              12.0.0.6359             

OfficeScan\PCCSRV\Private\
-------------------------------------------------------------------
DlpClc.xml                                                  *                  
RansomwareWidget.ini                                        *                  

OfficeScan\PCCSRV\Private\certificate\
-------------------------------------------------------------------
libeay32.dll                                           1.0.2.16                
openssl.exe                                                 *                  
ssleay32.dll                                           1.0.2.16                

OfficeScan\PCCSRV\Private\LogServer\
-------------------------------------------------------------------
7z.dll                                                 18.5.0.0                
7z.exe                                                 18.5.0.0                
OfcPIPC.dll                                            12.0.0.6359             

OfficeScan\PCCSRV\Web\Service\
-------------------------------------------------------------------
7z.dll                                                 18.5.0.0                
Build.exe                                              2.85.0.1180             
cert5.db                                                    *                  
CGIOCommon.dll                                         11.0.0.6638             
CGIResUTF8.dll                                         11.0.0.6638             
CGIShare.dll                                           11.0.0.6638             
ciuas32.dll                                            1.0.0.2075              
ciussi32.dll                                           2.0.0.2074              
CmdHLClient.dll                                        11.0.0.6638             
CmdHOConsole.dll                                       11.0.0.6638             
cme_dll.dll                                            6.0.0.1539              
cme_vxe_dll_static.dll                                 6.0.0.1539              
DatFHS.dll                                             12.0.0.6359             
DbServer.exe                                           11.0.0.6638             
lib7zWrapper.dll                                            *                  
libCmdHndlrClientV2.dll                                11.0.0.6638             
libCmdHndlrConsoleV2.dll                               11.0.0.6638             
libcurl.dll                                            7.58.0.0                
libcurl_ofc.dll                                        7.58.0.0                
libeay32.dll                                           1.0.2.16                
NTSvcRes.dll                                           11.0.0.6638             
OfcCCCAUpdate.exe                                      12.0.0.6359             
OfcDownload.dll                                        11.0.0.6638             
OfcHotFix.exe                                          11.0.0.6638             
OfcNotifyQueue.dll                                     11.0.0.6638             
OfcPfwCommon.dll                                       12.0.0.6359             
OfcService.exe                                         11.0.0.6638             
patch.exe                                              2.85.0.1180             
patchbld.dll                                           12.21.0.0               
PATCHW32.DLL                                           12.21.0.0               
ssleay32.dll                                           1.0.2.16                
TmUpdate.dll                                           2.85.0.1180             
VerConn.exe                                            11.0.0.6638             
x500.db                                                     *                  

OfficeScan\PCCSRV\Web\Service\PLM\
-------------------------------------------------------------------
7z.dll                                                 18.5.0.0                

OfficeScan\PCCSRV\Web_OSCE\Web\CGI\
-------------------------------------------------------------------
cgiExportInfo.exe                                      11.0.0.6638             
cgiImportInfo.exe                                      11.0.0.6638             
CGIOCommon.dll                                         11.0.0.6638             
cgiRecvFile.exe                                        11.0.0.6638             
CGIResUTF8.dll                                         11.0.0.6638             
cgiRqUpd.exe                                           11.0.0.6638             
CGIShare.dll                                           11.0.0.6638             
DatFHS.dll                                             12.0.0.6359             
libeay32.dll                                           1.0.2.16                
OfcPfwCommon.dll                                       12.0.0.6359             
SSO_PKIHelper.dll                                      5.0.0.2319              

OfficeScan\PCCSRV\Web_OSCE\Web_Console\CGI\
-------------------------------------------------------------------
cgiAuthManagement.exe                                  11.0.0.6638             
cgiCmdNotify.exe                                       5.0.0.2319              
CGIOCommon.dll                                         11.0.0.6638             
CGIResUTF8.dll                                         11.0.0.6638             
CGIShare.dll                                           11.0.0.6638             
cgiShowClientAdm.exe                                   11.0.0.6638             
cgiShowLogs.exe                                        11.0.0.6638             
cgiShowSummary.exe                                     11.0.0.6638             
cgiShowWSSAdmin.exe                                    11.0.0.6638             
cgiWebUpdate.exe                                       11.0.0.6638             
cgiWebUpdate.ini                                            *                  
libeay32.dll                                           1.0.2.16                
OfcPfwCommon.dll                                       12.0.0.6359             
ssleay32.dll                                           1.0.2.16                
SSO_PKIHelper.dll                                      5.0.0.2319              
TrendAprWrapperDll.dll                                 5.0.0.2319              

OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\aegis\
-------------------------------------------------------------------
data_protection.htm                                         *                  
device_control.htm                                          *                  

OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\Auth\
-------------------------------------------------------------------
admin_account_info.htm                                      *                  
Admin_User_List.htm                                         *                  

OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\behavior_monitoring\
-------------------------------------------------------------------
bm_settings.htm                                             *                  

OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\ClientInstall\
-------------------------------------------------------------------
agent_install.htm                                           *                  
WinNTChk.cab                                                *                  

OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\clientmag\
-------------------------------------------------------------------
client_list_2.htm                                           *                  
client_ofsc_services.htm                                    *                  
client_searchwindow.htm                                     *                  

OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\common\
-------------------------------------------------------------------
menu_common.js                                              *                  

OfficeScan\PCCSRV\Web_OSCE\Web_Console\HTML\common\l10n\
-------------------------------------------------------------------
l10n.aegis.js                                               *                  
l10n.dlp.js                                                 *                  
l10n.serveradm.js                                           *                  

OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\common\settings\
-------------------------------------------------------------------
setting.dlp.js                                              *                  

OfficeScan\PCCSRV\Web_OSCE\Web_Console\HTML\dlp\
-------------------------------------------------------------------
dlp_FileAttr_addedit.htm                                    *                  

OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\serveradm\
-------------------------------------------------------------------
server_proxy.htm                                            *                  

OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\inc\
-------------------------------------------------------------------
config.php                                                  *                  

OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\inc\class\common\soap\
-------------------------------------------------------------------
SoapFactory.php                                             *                  

OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\inc\class\proxy\
-------------------------------------------------------------------
HttpTalk.php                                                *                  

OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\widget\repository\widgetPool\
-------------------------------------------------------------------
DeleteWidgetsFromDB.bat                                     *                  

OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\repository\widgetPool\wp%RETCODE%\inc\
-------------------------------------------------------------------
common.php                                                  *                  
config.php                                                  *                  
product_auth.php                                            *                  

OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\repository\widgetPool\wp%RETCODE%\interface\
-------------------------------------------------------------------
analyzeWF.php                                               *                  

OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\repository\widgets_new\inc\
-------------------------------------------------------------------
common.php                                                  *                  
config.php                                                  *                  
product_auth.php                                            *                  

OfficeScan\PCCSRV\WEB_OSCE\Web_Console\HTML\widget\repository\widgets_new\interface\
-------------------------------------------------------------------
analyzeWF.php                                               *                  

OfficeScan\PCCSRV\Web_OSCE\Web_Console\RemoteInstallCGI\
-------------------------------------------------------------------
cgiGetNTDomain.exe                                     11.0.0.6638             
CGIOCommon.dll                                         11.0.0.6638             
CGIResUTF8.dll                                         11.0.0.6638             
CGIShare.dll                                           11.0.0.6638             
Wizard.exe                                             12.0.0.6359             
Wizard_64x.exe                                         12.0.0.6359             

OfficeScan\PCCSRV\WSS\
-------------------------------------------------------------------
Build.exe                                              2.85.0.1180             
cert5.db                                                    *                  
ciuas32.dll                                            1.0.0.2075              
ciussi32.dll                                           2.0.0.2074              
patch.exe                                              2.85.0.1180             
patchbld.dll                                           12.21.0.0               
PATCHW32.DLL                                           12.21.0.0               
TmUpdate.dll                                           2.85.0.1180             
x500.db                                                     *                  


B. Network Traffic Required in Deployment
-------------------------------------------------------------------
   Estimated size (in terms of bandwidth) of deployed agent files 
   in this critical patch.
   - 32-bit agent total = 80.0 MB
   - 64-bit agent total = 113.2 MB



                        

2. Documentation Set

To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com

  • Online Help: The Online Help contains an overview of features and key concepts, and information on configuring and maintaining the product.

To access the Online Help, go to http://docs.trendmicro.com

  • Installation Guide (IG): The Installation Guide contains information on requirements and procedures for installing and deploying the product.
  • Administrator's Guide (AG): The Administrator's Guide contains an overview of features and key concepts, and information on configuring and maintaining the product.
  • Getting Started Guide (GSG): The Getting Started Guide contains product overview, installation planning, installation and configuration instructions, and basic information intended to get the product 'up and running'.
  • Support Portal: The Support Portal contains information on troubleshooting and resolving known issues.
  • To access the Support Portal, go to http://esupport.trendmicro.com

3. System Requirements

1. Trend Micro OfficeScan 11.0 SP1 - Patch 1 Build 6242 - English - Windows - x32-x64

4. Installation/Uninstallation

Installing

To install:

  1. Copy the Critical Patch executable file to a temporary folder on the server, for example, "C:\temp".
  2. Double-click the file. The modules are automatically copied to the correct destination. This Critical Patch installation package automatically rolls back the OfficeScan server to its previous configuration if there are problems during installation. If you encounter problems after installation, do a manual rollback.

Uninstalling

To manually roll back to the previous build:

  1. Locate the backup folder that the Critical Patch package created in the "\PCCSRV\Backup\CriticalPatch_B6638" directory.
  2. Stop the OfficeScan Master Service.
  3. Stop the OfficeScan CMAgent Service.
  4. Copy the backup modules to the original folders.
  5. Start the OfficeScan CMAgent Service.
  6. Start the OfficeScan Master Service.

5. Post-installation Configuration

No post-installation steps are required.

NOTE: Trend Micro recommends that you update your scan engine and virus pattern files immediately after installing the product.

6. Known Issues

There are no known issues for this Critical Patch release.

7. Release History

Prior Hotfixes


Only this hotfix was tested for this release. Prior hotfixes were tested at the time of their release.

Issue 1 of Hotfix 6250

(TT-356853)

Installing OfficeScan 10.5 Patch 6 by web installation also installs ActiveX on the computer, however, ActiveX is not removed during client uninstallation. As a result, users encounter an error while installing OfficeScan 11 Service Pack 1 Critical Patch 6054 by web installation. This happens because the "WinNTchk.dll" for the ActiveX component cannot be updated when a previous version of the file exists in the installation directory. When this happens, the web installation fails.

Solution:

This hotfix ensures that the OfficeScan server adds the version information of the "WinNTChk.cab" file when it triggers web installation.

Issue 1 of Hotfix 6252

(TT-357563)

It is reported that the OfficeScan NT Listener service (TmListen.exe) in OfficeScan 11.0 Service Pack 1 Patch 1 failed to start up on endpoints running Microsoft(TM) Windows(TM) Vista or Windows Server 2008.

Solution:

This hotfix updates the OfficeScan agent program to resolve this issue.

Issue 2 of Hotfix 6252

(TT-352284)

The User Mode Hooking (UMH) driver causes an unexpected error.

Solution:

This hotfix updates the UMH driver to resolve this issue.

Issue 3 of Hotfix 6252

(TT-357381)

When users export the Scan Exclusion Lists for the following scan types from the "Agent Management" screen of the OfficeScan web console, the generated CSV file will not contain any domain setting information for OfficeScan agents:

  • Manual scans
  • Real-time scans
  • Scheduled scans
  • Scan Now

Solution:

This hotfix updates the OfficeScan server files to ensure that when users export Scan Exclusion Lists, the domain setting information for each OfficeScan agent appear on the exported CSV files.

Issue 4 of Hotfix 6252

(TT-355584)

In some OfficeScan agents managed by the Update Agent (UA), the T-ball logo on the bottom right portion of the screen turns red since the "NtrtScan.exe" program keeps reloading.

Solution:

This hotfix configures the "Agent Connection" setting to a global setting such that when it is changed, the Setting Aggregation File (SAF) package will be updated accordingly. This update enables the OfficeScan agents (managed by the Update Agent) to send a report to the OfficeScan server and instruct it to clear the configuration flag since there is a new setting.

Issue 5 of Hotfix 6252

(TT-358070)

When users run the Agent Packager tool in the CLI to create setup or update packages for the OfficeScan agent, there is no way to specify a domain where all freshly-installed clients should belong to.

Solution:

This hotfix updates the Agent Packager tool to enable users to specify a domain for freshly-installed agents using the "/domain" parameter when creating setup or update packages for the OfficeScan agent through the CLI.

Issue 1 of Hotfix 6258

(TT-354263)

The OfficeScan server database may crash if the database backup path follows the universal naming convention (UNC) and the backup username length exceeds 32 characters.

Solution:

This hotfix updates the OfficeScan server files to resolve this issue.

Issue 2 of Hotfix 6258

(TT-357598)

The Microsoft(TM) Windows(TM) Event Log generates too many messages.

Solution:

This hotfix enables OfficeScan to extend the cache time to 12 hours.

Issue 3 of Hotfix 6258

(TT-357926)

An issue prevents the Data Loss Prevention module from blocking the most current webmail site, for example "Outlook.com".

Solution:

This hotfix resolves this issue.

Issue 4 of Hotfix 6258

(TT-357331)

After administrators remove or uninstall the OfficeScan agent, the OfficeScan server removes all the OfficeScan agents from the database. This situation occurs when administrators set an agent unique identifier (UID) as a root domain UID.

Solution:

This hotfix updates the OfficeScan server files to add two check points to resolve this issue.

Enhancement 1 of Hotfix 6258

(TT-356698)

This hotfix provides a way for users to approve programs to run without checks by Meerkat (a detection improvement program that monitors newly encountered programs downloaded through HTTP or email applications).

Procedure:

To approve programs to run without checking by Meerkat:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\"folder on the OfficeScan server installation directory.
  3. Under the "Global Setting" section, manually add the "MKWL" key and assign the encrypted string of the full program path.
  • [Global Setting]
  • MKWL="The encrypted string of the full program path"
  • NOTE: The encrypted string of the full program path needs to be provided by OfficeScan SEG engineer.
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
  • Path: for x64 platform: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
  • Path: for x86 platform HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
  • Key: MKWL
  • Type: String
  • Value: "The encrypted string of the full program path"

Enhancement 2 of Hotfix 6258

(TT-357554)

This hotfix updates Trend Micro Data Loss Prevention(TM) (DLP) Endpoint SDK 6.0 to support the following Google Chrome versions:

  • 54.0.2840.99
  • 55.0.2883.75

Enhancement 3 of Hotfix 6258

(TT-344921)

This hotfix enables the DLP Endpoint SDK 6.0 Webmail channel to share the exception from Email channel.

