When there is an issue on an endpoint with the OfficeScan/Apex One Security Agent installed, isolation testing is a recommended preliminary step to help determine where the issue is.
The steps below are a good outline for isolation testing.
If you are using Apex Central or Apex One as a Service, please copy your current policy to a test policy and specify the machine you're testing with in that policy. Otherwise, make the changes to a single test endpoint in Apex One.
Once isolation has been done on the single endpoint, you can double-check by expanding the change to other affected machines.
You will need to turn each service off one by one until the issue is gone. Note the setting, then turn the suspicious service back on and continue turning the other services off to confirm whether the issue persists. Because components can interact with each other, disabling a different service may also resolve the issue. If any other service also corrects the issue, please note those as well.
After changing each service from the web console, do a manual update on the client, then test whether the issue persists. It can take up to 10 minutes for the agent to receive the updated policy.
- Test Policy > Behavior Monitor Settings > Unclick "Enable Malware Behavior Blocking" > Deploy
- Test Policy > Behavior Monitor Settings > Unclick "Enable Event Monitoring" > Deploy
If this action solves the issue, please enable this setting and do actions 3, 8, 9, and 11 to confirm the problematic service further.
- Test Policy > Behavior Monitor Settings > Unclick "Enable program inspection to detect and block compromised executable files" > Deploy
Verify whether the TMUMH service has stopped by running the command "sc query tmumh" from an admin command line. If the service is still running, stop the service by running "sc stop tmumh". If the process is actively hooked, this may fail and a system restart will be required.
When using Apex Central policies, DLP is in a separate policy.
Policies > Policy Management > Apex One Data Loss Prevention
You can either remove the endpoint from this policy or create a test policy for DLP as well as the OfficeScan/Apex One Security Agent.
- DLP Test Policy > DLP Settings > Unclick "Enable Data Loss Prevention" > Deploy
Once isolation is complete, the results, along with the output from the Case Diagnostic Tool while reproducing the issue, should be provided to Trend Micro Technical Support through a support case.