<p>Copyright © April 2020 by Trend Micro Inc. All Rights Reserved.</p>
<p>TREND MICRO™ Apex One AMEA Partner Case Submission Handbook</p>
<p>Document Version 1.5</p>
<p>Prepared by: Alghie Garcia, Jessie Menil, Wilson Salvador</p>
<p>Contributors: Jean Luces, Michelle Ramos, Nickel Xu, Raymond Villafania, Regidor De Guzman</p>
<p>Table of contents</p>
<p>Introduction</p>
<p>What's new</p>
<p>I. Reviewing System Requirements</p>
<p>Pre-deployment</p>
<p>Collecting Basic Information</p>
<p>II. Policy Deployment Process</p>
<p>What happens after a policy is deployed from Apex Central to Apex One Server?</p>
<p>Policy Deployment Triggers</p>
<p>Time needed for policy deployment status to reflect on Apex Central</p>
<p>Apex One Policy vs. Integrated Features</p>
<p>Scenario 1: Default iProduct policy settings</p>
<p>Scenario 2: Apex One server does not have a valid iProduct license</p>
<p>Agent Optimization</p>
<p>General Problem Isolation Testing</p>
<p>III. Apex One Common Issues</p>
<p>A. Server Installation/Upgrade Issues</p>
<p>Troubleshooting Tips</p>
<p>Fresh installation of Server</p>
<p>Upgrade from OfficeScan to Apex One Server</p>
<p>Critical Patch/Hotfix Installation</p>
<p>Logs to collect</p>
<p>Useful links</p>
<p>B. Agent Installation Issues</p>
<p>Troubleshooting Tips</p>
<p>Remnants of old installation</p>
<p>3rd-party AV is installed</p>
<p>Logs to collect</p>
<p>C. Offline Issues</p>
<p>Troubleshooting Tips</p>
<p>Check Server/Agent communication</p>
<p>Identify IIS Issues</p>
<p>TLS Issue</p>
<p>Check License and Configuration</p>
<p>Licensing</p>
<p>Check DB Connection</p>
<p>NAT agents</p>
<p>Logs to collect</p>
<p>D. Agent Upgrade Issues</p>
<p>Troubleshooting Tips</p>
<p>How to check for Server/Agent Communication?</p>
<p>How to review the agent update configuration?</p>
<p>How to check for Mismatched Certificate?</p>
<p>Upgrade File Issue</p>
<p>Review Update Agent Configuration</p>
<p>Unable to upgrade Windows 10</p>
<p>Logs to collect</p>
<p>E. Performance Issues</p>
<p>Troubleshooting Tips</p>
<p>Optimization of System Performance</p>
<p>Disable Windows Defender</p>
<p>Battery Configuration</p>
<p>Logs to collect</p>
<p>F. Web Console Issues</p>
<p>Troubleshooting Tips</p>
<p>Apex One Master Service was stopped</p>
<p>Logs to collect</p>
<p>G. Smart Protection Server (SPS) Issues</p>
<p>Troubleshooting Tips</p>
<p>Unable to Login to SPS console</p>
<p>Unable to Login using Root Password</p>
<p>Changing SPS IP Address</p>
<p>Web Reputation Service (WRS) and File Reputation Service (FRS) shows Unavailable</p>
<p>Best Practice Configuration</p>
<p>Logs to collect</p>
<p>IV. Apex One iProduct Common Issues</p>
<p>server polling settings.</p>
<p>For details about server polling, see Server Polling.</p>
<p>a. If the Apex One server has both an IPv4 and IPv6 address, you can type an IPv4 address range and IPv6 prefix and length.</p>
<p>Type an IPv4 address range if the server is pure IPv4, or an IPv6 prefix and length if the server is pure IPv6.</p>
<p>When any agent's IP address matches an IP address in the range, the agent applies the heartbeat and server polling settings and the server treats the agent as part of the unreachable network.</p>
<p>Note:</p>
<p>o Agents with an IPv4 address can connect to a pure IPv4 or dual-stack Apex One server.</p>
<p>o Agents with an IPv6 address can connect to a pure IPv6 or dual-stack Apex One server.</p>
<p>o Dual-stack agents can connect to dual-stack, pure IPv4, or pure IPv6 Apex One server.</p>
<p>b. In Agents poll the server for updated components and settings every __ minute(s), specify the server polling frequency. Type a value between 1 and 129600 minutes.</p>
<p>Tip:</p>
<p>Trend Micro recommends that the server polling frequency be at least three times the heartbeat sending frequency.</p>
<p>5. Configure heartbeat settings.</p>
<p>For details about the heartbeat feature, see Heartbeat.</p>
<p>a. 
Select Allow agents to send heartbeat to the server.</p>
<p>b. Select All agents or Only agents in the unreachable network.</p>
<p>c. In Agents send heartbeat every __ minute(s), specify how often agents send heartbeat. Type a value between 1 and 129600 minutes.</p>
<p>Server Polling: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-2019-server-online-help/managing-the-product/managing-the-trend_c/client_computer_sing_006/unreachable-client_c/server-polling.aspx#GUID-0AD5C5E3-A461-4097-BA54-EAD79A05DFF4</p>
<p>Heartbeat: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-2019-server-online-help/managing-the-product/managing-the-trend_c/client_computer_sing_006/unreachable-client_c/heartbeat.aspx#GUID-F880E79C-1845-48F6-8DDE-1C78D21BAE01</p>
<p>d. In An agent is offline if there is no heartbeat after __ minute(s), specify how much time without a heartbeat must elapse before the Apex One server treats the agent as offline. 
Type a value between 1 and 129600 minutes.</p>
<p>6. Click Save.</p>
<p>Reference: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-2019-server-online-help/managing-the-product/managing-the-trend_c/client_computer_sing_006/unreachable-client_c/configuring-the-hear.aspx</p>
<p>Information and logs to Collect:</p>
<p>Collect Relevant Information</p>
<p>Get the "number of agents" affected</p>
<p>Select from the list below:</p>
<p>· ALL agents affected.</p>
<p>· only ONE agent is affected</p>
<p>· few or some agents are affected. How many?</p>
<p>Discussion:</p>
<p>· When all agents are offline, this may indicate that the issue is on the server side, or that there is a global network issue in the customer's environment.</p>
<p>· If only one or a few agents are affected, it is possible that the server has no issues and the issue is localized on the agent side.</p>
<p>Get the Operating System of the affected machines</p>
<p>· Verify if the issue affects a specific version of the Operating System (e.g. Windows 10)</p>
<p>Get Apex One Information</p>
<p>Check the current version and build number:</p>
<p>A. Through UI:</p>
<p>1. Access web console > Help > About</p>
<p>B. 
Through registry:</p>
<p>HKLM\SOFTWARE\TrendMicro\OfficeScan\service\Information</p>
<p>Get the "latest changes done" on the environment</p>
<p>Check what recent changes were made prior to the issue:</p>
<p>· Applied a Critical Patch/Hotfix</p>
<p>· Change in TLS configuration</p>
<p>· Change network configuration</p>
<p>Get the Firewall/Proxy Configuration</p>
<p>Check with the Network Team for any firewall/proxy configuration between the server and agents</p>
<p>Logs to be collected</p>
<p>From Apex One Server</p>
<p>- CDT Logs</p>
<p>· What to check when running CDT Tool?</p>
<p>§ Basic Information</p>
<p>§ Functionality</p>
<p>§ Update & Deployment</p>
<p>§ Enterprise Firewall</p>
<p>· How to replicate issue for Offline agents?</p>
<p>- If CDT is not working:</p>
<p>· Manual debug log</p>
<p>· How to replicate issue for Offline agents?</p>
<p>· Application and System Event Logs</p>
<p>· Latest Verconn.log (…\PCCSRV\Log)</p>
<p>· Backup copy of Registry</p>
<p>- Collect Wireshark logs</p>
<p>For steps in gathering Wireshark logs: https://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/</p>
<p>From the affected machine</p>
<p>- CDT Logs</p>
<p>· What to check when running CDT Tool?</p>
<p>§ Basic Information</p>
<p>§ Connectivity Issue</p>
<p>§ Enterprise Firewall Issue</p>
<p>§ Update/Deployment Issue</p>
<p>· How to replicate issue for Offline agents?</p>
<p>- If CDT is not working, collect the following:</p>
<p>· Manual debug</p>
<p>· How to replicate issue for Offline agents?</p>
<p>· Application and System Event Logs</p>
<p>· Latest Connection logs (…\Security Agent\ConnLog)</p>
<p>· Latest Verconn.log (…\PCCSRV\Log)</p>
<p>· Backup copy of Registry</p>
<p>- Collect Wireshark logs</p>
<p>For steps in gathering Wireshark logs: https://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/</p>
<p>D. 
Agent Upgrade Issues</p>
<p>In this section, we discuss troubleshooting steps for outdated agents.</p>
<p>Troubleshooting Tips</p>
<p>Listed are the consolidated troubleshooting steps:</p>
<p>1. Checking of Server/Agent Communication</p>
<p>2. Reviewing Update Configuration</p>
<p>3. Checking for Mismatched Certificate</p>
<p>4. Upgrade File Issue</p>
<p>5. Checking for Update Agent Configuration</p>
<p>6. Unable to upgrade Windows 10</p>
<p>If issues are not resolved after performing the provided troubleshooting tips, collect the recommended logs and file a case with Trend Micro Support.</p>
<p>How to check for Server/Agent communication?</p>
<p>1. Test if server is reachable from the client and vice versa</p>
<p>Access the following URL from the outdated agent using Internet Explorer:</p>
<table>
<tr><th>URL</th><th>Expected Result (This means OSCE server is reachable)</th></tr>
<tr><td>https://<OSCE_Server>:<Master_SSLPort>/officescan/cgi/isapiClient.dll (ex: https://10.205.0.20:4343/officescan/cgi/isapiClient.dll)</td><td>Expected feedback from browser: -1</td></tr>
<tr><td>https://<OSCE_Server>:<Master_SSLPort>/officescan/download/server.ini</td><td>Expected feedback from browser: display server.ini content or pop-up file save notification</td></tr>
<tr><td>https://<OSCE_Server>:<Server_Port>/officescan/cgi/cgionstart.exe (ex: https://10.205.0.20:4343/officescan/cgi/cgionstart.exe)</td><td>Expected feedback from browser: -2</td></tr>
</table>
<p>Access the following URL from the Apex One Server using Internet Explorer:</p>
<table>
<tr><th>URL</th><th>Expected Result (This means OSCE server is reachable)</th></tr>
<tr><td>https://<agent's IP address>:<local server port>/?CAVIT (ex: https://10.205.0.20:12345/?CAVIT)</td><td>Expected feedback from browser: a page with a string of text starting with !CRYPT! should appear.</td></tr>
</table>
<p>2. 
Check the status of the agent: online/offline and internal/external</p>
<p>Make sure that the machines are showing as online and internal</p>
<p>1. To verify the agent status: Open the web console, go to Agents > Agent Management, search for the target agent, and check the connection status column</p>
<p>2. To verify the agent location:</p>
<p>§ Open the agent console</p>
<p>· Right-click the agent icon on the system tray and click Open Security Agent Console</p>
<p>§ Click the lower right icon as shown below</p>
<p>3. If agent is offline, see Offline Troubleshooting.</p>
<p>How to review the agent update configuration?</p>
<p>To upgrade the endpoint, ensure that you configure the following setting.</p>
<p>1. Go to Agents > Agent Management.</p>
<p>2. Click the Settings > Privileges and Other Settings > Other Settings tab.</p>
<p>3. Go to the Update Settings section.</p>
<p>4. In the Security Agents only update the following components dropdown, select "All components (including hotfixes and the agent program)".</p>
<p>5. Click Apply to All Agents or target group of Agents</p>
<p>6. Check the agent registry to verify if the settings are applied:</p>
<p>[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]</p>
<p>"NoProgramUpgrade"=dword:00000000</p>
<p>How to check for mismatched certificate?</p>
<p>To check if the server and agent have mismatched certificates:</p>
<p>A. On Apex One Server:</p>
<p>1. Go to <installation folder>\PCCSRV\Pccnt\Common\</p>
<p>2. Look for OfcNTCer.dat</p>
<p>3. Create a copy and change file extension to .cer</p>
<p>4. Click on the file then go to the Details tab.</p>
<p>5. Check Serial Number/Thumbprint</p>
<p>B. On affected agent:</p>
<p>1. Go to <installation>\Trend Micro\Security Agent\</p>
<p>2. Look for OfcNTcer.dat</p>
<p>3. Create a copy and change file extension to .cer</p>
<p>4. Click on the file then go to the Details tab.</p>
<p>5. Check Serial Number/Thumbprint</p>
<p>C. 
If the certificates are mismatched, you can copy the OfcNTcer.dat from the Apex One server to the affected machine</p>
<p>1. After doing so, you can try to upgrade the agents to see if it will be successful</p>
<p>To further troubleshoot certificate issues, see the link below:</p>
<p>Title: Troubleshooting certificate-related issues in OfficeScan (OSCE)</p>
<p>Summary: This article provides information about common certificate-related issues that occur on either the OSCE agent or server</p>
<p>See KB1117028 for further details: https://success.trendmicro.com/solution/1117028</p>
<p>How to check for agent program upgrade file issue (newpnt.zip/newpx64.zip)?</p>
<p>This issue occurs when the files newpnt.zip and newpx64.zip, which are for "main program upgrade" on the "update agent", contain some legacy files.</p>
<p>A. On the Apex One server, download newpnt.zip and newpx64.zip under "C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Download\".</p>
<p>B. On each "update agent", please perform the actions below.</p>
<p>1. Check if the following files are included in the newpnt.zip and newpx64.zip.</p>
<p>bspatch.exe</p>
<p>bzip2.exe</p>
<p>libMsgUtilExt.mt.dll</p>
<p>msvcm80.dll</p>
<p>msvcp80.dll</p>
<p>msvcr80.dll</p>
<p>2. If yes, then unload the agent</p>
<p>3. Replace newpnt.zip and newpx64.zip with the files that you downloaded from the server (step A).</p>
<p>4. Reload the agent</p>
<p>How to check if customer is using Update Agent? How to check Update Agent Configuration?</p>
<p>To check for Update Agents and their configuration:</p>
<p>a. Go to Updates > Agents > Update Source</p>
<p>b. Check if the Update Agent Settings are correctly configured</p>
<p>c. Check if the Update Agents are using HTTPS connection as well</p>
<p>d. Make sure that the Update Agents are updated</p>
<p>i. Check the activeupdate folder of the specific Update Agent</p>
<p>ii. Update Agents are online and communication to and from the normal</p>
<p>e. 
Check if the Update Agent is allowed to deploy components. Check registry to verify privilege of Update Agent</p>
<p>Location: HKLM\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\UpdateAgent</p>
<p>1: Component Update</p>
<p>2: Domain Settings</p>
<p>3: Component Update and Domain Settings</p>
<p>4: Client Program and Hotfixes</p>
<p>5: Agent Program and Hotfixes and Component Updates</p>
<p>6: Domain settings, and Client Program and Hotfixes</p>
<p>7: All Privileges</p>
<p>f. Check where the agent is downloading the hotfix:</p>
<p>Location: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]</p>
<p>"RelayClientGetHotfixFrom"="https://server:port"</p>
<p>How to check issue on upgrading Windows 10 due to unsupported version of Apex One Agent?</p>
<p>Microsoft has changed the upgrade process for Windows with its Windows 10 OS. Instead of a new version of Windows every few years, they now provide a full feature upgrade approximately every 6 months.</p>
<p>We recommend holding off on updating Windows to the new release until after the Apex One agents have applied the appropriate patch, as doing so beforehand may result in incompatibilities. 
Incompatibilities may include performance issues, program crashes, and even system BSoDs.</p>
<p>Please refer to the table below for the list of compatible Apex One versions:</p>
<table>
<tr><th>Windows 10 version</th><th>Apex One</th><th>Apex One as a Service</th></tr>
<tr><td>Initial Windows 10</td><td>Any Apex One version</td><td>Any Apex One SaaS version</td></tr>
<tr><td>Windows 10 RS1 (1607) - Anniversary Update</td><td>Any Apex One version</td><td>Any Apex One SaaS version</td></tr>
<tr><td>Windows 10 RS2 (1703) - Creators Update</td><td>Any Apex One version</td><td>Any Apex One SaaS version</td></tr>
<tr><td>Windows 10 RS3 (1709) - Fall Creators Update</td><td>Any Apex One version</td><td>Any Apex One SaaS version</td></tr>
<tr><td>Windows 10 RS4 (1803) - April 2018 Update</td><td>Any Apex One version</td><td>Any Apex One SaaS version</td></tr>
<tr><td>Windows 10 RS5 (1809) - October 2018 Update</td><td>Any Apex One version</td><td>Any Apex One SaaS version</td></tr>
<tr><td>Windows 10 RS6 (1903) - May 2019 Update</td><td>Apex One CP 1132 or higher</td><td>Any Apex One SaaS version</td></tr>
<tr><td>Windows 10 (19H2/1909) - November 2019 Update</td><td>Apex One Patch 1 Build 2087 or higher</td><td>Any Apex One SaaS version</td></tr>
</table>
<p>Windows 10 release information: https://docs.microsoft.com/en-us/windows/windows-10/release-information</p>
<p>Apex One Patch 1 Build 2087: https://files.trendmicro.com/products/Apex One/2019/apex_one_2019_patch1_win_en_b2087.exe</p>
<p>Information and logs to Collect:</p>
<p>Collect Relevant Information</p>
<p>Get the "number of agents" affected</p>
<p>Select from the list below:</p>
<p>· ALL agents affected.</p>
<p>· only ONE agent is affected</p>
<p>· few or some agents are affected. How many?</p>
<p>Get the Operating System of the affected machines</p>
<p>· Verify if the issue affects a specific version of the Operating System (e.g. Windows 10)</p>
<p>Get Apex One Information</p>
<p>Check the current version and build number:</p>
<p>A. Through UI:</p>
<p>1. Access web console > Help > About</p>
<p>B. 
Through registry:</p>
<p>HKLM\SOFTWARE\TrendMicro\OfficeScan\service\Information</p>
<p>Get the "latest changes done" on the environment</p>
<p>Check what recent changes were made prior to the issue:</p>
<p>· Applied a Critical Patch/Hotfix</p>
<p>· Change Update Agent Settings</p>
<p>· Change network configuration</p>
<p>Logs to be collected</p>
<p>From Apex One Server</p>
<p>- CDT Logs</p>
<p>· What to check when running CDT Tool?</p>
<p>§ Basic Information</p>
<p>§ Upgrade & Patch & Hotfix</p>
<p>§ Functionality</p>
<p>§ Update & Deployment</p>
<p>§ Enterprise Firewall</p>
<p>· How to replicate issue for outdated agents?</p>
<p>- If CDT is not working:</p>
<p>· Manual debug log</p>
<p>· How to replicate issue for outdated agents?</p>
<p>· Ous.ini (….\PCCSRV)</p>
<p>· Backup copy of Registry</p>
<p>From the affected machine</p>
<p>- CDT Logs</p>
<p>· What to check when running CDT Tool?</p>
<p>§ Basic Information</p>
<p>§ Connectivity Issue</p>
<p>§ Enterprise Firewall Issue</p>
<p>§ Update/Deployment Issue</p>
<p>· How to replicate issue for outdated agents?</p>
<p>- If CDT is not working, collect the following:</p>
<p>· Manual debug</p>
<p>· How to replicate issue for outdated agents?</p>
<p>· Tmudump.txt (…\Security Agent\AU_Data\AU_Log)</p>
<p>· Upgrade log (…\Security Agent\Temp)</p>
<p>· Backup copy of Registry</p>
<p>If customer is using Update Agents</p>
<p>- CDT Logs</p>
<p>· What to check when running CDT Tool?</p>
<p>§ Basic Information</p>
<p>§ Connectivity Issue</p>
<p>§ Enterprise Firewall Issue</p>
<p>§ Update/Deployment Issue</p>
<p>· How to replicate issue for outdated agents?</p>
<p>- If CDT is not working, collect the following:</p>
<p>· Manual debug</p>
<p>· How to replicate issue for outdated agents?</p>
<p>· Tmudump.txt (…\Security Agent\AU_Data\AU_Log)</p>
<p>· Upgrade log (…\Security Agent\Temp)</p>
<p>· Backup copy of Registry</p>
<p>E. 