Procedure:

To configure the "apply_email_wblist_to_webmail" setting for DLP:

  1. Install this hotfix (see "Installation").
  2. Open the "dlp.ini" file in the "\PCCSRV\Private\"folder on the OfficeScan server.
  3. Under the "Configure" section, manually add the "apply_email_wblist_to_webmail" key and set its value.
  • [Configure]
  • apply_email_wblist_to_webmail=true
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
  3. Click "Save" to deploy the settings to agents". The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder:

apply_email_wblist_to_webmail=true

  1. Restart all OfficeScan agents.

Enhancement 4 of Hotfix 6258

(TT-344921)

This hotfix enables DLP Endpoint SDK 6.0 to support Lotus Notes Webmail with its add-ons installed for Bank of Chengdu.

Procedure:

To configure the "inet_enhanced_dwa_parser"setting for DLP:

  1. Install this hotfix (see "Installation").
  2. Open the "dlp.ini" file in the "\PCCSRV\Private\"folder on the OfficeScan server.
  3. Under the "Configure" section, manually add the "inet_enhanced_dwa_parser" key and set its value.
  • [Configure]
  • inet_enhanced_dwa_parser=true
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
  3. Click "Save" to deploy the settings to agents".
  • The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder:inet_enhanced_dwa_parser=true
  1. Restart all OfficeScan agents.

Issue 1 of Hotfix 6263

(TT-357949)

Automatic agent grouping uses rules defined by Microsoft(TM) Windows(TM) Active Directory (AD) domains. Sometimes, after the OfficeScan server synchronizes AD information from the Windows server, the status of enabled grouping rules shows a "Warning" sign.

Solution:

This hotfix updates the OfficeScan programs to ensure that the enabled grouping rules will not be affected by the synchronized AD information.

Issue 2 of Hotfix 6263

(TT-357004)

In Windows Vista/2008 or later clients, OfficeScan displays an incorrect firewall driver version number. The correct version number is 5.83.1003, but the version number that OfficeScan displays is 5.82.1050.

Solution:

This hotfix ensures that the OfficeScan server references the "tmlwf.sys" and "tmwfp.sys" files to determine the correct version number of the common firewall driver.

Issue 3 of Hotfix 6263

(TT-357915)

While using the "Export Scan Exclusions" button, the "Scan Exclusion List (File Extensions)" function generates a "N/A" message in the exported CSV file when the "Scan Exclusion List (Files)" value is empty. This issue only happens in the "Scan Now" configuration.

Solution:

This hotfix updates the OfficeScan programs to resolve this issue so that users can generate correct information in the CSV file.

Issue 4 of Hotfix 6263

(TT-357769)

OfficeScan leaks encrypted account passwords during web console operations. Unauthorized users could use the leaked encrypted password to log on to the OfficeScan server console.

Solution:

This hotfix updates the OfficeScan server program to ensure that OfficeScan does not leak encrypted passwords.

Issue 5 of Hotfix 6263

(TT-358146)

If users set the default browser to Chrome and click on hyperlinks from other applications, the Chrome page shows a "try to access to an unexpected site "--disable-quic"" message.

Solution:

This hotfix ensures that the Chrome page will not access unexpected "--disable-quic" sites when users click hyperlinks from other applications once they set Chrome as the default browser.

Issue 6 of Hotfix 6263

(TT-356728)

Data Loss Prevention(TM) (DLP) blocks Exodus-jabber applications unexpectedly.

Solution:

This hotfix ensures that Exodus-jabber works normally even when DLP is enabled on the endpoint machines.

Issue 7 of Hotfix 6263

The Qastor application fails because Trend Micro's firewall takes too much time to check the hash of the related executable image. This situation causes a timeout on the application's connection to the server.

Solution:

This hotfix updates the Network Security Components to ensure that Trend Micro's firewall will asynchronously compute the hash value of the executable image that initiated a connection. While the firewall computes the hash, all rules of the Application Filter will be unavailable until the hash value is computed, preventing the system from blocking the application from its connection.

Procedure:

To apply and deploy the solution globally:

  1. Install this hotfix (see "Installation") and wait until the new Network Security Components has been deployed to agents.
  2. Restart the agent computers.
  3. Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
  4. Add "AsyncHash=1" and "ALEPend=1" under the "Global Setting" section.

[Global Setting]

  • AsyncHash=1
  • ALEPend=1
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:

Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\PFW

  • Key: AsyncHash
  • Type: REG_DWORD
  • Value: 1

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmWfp\Parameters

  • Key: ALEPend
  • Type: REG_DWORD
  • Value: 1

Enhancement 1 of Hotfix 6263

(TT-356873)

This hotfix enables users to generate the Secure Sockets Layer (SSL) certificate with SHA256 signature algorithm and 2048-bit public key for the OfficeScan web site which is installed on Microsoft Internet Information Services (IIS) or Apache(TM) HTTP Server through the "SvrSvcSetup.exe" tool.

Procedure:

To generate the SSL certificate with SHA256 signature algorithm and 2048-bit public key for manually renew the IIS SSL certificate:

  1. Install this hotfix (see "Installation").
  2. Log on as administrator, open a command prompt, and navigate to the "\PCCSRV\" directory.
  3. Run the following command: SvrSvcSetup.exe -GenIISCert

A new SSL certificate is generated and is automatically added to the IIS SSL certificate store.

  1. Open the IIS Manager console (inetmgr.exe).
  2. Right-click the OfficeScan web site, and then click "Edit Bindings...".
  3. When the "Site Bindings" window opens, select "https type" and click "Edit...".
  4. Select the newly-created SSL certificate and click "OK". NOTE: Click the "View..." option to view the 2048-bit public key.
  5. Click "Close".

To generate the SSL certificate with SHA256 signature algorithm and 2048-bit public key for manually renew the Apache SSL certificate:

  1. Install this hotfix (see "Installation").
  2. Log on as administrator, open a command prompt, and navigate to the "\PCCSRV\" directory.
  3. Run the following command: SvrSvcSetup.exe -GenApacheCert A new SSL certificate is generated and is automatically added to the Apache SSL certificate store.
  4. Stop the following services:
  • OfficeScan Master Service
  • Apache Service
  1. Start the following services:
  • Apache Service
  • OfficeScan Master Service

Issue 1 of Hotfix 6267

(TT-358436)

OfficeScan can synchronize suspicious objects and retrieve actions against these objects from a Control Manager server. However, an expired suspicious object is still synchronized to OfficeScan that makes false detections on the agent.

Solution:

This hotfix updates the OfficeScan programs to ensure that the expired suspicious objects will not be detected.

Issue 2 of Hotfix 6267

(TT-357701)

The "Agent Management" page of the OfficeScan web console may not display all OfficeScan agents if the domain has a large number of OfficeScan agents.

Solution:

This hotfix resolves the issue by updating the mechanism used by the SQL table containing the OfficeScan agent information.

Issue 3 of Hotfix 6267

(TT-354253)

The OfficeScan 11.0 Service Pack 1 Behavior Monitoring feature may block valid programs without leaving a record of the block action in the detection log.

Solution:

This hotfix updates the OfficeScan Behavior Monitoring program to ensure that it blocks the correct programs.

Issue 1 of Hotfix 6271

(TT-354682)

On x86 platforms, the Aegis module sends Meerkat detection information to the OfficeScan server and displays a pop-up dialog box that allows users to click on the "Allow Once" button. However, even after users clicked on this button, Meerkat still blocks the application.

Solution:

This hotfix updates Meerkat to check the payload of API events to prevent this issue from happening.

Issue 2 of Hotfix 6271

(TT-356152)

The OfficeScan User-Mode Hooking (UMH) function prevents the "java.exe" program from working properly.

Solution:

This hotfix adds "java.exe" onto the OfficeScan UMH whitelist pattern to ensure that the "java.exe" program works properly.

Issue 3 of Hotfix 6271

(TT-357370)

The OfficeScan UMH function prevents the WebISO software from working properly.

Solution:

This hotfix adds the WebISO software into the OfficeScan UMH whitelist pattern to ensure that the WebISO software works properly.

Issue 4 of Hotfix 6271

(TT-358458)

Users may still be able to access web sites that the Trend Micro URL Filtering Engine (TMUFE) failed to rate because of connection issues.

Solution:

This hotfix provides a way for users to configure OfficeScan to automatically block access to web sites if the TMUFE cannot rate the web sites.

Procedure:

To configure OfficeScan to automatically block access to web sites that the TMUFE cannot rate:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\"folder on the OfficeScan server installation directory using a text editor.
  3. Under the "Global Setting" section, manually add the following key and set its value to "1".
  • [Global Setting]
  • URLFilterErrMode=1
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\URLFilter\config
  • Key: ErrMode
  • Type: dword
  • Value: 1

For Microsoft(TM) Windows(TM) 7/8/10 and Windows Server 2008 R2/2012/2016:

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Osprey\Scan\Common\URLFilter\config
  • Key: ErrMode
  • Type: dword
  • Value: 1
  1. Restart the OfficeScan agents.

Issue 1 of Hotfix 6274

(TT-349044)

The detected Virus/Malware information that appears in the OfficeScan web console does not match the information in the Trend Micro Control Manager(TM) console.

Solution:

This hotfix ensures that the OfficeScan server sends the correct Virus/Malware information to Control Manager so that the information in the OfficeScan web console matches the information in the Control Manager console.

Procedure:

To configure OfficeScan to send the accurate information to Control Manager:

  1. Install this hotfix (see "Installation").
  2. Open the "Product.ini" file in the "\PCCSRV\CmAgent" folder on the OfficeScan server installation directory using a text editor.
  3. Under the "Configure" section, manually add the following key and set its value to "1".
  • [Configure]
  • EnableSFCacheTimeout=1
  1. Save the changes and close the file.
  2. Restart the OfficeScan Control Manager Agent.

Issue 2 of Hotfix 6274

(TT-358714)

On the "Agents > Agent Management" section of the OfficeScan web console, when users run an advanced search for OfficeScan agents running with Update Agent "Disabled" status, the search results always display both OfficeScan agents running with Update Agent "Enabled" status and "Disabled" status.

Solution:

This hotfix updates the OfficeScan server program to ensure that when users run an advanced search for OfficeScan agents running with Update Agent "Disabled" status, it displays the correct result.

Issue 3 of Hotfix 6274

(TT-359007)

OfficeScan agents report their antivirus status information to the Microsoft(TM) Windows(TM) Security Center (WSC) when the system starts. However, after the system restarts, WSC displays that the OfficeScan antivirus reports are turned off.

Solution:

This hotfix updates the OfficeScan agent program to resolve this issue.

Issue 4 of Hotfix 6274

(TT-358753)

The OfficeScan NT Listener service ("TmListen.exe") may stop unexpectedly after the OfficeScan agent encounters a mismatch certificate error. When this happens, the agent update is unsuccessful.

Solution:

This hotfix updates the OfficeScan agent program to prevent the "TmListen.exe" from stopping unexpectedly and ensures that the OfficeScan agent can handle the mismatch certificate error properly.

Issue 5 of Hotfix 6274

(TT-359384)

DLP does not block the drag-and-drop of files from current Webmail sites (such as "Outlook.office.com" or "Outlook.live.com) when users use Google Chrome to access these Webmail sites.

Solution:

This hotfix ensures that OfficeScan does not leak sensitive information when users use Google Chrome to access these Webmail sites.

Enhancement 1 of Hotfix 6274

(TT-356199)

This hotfix enables the Data Loss Prevention (DLP) Endpoint SDK 6.0 module to support version 55.0.2883.87 of the Google(TM) Chrome(TM) web browser and version 50.1.0 of the Mozilla(TM) Firefox(TM) web browser.

Enhancement 1 of Hotfix 6277

(TT-354730)

This hotfix enhances the OfficeScan server to support Active Directory subgroups for OfficeScan user accounts.

Procedure:

To enable the new service settings:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcserver.ini" file in the "\PCCSRV\Private" folder on the OfficeScan installation directory.
  3. Under the "INI_AD_INTEGRATION_SECTION" section, manually add the following key and set its value to "1".
  • [INI_AD_INTEGRATION_SECTION]
  • RBAMultilayerInheritanceForADUser=1
  1. Save the changes and close the file.

Issue 1 of Hotfix 6281

An issue related to the AEGIS module of the OfficeScan agent program may cause certain operating systems to stop responding.

Solution:

This hotfix updates the Behavior Monitoring Service module to resolve the issue.

Issue 2 of Hotfix 6281

(TT-359424)

After installing hotfixes on OfficeScan 11.0 Service Pack 1 and activating the OfficeScan Firewall on agents, the Firewall logs display corrupted characters on both the agent console and the OfficeScan server web console.

Solution:

This hotfix updates the OfficeScan Firewall to ensure that the Firewall logs display the correct information on both the agent console and the OfficeScan server web console.

Issue 3 of Hotfix 6281

(TT-355684)

OfficeScan 11.0 Service Pack 1 (SP1) Critical Patch (CP) Build 6054 is unable to use the Sesame mobile application on endpoints.

Solution:

This hotfix ensures that the User-Mode Hooking (UMH) does not hook the "ZWProtectVirtualMemory" API when the "Aclayer.dll" file exists.

Issue 4 of Hotfix 6281

(TT-358910)

Data Loss Prevention(TM) (DLP) does not block large files inside ZIP archives, even if the boundary of the file size exceeds the maximum value.

Solution:

This hotfix ensures that DLP properly blocks large files inside a ZIP archives.

Issue 5 of Hotfix 6281

(TT-358910)

Microsoft Access (.mdb) files cannot be recovered to USB storage from the Data Loss Prevention backup folder.

Solution:

This hotfix ensures that Data Loss Prevention can successfully recover Microsoft Access (.mdb) files.

