Issues resolved by hot fixes for OSCE 11.0 SP1 - Trend Micro · PDF fileIssues resolved by hot...

Issues resolved by hot fixes for OSCE 11.0 SP1

[Hotfix_3700] (TT-347284)

Issue: The OfficeScan agent displays the short detection name on the Virus/Malware Logs.

Solution: This hotfix ensures that the OfficeScan agent the long detection name on the Virus/Malware

Logs.

[Hotfix_3704] (TT-350759)

Issue: When the OfficeScan server receives multiple policies from a Control Manager 6.0 server, it applies

only the first policy.

Solution: This hotfix updates the OfficeScan program to ensure that the OfficeScan server can apply

multiple policies from a Control Manager 6.0 server.

Enhancement: This hotfix enables the OfficeScan server to receive only the policies that have been

updated instead of receiving all the policies each time the Control Manager 6.0 server deploys policies.

This helps reduce the impact on OfficeScan's performance especially when the Control Manager 6.0 server

runs regular policy enforcement.

NOTE: This enhancement requires users to install Control Manager 6.0 Hotfix 3359. Contact the

Trend Micro Support Team to request for the Control Manager hotfix.

[Hotfix_3707] (TT-356474)

Issue: After administrators apply OfficeScan Server 11 Service Pack 1 (SP1), the PATH environment

variable changes to "REG_SZ".

Solution: This hotfix updates the OfficeScan server wherein the PATH environment variable remains as

"REG_EXPAND_SZ" even after applying OfficeScan Server 11 SP1.

Issues resolved by hot fixes for OSCE 11.0 SP1 Patch 1

[Hotfix_4978] (TT-346888)

Enhancement: This hot fix enables OfficeScan Data Loss Prevention (DLP) to increase the limit of the

DLP archive file setting on the web console.

[Hotfix_4980] (TT-344248)

Issue: This issue is caused by Trend Micro Local Web Classification Server file had been copied

successfully, but the return is 9009.

Solution: This hotfix resolves this issue.

[Hotfix_4986] (TT-347975)

Issue: Users encounter some unexpected issues in the OfficeScan client wherein the OfficeScan client

queries the database even though there is no specific entry yet from the OfficeScan client to the database.

Solution: This hotfix updates the OfficeScan server by preventing queries from accessing the database

before the client entry is ready.

[Hotfix_4992] (TT-347260)

Issue: The listDeviceInfo tool cannot display any information about a special USB device if its device

information is not in the usual format.

Solution: This hotfix updates the "listDeviceInfo.exe" tool to enable it to display information about USB

devices when the device information is not in the usual format.

[Hotfix_4993] (TT-347908)

Issue: When using the "Sort Agent" option to group OfficeScan agents based on the Active Directory

structure, an unexpected domain structure is created on the Agent Management screen.

Solution: This hotfix updates the OfficeScan server to display the correct Active Directory domain

structure on the Agent Management screen after sorting agents based on Active Directory.

Procedure: To enable the correct grouping of Office agents based on the Active Directory domain

structure on the Agent Management screen:

a. Install this hotfix (see "Installation").

b. Open the "ofcserver.ini" file in the "¥PCCSRV¥Private" folder on the OfficeScan installation

directory.

c. Under the "INI_AD_INTEGRATION_SECTION" section, add the following key and set its value to

"1":

[INI_AD_INTEGRATION_SECTION]

IndividualDC=1

d. Save the changes and close the file.

e. Restart OfficeScan Server Master Service.

[Hotfix_4995] (TT-348589)

Issue: An arithmetic overflow error occurs and triggers the following Microsoft(TM) Windows(TM)

application even log: "Arithmetic overflow error converting expression to data type int."

Solution: This hotfix updates the OfficeScan server database process (dbserver.exe) to reverse the order of

parameters and prevent the arithmetic overflow event.

[Hotfix_4996] (TT-344332,344333)

Issue: When users run the client packager tool in the CLI to create client installation packages, they have

no way to specify a domain where all freshly-installed clients should belong to.

Solution: This hotfix updates the client packager tool to enable users to specify a domain for

freshly-installed clients ¥ using the "/domain" parameter when creating client installation packages through

the CLI.

[Hotfix_4999] (TT-349302)

Issue: Sometimes, an issue related to JSON data prevents the OfficeScan web console from displaying the

contents of the DLP setting page. When this happens, users cannot deploy the DLP settings to clients.

Solution: This hotfix modifies a FlushJson function to resolve the issue and help ensure that the DLP

setting page displays completely and users can deploy the DLP settings to clients.

[Hotfix_5002] (TT-343440)

Issue: The following services provide robust protection but their monitoring mechanisms can strain

system resources, especially on Windows server platforms:

- Unauthorized Change Prevention Service

- Suspicious Connection Service

- Advanced Protection Service

For this reason, these services are disabled by default on Windows Server 2003, 2008, and 2012.

Solution: This hotfix allows users to enable the services above by default on a freshly installed

OfficeScan agent on the Windows Server platform.

Procedure: To enable the services above in freshly installed OfficeScan agents on the Windows Server

platform:


b. Open the "ofcserver.ini" file in the "¥PCCSRV¥ Private" folder of the OfficeScan server.

c. Under the "INI_SERVER_SECTION", manually add the following keys and set each value

to "1".

[INI_SERVER_SECTION]

CheckAegisOnServer=1

CheckNCIEOnServer=1

CheckCCSFOnServer=1


e. Open the "ofcscan.ini" file in the "¥PCCSRV" folder of the OfficeScan server.

f. Under the "ServiceSwitch" section, find the following keys and set each value to "1".

[ServiceSwitch]

EnableAEGISOnServer=1

EnableNCIEOnServer=1

EnableCCSFOnServer=1

g. Save the changes and close the file.

[Hotfix_5007.1] (TT-348204)

Enhancement: This hotfix provides a way for users to configure Trend Micro Data Loss Prevention(TM)

(DLP) Endpoint SDK 6.0 to load the converter dynamic library instead of using "dtoop.exe".

Procedure: To configure the "converter_call_method" setting for DLP and to deploy the setting to

OfficeScan agents:


b. Open the "dlp.ini" file in the "¥PCCSRV¥Private¥" folder on the OfficeScan server.

c. Under the "Configure" section, manually add the "converter_call_method" key and set its

value to "funccall".

[Configure]

converter_call_method = funccall


e. Open the OfficeScan web console and click "Agents > Agent Management > Select domains

or agents > Settings > DLP settings".

f. Click "Save" to deploy the settings to agents".

The OfficeScan server deploys the setting to OfficeScan agents and adds the following key in the "dsa.pro"

file in the "¥Windows¥System32¥ dgagent¥" folder: converter_call_method=funccall

g. Restart all OfficeScan agents.

[Hotfix_5008] (TT-347028,344018)

Issue 1: OfficeScan Data Loss Prevention (DLP) is unable to to block the CD/DVD burning function of

explorer.exe in "USB flash drive" mode.

Solution 1: The hot fix resolves the DLP blocking issue.

Issue 2: Data Loss Prevention only generates a maximum of 200 violation logs even if users burn more

than 200 files (with violations) using the CD/DVD player function of explorer.exe.

Solution 2: The hot fix resolves the issue by enlarging the queue size to 100,000.

[Hotfix_5009] (TT-347873,345955)

This hotfix resolves the following issues:

Issue 1: Access Document Control (ADC) cannot detect files that run from the network drive.

Solution 1: This hotfix ensures that the ADC detection can successfully work on the network drive.

Issue 2: Duplicate DLP violation logs are uploaded to the OfficeScan server at five minute intervals when

the DLP Violation Log database file is corrupted.

Solution 2: This hotfix updates the OfficeScan agent program to ensure that it uploads DLP violation logs

to the OfficeScan server normally.

Procedure: To prevent the OfficeScan agent from sending duplicate DLP violation logs upload to the

OfficeScan server:


b. Open the "Ofcscan.ini" file in the "¥PCCSRV¥" folder on the OfficeScan server installation

directory.

c. Under the "Global Setting" section, manually add the "ReindexDLPViolationLog" key and set its

value to "1".

[Global Setting]

ReindexDLPViolationLog=1

Note: To disable the feature, set "ReindexDLPViolationLog=0".


e. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.

f. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to

OfficeScan agents and adds the following registry entry on all OfficeScan agent computers:

Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥Wow6432Node¥

TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥

Misc.

Key: ReindexDLPViolationLog

Type: dword

Value: 1

[Hotfix_5014] (TT-349806)

Issue: When the OfficeScan server receives multiple policies from a Control Manager 6.0 server, it applies

only the first policy.

Solution: This hotfix updates the OfficeScan program to ensure that the OfficeScan server can apply

multiple policies from a Control Manager 6.0 server.

[Hotfix_5015] (TT-340977)

Issue: The OfficeScan client computer may stop responding during a RealTime Scan when both the

Ravage Scan feature and the Browser Exploit Prevention feature are enabled.

Solution: This hotfix updates the OfficeScan agent program to ensure that it can run RealTime Scans

normally when both the Ravage Scan feature and the Browser Exploit Prevention feature are enabled.

[Hotfix_5016] (TT-347072)

Issue: Guest users that do not have the required permissions may be able to change certain OfficeScan 11.0

Service Pack 1web console settings.

Solution: This hotfix adds RBA rules in "TrendAuthDef.xml" and enables the CGI console common to get

more information from the XML file. This helps ensure that users that do not have the required

permissions cannot make changes to the OfficeScan 11.0 Service Pack web console.

[Hotfix_5018] (TT-349429)

Issue: An OfficeScan server without an Integrated Smart Protection Server (ISPS) installed can have a

standalone Smart Protection Server (SPS) as the Smart Scan source. However, the "Standard Smart

Protection Server List" page of the web console indicates that the Smart Scan source is ISPS when

OfficeScan is using an SPS. The issue occurs after users install Critical Patch 4150 on the OfficeScan

server.

Solution: This hotfix ensures that the correct Smart Scan source appears on the "Standard Smart Protection

Server List" page.

[Hotfix_5020] (TT-351541,352232,345081),

Issue 1: When users right-click the OfficeScan agent icon on the system tray and select "Advanced

Schedule Scan Setting" to access the "Scheduled Scan Postpone" dialog box, they can only set the

postpone hour time interval up to "11" hours even when the field should support up to "12" hours.

Solution 1: This hotfix updates the OfficeScan agent program to allow users to set the Scheduled Scan

Postpone hour time interval to "12" hours.

Issue 2: The TMEBC driver does not start during the system boot process because the TMEBC driver file

(TMEBC32.SYS on 32-bit platforms or TMEBC64.SYS on 64-bit platforms) is not in the

C:¥Windows¥system32¥DRIVERS directory while the corresponding registry entry still exists on the

Services screen.

Solution 2: This hotfix resolves this issue by installing the TMEBC driver on OfficeScan agents if the

TMEBC driver is not installed or if the TMEBC driver file is missing.

[JP_Hotfix_5020.1] (TT-352232)

Issue: The TMEBC driver does not start during the system boot process because the TMEBC driver file

(TMEBC32.SYS on 32-bit platforms or TMEBC64.SYS on 64-bit platforms) is not in the

C:¥Windows¥system32¥DRIVERS directory while the corresponding registry entry still exists on the

Services screen.

Solution: This hotfix resolves this issue by installing the TMEBC driver on OfficeScan agents if the

TMEBC driver is not installed or if the TMEBC driver file is missing.

[Hotfix_5024] (TT-351708)

Issue: Users encounter an error while decoding virus files using the VSEncode tool.

Solution: This hotfix updates the OfficeScan server program files to ensure that VSEncode can decode

virus files without issues.

[Hotfix_5028] (TT-352231)

Issue: When users install an OfficeScan agent on a computer running on the 32-bit version of

Microsoft(TM) Windows(TM) 10 Anniversary Update 1607.14393 using a setup package created by the

Agent Packager tool, the OfficeScan agent will still be installed on the default installation path even when

a new path has been specified.

Solution: This hotfix resolves the issue by updating the OfficeScan server program to ensure that setup

packages created by the Agent Packager tool installs OfficeScan agents on the specified installation paths.

[Hotfix_5029] (TT-350647)

Issue: Users encounter a high CPU usage issues when OfficeScan browser plugins are enabled on the

version 11 of the Internet Explorer web browser.

Solution: This hotfix updates the BEP module to prevent the high CPU usage issue.

[Hotfix_5030] (TT-352763)

Issue: When users export the Scan Exclusion Lists for the following scan types from the "Agent

Management" screen of the OfficeScan web console, the generated CSV file will not contain any domain

setting information for OfficeScan agents:

- Manual scans

- Real-time scans

- Scheduled scans

- Scan Now

Solution: This hotfix updates the OfficeScan server files to ensurethat when users export Scan Exclusion

Lists, the domain setting information for each OfficeScan agent appear on the exported CSV files.

[ES_Hotfix_5031] (TT-353148)

Issue: Users encounter a high CPU usage issues when OfficeScan browser plugins are enabled on the

version 11 of the Internet Explorer web browser.

Solution: This hotfix updates the BEP module to prevent the high CPU usage issue.

[Hotfix_5032] (TT-353446)

Issue: The "Resume an interrupted Scheduled Scan" option in the Scheduled Scan Settings does not work

if a scheduled scan was interrupted because the endpoint was switched off.

Solution: This hotfix updates the OfficeScan agent program to ensure that the "Resume an interrupted

Scheduled Scan" feature works properly.

[Hotfix_5035] (TT-354095)

Issue: The firewall detail page of agent console is not refreshed when the security level is changed.

Solution: This hotfix updates the OfficeScan agent program to ensure that the firewall detail page of agent

console is refreshed when the security level is changed.

[Hotfix_5037] (TT-354956)

Issue: The "Real-time Scan Health Check" feature in OfficeScan agent regularly sends its status to the

server even when this feature is disabled. This adds to the network traffic.

Solution: This hotfix updates the OfficeScan agent program to ensure that it does not send "Real-time Scan

Health Check" network packets to the server when the feature is disabled.

[Hotfix_5038] (TT-354896)

Issue 1: The OfficeScan NT Listener service stops responding while managing the Suspicious Connection

Service NCIE function on OfficeScan agents.

Solution 1: This hotfix updates the OfficeScan agent program to improve the way the TmListen service

manages the NCIE function.

Issue 2: A memory allocation issue related to the "OfcNotifyQueue.dll" file can lead to memory leaks

which may trigger "OfcServer.exe" to stop unexpectedly.

Solution 2: This hotfix resolves the memory allocation issue to prevent memory leaks.

[Hotfix_5040] (TT-355334)

Enhancement: This hotfix provides a way for users to enable or disable the Osprey async mode.

Procedure: To enable or disable the Osprey async mode:


b. Open the "ofcscan.ini" file in the "¥PCCSRV" folder of the OfficeScan installation directory.

c. Under the "Global Setting" section, manually add the "OspreyAsyncServerLookup" key and

assign the

preferred value.

[Global Setting]

OspreyAsyncServerLookup=0, disables Osprey async mode =1, enables Osprey async mode





Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro

¥Osprey¥Scan¥Common¥HttpManager¥config

Key:AsyncServerLookup

Type: dword

Value: 0, 1

g. Restart OfficeScan agents.

[Hotfix_5042] (TT-345393)

Issue: The Avaya Scopia log in page stops responding when the AEGIS module does not receive a

response from it within a specific time period.

Solution: This hotfix enables users to disable the self-protection feature of the AEGIS module for

Avaya Scopia to prevent the incompatibility issue and ensure that Avaya Scopia can run normally on

protected computers.

Procedure: To disable the self-protection feature of the AEGIS module in affected computers:


b. Open the "ofcscan.ini" file in the "¥PCCSRV¥" folder of the OfficeScan installation directory.

c. Under the "Global Setting" section, add the following key and set its value to "1".

[Global Setting]

SkipDuplicateSameAccess=1


e. Open the OfficeScan server management console and go to "Agents > Global Agent Settings".

f. Click "Save" to deploy the setting to all clients.

g. Restart the OfficeScan client.

The OfficeScan client program automatically installs the following registry key:

PATH: HKEY_LOCAL_MACHINE¥SYSTEM¥CurrentControlSet¥Services¥tmactmon¥Parameters

KEY:SkipDuplicateSameAccess

TYPE: dword

VALUE: 1, disables the self-protection feature 0, enables the self-protection feature

[Hotfix_5043] (TT-356053)



Solution: This hotfix enables users to disable the self-protection feature of the AEGIS module for

Avaya Scopia to prevent the incompatibility issue and ensure that Avaya Scopia can run normally on

protected computers.





[Global Setting]









TYPE: dword


[Hotfix_5046] (TT-354095)




[Hotfix_5053] (TT-356053)

This hotfix resolves the following issues:

Issue 1: The firewall details page of the OfficeScan client console does not refresh automatically after the

security level setting changes.

Issue 2: The Avaya Scopia log in page stops responding when the AEGIS module does not receive a


Solution 1: This hotfix updates the OfficeScan agent program to ensure that the firewall details page of the

OfficeScan client console refreshes automatically when the security level setting changes.

Solution 2: This hotfix enables users to disable the self-protection feature of the AEGIS module for Avaya

Scopia to prevent the incompatibility issue and ensure that Avaya Scopia can run normally on protected

computers.

[Hotfix_5057] (TT-354124)

Issue: Automatic agent grouping uses rules defined by Microsoft(TM) Windows(TM) Active Directory

(AD) domains. Sometimes, after the OfficeScan server synchronizes AD information from the Windows

server, the status of enabled grouping rules shows a "Warning" sign.

Solution: This hotfix updates the OfficeScan programs to ensure that the enabled grouping rules will not

be affected by the synchronized AD information.

[CP_5060] (TT-357850)

Issue: OfficeScan leaks encrypted account passwords during web console operations. Unauthorized users

could use the leaked encrypted password to log on to the OfficeScan server console.

Solution: This critical patch ensures that OfficeScan does not leak encrypted passwords.

[JP_Hotfix_5061] (TT-354095)




[JP_Hotfix_5062] (TT-358075)

Issue: Guest users that do not have the required permissions may be able to change certain OfficeScan 11.0

Service Pack 1 web console settings.

Solution: This hotfix adds RBA rules in "TrendAuthDef.xml" and enables the CGI console common to get

more information from the XML file. This helps ensure that users that do not have the required

permissions cannot make changes to the OfficeScan 11.0 Service Pack web console.

[Hotfix_5066] (TT-357507)

Issue: The Microsoft(TM) Windows(TM) Event Log generates too many messages.

Solution: This hotfix enables OfficeScan to extend the cache time to 12 hours.

[Hotfix_5067] (TT-358603)

Enhancement: This hotfix improves the checking mechanism of the OfficeScan agent program to protect

the Smart Scan Agent Pattern and Virus Pattern files in endpoints from corruption.

[Hotfix_5068] (TT-359232)

Issue: The detected Virus/Malware information that appears in the OfficeScan web console does not match

the information in the Trend Micro Control Manager(TM) console.

Solution: This hotfix ensures that the OfficeScan server sends the correct Virus/Malware information to

Control Manager so that the information in the OfficeScan web console matches the information in the

Control Manager console.

Procedure: To configure OfficeScan to send the accurate information to Control Manager:


b. Open the "Product.ini" file in the

"¥PCCSRV¥CmAgent" folder on the OfficeScan server installation directory using a text editor.

c. Under the "Configure" section, manually add the following key and set its value to "1".

[Configure]

EnableSFCacheTimeout=1


e. Restart the OfficeScan Control Manager Agent.

[Hotfix_5069] (TT-355701)

Issue: An initialized issue related to the OfficeScan Control Manager Agent service ("OfcCMAgent.exe")

may cause the OfcCMAgent.exe to stop unexpectedly.

Solution: This hotfix updates the OfficeScan Control Manager Agent program to prevent from this issue.

[Hotfix_5070] (TT-359313)

Issue: The Ransomware Protection function does not reference the prevalence value and simply terminates

the processes (even if these processes meet the expected prevalence value).

Solution: This hotfix ensures that OfficeScan agents check the process chain for Ransomware

identification in this situation. The OfficeScan agents will query the census server for all parent processes

and determine whether or not to terminate the process.

[Hotfix_5071] (TT-357054)

Issue: When there are hotfix updates, the OfficeScan server checks all client components and prompts all

clients with old hotfix versions to apply the updates including those where the No Program Upgrade option

is enabled. This triggers a large number of unnecessary client notifications.

Solution: This hotfix ensures that the OfficeScan server does not notify a client of hotfix updates if the No

Program Upgrade option is enabled in the client.

[Hotfix_5074] (TT-358532)

Issue: When an unreachable OfficeScan agent reports its onstart status to the OfficeScan server, the server

does not automatically set the updateflag for the agent. As a result, the agent will not receive updates until

after a file change event on the OfficeScan server.

Solution: This hotfix enables the OfficeScan server to set the updateflag of unreachable OfficeScan agents

automatically once it receive the onstart status of the agents.

[Hotfix_5077] (SEG-3129)

Issue: Sometimes, the value of the "SourceUUID" setting in the "Ofcserver.ini" file is overwritten which

prevents OfficeScan from updating the suspicious object list.

Solution: This hotfix ensures that the "SourceUUID" setting is not overwritten unexpectedly.

[JP_Hotfix_5078] (SEG-2143)

Issue: Exported CSV files that contain agent information do not differentiate between Windows platforms

from Windows Embedded platforms.

Solution: This hotfix ensures that exported CSV files specifies if an agent runs on a Windows platform or

a Windows Embedded platform.

[Hotfix_5080] (SEG-2745)

Issue: The Vulnerability Scanner may attempt to access an invalid file path which triggers blue screen of

death (BSOD) on computers running Microsoft Windows Vista(TM) or any version released after it, for

example, Windows Server 2008 and later versions.

Solution: This hotfix updates the Vulnerability Scanner to prevent it from attempting to access invalid file

paths.

[Hotfix_5082] (TT-358977)

Enhancement: This hotfix provides an option to enable OfficeScan agents to check the connection to the

Smart Protection Network regularly and to update the status icons on the web console accordingly.

Procedure: To enable the feature on the OfficeScan server and to automatically deploy the setting to all

OfficeScan agents:


b. Open the "Ofcscan.ini" file in the "¥PCCSRV¥" folder on the OfficeScan installation directory.

c. Add the following key under the "Global Setting" section and set its value to "1".

[Global Setting]

ChkGlobalWCS=1

Note: To disable the connection checking, set

"ChkGlobalWCS=0".


e. Open the OfficeScan web console and go to the"Agents > Global Agent Settings" screen.



The OfficeScan agent program automatically installs the following registry key:

Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥

PC-cillinNTCorp¥CurrentVersion¥iURL Scan.

Key: ChkGlobalWCS

Type: REG_DWORD

Value: 1

[Hotfix_5085] (SEG5616)

Issue: The Publisher used to export registry keys is named differently in some OfficeScan agents.

Solution: This hotfix ensures that all OfficeScan agents use the same Publisher name.

[Hotfix_5087] (SEG-10203)

Issue: The OfficeScan Behavior Monitoring feature may generate a large number of "TMBMSrvFull.dmp"

dump files on OfficeScan clients.

Solution: This hotfix updates the Behavior Monitoring Service module to resolve the issue.

[Hotfix_5088] (SEG-10012)

Issue: Crash was happened when Unauthorized Change Prevention engine doing policy matching, it cause

a lot of TMBMSrvFull.dmp files on Behavior Monitor folder.

Solution: Fix the issue inside pattern and refine engine flow.

Issues resolved by hot fixes for OSCE 11.0 SP1 (UMH)

[Hotfix_6077] (TT-347401)

Enhancement: This hotfix enables DLP Endpoint SDK 6.0 to support Chrome 51.0.2704.84m with QUIC

enabled.

[Hotfix_6082] (TT-347481)

Issue: A handle leak issue that may occur while the OfficeScan server handles the "ofcserver.ini" file may

corrupt the file.

Solution: This hotfix resolves the issue by ensuring that the OfficeScan server handles the INI properly.

[Hotfix_6084] (TT-347525)

Issue: Users are unable to subscribe to the Control Manager server to get the suspicious object list. They

receive a "-1" return error.

Solution: This hot fix resolves the subscription issue by installing and enabling Local Web Classification

Server (LWCS), instead of LWCS being enabled only.

[Hotfix_6084.1] (TT-347733)

Issue: The User Mode Hooking (UMH) driver causes an unexpected error.

Solution: This hot fix updates the UMH driver to resolve the issue.