Performance Issues</p>
<p>In this section, we discuss troubleshooting steps for performance-related issues.</p>
<p>Troubleshooting Tips</p>
<p>Listed are the consolidated troubleshooting steps:</p>
<p>1. Optimization of System Performance</p>
<p>2. Disable Windows Defender</p>
<p>3. Battery Configuration</p>
<p>4. Optimization of Apex One agent</p>
<p>If issues are not resolved after performing the provided troubleshooting tips, collect the recommended logs and file a case with Trend Micro Support.</p>
<p>How to optimize the system performance?</p>
<p>This section provides information on the number of supported agents depending on enabled features.</p>
<p>· The sizing data below is for reference only. It is possible for Apex One to manage more than the upper bound recommendation below if using higher spec machines. Customers can gradually increase the number of endpoints while observing the server performance data. The actual sizing limit can vary depending on product configurations and customer environment factors.</p>
<p>· The sizing data below takes into consideration that both Vulnerability Protection and Application Control features are enabled.</p>
<p>· Apex One is expected to provide a comparable experience running on the same hardware as OfficeScan XG if the new advanced features (i.e. Vulnerability Protection, Endpoint Sensor, Application Control) are not enabled.</p>
<p>· Gigabit Network Interface Card (NIC) required</p>
<p>How to disable Windows Defender?</p>
<p>Running Apex One and Windows Defender on the same machine can lead to the following effects:</p>
<p>• Slow login</p>
<p>• Application lockup</p>
<p>• Machine unresponsiveness/hang</p>
<p>Using the Security Center will disable Windows Defender temporarily. This means that if your computer appears to be at risk, Windows Defender can turn itself back on automatically. 
Hence, please edit using the registry. This will turn off Windows Defender for good until you manually turn it back on again.</p>
<p>Note: Always back up the whole registry before making any modifications. Incorrect changes to the registry can cause serious system problems.</p>
<p>1. Open the registry.</p>
<p>2. Browse to the path below.</p>
<p>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender</p>
<p>3. Right-click on the Windows Defender folder, select 'New' on the drop-down menu and choose 'DWORD (32-bit) Value'</p>
<p>Only do this if you do not see DisableAntiSpyware in the folder. If you do see it, you can skip to step 5</p>
<p>4. Name it DisableAntiSpyware and hit Enter</p>
<p>A new item will appear in the folder, with the text highlighted. Delete the current text and type in 'DisableAntiSpyware.' Then press Enter. The item should now be saved in the folder</p>
<p>5. Double click DisableAntiSpyware and change '0' to '1'</p>
<p>Double-click on the new DisableAntiSpyware item. A window will pop up to edit the DWORD. In the 'Value data' field, enter '1.' Click 'OK.'</p>
<p>6. Restart your machine.</p>
<p>Restart your Windows device to apply the new edits. Your Windows Defender should now be permanently disabled</p>
<p>Note: If you do want to turn on Windows Defender in the future, follow steps 1-2, and then right-click on 'DisableAntiSpyware' and select 'Delete.' A warning will appear; click 'Yes.' Restart your computer. Windows Defender should now be turned back on.</p>
<p>How to configure battery high performance?</p>
<p>Steps on how to configure battery high performance:</p>
<p>1. Press the Windows + R keys to open the Run dialog box.</p>
<p>2. Type in the following text, and then press Enter: powercfg.cpl</p>
<p>3. 
In the Power Options window, under Select a power plan, choose High Performance</p>
<p>Note: If you do not see the High Performance option, click the down arrow next to Show additional plans.</p>
<p>On Windows XP: In the Power Options Properties dialog box, under the Power Schemes tab, choose the power scheme as Always On. If available, change the System standby and System hibernates settings to Never.</p>
<p>4. Click Save changes or click OK</p>
<p>Information and logs to Collect:</p>
<p>Collect Relevant Information</p>
<p>Get the "number of agents" affected</p>
<p>Select from the list below:</p>
<p>· ALL agents affected.</p>
<p>· only ONE agent is affected</p>
<p>· few or some agents are affected. How many?</p>
<p>Get the Operating System of the affected machines</p>
<p>· Verify if the issue affects a specific version of the Operating System (e.g. Windows 10)</p>
<p>Get Apex One Information</p>
<p>Check the current version and build number:</p>
<p>A. Through UI:</p>
<p>1. Access web console > Help > About</p>
<p>B. Through registry:</p>
<p>HKLM\SOFTWARE\TrendMicro\OfficeScan\service\Information</p>
<p>Get the "latest changes done" on the environment</p>
<p>Check what recent changes were made prior to the issue:</p>
<p>· Applied a Critical Patch/Hotfix</p>
<p>· Change Update Agent Settings</p>
<p>· Change network configuration</p>
<p>Logs to be collected</p>
<p>Check what recent changes were made prior to the issue:</p>
<p>o Collect Windows Performance Recorder (WPR)</p>
<p>o Collect Windows Dump Files</p>
<p>o Collect Procdump logs</p>
<p>F. Web Console Issues</p>
<p>In this section, we discuss common issues regarding the Apex One web console.</p>
<p>Troubleshooting Tips</p>
<p>Listed are the consolidated troubleshooting steps:</p>
<p>1. 
Apex One Master Service was stopped</p>
<p>If issues are not resolved after performing the provided troubleshooting tips, collect the recommended logs and file a case with Trend Micro Support.</p>
<p>How to troubleshoot when web console is showing this error "Apex One Master Service was stopped because SQL Server is unavailable"?</p>
<p>A sample error you might encounter in accessing your web console is regarding the SQL Server being unavailable:</p>
<p>A. Check Apex One server's connectivity to the SQL database</p>
<p>1. Verify if the Apex One Server can connect to the SQL database by creating a data link (UDL) file:</p>
<p>a. Open Notepad.</p>
<p>b. Click File > 'Save As'.</p>
<p>c. Select 'Desktop' as the location.</p>
<p>d. Enter File Name 'SQL Test.udl'.</p>
<p>e. Select 'All Files' as the 'Save as type'.</p>
<p>f. Click Save.</p>
<p>g. Go to Desktop and right-click the file 'SQL Test.udl', then select 'Properties'.</p>
<p>h. Go to the 'Connection' tab.</p>
<p>i. Under 'Select or enter a server name', type the SQL Database server which hosts your Apex One Database</p>
<p>Note: If you don't know the server name of the SQL database used by the Apex One server, open the ofcserver.ini from the Apex One server folder: ..Trend Micro\Apex One\PCCSRV\Private. Search for '[DBServer]' and the server name of the SQL database is the value of 'Server=':</p>
<p>j. Enter the username and password for the SQL account. Afterwards, select the database name of the Apex One server, and click 'Test Connection'.</p>
<p>k. If the Result = 'Test connection succeeded', it means that the Apex One Server can successfully connect to the SQL database. If you are still unable to log in to the Apex One console, proceed to step # 2</p>
<p>l. If the Result = 'Login failed for user xxxxx', this means that the SQL credentials you entered are incorrect. 
Check with the SQL admins for the correct username/password.</p><p>m. If the Result = ‘[DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied’, this means that the Apex One server cannot connect to the SQL server or the SQL server is down. Check with the network team for the network connection and/or check with the SQL Database admins if the SQL services are running.</p><p>2. If there are some changes to the SQL account used by the Apex One server to connect to the SQL database, update the account information by using the ‘SqlTxfr’ Tool:</p><p>a. Go to Apex One folder ..Trend Micro\Apex One\PCCSRV\Admin\Utility\SQL</p><p>b. Right click ‘SqlTxfr.exe’ and select ‘Run as Administrator’</p><p>c. Enter the ‘Server Name’, correct SQL Username/Password and the Database Name.</p><p>d. Click ‘Test Connection’ before proceeding</p><p>e. If there are no errors encountered, click ‘Start’ and select ‘Yes’ on the prompt that will appear.</p><p>f. Select ‘Yes’ to confirm application of new connection settings</p><p>g. Exit the program once done</p><p>3. Restart the Apex One Master Service and try to access the Apex One web console again.</p><p>Information and logs to Collect:</p><p>Collect Relevant Information</p><p>Get Server Information: Verify OS Type, Service Pack, and Microsoft Hotfixes installed</p><p>Get SQL Information: Check the SQL Server version and authentication used</p><p>Get Apex One Information</p><p>Check the current version and build number:</p><p>A. Through UI:</p><p>1. Access web console > Help > About</p><p>B. 
Through registry:</p><p>HKLM\SOFTWARE\TrendMicro\OfficeScan\service\Information</p><p>Logs to be collected</p><p>From Apex One Server</p><p>- CDT Logs</p><p>· What to check when running CDT Tool?</p><p>§ Basic Information</p><p>§ Functionality</p><p>§ Update & Deployment</p><p>§ Enterprise Firewall</p><p>- If CDT is not working:</p><p>· Manual debug log</p><p>· Application and System Event Logs</p><p>· Diagnostic Log</p><p>· UI Network Traffic Log</p><p>· Backup copy of Registry</p><p>· Ofcserver.ini (PCCSRV\Private)</p><p>· IIS Logs</p><p>· Folder C:\Windows\System32\inetsrv\config\</p><p>G. Smart Protection Server (SPS) Issues</p><p>This section discusses common issues with Apex One's Smart Protection Sources.</p><p>Troubleshooting Tips</p><p>Listed are the consolidated troubleshooting steps:</p><p>1. Unable to Login to SPS console</p><p>2. Unable to Login using Root Password</p><p>3. Changing SPS IP Address</p><p>4. Web Reputation Service (WRS) and File Reputation Service (FRS) shows Unavailable</p><p>If issues are not resolved after performing the provided troubleshooting tips, collect the recommended logs and file a case with Trend Micro Support.</p><p>Troubleshooting unable to login to SPS console</p><p>You are unable to log in to the SPS console and you get the error "Insufficient free disk space".</p><p>The issue occurs because the SPS web service keeps crashing and generates too many core dumps when Predictive Machine Learning (PML) service requests are heavy.</p><p>To resolve this issue, do the following:</p><p>Important: Open SPS CLI to issue the commands in steps 1 to 3.</p><p>1. Execute the following command to stop the lighttpd service:</p><p>service lighttpd stop</p><p>2. Execute the following command to clear the core dumps:</p><p>rm -f /var/coredumps/*</p><p>3. Execute the following command to start the lighttpd service:</p><p>service lighttpd start</p><p>4. 
Verify if the SPS Web console is now accessible.</p><p>5. Apply the SPS Critical Patch based on your SPS version:</p><p>For SPS 3.1 - SPS 3.1 Critical Patch Build 1064: http://files.trendmicro.com/tmsps/3.1/CP/1064/TMSPS-31-linux-MUI-criticalpatch-B1064.zip</p><p>For SPS 3.2 - SPS 3.2 Critical Patch Build 1090: http://files.trendmicro.com/tmsps/3.2/CP/1090/TMSPS-32-linux-MUI-criticalpatch-B1090.zip</p><p>For SPS 3.3 - SPS 3.3 Critical Patch Build 1076: http://files.trendmicro.com/tmsps/3.3/CP/1076/TMSPS-33-linux-MUI-criticalpatch-B1076.zip</p><p>Troubleshooting unable to login using "root" password</p><p>To reset the root password on the SPS server:</p><p>1. Restart the server.</p><p>2. Interrupt the boot process by pressing the Space Bar when the Grub menu appears.</p><p>3. Press ‘e’ to edit the selected item (i.e. ‘Trend Micro Smart Protection Server (3.10.0-693.2.2.el7.x86_64) 3’).</p><p>4. Scroll down and delete the line “ro crashkernel=auto rd.lvm.lv=sps/root rd.lvm.lv=sps/swap rhgb quiet”.</p><p>5. Delete “rhgb quiet” and type in “rw init=/sysroot/bin/sh”.</p><p>Note: The key to this step is to not remove the LVM/DISK LABELS or the boot will fail.</p><p>6. Press Ctrl-X to start.</p><p>7. Access the system with the command: chroot /sysroot and then press Enter.</p><p>8. Type passwd and create a new password for your root account.</p><p>9. Execute “exit” to terminate the chroot state started in step 7, or the reboot commands will not work.</p><p>Note: Both the “init 6” and “reboot” commands work after “exit”, but “shutdown -r now” will not work in this mode.</p><p>10. Reboot the server</p><p>How to change SPS IP address?</p><p>At SPS3.3, you must change "/etc/issue" also to have the IP shown on CLI changed.</p><p>Here are the complete steps to change IP address:</p><p>1. Logon SPS via CLI with "root" account.</p><p>2. 
Type the below command to change SPS IP address.</p><p>/etc/trend/svanetwork set ethernet static "<new IP address>" "<subnet mask>" "<gateway IP address>" "<vlan ID>"</p><p>Note:</p><p>The parameters of svanetwork after "ethernet":</p><p>"static": To set static IP</p><p>"<new IP address>": The static IP address for this TMSPS server.</p><p>"<subnet mask>": Subnet mask</p><p>"<gateway IP address>": Gateway route IP address</p><p>"<vlan ID>": The ID of the VLAN. Default set to "0".</p><p>Example:</p><p>/etc/trend/svanetwork set ethernet static "192.168.0.1" "255.255.255.0" "192.168.0.254" "0"</p><p>3. Run the following command to change the IP in "/etc/issue". Skip this step on versions before 3.3.</p><p>sed -i 's/<old IP address>/<new IP address>/g' /etc/issue</p><p>Example:</p><p>sed -i 's/192.168.0.224/192.168.0.1/g' /etc/issue</p><p>4. Reboot SPS</p><p>5. Verify the IP on the CLI welcome page and the connection</p><p>Web Reputation and File Reputation Services</p><p>The Standalone SPS Console shows an X mark in both File Reputation and Web Reputation Services. The following error also appears in the Reputation Service Log:</p><p>Cannot read monitor.ini configuration file. Verify the file exists or check the permissions.</p><p>This issue causes the Smart Scan agents to get a "Smart Scan Unavailable" error or a "Connecting" status since the Apex One server’s update source is the Standalone SPS.</p><p>1. Log on to SPS Server and go to /var/tmcss/conf directory using the following command:</p><p>cd /var/tmcss/conf</p><p>2. Check if the monitor.ini file exists using the ls command.</p><p>The following shows the monitor.ini file does not exist:</p><p>If the file does not exist, there are 2 options to resolve it.</p><p>Option 1: Recreate the monitor.ini</p><p>Option 2: Copy the monitor.ini from a working SPS Server with the same version. 
(If no other SPS server is available, it can be requested from Technical Support)</p><p>Option 1: Recreate the monitor.ini file</p><p>1. Log on to the SPS server as Administrator.</p><p>2. Stop the SPS service – lighttpd</p><p>3. Using cd, run the following command then hit Enter.</p><p>cd /var/tmcss/conf</p><p>4. Create the monitor.ini file using touch command then hit Enter:</p><p>touch monitor.ini</p><p>5. Using the ls command, verify if the file has been created then hit Enter.</p><p>ls -lrt monitor.ini</p><p>Note: The monitor.ini should have 0 file size.</p><p>6. Change the ownership of the file to webserv using the following command then hit Enter.</p><p>chown webserv:webserv monitor.ini</p><p>7. Using ls, execute the following command then hit Enter. Verify the ownership and file size.</p><p>Notice that the file size is now at 107 and the owner is webserv.</p><p>8. Start the lighttpd service under /var/tmcss directory then hit Enter.</p><p>service lighttpd start</p><p>Option 2: Copy the monitor.ini file from a working SPS Server.</p><p>Important: The Source SPS Server Version should be the same as the affected SPS Server.</p><p>1. At the Source SPS Server, stop the lighttpd service using the following command.</p><p>service lighttpd start</p><p>2. Log in again to the SPS console. 
File Reputation and Web Reputation should now have check marks next to them.</p><p>Best Practice Configuration</p><p>Ensure all SPS URLs are allowed in firewall:</p><p>Pattern Update https://slspn30-p.activeupdate.trendmicro.com/activeupdate/</p><p>https://slspn30wr-p.activeupdate.trendmicro.com/activeupdate/</p><p>https://slspn30wrcom-p.activeupdate.trendmicro.com/activeupdate/</p><p>https://slspn30wrnewd-p.activeupdate.trendmicro.com/activeupdate/</p><p>Smart Feedback https://tmsps300-en.fbs20.trendmicro.com:443/</p><p>Smart Protection Proxy</p><p>https://tmsps30p2-en-wis.trendmicro.com</p><p>http://tmsps300-en.census.trendmicro.com</p><p>http://tmsps330-en-domaincensus.trendmicro.com</p><p>https://grid-global.trendmicro.com</p><p>https://rest.mars.trendmicro.com</p><p>http://tmsps30-en.grid-gfr.trendmicro.com</p><p>How to enable TLS 1.2 support in Smart Protection Server</p><p>Enabling TLS 1.2 on SPS 3.3. This would disable SSL 2.0 and SSL 3.0.</p><p>Important: TLS 1.2 can only be enabled by turning on supported ciphers. The instructions below cover TLS 1.2 supported ciphers only.</p><p>Customers who adopt this instruction are advised to test compatibility with browsers and applications in a staging environment first.</p><p>Important: SPS version 3.1 or later is required.</p><p>1. Log in to command shell.</p><p>2. Execute the following command:</p><p>vi /etc/lighttpd/lighttpd.conf</p><p>3. Replace the existing "var.ssl-cipher-list" line with var.ssl-cipher-list = "TLSv1.2:!eNULL:!aNULL".</p><p>4. Save and exit vi interface.</p><p>5. 
Execute the following command:</p><p>service lighttpd restart</p><p>After applying the changes, SPS web console and Smart Scan will be limited to use TLS 1.2 only.</p><p>Information and logs to Collect:</p><p>Collect Relevant Information</p><p>Get Server Information: Verify OS Type, SPS Version and Build Version</p><p>Through UI:</p><p>1. Access SPS web console > Help > About</p><p>Get Apex One Information: Check the current version and build number:</p><p>A. Through UI:</p><p>1. Access web console > Help > About</p><p>B. Through registry:</p><p>HKLM\SOFTWARE\TrendMicro\OfficeScan\service\Information</p><p>Get the "latest changes done" on the environment</p><p>Check what are the recent changes done prior to the issue:</p><p>· Applied a Critical Patch/Hotfix</p><p>· Change in TLS configuration</p><p>· Change network configuration</p><p>Get the Firewall/Proxy Configuration</p><p>Check with the Network Team for any firewall/proxy configuration between the server and agents</p><p>Logs to be collected</p><p>From iSPS Server: Collect CDT on Apex One Server.</p><p>· What to check when running CDT Tool?</p><p>§ Basic Information</p><p>§ Functionality</p><p>§ Update & Deployment (if involving updating the server, agent)</p><p>§ Enterprise Firewall</p><p>From SPS Server: To collect CDT from SPS Server:</p><p>A. Through Web Console:</p><p>o Access Web Console > Administration > Support > Click "Start". Upload the .tar.gz file to Technical Support for further analysis.</p><p>B. Through CLI</p><p>o If unable to login to console and can't collect CDT from console, follow the instructions on How to debug from SPS Server CLI?</p><p>IV. 