Issue 6 of Hotfix 6281

(TT-355833)

The Listdeviceinfo tool cannot get information from external devices such as "LaCie Rugged THB USB3 SCSI Disk Device".

Solution:

This hotfix resolves this tool issue.

Issue 1 of Hotfix 6292

(TT-358489)

OfficeScan Behavior Monitoring feature is unable to get the device type correctly when users launch programs by running as administrators (using administrator privileges).

Solution:

This hotfix updates the Behavior Monitoring Service module to resolve this issue.

Issue 2 of Hotfix 6292

(TT-359534)

An initialized issue related to the OfficeScan Control Manager Agent service ("OfcCMAgent.exe") may cause the OfcCMAgent.exe to stop unexpectedly.

Solution:

This hotfix updates the OfficeScan Control Manager Agent program to prevent from this issue.

Issue 3 of Hotfix 6292

(TT-356903)

A signature verification issue related to the AEGIS module of the OfficeScan agent program may cause certain operating systems to stop unexpectedly.

Solution:

This hotfix updates the Behavior Monitoring Service module to resolve the issue.

Issue 4 of Hotfix 6292

Reported Issue from CP B6285

After installing OfficeScan Service Pack 1 (SP1) Patch 1, the OfficeScan Smart Scan Pattern cannot be updated.

Solution:

Solutions for Issue reported from CP B6285

This critical patch updates the ActiveUpdate module to resolve the issue.

Enhancement 1 of Hotfix 6292

(TT-360032)

This hotfix enables the Data Loss Prevention(TM) (DLP) Endpoint SDK 6.0 module to support the following Google(TM) Chrome(TM) versions:

  • Chrome 55.0.2883.87
  • Chrome 56.0.2924.87

Enhancement 2 of Hotfix 6292

(TT-357707)

This hotfix enables the Address Space Layout Randomization (ASLR) of Data Loss Prevention (DLP) Endpoint SDK 6.0 for DLL injection.

Issue 1 of Hotfix 6299

(TT-359477)

The OfficeScan User Mode Hooking (UMH) function may cause the "mkdir.exe" program to stop unexpectedly.

Solution:

This hotfix updates the OfficeScan User Mode Hooking module to resolve this issue.

Issue 2 of Hotfix 6299

(TT-357853)

When the "Protect documents against unauthorized encryption or modification" feature of Ransomware Protection is enabled, the OfficeScan agent may prevent a valid program from running if the size of the program file is too large.

Solution:

This hotfix updates the OfficeScan agent program to resolve this issue.

Issue 3 of Hotfix 6299

(TT-360097)

The Server Tuner tool optimizes the performance of the OfficeScan server. However, its Maximum Client Connections setting does not work.

Solution:

This hotfix updates the OfficeScan server program to ensure that the tool's Maximum Client Connections setting works normally.

Issue 4 of Hotfix 6299

(TT-359331)

The OfficeScan Behavior Monitoring program ("TMBMSRV.exe") crashes when the "MeerkatSkipUNC" option is enabled.

Solution:

This hotfix updates the OfficeScan Behavior Monitoring program to correct this issue.

Issue 5 of Hotfix 6299

(TT-359521)

When users upload files from the SMB folder to the internal website and iDLP is enabled, the upload may be interrupted intermittently.

Solution:

This hotfix enables iDLP to check if a file is from SMB before it attempts to access the file information. If the source file is an SMB file, iDLP will then Impersonate to download the file.

Issue 6 of Hotfix 6299

(TT-357721)

The library license of the third-party application Dymola conflicts with DLP.

Solution:

This hotfix adds "dymola.exe" and "license_check.exe" to the approved list to remove the conflict.

Issue 7 of Hotfix 6299

(TT-359522)

When OfficeScan parses the contents of a policy that it receives from Control Manager, some space characters may be removed from the policy which changes certain settings when applied to OfficeScan.

Solution:

This hotfix ensures that OfficeScan can parse and apply Control Manager policies properly.

Issue 1 of Hotfix 6300

OfficeScan leaks encrypted account passwords during web console operations. Unauthorized users could use the leaked encrypted password to log on to the OfficeScan server console.

Solution:

This hotfix ensures that OfficeScan does not leak encrypted passwords.

Issue 1 of Hotfix 6302

(SEG-1587)

The "Quarantine malware variants detected in memory" feature needs to be enabled before the Memory Inspection Pattern (MIP) can be updated on OfficeScan agents.

Solution:

This hotfix updates the OfficeScan agent program to resolve this issue.

Issue 2 of Hotfix 6302

(SEG-1781)

Sometimes, the value of the "SourceUUID" setting in the "Ofcserver.ini" file is overwritten which prevents OfficeScan from updating the suspicious object list.

Solution:

This hotfix ensures that the "SourceUUID" setting is not overwritten unexpectedly.

Issue 3 of Hotfix 6302

(SEG-2639)

Sometimes, OfficeScan does not create system dump files when an exception error occurs.

Solution:

This hotfix ensures that OfficeScan catches exception system codes and creates the corresponding system dump files when it encounters these codes.

Issue 1 of Hotfix 6306

(TT-359200)

The "TMBMSRV.exe" process stops responding when debug log is enabled.

Solution:

This hotfix resolves the issue by ensuring that the debug log output function receives the correct information.

Issue 2 of Hotfix 6306

(SEG-2785)

Blue screen of death (BSOD) occurs when the OfficeScan agent AEGIS module runs simultaneously with an encryption software.

Solution:

This hotfix enables the AEGIS module of OfficeScan agents to work normally with encryption software.

Issue 1 of Hotfix 6308

(SEG-1474)

The Agent Connectivity widget displays inaccurate total number of connected clients for each Smart Protection Server information.

Solution:

This hotfix updates the OfficeScan server program to ensure that the Agent Connectivity widget displays accurate information.

Enhancement 1 of Hotfix 6310

(SEG-3508)

The OfficeScan server automatically notifies an OfficeScan client to change its GUID after it determines that there is a duplicate GUID. However, the OfficeScan server does not generate an event log if it cannot notify the client for some reason. This hotfix provides a way for users to enable the OfficeScan server if it cannot notify an OfficeScan client to change its GUID.

Procedure:

To enable the OfficeScan server to generate an event log if it cannot notify an OfficeScan client to change its GUID when it detects duplicate GUIDs:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\"folder on the OfficeScan server installation directory using a text editor.
  3. Under the "INI_SERVER_SECTION" section, locate the following key and set its value to "1".
  • [INI_SERVER_SECTION]
  • Event_Log_Flag=1
  1. Save the changes and close the file.
  2. Restart the OfficeScan Master Service.

Issue 1 of Hotfix 6313

(SEG-2354)

When users set the firewall exception rule to a single IP, the IP address does not appear on the OfficeScan agent console.

Solution:

This hotfix ensures that the IP address appears on the OfficeScan agent console.

Issue 2 of Hotfix 6313

(SEG-3487)

It takes a long time to export the scan exclusion list from the OfficeScan web console.

Solution:

This hotfix improves the export function to enable OfficeScan to export the scan exclusion list faster.

Issue 3 of Hotfix 6313

(SEG-1442)

A Microsoft Windows Security audit failure by "tmevtmgr.sys" appears in the Windows system event log.

Solution:

This hotfix resolves the issue by enabling the build option in the AEGIS driver to include a "path hash".

Issue 4 of Hotfix 6313

(SEG-3616)

When an OfficeScan agent downloads a file that does not have a valid digital signature, the file path information in the corresponding system event log will be truncated on the OfficeScan web console.

Solution:

This hotfix ensures that system event logs display the complete file path information on the OfficeScan web console.

Enhancement 1 of Hotfix 6313

(SEG-3016)

This hotfix enables Data Loss Prevention Endpoint SDK 6.0 starts to support the following Google Chrome versions:

  • Google Chrome(TM) 57.0.2987.98
  • Google Chrome 57.0.2987.110

Issue 1 of Hotfix 6314

(SEG-1991), (SEG-2660)

After users install hotfixes on OfficeScan 11.0 Service Pack 1 and activate the OfficeScan Firewall on agents running Windows XP, the Firewall service encounters network access issues.

Solution:

This hotfix updates the OfficeScan Firewall to resolve the network access issues.

Procedure:

Restart the endpoint to update the Common Firewall module of OfficeScan agents.

Enhancement 1 of Hotfix 6315

(TT-350467)

This hotfix enables the Behavior Monitoring approved list to support the asterisk (*) and question mark (?) wildcard characters in program path names and file names.

Issue 1 of Hotfix 6317

(SEG-3533), (SEG-2785), (SEG-3668)

Blue screen of death (BSOD) occurs when the OfficeScan agent AEGIS module runs simultaneously with an encryption software.

Solution:

This hotfix enables the AEGIS module of OfficeScan agents to work normally with encryption software.

Issue 1 of Hotfix 6325

(SEG-1715)

It takes a long time for the Windows Disk Manager to start when OfficeScan's Ravage Scan feature is enabled.

Solution:

This hotfix enables users to configure the OfficeScan Ravage Scan feature to skip a specific virtual hard disk to allow the Disk Manager to start normally.

Procedure:

To enable the Ravage Scan feature to skip a specific virtual hard disk:

  1. Install this hotfix (see "Installation").
  2. Open the Registry Editor.
  3. Add the following key:
  • Path: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmactmon\Parameters]
  • Type:dword
  • Key: SkipVirtualHarddisk
  • Data Value:00000001
  1. Restart the OfficeScan client computer.

Issue 2 of Hotfix 6325

(SEG-2673)

PccNT.exe stops unexpectedly because the following agent registry contains a value that is larger than the maximum supported value.

  • Path: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]
  • Type: dword:7fffffff
  • Key: TotalScanned

Solution:

This hotfix updates the "fcWofieUI.dll" (for 32-bit) and "fcWofieUI_64x.dll" (for 64-bit) OfficeScan agent files to solve this issue.

Issue 3 of Hotfix 6325

(TT-359608)

Users cannot run a manual sync on the "Suspicious Object List Setting" page when the "Enable Suspicious URL list" option is disabled.

Solution:

This hotfix ensures that manual sync can complete successfully when the "Enable Suspicious URL list" option is disabled.

Issue 4 of Hotfix 6325

(SEG-3289)

The error-handling mechanism of POP3 and SMTP scans may attempt to access tmp files which can trigger the TmListen service to stop unexpectedly.

Solution:

This hotfix resolves the issue by ensuring that the error-handling mechanism accesses only valid local file paths.

Issue 1 of Hotfix 6331

(VRTS-615), (VRTS-393), (VRTS-283)

Reported Issues from CP B6325

  • Issue 1: When the Web Reputation Service (WRS) of the OfficeScan agent program blocks access to a certain webpage, it displays the "Website blocked by Trend Micro OfficeScan" alert page instead. This alert page may be affected by XSS vulnerabilities.
  • Issue 2: Encrypted account passwords may leak out during web console operations. Unauthorized users could use the leaked encrypted password to log on to the OfficeScan server console.

Reported Enhancements from CP B6325

  • Enhancement 1: This critical patch updates the OfficeScan agent program to improve its self-protection mechanism to protect against a local attacker to inject malicious code.

Solution:

Solutions for Issues reported from CP B6325

  • Solution 1: This critical patch updates the OfficeScan agent program to resolve the XSS vulnerabilities.
  • Solution 2: This critical patch ensures that encrypted passwords are secure during web console operations.

Issue 2 of Hotfix 6331

(TT-358992)

Users cannot access the "Advanced Search" web page from the "Firewall Profile Settings" page of the OfficeScan web console.

Solution:

This hotfix updates the OfficeScan server program files to ensure that users can access the "Advanced Search" web page from the "Firewall Profile Settings" page.

Issue 3 of Hotfix 6331

(SEG-1891)

The DLP module may not work normally while other programs are uploading files to the Internet.

Solution:

This hotfix ensures that the DLP module works normally when other programs are to uploading files to the Internet.

Issue 1 of Hotfix 6342

(SEG-3345)

The OfficeScan agent blocks a program that has been downloaded from an email message or through HTTP even when the program is in the approved list.

Solution:

This hotfix ensures that OfficeScan agents block the correct programs.

Issue 2 of Hotfix 6342

(SEG-2468)

The OfficeScan web console takes longer than usual to load because of a large number of DB_FLUSH commands.

Solution:

This hotfix minimizes the number of DB_FLUSH commands to ensure that the OfficeScan web console loads normally.

Issue 3 of Hotfix 6342

(SEG-3919)

When enabling the OfficeScan debug log, clicking on the "Save" button twice overwrites the specified debug log path in the "ofcdebug.ini" file. When this happens, debug logs are saved in another location.

Solution:

This hotfix enables OfficeScan to always use the default log path if only the log name is set on the web console.

Issue 4 of Hotfix 6342

(SEG-2232)

Duplicate DLP violation logs are generated when users attempt to print a PDF file that contains sensitive information in Adobe(TM) Reader.

Solution:

This hotfix applies the App White Cache mechanism according to process name to enable DLP to treat multiple print operations from "AcroRd32.exe" that occur within a one second period as one event. This helps prevent duplicate violation logs.

Issue 1 of Hotfix 6348

(SEG-3931)

When DLP detects that sensitive information was sent through an email message in "outlook.com", the OfficeScan agent generates a blank "Activity/Channel" log.

Solution:

This hotfix resolves this issue by updating the OfficeScan agent.

Enhancement 1 of Hotfix 6348

(SEG-5361)

This hotfix enables DLP Endpoint SDK 6.0 to support Chrome 58.0.3029.81.

Enhancement 2 of Hotfix 6348

(SEG-5633)

This hotfix provides a way to configure the AEGIS module in OfficeScan clients to skip Virtual Disks during scans.

Procedure:

To configure the AEGIS module to skip Virtual Disks during scans:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\"folder of the OfficeScan server.
  3. Under the "Global Setting" section, manually add the following key and set its value to "1".
  • [Global Setting]
  • SkipVirtualHarddisk=1
  1. Save the changes and close the file.
  2. Open the OfficeScan server management console and click "Agents > Global Agent Settings" on the main menu to access the "Global Agent Settings" page.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to agents and adds the following registry entry on all agent computers:
  • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmactmon\Parameters
  • Key: SkipVirtualHarddisk
  • Type: dword
  • Value: 1

Enhancement 3 of Hotfix 6348

(SEG-3575)

If it detects a suspicious POP3 mail message, it will be possible to set not to send notification from OfficeScan client.

