TCSE community - from ACAPacific

My last day with ACA

2010-06-08T11:27:00.002+08:00

Hi All,

I am sorry to inform you starting from tomorrow, I will no longer be part of ACA. With a heavy heart, I'm leaving this TCSE community blog that I have created since 2008.

Hope our paths cross again. Happy Supporting Trend!

Rgds,
TheInstructor

Malware log analysis

2010-04-14T17:01:00.002+08:00

Q: I was analyzing the 30 days malware log file and found hundreds of "BKDR_Generic.DIT" and "TROJ_Generic.DIT" which stated questionable action result - Passed Potential Security Risk. I am sure that I have already enabled Generic Detection by adding few lines in the ofcscan.ini. Anything to worry about?

A: You have done the right thing by enabling generic detection. The purpose of this detection is to make us aware that there is a certain file that is posing some threats. There is a big possibility that this is malicious file. We are just letting it pass because we do not have still an enhanced clean pattern for that one. If we quarantine or delete that file, it is very risky. Why? It is because the file could be a system file or a .dll file that is an important file on Windows. If we quarantine/delete it, there is a chance that your Windows will hang or even BSOD.

The moment you are aware of such generic virus. The next step is to collect them. Compress the files using WinZip and put a password: virus. Send the sample files to us and we will create an enhanced pattern file for you. Also, it will be much better if you use our SIC Tool to further analyze your system for other infections. Then send the sic logs and suspect.zip. Furthermore, send the Virus logs for us to know who are being infected and find the PC that is the one infecting the system.

I hope this helps.

March 2010 Class

2010-04-13T17:07:00.002+08:00

Fellow attendees for March 2010 class. From left is Ms Ong, Wan, Elson, Chin, myself and Raj.

IMSS 7.1 - some fine tuning steps

2010-04-13T11:27:00.002+08:00

q. You might get 550 Access denied - Invalid HELO name from receiving domain (certain domain only) What fine tuning need to be done?

a. There are few things that you can check. First, verify that your MX record has reverse MX record. Some receiving domain will check for this and if you don't comply you will be rejected.

Please refer below for configuration that you might want to fine tune:

1. http://esupport.trendmicro.com/Pages/Receiving-mail-server-replies-with-504-5.5.2-machinename-Helo-command.aspx

2. http://esupport.trendmicro.com/pages/Bogus-HELO-name-used-and-HELO-command-rejected-errors-appear-on-outbou.aspx

3. http://esupport.trendmicro.com/pages/InterScan-Messaging-Security-Suite-IMSS-for-70-Windows-is-unable-to-de.aspx

If you have tried all, but still the problem persist do escalate and make sure you attach together tsmtpd.ini, log.imss and tsmtpd.log in debug mode.

Note: To enable debug you can use CDT else login to IMSS web console Choose Logs > Settings from the menu. Application log level option change to "debug". Replicate the issue. Don't forget to disable the debug option once done.

Reference link for basic info and troubleshooting:
http://esupport.trendmicro.com/Pages/IMSS-70-Windows-basic-info-and-troubleshooting-guide.aspx#P25_1130

OSCE SP1 ; found encrypted as the action in malware log

2010-04-12T12:07:00.001+08:00

q: I found "encrypted" as the result action in malware log for OSCE 10 with SP1

a: This is is a new feature in OfficeScan 10, where the virus logs will show an "encrypted" result. The "Encrypted" result happens when the Scan Engine (VSAPI) is unable to take action (quarantine, delete, rename) on a malware. Instead, the OfficeScan client will just encrypt the malware.

Missing mail log entry for IMSS 7.0

2010-03-26T12:30:00.002+08:00

When you want to trace a mail, you normally will query Message Tracking and put in the sender or recipient name. Let say you tried that and no relevant log entry appear.

You might want to try and query the log file itself. Locate Log folder in IMSS installation folder. Look for file with the name 'mailtrace.log.########'. The # indicates the date.

Probably there is a problem to upload the logs to database.
You might also want to do the following to rectify this issue:
1. Stop all IMSS related services
2. Backup mail_trace_bookmark file which can be found in Program Files\Trend Micro\IMSS\bin by renaming it.
3. Restart all IMSS related services
Note: This should generate new bookmark
4. Install the latest patch (if applicable)

To drop or reject the packets?

2010-03-19T16:43:00.002+08:00

Before you decide which action to enforce on your clients, perhaps you need to understand the effect of doing it.

Drop will drop the packet without response
Reject will reject packet but with response that the packet has been rejected (ICMP unreachable equivalent send to the source)

IMSVA sizing

2010-03-19T16:41:00.002+08:00

q: How many mailboxes can IMSVA handle?
a: It doesn't count by mailboxes in sizing the IMSVA. I have checked with Trend Micro TAM (Technical Account Manager) that 50,000 msg/hr is a good number.

OSCE 10 client with smart scan method

2010-03-19T16:00:00.003+08:00

I hope this answers you (you know who you are) :-)

If your OSCE 10 client is using smart scan method, you can view the following from component version when you right click the OSCE client icon in system tray.

Notice there is no conventional pattern file version (lpt$vpn###)

Refer below for the view from OSCE web console. It will show either conventional pattern file or smart scan agent pattern.

Hope this helps!

Prep for TDA POC

2010-03-11T16:07:00.001+08:00

Threat Discovery Appliance (TDA) is part of Trend Micro Threat Management Services.

Find hidden malware before it steals data and damages your network...read more to know. :-)

Checklist(once identified where to deploy):
- at least 2 ports; management and data port (onboard NIC is for management port)
- IP address, subnet mask, default gateway and DNS configuration
- Product activation code for POC
- Time setting
- proxy information required for product activation and log/report generation
- Registered Services ; DNS, SMTP, FTP, PROXY
- list of network segments / VLANS

to access the web console;

https://tda_ipaddress

to check the port mirroring correctly configured / data successfully mirrored

Login to the web console then open another browser then go to the following URL;

https://tda_ipaddress/html/kmod_main.html
note: look for syn_conntrack more than 500

https://tda_ipaddress/html/rdqa.htm
note:look for ATOP to see the bandwidth should be in Mbps or Kbps

Query on IMSVA

2010-03-11T00:36:00.000+08:00

IMSVA (InterScan Messaging Security Virtual Appliance)
Q:How many users can it support?
A:The sizing is not based on users. Literally, IMSVA can take up to 50,000 msg/hr

Click here for Datasheet

Install Patch 5 for OSCE 8 to support for Windows 7 clients

2010-02-22T14:14:00.002+08:00

On 22 January, 2010 Trend Micro has published Trend Micro OfficeScan 8.0 Service Pack 1 Patch 5 - Build 3510.

Refer to the ReadMe file regarding this patch. One of it is to support for installation on Windows 7 client.

virus log from OSCE 10 client

2010-01-20T10:55:00.002+08:00

q: Where to obtain the physical file of the virus log from your client pc?
a: go to the officescan client installation, look for MISC folder. The content is all logs related ; virus log, spyware log

Upgrade your OSCE 8 to OSCE 10 using client packager

2010-01-19T17:15:00.001+08:00

If you want to create the new packager that can upgrade the existing client to the ver 8 without uninstallation of the client.

There are options which you can modify on the OSCE server’s ofcscan.ini to allow upgrade.

To modify "ofcscan.ini" on the OfficeScan server's "\PCCSRV" folder, then create the client package:

On the "INI_CLIENT_SETUP_SECTION" section:

BypassServerChecking=1 ,

which allows the MSI/exe package can be installed on any OfficeScan client computers, even they are not managed by the package packed server.

BypassUpgradePrivilegeChecking=1 ,

which allows the MSI/exe package can perform client programs upgrade, even the client is configured as it cannot upgrade programs or hot fixes from the server.

You may need to revert back to the original settings once the packager is created.

SMEX 10 is here..

2010-01-19T14:53:00.003+08:00

You can refer the details from here:
http://www.trendmicro.com/download/product.asp?productid=8

what's new?-Supports Microsoft Exchange Server 2010
-Microsoft Active Directory (AD) Integration
can create policy and assign to AD users
- Role Based Access
multiple admin access to different areas in the web console
-Event Tracking in Logs
since multiple admin can access the web console, thus the needs to track the activity for each administrator
-Installation enhancement
-IPv6 support
-Includes Web Reputation Filter
to check the URL from within the email content agaist the web reputation database. This is separate from SPS offering.
-Resource management
allow for tuning CPU resources during scanning

Upgrade checklist
- Server specs
2GB RAM, 10GB free disk space
- Software requirements
Also support Windows 2008 server, Exchange 2010
- Credentials requirements
Local admin
- Activation Code
- Housekeeping of the current logs
Delete older logs. Verify the folder ..\Smex\log is at minimum size.

Note:
1. no restart of MS Exchange is required. Relatively no downtime to the email system
2. if no issues, the upgrade will complete in 30 minutes

List of ports when using NVW and TMCM

2009-12-21T11:37:00.002+08:00

A customer asked, what ports to allow since he deploys two units of NVW the NVW registered to TMCM in the network.

Ports used by NVW and TMCM to communicate:

1. TCP 80 Listening/Outbound (HTTP)
2. TCP 443 Listening/Outbound (HTTPS)
3. UDP 10323 (Inbound)
4. UDP 514 Outbound (Syslog)

Ports used by NVW and protected machines to communicate:

1. TCP 20901-2 Listening & TCP 20903 Interprocess (Damage Cleanup Services). This is also used by Vulnerability Assessment

2. UDP 123 (Inbound). Port used by the Trend Micro Network Time Protocol. It is also used by Network VirusWall to synchronize time with the TMCM server.

3. UDP 10323 (Inbound). Default Heartbeat Port of TMCM for MCP-based agents. Heartbeats will indicate to the TMCM server that an agent is active.

4. 5088 - Peagent

5. 5091 - Threat management agent. You can also modify this port in NVW console > Policy enforcement > TMAgent settings.

SPNT only on single processor?

2009-12-21T11:33:00.002+08:00

I have read up the Student TextBook of Trend MIcro Server Protect Certification Training course. Refer to page 62 of the book it says

"Note: ServerProtect works only on single-processor servers.
When you try to run ServerProtect on a multiprocessor server, a warning appears on the console screen, and the application does not start. "

Please note that the statement above is true for "older version" of SPNT 5.5. However with the release of newer version, SPNT 5.58, 5.7 and 5.8, dual processor is NOW supported.

IMSS 7.1 - an upgrade from IMSS 7.0

2009-12-08T14:41:00.002+08:00

Becareful when you inplace upgrade 7.0 to 7.1. It works for me. All the required settings still preserved. However, the IMSS is set to open relay!
You have to remove 0.0.0.0 from IMSS console > Administration > SMTP Routing > Message Rule> Permitted Senders of Relayed Mail.