Apex One iProduct Common Issues</p><p>This section discusses troubleshooting common issues on Apex One Integrated Products (iProducts):</p><p>o Apex One Endpoint Sensor (iES)</p><p>o Apex One Application Control (iAC)</p><p>o Apex One Vulnerability Protection (iVP)</p><p>o Apex One Data Loss Prevention (iDLP)</p><p>o Apex One (Mac)</p><p>iProduct Action Code (AC) guide</p><p>AC Key Types Apex Central</p><p>Apex One Apex One (Mac)</p><p>AV,iDLP,VDI iES iAC iVP Apex One (Mac) iES</p><p>New Key Apex One Full Feature (Windows & Mac) o o o o o</p><p>Apex One Endpoint Sensor o o</p><p>Legacy Keys (Stand alone products)</p><p>TMCM Advanced o</p><p>OSCE o</p><p>TMVP o</p><p>TMEAC o</p><p>TMES o o</p><p>TMSM o</p><p>Activation Key Types Entitlement Scope</p><p>Trend Micro Control Manager (TMCM): AC will still work on Apex Central</p><p>Apex One Full Feature: Covers all Apex One 2019 features except for Apex One Endpoint Sensor (iES) & Apex One Sandbox as a Service. Please contact TM Sales to purchase add-on features.</p><p>Apex One Endpoint Sensor: Covers Apex One Endpoint Sensor feature for both Apex One & Apex One (Mac)</p><p>Trend Micro Endpoint Application Control (TMEAC): AC will work on Apex One to activate Application Control Integration (iAC) feature but must be deployed via Apex Central</p><p>Trend Micro Vulnerability Protection (TMVP): AC will work on Apex One to activate Vulnerability Protection integration (iVP) feature but must be deployed via Apex Central</p><p>Trend Micro Endpoint Sensor (TMES): AC will work on Apex One to activate Endpoint Sensor (iES) feature but must be deployed via Apex Central</p><p>A. Apex One Endpoint Sensor (iES)</p><p>Installation of Apex One Endpoint Sensor</p><p>a. It can be installed during the installation of Apex One Server.</p><p>b. 
If user opted to skip the process of installing Endpoint Sensor during the installation of Apex One server, iES can be installed through Maintenance mode: https://success.trendmicro.com/intkb/solution/1123009</p><p>How to verify if Endpoint Sensor (iES) is installed correctly?</p><p>Installation logs</p><p>o C:\windows\TMESSetupDebug.log</p><p>o C:\windows\iATASSetupDebug.log</p><p>o C:\windows\OFCMAS.log</p><p>Endpoint Sensor Files</p><p>o <installation path>\Trend Micro\Apex One\iServiceSrv\iES</p><p>o <installation path>\Trend Micro\Apex One\iServiceSrv\iATAS</p><p>Review iES related Services</p><p>· Trend Micro Endpoint Sensor Service: Service Status: stopped (not activated yet)</p><p>· Trend Micro Advanced Threat Assessment Service: AtasService status: stopped (not activated yet)</p><p>Endpoint Sensor Application Pool</p><p>o OfficeScan_iATAS_AppPool</p><p>o OfficeScan_iESAgent_AppPool</p><p>o OfficeScan_iESConsole_AppPool</p><p>Endpoint Sensor IIS Sites</p><p>o OfficeScan > officescan_iesagent</p><p>o OfficeScan > officescan_iesconsole</p><p>o OfficeScan > officescan_iatas</p><p>Below are common reasons why iES installation fails:</p><p>A. Installation Failed due to iES database:</p><p>· Check the installation logs C:\Windows\TMESSetupDebug.log</p><p>log snippet:</p><p>Initializing deployment (Start)</p><p>Intializing deployment (Failed)</p><p>, StdErr=**** Could not deploy package. Unable to connect to master or target server 'OSCE-ApexOne-iES'. You myst have a user with the</p><p>05-02 17:54:57 [1] ERROR - [UpgradeDB] [Agent Storage] Setup DB failed. 
[SqlComponent.cs - (89)]</p><p>05-02 17:54:57 [1] DEBUG - after install -1</p><p>05-02 17:54:57 [1] ERROR - Install::InstallPlugins() - Failed to install plugin</p><p>05-02 17:54:57 [1] INFO - 801</p><p>05-02 17:54:57 [1] DEBUG - -------Done-------</p><p>· Send the installation log to support</p><p>B. Installation Failed due to FIPS enabled:</p><p>· It is a known issue that iES cannot be installed if FIPS is enabled</p><p>· Check the installation log C:\Windows\TMESSetupDebug.log</p><p>log snippet:</p><p>ERROR - System. Invalid OperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptograpy.RijndaelManaged..ctor() at Cryptography.AesProvider.AesEnryptTransforms(String key, String iv) at Cryptography.AesProvider.EncryptAES256(String srouce) at Setup.Helper.Installation.Install.ConvertToXmlDataPair(Dictionary'2& inputPair, Dictionary'2&dataPair at Setup.Helper.Installation.Install.FreshInstallFlow(String[]&msgBody)at Setup.Helper.Installation.Install.FreshInstall(String[] &msgBody) at Setup.Helper.Installation.Install.Upgrade(String[]&msgBody) at Setup.Helper.Installation.InstallationHelper.ProcMessage(String MsgId, String[]MsgBody) at Setup.Program.Main(String[]args)</p><p>· Solution: File a case with Support and request Apex One Hot Fix 2121</p><p>Activating Apex One Endpoint Sensor (iES)</p><p>Endpoint Sensor Service: Unknown Error</p><p>Status Description</p><p>Unsuccessful License deployment was unsuccessful</p><p>Endpoint Sensor Service: Unknown Error</p><p>Troubleshooting steps:</p><p>A. Check if all iES and iATAS components are complete:</p><p>1. Check if iES and iATAS services exist but are not running</p><p>2. Check if iES and iATAS AppPools exist</p><p>3. Check if iES and iATAS IIS Sites are complete</p><p>4. If any of the above are incomplete, reinstall iES Server and iATAS server.</p><p>a. 
Remove iES and iATAS: https://success.trendmicro.com/solution/1122946</p><p>b. Reinstall iES and iATAS: https://success.trendmicro.com/solution/1123009</p><p>B. Check if Apex One Server is using 3rd-party certificate:</p><p>See How to check if Apex One Server is using 3rd-party certificate?</p><p>C. iES has incorrect DBName:</p><p>1. Check SQL server and compare the DB name of Apex One and iES</p><p>2. The iES DB name should be the same as Apex One with -iES appended to it.</p><p>3. If the DB names are different, check the config.xml on <installation path>\Apex One\iServiceSrv\iES for the DB Name</p><p>4. Stop the iES Services and open config.xml</p><p>5. Rename the iES database with the database name based on the config.xml</p><p>6. Restart the iES Services.</p><p>7. Try again to deploy the license.</p><p>Apex One Endpoint Sensor (iES) Policy Deployment Issue</p><p>Apex Central Issue</p><p>1. Test connectivity between Apex Central and Apex One Server. From Apex Central "ping IP/FQDN of Apex One Server" and verify if the server is reachable.</p><p>2. Make sure that SSO from Apex Central to Apex One is working properly</p><p>1. Products SSO</p><p>a. Access Apex Central console.</p><p>b. Go to Directories > Products.</p><p>c. Go to Local Folder > <Apex One Folder> > Apex One Server</p><p>d. Click on Apex One Entity > Configure > Apex One Single Sign-On</p><p>e. SSO should be working.</p><p>2. Managed Servers SSO</p><p>a. Access Apex Central console.</p><p>b. Go to Administration > Managed Servers > Server Registration.</p><p>c. Change Server Type to Apex One.</p><p>d. Click on the URL for Apex One.</p><p>e. SSO should be working.</p><p>Apex One Issue</p><p>1. Policy status “Pending: Managed server deploying”</p><p>§ Check if Apex One Server is using 3rd-party certificate:</p><p>See How to check if Apex One Server is using 3rd-party certificate?</p><p>2. 
Endpoint Sensor Server: System Error: Error ID: 420</p><p>An "Error ID: 420" occurs while the Apex One Endpoint Sensor policy is deployed and the "Unable to get the registered server list. There are no registered servers." error appears on the Apex Central "Preliminary Investigation" page.</p><p>Symptoms</p><p>o From diagnostic.log, iATAS is not started so parent proxy will not call execute function to iESProxy</p><p>o From iATASSetupDebug.log, you may find "access denied" errors during ATAS upgrade</p><p>1. Check if Trend Micro Advanced Threat Assessment Service (iATAS service) is running</p><p>2. If it is stopped or cannot be started, reinstall iATAS Service.</p><p>3. Uninstall iATAS:</p><p>a) Launch a command prompt with administrator privilege and navigate to ...\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\iServicePackage\iATAS\Setup\.</p><p>b) Run the following command: iATASSetup.exe -uninstallation</p><p>4. Reinstall iATAS using Maintenance Mode: https://success.trendmicro.com/solution/1123009</p><p>Apex One agent Issue</p><p>o Endpoint Sensor Service: 201509003:</p><p>§ The error means Installation failed</p><p>What to check?</p><p>1. Check if the agents are getting the update from Apex One server or an Update Agent</p><p>2. 
If the agent is getting an update from Update Agent, make sure that complete Update Agent files</p><p>o Endpoint Sensor Service: 201504423:</p><p>§ This is a generic timeout error</p><p>§ Please try to reboot those affected machines then try to redeploy the policy.</p><p>Useful Links</p><p>Title KB</p><p>Error ID Mapping for policy deployment status of Apex Central: See KB 1122453 (https://success.trendmicro.com/intkb/solution/1122453)</p><p>Removal of standalone plug-in products: See KB 1122946 (https://success.trendmicro.com/intkb/solution/1122946)</p><p>Information and logs to Collect:</p><p>Installation Issue</p><p>1. CDT Logs from Apex One Server</p><p>a. Basic Information</p><p>2. Installation Logs from Apex One Server</p><p>a. C:\windows\TMESSetupDebug.log</p><p>b. C:\windows\iATASSetupDebug.log</p><p>c. C:\windows\OFCMAS.log</p><p>License Issue</p><p>1. CDT logs from Apex Central Server</p><p>a. Update or Deployment Issues</p><p>b. General Issues</p><p>2. CDT logs from Apex One Server</p><p>a. Basic Information</p><p>b. Installation</p><p>c. Functionality</p><p>d. Update & Deployment</p><p>Policy Deployment</p><p>1. CDT logs from Apex Central Server</p><p>a. Web User Interface</p><p>b. Update or Deployment Issues</p><p>c. General Issues</p><p>2. CDT logs from Apex One Server</p><p>a. Basic Information</p><p>b. Functionality</p><p>c. Update or Deployment</p><p>3. If error is on Agent, CDT logs from affected agent:</p><p>a. Basic Information</p><p>b. Connectivity Issue</p><p>c. Update/Deployment Issue</p><p>d. Endpoint Sensor</p><p>B. Apex One Application Control (iAC)</p><p>Policy Deployment Flow for iAC</p><p>NOTE:</p><p>o Application Control Server and Apex One Server are two components in one server</p><p>o Application Control Agent and Apex One Security Agent are two components in one client.</p><p>How to check Apex One Server status in Apex Central?</p><p>1. 
Logon to Apex Central Management Console.</p><p>2. Go to Directories > Products tab.</p><p>3. Expand Local Folder and look for the Apex One Server.</p><p>4. Verify that it has a green check beside the Apex One Server Name.</p><p>IMPORTANT: Make sure that the Apex One Server is NOT in the “New Entity” folder. Otherwise you will not be able to deploy policy to it.</p><p>How to verify iAC service status in Apex One Server?</p><p>iAC Services</p><p>1. Logon to the Apex One Server machine.</p><p>2. Open Services Console (services.msc).</p><p>3. Look for the Trend Micro Application Control Service and verify the status is Running.</p><p>iAC Folders</p><p>1. Logon to the Apex One Server machine.</p><p>2. Go to %PROGRAMFILES%\Trend Micro\iService and make sure iAC folder exists.</p><p>iAC Registry Keys</p><p>1. Logon to the Apex One Server machine.</p><p>2. Open Registry Editor (regedit.exe)</p><p>3. Go to HKLM\SOFTWARE\WOW6432Node\TrendMicro\iAC and make sure the following registries exist.</p><p>iAC Database</p><p>1. Open SQL Management Studio.</p><p>2. Connect to the SQL Server where Apex One Database is created. (You may need assistance from a DB Admin who has administrative access to SQL Server Database.)</p><p>NOTE: To know the SQL Server and Database Name, login to the Apex One Web Management console and go to Help > About.</p><p>3. Expand the Apex One Database tables and make sure that you see all the iac.* tables.</p><p>iAC in IIS Manager</p><p>1. Logon to the Apex One Server machine.</p><p>2. Click Start > Run and type inetmgr.exe. Then hit enter to open IIS Manager</p><p>3. Go to Application Pools and verify that the OfficeScan_iAC_AppPool is started.</p><p>4. Go to Sites > OfficeScan and verify that the OfficeScan_iAC virtual website and sub-folders exist.</p><p>Apex One Server Certificates</p><p>1. IIS Certificate:</p><p>2. Open IIS Manager.</p><p>3. 
Go to Sites > OfficeScan.</p><p>4. Under Action, click Bindings… to open Site Bindings dialog box.</p><p>5. In the Site Bindings dialog box, select https and click Edit to open Edit Site Bindings dialog box.</p><p>6. In the Edit Site Bindings dialog box, take note of the SSL certificate.</p><p>7. Verify Installed Certificates in the Local Machine Certificate Store.</p><p>8. Click Start > Run and type “certlm.msc” to open Local Machine Certificate Store Management Console.</p><p>9. Go to Trusted People > Certificates and make sure that the following certificates exist:</p><p>NOTE: The apexone.trend.local should be the same as the SSL Certificate found in the IIS Manager.</p><p>10. Go to Personal > Certificates and make sure that the following certificate exists:</p><p>NOTE: The apexone.trend.local should be the same as the SSL Certificate found in the IIS Manager.</p><p>How to verify iAC service status in Apex One Agent?</p><p>1. Logon to the Apex One Security Agent machine.</p><p>2. Open the Services Console (services.msc).</p><p>3. Make sure that the following service exists and is started.</p><p>iAC Folders</p><p>1. Logon to the Apex One Security Agent machine.</p><p>2. Go to %PROGRAMFILES%\Trend Micro\iService\iAC and make sure the following sub-folders exist.</p><p>iAC Registry Keys</p><p>1. Logon to the Apex One Security Agent machine.</p><p>2. Open Registry Editor (regedit.exe).</p><p>3. Go to HKLM\Software\TrendMicro\iACAgent and verify the following registry keys exist.</p><p>4. Go to HKLM\System\CurrentControlSet\services\AcDriver and make sure the following registry keys exist.</p><p>Agent Console iAC “Enabled” status</p><p>1. Logon to the Apex One Security Agent machine.</p><p>2. Right-click the agent icon on the system tray and select Security Agent Console.</p><p>3. 
Go to Apex One Security Agent and make sure that the Application Control is green.</p><p>Troubleshooting iAC Policy Deployment</p><p>Policy Error “Product Communication Error”</p><p>This error can happen when Apex One and Apex Central are installed on the same server.</p><p>To resolve this, follow the steps below:</p><p>1. Logon to the Apex One-Central Server.</p><p>2. Click Start > Run and type inetmgr.exe. Then hit enter to open IIS Manager.</p><p>3. Go to Application Pools and verify if the OfficeScan_iAC_AppPool is started. Otherwise, right-click it and select Start.</p><p>4. Restart the Apex One IIS Website.</p><p>5. Redeploy the Policy.</p><p>Policy Error “Application Control Service: Unactivated licenses”</p><p>A. Verify iAC has valid license.</p><p>1. Login to the Apex Central Web Management Console.</p><p>2. Go to Administration > License Management > Managed Products.</p><p>3. Verify that all the licenses are valid.</p><p>4. If any of the above licenses is expired, verify if it is for iAC. If this is the case, kindly contact your Trend Micro Sales to help in re-activating the license.</p><p>B. Unable to deploy iAC Activation Code.</p><p>You get the following error when deploying iProduct valid licenses.</p><p>The issue can happen if the Apex One SQL Database is assigned a Windows Account to manage. It may not have sufficient web service framework access permissions. Fix this by adding the Windows Account to Apex One Server’s IIS_IUSRS Local Groups.</p><p>1. Logon to the Apex One Server machine.</p><p>2. Open Computer Management Console.</p><p>3. Go to Local Users and Groups > Groups.</p><p>4. Configure the IIS_IUSRS group and add the Windows Account.</p><p>5. Re-deploy the Policy.</p><p>C. Disable "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".</p><p>The error appears in the C:\Windows\OFCSVR.log.MM_DD_HH_MM_SS.log.</p><p>1. 
Login to the Apex One Server.</p><p>2. Open Local Security Policy console (secpol.msc).</p><p>3. Go to Local Policies > Security Options.</p><p>4. Change the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing to Disabled.</p><p>Policy Error “Pending: Waiting for product agent”</p><p>Policy to enable Application Control will always show "status pending" on the Apex Central console.</p><p>Application Control module cannot download policy setting because of the certificate verification failure. The following Apex One Agent debug log can be seen.</p><p>From OFCDEBUG.log</p><p>For this, verify properties of the Apex One Server SSL Certificate.</p><p>A. Verify if the certificate is not expired and it is allowed to issue policy for all.</p><p>1. Open Local Computer Certificate Store and go to Trusted People > Certificates.</p><p>2. Double-click the Apex One Server SSL Certificate and make sure that All issuance policies exists and the validity is not expired.</p><p>B. If using a 3rd Party or Corporate Certificate Authority (CA)</p><p>Follow the KB Article below to properly configure it with Apex One Server’s SSL Certificate.</p><p>Configuring Apex One to use a certificate signed by corporate Certificate Authority</p><p>https://success.trendmicro.com/intkb/solution/1122205</p><p>Information and logs to Collect:</p><p>I. Using Case Diagnostic Tool</p><p>Use the article below for steps in how to use Trend Micro Case Diagnostic Tool to collect needed logs for troubleshooting purposes.</p><p>Using the Case Diagnostic Tool (CDT) to collect the information needed by Technical Support</p><p>II. 
