Application Problem

To isolate the problem:

While the UMH module is enabled, execute the program to try to reproduce the problem. Refer to the following KB to make sure UMH is enabled: Enabling/Disabling User-Mode Hooking (UMH) in OfficeScan (OSCE).

If the problem can be reproduced by enabling UMH, and resolved by disabling UMH, it is a UMH-related problem.

After UMH status changes (enabled/disabled), terminate the process, and then restart the process again.

When the problem has been reproduced, confirm whether the process of this application is running or not. Process Explorer can assist to check and confirm this.

If the application's process is still running while the problem is being reproduced, collect the UMH debug logs. Below are the reference KBs:

If the application's process is not running while the problem is being reproduced, collect the application crash log for the UMH module. Refer to the following KB: Collecting logs for the User-Mode Hooking (UMH) module for an application crash issue.

Provide the execution file of the application's process to Trend Micro Technical Support, if possible.

Provide an installer of this application to Trend Micro Technical Support, if possible.

System Problem

For system hang:

Log in using Safe Mode. Refer to Step 1 of the following KB: Collecting logs for the User-Mode Hooking (UMH) module for a system crash issue.

Navigate to "%windir%\system32\drivers\":

Rename "TMUMH.sys" to "TMUMH.sys.bak"
Create a folder in the same place. The folder's name is "TMUMH.sys".

Reboot the system to normal mode to reproduce the problem.

If the problem fails to reproduce, it is a UMH-related problem.

For the system hang problem, refer to the following KB: Collecting logs for the User-Mode Hooking (UMH) module for a system hang issue

Rollback the changes to "%windir%\system32\drivers\" to reproduce the problem.
1. Remove the "TMUMH.sys" folder.
2. Rename "TMUMH.sys.bak" back to "TMUMH.sys".
3. Reboot the system to normal mode to reproduce the problem.
For a system crash problem, refer to the following KB: Collecting logs for the User-Mode Hooking (UMH) module for a system crash issue

Rollback the changes to "%windir%\system32\drivers\" to reproduce the problem.
1. Remove the "TMUMH.sys" folder.
2. Rename "TMUMH.sys.bak" back to "TMUMH.sys".
3. Reboot the system to normal mode to reproduce the problem.

Isolating the problem for the User-Mode Hooking (UMH) module in OfficeScan (OSCE)

Product / Version includes:

OfficeScanXG , OfficeScan11.0

Last updated: 2021/08/28

Solution ID: KA-0006941

Category: Troubleshoot

Summary

The OSCE agent may cause an issue with an application/system, such as:

Application hang
Application working abnormally
Application crash
System hang
System crash

The problem can be resolved by unloading or uninstalling the OSCE agent. This article focuses on how to isolate the problem for the UMH module and collect corresponding logs for UMH under different scenarios.

UMH is an engine in OSCE that supports the enhanced ransomware solution. It is installed in the Common Client Solution Framework (CCSF) service as a module. It provides API events for other modules, such as Behavior Monitoring, Predictive Machine Learning, etc. Those modules will make decisions according to the provided API events from UMH.

Below is the installation path for UMH in OSCE:

<OfficeScan Agent Installation Path>\CCSF\MODULE\20019\

UMH has been involved since OfficeScan 11.0 Service Pack 1 Critical Patch 6054 (Ransomware CP) and OfficeScan XG.

Application Problem

To isolate the problem:

While the UMH module is enabled, execute the program to try to reproduce the problem. Refer to the following KB to make sure UMH is enabled: Enabling/Disabling User-Mode Hooking (UMH) in OfficeScan (OSCE).
If the problem can be reproduced by enabling UMH, and resolved by disabling UMH, it is a UMH-related problem.

After UMH status changes (enabled/disabled), terminate the process, and then restart the process again.
When the problem has been reproduced, confirm whether the process of this application is running or not. Process Explorer can assist to check and confirm this.
If the application's process is still running while the problem is being reproduced, collect the UMH debug logs. Below are the reference KBs:
- Collecting the User-Mode Hooking (UMH) module's service and driver logs in OfficeScan (OSCE)
- Collecting logs for the User-Mode Hooking (UMH) module for an application hang issue
If the application's process is not running while the problem is being reproduced, collect the application crash log for the UMH module. Refer to the following KB: Collecting logs for the User-Mode Hooking (UMH) module for an application crash issue.
Provide the execution file of the application's process to Trend Micro Technical Support, if possible.
Provide an installer of this application to Trend Micro Technical Support, if possible.

System Problem

For system hang:

Log in using Safe Mode. Refer to Step 1 of the following KB: Collecting logs for the User-Mode Hooking (UMH) module for a system crash issue.
Navigate to "%windir%\system32\drivers\":
- Rename "TMUMH.sys" to "TMUMH.sys.bak"
- Create a folder in the same place. The folder's name is "TMUMH.sys".
Reboot the system to normal mode to reproduce the problem.
If the problem fails to reproduce, it is a UMH-related problem.
- For the system hang problem, refer to the following KB: Collecting logs for the User-Mode Hooking (UMH) module for a system hang issue
  
  Rollback the changes to "%windir%\system32\drivers\" to reproduce the problem.
  1. Remove the "TMUMH.sys" folder.
  2. Rename "TMUMH.sys.bak" back to "TMUMH.sys".
  3. Reboot the system to normal mode to reproduce the problem.
- For a system crash problem, refer to the following KB: Collecting logs for the User-Mode Hooking (UMH) module for a system crash issue
  
  Rollback the changes to "%windir%\system32\drivers\" to reproduce the problem.
  1. Remove the "TMUMH.sys" folder.
  2. Rename "TMUMH.sys.bak" back to "TMUMH.sys".
  3. Reboot the system to normal mode to reproduce the problem.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Isolating the problem for the User-Mode Hooking (UMH) module in OfficeScan (OSCE)

Application Problem

System Problem

Isolating the problem for the User-Mode Hooking (UMH) module in OfficeScan (OSCE)

Product / Version includes:

Summary

Application Problem

System Problem