Test out to telnet IMSS potr 25 and run mail from and rcpt to command to verify that it is now closed relay.

good luck!

Utilpolicy for IMSS for Linux

2009-11-23T10:28:00.002+08:00

I posted earlier on this tool here. It has got a linux version as well. Let me know if you need it. :-)

utilPolicy.tar.gz is a tool to import/export the following
settings:
1. UI->Policy
> Policy List
> Scanning Exceptions
> Internal Addresses
2. UI->IP Filtering
> Overview--enable/disable IP Filtering
> Rules
> NRS
> Approved List
> Blocked List
> Suspicious IP
3. Reports
> Settings--of scheduled reports
4. Logs
> Settings
5. Quarantine & Archive
> Settings (Qurantine & Archive)
6. Administrator
> Updates
> Schedule
> Source
> Notifications
> Events
> Delivery Settings
> Web EUQ Digest
> IMSS Configuration
> Connections
> Components
> LDAP
> POP3
> TMCM Server
> SMTP Routing
> SMTP
> Connections
> Message Rule
> Domain-based Delivery
7. User Quarantine Access
> Select LDAP groups to enable access

proxy pac and IWSS

2009-11-17T16:52:00.005+08:00

Question:
How can we configure users to point to IWSS via "Automatic Proxy Configuration"?

Answer:
1. Have a proxy.pac script ready. You can refer to this basic script.

note:192.168.1.86 is your IWSS IP address andport 8080 is the proxy port

2.Publish proxy.pac in your web server. Make sure your web server recognize the .pac extension by adding in the MIME type to the HTTP Header.

3. Specify your user's browser with the configuration

Remark:
Do feedback on the performance and capability of this configuration. Do you experience any drop in connections?

What is 'Infection source'?

2009-11-12T13:51:00.004+08:00

You can see this from your OfficeScan virus logs.

You may not have the Infection Source if the infection is of trojan, generic malware or backdoor. Most cases in worm typically network worm you will have Infection Source information. Some virus detection doesn't have Infection Source if the infection is local meaning it is not coming from a remote computer. Also, it doesn't require scanning of mapped drives to check or detect infection source since the detection of infection source is based on the NET SESSION on the local computer.

For example, if User A accesses a virus infected share on User B's machine, User B will become listed in the Infected Sources list.

If there are no sources on the private network sharing malware, then nothing will be shown.

Manual or scheduled update failed

2009-11-11T15:19:00.003+08:00

Issue:

The client was not able to update the pattern of their TMCM 5.0. An error "Unable to create sub directory" appeared which can be seen from the command tracking.

CDT logs captured and findings as follows:

Err 20091030 22:48:08 5620 4436 HttpConnection: Socket connect fail Err 20091030 22:48:08 5620 4436 TmDownloader: Connection fail when try to open resource Inf 20091030 22:48:08 5620 4436 Re-downloaded (3) times Err 20091030 22:48:08 5620 4436 Downloader returns: 4 Err 20091030 22:48:09 5620 4436 can not get required server info file Inf 20091030 22:48:09 5620 4436 Cleanning Temp dir [D:\Program Files\Trend Micro\Control Manager\AU_Data\
AU_Temp\5620_4436] Inf 20091030 22:48:09 5620 4436 UpdateManager endwith 28 (1c0002): ActiveUpdate was unable to connect to
the network. Please verify that the network connection is functional, and
then try again.
Inf 20091030 22:48:09 5620 4436 End TmuUpdateEx()
------------------------------
Inf 20091030 22:48:09 5620 4436 release context for thread: 4436 Err 20091030 22:48:09 5620 4896 Delete Temp dir fail.
Inf 20091030 22:48:09 5620 4896 Cleanning Temp dir [D:\Program Files\Trend Micro\Control Manager\AU_Data\
AU_Temp\5620_4896] Inf 20091030 22:48:09 5620 4896 UpdateManager endwith 16 (100000): ActiveUpdate was unable to complete the
requested file operation. Please try again. If the problem persists,
contact your Trend Micro technical support provider.
Inf 20091030 22:48:09 5620 4896 End TmuDuplicateEx()
------------------------------
Inf 20091030 22:48:09 5620 4896 release context for thread: 4896
------------------------------
Inf 20091030 22:48:09 5620 4896 new context for thread: 4896
------------------------------
Inf 20091030 22:48:09 5620 4896 Set key[KeptPatternMaxCount] value[14] Inf 20091030 22:48:09 5620 4896 TmuSetPropertyEx returned [TRUE]
------------------------------
Inf 20091030 22:48:09 5620 4896 Start TmuDuplicateEx() Err 20091030 22:48:09 5620 4896 Delete Temp dir fail.
Inf 20091030 22:48:09 5620 4896 Cleanning Temp dir [D:\Program Files\Trend Micro\Control Manager\AU_Data\
AU_Temp\5620_4896] Inf 20091030 22:48:09 5620 4896 UpdateManager endwith 16 (100000): ActiveUpdate was unable to complete the
requested file operation. Please try again. If the problem persists,
contact your Trend Micro technical support provider.

Answer:

The issue was possibly on the network side of the client, kindly chek if they were using a proxy on TMCM server.

After checking the proxy setting kindly advice the client to delete all the contents of \Program Files\Trend Micro\Control Manager\AU_Data and try to do again a manual update.

Note: Some of the files are locked and can't be deleted. It was when the Trend MIcro Control Manager service was stopped, then only a complete deletion can be done

OSCE 8.0 and Windows 7

2009-11-11T15:17:00.001+08:00

Question:

I have OSCE 8.0 installed in my environment. Is there any patch available to support for Windows 7 client OS?

Answer:
No. You have to upgrade to version 10 in order to support Windows 7. If your license is still valid, you are entitled for free upgrade.

DOWNAD and recycler folder

2009-11-11T11:58:00.003+08:00

I read from Trend Micro Blog about DOWNAD/Conficker. Some interesting note to highlight since recent visit to a customer place I happened to see the virus log and they were few entries with infected path detected in Recycler folder.

"In January of this year, a few security websites and media outlets reported a wave of detections of another DOWNAD variant.

This variant first sent exploit packets for a Microsoft Server Service Vulnerability to every machine on the network and to several randomly selected targets over the Internet. It then dropped a copy of itself in the Recycler folder of all available removable and network drives and created an obfuscated autorun.inf file on these drives so it can execute every time a user browsed a network folder or removable drive without actually clicking on the file. It then enumerated the available servers on the network and, using this information, gathered a list of user accounts on the machines."

What is Recycler Folder and How to remove it
A good reading material from Tech Salsa

If you have used Windows for quite some time now then you must have seen this folder called RECYCLER. But many people don’t know what this folder is and what is it doing in the drive?

What is Recycler folder?

The Recycler folder is used only on NTFS partitions and is referred to as a location where all the deleted files go after they have been deleted by the user. Now you may be wondering if it contains the deleted files then why we have the Recycle Bin.

When a file is deleted it goes to the Recycle Bin but when the Recycle Bin is emptied, the files are stored in this Recycler folder. This is the reason why we can still restore the deleted data in the Windows.

Difference between Recycle Bin and Recycler

Recycle Bin stores the file that are deleted from the computer until it is emptied completely whereas the Recycler folder contains a Recycle Bin for each user that logs on to the computer. (MS article)

Recycled Folder

This is something different than the Recycler folder as Recycled is same as Recycle Bin. That is both Recycled and Recycle Bin are just two different names for the same memory location.

How to delete Recycler Folder

Recycler is a read only folder and that is why it gave error if you tried to delete it. To view the folder, go to Tools -> Folder Options -> View tab and uncheck the option of Hide Protected operating System Files.

Now just right click on the folder, go to Properties and unselect the option of Read Only. Now it can be deleted.

Recycler Virus

There has been identified a virus with the same name that is Recycler.exe which should not be confused with the Recycler folder.

Scan Engine version 9.0 is almost here!

2009-11-02T14:31:00.002+08:00

Scan Engine 9.000 ActiveUpdate (AU) Upload
October 30, 2009

Details

On November 16, 2009 (US PST), Trend Micro will upload Scan Engine (VSAPI) 9.000 to the ActiveUpdate (AU) server.

Trend Micro will release VSAPI 9.000 on these products :

Ø OfficeScan
Ø Client Server Messaging Suite / Client Server Suite
Ø Worry Free Business Security
Ø ServerProtect for NT
Ø Trend Micro Control Manager

Scan Engine 9.000 includes the following enhancements / features :
Ø Support for the detection of files that contain known PDF exploits
Ø Support for shellcode detection
Ø Recognition of the following additional file types:
o Flash Video (FLV)
o Microsoft Document Imaging (MDI)
o Moving Picture Experts Group (MPEG)
o QuickTime (MOV)
o RIFF
o SITX
o ZIP64
Ø Support for the detection of exploits to Microsoft Office vulnerabilities

Recommended Action
Trend Micro recommends that you update your scan engine to provide protection against the latest threats.

For customers who want to test VSAPI 9.000 on selected clients, please download VSAPI 9.000

For 32-bit VSAPI at
http://officescan-p.pre-opr-au.trendmicro.com/activeupdate/engine/engv90kd.zip

For IA 64-bit VSAPI at
http://officescan-p.pre-opr-au.trendmicro.com/activeupdate/engine/engv90_ia64_ntkd.zip

For AMD 64-bit VSAPI at
http://officescan-p.pre-opr-au.trendmicro.com/activeupdate/engine/engv90_amd64_ntkd.zip

Manual instructions on how to apply the scan engine can be found at http://esupport.trendmicro.com/enterprise/default.aspx

Support for Windows 7, both OSCE and WFBS

2009-11-02T11:51:00.002+08:00

Please install Service Pack 1 for your OSCE 10 and WFBS in order to support for Windows 7 Operating System.

Refer here:
OSCE
WFBS

Activating your OSCE 10 with superkey

2009-10-28T11:41:00.004+08:00

Issue:
I have my paper license with the following description:
OfficeScan Superkey (AV+SW+DC+FW)English ver 10.x

I'm upgrading my OSCE 8 to OSCE 10. During the installation wizard, I put in the superkey for the first item which is for antivirus module only. refer below screen shot.

Once upgrade is done, from the web console Administration > Product License under License Information table I can see that "Antivirus for Desktop" and "Antivirus for Servers" both in grace period. The other services "Web Reputation and Anti-Spyware for desktops", "Web Reputation and Anti-Spyware for Servers" and "Damage Cleanup Services" shown as not activated.

What went wrong?

Solution:

Login to the web console. Click on Administration > Product License. Choose the services for which you want to activate or refresh the license information.
There are two things here:

1. For License appear as in grace period or expired despite the license just renewed. This is because you have to update information upon renewing the license. This will allow for the OSCE server to sync with the License Server for the new expiry date, license seats number and other relevant information. Refer to below screen shot. You will have to click on the "Update Information" button.