Manually Collecting iAC-related logs files.</p><p>iAC Server Installation Logs</p><p>C:\Windows\OFCSVR.log</p><p>C:\windows\iATASSetupDebug.log</p><p>C:\windows\OFCMAS.log</p><p>C:\Program Files (x86)\Trend Micro\Apex One\iServiceSrv\iAC\config.xml</p><p>C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\OfUninst.ini</p><p>IIS Logs</p><p>C:\inetpub\logs\LogFiles\W3SVC1\u_exYYMMDD.log</p><p>C:\inetpub\logs\LogFiles\W3SVC3\u_exYYMMDD.log</p><p>MCP Agent Logs</p><p>C:\CMAgent_debug.log</p><p>C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\CMAgent\Agent.ini</p><p>C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\CMAgent\Product.ini</p><p>C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\CMAgent\cmagentdebug.log</p><p>Apex One Server Debug Log</p><p>C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Log\ofcdebug.log</p><p>iAC Agent Installation Log</p><p>C:\Windows\TMiACAgentSetup.log</p><p>Connectivity</p><p>C:\Program Files (x86)\Trend Micro\Security Agent\ConnLog\Conn_YYYYMMDD.log</p><p>Apex One Agent Debug Log</p><p>C:\OfcDebug.log</p><p>Apex Central</p><p>Server</p><p>Registration</p><p>C:\Program Files (x86)\Trend Micro\Control Manager\DebugLog\CMEFScheduler_OSCE_iAC.log</p><p>C:\Program Files (x86)\Trend Micro\Control Manager\DebugLog\TMCM_CascadingMCPAgentSDK.log</p><p>C:\Program Files (x86)\Trend Micro\Control Manager\DebugLog\WebUI_OSCE_iAC.log</p><p>C:\Program Files (x86)\Trend Micro\Control Manager\WebUI\WebApp\widget\repository\log\diagnostic.log</p><p>https://success.trendmicro.com/intkb/solution/1055229-using-the-case-diagnostic-tool-cdt-to-collect-the-information-needed-by-technical-support</p><p>C. 
Apex One Vulnerability Protection (iVP)</p><p>iVP Licensing Common Issues</p><p>Review Command Tracking Status</p><p>o Here's a sample screenshot of a successful deployment of the iVP license profile from Apex Central to the Apex One server:</p><p>o After you click Deployed, wait until the license has been activated properly.</p><p>o For additional checking, check Command Tracking. Look for Command: Deploy License Profiles; it should have a status of Successful: 1.</p><p>Review IIS and Services Status</p><p>o Check in IIS Manager whether the iVP web service is running:</p><p>Web service display name: OfficeScan_iVP_AppPool</p><p>o Check whether the iVP service on the Apex One Server is healthy:</p><p>Server service display name: Trend Micro Vulnerability Protection Service</p><p>If the above-mentioned requirements cannot be satisfied due to an error, proceed to the next steps for further troubleshooting.</p><p>How to troubleshoot "iProduct Service not Starting"</p><p>Issue: The iVP service on Apex One wasn't able to start properly.</p><p>Description: When you try to deploy the iVP license from Apex Central, it fails because the iVP server service on Apex One wasn't able to start properly.</p><p>Additional Information: When you manually start the Trend Micro Vulnerability Protection Service, you encounter the following error message:</p><p>Error Message: “Windows could not start the Trend Micro Vulnerability Protection Service on Local Computer. Error 1067: The process terminated unexpectedly”</p><p>Symptoms</p><p>· Check the System Event logs for an error. For this issue, it shows:</p><p>Event ID: 7034</p><p>Source: Service Control Manager</p><p>Level: Error</p><p>General: “The Trend Micro Vulnerability Protection Service service terminated unexpectedly. 
It has done this 10 time(s).”</p><p>· Based on ivp_server0.log (C:\Program Files (x86)\Trend Micro\Apex One\iServiceSrv\iVP\):</p><p>SEVERE: Unable to send log to OSCE.</p><p>com.trendmicro.ivp.integration.osce.osf.webservice.OSFWebServiceException: OSF SystemCall result code: 10006</p><p>at com.trendmicro.ivp.integration.osce.osf.webservice.object.OSFWebRequest.getResultData(OSFWebRequest.java:120)</p><p>at com.trendmicro.ivp.core.command.osf.OSFOnLogCommand.run(OSFOnLogCommand.java:512)</p><p>at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)</p><p>at java.util.concurrent.FutureTask.run(FutureTask.java:266)</p><p>at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)</p><p>at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)</p><p>at java.lang.Thread.run(Thread.java:748)</p><p>Troubleshooting</p><p>Check the Java Version in Windows:</p><p>1. Open the Start menu and click Control Panel.</p><p>2. Type "Java" into the search field and double-click the Java icon.</p><p>The Java Control Panel appears.</p><p>3. Click the General tab if it is not already open.</p><p>4. Click the About button. It shows:</p><p>e.g. Java File version: Version 8 Update 221 (build 1.8.0_221-b11)</p><p>Action Plan</p><p>1. Check the iVP server version:</p><p>a. Log in to the Apex One server computer.</p><p>b. Go to the iVP server installation folder (C:\Program Files (x86)\Trend Micro\Apex One\iServiceSrv\iVP).</p><p>c. Right-click iVPServer.exe and select Properties.</p><p>d. Check the Details tab.</p><p>You can find the iVP server version.</p><p>e.g. iVPServer.exe File version: 3.0.0.2041</p><p>2. Check the iVP server installation source file version.</p><p>e.g. C:\Program Files (x86)\Trend Micro\Apex One\iServiceSrv\iVP</p><p>a. Go to C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Admin\Utility\iServicePackage\iVP.</p><p>b. 
Find iVPServerInstaller.exe, right-click it, and select Properties.</p><p>c. Check the Details tab.</p><p>You can find the iVPServerInstaller.exe version there.</p><p>e.g. iVPServerInstaller.exe File version: 3.0.0.2041</p><p>d. Compare the versions of iVPServer.exe and iVPServerInstaller.exe to see whether they are the same.</p><p>For example, if the version of iVPServerInstaller.exe is 3.0.0.2055 and the iVPServer.exe version is 3.0.0.2041, then the versions are not the same. This may mean that the upgrade of the iVP server failed.</p><p>The version should be the same for iVPServer.exe and iVPServerInstaller.exe.</p><p>3. Check the BundledJava version:</p><p>a. Log in to the Apex One server computer.</p><p>b. Go to C:\Program Files (x86)\Trend Micro\Apex One\BundledJava\Bin.</p><p>c. Right-click java.exe and select Properties.</p><p>d. Check the Details tab.</p><p>You can find the java.exe version there.</p><p>e.g. java.exe File version: 8.33.0.1</p><p>If you see that the BundledJava version is 8.x.x.x (not 11.31.0.11) and the JRE version is 8.x.x.x, the iVP server upgrade will fail. You need to download JRE 11.31. For example:</p><p>https://www.azul.com/downloads/zulu-community/</p><p>e. Stop the Apex One Master Service.</p><p>f. Back up and delete the files in C:\Program Files (x86)\Trend Micro\Apex One\BundledJava\.</p><p>g. Unzip the downloaded JRE files and put all of the files in C:\Program Files (x86)\Trend Micro\Apex One\BundledJava\.</p><p>4. Upgrade the iVP server manually:</p><p>a. Open a command line with administrator privilege and cd to C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Admin\Utility\iServicePackage\iVP.</p><p>b. 
Type the following command:</p><p>start /wait iVPServerInstaller.exe -q -dir "C:\Program Files (x86)\Trend Micro\Apex One\iServiceSrv\iVP" -VskipOSCEIntegration="true" -VskipPrepareConfig="true" -Dinstall4j.keepLog=true -Dinstall4j.alternativeLogfile="C:\Program Files (x86)\Trend Micro\Apex One\iServiceSrv\iVP\install.log"</p><p>c. Wait for a while, then go to C:\Program Files (x86)\Trend Micro\Apex One\iServiceSrv\iVP and check ivp_server0.log to see whether it contains any errors.</p><p>d. Manually start the Trend Micro Vulnerability Protection Service (iVPServer.exe).</p><p>It should run properly now.</p><p>Note: If the steps above don't work, please collect the ivp_server0.log file as well as screenshots of the versions of java.exe, iVPServer.exe, and iVPServerInstaller.exe for reference.</p><p>How to troubleshoot Certificate Issue "License Deployment was Unsuccessful"</p><p>Issue: “License deployment was unsuccessful”</p><p>Description: License deployment fails when deploying the iVP license from Apex Central.</p><p>Error Message: “License deployment was unsuccessful. Vulnerability Protection Service: Unknown Error”</p><p>Based on the Command Tracking:</p><p>Symptoms</p><p>1. Check ofcdebug.log. The following error can be seen:</p><p>Log Information:</p><p>[ofcservice.exe]OSFSvcClient::setProductServiceInfo - failed to get iService info - [libosfsvcclient.cpp(73)]</p><p>2. 
Check ivp_server0.log, located in C:\Program Files (x86)\Trend Micro\Apex One\iServiceSrv\iVP\</p><p>Log Information:</p><p>Apr 07, 2019 1:33:32 PM com.trendmicro.ivp.core.Core main SEVERE: Failed to start iVP server.</p><p>javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</p><p>at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)</p><p>Analysis: The SSL handshake error indicates that iVP cannot find a valid certification path to Apex One's console certificate. This issue usually happens when the customer uses a 3rd-party signed certificate on Apex One.</p><p>How to troubleshoot?</p><p>The following initial steps can be done to review the customer's certificate.</p><p>1. The Apex One server private key must be exportable.</p><p>How to import a certificate and allow its private key to be exported?</p><p>1. On the certificate console of Local Computer, choose Personal > Certificates.</p><p>2. Right-click on the right panel and choose All Tasks > Import...</p><p>3. Check the 'Mark this key as exportable...' checkbox in the import wizard.</p><p>How to verify if the private key is allowed to be exported?</p><p>1. On the certificate console of Local Computer, choose Personal > Certificates.</p><p>2. To view the certificate, double-click the target certificate.</p><p>Go to the Details tab and click Copy to File to open the certificate export wizard.</p><p>3. Click Next. The Export Private Key ("Yes, export the private key") option should be available.</p><p>2. The certificate must be generated with a valid Common Name ('CN=<HOSTNAME>').</p><p>1. On the certificate console of Local Computer, choose Personal > Certificates.</p><p>2. To view the certificate, double-click the target certificate.</p><p>Go to the Details tab, then view the Subject details. 
The certificate must have a valid subject.</p><p>IMPORTANT: Follow KB1122205 if the customer is using a 3rd-party CA signed certificate.</p><p>http://intkb.trendmicro.com/solution/en-us/1122205.aspx</p><p>Troubleshooting Policy Deployment Issue</p><p>How to check command tracking status?</p><p>The screenshot below shows a successful deployment of the iVP policy from the Apex Central Server.</p><p>For additional checking, check Command Tracking.</p><p>Look for a recent Apply Policy under the Command column > Click the Successful results to verify if it's already deployed on the Agent's Apex One Server.</p><p>When deployment is finished, connect to the endpoint, open the Apex One Security Agent Console via the system tray icon and verify that Vulnerability Protection is now Enabled and that its Trend Micro Vulnerability Protection Service (Agent) is running.</p><p>Confirm that it has the same Policy Version that was recently deployed from Apex Central.</p><p>If the above-mentioned requirements cannot be satisfied due to an error, proceed to the next steps for further troubleshooting.</p><p>Policy status “Pending: Apex Central deploying”</p><p>Problem: A communication error occurs when Apex One and Apex Central are installed on the same server.</p><p>Error message: Policy status “Pending: Apex Central deploying”</p><p>Details: This issue occurs when Apex One is installed before Apex Central.</p><p>Root Cause: The installation of Apex Central stops the IIS Application Pools for Application Control and Vulnerability Protection.</p><p>To prevent this error, follow these manual steps:</p><p>1. Run IIS (Internet Information Services) Manager and go to Application Pools.</p><p>2. Start OfficeScan_iAC_AppPool and OfficeScan_iVP_AppPool.</p><p>3. Select the IIS site and click Restart.</p><p>4. 
Re-deploy the policy on Apex Central.</p><p>Policy status “System error. Error ID: 5”</p><p>Problem: Failed to deploy iVP policy</p><p>Error Message: “System Error. Error ID: 5” status with Description: “Vulnerability Protection Service: Disabled product services”</p><p>Symptoms</p><p>Log Snippet:</p><p>Log File: ivp_server0.log (Location: C:\Program Files (x86)\Trend Micro\Apex One\iServiceSrv\iVP\)</p><p>com.microsoft.sqlserver.jdbc.SQLServerException: The TCP/IP connection to the host localhost, port 1433 has failed. Error: "Connection refused: connect. Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall.".</p><p>Troubleshooting</p><p>How to check if Apex One Server can connect to SQL Database Server using port 1433?</p><p>1. Log in to your SQL server through Remote Desktop Connection.</p><p>2. Click Start > Expand your Microsoft SQL Server folder > Select SQL Server Configuration Manager.</p><p>3. Expand SQL Server Network Configuration > Click Protocols for MSSQLSERVER.</p><p>4. Right-click TCP/IP > Select Properties > Click the IP Addresses tab > Scroll down to IPAll > Ensure TCP Dynamic Ports is blank and TCP Port is set to 1433 > Click Apply > OK.</p><p>5. Restart the SQL Server (MSSQLSERVER) service.</p><p>6. Test the connection from the Apex One Server to the SQL Server on port 1433 via PowerShell.</p><p>Success Result:</p><p>NOTE: Ensure that port 1433 is allowed on your firewall.</p><p>Mixed mode authentication should be enabled as well for remote connections.</p><p>7. 
Log in to Apex Central, deploy the iVP license again, and check the results.</p><p>Policy status shows "Unable to logon Product"</p><p>Problem: Failed to deploy iVP Policy</p><p>Error Message: "Unable to automatically logon to product".</p><p>Symptoms</p><p>Log Snippet:</p><p>Log File: ivp_server0.log (Location: C:\Program Files (x86)\Trend Micro\Apex One\iServiceSrv\iVP\)</p><p>SEVERE: Unable to update policy tracking records.</p><p>javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</p><p>How to troubleshoot?</p><p>This issue happens when the server certificate is changed. See How to troubleshoot?</p><p>Policy status “Pending: Waiting for product agent”</p><p>Problem: Failed to deploy iVP Policy when deploying from Apex Central</p><p>Error Message: “Pending: Waiting for product agent”</p><p>Symptoms</p><p>Log Snippet:</p><p>Log File: ofcdebug.log</p><p>2019 09/18 12:30:25 [2154 : 201c] (00) (E) [][tmlisten.exe]VerifyServerCert - Failed to verify the SSL certificate - [olh_winhttpclient.cpp(820)]</p><p>2019 09/18 12:30:25 [2154 : 201c] (00) (D) [][tmlisten.exe]VerifyServerCert - << 0 - [olh_winhttpclient.cpp(827)]</p><p>2019 09/18 12:30:25 [2154 : 201c] (00) (E) [][tmlisten.exe]winHttpStatusCallback - Close connection due to certificate verification failure - [olh_winhttpclient.cpp(78)]</p><p>How to troubleshoot?</p><p>To address this issue, ensure that there's no OfcIPCer.dat mismatch between the server and agent. Compare the certificate with the server public key in Trusted People to check whether they are the same. If not, export the server public key, then back up and replace it on the affected machine.</p><p>How to verify the OfficeScan SSL certificate?</p><p>1. In IIS Manager, click OfficeScan Web Site > Click Bindings... 
> Verify the current SSL certificate information being used by port 4343 > Click Edit.</p><p>2. In Edit Site Bindings, click View > Go to the certificate Details tab > Take note of its Serial Number.</p><p>3. Open mmc.exe with Run as administrator.</p><p>4. On the File menu > Click Add/Remove Snap-in.</p><p>5. Under Available snap-ins, select Certificates > Click Add.</p><p>6. Click Computer account > Next.</p><p>7. Click Local computer > Finish > Click OK.</p><p>8. Expand Certificates (Local Computer) > Expand “Trusted People” > Click Certificates.</p><p>9. Double-click the certificates, search for the SSL certificate you checked in step 1, and verify that it has an identical Serial number.</p><p>10. Right-click the SSL certificate, select All Tasks > Export... > Next > Next > Browse… input the location path and file name > Save > Next > Finish > OK.</p><p>11. Double-click the exported certificate with the file extension .cer. Take note of the certificate Serial number from the Details tab and compare it with the Server and Agent OfcIPCer.dat.</p><p>How to verify if the certificate of agent and server match?</p><p>The certificate's serial number from the server and agent should match.</p><p>1. Create a copy of OfcIPCer.dat from the server and client.</p><p>FROM OSCE Server:</p><p>File location: …PCCSRV\Pccnt\Common\OfcIPCer.dat</p><p>Example: To easily identify it, name the copy OfcPCer-SERVER.dat</p><p>FROM OSCE Agent:</p><p>File location: ...OfficeScan Client\OfcIPCer.dat</p><p>Example: To easily identify it, name the copy OfcPCer-AGENT.dat</p><p>2. To open the file, change the file extension from .dat to .cer</p><p>3. 
The serial number of the certificate from the server and agent should match.</p><p>How to resolve certificate mismatch?</p><p>In this example, we have verified that the certificate in the Local Machine Certificate Store and the certificate (OfcIPCer.dat) files on the server and agent do not match.</p><p>Certificate serial numbers:</p><p>Local Machine Certificate Store (MMC), under Certificates (Local Computer) > Expand “Trusted People” > click Certificates: 1a 48 48 xx xx xx xx xx xx xx xx xx xx xx xx xx</p><p>Server: 41 33 c5 xx xx xx xx xx xx xx xx xx xx xx xx xx</p><p>Agent: 41 33 c5 xx xx xx xx xx xx xx xx xx xx xx xx xx</p><p>How to copy the correct certificate to the affected machine?</p><p>1. Rename the exported file to OfcIPCer.dat.</p><p>2. Copy the file to the affected agent machine.</p><p>3. Unload the Apex One agent.</p><p>4. Back up the original OfcIPCer.dat on the agent side (AGENT: ...OfficeScan Client\OfcIPCer.dat), then replace it with the newly exported OfcIPCer.dat.</p><p>5. Load the Apex One agent.</p><p>6. Re-deploy the policy and check whether everything is OK.</p><p>7. If everything is OK, check whether the OfcIPCer.dat on the server side (SERVER: …PCCSRV\Pccnt\Common\OfcIPCer.dat) is the same.</p><p>8. 
If not, replace it on the server side as well using the OfcIPCer.dat exported from Trusted People, and trigger an update from the Agent or Server console.</p><p>In Apex Central Policy Management, the number of Agents with Deployed status should now gradually increase, since the updated OfcIPCer.dat is now being deployed from the Apex One Server to the Security Agents.</p><p>Information and logs to Collect:</p><p>How to collect CDT from Apex Central?</p><p>Run the CDT as Admin and select Update or Deployment Issues and General Issues.</p><p>How to collect CDT from Apex One Server?</p><p>Run the CDT as Admin and select Basic Information, Functionality, Update & Deployment, and Enterprise Firewall.</p><p>How to collect CDT from Apex One Agent?</p><p>Run the CDT as Admin and select Basic Information, Connectivity Issue, Enterprise Firewall, Update/Deployment Issue, and Vulnerability Protection.</p><p>How to manually debug iVP?</p><p>Follow this procedure if CDT fails.</p><p>· Manual debug</p><p>· Application and System Event Logs</p><p>· msinfo32</p><p>· Backup copy of Registry</p><p>· Collect Wireshark logs</p><p>For steps, see How to use Wireshark to capture, filter and inspect packets</p><p>· iVP folder from Apex One server</p><p>(C:\Program Files (x86)\Trend Micro\Apex One\iServiceSrv\iVP).</p><p>Note: Verify that ivp_server0.log or ivp_server*.log is included in the folder.</p><p>· To change the debug level, see the iVP manual debug details below.</p><p>Debugging iVP service on Apex One Server</p><p>How to manually debug IIS iVP Web Service?</p><p>1. Open file: C:\Program Files (x86)\Trend Micro\OfficeScan\iServiceSrv\iVP\Web\log4net.config</p><p>2. Open log4net.config using Notepad and look for <level value="INFO"/>.</p><p>3. 