[Hotfix_6084.2] (TT-348437,343850)

Issue 1: OfficeScan continues to scan network drives even if the "Scan network drive" setting is disabled

in Real-time Scan.

Solution 1: This hotfix ensures that OfficeScan correctly implements the "Scan network drive" setting

when performing Real-time Scan.

Issue 2: The OfficeScan agent displays the short detection name on the Virus/Malware Logs.

Solution 2: This hotfix ensures that the OfficeScan agent displays the long detection name on the

Virus/Malware Logs.

[Hotfix_6085] (TT-347807,349431)

Issue: Data Loss Prevention Endpoint causes a Blue Screen ofDeath (BSoD) on Microsoft(TM)

Windows(TM) 10 Redstone.

Solution: This hot fix resolves the BSoD issue on Windows 10 Redstone.

[Hotfix_6085.1] (TT-347931,350401)

Issue: Users are unable to save the settings in the "Device Control Settings" page of the OfficeScan web

console. This situation occurs if they edit the page by selecting theroot domain icon in the "Agent

Management" page of the OfficeScan web console.

Solution: This hot fix updates the OfficeScan server program to resolve this issue.

[Hotfix_6088] (TT-348887)

Issue: When using the Microsoft(TM) Windows domain user account to migrate an OfficeScan database

from codebase to an SQL database, a "conhost.exe" application error might occur while updating the SQL

schema.

Solution: This hotfix uses another method when handling the SQL schema update instead of using the

Windows application program interface (API), which resolves this issue.

Enhancement: This hotfix enhances the OfficeScan folder write permission check before doing the SQL

migration. End users should grant Windows domain users full control permissions to the OfficeScan server

folder and include inheritable permissions from the parent of this object by local administrator or Active

Directory (AD) build-in administrator.

[Hotfix_6091] (TT-348682)

Issue: The OfficeScan Update Agent does not deploy the Suspicious Connection Settings to OfficeScan

clients.

Solution: This hotfix ensures that the OfficeScan Update Agent deploys the Suspicious Connection

Settings to OfficeScan clients.

[Hotfix_6093] (TT-348911)

Enhancement: This hotfix enables DLP Endpoint SDK 6.0 to support Chrome 51.0.2704.106m with

QUIC enabled.

[Hotfix_6094] (TT-347090)

Issue: Users encounter an issue wherein they are unable to open Microsoft(TM) Office 2007 documents

from Microsoft SharePoint 2010 after installing Critical Patch (CP) 6054.

Solution: This hotfix improves on the DRE module of OfficeScan. Since DRE module does not back up

the remote drive file, AEGIS (Behavior Monitoring) should skip sending remote drive file events to the

DRE module.

[Hotfix_6098] (TT-348679)

Issue: Users cannot assign OfficeScan agents to a multilayered domain that has been pre-defined in the

agent computer before agent installation.

Solution: This hot fix updates the OfficeScan server and agent files to allow users to assign agents to

pre-defined multilayer domains.

Procedure: To assign an agent to a multilayered domain that has been pre-defined in the agent computer

before agent installation:

a. Install this hot fix (see "Installation").

b. Open Windows Registry Editor on agent machine.

c. Add following registry information using the information of the preferred domain:

For 32-bit OfficeScan agents:

[HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorpOnce¥CurrentVersio

n]

"Domain"="domain_name"

"Server"="server_name"

"ServerPort"=dword:xxxxxxxx

[HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorpOnce¥CurrentVersio

n¥Internet

Settings]



"UseProxy"=dword:00000000

For 64-bit OfficeScan agents:

[HKEY_LOCAL_MACHINE¥SOFTWARE¥Wow6432Node¥TrendMicro¥PC-cillinNTCorpOn

ce¥CurrentVersion]

"Domain"="domain_name"



[HKEY_LOCAL_MACHINE¥SOFTWARE¥Wow6432Node¥TrendMicro¥PC-cillinNTCorpOn

ce¥CurrentVersion¥Internet Settings]



"UseProxy"=dword:00000000

d. Install the OfficeScan agent.

[Hotfix_6101] (TT-349224)

Issue: The OfficeScan exclusion list does not work on mount points; drives that are mapped as folders to

an existing file system.

Solution: This hotfix ensures that OfficeScan clients receive the complete list of approved devices to

ensure that the exclusion list works normally.

[DE_Hotfix_6103] (TT-348995)

Issue: The "Global Agent Settings" page of the OfficeScan 11.0 Service Pack 1 German version console

contains mistranslated information.

Solution: This hotfix ensures that all the information on the page are translated correctly.

[Hotfix_6105] (TT-348521)

Enhancement: This hotfix enables users to add the "Offline Time" column to the Agent Management

tree and to add the same information to CSV files exported through the "Agent Management" page of the

OfficeScan web console. This column displays the time and date information of the last instance when the

OfficeScan agent cannot connect to the OfficeScan server.

Note: After applying this hot fix, the order of columns in the Agent Management tree will be reset to the

default order.

Procedure: To add the "Offline Time" column to the Agent Management tree:


b. Open the "ofcserver.ini" file in the "¥PCCSRV¥private¥" folder on the OfficeScan server.

c. Add the "ShowNotConnectedTime" key under the

"SERVER_CONSOLE_SECTION" section and set its value to "1".

[SERVER_CONSOLE_SECTION]

ShowNotConnectedTime=1

Note: To hide the "Offline Time" column in the Agent Management tree, set

"ShowNotConnectedTime=0".

d. Reload or reopen the web browser.

[Hotfix_6106] (TT-350909)

Issue: The scan action information that appears in the Control Manager console does not match the

information in OfficeScan logs.

Solution: This hotfix ensures that the OfficeScan server sends the correct scan action results to Control

Manager so that the information in the Control Manager console matches the information on OfficeScan

logs.

[Hotfix_6109] (TT-349291,349315)

Enhancement: This hotfix upgrades the Web Blocking Service module to support IP lookup when there

are no results for URL lookup.

[Hotfix_6110] (TT-347260)

Issue: The listDeviceInfo tool cannot display any information about a special USB device if its device

information is not in the usual format.

Solution: This hotfix updates the "listDeviceInfo.exe" tool to enable it to display information about USB

devices when the device information is not in the usual format.

[Hotfix_6111] (TT-343705)

Issue: A memory allocation issue related to the "OfcNotifyQueue.dll" file can lead to memory leaks which

may trigger "OfcServer.exe" to stop unexpectedly.

Solution: This hotfix resolves the memory allocation issue to prevent memory leaks.

[Hotfix_6112] (TT-349873)

Issue 1: When the Behavior Monitoring service stops unexpectedly, it automatically notifies all its plug-ins

to stop. However, an issue may prevent it from notifying the User Mode Event Hooking plug-in which

results in a high CPU usage issue.

Solution 1: This hotfix ensures that OfficeScan notifies the User Mode Event Hooking plug-in to stop

sending events while the Behavior Monitoring service detects an unhandled exception and to de-initialize

itself. This helps prevent the high CPU issue when the Behavior Monitoring service stops unexpectedly.

Issue 2: Some privilege issues occur when DRE attempts to access a file on a UNC path that breaks the

existing UNC path connection.

Solution 2: This hotfix ensures that the OfficeScan DRE feature works normally on UNC paths.

[Hotfix_6114] (TT-349491)

Issue: An issue prevents users from accessing the "DLP Settings" and "Device control Settings" pages of

the OfficeScan server console.

Solution: This hotfix updates the server program to ensure that users can access the pages normally.

[Hotfix_6118] (TT-346362,343900)

Issue 1: When users attempt to print documents through a Microsoft(TM) Windows(TM) 32-bit

application in an x64 platform, the corresponding Trend Micro Data Loss Prevention(TM) (DLP) violation

log refers to a CD/DVD channel.

Solution 1: This hotfix ensures that the corresponding DLP violation logs refers to the correct channel.

Issue 2: Users can run an application under USB storage devices that they only have READ permission to

access.

Solution 2: This hotfix ensures that only users with the correct application permission can run applications

under USB storage devices.

[Hotfix_6120] (TT-349937)

Issue 1: The OfficeScan server sends configuration change notifications to OfficeScan agents twice.

Solution 1: This hotfix ensures that the OfficeScan server sends only one notification for each set of

configuration changes to OfficeScan agents.

Issue 2: When using the "Sort Agent" option to group OfficeScan agents based on the Active Directory

structure, an unexpected domain structure is created on the Agent Management screen.

Solution 2: This hotfix updates the OfficeScan server to display the correct Active Directory domain

structure on the Agent Management screen after sorting agents based on Active Directory.

Procedure: To enable the correct grouping of Office agents based on the Active Directory domain

structure on the Agent Management screen:



directory.

c. Under the "INI_AD_INTEGRATION_SECTION" section, add the following key and set its

value to "1":


IndividualDC=1


e. Restart OfficeScan Server Master Service.

[Hotfix_6121] (TT-345044)

Issue: If an OfficeScan agent encounters a connection issue while it is being moved from one OfficeScan

server to another, the OfficeScan agent does not unregister from the original server.

Solution: This hotfix ensures that the OfficeScan agent properly unregisters from its original OfficeScan

server if a connection issue occurs.

Procedure:


b. Open the " ofcserver.ini" file in the "¥PCCSRV ¥Private" folder of the OfficeScan installation

directory.

c. Add the following section and key.

[MOVE_CLIENT_SECTION]

EnableDeleteAfterMove= 1


e. Restart the OfficeScan Master Service.

[Hotfix_6122] (TT-350061)

Issue: The OfficeScan 11.0 Service Pack 1 Behavior Monitoring feature blocks a valid program.

Solution: This hotfix updates the OfficeScan Behavior Monitoring Local Pattern to ensure that it blocks

the correct programs.

[Hotfix_6126] (TT-350139)

Issue: When the OfficeScan agent scans for virus and malware in a compressed file, the corresponding

Scan Operation Logs display inaccurate total number of detected virus and malware.

Solution: This hotfix updates the OfficeScan agent files to ensure that the Scan Operation Logs display the

correct total number of virus and malware detected from compressed files.

[Hotfix_6126.1] (TT-349445)

Issue: When users attempt to register OfficeScan to a Trend Micro Control Manager(TM) server that

communicates using Transport Layer Security (TLS) 1.2, the registration fails and users encounter an error

on the Control Manager console.

Solution: This hot fix enables OfficeScan to support TLS 1.2. This ensures that it can register to a Control

Manager server using this protocol.

[Hotfix_6127] (TT-350116)

Issue: On the Agent Management web page of OfficeScan server console, the Advanced Search task may

take more than one (1) minute before timing out without displaying the search results.

Solution: This hotfix extends the timeout value to ten (10) minutes, which allows the OfficeScan server to

display the results of the Advanced Search results successfully.

[Hotfix_6128] (TT-347348)

Enhancement: This hotfix contains new versions of the "Trend Micro NSC Firefox Extension" and

"Trend Micro Osprey Firefox Extension". These versions comply with the new security guidelines.

[Hotfix_6129] (TT-347282,349815,350397)

Enhancement 1: This hotfix enables users to configure the OfficeScan server to check if the UID of an

agent exists in the database by generating a compliance report and to notify the client machine to register

again if it has no record of the agent's UID.

Procedure: To enable and configure this enhancement:



directory.

c. Under the "Global Setting" section, manually add the "ProtectionReportFrequency" and

"AutoOnStart" keys and set the preferred value for each.

[Global Setting]

ProtectionReportFrequency=(the frequency in minutes at which the server should check if a

client's UID is in the database through a compliance report, the minimum value is 2 minutes)

AutoOnStart=1, enables the OfficeScan server to trigger an onstart command to agents to register

back to the server if it cannot find the agent's UID in the database=0, disables the command

trigger




OfficeScan agents and adds the following registry entries on all OfficeScan agent computers:

Path:HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorp¥CurrentVersion

¥Misc.

Key:ProtectionReportFrequency

Type:REG_DWORD

Value: 2

Key:AutoOnStart

Type:REG_DWORD

Value: 1

Enhancement 2: This hotfix adds a way to configure OfficeScan clients to skip digital signature checking

of OfficeScan client program files while downloading hotfix files and reloading the scan engine.

Procedure: To prevent OfficeScan clients from checking the digital signature of program files while

downloading hotfix files and reloading the scan engine:




[Global Setting]

DOVF=1






Path:

HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥Mis

c.

Key:DOVF

Value: 1

[Hotfix_6130] (TT-350849)

Issue: The OfficeScan 11.0 Service Pack 1 Behavior Monitoring feature blocks a valid program.

Solution: This hotfix updates the OfficeScan Behavior Monitoring Local Pattern to ensure that it blocks

the correct programs.

[Hotfix_6131] (TT-351400)

Issue: The OfficeScan 11.0 Service Pack 1 server program and the OfficeScan agent Smart Scan common

module uses an OpenSSL version that is affected by certain vulnerabilities.

Solution: This hotfix resolves this issue by updating the OpenSSL component of the server module and

Smart Scan common module.

[Hotfix_6133] (TT-349682)

Issue: When the OfficeScan server manages database queries, sometimes the query process creates a large

number of Que*.tmp files in the "HTTPDB" folder and these files are not removed promptly after the

query process completes.

Solution: This hotfix updates the OfficeScan server files to enhance the error management mechanism for

database query processing to limit the number of Que*.tmp files and ensure that these files are deleted

promptly after a query has been processed completely.

[Hotfix_6135] (TT-349382,349804,351716)/ [JP_Hotfix_6135.1] (TT-351716)

Issue: BSOD occurs when the firewall rule has too many filters.

Solution: This hotfix updates the Network Security Components to prevent the BSOD issue.

Note: OfficeScan client computers should be restarted immediately after installing this hotfix to be able to

use the newly-deployed NSC modules.

[Hotfix_6138] (TT-351092)

Issue: When users assess for unmanaged endpoints, the results for computers that appear "Online" on the

product tree is "Unresolved Active Directory Assessment". This occurs because the AD_GUID vectors

queried from the Active Directory (AD) domain server are uppercase or lowercase variants of vectors

queried from the database.

Solution: This hotfix makes the comparison mechanism case- insensitive to ensure that users can

accurately assess endpoints.

[Hotfix_6140] (TT-351523)

Issue: Several duplicate entries appear in the Behavior Monitoring Exclusion List.

Solution: This hotfix disables the "Save" button on the page immediately after users click on it.

[Hotfix_6140.1] (TT-349969)

Issue: After an OfficeScan agent is remotely installed on a computer, the OfficeScan server maps a new

network driver for the installation. Sometimes, these network drivers are not removed and remain on the

server.

Solution: This hotfix updates the agent remote installation process to ensure that it removes the mapped

network drivers automatically after agent installation.

[Hotfix_6141] (TT-348733,348919)

(348733 EN_Hotfix_6141)

Issue 1: An issue prevents the DLP module from blocking attachments that contain sensitive information

in

Outlook Web App 2003 and 2010.

Solution 1: This hotfix ensures that the DLP module can block attachments with sensitive information in

Outlook Web App 2003 and 2010.

(348919 EN_Hotfix_6141)

Issue 2: An issue related to the scanning of traffic to and from SCOM results in a high disk space usage

issue in the "dgtmpmon" folder.

Solution 2: This hotfix prevents the high disk space usage issue.

[Hotfix_6147] (TT-352003)

Issue: When users run the Agent Packager tool in the CLI to create setup or update packages for the

OfficeScan agent, there is no way to specify a domain where all freshly- installed clients should belong to.

Solution: This hotfix updates the Agent Packager tool to enable users to specify a domain for

freshly-installed agents using the "/domain" parameter when creating setup or update packages for the

OfficeScan agent through the CLI.

[Hotfix_6148] (TT-351433)

Issue: OfficeScan security compliance reports indicate that the WRS is non-compliant because OfficeScan

treats the database service switch flag as the WRS flag.

Solution: This hotfix updates the server program to ensure that it reads the WRS flag from the

"ofcscan.ini" file.

[Hotfix_6149] (TT-352606)

Issue: The ransomware count on the Ransomware Widget does not include all ransomware file detections

because the new ransomware detection log label starts with "Ransom.".

Solution: This hotfix enables the Ransomware Widget to include ransomware detection logs that start with

"Ransom." in the ransomware count.

[Hotfix_6151] (TT-352084)

Issue: The following services provide robust protection but their monitoring mechanisms can strain system

resources, especially on Windows server platforms:

- Unauthorized Change Prevention Service



For this reason, these services are disabled by defaulton Windows Server 2003, 2008, and 2012.

Solution: This hotfix allows users to enable the services above by default on a freshly installed OfficeScan

agent on the Windows Server platform.

Procedure: To enable the services above in freshly installed OfficeScan agents on the Windows Server

platform:


b. Open the "ofcserver.ini" file in the "¥PCCSRV¥

Private" folder of the OfficeScan server.

c. Under the "INI_SERVER_SECTION", manually add the

following keys and set each value to "1".


CheckAegisOnServer=1

CheckNCIEOnServer=1

CheckCCSFOnServer=1


e. Open the "ofcscan.ini" file in the "¥PCCSRV" folder of the OfficeScan server.

f. Under the "ServiceSwitch" section, find the following keys and set each value to "1".

[ServiceSwitch]

EnableAEGISOnServer=1

EnableNCIEOnServer=1

EnableCCSFOnServer=1

g. Save the changes and close the file.

[Hotfix_6152] (TT-350056)

Issue: The DLP module of the OfficeScan agent program may not be able to upgrade successfully if its

registry entry is corrupted.

Solution: This hotfix updates the OfficeScan agent program to ensure that the DLP module can update

successfully.

[JP_Hotfix_6155] (TT-352702)

Issue: A handle leak issue that may occur while the OfficeScan server handles the "ofcserver.ini" file may

corrupt the file.

Solution: This hotfix resolves the issue by ensuring that the OfficeScan server handles the INI properly.

[Hotfix_6157] (TT-351733)

Issue: An incompatibility issue between the OfficeScan Advanced Protection Service and the OfficeScan

Unauthorized Change Prevention Service may cause the OfficeScan Common Client Solution Framework

(TMCCSF.exe) service to stop unexpectedly.

Solution: This hotfix resolves the issue by updating the OfficeScan Common Client Solution Framework

module in OfficeScan 11.0 Service Pack 1.

[Hotfix_6158] (TT-352281)

Issue: The TmCCSF.exe process may trigger a high CPU usage issue when the Advanced Protection

Service is enabled.

Solution: This hotfix updates OfficeScan agent program to prevent the high CPU usage issue.

[Hotfix_6167] (TT-352149)

Issue: On OfficeScan agents, the "Ntrtscan.exe" process stops repeatedly because it cannot start the

VSAPI driver.

Solution: This hotfix updates the OfficeScan agent program to ensure that "Ntrtscan.exe" starts and works

normally.

[Hotfix_6167.1] (TT-350646)

Enhancement: OfficeScan and Data Loss Prevention(DLP) starts support multiple forensic data session in

the violation logs.

[Hotfix_6168] (TT-352886,352245)

Issue 1: When users use "http://dlptest.com" to test the DLP policy, the OfficeScan agent does not block

illegal information on the website.

Solution 1: This hotfix ensures that the DLP module of OfficeScan agents blocks HTP/HTTPS posts in

websites that contain illegal information.

Issue 2: An issue in the DLP module triggers a high CPU usage

Issue related to "SourceTree.exe".

Solution 2: This hotfix resolves the issue in the DLP module to prevent the high CPU usage issue. The

DLP data identifiers expression "UK - RD&E Hospital Number" algorithm may trigger some false alarms.

This hotfix updates the "UK - RD&E Hospital Number" algorithm to help avoid false alarms.

DLP causes Google Chrome to stop responding while users upload an attachment to Gmail by the drag and

drop method.

This hotfix ensures that users can drag and drop file attachments in Gmail on Google Chrome.

Enhancement: This hotfix enables DLP Endpoint SDK 6.0 to support version 53.0.2785.116 m of the

Google Chrome web browser but not its QUIC mode.

[Hotfix_6170] (TT-353233)

Issue: A mismatch issue between the encode and decode calling mechanism prevents the OfficeScan server

from syncing up with the AD domain.

Solution: This hotfix resolves the issue by updating the OfficeScan server program to ensure that the

OfficeScan server syncs up with the AD domain properly.

[Hotfix_6177] (TT-352580)

Enhancement: This hotfix provides a way for users to enable or disable the Osprey async mode.

Procedure:


b. Open the "ofcscan.ini" file in the "¥PCCSRV" folder of the OfficeScan installation directory.

c. Add the key in the "Global Setting" section and assign the preferred value.

[Global Setting]

OspreyAsyncServerLookup=0, disables Osprey async mode=1, enables Osprey async mode





Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥Osprey

¥Scan¥Common¥HttpManager¥config

Key:AsyncServerLookup

Type: dword

[Hotfix_6178] (TT-353384,352548,353648)

Issue 1: Several abnormal messages appear on the Windows 10 Red Stone platform even when the ping

results are successful.

Solution 1: This hotfix updates the OfficeScan agent program to prevent the abnormal messages in

computers running on the Windows 10 Red Stone platform.

Issue 2: The OfficeScan agent may not be able to scan a file successfully if the file is specified by a UNC

path.

Solution 2: This hotfix updates an agent file to ensure that the OfficeScan agent can scan files specified

using UNC paths successfully.

[FR_Hotfix_6181] (TT-353986)

Enhancement 1: This hotfix enables users to configure the OfficeScan server to check if the UID of an

agent exists in the database by generating a compliance report and to notify the client machine to register

again if it has no record of the agent's UID.

Procedure: To enable and configure this enhancement:


b. Open the "Ofcscan.ini" file in the "¥PCCSRV¥" folder on the OfficeScan server installation directory.

c. Under the "Global Setting" section, manually add the "ProtectionReportFrequency" and "AutoOnStart"

keys and set the preferred value for each.

[Global Setting]

ProtectionReportFrequency=(the frequency in minutes at which the server should check if a client's UID

is in the database through a compliance report, the minimum value is 2 minutes)

AutoOnStart=1, enables the OfficeScan server to trigger an onstart command to agents to register back to

the server if it cannot find the agent's UID in the database

=0, disables the command trigger


e. Open the OfficeScan web console and go to the"Agents > Global Agent Settings" screen.

f. Click "Save" to deploy the setting to agents.The OfficeScan server deploys the command to OfficeScan

agents and adds the following registry entries on all OfficeScan agent computers:

Path:HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥Misc.

Key:ProtectionReportFrequency

Type:REG_DWORD

Value: 2

Key:AutoOnStart

Type:REG_DWORD

Value: 1

Enhancement 2: This hotfix adds a way to configure OfficeScan clients to skip digital signature checking

of OfficeScan client program files while downloading hotfix files and reloading the scan engine.






[Global Setting]

DOVF=1






Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥Misc.

Key:DOVF

Value: 1

[Hotfix_6182] (TT-353787)

Issue: When an OfficeScan 11.0 Service Pack 1 agent is configured not to upload firewall logs, it may

automatically start uploading these logs after restarting.

Solution: This hotfix updates the OfficeScan agent program to ensure that OfficeScan agents upload

firewall logs only when enabled to do so.

[Hotfix_6183] (TT-349599)

Enhancement: This hotfix improves the checking mechanism of the OfficeScan agent program to protect

the Smart Scan Agent Pattern and Virus Pattern files in endpoints from corruption.

[Hotfix_6184] (TT-354760)

Issue: The OfficeScan web console cannot display the firewall exception list properly if the number of

exceptions in a firewall policy is a multiple of 249.

Solution: This hotfix updates the OfficeScan server programs to ensure that the OfficeScan web console

can successfully display the firewall exception list when the number of exceptions in a firewall policy is a

multiple of 249.

[Hotfix_6187] (TT-354226)

Issue: OfficeScan Data Protection causes Google(TM) Chrome version 53.0.2785.116 hang.

Solution: This hotfix resolves the hang issue when Chrome is running on its QUIC mode.

[Hotfix_6190] (TT-348875)

Issue: USB Floppy cannot be added into Exception of Removable Storage of OfficeScan Data

Protection(DLP) Policy Settings.

Solution: This hotfix resolves can add USB Floppy into Exception of Removable Storage of DLP Policy

Settings.

[Hotfix_6193] (TT-354503,354563,354690)

Issue 1: Several abnormal messages appear on the Windows 10 Red Stone platform even when the ping

results are successful.

Solution 1: This hotfix updates the OfficeScan agent program to prevent the abnormal messages in

computers running on the Windows 10 Red Stone platform.

Issue 2: The OfficeScan agent may not be able to scan a file successfully if the file is specified by a UNC

path.

