Troubleshooting Behavior Monitoring exploit detection issues in Apex One, OfficeScan, and Worry-Free Business (WFBS)

    • Updated: 29 Nov 2019
    • Product/Version:
        • Apex One
        • OfficeScan XG
        • Worry-Free Business Security Advanced 9.5
        • Worry-Free Business Security Services 6.0
        • Worry-Free Business Security Services 6.6
        • Worry-Free Business Security Standard 9
        • Worry-Free Business Security Standard 9.5
    • Platform: N/A
Summary

When a legitimate application continually triggers Malicious Behavior detections by Behavior Monitoring policies, follow the steps below to collect the required debug information and contact Trend Micro Technical Support for further assistance.

In OfficeScan, the detection keeps popping up whenever the application is launched. For example:

[Screenshot: Threats Found notification]

[Screenshot: Logs]

In the Worry-Free Business (WFBS) series, the application is terminated without an agent-side notification, but the event can still be checked in the Behavior Monitoring log. For example:

[Screenshot: WFBS Behavior Monitoring log]

Details

To collect debug log information:

Apply one of the following patches to update SAEGIS >= 2.976.2226 and tmsysevt >= 7.0.1169:

  • OfficeScan XG SP1 Patch 5400 or later
  • OfficeScan XG Patch & WFBS 9.5 Patch TBD

The dump can be collected by following the details in this section. If you are unable to apply the patches, please contact Trend Micro Technical Support directly for further assistance.


To check the component versions:

  • BM folder location: %ProgramFiles%\TrendMicro\BM (x86 OS) / %ProgramFiles(x86)%\TrendMicro\BM (x64 OS)
  • SAEGIS - check the BM folder
  • tmsysevt - check the BM\Eyes\ folder

To collect the dump:

  1. Stop the agent.
  2. Set the following registry key:

    [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS]
    EnableExploitDump=DWORD:00000001

  3. Start the agent.
  4. Replicate the issue.

    The dump file can be found in the BM\Debug folder.

  5. Stop the agent.
  6. Remove the registry key from Step 2.
  7. Start the agent.
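The version check and the registry change above can be scripted so that the key is never left enabled by mistake after the reproduction run. The following PowerShell script is an added example and is not a Trend Micro tool or part of the original article. It assumes: the article does not name the SAEGIS or tmsysevt binaries, so the script lists every versioned file in BM and BM\Eyes and flags whether each meets the minimum version; the agent service name is a placeholder that must be replaced with the service installed on the endpoint (how the agent is stopped is product specific and may require the product's own unload procedure rather than Stop-Service).

```powershell
# Added example (not from the Trend Micro article): check Behavior Monitoring component
# versions and toggle EnableExploitDump for a single reproduction run.
# Assumptions: binaries in BM and BM\Eyes are not named by the article, so all versioned
# files are listed; $AgentServiceName is a placeholder and must be replaced.
param(
    [ValidateSet('Check', 'Enable', 'Disable')]
    [string]$Action = 'Check',
    [string]$AgentServiceName = '<AGENT_SERVICE_NAME>'   # placeholder, not from the article
)

# BM folder location for x86 and x64 systems, as given in the article.
$bmFolder = if ([Environment]::Is64BitOperatingSystem) {
    Join-Path ${env:ProgramFiles(x86)} 'TrendMicro\BM'
} else {
    Join-Path $env:ProgramFiles 'TrendMicro\BM'
}

$regPath   = 'HKLM:\SOFTWARE\TrendMicro\AEGIS'
$regName   = 'EnableExploitDump'
$minSaegis = [version]'2.976.2226'   # minimum SAEGIS version from the article
$minEyes   = [version]'7.0.1169'     # minimum tmsysevt version from the article

function Get-BmVersions {
    param([string]$Folder, [version]$Minimum)
    # List versioned binaries in one folder and compare each against the minimum.
    Get-ChildItem -Path (Join-Path $Folder '*') -Include *.dll, *.exe, *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            $parsed = $null
            # FileVersion strings may carry text suffixes; keep the leading dotted number only.
            if ($raw -and [version]::TryParse(($raw -split '[^0-9.]')[0], [ref]$parsed)) {
                [pscustomobject]@{
                    File         = $_.Name
                    Version      = $parsed
                    MeetsMinimum = ($parsed -ge $Minimum)
                }
            }
        }
}

switch ($Action) {
    'Check' {
        Write-Host "SAEGIS components in $bmFolder (need >= $minSaegis):"
        Get-BmVersions -Folder $bmFolder -Minimum $minSaegis | Format-Table -AutoSize
        Write-Host "tmsysevt components in $bmFolder\Eyes (need >= $minEyes):"
        Get-BmVersions -Folder (Join-Path $bmFolder 'Eyes') -Minimum $minEyes | Format-Table -AutoSize
        $current = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
        $state = if ($current) { $current.$regName } else { 'not set' }
        Write-Host "$regName is currently: $state"
    }
    'Enable' {
        # Steps 1-3: stop the agent, set the DWORD to 1, start the agent.
        Stop-Service -Name $AgentServiceName -Force
        if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
        New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
        Start-Service -Name $AgentServiceName
        Write-Host "Exploit dump enabled. Reproduce the issue, then collect the file from $bmFolder\Debug."
    }
    'Disable' {
        # Steps 5-7: stop the agent, remove the key, start the agent.
        Stop-Service -Name $AgentServiceName -Force
        Remove-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
        Start-Service -Name $AgentServiceName
        Write-Host 'Exploit dump disabled.'
    }
}
```

Run `.\bm-dump.ps1 -Action Check` from an elevated prompt before applying the patch to see whether the components already meet the minimum versions, then `-Action Enable`, reproduce the detection, and finish with `-Action Disable` so the debug key does not stay set on a production endpoint.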

Please contact Trend Micro Technical Support directly for further assistance.

  1. Use the Case Diagnostic Tool (CDT) and check “Collect AEGIS debug information”.

    CDT

  2. Once debug mode is enabled by CDT, reproduce the issue and confirm when the detection was triggered again.
  3. Stop CDT debug mode and collect the compressed log package.
  4. Provide feedback to Trend Micro Technical Support.
Category: Troubleshoot
Solution Id: 1121543