Update the value FROM: <level value="INFO" /> TO: <level value="DEBUG" /></p><p>https://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/</p><p>4. Save the file</p><p>5. Replicate the issue</p><p>6. Collect iVPWebApp.log</p><p>File location: C:\Program Files (x86)\Trend Micro\OfficeScan\iServiceSrv\iVP\Web\iVPWebApp.log</p><p>Note: Revert the changes to disable debug</p><p>How to manually debug IIS iVP Server?</p><p>1. Open file: C:\Program Files (x86)\Trend Micro\OfficeScan\iServiceSrv\iVP\logging\logging.properties using Notepad</p><p>2. Select which feature of iVP you are trying to debug.</p><p>iVP server debug log settings: Enable debug based on the feature you want to check.</p><p>Feature: Command received by iVP service on Apex One Server</p><p>Log settings:</p><p>com.trendmicro.ivp.core.thread.CommandHandlerThread.level=ALL</p><p>(general use for functions of iVP Service; always turn it on for the iVP features you want to troubleshoot)</p><p>Feature: Update iVP Pattern</p><p>Log settings:</p><p>com.trendmicro.ivp.core.command.osf.OSFOnNotifyCommand.level=ALL</p><p>Feature: Deploy Security Agent Policy</p><p>Log settings:</p><p>com.trendmicro.ivp.core.command.UpdateClientSettingsCommand.level=ALL</p><p>com.trendmicro.ivp.core.command.NotifyResultCommand.level=ALL</p><p>com.trendmicro.ivp.core.command.HeartBeatCommand.level=ALL</p><p>com.trendmicro.ivp.core.util.SecurityConfigurationUtilities.level=ALL</p><p>com.trendmicro.ivp.integration.osce.osf.webservice.level=ALL</p><p>Feature: IPS Logs sending</p><p>Log settings:</p><p>com.trendmicro.ivp.core.command.osf.OSFOnLogCommand.level=ALL</p><p>com.trendmicro.ivp.integration.osce.osf.webservice.object.OSFWebRequest.level=ALL</p><p>Feature: Move Security Agent to another Apex One Server</p><p>Log settings:</p><p>com.trendmicro.ivp.core.command.osf.OSFOnCommandCommand.level=ALL</p><p>3. Add the debug log settings at the end of the file</p><p>4. Save the file</p><p>5. Replicate the issue</p><p>6. 
Collect the following logs:</p><p>Installation Logs: C:\Program Files (x86)\Trend Micro\OfficeScan\iServiceSrv\iVP\install.log</p><p>Debug log: C:\Program Files (x86)\Trend Micro\OfficeScan\iServiceSrv\iVP\ivp_server0.log or ivp_server*.log.</p><p>Note: Revert the changes to disable debug</p><p>How to manually debug IIS iVP Database?</p><p>1. How to check iVP tables from the Apex One Server Database?</p><p>iVP table name format: ivp.xxxx</p><p>2. How to check the iVP server activation code from the ivp.activationcodes table?</p><p>The “ActivationCode” column shows the iVP server activation code.</p><p>Note: The AC may not be the same as the one in ofcserver.ini.</p><p>The ofcserver.ini only records the first AC used to activate iVP.</p><p>3. How to check the VP agent's information from the ivp.hosts table?</p><p>4. How to check IPS rules' information from the ivp.payloadfilter2s table?</p><p>The “Identifier” column shows the rule's ID and the “Name” column shows the rule's name.</p><p>5. How to check iVP server events from the ivp.systemevents table?</p><p>• The “EventNumber” column shows the iVP server event.</p><p>• The “PlainDescription” column shows the details of the event.</p><p>D. Apex One Data Loss Prevention (iDLP)</p><p>Pre-requisites when deploying Data Loss Prevention</p><p>o Make sure Apex One Data Loss Prevention is installed on the Apex One server.</p><p>o Make sure the Apex One Data Loss Prevention license is activated.</p><p>How to install Apex One Data Loss Prevention (iDLP)?</p><p>1. Log in to the Apex One web console.</p><p>2. Go to the Plug-ins tab</p><p>3. Click Download</p><p>4. Click OK and wait for the download to finish</p><p>5. Click Install Now</p><p>6. Click Agree to accept the Apex One Data Protection License Agreement</p><p>7. Wait for the installation to finish.</p><p>How to activate Apex One Data Loss Prevention (iDLP)?</p><p>1. Log in to the Apex One web console.</p><p>2. Go to the Plug-ins tab</p><p>3. Click Manage Program</p><p>4. 
Enter the Apex One Activation Code to activate DLP. Click Save</p><p>5. Click View the license information and status.</p><p>6. Click Update Information</p><p>Enabling and Verifying the Data Loss Prevention (iDLP) Module</p><p>How to enable iDLP via Apex Central?</p><p>1. Log in to the Apex Central web console and go to Policies > Policy Management.</p><p>2. From the Product drop-down menu, select Apex One Security Agent and click Create.</p><p>3. In the Create Policy screen, type the Policy Name and specify the targets.</p><p>Apex Central provides several target selection methods that affect how a policy works.</p><p>The policy list arranges the policy targets in the following order:</p><p>Specify Targets: Use this option to select specific endpoints or managed products.</p><p>For details, see Specifying Policy Targets.</p><p>https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/policies/policy-management_001/policy-management_002/creating-a-new-polic/specifying-policy-ta.aspx#GUID-D0127C9A-A7FB-49C8-AF9C-9DD5AA3FF4C6</p><p>Filter by Criteria: Use this option to allocate endpoints automatically based on the filtering criteria.</p><p>For details, see Filtering by Criteria.</p><p>https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/policies/policy-management_001/policy-management_002/creating-a-new-polic/filtering-by-criteri.aspx#GUID-1919D46E-C842-40FC-91D6-199CE65D4481</p><p>None (Draft only): Use this option to save the policy as a draft without choosing any targets.</p><p>4. Select Additional Service Settings from the policy page.</p><p>Enable Unauthorized Change Prevention Service. Based on your company policy, enable this feature on desktops and/or servers.</p><p>Enable Data Protection Service. Based on your company policy, enable this feature on desktops and/or servers.</p><p>5. 
Click Deploy.</p><p>How to enable iDLP via Apex One?</p><p>1. Log in to the Apex One web console and go to Agents > Agent Management</p><p>2. Select the agent or group where you want to enable DLP.</p><p>3. Click Settings > Additional Service Settings. Make sure to enable Unauthorized Change Prevention Service and Data Protection Service on desktops or servers or both, depending on your preference.</p><p>4. Click Save or Apply to All agents.</p><p>How to verify if iDLP policy is deployed via Apex Central?</p><p>After deploying the iDLP policy under Policies > Policy Management, a policy version will be generated. Wait a few minutes for the policy to be deployed to the agent/s.</p><p>1. To verify the policy deployment status, go to Administration > Command Tracking</p><p>How to verify if iDLP policy is deployed on the agents?</p><p>1. Right-click the agent icon and select Component Versions</p><p>2. Verify that the Policy name and Policy version are correct.</p><p>How to verify if iDLP is installed properly?</p><p>IMPORTANT: Users will be prompted to restart the computer to complete the iDLP driver installation.</p><p>1. Open the Apex One Security Agent Console and verify that the Data Loss Prevention feature is turned on and has a green status.</p><p>2. Verify that the Trend Micro Apex One Data Protection Service and Trend Micro Unauthorized Change Prevention Service are running.</p><p>3. Verify whether the following registry keys were created properly:</p><p>For 32 bit agent:</p><p>HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\DlpLite</p><p>For 64 bit agent:</p><p>HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\DlpLite</p><p>How to block USB using Device Control?</p><p>1. Make sure the pre-requisites are met. Refer to Pre-requisites when deploying Data Loss Prevention</p><p>2. Make sure the Data Loss Prevention module is enabled. 
Refer to Enabling the Data Loss Prevention Module</p><p>3. In the policy, enable the Block function.</p><p>From Apex Central, you will see the option below under Device Control Settings. Put a check mark on the Block (Data Protection) checkbox.</p><p>From Apex One, select the Block option in the drop-down list.</p><p>Adding USB device to Approved List</p><p>The first thing you need to do is get the device information. Refer to the steps below:</p><p>1. Copy C:\Windows\System32\dgagent\listDeviceInfo.exe into C:\temp</p><p>2. Plug the device into the computer</p><p>3. Run C:\temp\listDeviceInfo.exe</p><p>4. Take note of the device vendor, model, and serial ID.</p><p>Once you have the device information, you may add it to the Allowed USB Devices/Approved Devices list.</p><p>Via Apex Central:</p><p>o Go to Policies > Policy Management > Select the policy deployed on the agent</p><p>o Go to Device Control Settings</p><p>o Click on All users (default)</p><p>o Click on Allowed USB Devices</p><p>Via Apex One:</p><p>o Go to Agents > Agent Management > Select the agent or group where you want to check the settings</p><p>o Go to Settings > Device Control Settings</p><p>o On the USB storage devices, click on Approved Devices</p><p>How to Deploy Data Loss Prevention Policy?</p><p>How to deploy iDLP via Apex Central</p><p>1. Log in to the Apex Central web console and go to Policies > Policy Management</p><p>2. From the Product drop-down menu, select Apex One Data Loss Prevention</p><p>3. Click Create</p><p>4. Provide a Policy name and choose the target agent/s. Enable Data Loss Prevention and add Rule/s</p><p>5. 
Under Targets, select the target selection method</p><p>Apex Central provides several target selection methods that affect how a policy works. The policy list arranges the policy targets in the following order:</p><p>Specify Targets: Use this option to select specific endpoints or managed products.</p><p>For details, see Specifying Policy Targets.</p><p>https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/policies/policy-management_001/policy-management_002/creating-a-new-polic/specifying-policy-ta.aspx#GUID-D0127C9A-A7FB-49C8-AF9C-9DD5AA3FF4C6</p><p>Filter by Criteria: Use this option to allocate endpoints automatically based on the filtering criteria.</p><p>For details, see Filtering by Criteria.</p><p>https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/policies/policy-management_001/policy-management_002/creating-a-new-polic/filtering-by-criteri.aspx#GUID-1919D46E-C842-40FC-91D6-199CE65D4481</p><p>None (Draft only): Use this option to save the policy as a draft without choosing any targets.</p><p>6. Under Apex One Data Loss Prevention Settings, verify that Enable Data Loss Prevention is ticked.</p><p>7. Click Add to start adding Rules.</p><p>8. Enable the rule and set the name. Select a policy template (e.g. all credit card number) and add it to the right pane.</p><p>9. Click Channel and select the channels you require. In this sample, we choose Webmails and Windows Clipboard.</p><p>10. Click Action, select the preferred action, then Save.</p><p>In this sample, we selected Block and checked the Notify agents user and Record data options.</p><p>11. Click Save</p><p>12. Click Deploy.</p><p>Wait for some time for the policy to deploy. The rule must be Enabled.</p><p>To track the deployment process, see Verifying if the Data Loss Prevention Policy is Deployed.</p><p>How to deploy iDLP via Apex One?</p><p>1. 
Log in to the Apex One web console and go to Agents > Agent Management.</p><p>2. Select the agent or group where you want to apply the DLP policy.</p><p>3. Click Settings > Data Loss Prevention Settings.</p><p>4. Name the policy. Enable Data Loss Prevention and add rule(s).</p><p>5. Enable the rule and set the name. Choose the template (e.g. all credit card number) and add it to the right pane.</p><p>6. Click Channel and select the channels you require.</p><p>7. Click Action and select the preferred action.</p><p>8. Click Save or Apply to All agents.</p><p>Troubleshooting iDLP Common Issues</p><p>Data Protection Status is showing “Not Installed”</p><p>1. Check if DLP license is activated. See Apex One Data Loss Prevention license activation.</p><p>2. Check if DLP module is enabled. See Enabling the Data Loss Prevention Module.</p><p>3. Check if DLP is installed properly. See Verifying if Data Loss Prevention was installed properly.</p><p>How to troubleshoot and further isolate the issue?</p><p>Option 1: Modify Registry keys</p><p>1. Unload the Apex One agent.</p><p>2. Remove the value of the following registry keys on the agent:</p><p>Important: Always back up the whole registry before making any modifications.
Incorrect changes to the registry can cause serious system problems.</p><p>For 32 bit agent:</p><p>HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\DlpLite</p><p>For 64 bit agent:</p><p>HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\DlpLite</p><p>o "version_main"=""</p><p>o "version_3rd"=""</p><p>3. Click Update now on the agent UI.</p><p>4. If the issue is not resolved, perform Option 2.</p><p>Option 2: Reinstall DLP Service/Drivers</p><p>1. Disable DLP:</p><p>· Select agent/domain where DLP needs to be disabled.</p><p>· Click Settings > DLP Settings.</p><p>· In the Data Loss Prevention Configurations page, click Policies.</p><p>· Uncheck the "Enable Data Loss Prevention" option.</p><p>· Click Save.</p><p>2. Open the Apex One server's ..\PCCSRV\ofcscan.ini file using Notepad.</p><p>3. Look for the [Global Setting] section.</p><p>4. Add the DlpSSUninst=1 parameter so that the section looks like this:</p><p>[Global Setting]</p><p>DlpSSUninst=1</p><p>5. Save the changes and close the file.</p><p>6. Log on to the Apex One server's web console.</p><p>7. In the agent tree, select the agent/domain where you want to uninstall the DLP service/driver.</p><p>8. Go to Settings > Additional Service Settings.</p><p>9. Under Data Protection Service, uncheck the "Enable service on the following operating systems" checkbox.</p><p>10. Click Save. On the agent side, the agent will prompt a Restart Required window.</p><p>11. Reboot the selected agent to completely remove its DLP components.</p><p>NOTE: If the same issue still occurs, collect CDT logs on the Server and Agent while replicating the issue. See Collect CDT on the Server and Collect CDT on the Agent.</p><p>Data Protection Status is showing “Stopped”</p><p>1. Check if DLP license is activated. Refer to Apex One Data Loss Prevention license activation</p><p>2. Check if DLP module is enabled.
Refer to Enabling the Data Loss Prevention Module</p><p>3. Check if DLP is installed properly. Refer to Verifying if Data Loss Prevention was installed properly</p><p>4. Check if there is an error when starting the Trend Micro Apex One Data Protection Service. If yes, collect the dsagent crash dump file and collect CDT on the agent as well. Refer to Collect dsagent crash dump file and Collect CDT on the Agent</p><p>5. If DLP is corrupted, follow the steps in Data Protection Status is showing “Not Installed”.</p><p>Unable to install Data Protection plug-in</p><p>1. Check if the Apex One server has an internet connection.</p><p>2. Check if the Update Source is correct. Go to Updates > Server > Update Source</p><p>3. If using a proxy to download updates, make sure to configure Administration > Proxy</p><p>How to create an offline DLP installation package?</p><p>This method is used when the Apex One server has no internet connection.</p><p>a. Download the following DLP files:</p><p>https://osce14-p.activeupdate.trendmicro.com/activeupdate/server.ini</p><p>https://osce14-p.activeupdate.trendmicro.com/activeupdate/product/osce14/enu/AddonSvcDLP.zip</p><p>https://osce14-p.activeupdate.trendmicro.com/activeupdate/product/osce14/enu/DLPPatchAgent.zip</p><p>b. Create a folder on the C drive (e.g. C:\DLP). You may also create it in your preferred location.</p><p>c. Copy the server.ini file to the DLP folder</p><p>d. Inside the DLP folder, create a product folder</p><p>e. Inside the product folder, create an osce14 folder</p><p>f. Inside the osce14 folder, create an enu folder</p><p>g.
Inside the enu folder, paste AddonSvcDLP.zip and DLPPatchAgent.zip</p><p>The file paths should look like this:</p><p>C:\DLP\server.ini</p><p>C:\DLP\product\osce14\enu\AddonSvcDLP.zip</p><p>C:\DLP\product\osce14\enu\DLPPatchAgent.zip</p><p>How to modify .....DLP\server.ini?</p><p>1. Modify server.ini as follows in order to comment out the [Server] settings. You will notice that a ";" has been added.</p><p>FROM:</p><p>[Server]</p><p>AvailableServer=1</p><p>Server.1=http://osce14-p.activeupdate.trendmicro.co.jp/activeupdate/japan</p><p>AltServer=http://osce14-p.activeupdate.trendmicro.co.jp/activeupdate/japan</p><p>TO:</p><p>[Server]</p><p>;AvailableServer=1</p><p>;Server.1=http://osce14-p.activeupdate.trendmicro.co.jp/activeupdate/japan</p><p>;AltServer=http://osce14-p.activeupdate.trendmicro.co.jp/activeupdate/japan</p><p>2. Share the DLP folder over the network</p><p>3. Go to Security Tab. Set folder permission.</p><p>Permission setting: Everyone must have read & write capability.</p><p>4. Log in to the web console and go to Updates > Server > Update Source, then check Intranet.</p><p>5. Change the Update Source and set the UNC path to the shared folder above (e.g. \\HOSTNAME\DLP)</p><p>For the credentials in the Update Source, use any of the formats below:</p><p>domain\username</p><p>hostname\administrator</p><p>6. Download the plug-in. Go to Plug-ins > Apex One Data Loss Prevention > Download</p><p>7. If still unable to install the plug-in, collect CDT on the server. Refer to Collect CDT on the Server</p><p>USB Exception is not Working</p><p>1.
Check if DLP license is activated. Refer to Apex One Data Loss Prevention license activation</p><p>2. Check if DLP module is enabled. Refer to Enabling the Data Loss Prevention Module</p><p>3. Check if DLP is installed properly. Refer to Verifying if Data Loss Prevention was installed properly</p><p>4. Check if the issue is happening on a specific device or on all USB devices.</p><p>5. Check in Device Manager if the device is being detected as a USB device.</p><p>6. Check if the Allowed USB Devices/Approved Devices configuration is correct.</p><p>Via Apex Central:</p><p>· Go to Policies > Policy Management > Select the policy deployed on agent</p><p>· Go to Device Control Settings</p><p>· Click on All users (default)</p><p>· Click on Allowed USB Devices</p><p>Via Apex One:</p><p>· Go to Agents > Agent Management > Select the agent or group where you want to check the settings</p><p>· Go to Settings > Device Control Settings</p><p>· On the USB storage devices, click on Approved Devices</p><p>To get the device information, refer to the steps below:</p><p>· Copy C:\Windows\System32\dgagent\listDeviceInfo.exe into C:\temp</p><p>· Plug the device into the computer</p><p>· Run C:\temp\listDeviceInfo.exe</p><p>· Take note of the device vendor, model, and serial ID.</p><p>7. Check if the agent received the setting. Go to <Agent_Install_Folder>\dlplite\dc_in.xml (internal agent) or dc_out.xml (external agent). Verify if the USB device is listed, refer to below sample:</p><p>8. If the agent did not receive the setting, check the communication between the server and agent.</p><p>9. If the agent received the setting but the same issue occurs, collect the Device Control Information. Refer to Collect Device Control Information</p><p>USB Blocking is not Working</p><p>1. Check if DLP license is activated. Refer to Apex One Data Loss Prevention license activation</p><p>2. Check if DLP module is enabled.
