Showing posts with label TMCM. Show all posts

Monday, December 21, 2009

List of ports when using NVW and TMCM

A customer asked which ports to allow, since he deploys two units of NVW and the NVW units are registered to TMCM in the network.

Ports used by NVW and TMCM to communicate:

1. TCP 80 Listening/Outbound (HTTP)
2. TCP 443 Listening/Outbound (HTTPS)
3. UDP 10323 (Inbound)
4. UDP 514 Outbound (Syslog)

Ports used by NVW and protected machines to communicate:

1. TCP 20901-2 Listening & TCP 20903 Interprocess (Damage Cleanup Services). These are also used by Vulnerability Assessment.

2. UDP 123 (Inbound). Port used by the Trend Micro Network Time Protocol. It is also used by Network VirusWall to synchronize time with the TMCM server.

3. UDP 10323 (Inbound). Default Heartbeat Port of TMCM for MCP-based agents. Heartbeats will indicate to the TMCM server that an agent is active.

4. 5088 - Peagent

5. 5091 - Threat management agent. You can also modify this port in NVW console > Policy enforcement > TMAgent settings.

Wednesday, November 11, 2009

Manual or scheduled update failed

Issue:

The client was not able to update the pattern of their TMCM 5.0. The error "Unable to create sub directory" appeared, which can be seen in the command tracking.

CDT logs captured and findings as follows:

Err 20091030 22:48:08 5620 4436 HttpConnection: Socket connect fail
Err 20091030 22:48:08 5620 4436 TmDownloader: Connection fail when try to open resource
Inf 20091030 22:48:08 5620 4436 Re-downloaded (3) times
Err 20091030 22:48:08 5620 4436 Downloader returns: 4
Err 20091030 22:48:09 5620 4436 can not get required server info file
Inf 20091030 22:48:09 5620 4436 Cleanning Temp dir [D:\Program Files\Trend Micro\Control Manager\AU_Data\AU_Temp\5620_4436]
Inf 20091030 22:48:09 5620 4436 UpdateManager endwith 28 (1c0002): ActiveUpdate was unable to connect to
the network. Please verify that the network connection is functional, and
then try again.
Inf 20091030 22:48:09 5620 4436 End TmuUpdateEx()
------------------------------
Inf 20091030 22:48:09 5620 4436 release context for thread: 4436
Err 20091030 22:48:09 5620 4896 Delete Temp dir fail.
Inf 20091030 22:48:09 5620 4896 Cleanning Temp dir [D:\Program Files\Trend Micro\Control Manager\AU_Data\AU_Temp\5620_4896]
Inf 20091030 22:48:09 5620 4896 UpdateManager endwith 16 (100000): ActiveUpdate was unable to complete the
requested file operation. Please try again. If the problem persists,
contact your Trend Micro technical support provider.
Inf 20091030 22:48:09 5620 4896 End TmuDuplicateEx()
------------------------------
Inf 20091030 22:48:09 5620 4896 release context for thread: 4896
------------------------------
Inf 20091030 22:48:09 5620 4896 new context for thread: 4896
------------------------------
Inf 20091030 22:48:09 5620 4896 Set key[KeptPatternMaxCount] value[14]
Inf 20091030 22:48:09 5620 4896 TmuSetPropertyEx returned [TRUE]
------------------------------
Inf 20091030 22:48:09 5620 4896 Start TmuDuplicateEx()
Err 20091030 22:48:09 5620 4896 Delete Temp dir fail.
Inf 20091030 22:48:09 5620 4896 Cleanning Temp dir [D:\Program Files\Trend Micro\Control Manager\AU_Data\AU_Temp\5620_4896]
Inf 20091030 22:48:09 5620 4896 UpdateManager endwith 16 (100000): ActiveUpdate was unable to complete the
requested file operation. Please try again. If the problem persists,
contact your Trend Micro technical support provider.



Answer:


The issue was possibly on the client's network side. Kindly check whether they are using a proxy on the TMCM server.

After checking the proxy setting, kindly advise the client to delete all the contents of \Program Files\Trend Micro\Control Manager\AU_Data and try a manual update again.

Note: Some of the files are locked and can't be deleted. Only after the Trend Micro Control Manager service is stopped can a complete deletion be done.
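To separate the two failures in a CDT log like the one above (the connection failure and the temp-directory failure), the entries can be grouped per thread and the UpdateManager result codes pulled out. This is an added example, not part of the original post or of Trend Micro's tooling; the function names are hypothetical, the sample lines are copied from the excerpt, and reading the fourth and fifth fields as process id and thread id is an assumption based on the "thread: 4436" entries.

```python
import re
from collections import defaultdict

# Assumed entry layout: level, date, time, process id, thread id, message.
ENTRY = re.compile(r"^(Err|Inf) (\d{8}) (\d{2}:\d{2}:\d{2}) (\d+) (\d+) (.*)$")
RESULT = re.compile(r"UpdateManager endwith (\d+) \(([0-9a-fA-F]+)\): (.*)")

# Lines copied from the log excerpt in the post, wrapped text included.
SAMPLE = r"""Err 20091030 22:48:08 5620 4436 HttpConnection: Socket connect fail
Inf 20091030 22:48:09 5620 4436 UpdateManager endwith 28 (1c0002): ActiveUpdate was unable to connect to
the network. Please verify that the network connection is functional, and
then try again.
------------------------------
Err 20091030 22:48:09 5620 4896 Delete Temp dir fail.
Inf 20091030 22:48:09 5620 4896 Cleanning Temp dir [D:\Program Files\Trend Micro\Control Manager\AU_Data\
AU_Temp\5620_4896]
Inf 20091030 22:48:09 5620 4896 UpdateManager endwith 16 (100000): ActiveUpdate was unable to complete the
requested file operation. Please try again. If the problem persists,
contact your Trend Micro technical support provider."""

def parse(text):
    """Return entries; wrapped lines are appended to the previous message."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue  # blank line or dashed separator
        m = ENTRY.match(line)
        if m:
            entries.append(dict(zip(("level", "date", "time", "pid", "tid", "msg"), m.groups())))
        elif entries:
            # a path wrapped after a backslash is rejoined without a space
            sep = "" if entries[-1]["msg"].endswith("\\") else " "
            entries[-1]["msg"] += sep + line
    return entries

def summarize(entries):
    """Per thread id: the Err messages and the UpdateManager result codes."""
    out = defaultdict(lambda: {"errors": [], "results": []})
    for e in entries:
        t = out[e["tid"]]
        if e["level"] == "Err":
            t["errors"].append(e["msg"])
        m = RESULT.search(e["msg"])
        if m:
            t["results"].append((int(m.group(1)), m.group(2), m.group(3)))
    return dict(out)

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

On the sample, thread 4436 ends with result 28 after a socket connect failure, while thread 4896 ends with result 16 after failing to delete its temp directory, which matches the two remedies in the answer (check the proxy, then clear AU_Data with the service stopped).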

Monday, October 26, 2009

How to set a fixed amount of memory (Enterprise Manager)

Issue:
If SQL Server runs on the same system as the TMCM server and you notice that memory utilization is quite high, most of the time occupied by SQL-related processes, you probably need to set a fixed amount of memory (Enterprise Manager), approximately two-thirds of the total memory, for the TMCM server.

Suggestion:
To set a fixed amount of memory

1. Expand a server group.

2. Right-click a server, and then click Properties.

3. Click the Memory tab.

4. Click Use a fixed memory size (MB), and then position the fixed memory slider.

Wednesday, October 14, 2009

Database optimization for TMCM 3.0

Issue:
I have a customer who installed the old TMCM version 3.0 on an MSDE database (the free database version that is bundled in the TMCM installer). I will have to perform database performance optimization for Expert on Guard (EoG) service activation. How do I go about doing it?

Answer:
You will need Query Analyzer. For a free tool, you can download one from here. Connect to the database and execute the following commands.
Copy and paste them into Query Analyzer:
--------- copied start below this line -------------------------------------
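-- Work in the Control Manager database
use db_ControlManager;
-- Empty the invalid-log table and the command tracking/queue tables
truncate table tb_InValidLog;
delete tb_DeployCommandTracking;
delete tb_tvcscommandlist;
delete tb_tvcsCommandTaskqueue;
-- Remove registered-product rows whose total count is zero or less
delete tb_registeredproductlist where RPL_TotalCount<=0;
-- Reset product info state (the WHERE condition is cut off in this post)
update tb_registeredproductlist set RPL_ProductInfoState=0 where RPL_ProductInfo
-- Truncate the transaction log, then shrink the database
Backup log db_ControlManager with truncate_only;
DBCC shrinkDatabase(db_ControlManager);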
--------- copied end this line ------------------------------------------------

Note: dbcontrolmanager.mdf is variable; it is typically the name of your TMCM database.
Verify that the commands executed successfully.

I hope it helps!

Tuesday, July 14, 2009

OSCE 8.0 SSO login from TMCM 3.5

Issue:
My customer installed TMCM 3.5 and OSCE 8.0. OSCE 8.0 is currently registered to TMCM 3.5 as one of the agents.

The OSCE web console URL is non-SSL based. When trying to access the OSCE console from TMCM, TMCM actually refers to the SSL-based OSCE URL, which results in a broken link since OSCE is actually published at http:// instead of https://

How can this be fixed? The user wants to SSO to the OSCE console from TMCM 3.5, but her OSCE is HTTP-based whereas TMCM is trying to reach the HTTPS-based URL.

Solution:
Regarding this, kindly perform the following to have OfficeScan run on HTTPS:

1. Unregister OfficeScan from TMCM and delete the entity from the TMCM directory tree as well

2. On the OfficeScan server, open a command prompt and go to the following folder

C:\Program Files\Trend Micro\Officescan\PCCSRV\

3. Run the following command

svrsvcsetup -enablessl

4. Kindly check if you can now access the OfficeScan console using HTTPS

5. Register it to TMCM again

6. Kindly check if you can now perform SSO onto TMCM

Friday, June 12, 2009

Description on few terms in TMCM 5.0 report

Question:
I need a description on report by TMCM 5. I need this information to present the report for management.

- Description for Unique Infection Destination Count & Unique Infection Source Count.
- Description for N/A.
- Description for Unique Infection Destination Count & Unique Virus/Malware Count.
- Description for Unique Infection Source Count & Unique Virus/Malware Count.
- Description for No action, N/A, Unable to delete file & File passed.

Answer:

The Unique Infection Destination Count & Unique Infection Source Count are just the same as Infection Destination Count & Infection Source Count. The word "Unique" is there because of Log Aggregation, which is a new feature in TMCM 5.0. This means that the logs have already been sorted out. For example, instead of logging 10 malware detections for the same infection source and the same malware, TMCM will only log this once.

"NA" means that the infection source is blank. If you check the virus logs from the OSCE server, there are rows in which the Infection Source is blank. This is the NA in TMCM reports.

No Action - Some files require further investigation to determine whether they are infected with a virus or other instance of malware. To mitigate the impact of potential false positives, OfficeScan will temporarily take no action on certain suspicious files. After Trend Micro determines the correct status of the file, the scan action will be adjusted accordingly.

File passed - These are detections made by heuristic scanning in which the file is tagged as suspicious. Since this is not yet included in the pattern file, OfficeScan will set the action to pass to prevent false-positive detection.

Unable to delete - These are malicious files that OfficeScan cannot delete because the file is locked for some reason.

Hope this information helps.

Monday, April 6, 2009

TMCM 3.5 security logs

Concern
+++++++++
Hello, I have a customer asking me why, at his TMCM, he can see the result for unsuccessful entry, whereas when he dug through the OSCE log for the day there was nothing related to be found. Looking further at the TMCM log, it is found that the time the log was generated at entity was 8 months back, whereas the time received from entity shows yesterday's date. My question is why it is taking a long time for OSCE to send the logs to TMCM. Please explain under what conditions this happens and how to remedy it. I will attach the TMCM and OfficeScan logs for yesterday. If you look at the TMCM log, look at the first and second columns. Some are of the same day and differ by only 1 hour, which is acceptable, but some are a few months different. Should you need more info, please let me know.

Suggested solution
+++++++++++++++++++++
"Generated at entity" means that the information log was generated at OfficeScan. "Received from entity" means that the information log was received by Control Manager. The log showed that OfficeScan generated the log on 6/9/2008 and that it was uploaded to Control Manager on 2/4/2009. There are several possible reasons for this kind of issue:

1. TMCM purged already the logs (depending on Purge settings) but the particular log is still on OfficeScan.
2. The log was queued on OfficeScan.
3. OfficeScan was offline during that time.

We can adjust the polling of logs in the Agent.ini file. Agent.ini is normally located in ..OfficeScan\PCCSRV\CmAgent\

For more details on which parameter to edit, I'd recommend you submit the question to Trend Portal. In any case, the numbers indicated in agent.ini are in seconds.

Thursday, January 15, 2009

Installing MS SQL 2005 Express on other drives.

Let's say this is for Trend Micro Control Manager 5.0. When you run the installation, you will have to choose the database selection. If you choose "Install Microsoft SQL Express", the only thing that you can specify is the SA password. You can't choose the installation path for your database, hence the database will be installed to C:\ following the TMCM installation.

If you need to install the database component on the D drive, for example, I would suggest that you run the installation for MS SQL Express separately. Look for SQLEXPR.exe in the TMCM installation folder. You will go through the installation wizard. When you come to this screen, select the Browse button to browse for the target installation path.








Friday, December 26, 2008

Resetting TMCM 5.0 password

If you forgot your password to log in to the TMCM console, you can reset it. However, you cannot forget the username that you used to log in (yes, there are people who forgot even the username). Please refer to the knowledge base solution ID: 1038174 for resetting the password via the OSQL command line.

If using the osql command line doesn't help, you might want to try using this tool, QTODBC. Let me know if you can't find the tool on the Internet. Those who are using a licensed SQL Server can probably use SQL Enterprise Manager. Please refer to the knowledge base solution ID: 1037073

Hope this helps.

Friday, December 19, 2008

MSDE/ SQL 2005 database installation

Something to take note of when you install IWSS, IMSS or TMCM, which require a database component, and your option is to install the MSDE/SQL 2005 database: make sure the option for authentication is set to 'SQL Server Authentication'. If you are installing on an existing SQL server, choose Mixed Authentication Mode.

You may refer to this knowledge base article from the Microsoft website should you need to verify and change the system administrator password in MSDE or SQL Server 2005 Express Edition.

Tuesday, September 16, 2008

Trend Micro Control Manager 5.0

What's new in TMCM 5.0? Why should you upgrade to the latest version if you are currently running TMCM 3.5 or an older version? Here are the reasons:

1. Improved Reports and Report Templates
Users can now create their own report templates and query information from the Control Manager database.

2. Improved User Access Control
Allows administrators to specify which Control Manager menu items users can access.

3. Improved Product Directory Management and Monitoring
OfficeScan-like view for products with multiple clients

4. Product License Deployment Support
Control Manager administrators can view the status of all ACs of registered managed products or ACs that other users input. They also can see which managed products use the AC.

Upgrade?
The upgrade process is straightforward through the wizard. You will still be using MSDE as the database. Please refer to the Installation guide for the items to back up before the upgrade exercise.
Do let me know if you require a guide that contains screen shots of the upgrade process.

Fresh install?
This is easier! But bear in mind that there should not be any instance of MSDE, SQL Server or any other kind of database already installed on the target server if you want to use the SQL 2005 bundled with the TMCM 5.0 installation. Also, please supply a complex password for the sa account when prompted during the database installation.
I have prepared screen shots for the fresh install too. If you need them, don't hesitate to contact me. :-)

Tuesday, July 22, 2008

Complex password required

When installing TMCM 5.0 on MSDE / SQL Server 2005 Express Edition (the default database that is bundled with the TMCM installation), you will be prompted to assign a password for the username 'sa'. Make sure you give a complex password. Otherwise, you may get an error message like the one in the screen shot.

Monday, June 23, 2008

URL for license renewal

Whenever you want to do a renewal for your Trend Micro products, you need to be connected to the Internet. Let's say the server, e.g. the TMCM server, has restricted Internet access, i.e. only to the ActiveUpdate server, Windows Update, etc.

What is/are the exact URL(s) that you need to allow for TMCM to do the renewal successfully?

Answer: The exact websites that should be allowed are https://olr.trendmicro.com and http://licenseupdate.trendmicro.com

Tuesday, April 8, 2008

Database already exist

You want to install IMSS, which requires installation of a database (MSDE or MS SQL) as a component. When the prompt for Database settings appears, you choose the first option, "Default MSDE". However, you cannot proceed to install MSDE because the installer detects a previous version of the MS SQL database on the server. You are sure you want to use MSDE as the database. In Add/Remove Programs, there is no copy of a previous database installation.



To remedy this, you need to delete the following registry key:

HKLM\Software\Microsoft\MSSQLServer

Delete the entire folder of "MSSQLServer". Reboot the server and try again.