Procedure:

To stop sending suspicious POP3 mail messages from OfficeScan clients, please follow the steps below.

  1. Install this HotFix (see "4.1 Installation procedure").
  2. Open the "ofcscan.ini" file in the "PCCSRV" folder in the OfficeScan server installation folder.
  3. Add the "Enable Disclaimer" key to the [Global Setting] section and set the value to "0".
  • [Global Setting]
  • EnableDisclaimer = 0

NOTE: To send a mail notification that added a disk reamer, set the value to "1".

  1. Save the changes and close the file.
  2. Open the OfficeScan Web console and select Clients> Global Client Settings.
  3. Click Save to distribute the settings to the client. The OfficeScan client program automatically sets the following registry key:
  • Key name: HKEY_LOCAL_MACHINE \ SOFTWARE \ TrendMicro \ Osprey \ Scan \ Common \
  • MailManager \ config
  • Name: EnableDisclaimer
  • Type: dword
  • Data: 0
  1. Restart the OfficeScan client.

Issue 1 of Hotfix 6350

(SEG-5041)

The operating system version of registered OfficeScan servers installed on Windows Server 2012 R2 appears as "6.2 (build 9200)" instead of "6.3 (build 9600)" on the Control Manager web console.

Solution:

This hotfix resolves this issue by ensuring that OfficeScan servers installed on Windows Server 2012 R2 register to the Control Manager server using operating system version "6.3 (build 9600)".

Issue 1 of Hotfix 6351

(SEG-6181)

OfficeScan agents running Data Loss Prevention(TM) (DLP) may experience a Blue Screen of Death (BSoD) when accessing files in shared (SMB) folders.

Solution:

This hotfix resolves the BSoD issue when accessing files in shared (SMB) folders.

Issue 1 of Critical Patch 6355

Repack 1 update: (June 30 2017)

Trend Micro Common Module may trigger a (BSOD) when the OfficeScan agent attempts to parse the service name list of a Windows kernel device in the device tree.

NOTE: This fix is included in Hotfix build 6390 and higher

Solution:

Repack 1 update:

This critical patch updates the Trend Micro Common Module to prevent a blue screen of death (BSOD) when the OfficeScan agent attempts to parse the service name list of a Windows kernel device in the device tree.

Enhancement 1 of Critical Patch 6355

(SEG-6313)

This critical patch enables the OfficeScan agent program to support Windows 10 Creators Update RS2.

Issue 1 of Hotfix 6369

(TT-360007)

The OfficeScan Web Reputation feature blocks normal access to websites if the endpoint also has the Symantec Data Loss Prevention application running.

Solution:

This hotfix updates the OfficeScan agent module to ensure that the OfficeScan Web Reputation feature does not conflict with the Symantec Data Loss Prevention application.

Issue 1 of Hotfix 6371

(SEG-4799)

The OfficeScan Behavior Monitoring feature may cause certain computers to lock up intermittently when TMEAC is installed.

Solution:

This hotfix updates the Behavior Monitoring Service module to resolve the issue.

Issue 1 of Hotfix 6373

(SEG-3443)

When the OfficeScan agent connects to SSL-VPN and the MAC address field is empty, the OfficeScan agent will attempt to resolve the IP and MAC addresses repeatedly but the SSL-VPN IP address still does not appear in the network cards list on the agent console.

Solution:

This hotfix updates the OfficeScan agent program to prevent it from attempting to resolve the IP and MAC addresses when the MAC address field is empty. It also helps ensure that the IP address appears on the OfficeScan agent console.

Issue 2 of Hotfix 6373

(SEG-5477)

The OfficeScan agent does not successfully upgrade even after applying new hotfix files.

Solution:

This hotfix resolves the OfficeScan agent upgrade issue.

Issue 3 of Hotfix 6373

(SEG-6873)

The administrator cannot register USB information that includes the pound sign (#) or "and" sign (&) in the Data Loss Prevention (DLP) exception list.

Solution:

This hotfix resolves this issue.

Issue 1 of Hotfix 6383

(TT-359895)

The OfficeScan server cannot check the signature on a Control Manager policy if the policy settings contain non-ASCII characters.

Solution:

This hotfix enables the OfficeScan server to handle non-ASCII strings in Control Manager policies to ensure that the server can check the signature of these policies.

Issue 2 of Hotfix 6383

(SEG-6323)

Enabling the NT RealTime Scan causes OfficeScan agents to freeze. This issue occurs because OpenSSL uses the AES-NI instruction set, which is not supported by some CPU types.

Solution:

This hotfix resolves this issue by updating the OpenSSL component.

Issue 3 of Hotfix 6383

(SEG-6391)

The Microsoft(TM) Internet Explorer(TM) browser does not interpret double-byte strings correctly. Thus, user accounts do not display correctly.

Solution:

This hotfix adds a function to determine whether a string contains double-byte characters, which resolves this issue.

Issue 4 of Hotfix 6383

(SEG-6528)

The OfficeScan agent console ("Pccnt.exe") may stop unexpectedly if the "Unauthorized Change Prevention Service" is enabled. When this happens, it will affect the performance of the endpoint.

Solution:

This hotfix updates the OfficeScan agent program to prevent "Pccnt.exe" from stopping unexpectedly and ensures that the OfficeScan agent can work properly without affecting the performance of the endpoint.

Issue 5 of Hotfix 6383

(SEG-7273)

On computers running on the Microsoft Windows(TM) 10 platform, the Data Loss Prevention(TM) (DLP) network filter driver is installed with the Transport Driver Interface (TDI) network filter driver.

Solution:

This hotfix updates the operating system version determination mechanism to ensure that the correct driver is installed. This hotfix also provides a Windows Filtering Platform (Windows) driver replacement mechanism that replaces the TDI driver with the correct driver.

Enhancement 1 of Hotfix 6383

(SEG-8017)

This hotfix enables Data Loss Prevention Endpoint SDK 6.0 to support Google(TM) Chrome version 59.0.3071.86.

Issue 1 of Hotfix 6390

(SEG-7214), (SEG-8297)

A blue screen of death (BSOD) occurs when the Trend Micro Common Module (tmcomm.sys) attempts to parse the service name list of a Windows kernel device in the device tree.

Solution:

This hotfix updates the Trend Micro Common Module on OfficeScan agents to resolve this issue.

Issue 1 of Hotfix 6396

(SEG-7541)

OfficeScan agents installed on Windows 10 platforms may cause the endpoint to freeze or become unresponsive when both Windows Defender and the OfficeScan agent are running at the same time.

Solution:

This hotfix updates compatibility support to prevent the system from freezing by disabling Windows Defender when the OfficeScan Agent loads.

Issue 2 of Hotfix 6396

(SEG-7585)

The OfficeScan agent does not successfully update specific pattern files when the OfficeScan server and client have different build versions.

Solution:

This hotfix resolves the issue concerning OfficeScan agents not successfully updating specific pattern files.

Issue 3 of Hotfix 6396

(SEG-6421)

Windows Defender is not disabled automatically after the OfficeScan agent is installed on a Windows 2016 server computer.

Solution:

This hotfix ensures that Windows Defender is disabled automatically after the OfficeScan agent is installed on a Windows 2016 server computer and the computer restarts.

Issue 4 of Hotfix 6396

(SEG-8356)

The Virus Scan Engine (VSAPI) fails to roll back on a Microsoft(TM) Windows(TM) 10 platform.

Solution:

This hotfix updates the OfficeScan agent program to ensure that VSAPI can roll back successfully on a Windows 10 platform.

Issue 5 of Hotfix 6396

(SEG-7747)

The OfficeScan Master Service stops unexpectedly while receiving a huge amount of policy information from Control Manager which triggers OfficeScan to generate a large number of dump files under the "PCCSRV\Web\Service" folder.

Solution:

This hotfix enables the OfficeScan Master Service to handle a huge amount of policy information from Control Manager.

Issue 6 of Hotfix 6396

(TT-354095)

The firewall details page of the OfficeScan client console does not refresh automatically after the security level setting changes.

Solution:

This hotfix is to show a message to prompt to close all windows of the OfficeScan client console and reopen the console in order to refresh the UI.

Issue 7 of Hotfix 6396

(TT-357507)

The Windows Event Log generates too many messages.

Solution:

This hotfix enables OfficeScan to extend the cache time to 12 hours.

Issue 8 of Hotfix 6396

(TT-355701)

An initialized issue related to the OfficeScan Control Manager Agent service ("OfcCMAgent.exe") may cause the OfcCMAgent.exe to stop unexpectedly.

Solution:

This hotfix updates the OfficeScan Control Manager Agent program to prevent from this issue.

Issue 9 of Hotfix 6396

(TT-357054)

When there are hotfix updates, the OfficeScan server checks all client components and prompts all clients with old hotfix versions to apply the updates including those where the No Program Upgrade option is enabled. This triggers a large number of unnecessary client notifications.

Solution:

This hotfix ensures that the OfficeScan server does not notify a client of hotfix updates if the No Program Upgrade option is enabled in the client.

Issue 10 of Hotfix 6396

(TT-358532)

When an unreachable OfficeScan agent reports its onstart status to the OfficeScan server, the server does not automatically set the updateflag for the agent. As a result, the agent will not receive updates until after a file change event on the OfficeScan server.

Solution:

This hotfix enables the OfficeScan server to set the updateflag of unreachable OfficeScan agents automatically once it receives the onstart status of the agents.

Issue 11 of Hotfix 6396

(SEG-2143)

Exported CSV files that contain agent information do not differentiate between Windows platforms from Windows Embedded platforms.

Solution:

This hotfix ensures that exported CSV files specifies if an agent runs on a Windows platform or a Windows Embedded platform.

Issue 12 of Hotfix 6396

(SEG-2745)

The Vulnerability Scanner may attempt to access an invalid file path which triggers blue screen of death (BSOD) on computers running Microsoft Windows Vista(TM) or any version released after it, for example, Windows Server 2008 and later versions.

Solution:

This hotfix updates the Vulnerability Scanner to prevent it from attempting to access invalid file paths.

Issue 13 of Hotfix 6396

(SEG-9011)

Sometimes, the Behavior Monitoring Service module of OfficeScan 11.0 Service Pack 1 agents may conflict with the Schwab application which can trigger the Schwab application to stop unexpectedly.

Solution:

This hotfix updates the Behavior Monitoring Service module and provides a way for users to configure OfficeScan to ensure that the Schwab application works properly.

Procedure:

To apply and deploy the solution globally:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
  3. Under the "Global Setting" section, manually add the "SkipKernelExceptionEvent" key and set its value to "1".
  • [Global Setting]
  • SkipKernelExceptionEvent=1
  • NOTE: To disable the feature, set "SkipKernelExceptionEvent=0".
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entries on all OfficeScan agent computers:  
  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS
  • Key: SkipKernelExceptionEvent
  • Type: REG_DWORD
  • Value: 1
  1. Restart the OfficeScan agents.

Enhancement 1 of Hotfix 6396

(TT-358603)

This hotfix improves the checking mechanism of the OfficeScan agent program to protect the Smart Scan Agent Pattern and Virus Pattern files in endpoints from corruption.

Enhancement 2 of Hotfix 6396

(TT-356627)

This hotfix adds an assessment mode for ransomware. In assessment mode, OfficeScan will not terminate the suspected ransomware process but creates a log for it.

Procedure:

To enable assessment mode:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
  3. Under the "Global Setting" section, manually add the following keys and set each to "1".
  • [Global Setting]
  • EnableADCAssessMode=1
  • Value:

    • 0 = OfficeScan does not support ransomware assessment mode
    • 1 = OfficeScan supports ransomware assessment mode
  • EnableADCAssessModeNotification=1
  • Value:
    • 0 = no popup notification in the system tray icon
    • 1 = a popup notification appears in the system tray icon
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to clients.
  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS
  • Key: EnableADCAssessMode
  • Type: DWORD
  • Value:

    • 0 = OfficeScan does not support ransomware assessment mode
    • 1 = OfficeScan supports ransomware assessment mode
  • Key: EnableADCAssessModeNotification
  • Type: DWORD *Value:
    • 0 = does not have popup notification in system tray icon
    • 1 = have popup notification in system tray icon

Issue 1 of Hotfix 6404

(VRTS-392)

An issue related to the DLP file system driver may cause an RWX vulnerability in web browsers.

Solution:

This hotfix updates DLP Endpoint SDK 6.0 to resolve the vulnerability.

Issue 2 of Hotfix 6404

(SEG-9560)

It takes a long time to copy files using the RDP clipboard when DLP is enabled.

Solution:

This hotfix resolves the issue by adding the RDP process "mstsc.exe" into the approved list.

Issue 1 of Hotfix 6410

(VRTS-1012)

Remote unauthenticated attackers may be able to query NT domains through the OfficeScan XG "cgiGetNTDomain.exe" process.

Solution:

This removes the vulnerability.

Issue 2 of Hotfix 6410

(VRTS-1022)

A vulnerability may allow a remote unauthenticated attacker to send CGI requests to run "cgiRqUpd.exe" on the OfficeScan server and trigger "cgiRqUpd.exe" to stop unexpectedly. When this happens, a large number of dump files are generated which can eventually take up a large portion of disk space.

Solution:

This hotfix resolves the vulnerability.

Issue 3 of Hotfix 6410

(SEG-10228)

In Windows 2016 server, the Windows Defender service does not stop when the OfficeScan agent is installed or when the latest hotfix is installed on the existing OfficeScan agent.

Solution:

This hotfix ensures that the Windows Defender service stops automatically after the OfficeScan client is installed or updated with the latest hotfix.

NOTE: You need to restart the computer after applying this hotfix.

Issue 1 of Hotfix 6415

(VRTS-1115)

Web server details gathered from the banner may allow attackers to search and launch automated attacks from commonly-found web sites which may lead to website defacement or denial of service.

Solution:

This hotfix resolves the vulnerability.

Issue 2 of Hotfix 6415

(SEG-4529)

When users enable the "ViewLogonName" parameter in "ofcscan.ini", either a user name or "system" should appear on the "logon user name" in virus logs. However, the field remains blank, sometimes.

Solution:

This hotfix updates the OfficeScan agent program to ensure that the "logon user name" field in virus logs always displays the correct information.