Refer to Enabling the Data Loss Prevention Module</p><p>3. Check if DLP is installed properly. Refer to Verifying if Data Loss Prevention was installed properly</p><p>4. Check if the issue is happening on a specific device or on all USB devices.</p><p>5. Check in Device Manager if the device is being detected as a USB device.</p><p>6. Check if the agent received the setting. Go to <Agent_Install_Folder>\dlplite\dc_in.xml (internal agent) or dc_out.xml (external agent). Verify if the permissions are correct, refer to below sample. In this sample, USB permission is blocked.</p><p>7. If the agent did not receive the setting, check the communication between the server and agent.</p><p>8. If the agent received the setting but the same issue occurs, collect the Device Control Information. Refer to Collect Device Control Information</p><p>DLP Blocking is not working in browser</p><p>1. Check if DLP license is activated. Refer to Apex One Data Loss Prevention license activation</p><p>2. Check if DLP module is enabled. Refer to Enabling the Data Loss Prevention Module</p><p>3. Check if DLP is installed properly. Refer to Verifying if Data Loss Prevention was installed properly</p><p>4. Check if the issue is happening on a specific browser or on all browsers.</p><p>5. You may go to https://dlptest.com/ for testing purposes.</p><p>6. Check if the agent received the setting. Go to <Agent_Install_Folder>\dlplite\clc_in.xml (internal agent) or clc_out.xml (external agent). Verify if the HTTP and HTTPS channels are selected.</p><p>7. If the agent did not receive the setting, check the communication between the server and agent.</p><p>8. If the agent received the setting but the same issue occurs, collect CDT logs on the agent. Refer to Collect CDT on the Agent</p><p>Some Devices are being blocked by DLP (e.g. Scanner)</p><p>1. Check if DLP license is activated.
Refer to Apex One Data Loss Prevention license activation</p><p>2. Check if DLP module is enabled. Refer to Enabling the Data Loss Prevention Module</p><p>3. Check if DLP is installed properly. Refer to Verifying if Data Loss Prevention was installed properly</p><p>4. Check in Device Manager if the scanner is being detected as USB, Printer, or another Device Type.</p><p>5. Check if the agent received the setting. Go to <Agent_Install_Folder>\dlplite\dc_in.xml (internal agent) or dc_out.xml (external agent). Verify if the permissions are correct.</p><p>6. If the agent did not receive the setting, check the communication between the server and agent.</p><p>7. If the agent received the setting but the same issue occurs, collect the Device Control Information. Refer to Collect Device Control Information</p><p>Information and logs to Collect:</p><p>Collect CDT on the Server</p><p>1. Download the latest CDT from this link: https://downloadcenter.trendmicro.com/index.php?regs=ph&prodid=25&_ga=2.146896951.1613711976.1587965719-175934259.1554708004</p><p>2. Run the CDT as Admin and select Basic Information.</p><p>3. Replicate the issue.</p><p>4. Collect today's log.</p><p>Collect CDT on the Agent</p><p>1. Download the latest CDT from this link: https://downloadcenter.trendmicro.com/index.php?regs=ph&prodid=25&_ga=2.146896951.1613711976.1587965719-175934259.1554708004</p><p>2. Run the CDT as Admin and select Basic Information and Data Loss Prevention.</p><p>3. Replicate the issue.</p><p>4. Collect today's log.</p><p>Collect Device Control Information</p><p>1. Copy C:\Windows\System32\dgagent\listDeviceInfo.exe into C:\temp</p><p>2. Copy this logger.cfg into C:\</p><p>3. Download WinAudit from: http://www.parmavex.co.uk/winaudit.html</p><p>4. Turn on the CDT tool and select [Basic Information & Data Loss Prevention]. Refer to Collect CDT on the Agent</p><p>5.
Plug the device into the computer</p><p>6. Run C:\temp\listDeviceInfo.exe</p><p>7. Run winaudit.exe</p><p>8. Wait a couple of minutes until the auditing is over and the STOP icon is greyed out, as follows:</p><p>9. Select File > Save to save the report.</p><p>10. Unplug the device</p><p>11. Turn off the CDT tool</p><p>12. Collect the report and debug logs:</p><p>· C:\temp\devInfo.(hostname)_(3 digits).log</p><p>· C:\temp\dlpDeviceReport.htm</p><p>· Winaudit report</p><p>· CDT logs</p><p>Collect dsagent Crash Dump File</p><p>If the DLP service process dsagent.exe crashes, its dump will be automatically created in the following location: %WINDIR%\dsacrash.dmp</p><p>How to Isolate if issue is caused by DLP?</p><p>1. Unload Apex One agent.</p><p>2. Isolate DLP driver first. Rename the file:</p><p>3. %WINDIR%\System32\drivers\sakfile.sys to %WINDIR%\System32\drivers\sakfile.sys.bk</p><p>4. Reboot and check if the issue is gone.</p><p>5. If the issue persists, isolate DLP service. Rename the file:</p><p>6. %WINDIR%\System32\dgagent\dsagent.exe to %WINDIR%\System32\dgagent\dsagent.exe.bk</p><p>7. Reload Apex One agent.</p><p>8. Report the two isolation results.</p><p>How to Collect Full HTTP Dump?</p><p>1. Unload Apex One agent.</p><p>2. Edit %windir%\system32\dgagent\dsa.pro</p><p>3. Add the lines below:</p><p>log_raw_data=true</p><p>keep_tmp_file=true</p><p>dump_all=true</p><p>dump_dir=dumpdir</p><p>4. Close all browser processes.</p><p>5. Restart DLP agent by reloading Apex One agent.</p><p>6. Browse some websites and reproduce the issue. Check that HTTP data is recorded in %windir%\system32\dgagent\dumpdir</p><p>7. Collect the full folder after the issue is reproduced.</p><p>E.
Apex One (Mac)</p><p>Apex One (Mac) Server Requirements</p><p>For full details, refer to this article: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-(mac)-2019-server-online-help/installing-the-serve_001/system_requirements.aspx</p><p>Apex One (Mac) Server Installation and Activation</p><p>1. Apex One (Mac) server can be installed from the Apex One or OfficeScan Plug-ins tab.</p><p>For full details, refer to: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-(mac)-2019-server-online-help/installing-the-serve_001/install_server.aspx</p><p>2. Apex One (Mac) SaaS version: if you are using the Apex One full license key, it will automatically activate Apex One (Mac). If you are using a separate legacy license for Apex One (Mac), the license needs to be added and activated on Apex Central first.</p><p>Installation Verification</p><p>1. Installation Logs</p><p>· c:\TMSM_PreInstall.log</p><p>· c:\TMSM_Install.log</p><p>· c:\TMSM_DBInstall.log</p><p>· c:\TMSM_serverInfoTool.log</p><p>2. Apex One (Mac) Services</p><p>Verify that the following services display on the Microsoft Management Console</p><p>o ActiveMQ for Apex One (Mac)</p><p>o Apex One (Mac) Main Service</p><p>3. Apex One (Mac) Process</p><p>Verify that the process is running in Windows Task Manager:</p><p>o TMSMMainService.exe</p><p>4.
Apex One (Mac) Registry Key location</p><p>Verify that the following registry key exists in Registry Editor: HKEY_LOCAL_MACHINE\Software\TrendMicro\OfficeScan\service\AoS\OSCE_ADDON_TMSM</p><p>5. Apex One (Mac) Server Installation Folder</p><p>If you accept the default settings during Apex One server installation, you will find the server installation folder at any of the following locations:</p><p>· C:\Program Files\Trend Micro\OfficeScan\Addon\TMSM</p><p>· C:\Program Files\Trend Micro\Apex One\Addon\TMSM</p><p>· C:\Program Files (x86)\Trend Micro\OfficeScan\Addon\TMSM</p><p>· C:\Program Files (x86)\Trend Micro\Apex One\Addon\TMSM</p><p>6. IIS App Pool</p><p>Apex One (Mac) agent Installation</p><p>You may get the installer file for the Apex One (Mac) Security Agent either from Apex Central or from the Apex One (Mac) plug-in.</p><p>1. Log on to the Trend Micro Apex Central console.</p><p>2. Go to Administration > Security Agent Download.</p><p>3. Select the "Mac OS" operating system.</p><p>4. Click Download.</p><p>Expected Result: After step 4, the tmsminstall.zip file package downloads successfully.</p><p>Procedure:</p><p>1. On the target endpoint, unzip the tmsminstall.zip file package.</p><p>2. Go to the unzipped folder and double-click the tmsminstall.pkg file to install the Apex One (Mac) Security Agent.</p><p>Expected Result: The Apex One (Mac) Security Agent successfully installs on the endpoint.</p><p>The results display as shown in the following figure.</p><p>1. Verify that the Security Agent tray icon is on the menu bar.</p><p>2. Click the Security Agent tray icon and verify that the agent status is "Protection Enabled".</p><p>3. Verify that the TrendMicro folder is available in the /Library/Application Support/ directory.</p><p>4. Check server connection status.
The icon on the Security Agent console from the system tray indicates the parent server connection status.</p><p>Deploying Apex One (Mac) Policy from Apex Central</p><p>Overview: For this example, we deploy an Apex One (Mac) policy with Endpoint Sensor (iES) enabled:</p><p>1. Log in to the Apex Central Web Console.</p><p>2. Go to Policies > Policy Management.</p><p>3. Select Apex One (Mac) from the Product drop-down menu and click Create.</p><p>4. In the Create Policy screen, type in the name of the policy as Deploy Apex One for Mac.</p><p>5. Select Specify Target(s) and do the following:</p><p>a. In the Search tab, select Operating Systems checkbox and type Windows 10. Click Search.</p><p>6. In the search result, select the Mac endpoint and click the Add Selected Targets button to add.</p><p>Click OK to go back to the Create Policy screen</p><p>7. Most Apex One features are enabled by default. For this exercise, enable the Endpoint Sensor feature.</p><p>Scroll to the bottom and expand the Endpoint Sensor tab. Click the Enable Endpoint Sensor checkbox to enable this feature.</p><p>8. Click Deploy to start deploying the policy to the Apex One for Mac Security Agent.</p><p>9. Go to Administration > Command Tracking > Look for recent Apply Policy under Command column > Click the Successful results to verify if it's already deployed on Agent's Apex One Server.</p><p>10. Go to Policies > Policy Management and verify that Apex One (Mac) Policy is now on Deployed status.</p><p>11.
When deployment is finished, connect to the Mac endpoint, open the Apex One Security Agent Console via the system tray icon and verify that Endpoint Sensor is now enabled (with its running Trend Micro Security for Mac agent).</p><p>Apex One (Mac) Common Issues</p><p>In this section, we will discuss commonly encountered issues in Apex One (Mac) including console blank page, plugin errors, and services stopping.</p><p>Issue 1: How to troubleshoot "Blank page when accessing console"?</p><p>Description: Upon installing a later build of Apex One for Mac, the user is unable to access the plugin and is instead shown a blank screen when clicking on "Manage Program"</p><p>Troubleshooting Steps:</p><p>A. From sample ofcdebug.log file, you may find this error:</p><p>B. In sample debug.log, check the requested certificate name:</p><p>C. Check the certificates on the Apex One server. To do this:</p><p>Run the command to check if there is any non-self-signed certificate in the root store.</p><p>In the PowerShell interface, copy and run:</p><p>Get-ChildItem Cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}</p><p>D. Collect the information of client certificates:</p><p>1. Open MMC. Run "mmc" in "Start > Run"</p><p>2. Add the certificates snap-in by clicking "File > Add/Remove Snap-in"</p><p>3. Select "Certificates" in the left "Available snap-ins:" list, and then click the "Add >" button to add it to "Selected snap-ins"</p><p>4. Select "Computer account" in "Certificates snap-in" and click "Next>" to continue.</p><p>5. Select "Local computer" in the "Select Computer" window, and click Finish to reflect the operation result.</p><p>6. Make sure "Certificates > Trusted Root > Certificates" has a valid root certificate "OfcOSFWebAppRootCA"</p><p>7. Make sure "Certificates > Trusted People > Certificates" has a valid item "OfcOSFWebApp"</p><p>8.
Double-click the certificate "OfcOSFWebApp", click the "Certification Path" tab and check whether the "Certificate status" is OK.</p><p>E. Verify the server's IIS component installation.</p><p>1. Open "Server Manager" and select "Local Server" in the left pane</p><p>2. Click "Manage > Add Roles and Features" at the top-right side of "Server Manager"</p><p>3. Click "Next>"</p><p>4. Select "Role-based or feature-based installation" and click "Next>"</p><p>5. Leave the default settings and click "Next>"</p><p>6. In the Roles selection list, expand "Web Server (IIS) > Web Server > Security" and make sure "Client Certificate Mapping Authentication" is selected. If not, add this feature for the IIS role.</p><p>If the item above required adding "Client Certificate Mapping Authentication", reboot the computer and test whether the console can be connected.</p><p>However, if the issue still persists, go to this site and follow the answer provided:</p><p>https://stackoverflow.com/questions/26247462/http-error-403-16-client-certificate-trust-issue/35001970</p><p>F. Restart all the TMSM-related services by running the following commands in a command prompt with admin permission</p><p>net stop ofcaosmgr</p><p>net stop tmsmmainservice</p><p>net stop activemq4tmsm</p><p>net start activemq4tmsm</p><p>net start tmsmmainservice</p><p>net start ofcaosmgr</p><p>G. Try to open the Apex One (Mac) or Security for Mac console to confirm whether the console can be opened.</p><p>1. From this point, check if you're able to access the console. If the issue persists, check the debug log again to see whether the same error code (403.16) is there or whether it has changed.</p><p>2. If it has changed to error 404, check if the port bindings by Apex One and TMSM (Apex One Mac) are set accordingly (by default set at 4343).</p><p>3.
If same issue persists, proceed to Collect the required logs.</p><p>Logs Collection</p><p>Proceed to collect debug logs and submit to Technical Support.</p><p>1. CDT log</p><p>Download the latest CDT from this link: https://downloadcenter.trendmicro.com/index.php?regs=ph&prodid=25&_ga=2.146896951.1613711976.1587965719-175934259.1554708004</p><p>Run the CDT as Admin and select Basic Information, TMSM (Apex One for Mac)</p><p>Replicate the issue.</p><p>Collect today's log.</p><p>2. debug.log of TMSM</p><p>3. Take screenshots as well of currently installed certificates in customer environment</p><p>4. IIS bindings</p><p>Issue 2: How to troubleshoot "Unable to install the Apex One (Mac) Server. The product's database cannot be installed."?</p><p>Description: The error below is encountered when trying to install the Apex One (Mac) plug-in.</p><p>Possible Cause:</p><p>The SQL account that Apex One/OfficeScan uses contains special characters in the password.</p><p>Sample logs:</p><p>C:\TMSM_DBTool.log</p><p>C:\TMSM_PreInstall.log</p><p>The error stated above is related to an error in the connection string used to connect to the SQL Server database. The password used to connect to the database has some special characters (Ex. [] {}() , ; ? * ! @.) that are incompatible with the connection string.</p><p>To solve this issue:</p><p>1. Change the password of the account used to connect to the SQL Server. Make sure that the new password does not contain any special characters. (Ex. [] {}() , ; ?'
* !" @.).</p><p>Reference Article: https://blogs.msdn.microsoft.com/spike/2009/10/30/format-of-the-initialization-string-does-not-conform-to-specification-starting-at-index/</p><p>2. To verify if the issue is resolved:</p><p>The Apex One (Mac) plug-in should be installed successfully.</p><p>3. If the same issue persists, proceed to collect the required logs.</p><p>Log Collection</p><p>If the issue persists, collect the following logs for further analysis:</p><p>· C:\TMSM_PreInstall.log</p><p>· C:\TMSM_Install.log</p><p>· C:\TMSM_DbInstall.log</p><p>· C:\TMSM_serverInfoTool.log</p><p>Plugin will not start after installing (upgrade) Apex One patch</p><p>Issue 3: How to troubleshoot "Plugin will not start after installing (upgrade) Apex One patch"?</p><p>Description: The ActiveMQ for Apex One (Mac) was unable to start due to corrupted/missing files caused by the Apex One patch when doing the upgrade/backup.</p><p>Apex One (Mac) Main Service will not start (dependent on ActiveMQ for Apex One (Mac)).</p><p>§ Customer might experience the issue when:</p><p>o Apex One patch was installed (upgrade)</p><p>o Apex One build version is lower than apex-one-2019-win-en-criticalpatch-b2012.exe</p><p>Solution:</p><p>§ This issue has been resolved in apex-one-2019-win-en-criticalpatch-b2012.exe</p><p>Troubleshooting steps:</p><p>1. Verify whether some files are missing or whether there are files that should not be in that directory.</p><p>For example: There should be no \Trend Micro\Apex One\BundledJava\BundledJava folder</p><p>The \Trend Micro\Apex One\BundledJava should only contain</p><p>2. Restore from BundledJava_backup_xxxxx</p><p>3. 
Restart the Apex One Mac services (run restart_TMSM.bat).</p><p>BundledJava_corrupted (missing files)</p><p>https://files.trendmicro.com/products/Apex One/2019/apex_one_2019_win_en_criticalpatch_b2012.exe</p><p>BundledJava_backup_xxxxx (correct files)</p><p>Renamed BundledJava (corrupted) and restored from backup</p><p>4. If the same issue persists, proceed to collect the required logs.</p><p>Log Collection</p><p>If the issue persists, collect the following required logs:</p><p>1. TMSM logs (<Apex One>\Addon\TMSM\apache-activemq\data)</p><p>2. activemq.log</p><p>3. wrapper.log</p><p>The logs show the last running state of ActiveMQ for Apex One (Mac), which can be correlated with the timestamp when the Apex One patch was installed (hotfix_history).</p><p>Issue 4: The Apex One (Mac) agent is unable to start the protection on a Mac upgraded to macOS Catalina v10.15 or higher.</p><p>Compatibility</p><p>Apex One Mac supports macOS Catalina 10.15.4 on the following agent versions as of writing:</p><p>Apex One On-premise: 3.5.2100 or higher</p><p>Apex One SaaS: 3.5.3310 or higher</p><p>Issues that might be caused by a macOS Catalina build upgrade are:</p><p>o Unable to Start Protection</p><p>- after applying all pre-requisites (kext, Full Disk Access, reboot)</p><p>o Apex One Mac console not showing</p><p>- after performing a "Reboot"</p><p>o Apex One Mac console keeps on restarting</p><p>- restarting approximately every 30+ seconds, conflict with other modules</p><p>o Freezing login screen (sleep)</p><p>- stuck for approximately 15 seconds</p><p>o Unable to collect debug logs</p><p>- Unable to generate the TMSMLog.tar after a number of hours (typically it should take around 15 - 30 minutes).</p><p>Starting from macOS Catalina 10.15, Apple implemented new driver and security enhancements. 
macOS devices that were already upgraded to macOS Catalina with an agent version lower than 3.5.2089 need to uninstall and reinstall the agent.</p><p>For full details, refer to this KB article: https://success.trendmicro.com/solution/000149499-Trend-Micro-Apex-One-Mac-Support-for-macOS-1015-Catalina</p><p>How to effectively submit this issue to Technical Support:</p><p>1. Indicating the right behavior (Category) is beneficial for the troubleshooting steps or next action plan.</p><p>2. If possible, indicate the performance category in the case title or initial summary.</p><p>3. Most performance issues have intermittent and indistinguishable behavior, so take some time to describe your technical observations in the case description to give an overview of the case.</p><p>4. Indicate in the case description the steps that have already been taken.</p><p>Recommended Action Plan:</p><p>1. Upgrade the Apex One (Mac) server to build 3.5.2141 or higher.</p><p>2. Uninstall (tmuninstall.zip) and reinstall (tmsminstall.zip) the Apex One Mac agent. For more details, please refer to this document.</p><p>3. 
