Obtain the following information:

  • The steps to replicate the issue
  • Frequency of the issue
  • Number of machines affected
  • Differences between affected and non-affected machines
  • Role of affected machine (e.g. gateway server, etc.)
  • Customer scenario
  • Any recent hardware or software changes
  • System information (winmsd or msinfo32)
  • System and application event log (from the Event Viewer)
  • Impact of the issue to the customer
  • Any VPN or firewall software installed
  • IP address(es) of the affected machine(s)
  • Registry dump of HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC (not applicable to CFW 1.2/1.25)
  • !PfwDump.txt file (run "TmPfw.exe dump"; not applicable to CFW 1.2/1.25)
  • If possible, VMware image of the affected machine that can be used to reproduce this issue
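
One way to gather the machine-side items from the list above into a single bundle, as an added example that is not Trend Micro's own tooling. It assumes PowerShell 4.0 or later on Windows Vista or later (for Get-FileHash and wevtutil); `$InstallDir`, `$OutRoot`, the output file names and the location of !PfwDump.txt are assumptions, and the log paths it copies are the ones named later on this page.

```powershell
# Added example, not vendor code. Run elevated on the affected machine.
param(
    # Assumption: product installation directory, supplied by the operator.
    [Parameter(Mandatory = $true)][string]$InstallDir,
    # Hypothetical output location for the support bundle.
    [string]$OutRoot = "$env:SystemDrive\nsc_support"
)
$out = Join-Path $OutRoot ("{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $out -Force | Out-Null

# System information (msinfo32 is a GUI program, so wait for the report to finish).
Start-Process msinfo32.exe -ArgumentList "/report `"$out\msinfo32.txt`"" -Wait

# System and application event logs (wevtutil assumes Windows Vista or later).
foreach ($log in 'System', 'Application') {
    & wevtutil.exe epl $log (Join-Path $out "$log.evtx")
}

# IP addresses of the machine and the NSC registry dump named in the list.
& ipconfig.exe /all | Set-Content (Join-Path $out 'ipconfig.txt')
& reg.exe export 'HKLM\SOFTWARE\TrendMicro\NSC' (Join-Path $out 'nsc.reg') | Out-Null

# Firewall dump: the page gives the command; where the file lands is an assumption.
$pfw = Join-Path $InstallDir 'TmPfw.exe'
if (Test-Path -LiteralPath $pfw) {
    Start-Process -FilePath $pfw -ArgumentList 'dump' -WorkingDirectory $InstallDir -Wait
}
$dump = Join-Path $InstallDir '!PfwDump.txt'
if (Test-Path -LiteralPath $dump) {
    Copy-Item -LiteralPath $dump -Destination $out
} else {
    Write-Warning '!PfwDump.txt not found in the installation directory'
}

# Log files named on this page; copy whichever exist.
$logs = "$env:WinDir\setupapi.log", 'C:\cfw_log.txt', 'C:\tdi_log.txt',
        'C:\tmpfw.log', 'C:\tmproxy.log'
$logs | Where-Object { Test-Path $_ } | Copy-Item -Destination $out

# Manifest with SHA-256 hashes so the recipient can verify the bundle is intact.
$files = Get-ChildItem $out -File   # enumerate before the manifest is created
$files | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } } |
    Export-Csv (Join-Path $out 'manifest.csv') -NoTypeInformation
Write-Output "Bundle written to $out"
```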

Blue Screen of Death (BSOD issues)

  1. Obtain complete memory dump (preferred) or kernel memory dump.
  2. If a conflict with a third party driver has been identified, obtain information on the third party software, the installation package and the license, if possible.
  3. If using a special OS version, obtain the relevant symbol files.

System hang issues

  1. Obtain information on CPU usage and the processes which use the most CPU.
  2. Generate the complete memory dump at the time of hang.
  3. If a conflict with a third party driver has been identified, obtain information on the third party software, the installation package and the license, if possible.

Performance issues

  1. Obtain accurate numbers to demonstrate that the performance goes down because of CFW/NSC.
  2. Generate the complete memory dump at the time when performance goes down, if possible.
  3. Obtain information for comparison of performance between starting the CFW/NSC service and stopping it.

Installation issues

  1. Enable the detailed driver installation log.
  2. Uninstall the product (OfficeScan or PC-cillin Internet Security).
  3. Restart the system.
  4. Collect system information using winmsd or msinfo32.
  5. Obtain the setupapi.log file in the %WinDir% directory.

IP stack corruption issues

  1. Enable the detailed driver installation log.
  2. Uninstall the product (OfficeScan or PC-cillin Internet Security).
  3. Restart the system.
  4. Use winmsd or msinfo32 to export system information and check if the IP stack is back.
  5. Install the product (OfficeScan or PC-cillin Internet Security).
  6. Restart the system.
  7. Use winmsd or msinfo32 to export system information and check if the IP stack is back.
  8. Obtain the setupapi.log file in the %WinDir% directory and the system information files.

Loss of all network connections (not applicable in CFW 1.2/1.25)

  1. Enable the tmcfw, tmpfw, tmtdi, and tmproxy logs.
  2. Run Wireshark to capture all network packets.
  3. Stop the Personal Firewall Service and check if the issue persists.
  4. Disable tmcfw and check if the issue persists.
  5. Stop tmproxy and check if the issue persists.
  6. Disable tmtdi and check if the issue persists.
  7. Note down the step where the issue gets resolved.
  8. Collect all log files and the setupapi.log file in the %WinDir% directory.

Loss of network connection on a specific program or application (not applicable in CFW 1.2/1.25)

  1. Enable the tmcfw, tmpfw, tmtdi, and tmproxy logs.
  2. Run Wireshark to capture all network packets.
  3. Stop the Personal Firewall Service and check if the issue persists.
  4. Disable tmcfw and check if the issue persists.
  5. Stop tmproxy and check if the issue persists.
  6. Disable tmtdi and check if the issue persists.
  7. Note down the step where the issue gets resolved.
  8. Collect all log files and the setupapi.log file in the %WinDir% directory.
  9. Obtain information on the affected program (e.g. program name, version, network protocol used, ports used, etc.)

Memory leak issues

  1. Obtain complete memory dump (preferred) or kernel memory dump.
  2. Obtain the poolmon.log.

Changing the memory dump type to "Complete memory dump"

  1. Go to Control Panel > System.
  2. On the Advanced tab, under Startup and Recovery, click Settings.
  3. Under "Write debugging information", select "Complete Memory Dump".

Manually generating the memory dump file

Refer to the following Microsoft KB article: Windows feature lets you generate a memory dump file by using the keyboard

Getting system information files

Run "winmsd" or "msinfo32".

Getting the poolmon.log

  1. Use Gflags.exe to enable pool tagging in Windows XP (restart required).
  2. Run "poolmon" to get the poolmon log.

Enabling the CFW 1.2/1.25 log

  1. Set the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CFW
    Value: DebugCtrl (REG_DWORD)
    Data: 0x111
  2. Restart the system.
  3. Collect the C:\cfw_log.txt file.

Enabling the NSC log

TmCFW log:

  1. Set the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcfw\Parameters
    Value: DebugCtrl (REG_DWORD)
    Data: 0xffffffff
  2. Restart the system.
  3. Collect the C:\cfw_log.txt file.

TmTDI log:

  1. Set the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmtdi\Parameters
    Value: Debug (REG_DWORD)
    Data: 1
  2. Restart the system.
  3. Collect the C:\tdi_log.txt file.

TmPfw log:

  1. Open the TmPfw.ini file in the product installation directory.
  2. Add the following section:

    [debug]
    debug_on=yes
    debug_level=90
    log_path=c:\tmpfw.log
  3. Restart the Personal Firewall Service.
  4. Collect the C:\tmpfw.log file.

TmProxy log:

  1. Open the TmProxy.ini file in the product installation directory.
  2. Add the following section:

    [debug]
    debug_on=yes
    debug_level=90
    log_path=c:\tmproxy.log
  3. Restart the Proxy Service.
  4. Collect the C:\tmproxy.log file.
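
The four NSC log switches above applied in one pass, as an added example that is not Trend Micro's own tooling. It records the previous registry values and keeps a copy of each INI file so the debug settings can be reverted once the logs are collected; `$InstallDir`, `$StateDir` and the backup file names are hypothetical.

```powershell
# Added example, not vendor code. Run elevated; restart the system afterwards.
param(
    # Assumption: product installation directory, supplied by the operator.
    [Parameter(Mandatory = $true)][string]$InstallDir,
    # Hypothetical location for the record of previous settings.
    [string]$StateDir = "$env:SystemDrive\nsc_debug_state"
)
New-Item -ItemType Directory -Path $StateDir -Force | Out-Null

# Driver log switches: keys, value names and data exactly as given on the page.
$svc = 'HKLM\SYSTEM\CurrentControlSet\Services'
$regSettings = @(
    @{ Key = "$svc\tmcfw\Parameters"; Name = 'DebugCtrl'; Data = '0xffffffff' },
    @{ Key = "$svc\tmtdi\Parameters"; Name = 'Debug';     Data = '1' }
)
foreach ($s in $regSettings) {
    # Record the previous value (or its absence) so the change can be reverted.
    $prev = & reg.exe query $s.Key /v $s.Name 2>$null
    if ($LASTEXITCODE -ne 0) { $prev = "$($s.Key)\$($s.Name): not set" }
    $prev | Add-Content -Path (Join-Path $StateDir 'registry_before.txt')
    & reg.exe add $s.Key /v $s.Name /t REG_DWORD /d $s.Data /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to set $($s.Name) under $($s.Key)" }
}

# Service log switches: the [debug] section from the page, one log path per file.
$iniSettings = @{ 'TmPfw.ini' = 'c:\tmpfw.log'; 'TmProxy.ini' = 'c:\tmproxy.log' }
foreach ($name in $iniSettings.Keys) {
    $ini = Join-Path $InstallDir $name
    if (-not (Test-Path -LiteralPath $ini)) {
        Write-Warning "$ini not found; skipped"
        continue
    }
    if (Select-String -LiteralPath $ini -Pattern '^\s*\[debug\]' -Quiet) {
        Write-Warning "$ini already has a [debug] section; review it by hand"
        continue
    }
    # Keep an untouched copy of the original file before appending.
    Copy-Item -LiteralPath $ini -Destination (Join-Path $StateDir "$name.bak") -Force
    Add-Content -LiteralPath $ini -Value @('', '[debug]', 'debug_on=yes',
        'debug_level=90', "log_path=$($iniSettings[$name])")
}
Write-Output 'Logging enabled. Restart the system, reproduce the issue, then collect the logs.'
```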

Enabling detailed driver installation log

  1. Open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup registry subkey.
  2. If the LogLevel entry does not exist, create the following:

    Value: LogLevel (REG_DWORD)
    Data: 0x0000ffff
  3. Collect the %WinDir%\setupapi.log file.

Starting or stopping the NSC service (not applicable in CFW 1.2/1.25)

Personal Firewall Service:

Stop command: net stop tmpfw
Start command: net start tmpfw

Proxy Service:

Stop command: net stop tmproxy
Start command: net start tmproxy

Enabling or disabling the NSC drivers

Disable:

  1. Set the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcfw\Parameters
    Value: ActionCtrl (REG_DWORD)
    Data: 1
  2. Restart the system.

Enable:

  1. Delete the ActionCtrl value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcfw\Parameters key.
  2. Restart the system.