Enhancement 1 of Hotfix 6415

(SEG-8981)

This hotfix provides an option to enable OfficeScan agents to check the connection to the Smart Protection Network regularly and to update the status icons on the web console accordingly.

Procedure:

To enable the feature on the OfficeScan server and to automatically deploy the setting to all OfficeScan agents:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
  3. Add the following key under the "Global Setting" section and set its value to "1".
  • [Global Setting]
  • ChkGlobalWCS=1
  • NOTE: To disable the connection checking, set "ChkGlobalWCS=0".
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to all clients.
  4. Restart the OfficeScan client.
  • The OfficeScan agent program automatically installs the following registry key:
  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\iURL Scan.
  • Key: ChkGlobalWCS
  • Type: REG_DWORD
  • Value: 1

Issue 1 of Hotfix 6421

(SEG-10688)

If you click on the "Update" button on the agent console while the TmListener service is stopped, the page returns an "Component update is complete" message.

Solution:

This hotfix enables OfficeScan to disable the "Update" button automatically when the TmListener service stops and to display a tooltip when the mouse pointer hovers over the button.

Issue 2 of Hotfix 6421

(SEG-10651)

If a newly-installed OfficeScan agent cannot connect to the OfficeScan server within a specific time period, the agent cannot report that it is online and does not appear on the OfficeScan web console.

Solution:

This hotfix provides a way for users to extend the connection time to prevent this issue from occurring.

Procedure:

To apply and deploy the solution globally:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
  3. Under the "Global Setting" section, manually add the following keys and set the preferred value for each.
  • [Global Setting]
  • EnableCheckHostLoadHttpTimeoutSecond=1
  • NOTE: To disable the feature, set "EnableCheckHostLoadHttpTimeoutSecond=0".
  • LoadHttpTimeoutSecond=30
  • NOTE: You can set the timeout value to 30, 60, 90, or 180 seconds based on your needs.
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entries on all OfficeScan agent computers:
  • Path:

    • for x64 platform:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion
    • for x86 platform:HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\
  • Key: EnableCheckHostLoadHttpTimeoutSecond
  • Type: REG_DWORD
  • Value: 1
  • Key: LoadHttpTimeoutSecond
  • Type: REG_DWORD
  • Value: 30
  1. Restart the OfficeScan agents.
  • NOTE: If OfficeScan agents does not receive the setting from the OfficeScan server, please consider updating OfficeScan agents using Client Packager Installation or the AutoPCC utility.

Issue 3 of Hotfix 6421

(SEG-6917)

The following OfficeScan 11.0 Service Pack 1 hotfixes are affected by an issue related to the OfficeScan Firewall module which may cause the Firewall service to encounter network access issues.

  • Hotfix 6277
  • Hotfix 6281
  • Hotfix 6292

Solution:

This hotfix updates the OfficeScan Firewall to resolve the network access issues.

NOTE: You must restart the endpoint after applying this hotfix to update the Common Firewall module on affected OfficeScan agents.

Issue 4 of Hotfix 6421

(SEG-11074)

The Windows Security Center cannot recognize if the OfficeScan Antivirus is enabled when there is no antispyware license.

Solution:

This hotfix updates the OfficeScan agent program to help ensure that the Windows Security Center can determine whether the OfficeScan Antivirus is enabled or not.

Issue 5 of Hotfix 6421

(SEG-8988)

The OfficeScan Behavior Monitoring feature may prevent users from renaming folders on network drives.

Solution:

This hotfix updates the Behavior Monitoring module to resolve the issue.

Procedure:

To apply and deploy the solution globally:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\" folder in the OfficeScan server installation directory.
  3. Under the "Global Setting" section, manually add the "SkipDfsClient" key and set its value to "1".
  • [Global Setting]
  • SkipDfsClient=1
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
  • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmactmon\Parameters
  • Key: SkipDfsClient
  • Type: DWORD
  • Value: 1

Issue 6 of Hotfix 6421

(SEG-10066)

An issue related to the OfficeScan Behavior Monitoring feature may cause the memory usage to increase unexpectedly on OfficeScan client computers.

Solution:

This hotfix updates the Behavior Monitoring module to resolve the issue.

Enhancement 1 of Hotfix 6421

(SEG-1689)

This hotfix provides a way for users to configure OfficeScan agents to automatically disconnect an established connection and to re-establish a connection when the OfficeScan server triggers a network isolation function. Users can move OfficeScan agents to specific domains that are defined to apply network isolation.

Procedure:

To enable the new service settings:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
  3. Under the "Global Setting" section, manually add the following keys and set values.
  • [Global Setting]
  • PFWPolicyWithConnectionReset=1
  • Value:

    • 0 = OfficeScan does not support network isolation
    • 1 = OfficeScan supports network isolation
  • PFWPolicyWithConnectionResetDomainList=Domain_Name
  • For example: Workgroup, Domain1
  • Provide a domain name or domain list use for network isolation.
  • PFWPolicyWithConnectionResetDurationInSec=30
  • Value:

    • 0 = Disable connection reset (default value)
    • 30 = Rest connection in 30 seconds
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to clients.
  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
  • Key: PFWPolicyWithConnectionReset
  • Type: DWORD
  • Value:

    • 0 = OfficeScan does not support network isolation
    • 1 = OfficeScan supports network isolation
  • Key: PFWPolicyWithConnectionResetDomainList
  • Type: String
  • Value: Domain_name set by user
  • Example: Workgroup, Domain1
  • Key: PFWPolicyWithConnectionResetDurationInSec
  • Type: DWORD
  • Value:

    • 0 = Disable connection reset
    • 30 = Rest connection in 30 seconds

Enhancement 2 of Hotfix 6421

(SEG-7553)

This hotfix provides an option to configure the interval in which the OfficeScan agent sends Spyware logs to the server.

Procedure:

To enable the feature on the OfficeScan server and to automatically deploy the setting to all OfficeScan agents:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\" folder in the OfficeScan installation directory.
  3. Add the following key under the "Global Setting" section and set the value ("X") to the number of minutes that the OfficeScan agent sends logs.
  • [Global Setting]
  • SpywareSendLogPeriod=X (for example 45)
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to all agents.
  4. The OfficeScan agent program automatically installs the following registry key:
  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ PC-cillinNTCorp\CurrentVersion\Misc.
  • Key: SpywareSendLogPeriod
  • Type: REG_DWORD
  • Value: 2D
  1. Restart the OfficeScan agents.

Enhancement 3 of Hotfix 6421

(SEG-10953), (SEG-11404)

This hotfix enables Data Loss Prevention Endpoint SDK 6.0 starts to support the following Google Chrome versions:

  • Google Chrome version 60.0.3112.78
  • Google Chrome version 60.0.3112.90

Issue 1 of Critical Patch 6426

(VRTS-986)

A vulnerability may allow a attacker to download the specific file from the OfficeScan server through HTTP requests.

Solution:

This Critical Patch resolves the vulnerability.

Issue 2 of Critical Patch 6426

(VRTS-989)

A PHP file in OfficeScan 11 may be vulnerable to an MITM/RCE vulnerability.

Solution:

This Critical Patch resolves the potential vulnerability.

Issue 3 of Critical Patch 6426

(VRTS-1012)

An attacker may be able to query NT domains through the OfficeScan 11 process.

Solution:

This removes the vulnerability.

Issue 4 of Critical Patch 6426

(VRTS-1018)

A vulnerability may allow remote attackers to query PHP information while the specific php file runs.

Solution:

This Critical Patch secures the information in specific php file.

Issue 5 of Critical Patch 6426

(VRTS-1022)

A vulnerability may allow a attacker to send CGI requests to run and stop the OfficeScan 11 process unexpectedly.

Solution:

This Critical Patch resolves the vulnerability.

Issue 6 of Critical Patch 6426

(VRTS-1052)

A vulnerability may allow a attacker to stop the OfficeScan 11 process unexpectedly by forcing the specific parameter to exceed that limit.

Solution:

This Critical Patch resolves the vulnerability.

Issue 1 of Hotfix 6429

(SEG-7697)

The Trend Micro iCRC Common Module cannot perform an SSL handshake with Smart Protection Server on endpoints running Windows Server 2003 using TLS 1.2 after applying OpenSSL 1.0.2.

Solution:

This hotfix updates the Trend Micro iCRC Common Module and provides a way for users to enable the Trend Micro iCRC Common Module to communicate with Smart Protection Server using TLS 1.0.

Procedure:

To apply and deploy the solution globally:

  1. Open the "ICRCHdler.ini" file in the "\PCCSRV\Pccnt" folder on the OfficeScan server installation directory.
  2. Under the "Default" section, manually add the following key and set its value to "4".
  • [Default]
  • SSLVersion=4
  1. Save the changes and close the file.
  2. Install this hotfix (see "Installation").
  3. After upgrading the agent program, the OfficeScan server adds the following entries on all OfficeScan agent computers:
  • Path: The OfficeScan agent installation directory.
  • File: ICRCHdler.ini
  • Key: SSLVersion=4

Issue 2 of Hotfix 6429

(SEG-10748)

The error message that appears when a user provides a user name or password with an invalid character for proxy authentication does not accurately describe the issue.

Solution:

This hotfix updates the error message to inform users that the provided proxy setting user name or password contains an invalid character.

Issue 3 of Hotfix 6429

(SEG-10844)

When configured, the OfficeScan Agent displays the following scan pop-up dialog box when users connect to a removable storage device. "A USB storage device was plugged in to the computer. Do you want Trend Micro OfficeScan to scan the device for security risks?"

Solution:

This hotfix updates the scan pop-up dialog box to display the following message. "A removable storage device was plugged in to the computer. Do you want Trend Micro OfficeScan to scan the device for security risks?"

Issue 4 of Hotfix 6429

(SEG-10980)

The account and password setting for the external proxy server do not support the hash special character "#".

Solution:

This hotfix resolves a broken jquery Ajax call to ensure that the account and password setting for the external proxy server supports special characters.

Enhancement 1 of Hotfix 6434

(SEG-11628)

The hotfix provides the implementation of BIN number's regular expression and validators.

Enhancement 2 of Hotfix 6434

(SEG-12203)

This hotfix enables Data Loss Prevention Endpoint SDK 6.2 to bypass iTunes blocking and so that iPhone can still be charged while Device Control is enabled.

Procedure:

To enable Data Loss Prevention Endpoint SDK 6.2 to bypass iTunes blocking and so that iPhone can still be charged while Device Control is enabled:

  1. Install this hotfix (see "Installation").
  2. Open the "dlp.ini" file in the "\PCCSRV\Private\" folder on the OfficeScan server.
  3. Under the "Configure" section, manually add the "bypass_itunes_nonstor_usb_dc" key and set its value.
  • [Configure]
  • bypass_itunes_nonstor_usb_dc=true
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
  3. Click "Save" to deploy the settings to agents. The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder: bypass_itunes_nonstor_usb_dc=true

Issue 1 of Hotfix 6439

(SEG-12179)

Tablets running Windows 10 (Redstone) may encounter a "Blue Screen of Death" (BSOD) when trying to enter a sleep state.

Solution:

This hotfix notifies the driver to stop sending event information after entering standby mode. After the tablet comes out of standby mode, the driver starts sending event information again.

Procedure:

To enable the new service settings:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
  3. Under the "Global Setting" section, manually add the following key and set its value to "10".
  • [Global Setting]
  • PowerMonitorTime=10
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entries on all OfficeScan agent computers:
  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS\
  • Key: PowerMonitorTime
  • Type: DWORD
  • Value: 10 = Set PowerMonitorTime to 10 seconds, max 60 seconds
  1. Restart the OfficeScan agents.

Issue 1 of Hotfix 6443

(SEG-13165)

Scheduled scan is postponed because OfficeScan detects full screen mode even when there are no windows in full screen mode.

Solution:

This hotfix enables OfficeScan to ignore windows that do not have visible content during full screen mode detection.

Enhancement 1 of Hotfix 6443

(SEG-12586)

This hotfix enables users to update the following registry keys to specify the sender and subject of email notifications for malicious email messages.

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Osprey\Scan\Common\MailManager\config
  • Name: DisclaimerAddress
  • Name: DisclaimerSubject

Issue 1 of Hotfix 6447

(SEG-8096)

When the system installs or upgrades the Cisco VPN software, it tries to access some registry keys under the TmLwf registry key, which causes the software installation to fail.

Solution:

This hotfix adds a key to disable the self-protection only function of the TmLwf registry key, which resolves this issue.

Procedure:

To enable the new service settings:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
  3. Under the "Global Setting" section, manually add the following key and set its value to "1".
  • [Global Setting]
  • SP_DisableTmLwfRegistryKeyProtection=1
  • Value: 1 = Disable TmLwf registry key self-protection only
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to clients.
  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS
  • Key: SP_DisableTmLwfRegistryKeyProtection
  • Type: DWORD
  • Value: 1 = Disable TmLwf registry key self-protection only
  1. Restart the OfficeScan agents

Issue 2 of Hotfix 6447

(SEG-13656)

The file description field indicates the Common Client Real-time Scan Service ("Ntrtscan.exe") is 32-bit even when it is running on a 64-bit operating system.

Solution:

This hotfix updates the OfficeScan agent program to ensure that the correct information appears on the file description field.

Issue 3 of Hotfix 6447

(SEG-12830)

A protected computer may stop responding or respond slowly while extracting the "AFUDOS.exe" file from a ZIP file. Sometimes, the computer may also stop unexpectedly while the Behavior Monitoring engine performs policy matching.

Solution:

This hotfix removes the lock scope to prevent protected computers from stopping unexpectedly and enables OfficeScan to use the try-catch method to capture an exception and help prevent a handle leak issue.

Issue 4 of Hotfix 6447

(SEG-13700)

The OfficeScan Behavior Monitoring feature may cause certain third-party programs that are in its approved list to stop responding.

Solution:

This hotfix updates the Behavior Monitoring module to resolve the issue.