If the issue still persists, collect Agent CDT logs: https://success.trendmicro.com/solution/1060046-generating-debug-logs-from-security-for-mac-tmsm</p><p>Agent uninstallation document: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-(mac)-2019-server-online-help/agentinstall_ch_intr/agent-uninstallation.aspx</p><p>iProducts System Requirements</p><p>Apex One Application Control System Requirements</p><p>Here are the pre-requisites for Apex One Application Control:</p><p>Item: Requirement</p><p>System Requirements: Same as Apex One Server and Security Agent</p><p>License:</p><p>· Included in the Apex One Full Feature for Windows and Mac license</p><p>· An existing Trend Micro Endpoint Application Control License (activated in Apex Central)</p><p>Apex Central registration: Required for licensing and Security Agent policy deployment</p><p>Compatibility with Trend Micro Endpoint Application Control:</p><p>· For server: The Apex One server with Application Control can exist on the same server with Trend Micro Endpoint Application Control Server (not recommended)</p><p>Note: Trend Micro Endpoint Application Control server settings are not compatible with Apex One Application Control Feature. 
You must manually configure all policies using the Apex Central web console.</p><p>· For agent: Once you deploy an Apex One Application Control policy to the Apex One Security Agent, the Security Agent will automatically uninstall any existing Trend Micro Endpoint Application Control agent before applying the Apex One Application Control settings.</p><p>Server: The Apex One Setup program installs the Application Control feature automatically during normal Apex One server installation.</p><p>After verifying that the Activation Code includes Application Control, Apex One starts the Trend Micro Application Control Service on the Apex One server computer.</p><p>Apex One Endpoint Sensor Requirements</p><p>Here are the pre-requisites for Apex One Endpoint Sensor:</p><p>Item: Requirement</p><p>System Requirements:</p><p>For server: Same operating system requirements as Apex One Server. SQL Server requirements differ.</p><p>For agent: Same system requirements as the Security Agent</p><p>The feature is only officially supported on the following platforms:</p><p>o Windows 7 SP1</p><p>o Windows 8.1</p><p>o Windows 10</p><p>License:</p><p>· Apex One Endpoint Sensor license (activated in Apex Central)</p><p>· An existing Trend Micro Endpoint Sensor license (activated in Apex Central)</p><p>Apex Central registration: Required for licensing and Security Agent policy deployment</p><p>Compatibility with Trend Micro Endpoint Application Control:</p><p>· For server: The Apex One server with the Apex One Endpoint Sensor feature can exist on the same server with the standalone Trend Micro Endpoint Sensor server (not recommended)</p><p>Note: Standalone Trend Micro Endpoint Sensor server settings are not compatible with Apex One Endpoint Feature. 
You must manually configure all policies using the Apex Central web console.</p><p>· For agent: Once you deploy an Apex One Endpoint Sensor policy to the Apex One Security Agent, the Security Agent will automatically uninstall any existing Trend Micro Endpoint Sensor agent before applying the Apex One Endpoint Sensor settings.</p><p>Redis service: The Apex One server computer cannot have an existing Redis service installed. You must uninstall any existing Redis service and allow the Setup program to install a new service.</p><p>SQL Server version:</p><p>· SQL Server 2017</p><p>· SQL Server 2016 SP1</p><p>Note: This feature does not support SQL Server Express versions</p><p>Database configuration: Full-Text and Semantic Extractions for Search should be enabled</p><p>Apex One Vulnerability Protection System Requirements</p><p>Here are the pre-requisites for Apex One Vulnerability Protection:</p><p>Item: Requirement</p><p>System Requirements: Same as Apex One Server and Security Agent</p><p>License:</p><p>· Included in the Apex One Full Feature for Windows and Mac license</p><p>· An existing Trend Micro Vulnerability Protection license (activated in Apex Central)</p><p>Apex Central registration: Required for licensing and Security Agent policy deployment</p><p>Compatibility with Trend Micro Endpoint Application Control:</p><p>· For server: The Apex One server with the Apex One Vulnerability Protection feature can exist on the same server with the standalone Trend Micro Vulnerability Protection (not recommended)</p><p>Note: Standalone Trend Micro Endpoint Sensor server settings are not compatible with Apex One Endpoint Feature. 
You must manually configure all policies using the Apex Central web console.</p><p>· For agent: Once you deploy an Apex One Vulnerability Protection policy to the Apex One Security Agent, the Security Agent will automatically uninstall any existing Trend Micro Vulnerability Protection agent before applying the Apex One Vulnerability Protection settings.</p><p>Compatibility with other Trend Micro products:</p><p>The following Trend Micro products are not compatible with the Apex One Vulnerability Protection feature:</p><p>· Deep Security Agent</p><p>· Intrusion Defense Firewall agent</p><p>You cannot activate the Apex One Vulnerability Protection feature on Security Agents installed on endpoints with an incompatible agent program installed. You must uninstall the conflicting program before activating the Apex One Vulnerability Protection feature.</p><p>How to enable debug?</p><p>How to debug Apex One Server?</p><p>1. Debugging the server using the web UI.</p><p>1. Hover the mouse over the “T” of Trend Micro on the banner after logging in.</p><p>2. Click the letter T and the debugging window appears.</p><p>3. Enable the debug mode.</p><p>4. Select Error for the Debug Level.</p><p>5. Click on Save. You can now replicate the issue.</p><p>6. After reproducing the case, click again on the “T” of Trend Micro. Before disabling the debug log, take note of the location of the log file. Then, disable the debug mode.</p><p>2. Manually debugging the server.</p><p>1. Copy the contents of the \Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Private\LogServer to the root of C:</p><p>2. Edit the ofcdebug.ini file now located in the root of C:</p><p>3. Change DebugLog= C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Log\ofcdebug.log to "DebugLog=.\ofcdebug.log".</p><p>4. Change debugLevel_new=I to "debugLevel_new=D".</p><p>5. 
Change ForceStopOtherLogserver=0 to "ForceStopOtherLogserver=1".</p><p>· If larger logs are desired, you can edit the debugSplitSize line. Default is 10 MB before splitting and zipping the old file.</p><p>· By default, DebugMaxSplit=500, which limits the total number of split logs to 500 files.</p><p>6. Save the file.</p><p>7. Run LogServer.exe as Admin.</p><p>· You will see the ofcdebug.log file created in the root of C:</p><p>· When the file rolls over, it will compress the old file with a .7z and start a new ofcdebug.log.</p><p>8. Reproduce the issue.</p><p>9. Close the LogServer.exe window to stop the debug log.</p><p>10. Delete the files copied from \Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Private\LogServer.</p><p>How to debug Widget Framework?</p><p>1. Go to the C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\widget\repository\widgetPool\product\ directory in the OfficeScan Server.</p><p>2. Open the config.php file and change the value of wfconf_debug lines as shown below:</p><p>$GLOBALS['wfconf_debug'] = true;</p><p>$GLOBALS['wfconf_client_debug_level'] = "DEBUG";</p><p>3. Save and close the file.</p><p>Make sure the other debug tools mentioned in this article are running simultaneously.</p><p>4. Replicate the issue.</p><p>5. Collect the following files from the ..\Trend Micro\OfficeScan\PCCSRV\Web_OSCE\Web_console\HTML\widget\repository\log\ directory:</p><p>· diagnostic.log</p><p>· client_diagnostic.log</p><p>Important: Disable debug mode before collecting the widget debug log.</p><p>To disable the debug log, open the config.php file and set the values as follows:</p><p>o $GLOBALS['wfconf_debug'] = "null";</p><p>o $GLOBALS['wfconf_client_debug_level'] = "OFF";</p><p>How to debug CM Agent Issues?</p><p>1. On the Apex One server, open the \Apex One\PCCSRV\CmAgent folder.</p><p>2. Open the product.ini file in a text editor.</p><p>3. 
Add the following lines at the end of the file:</p><p>[debug]</p><p>debugmode=3</p><p>debuglevel=3</p><p>debugtype=0</p><p>debugsize=10000</p><p>debuglog=c:\CMAgent_debug.log</p><p>4. Save and close the file.</p><p>5. Replicate the issue you encountered.</p><p>6. Send the C:\CMAgent_debug.log to Trend Micro Technical Support.</p><p>To disable debug mode, open the product.ini file, then remove the lines you added in Step 3.</p><p>How to manually debug the agent?</p><p>1. Copy the contents of the \Program Files (x86)\Trend Micro\OfficeScan Client\Temp\LogServer\ folder (excluding the Log folder) to the root of C:</p><p>2. Edit the ofcdebug.ini file now located in the root of C:</p><p>3. Change DebugLog=.\Log\ofcdebug.log to "DebugLog=.\ofcdebug.log".</p><p>4. Change debugLevel_new=E to "debugLevel_new=D".</p><p>5. Change ForceStopOtherLogserver=0 to "ForceStopOtherLogserver=1".</p><p>· If larger logs are desired, you can edit the debugSplitSize line. Default is 10 MB before splitting and zipping the old file.</p><p>· By default, DebugMaxSplit=100, which limits the total number of split logs to 100 files.</p><p>6. Save the file.</p><p>7. Run LogServer.exe as Admin.</p><p>· You will see the ofcdebug.log file created in the root of C:.</p><p>· When the file rolls over, it will compress the old file with a .7z and start a new ofcdebug.log.</p><p>8. Reproduce the issue.</p><p>9. Close the LogServer.exe window to stop the debug log.</p><p>10. Delete the files copied from \Program Files (x86)\Trend Micro\OfficeScan Client\Temp\LogServer\.</p><p>How to debug Scan Engine?</p><p>1. Open the Registry Editor.</p><p>Note: Always back up the whole registry before making any modifications. Incorrect changes to the registry can cause serious system problems.</p><p>http://intkb.trendmicro.com/solution/en-us/0011939.aspx</p><p>2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TMFilter\Parameters.</p><p>3. 
Change the value of the "DebugLogFlags" key to "00003eff".</p><p>4. Replicate the issue.</p><p>5. Once done, disable the debug mode by restoring the "DebugLogFlags" key to "0".</p><p>6. Locate the TMFilter.log file in your %SystemRoot% folder and send it to Trend Micro Technical Support.</p><p>How to enable Apex One Diagnostic Log?</p><p>1. Back up the file: ..\PCCSRV\Web_OSCE\Web_console\HTML\widget\repository\widgetPool\product\config.php</p><p>2. Open 'config.php' in Notepad and change the value of debug to 'True', then click Save.</p><p>See the example below:</p><p>$GLOBALS['wfconf_debug'] = true;</p><p>3. Restart the Apex One Master service. The log will be generated in the location below:</p><p>..\PCCSRV\Web_OSCE\Web_console\HTML\widget\repository\log\diagnostic.log</p><p>Note: To disable the diagnostic log debugging, revert to the original config.php or change the value of debug back to 'null' again.</p><p>https://success.trendmicro.com/contact-support</p><p>How to debug SPS Server using CLI?</p><p>This method is useful when the customer cannot collect CDT or log in using the SPS Web Console.</p><p>How to generate CDT via SSH?</p><p>1. Connect to the SPS server using SSH. In this example we will use PuTTY.</p><p>2. Log in with the root account.</p><p>3. Run the following command:</p><p>/usr/tmcss/bin/CDT_ICRC_Linux.sh</p><p>4. Collect the CDT file. The location of the file will be provided after the command finishes running.</p><p>In this example, the file is located in /var/tmcss/cdt/Info_20171110_031204.tar.gz</p><p>How to collect CDT using WinSCP?</p><p>1. Download and install WinSCP on a Windows machine to collect the CDT data.</p><p>2. Run the WinSCP application, input the credentials needed for the SPS server, then click Login.</p><p>3. 
You can see that we are now successfully connected to the SPS server and can see all the directories available on the SPS server.</p><p>https://winscp.net/download/WinSCP-5.9.5-Setup.exe</p><p>4. Go to the directory where the CDT data is saved.</p><p>/var/tmcss/cdt</p><p>5. Select the CDT data and click Download.</p><p>6. Browse to the location where you want to copy the CDT data on your desktop.</p><p>7. It will start copying the data. After the download is complete, you can see the CDT data on your Desktop where you saved it.</p><p>8. You can now zip this file and send the data to Trend Micro Technical Support, or you can also try analyzing the data.</p><p>Indexes</p><p>How to collect logs using Windows Performance Recorder (WPR)?</p><p>Windows Performance Recorder (WPR) is a tool that extends Event Tracing for Windows (ETW) and provides detailed recordings of system and application behavior and resource usage. You can use WPR together with Windows Performance Analyzer (WPA) to investigate particular areas of performance and to gain an overall understanding of resource consumption. WPR and WPA enable development and IT professionals to proactively identify and resolve performance issues. WPR requires Windows 8 or later version operating system.</p><p>How to Use?</p><p>1. 
Download and install Windows Performance Recorder from Windows MSDN: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk</p><p>o Windows 8 and later => Use Win10 WPT</p><p>o Windows 7/2008R2 => Windows 8 WPT</p><p>o Windows Vista/2008 => Use WPT 4.x, refer to WPT 4.x usage</p><p>2. Once installed, open cmd.exe with elevated privilege and launch WPRUI.exe to open Windows Performance Recorder.</p><p>3. Select the following:</p><p>Logging Mode: File</p><p>Resource Analysis:</p><p>· CPU Usage</p><p>· Disk I/O Activity</p><p>· File I/O Activity</p><p>· Registry I/O Activity</p><p>NOTE: If this performance issue is about memory usage, you could also select the following:</p><p>· Heap Usage</p><p>· Pool Usage</p><p>4. Click the Start button to begin recording.</p><p>a. Select what resource you want to monitor.</p><p>Note: Select what is applicable based on the issue you are troubleshooting.</p><p>b. Click “start” to run the tool.</p><p>5. Reproduce the issue.</p><p>Note: Ensure that the issue is happening when collecting information. Keep the tool running for about 30-60 sec or up until the replication is done.</p><p>6. Save the .etl file when the high CPU issue occurs.</p><p>7. Compress the .etl file with zip format.</p><p>How to collect Windows Dump Files?</p><p>For BSOD or system hang issues, we need at least a full dump.</p><p>How to collect FULL memory dump?</p><p>1. Download the free Microsoft tool "DumpConfigurator.hta".</p><p>See link to download: https://archive.codeplex.com/?p=winplattools</p><p>2. Unzip WinPlatTools.zip and go to \WinPlatTools\sourceCode, where you will see DumpConfigurator.hta.</p><p>3. Run it with Administrator privilege.</p><p>4. All the settings can be edited and saved by clicking Save Settings. 
The system will have to be rebooted for the settings to take effect.</p><p>5. Submit the C:\Windows\MEMORY.DMP to Trend Micro Support Team.</p><p>How to collect ProcDump logs?</p><p>We can use ADplus or ProcDump to collect the dump for the crashed process.</p><p>1. Download the latest version of ProcDump here: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump</p><p>2. Extract the tool (procdump.exe) to a temporary folder, such as the desktop, on the target computer.</p><p>3. Open a command prompt (run as Administrator) and change the directory to where procdump.exe was extracted.</p><p>4. Run the following command: procdump -ma someprocess.exe -s 20 -p "\Processor(_Total)\% Processor Time" 80</p><p>5. Click the Agree button when the EULA dialog box shows up.</p><p>The switches are defined as follows:</p><p>-ma someprocess.exe - generates a full dump of the someprocess.exe process (for example, ntrtscan.exe)</p><p>-s 20 - means 20 seconds before creating the dump</p><p>-p "\Processor(_Total)\% Processor Time" 80 - means a threshold of 80% CPU</p><p>When the above command is executed, ProcDump monitors someprocess.exe, and only when it reaches 80% CPU utilization for 20 seconds does the tool start creating the full memory dump. The tool terminates itself after creating the process dump file, which is found in the same file path as procdump.exe.</p><p>How to collect ProcMon logs?</p><p>Process Monitor can also be useful for performance issues, although care needs to be taken as Process Monitor can also have a performance impact on the machine.</p><p>1. Download the Process Monitor Utility from Microsoft and place it on the machine.</p><p>2. Extract the files.</p><p>3. Run ProcMon.exe and accept the EULA.</p><p>It will automatically begin collecting data.</p><p>4. Reproduce the performance issue on the machine.</p><p>5. 
After the issue has been reproduced, stop the collection by clicking the magnifying glass icon in Process Monitor so that there is a red line through it.</p><p>https://technet.microsoft.com/en-US/sysinternals/processmonitor.aspx</p><p>6. Choose File > Save, then select All events and Native Process Monitor Format (PML).</p><p>7. Zip the PML file, then upload it for review.</p><p>How to collect UI Network Traffic Log?</p><p>1. Open the Apex One web console in Internet Explorer.</p><p>2. Press F12.</p><p>3. Go to the Network tab and make sure that the debug is recording:</p><p>4. Access the Apex One web console to replicate the issue.</p><p>5. Save the log as a HAR file:</p><p>Note: To disable the recording, just close the F12 Developer Tools.</p><p>How to replicate issue for Offline agents?</p><p>Steps on how to replicate the issue for offline agents:</p><p>1. Enable CDT/Manual debug on Apex One server</p><p>2. Enable CDT/Manual debug on Apex One agent</p><p>3. Start Wireshark on Apex One agent</p><p>4. Start Wireshark on Apex One server</p><p>5. Unload/Reload Apex One agent. Provide timestamps.</p><p>6. Wait for 10 minutes</p><p>7. Collect logs and submit to Trend Micro Support Team</p><p>There are instances where the machines cannot handle the load of running CDT and Wireshark at the same time.</p><p>You can follow the steps below:</p><p>1. Enable CDT/Manual debug on Apex One server</p><p>2. Enable CDT/Manual debug on Apex One agent</p><p>3. Unload/Reload Apex One agent. Provide timestamps.</p><p>4. Wait for 10 minutes</p><p>5. Collect CDT logs</p><p>6. Start Wireshark on Apex One agent</p><p>7. Start Wireshark on Apex One server</p><p>8. Unload/Reload Apex One agent. Provide timestamps.</p><p>9. Wait for 10 minutes</p><p>10. Collect Wireshark logs and CDT logs and submit to Trend Micro Support Team</p><p>How to replicate issue for Outdated agents?</p><p>Steps for replicating the issue for outdated agents:</p><p>1. 
Enable CDT/Manual debug on Apex One server</p><p>2. Enable CDT/Manual debug on Apex One agent</p><p>3. Enable CDT/Manual debug on the Update Agent if the agent gets updates from an Update Agent</p><p>4. Unload/Reload Apex One agent. Provide timestamps.</p><p>5. Wait for 10 minutes (Note: wait for all Apex One agent services and drivers to be completely loaded, and wait for the Apex One server to notify the agent to perform the program upgrade)</p><p>6. Collect logs and submit to Trend Micro Support Team</p><p>How to check if Apex One Server is using 3rd-party certificate?</p><p>1. Access the Apex One Server.</p><p>2. Look for the IIS logs and open the latest IIS log.</p><p>3. Look for this keyword: SystemCall and check if the HTTP result is 403.16</p><p>4. Open certlm.msc and check the following certificates:</p><p>a. Personal > Certificate</p><p>b. Trusted People > Certificate</p><p>c. OfcOSF > Certificate</p><p>5. Open inetmgr and check the certificate being used in the Apex One Site Bindings:</p><p>a. Click on Sites > OfficeScan.</p><p>b. Click on Bindings.</p><p>c. Click on https > Edit.</p><p>d. Check whether the certificate being used is the default certificate or a 3rd-party issued certificate.</p><p>6. If the customer is using a 3rd-party certificate, follow the steps in this KB:</p><p>https://success.trendmicro.com/solution/1122205-configuring-apex-one-to-use-a-certificate-signed-by-corporate-certificate-authority</p><p>7. 
