Background
Trend Micro received some customer reports that there were multiple detections for msedge_200_percent.pak, a Microsoft Edge file, with the detection names of TROJ_FRS.VSNTE222 or TROJ_FR.654AC47C.
The msedge_200_percent.pak file can generally be found in the following directories (there may be others):
C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.32\
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\101.0.1210.32\ResiliencyLinks
Temporary Workaround (if pattern update does not work):
As a workaround solution, customers can temporarily exclude the location of the detected file on their Trend Micro product:
C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.32\*
C:\Users\*\AppData\Local\Microsoft\Edge\Application\101.0.1210.32\*
C:\Program Files\Microsoft\Edge\Application\101.0.1210.32\*
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\101.0.1210.32\*
C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.32\*
C:\Program Files (x86)\Microsoft\Edge Beta\Application\101.0.1210.31\*
Restoring Affected Registry Changes
Some customers reported registry changes as a result of the detection, depending on their endpoint cleaning configuration settings.
The following steps can be used on an endpoint to restore the changes made:
(Please note that the following instructions are for Trend Micro Apex One, but the steps are similar for other endpoint solutions.)
1. On the affected machine, open a command prompt with elevated administrator rights.
2. Navigate to the \Backup folder on the affected machine running Apex One agent (usually C:\Program Files (x86)\Trend Micro\Security Agent\Backup).
3. There should be a file named TSC_GENCLEAN_XXXX_XX_XX_XX_XX_XXX_XXX_XXX.DAT in the folder; take note of this name (the X characters represent date and time stamps, for example: TSC_GENCLEAN_2022_05_03_17_54_14_118_035.DAT).
4. Navigate back to the Agent folder (usually C:\Program Files (x86)\Trend Micro\Security Agent).
5. Run/execute the following command:
a. 64-bit machines: tsc64.exe -restore=.\backup\TSC_GENCLEAN_XXXX_XX_XX_XX_XX_XXX_XXX_XXX.DAT
b. 32-bit machines: tsc.exe -restore=.\backup\TSC_GENCLEAN_XXXX_XX_XX_XX_XX_XXX_XXX_XXX.DAT
(Note: replace the TSC_GENCLEAN_XXXX_XX_XX_XX_XX_XXX_XXX_XXX.DAT file in the command string with the name of the one you noted in step number 3)
Going through the steps above will restore the changes made when the agent's Damage Cleanup tool was executed.
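The manual steps above can also be run as a single-endpoint PowerShell script. This is an added example, not Trend Micro's reference script; it assumes the default agent path given above, and the parameter names AgentDir and BackupName are hypothetical.

```powershell
# Added example: automates steps 1-5 above on one endpoint (not Trend Micro's reference script).
# Assumption: default Apex One agent path from the page; parameter names are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AgentDir = 'C:\Program Files (x86)\Trend Micro\Security Agent',
    # Name of the backup noted in step 3. If omitted, exactly one backup must exist.
    [string]$BackupName
)

# Step 1: the restore needs elevated administrator rights.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated session.'
}

# Steps 2-3: locate the Damage Cleanup backup files in the Backup folder.
$backupDir  = Join-Path $AgentDir 'Backup'
$candidates = @(Get-ChildItem -Path $backupDir -Filter 'TSC_GENCLEAN_*.DAT' -File -ErrorAction Stop |
    Sort-Object LastWriteTime)
if ($BackupName) {
    $candidates = @($candidates | Where-Object Name -eq $BackupName)
}
if ($candidates.Count -ne 1) {
    # Refuse to guess: another backup in this folder may belong to an unrelated cleanup.
    $candidates | Format-Table Name, LastWriteTime | Out-String | Write-Host
    throw "Expected exactly one backup, found $($candidates.Count). Re-run with -BackupName."
}
$backup = $candidates[0]

# Step 5: choose the tool that matches the OS bitness.
$tool = if ([Environment]::Is64BitOperatingSystem) { 'tsc64.exe' } else { 'tsc.exe' }
$toolPath = Join-Path $AgentDir $tool
if (-not (Test-Path -LiteralPath $toolPath)) { throw "$tool not found in $AgentDir" }

# Step 4: run with the agent folder as working directory so .\backup\ resolves
# exactly as it does in the manual command.
if ($PSCmdlet.ShouldProcess($backup.Name, "$tool -restore")) {
    $proc = Start-Process -FilePath $toolPath -WorkingDirectory $AgentDir `
        -ArgumentList "-restore=.\backup\$($backup.Name)" -Wait -PassThru
    Write-Host "$tool exited with code $($proc.ExitCode) for $($backup.Name)"
}
```

Running it with -WhatIf shows which backup and tool would be used without performing the restore.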
Reference Script For Restoration
For Advanced Corporate Administrators
Trend Micro has created a reference script that advanced corporate administrators can use to deploy the restore procedure with the TSC tool above in a more automated fashion, using GPOs or similar enterprise-level scripting tools. Administrators who want to use this script as a batch file or by another method should first carefully review the script and test it in their environment before any widespread deployment.
The updated reference script can be downloaded from here. The password on the zip file is novirus.
Customers who are continuing to have issues are advised to contact their authorized Trend Micro representative for further assistance.