Summary
Policy Description shows the following error on the Apex Central "Preliminary Investigation" page.
"Endpoint Sensor Service: System error. Error ID: 420"
"Unable to get the registered server list. There are no registered servers."
Root Cause Analysis
The Apex One server ofcdebug.log, located at ...\Trend Micro\Apex One\PCCSRV\Log\, indicates that the CM Agent tries to query Trend Micro Advanced Threat Assessment Service (ATAS) but gets an HTTP response 500 error:
2019 05/15 12:30:42[090c : 17f4](00) (I) [][ofcservice.exe]OSFSvcClient::setProductServiceInfo - http url=https://[Apex One FQDN]:4343/officescan_iatas/osf/iatas_api/v1/resourcedata-[libosfsvcclient.cpp(152)]
2019 05/15 12:30:42[090c : 17f4](00) (D) [][ofcservice.exe]getPFXFromCertificateStore - >>> find certificates and export PFX from keystore=[OfcOSF]by subject=[OfcOSFWebApp]-[libosfsvcclientutility.cpp(260)]
2019 05/15 12:30:42[090c : 17f4](00) (E) [][ofcservice.exe]BoostHTTPClient::receive - http response code=500 -[libosfsvcclienthttpclient.cpp(103)]
2019 05/15 12:30:42[090c : 17f4](00) (I)[CMDHO2][ofcservice.exe]cmdho2_GetProductServerStatusLog - << -[cmdho2_osf.cpp(820)]
The following logs also appear in the Apex One server ofcdebug.log located at ...\Trend Micro\Apex One\PCCSRV\Log\. They indicate that the ATAS web config is broken after several failed installations of Endpoint Sensor, which prevents the service from starting successfully.
2019 05/23 12:24:01 [36dc : 3fec] (00) (I) [libProductLibrary][OfcCMAgent.exe]ConsolidateESAndATASStatus - >>> - [cma_log.cpp(8352)]
2019 05/23 12:24:01 [36dc : 3fec] (00) (D) [libProductLibrary][OfcCMAgent.exe]ConsolidateESAndATASStatus - Unexpected status, ATAS status = 0, ES status = 7 - [cma_log.cpp(8374)]
In the Windows event log:
The description for Event ID 0 from source AtasService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
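A triage script for the two ofcdebug.log indicators described above (the HTTP 500 from the ATAS query and the unexpected ATAS/ES status), added here as an example and not part of Trend Micro's tooling. The record layout is inferred from the excerpts in this article, and the names `parse_records` and `triage` are illustrative.

```python
import re
from datetime import datetime

# Record layout inferred from the ofcdebug.log excerpts in this article (an
# assumption, not a documented format); spacing around the brackets varies.
RECORD = re.compile(
    r"(?P<ts>\d{4} \d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*\[\w+\s*:\s*\w+\]\s*\(\d+\)\s*"
    r"\((?P<level>\w)\)\s*\[[^\]]*\]\s*\[(?P<proc>[^\]]*)\]"
    r"(?P<func>\S+) - (?P<msg>.*?)\s*-\s*\[(?P<src>[^\]]+\(\d+\))\]"
)
STATUS = re.compile(r"Unexpected status, ATAS status = (\d+), ES status = (\d+)")

def parse_records(text):
    """Yield one dict per record, even when several records share a line."""
    for m in RECORD.finditer(text):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y %m/%d %H:%M:%S")
        yield rec

def triage(text):
    """Collect the two indicators this article describes, with timestamps."""
    findings = {"atas_http_500": [], "unexpected_status": []}
    for rec in parse_records(text):
        if rec["func"] == "BoostHTTPClient::receive" and "response code=500" in rec["msg"]:
            findings["atas_http_500"].append(rec["ts"])
        status = STATUS.search(rec["msg"])
        if rec["func"] == "ConsolidateESAndATASStatus" and status:
            findings["unexpected_status"].append((rec["ts"], int(status[1]), int(status[2])))
    return findings

# Sample input built from the excerpts above; the last two records are fused
# onto one line, as can happen when a log is copied or exported.
SAMPLE = (
    "2019 05/15 12:30:42[090c : 17f4](00) (E) [][ofcservice.exe]BoostHTTPClient::receive - http response code=500 -[libosfsvcclienthttpclient.cpp(103)]\n"
    "2019 05/15 12:30:42[090c : 17f4](00) (I)[CMDHO2][ofcservice.exe]cmdho2_GetProductServerStatusLog - << -[cmdho2_osf.cpp(820)]\n"
    "2019 05/23 12:24:01 [36dc : 3fec] (00) (I) [libProductLibrary][OfcCMAgent.exe]ConsolidateESAndATASStatus - >>> - [cma_log.cpp(8352)] "
    "2019 05/23 12:24:01 [36dc : 3fec] (00) (D) [libProductLibrary][OfcCMAgent.exe]ConsolidateESAndATASStatus - Unexpected status, ATAS status = 0, ES status = 7 - [cma_log.cpp(8374)]\n"
)

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(name, hits)
```

To check a real server, pass the contents of ofcdebug.log to `triage()` instead of `SAMPLE`.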
To resolve this issue:
- Remove ATAS.
  - Option 1: Using iATASSetup Utility
    - After applying the hot fix / critical patch on the Apex One server, launch a command prompt with administrator privileges and navigate to ...\TrendMicro\OfficeScan\PCCSRV\Admin\Utility\iServicePackage\iATAS\Setup\.
    - Run the following command:
      iATASSetup.exe -uninstallation
      Note that this command only works after applying Hot Fix Build 1141 or later on Apex One.
  - Option 2: Manual Uninstallation
    - Stop the Trend Micro Advanced Threat Assessment Service (or simply run the "sc stop AtasService" command).
    - Launch the Command Prompt as administrator and execute the following command to delete the iATAS service:
      sc delete AtasService
    - Open the Registry Editor and delete the hive HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\iATAS.
    - Open IIS Manager and delete the iATAS server instance (in the following order):
      officescan_iatas virtual directory
      OfficeScan_iATAS_AppPool
    - Navigate to the Apex One directory and delete the iATAS program installation folder ...\Trend Micro\Apex One\iServiceSrv\iATAS\.
- Reinstall Apex One Endpoint Sensor
  - Launch Trend Micro Apex One Installer Maintenance Mode.
  - Select "Install Endpoint Sensor".
For further details, refer to the article on How to install the Apex One Endpoint Sensor after the user has installed Apex One.