Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Preventing DLP modules from being deployed during server upgrade or hot fix/patch deployment in OfficeScan

    • Updated:
    • 8 Oct 2018
    • Product/Version:
    • OfficeScan 11.0
    • OfficeScan XG.All
    • Platform:
    • N/A N/A
Summary

By current design, Data Loss Protection (DLP) modules are automatically deployed to the agents during an upgrade and patch or hot fix deployments (with dlp components/drivers), even when NoProgramUpgrade is enabled on the server and deployed to the agents.

Details
Public

Pre-Requirement

This workaround/solution works with OfficeScan 11.0 and later versions with the DLP plugin activated.

Resolution

Prior to upgrading the OfficeScan 11.0 server to OfficeScan XG or installing a patch or hot fix on OfficeScan XG, make sure that the settings below are configured and deployed to the agents:

  1. Set the setting as shown below in the ofcscan.ini file found in ...\Officescan Server\PCCSRV:

    [Global Setting]
    DLPNoUpgrade=1

     

    If this is not configured, below is the expected scenario:

    OSCE Agent Version: 11.x.xxxx
    DLP Module version: 6.2.xxxx

    iDLP will NOT function as expected since 6.2.xxxx is designed only for OfficeScan XG.

  2. Go to OfficeScan console > Global Agent Settings and click Save.
  3. In the OfficeScan console, go to Agents > Agent Management > Settings > Privileges and Other Settings > Other Settings tab.
  4. Under update settings, select “Clients can update components but not upgrade the client program or deploy hotfixes”.

    For OfficeScan XG Service Pack 1 (SP1):

    1. In the OfficeScan console, go to Agents > Agent Management > Settings > Privileges and Other Settings > Other Settings tab.
    2. Under update settings, select “Pattern files” for the "OfficeScan agents only update the following component" option.

      Privileges & Other Settings

    The OfficeScan server deploys the command to OfficeScan clients and adds the following registry entry to all OfficeScan client computers:

    • For x86 machines:

      Path: HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\DlpLite\
      Key: NoUpgrade = 1
      Type: REG_DWORD
      Value: 1

    • For x64 machines:

      Path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\DlpLite
      Key: NoUpgrade = 1
      Type: REG_DWORD
      Value: 1

 

Once the steps above are configured and you upgraded the agents to OfficeScan XG (either specific machines or a group), below is the expected scenario:

OSCE Agent Version: 12.x.xxxx
DLP Module version: 6.0.xxxx

iDLP will not work as expected since 6.0.xxxx is not compatible with OfficeScan XG. Admin should change the setting to "0" or remove the key for the agent to upgrade and make it compatible with iDLP.

Premium
Internal
Rating:
Category:
Configure; Deploy
Solution Id:
1121214
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.