2. Activating Web Reputation and Damage Cleanup Services for OSCE 10 is actually by using the same key. Hence the name SuperKey. Don't forget to click on the "Update Information" button once you are done.

How to set a fixed amount of memory (Enterprise Manager)

2009-10-26T15:21:00.002+08:00

Issue:
If using SQL Server on the same system as the TMCM server, and you notice that memory utilization is quite high most of the time occupied with SQL related processes. Probably, you need to set a fixed amount of memory (Enterprise Manager)approximately two-thirds of the total memory for TMCM server.

Suggestion:
To set a fixed amount of memory

1. Expand a server group.

2. Right-click a server, and then click Properties.

3. Click the Memory tab.

4. Click Use a fixed memory size (MB), and then position the fixed memory slider.

malformed email

2009-10-23T16:19:00.001+08:00

Issue:
I have IMSA 7.0 Patch 1. Recently, one of my email is quarantined which can be seen from the web console with the reason "malformed". I noticed from the mail, it has about ~70 image attachments which are the company logo/symbol in that particular mail. I believe that is the reason for the "malformed" issue.

Answer:

Malformed email is quarantined in IMSA due to the following rules setting:

1. Maximum number of entities allowed in each mail message ( usually Maximum attachment or embedded item)
LimitEntities = 64

2. Maximum number of parameters allowed in each header field ( You can change this field to CC and BCC field as well)
LimitHeaderParams=100

3. Maximum number of header fields allowed in each entity
LimitHeaders=500

You will have to edit this setting.

Access the hyperterminal console and log in as root. Locate the following imss.ini file located in /opt/trend/imss/config/ directory.
Change the value of the following parameters to the maximum value needed:
LimitEntities

References:
http://esupport.trendmicro.com/Pages/Frequently-Asked-Questions-FAQ-about-the-mail-transfer-agent-MTA-of-In.aspx
http://esupport.trendmicro.com/7/What-is-malformed-email-and-how-to-avoid-it.aspx

Approving youtube.com

2009-10-23T16:14:00.001+08:00

Issue:
Customer installed IWSS 3.1 on Windows 2003 svr. They enabled the URL filtering and block access to Streaming Media / MP3 category. However, they want to approve www.youtube.com.

I have tried to add in youtube* and *youtube* in the approved URL list. But the youtube page doesn't appear correctly. Some of the page elements are missing. What's wrong.

Answer:
Please try to add the following in the HTTP> URL Filtering > Settings > Approve URL List

- Choose URL keyword and enter the following string

ytimg.com
youtube.com

Note: Actual strings shown after adding them is as follows:

*ytimg.com*
* youtube.com*

Please be informed that youtube has to retrieve files from different servers which are hosted under youtube.com and ytimg.com. The thumbnails/pictures are usually stored under ytimg.com while the actual flv files are located on servers under youtube.com. One example is the “v21.lscache2.c.youtube.com”. The retrieval of the files depends on the current location of the browser requesting the site and depends on which server hosts the requested files.

Procedure to reimage IMSA

2009-10-20T12:46:00.000+08:00

1.1. Backup current config: http://www.trendmicro.com/ftp/documentation/guides/IMSA7.0_SP1_AG.pdf (Page: 93)

1.2. Save the config file after re-imaging IMSA

1.3. Instruction on how to rescue (re-image) can be found in Page 165. You need to download the Solution CD using this link: http://www.trendmicro.com/ftp/products/imsa/IMSA_7.0_Solution_CD.zip

Thanks Law!

Database optimization for TMCM 3.0

2009-10-14T16:54:00.005+08:00

Issue:
I have customer installed the old TMCM version 3.0 on MSDE database (free database version one that is bundled in TMCM installer). I will have to perform database performance optimization for Expert on Guard (EoG) service activation. How do I go about and do it?

Answer:
You will have to have Query Analyzer. For free tool, you can download one from here. Connect to the database and execute the following commands.
Copy and paste it in the Query Analyzer:
--------- copied start below this line -------------------------------------
use db_ControlManager;
runcate table tb_InValidLog;
delete tb_DeployCommandTracking;
delete tb_tvcscommandlist;
delete tb_tvcsCommandTaskqueue;
delete tb_registeredproductlist where RPL_TotalCount<=0;
update tb_registeredproductlist set RPL_ProductInfoState=0 where RPL_ProductInfo
Backup log db_controlamanger with truncate_only;
DBCC shrinkDatabase(db_controlmanager);
--------- copied end this line ------------------------------------------------

note: dbcontrolmanager.mdf is variable - typically is the name of your TMCM database.
Verify that the command executed successfully.

I hope it helps!

Worry Free installed on Apache Web Server

2009-10-14T16:26:00.002+08:00

Issue/concern:
A customer installed Worry Free on Apache Web Server rather than IIS. Now, he is concern since he is going to patch the Apache whether it will affect the Worry Free web console installation. Is there anything to backup?

Answer:

Well actually nothing to backup on WFBS just make sure you have an apache backup. Just incase you need to revert back. Check the apache update’s roll back procedure as well if thre’s any.

On our documentation we can support Apache ver 2.0.63 or later. As long as you are on the range I see no harm.

Allow me to put some of my thoughts into this, although apache is nice and stable Web server we only included it in the package if a client with limited machineries would like to install the product on a non windows server class OS. I suggest you use IIS instead.

Note: you might want to consider backup httpd.conf, c:\etc. For more infor you may google around. :-)

CDI for NVWe2500

2009-10-09T16:34:00.003+08:00

Issue:
A customer reported that her NVWe2500 unit is not able to update either manual or scheduled. Clicking on the update button will take almost forever to come out with the page.

Normally the Available Version column should indicate the latest component version but since the problem occur, she only see N/A as the description.

How to run CDI to further troubleshoot on this issue?

Answer:
The Case Diagnostic Information (CDI) gathers information for diagnostic and debugging purposes. Trend Micro can use this information to diagnose problems and issues with NVWe. You can collect the CDI by clicking on the Administration menu, then the Tools link, and then the download link. The Tools pane will appear.

Save the file to your computer and then send it to Trend Support for further investigation. We cannot open the file as it is encrypted. It can only be read by their service engineering group.

iCrcPtnDP log file

2009-10-06T16:50:00.002+08:00

Issue:
Customer installed OSCE 10, with smart scan scanning method.
Recently, he found out that in this particular folder .\PCCSRV\log folder there are many logs by the name iCrcPtnDPxxxxxx.log (e.g. iCrcPtnDP647700.log). If this continues they are worried that it might used up the HDD space a lot.

Is this log important?

Answer:
This log is just icrc pattern update logs (server smart scan). It is safe to just delete the log from time to time.

I hope it helps.

Trend Micro Anti-Malware Ranked #1 in Real-World Online Testing

2009-10-02T16:35:00.003+08:00

http://us.trendmicro.com/us/trendwatch/core-technologies/competitive-benchmarks/index.html

spam pattern update failed

2009-09-28T10:13:00.003+08:00

Problem:
My customer reported that he can't perform update for the spam pattern of IMSS 7.0 Linux

Refer below information:
1. What was the current build of their IMSS 7.0
* Make it sure that the latest patch was already been applied.
Linux_1633

2. What was the last changes made before the issue occured?
No changes made

3. Are they running another program on the same IMSS server where the database is utilized?
No

4. What is the specs of the server and how many mails are they processing.
Power Edge 6800 Server (Linux RedHat Enterprise) 2nd Dual Core Xeon Processor 7120M, 4MB L3 Cache. 3.00 GHz, 800 FSB 146GB hardrive 4Gb DDR2 RAM

Attached also the screen shot of the error message. Please find the attached CDT log uploaded at ftp://ftp.myatsc.net/UPLOAD/ACA/
MATRADE folder.

Reply from Support:
1. Since the build is 1633 (GM) please download and install the latest service pack and patch: http://www.trendmicro.com/download/product.asp?productid=12

2. Now if issue persists after that step 1, do the following:
- root# mv /opt/trend/imss/temp /opt/trend/imss/temp_090509
- root# mkdir /opt/trend/imss/temp
- root# chown -R imss:imss /opt/trend/imss/temp
- root# mv /opt/trend/imss/lib/AU_Temp /opt/trend/imss/lib/AU_Temp_090509
- root# mv /opt/trend/imss/lib/AU_Cache /opt/trend/imss/lib/AU_Cache_090509
- root# mv /opt/trend/imss/lib/download /opt/trend/imss/lib/download_090509
- root# chown -R imss:imss /opt/trend/imss/lib/AU_Temp /opt/trend/imss/lib/AU_Cache /opt/trend/imss/lib/download

3. If issue still persists, do the following:
- Look and open the file: /opt/trend/imss/lib/aucfg.ini
- Change the debug_level from 5 to "-1" without quotes
- Save the changes and do this command: root# /opt/trend/imss/bin/script/S99IMSS restart
- Enable debug log in UI => Log => Settings => Debug
- Reproduce the issue by clicking the Update in the Summary Page of IMSS for components to be updated or wait for the time the scheduled update to be triggered (screenshot please)
- Collect the following logs
1. All logs inside this folder with same timestamp of the replication: /opt/trend/imss/log/*
2. Get this file: /opt/trend/imss/lib/AU_Log/TmuDump.txt

patch 1 for sp1 installation problem on IMSA

2009-09-28T10:01:00.002+08:00

1. Did the client already update the IMSA for SP1 prior to patch 1?
2. If yes and this happens, we need to ask the client to collect some logs to analyze
a. Connect the pc to IMSA to the CLI (command line) via SSH
b. Go to $IMSA_Home/cdt
c. Open the cdt.ini and check SilentMode=1 is set to zero "0"
bash-3.0# cd /opt/trend/imss/cdt
bash-3.0# vi cdt.ini
d. Save the changes and run it. bash-3.0# ./cdt
e. Select All Events and once the CDT is running, replicate the patch installation.
f. Once the issue occurs, allow CDT to continue running for about 5 mins more. Afterwards, stop CDT and collect the CDT logs. Move the CDT*.zip to /tmp folder and using UI console, export the logs/CDT. Otherwise, you can try the following to move the logs out from the IMSA.

Transferring files to / from IMSA

=======
Using FTP
=======
Use the ncftp FTP client to access the external FTP servers (in our case you can upload it here ftp.trend.com.au; user: xxxx and pass: yyyy) and exchange files. The command-line arguments must include username, password and the port number if it is not 21:

bash-3.00# ncftp -u -p -P 2121 10.13.130.253 NcFTP 3.1.9 (Mar 24, 2005) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.13.130.253...
transfer Microsoft FTP Service (Version 5.0).
Logging in...
User training logged in.
Logged in to 10.13.130.253.
ncftp / >

Example:

bash-3.00# cd /tmp
bash-3.00# ncftp -u xxxx -p yyyyy ftp.trend.com.au NcFTP 3.1.9 (Mar 24, 2005) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to ...
transfer Microsoft FTP Service (Version 5.0).
Logging in...
User training logged in.
Logged in.
ncftp / >cd _asiasupport/upload/logs/1-1-271644771
ncftp > put

=======
Using the NFS Client
=======
Using the NFS client from the shell allows one to set up a remote filesystem to which files can be copied:

mount -t nfs -o nolock 10.13.9.186:/data /mnt

Note: Since there is no locking daemon available on IMSA, you have to tell the mount command to not use locking.

