This article explains the "Protection At Risk" error that appears when upgrading Apex One agent machines.
The error appears on the agent machines when the main Apex One process ntrtscan.exe crashes.
This issue is related to the TmCCSF file being inconsistent with the current agent patch level. This can happen when the affected file was not properly upgraded during the agent patch installation pushed by the local server or update agent, due to a failed overwrite because the file may have been locked by some other processes.
Event Viewer Log
The System event viewer logs record the crash of ntrtscan.exe in relation to the issue at hand. Upon checking Services.msc, the ntrtscan is not running:
Log Name: Application Source: Application Error Event ID: 1000 Task Category: Application Crashing Events Level: Error Keywords: Classic User: N/A Description: Faulting application name: ntrtscan.exe, version: 14.0.0.2062, time stamp: 0x5e3934f0 Faulting module name: KERNELBASE.dll, version: 10.0.14393.1770, time stamp: 0x59bf2ba6 Exception code: 0xe06d7363 Fault offset: 0x0000000000033c58 Faulting process id: 0x28a4 Faulting application start time: 0x01d5f2c7a9fc09e4 Faulting application path: C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe Faulting module path: C:\Windows\System32\KERNELBASE.dll Faulting package full name: Faulting package-relative application ID:
Upgrade Log
The upgrade log indicates that the the agent upgrade cannot modify the file, so it skips the said file and proceeds to the next:
[RenameFileForAccessViolation] ===> [RenameFileForAccessViolation] Check if [C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\TmBpIe64.dll] is opening by other process. [RenameLockPossibleFile] Create file handle [C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\TmBpIe64.dll] with write success. Should not be the cause. [RenameFileForAccessViolation] <=== [RenameFileForAccessViolation] ===> [RenameFileForAccessViolation] Check if [C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\IE32\TmBpIe32.dll] is opening by other process. [RenameLockPossibleFile] Create file handle [C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\IE32\TmBpIe32.dll] with write success. Should not be the cause. [RenameFileForAccessViolation] <===
To resolve the issue:
- Verify if the Apex One Server is running the latest patches.
You may check the latest patches available for the product in the Apex One Patch Download Center Portal.
- Ensure that the agent's update privilege is set to "All Components".
For more information, refer to this article.
- Initiate the update from the agent side and confirm if the update is successful.
- Verify if the following agent files have the same build as the ones on the server side:
[C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\]libCCSF_ClientLibrary.dll 14.0.0.xxxx
[C:\Program Files (x86)\Trend Micro\OfficeScan Client\] CCSF_X64.zip 14.0.0.xxxx- If the builds DO NOT match, it is possible to use Autopcc.exe on the agent side or reinstall the agent then verify if the issue persists.
- If the builds DO match, collect CDT logs and contact Trend Micro Technical Support for further assistance.