Procedure:

To apply and deploy the solution globally:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
  3. Under the "Global Setting" section, manually add the "SkipNotificationEvent" key and set its value to "1".
  • [Global Setting]
  • AegisSkipNotificationEvent=1
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS
  • Key: SkipNotificationEvent
  • Type: DWORD
  • Value: 1
  1. Restart the OfficeScan agents

Enhancement 1 of Hotfix 6451

(SEG-14071)

This hotfix enables Trend Micro Data Loss Prevention(TM) (DLP) Endpoint SDK 6.2 to support Google Chrome 61.0.3163.79

Issue 1 of Hotfix 6454

(SEG-14058)

Virus detection logs do not appear on the agent console if the name of the agent installation folder contains multibyte characters.

Solution:

This hotfix ensures that virus detection logs appear on OfficeScan agent console.

Issue 1 of Hotfix 6458

(SEG-13979)

Users cannot migrate the OfficeScan database from CodeBase to an SQL server database using an SQL server account password that contains a semicolon ";"

Solution:

This hotfix ensures that users can migrate the OfficeScan database under the scenario described above.

Issue 1 of Hotfix 6459

(SEG-13737)

Virus log information cannot be parsed properly because the names of infected files are parsed with the tab character delimiter. As a result, virus logs cannot be displayed.

Solution:

This hotfix enables OfficeScan to use a space as the delimiter character when writing virus logs. This helps ensure that it can parse and display virus logs properly.

Issue 2 of Hotfix 6459

(SEG-14671)

OfficeScan 11.0 Service Pack 1 still blocks the Spyrus USB drive after it is added to the USB exception list.

Solution:

This hotfix resolves the issue by updating the Data Loss Prevention(TM) (DLP) module to ensure that it can parse the device information of the Spyrus USB drive.

Issue 1 of Hotfix 6460

(SEG-9629)

Some 32- or 64-bit specific information on the OfficeScan web console do not match the corresponding information on the Control Manager web console.

Solution:

This hotfix ensures that the OfficeScan server sends the correct information to Control Manager so that the information it displays is always consistent with the information on the OfficeScan web console.

Enhancement 1 of Hotfix 6461

(SEG-16146)

This hotfix enables Trend Micro Data Loss Prevention(TM) (DLP) Endpoint SDK 6.2 to support version 62 of the Google Chrome web browser.

Issue 1 of Hotfix 6462

(SEG-16832)

Blue Screen of Death (BSOD) may occur after applying Microsoft KB4043961 on computers running on Windows 10 Fall Creators Update (Redstone 3) and protected by OfficeScan 11 Service Pack 1.

Solution:

This hotfix prevents the BSOD issue on affected computers.

Issue 1 of Hotfix 6473

(SEG-10738)

The "viveportdesktophelper.exe" application cannot start in protected computers.

Solution:

This hotfix updates the Behavior Monitoring driver and adds two settings to enable the "viveportdesktophelper.exe" application to start normally on protected computers.

Procedure:

To enable the new settings:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
  3. Under the "Global Setting" section, manually add the following keys and set the values to "1" to enable both settings.
  • [Global Setting]
  • SkipVolume=1
  • SkipVirtualHarddisk=1
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the new settings to clients.
  • Path: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ services\tmactmon\Parameters]
  • Key: SkipVolume = 1 (Dword)
  • Key: SkipVirtualHarddisk = 1 (Dword)
  1. Restart the OfficeScan client computer.

Issue 2 of Hotfix 6473

(SEG-12965)

A syntax error occurs when users move an OfficeScan agent to another domain which causes the domain tree to disappear from the agent console.

Solution:

This hotfix resolves the issue by changing the flush method on the OfficeScan server.

Issue 3 of Hotfix 6473

(SEG-15477)

The Service Pack build version information disappears from the registry after the "SVRSVCSETUP.exe" tool runs.

Solution:

This hotfix resolves the issue by enabling the "SVRSVCSETUP.exe" tool to backup and restore the registry.

Issue 4 of Hotfix 6473

(SEG-15975)

A vulnerability may allow remote attackers to query widget information while the specific php file runs.

Solution:

This hotfix secures the information in specific php file.

Issue 5 of Hotfix 6473

(SEG-17239)

The EXE package of the OfficeScan agent forces the user's business software to stop unexpectedly.

Solution:

This hotfix ensures that the EXE package does not affect the user's business software.

Issue 6 of Hotfix 6473

(SEG-15032)

When an agent update stalls, the number of agents in the update queue may reach the number of online agents.

Solution:

This hotfix enables the AddNotifyRecord() function to check the status of an agent before updating the counters and inserting the record into the queue.

Issue 1 of Hotfix 6475

(SEG-17726)

The wrong OfficeScan client platform information appears on the OfficeScan web console.

Solution:

This hotfix updates the OfficeScan agent program to ensure that it sends the correct platform information to the server.

Issue 2 of Hotfix 6475

(SEG-17314)

When the Advanced Protection Service is disabled in an OfficeScan agent, smvptn files accumulate and are not cleaned promptly.

Solution:

This hotfix resolves the issue by updating the NTRT module to check the current smv patterns to keep only the two most recent versions and delete all older versions.

Issue 3 of Hotfix 6475

(SEG-18237)

An interoperability issue between the TDI network filter driver and Citrix XenApp on Microsoft(TM) Windows(TM) 7 can cause the Citrix client to disconnect unexpectedly.

Solution:

This hotfix enables users to change the installation of the TDI (saknet.sys) and WFP (dlpnetfltr.sys) network filter driver based on the customized settings.

Procedure:

To configure the new setting for DLP:

  1. Install this hotfix (see "Installation").
  2. Open the "dlp.ini" file in the "\PCCSRV\Private\" folder on the OfficeScan server.
  3. Under the "Configure" section, manually add the "enable_wfp" key and set its value to "true".
  • [Configure]
  • enable_wfp = true
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
  3. Click "Save" to deploy the settings to agents. The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in the "dsa.pro" file in the</br> "\Windows\System32\dgagent\" folder:
  • enable_wfp=true

Issue 1 of Hotfix 6488

(SEG-18382)

The OfficeScan agent can be configured to use a specific IP address (IP Template) via the Windows Registry for communication with the OfficeScan server. However, the OfficeScan 11.0 Service Pack 1 agent does not support IPv6 addresses for the IP Template.

Solution:

This hotfix updates the OfficeScan agent program to resolve this issue.

Enhancement 1 of Hotfix 6488

(SEG-17037)

This hotfix updates the Trend Micro Osprey Firefox Extension and enables it to support Firefox 51 and later versions.

Enhancement 1 of Hotfix 6492

(SEG-19689)

This hotfix enables Trend Micro Data Loss Prevention(TM) (DLP) Endpoint SDK 6.2 starts to support Google Chrome version 63.

Issue 1 of Hotfix 6493

(SEG-19005)

The OfficeScan Behavior Monitoring feature may trigger high CPU usage on protected computers.

Solution:

This hotfix updates the Behavior Monitoring module to prevent the high CPU usage issue.

Issue 1 of Hotfix 6501

(SEG-20316)

The system information, product information, product version, and entity icon do not update automatically after users apply Critical Patch 6469 to the Corp server.

Solution:

This hotfix updates the OfficeScan 11.0 Service Pack 1 server file to ensure that the system information, product information, product version, and entity icon are updated correctly.

Issue 2 of Hotfix 6501

(SEG-20372)

Some information in exported Excel files do not match the information on the OfficeScan server management console.

Solution:

This hotfix updates the OfficeScan server file to ensure that the exported information matches the corresponding information on the OfficeScan server management console.

Issue 3 of Hotfix 6501

(SEG-19381)

The OfficeScan web console indicates that a failed suspicious object list synchronization with Trend Micro Control Manager(TM) was successful.

Solution:

The hotfix changes the time-out value for the suspicious object list synchronization with Control Manager from 0 to 45 seconds to ensure that the correct synchronization task result appears on the OfficeScan web console.

Issue 4 of Hotfix 6501

(SEG-20949)

Under certain scenarios, some OfficeScan processes may stop unexpectedly.

Solution:

This hotfix updates the Behavior Monitoring module to enhance the self-protect feature of OfficeScan processes.

Enhancement 1 of Hotfix 6502

(SEG-21031)

Duplicate violation logs may be generated for certain samples.

Procedure:

To configure the new settings for DLP:

  1. Install this hotfix (see "Installation").
  2. Open the "dlp.ini" file in the "\PCCSRV\Private\" folder on the OfficeScan server.
  3. Under the "Configure" section, manually add the following keys and set all to "true".
  • [Configure]
  • LOG_THROTTLE=true
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents > Settings > DLP settings".
  3. Click "Save" to deploy the settings to agents. The OfficeScan server deploys the settings to OfficeScan agents and adds the keys in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder.

Enhancement 1 of Hotfix 6503

(SEG-21886)

This hotfix enables DLP Endpoint SDK 6.0 to support Google Chrome(TM) 64.

Issue 1 of Hotfix 6504

(SEG-19753)

If multiple plug-in service (PLS) versions are available, the OfficeScan Control Manager Agent (CMAgent) reports the version and status information of all these available versions to the Trend Micro Control Manager(TM) server. This prevents the Control Manager server from determining which PLS version is currently installed on each OfficeScan client.

Solution:

This hotfix sets a filter criterion to enable the OfficeScan CMAgent to report only the version and status information of the PLS version that is currently installed on the OfficeScan client to the Control Manager server.

Issue 1 of Hotfix 6505

(SEG-23087)

OfficeScan agents receive C&C callback detected alerts for IPs in the approved list.

Solution:

This hotfix resolves a file path issue to help ensure that IPs in the approved list do not trigger C&C callback detected alerts.

Issue 2 of Hotfix 6505

(SEG-17611)

The Data Loss Prevention(TM) (DLP) services and IMAPI driver may stop responding or stop unexpectedly during CD/DVD burning operations in Microsoft(TM) Windows(TM) Explorer.

Solution:

This hotfix resolves the issue by updating the DLP module to correct the CD/DVD burning cache read operation in DLP services and refines the flow of the CD/DVD burning event wait in IMAPI driver.

Issue 3 of Hotfix 6505

(SEG-22504)

32-bit OfficeScan processes may stop unexpectedly on 64-bit platforms.

Solution:

This hotfix resolves the issue by updating how the DLP module matches path names when locating the "wow64.dll" path.

Issue 1 of Hotfix 6509

(SEG-23617)

The certificate of the "saknet.sys" file is valid from March 23, 2016 to June 28, 2017 only.

Solution:

This hotfix replaces the ""saknet.sys"" file in the Trend Micro Data Loss Prevention(TM) (DLP) module with a ""saknet.sys"" file that contains a valid certificate.

Enhancement 1 of Hotfix 6509

(SEG-23512)

This hotfix enables DLP Endpoint SDK 6.0 to support Google Chrome 64.

Issue 1 of Hotfix 6515

(VRTS-2227)

The UMH driver does not check the length of incoming data when processing IOCTL requests. This can cause tmumh.sys driver exploit vulnerability.

Solution:

This hotfix resolves the vulnerability by enabling the UMH driver to filter long IRP packets.

Issue 2 of Hotfix 6515

(SEG-21807)

Manual scans may not be able to completely scan a network drive when triggered using the "PccNt.exe filepath" command.

Solution:

This hotfix resolves the issue by ensuring that the PccNt.exe process waits for the manual scan to complete.

Issue 3 of Hotfix 6515

(SEG-24287)

The OfficeScan server cannot apply a Trend Micro Control Manager(TM) policy if the policy settings contain any UTF-8 character.

Solution:

This hotfix enables the OfficeScan server to handle UTF-8 strings in Control Manager policies to resolve the issue.

Issue 4 of Hotfix 6515

(VRTS-2185)

An issue related to the Trend Micro OfficeScan Firewall driver may cause multiple Privilege Escalation and Pool Corruption vulnerabilities.

Solution:

This hotfix updates the Trend Micro OfficeScan Firewall driver to resolve the vulnerabilities.

Enhancement 1 of Hotfix 6515

(SEG-24294)

This hotfix enables Trend Micro Data Loss Prevention(TM) (DLP) Endpoint SDK 6.0 to support Google Chrome 65.

Issue 1 of Hotfix 6519

(SEG-23706)

The "Offline Time" column on the OfficeScan web console displays inaccurate information.

Solution:

This hotfix updates the OfficeScan server files to ensure that the correct offline time information appears in the "Offline Time" column.

Issue 2 of Hotfix 6519

(SEG-23706)

The OfficeScan server may export the wrong agent list information because there is not enough buffer memory.

Solution:

This hotfix enlarges the buffer size to fix this issue.

Issue 3 of Hotfix 6519

(SEG-25099)

There is a spelling error in the "Action on Exception Rule" page of the OfficeScan agent console.

Solution:

This hotfix updates the OfficeScan agent program to correct the spelling error on the page.

Issue 1 of Hotfix 6537

(SEG-26207), (SEG-25423)

Blue screen of death (BSOD) occurs on Microsoft(TM) Surface(TM) computers protected by OfficeScan 11.0.

Solution:

This hotfix updates the OfficeScan Behavior Monitoring feature to prevent the BSOD issue on protected Microsoft Surface computers.

Issue 2 of Hotfix 6537

(SEG-25025)

OfficeScan client computers running on Microsoft Windows(TM) 10 slow down when opening the right-click (shell) menu.

Solution:

This hotfix updates the Data Loss Prevention(TM) (DLP) module to prevent OfficeScan client computers running on Windows 10 from slowing down while opening the right-click menu.

Issue 3 of Hotfix 6537

(SEG-24773)

OfficeScan uninstallation may fail because certificate verification takes too long to complete.

Solution:

This hotfix enables users to configure the timeout value for certificate verification to help ensure that uninstallation proceeds normally.

Procedure:

To set the timeout value for certificate verification during OfficeScan uninstallation:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file using a text editor.
  3. Add the following key and set its value to the preferred timeout value in seconds divided by five. For example, to set the timeout to 15 seconds, set:
  • [Global Settings]
  • WaitCheckSignTimes=3

NOTE: The default value is "3".

  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to clients.

Issue 4 of Hotfix 6537

(SEG-24846)

An issue prevents OfficeScan from detecting file attachments in Gmail.

Solution:

The hotfix resolves the issue by enabling OfficeScan to parse file attachments using an HTTP and HTTP/2 parser.

Issue 5 of Hotfix 6537

(SEG-26522)

"DbServer.exe" stops unexpectedly because of a Scan Operation log generated when a scheduled database compression task fails.