These files can then be accessed from non-IMSA devices (Linux, Windows, etc.) that have an NFS client. In other words, in windows machine, create a folder and have it shared (Everyone with Read & Write). Example. I have a machine 10.0.0.1 and I created IMSA folder and shared it so if I access it using windows, it is like: \\10.0.0.1\imsa

NRS activation problem for IMSS 5.7

2009-09-11T15:13:00.002+08:00

Problem:
My customer is still using IMSS 5.7 build 1121 on Windows 2000. No plan to upgrade yet since the hardware is of low specs. Recently he activated the NRS. Upon saving the changes, refer below for message that he received:

-------------------------------------------
The configuration changes have been saved.

However, local DNS server seemed not responding to DNS A-record query for Network Reputation initialization test in time and timed out. As a result, Network Reputation during scan may not be functioning properly. Although mail flow will still continue, it is recommended to follow manual's instructions to troubleshoot, reconfigure and tune local DNS server before fully utilizing this feature.

Some possible reasons may lead to this testing failure are listed here as reference and please refer to manuals for further information:

1. Local DNS server can not respond to A record query.

2. Local DNS server can not look up its root DNS server for sub-domains of a.mail-abuse.com.

3. Slow response from local DNS server and/or intermittent networking connectivity for outgoing DNS queries.

-------------------------------------------

Solution:
Do the following;

1) Stop all IMSS services.

2) Look in the IMSS folder then backup and delete the following files.

licenseprofile3.dat is for NAS
licenseprofile4.dat is for RBL+

You might night not have both files. Just delete these two files if you see them.

3) Restart all IMSS services

4) Enter the NRS Activation Code again.

Open the GUI and click 'Configuration'
Under 'Configuration', click 'Product Licenses'
Under 'Network Reputation Services', click 'View license details'
Enter the NRS Activation Code.

Under 'Configuration', select 'Network Reputation'
Check the box next to 'Enable Network Reputation Service'
Under 'Action:', select 'Default intelligent action'
Click 'Save'

Improving the performance of OfficeScan related clients agents

2009-09-11T12:58:00.002+08:00

You notice poor performance from any of the following:
OfficeScan 7.0 / 7.3 / 8.0 / 10 client
Client Server Messaging Security for SMB (CSM) 3.x Agent
Worry-Free Business Security (WFBS) Standard / Advanced Agent

Please refer to this knowledge base.

1. As a workaround, disable the TSC.exe process from starting at startup
2. If the issue persists, delay the RealTimeScan process from starting at startup
3. If the issue still persists, resize the "PagedPoolSize" registry key
4. If this does not work, run the Case Diagnostic Tool (CDT)

List of endpoint security software that OSCE automatically uninstalls

2009-09-04T14:26:00.002+08:00

This is related to old entry with the topic 'Removal of antivirus product during OSCE installation'.

I came across the below note while reading the Student Textbook for OSCE 10, TCSE course. Thought of sharing it.

"If Trend Micro or third-party endpoint security programs are installed on the computer, check if OfficeScan can automatically uninstall the software and replace it with the OfficeScan client. For a list of endpoint security software that OfficeScan automatically uninstalls, open the following files in {installation path}\PCCSRV\Admin. You can open these files with a text editor like Notepad.

tmuninst.ptn
tmuninst_as.ptn

If the software on the target computer is not included in the list, manually uninstall it first. "

problem in updating your IMSS for linux?

2009-08-27T14:46:00.002+08:00

look for tmudumpt.txt file located in /opt/trend/imss/lib/AU_Log/TmuDump.txt
You should have some indication. If it looks garbage to you, send it to Trend Support.

You might want to run Case Diagnostic Tool as well. Type /opt/trend/imss/cdt/cdt
Case Diagnostic GUI will prompt up. Follow through the wizard.

Collect the log/folder and submit to Trend Support.

August Class

2009-08-12T12:03:00.003+08:00

From left is Nizam, Shahril, Sha, Arniza, Rosdi, Duvell, Bernard, Yatim and Helmi.

ScanMail for Domino 3.0 gets update from TMCM 5.0

2009-08-12T11:56:00.003+08:00

By default your SMD will get the update from Trend Micro ActiveUpdate in the Internet. However, you can specify other Internet update source, namely TMCM.
key in "http:///TVCSDownload/activeupdate"
as the Internet update source.

By default also, your SMD will try to do secure update by means of going through https. So most likely that your update will fail if your URL for TMCM is http based. So make sure you add in the following:

Option I. Use the following command inside the server console:
set conf DisableSecureUpdate=1
The server does not need to restart when this option is used.

Option II. Follow these steps:
1. Open the notes.ini file.
2. Add the DisableSecureUpdate=1 entry as another line inside the notes.ini file. Make sure the last line of file is empty.
3. Save the file and restart the Domino server service.

Monitor the success of updates from the Domino server console.

Hope it helps.

IWSS unable to do schedule update after license expire

2009-08-04T16:19:00.000+08:00

Solution:
Recreate the scheduled task using createatasktool.exe downloaded from

http://solutionfile.trendmicro.com/solutionfile/25483/en/createatasktool.zip

IMSS 7.0 and IWSS 3.1 on the same server machine

2009-07-29T09:32:00.001+08:00

Issue:
When running both IMSS 7.0 and IWSS 3.1 on the same server machine, I notice once the IWSS console service is up, the IMSS console service cannot start and same goes the other way. Is there any workaround for this?

Workaround:
Please note, it is not recommended to install both on the same machine.
It is because both tomcat is using same port 8005 to start the service. You need change the port on either IMSS or IWSS tomcat.

Please do EITHER of the two steps below:
A) On IMSS,
1) Go to \ui\adminUI\conf
2) Edit the file server.xml
3) Search for "8005"
4) Replace it with available port such as "8006"
5) Save
6) Start "Trend Micro IMSS Web Console" service

OR

B) On IWSS
1) Go to \ui\adminUI\conf
2) Edit the file server.xml
3) Search for "8005"
4) Replace it with available port such as "8006"
5) Save
6) Start "Trend Micro Interscan Web Security Suite Console" service

OSCE 8.0 hotfix 3300

2009-07-23T13:19:00.004+08:00

Overview of this hotfix release
enables the OSCE client to control access to external devices. e.g to disable the autorun feature for USB device

note:
- you will not be able to run the hotfix, if it detects your OSCE build doesn't meet the requirement
- supported only on 32bit platforms
- please perform the post installation configuration.
- the device access control feature (DAC) applies to all clients.
- OSCE client will not report unauthorized access logs to the OSCE server. However, user can look for the logs locally in the client machine located at ../Trend Micro/BM/Log

where to get the hotfix?
you may request it from Trend Support.

suggestion for post installation configuration (modify and add to ofcscan.ini). This parameter will just enable the disabling autorun for USB devices.

########################start####################################
[Global Setting]
EnableAEGIS=1
CheckMountPointInterval=300

[AEGIS_DACPolicy]

#PolicyId0=D001 - Device Access Control On Plug in devices (USB)
#PolicyId0=D002 - Device Access Control On CD/DVD
#PolicyId0=D003 - Device Access Control On FLOPPY
#PolicyId0=D004 - Device Access Control On Network Resource
#PolicyId0=D005 - Block AutoRun function on USB devices

# v=0 (disable), 1 (enable)
# w=0 (no pop up), 1 (allow pop up)
# x=0 (pass), 2 (deny access), 4 (Read Only), 5 (Read & Write only), 6 (Read & Execute only)
# y=0 (pass), 2 (deny access)
# z=0 (disable), 1 (enable)

Count=5

Enable=1
PopAlert=0

PolicyId0=D001

Action0=5
Enable0=0

PolicyId1=D002

Action1=0
Enable1=0

PolicyId2=D003

Action2=0
Enable2=0

PolicyId3=D004

Action3=0
Enable3=0

PolicyId4=D005

Action4=2
Enable4=1

########################end####################################

replicating imss 7.0 policy and configuration

2009-07-23T11:33:00.002+08:00

issue:
existing imss 7.0 server behaving funny and we suspect that it's going to crash soon. We actually prepare another server with the same IP address and hostname then start to install IMSS 7.0. Now, how do we replicate the settings on existing server to the newly installed server?

solution:
Use utilpolicy ( you can ask from Trend Support or myself for a copy). It's not published in the KB (ASFAIK). The tool will backup policies and IMSS settings. It doesn't matter if the database user name and password different from the earlier server settings.

Overview of the tool
+++++++++++++++++++++
utilPolicy.exe is a simple tool to import/export policy rules and internal addresses using SQL script.

How to use the tool
+++++++++++++++++++++++++
Run to corresponding command line.
a. To export the policy rules and internal addresses:
utilPolicy.exe -e %exported_file_name%
example: "utilPolicy -e policy.txt"

b. To import the policy rules and internal addresses:
utilPolicy.exe -i %exported_file_name%
example: "utilPolicy -i Policy.txt"

3. Restart the IMSS Policy Service.

IWSS 3.1 backup and restore

2009-07-17T11:50:00.009+08:00

You will need SQL Management Express if you don't want to go through the hassle of doing it from the command prompt.

Download and Install Microsoft SQL Server Management Studio Express
http://www.microsoft.com/downloadS/details.aspx?familyid=C243A5AE-4BD1-4E3D-94B8-5A0F62BF7796&displaylang=en#filelist

note: I installed IWSS 3.1 with the database SQL 2005 Express bundled in the installation. Database name is iwss3. Don't lose the sa password! :-)

To backup

1. Click the database name

2. Then click tasks> backup

3. Choose where you want to store the backup file and click OK

4. To restore, follow the earlier steps 1,2 in the above but this time click restore. Click OK to continue to restore.

To see the space of your database, do the following like in the screen capture:

OSCE 8.0 SSO login frm TMCM 3.5

2009-07-14T14:43:00.001+08:00

issue:
My customer installed TMCM 3.5 and OSCE 8.0. OSCE 8.0 is currently registered to TMCM 3.5 as one of the agents.

OSCE web console url is non-ssl based. When try to access OSCE console from TMCM, TMCM will actually refer to ssl based of the OSCE url and result in broken link since OSCE is actually published at http:// instead of https://

How can this be fixed? User wants to SSO to OSCE console from TMCM 3.5. But her OSCE is http based where as TMCM trying to reach to https based of the URL.

