General Problem Isolation Testing

    • Updated: 12 Sep 2019
    • Product/Version: OfficeScan XG.All, Apex One All.All, Apex One as a Service All.All
    • Platform: Windows All
Summary

When there is an issue on an endpoint with the OfficeScan/Apex One Security Agent installed, isolation testing is a recommended preliminary step to help determine where the issue is.

The steps below are a good outline for isolation testing.

Details

If you are using Apex Central or Apex One as a Service, please copy your current policy to a test policy and specify the machine you're testing with in that policy. Otherwise, make the changes to a single test-endpoint in Apex One.

Once isolation has been done on the single endpoint, you can double-check by expanding the change to other affected machines.

Turn each service off one by one until the issue is gone. Note the setting, then turn the suspect service back on and continue turning the other services off to confirm whether the issue persists. Because components can interact with each other, disabling a different service may also resolve the issue. If any other service also corrects the issue, note it as well.

After changing each service from the web console, do a manual update on the client, then test whether the issue persists. It can take up to 10 minutes for the agent to receive the updated policy.

If any step resolves the issue, do NOT proceed to the next step until the issue is reproducible again.
The screenshots show the Apex Central policy, but the settings are the same on Apex One, with just a slightly different layout.

  1. Test Policy > Real-time Scan Settings > Unclick "Enable virus/malware scan" > Deploy

     If this action solves the issue, please enable this setting and do actions 3, 4, 8, 10, and 12 to confirm the problematic service further.

  2. Test Policy > Web Reputation Settings > Unclick "Enable Web reputation policy on the following operating systems" > Deploy

     If this action solves the issue, please enable this setting and do actions 8 and 13 to confirm the problematic service further.

  3. Test Policy > Predictive Machine Learning Settings > Unclick "Enable Predictive Machine Learning" > Deploy

  4. Behavior Monitor Settings

       1. Test Policy > Behavior Monitor Settings > Unclick "Enable Malware Behavior Blocking" > Deploy
       2. Test Policy > Behavior Monitor Settings > Unclick "Enable Event Monitoring" > Deploy

     If this action solves the issue, please enable this setting and do actions 3, 8, 9, and 11 to confirm the problematic service further.

  5. Test Policy > Additional Service Settings > Unauthorized Change Prevention Service > Unclick > Deploy

     If this action solves the issue, please enable this setting and do actions 3, 4, 8, 9, and 11 to confirm the problematic service further.

  6. Test Policy > Additional Service Settings > Firewall Service > Unclick > Deploy

  7. Test Policy > Additional Service Settings > Suspicious Connection Service > Unclick > Deploy

  8. Test Policy > Additional Service Settings > Advanced Protection Service > Unclick > Save

     If this action solves the issue, please enable this setting and do actions 3, 10, 11, 12, and 13 to confirm the problematic service further.

  9. Access Document Control and Software Restricted Policy

       • Access Document Control: Test Policy > Behavior Monitor Settings > Unclick "Protect documents against unauthorized encryption or modification" > Deploy
       • Software Restricted Policy: Test Policy > Behavior Monitor Settings > Unclick "Block processes commonly associated with ransomware" > Deploy

  10. Test Policy > Behavior Monitor Settings > Unclick "Enable program inspection to detect and block compromised executable files" > Deploy

      Verify that the TMUMH service has stopped by running the command "sc query tmumh" from an admin command line. If the service is still running, stop it by running "sc stop tmumh". If the process is actively hooked, this may fail and a system restart will be required.

  11. Test Policy > Behavior Monitor Settings > Unclick "Monitor newly encountered programs downloaded through web or email application channels" > Deploy

  12. Test Policy > Scan Settings > Real-time Scan Settings > Unclick "Quarantine malware variants detected in memory" > Deploy

  13. Test Policy > Web Reputation Settings > Unclick "Block pages containing malicious script" > Deploy

  14. Test Policy > Additional Service Settings > Data Protection Service > Unclick > Deploy

      If this action solves the issue, please enable this setting and do actions 15 and 16 to confirm the problematic service further.

  15. Test Policy > Device Control Settings > Unclick "Enable Device Control" > Deploy

      If this action solves the issue, please enable this setting and do action 16 to confirm the problematic service further.

  16. When using Apex Central policies, DLP is in a separate policy.

      Policies > Policy Management > Apex One Data Loss Prevention

      You can either remove the endpoint from this policy or create a test policy for DLP as well as the OfficeScan/Apex One Security Agent.

      DLP Test Policy > DLP Settings > Unclick "Enable Data Loss Prevention" > Deploy

Once isolation is complete, the results, along with the output from the Case Diagnostic Tool while reproducing the issue, should be provided to Trend Micro Technical Support through a support case.
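
The TMUMH check that follows the program inspection step, as an added PowerShell example (not Trend Micro's own tooling): it wraps the article's "sc query tmumh" and "sc stop tmumh" commands and returns a record that can be kept with the isolation results. The function names and the 5-second wait are assumptions, and the parser assumes English sc.exe output labels.

```powershell
# Added example, not part of the original article. Run from an elevated prompt
# on the test endpoint after the policy change has been deployed.

function Get-ScState {
    param([Parameter(Mandatory)][string]$Name)
    $out = & sc.exe query $Name 2>&1
    # 1060 = ERROR_SERVICE_DOES_NOT_EXIST
    if ($LASTEXITCODE -eq 1060) { return 'NotInstalled' }
    # Parse the numeric state code (assumes the English "STATE" label).
    $m = $out | Select-String -Pattern 'STATE\s*:\s*(\d+)' | Select-Object -First 1
    if (-not $m) { return 'Unknown' }
    switch ([int]$m.Matches[0].Groups[1].Value) {
        1 { 'Stopped' }
        2 { 'StartPending' }
        3 { 'StopPending' }
        4 { 'Running' }
        default { 'Other' }
    }
}

function Confirm-TmumhStopped {
    $svc = 'tmumh'                      # service name as given in the article
    $before = Get-ScState -Name $svc
    $after = $before
    if ($before -eq 'Running') {
        # Same command the article gives; it can fail while a process is hooked.
        & sc.exe stop $svc | Out-Null
        Start-Sleep -Seconds 5          # assumed settle time before re-checking
        $after = Get-ScState -Name $svc
    }
    [pscustomobject]@{
        Time          = (Get-Date).ToString('s')
        Service       = $svc
        StateBefore   = $before
        StateAfter    = $after
        # Per the article, a stop that does not take effect means a restart.
        RestartNeeded = ($after -in 'Running', 'StopPending')
    }
}

Confirm-TmumhStopped | Format-List
```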

Category: Troubleshoot
Solution Id: 1123591