Solution 2: This hotfix updates an agent file to ensure that the OfficeScan agent can scan files specified

using UNC paths successfully.

[Hotfix_6196] (TT-352967,353712,354440)

Issue 1: Some drivers cannot be loaded in Microsoft(TM) Windows(TM) 10 when both UEFI and Secure

Boot are enabled.

Solution 1: This hotfix updates a new driver with the "Microsoft Windows Hardware Compatibility

Publisher" digital signature to ensure that drivers can be loaded successfully.

Issue 2: The Avaya Scopia(TM) log in page stops responding when the AEGIS module does not receive a


Solution 2: This hotfix enables users to disable the self- protection feature of the AEGIS module for Avaya

Scopia to prevent the incompatibility issue and ensure that Avaya Scopia runs normally on protected

computers.

Procedure 2: To disable the self-protection feature of the AEGIS module in affected computers:


b. Stop the OfficeScan agent service.

c. Open the Registry Editor.

d. Add the following key and set its value to "1".

PATH:HKEY_LOCAL_MACHINE¥SYSTEM¥CurrentControlSet¥Services¥tmactmon¥Parameters


TYPE:dword

VALUE: 1, disables the self-protection feature

0, enables the self-protection feature

e. Start the OfficeScan agent service.

Issue 3: After upgrading to OfficeScan 11.0 Service Pack 1 Build 6134, the OfficeScan web console stops

responding when users delete a domain in the "Agent Management > Manage Agent Tree > Remove

Domain/Agent" screen.

Solution 3: This hotfix ensures that users can delete domains normally in the "Agent Management >

Manage Agent Tree > Remove Domain/Agent" screen.

[Hotfix_6199] (TT-353736)

Enhancement: This hotfix improves the index mechanism for the SQL table containing the OfficeScan

agent information.

[JP_CP_6206] (TT-356190)

Issue: After apply CP6125, windows machine becomes Very Slow, OfficeScan agent encounters

performance issues during a RealTime Scan when the Ravage Scan feature is enabled.

Solution: Repack the CP6125 to resolve it

[Hotfix_6209] (TT-353132)

Issue: Sometimes, the wrong license information appears on the OfficeScan "Product License" page after

users click on the "Update Information" button.

Solution: This hotfix ensures that the "Update Information" button works normally and that the correct

license information appears on the OfficeScan "Product License" page.

[Hotfix_6212] (TT-352273)

Issue 1: The UMH driver triggers an unexpected error.

Solution 1: This hotfix updates the UMH driver to resolve the issue.

Issue 2: The UMH driver triggers an unexpected error in the Windows 10 Red Stone platform.


[Hotfix_6213] (TT-355509)

Issue: When a user changes the computer name of an OfficeScan agent that is registered to Trend Micro

Control Manager(TM), the corresponding computer name information on the Control Manager console

does not change.

Solution: This hot fix adds a function that automatically updates the OfficeScan agent's computer name

information on the Control Manager console after a user edits the computer name of the OfficeScan agent.

[Hotfix_6213.1] (TT-352977)

Issue: When users deploy an OfficeScan policy from Control Manager using the "PolicyExportTool.exe"

utility, the exported policy displays the wrong component type for the comOSCECCCA component.

Solution: This hotfix ensures that when the "PolicyExportTool.exe" utility exports OfficeScan policies

from Control Manager, the exported policies display the correct component types.

[Hotfix_6214] (TT-353505)

Issue: The "Date/Time" field on the "Spyware/Grayware Log" page of the OfficeScan server console

displays the time when the server received each Security Risk log instead of the date and time that a

malware was detected on an OfficeScan agent.

Solution: This hotfix corrects the "Date/Time" information on the "Spyware/Grayware Log" page.

[Hotfix_6214.1] (TT-355109)

Issue: The "Unmanaged Endpoints" page of the OfficeScan web console may not display the progress of

the agent installation task if a selected endpoint under the Active Directory (AD) contains an ampersand

character "&".

Solution: This hotfix ensures that the "Unmanaged Endpoints" page displays the progress of the agent

installation task.

[Hotfix_6216] (TT-350316)



Solution: This hotfix enables users to disable the self-protection feature of the AEGIS module for Avaya


computers.





[Global Setting]







PATH:HKEY_LOCAL_MACHINE¥SYSTEM¥CurrentControlSet¥Services¥tmactmon¥Parameters


TYPE:dword

VALUE: 1, disables the self-protection feature

0, enables the self-protection feature

[JP_Hotfix_6217] (TT-355734)

Issue: The "dsu_convert.exe" tool stops unexpectedly and triggers an error message when it encounters

multibyte characters in the "DomainSetting.ini" file.

Solution: This hot fix resolves this issue by enabling the "dsu_convert.exe" tool to support multibyte

characters.

[Hotfix_6221] (TT-355317)

Issue: Setting "RmvTmTDI=1" removes the following OfficeScan agent drivers which can trigger WRS to

stop working.

- TMTDI.sys

- TMEEVW.sys

- TMUSA.sys

Solution: This hotfix provides a new option that allows users to prevent OfficeScan from removing the

"TMEEVW.sys" and "TMUSA.sys" drivers when "RmvTmTDI" is enabled to ensure that WRS still works

normally under this scenario.

Procedure: To enable OfficeScan to remove only the "TMTDI.sys" driver when "RmvTmTDI=1":


b. Open the "ofcscan.ini" file in the "¥PCCSRV¥"folder of the OfficeScan installation directory.


[Global Setting]

RmvTmTDI=1

KeepOspreyWhenRmvTmTDI=1






PATH:HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥Misc.

KEY:KeepOspreyWhenRmvTmTDI

TYPE:DWORD

VALUE: 1

[Hotfix_6223] (TT-349600)

Enhancement: This hotfix adds settings for the following OfficeScan services on the domain level of

Windows server platforms.

- Behavior Monitoring Service

- Firewall Service

- Trend Micro Data Loss Prevention(TM) (DLP) Service



Procedure: To enable the new service settings:



directory.

c. Under the "INI_SERVER_SECTION" section, manually add the following key and set its value to

"1".


SupportToConfigureServerPlatformForMultiClient=1


[DE_Hotfix_6224] (TT-356025)

Issue 1: The UMH driver triggers an unexpected error.


Issue 2: The UMH driver triggers an unexpected error in the Windows 10 Red Stone platform.


[Hotfix_6227] (TT-355419)

Issue 1: Copy a content of a cell from one to another in Microsoft Excel may cause system unresponsive.

Solution 1: The hot fix resolves the hang issue.

Issue 2: When set MAX_FILE_SIZE and MAX_CHECK_FILE_SIZE and try to block *.*, the files inside

a zip will still be blocked even its size is big enough.

Solution 2: Fix the isssue and make the blocking size check the same when a file is within or without a zip

file.

[Hotfix_6231] (TT-354728)

Enhancement: This hotfix provides a way for users to configure OfficeScan agents to automatically

disconnect an established connection and to re-establish a connection when the network isolation feature is

triggered from a Control Manager server.



b. Open the "ofcscan.ini" file in the "¥PCCSRV¥" folder on the OfficeScan installation directory.

c. Under the "Global Setting" section, manually add the following key and set its value to "1".

[Global Setting]

cnqConnectionTermination=1



f. Click "Save" to deploy the setting to clients.

Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro ¥PC-cillinNTCorp¥CurrentVersion¥Misc.

Key: cnqConnectionTermination

Type: DWORD

Value: 0 = OfficeScan does not support network re-establish

1 = OfficeScan supports network re-establish

Note: This function works only on computers that retrieve its IP address from the DHCP server

automatically.

[Hotfix_6244] (TT-349527)

Issue: When an OfficeScan client detects malware, the corresponding pop-up window indicates that the

instance has been "resolved" instead of "detected". This occurs even when the OfficeScan client cannot

perform the required action on the malware.

Solution: This hotfix ensures that the pop-up window correctly indicates that the malware has been

"detected".

[Hotfix_6250] (TT-356853)

Issue: Installing OfficeScan 10.5 Patch 6 by web installation also installs ActiveX on the computer,

however, ActiveX uninstallation. As a result, users encounter an error is not removed during client while

installing OfficeScan 11 Service Pack 1 Critical Patch 6054 by web installation. This happens because the

"WinNTchk.dll" for the ActiveX component cannot be updated when a previous version of the file exists in

the installation directory. When this happens, the web installation fails.

Solution: This hotfix ensures that the OfficeScan server adds the version information of the

"WinNTChk.cab" file when it triggers web installation.

[Hotfix_6252] (TT-358070)

Issue 1: It is reported that the OfficeScan NT Listener service (TmListen.exe) in OfficeScan 11.0 Service

Pack 1 Patch 1 failed to start up on endpoints running Microsoft(TM) Windows(TM) Vista or Windows

Server 2008.

Solution 1: This hotfix updates the OfficeScan agent program to resolve this issue.

(TT352284)

Issue 2: The User Mode Hooking (UMH) driver causes an unexpected error.

Solution 2: This hotfix updates the UMH driver to resolve thisIssue.

(TT357381)

Issue 3: When users export the Scan Exclusion Lists for the following scan types from the "Agent

Management" screen of the OfficeScan web console, the generated CSV file will not contain any domain

setting information for OfficeScan agents:

- Manual scans

- Real-time scans

- Scheduled scans

- Scan Now

Solution 3: This hotfix updates the OfficeScan server files to ensure that when users export Scan

Exclusion Lists, the domain setting information for each OfficeScan agent appear on the exported CSV

files.

(TT355584)

Issue 4: In some OfficeScan agents managed by the Update Agent (UA), the T-ball logo on the bottom

right portion of the screen turns red since the "NtrtScan.exe" program keeps reloading.

Solution 4: This hotfix configures the "Agent Connection" setting to a global setting such that when it is

changed, the Setting Aggregation File (SAF) package will be updated accordingly. This update enables the

OfficeScan agents (managed by the Update Agent) to send a report to the OfficeScan server and instruct it

to clear the configuration flag since there is a new setting.

[Hotfix_6258] (TT-354263,357598,355833,357926,357331,356698,357554,344921,356965)

(TT354263)

Issue 1: The OfficeScan server database may crash if the database backup path follows the universal

naming convention (UNC) and the backup username length exceeds 32 characters.

Solution 1: This hotfix updates the OfficeScan server files to resolve this issue.

(TT357598)

Issue 2: The Microsoft(TM) Windows(TM) Event Log generates too many messages.

Solution 2: This hotfix enables OfficeScan to extend the cache time to 12 hours.

(TT357926)

Issue 3: DLP does not block the most current webmail site like Outlook.com.

Solution 3: This hotfix resolves this issue.

(TT357331)

Issue 4: After administrators remove or uninstall the OfficeScan agent, the OfficeScan server removes all

the OfficeScan agents from the database. This situation occurs when administrators set an agent unique

identifier (UID) as a root domain UID.

Solution 4: This hotfix updates the OfficeScan server files to add two check points to resolve this issue.

(TT356698)

Enhancement 1: This hotfix provides a way for users to approve programs to run without checks by

Meerkat (a detection improvement program that monitors newly encountered programs downloaded

through HTTP or email applications).

Procedure 1: To approve programs to run without checking by Meerkat:



c. Under the "Global Setting" section, manually add the "MKWL" key and assign the encrypted string

of the full program path.

[Global Setting]

MKWL="The encrypted string of the full program path"

Note: The encrypted string of the full program path needs to be provided by OfficeScan SEG engineer.





Path: for x64 platform

HKEY_LOCAL_MACHINE¥SOFTWARE¥Wow6432Node¥TrendMicro¥PC-cillinNTCorp¥CurrentVersi

on¥Misc.

for x86 platform

HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥Misc.

Key:MKWL

Type: String

Value: "The encrypted string of the full program path"

(TT357554)

Enhancement 2: This hotfix updates the Data Loss Prevention Endpoint SDK 6.0 to support the following

Google Chrome versions:

- 54.0.2840.99

- 55.0.2883.75

(TT344921)

Enhancement 3: This hotfix enables Data Loss Prevention Endpoint SDK 6.0 Webmail channel to share

the exception from Email channel.

Procedure 3: To configure the "apply_email_wblist_to_webmail" setting for DLP:



c. Under the "Configure" section, manually add the "apply_email_wblist_to_webmail" key and set its

value.

[Configure]

apply_email_wblist_to_webmail = true


e. Open the OfficeScan web console and click "Agents > Agent Management > Select domains or

agents > Settings > DLP settings".


The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in the

"dsa.pro" file in the "¥Windows¥System32¥dgagent¥" folder:

apply_email_wblist_to_webmail=true


(TT344921)

Enhancement 4: This hotfix enables the Data Loss Prevention Endpoint SDK 6.0 to support Lotus Notes

Webmail with its add-ons installed for Bank of Chengdu.

Procedure 4: To configure the "inet_enhanced_dwa_parser"setting for DLP:



c. Under the "Configure" section, manually add the "inet_enhanced_dwa_parser" key and set

its value.

[Configure]

inet_enhanced_dwa_parser = true



or

agents > Settings > DLP settings".


The OfficeScan server deploys the settings to OfficeScan agents and adds the following key

in the "dsa.pro" file in the "¥Windows¥System32¥dgagent¥" folder:

inet_enhanced_dwa_parser=true


[Hotfix_6263] (TT-357949,357004,357915,357769,358146,356728,356873)

(TT357949)

Issue 1: Automatic agent grouping uses rules defined by Microsoft(TM) Windows(TM) Active Directory


server, the status of enabled grouping rules shows a "Warning"sign.

Solution 1: This hotfix updates the OfficeScan programs to ensure that the enabled grouping rules will not

be affected by the synchronized AD information.

(TT357004)

Issue 2: In Microsoft(TM) Windows(TM) Vista/2008 or later clients, OfficeScan displays an incorrect

firewall driver version number. The correct version number is 5.83.1003, but the version number that

OfficeScan displays is 5.82.1050.

Solution 2: This hotfix ensures that the OfficeScan server references the "tmlwf.sys" and "tmwfp.sys" files

to determine the correct version number of the common firewall driver.

(TT357915)

Issue 3: While using the "Export Scan Exclusions" button, the "Scan Exclusion List (File Extensions)"

function generates a "N/A" message in the exported CSV file when the "Scan Exclusion List (Files)" value

is empty. This issue only happens in the "Scan Now" configuration.

Solution 3: This hotfix updates the OfficeScan programs to resolve this issue so that users can generate

correct information in the CSV file.

(TT357769)

Issue 4: OfficeScan leaks encrypted account passwords during web console operations. Unauthorized

users could use the leaked encrypted password to log on to the OfficeScan server console.

Solution 4: This hotfix updates the OfficeScan server program to ensure that OfficeScan does not leak

encrypted passwords.

(TT358146)

Issue 5: If user set the default browser to Chrome and click on hyperlinks from other applications, the

Chrome page shows a "try to access to an unexpected site "--disable-quic"" message.

Solution 5: This hotfix ensures that the Chrome page will not access unexpected "--disable-quic" sites

when users click hyperlinks from other applications once they set Chrome as the default browser.

(TT356728)

Issue 6: DLP blocks Exodus-jabber applications unexpectedly.

Solution 6: This hotfix ensures that Exodus-jabber works normally even when DLP is enabled on the

endpoint machines.

(TT356873)

Enhancement: This hotfix enables users to generate the Secure Sockets Layer (SSL) certificate with

SHA256 signature algorithm and 2048-bit public key for the OfficeScan web site which is installed on

Microsoft(TM) Internet Information Services (IIS) or Apache(TM) HTTP Server through the

"SvrSvcSetup.exe" tool.

Procedure: To generate the SSL certificate with SHA256 signature algorithm and 2048-bit public key for

manually renew the IIS SSL certificate:


b. Log on as administrator, open a command prompt, and navigate to the "¥PCCSRV¥" directory.

c. Run the following command:

SvrSvcSetup.exe -GenIISCert

A new SSL certificate is generated and is automatically added to the IIS SSL certificate store.

d. Open the IIS Manager console (inetmgr.exe).

e. Right-click the OfficeScan web site, and then click "Edit Bindings...".

f. When the "Site Bindings" window opens, select "https type" and click "Edit...".

g. Select the newly-created SSL certificate and click "OK".

Note: Click the "View..." option to view the 2048-bit public key.

h. Click "Close".

To generate the SSL certificate with SHA256 signature algorithm and 2048-bit public key for manually

renew the Apache SSL certificate:




SvrSvcSetup.exe -GenApacheCert

A new SSL certificate is generated and is automatically added to the Apache SSL certificate

store.

d. Stop the following services:

- OfficeScan Master Service

- Apache Service

e. Start the following services:

- Apache Service


[Hotfix_6263.1] (TT-348161)

Issue: The Qastor application fails because Trend Micro's firewall takes too much time to check the hash

of the related executable image. This situation causes a timeout on the application's connection to the

server. ~

Solution: This hot fix updates the Network Security Components to ensure that Trend Micro's firewall

will asynchronously compute the hash value of the executable image that initiated a connection. While

the firewall computes the hash, all rules of the Application Filter will be unavailable until the hash value is

computed, preventing the system from blocking the application from its connection.

Procedure: To apply and deploy the solution globally:

a. Install this hot fix (see "Installation") and wait until the new Network Security Components has been

deployed to agents.

b. Restart the agent computers.

c. Open the "Ofcscan.ini" file in the "¥PCCSRV¥" folder on the OfficeScan server installation directory.

d. Add "AsyncHash=1" and "ALEPend=1" under the "Global Setting" section.

[Global Setting]

AsyncHash=1

ALEPend=1

e. Save the changes and close the file.

f. Open the OfficeScan web console and go to the "Agents > Global Agent Settings" screen.

g. Click "Save" to deploy the setting to agents.

The OfficeScan server deploys the command to OfficeScan agents and adds the following registry

entry on all OfficeScan agent computers:


NSC¥PFW

Key:AsyncHash

Type: REG_DWORD

Value: 1

Path: HKEY_LOCAL_MACHINE¥SYSTEM¥CurrentControlSet¥

services¥tmWfp¥Parameters

Key:ALEPend

Type: REG_DWORD

Value: 1

[Hotfix_6267] (TT-358436,357701,354253)

(TT358436)

Issue 1: OfficeScan can synchronize suspicious objects and retrieve actions against these objects from a

Control Manager server. However, an expired suspicious object is still synchronized to OfficeScan that

makes false detections on the agent.

Solution 1: This hotfix updates the OfficeScan programs to ensure that the expired suspicious objects will

not be detected.

(TT357701)

Issue 2: The "Agent Management" page of the OfficeScan web console may not display all OfficeScan

agents if the domain has a large number of OfficeScan agents.

Solution 2: This hotfix resolves the issue by updating the mechanism used by the SQL table containing the

OfficeScan agent information.

(TT354253)

Issue 3: The OfficeScan 11.0 Service Pack 1 Behavior Monitoring feature may block valid programs

without leaving a record of the block action in the detection log.

Solution 3: This hotfix updates the OfficeScan Behavior Monitoring program to ensure that it blocks the

correct programs.

[Hotfix_6271] (TT-354682,356152,357370,358458)

(TT354682)

Issue 1: On x86 platforms, the Aegis module sends Meerkat detection information to the Officescan server

and displays a pop-up dialog box that allows users to click on the "Allow Once" button. However, even

after users clicked on this button, Meerkat still blocks the application.

Solution 1: This hotfix updates Meerkat to check the payload of API events to prevent this issue from

happening.

(TT356152)

Issue 2: The OfficeScan User-Mode Hooking (UMH) function prevents the "java.exe" program from

working properly.

Solution 2: This hotfix adds "java.exe" onto the OfficeScan UMH whitelist pattern to ensure that the

"java.exe" program works properly.

(TT357370)

Issue 3: The OfficeScan UMH function prevents the WebISO software from working properly.

Solution 3: This hotfix adds the WebISO software into the OfficeScan UMH whitelist pattern to ensure

that the WebISO software works proeprly.

(TT358458)

Issue 4: Users may still be able to access web sites that the Trend Micro URL Filtering Engine (TMUFE)

failed to rate because of connection issues.

Solution 4: This hotfix provides a way for users to configure OfficeScan to automatically block access to

web sites if the TMUFE cannot rate the web sites.

Procedure:

To configure OfficeScan to automatically block access to web sites that the TMUFE cannot rate:


b. Open the "ofcscan.ini" file in the "¥PCCSRV¥"folder on the OfficeScan server installation

directory using a text editor.


[Global Setting]

URLFilterErrMode=1



f. Click "Save" to deploy the setting to agents.

The OfficeScan server deploys the command to OfficeScan agents and adds the following registry

entry on all OfficeScan agent computers:

Path:

HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥NSC¥TmProxy¥Scan¥Common¥URLFilter¥con

fig

Key:ErrMode

Type: dword

Value: 1

For Microsoft(TM) Windows(TM) 7/8/10 and

Windows Server 2008 R2/2012/2016:

Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥Osprey¥Scan¥Common¥URLFilter¥config

Key:ErrMode

Type: dword

Value: 1

g. Restart the OfficeScan agents.

[Hotfix_6274] (TT-349044,358714,359007,358753,358095,356199)

(TT349044)

Issue 1: The detected Virus/Malware information that appears in the OfficeScan web console does not

match the information in the Trend Micro Control Manager(TM) console.

Solution 1: This hotfix ensures that the OfficeScan server sends the correct Virus/Malware information to





b. Open the "Product.ini" file in the "¥PCCSRV¥CmAgent" folder on the OfficeScan server

installation directory using a text editor.


[Configure]




(TT358714)

Issue 2: On the "Agents > Agent Management" section of the OfficeScan web console, when users run an

advanced search for OfficeScan agents running with Update Agent "Disabled" status, the search results

always display both OfficeScan agents running with Update Agent "Enabled" status and "Disabled" status.

Solution 2: This hotfix updates the OfficeScan server program to ensure that when users run an advanced

search for OfficeScan agents running with Update Agent "Disabled" status, it displays the correct result.

(TT359007)

Issue 3: OfficeScan agents report their antivirus status information to the Microsoft(TM) Windows(TM)

Security Center (WSC) when the system starts. However, after the system restarts, WSC displays that the

OfficeScan antivirus reports are turned off.


(TT358753)

Issue 4: The OfficeScan NT Listener service ("TmListen.exe") may stop unexpectedly after the OfficeScan

agent encounters a mismatch certificate error. When this happens, the agent update is unsuccessful.

Solution 4: This hotfix updates the OfficeScan agent program to prevent the "TmListen.exe" from

stopping unexpectedly and ensures that the OfficeScan agent can handle the mismatch certificate error

properly.

(TT359384)

Issue 5: DLP does not block the drag-and-drop of files from current Webmail sites (such as

"Outlook.office.com" or "Outlook.live.com) when users use Google Chrome to access these Webmail sites.

Solution 5: This hotfix ensures that OfficeScan does not leak sensitive information when users use Google

Chrome to access these Webmail sites.

(TT356199)

Enhancement: This hotfix enables the Data Loss Prevention (DLP) Endpoint SDK 6.0 module to support

version 55.0.2883.87 of the Google(TM) Chrome(TM) web browser and version 50.1.0 of the

Mozilla(TM) Firefox(TM) web browser.

[Hotfix_6277] (TT-354730,358776)

Enhancement: This hotfix enhances the OfficeScan server to support Active Directory subgroups for

OfficeScan user accounts.



b. Open the "ofcserver.ini" file in the "¥PCCSRV¥Private" folder on the OfficeScan

installation directory.

c. Under the "INI_AD_INTEGRATION_SECTION" section, manually add the following key and set its

value to "1".


RBAMultilayerInheritanceForADUser=1


[Hotfix_6281] (TT-359424,355684,358910,355833,356731)

(TT359424)

Issue 1: After installing hotfixes on OfficeScan 11.0 Service Pack 1 and activating the OfficeScan Firewall

on agents, the Firewall logs display corrupted characters on both the agent console and the OfficeScan

server web console.

Solution 1: This hotfix updates the OfficeScan Firewall to ensure that the Firewall logs display the correct

information on both the agent console and the OfficeScan server web console.

(TT355684)

Issue 2: OfficeScan 11.0 Service Pack 1 (SP1) Critical Patch (CP) Build 6054 is unable to use the Sesame

mobile application on endpoints.

Solution 2: This hotfix ensures that the User-Mode Hooking (UMH) does not hook the

"ZWProtectVirtualMemory" API when the "Aclayer.dll" file exists.

