UMH is an engine in WFBS-SVC that supports the enhanced ransomware solution. It is installed as a module of the Common Client Solution Framework (CCSF) service and provides API events to other modules such as Behavior Monitoring and Predictive Machine Learning; those modules make their detection decisions based on the events UMH delivers.
UMH has been included in WFBS-SVC since version 6.1 and is installed under:
..\Trend Micro\Client Server Security Agent\CCSF\MODULE\20019\
To enable UMH:
- Log on to the WFBS-SVC console.
- Go to the Configure Policy page by performing one of the following:
- Classic Mode: Go to SECURITY AGENTS and select a group. Click the Menu icon (three vertical dots) > Configure Policy.
- Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
- Click on the Windows icon.
- Click Behavior Monitoring.
- Under Ransomware Protection, tick Enable program inspection to detect and block compromised executable files.
- Deploy the setting by clicking the Save button.
To verify the status of UMH in the WFBS-SVC Agent:
- Check the following in the WFBS-SVC Agent's registry:
- x86 platform:
[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS]
"EnableUMH"=dword:00000001
- x64 platform:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS]
"EnableUMH"=dword:00000001
- Check the UMH driver status in the command line:
> sc query tmumh
The STATE reported for tmumh should be RUNNING. (In a PowerShell prompt, type sc.exe rather than sc, because sc is a PowerShell alias for Set-Content.)
If the registry value or driver state has not changed yet, run Update Now on the WFBS-SVC Agent to force the UMH status to update.
To disable UMH, disable the features that depend directly on it:
- Log on to the WFBS-SVC console.
- Go to the Configure Policy page by performing one of the following:
- Classic Mode: Go to SECURITY AGENTS and select a group. Click the Menu icon (three vertical dots) > Configure Policy.
- Advanced Mode: Go to POLICIES > Policy Management. Click Add or click an existing policy.
- Click on the Windows icon.
- Click Behavior Monitoring.
- Under Ransomware Protection, untick Enable program inspection to detect and block compromised executable files.
- Deploy the setting by clicking the Save button.
- Go to Policies > Global Security Agent Settings.
- Disable HTTPS Web Threat Protection.
- Deploy the setting by clicking the Save button.
To verify that UMH has been disabled on the WFBS-SVC Agent:
- Check the following in the WFBS-SVC Agent's registry:
- x86 platform:
[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS]
"EnableUMH"=dword:00000000
- x64 platform:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS]
"EnableUMH"=dword:00000000
- Check the UMH driver status in the command line:
> sc query tmumh
Until the computer is rebooted, tmumh still reports a STATE of RUNNING. This is expected: the driver keeps running because it has already injected into processes that are still alive, so do not stop tmumh manually; keep it running until the reboot to avoid destabilizing those processes. Processes created after the setting is applied are no longer hooked by UMH. After the system is rebooted, the driver is stopped.
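The registry and driver checks from both verification procedures above (EnableUMH = 1 after enabling, EnableUMH = 0 after disabling), scripted in PowerShell as an added example. This is not part of the original article or Trend Micro's own tooling; the registry paths and the tmumh service name are taken from the article, while the Get-UmhStatus function and its -Expected parameter are this example's own.

```powershell
# Added example (not Trend Micro's own tooling): report the UMH state on a WFBS-SVC agent.
# Run in an elevated PowerShell prompt on the endpoint.
# Assumed names: Get-UmhStatus and -Expected are this example's own; the AEGIS key paths
# and the tmumh service name come from the article.

function Get-UmhStatus {
    [CmdletBinding()]
    param(
        # 1 after enabling program inspection in the policy, 0 after disabling it
        [ValidateSet(0, 1)]
        [int]$Expected = 1
    )

    # The agent is a 32-bit application, so on x64 Windows its keys live under WOW6432Node.
    # Check the native path first, then the WOW6432Node path, and use whichever exists.
    $keys = @(
        'HKLM:\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS',
        'HKLM:\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS'
    )
    $found = $keys | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $found) {
        throw 'AEGIS registry key not found; is the WFBS-SVC agent installed?'
    }

    $value = (Get-ItemProperty -Path $found -Name EnableUMH -ErrorAction SilentlyContinue).EnableUMH
    if ($null -eq $value) {
        throw "EnableUMH value is missing under $found"
    }

    # sc.exe (not the PowerShell alias sc, which is Set-Content) reports kernel drivers
    # as well as Win32 services; Get-Service does not list drivers.
    $scOutput = & sc.exe query tmumh 2>&1
    $stateLine = $scOutput | Where-Object { $_ -match '^\s*STATE\s*:' } | Select-Object -First 1
    $driverState = if ($stateLine) {
        # Line looks like "        STATE              : 4  RUNNING"; keep only the word.
        ([string]$stateLine -replace '^\s*STATE\s*:\s*\d+\s*', '').Trim()
    } else {
        'NOT_INSTALLED'
    }

    [pscustomobject]@{
        RegistryKey   = $found
        EnableUMH     = $value
        DriverState   = $driverState
        MatchesPolicy = ($value -eq $Expected)
    }
}

# Usage after enabling the policy and running Update Now on the agent:
#   Get-UmhStatus -Expected 1
# Expect EnableUMH = 1, DriverState = RUNNING, MatchesPolicy = True.
#
# Usage after disabling the policy, before the reboot:
#   Get-UmhStatus -Expected 0
# Expect EnableUMH = 0 and MatchesPolicy = True while DriverState is still RUNNING;
# DriverState changes to STOPPED only after the computer is rebooted.
```

MatchesPolicy compares only the registry value against the expected setting, because the driver state is deliberately left RUNNING until the reboot in the disable case; a script that treated RUNNING as a failure there would report a false alarm.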