When there is an issue on an endpoint with the OfficeScan/Apex One Security Agent installed, isolation testing is a recommended preliminary step to help determine where the issue is.
The steps below are a good outline for isolation testing.
If you are using Apex Central or Apex One as a Service, please copy your current policy to a test policy and specify the machine you're testing with in that policy. Otherwise, make the changes to a single test-endpoint in Apex One.
Once isolation has been done on the single endpoint, you can double-check by expanding the change to other affected machines.
You will need to turn each service off one by one until the issue is gone. Note the setting and then turn the suspicious service back on and continue to turn the other services off to see if the issue persists to confirm. As components can interact with each other, it is possible that disabling different services could potentially resolve the issue. If any other service also corrects the issue, please note those as well.
After changing each service from the web console, do a manual update on client. Test if the issue persists. It can take up to 10 minutes for the agent to receive the updated policy.
Test Policy > Real-time Scan Settings > Unclick "Enable virus/malware scan" > Deploy
If this action solves the issue, please enable this setting and do actions 3, 4, 8, 10, and 12 to confirm the problematic service further.
Test Policy > Web Reputation Settings > Unclick "Enable Web reputation policy on the following operating systems" > Deploy
If this action solves the issue, please enable this setting and do actions 8 and 13 to confirm the problematic service further.
Test Policy > Predictive Machine Learning Settings > Unclick "Enable Predictive Machine Learning" > Deploy
- Test Policy > Behavior Monitor Settings > Unclick "Enable Malware Behavior Blocking" > Deploy
- Test Policy > Behavior Monitor Settings > Unclick "Enable Event Monitoring" > Deploy
If this action solves the issue, please enable this setting and do actions 3, 8, 9, and 11 to confirm the problematic service further.
Test Policy > Additional Service Settings > Unauthorized Change Prevention Service > Unclick > Deploy
If this action solves the issue, please enable this setting and do actions 3, 4, 8, 9, and 11 to confirm the problematic service further.
Test Policy > Additional Service Settings > Firewall Service > Unclick > Deploy
Test Policy > Additional Service Settings > Suspicious Connection Service > Unclick > Deploy
Test Policy > Additional Service Settings > Advanced Protection Service > Unclick > Save
If this action solves the issue, please enable this setting and do actions 3, 10, 11, 12, and 13 to confirm the problematic service further.
- Access Document Control
Test Policy > Behavior Monitor Settings > Unclick "Protect documents against unauthorized encryption or modification" > Deploy
- Software Restricted Policy
Test Policy > Behavior Monitor Settings > Unclick "Block processes commonly associated with ransomware" > Deploy
Test Policy > Behavior Monitor Settings > Unclick "Enable program inspection to detect and block compromised executable files" > Deploy
Verify if the TMUMH service has stopped by running the command "sc query tmuh" from an admin command line. If the service is still running, stop the service by running "sc stop tmumh". If the process is actively hooked, this may fail and a system restart will be required.
Test Policy > Behavior Monitor Settings > Unclick "Monitor newly encountered programs downloaded through web or email application channels" > Deploy
Test Policy > Scan Settings > Real-time Scan Settings > Unclick "Quarantine malware variants detected in memory" > Deploy
Test Policy > Web Reputation Settings > Unclick "Block pages containing malicious script" > Deploy
Test Policy > Additional Service Settings > Data Protection Service > Unclick > Deploy
If this action solves the issue, please enable this setting and do actions 15 and 16 to confirm the problematic service further.
Test Policy > Device Control Settings > Unclick "Enable Device Control" > Deploy
If this action solves the issue, please enable this setting and do action 16 to confirm the problematic service further.
When using Apex Central policies, DLP is in a separate policy.
Policies > Policy Management > Apex One Data Loss Prevention
You can either remove the endpoint from this policy or create a test policy for DLP as well as the OfficeScan/Apex One Security Agent.
DLP Test Policy > DLP Settings > Unclick "Enable Data Loss Prevention" > Deploy
Once isolation is complete, the results, along with the output from the Case Diagnostic Tool while reproducing the issue, should be provided to Trend Micro Technical Support through a support case.