(TT358910)

Issue 3: Data Loss Prevention does not block large files inside ZIP archives, even if the boundary of the

file size exceeds the maximum value.

Solution 3: This hotfix ensures that Data Loss Prevention properly blocks large files inside a ZIP archives.

(TT358910)

Issue 4: Microsoft Access (.mdb) files cannot be recovered to USB storage from the Data Loss Prevention

backup folder.

Solution 4: This hotfix ensures that Data Loss Prevention can successfully recover Microsoft Access

(.mdb) files.

(TT355833)

Issue 5: The Listdeviceinfo tool cannot get information from external devices such as "LaCie Rugged

THB USB3 SCSI Disk Device".

Solution 5: This hotfix resolves this tool issue.

(TT349044)

Issue 6: The detected Virus/Malware information that appears in the OfficeScan web console does not

match the information in the Trend Micro Control Manager(TM) console.

Solution 6: This hotfix ensures that the OfficeScan server sends the correct Virus/Malware information to





b. Open the "Product.ini" file in the

"¥PCCSRV¥CmAgent" folder on the OfficeScan server installation directory using a text editor.


[Configure]




(TT358714)

Issue 7: On the "Agents > Agent Management" section of the OfficeScan web console, when users run an

advanced search for OfficeScan agents running with Update Agent "Disabled" status, the search results

always display both OfficeScan agents running with Update Agent "Enabled" status and "Disabled" status.

Solution 7: This hotfix updates the OfficeScan server program to ensure that when users run an advanced

search for OfficeScan agents running with Update Agent "Disabled" status, it displays the correct result.

(TT359007)

Issue 8: OfficeScan agents report their antivirus status information to the Microsoft(TM) Windows(TM)




(TT358753)

Issue 9: The OfficeScan NT Listener service ("TmListen.exe") may stop unexpectedly after the OfficeScan

agent encounters a mismatch certificate error. When this happens, the agent update is unsuccessful.

Solution 9: This hotfix updates the OfficeScan agent program to prevent the "TmListen.exe" from

stopping unexpectedly and ensures that the OfficeScan agent can handle the mismatch certificate error

properly.

(TT359384)



Solution10: This hotfix ensures that OfficeScan does not leak sensitive information when users use

Google Chrome to access these Webmail sites.

(TT354682)

Issue 11: On x86 platforms, the Aegis module sends Meerkat detection information to the Officescan

server and displays a pop-up dialog box that allows users to click on the "Allow Once" button. However,

even after users clicked on this button, Meerkat still blocks the application.

Solution11: This hotfix updates Meerkat to check the payload of API events to prevent this issue from

happening.

(TT356152)

Issue 12: The OfficeScan User-Mode Hooking (UMH) function prevents the "java.exe" program from

working properly.

Solution 12: This hotfix adds "java.exe" onto the OfficeScan UMH whitelist pattern to ensure that the

"java.exe" program works properly.

(TT357370)

Issue 13: The OfficeScan UMH function prevents the WebISO software from working properly.

Solution13: This hotfix adds the WebISO software into the OfficeScan UMH whitelist pattern to ensure

that the WebISO software works proeprly.

(TT358458)

Issue 14: Users may still be able to access web sites that the Trend Micro URL Filtering Engine (TMUFE)

failed to rate because of connection issues.

Solution 14: This hotfix provides a way for users to configure OfficeScan to automatically block access to

web sites if the TMUFE cannot rate the web sites.

Procedure: To configure OfficeScan to automatically block access to web sites that the TMUFE cannot

rate:


b. Open the "ofcscan.ini" file in the "¥PCCSRV¥" folder on the OfficeScan server installation

directory using a text editor.


[Global Setting]

URLFilterErrMode=1



f. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan

agents and adds the following registry ¥entry on all OfficeScan agent computers:

Path:

HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥NSC¥TmProxy¥Scan¥Common¥URLFilter¥con

fig

Key:ErrMode

Type: dword

Value: 1

For Microsoft(TM) Windows(TM) 7/8/10 and Windows Server 2008 R2/2012/2016:

Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥Osprey¥Scan¥Common¥URLFilter¥config

Key:ErrMode

Type: dword

Value: 1


(TT358436)

Issue 15: OfficeScan can synchronize suspicious objects and retrieve actions against these objects from a

Control Manager server. However, an expired suspicious object is still synchronized to OfficeScan that

makes false detections on the agent.

Solution15: This hotfix updates the OfficeScan programs to ensure that the expired suspicious objects will

not be detected.

(TT357701)

Issue 16: The "Agent Management" page of the OfficeScan web console may not display all OfficeScan

agents if the domain has a large number of OfficeScan agents.

Solution16: This hotfix resolves the issue by updating the mechanism used by the SQL table containing

the OfficeScan agent information.

(TT354253)

Issue 17: The OfficeScan 11.0 Service Pack 1 Behavior Monitoring feature may block valid programs

without leaving a record of the block action in the detection log.

Solution17: This hotfix updates the OfficeScan Behavior Monitoring program to ensure that it blocks the

correct programs.

(TT357949)

Issue 18: Automatic agent grouping uses rules defined by Microsoft(TM) Windows(TM) Active Directory


server,the status of enabled grouping rules shows a "Warning" sign.

Solution18: This hotfix updates the OfficeScan programs to ensure that the enabled grouping rules will not

be effected by the synchronized AD information.

(TT357004)

Issue 19: In Microsoft(TM) Windows(TM) Vista/2008 or later clients, OfficeScan displays an incorrect



Solution19: This hotfix ensures that the OfficeScan server references the "tmlwf.sys" and "tmwfp.sys"

files to determine the correct version number of the common firewall driver.

(TT357915)

Issue 20: While using the "Export Scan Exclusions" button, the "Scan Exclusion List (File Extensions)"

function generates a "N/A" message in the exported CSV file when the "Scan Exclusion List (Files)" value

is empty. This issue only happens in the "Scan Now" configuration.

Solution 20: This hotfix updates the OfficeScan programs to resolve this issue so that users can generate

correct information in the CSV file.

(TT357769)



Solution 21: This hotfix updates the OfficeScan server program to ensure that OfficeScan does not leak

encrypted passwords.

(TT358146)



Solution 22: This hotfix ensures that the Chrome page will not access unexpected "--disable-quic" sites


(TT356728)

Issue 23: DLP blocks Exodus-jabber applications unexpectedly.

Solution23: This hotfix ensures that Exodus-jabber works normally even when DLP is enabled on the

endpoint machines.

(TT356731)

Issue 24: Enabling the Browser Exploit Protection (BEP) function causes Microsoft(TM) Internet Explorer

11 to crash when combined with Trend Micro add-ins (BEP) and the vSentry product from Bromium.


(TT356199)

Enhancement 1: This hotfix enables the Data Loss Prevention (DLP) Endpoint SDK 6.0 module to

support version 55.0.2883.87 of the Google(TM) Chrome(TM) web browser and version 50.1.0 of the

Mozilla(TM) Firefox(TM) web browser.

(TT356873)

Enhancement 2: This hotfix enables users to generate the Secure Sockets Layer (SSL) certificate with

SHA256 signature algorithm and 2048-bit public key for the OfficeScan web site which is installed on

Microsoft(TM) Internet Information Services (IIS) or Apache(TM) HTTP Server through the

"SvrSvcSetup.exe" tool.

Procedure: To generate the SSL certificate with SHA256 signature algorithm and 2048-bit public key for

manually renew the IIS SSL certificate:



c. Run the following command: SvrSvcSetup.exe -GenIISCert

A new SSL certificate is generated and is automatically added to the IIS SSL certificate

store.





Note: Click the "View..." option to view the 2048-bit public key.

h. Click "Close".

To generate the SSL certificate with SHA256 signature algorithm and 2048-bit public key for manually

renew the Apache SSL certificate:




SvrSvcSetup.exe -GenApacheCert

A new SSL certificate is generated and is automatically added to the Apache SSL certificate

store.

d. Stop the following services:


- Apache Service

e. Start the following services:

- Apache Service


[Hotfix_6281.1] (TT-357771)

Issue: An issue related to the AEGIS module of the OfficeScan agent program may cause certain operating

systems to stop responding.

Solution: This hot fix updates the Behavior Monitoring Service module to resolve the issue.

[CP_6285] (TT-359321)

Issue: After installing OfficeScan Service Pack (SP1) Patch 1, the OfficeScan Smart Scan Pattern cannot

be updated.

Solution: This critical patch updates the ActiveUpdate module to resolve the issue.

[Hotfix_6292] (TT-358489,359534,356903)

(TT358489)

Issue 1: OfficeScan Behavior Monitoring feature is unable to get the device type correctly when users

launch programs by running as administrators (using administrator privileges).

Solution 1: This hotfix updates the Behavior Monitoring Service module to resolve this issue.

(TT359534)

Issue 2: An initialized issue related to the OfficeScan Control Manager Agent service

("OfcCMAgent.exe") may cause the OfcCMAgent.exe to stop unexpectedly.

Solution 2: This hotfix updates the OfficeScan Control Manager Agent program to prevent from this issue.

(TT356903)

Issue 3: A signature verification issue related to the AEGIS module of the OfficeScan agent program may

cause certain operating systems to stop unexpectedly.

Solution 3: This hotfix updates the Behavior Monitoring Service module to resolve the issue.

(TT360032)

Enhancement 1: This hotfix enables the Data Loss Prevention (DLP)

Endpoint SDK 6.0 module starts to support the following Google Chrome versions:

- Google (TM) Chrome(TM) 55.0.2883.87

- Google (TM) Chrome(TM) 56.0.2924.87

(TT357707)

Enhancement 2: This hotfix enables the Address Space Layout Randomization (ASLR) of Data Loss

Prevention (DLP) Endpoint SDK 6.0 for DLL injection.

[Hotfix_6299] (TT-359331,359477,357853,360097,357054,359521,359522)

(TT359477)

Issue 1: The OfficeScan User Mode Hooking (UMH) function may cause the "mkdir.exe" program to stop

unexpectedly.

Solution 1: This hotfix updates the OfficeScan User Mode Hooking module to resolve this issue.

(TT357853)

Issue 2: When the "Protect documents against unauthorized encryption or modification" feature of

Ransomware Protection is enabled, the OfficeScan agent may prevent a valid program from running if the

size of the program file is too large.


(TT360097)

Issue 3: The Server Tuner tool optimizes the performance of the OfficeScan server. However, its

Maximum Client Connections setting does not work.

Solution 3: This hotfix updates the OfficeScan server program to ensure that the tool's Maximum Client

Connections setting works normally.

(TT357054)

Issue 4: When there are hotfix updates, the OfficeScan server checks all client components and prompts all



Solution 4: This hotfix ensures that the OfficeScan server does not notify a client of hotfix updates if the

No Program Upgrade option is enabled in the client.

(TT359331)

Issue 5: The OfficeScan Behavior Monitoring program ("TMBMSRV.exe") crashes when the

"MeerkatSkipUNC" option is enabled.

Solution 5: This hotfix updates the OfficeScan Behavior Monitoring program to correct this issue.

(TT359521)

Issue 6: When users upload files from the SMB folder to the internal website and iDLP is enabled, the

upload may be interrupted intermittently.

Solution 6: This hotfix enables iDLP to check if a file is from SMB before it attempts to access the file

information. If the source file is an SMB file, iDLP will then Impersonate to download the file.

(TT357721)

Issue 7: The library license of the third-party application Dymola conflicts with DLP.

Solution 7: This hotfix adds "dymola.exe" and "license_check.exe" to the approved list to remove the

conflict.

(TT359522)

Issue 8: When OfficeScan parses the contents of a policy that it receives from Control Manager, some

space characters may be removed from the policy which changes certain settings when applied to

OfficeScan.

Solution 8: This hotfix ensures that OfficeScan can parse and apply Control Manager policies properly.

[Hotfix_6302] (SEG-1587,SEG-1781,SEG-2639,SEG-2727)

(JIRA1587)

Issue 1: The "Quarantine malware variants detected in memory" feature needs to be enabled before the

Memory Inspection Pattern (MIP) can be updated on OfficeScan agents.


(JIRA1781)

Issue 2: Sometimes, the value of the "SourceUUID" setting in the "Ofcserver.ini" file is overwritten which

prevents OfficeScan from updating the suspicious object list.

Solution 2: This hotfix ensures that the "SourceUUID" setting is not overwritten unexpectedly.

(JIRA2639)

Issue 3: Sometimes, OfficeScan does not create system dump files when an exception error occurs.

Solution 3: This hotfix ensures that OfficeScan catches exception system codes and creates the

corresponding system dump files when it encounters these codes.

[Hotfix_6306] (TT-359200,SEG-2785)

(TT359200)

Issue 1: The "TMBMSRV.exe" process stops responding when debug log is enabled.

Solution 1: This hotfix resolves the issue by ensuring that the debug log output function receives the

correct information.

(JIRA2785)

Issue 2: Blue screen of death (BSOD) occurs when the OfficeScan agent AEGIS module runs

simultaneously with an encryption software.

Solution 2: This hotfix enables the AEGIS module of OfficeScan agents to work normally with encryption

software.

[Hotfix_6308] (SEG-1474)

(JIRA1474)

Issue 1: The Agent Connectivity widget displays inaccurate total number of connected clients for each

Smart Protection Server information.

Solution 1: This hotfix updates the OfficeScan server program to ensure that the Agent Connectivity

widget displays accurate information.

[Hotfix_6310] (SEG-3508)

(JIRA3508)

Enhancement: The OfficeScan server automatically notifies an OfficeScan client to change its GUID after

it determines that there is a duplicate GUID. However, the OfficeScan server does not generate an event

log if it cannot notify the client for some reason. This hotfix provides a way for users to enable the

OfficeScan server if it cannot notify an OfficeScan client to change its GUID.

Procedure: To enable the OfficeScan server to generate an event log if it cannot notify an OfficeScan

client to change its GUID when it detects duplicate GUIDs:


b. Open the "Ofcscan.ini" file in the "¥PCCSRV¥" folder on the OfficeScan server installation directory

using a text editor.

c. Under the "INI_SERVER_SECTION" section, locate the following key and set its value to "1".


Event_Log_Flag=1


e. Restart the OfficeScan Master Service.

[Hotfix_6313] (SEG-1442,SEG-2354,SEG-3487,SEG-3616,SEG-3016,SEG-3455)

(JIRA2354)

Issue 1: When users set the firewall exception rule to a single IP, the IP address does not appear on the

OfficeScan agent console.

Solution 1: This hotfix ensures that the IP address appears on the OfficeScan agent console.

(JIRA3487)

Issue 2: It takes a long time to export the scan exclusion list from the OfficeScan web console.

Solution 2: This hotfix improves the export function to enable OfficeScan to export the scan exclusion list

faster.

(JIRA1442)

Issue 3: A Microsoft Windows Security audit failure by "tmevtmgr.sys" appears in the Windows system

event log.

Solution 3: This hotfix resolves the issue by enabling the build option in the AEGIS driver to include a

"path hash".

(JIRA3616)

Issue 4: When an OfficeScan agent downloads a file that does not have a valid digital signature, the file

path information in the corresponding system event log will be truncated on the OfficeScan web console.

Solution 4: This hotfix ensures that system event logs display the complete file path information on the

OfficeScan web console.

[Hotfix_6314] (SEG-2660)

(JIRA1991, JIRA2660)

Issue: After users install hotfixes on OfficeScan 11.0 Service Pack 1 and activate the OfficeScan Firewall

on agents running Windows XP, the Firewall service encounters network access issues.

Solution: This hotfix updates the OfficeScan Firewall to resolve the network access issues.

Note: Restart the endpoint to update the Common Firewall module of OfficeScan agents.

[Hotfix_6315] (TT-350467)

Enhancement: This hotfix enables the Behavior Monitoring approved list to support the asterisk (*) and

question mark (?) wildcard characters in program path names and file names.

[Hotfix_6317] (SEG-3533,SEG-2809)

(JIRA3533, JIRA2785, JIRA3668)

Issue: Blue screen of death (BSOD) occurs when the OfficeScan agent AEGIS module runs

simultaneously with an encryption software.

Solution: This hotfix enables the AEGIS module of OfficeScan agents to work normally with encryption

software.

[CP_6325] (VRTS-283,VRTS-393,VRTS-615)

(VRTS-283)

Issue 1: When the Web Reputation Service (WRS) of the OfficeScan agent program blocks access to a

certain webpage, it displays the "Website blocked by Trend Micro OfficeScan" alert page instead. This

alert page may be affected by XSS vulnerabilities.

Solution 1: This critical patch updates the OfficeScan agent program to resolve the XSS vulnerabilities.

(VRTS-393)

Issue 2: Encrypted account passwords may leak out during web console operations. Unauthorized users


Solution 2: This critical patch ensures that encrypted passwords are secure during web console operations.

(VRTS-615)

Enhancement: This critical patch updates the OfficeScan agent program to improve its self-protection

mechanism to protect against a local attacker to inject malicious code.

[Hotfix_6325] (TT-359608,SEG-1715,SEG-2673,SEG-3289)

(JIRA1715)

Issue 1: It takes a long time for the Windows Disk Manager to start when OfficeScan's Ravage Scan

feature is enabled.

Solution 1: This hotfix enables users to configure the OfficeScan Ravage Scan feature to skip a specific

virtual hard disk to allow the Disk Manager to start normally.

Procedure: To enable the Ravage Scan feature to skip a specific virtual hard disk:


b. Open the Registry Editor.

c. Add the following key:

Path:[HKEY_LOCAL_MACHINE¥SYSTEM¥CurrentControlSet¥services¥tmactmon¥Parameters]

Type:dword

Key: SkipVirtualHarddisk

Data Value: 00000001

d. Restart the OfficeScan client computer.

(JIRA2673)

Issue 2: PccNT.exe stops unexpectedly because the following agent registry contains a value that is larger

than the maximum supported value.

Path: [HKEY_LOCAL_MACHINE¥SOFTWARE¥Wow6432Node¥

TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥Misc.]

Type: dword:7fffffff

Key:TotalScanned

Solution 2: This hotfix updates the "fcWofieUI.dll" (for 32-bit) and "fcWofieUI_64x.dll" (for 64-bit)

OfficeScan agent files to solve this issue.

(TT359608)

Issue 3: Users cannot run a manual sync on the "Suspicious Object List Setting" page when the "Enable

Suspicious URL list" option is disabled.

Solution 3: This hotfix ensures that manual sync can complete successfully when the "Enable Suspicious

URL list" option is disabled.

(JIRA3289)

Issue 4: The error-handling mechanism of POP3 and SMTP scans may attempt to access tmp files which

can trigger the TmListen service to stop unexpectedly.

Solution 4: This hotfix resolves the issue by ensuring that the error-handling mechanism accesses only

valid local file paths.

[JP_Hotfix_6325.1] (SEG-2812)

(SEG-3487)

Issue: Garbled characters appear in POP3 email notification for malicious email message contents.

Solution: This hotfix resolves the issue by changing the text encoding format for POP3 email notifications

from West Europe to shift-JIS.

NOTE: This time registry deployment solution is not supported in offline OfficeScan agents.


(TT358992)

Issue 1: Users cannot access the "Advanced Search" web page from the "Firewall Profile Settings" page of

the OfficeScan web console.

Solution 1: This hotfix updates the OfficeScan server program files to ensure that users can access the

"Advanced Search" web page from the "Firewall Profile Settings" page.

(JIRA1891)

Issue 2: The DLP module may not work normally while other programs are uploading files to the Internet.

Solution 2: This hotfix ensures that the DLP module works normally when other programs are to

uploading files to the Internet.

[Hotfix_6332] (TT-355401,356199,354983,356408,353933,355208)

Issue 1: AutoCAD(TM) closes unexpectedly after users enable the Trend Micro Data Loss

Prevention(TM) function on computers protected by OfficeScan Agent.

Solution 1: This hot fix adds AutoCAD into the approved list to ensure that it works normally on

computers protected OfficeScan Agent while the Data Loss Prevention function is enabled.

Issue 2: Boot2Docker does not launch on Windows 7/10 when users enable the Trend Micro Data Loss

Prevention(TM).

Solution 2: This hot fix ensures that Boot2Docker works normally on Windows 7/10 computers protected

OfficeScan Agent while the Data Loss Prevention function is enabled.

Issue 3: Users can delete files under USB storage devices that they only have READ permission to access.

Solution 3: This hotfix ensures that only users with the correct application permission can run applications

under USB storage devices.

[RU_Hotfix_6334] (SEG-1989,SEG-4705,SEG-4671)

Enhancement: This hotfix enables the Behavior Monitoring approved list to support the asterisk (*) and

question mark (?) wildcard characters in program path names and file names.


(JIRA3345)

Issue 1: The OfficeScan agent blocks a program that has been downloaded from an email message or

through HTTP even when the program is in the approved list.

Solution 1: This hotfix ensures that OfficeScan agents block the correct programs.

(JIRA2468)

Issue 2: The OfficeScan web console takes longer than usual to load because of a large number of

DB_FLUSH commands.

Solution 2: This hotfix minimizes the number of DB_FLUSH commandsto ensure that the OfficeScan web

console loads normally.

(JIRA3919)

Issue 3: When enabling the OfficeScan debug log, clicking on the "Save" button twice overwrites the

specified debug log path in the "ofcdebug.ini" file. When this happens, debug logs are saved in another

location.

Solution 3: This hotfix enables OfficeScan to always use the default log path if only the log name is set on

the web console.

(JIRA2232)

Issue 4: Duplicate DLP violation logs are generated when users attempt to print a PDF file that contains

sensitive information in Adobe(TM) Reader.

Solution 4: This hotfix applies the App White Cache mechanism according to process name to enable DLP

to treat multiple print operations from "AcroRd32.exe" that occur within a one second period as one event.

This helps prevent duplicate violation logs.


(JIRA 3931)

Issue: When DLP detects that sensitive information was sent through an email message in "outlook.com",

the OfficeScan agent generates a blank "Activity/Channel" log.

Solution: This hotfix resolves this issue by updating the OfficeScan agent.

(JIRA 5361)

Enhancements: This hotfix enables DLP Endpoint SDK 6.0 to support Chrome 58.0.3029.81.

(JIRA 5633)

Enhancements: This hotfix provides a way to configure the AEGIS module in OfficeScan clients to skip

Virtual Disks during scans.

Procedure: To configure the AEGIS module to skip Virtual Disks during scans:


b. Open the "ofcscan.ini" file in the "¥PCCSRV¥"folder of the OfficeScan server.


[Global Setting]

SkipVirtualHarddisk=1


e. Open the OfficeScan server management console and click "Agents > Global Agent Settings"

on the main menu to access the "Global Agent Settings" page.


The OfficeScan server deploys the command to agents and adds the following registry entry

on all agent computers:

Path:

HKEY_LOCAL_MACHINE¥SYSTEM¥CurrentControlSet¥services¥tmactmon¥Parameters

Key: SkipVirtualHarddisk

Type: dword

Value: 1

[Hotfix_6350] (SEG-5041,SEG-5993)

(JIRA 5041)

Issue: The operating system version of registered OfficeScan servers installed on Windows Server 2012

R2 appears as "6.2 (build 9200)" instead of "6.3 (build 9600)" on the Control Manager web console.

Solution: This hotfix resolves this issue by ensuring that OfficeScan servers installed on Windows Server

2012 R2 register to the Control Manager server using operating system version "6.3 (build 9600)".

[Hotfix_6351] (SEG-6181)

(JIRA 6181)

Issue: OfficeScan agents running Data Loss Prevention may experience a Blue Screen of Death (BSoD)

when accessing files in shared (SMB) folders.

Solution: This hotfix resolves the BSoD issue when accessing files in shared (SMB) folders.

[CP_6355CP_6367(L10n)] (SEG-6313)

(JIRA 6313)

Enhancement: This critical patch enables the OfficeScan agent program to support Windows 10 Creators

Update RS2.

(JIRA 7214)

Issue: A blue screen of death (BSOD) occurs when the Trend Micro Common Module (tmcomm.sys)

attempts to parse the service name list of a Windows kernel device in the device tree.

Solution: This hotfix updates the Trend Micro Common Module on OfficeScan agents to resolve this

issue.

[Hotfix_6369] (TT-360007,359870)

(SBM 360007)

Issue: The OfficeScan Web Reputation feature blocks normal access to websites if the endpoint also has

the Symantec Data Loss Prevention application running.

Solution: This hotfix updates the OfficeScan agent module to ensure that the OfficeScan Web Reputation

feature does not conflict with the Symantec Data Loss Prevention application.

