Enabling or disabling User-Mode Hooking (UMH) in OfficeScan (OSCE)

    • Updated: 28 Dec 2016
    • Product/Version: OfficeScan 11.0
    • Platform: Windows 10, Windows 2008 32-Bit, Windows 2008 64-Bit, Windows 2012, Windows 7 32-Bit, Windows 7 64-Bit, Windows 8 32-Bit, Windows 8 64-Bit, Windows 8.1 32-Bit, Windows 8.1 64-Bit
Summary

This article serves as an introduction to UMH in OSCE, and demonstrates how to enable/disable this module.

Details

UMH is an engine in OfficeScan that supports the enhanced ransomware solution. It is installed as a module in the Common Client Solution Framework (CCSF) service. It provides API events to other modules, such as Behavior Monitoring and Predictive Machine Learning. Those modules make their decisions based on the API events that UMH provides.

Below is the installation path for UMH in OSCE:

<OfficeScan Agent Installation Path>\CCSF\MODULE\20019\

UMH has been included since OfficeScan 11.0 Service Pack 1 Critical Patch 6054 (Ransomware CP) and OfficeScan XG.

To enable UMH:

  1. Enable the Unauthorized Change Prevention Service:
    1. Log in to the OfficeScan web management console.
    2. Go to Agents > Settings > Additional Service Settings.

    3. Make sure that the Trend Micro Unauthorized Change Prevention Service is running on the OfficeScan agent.
  2. Enable the OfficeScan Common Client Solution Framework service:
    1. Log in to the OfficeScan web management console.
    2. Go to Agents > Settings > Additional Service Settings.

    3. Make sure that the OfficeScan Common Client Solution Framework is running on the OfficeScan agent.
  3. Enable the UMH module:
    1. Log in to the OfficeScan web management console.
    2. Go to Agents > Settings > Behavior Monitoring Settings.

    3. Check the following in the OfficeScan agent’s registry:
      • x86 platform:

        [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS]
        "EnableUMH"=dword:00000001

      • x64 platform:

        [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS]
        "EnableUMH"=dword:00000001

    4. Check the UMH driver in the command line:

      >sc query tmumh

UMH should be running.

To disable UMH:

  1. Log in to the OfficeScan web management console.
  2. Go to Agents > Settings > Behavior Monitoring Settings.
  3. Uncheck “Enable program inspection to detect and block compromised executable files”.
  4. Deploy the setting by clicking the Save button.
     
    If you choose the ROOT domain from the agent tree, the button should be named “Apply to All Agents”.
  5. Check the following in the OfficeScan agent’s registry:
    • x86 Platform:

      [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS]
      "EnableUMH"=dword:00000000

    • x64 Platform:

      [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS]
      "EnableUMH"=dword:00000000

  6. Check the UMH driver in the command line:

    >sc query tmumh

UMH should still be running until you reboot the computer.

Until the computer is rebooted, the UMH driver keeps running because some processes have already been injected. To avoid any risk, leave tmumh running until the system reboots. Newly created processes will no longer be hooked by UMH.

After you reboot the system, the driver will be stopped.
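
The two agent-side checks above (the `EnableUMH` registry value and `sc query tmumh`) can be combined into one script that also reports the expected "disabled but still running until reboot" state. This is an added example, not Trend Micro code; the function names are hypothetical, and it assumes the English `sc.exe` output format with a `STATE` line.

```powershell
# Added example (not Trend Micro code). Run in PowerShell on the OfficeScan agent.
# Registry keys, value name and driver name are the ones listed in this article.
function Get-UmhRegistryValue {
    $keys = @(
        'HKLM:\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS',             # x86 platform
        'HKLM:\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS'  # x64 platform
    )
    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key -Name 'EnableUMH' -ErrorAction SilentlyContinue
        if ($null -ne $prop) { return [int]$prop.EnableUMH }
    }
    return $null  # EnableUMH not present under either key
}

function Get-UmhDriverState {
    # Call sc.exe explicitly: in Windows PowerShell, "sc" is an alias for Set-Content.
    $out = (& sc.exe query tmumh 2>&1 | Out-String)
    # Assumed output format: "STATE              : 4  RUNNING"
    if ($out -match 'STATE\s*:\s*\d+\s+(\w+)') { return $Matches[1] }
    return 'UNKNOWN'  # tmumh not installed, or the query failed
}

function Get-UmhVerdict {
    param($Enabled, [string]$State)
    $running = ($State -eq 'RUNNING')
    if ($null -eq $Enabled) { return 'EnableUMH not found under either registry key' }
    switch ($Enabled) {
        1 {
            if ($running) { return 'UMH enabled and tmumh running' }
            # The enable procedure requires both prerequisite services to be running.
            return "UMH enabled but tmumh is ${State}: check the Unauthorized Change Prevention and CCSF services"
        }
        0 {
            # After disabling, the driver keeps running until reboot; only new processes are unhooked.
            if ($running) { return 'UMH disabled; tmumh keeps running until reboot' }
            return "UMH disabled and tmumh is ${State}"
        }
        default { return "Unexpected EnableUMH value: ${Enabled}" }
    }
}

$enabled = Get-UmhRegistryValue
$state   = Get-UmhDriverState
'{0}  (EnableUMH={1}, tmumh={2})' -f (Get-UmhVerdict -Enabled $enabled -State $state), $enabled, $state
```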

Category:
Configure
Solution Id:
1115431