Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Troubleshooting the Security Agent (SA) that appears offline/disconnected or is missing in Worry-Free Business Security (WFBS)

    • Updated:
    • 21 Apr 2021
    • Product/Version:
    • Worry-Free Business Security Standard/Advanced 10.0
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 9.5
    • Platform:
Summary

Know the troubleshooting steps when you encounter the following issues with the CSA/SA of WFBS:

  • Agent appears as offline in the WFBS management console
  • Agent's status in the System Tray shows the disconnected icon
  • Clients incorrectly appear as "Offline" on the console or do not appear at all
  • Clients do not show the correct pattern file or scan engine on the console
  • Clients do not report/appear to the new Security Server
  • Security Agents are not showing in the WFBS console
  • Clients deployment problem from the console
  • Reconnecting offline clients after migrating to a new WFBS server
Details
Public

To resolve any of the issues listed, do one of the following options:

 
Troubleshooting the Security Server should be done if all or majority of the Security Agents are not appearing. On the other hand, troubleshooting the Security Agent should be done when a client or some clients are not appearing, but majority of the clients are appearing online. This is to avoid unnecessary actions on the Security Server and prevent further damage on the WFBS client.
 

Security Server

  1. Log in to the WFBS console.
  2. Go to Live Status > Scroll down the page until you see the License Status widget.

    License Status Widget

    Click the image to enlarge.

  3. Make sure that you have not exceeded the seats for your license. Otherwise, the extra clients will not appear in the management console.
 
You can contact your reseller or the Trend Micro Sales department to purchase additional seats.
 
  1. Identify the agent IP and listening port:
    1. Navigate to Devices > Select affected group > locate the endpoint.
    2. You can identify the IP Address for the endpoint, and the listening port configured.

      Identify IP Address

      Click the image to enlarge.

       
      For accurate results, the IP address should be verified on the agent side as communication issues could prevent the IP Address from updating on the console correctly when it changes at the endpoint.
       
    3. On the Security Server, open your browser.
    4. In the address bar, enter the following address replacing the IP and port where indicated:
      http://<endpoint IP>:<agentport>/?CAVIT
       
      CAVIT must be capitalized.
       
    5. Hit Enter. Either of the following will happen:
      • If the connection is successful, a page with a string of text starting with !CRYPT! will appear.

        Successful connection

        Click the image to enlarge.

      • If the connection fails, an error or blank page appears
  1. From the Security Server, and open Command Prompt.
  2. Change path to the PCCSRV directory "..\Trend Micro\Security Server\PCCSRV"
  3. Run the following commands, one by one:
    • svrsvcsetup.exe setvirdir
    • svrsvcsetup.exe setprivilege
    • svrsvcsetup.exe enablessl
  4. Restart the Trend Micro Security Agent Listener service on one of the clients that is disconnected or offline.
  5. Open the WFBS console, and go to Devices.
  6. Refresh the page after 30 seconds and verify if the agent is still disconnected or appears offline.
  1. On the Security Server, stop the Trend Micro Security Server Master Service.
  2. Go to the ..\PCCSRV\HTTPDB folder then make a backup copy of the HTTPDB folder (Example: HTTPDB_backup), and then delete all the contents of the original HTTPDB folder
  3. Start the Trend Micro Security Server Master Service.
     
    The above steps will re-create the database. It will remove all the configurations and the agents reporting on the console. However, when the machine is rebooted, get update from the server or when the Trend Micro Agent Listener is restarted, the database will automatically be repopulated.
     
  4. Restart the Trend Micro Agent Listener service on the offline/disconnected, or restart the computer.
  5. Open the management console to verify if the client/agent now appears correctly.

Security Agent

  1. Identify the Server IP/FQDN and listening ports.
    • IP can be obtained via ipconfig while FQDN can be gotten from the web console address.

      Check IP Address

      Click the image to enlarge.

    • Ports can be identified by going to IIS Manager > Sites > OfficeScan > Bindings...

      IIS Bindings

      Click the image to enlarge.

       
      4343 is the default HTTPS port on both Apache and IIS web servers.
       
  2. Open a web browser on the testing endpoint.
  3. In the address bar, enter the following address replacing the IP and port where indicated:

    https://<servername/IP address>:<https port>/SMB/cgi/cgionstart.exe

    A warning about the page will appear. This is expected as the server uses a self-signed certificate. Proceed past the warning and a page

    If the next screen shows "-2", this means the client can communicate with the server. Otherwise, there is a problem with the connection.

  1. Open a command prompt on the machine to verify.
  2. Run the following command to verify the port state with the Windows Firewall:
    Netsh firewall show state

    Below is a sample screenshot:

    Firewall Status

    Click the image to enlarge.

 
Always back up the whole registry before making any modifications. Incorrect changes to the registry can cause serious system problems.
 
  1. On the Security Server, open the ..\PCCSRV\ofcscan.ini file.
  2. Look for the following entries, and take note of their values:
  3. Open the Registry Editor in the offline/disconnected agent and go to the following registry hive:
    • For 32-bit machine: HKEY_LOCAL_MACHINE\Software\Trend Micro\PC-CillinNTCorp\CurrentVersion
    • For 64-bit machine: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Trend Micro\PC-CillinNTCorp\CurrentVersion
  4. The values of the following registry keys should be the same as the values from Step 2:
    • Server - must have the same value as Master_DomainName
    • ServerPort - must have the same value as Master_DomainPort
    • LocalServerPort - must have the same value as Client_LocalServer_Port

    If the values are not the same, use the Client Mover Tool (IPXfer.exe) to restore the communication between the WFBS server and Security Agent. Follow the procedure in this KB article: Migrating clients of Worry-Free Business Security (WFBS) to another server.

Use the following workaround if the client is offline after migrating to a new WFBS server or if the client can be updated but doed not appear in the web console after a fresh install:

 
This procedure is only applicable if you cannot use IpXfer to move the client to the new server.
 
 
Always back up the whole registry before making any modifications. Incorrect changes to the registry can cause serious system problems.
 
  1. Go to the offline client machine and unload the agent.
  2. Open Registry Editor.
  3. Go to the following registry key:
    • For 64-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion
    • For 32-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion
  4. Modify the value of Domain and DomainID, which are referencing to the Group in the WFBS console. By default, the values are:
    • For Servers group:
      "Domain"="Servers (default)"
      "DomainID"="10000000-0000-0000-0000-000000000000"
    • For Desktops group:
      "Domain"="Desktops (default)"
      "DomainID"="20000000-0000-0000-0000-000000000000"
      • ServerPort=dword:00001f7b (default port in hexadecimal)
      • Server="Name of the server"
      • Domain="Desktops (default)"
      • LocalServerPort=listening port (hexadecimal)
      • DomainID="20000000-0000-0000-0000-000000000000"

      For other languages, you must change the Domain value according to what is displayed in the console for the default groups. The DomainID should stay the same.

  5. Reload the agent.
If the issue still occurs, contact Trend Micro Technical Support, and provide the Case Diagnostic Tool (CDT) log generated on the WFBS server and the Security agent.
Premium
Internal
Partner
Rating:
Category:
Troubleshoot
Solution Id:
1037481
Feedback
Did this article help you?

Thank you for your feedback!


*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.