This article documents the known issues that customers might encounter when installing the GM build of the product.
These are the common issues in Threat Intelligence Manager 1.0:
- Due to the current design of TDA, if there are more than two Threat Discovery Appliances (TDA) registered to the Threat Intelligence Manager server, you might not be able to identify the corresponding log of one specific server.
For example: If you have added a registry for TDA 1 and TDA 2 to the Threat Intelligence Manager server, then you might not be able to identify whether the log was sourced from TDA 1 or TDA 2.
- When you add a Threat Intelligence Map to small layouts, there are no scroll bars enabled to help view the entire widget content.
- The Threat Intelligence Map widget does not zoom in or out with the mouse wheel in Firefox. This is a limitation of Firefox support in the current design.
- The Threat Intelligence Map shows two globes when fully zoomed out. The widget uses Bing map for its content, and this is normal behavior of the Bing map.
- If there are too many segments in a pie chart, users may only see partial labels.
- The bar charts might not display the smaller bars when there is a big difference in the number count.
- In bar charts, the space between the bars can be unequal due to a third-party library limitation.
- The link graph is constrained to 100,000 valid logs and 600 lines. If the searched log scope hits either limit, the Threat Intelligence Manager will not draw the link graph, to avoid misleading the user with a partial link graph.
- When you right-click, context menus accessed from LinkGraph or GeoMap may be hidden by the Log View if the item clicked is too close to the Log View panel. To avoid this issue, drag the GeoMap or LinkGraph away from the Log View panel and right-click the item again.
- The maximum number of pins for the GeoMap is limited to 1000. If a result contains more than 1000 cities/countries or the rendering time is over 30 seconds, then the user receives a warning message and should narrow the search scope.
- Using the mouse wheel to zoom in/out in GeoMap sometimes does not work. Double-click the map to resolve this issue.
- Smart Event values are case-sensitive. For Windows product logs, when logs contain the same strings but with different capitalization, the Smart Events will use different values.
- The pagination of Smart Events does not work if users use the compatibility view in IE. Change to a different browser mode to avoid this issue.
- Auto-complete is not supported in the following situations:
  - When the operator is AND NOT or NOT, e.g. "ProductName=TDA AND NOT des". The system will not return any fields or possible terms starting with the word "des".
  - With the relational operators RANGE FROM TO, IS NULL, and IS NOT NULL.
  - When the query string is enclosed in parentheses ():
    - e.g. "(P " - The system will not return any field or possible terms starting with the character P.
    - e.g. "(ProductName= " - The system will not recommend any possible product name.
- Time fields in the manual search and breadcrumbs use UTC time for search/display. Other components display GMT time.
- The order of items in generated reports is not the same as that of the report template or the report builder.
- Log maintenance will be triggered when Time-Based or Log Size-Based conditions are met. However, old logs are purged until new logs are inserted into Solr.
- The system may require a reboot after uninstalling TIM.
- When the Internet Explorer Enhanced Security Configuration (IEESC) is enabled, the Login button does not display at the TIM login page. As a workaround, disable IEESC, clear the browser cache, and then restart the TIM console.
- IE9 on Server 2008 may not be able to view Flash pages if IEESC is enabled. As a workaround, disable IEESC.
- The chart does not handle Daylight Saving Time if it uses the log time as a baseline. This may affect log counts and labels.
- The Threat Intelligence Agent will not upload events to TIM if the agent needs an FQDN (Fully Qualified Domain Name) to connect to the server. This may be an issue where the agent and server are in different domains and the agent cannot resolve the host name of the server due to DNS restrictions.
Currently, the agent provides a fallback for this issue that should be transparent to the user. If the [upstream]\receiver_host name in the tmupload.ini file cannot be resolved, tmupload falls back to the [shared]/last_server_url in the tmagent.ini file. The agent uses HTTPS and port 7174 for this failover. If tmupload still cannot connect to the server, it then tries the [shared]/last_server_ip to connect to TIM, again using HTTPS and port 7174. If a user has changed the default SSL log receiver port on the server, the failover will not work.
- Users may experience a Log Server (Solr) startup issue if Threat Intelligence Manager is installed on a less substantial system (low memory/CPU). The workaround is to restart the Trend Micro Solr manager service.
If there are logs under \Program Files\Trend Micro\Threat Intelligence Manager\concentrator\workflow\errorlog and the logs need to be reprocessed, you can copy them back to \Program Files\Trend Micro\Threat Intelligence Manager\concentrator\workflow\taggedlog and then wait for them to be uploaded to the Log Server (Solr).
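
For the agent upload failover described above (receiver host name, then last_server_url, then last_server_ip, with both fallbacks fixed to HTTPS port 7174), the following troubleshooting helper is an added example, not Trend Micro's code. It assumes the tmupload.ini key is spelled `receiver_host`; the sample file contents, host names, IP address and function names are constructed for illustration.

```python
import configparser
import socket
from urllib.parse import urlsplit

FAILOVER_PORT = 7174  # the page: both fallbacks use HTTPS on port 7174

# Constructed sample files. The key name "receiver_host" is an assumption.
TMUPLOAD_INI = "[upstream]\nreceiver_host = tim-server\n"
TMAGENT_INI = ("[shared]\n"
               "last_server_url = https://tim-server.corp.example:7174/\n"
               "last_server_ip = 192.0.2.10\n")

def dns_resolves(host):
    """True if the local resolver returns any address for host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except OSError:
        return False

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def failover_stage(tmupload_text, tmagent_text, resolves=dns_resolves, reachable=tcp_open):
    """Return (stage, host) for the first step of the documented order that works."""
    primary = _load(tmupload_text).get("upstream", "receiver_host", fallback="")
    if primary and resolves(primary):
        return ("receiver_host", primary)
    shared = _load(tmagent_text)
    url = shared.get("shared", "last_server_url", fallback="")
    url_host = urlsplit(url if "://" in url else "https://" + url).hostname
    ip = shared.get("shared", "last_server_ip", fallback="")
    for stage, host in (("last_server_url", url_host), ("last_server_ip", ip)):
        # Both fallbacks are pinned to 7174, so a changed receiver port fails here.
        if host and reachable(host, FAILOVER_PORT):
            return (stage, host)
    return ("none", None)

if __name__ == "__main__":
    # Offline demo: name does not resolve, server only listens on a changed port.
    print(failover_stage(TMUPLOAD_INI, TMAGENT_INI,
                         resolves=lambda h: False, reachable=lambda h, p: p == 8443))
```

A result of `("none", None)` on an agent whose server is otherwise healthy points at the changed SSL log receiver port or at a firewall rule blocking 7174 between the two domains.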