
To resolve the interoperability issue, exclude the agent's AMSP process (coreServiceShell.exe), the Deep Security Agent process (dsa.exe) and the AMSP data folder from Sysmon logging. Add the following exclusions to the corresponding event sections of the Sysmon configuration:

<!-- Event ID 1 == Process Creation - Excludes -->
    <ParentImage condition="image">coreServiceShell.exe</ParentImage>
    <Image condition="image">dsa.exe</Image>
    <Image condition="image">coreServiceShell.exe</Image>

<!-- Event ID 2 == File Creation Time - Excludes -->
    <Image condition="image">coreServiceShell.exe</Image>
    <TargetFilename condition="contains">C:\ProgramData\Trend Micro\AMSP</TargetFilename>

<!-- Event ID 3 == Network Connection - Excludes -->
    <Image condition="image">coreServiceShell.exe</Image>
    <Image condition="image">dsa.exe</Image>

<!-- Event ID 10 == ProcessAccess - Excludes -->
    <SourceImage condition="image">coreServiceShell.exe</SourceImage>
    <SourceImage condition="image">dsa.exe</SourceImage>
    <SourceImage condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</SourceImage>

<!-- Event ID 11 == FileCreate - Excludes -->
    <Image condition="image">coreServiceShell.exe</Image>
    <TargetFilename condition="contains">C:\ProgramData\Trend Micro\AMSP</TargetFilename>
    <Image condition="image">dsa.exe</Image>

<!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed - Excludes -->
    <Image condition="image">dsa.exe</Image>
    <Image condition="image">coreServiceShell.exe</Image>

<!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected - Excludes -->
    <Image condition="image">coreServiceShell.exe</Image>

<!-- Event ID 22 == DNS Queries and their results - Excludes -->
    <Image condition="image">coreServiceShell.exe</Image>

<!-- Event ID 23 == File Delete and overwrite events (deleted file archived) - Excludes -->
    <Image condition="image">coreServiceShell.exe</Image>

<!-- Event ID 25 == Process tampering events - Excludes -->
    <Image condition="image">coreServiceShell.exe</Image>

<!-- Event ID 26 == FileDeleteDetected (file delete logged, not archived) - Excludes -->
    <Image condition="image">coreServiceShell.exe</Image>
    <TargetFilename condition="contains">C:\ProgramData\Trend Micro\AMSP</TargetFilename>

Reference configuration: https://github.com/deep-security/sysmon-config/blob/master/DSSysmonConfig.xml
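As an added example, not part of this article or of the reference configuration linked above, the fragments above assembled into a complete, loadable Sysmon configuration. Two things are tightened relative to the fragments. First, the fragments use condition="image", which Sysmon matches on the file name alone, so any binary named coreServiceShell.exe or dsa.exe dropped anywhere on disk would inherit the exclusion and become invisible to Sysmon; the example uses full-path condition="is" matches instead. Second, the folder exclusions use condition="begin with" rather than "contains", so only paths under the AMSP data folder are excluded. The AMSP path is the one this article gives; the dsa.exe path assumes the default Deep Security Agent install directory (adjust it if the agent was installed elsewhere), and schemaversion 4.90 assumes a current Sysmon 15.x (older Sysmon releases lack the ProcessTampering and FileDeleteDetected event types and reject the schema).

```xml
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>

    <!-- Event ID 1 == Process Creation. Full-path matches: a look-alike
         coreServiceShell.exe or dsa.exe elsewhere on disk is still logged. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <ParentImage condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</ParentImage>
        <Image condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</Image>
        <!-- assumed default Deep Security Agent install path -->
        <Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe</Image>
      </ProcessCreate>
    </RuleGroup>

    <!-- Event ID 2 == File Creation Time -->
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="exclude">
        <Image condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</Image>
        <TargetFilename condition="begin with">C:\ProgramData\Trend Micro\AMSP</TargetFilename>
      </FileCreateTime>
    </RuleGroup>

    <!-- Event ID 3 == Network Connection -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</Image>
        <Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe</Image>
      </NetworkConnect>
    </RuleGroup>

    <!-- Event ID 10 == ProcessAccess (AMSP and the agent open other processes
         as part of scanning; only their own source image is excluded) -->
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="exclude">
        <SourceImage condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</SourceImage>
        <SourceImage condition="is">C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe</SourceImage>
      </ProcessAccess>
    </RuleGroup>

    <!-- Event ID 11 == FileCreate -->
    <RuleGroup name="" groupRelation="or">
      <FileCreate onmatch="exclude">
        <Image condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</Image>
        <Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe</Image>
        <TargetFilename condition="begin with">C:\ProgramData\Trend Micro\AMSP</TargetFilename>
      </FileCreate>
    </RuleGroup>

    <!-- Event ID 12,13,14 == Registry object added/deleted, value set, object renamed -->
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="exclude">
        <Image condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</Image>
        <Image condition="is">C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe</Image>
      </RegistryEvent>
    </RuleGroup>

    <!-- Event ID 17,18 == Named pipe created / connected -->
    <RuleGroup name="" groupRelation="or">
      <PipeEvent onmatch="exclude">
        <Image condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</Image>
      </PipeEvent>
    </RuleGroup>

    <!-- Event ID 22 == DNS query -->
    <RuleGroup name="" groupRelation="or">
      <DnsQuery onmatch="exclude">
        <Image condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</Image>
      </DnsQuery>
    </RuleGroup>

    <!-- Event ID 23 == FileDelete (deleted file archived) -->
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="exclude">
        <Image condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</Image>
      </FileDelete>
    </RuleGroup>

    <!-- Event ID 25 == ProcessTampering -->
    <RuleGroup name="" groupRelation="or">
      <ProcessTampering onmatch="exclude">
        <Image condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</Image>
      </ProcessTampering>
    </RuleGroup>

    <!-- Event ID 26 == FileDeleteDetected (delete logged, file not archived) -->
    <RuleGroup name="" groupRelation="or">
      <FileDeleteDetected onmatch="exclude">
        <Image condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</Image>
        <TargetFilename condition="begin with">C:\ProgramData\Trend Micro\AMSP</TargetFilename>
      </FileDeleteDetected>
    </RuleGroup>

  </EventFiltering>
</Sysmon>
```

Every section above is an exclude-only rule group, so on its own this configuration logs every event of those types except the Trend Micro ones; merge the rule groups into the existing Sysmon configuration rather than deploying this file as-is. Load it from an elevated prompt with sysmon64.exe -c followed by the file name, and confirm what is active with sysmon64.exe -c on its own, which prints the running configuration. After the change, new Event ID 1 records in the Microsoft-Windows-Sysmon/Operational log should no longer carry coreServiceShell.exe or dsa.exe as Image; if they still do, compare the Image path in the event against the paths in the configuration, since a non-default install directory will not match the full-path rules.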

It is also suggested to add the following entries to the Process Image File exclusion list on the Deep Security side, so that the agent does not act on the Sysmon binaries:

  • ${windir}\sysmon64.exe
  • ${windir}\sysmon.exe