Upgrade to Trend Micro Worry Free 9 causes 10 minute stall when plugging in USB storage

On one of our installations, since installing TMWF9, whenever a USB drive (hard disk or flash media) is plugged into the Master server, Explorer stops responding for 10 minutes.

Remote access to file shares on the server still works. SharePoint, Exchange and other services are unaffected. It is only the Explorer windows on the local server console (used for the Browse feature, File Explorer and My Computer) that hang.

If you open Disk Management before inserting the drive, you see a volume appear, then everything stalls and the disk is not allocated a drive letter for 10 minutes.

From a command prompt, if you try to change to that disk, it stalls. If you try a non-existent disk, it comes back with “drive not found”. In this way I know I can navigate using CMD and switch between valid drive letters, just not this new volume. It seems the drive has started allocating resources but is not yet available for use.

If during this time you try to stop the Trend Agent real-time scan service, it hangs while stopping until the 10 minutes are up.

If we stop that service first, USB drives go in and out as normal. If we do not stop it, or it restarts, Explorer hangs again for 10 minutes when a drive is inserted.

After 10 minutes, the drive volume appears, Explorer responds and everything goes back to normal.

There are no events recorded in the Event Log :(


Cryptolocker (again, new and improved?)

UPDATE: Be sure to read the comments to this post. I am posting new information and updates as comments. There is a lot of information there.


Yes, again we see Cryptolocker. My client emailed me the following: “I received an email on Friday from Energy Australia that took me to a website and it asked me to run a program, but I could not open anything. I believe that email may have caused this issue, if that is of any help.”

This falls in line with other people's observations, e.g. http://blogs.appriver.com/Blog/bid/102814/New-CryptoLocker-Has-a-Walkabout


We have not yet worked out how this version works nor what files have been affected. Here is the text of the ransom note, reproduced as displayed:

!!! YOUR SYSTEM IS HACKED !!! All your files was encrypted with Cryptolocker!

This means that without the decryption key the recovery of your files is not possible, If your files have a value to you and you are willing to pay me for the decryption key please contact me: decrypt-request@mail.ua

You have 3 days to pay for my services. After this period, you will lose all your files.

Anti-virus software can remove Cryptolocker, but can not decrypt your fles. The only way to recover your files -is to pay for the decryption key.

Information for IT-specialist:

Data was encrypted with AES (Rijndael) algorithm with the session key length if 256 bits. Session key is encrypted with RSA (2048 bits) algorithm. Public-key is enclosed into Cryptolocker. Private-key for decryption of the session key is stored only in my database. To crack this key, you will need more than a million years time.

Here is a photo of the note (image not reproduced here).

This is the nasty email that began it all (image not reproduced here).



Real world test of Trend Worry Free Professional

I miss Microsoft ISA/TMG. I miss being able to report on staff's internet usage, solve bottlenecks, isolate PCs that have downloaded malware and do all the other general IT admin things that go with this.
Along comes Trend Worry Free Professional, which allows you to point your browser at an external proxy hosted in Trend Micro's Amazon cloud.

You can set up LDAP integration with your AD and then, after the staff have used it, run reports on their activity.

This all sounds really nice.

So what are the real world issues with this product?
  • Using it from South Australia with the proxy servers on the eastern side of Australia, my latency is huge. It adds 30 ms. A slow ADSL2+ connection feels this badly: all my pages are delayed and slow to come up. The effect over fibre or in the eastern states is far less pronounced.
  • I keep getting certificate popups. I get them for my email (especially using Office 365) and for many of the HTTPS sites I use.
  • The proxy settings are easy to tamper with. Unless you lock the IE settings down or force them via Group Policy, users can bypass the proxy.
  • I have a few websites that “sometimes work”. One happens to be my webmail. The experience is very hit and miss with the proxy turned on.
  • The built-in reports are very basic. They don't give me enough detail.

OK, this all sounds really bad. Yes, there are some teething issues and the latency is killing me, so why do I love this product?
  • It filters all my outbound web traffic and removes malware and viruses instantly as they are discovered.
  • I can dump the raw logs into Excel and do my own reports.
  • I can have external roaming users logged into this no matter where they are in the world.
  • I have control of what happens on the network.

So if you have fibre, are in the eastern states, or have a client with very low expectations (maybe they are not a big internet user), then this is an awesome tool.

If you are a geek like me, you have to work out whether the tool makes your habits safer and live with it, or forge ahead because the speed annoys you and run other protection instead.

Don't forget, this is only version 1; future advancements will help.


Trend Micro Worry Free 9 attachment blocking

We have just upgraded a client to TMWF9 (another one in a long list of clients to upgrade). In the product's previous configuration, attachment blocking was turned on.
Exceptions were set to allow most Microsoft Office documents in. This included the Word Doc and Docx formats.

After the upgrade, the attachment policy is still the same. Doc and Docx files are allowed through by the policy; however, they are not getting through.

They are being replaced with the text file saying that the attachment was removed due to policy.

We have tried turning the Attachment blocking on / off and turning the exception for Word on and off.


We have a case open with Trend. The only workaround at present is to disable attachment blocking.

NOTE: Be aware that if attachment blocking is on, ScanMail stomps around in your email store removing all attachments that match, even if the attachments were placed into your mailbox years ago. It is not just an attachment blocker but also a remover of existing attachments. Don't play with attachment blocking until you understand this.


Trend Micro Worry Free 9 TMproxy32.dll crash in IE9

After a Trend Micro Worry Free 9 upgrade from Trend Micro Worry Free 8, we now see a client with a crash in TmProxy32.dll.

It crashes out the browser and renders it useless.

I am currently working with Trend Support looking for a solution.

We have 2 workarounds at the moment.
  • Use the Internet Explorer 64-bit browser, which leaves you safe and protected.
  • Use the Internet Explorer 32-bit browser but, under the add-ons, disable the TmIEPlugInBHO Class (version 5.82.0.1081), which does not leave you safe and protected.

We have so far found one sure-fire way to reproduce the crash.

Windows 2008 R2 64-bit Enterprise server in Remote Desktop hosting mode, using the IE9 32-bit browser, with the default IE multi-tab setting set to show the new tab page (under Tools – Internet Options – General tab, set the tab behaviour to open a new page).

Open IE, let the default page come up, then click the second tab and click one of the most popular sites (as listed by IE9).


The error comes up as:


Internet Explorer has stopped working
  • Windows can check online for a solution and close the program
  • Close the program
  • Debug the program


Faulting application name: iexplore.exe, version: 9.0.8112.16490, time stamp: 0x51955cca
Faulting module name: TmProxy32.dll, version: 5.82.0.1081, time stamp: 0x52df52ed
Exception code: 0xc000000d
Fault offset: 0x0001e452
Faulting process id: 0x6438
Faulting application start time: 0x01cf7975ee091613
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy32.dll
Report Id: b9113ce2-e569-11e3-9b0b-e839352523ea


The event log shows:


Log Name:      Application
Source:        Application Error
Date:          27/05/2014 4:10:00 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ADLTS02.jhg.local
Description:
Faulting application name: iexplore.exe, version: 9.0.8112.16490, time stamp: 0x51955cca
Faulting module name: TmProxy32.dll, version: 5.82.0.1081, time stamp: 0x52df52ed
Exception code: 0xc000000d
Fault offset: 0x0001e452
Faulting process id: 0x6438
Faulting application start time: 0x01cf7975ee091613
Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Faulting module path: C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy32.dll
Report Id: b9113ce2-e569-11e3-9b0b-e839352523ea


The Windows Error Reporting log contains:


Version=1
EventType=BEX
EventTime=130456429019247176
ReportType=2
Consent=1
ReportIdentifier=937c35e3-e561-11e3-a983-441ea13d400a
IntegratorReportIdentifier=937c35e2-e561-11e3-a983-441ea13d400a
WOW64=1
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=iexplore.exe
Sig[1].Name=Application Version
Sig[1].Value=9.0.8112.16490
Sig[2].Name=Application Timestamp
Sig[2].Value=51955cca
Sig[3].Name=Fault Module Name
Sig[3].Value=TmProxy32.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=5.82.0.1081
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=52df52ed
Sig[6].Name=Exception Offset
Sig[6].Value=0001e452
Sig[7].Name=Exception Code
Sig[7].Value=c000000d
Sig[8].Name=Exception Data
Sig[8].Value=00000000
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7601.2.1.0.18.10
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=3081
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=cb1a
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=cb1a56b584ba5e1bcbdf4857a81c9eeb
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=2892
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=2892bce1c4b270ff21520e12f4242258
UI[2]=C:\Program Files (x86)\Internet Explorer\iexplore.exe
UI[3]=Internet Explorer has stopped working
UI[4]=Windows can check online for a solution to the problem.
UI[5]=Check online for a solution and close the program
UI[6]=Check online for a solution later and close the program
UI[7]=Close the program
LoadedModule[0]=C:\Program Files (x86)\Internet Explorer\iexplore.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
LoadedModule[4]=C:\Windows\syswow64\ADVAPI32.dll
LoadedModule[5]=C:\Windows\syswow64\msvcrt.dll
LoadedModule[6]=C:\Windows\SysWOW64\sechost.dll
LoadedModule[7]=C:\Windows\syswow64\RPCRT4.dll
LoadedModule[8]=C:\Windows\syswow64\SspiCli.dll
LoadedModule[9]=C:\Windows\syswow64\CRYPTBASE.dll
LoadedModule[10]=C:\Windows\syswow64\USER32.dll
LoadedModule[11]=C:\Windows\syswow64\GDI32.dll
LoadedModule[12]=C:\Windows\syswow64\LPK.dll
LoadedModule[13]=C:\Windows\syswow64\USP10.dll
LoadedModule[14]=C:\Windows\syswow64\SHLWAPI.dll
LoadedModule[15]=C:\Windows\syswow64\SHELL32.dll
LoadedModule[16]=C:\Windows\syswow64\ole32.dll
LoadedModule[17]=C:\Windows\syswow64\urlmon.dll
LoadedModule[18]=C:\Windows\syswow64\OLEAUT32.dll
LoadedModule[19]=C:\Windows\syswow64\iertutil.dll
LoadedModule[20]=C:\Windows\syswow64\WININET.dll
LoadedModule[21]=C:\Windows\syswow64\Normaliz.dll
LoadedModule[22]=C:\Windows\system32\IMM32.DLL
LoadedModule[23]=C:\Windows\syswow64\MSCTF.dll
LoadedModule[24]=C:\Windows\system32\IEFRAME.dll
LoadedModule[25]=C:\Windows\syswow64\PSAPI.DLL
LoadedModule[26]=C:\Windows\system32\OLEACC.dll
LoadedModule[27]=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
LoadedModule[28]=C:\Windows\syswow64\comdlg32.dll
LoadedModule[29]=C:\Program Files (x86)\Internet Explorer\IEShims.dll
LoadedModule[30]=C:\Windows\system32\Secur32.dll
LoadedModule[31]=C:\Windows\system32\profapi.dll
LoadedModule[32]=C:\Windows\syswow64\WS2_32.dll
LoadedModule[33]=C:\Windows\syswow64\NSI.dll
LoadedModule[34]=C:\Windows\system32\dnsapi.DLL
LoadedModule[35]=C:\Windows\system32\iphlpapi.DLL
LoadedModule[36]=C:\Windows\system32\WINNSI.DLL
LoadedModule[37]=C:\Windows\system32\RpcRtRemote.dll
LoadedModule[38]=C:\Windows\system32\MSHTML.dll
LoadedModule[39]=C:\Windows\system32\VERSION.dll
LoadedModule[40]=C:\Windows\system32\d2d1.dll
LoadedModule[41]=C:\Windows\system32\DWrite.dll
LoadedModule[42]=C:\Windows\system32\dxgi.dll
LoadedModule[43]=C:\Windows\system32\dwmapi.dll
LoadedModule[44]=C:\Windows\system32\CRYPTSP.dll
LoadedModule[45]=C:\Windows\syswow64\WINTRUST.dll
LoadedModule[46]=C:\Windows\syswow64\CRYPT32.dll
LoadedModule[47]=C:\Windows\syswow64\MSASN1.dll
LoadedModule[48]=C:\Windows\system32\d3d10_1.dll
LoadedModule[49]=C:\Windows\system32\d3d10_1core.dll
LoadedModule[50]=C:\Windows\system32\rsaenh.dll
LoadedModule[51]=C:\Windows\syswow64\CLBCatQ.DLL
LoadedModule[52]=C:\Program Files (x86)\Internet Explorer\ieproxy.dll
LoadedModule[53]=C:\Windows\system32\apphelp.dll
LoadedModule[54]=C:\Program Files (x86)\Trend Micro\Security Agent\TmIEPlg32.dll
LoadedModule[55]=C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy32.dll
FriendlyEventName=Stopped working
ConsentKey=BEX
AppName=Internet Explorer
AppPath=C:\Program Files (x86)\Internet Explorer\iexplore.exe
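To find other machines hitting this same crash, it helps to read the WER report fields programmatically rather than by eye. The following is an added example (not code from the post or from Trend Micro) that parses the key=value layout shown above and flags reports whose signature matches this TmProxy32.dll crash; the sample report is constructed from the fields above, and the hypothetical TMPROXY_SIGNATURE values are taken from this post.

```python
import re

# Constructed sample in the Report.wer key=value style quoted above (not a real capture).
SAMPLE_WER = r"""Version=1
EventType=BEX
WOW64=1
Sig[0].Name=Application Name
Sig[0].Value=iexplore.exe
Sig[1].Name=Application Version
Sig[1].Value=9.0.8112.16490
Sig[3].Name=Fault Module Name
Sig[3].Value=TmProxy32.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=5.82.0.1081
Sig[6].Name=Exception Offset
Sig[6].Value=0001e452
Sig[7].Name=Exception Code
Sig[7].Value=c000000d
LoadedModule[0]=C:\Program Files (x86)\Internet Explorer\iexplore.exe
LoadedModule[54]=C:\Program Files (x86)\Trend Micro\Security Agent\TmIEPlg32.dll
LoadedModule[55]=C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy32.dll
"""

def parse_wer(text):
    """Split a Report.wer body into (plain fields, signature name->value, loaded modules).
    Report.wer files on disk are typically UTF-16; decode before passing the text in."""
    fields, sig, modules, pending = {}, {}, [], {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = re.match(r"(Dynamic)?Sig\[(\d+)\]\.(Name|Value)$", key)
        if m:                                   # Sig[n].Name precedes Sig[n].Value
            idx = (m.group(1) or "") + m.group(2)
            if m.group(3) == "Name":
                pending[idx] = value
            else:
                sig[pending.get(idx, key)] = value
        elif key.startswith("LoadedModule["):
            modules.append(value)
        else:
            fields[key] = value
    return fields, sig, modules

def matches_tmproxy_crash(text):
    """True when the report carries the crash signature described in this post."""
    fields, sig, modules = parse_wer(text)
    return (fields.get("EventType") == "BEX"
            and sig.get("Fault Module Name", "").lower() == "tmproxy32.dll"
            and sig.get("Exception Code", "").lower() == "c000000d"
            and any(m.lower().endswith("tmieplg32.dll") for m in modules))
```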


Trend Micro Worry Free Professional proxy software is not talking with my AD

I am not sure if this is a widely known problem yet. This was a fresh install of TMWF9 followed by the Professional AD sync tools.

I selected my own custom port for Trend to query my AD (6443). (It uses an Apache service.)

It would not communicate. I ran up a fake IIS server on this port and it worked, so my firewall rules are OK.

I ran “Netstat -an” and noted that the Trend service was running on 0.0.0.0 port 6433. I need it on my server IP on port 6443.

I located and edited:
<drive letter>:\Program Files (x86)\Trend Micro\InterScan Web Security as a Service\AuthenticationAgent\Apache-20\conf

I changed the following

Listen 6443

(which listens on that port on every IP address the server has)

to the following (where 10.0.0.2 is my server's IP)

Listen 10.0.0.2:6443

All fixed.
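A quick way to confirm the fix is to compare what the Apache configuration says it will bind to with what netstat shows is actually listening. The following is an added example (not the post's or Trend Micro's code) that parses Listen directives and Windows `netstat -an` output and reports a wildcard (0.0.0.0) binding or a missing bind on the expected server address; the configuration snippets and netstat rows are constructed samples, and the 10.0.0.2 address is the one used in the post.

```python
import re

# Constructed samples (not captured from the post's server).
HTTPD_CONF_BEFORE = "Listen 6443\n"
HTTPD_CONF_AFTER = "# bind only to the server address\nListen 10.0.0.2:6443\n"
NETSTAT_BEFORE = """  TCP    0.0.0.0:6443           0.0.0.0:0              LISTENING
  TCP    10.0.0.2:445           0.0.0.0:0              LISTENING
"""
NETSTAT_AFTER = """  TCP    10.0.0.2:6443          0.0.0.0:0              LISTENING
"""

def listen_directives(conf):
    """Return (address, port) per Apache Listen line; address None means all interfaces."""
    out = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"Listen\s+(?:(\S+):)?(\d+)\s*$", line, re.I)
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out

def listening_sockets(netstat_output):
    """Map port -> set of local addresses for TCP LISTENING rows of `netstat -an`."""
    socks = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, port = parts[1].rsplit(":", 1)
            socks.setdefault(int(port), set()).add(addr)
    return socks

def check_binding(conf, netstat_output, expected_addr, port):
    """Return a list of problems; empty means the port is bound only where expected."""
    problems = []
    for addr, p in listen_directives(conf):
        if p == port and addr is None:
            problems.append(f"Listen {port} binds to all interfaces")
    bound = listening_sockets(netstat_output).get(port, set())
    if "0.0.0.0" in bound:
        problems.append(f"port {port} is listening on 0.0.0.0")
    if expected_addr not in bound:
        problems.append(f"port {port} is not listening on {expected_addr}")
    return problems
```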