[Hotfix_6370(control release)] (SEG-1689)

(JIRA 1689)

Enhancements: This hotfix provides a way for users to configure OfficeScan agents to automatically

disconnect an established connection and to re-establish a connection when the OfficeScan server triggers

a network isolation function. Users can move OfficeScan agents to specific domains that are defined to

apply network isolation.




c. Under the "Global Setting" section, manually add the following keys and set values.

[Global Setting]

PFWPolicyWithConnectionReset=1

Value: 0 = OfficeScan does not support network isolation

1 = OfficeScan supports network isolation

PFWPolicyWithConnectionResetDomainList=Domain_Name

For example: Workgroup, Domain1

Provide a domain name or domain list use for network isolation.

PFWPolicyWithConnectionResetDurationInSec=30

Value: 0 = Disable connection reset

30 = Rest connection in 30 seconds (default value)




Path:

HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥Misc.

Key: PFWPolicyWithConnectionReset

Type: DWORD

Value: 0 = OfficeScan does not support network isolation

1 = OfficeScan supports network isolation

Key: PFWPolicyWithConnectionResetDomainList

Type: String

Value: Domain_name set by user

Example: Workgroup, Domain1

Key: PFWPolicyWithConnectionResetDurationInSec

Type: DWORD

Value: 0 = Disable connection reset

30 = Rest connection in 30 seconds

Note: Restart the endpoint to update the Common Firewall module of OfficeScan agents.

[Hotfix_6371] (SEG-4799)

(JIRA 4799)

Issue: The OfficeScan Behavior Monitoring feature may cause certain computers to lock up intermittently

when TMEAC is installed.


[Hotfix_6373] (SEG-5477)

(JIRA 3443)

Issue: When the OfficeScan agent connects to SSL-VPN and the MAC address field is empty, the

OfficeScan agent will attempt to resolve the IP and MAC addresses repeatedly but the SSL-VPN IP

address still does not appear in the network cards list on the agent console.

Solution: This hotfix updates the OfficeScan agent program to prevent it from attempting to resolve the IP

and MAC addresses when the MAC address field is empty. It also helps ensure that the IP address appears

on the OfficeScan agent console.

(JIRA 5477)

Issue: The OfficeScan agent does not successfully upgrade even after applying new hotfix files.

Solution: This hotfix resolves the OfficeScan agent upgrade issue.

(JIRA 6873)

Issue: The administrator cannot register USB information that includes the pound sign (#) or "and" sign

(&) in the Data Loss Prevention (DLP) exception list.


[Hotfix_6380] (VRTS-694)

(VRTS-693)

Issue: The OfficeScan ToolBox service is affected by the Windows unquoted service path vulnerability.

Solution: This hotfix reinstalls the service to remove the vulnerability.

[Hotfix_6383]

(TT-359895,SEG-3443,SEG-6323,SEG-6391,SEG-6528,SEG-6873,SEG-7273,SEG-8017,SEG-7944)

(TT359895)

Issue: The OfficeScan server cannot check the signature on a Control Manager policy if the policy settings

contain non-ASCII characters.

Solution: This hotfix enables the OfficeScan server to handle non-ASCII strings in Control Manager

policies to ensure that the server can check the signature of these policies.

(JIRA 6323)

Issue: Enabling the NT RealTime Scan causes OfficeScan agents to freeze. This issue occurs because

OpenSSL uses the AES-NI instruction set, which is not supported by some CPU types.

Solution: This hotfix resolves this issue by updating the OpenSSL component.

(JIRA 6391)

Issue: The Microsoft(TM) Internet Explorer browser does not interpret double-byte strings correctly. Thus,

user accounts do not display correctly.

Solution: This hotfix adds a function to determine whether a string contains double-byte characters, which

resolves this issue.

(JIRA 6528)

Issue: The Trend Micro OfficeScan Agent Console ("Pccnt.exe") may stop unexpectedly if the

"Unauthorized Change Prevention Service" is enabled. When this happens, it will affect the performance

of the endpoint.

Solution: This hotfix updates the OfficeScan agent program to prevent "Pccnt.exe" from stopping

unexpectedly and ensures that the OfficeScan agent can work properly without affecting the performance

of the endpoint.

(JIRA 7273)

Issue: On computers running on the Microsoft(TM) Windows(TM) 10 platform, the Data Loss Prevention

(DLP) network filter driver is installed with the Transport Driver Interface (TDI) network filter driver.

Solution: This hotfix updates the operating system version determination mechanism to ensure that the

correct driver is installed. This hotfix also provides a Microsoft(TM) Windows Filtering Platform

(Windows) driver replacement mechanism that replaces the TDI driver with the correct driver.

[Hotfix_6390] (SEG-7214,SEG-2537,SEG-8323)

(JIRA 7214)

Issue: A blue screen of death (BSOD) occurs when the Trend Micro Common Module (tmcomm.sys)

attempts to parse the service name list of a Windows kernel device in the device tree.

Solution: This hotfix updates the Trend Micro Common Module on OfficeScan agents to resolve this

issue.

[CP_6392] (VRTS-337,VRTS-339,VRTS-972)

(VRTS-337, VRTS-339)

Issue: A Remote Code Execution (RCE) vulnerability on the OfficeScan server can allow attackers to

execute commands on the server using query string variable.

Solution: This hot fix resolves the RCE vulnerability.

(VRTS-972)

Issue: The 3rd party AmMap application has multiple cross-site scripting (XSS) vulnerabilities that allows

remote attackers to inject arbitrary web or HTML scripts.

Solution: This hot fix resolves the XSS vulnerability.

[Hotfix_6396]

(TT-354095,357507,355701,357054,358532,358603,SEG-2143,SEG-2745,SEG-7541,SEG-7585,SEG-642

1,SEG-8356,SEG-7747,SEG-9011)

(JIRA 7541)

Issue: OfficeScan agents installed on Windows 10 platforms may cause the endpoint to freeze or become

unresponsive when both Windows Defender and the OfficeScan agent are running at the same time.

Solution: This hotfix updates compatibility support to prevent the system from freezing when the

OfficeScan Agent loads.

(JIRA 7585)

Issue: The OfficeScan agent does not successfully update specific pattern files when the OfficeScan server

and client have different build versions.

Solution: This hotfix resolves the issue concerning OfficeScan agents not successfully updating specific

pattern files.

(JIRA 6421)

Issue: Windows Defender is not disabled automatically after the OfficeScan agent is installed on a

Windows 2016 server computer.

Solution: This hotfix ensures that Windows Defender is disabled automatically after the OfficeScan agent

is installed on a Windows 2016 server computer and the computer restarts.

(JIRA 8356)

Issue: The Virus Scan Engine (VSAPI) fails to roll back on a Microsoft(TM) Windows(TM) 10 platform.

Solution: This hotfix updates the OfficeScan agent program to ensure that VSAPI can roll back

successfully on a Windows 10 platform.

(JIRA 7747)

Issue: The OfficeScan Master Service stops unexpectedly while receiving a huge amount of policy

information from Control Manager which triggers OfficeScan to generate a large number of dump files

under the "PCCSRV¥Web¥Service" folder.

Solution: This hotfix enables the OfficeScan Master Service to handle a huge amount of policy

information from Control Manager.

(SBM 354095)

Issue: The firewall details page of the OfficeScan client console does not refresh automatically after the

security level setting changes.

Solution: This hotfix is to show a message to prompt to close all windows of the OfficeScan client console

and reopen the console in order to refresh the UI.

(SBM 357507)

Issue: The Microsoft(TM) Windows(TM) Event Log generates too many messages.

Solution: This hotfix enables OfficeScan to extend the cache time to 12 hours.

(SBM 355701)

Issue: An initialized issue related to the OfficeScan Control Manager Agent service ("OfcCMAgent.exe")

may cause the OfcCMAgent.exe to stop unexpectedly.

Solution: This hotfix updates the OfficeScan Control Manager Agent program to prevent from this issue.

(SBM 357054)

Issue: When there are hotfix updates, the OfficeScan server checks all client components and prompts all



Solution: This hotfix ensures that the OfficeScan server does not notify a client of hotfix updates if the No

Program Upgrade option is enabled in the client.

(SBM 358532)

Issue: When an unreachable OfficeScan agent reports its onstart status to the OfficeScan server, the server

does not automatically set the updateflag for the agent. As a result, the agent will not receive updates until

after a file change event on the OfficeScan server.

Solution: This hotfix enables the OfficeScan server to set the updateflag of unreachable OfficeScan agents

automatically once it receive the onstart status of the agents.

(JIRA 2143)

Issue: Exported CSV files that contain agent information do not differentiate between Windows platforms

from Windows Embedded platforms.

Solution: This hotfix ensures that exported CSV files specifies if an agent runs on a Windows platform or

a Windows Embedded platform.

(JIRA 2745)

Issue: The Vulnerability Scanner may attempt to access an invalid file path which triggers blue screen of

death (BSOD) on computers running Microsoft Windows Vista(TM) or any version released after it, for

example, Windows Server 2008 and later versions.

Solution: This hotfix updates the Vulnerability Scanner to prevent it from attempting to access invalid file

paths.

(JIRA 9011)

Issue: Sometimes, the Behavior Monitoring Service module of OfficeScan 11.0 Service Pack 1 agents may

conflict with the Schwab application which can trigger the Schwab application to stop unexpectedly.

Solution: This hotfix updates the Behavior Monitoring Service module and provides a way for users to

configure OfficeScan to ensure that the Schwab application works properly.




c. Under the "Global Setting" section, manually add the "SkipKernelExceptionEvent" key and set its value

to "1".

[Global Setting]

SkipKernelExceptionEvent=1

NOTE: To disable the feature, set "SkipKernelExceptionEvent=0".



f. Click "Save" to deploy the setting to agents. The OfficeScan server deploys the command to OfficeScan

agents and adds the following registry entries on all OfficeScan agent computers:

Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥AEGIS

Key: SkipKernelExceptionEvent

Type: REG_DWORD

Value: 1


[Hotfix_6396 CP_6396(JP)] (TT-356627)

Enhancement: This hotfix provide assessment mode for ransomware. In assessment mode, OfficeScan

will not terminate the process and just log for it.




c. Under the "Global Setting" section, manually add the following keys and set values.

[Global Setting]

EnableADCAssessMode=1

Value: 0 = OfficeScan does not support ransomeware assessment mode

1 = OfficeScan supports ransomewareassessment mode

EnableADCAssessModeNotification=1

Value: 0 = does not have popup notification in system tray icon

1 = have popup notification in system tray icon




Path:

HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥AEGIS

Key: EnableADCAssessMode

Type: DWORD

Value: 0 = OfficeScan does not support ransomware assessment mode

1 = OfficeScan supports ransomware assessment mode

Key: EnableADCAssessModeNotification

Type: DWORD


1 = have popup notification in system trayicon

[Hotfix_6404] (VRTS-392,SEG-9560)

(VRTS-392)

Issue: An issue related to the DLP file system driver may cause an RWX vulnerability in web browsers.

Solution: This hotfix updates DLP Endpoint SDK 6.0 to resolve the vulnerability.

(JIRA 9560)

Issue: It takes a long time to copy files using the RDP clipboard when DLP is enabled.

Solution: This hotfix resolves the issue by adding the RDP process "mstsc.exe" into the approved list.

[Hotfix_6410] (SEG-10277,SEG-10228,VRTS-1012,VRTS-1022)

(VRTS-1012)

Issue: Remote unauthenticated attackers may be able to query NT domains through the OfficeScan XG

"cgiGetNTDomain.exe" process.

Solution: This removes the vulnerability.

(VRTS-1022)

Issue: A vulnerability may allow a remote unauthenticated attacker to send CGI requests to run

"cgiRqUpd.exe" on the OfficeScan server and trigger "cgiRqUpd.exe" to stop unexpectedly. When this

happens, a large number of dump files are generated which can eventually take up a large portion of disk

space.

Solution: This hotfix resolves the vulnerability.

(JIRA 10228)

Issue: In Windows 2016 server, the Windows Defender service does not stop when the OfficeScan agent is

installed or when the latest hotfix is installed on the existing OfficeScan agent.

Solution: This hotfix ensures that the Windows Defender service stops automatically after the OfficeScan

client is installed or updated with the latest hotfix.

Note: You need to restart the computer after applying this hotfix.

[Hotfix_6415] (VRTS-1115,SEG-4529,SEG-8981)

(JIRA 8981)

Enhancement: This hotfix provides an option to enable OfficeScan agents to check the connection to the

Smart Protection Network regularly and to update the status icons on the web console accordingly.

Procedure: To enable the feature on the OfficeScan server and to automatically deploy the setting to all

OfficeScan agents:



c. Add the following key under the "Global Setting" section and set its value to "1".

[Global Setting]

ChkGlobalWCS=1

Note: To disable the connection checking, set "ChkGlobalWCS=0".





The OfficeScan agent program automatically installs the following registry key:

Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥iURL

Scan.

Key: ChkGlobalWCS

Type: REG_DWORD

Value: 1

[Hotfix_6421]

(SEG-1689,SEG-6917,SEG-7553,SEG-8988,SEG-10066,SEG-10688,SEG-10651,SEG-10953,SEG-11074

,SEG-11404,SEG-11344)

(JIRA 10688)

Issue: If you click on the "Update" button on the agent console while the TmListen service is stopped, the

page returns an "Component update is complete" message.

Solution: This hotfix enables OfficeScan to disable the "Update" button automatically when the

TmListener service stops and to display a tooltip when the mouse pointer hovers over the button.

(JIRA 10651)

Issue: If a newly-installed OfficeScan agent cannot connect to the OfficeScan server within a specific time

period, the agent cannot report that it is online and does not appear on the OfficeScan web console.

Solution: This hotfix provides a way for users to extend the connection time to prevent this issue from

occurring.




directory.

c. Under the "Global Setting" section, manually add the following keys and set the preferred

value for each.

[Global Setting]

EnableCheckHostLoadHttpTimeoutSecond=1

NOTE: To disable the feature, set "EnableCheckHostLoadHttpTimeoutSecond=0".

LoadHttpTimeoutSecond=30

NOTE: You can set the timeout value to 30, 60, 90, or 180 seconds based on your needs.





Path:

for x64 platform

HKEY_LOCAL_MACHINE¥SOFTWARE¥Wow6432Node¥TrendMicro¥PC-cillinNTCorp¥Cu

rrentVersion

for x86 platform

HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥

Key: EnableCheckHostLoadHttpTimeoutSecond

Type: REG_DWORD

Value: 1

Key: LoadHttpTimeoutSecond

Type: REG_DWORD

Value: 30


NOTE: If OfficeScan agents does not receive the setting from the OfficeScan server, please

consider updating OfficeScan agents using Client Packager Installation or the AutoPCC utility.

(JIRA 6917)

Issue: The following OfficeScan 11.0 Service Pack 1 hotfixes are affected by an issue related to the

OfficeScan Firewall module which may cause the Firewall service to encounter network access issues.

- Hotfix 6277

- Hotfix 6281

- Hotfix 6292


Note: You must restart the endpoint after applying this hotfix to update the Common Firewall module on

affected OfficeScan agents.

(JIRA 11074)

Issue: The Windows Security Center cannot recognize if the OfficeScan Antivirus is enabled when there is

no antispyware license.

Solution: This hotfix updates the OfficeScan agent program to help ensure that the Windows Security

Center can determine whether the OfficeScan Antivirus is enabled or not.

(JIRA 8988)

Issue: The OfficeScan Behavior Monitoring feature may prevent users from renaming folders on network

drives.

Solution: This hotfix updates the Behavior Monitoring module to resolve the issue.



b. Open the "ofcscan.ini" file in the "¥PCCSRV¥" folder in the OfficeScan server installation

directory.

c. Under the "Global Setting" section, manually add the "SkipDfsClient" key and set its value to

"1".

[Global Setting]

SkipDfsClient=1




The OfficeScan server deploys the command to OfficeScan agents and adds the following

registry entry on all OfficeScan agent computers:

Path:

HKEY_LOCAL_MACHINE¥SYSTEM¥CurrentControlSet¥services¥tmactmon¥Parameters

Key: SkipDfsClient

Type: DWORD

Value: 1

(JIRA 10066)

Issue: An issue related to the OfficeScan Behavior Monitoring feature may cause the memory usage to

increase unexpectedly on OfficeScan client computers.


[CP_6426 CP_6442] (VRTS-986,VRTS-989,VRTS-1018,VRTS-1052)

(VRTS 986)

Issue: A vulnerability may allow a attacker to download the specific file from the OfficeScan server

through HTTP requests.

Solution: This Critical Patch resolves the vulnerability.

(VRTS 989)

Issue: A PHP file in OfficeScan 11 may be vulnerable to an MITM/RCE vulnerability.

Solution: This Critical Patch resolves the potential vulnerability.

(VRTS 1012)

Issue: An attacker may be able to query NT domains through the OfficeScan 11 process.


(VRTS 1018)

Issue: A vulnerability may allow remote attackers to query PHP information while the specific php file

runs.

Solution: This Critical Patch secures the information in specific php file.

(VRTS 1022)

Issue: A vulnerability may allow a attacker to send CGI requests to run and stop the OfficeScan 11 process

unexpectedly.


(VRTS 1052)

Issue: A vulnerability may allow a attacker to stop the OfficeScan 11 process unexpectedly by forcing the

specific parameter to exceed that limit.



(JIRA 7697)

Issue: The Trend Micro iCRC Common Module cannot perform an SSL handshake with Smart Protection

Server on endpoints running Windows Server 2003 using TLS 1.2 after applying OpenSSL 1.0.2.

Solution: This hotfix updates the Trend Micro iCRC Common Module and provides a way for users to

enable the Trend Micro iCRC Common Module to communicate with Smart Protection Server using TLS

1.0.


a. Open the "ICRCHdler.ini" file in the "¥PCCSRV¥Pccnt" folder on the OfficeScan server

installation directory.

b. Under the "Default" section, manually add the following key and set its value to "4".

[Default]

SSLVersion = 4


e. Install this hotfix (see "Installation").

f. After upgrading the agent program, the OfficeScan server adds the following entries on all

OfficeScan agent computers:

Path: The OfficeScan agent installation directory.

File: ICRCHdler.ini

Key: SSLVersion = 4

(JIRA 10748)

Issue: The error message that appears when a user provides a user name or password with an invalid

character for proxy authentication does not accurately describe the issue.

Solution: This hotfix updates the error message to inform users that the provided proxy setting user name

or password contains an invalid character.

(JIRA 10844)

Issue: When configured, the OfficeScan Agent displays the following scan pop-up dialog box when users

connect to a removable storage device. "A USB storage device was plugged in to the computer. Do you

want Trend Micro OfficeScan to scan the device for security risks?"

Solution: This hotfix updates the scan pop-up dialog box to display the following message.

"A removable storage device was plugged in to the computer. Do you want Trend Micro

OfficeScan to scan the device for security risks?"

(JIRA 10980)

Issue: The account and password setting for the external proxy server do not support the hash special

character "#".

Solution: This hotfix resolves a broken jquery Ajax call to ensure that the account and password setting for

the external proxy server supports special characters.

[Hotfix_6434] (SEG-11628,SEG-12203)

(JIRA 11628)

Enhancement: The hotfix provides the implementation of BIN number's regular expression and validators.

(JIRA 12203)

Enhancement: This hot fix enables Data Loss Prevention Endpoint SDK 6.2 to bypass iTunes blocking

and so that iPhone can still be charged while Device Control is enabled.

Procedure: To configure the new setting for DLP:



c. Under the "Configure" section, manually add the "bypass_itunes_nonstor_usb_dc" key and set its value.

[Configure]

bypass_itunes_nonstor_usb_dc = true


e. Open the OfficeScan web console and click "Agents > Agent Management > Select domains or agents >

Settings > DLP settings".

f. Click "Save" to deploy the settings to agents. The OfficeScan server deploys the settings to OfficeScan

agents and adds the following key in the "dsa.pro" file in the "¥Windows¥System32¥dgagent¥" folder:

bypass_itunes_nonstor_usb_dc=true

[Hotfix_6439] (SEG-12179)

(JIRA 12179)

Issue: Tablets running Windows 10 (Redstone) may encounter a "Blue Screen of Death" (BSOD) when

trying to enter a sleep state.

Solution: This hotfix notifies the driver to stop sending event information after entering standby mode.

After the tablet comes out of standby mode, the driver starts sending event information again.





[Global Setting]

PowerMonitorTime=10





Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥AEGIS¥

Key: PowerMonitorTime

Type: DWORD

Value: 10 = Set PowerMonitorTime to 10 seconds, max 60 seconds


[Hotfix_6443] (SEG-13165,SEG-12586)

(JIRA 13165)

Issue: Scheduled scan is postponed because OfficeScan detects full screen mode even when there are no

windows in full screen mode.

Solution: This hotfix enables OfficeScan to ignore windows that do not have visible content during full

screen mode detection.


(JIRA 8096)

Issue: When the system installs or upgrades the Cisco VPN software, it tries to access some registry keys

under the TmLwf registry key, which causes the software installation to fail.

Solution: This hotfix adds a key to disable the self-protection only function of the TmLwf registry key,

which resolves this issue.





[Global Setting]

SP_DisableTmLwfRegistryKeyProtection=1

Value: 1 = Disable TmLwf registry key self-protection only




Path:

HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥PC-cillinNTCorp¥CurrentVersion¥AE

GIS

Key: SP_DisableTmLwfRegistryKeyProtection

Type: DWORD


g. Restart the OfficeScan agents

(JIRA 13656)

Issue: The file description field indicates the Common Client Real-time Scan Service ("Ntrtscan.exe") is

32-bit even when it is running on a 64-bit operating system.

Solution: This hotfix updates the OfficeScan agent program to ensure that the correct information appears

on the file description field.

(JIRA 12830)

Issue: A protected computer may stop responding or respond slowly while extracting the "AFUDOS.exe"

file from a ZIP file. Sometimes, the computer may also stop unexpectedly while the Behavior Monitoring

engine performs policy matching.

Solution: This hotfix removes the lock scope to prevent protected computers from stopping unexpectedly

and enables OfficeScan to use the try-catch method to capture an exception and help prevent a handle leak

issue.

(JIRA 13700)

Issue: The OfficeScan Behavior Monitoring feature may cause certain third-party programs that are in its

approved list to stop responding.





directory.

c. Under the "Global Setting" section, manually add the "AegisSkipNotificationEvent" key and

set its value to "1".

[Global Setting]

AegisSkipNotificationEvent=1






Key: SkipNotificationEvent

Type: DWORD

Value: 1


[CP_6448] (VRTS-1228)

(VRTS-1228)

Issue: Loading the UMH dynamic-link library (DLL) on other applications may make the applications

vulnerable to DLL hijacking attacks.


[Hotfix_6451] (SEG-14071)

(JIRA 14071)

Enhancement: This hotfix enables DLP Endpoint SDK 6.2 starts to support the following Google Chrome

versions:

- Google Chrome 61.0.3163.79

[Hotfix_6454] (SEG-14058)

(JIRA 14058)

Issue: Virus detection logs do not appear on the agent console if the name of the agent installation folder

contains multibyte characters.

Solution: This hotfix ensures that virus detection logs appear on OfficeScan agent console.

Issues resolved by hot fixes for OSCE XG

[CP_1315] (TT-356677)

Issue 1: In OfficeScan XG, users may observe that "OfcService.exe" crashes and OfficeScan agents keep

updating in some situations.

Solution 1: This critical patch replaces the OfficeScan server files to resolve the issue.

Issue 2: The OfficeScan XG server program and the OfficeScan agent Smart Scan common module uses

an OpenSSL version that is affected by certain vulnerabilities.

Solution 2: This critical patch resolves this issue by updating the OpenSSL component of the server

module and Smart Scan common module.

[CP_1352] (VRTS-283,VRTS-393,VRTS-615)

(VRTS-283)

Issue 1: When the Web Reputation Service (WRS) of the OfficeScan agent program blocks access to a



Solution 1: This critical patch updates the OfficeScan agent program to resolve the XSS vulnerabilities.

(VRTS-393)




(VRTS-615)


mechanism to protect against a local attacker to inject malicious code.

[CP_1429] (VRTS-283,VRTS-393,VRTS-615)

Issue: When the Web Reputation Service (WRS) of the OfficeScan agent program blocks access to a



Solution: This hotfix updates the OfficeScan agent program to resolve the XSS vulnerabilities.

