Windows Server crashes and is unable to boot with smss.exe hooked by Deep Security Agent (DSA) tmumh (TmUmEvt64.dll)

    • Updated: 26 Aug 2020
    • Product/Version: Deep Security All

Summary

Windows Server encounters a BSOD/crash and is unable to boot because smss.exe is hooked by DSA tmumh (TmUmEvt64.dll).

The issue originally occurred on Deep Security 11.0.0.871.

  • The crash happens when the Windows system process smss.exe tries to load the Trend Micro module:

    C:\Windows\system32\tmumh\20019\AddOn\7.30.0.1113\TmUmEvt64.dll

    The system reports that TmUmEvt64.dll has an invalid image format, which results in the BSOD/crash.

    TmUmEvt64.dll is a binary file that belongs to the AMSP UMH module. When user-mode hooking is enabled, UMH injects this DLL into user-mode processes that have not been excluded from UMH.

  • The critical process smss.exe should have been excluded from UMH, but the exclusion failed, which resulted in the BSOD/crash. Because smss.exe is a critical system process, we bypass it using our pattern whitelist settings. In the BSOD dump, however, the whitelist tag for smss.exe is marked as deserted. (The tag contains a complex encoded data structure tree link that would take a significant amount of time to decode.)

Details

To resolve this issue, upgrade the current DSA 11 installation to DSA 11 U21 or above. Note that the fix is also applied in DS 12.0 U10 and the current DS 20.0.

Category: Troubleshoot
Solution Id: 000265136