
When you experience issues with the WFBS Security Agent, try unloading the Agent first:

  1. Right-click the Trend Micro system-tray icon on the taskbar.
  2. Exit Worry-Free Business Security.

If the issue persists, uninstall the Agent and reboot the computer. If you still experience the issue after removing the Agent and rebooting your machine, then the Security Agent is not the cause of the issue.

If unloading the Agent does not resolve the issue, but uninstalling it does, send a report to Trend Micro Technical Support.

 

If the issue disappears after unloading the Agent, perform the tests outlined below to isolate the module that is causing it:

Add a separate group to be used for feature isolation.

  1. On the Management Console, go to the Devices tab.
  2. On the left pane, click on Add Group.
  3. Specify the following:
    • Group Type: Select the type of group, either desktops or servers
    • Name: Specify a name for the test group
    • Settings: Import settings from the group that was affected by the issue
  4. Click Save.
  5. On the right pane, select the machine(s) to be used for isolation, then drag them over to the new group.

    Add Group


Once isolation has been done on the single endpoint, you can double-check by expanding the change to other affected machines.

Turn each service off one by one until the issue is gone. Note the setting, then turn the suspect service back on and continue turning the other services off to confirm whether the issue persists. Because components can interact with each other, disabling a different service may also resolve the issue. If any other service also corrects the issue, note it as well.

After changing each service from the web console, perform a manual update on the client, then test whether the issue persists. It can take up to 10 minutes for the agent to receive the updated policy.

 
If any step resolves the issue, do NOT proceed to the next step until the issue is reproducible again.
 

Test Group > Configure Policy > Antivirus/Anti-spyware > toggle off Enable real-time Antivirus/Anti-spyware > click Save

VSAPI


To verify if the Real-Time Scan is disabled, hover your mouse on the small green icon of the agent console:

Agent Console


If this action solves the issue, please enable this setting and do actions 2, 3, 8, 10 to confirm the problematic feature further.

Test Group > Configure Policy > Predictive Machine Learning > toggle off Enable Predictive Machine Learning > click Save.

Predictive Machine Learning


To verify if the Predictive Machine Learning is disabled, hover your mouse on the small green icon of the agent console:

Agent Console


Test Group > Configure Policy > Behavior Monitoring > toggle off "Enable Behavior Monitoring" > click Save.

Behavior Monitoring


To verify if the Behavior Monitoring is disabled, hover your mouse on the small green icon of the agent console:

Agent Console


If this action solves the issue, please enable this setting and do actions 2, 7, 8, 9 to confirm the problematic feature further.

Test Group > Configure Policy > Web Reputation > toggle off Enable Web Reputation > click Save.

Web Reputation Service


To verify if the Web Reputation is disabled, hover your mouse on the small green icon of the agent console:

Agent Console


 
If Web Reputation is still enabled after making changes on the web console, check the location of the agent. It might be set to Out of Office.
 

If this action solves the issue, please enable this setting and do actions 5, 11 to confirm the problematic feature further.

Test Group > Configure Policy > URL Filtering > toggle off Enable URL Filtering > click Save.

URL Filtering


 

To verify if the URL Filtering is disabled, hover your mouse on the small green icon of the agent console:

Agent Console


 

Test Group > Configure Policy > Firewall > toggle off Enable Firewall > click Save.

Firewall


 
If the Firewall is still enabled after making changes on the web console, check the location of the agent. It might be set to Out of Office.
 

When Advanced mode is enabled, you may try to lower the security level first or disable "Enable Intrusion Detection System" to further isolate the cause of the issue.

Firewall Level


To verify if the Firewall is disabled, hover your mouse on the small green icon of the agent console:


  • Access Document Control (ADC)
    Test Group > Configure Policy > Behavior Monitoring > untick "Enable document protection against unauthorized encryption or modification" > click Save.
  • Damage Recover Engine (DRE)
    Test Group > Configure Policy > Behavior Monitoring > untick "Auto backup files changed by suspicious programs" > click Save.
  • Software Restricted Policy (SRP)
    Test Group > Configure Policy > Behavior Monitoring > untick "Enable blocking of processes commonly associated with ransomware" > click Save.
 
If disabling the sub-modules above resolves the issue, you may re-enable them one-by-one and check which one of them will cause the issue. Please take note of the sub-module.
 

Ransomware

To verify that the sub-modules are disabled, check the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS]
EnableAdc=0
EnableDre=0
EnableSRP=0
 
Not applicable to server type group.
 

Test Group > Configure Policy > Behavior Monitoring > Untick Enable program inspection to detect and block compromised executable files > click Save.

User-Mode Hooking

Verify that the TMUMH service has stopped by running the command "sc query tmumh" from an admin command line. If the service is still running, stop it by running "sc stop tmumh". If the process is actively hooked, this may fail and a system restart will be required.

 
Not applicable to server type group.
 

Test Group > Configure Policy > Behavior Monitoring > untick Prompt users before executing newly encountered programs downloaded through HTTP or email applications > click Save.

Meerkat

To verify that Meerkat is disabled, check the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS]
EnableMeerkatDetection=0

Test Group > Configure Policy > Antivirus/Anti-spyware > Advanced Settings > untick Quarantine malware variants detected in memory > click Save.

Ravage Scan

To verify that Ravage Scan is disabled, check the following registry key:

[HKEY_LOCAL_MACHINE\Software\Wow6432node\Trend Micro\PC-cillinNTCorp\CurrentVersion\RealTimeScan Configuration]
RavageScanMemory=0

Test Group > Configure Policy > Web Reputation > Browser Exploit Prevention > untick Block pages containing malicious script > click Save.

Browser Exploit Prevention

To verify that BEP is disabled, check the following registry key:

[HKEY_LOCAL_MACHINE\Software\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\URL Filtering]
EnableBES=0
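
The registry and service checks described above (the ADC, DRE and SRP sub-modules, Meerkat, Ravage Scan, BEP and the TMUMH service) can be read in one pass on the test endpoint. The following PowerShell is an added example, not Trend Micro tooling: it is read-only, uses the key paths and value names exactly as printed in this article, and assumes the service name `tmumh` from the "sc stop tmumh" command.

```powershell
# Added example: read-only verification of the values this article lists.
# Key paths and value names are copied as printed on the page; nothing is modified.
$aegis = 'HKLM:\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS'
$rts   = 'HKLM:\Software\Wow6432node\Trend Micro\PC-cillinNTCorp\CurrentVersion\RealTimeScan Configuration'
$url   = 'HKLM:\Software\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\URL Filtering'

$checks = @(
    @{ Feature = 'Access Document Control (ADC)';    Path = $aegis; Name = 'EnableAdc' }
    @{ Feature = 'Damage Recover Engine (DRE)';      Path = $aegis; Name = 'EnableDre' }
    @{ Feature = 'Software Restricted Policy (SRP)'; Path = $aegis; Name = 'EnableSRP' }
    @{ Feature = 'Meerkat';                          Path = $aegis; Name = 'EnableMeerkatDetection' }
    @{ Feature = 'Ravage Scan';                      Path = $rts;   Name = 'RavageScanMemory' }
    @{ Feature = 'Browser Exploit Prevention (BEP)'; Path = $url;   Name = 'EnableBES' }
)

$report = foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) {
        # Key absent: policy not yet received, or the path differs on this build.
        $state = 'key not found'
    } else {
        $prop = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $state = 'value not present'
        } elseif ("$($prop.($c.Name))" -eq '0') {
            $state = 'disabled (0)'            # the state the article expects after the policy change
        } else {
            $state = "not disabled ($($prop.($c.Name)))"
        }
    }
    [pscustomobject]@{ Feature = $c.Feature; Check = $c.Name; State = $state }
}

# The article's "sc query tmumh" check, expressed with Get-Service.
$svc = Get-Service -Name 'tmumh' -ErrorAction SilentlyContinue
$svcState = if ($svc) { [string]$svc.Status } else { 'service not found' }
$report += [pscustomobject]@{ Feature = 'User-Mode Hooking (TMUMH)'; Check = 'service status'; State = $svcState }

$report | Format-Table -AutoSize
```

Running it again after the test group's settings are restored shows which values have left the disabled state, which is a quick way to confirm that no protection module was left off after isolation.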

Test Group > Configure Policy > Device Control > toggle off "Enable Device Control" > click Save.

Device Access Control


To verify if the Device Control is disabled, hover your mouse on the small green icon of the agent console:

Agent Console