SOlution:
Regarding this, kindly perform the following to have the Officescan run on HTTPS:

1. Unregister Officescan from TMCM and delete the entity as well on the TMCM directory tree

2. On the Officescan server open a command prompt and go to the following folder

C:\Program Files\Trend Micro\Officescan\PCCSRV\

3. Run the following command

svrsvcsetup -enablessl

4. Kindly check if you can now access the Officescan console using HTTPS

5. Register it now to TMCM

6. Kindly check if you can now peform SSO onto TMCM

TREND MICRO MALWARE ADVISORY - Zero day security exploit in Microsoft Video streaming ActiveX control MsVidCtl

2009-07-08T21:10:00.001+08:00

Topic: MPEG2TuneRequest Exploit Leads to KILLAV Malware

Details:
Earlier today, TrendLabs has been alerted of a zero-day exploit in Microsoft Video streaming ActiveX control MsVidCtl (Advisory 972890). Around 967 Chinese websites are reported to be infected by a malicious script that leads users to successive redirections and lands them to download a JPG file containing the exploit. Trend Micro detects it as JS_DLOADER.BD.

Upon successful exploitation, the script downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates AV processes, and drops other malware on the affected system.

Affected Software
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems _______________________________________________________________________________

Recommended Action
· Update your AV products to current CPR 6.252.03 or higher
_______________________________________________________________________________

Detection
Trend Micro JS_DLOADER.BD and WORM_KILLAV.AI with current CPR 6.252.03 or higher:
http://www.trendmicro.com/download/pattern-cpr.asp
Malicious URLs: are currently being block by WRS

OSCE SSO from TMCM 3.5

2009-07-08T21:05:00.003+08:00

problem:
My customer installed TMCM 3.5 and OSCE 8.0 where OSCE 8.0 is currently registered to TMCM 3.5 as one of the agents.

OSCE web console url is non-ssl based. When try to access OSCE console from TMCM, TMCM will actually refer to ssl based of the OSCE url and result in broken link since OSCE is actually published at http:// instead of https://

How can this be fixed? User wants to SSO to OSCE console from TMCM 3.5. But her OSCE is http based where as TMCM trying to reach to https based of the URL.

answer:
Regarding this, kindly perform the following to have the Officescan run on HTTPS:

1. Unregister Officescan from TMCM adn delete teh entuty as well on the TMCM directory tree 2. On the Officescan server open a command prompt and go to the following folder

C:\Program Files\Trend Micro\Officescan\PCCSRV\

3. Run the following command

svrsvcsetup -enablessl

4. Kindly check if you can now access the Officescan console using HTTPS 5. Register it now to TMCM

Train the Trainer @ ACA SG

2009-07-08T20:59:00.003+08:00

Thanks Brian for the photo. He's the instructor. The one wearing green shirt and tie.

June class

2009-06-29T09:39:00.001+08:00

16th June until 19th June.

Description on few terms in TMCM 5.0 report

2009-06-12T17:32:00.002+08:00

Question:
I need a description on report by TMCM 5. I need this information to present the report for management.

- Description for Unique Infection Destination Count & Unique Infection Source Count.
- Description for N/A.
- Description for Unique Infection Destination Count & Unique Virus/Malware Count.
- Description for Unique Infection Source Count & Unique Virus/Malware Count.
- Description for No action, N/A, Unable to delete file & File passed.

Answer:

The Unique Infection Destination Count & Unique Infection Source Count is just same as Infection Destination Count & Infection Source Count. There's a word "Unique" because of Log Aggregation which is the new feature in TMCM 5.0 version. This means that the logs has already been sorted out. Like for example: Instead of logging 10 malware detection for same infection source and same malware, TMCM will only log this once.

"NA" means that the infection source is blank. If you will check the virus logs from OSCE server, there are rows which the Infection Source is blank. This is the NA in TMCM reports.

No Action - Some files require further investigation to determine whether they are infected with a virus or other instance of malware. To mitigate the impact of potential false positives, OfficeScan will temporarily take no action on certain suspicious files. After Trend Micro determines the correct status of the file, the scan action will be adjusted accordingly.

File passed - These are the detection scanned by Heurisitic scanning in which the file is tagged as suspicious. Since this is not yet included in the pattern file, OfficeScan will set the action to pass to prevent false-positive detection

Unable to delete - these are the malcious files in which OfficeScan cannot delete the file because it is locked for some reason.

Hope these information helps.

Removal of other antivirus product brand during OSCE installation

2009-06-12T17:28:00.002+08:00

Question:
Will OSCE installer, automatically remove Microsoft Forefront?

Answer:
It will not automatically remove Microsoft Forefront anti-virus software.
I would suggest for you to manually uninstall the Microsoft Forefront antivirus and after that, kindly install the OfficeScan anti-virus software.

Actually, when OfficeScan client is installed, it automatically removes the following products first:

1. Authentium(TM) Command AntiVirus for Windows Enterprise 4.9x
2. Computer Associates (CA) eTrust(TM) Antivirus 8.1.655
3. eScan(TM) for Windows 8.0.653.1
4. ESET(TM) NOD32(TM) Antivirus build 3.0.642
5. ESET(TM) NOD32(TM) Antivirus 3.0.667.0
6. Kaspersky(TM) Anti-Virus 6.0.3.837
7. McAfee(TM) Total Protection
8. McAfee ePolicy Agent 3.6.0.574
9. McAfee VirusScan Enterprise 8.7.0.570
10. Norman(TM) Virus Control 5.99.0600
11. Symantec(TM) 11.0.780.1109 Endpoint Protection
12. Symantec 11.0.2010.25 Endpoint Protection MR 2
13. Symantec Endpoint Protection 11.0.3001.2224
14. Symantec Endpoint Protection 11.0.4000.2295
15. Symantec 11.0.4000.2295 Endpoint Protection 64-bit Edition

Hope this info helps.

Worm Neeris family exploits the same vulnerability MS08-067

2009-06-09T17:51:00.002+08:00

If you haven't patched with MS08-067 which is KB958644, you better take the action now! Not only DOWNAD, you are also susceptible for attack by neeris family..

OSCE patch installation failed!

2009-06-09T17:48:00.001+08:00

Question:
I have tried to install few patches for a customer's OSCE server which runs on x64 Windows 2003 server. The error is "Installation Failed!". One of the patches, OSCE_80_WinSP1_Patch2. It's just rollback and the build number from web console > about still shows version 3013. Even after server reboot.

What went wrong? Need your advice. Attached is the tmpatch.log

Answer:
Here is the analysis of the tmpatch.log (***note that it might vary depends on the case)

The patch installation failed because some files cannot be replaced.

Error Log:
----------------------------
[2009-06-08:16:05:26][cgiRecvFile.exe : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\pftB~tmp\FileGroup9\cgiRecvFile.exe->C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web_OSCE\Web\CGI\cgiRecvFile.exe fail]
Fail.
----------------------------

From the log above, the installation failed because the installer is unable to replace the file 'cgiRecvFile.exe'.

Try doing the following:

1. Stop OfficeScan service
2. Rename cgiRecvFile.exe to cgiRecvFile.exe.bak

**This file can be found on C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web_OSCE\Web\CGI\

3. Then try to install the patch again.

If problem persist, please check the updated tmpatch.log!

Questions on IMSS event logs

2009-06-03T11:24:00.002+08:00

Questions:
Currently, we found a lot of errors from Trend Micro Interscan Messaging Security Suite (IMSS).
1. What are these errors about?

-----------------error#1----------------------
2009/05/23 00:15:50 GMT+08:00
Write socket FAIL!2009/05/23 00:15:50 GMT+08:00
D1B55AA6-934D-4BF7-AE5F-D8DD6AA7489E
ERROR: id, WRITE ERROR AT 2232
2009/05/23 00:15:50 GMT+08:00
D1B55AA6-934D-4BF7-AE5F-D8DD6AA7489E
>> .\r\n

2009/05/23 00:16:40 GMT+08:00
ERROR: Downstream server close the connection, the reason maybe excess downstream mail size limit or local disk is full.
2009/05/23 00:16:40 GMT+08:00
CA273A4C-5244-4507-9DF1-B6B030B495DA
ERROR: id, WRITE ERROR AT 1528
2009/05/23 00:16:40 GMT+08:00
CA273A4C-5244-4507-9DF1-B6B030B495DA
>> .\r\n

-----------------end error#1----------------------

2. Where can we configure the period of expiry for the email?
3. Does IMSS notify the user if the message has expired?

-----------------error#2----------------------
2009/05/23 00:24:39 GMT+08:00
f0208a7b-afa8-4e8f-b434-88fe441a1ee7
Push email into OK
2009/05/23 00:24:39 GMT+08:00
BAD MAIL FROM , Unable to deliver message to .
2009/05/23 00:24:39 GMT+08:00
ca273a4c-5244-4507-9df1-b6b030b495da
Push email into OK
2009/05/23 00:24:39 GMT+08:00
CA273A4C-5244-4507-9DF1-B6B030B495DA
ERROR: AF file expired

2009/05/23 00:24:39 GMT+08:00
CA273A4C-5244-4507-9DF1-B6B030B495DA
ERROR: ERROR DELIVERING MAIL - TIMESTAMP AND REASON HAS BEEN UPDATED IN AF FILE
2009/05/23 00:24:39 GMT+08:00
CA273A4C-5244-4507-9DF1-B6B030B495DA
ERROR: MDA finish, delivery fail since , spend <4299633> ms. eMail is deleted

-----------------end error#2----------------------

Answers:

1. The possible reasons for this issue are:
• Issues with the downstream server (e.g. filter settings for attachments)
• Insufficient space in the local hard drive where IMSS is installed
• Compatibility issues with the Gigabit Ethernet Network Interface Card (NIC)

The WRITE ERROR occurs because these required resources for writing data are not available. To resolve the issue, do either of these options:
• Modify the IsntSmtp.ini file
• If IMSS is installed in the local hard drive, make sure that 500 MB (minimum required free disk space) is available for mail storage
• Ensure compatibility if using a Gigabit Ethernet NIC

Modify the IsntSmtp.ini file:
a. Open the ..\IMSS\IsntSmtp.ini file.
b. Add the following parameter under the “[Delivery-Advanced]” section: "Transfer827=yes"
c. Save the changes.

Ensure compatibility if using a Gigabit Ethernet NIC:
a. Upgrade the NIC driver or downgrade to a 100 MBPS network card.
b. If using either a half-duplex or full duplex setting, change the switch from one setting to the other by configuring the port switch.

2. Where can we configure the period of expiry for the email?
==> You can configure it through:
a. IMSS console > Configuration > SMTP Routing > Delivery > Advance
b. Check 'Maximum retry period' value. This is the period of expiry for the mail.

