UMH is an engine used in several Trend Micro endpoint and server products that supports the enhanced ransomware solution and is installed as a module. It provides API events for other modules, such as Behavior Monitoring, Predictive Machine Learning, etc. Those modules will make decisions according to the provided API events from UMH.
Trend Micro is aware of a potential issue with customers who applied the recently released Microsoft Windows April 2023 Security Updates.
Please note - the following versions of Windows are NOT impacted:
- Windows 11 22H2 only - all other versions of Windows 11 are impacted
- Windows 10 32-bit versions (all)
- Windows 10 1809 (64-bit) only - all other versions of Windows 10 (64-bit) are impacted
- Windows Server 2019. 2016, 2012/2012R2
Impact and Recommendations
Customers who currently use the advanced ransomware protection options of their product are advised to temporarily hold off updating Windows Security Patches until a solution (please see the table below about UMH pattern delivery schedule) is available if possible.
Customers who have already applied the Monthly Security Windows patch on an affected version of Windows may not see any obvious errors such as BSODs, crashes, error messages, or performance impacts - but note that these clients may not have access to advanced protection features such as enhanced ransomware protection until the new UMH pattern is deployed on April 24th. Core functionality of the products (e.g. malware pattern-based protection) will still function as normal.
Solution Update Schedule
Trend Micro has addressed this issue with an updated UMH pattern, released on April 24, 2023:
| Product | Affected Version(s) | Solution |
|---|---|---|
| Apex One *Agent OS Reboot is required after receiving the updated pattern version. | 2019 (On-prem) | Program Inspection Monitoring Pattern (UMH) 293033 |
| Apex One as a Service *Agent OS Reboot is required after receiving the updated pattern version. | SaaS | Program Inspection Monitoring Pattern (UMH) 293033 |
| Deep Security Agent (Including Cloud One - Workload Security) *Agent OS Reboot is required after receiving the updated pattern version. | 20.0 / SaaS | Endpoint Sensor Trusted Pattern (UMH) 281149 |
| Worry-Free Business Security *Agent OS Reboot is required after receiving the updated pattern version. | 10.0 SP1 | Program Inspection Monitoring Pattern (UMH) 293033 |
| Worry-Free Business Security Services *Agent OS Reboot is required after receiving the updated pattern version. | SaaS | Program Inspection Monitoring Pattern (UMH) 293033 |
Verifying UMH Pattern Version
Trend Micro Apex One (including SaaS) and Worry-Free Business Security (including Services) customers can check their UMH pattern version from either Apex Central (server side) or on the agent itself.
Checking from Apex Central:
Checking from Agent Side: on the client agent right click the agent in taskbar > select Component Versions > and verifying the version number under Program Inspection Monitoring
Trend Micro Cloud One - Workload Security and Deep Security customers can verify the version number by logging into the Cloud One or Deep Security Manager (DSM) console > navigate to Administration > Updates > Security > Patterns > verifying the version number under Endpoint Sensor Trusted Pattern