There have been reports that the OfficeScan Master Service is randomly terminating and the Event Viewer logs may show errors similar to the following:
Faulting application ofcservice.exe, version X, faulting module ofcservice.exe, version x, fault address xxxxxxx.
Faulting application DbServer.exe, version x, time stamp x, faulting module DbServer.exe, version x, time stamp x, exception code x, fault offset x, process id 0x1dfc, application start time x.
Faulting application name: verconn.exe, version: 10.5.0.1766, time stamp: 0x4d1b84f8
Faulting module name:verconn.exe, version 10.5.0.1766 , time stamp: 0xd1b84f8
To understand the root cause why the OfficeScan server process(es) randomly terminate(s), we recommend using the ADPlus tool from Microsoft. This tool does not require enabling debugging for OfficeScan. The ADPlus will automatically generate a dump file when a crash or exception occurs.
To use ADPlus:
- Download and install the Debugging Tools for Windows. ADPlus is part of the Debugging Tools for Windows.
- Open a command prompt and go to the directory where the Debugging Tools for Windows is installed. By default, it is at C:\Program Files\Debugging Tools for Windows\. Run ADPlus on the server itself.
Execute this command:
"adplus -crash -pn ofcservice.exe -o C:\temp"
Some points to consider:
Do not close the DOS window(s) that ADPlus opened. ADPlus will run in the background while waiting for the process to crash. Also make sure not to recycle the OfficeScan Master service or reboot after running the command because ADPlus uses the PID.
- C:\TEMP can be any other directory. Just make sure that the path exists.
- If you see this same command to troubleshoot dbserver.exe, then substitute ofcservice.exe with dbserver.exe. Example: "adplus -crash -pn dbserver.exe -o C:\temp"
If the server is restarted or the machine is rebooted, the OfficeScan Master service will get a new PID and you will not be able to capture the dump. Once the crash happens, ADPlus willo generate the crash dump and terminate automatically.
- Once the process crashes, collect the logs generated by ADPlus under the C:\Temp folder.
- Send the logs to Trend Micro Technical Support for further analysis.
On certain occasions, ADPlus only catches the first chance of the crash. This first chance has limited use for troubleshooting and is therefore recommended to move up to the second method of capturing a process dump file using WinDBG.
- After installing Debugging Tools for Windows, open a command prompt and go to the directory where the Debugging Tools for Windows is installed. By default, it is in C:\Program Files\Debugging Tools for windows\.
- Type this command:
"Windbg.exe -i"You will see a message box showing "WinDBG has successfully installed as the default postmortem debugger".
- Once the process crashes, the WinDBG window will be launched. Type the following commands to capture the dump within the WinDBG window:
".dump /ma c:\temp\processname.dmp"Here are some points that you should consider:
- C:\temp can be any existing directory.
- The process name is the name of the executable that you are troubleshooting. For example, if you are troubleshooting a crash in dbserver.exe, then substitute processname.dmp to dbserver.dmp:
".dump /ma c:\temp\dbserver.dmp"
- The "q" command indicates quit. You do not have to run anything after capturing the dump.
- Send the captured dump to Trend Micro Technical Support for further analysis.