3. Does IMSS notify the user if the message has expired?
==> By default, IMSS will send NDR notification to senders if the mail/s were not successfully sent.
You can check this settings also in \ISNTSmtp.ini:

Delivery-Advanced]
MaximumHopCount=15
MasqueradeDomain=
DisableReceivedHeader=no
DNSAuthoritativeBitCheck=no

Question on ScanMail for Lotus Domino

2009-06-03T11:20:00.002+08:00

Question:
Does ScanMail for Domino supports clusters on different platform? i.e. Linux and Windows.

Answer:
Yes, SMD supports cluster on different platform. As long as Domino nodes are clustered, SMD can support it. Take note that Domino is not platform dependent then as well as with Scanmail (SMD). This will only replicate the database.

More details will be updated soon....Wait up!

Can SPNT 5.7 Information Server manages SPNT 5.58 Normal server

2009-06-03T11:15:00.002+08:00

Question:
Can Server Protect 5.7 Information server manages 5.58 Normal server?

Answer:
SPNT 5.7 should manage Normal Server with its same version. If customer's Normal server is 5.58 then they should upgrade it to 5.7 version. SPNT 5.7 version also works with 32-bit platform. You may refer to the README:

---------------------from read me--------------------------------
What's New
1. Supports both 32-bit and 64-bit operating system platforms
-----------------------------------------------------------------

IDS-SYN flood in the OSCE firewall log

2009-05-20T15:32:00.002+08:00

Question/Concern/Inquiry:
Hi, I received this OfficeScan logs from my customer asking why there are lots of entries on IDS-SYN flood. How to fix this? Is it because of the machine is infected or not properly patch? Please help to clarify.

Solution/Recommendation:
Two hosts use a SYN FLOOD packet to "shake hands" before establishing a TCP connection. During an attempt to connect, some of the target machine’s resources, such as the memory, may be in use so it does accept the request.

Some attacks take advantage of this TCP feature to flood the target machine with requests that it cannot process. These are called half-open sessions and is a type of Denial of Service (DoS) attack. The connection count between 172.16.1.13 and 168.168.1.186 exceed the default value 64,and this trigger the SYNFLOOD IDS filter.

This is a design specification because of the default SynfloodHalpOpen count is set to 64, if the connection count exceed, IDS rules will be trigged. You can check with the administrators of the company to check why it is sending TCP flood connections by using packet capture (wireshark).

We can also change OSCE Client setting to enlarge the SYNFLOOD halfopen count to workaround: Find the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcfw\Parameters\ IdsSynFloodHalfOpen (DWORD): Default 64 IdsSynFloodSynPerSec (DWORD): Default 4 Change IdsSynFloodHalfOpen to 256 If they still encounter a problem, change IdsSynFloodHalfOpen to 512

Hope this helps.

May Class

2009-05-20T15:14:00.003+08:00

The class was conducted from 12-15th May. Quite a big class this time around.
From left is Mr Chung, Anthony,Najib,Faizal,Shahrul,myself,Azrin,Rohaizat and Ganesh.

Wishing you guys best of luck for the coming exam. ;-)

Mail queue issue

2009-05-19T15:23:00.000+08:00

Question/Concern/Inquiry:
A customer reported his IMSS 7.0 has got problem with the mail queue issue. He started to notice this problem since early last week. The delivery queue could grow up to thousands. REstart the SMTP service will decrease the queue number but after a while it will grow again.

I notice the following error in System Event log since the date that my customer noticed of the problem.
"April 20, 2009 8:00:10 PM,abcmail,Mail Sender processing folder C:\Program Files\Trend Micro\IMSS\queue\reprocess: Smtp server responded error with:"

Solution/Recommendation:
Based on your message, you have a queuing issue. This was caused by the DNS, policy and the network connection problem. In the logs; == April 24, 2009 11:42:23 AM,abcmail,Mail Sender processing folder C:\Program Files\Trend Micro\IMSS\queue\reprocess: Smtp server responded error with:
April 24, 2009 11:44:34 AM,abcmail,IMSS Daemon is stopped April 24, 2009 11:45:08 AM,abcmail,IMSS Daemon Service starts running .....
April 24, 2009 11:45:25 AM,abcmail,Mail Sender processing folder C:\Program Files\Trend Micro\IMSS\queue\reprocessbig: Smtp server responded error with: 421 Internal configuration error April 24, 2009 11:45:25 AM,abcmail,Mail Sender processing folder C:\Program Files\Trend Micro\IMSS\queue\reprocess: Smtp server responded error with: 421 Internal configuration error April 24, 2009 11:48:39 AM,abcmail,IMSS Daemon is stopped April 24, 2009 11:48:51 AM,abcmail,IMSS Daemon Service starts running .....
April 24, 2009 11:49:15 AM,abcmail,Mail Sender processing folder C:\Program Files\Trend Micro\IMSS\queue\reprocessbig: Smtp server responded error with: 552 Message exceeds fixed maximum message size ==

You have a lot of messages queued in \IMSS\queue\reprocess. It only happens when;
* Administrator requested reprocessing of the quarantined mail
* When the action "Change recipient to" is performed
* When the action "Send notifications" is performed and is configured to attach the original mail

To isolate the issue, do the following:
1. Do you have a policy (for example SPAM policy) which has an action "change recipient"? Do you have also an action of "send notifications"? Or do you have a frequest "reprocess" on the quarantined messages like "resend"?
2. If you have a lot of messages in \IMSS\queue\reprocess folder, do these:
a. Stop IMSS services
b. Rename the \IMSS\queue\reprocess folder (for example, reprocess_old) c. Create a new one (for example, reprocess under \IMSS\queue\) and restart the IMSS services

3. Please try increasing the following values on imss.ini to improve the performance of the scanner:

=======================
proc_max_worker_proc=25
proc_thread_per_proc=15
=======================

Save the changes and then restart the IMSS services and see if the problem will still persist.

4. Please check in tsmtpd.ini and set IdleWaitingSecond to "60". See below:

FROM
==
# 9.2
# SMTP client session timeout (seconds).
# If server does not respond for timeout period, then close session.
# Recommended maximum = 60 (to avoid wasting time on dead mails) # #IdleWaitingSecond=30 ==

TO
==
# 9.2
# SMTP client session timeout (seconds).
# If server does not respond for timeout period, then close session.
# Recommended maximum = 60 (to avoid wasting time on dead mails) # IdleWaitingSecond=60 ==

Save the file and restart IMSS SMTP service

5. Also, move files under /mque/resend/ to mque/outbox/pool then, a. Restart "Trend Micro IMSS SMTP Service.
b. Observe for few minutes

OSCE 10 is here!

2009-05-18T09:18:00.000+08:00

The OfficeScan 10.0 GM build 1068R1 was posted on the Trend Micro website on May 15th as scheduled. This GA build is the same as the one that was uploaded to the Beta FTP server for all Beta participants to download.

Note: Due to an issue with the original OfficeScan 10.0 GA product package available for download from the Trend site early on May 15th, you may have encountered the following error when trying to install OfficeScan 10.0.

“Program too big to fit in memory"

This issue has now been resolved. If you encountered this error please download the current package from the Trend website.

http://www.trendmicro.com/download/product.asp?productid=5

Installing Server Protect for EMC Celerra

2009-05-07T14:52:00.003+08:00

Make sure you read the Getting Started Guide and the ReadMe file.

Points worth highlighting here will be the preinstallation tasks. Make sure it's ready before you plan for your visit to do the installation.

1. Make sure the EMC Celerra of supported version
2. AV user Account and Antivirus Group configured
3. CAVA already installed
4. Servers met the specified requirement

The installation is just the same like the Server Protect for NT. However, make sure the target server is not installed with OfficeScan nor other antivirus software that's doing protection for the server. This is because, it will conflict with Server Protect Normal. Refer to this knowledge base.
If both running, the worst case is neither OSCE nor Server Protect will detect the infection.

Once installed, you need to test the scanning with the Eicar test file. Try to download the file from the Internet will prompt you that 'access is denied'. That's just the simple notification you will receive. You will need to test the CAVA working or not by copying the test file into the mapped drive at the EMC box. The same error message should appear.

Verify the infection from the management console at the scan result menu.

Encountered an error while trying to download certain filev ia IWSVA/IWSS

2009-04-27T10:40:00.000+08:00

Question/Concern/Inquiry:
Based on your email, you had encountered an error while trying to download certain filev ia IWSVA.

I had check the screenshot that you had sent and found out that the error occured was caused by popup blocker. Most if the new browser had a built in popup blocker if you were going to look on your Browser the popup to download the file had been blocked.

To resolve this issue you can do the following;

1. Log in to your IWSVA.
2. Click HTTP>HTTP SCAN>Policies
3. At the right pane click the Virus Scan Global Policy 4. Click the Virus Scan Rule tab.
5. Under Large File Hnadling Choose Deffered Scanning.
6. Click Save.

Network Viruswall to exclude mobile device from assessment

2009-04-23T09:57:00.002+08:00

Question:
Saril of NRE asked me on how to exclude mobile devices from assessment by Network Viruswall.

Answer:
To exclude smart phones/PDA from being assessed by Network Viruswall you can either;

1. Add in the smart phones/PDA IP address or MAC Address in the Global Exception List
2. Tick option to "Disable endpoint detection for non-windows Operating Systems" in the Network Viruswall console > Policy Enforcement > Policies.

Hope this helps.

Manually delete PEAgent for Network Viruswall

2009-04-23T09:37:00.002+08:00

Question/Concern/Inquiry:
Based on your message, you moved the NVWe and would like to re-deploy the PE agent. During uninstallation of PE Agent at vista machine, you encounter the following error whenever try to remove the PE Agent via Add/Remove Program .."..another installation is in progress.." If we try to use self installer i.e. peagent_config.exe we will receive the same error too.

Solution/Recommendation:

Please follow the steps below to manually uninstall the PE Agent to these machine:

1. On System Tray, right click PEAgent icon, then click "Uninstall Real-Time Scan".
2. Right click PEAgent icon, then click Exit.
3. Run command "\%WinDir%\PEAgent\PEAgent.exe /delete".
4. Delete the folder \%WinDir%\PEAgent.

April Class

2009-04-13T10:14:00.003+08:00

This month class was conducted from 7th to 10th April. Three participants ; Henny from HP Singapore, Fariz from Felda Prodata and Azizan from Sapura Synergy.

[Trend Micro Advisory] NEW WORM_DOWNAD.E/Conficker Variant

2009-04-10T17:48:00.003+08:00

NEW WORM_DOWNAD.E/Conficker Variant
04/09/2009

Details

This is a pro-active notification that Trend Micro received a new sample of DOWNAD and named it as WORM_DOWNAD.E Trend Micro has flagged this worm as noteworthy due to the increased potential for damage, and propagation. Including its ability to propagate via the Server service vulnerability.