(VRTS-393)




(VRTS-615)


mechanism to protect against a local attacker to inject malicious

[Hotfix_1253] (TT-355172)

Issue: The DLP module cannot block users from sending out email messages with illegal file attachments

through Webmail.

Solution: This hotfix updates the HTTPS parser to ensure that the DLP module can block users from

sending out email messages with illegal file attachments through Webmail.

[Hotfix_1254] (TT-355446)

Issue: The "Unmanaged Endpoints" page of the OfficeScan web console may not display the progress of

the agent installation task if a selected endpoint under the Active Directory (AD) contains an ampersand

character "&".

Solution: This hotfix ensures that the "Unmanaged Endpoints" page displays the progress of the agent

installation task.

[Hotfix_1255] (TT-355573)

Issue: The "Update Agent" drop down list in the "Add IP Range and Update Source" page displays only

one Update Agent even when multiple Update Agents are available. As a result, users cannot select any

other Update Agent.

Solution: This hotfix updates the OfficeScan server files to ensure that the "Update Agent" drop down list

displays all available Update Agents.

[Hotfix_1262] (TT-356409)

Issue: When the OfficeScan server receives a policy from a Control Manager 6.0 server and the policy

contains space characters, OfficeScan will not be able to apply the policy effectively.

Solution: This hotfix updates the OfficeScan server files to ensure that the OfficeScan server can parse

space characters in policies correctly and implement these policies successfully.

[Hotfix_1265] (TT-356681,356463)

Issue 1: The OfficeScan server console returns gateway errors when trying to export the agent list using

the following views:

- Anti-spyware View

- Data Protection View

- Firewall View

Solution 1: This hot fix updates the export function to properly retrieve the complete agent list inventory

for all views.

Issue 2: The OfficeScan Master Service suffers a crash after attempting to reuse freed memory.

Solution 2: This hot fix ensures that the OfficeScan Master Service release the memory after no other

procedures are referencing.

Issue 1: The OfficeScan server console returns gateway errors when trying to export the agent list using

the following views:

- Anti-spyware View

- Data Protection View

- Firewall View

Solution 1: This hot fix updates the export function to properly retrieve the complete agent list inventory

for all views.

Issue 2: The OfficeScan Master Service suffers a crash after attempting to reuse freed memory.

Solution 2: This hot fix ensures that the OfficeScan Master Service release the memory after no other

procedures are referencing.

[Hotfix_1265.1] (TT-356615,356820)

Enhancement: This hot fix updates the Data Loss Prevention Endpoint SDK 6.2 to support Google

Chrome version 54.0.2840.99.

[Hotfix_1267] (TT-357679)

Issue: The OfficeScan web console is affected by a remote file inclusion (RFI) vulnerability.

Solution: This hotfix updates the OfficeScan web console program to resolve the vulnerability.

[Hotfix_1269] (TT-356494,357105)

Enhancement: Trend Micro Predictive Machine Learning uses advanced machine learning technology to

correlate threat information and perform in-depth file analysis to detect emerging unknown security risks

through digital DNA fingerprinting, API mapping, and other file features.

This hot fix updates OfficeScan agent programs and the Contextual Intelligence Engine ("tmxfalcon.dll")

to provide more accurate and efficient functions in Trend Micro Predictive Machine Learning.

[Hotfix_1270.1] (TT-354880)

Issue: OfficeScan's DLP blocks the following software applications:

- Skype for Business (SFB) Cloud Storage Channel

- Office Telemetry

Solution: This hot fix updates the OfficeScan's iDLP module to resolve this issue.

[Hotfix_1277] (TT-357706,357326,354880,356820,357553)

Issue 1: Trend Micro Data Loss Prevention(TM) (DLP) module blocks Skype for Business unexpectedly

and caused a false alert on Cloud Storage channel.

Solution 1: This hotfix updates the HTTPS parser to ensure that the DLP module does not block

communication of Skype for Business.

Issue 2: The DLP cannot block the violative documents with a policy that only includes File Attribute.

Solution 2: This hotfix updates the matching result to ensure that the DLP module can block violative

documents.

[Hotfix_1289] (TT-357043,358146,357664,356522)

(TT357043)

Issue 1: After users upgrade OfficeScan agents to OfficeScan XG on a computer running on the 32-bit

version of Microsoft(TM) Windows(TM), OfficeScan agents may keep restarting hourly.

Solution 1: This hotfix resolves this issue by updating the OfficeScan server program to ensure that

OfficeScan agents upgrade to OfficeScan XG properly.

(TT358146)



Solution 2: This hot fix ensures that the Chrome page will not access unexpected "--disable-quic" sites


(TT357664)

Issue 3: In Microsoft(TM) Windows(TM) Vista/2008 or later clients,OfficeScan displays an incorrect



Solution 3: This hotfix ensures that the OfficeScan server references the "tmlwf.sys" and "tmwfp.sys" files

to determine the correct version number of the common firewall driver

(TT356522)

Enhancement: This hotfix enhances the sample submission process from the OfficeScan server to the

Deep Discovery Analyzer (DDAN) server through a proxy server. This hotfix also enhances the error

handling functions for sample submission analysis.

To configure for the proxy, please refer to following:

New keys:

--------------------------

UseProxy=1

ProxyServer=xxx.xxx.xxx.xxx

ProxyPort=xxxx

ProxyLogin=xxxx

ProxyPwd=xxxx

--------------------------

Add the new keys to the "Sample_Submission" section of

of the cDdaSvr.ini file as follows:

Sample_Submission]

OfcDdaServerRegistered=1

Server=xxx.xxx.xxx.xxx

APIKey=xxxxxxxx

UseProxy=1

ProxyServer=xxx.xxx.xxx.xxx

ProxyPort=xxxx

ProxyLogin=xxxxx

ProxyPwd=xxxxx

[Hotfix_1292] (TT-354631)

(TT354631)

Enhancement: This hotfix adds a way to configure OfficeScan clients to skip digital signature checking of

OfficeScan client program files while downloading hotfix files and reloading the scan engine.




b. Open the "ofcscan.ini" file in the "¥PCCSRV¥" folder of the OfficeScan installation

directory.


[Global Setting]

DOVF=1


e. Open the OfficeScan server management console and go to "Agents > Global Agent

Settings".





PC-cillinNTCorp¥CurrentVersion¥Misc.

Key: DOVF

Value: 1

[Hotfix_1293] (TT-358410,358027)

Issue: The TmListen.exe service of the OfficeScan agent stops unexpectedly after the OfficeScan agent

encounters a certificate mismatch.

Solution: This hotfix enhances error-handling mechanism on the OfficeScan agent to prevent

TmListen.exe from stopping unexpectedly until the agent can handle the certificate mismatch event.

[Hotfix_1308_replaced_by_[CP_1315]

(TT-352397,358345,358044,358404,358940,358516,357444,358095)

(TT352397)

Issue 1: The "Last Spyware Detection(Real-time)" agent information column name shows as "Last

Spyware Scan(Real-time)" in the exported CSV file.

Solution 1: This hotfix updates the program and modifies the "Last Spyware Scan(Real-time)" column

name to "Last Spyware Detection(Real-time)" in the CSV file.

(TT358345)

Issue 2: SQL exceptions somehow continue to occur in the system event log and causes Internet

Information Services (IIS) to crash.

Solution 2: This hotfix updates the OfficeScan server files to ensure that the OfficeScan server and IIS

server works properly.

(TT358044)

Issue 3: The Microsoft(TM) Windows(TM) Event Log generates too many messages.

Solution 3: This hotfix enables OfficeScan to extend the cache time to 12 hours.

(TT358404)

Issue 4: On some OfficeScan agents managed by the Update Agent (UA), the OfficeScan agent icon on the

Microsoft(TM) Windows(TM) task bar may be shaded red and blue repeatedly and shows a "Protection at

Risk" message. This issue occurs since the Real-time Scan service is not functional.

Solution 4: This hotfix updates the OfficeScan server and agent programs to ensure that the OfficeScan

agents managed by the Update Agent can work normally without errors.

(TT358940)

Issue 5: Compatibility issues occur between the third-party OpenSSL libraries used in the new types of

processors (for example, the Apollo Lake Intel(TM) Pentium(R) processor).

Solution 5: This hotfix replaces the OfficeScan server files to resolve this issue.

(TT358516)

Issue 6: A performance enhancement introduced a negative side effect that causes a memory leak on

"NTRtScan.exe".

Solution 6: This hotfix disables the performance enhancement to resolve this issue.

(TT358095)



Solution 7: This hotfix ensures that OfficeScan does not leak sensitive information when users use Google

Chrome to access these Webmail sites.

(TT357444)

Enhancement: This hotfix enables users to generate the Secure Sockets Layer (SSL) certificate with

SHA-256 signature algorithm and 2048-bit public key for the OfficeScan web site, which is installed on

Microsoft(TM) Internet Information Services (IIS) through the "SvrSvcSetup.exe" tool.

Procedure: To generate the SSL certificate with SHA-256 signature algorithm and 2048-bit public key,

and manually renew the IIS SSL certificate:



c. Run the following command: SvrSvcSetup.exe -GenIISCert

A new SSL certificate is generated and is automatically added to the IIS SSL certificate store.





Note: Click the "View..." option to view the SHA256 signature algorithm and 2048-bit public key.

h. Click "Close".

[Hotfix_1314_replaced_by_[CP_1315] (TT-357421,358192,359293)

(TT357421)

Issue 1: The OfficeScan NT Real-time Scan service ("Ntrtscan.exe") may stop unexpectedly on endpoints

running Microsoft(TM) Windows(TM) Embedded 7.

Solution 1: This hotfix updates the OfficeScan agent program to resolve this issue on affected endpoints.

(TT358192)

Issue 2: The "Unmanaged Endpoints of Schedule Assessment" report displays many OfficeScan agents as

"Managed by another OfficeScan server" even though the endpoints are managed by the OfficeScan server.

Solution 2: This hotfix resolves the issue by changing the checking mechanism on the OfficeScan server to

be case insensitive.

(TT359293)

Issue 3: The virus outbreak notifications only display a single entry.

Solution 3: This hotfix replaces the OfficeScan server files to resolve this issue.

[Hotfix_1318] (TT-359826)

Issue: The OfficeScan XG Behavior Monitoring feature blocks a valid program.

Solution: This hotfix updates the OfficeScan Behavior Monitoring Local Pattern to solve the issue.

[Hotfix_1321] (TT-359260,359630,358898,360065,359660,SEG-1194)

(SEG-1194)

Issue 1: An OfficeScan agent that cannot connect to the OfficeScan server during startup will not be able

to trigger scheduled updates.

Solution 1: This hot fix updates the OfficeScan XG server and agent files to ensure that agents can still

trigger scheduled updates when these agents cannot connect to OfficeScan server during startup.

(TT359260)

Issue 2: The OfficeScan NT Real-time Scan service may cause the Microsoft(TM) Windows(TM) system

to hang.

Solution 2: This hotfix updates the Behavior Monitoring Core Service programs of the OfficeScan agent to

resolve this issue.

(TT359630)

Issue 3: Microsoft(TM) Outlook takes some time to load whenever DLP is enabled.

Solution 3: This hotfix resolves the issue wherein Microsoft Outlook takes too long to launch by updating

the "sakfile.sys" file of DLP by adding "Outlook.exe" onto the exception list.

(TT358898, TT360065)

Enhancement 1: This hot fix enables Data Loss Prevention Endpoint SDK 6.0 starts to support the

following Google Chrome versions:

- Google Chrome(TM) 55.0.2883.87


(TT359660)

Enhancement 2: This hot fix enables Data Loss Prevention Endpoint SDK 6.2 to support Microsoft

OneNote 2016 with *.one file type.

[Hotfix_1322] (TT-359257,359636,359535)

(TT359535)




(TT359636)

Issue 2: When users export the settings from a root domain to a subdomain, the subdomain does not inherit

the sample submission settings.

Solution 2: This hotfix ensures that the OfficeScan server sets the flag to "ofcscan.ini" when exporting

settings so that the subdomain inherits all the settings from the root domain.

(TT359257)

Issue 3: Microsoft(TM) Skype for Business hangs when the OfficeScan agent is running.

Solution 3: This hotfix updates the OfficeScan agent module files inside the Common Client Solution

Framework (CCSF) to prevent third-party software from hanging.

(TT359535)




(TT359636)

Issue 2: When users export the settings from a root domain to a subdomain, the subdomain does not inherit

the sample submission settings.

Solution 2: This hotfix ensures that the OfficeScan server sets the flag to "ofcscan.ini" when exporting

settings so that the subdomain inherits all the settings from the root domain.

(TT359257)

Issue 3: Microsoft(TM) Skype for Business hangs when the OfficeScan agent is running.

Solution 3: This hotfix updates the OfficeScan agent module files inside the Common Client Solution

Framework (CCSF) to prevent third-party software from hanging.

[Hotfix_1325] (TT-356626)

Enhancement: This hotfix updates the OfficeScan Data Loss Prevention(TM) (DLP) module to enable its

Device Control feature to work on portable devices with read-only permission.





[Global Setting]

InstallDLPWpdDriver=1




Path:

HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro PC-cillinNTCorp¥CurrentVersion¥DlpLite

Key: InstallDLPWpdDriver

Type: DWORD

Value: 0 = Device Control does not work on portable devices with read-only permission

1 = Device Control works on portable devices with read-only permission


(SEG-1927)



Solution 1: This hotfix ensures that OfficeScan does not leak encrypted passwords.

(TT359497)

Issue 2: Certain processes running on the email channel may trigger policies in other channels.

~

Solution 2: This hotfix updates OfficeScan's rule matching method to ensure that processes will trigger

only the policies for the current channel.

(SEG-1362, SEG-1365)

Issue 3: The Integrated Smart Protection Server and the standalone Smart Protection Server cannot parse

the information in the "User Agent" header because it is in the wrong format.

Solution 3: This hotfix ensures that the iCRC common module adds information into the "User Agent"

header in the correct format.


(SEG-2329)

Issue 1: The OfficeScan agent installs an unnecessary certificate "ofcsslagent" on the agent computer.

Solution 1: This hotfix removes the "ofcsslagent" certificate and ensures that the OfficeScan agent no

longer installs this to agent computers.

(SEG-2473)

Issue 2: The OfficeScan NT Firewall service still appears on the Windows Action Center console after the

OfficeScan agent is uninstalled from the computer.

Solution 2: This hotfix updates the OfficeScan agent programs to successfully unregister its Firewall

service from the Windows Action Center console.

(SEG-2160)

Issue 3: The maximum size for a single file to upload is 5 MB but the OfficeScan client still attempts to

upload files that are larger than 5 MB to the server. This causes heavy traffic on the server.

Solution 3: This hotfix syncs the 5 MB limit to OfficeScan clients to ensure that the clients do not attempt

to upload larger files to the OfficeScan server.

(SEG-1175)

Enhancement: This hotfix allows users to disable the email multi-part scan mode in the DLP function of

OfficeScan agents.

Procedure: To disable the email multi part scan mode in the DLP function and globally deploy this setting

to all OfficeScan agents:


b. Open the "ofcscan.ini" file in the "¥PCCSRV¥" folder of the OfficeScan server.


[Global Setting]

EnableDlpMPScan=0

NOTE: To enable the setting again, set "EnableDlpMPScan=1".


e. Open the OfficeScan server management console and click "Agents > Global Agent Settings" on the

main menu to access the "Global Agent Settings" page.


The OfficeScan server deploys the command to agents and adds the following registry entry on all agent

computers:

Path: HKLM¥SYSTEM¥SOFTWARE¥Wow6432Node¥TrendMicro¥

PC-cillinNTCorp¥CurrentVersion¥DlpLite

Key: EnableMPScan

Type: dword

Value: 0

[Hotfix_1340] (SEG-2701,SEG-1640,SEG-3355,SEG-1184,SEG-3016)

(SEG-2701)

Issue: Users cannot remove items from the "Favorites" menu on the OfficeScan web console.

Solution: This hotfix updates the OfficeScan files to enable users to delete items from the "Favorites"

menu.

(SEG-1640)

Issue: The DLP version appears as 0.0.0 on both the management console and agent console.

Solution: This hotfix ensures that the correct DLP version appears on both the management console and

agent console.

(SEG-3355)

Issue: OfficeScan agents report their antivirus status information to the Microsoft(TM) Windows(TM)



Solution: This hotfix updates the OfficeScan agent program to resolve this issue.

(SEG-1184)

Issue: Certain processes running on the email channel may trigger policies in other channels.

Solution: This hotfix updates OfficeScan's rule matching method to ensure that processes will trigger only

the policies for the current channel.

(SEG-3016)

Enhancement: This hot fix enables Data Loss Prevention Endpoint SDK 6.0 starts to support the

following Google Chrome versions:



[Hotfix_1341] (SEG-2319)





computers.





[Global Setting]








KEY: SkipDuplicateSameAccess

TYPE: dword



(SEG-2354)

Issue 1: When users set the firewall exception rule to a single IP, the IP address does not appear on the

OfficeScan agent console.

Solution 1: This hotfix ensures that the IP address appears on the OfficeScan agent console.

(SEG-2420)

Issue 2: The suspicious object URL detection function does not work when the OfficeScan agent is offline.

Solution 2: This hotfix enables the suspicious object URL detection function to work when the OfficeScan

agent is offline.

(SEG-3372)

Issue 3: Sensitive information detected in email messages in "outlook.com" and "outlook.office.com" are

displayed in the logs as HTTP channels and not as webmail channels.

Solution 3: This hotfix updates the DLP module to make sure OfficeScan assigns the correct channels in

the logs.

(SEG-3237)

Issue 4: An issue prevents OfficeScan agents from blocking webmail attachments that contain sensitive

information in "outlook.com".

Solution 4: This hotfix updates the DLP module to make sure the OfficeScan agent can block webmail

attachments in "outlook.com".


(SEG-2594)

Issue 1: The OfficeScan Behavior Monitoring feature may cause certain operating systems to stop

unexpectedly when users launch an Intel driver packed as a self-extracting RAR file.


(SEG-3160)

Issue 2: When users click the "Specify Domain Credentials" button on the OfficeScan XG web console,

account information of the Active Directory Integration account cannot be saved Properly.

Solution 2: This hotfix updates the OfficeScan server program to prevent it from this issue.

[Hotfix_1347] (SEG-3734)

(SEG-3734)

Issue: This issue occurs because the Web Reputation Services is disabled, OfficeScan agents still search

for available Smart Protection Servers (SPS) to send Web Reputation queries to which can keep the

network busy.

Solution: This hot fix adds an option to prevent OfficeScan agents from searching for Local Web

Classification Servers (LWCS) when the WRS is disabled.

Procedure: To enable this option:



c. Add the following key under the "ICRC_SCAN_INI_SECTION" section and set its value to "0".

[ICRC_SCAN_INI_SECTION]

WCSServiceSearchIfDisabled=0

d. Open the OfficeScan web console and go to the "Networked Computers > Global Client Settings"

screen.

e. Click "Save" to deploy the setting to clients. The OfficeScan client program automatically installs

the following registry key:

Path:

HKLM¥SOFTWARE¥TrendMicro¥Pc-cillinNTCorp¥CurrentVersion¥

iURL Scan¥

Key: ServiceSearchIfDisabled

Value: 0

[Hotfix_1349] (TT-360059,SEG-3093,SEG-4276)

(SEG-4276)

Issue 1: OfficeScan agents keep on upgrading when the "PostponedInst" folder contains a file with a lower

version even when the timestamp on the file is current.

Solution 1: This hotfix resolves the issue by adding more checking mechanisms on OfficeScan agents.

(SEG-3093)

Issue 2: The integrated DLP API hook does not work on Windows 10 RedStone 2 (RS2) RTM build

(15063).


(TT360059)

Issue 3: The FortiClient VPN program may encounter connection issues on computers protected by

OfficeScan XG.

Solution 3: This hotfix resolves a compatibility issue between FortiClient VPN and the DLP module.


(SEG-1256)

Issue 1: The OfficeScan Behavior Monitoring feature may cause certain computers to lock up

intermittently.


(SEG-3260)

Issue 2: The OfficeScan Behavior Monitoring feature may block Adobe Acrobat Reader intermittently.

Solution 2: This hotfix updates the Behavior Monitoring UMH addon module to resolve the issue.

(SEG-4711)

Issue 3: The OfficeScan server cannot check the signature on a Control Manager policy if the policy

settings contain non-ASCII characters.

~

Solution 3: This hotfix enables the OfficeScan server to handle non-ASCII strings in Control Manager


[Hotfix_1355] (SEG-4824,SEG-3830)

(SEG-3830)

Issue 1: The OfficeScan User Mode Hooking (UMH) function may trigger a false alarm when users access

a specific website.

Solution 1: This hotfix updates the OfficeScan User Mode Hooking module to resolve this issue.

(SEG-4824)

Issue 2: DLP generates duplicate violation event logs when users send an email message using Outlook.

Solution 2: This hotfix enables the DLP multipart feature in Outlook to prevent duplicate violation event

logs when users send email messages in Outlook.

[Hotfix_1358] (SEG-4985)

(SEG-4985)

Issue: This hotfix aim at resolving the application failure due to Personal Firewall of Trend. The failure is

about executable image hashing take too much time and cause a timeout on application connection to its

server.

Solution: This hot fix updates the Network Security Components to ensure that Trend Micro's firewall will

asynchronously compute the hash value of the executable image that initiated a connection. While the

firewall computes the hash, all rules of the Application Filter will be unavailable until the hash value is


[Hotfix_1359] (SEG-5670)

(JIRA 4008)

Issue: The information in the "Message" field in Administrator Notifications cannot be saved successfully

if the field contains a tab delimiter.

Solution: This hotfix updates the OfficeScan server files to ensure that the information can be saved

successfully.

[Hotfix_1368]

(TT-359239,SEG-1266,SEG-2425,SEG-4948,SEG-4800,SEG-6057,SEG-5807,SEG-3749,SEG-4620,SEG

-5561)

(TT359239)





(JIRA 1266)

Issue: The UMH driver may block a certain application from running from a UNC path when the "Enable

program inspection to detect and blocked compromised executable files" option is enabled.

Solution: This hotfix updates the UMH driver to ensure that the application can run from a UNC path

while the "Enable program inspection to detect and blocked compromised executable files" option is

enabled.

(JIRA 2425)

Issue: It takes a long time to load a remote PST file in Microsoft(TM) Outlook(TM) when DLP is enabled.

Solution: This hotfix ensures that Outlook can load remote PST files normally when DLP is enabled.

(JIRA 4948)

Issue: The upload of files from an SMB path to the Internet may stop unexpectedly when DLP is enabled.

Solution: This hotfix adds an SMB checking mechanism that enables DLP to check if a file is from an

SMB path before it attempts to access the file information. If the source file is an SMB file, DLP then

Impersonates to facilitate the download.

(JIRA 4800)



(JIRA 5807)

Issue: The Listdeviceinfo tool cannot get information from the following external devices:

- LaCie Rugged THB USB3 SCSI Disk Device.

- Seagate(R) Backup+ Hub BK SCSI Disk Device.

- Seagate BUP BL SCSI Disk Device.

Solution: This hotfix resolves this tool issue.

(JIRA 3749)

Issue: The TmListen.exe service of the OfficeScan agent stops unexpectedly when Web Reputation

Service is running.

Solution: This hotfix updates the OfficeScan agent programs to prevent TmListen.exe from stopping

unexpectedly.

(JIRA 4620)

Issue: The agent grouping status switches off unexpectedly after AD synchronization.

Solution: This hotfix updates the OfficeScan server files to ensure that the agent grouping status remains

the same after AD synchronization.

(JIRA 5561)

Issue: The OfficeScan agent keeps its old build number even after applying all the latest hotfixes.

Solution: This hotfix ensures that the TmListen service checks the "[Hotfix_history.ini" file and updates

the build number during start up.


(JIRA 5527)

Issue: On computers running on the Microsoft(TM) Windows(TM) 10 platform, the DLP network filter

driver is installed with the TDI network filter driver.


correct driver is installed. This hotfix also provides a WFP driver replacement mechanism that replaces the

TDI driver with the correct driver.

(JIRA 6408)

Issue: The DLP module may not work normally while other programs are uploading files to the Internet.

Solution: This hotfix ensures that the DLP module works normally when other programs are to uploading

files to the Internet.

(JIRA 5843)

Issue: When the DLP multipart scan feature is enabled, all violations triggered in Microsoft Outlook for

different users appear under the first login user.

Solution: This hotfix enables the DLP module to check the process owner according to process ID before

scanning to ensure that each violation appears under the correct user account.