Solution:

This hotfix enables the database to delete the Scan Operation log once it has recovered successfully.

Issue 6 of Hotfix 6537

(SEG-21108)

A high CPU usage issue occurs when OfficeScan's Behavior Monitoring module communicates with the User-Mode Hook Event module.

Solution:

This hotfix updates the Behavior Monitoring module to resolve the issue.

Issue 7 of Hotfix 6537

(SEG-25338)

The OfficeScan Behavior Monitoring feature may cause performance issues while the OfficeScan agent unloads on a protected computer.

Solution:

This hotfix updates the Behavior Monitoring module to resolve the issue.

Enhancement 1 of Hotfix 6537

(SEG-23154)

This hotfix improves OfficeScan's security checking feature for digital signatures during program deployment in air gap network environments by allowing users to configure the interval of the uploading digital signature check failure logs.

This hotfix also decommissions the following settings:

  • CheckDigitalSignatureForHotfix
  • CheckDigitalSignatureForUpgrade
  • DOVF

Procedure:

To configure the interval of the uploading digital signature check failure logs:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
  3. Under the "Global Setting" section, manually add the following key and set it to the time interval in seconds.
  • [Global Setting]
  • DSInvalidLogUploadInterval=3600(default, sec)
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to clients.

    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro \PC-cillinNTCorp\CurrentVersion\Misc.
    • Key:DSInvalidLogUploadInterval
    • Type: DWORD
    • Value: 3600

Enhancement 2 of Hotfix 6537

(SEG-24943)

This hotfix implements a periodic purging mechanism for open file tables to prevent a potential memory leak issue in the DLP user-mode scanning service.

Enhancement 3 of Hotfix 6537

(SEG-26977)

This hotfix enables DLP Endpoint SDK 6.0 to support Google Chrome 66.0.3359.117.

Enhancement 4 of Hotfix 6537

(SEG-27655)

This hotfix allows users to configure OfficeScan to automate the process of moving a large number of OfficeScan clients to another OfficeScan server or specific domain and/or to uninstall OfficeScan agents.

Procedure:

To enable the new settings:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\" folder of the OfficeScan server installation directory using a text editor.
  3. Under the "Global Setting" section, manually add the following keys and set both values to "1".
  • [Global Setting]
  • EnableMoveNATClient=1
  • MoveNATClientRemoveEmptyDomain=1
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent endpoints:
  • Only "EnableMoveNATClient" will be deployed to client in the following path:
  • For x64 platforms:
  • HKEYLOCALMACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\
  • For x86 platforms:
  • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\
  • Key: EnableMoveNATClient
  • Type: DWORD
  • Value: 1

Issue 1 of Hotfix 6542

(VRTS-1730)

A user can elevate the privileges of a regular account to an administrator account through the OfficeScan management console.

Solution:

This hotfix resolves the vulnerability to help ensure that users cannot gain administrator privileges through the OfficeScan management console without the proper authorization.

Issue 2 of Hotfix 6542

(SEG-28887)

The Recent file list is missing from the right-click menu on the Microsoft(TM) Windows(TM) taskbar and from the "Start" menu when the Data Loss Prevention(TM) (DLP) Service is enabled.

Solution:

This hotfix resolves this issue by updating the file event scanning procedure for "RuntimeBroker.exe" with the Microsoft Windows Jump List under the "automaticdestinations-ms" folder.

Issue 3 of Hotfix 6542

(SEG-28758)

An OfficeScan agent displays the IM blocking message on the DLP service log when users open Skype even when DLP is disabled.

Solution:

This hotfix ensures that when users open Skype for Desktop, the OfficeScan agent displays the IM blocking message on the service log only when DLP is enabled.

Issue 4 of Hotfix 6542

(SEG-27362)

A blue screen of death (BSoD) occurs while updating the Scan Engine (VSAPI)on the OfficeScan agent server platform. This issue occurs when OfficeScan queries the "tmcomm.sys" file after the system unloads the Tmcomm driver.

Solution:

The hotfix updates the Tmcomm driver to resolve this issue.

Enhancement 1 of Hotfix 6542

(SEG-29381)

This hotfix enables DLP Endpoint SDK 6.0 to support Google Chrome 67.0.3396.62.

Issue 1 of Hotfix 6544

(VRTS-2475), (VRTS-2477), (VRTS-2479)

An attacker may craft a malicious request and cause AMSP to help on creating a process that provides SYSTEM privileges to the attackers.

Solution:

This hotfix updates the AMSP file ("coreCommandmanager.dll") to resolve this issue.

Issue 2 of Hotfix 6544

(SEG-16012)

The OfficeScan server may hang because there are too many "cgiOnScan.exe" processes almost running at the same time. This situation occurs when the schedule scan runs on many OfficeScan agents.

Solution:

The hotfix resolves this issue by adding a random waiting time function for OfficeScan agents while calling the "cgiOnScan.exe" function.

Issue 1 of Hotfix 6548

(SEG-31306)

Compliance reports may indicate that the Common Firewall Driver of an OfficeScan agent is inconsistent with the latest version on the OfficeScan server and needs to be updated even when the component is up-to-date.

Solution:

This hotfix ensures that compliance reports display the correct agent component status.

Enhancement 1 of Hotfix 6548

(SEG-29947)

This hotfix adds a hidden key to allow users to configure whether "CNTAoSUninstaller.exe" removes the Trend Micro Endpoint Sensor agent when uninstalling the OfficeScan agent.

Procedure:

To prevent "CNTAoSUninstaller.exe" from removing the Trend Micro Endpoint Sensor agent when uninstalling the OfficeScan agent:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "OfficeScan\PCCSRV\" folder on the OfficeScan server.
  3. Under the "Global Setting" section, manually add the "SkipTMESRemoval" key and set its value equal to "1".
  • [Global Setting]
  • SkipTMESRemoval=1
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers.
  4. The OfficeScan server deploys the settings to OfficeScan agents and adds the registry key under [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]
  • "SkipTMESRemoval=1"

Enhancement 2 of Hotfix 6548

(SEG-27655), (SEG-30985)

This hotfix allows users to configure OfficeScan to automate the process of moving a large number of OfficeScan clients to another OfficeScan server or specific domain and/or to uninstall OfficeScan agents.

Procedure:

To enable the new settings:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\" folder of the OfficeScan server installation directory using a text editor.
  3. Under the "Global Setting" section, manually add the following keys and set both values to "1".
  • [Global Setting]
  • EnableMoveNATClient=1
  • MoveNATClientRemoveEmptyDomain=1
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent endpoints:
  • Only "EnableMoveNATClient" will be deployed to client in the following path:
  • For x64 platforms:
  • HKEYLOCALMACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\
  • For x86 platforms:
  • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\
  • Key: EnableMoveNATClient
  • Type: DWORD
  • Value: 1

Issue 1 of Hotfix 6550

(SEG-32418)

On 64-bit Microsoft(TM) Windows(TM) platforms, the Process Hacker tool can kill the OfficeScan agent service and process even when the OfficeScan self-protection feature is enabled.

Solution:

This hotfix resolves this issue by updating the Behavior Monitoring module.

Enhancement 1 of Hotfix 6550

(SEG-31900)

This hotfix enables Data Loss Prevention(TM) (DLP) Endpoint SDK 6.0 to skip the Domain Name System (DNS) from resolving customized web sites.

Procedure:

To configure the new setting for DLP:

  1. Install this hotfix (see "Installation").
  2. Open the "dlp.ini" file in the "\PCCSRV\Private\" folder of the OfficeScan server installation directory using a text editor.
  3. Under the "Configure" section, manually add the "BYPASS_DNS_RESOLVE_WEBSITES" key and set its value.
  • [Configure]
  • BYPASS_DNS_RESOLVE_WEBSITES=example1.com,example2.com
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Agent Management > 6. Select domains or agents > Settings > DLP settings" screen.
  3. Click "Save" to deploy the setting to agents". The OfficeScan server deploys the setting to OfficeScan agents and adds the following key in the "dsa.pro" file in the "\Windows\System32\dgagent\" folder:
  • BYPASS_DNS_RESOLVE_WEBSITES=example1.com,example2.com

Issue 1 of Hotfix 6554

(SEG-30222)

An issue prevents the Data Loss Prevention(TM) (DLP) services from detecting when files from a ZIP file are being copied and burned to a CD or DVD.

Solution:

This hotfix resolves the issue so that DLP can detect and block these events.

Issue 2 of Hotfix 6554

(SEG-26891)

After the OfficeScan server syncs with a Trend Micro Control Manager(TM) server, the Suspicious Object list file "bl.zip" does not shrink after a large number of Suspicious Objects expire on Control Manager.

Solution:

This hotfix ensures that OfficeScan cleans the relevant database content completely before adding new information form Control Manager.

Enhancement 1 of Hotfix 6554

(SEG-31290)

This hotfix updates the requirements for the Trusted Programs List to exclude processes from suspicious activity monitoring. This allows OfficeScan agents to work around an interoperability issue that may cause a high CPU usage issue with the Virus Scan Engine (VSAPI).

Enhancement 2 of Hotfix 6554

(SEG-31323)

This hotfix enables the DLP module to support Google Chrome 68.0.3440.84.

Issue 1 of Hotfix 6556

(SEG-33936)

When users register an OfficeScan server to Trend Micro Control Manager(TM) through the OfficeScan web console, the notification message about the integrated Smart Scan server does not appear.

Solution:

This hotfix resolves the issue by updating the related comparison statement to use the correct variable, "iSupportMajorVersion" instead of "iMajorVersion".

Enhancement 1 of Hotfix 6562

(SEG-33533)

The Suspicious Connection Service has been enhanced to allow you to block network connections made to addresses in the Global C&C IP List.

Procedure:

Procedure: To enable the blocking action for the Suspicious Connection Service:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\"folder on the OfficeScan server installation directory.
  3. Under the "Global Setting" section, manually add the "MKWL" key and assign the encrypted string of the full program path.
  • [Global Setting]
  • GlobalActionForCNP=1
  • GlobalActionForRR=1
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
  • Path: for x86 platform: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\NCIE
  • Path: for x64 platform: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\NCIE
  • Key: GlobalActionForCNP
  • Key: GlobalActionForRR
  • Type: DWORD
  • Value: 1

Notes: Currently this feature cannot be modified through the server console and is only provided through global settings deployment.

Issue 1 of Hotfix 6566

(SEG-26387)

Users may not be able to open Microsoft(TM) Excel(TM) files when a third-party encryption software runs and Behavior Monitoring Services are enabled.

Solution:

This hotfix enables users to configure the Behavior Monitoring Services to skip events related to Excel to help solve the issue.

Procedure:

To apply and deploy the solution globally:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
  3. Under the "Global Setting" section, manually add the "SkipTWFD" and set it to "1".
  • [Global Setting]
  • SkipTWFD=1
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
  • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmactmon\Parameters
  • Key: SkipTWFD
  • Type: DWORD
  • Value: 1
  1. Restart the OfficeScan agent

Issue 2 of Hotfix 6566

(SEG-33319)

OfficeScan agents may report an incorrect Firewall policy status to the OfficeScan agent tree.

Solution:

This hotfix updates the OfficeScan agent program to ensure that the OfficeScan agent reports the correct Firewall policy information.

Issue 3 of Hotfix 6566

(SEG-35251)

The alternate update source information remains in the "ous.ini" file after users delete the information from the OfficeScan web console.

Solution:

This hotfix removes a duplicate entry for the alternate update source information from the "ous.ini" file to solve this issue.

Issue 1 of Hotfix 6567

(SEG-36415)

OfficeScan 11.0 agents may cause programs to become unresponsive when the Certified Safe Software Service is enabled. This occurs because the OfficeScan agent is unable to correctly resolve proxy settings to the correct Trend Micro server.

Solution:

This hotfix updates the OfficeScan agent program to resolve this issue.

Enhancement 1 of Hotfix 6567

(SEG-35575)

This hotfix enables the Data Loss Prevention(TM) (DLP) module to support Google Chrome 68.0.3440.106 and 69.0.3497.81.

Enhancement 2 of Hotfix 6567

(SEG-35613)

This hotfix enables the OfficeScan agent to trigger Damage Cleanup Services (DCS) to clean computers of file-based and network viruses, and virus and worm remnants (Trojans, registry entries, and viral files) when the OfficeScan NT RealTime Scan ("Ntrtscan.exe") service or the OfficeScan agent computer restarts.

Procedure:

To enable the OfficeScan agent to trigger DCS to clean computers automatically when Ntrtscan.exe or the OfficeScan agent computer restarts:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory using a text editor.
  3. Under the "Global Setting" section, manually add the following key and set its value to "1".
  • [Global Setting]
  • LaunchDCSBootup=1
  • NOTE: To disable the setting, set this key to "0".
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entries on all OfficeScan agent computers:
  • Path:
  • for x64 platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
  • for x86 platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.

    • Key: LaunchDCSBootup
    • Type: REG_DWORD
    • Value: 1

Issue 1 of Hotfix 6570

(SEG-36052)

There are some vulnerabilities in the 7z version used by OfficeScan.

Solution:

This hotfix upgrades the 7z component to the latest version to resolve the vulnerabilities.

Issue 1 of Hotfix 6573

(SEG-35974)

Sometimes, the OfficeScan "VerConn.exe" function stops unexpectedly and the event is recorded in "Application-EventLog".

Solution:

This hotfix improves the way "verconn.exe" handles internal data to prevent this issue.

Issue 1 of Hotfix 6576

(SEG-36826)

On computers running Microsoft(TM) Windows(TM) 10 April 2018 Update (RS4), users cannot update the OfficeScan client program using an update package created by the Client Packager Tool because some OfficeScan agent drivers are still running.

Solution:

This hotfix updates the OfficeScan server program to resolve this issue.

Issue 2 of Hotfix 6576

(SEG-37478)

The OfficeScan Master Service may stop unexpectedly if the OfficeScan server cannot parse the domain hierarchy of OfficeScan agents before generating the debug log.

Solution:

This hotfix updates the OfficeScan server program to resolve the issue.

Issue 3 of Hotfix 6576

(SEG-37707)

OfficeScan agents may send the wrong Firewall policy status to the OfficeScan agent tree. This happens because of a timing issue that prevents OfficeScan agents from sending the current Firewall policy status to the OfficeScan server.