Please visit Trend Micro’s DOWNAD Information page for the latest information:
http://us.trendmicro.com/us/threats/conficker-worm/

Arrival
This worm may be downloaded unknowingly by a user when visiting malicious Web sites.

This worm executes only after meeting any of the following trigger condition:
Any day before May 3, 2009

Propagation Routine
This worm propagates by taking advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system received a specially crafted RPC request, which also contains a shellcode.

This worm also attempts to propagate via the same vulnerability through the internet using external IP addresses by checking if the system is directly connected to the internet.

Other Details
This worm creates the temporary file in %System%/0{Random}.tmp which is a SYS file and is detected by Trend Micro as TROJ_DOWNAD.E. It then creates a service using this temporary file, thus the malicious routines of this malware are also exhibited in the system. After creating the service, the temporary file is deleted.

It then patches %System%\drivers\tcpip.sys in memory to modify the limitation of TCP maximum half-connection attempts number. After doing this, the created driver service is unloaded and deleted, leaving no trace in the registry.

It creates a thread that opens a random port to communicate with a remote computer. This worm also creates the following mutex “Global\{Random}” to ensure that only one instance of itself is running in memory:

_________________________________________________________________________________

Trend Micro Solutions
·VSAPI Pattern - Since OPR 5.953.00
·Intellitrap pattern - detected as PAK_Generic.001
·Damage Cleanup Template - DCT OPR 1026
_________________________________________________________________________________

DOWNAD/Conficker Best Practices
1. Patch Windows systems with the MS08-067
2. Verify OfficeScan Client Edition is up to date and proper sttings
http://esupport.trendmicro.com/pages/How-to-configure-Trend-Micro-products-for-best-protection-against-malw.aspx
3. Follow recommended solutions and protection

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EE&VSect=Sn
_________________________________________________________________________________

SPNT 5.7 is not for Windows 2003 server 32 bit

2009-04-08T16:58:00.003+08:00

Your concern as spoken over the phone as follows:
ServerProtect 5.58 installed on Windows 2003 server has problem to update with the latest component (scan engine and pattern file). It’s a fresh installation and you faced this problem since last week.

Information required:

Please forward to me tmudump.txt file (you can perform a search in C:\Program Files\Trend\Sprotect folder)
Screen shot of the error message (I’ve record down in text, however if I need to escalate this to Trend Support a screen shot will help)
Have you installed the latest patch for your ServerProtect 5.58? http://www.trendmicro.com/ftp/products/patches/spnt_558_win_en_patch7.exe
Screen shot of the update page screen. ( I want to see the current component version)
Please forward to me server.ini file from spntshare directory.

Feedback from customer:
She actually installed SPNT 5.7 on Windows 2003 32 bit. I asked her to remove SPNT 5.7 and install SPNT 5.58 instead. That solved the problem not able to update the scan engine and pattern file.

Another case is solved.

Removing spyware from "exclusion list" in your IWSS

2009-04-07T16:00:00.000+08:00

If you add spyware into the exclusion list, it will no longer detected as spyware the next time around. Until you remove the entry from SPYWAREEXCEPTIONLIST.INI by default located in your IWSS installation folder.

very simple test that's available at the Conficker Working Group's site.

2009-04-06T14:03:00.001+08:00

Do you want to check if you are infected with Conficker or Downad worm family? Verify from this test site Conficker Eye Chart

TMCM 3.5 security logs

2009-04-06T10:30:00.003+08:00

Concern
+++++++++
Hello, I have customer asking me why at his TMCM, he can see the result for unsuccessful entry. Whereas, when he digged the OSCE log for the day there was nothing related being found, Further looking at the TMCM log, it is found that the time the log was generated at entity was back 8 months. Whereas the time received from entity show yesterday date. My question is why it is taking long time for the OSCE to send the logs to TMCM? Please explain in what condition that this things happen. How to remedy. I will attach together tmcm and officescan log for yesterday. If you look at the Tmcm log, look at the first and second column. Some are of the same day differs only 1 hour which is acceptable. but some are few months different. Should you need more info, please let me know.

Suggested solution
+++++++++++++++++++++
"Generated at entity" means that the information log was generated at the OfficeScan. "Received from entity" means the the information log was received by Control Manager. From the log, it showed that OfficeScan generated the log on 6/9/2008 and was uploaded to Control Manager on 2/4/2009. There are several reasons for this kind of issue. Below are the possible reason:

1. TMCM purged already the logs (depending on Purge settings) but the particular log is still on OfficeScan.
2. The log was queued on OfficeScan.
3. OfficeScan was offline during that time.

We can adjust the polling of logs from Agent.ini file. Agent.ini normally located in ..OfficeScan\PCCSRV\CmAgent\

More details on parameter to edit, I'd recommend you submit to Trend Portal. Anyway the number indicated in agent.ini is in seconds.

Backup your OSCE configuration before reinstallation or upgrade

2009-03-31T12:09:00.002+08:00

Let say you need to remove your current OSCE server and perform a fresh install. What files to backup?

1. HTTPDB folder
2. PFW folder if you enable the firewall
3. ofcscan.ini

Make sure when you go through the wizard, you retain the older configuration of server client 5 digits communication port, web server configuration whether by IP address or hostname and the port number of the web server i.e. 8080, 80.

I hope it helps.

Squid cache on IWSVA 3.1

2009-03-26T17:02:00.000+08:00

The default size limit of the entire cache is 588 MB (this is defined in the cache_dir parameter). The objects in the cache will be considered STALE after the following time:

FTP – 10080 minutes or 7 days
HTTP – 4320 minutes or 3 days

This is defined by the refresh_pattern parameter. Refer to the squid.conf file for further details.

URL cache for IWSS/IWSVA3.1

2009-03-25T16:54:00.001+08:00

IWSS/IWSVA 3.1 includes Web Reputation feature. This feature relies on DNS queries to Trend Micro data centers for each new URL request. Reputations are cached for a period of 35 minutes by default and new reputation requests for that URL are provided without the need for additional queries.

March 2009 Class

2009-03-23T10:32:00.004+08:00

From left is Ikhwal, Son, Dung, Sha, Hartini and Suhaini.
Dung and Son from VietInBank. Ikhwal from one of the local partner. Hartini and Suhaini from TelBru.

[Malware Advisory] WORM_Downad.KK - Activates on April Fool's Day

2009-03-23T10:30:00.001+08:00

Dear All,

We would like to inform you that we have received new updates from our Global Update Center.

Topic: WORM_Downad.KK – Activates on April Fool’s Day

Advisory Release Date: March 18, 2009

Details

Worm_downad had infected more than 15 million computers, making it one of the widespread infections in recent times.

A new variant of worm_downad (aka Conficker) is expected to be launched on April Fool’s day.

Trend Micro detects this new variant as worm_downad.kk. More information can be found at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.KK&VSect=T. Trend Micro detects this malware starting with pattern file 5.885.00.

Compared to the old variants, worm_downad.kk is more sophisticated. Here are a few of the payloads :

· Connects to various time servers to determine the current date and time.

· Register itself as a system service to ensure auto execution every startup.

· Deletes a registry key to prevent system startup in safe mode.

· Terminates security-related processes (i.e. procexp, regmon, autoruns, gmer etc.)

· Blocks access to security and antivirus websites.

· Generates 50,000 malicious URLs and attempts to connect to around 500 random generated URLs at a time.

_______________________________________________________________________

Recommended Action

· Enable Web Reputation Service

· Make sure that you have the latest virus definitions (at least pattern file 5.885.00)

· Run a FULL system scan to ensure that malware does not exist on your PC

· Apply MS 08-067

· Ensure strong password practice

· Disable autorun.inf for removeable devices

· For file sharing server, don’t share to everyone.

Server Protect NT Normal Server

2009-02-25T17:14:00.002+08:00

Checklist for SPNT normal server installation:

1. log in as administrator
2. Verify if the target drive/directory is administrative shared from windows explorer \\servername\c$ try to create a text file. If allowed means we are okay to do the installation
3. From Windows services (services.msc) verify that Remote Procedure Call (RPC) service and Remote Registry Services are started ; startup type automatically
4. If the servers are hardened, please verify with the server owner/vendor with the problem that you face. By right, if you comply to #1-3 you should be able to install SPNT normal server successfully!

Image Setup utility is not supported on Vista

2009-02-16T12:52:00.003+08:00

When creating image, you can use the Image Setup Utility (imgsetup.exe). The Image Setup Utility helps you use the hard drive imaging technology to deploy the client. Run this tool after OSCE client is installed on the image and before the copies of the image is made. It will ask the OfficeScan client to regenerate a GUID once the image is loaded on new machines.

In OfficeScan 8.0, the GUID is checked upon registration. Duplicate GUIDs are listed in the \pccsrv\chkguid.log file. Client listed in this file has a duplicate GUID. To force a client to generate a new one, you need to run Verify Connection from the management console. A scheduled Verify Connection may be set up to run once a day. Result of this Verify connection task can be found in \pccsrv\verconn.log file.

This utility is however not supported on Vista

Interpreting the X-header

2009-02-12T17:58:00.005+08:00

What does the X-header means?
++++++++++++++++++++++++

The first line detailing the product in used which is IMSS version 7 and the spam pattern information as highlighted in green color.

The second line indicates the spam score for the message is 12.814 whereas the detection threshold is 6.0. The value ‘1’ indicates it is detected as a spam.

Report false-positives?
+++++++++++++++++

This can be done by following the steps below:
a. Save the original copies of the spam emails received in *.msg or *.eml format.
b. Put all the samples in a folder and compress/zip it with a password (example: novirus).
c. Send the message to the following email addresses:

Address false-positives to: false[at]support.trendmicro.com.

Address false-negatives to: spam[at]support.trendmicro.com.

Trend Micro Anti-spam engineer will fine tune their processes to avoid such incident from happening again.

Malware Advisory - [PE_VIRUX.A AWARENESS]

2009-02-10T09:41:00.003+08:00

PE_VIRUX.A is a polymorphic file infector capable of infecting .exe and .scr files. This file infector may be downloaded unknowingly by a user when visiting malicious Web sites.

For more information about this malware, please see the following link:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_VIRUX.A

Solutions available:
I. Trend Micro strongly recommends updating your pattern file to the latest OPR (Official Pattern Release). OPR 5.821.00 already includes detection for PE_VIRUX.A.

II. If in case your network is already experiencing infections from this malware, the following product settings are recommended:

1. Set first product action to clean

2. Set second product action to pass
note: Use a specific action for each virus/malware type

You can consider applying the preventive measures below:

a. Download from trusted sites or sources only. Unknown sites will possibly direct the user’s browser to malicious websites to download scripts or executables that can infect machines.

b. Make sure that downloaded or copied files are scanned by Trend Micro antivirus first before executing them.

c. Ensure that OfficeScan Web Reputation Services is enabled and the security level is configured as “Medium”.