(JIRA 2791)

Issue: BSOD occurs when the "Suspicious Connection Settings" are enabled.

Solution: This hotfix updates the Network Content Inspection Engine to prevent the BSOD issue.


(JIRA 3077)

Issue: The "Suspicious Object List Setting page" has a wording error.

Solution: This hotfix corrects the wording of the "Suspicious Object List Setting" page.

(JIRA 7326)

Issue: When using the Microsoft(TM) SQL database, OfficeScan may receive ADO exception errors

caused by a NULL value passing onto a stored procedure.

Solution: This hotfix updates the OfficeScan file to prevent this issue from occurring.

(JIRA 5414)

Issue: Microsoft(TM) Internet Explorer stops responding when it transfers files using Microsoft(TM)

SharePoint.


(JIRA 7410)

Issue: When Data Loss Prevention (DLP) detects that sensitive information was sent through an email

message, the OfficeScan agent generates a blank "Activity/Channel" log.


[Hotfix_1378] (VRTS-694)

(VRTS 694)

Issue: The OfficeScan ToolBox service and "TMSmartRelayService" are affected by the Windows

unquoted service path vulnerability.

Solution: This hotfix reinstalls the services to remove the vulnerability.


(JIRA 7412)

Issue: Multiple Data Loss Prevention (DLP) violation events appear after the first user justification

window. This issue occurs when users send sensitive content using Microsoft(TM) Outlook.

Solution: This hotfix resolves this issue by refining the timestamp recording mechanism of the sent email

item. After applying this hotfix, the system only records the timestamp after it returns the user justification

action to filter out the incorrect triggered email event caused by Microsoft Outlook.

(JIRA 7327)

Enhancement: This hot fix enables Data Loss Prevention Endpoint SDK 6.0 to support Google(TM)

Chrome version 59.0.3071.86

(JIRA 7223)


and so that iPhone can still be charged while Device Control is enabled.

To configure the new setting for DLP:



c. Under the "Configure" section, manually add the "bypass_itunes_nonstor_usb_dc" key and set

its value.

[Configure]





f. Click "Save" to deploy the settings to agents.

The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in

the "dsa.pro" file in the "¥Windows¥System32¥dgagent¥" folder:


[Hotfix_1382] (SEG-4973)

(JIRA 4973)

Enhancement: This hot fix provides additional details in the Component Update Details log files. It

includes the following information:

- Domain Hierarchy of endpoint

- IP Address of endpoint

[Hotfix_1386] (SEG-5899)

(JIRA 5899)

Issue: The OfficeScan Knowledge Base (KB) article 1105079 does not work successfully under certain

situations.

Solution: This hotfix updates the certificate handling process for both Trend Micro Smart Scan Server

service and Trend Micro Smart Protection Query Handler service, which resolves this issue.

[Hotfix_1389] (SEG-7202)

(JIRA 7202)

Issue: The following error message appears when the OfficeScan installer attempts to connect to the SQL

Server: "Unable to connect to SQL server"

Solution: This hotfix resolves the issue by enabling InstallShield to use the SERVERPROPERTY

metadata function.

(JIRA 6515)

Issue: Users are redirected to the US version of the Threat Encyclopedia instead of to the specific spyware

log information after clicking the link to a spyware log in the OfficeScan web console.

Solution: This hotfix updates the OfficeScan server file to ensure that the users are redirected to the

correct spyware encyclopedia page after clicking the link on a spyware log.

[Hotfix_1393] (SEG-7967,SEG-9014)

(JIRA 7967)

Issue: Users encounter a sharing violation issue related to the ntrtscan and iexplorer processes after

enabling the OfficeScan Predictive Machine Learning feature in a computer that has a multiple core CPU.

Solution: This hotfix changes to add some sharing mode for the file open.

(JIRA 9014)

Issue: An issue related to the OfficeScan UMH driver triggers BSOD.

Solution: This hotfix updates the UMH driver to resolve the issue.

(JIRA 9203)







[Hotfix_1396] (SEG-9985,SEG-6282)

(JIRA 9985)

Issue: An issue related to the DLP file system driver may cause an RWX vulnerability in web browsers.

Solution: This hotfix updates DLP Endpoint SDK 6.0 to resolve the vulnerability.

[Hotfix_1399] (SEG-7413)

(JIRA 7413)

Issue: The DLP violation statistics may not be accurate when multiple logged in users send email

messages simultaneously.

Solution: This hotfix helps ensure that the DLP violation statistics are accurate by enabling the DLP

module to differentiate email messages from different users based on sprocess IDs.

[Hotfix_1402] (TT-352886,350067,353933,355208,SEG-9974,SEG-2232,SEG-6031)

(JIRA 9974)

Issue: When the "Send mail" button is clicked twice within five seconds, iDLP blocks sensitive

information but still sends the email message out.

Solution: This hotfix updates the iDLP module to ensure that it blocks sensitive information and prevents

the email message from being sent out.

(TT352886)

Issue: The DLP data identifiers expression "UK - RD&E Hospital Number" algorithm may trigger some

false alarms.

Solution: This hotfix updates the "UK - RD&E Hospital Number" algorithm to help avoid false alarms.

(TT350067)

Issue: A protected computer may stop responding when users copy and paste the contents of a cell to

another cell in Microsoft(TM) Excel(TM).

Solution: This hotfix ensures that users can copy and paste the contents of a cell to another cell in Excel

normally on protected computers.

(TT353933)

Issue: Users can delete files from USB storage devices that they only have READ permission to access.

Solution: This hotfix ensures that only users with the correct application permission can run applications

in USB storage devices.

(TT355208)

Issue: Boot2Docker does not launch on versions 7 and 10 of Microsoft Windows(TM) 710 when DLP is

enabled.

Solution: This hotfix ensures that Boot2Docker works normally on Windows 7 and 10 computers

protected by the OfficeScan Agent when DLP is enabled.

(JIRA 2232)

Issue: Duplicate DLP violation logs are generated when users attempt to print a PDF file that contains

sensitive information in Adobe(TM) Reader.

Solution: This hotfix applies the App White Cache mechanism according to process name to enable DLP

to treat multiple print operations from "AcroRd32.exe" that occur within a one second period as one event.

This helps prevent duplicate violation logs.

(JIRA 6031)

Issue: The DLP module causes high CPU when Microsoft Visual Studio is running.

Solution: The hotfix resolves the high CPU usage issue of the DLP service due to the redundant scan of

network events triggered by Microsoft Visual Studio, IncrediBuild and the Microsoft build.

JP_[Hotfix_1412] (SEG-1362,SEG-1365)

Issue: The Local Server cannot parse the information in the "User Agent" header because it is in the wrong

format.

Solution: This hotfix ensures that the iCRC common module adds information into the "User Agent"

header in the correct format.

JP_[Hotfix_1415] (SEG-2173,SEG-2473)

Issue: An error appears on the OfficeScan web console after users click on the number of ransomware

detected link on the Ransomware widget.

Solution: This hotfix updates the OfficeScan program files so that users can view the number of detected

ransomware after clicking on the link on the Ransomware widget.

JP_[Hotfix_1417] (SEG-2160)

Issue: The maximum size for a single file to upload is 5 MB but the OfficeScan client still attempts to

upload files that are larger than 5 MB to the server. This causes heavy traffic on the server.

Solution: This hotfix syncs the 5 MB limit to OfficeScan clients to ensure that the clients do not attempt to

upload larger files to the OfficeScan server.

DE_[Hotfix_1420] (SEG-2766,SEG-2701)

(SEG-2766)

Issue 1: The OfficeScan NT Real-time Scan service may cause the Microsoft(TM) Windows(TM) system

to hang.

Solution 1: This hotfix updates the Behavior Monitoring Core Service programs of the OfficeScan agent

to resolve this issue.






computers.





[Global Setting]








KEY: SkipDuplicateSameAccess

TYPE: dword


DE_[Hotfix_1423] (SEG-3227,SEG-3119)

(SEG-3227)

Issue: OfficeScan agents report their antivirus status information to the Microsoft(TM) Windows(TM)



Solution: This hotfix updates the OfficeScan agent program to resolve this issue.


Issue: Encounter dead lock when launch application. The OfficeScan Behavior Monitoring feature may

cause certain operating systems to stop unexpectedly when users launch an Intel driver packed as a

self-extracting RAR file.


FR_[Hotfix_1442] (SEG-4616,SEG-5702,SEG-4910)

Enhancement: This hotfix enables Administrators to use an apostrophe (') in the "Description" text box

when they add or modify a web console account.

KO_[Hotfix_1445] (SEG-6008)

(SEG-6008)

Issue: The 32-bit installer generated by the Client Packager tool does not work.

Solution: This hotfix ensures that users can install OfficeScan clients using the 32-bit installer package

generated by the Client Packager tool.





KO_[Hotfix_1454] (SEG-3830)

(JIRA 3830)

Issue: The OfficeScan User Mode Hooking (UMH) function may trigger a false alarm when users access a

specific website

Solution: This hotfix updates the OfficeScan User Mode Hooking module to resolve this issue.


(JIRA 6515)

Issue: Users are redirected to the US version of the Threat Encyclopedia instead of to the specific spyware

log information after clicking the link to a spyware log in the OfficeScan web console.

Solution: This hotfix updates the OfficeScan server file to ensure that the users are redirected to the

correct spyware encyclopedia page after clicking the link on a spyware log.









Issue: The Publisher used to export registry keys is named differently in some OfficeScan agents.

Solution: This hotfix ensures that all OfficeScan agents use the same Publisher name.

[Hotfix_1468] (SEG-9443)





Issues resolved by hot fixes for OSCE XG Patch 1

[CP_1641] (VRTS-972)

(VRTS-972)

Issue: The 3rd party AmMap application has multiple cross-site scripting (XSS) vulnerabilities that allows

remote attackers to inject arbitrary web or HTML scripts.

Solution: This hot fix resolves the XSS vulnerability.

[CP_1680] (VRTS-989,VRTS-1018,VRTS-1020,VRTS-1052,SEG-11451,SEG-10130)

(VRTS 986)

Issue: A vulnerability may allow a attacker to download the specific file from the OfficeScan server

through HTTP requests.


(VRTS 989)

Issue: A PHP file in OfficeScan XG may be vulnerable to an MITM/RCE vulnerability.

Solution: This Critical Patch resolves the potential vulnerability.

(VRTS 994)

Issue: Attackers may be able to launch Pre-Auth Server Side Request Forgery attacks through the specific

php functionality.

Solution: This Critical Patch resolves this issue by updating the specific php file and hard-coding it to

connect to the Trend Online Help page.

(VRTS 1012)

Issue: An attacker may be able to query NT domains through the OfficeScan XG process.


(VRTS 1014, VRTS 1022)

Issue: A vulnerability may allow a attacker to send CGI requests to run and stop the OfficeScan XG

process unexpectedly.


(VRTS 1018)

Issue: A vulnerability may allow remote attackers to query PHP information while the specific php file

runs.

Solution: This Critical Patch secures the information in specific php file.

(VRTS 1020)

Issue: The OfficeScan XG program may be affected by a host header injection vulnerability.


(VRTS 1052)

Issue: A vulnerability may allow a attacker to stop the OfficeScan XG process unexpectedly by forcing the

specific parameter to exceed that limit.


(SEG 11451)

Issue: The Realtime Scan is disabled unexpectedly after Autopcc runs.

Solution: This Critical Patch ensures that Real-time Scan is not disabled unexpectedly after Autopcc runs.

(SEG 10130)

Issue: The contents of the CCSF ZIP file cannot be extracted successfully which prevents some

OfficeScan agents from updating successfully.

Solution: This Critical Patch enables OfficeScan to attempt to extract the contents of the CCSF ZIP file

continuously even when other process are using the file.

[CP_1708] (VRTS-989,VRTS-1018,VRTS-1020,VRTS-1052,SEG-9066)

(JIRA 9298)

Issue: A sharing violation prevents Autopcc from working on computers where the OfficeScan agent is

already installed.

Solution: This critical patch creates a new backup folder to prevent the sharing violation and ensure that

Autopcc works normally on OfficeScan agent computers.

(JIRA 12165)



Solution: This critical patch changes to add some sharing mode for the file open.

(JIRA 12255)

Issue: In the Windows Server 2003 platform, OfficeScan agents display the following message even when

the program components are up-to-date. "Update Now: You have not received a new update in 1 days."

Solution: This critical patch updates the OfficeScan agent program to resolve the issue.

(JIRA 11606)

Issue: OfficeScan agents receive C&C callback detected alerts for IPs in the approved list.

Solution: This critical patch resolves a file path issue to help ensure that IPs in the approved list do not

trigger C&C callback detected alerts.

(JIRA 11651) / (JIRA 3758)

Issue: The OfficeScan server cannot register to the EdgeServer when TLS 1.0 is disabled.

Solution: This critical patch enables the EdgeServer to support TLS 1.1 and 1.2.

[CP_1737] (VRTS-1228,SEG-12946)

(JIRA 12946)

Issue: After moving an OfficeScan agent from one OfficeScan server to another through the web console,

the agent might not able to upgrade successfully.

Solution: This critical patch updates the OfficeScan agent program to resolve the issue.

[Hotfix_1640]

(VRTS-986,VRTS-994,VRTS-1014,VRTS-1022,SEG-7326,SEG-7829,SEG-7354,SEG-4418,SEG-7580,S

EG-4973,SEG-8495,SEG-9269,SEG-7825)

(JIRA 1256)

Issue: The OfficeScan Behavior Monitoring feature may cause certain computers to lock up intermittently.


(JIRA 3260)

Issue: The OfficeScan Behavior Monitoring feature may block Adobe Acrobat Reader intermittently.

Solution: This hotfix updates the Behavior Monitoring UMH addon module to resolve the issue.

(JIRA 4711)





(JIRA 3830)


specific website.


(JIRA 4824)

Issue: DLP generates duplicate violation event logs when users send an email message using Outlook.

Solution: This hotfix enables the DLP multipart feature in Outlook to prevent duplicate violation event

logs when users send email messages in Outlook.

(JIRA 4985)

Issue: This hotfix aim at resolving the application failure due to Personal Firewall of Trend. The failure is

about executable image hashing take too much time and cause a timeout on application connection to its

server.

Solution: This hot fix updates the Network Security Components to ensure that Trend Micro's firewall will

asynchronously compute the hash value of the executable image that initiated a connection. While the

firewall computes the hash, all rules of the Application Filter will be unavailable until the hash value is


(JIRA 4008)

Issue: The information in the "Message" field in Administrator Notifications cannot be saved successfully

if the field contains a tab delimiter.

Solution: This hotfix updates the OfficeScan server files to ensure that the information can be saved

successfully.

(TT359239)





(JIRA 1266)

Issue: The UMH driver may block a certain application from running from a UNC path when the "Enable

program inspection to detect and blocked compromised executable files" option is enabled.

Solution: This hotfix updates the UMH driver to ensure that the application can run from a UNC path

while the "Enable program inspection to detect and blocked compromised executable files" option is

enabled.

(JIRA 2425)



(JIRA 4948)





(JIRA 4800)



(JIRA 5807)


- LaCie Rugged THB USB3 SCSI Disk Device.

- Seagate(R) Backup+ Hub BK SCSI Disk Device.

- Seagate BUP BL SCSI Disk Device.

Solution: This hotfix resolves this tool issue.

(JIRA 3749)

Issue: The TmListen.exe service of the OfficeScan agent stops unexpectedly when Web Reputation

Service is running.

Solution: This hotfix updates the OfficeScan agent programs to prevent TmListen.exe from stopping

unexpectedly.

(JIRA 4620)




(JIRA 5561)


Solution: This hotfix ensures that the TmListen service checks the "hotfix_history.ini" file and updates the

build number during start up.

(JIRA 5527)

Issue: On computers running on the Microsoft(TM) Windows(TM) 10 platform, the DLP network filter

driver is installed with the TDI network filter driver.


correct driver is installed. This hotfix also provides a WFP driver replacement mechanism that replaces the

TDI driver with the correct driver.

(JIRA 6408)

Issue: The DLP module may not work normally while other programs are uploading files to the Internet.

Solution: This hotfix ensures that the DLP module works normally when other programs are to uploading

files to the Internet.

(JIRA 5843)

Issue: When the DLP multipart scan feature is enabled, all violations triggered in Microsoft Outlook for

different users appear under the first login user.

Solution: This hotfix enables the DLP module to check the process owner according to process ID before

scanning to ensure that each violation appears under the correct user account.

(JIRA 2791)

Issue: BSOD occurs when the "Suspicious Connection Settings" are enabled.

Solution: This hotfix updates the Network Content Inspection Engine to prevent the BSOD issue.

(JIRA 3830)


specific website.


(JIRA 5202)

Issue: The OfficeScan Behavior Monitoring feature may cause certain operating systems to stop

unexpectedly when users launch an Intel driver packed as a self-extracting RAR file.


(JIRA 4800)



(JIRA 2425)



(TT348875)

Issue: A USB floppy disk drive cannot be added into the exception list of removable storage devices in the

DLP Policy Settings.

Solution: This hotfix ensures that users can add USB floppy disk drives into the DLP exception list of

removable storage in the DLP Policy Settings.

(TT355419)

Issue: The Lumension Heat patching software may stop unexpectedly when DLP is enabled.

Solution: This hotfix resolves the issue by preventing DLP from excluding the following two processes:

- XMLDeltaParser.exe

- DAgent.exe

(JIRA 5807)


- LaCie Rugged THB USB3 SCSI Disk Device

- Seagate(R) Backup+ Hub BK SCSI Disk Device

- Seagate BUP BL SCSI Disk Device


(TT357926)

Issue: DLP does not block the most current webmail sites like "Outlook.com".


(TT356728)

Issue: DLP blocks the Exodus Jabber program unexpectedly.

Solution: This hotfix ensures that the Exodus Jabber program works normally when DLP is enabled on the

endpoint machines.

(TT358910)

Issue: Microsoft Access (.mdb) files cannot be recovered to USB storage from the DLP backup folder.

Solution: This hotfix ensures that DLP can successfully recover Microsoft Access (.mdb) files.

(JIRA 4948)





(TT358095)

Issue: DLP does not block users from dragging and dropping files on to current webmail sites such as

"Outlook.office.com" or "Outlook.live.com in Google Chrome.

Solution: This hotfix ensures that OfficeScan can effectively block sensitive information from leaking

when users use Google Chrome to access webmail sites.

(JIRA 6008)

Issue: The 32-bit installer generated by the Client Packager tool does not work.

Solution: This hotfix ensures that users can install OfficeScan clients using the 32-bit installer package

generated by the Client Packager tool.

(JIRA 3077)

Issue: The "Suspicious Object List Setting page" has a wording error.

Solution: This hotfix corrects the wording of the "Suspicious Object List Setting" page.

(JIRA 7326)




(JIRA 5414)

Issue: Microsoft(TM) Internet Explorer stops responding when it transfers files using Microsoft(TM)

SharePoint.


(JIRA 7410)

Issue: When Data Loss Prevention (DLP) detects that sensitive information was sent through an email

message, the OfficeScan agent generates a blank "Activity/Channel" log.


(JIRA 7412)

Issue: Multiple Data Loss Prevention (DLP) violation events appear after the first user justification

window. This issue occurs when users send sensitive content using Microsoft(TM) Outlook.

Solution: This hotfix resolves this issue by refining the timestamp recording mechanism of the sent email

item. After applying this hotfix, the system only records the timestamp after it returns the user justification

action to filter out the incorrect triggered email event caused by Microsoft Outlook.

(JIRA 6632)




(JIRA 3830)


specific website.


(JIRA 7326)




(VRTS 1014)


"fcgiOfcDDA.exe" on the OfficeScan server and trigger " fcgiOfcDDA.exe " to stop unexpectedly. When

this happens, a large number of dump files are generated which can eventually take up a large portion of

disk space.


(VRTS 1022)


"cgiRqUpd.exe" on the OfficeScan server and trigger "cgiRqUpd.exe" to stop unexpectedly. When this

happens, a large number of dump files are generated which can eventually take up a large portion of disk

space.


(JIRA 7829)

Issue: The list of supported platforms in the "Additional Service Settings" page of the OfficeScan XG web

console does not include the new Windows Server 2016 platform.

Solution: This hotfix adds the new Windows Server 2016 platform to the supported platform list on the

"Additional Service Settings" page.

(JIRA 7354)


Solution: This hotfix ensures that the TmListen service checks the "hotfix_history.ini" file and updates the

build number during start up.

(VRTS 994)

Issue: Attackers may be able to launch Pre-Auth Server Side Request Forgery attacks through the

"help_Proxy.php" functionality.

Solution: This hotfix resolves this issue by updating the "help_Proxy.php" file and hard-coding it to

connect to the Trend Online Help page.

(JIRA 4418)

Issue: OfficeScan clients running on Windows platforms stop responding while shutting down or

restarting.

Solution: This hotfix prevents this issue by improving the way processes read information using the

lookaside list when the Unauthorized Change Prevention Service is de-initializing.

(JIRA 7825)

Issue: The Outbreak Prevention Policy cannot block access to SMB shared folders.

Solution: This hotfix enables OfficeScan to terminate the current connection when enabling the Outbreak

Prevention Policy to help ensure that the policy can block access to SMB folders successfully.



b. Open the "ofcscan.ini" file in the "¥PCCSRV¥" folder on the OfficeScan installation

directory.

c. Under the "Global Setting" section, manually add the following key and set its value to

"1".

[Global Setting]

cnqConnectionTermination=1




Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro

¥PC-cillinNTCorp¥CurrentVersion¥Misc.

Key: cnqConnectionTermination

Type: DWORD

Value:

0 = OfficeScan does not support network re-establish

1 = OfficeScan supports network re-establish

Note: This function works only on computers that retrieve its IP address from the

DHCP server automatically.

(JIRA 7580)

Issue: An issue prevents users from adding another gateway IP address for an endpoint location.

Solution: This hotfix ensures that users can configure additional gateway IP addresses for an endpoint

location.

(VRTS 986)

Issue: A vulnerability may allow a remote unauthenticated attacker to download the "crypt.key" file from

the OfficeScan server through HTTP requests.


(JIRA 5670)

Enhancement: This hotfix enables DLP Endpoint SDK 6.0 to support Chrome 58.0.3029.81.

(JIRA 6057)


(JIRA 4910)

Enhancement: This hotfix enables Administrators to use an apostrophe (') in the "Description" text box

when they add or modify a web console account.

(JIRA 6057)


(JIRA 7327)

Enhancement: This hot fix enables Data Loss Prevention Endpoint SDK 6.0 to support Google(TM)

Chrome version 59.0.3071.86

(JIRA 7223)


and so that iPhone can still be charged while Device Control is enabled. To configure the new setting for

DLP:



c. Under the "Configure" section, manually add the "bypass_itunes_nonstor_usb_dc" key and set

its value.

[Configure]





f. Click "Save" to deploy the settings to agents.

The OfficeScan server deploys the settings to OfficeScan agents and adds the following key in

the "dsa.pro" file in the "¥Windows¥System32¥dgagent¥" folder:


(JIRA 4973)

Enhancement: This hot fix provides additional details in the Component Update Details log files. It

includes the following information:

- Domain Hierarchy of endpoint

- IP Address of endpoint

(JIRA 8495)

Enhancement: This hot fix enables Data Loss Prevention Endpoint SDK 6.2 to support the following

Google(TM) Chrome versions:

- Google(TM) Chrome version 58.0.3029.110m.

- Google(TM) Chrome version 59.0.3071.86

(JIRA 9269)

Enhancement: This hot fix enables Data Loss Prevention Endpoint SDK 6.2 to support the following

Google(TM) Chrome versions:

- Google(TM) Chrome version 58.0.3029.110m.

- Google(TM) Chrome version 59.0.3071.86

(SBM 356627)

Enhancement: This hotfix adds an assessment mode for ransomware. In assessment mode, OfficeScan

will not terminate the suspected ransomware process but creates a log for it.

Procedure: To enable assessment mode:



c. Under the "Global Setting" section, manually add the following keys and set each to "1".

[Global Setting]

EnableADCAssessMode=1



EnableADCAssessModeNotification=1

Value: 0 = no popup notification in the system tray icon

1 = a popup notification appears in the system tray icon




Path:


Key: EnableADCAssessMode

Type: DWORD



Key: EnableADCAssessModeNotification

Type: DWORD


1 = have popup notification in system tray icon

[Hotfix_1656] (VRTS-1012,SEG-9014)

(JIRA 9014)

Issue: An issue related to the OfficeScan UMH driver triggers BSOD.

