CSA & TrendMicro upgrade.exe

wyley.johnson
Level 4

Has anybody had an issue with Trend Micro and CSA? Specifically, I have created an exception in the Trojan Rule for Trend Micro\OfficeScan Client\Temp\upgrade.exe to be "downloaded from the network and execute". However, this event is still occurring. Is this similar to the McAfee and Framework Services issue? If so, do you know the name of the file that is calling upgrade.exe which needs to have an exception created?

7 Replies

travis-dennis_2
Level 7

Is CSA firing off the same host or different hosts? Make sure that you include your entire IP range where Trend is installed when you create the exception. The MC should be catching everything that is causing CSA to fire unless you have created a rule to stop logging that particular event.

Hope this helps

It is happening only on the same host. I had created a previous exception that tmlisten.exe was trying to access a certain port. But that is the only other event I have seen for Trend. I have since disabled that exception to see if I can find any associations between the two errors. I am currently waiting for the event to occur again. Any other ideas?

Did you by chance send out a software upgrade for CSA at some time in the past, and a person with non-admin rights to that box allowed the upgrade to occur? If so, then please un-install CSA, reboot and re-install it with an account that has local admin privs on the box. There have been issues in the past with non-admins doing the upgrade.

BTW what version are you on?

This was a fresh install. The agents are still in testmode while I tune the legitimate events. I am running 4.03.720. All users are local admins on their machines.

I am currently waiting for the event to occur again to see if I can find any association with another event.

Okay, the solution is similar to the McAfee and Framework Services trojan issue. You need to make an exception to allow ntrtscan.exe to 'download and execute' to remove the error concerning 'upgrade.exe'.

There is no solution to this and no exception will fix this. I am running into the same problem on Windows 2003 servers only. My XPs and 2000s are OK. This actually prevents Trend from getting new sigs, which really stinks. However, over AV and CSA I tend to pick CSA. We need the Okena/CSA team to take a look at this.

TREND LOGS

---------------------------------------

2005/01/03 15:42:32 - [Upgrade Start Time 6.0] == 2005/ 1/ 3 15:42:32

2005/01/03 15:42:34 - [Initialize] Now szUpdateRoot = C:\Program Files\Trend Micro\OfficeScan Client\Temp\

2005/01/03 15:42:34 - [IsVersion35OrNot] Can find the new registry value !

2005/01/03 15:42:34 - [IsVersion35OrNot] Version number = 6.0

2005/01/03 15:42:35 - Wait stop to complete, time out 60 seconds

2005/01/03 15:42:35 - Service not stop yet, time out left 59 seconds

2005/01/03 15:42:36 - Service not stop yet, time out left 58 seconds

2005/01/03 15:42:36 - Service not stop yet, time out left 57 seconds

2005/01/03 15:42:37 - Service not stop yet, time out left 56 seconds

2005/01/03 15:42:37 - Service not stop yet, time out left 55 seconds

2005/01/03 15:42:38 - Service not stop yet, time out left 54 seconds

2005/01/03 15:42:38 - Service not stop yet, time out left 53 seconds

2005/01/03 15:42:39 - Service not stop yet, time out left 52 seconds

2005/01/03 15:42:39 - Service not stop yet, time out left 51 seconds

2005/01/03 15:42:40 - Service not stop yet, time out left 50 seconds

2005/01/03 15:42:40 - Service stopped, time out left 50 seconds

2005/01/03 15:42:40 - ==>Stop [Listener] Stop tmlisten successfully !

2005/01/03 15:42:40 - ---> [StopListenService] OK.

2005/01/03 15:42:46 - [CleanUp] Can't find program.zip(C:\Program Files\Trend Micro\OfficeScan Client\Temp\program.zip).

2005/01/03 15:42:46 - [CleanUp] Can't find engine.zip.(C:\Program Files\Trend Micro\OfficeScan Client\Temp\engine.zip)

2005/01/03 15:42:46 - [CleanUp] Can't find pattern.zip(C:\Program Files\Trend Micro\OfficeScan Client\Temp\pattern.zip).

2005/01/03 15:42:46 - [CleanUp] Reset the PRGUPDATE vaule to 0.

2005/01/03 15:42:46 - Service isn't running, call StartService to start

2005/01/03 15:42:47 - Wait start to complete, time out 60 seconds

2005/01/03 15:42:47 - Service started, time out left 60 seconds

2005/01/03 15:42:47 - ==>Start [Listener] Start C:\Program Files\Trend Micro\OfficeScan Client\Temp\tmlisten.exe successfully !

2005/01/03 15:42:47 - ---> [StartListenService] OK.

2005/01/03 15:42:47 -

[Upgrade Stop Time] == 2005/ 1/ 3 15:42:47

---------------------------------------------------

CSA LOGS

---------------------------------------------------

1/3/2005 3:43:22 PM: The program 'C:\Program Files\Trend Micro\OfficeScan Client\Temp\upgrade.exe' was recently downloaded and attempted to execute. The user was queried whether to allow this operation. The user chose 'Terminate (not logged in)'.

-----------------------------------------------------

And again, there IS an exception for this event under trojan detection.

Thanks
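
Added example, not part of the original thread: a Python script that normalizes the two timestamp formats in the logs posted above and reports where each CSA "recently downloaded" event falls relative to the Trend updater run, which helps when tuning exceptions in test mode. The sample lines are copied from the post; the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample input: a few lines copied from the two logs quoted in the post above.
TREND_LOG = r"""2005/01/03 15:42:32 - [Upgrade Start Time 6.0] == 2005/ 1/ 3 15:42:32
2005/01/03 15:42:40 - ==>Stop [Listener] Stop tmlisten successfully !
2005/01/03 15:42:47 - ---> [StartListenService] OK.
2005/01/03 15:42:47 -
[Upgrade Stop Time] == 2005/ 1/ 3 15:42:47
"""
CSA_LOG = r"""1/3/2005 3:43:22 PM: The program 'C:\Program Files\Trend Micro\OfficeScan Client\Temp\upgrade.exe' was recently downloaded and attempted to execute. The user was queried whether to allow this operation. The user chose 'Terminate (not logged in)'.
"""

TREND_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) -")
CSA_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M): The program '([^']+)' "
                    r"was recently downloaded and attempted to execute\..*The user chose '([^']+)'")

def updater_window(trend_text):
    """First and last timestamp of the updater run; lines without a leading stamp are skipped."""
    stamps = [datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
              for m in map(TREND_RE.match, trend_text.splitlines()) if m]
    if not stamps:
        raise ValueError("no timestamped updater lines found")
    return min(stamps), max(stamps)

def correlate(trend_text, csa_text):
    """For each CSA 'recently downloaded' event, report its offset from the updater window."""
    start, stop = updater_window(trend_text)
    rows = []
    for line in csa_text.splitlines():
        m = CSA_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")  # CSA logs 12-hour time
        if ts < start:
            offset = int((ts - start).total_seconds())   # negative: before the run
        elif ts > stop:
            offset = int((ts - stop).total_seconds())    # positive: after the run ended
        else:
            offset = 0                                   # inside the run
        rows.append({"time": ts, "program": m.group(2), "choice": m.group(3), "offset_s": offset})
    return rows

if __name__ == "__main__":
    for row in correlate(TREND_LOG, CSA_LOG):
        print(row["time"], row["program"], row["choice"], f"{row['offset_s']:+d}s vs updater run")
```

On the lines quoted above, the CSA event is stamped 35 seconds after the last timestamped line of the updater run.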

The beta of the next version of CSA (CSA 4.5) has built-in application classes, policies, and rule modules to allow AV helper applications to execute properly.

Hopefully CSA 4.5 will still have these rules in the production release.