Bypass server checking for OSCE client packager

2009-02-06T11:43:00.002+08:00

You might want to add in this parameter before creating the client packager if you want to execute the client packager off the corporate network where there is no connection back to the OfficeScan server. The impact if you don't have this parameter, your installation may stall or fail for the client packager installation keeps trying to check the OSCE server and failed to connect.

Edit the following file.

1. Open the ofcscan.ini file on the OfficeScan server (..\PCCSRV\ofcscan.ini)
2. Under the header INI_CLIENT_SETUP_SECTION, add the BypassServerChecking=1 parameter.
3. Save and close the file.
4. Recreate the Client Packager setup file and deploy this to the clients.

Hope it helps.

Tool - autorun eater

2009-02-06T10:38:00.003+08:00

Din and Hafizi shared with me about this tool that they deployed to their end users to avoid problem with the worm spreading via thumb drives.

The tool is called Autorun Eater. It will remove any suspicious 'autorun.inf' files even before the user attempts to access the drive. These files are auto-backup'ed in case of false positives. If you have OfficeScan already installed, it can work hand in hand. OfficeScan will detect the autorun.inf if only user access the drive. So, when you have autorun eater it is a proactive step.

note: The tool produces a goat sound effect upon starting. You might want to turn off the volume.

January class

2009-01-30T10:35:00.000+08:00

Hafizi and Din from MOHA. Hopefully to see you both come here and sit for the TCSE exam! Good Luck. :-)

Analyzing your OSCE virus log for worm_downad

2009-01-23T09:13:00.003+08:00

Click for larger image

If you look at your OSCE virus log and found 'x' under column Infected file. That indicates the machine has not been patched with MS08-067.

Further explanation:

"If there is WORM_DOWNAD detection in IE temp folder + WORM_DOWAD detection in system folder for the file named x and real time scan able to delete the file means that malware is Propagatng via MS08‐067 and machines are still not patched with MS08‐067."

Do you still fighting against this worm? Good Luck! I hope this information helps.

January Class in Brunei

2009-01-15T15:04:00.000+08:00

Thanks to Syafiq for the photos. Yeah, you should apologize for the delay in sending me the photos! :-) Anyway, I had a fun time teaching all of you though I had to talk non-stop to finish up the syllabus in time.

Good Luck for exams! Tell me the good news only. By the way, they are from Ministry of Foreign Affairs and Trade.

Installing MS SQL 2005 Express on other drives.

2009-01-15T11:51:00.004+08:00

Let say this is for Trend Micro Control Manager 5.0. When you run the installation, you will have to choose the database selection. If you choose "Install Microsoft SQL Express", the only thing that you can specify is the SA password. You can't choose the installation path for your database, hence the database will be installed to C:\ following the TMCM installation.

If you need to install the database component on D drive for example, I would suggest that you run installation for MS SQL Express seperately. Look for SQLEXPR.exe from TMCM installation folder. You will go through the installation wizard. When you come to this screen, select Browse button to browse for the target installation path.

Using GMER to detect rootkit malware

2009-01-15T10:33:00.005+08:00

GMER is a free tool which you can use to detect rootkit malware. DownAD is one of it. If you suspect that your machine is infected with a rootkit, you may want to run GMER. Item highlighted in red are the identified rootkit malware.

From the identification, you can do proper cleanup. Once done, you may need to rerun GMER to verify that the rootkit has been successfully removed.

Best Practice - How to clean Worm_Downad.AD with OfficeScan

2009-01-13T09:47:00.002+08:00

Trend Micro has seen an increase of Worm_Downad.AD infection or its variants.

Symptom
· Users cannot login using their windows credentials because it is locked out
· Increase traffic at port 445

The following components are needed in order to completely clean the infected machines:
· Latest virus pattern file (lpt$vpn.xxx)
· Rootkit Common Module (RCM) 2.2.1016
· GeneriClean Technology
· Damage Cleanup Template (DCT) 1002
· Damage Cleanup Engine (DCE) 6.0.1169
· Scan engine (VSAPI) 8.911
· Microsoft 08-67 patch

Recommended Action

Using OfficeScan (OSCE) 8.0
1. Apply MS08-67 patch -- http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
2. Update now to ensure you have the latest components
3. Deploy the latest Damage Cleanup Engine (DCE) 6.0.1169 via OSCE server. DCE 6.0.1169 can be downloaded at http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/DCEv6.0.1169.zip
Visit KB article for details -- http://esupport.trendmicro.com/support/search.do?cmd=displayKC&docType=kc&externalId=PUB-en-124134
4. If VSAPI 8.911 is not yet uploaded to AU, apply VSAPI 8.911 to the OSCE server. You can download the files at http://www.trendmicro.com/download/engine.asp#prod_5
Visit KB article for details -- http://esupport.trendmicro.com/support/search.do?cmd=displayKC&docType=kc&externalId=PUB-en-122633
5. Once all the update components are up-to-date, invoke a “scan now” from the OSCE server
6. Machines that are infected with Worm_Downad.AD or its variants requires a reboot to completely clean the machine.

Using OfficeScan (OSCE) 7.x
1. Apply MS08-67 patch -- http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
2. Update now to ensure you have the latest components
3. Deploy the latest Damage Cleanup Engine (DCE) 6.0.1169 via OSCE server. DCE 6.0.1169 can be downloaded at http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/DCEv6.0.1169.zip
Visit KB article for details -- http://esupport.trendmicro.com/support/search.do?cmd=displayKC&docType=kc&externalId=PUB-en-124134
4. Install Rootkit Common Module on each OSCE 7.x clients
a. download the file (DTtool.zip) at FTP site
b. extract and copy these files to the windows\system32\drivers folder
Dttool.exe
Tmcomm.inf
Tmcomm.sys
Tmengdrv.dll
c. open command prompt and go to windows\system32\drivers and run
Dttool.exe install
Dttool.exe start
5. If VSAPI 8.911 is not yet uploaded to AU, apply VSAPI 8.911 to the OSCE server. You can download the files at http://www.trendmicro.com/download/engine.asp#prod_5
Visit KB article for details -- http://esupport.trendmicro.com/support/search.do?cmd=displayKC&docType=kc&externalId=PUB-en-122633
6. Once all the update components are up-to-date, invoke a “scan now” from the OSCE server
7. Machines that are infected with Worm_Downad.AD or its variants requires a reboot to completely clean the machine.

Resetting TMCM 5.0 password

2008-12-26T11:33:00.004+08:00

If you forgot your password to login to TMCM console, you can reset it. However, you cannot forget the username that you used to login (yes, there are people who forgot even the username). Please refer to the knowledge base solution ID: 1038174 for resetting password via OSQL command line.

If using osql command line doesn't help, you might want to try using this tool QTODBC. Let me know if you can't find the tool in the Internet. For those who are using licensed SQL server, probably you can use the SQL Enterprise Manager. Please refer to the knowledge base solution ID : 1037073

Hope this helps.

Merry Xmas and Happy New Year

2008-12-26T11:17:00.002+08:00

Hello all! The year is getting to the end where we will have to bid farewell to 2008 and welcome 2009. I hope everyone is enjoying the holidays! Merry Xmas and Happy New Year to all!!

Send Large Files by Email

2008-12-23T09:36:00.003+08:00

Often, Siclog or other logs that you need to submit to Support Engineer may grow to a large size that restricting you from attaching it via email. Alternative? You can upload it to an FTP site OR try this service offered by You Send It. Other websites offering the same service are in here.

Upon uploading a file to the website, an email is sent to the recipient, where they are given a link to download the file. It's that easy!

December Class

2008-12-22T11:22:00.003+08:00

Lyn and Wind are two kind ladies. :-) Thank you for being understanding. I am sorry that even DimDim.com that time were not on my side when the 'conversion' server became unavailable to convert the powerpoint slides.

Wish you all the best in the exam!

MSDE/ SQL 2005 database installation

2008-12-19T09:06:00.005+08:00

Something to take note when you install IWSS, IMSS or TMCM which require database component and your option is to install MSDE/SQL 2005 database, make sure the option for authentication is set to 'SQL Server Authentication'. If you are installing on existing SQL server, choose Mixed Authentication Mode.

You may refer to this knowledge base from Microsoft website should you need to verify and change the system administrator password in MSDE or SQL Server 2005 Express Edition.

Online Support System

2008-12-15T17:13:00.004+08:00

You can say goodbye to the good ol' asia[at]support.trendmicro.com from now on. Please welcome to the new and updated online support system which can be reached here.

All support cases should be submitted through there and each cases will be assigned with service request ID. Do provide your real email address in "Send Reply-To" field because the reply from Trend Support will be sent to this account.

Happy Supporting Trend!

Top Infectors for Asian countries

2008-12-12T14:18:00.005+08:00

I handled a number of cases for the past few months regarding the spread of autorun malware via thumb drive. Thank you Azril for the latest malware sample, :p

This statistic from Trend Micro researcher will give you some insights, do read it here.

If disabling the autorun feature is agreeable to the end users, you might want to consider deploying this tool.

JS_DLOAD.MD/IE7 0-day Exploit

2008-12-12T09:58:00.002+08:00

Details

On December 10, 2008 2:06pm (GMT +8) TrendLabs received a report stating that there is a zero day IE7 exploit discovered in a China forum. The said toolkit was being sold in China underground community. The exploit method used is a Heap Spray on SDHTML that affects the following platform :

Internet Explorer 7.0 (7.0.5730.13)

Windows XP / Windows 2003

The behavior of the malware after exploit is it will download/redirect to the following URL's wwwwyyyyy.cn and qqqqttrr.cn

As of December 10, 2008 2:06PM (GMT +8) Microsoft does not have any patch on this exploit.

Solution

URL FILTERING:

Domain

cc4y7.cn {BLOCKED}

wwwwyyyyy.cn {BLOCKED}

qqqqttrr.cn {BLOCKED}

www-onlinedown.com {BLOCKED}

hxxp://wieyou.com/iiee/explore.exe {BLOCKED}

hxxp://baidu.bbtu001.com {BLOCKED}

sllwrnm5.cn {BLOCKED}

VSAPI:

December 10, 2008 12:13:29 PM OPR 5.699.00 has been released including the following detections:

TROJ_GAMETHI.BPF
TROJ_PATCH.KU

OPR: 5.701.00 is already released

JS_DLOAD.MD
TSPY_ONLINEG.EJH
TSPY_ONLINEG.EJG
TSPY_ONLINEG.EJG
TSPY_ONLINEG.HAV
TSPY_ONLINEG.EJG
TSPY_ONLINEG.ADR

VIRUS REPORT:

More detailed description of this malware can be found at the following link:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOAD%2EMD