When you experience issues with the WFBS-SVC Security Agent, try to unload the security agent first.
If you still experience the issue after removing the Security Agent and rebooting your machine, then the Security Agent is not the cause of the issue.
Before starting with the isolation steps, you may want to create a test group to make sure the changes applied will be on specific endpoint/s only.
- On the Management Console, go to the Security Agents tab.
- From the Security Agents pane, click on the menu button and select New Group.
- Specify the following:
  - Name: Specify a name for the new group.
  - Source Settings: Import settings from the source group where you want to copy the settings from.
- Then, click Save.
- On the right pane, select the machine/s that will be used for isolation. Then drag them over to the new group.
Once isolation has been done on the single endpoint, you can double-check by expanding the change to other affected machines.
You will need to turn each service off one by one until the issue is gone. Note the setting, then turn the suspicious service back on and continue turning the other services off to confirm whether the issue persists. Because components can interact with each other, disabling different services could each resolve the issue. If any other service also corrects the issue, please note those as well.
After changing each service from the web console, do a manual update on the client, then test if the issue persists. It can take up to 10 minutes for the agent to receive the updated policy.
Test Group > Configure Policy > Scan Settings > Under Real-time Scan, toggle the slider to make sure the feature is OFF > click Save.
In order to verify if changes are cascaded on the security agent side, you may hover your mouse on the green icon from the rightmost corner of the security agent console.
If this action solves the issue, please enable this setting and do actions 2, 3, 8, 10 to confirm the problematic feature further.
Test Group > Configure Policy > Predictive Machine Learning > toggle the slider to make sure the feature is OFF > click Save.
In order to verify if changes are cascaded on the security agent side, you may hover your mouse on the green icon from the rightmost corner of the security agent console.
Test Group > Configure Policy > Behavior Monitoring > toggle the slider to make sure the feature is OFF > click Save.
In order to verify if changes are cascaded on the security agent side, you may hover your mouse on the green icon from the rightmost corner of the security agent console.
If this action solves the issue, please enable this setting and do actions 2, 7, 8, 10 to confirm the problematic feature further.
Test Group > Configure Policy > Web Reputation > toggle the slider to make sure the feature is OFF > click Save.
In order to verify if changes are cascaded on the security agent side, you may hover your mouse on the green icon from the rightmost corner of the security agent console.
If this action solves the issue, please enable this setting and do actions 5, 11 to confirm the problematic feature further.
Test Group > Configure Policy > URL Filtering > toggle the slider to make sure the feature is OFF > click Save.
In order to verify if changes are cascaded on the security agent side, you may hover your mouse on the green icon from the rightmost corner of the security agent console.
Test Group > Configure Policy > Firewall > toggle the slider to make sure the feature is OFF > click Save.
In order to verify if changes are cascaded on the security agent side, you may hover your mouse on the green icon from the rightmost corner of the security agent console.
- Access Document Control:
  Test Group > Configure Policy > Behavior Monitoring > untick Protect documents against unauthorized encryption and modification > Click Save
- Damage Recover Engine:
  Test Group > Configure Policy > Behavior Monitoring > untick Automatically back up and restore files changed by suspicious programs > Click Save
- Software Restricted Policy:
  Test Group > Configure Policy > Behavior Monitoring > untick Block processes commonly associated with ransomware > Click Save
Test Group > Configure Policy > Device Control > toggle the slider to make sure the feature is OFF > click Save.
In order to verify if changes are cascaded on the security agent side, you may hover your mouse on the green icon from the rightmost corner of the security agent console.
Test Group > Configure Policy > Data Loss Prevention > toggle the slider to make sure the feature is OFF > click Save.
In order to verify if changes are cascaded on the security agent side, you may hover your mouse on the green icon from the rightmost corner of the security agent console.
Once isolation is complete, the results, along with the output from the Case Diagnostic Tool while reproducing the issue, should be provided to Trend Micro Technical Support through a support case.