Archive for category Trend Micro

Exchange 2010 EMC not opening “The WinRM client cannot complete the operation within the time specified”

When I open the Microsoft Exchange EMC on a server, the following error message is displayed.

Initialization failed

The following error occurred when getting management role assignment for ‘domainname.local/MyBusiness/Users/SBSusers/Administrator’:

Processing data for a remote command failed with the following error message: The WinRM client cannot complete the operation within the time specified. Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management service is enabled. For more information, see the about_Remote_Troubleshooting Help topic.

Click here to retry

There are no additional errors in the Eventlogs. The server is running Exchange 2010 SP2. No proxy configured. Windows update is up-to-date. Windows firewall is off.

Exchange is still functioning but there is no management of the service.
The first lead I found suggested antivirus:

https://social.technet.microsoft.com/Forums/exchange/en-US/a675a48e-75a3-43c7-b99b-ec86527adb1d/emc-initialization-failed-with-winrm-error-exchange-2010-sp2?forum=exchange2010

As the site is using Trend Micro Worry Free Advanced, I opened the TMWF console, created a new Server container, dragged the server into it from the old container, refreshed the client on the server and can now access the EMC.

Now that I know what caused it, looking over the Trend Knowledge base reveals http://esupport.trendmicro.com/Pages/Unable-to-access-Exchange-2010-Management-Console-.aspx

The issue of not being able to open the Exchange Management Console can occur when there is no Internet connection after a server restart.
This can affect any server coming up without an Internet connection because, by default, the antivirus software on the server is configured to look at the Internet before allowing a connection to the EMC.
You can change this behaviour by following the steps in the Trend KB article.

The issue occurs because the Proxy hooks the Exchange 2010 management console query URL and fails to get a score from the Internet because there is no connection.

To resolve the issue:

  1. Ensure that the Exchange Server has Internet connection.
  2. Log on to Worry-Free Business Security (WFBS) web console.
  3. Go to Security Settings > Add group.
  4. Under Group type, select Servers.
  5. Specify a name for the group.
  6. Click Save.

     Note: The created group will have the default settings if the Import settings from group check box is unticked.

  7. Disable the Web Reputation and URL Filtering feature for the newly created group.
     1. Go to Security Settings, then select the new group.
     2. Click Configure.
     3. Select the Web Reputation tab and unmark Enable Web Reputation for In-Office and Out-of-Office.
     4. Click Save.
     5. Select URL Filtering and unmark Enable URL Filtering.
     6. Click Save.
  8. Move the Security Agent of the Exchange 2010 Server in the previously edited group.
     1. Go to Security Settings and select the server group where Exchange Server 2010 is listed.

        Note: This step refers to the Exchange Server Client/Server Security Agent and not the Messaging Security Agent.

     2. Drag and drop the selected Exchange Server to the group you created.

 


Trend Micro TMWF 9 Exchange (Scanmail – Smex) not configurable within the console

When opening the Console, going to Security Settings, clicking the Exchange server in the list and clicking “Security Settings” … nothing happens. No popups, no errors, no nothing.

I can’t get into the Antivirus or antispam settings and the agent appears to be offline?

As this console normally opens up http://ExchangeServer:16372/smex/cgiDispatcher.exe?Page=scan/Antispam.htm&Locale=&CurPage= my first step was to telnet to the Exchange server on port 16372, and it did not answer.

As Smex runs from within a web server (in my case IIS), I looked at the default website and it was not running on port 16372. The port that it was running on did not match the firewall rule.

This means the smex service could not bind to a port when the service starts and as this port did not match the console, I had no hopes of connecting to it.

I changed the port in IIS and the firewall rule, restarted the website and … all fixed!

 

 


Upgrade to Trend Micro Worry Free 9 causes 10 minute stall when plugging in USB storage

On one of our installations, since installing TMWF9, whenever a USB drive (hard disk or flash media) is installed to the Master server, Explorer stops responding for 10 minutes.

Remote access for file shares on servers still works. Sharepoint, Exchange and other services are unaffected. It is just the Explorer Windows on the local server console (Which is used for the Browse feature or File explorer /My Computer).

If you open the Disk Management before inserting the drive, you note that a volume comes up, then it all stalls and the disk is not allocated a drive letter for 10 minutes.

From a command prompt, if you try to move to that disk, it stalls. If you try a non-existent disk, it comes back “drive not found”. In this way I know I can navigate using CMD and switch between valid drive letters, just not to this new volume. It seems the drive has started allocating resources but it is not yet available for use.

If during this time you try and stop the Trend Agent – real-time scan service, it hangs whilst stopping until the 10 minutes is up.

If we halt that service first, USB drives go in and out as normal. If we do not halt it or it restarts, when inserting a drive, Explorer hangs again for 10 minutes.

After 10 minutes, the drive volume appears, Explorer responds and everything goes back to normal.

There are no events recorded in the EventLog 🙁


Real world test of Trend Worry Free Professional

I miss Microsoft ISA/TMG. I miss being able to report staff’s internet usage, solve bottlenecks, isolate PCs that have downloaded malware and all the other general IT admin things that go with this.
Along comes Trend Worry Free Professional which allows you to set up your browser to use the external proxy in Trend Micro’s Amazon cloud.

You can set up LDAP integration with your AD and then, after the staff have used it, do reports on their activity.

This all sounds really nice.

So what are the real world issues with this product?

  • Using it from South Australia and using Proxy servers on the eastern side of Australia, my latency is huge. It adds 30 ms. A slow ADSL2+ connection feels this badly. All my pages are delayed and slow coming up. The experience over fibre or in the eastern states is far less exaggerated.
  • I keep getting certificate popups. I get them for my email (especially using Office 365), and I get them for many of the HTTPS sites I use.
  • The proxy settings are easy to tamper with. Unless you lock IE settings down or force the settings via Group policy, users can bypass the proxy.
  • I have a few websites that “sometimes work”. One happens to be my webmail. The experience is very hit and miss with the proxy turned on.
  • The built in reports are very basic. They don’t give me enough detail.

OK, this all sounds really bad. Yes, there are some teething issues and the latency is killing me, so why do I love this product?

  • It filters all my outbound web traffic and removes Malware and viruses instantly as discovered.
  • I can dump the raw logs into Excel and do my own reports.
  • I can have external roaming users logged into this no matter where they are in the world.
  • I have control of what happens on the network.

So if you have Fibre, are in the eastern states or have a client with very little expectations (maybe they are not a big internet user) then this is an awesome tool.

If you are a geek like me, you have to work out if the tool makes your habits safer and live with it, or forge ahead as the speed annoyed you and run other protection.

Don’t forget, this is only version 1, future advancements will help.


Trend Micro Worry Free 9 attachment blocking

We have just upgraded a client to TMWF9 (another one in a long list of clients to upgrade). In the product’s previous configuration, attachment blocking was turned on.
Exceptions were set to allow most Microsoft Office documents in. This included Word Doc and Docx format.

After the upgrade, the attachment policy is still the same. The Doc and Docx files are allowed through; however, they are not getting through.

They are being replaced with the text file saying that the attachment was removed due to policy.

We have tried turning the Attachment blocking on / off and turning the exception for Word on and off.

 

We have a case open with Trend. The only work around presently is to disable attachment blocking.

NOTE: Be aware. If Attachment blocking is on, Scanmail stomps around in your email store removing all attachments that match. Even if the attachments were placed into your mailbox years ago. It is not just an attachment blocker but also a remover of existing attachments. Don’t play with attachment blocking until you understand this.


Trend Micro Worry Free 9 TMproxy32.dll crash in IE9

After a Trend Micro Worry Free 9 upgrade from Trend Micro Worry Free 8, we now see a client with a crash in TmProxy32.dll.

It crashes out the browser and renders it useless.

I am currently working with Trend Support looking for a solution.

We have 2 workarounds at the moment.

  • Use the Internet Explorer 64 bit – Which leaves you safe and protected
  • Use the Internet Explorer 32 bit but, under the add-ons, disable the TmIEPlugInBHO Class (Version 5.82.0.1081) – Which does not leave you safe and protected.

We have so far found one sure fire way to create the crash.

Windows 2008 R2 64bit enterprise server in Remote Desktop hosting mode using IE9 32bit browser and clicking the second tab with the default IE multi-tab setting set to show new tab (Under Tools – internet options – General Tab and then select the tab behaviour to a new page).

Open IE, let the default page come up then click the second tab and click a most popular site (As listed by IE9).

 

The error comes up as:

Internet Explorer has stopped working

  • Windows can check online for a solution and close the program
  • Close the program
  • Debug the program

Faulting application name: iexplore.exe, version: 9.0.8112.16490, time stamp: 0x51955cca
Faulting module name: TmProxy32.dll, version: 5.82.0.1081, time stamp: 0x52df52ed
Exception code: 0xc000000d
Fault offset: 0x0001e452
Faulting process id: 0x6438
Faulting application start time: 0x01cf7975ee091613
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy32.dll
Report Id: b9113ce2-e569-11e3-9b0b-e839352523ea

 

 

The event log shows

 

Log Name:     Application
Source:       Application Error
Date:         27/05/2014 4:10:00 PM
Event ID:     1000
Task Category: (100)
Level:         Error
Keywords:     Classic
User:         N/A
Computer:     ADLTS02.jhg.local
Description:
Faulting application name: iexplore.exe, version: 9.0.8112.16490, time stamp: 0x51955cca
Faulting module name: TmProxy32.dll, version: 5.82.0.1081, time stamp: 0x52df52ed
Exception code: 0xc000000d
Fault offset: 0x0001e452
Faulting process id: 0x6438
Faulting application start time: 0x01cf7975ee091613
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy32.dll
Report Id: b9113ce2-e569-11e3-9b0b-e839352523ea

 

The Windows Error Reporting log contains:

 

Version=1
EventType=BEX
EventTime=130456429019247176
ReportType=2
Consent=1
ReportIdentifier=937c35e3-e561-11e3-a983-441ea13d400a
IntegratorReportIdentifier=937c35e2-e561-11e3-a983-441ea13d400a
WOW64=1
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=iexplore.exe
Sig[1].Name=Application Version
Sig[1].Value=9.0.8112.16490
Sig[2].Name=Application Timestamp
Sig[2].Value=51955cca
Sig[3].Name=Fault Module Name
Sig[3].Value=TmProxy32.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=5.82.0.1081
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=52df52ed
Sig[6].Name=Exception Offset
Sig[6].Value=0001e452
Sig[7].Name=Exception Code
Sig[7].Value=c000000d
Sig[8].Name=Exception Data
Sig[8].Value=00000000
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7601.2.1.0.18.10
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=3081
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=cb1a
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=cb1a56b584ba5e1bcbdf4857a81c9eeb
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=2892
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=2892bce1c4b270ff21520e12f4242258
UI[2]=C:\Program Files (x86)\Internet Explorer\iexplore.exe
UI[3]=Internet Explorer has stopped working
UI[4]=Windows can check online for a solution to the problem.
UI[5]=Check online for a solution and close the program
UI[6]=Check online for a solution later and close the program
UI[7]=Close the program

FriendlyEventName=Stopped working
ConsentKey=BEX
AppName=Internet Explorer
AppPath=C:\Program Files (x86)\Internet Explorer\iexplore.exe
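
Crash data like this can be triaged mechanically. The following is an added example, not part of the original post or of any Trend Micro or Microsoft tooling: it parses the key=value report layout used by the Windows Error Reporting log, pairs up the Sig[n] fields, and lists modules loaded from outside the Windows and application folders, which is where add-on DLLs such as TmProxy32.dll show up. The function names and the abridged sample report are constructed for illustration, and the C:\Windows system root is an assumption.

```python
import re
from datetime import datetime, timezone
from ntpath import basename, dirname  # Windows path rules on any OS
# Constructed, abridged report in Report.wer key=value layout, using values from the post.
SAMPLE_WER = r"""EventType=BEX
Sig[0].Name=Application Name
Sig[0].Value=iexplore.exe
Sig[3].Name=Fault Module Name
Sig[3].Value=TmProxy32.dll
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=52df52ed
Sig[7].Name=Exception Code
Sig[7].Value=c000000d
LoadedModule[0]=C:\Program Files (x86)\Internet Explorer\iexplore.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[54]=C:\Program Files (x86)\Trend Micro\Security Agent\TmIEPlg32.dll
LoadedModule[55]=C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy32.dll
AppPath=C:\Program Files (x86)\Internet Explorer\iexplore.exe
"""

def parse_wer(text):
    """Split a report into plain keys, named signature fields and loaded modules."""
    plain, names, values, modules = {}, {}, {}, []
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        sig = re.fullmatch(r"((?:Dynamic)?Sig\[\d+\])\.(Name|Value)", key)
        if sig:  # Sig[n].Name and Sig[n].Value arrive as separate lines
            (names if sig.group(2) == "Name" else values)[sig.group(1)] = val
        elif key.startswith("LoadedModule["):
            modules.append(val)
        elif sep:
            plain[key] = val
    return plain, {names[i]: values.get(i, "") for i in names}, modules

def triage(text, system_root="c:\\windows\\"):  # system_root is an assumed default
    """Locate the faulting module and list DLLs loaded from outside Windows and the app folder."""
    plain, sig, modules = parse_wer(text)
    app_dir = dirname(plain["AppPath"]).lower()
    foreign = [m for m in modules
               if not m.lower().startswith(system_root) and dirname(m).lower() != app_dir]
    fault = sig["Fault Module Name"].lower()
    built = datetime.fromtimestamp(int(sig["Fault Module Timestamp"], 16), timezone.utc)
    return {
        "event_type": plain["EventType"],
        "exception_code": "0x" + sig["Exception Code"],
        "fault_module_path": next((m for m in foreign if basename(m).lower() == fault), None),
        "fault_module_built": built.date().isoformat(),  # PE link timestamp, UTC
        "foreign_modules": [basename(m) for m in foreign],
    }
```

Report.wer files on disk are typically UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to `triage`.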

 