Solution: This hotfix updates the UMH driver to resolve the issue.

(VRTS 1012)

Issue: Remote unauthenticated attackers may be able to query NT domains through the OfficeScan XG

"cgiGetNTDomain.exe" process.



(JIRA 7249)

Issue: The OfficeScan Predictive Machine Learning feature blocks users from publishing documents from

Microsoft Outlook.

Solution: This hotfix changes the share write property of the ATSE to resolve this issue.

(JIRA 7730)

Issue: BSOD occurs when users run Microsoft Office on OfficeScan client computers.

Solution: This hotfix removes an unnecessary string comparison step to ensure that Microsoft Office runs

normally on protected computers.

(JIRA 8631)

Issue: Sometimes, the Windows Security Center indicates that OfficeScan is not running even when it is

enabled and running and sends users an important message to enable the OfficeScan Antivirus.

Solution: This hotfix updates the OfficeScan agent file to resolve the issue.

(JIRA 9007)

Issue: OfficeScan agents display the following message even when the program components are

up-to-date."Update Now: You have not received a new update in 1 days."

Solution: This hotfix updates the OfficeScan agent program to resolve the issue.

[Hotfix_1666] (VRTS-1115,SEG-9016,SEG-10356)

(VRTS 1115)

Issue: Web server details gathered from the banner may allow attackers to search and launch automated

attacks from commonly-found web sites which may lead to website defacement or denial of service.


(JIRA 10356)




(JIRA 9016)

Issue: An issue related to the Unauthorized Change Prevention service can prevent the OfficeScan Device

Control feature from applying the correct policies in computers running on the Windows 10 platform.

Solution: This hotfix allows users to enable OfficeScan to support the detection and termination of

processes on USB drives using the "run as admin" feature. This helps resolve the issue.

Procedure: To enable the new settings:




[Global Setting]

EnableDACTerminate=1



g. Click "Save" to deploy the setting to clients.


Key: EnableDACTerminate

Type: DWORD

Value: 1

f. Restart the Behavior Monitoring service on clients.

[TC_Hotfix_1678] (SEG-11133)

(VRTS 1115)

Issue: Web server details gathered from the banner may allow attackers to search and launch automated

attacks from commonly-found web sites which may lead to website defacement or denial of service.


(SEG 10356)




(SEG 9016)

Issue: An issue related to the Unauthorized Change Prevention service can prevent the OfficeScan Device

Control feature from applying the correct policies in computers running on the Windows 10 platform.

Solution: This hotfix allows users to enable OfficeScan to support the detection and termination of

processes on USB drives using the "run as admin" feature. This helps resolve the issue.

Procedure: To enable the new settings:


b. Open the "ofcscan.ini" file in the "¥PCCSRV¥" folder on the OfficeScan installation

directory.


[Global Setting]

EnableDACTerminate=1





Key: EnableDACTerminate

Type: DWORD

Value: 1

g. Restart the Behavior Monitoring service on clients.

[Hotfix_1682] (SEG-6486)

(JIRA 6486)

Issue: Users may not be able to access an internal web application while the Browser Exploit Prevention

feature is enabled.

Solution: This hotfix updates the Microsoft(TM) Internet Explorer(TM) Javascript hooking logic to

resolve this issue.

[Hotfix_1692]


2,SEG-12076,SEG-7783,SEG-7318,VRTS-1284)

(VRTS 1284)

Issue: A Use-After-Free vulnerability affecting the firewall driver may cause the computer to stop

unexpectedly.


(JIRA 11492)

Issue: When DLP is enabled on Microsoft(TM) Windows(TM) 10.14393 platforms, "mscorsvw.exe" stops

responding.

Solution: This hotfix resolves the issue by updating the iDLP module to add "mscorsvw.exe" to its

approved list.

(JIRA 10631)

Issue: The extension names of quarantined files disappear after these files are restored from the quarantine

folder. This happens because the file extension name exclusion list is overwritten with an empty string

during file restoration.

Solution: This hotfix enables OfficeScan to restore the complete file extension name exclusion list to

ensure that quarantined files are restored with the correct extension names.

(JIRA 11771)

Issue: The "file extensions" field under the "File Attributes DLP identifier" section does not accept entries

that contain an underscore "_".

Solution: This hotfix updates the Trend Micro Data Loss Prevention(TM) (DLP) module to enable the

"file extensions" field to support the underscore character "_".

(JIRA 6439)

Issue: When DLP is enabled on Windows 8.1 platforms, some programs may stop unexpectedly.

Solution: This hotfix resolves the issue by updating the iDLP module to enable it to retrieve the correct

path to the Microsoft "wow64.dll" module.

(JIRA 8975)

Issue: An issue prevents the DLP module from parsing sender email address information on OWA web

mail.

Solution: This hotfix add a function in the iDLP module which helps ensure that it can parse sender

information in Office 365 web mail correctly.

(JIRA 10980)

Issue: The account and password setting for the external proxy server do not support the hash special

character "#".

Solution: This hotfix resolves a broken jquery Ajax call to ensure that the account and password setting for

the external proxy server supports special characters.

(JIRA 11342)

Issue: An issue related to the Anti-exploit Protection function might cause Internet Explorer to stop

unexpectedly.

Solution: This hotfix updates the OfficeScan Agent files to resolve the issue.

(JIRA 12076)

Issue: The following OfficeScan 12.0 Patch 1 hotfixes are affected by an issue related to the OfficeScan

Firewall module which may cause the Firewall service to encounter network access issues and application

connection timeout issues.

- Hotfix 6277

- Hotfix 6281

- Hotfix 6292

- Hotfix 1358


Note: You must restart the endpoint after applying this hotfix to update the Common Firewall

module on affected OfficeScan agents.

(JIRA 7783)




- Hotfix 6277

- Hotfix 6281

- Hotfix 6292

- Hotfix 1358




(JIRA 7318)




- Hotfix 6277

- Hotfix 6281

- Hotfix 6292

- Hotfix 1358




(JIRA 9646)

Issue: There is a compatibility issue between some printers and OfficeScan predictive machine learning.

Solution: This hotfix fixed the compatibility issue.

(JIRA 11404)

Enhancement: This hotfix enables DLP Endpoint SDK 6.0 to support the following Google Chrome

versions:



(JIRA 12182)

Enhancement: This hotfix enables DLP Endpoint SDK 6.0 to support the following Google Chrome

versions:



(JIRA 4974)

Enhancement: This hotfix enables OfficeScan to send detected pattern information to the Control

Manager server to add to the "Detailed Virus/Malware Information" data view of ad hoc queries. This

feature also requires the application of Control Manager Hotfix 3630 or any later hotfix on the Control

Manager server.

[Hotfix_1708]

(SEG-9298,SEG-12165,SEG-12255,SEG-11754,SEG-11495,SEG-11606,SEG-11651,SEG-3758)

(JIRA 9298)

Issue: A sharing violation prevents Autopcc from working on computers where the OfficeScan agent is

already installed.

Solution: This hotfix creates a new backup folder to prevent the sharing violation and ensure that Autopcc

works normally on OfficeScan agent computers.

(JIRA 12165)




(JIRA 12255)

Issue: In the Windows Server 2003 platform, OfficeScan agents display the following message even when

the program components are up-to-date. "Update Now: You have not received a new update in 1 days."


(JIRA 11606)

Issue: OfficeScan agents receive C&C callback detected alerts for IPs in the approved list.

Solution: This hotfix resolves a file path issue to help ensure that IPs in the approved list do not trigger

C&C callback detected alerts.

(JIRA 11651) / (JIRA 3758)

Issue: The OfficeScan server cannot register to the EdgeServer when TLS 1.0 is disabled.

Solution: This hotfix enables the EdgeServer to support TLS 1.1 and 1.2.

(JIRA 9066)

Enhancement: This critical patch enhances the Behavior Monitoring and Predictive Machine Learning

features to better detect and prevent ransomware infections from files, and improves the protection against

ransomware threats during outbreak situations.

(JIRA 11754)

Enhancement: This hotfix speeds up the approved and blocked list comparison for supported web

services, including Dropbox, Google Drive, Gmail, and others.

(JIRA 11495)

Enhancement: This hotfix adds the "Japan: Driving License Number" validator.

[Hotfix_1709] (SEG-11641)

(JIRA 11641)

Enhancement: This hotfix allows Trend Micro Predictive Machine Learning to detect emerging unknown

security risks threats found in suspicious processes or files originating from any channels.

[Hotfix_1714]


08)

(JIRA 10553)

Issue: The OfficeScan agent status information on the Control Manager web console does not match the

information in the OfficeScan web console.

Solution: This hotfix ensures that the OfficeScan agent status information on the Control Manager web

console is consistent with the information on the OfficeScan web console.

(JIRA 10964)

Issue: The OfficeScan Predictive Machine Learning feature blocks users from publishing documents from

Microsoft Outlook.

Solution: This hotfix moves the file property extraction step to a later stage to ensure that users can

publish documents from Microsoft Outlook.

(JIRA 11381)

Issue: The OfficeScan agent reports a false positive detection after enabling the Anti-exploit Protection

feature.

Solution: This hotfix updates the OfficeScan agent to prevent the false positive detection.

(JIRA 11966)

Issue: BSOD occurs on protected computers running on unsupported Windows versions.

Solution: This hotfix removes the API hooking mechanism for unsupported Windows versions to prevent

BSOD in these computers.

(JIRA 9408)

Issue: An issue prevents users from browsing through folders in Huawei smart phones connected to a

protected computer when the OfficeScan Data Protection Service is enabled.

Solution: This hotfix enables OfficeScan to discard Huawei smart phone cdrom device instance to ensure

that users can browse folders in a connected Huawei smart phone in MTP mode.

(JIRA 9246)

Issue: An issue prevents users from using the Huawei Mobile Broadband Airtel 4G Model device

connected to a protected computer when the OfficeScan Data Protection Service is enabled.

Solution: This hotfix enables OfficeScan to discard the Huawei Mobile Broadband Airtel 4G Model

device instance to ensure that users can browse the Internet using the device when the OfficeScan Data

Protection Service is enabled.

(JIRA 11396)

Enhancement: This hotfix enables DLP Endpoint SDK 6.2 to use the Data Protection Application Pattern

to support Google Chrome and the list of approved processes.

(JIRA 10766)

Enhancement: This hotfix updates the pop-up message that appears when OfficeScan agents that are

being moved to another OfficeScan server have mismatched certificates.

(JIRA 12808)

Enhancement: This hotfix adds the ""Nigeria: Verve IIN (Issuer Identification Number"" validator.

[Hotfix_1717] (SEG-10791,SEG-11327,SEG-11705,SEG-13146,SEG-13181,SEG-13293)

(JIRA 10791)

Issue: The OfficeScan Behavior Monitoring feature may cause certain third-party programs that are in its

approved list to stop responding.





directory.



[Global Setting]








Type: DWORD

Value: 1


(JIRA 11327)

Issue: The OfficeScan Behavior Monitoring feature may cause a protected computer to stop responding

while the feature checks the file signature on a UNC path.


(JIRA 11705)

Issue: The OfficeScan Behavior Monitoring feature may cause performance issues while the protected

computer runs certain programs that are in the Behavior Monitoring approved list.





directory.



[Global Setting]








Type: DWORD

Value: 1


(JIRA 13146/JIRA 13181)

Issue: BSOD occurs while a protected computer starts up because the UMH driver attempts to access a

corrupted cache.

Solution: This hotfix updates the UMH module to resolve the issue.

(JIRA 13293)

Issue: The MPS feature of iDLP cannot be disabled on OfficeScan agents.

Solution: This hotfix provides a way for users to disable the MPS feature on OfficeScan agents.

Procedure: To disable the email multi part scan mode in the DLP function and globally deploy this setting

to all OfficeScan agents:


b. Open the "ofcscan.ini" file in the "¥PCCSRV¥" folder of the OfficeScan server.


[Global Setting]

EnableDlpMPScan=0

NOTE: To enable the setting again, set "EnableDlpMPScan=1".


e. Open the OfficeScan server management console and click "Agents > Global Agent Settings"

on the main menu to access the "Global Agent Settings" page.


The OfficeScan server deploys the command to agents and adds the following registry entry on

all agent computers:

Path:

HKLM¥SYSTEM¥SOFTWARE¥Wow6432Node¥TrendMicro¥ PC-cillinNTCorp¥CurrentVersion¥DlpLit

e

Key: EnableMPScan

Type: dword

Value: 0

Note: The OfficeScan agent needs to reload after enabling/disabling the MPS feature.

(JIRA 13723)

Issue: The DLP version appears as 0.0.0 on both the management console and agent console.

Solution: This hotfix ensures that the correct DLP version appears on both the management console and

agent console.

[Hotfix_1721]


07,SEG-12080,SEG-12552,SEG-13772,SEG-13380,SEG-12859)

(JIRA 4624)

Issue: The OfficeScan Behavior Monitoring feature may cause certain approved third-party programs to

take longer to load on protected computers.


(JIRA 11500/JIRA 12079)

Issue: DLP Endpoint SDK 6.2 sometimes cannot block users from uploading files that contain sensitive

information to "outlook.live.com" and "facebook.com".

Solution: This hotfix updates the DLP module to enhance support for both websites to ensure that the

module can block files with sensitive information from being uploaded onto these websites.

(JIRA 12101/JIRA 12045)

Issue: The Trend Micro Unauthorized Change Prevention Service uses up a large amount of CPU

resources.


(JIRA 12552)

Issue: The OfficeScan manual scan exclusion feature may not work properly while the suspected malware

process is still running.


(JIRA 13772/13380)

Issue: When the system installs or upgrades the Cisco VPN software, it tries to access some registry keys

under the TmLwf registry key, which causes the software installation to fail.

Solution: This hotfix adds a key to disable the self-protection only function of the TmLwf registry key,

which resolves this issue.





[Global Setting]

SP_DisableTmLwfRegistryKeyProtection=1





Path:


Key: SP_DisableTmLwfRegistryKeyProtection

Type: DWORD



(JIRA 12859)

Issue: A user requests for a way to add the following information into DLP log notifications under the

digital asset email notifications:

- Process

- Source

- Destination

- Incident ID

Solution: This hotfix updates the OfficeScan Master Service to support the following tokens in DLP log

notifications.

- %PROCESS%

- %SOURCE%

- %DESTINATION%

- %VIOLATIONID%

[Hotfix_1729] (SEG-1056)

(JIRA 1056)

Enhancements: This hotfix updates the Trend Micro Osprey Firefox Extension and enables it to support

Firefox 51 and later versions.


(JIRA 14538)

Issue: Enabling the Browser Exploit Prevention (BEP) feature causes Microsoft Internet Explorer to crash

when opening certain websites that were added to the Web Reputation Approved List.

Solution: This hotfix updates the Browser Exploit Prevention component to resolve the issue.




directory.

c. Under the "Global Setting" section, manually add the "DisableJSHook" key and set its value to

"1".

[Global Setting]

DisableJSHook=1





Path: HKEY_LOCAL_MACHINE¥SOFTWARE¥TrendMicro¥AMSP¥SAL

Key: DisableJSHook

Type: DWORD

Value: 1


(JIRA 14855)

Issue: Enabling the Browser Exploit Prevention (BEP) feature may cause customers to encounter an error

when accessing certain websites that were added to the Web Reputation Approved List.

Solution: This hotfix updates the Browser Exploit Prevention component to resolve the issue.

(JIRA 13231)

Issue: DLP Endpoint SDK 6.2 blocks VirtualBox from launching in Headless Mode.

Solution: This hotfix updates the DLP module to skip API event inspection from all VirtualBox processes.

Enhancements from hot fixes for OSCE 11.0 SP1 Patch 1

[JP Hot fix 5086.u](SEG-8667)

Enhancement: Third-party Product Uninstallation - The OfficeScan installation program now

automatically removes the following products before installing the OfficeScan client:

The English versions of the following third-party products with the English version of

OfficeScan:

o Symantec Endpoint Protection 12.1.6318.6100 - JP (x86 and x64)

o Symantec Endpoint Protection 12.1.7004.6500 - JP (x86 and x64)

Enhancements from hot fixes for OSCE 11.0 SP1 (UMH)

[Hot fix 6087.u](TT-348155)

[Hot fix 6090.u](TT-346873)

[Hot fix 6097.u](TT-349045,349059)

[Hot fix 6104.u](TT-348846)

[Hot fix 6108.u](TT-348904)

[TC_Hot fix 6132.u](TT-349992,349993,349994)

[Hot fix 6142.u](TT-351493)

[Hot fix 6152.u](TT-347017)

[Hot fix 6153.u](TT-349847)

[JP_Hot fix 6165.u](TT-351941)

[TC_Hot fix 6169.u](TT-353279)

[Hot fix 6172.u](TT-353508)

[Hot fix 6209.u](TT-354689)

[Hot fix 6220.u](TT-354193)

[Hot fix 6245.u](TT-351070)

[Hot fix 6247.u](TT-356316)

[Hot fix 6256.u](TT-355959)

[JP_Hot fix 6276.u](TT-358241)

[Hot fix 6280.u](TT-351592,348795)

[Hot fix 6323.u](SEG-3921)

[KO_Hot fix 6349.u](SEG-4200)

[JP_Hot fix 6373.u](TT-359490)

[Hot fix 6374.u](SEG-7394)

[JP_Hot fix 6391.u](SEG-7611)

[Hot fix 6401.u](SEG-8707)

[SC_Hot fix 6412.u](SEG-10254)

[Hot fix 6413.u](SEG-10254)



[Hot fix 6449.u](SEG-14047)




OfficeScan:

o System Center Endpoint Protection 4.5.216.0 x86/x

o Symantec Endpoint Protection 12.1.1101.401 x86/x

o Symantec Endpoint Protection 12.1.3001.165 x86/x

o Symantec Endpoint Protection 12.1.4100.4126 x86/

o Symantec Endpoint Protection 12.1.4100.4126 x86










o Sophos Anti-Virus 10.6.3.537 x86/x64

o Sophos AutoUpdate 5.2.0.276 x86/x64

o Sophos Client Firewall 2.9.5 x86/x64

o Sophos Network Threat Protection 1.2.2.50 x86/x6

o Sophos Patch Agent 1.0.308.0 x86/x64

o Sophos Remote Management System 4.0.6 x86/x6

o Sophos System Protection 1.3.0 x86/x64

o Sophos 10.3

o Sophos 10.5

o Sophos 10.6

o Kaspersky 10.0.3361

o Panda Endpoint Agent 7.30.02.0000 x86/x64

o Panda Free Antivirus 7.84.00.0000 x86/x64

o Panda Free Antivirus 8.20.00.0000 x86/x64

o ESET NOD32 Antivirus 9.0.377.1 x86/x64


o ESET NOD32 Antivirus 4.2.40.27 CHT x86/x64


o McAfee Agent 4.8.0.641 x86/x64


o McAfee VirusScan Enterprise 8.8.02004 x86/x64

o McAfee Endpoint Encryption 4.1.0.577 x86/x64



o Avira Server Security 13.0.0.3736 x86/x64

o AhnLab V3 Internet Security 9.0.17.870 x86/x64

Enhancements from hot fixes for OSCE XG

[Hot fix 1258.u](TT-354875)

[Hot fix 1278.u](TT-357211)

[Hot fix 1316.u](TT-359988)

[Hot fix 1330.u](SEG-2270)

[Hot fix 1351.u](SEG-2191)

[Hot fix 1353.u](SEG-3925)

[Hot fix 1356.u](SEG-5205)

[Hot fix 1357.u](SEG-4270)

[Hot fix 1366.u](SEG-5856)

[Hot fix 1370.u](SEG-5747)

[Hot fix 1373.u](SEG-5399,SEG-6368)

[Hot fix 1374.u](SEG-6989,SEG-6990,SEG-7006,SEG-7007)

[Hot fix 1377.u](SEG-7409)

[Hot fix 1383.u](SEG-8229)

[Hot fix 1384.u](SEG-8228)

[Hot fix 1387.u](SEG-8204)

[Hot fix 1388.u](SEG-8930)

[Hot fix 1390.u](SEG-8482,SEG-8786,SEG-9182)

[Hot fix 1395.u](SEG-8206)

[TC_Hot fix 1458.u](SEG-8117)


[DE_Hot fix 1463.u](SEG-9565)





OfficeScan:

o Symantec Endpoint Protection 14.0.2332.0100 x86/x64


o Symantec Endpoint Security 12.1.3001.165 x64











o Kaspersky Endpoint Security 10 for Windows 10.2.4.674

o Kaspersky Security Center Network Agent 10.2.434


o McAfee DLP Endpoint 9.3.200.23 x86/x64

o McAfee Drive Encryption - 7.1.0.389 x86/x64

o McAfee Endpoint Encryption for Files and Folders 4.2.0.164 x86/x64

o McAfee Agent - 4.8.0.1500 x86/x64


o McAfee Endpoint Security Platform 10.5.0 x86/x64

o McAfee Endpoint Security Threat Prevention 10.5.0 x86/x64

o Sophos Anti-Virus 10.7.2.49 x86/x64

o Sophos AutoUpdate 5.7.220 x86/x64

o Sophos AutoUpdate 5.7.51 x86/x64

o Sophos Endpoint Defense 1.0.0.265 x86/x64

o Sophos Network Threat Protection 1.2.2.50 x86/x64

o Sophos Client Firewall 2.9.5 x86/x64

o Sophos System Protection 1.3.1 x86/x64

o Trend Micro Security Agent 6.0.1204 x86/x64

o ESET Endpoint Security 5.0.2126.0 x86/x64

o Traps 3.4.0.15678 x86/x64

o Traps 3.4.3.19949 x86/x64

o Traps 4.0.0.24417 x86/x64

o ESET Endpoint Security 6.4.2014.0 x86/x64

o FortiClient 5.2.5.0658 x86/x64

o ESET Endpoint Antivirus 6.3.2016.0 x86/x64

o Cisco FireAmp 5.1.1 x86/x64

Enhancements from hot fixes for OSCE XG Patch 1

[Hot fix 1599.u](SEG-6449)

[Hot fix 1632.u](SEG-9002)

[Hot fix 1674.u](SEG-10450)

[Hot fix 1677.u](SEG-10798)

[Hot fix 1681.u](SEG-11437)

[Hot fix 1685.u](SEG-11762)

[Hot fix 1691.u](SEG-11059,SEG-10897)

[Hot fix 1711.u](SEG-13043)

[Hot fix 1717.u](SEG-12977,SEG-13573)

[Hot fix 1722.u](SEG-13367,SEG-13689,SEG-13849)

[Hot fix 1728.u](SEG-14157)

[Hot fix 1730.u](SEG-14234)

[Hot fix 1734.u](SEG-14703,SEG-14684,SEG-14290,SEG-14685)




OfficeScan:



o Symantec Endpoint Security 12.1.7004.6500 x86/x64




o Symantec DLP 14.6.0100.01043 x64

o System Center Endpoint Protection 4.7.213.0 x86/x64

o ESET File Security 4.5.12017.0 x64 for Server platforms

o ESET Endpoint Antivirus 5.0.2254.0 x64

o ESET Endpoint Antivirus 5.0.2126 x86/x64

o ESET Endpoint Antivirus 5.0.2265 x86/x64





o McAfee Endpoint Security Firewall 10.2.0 x86/x64



o McAfee Endpoint Security Web Control 10.2.0 x86/x64

o McAfee Endpoint Security Firewall 10.5.0 x86/x64



o McAfee Endpoint Security Web Control 10.5.0 x86/x64

o McAfee Product Improvement Program 1.6.0.623 x86/x64



o AVG Internet Security 17.5.3022 x86/x64

o Avira Free Antivirus 15.0.29.32 x64

o Pacific Seeds Remote Client 5.2.0.0591 x64

o F-Secure PSB Workstation Security 12.01 x86/x64

o Kaspersky Endpoint Security 10.3.0.6294 x86/x64

o Kaspersky Endpoint Security 10 for Windows 10.2.5.3201 x86/x64

o Kaspersky Security Center Network Agent 10.2.434 x86/x64

o Kaspersky AES Encryption Module 1.1.0.73 x86/x64

o Bitdefender Endpoint Security Tools 6.2.19.899 x64

Issues resolved by hot fixes for OSCE 11.0 SP1 - Trend Micro · PDF fileIssues resolved by hot...

Documents

Transcript of Issues resolved by hot fixes for OSCE 11.0 SP1 - Trend Micro · PDF fileIssues resolved by hot...