Solution:

This hotfix updates the OfficeScan agent program to ensure that OfficeScan agents send the correct Firewall policy information to the OfficeScan server.

Issue 1 of Hotfix 6578

(SEG-38903)

UTF-8 characters appear garbled in exported Data Loss Prevention(TM) (DLP) log CSV files.

Solution:

This hotfix updates the OfficeScan server program to ensure that UTF-8 characters are displayed normally on DLP log CSV files.

Issue 1 of Critical Patch 6583

(SEG-41179)

Endpoints may become unresponsive if the OfficeScan agent has Behavior Monitoring (version 2.974.1238) enabled due to an internal value mismatch.

Solution:

This Critical Patch updates the Behavior Monitoring service to version 2.974.1241 and corrects the internal value matching.

Enhancement 1 of Critical Patch 6583

(SEG-39954)

This Critical Patch adds an option to configure OfficeScan agents to stop sending census queries for a specified amount of time when it detects the specified number of failed census queries. This can help prevent performance issues in protected computers.

Procedure:

To configure the maximum number of failed census queries and the period of time OfficeScan agents should stop sending census queries:

  1. Install this Critical Patch (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server.
  3. Under the "Global Setting" section, manually add the following keys and set the preferred value for each:
  • [Global Setting]
  • CensusFailedCnt = X (Census query failed count, default is 5, supports 5 - 100)
  • CensusSuspendPeriod = Y (Census query suspend period, default is 180 seconds, supports 0 - 3600)
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entries on all OfficeScan agent endpoints:
  • x86 Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
  • x64 Path: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.
  • Key: CensusFailedCnt and CensusSuspendPeriod
  • Type: dword
  • Value: 5 and 180 (default value)

Enhancement 2 of Critical Patch 6583

(SEG-38464)

This critical patch enables the OfficeScan 11 Service Pack 1 Patch 1 agent program to support Microsoft(TM) Windows(TM) 10 (version 1809) October 2018 Update.

Issue 1 of Hotfix 6585

(SEG-39252)

The Trend Micro Data Loss Prevention(TM) (DLP) service stops unexpectedly while files are attached to web mail and stops the file upload.

Solution:

This hotfix updates the FtpParser in the DLP module to resolve this issue.

Issue 2 of Hotfix 6585

(SEG-38186)

Issues related to the OfficeScan Behavior Monitoring feature may prevent users from accessing network drives and cause Microsoft(TM) Outlook(TM) to stop responding.

Solution:

This hotfix resolves the issues by updating the Behavior Monitoring module and enabling users to configure certain settings in the registry.

Procedure:

To apply and deploy the solution globally:

  1. Install this hotfix (see "Installation").
  2. Open the "ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan server installation directory.
  3. Under the "Global Setting" section, manually add the following three keys and set all to "1".
  • [Global Setting]
  • AegisSkipDesktopINI=1
  • AegisSkipRemoteDirectory=1
  • AegisSkipRemoteDirectoryByPath=1
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS
  • Key: SkipDesktopINI
  • Key: SkipRemoteDirectory
  • Key: SkipRemoteDirectoryByPath
  • Type: DWORD
  • Value: 1
  1. Restart the OfficeScan agent.

Issue 3 of Hotfix 6585

(SEG-30222)

An issue prevents the Data Loss Prevention(TM) (DLP) services from detecting when files from a ZIP file are being copied and burned to a CD or DVD.

Solution:

This hotfix resolves the issue so that DLP can detect and block these events.

Issue 4 of Hotfix 6585

(SEG-39246)

Scheduled Scan is triggered unexpectedly when OfficeScan detects the Google Drive File Stream desktop application on an agent computer.

Solution:

This hotfix updates the OfficeScan agent program to ensure that scheduled scan works normally on agent computers.

Enhancement 1 of Hotfix 6585

(SEG-40485)

This hotfix updates the DLP module to support Google(TM) Chrome(TM) 71.

Issue 1 of Hotfix 6587

(SEG-41375)

When starting on a 64-bit platform, the OfficeScan NT Listener service "TmListen.exe" may stop unexpectedly while the OfficeScan agent verifies the decompressed agent file.

Solution:

This hotfix updates "TmListen.exe" to ensure that it can start up successfully on 64-bit platforms.

Issue 2 of Hotfix 6587

(SEG-40888)

The OfficeScan server sends the wrong Data Loss Prevention(TM) (DLP) log file size information to the Trend Micro Control Manager(TM) server.

Solution:

This hotfix updates the OfficeScan server program to ensure that the correct DLP log file size is sent to the Control Manager server.

Issue 1 of Hotfix 6591

(SEG-43365)

The OfficeScan server may not report the "Last Startup" and "Offline Time" information of OfficeScan agents to the registered Trend Micro Control Manager(TM) server.

Solution:

This hotfix resolves the issue to ensure that the "Last Startup" and "Offline Time" information of OfficeScan agents are sent to the Control Manager server so the information appears on the Control Manager web console.

Issue 2 of Hotfix 6591

(SEG-41807)

The content of notification email messages is inconsistent with the information on the web console.

Solution:

This hotfix updates the OfficeScan server program to resolve the problem.

Issue 1 of Hotfix 6594

(SEG-44000)

An issue prevents the OfficeScan Data Loss Prevention(TM) (DLP) module from retrieving the serial number of portable hard disks.

Solution:

This hotfix resolves the issue by updating the DLP module.

Issue 1 of Hotfix 6596

(SEG-44478)

An exception error triggers the OfficeScan Master Service to stop unexpectedly while extracting a pattern file from a compressed file.

Solution:

This hotfix updates the OfficeScan Master Service to enable it to handle the exception.

Issue 2 of Hotfix 6596

(SEG-45429)

An error that resulted from a previous action prevents the OfficeScan agent console from opening.

Solution:

This hotfix updates the OfficeScan agent program to resolve the issue.

Issue 1 of Critical Patch 6598

(VRTS-3005)

Cookie security is not enabled in the OfficeScan web console's HTTP response.

Solution:

This hotfix updates the OfficeScan server files to ensure that cookie security is enabled in HTTP responses.

Issue 2 of Critical Patch 6598

(VRTS-3171)

A directory traversal vulnerability may allow an attacker to modify arbitrary files on the product's management console.

Solution:

This hotfix updates the OfficeScan server program to remove the vulnerability.

Issue 1 of Hotfix 6600

(SEG-44481)

A large number of "SECURITY_PRODUCT_STATE_ON" Windows Event Logs are generated on Windows 10 RS5 computers.

Solution:

This hotfix updates the conditions for Windows Security Center un-registration to help prevent too many "SECURITY_PRODUCT_STATE_ON" Windows Event Logs.

Issue 2 of Hotfix 6600

(SEG-46406)

The Trend Micro Data Loss Prevention(TM) (DLP) clipboard information is stored in a temporary file which may potentially lead to leakage of sensitive information.

Solution:

This issue updates the DLP module to ensure that its clipboard information is not stored in a temporary file.

Issue 3 of Hotfix 6600

(SEG-47191)

After an OfficeScan agent moves to a new OfficeScan server, a mismatched certificate error appears in the OfficeScan system event logs and Windows application event log in both the agent and new server. This happens because the agent sends the move results to the previous server using the new authentication certificate.

Solution:

This hotfix enables the OfficeScan agent to use the original authentication certificate to report the move results to the previous server after it moves to a new server.

Issue 4 of Hotfix 6600

(SEG-45698)

An issue related to the OfficeScan agent console program (PccNt.exe) may cause a handle leak.

Solution:

This hotfix resolves the issue by updating the OfficeScan agent program.

Issue 1 of Hotfix 6603

(SEG-47979)

The "Scans Network Drive" feature of Manual Scan may not work properly on OfficeScan agent computers.

Solution:

This hotfix updates the OfficeScan agent program to make sure Manual Scan can scan network drives and folders mapped to OfficeScan agent endpoints.

Issue 2 of Hotfix 6603

(SEG-48086)

The "HLog" folder disappeared from the OfficeScan agent installation folder which prevents the TmListen service from creating the "HLog\Cgi" folder during startup.

Solution:

This hotfix updates "TmLIsten.exe" to enable it to create the "HLog" folder before creating the "HLog\Cgi" folder.

Enhancement 1 of Hotfix 6607

(SEG-49153)

This hotfix updates the OfficeScan web console to ensure that invalid UNC paths cannot be added into the Behavior Monitoring exception list.

Issue 1 of Hotfix 6619

(SEG-44691)

Individual files get locked by OfficeScan agent, when customer adds individual files into exclusion lists.

Solution:

This hotfix updates the User-Mode Hooking module to solve this issue.

Issue 2 of Hotfix 6619

(SEG-49455)

The Suspicious Object List (file) does not appear on the OfficeScan agent.

Solution:

This hotfix resolves this issue by updating the related database transaction.

Issue 3 of Hotfix 6619

(SEG-51069)

The OfficeScan web console does not allow users to save more than 497 exceptions in a firewall policy.

Solution:

This hotfix updates the OfficeScan server and agent programs to allow users to successfully save more than 497 exceptions in a firewall policy.

Enhancement 1 of Hotfix 6619

(SEG-50057)

This hotfix enables the Trend Micro Data Loss Prevention(TM) Endpoint SDK 6.0 to support up to version 74 of the 32 and 64-bit Google Chrome(TM) web browser.

Issue 1 of Critical Patch 6623

(SEG-50752)

The Data Loss Prevention(TM) (DLP) Service may prevent the system from starting the VirtualBox Virtual Machine normally.

Solution:

This critical patch resolves the issue by updating the DLP module.

Enhancement 1 of Critical Patch 6623

(SEG-50774)

This critical patch enables the Apex One security agent program to support Microsoft Windows(TM) 10 (version 1903) May 2019 Update.

Issue 1 of Hotfix 6627

(SEG-52828)

An issue related to the OfficeScan NT Listener service ("TmListen.exe") may cause high CPU usage after the OfficeScan agent executes a manual or scheduled scan.

Solution:

This hotfix updates the OfficeScan agent program to resolve this issue.

Issue 2 of Hotfix 6627

(VRTS-3162)

An attacker may be able to force the OfficeScan agent to load a malicious .dll file.

Solution:

This hotfix updates the OfficeScan agent program to resolve this DLL injection vulnerability.

Issue 3 of Hotfix 6627

(SEG-52173)

In the Traditional Chinese version of the OfficeScan agent console, users are redirected to a non-existent webpage after clicking on the details link located in the virus log page.

Solution:

This hotfix updates the agent program to resolve this issue.

Issue 4 of Hotfix 6627

(SEG-53290)

The Data Loss Prevention(TM) (DLP) module cannot detect folder and file names that contain double-byte characters.

Solution:

This hotfix updates the DLP module to resolve this issue.

Issue 5 of Hotfix 6627

(SEG-47240)

The 3rd-party ICE WebStart program cannot be launched while the OfficeScan Firewall service is running.

Solution:

This hotfix updates the Trend Micro OfficeScan Firewall driver and provides a way to prevent this issue from occurring.

Procedure:

To enable the new settings:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\" folder of the OfficeScan server installation directory using a text editor.
  3. Under the "Global Setting" section, manually add the following key and set its value to "256".
  • [Global Setting]
  • PFW_KEventMaxCount=256
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent endpoints:
  • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmWfp\Parameters
  • Key: KEventMaxCount
  • Type: REG_DWORD
  • Value: 256 (0x100)
  1. Restart the OfficeScan agents.

Issue 1 of Hotfix 6629

(SEG-53496)

When Web Reputation Services (WRS) is disabled, OfficeScan agents still search for available Smart Protection Servers (SPS) to send Web Reputation queries to which can keep the network busy.

Solution:

This hotfix adds an option to prevent OfficeScan agents from searching for Local Web Classification Servers (LWCS) to send Web Reputation queries to when WRS is disabled.

Procedure:

To enable this option globally:

  1. Install this hotfix (see "Installation").
  2. Open the "Ofcscan.ini" file in the "\PCCSRV\" folder on the OfficeScan installation directory.
  3. Add the following key under the "ICRC_SCAN_INI_SECTION" section and set its value to "0".
  • [ICRC_SCAN_INI_SECTION]
  • WCSServiceSearchIfDisabled=0
  1. Save the changes and close the file.
  2. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.
  3. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:
  • Path:
    • 32-bit: HKEYLOCALMACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\iURL Scan
    • 64-bit: HKEYLOCALMACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\iURL Scan
  • Key: ServiceSearchIfDisabled
  • Type: DWORD
  • Value: 0

Issue 1 of Critical Patch 6631

(SEG-53555)

It may take longer than usual to access network drives from an OfficeScan agent computer when the Behavior Monitoring feature is enabled.

Solution:

This critical patch updates the Behavior Monitoring module to resolve this issue.

Issue 2 of Critical Patch 6631

(VRTS-3162)

An attacker may be able to force the OfficeScan agent to load a malicious .dll file.

Solution:

This critical patch updates the OfficeScan agent program to resolve this DLL injection vulnerability.

Enhancement 1 of Hotfix 6632

(SEG-57032)

This hotfix enables the Trend Micro Data Loss Prevention(TM) Endpoint SDK 6.0 to support up to version 76 of the 32 and 64-bit Google Chrome(TM) web browser.

Issue 1 of Hotfix 6633

(SEG-56659)

A communication issue occurs when an OfficeScan agent is transferred from an OfficeScan server to an Apex One server, which prevents the OfficeScan agent from synchronizing the SSL port setting from the new Apex One server.

Solution:

This hotfix updates the OfficeScan agent program to resolve the issue.

Enhancement 1 of Hotfix 6634

(SEG-59804)

This hotfix updates Trend Micro Data Loss Prevention(TM) (DLP) Endpoint SDK 6.0 to support version 77 of the Google Chrome web browser.

8. Contact Information

A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

9. About Trend Micro

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.

Copyright 2019, Trend Micro Incorporated. All rights reserved.

Trend Micro, OfficeScan, Data Loss Prevention, and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

10. License Agreement

View information about your license agreement with Trend Micro at: http://www.trendmicro.com/us/about-us/legal-policies/license-agreements/

Third-party licensing agreements can be viewed:

  • By selecting the "About" option in the application user interface
  • By referring to the "Legal" page of the Administrator's Guide