If customer is using the default certificate and you still see HTTP 403.16, add the following registry:</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel]</p><p>Name: ClientAuthTrustMode</p><p>Type: REG_DWORD</p><p>Value: 2</p><p>https://success.trendmicro.com/solution/1122205-configuring-apex-one-to-use-a-certificate-signed-by-corporate-certificate-authority</p><p>https://success.trendmicro.com/solution/1122205-configuring-apex-one-to-use-a-certificate-signed-by-corporate-certificate-authority</p><p>205 / 206</p><p>8. Try again to deploy the license.</p><p>206 / 206</p><p>Feedback</p><p>For comments and suggestions you can answer a quick survey below.</p><p>· Comments and Suggestions</p><p>Useful links</p><p>Description URL</p><p>Knowledge Base https://success.trendmicro.com/product-support/apex-one</p><p>Online documents https://docs.trendmicro.com/en-us/enterprise/apex-one.aspx</p><p>· Installation and Upgrade Guide</p><p>· Administration Guide</p><p>· System Requirements</p><p>· Online Help</p><p>CDT Tool How to use CDT Tool?</p><p>Download link</p><p>https://www.surveymonkey.com/r/L3MT8GF</p><p>https://success.trendmicro.com/product-support/apex-one</p><p>https://docs.trendmicro.com/en-us/enterprise/apex-one.aspx</p><p>https://success.trendmicro.com/solution/1055229-using-the-case-diagnostic-tool-cdt-to-collect-the-information-needed-by-technical-support</p><p>https://downloadcenter.trendmicro.com/index.php?regs=ph&prodid=25&_ga=2.100154846.1776803107.1586752149-1517366574.1585128821</p><p>Introduction</p><p>What's new</p><p>I. Reviewing System Requirements</p><p>Pre-deployment</p><p>Collecting Basic Information</p><p>II. Policy Deployment Process</p><p>What happens after a policy is deployed from Apex Central to Apex One Server?</p><p>Policy Deployment Triggers</p><p>Time needed for policy deployment status to reflect on Apex Central</p><p>Apex One Policy vs. 
Integrated Features</p><p>Scenario 1: Default iProduct policy settings</p><p>Scenario 2: Apex One server does not have a valid iProduct license</p><p>Agent Optimization</p><p>General Problem Isolation Testing</p><p>III. Apex One Common Issues</p><p>A. Server Installation/Upgrade Issues</p><p>Troubleshooting Tips</p><p>Fresh installation of Server</p><p>Upgrade from OfficeScan to Apex One Server</p><p>Critical Patch/Hotfix Installation</p><p>Logs to collect</p><p>Useful links</p><p>B. Agent Installation Issues</p><p>Troubleshooting Tips</p><p>Remnants of old installation</p><p>3rd-party AV is installed</p><p>Logs to collect</p><p>C. Offline Issues</p><p>Troubleshooting Tips</p><p>Check Server/Agent communication</p><p>Identify IIS Issues</p><p>TLS Issue</p><p>Check License and Configuration</p><p>Licensing</p><p>Check DB Connection</p><p>NAT agents</p><p>Logs to collect</p><p>D. Agent Upgrade Issues</p><p>Troubleshooting Tips</p><p>How to check for Server/Agent Communication?</p><p>How to review the agent update configuration?</p><p>How to check for Mismatched Certificate?</p><p>Upgrade File Issue</p><p>Review Update Agent Configuration</p><p>Unable to upgrade Windows 10</p><p>Logs to collect</p><p>E. Performance Issues</p><p>Troubleshooting Tips</p><p>Optimization of System Performance</p><p>Disable Windows Defender</p><p>Battery Configuration</p><p>Logs to collect</p><p>F. Web Console Issues</p><p>Troubleshooting Tips</p><p>Apex One Master Service was stopped</p><p>Logs to collect</p><p>G. Smart Protection Server (SPS) Issues</p><p>Troubleshooting Tips</p><p>Unable to Login to SPS console</p><p>Unable to Login using Root Password</p><p>Changing SPS IP Address</p><p>Web Reputation Service (WRS) and File Reputation Service (FRS) shows Unavailable</p><p>Best Practice Configuration</p><p>Logs to collect</p><p>IV. Apex One iProduct Common Issues</p><p>iProduct Activation Code (AC) Guide</p><p>A. 
Apex One Endpoint Sensor (iES)</p><p>Installation of Apex One Endpoint Sensor</p><p>iES Installation Verification</p><p>iES Installation failed</p><p>Activating Apex One Endpoint Sensor (iES)</p><p>Apex One Endpoint Sensor (iES) Policy Deployment Issue</p><p>Apex Central Issue</p><p>Apex One Issue</p><p>Apex One agent Issue</p><p>Useful links</p><p>Log Collection per Issue</p><p>B. Apex One Application Control (iAC)</p><p>Policy Deployment Flow for iAC</p><p>Check Apex One Server status in Apex Central</p><p>Verify iAC Service Status</p><p>How to Verify iAC Service Status in Apex One Server</p><p>Apex One Server Certificates</p><p>How to Verify iAC Service Status in Apex One Agent</p><p>Troubleshooting iAC Policy Deployment</p><p>Policy Error “Product Communication Error”</p><p>Policy Error “Application Control Service: Unactivated licenses”</p><p>Policy Error “Pending: Waiting for product agent”</p><p>Log Collection</p><p>C. Apex One Vulnerability Protection (iVP)</p><p>iVP Licensing Issue</p><p>Review Command Tracking/IIS/Services Status</p><p>Troubleshooting "iProduct Service not Starting"</p><p>Troubleshooting Certificate Issue "License Deployment was Unsuccessful"</p><p>Policy Deployment Issue</p><p>Policy status “Pending: Apex Central deploying”</p><p>Policy status “System error. Error ID: 5”</p><p>Policy status shows "Unable to logon Product"</p><p>Policy status “Pending: Waiting for product agent”</p><p>Log Collection</p><p>Apex Central</p><p>Apex One Server</p><p>Apex One Agent</p><p>Enabling Manual Debug</p><p>D. 
Apex One Data Loss Prevention (iDLP)</p><p>Pre-requisites when deploying Data Loss Prevention</p><p>Apex One Data Loss Prevention (iDLP) Installation</p><p>Apex One Data Loss Prevention (iDLP) License Activation</p><p>Enabling and Verifying the Data Loss Prevention (iDLP) Module</p><p>Enabling iDLP via Apex Central</p><p>Enabling iDLP via Apex One</p><p>Verifying if iDLP policy is deployed</p><p>Verifying if iDLP is installed properly</p><p>Blocking USB using Device Control</p><p>Adding USB device to Approved List</p><p>Deploying Data Loss Prevention Policy</p><p>Deploying iDLP via Apex Central</p><p>Deploying iDLP via Apex One</p><p>Troubleshooting iDLP Common Issues</p><p>Data Protection Status is showing “Not Installed”</p><p>Data Protection Status is showing “Stopped”</p><p>Unable to install Data Protection plug-in</p><p>USB Exception is not working</p><p>USB Blocking is not working</p><p>DLP Blocking is not working in browser</p><p>Some devices are being blocked by DLP (e.g. Scanner)</p><p>Log Collection</p><p>Collect CDT on the Server</p><p>Collect CDT on the Agent</p><p>Collect Device Control information</p><p>Collect dsagent crash dump file</p><p>Isolation if issue is caused by DLP</p><p>Collect Full HTTP Dump</p><p>E. Apex One (Mac)</p><p>Apex One (Mac) Server Requirements</p><p>Apex One (Mac) Server Installation and Activation</p><p>Installation Verification</p><p>Apex One (Mac) agent Installation</p><p>Deploying Apex One (Mac) Policy from Apex Central</p><p>Apex One (Mac) Common Issues</p><p>Blank page when accessing console</p><p>Logs to be collected</p><p>Getting error "Format of the initialization string does not conform to specification..." on TMSM_DBTool.log when installing Apex One (Mac) plug-in</p><p>Logs to be collected</p><p>Plugin will not start after installing (upgrade) Apex One patch</p><p>Logs to be collected</p><p>Apex One (Mac) agent is unable to start after upgrading to macOS 10.15 (Catalina)</p><p>iProduct System Requirements</p><p>V. 
How to enable debug?</p><p>How to debug the Apex One server?</p><p>How to debug Widget Framework?</p><p>How to debug CM Agent Issues?</p><p>How to manually debug the agent?</p><p>How to debug Scan Engine?</p><p>How to enable Apex One Diagnostic Log?</p><p>How to debug SPS Server using CLI?</p><p>Indexes</p><p>How to collect Windows Performance Recorder (WPR)?</p><p>How to collect Windows Dump Files?</p><p>How to collect Procdump Logs</p><p>How to collect ProcMon logs?</p><p>How to collect UI Network Traffic Log?</p><p>How to replicate issue for Offline agents?</p><p>How to replicate issue for Outdated agents?</p><p>How to check if Apex One Server is using 3rd-party certificate?</p><p>Feedback</p><p>Useful links</p><p>This document serves as a manual for troubleshooting common issues. It provides in-depth troubleshooting guidelines about the configuration, components, and functionality of Apex One on-premise.</p><p>Following this document ensures that submitted cases have already been isolated and verified against the given troubleshooting guidelines.</p><p>Overview</p><p>The figure below shows a sample Apex One setup.</p><p>What's New in Apex One!</p><p>This guide helps partners and customers learn the common issues on Apex One and how to troubleshoot them. It contains step-by-step procedures, Apex One commands, and useful tools.</p><p>The following table outlines the new features and enhancements in this version of Trend Micro Apex One™.</p><p>Item: Description</p><p>Offline Predictive Machine Learning: Predictive Machine Learning has been upgraded to provide offline protection against portable executable files. The lightweight, offline model helps protect all endpoints against unknown threats when a functional Internet connection is unavailable.</p><p>Fileless Attack Protection: Security Agent policies provide increased real-time protection against the latest fileless attack methods through enhanced memory scanning for suspicious process behaviors. 
Security Agents can terminate suspicious processes before any damage can be done.</p><p>Off-premises Security Agent Protection: Enhanced Edge Relay Server support allows for increased communication between the Apex One server and off-premises Security Agents. Security Agents can receive updated policy settings from the Apex One server even when a direct connection to the server is unavailable.</p><p>Rebranded Console: The OfficeScan server and OfficeScan agent programs have been rebranded to the Apex One server and Security Agent respectively. The new Apex One server integrates with Apex Central (formerly Trend Micro Control Manager) to provide increased protection against security risks. The all-in-one Security Agent program continues to provide superior protection against malware and data loss but also allows you to implement Application Control, Endpoint Sensor, and Vulnerability Protection policies without having to install and maintain multiple agent programs.</p><p>URL: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-2019-server-online-help/introduction-and-get/introducing-product_/whats-new.aspx</p><p>I. Reviewing System Requirements</p><p>In this section, you will see the requirements for Pre-deployment and Collecting Basic Information.</p><p>1. Pre-deployment will discuss the following:</p><p>1. Apex One System Requirements</p><p>2. URLs used by Apex One</p><p>3. Ports and Protocols used by Apex One</p><p>2. Collect Basic Information will discuss items that are needed when submitting a case to Trend Micro Support:</p><p>1. 
Case Description</p><p>2. Server Information</p><p>3. Agent Information</p><p>4. Network Layout</p><p>System Requirements</p><p>Server and client have met minimum system requirements.</p><p>Verify Apex One System Requirements: Check the System Requirements at https://docs.trendmicro.com/all/ent/apex-one/2019/en-us/apexOne_2019_req.pdf</p><p>Supported IP address: Pure IPv4 and dual IP stacks are supported, but pure IPv6 is not supported.</p><p>Product Limitation on IIS:</p><p>· Apex One is a 32-bit program.</p><p>· Apex One installs under WOW on 64-bit computers (Standard and Enterprise editions).</p><p>What URLs are used by Apex One?</p><p>Here are the URLs used by Apex One:</p><p>1. http://osce14-p.activeupdate.trendmicro.com/activeupdate</p><p>2. http://osce14-ilspn30-p.activeupdate.trendmicro.com/activeupdate</p><p>3. http://osce14-ilspn30wr-p.activeupdate.trendmicro.com/activeupdate</p><p>4. http://osce14.icrc.trendmicro.com/</p><p>5. http://osce14-0-en.url.trendmicro.com</p><p>6. http://oscecmp140-de-f.trx.trendmicro.com/</p><p>7. http://osce140-en.fbs25.trendmicro.com/</p><p>8. http://osce14-en-census.trendmicro.com/</p><p>9. http://osce14-en.gfrbridge.trendmicro.com/</p><p>10. http://licenseupdate.trendmicro.com/</p><p>Ports and protocols used by OfficeScan/Apex One that should be allowed through a firewall or router</p><p>Here are the different ports and protocols used in OfficeScan/Apex One which should be allowed to communicate via firewall or router. This is typically the scenario when the customer has deployed either an OfficeScan/Apex One server or a client/agent in a DMZ, or has segmented the network into multiple subnets.</p><p>Agent/Server communication port: It is a random 5-digit port number set during installation. 
To determine this port number, check the "Client_LocalServer_Port" parameter in the \PCCSRV\ofcscan.ini file.</p><p>NetBIOS ports: This uses TCP/UDP port 137, TCP port 139, and TCP port 445. These ports are used when installing clients/agents via Remote Install and when clients/agents send quarantined files to the server using the UNC path.</p><p>Communication with Control Manager/Apex Central: MCP agent uses TCP port 80 on HTTP or TCP port 443 on HTTPS to communicate with Control Manager/Apex Central.</p><p>License ports: These allow access to the Trend Micro License Server via TCP port 443.</p><p>Standalone Smart Protection Server: If Standalone Smart Protection Server is used in the environment, File Reputation Service for smart scan uses port 80 for HTTP and port 443 for HTTPS. Web Reputation Service uses port 5274. The web console uses port 4343 for HTTPS.</p><p>Unmanaged endpoints checking: This port (TCP 135 by default) is used by the OfficeScan/Apex One server to check unreachable endpoints and determine whether they are managed by another OfficeScan/Apex One server. This port can be configured through the following menu path: OfficeScan/Apex One web console > Assessment > Unmanaged Endpoints > Define scope.</p><p>Collect Basic Information</p><p>Case Description</p><p>When submitting a case, it is important to provide clear and complete information about it.</p><p>1. Provide a short description of the problem.</p><p>2. Provide the step-by-step process to reproduce the problem.</p><p>3. Provide a screenshot of the problem/error.</p><p>4. Provide information on any changes to the system or the network before the problem happened.</p><p>5. What is the expected result?</p><p>Server Information</p><p>1. 
Product version and build</p><p>Using the Apex One web console, go to Help > About</p><p>2. Product registry information</p><p>Registry export of HKLM\SOFTWARE\WOW6432Node\TrendMicro\OfficeScan\service\Information</p><p>3. Basic System Information</p><p>Run msinfo32 to open Windows System Information. Click File > Export to save a text file or .nfo file</p><p>4. Event Logs</p><p>o Run eventvwr and then expand Windows Logs:</p><p>o Right-click Application > Save All Events As... > Specify the file name then click Save.</p><p>o Do the same for "Security", "Setup" and "System".</p><p>5. Database Server Information</p><p>o Using the Apex One console, go to Help > About</p><p>o Database Server Type and information (e.g. MSDE/SQLExpress/SQL):</p><p>1. Open PCCSRV\Private\ofcserver.ini</p><p>2. Look for the DBE_ENGINE entry (SQL Server: DBE_ENGINE=1002)</p><p>Note: The Apex One server uses SQL Server by default.</p><p>o Service Pack installed</p><p>1. Using any DB browser tool (e.g. Microsoft SQL Server Management Studio)</p><p>- Go to Run > Type: ssms > Type SQL Query: select @@version > Press F5 to execute the commands.</p><p>6. IIS related applications</p><p>o List down other applications (e.g. Control Manager/Apex Central, 3rd party applications) using IIS.</p><p>o Identify the website security level (Low/Medium/High)</p><p>- Low = HTTP only</p><p>- Medium = SSL primary and HTTP secondary</p><p>- High = SSL only</p><p>7. 
Time Element</p><p>o Take note of the system time of the server (relative to time on the agent)</p><p>o Take note of the system timezone</p><p>Basic Agent Information</p><p>Product version and build:</p><p>· Identify the Apex One agent version and build number</p><p>o Right-click on the system tray icon, then click on Component Version</p><p>· Collect ofcscan.ini in the product agent directory</p><p>Basic System Information: Run msinfo32 and export system information to a text file</p><p>Time Element:</p><p>· Take note of the system time of the agent (relative to time on the server)</p><p>· Take note of the system timezone</p><p>Network Layout</p><p>Check Network Layout: Provide diagrams/drawings of the network layout showing how agents are connected to the Apex One Server</p><p>Identify firewall, VPN, NAT and other networking services in use</p><p>II. Policy Deployment Process</p><p>What happens after a policy is deployed from Apex Central to Apex One Server?</p><p>1. Apex Central deploys policy to Apex One server.</p><p>2. Apex One server dispatches policies to iProduct Servers.</p><p>3. For SaaS, Apex One server now waits for SaaS agents to poll (default every 10 min).</p><p>§ On-premise agents will receive server notification immediately.</p><p>4. After Apex One agents get policy tasks/commands, Apex One agents also notify the iProduct agents.</p><p>5. Apex One server marks an agent as “deployed successfully” once Apex One agents get the policies from the server.</p><p>§ For iProduct agents, after the policies are applied, iProduct agents report policy status to the corresponding iProduct servers accordingly.</p><p>6. iProduct servers write iProduct agents' policy status to the database, and Apex One server consolidates all status results from iProduct servers.</p><p>7. 
Apex One server then sends consolidated policy status to Apex Central.</p><p>Policy Deployment Triggers</p><table><tr><th>SCENARIO</th><th>USE CASE</th><th>AFFECTED ENDPOINTS</th><th>AFFECTED POLICIES</th><th>DEPLOY TIMING</th></tr><tr><td>CREATE POLICY</td><td>New filtered policy</td><td>All endpoints without policy and match the new criteria</td><td>Only this policy</td><td>Immediate</td></tr><tr><td>CREATE POLICY</td><td>New specified policy</td><td>The specified endpoints</td><td>Only this policy</td><td>Immediate</td></tr><tr><td>EDIT POLICY</td><td>Edit targets (criteria) for filtered policy</td><td>All endpoints as long as they are not in specified policies</td><td>All filtered policies</td><td>Immediate</td></tr><tr><td>EDIT POLICY</td><td>Edit targets for specified policy</td><td>Endpoints in this policy (If endpoints are removed from policies, they will be regarded as “new” endpoints by policy deployment flow)</td><td>Only this policy</td><td>Immediate</td></tr><tr><td>EDIT POLICY</td><td>Edit policy settings only</td><td>The endpoints in the policy</td><td>Only this policy</td><td>Immediate</td></tr><tr><td>EDIT POLICY</td><td>Reorder policies (including policy removal)</td><td>All endpoints as long as they are not in specified policies</td><td>All filter policies</td><td>Immediate</td></tr><tr><td>NEW OR CHANGED ENDPOINTS</td><td>New endpoint reported to Apex Central</td><td>The new endpoints</td><td>Policies applicable to these new endpoints</td><td>120 sec after endpoints are reported to Apex Central</td></tr><tr><td>NEW OR CHANGED ENDPOINTS</td><td>Endpoint property changes (which also causes policy changes)</td><td>The changed endpoints</td><td>All policies</td><td>Every 24 hours</td></tr><tr><td>POLICY ENFORCEMENT</td><td>Apex Central default mechanism to ensure all endpoints get policies</td><td>All endpoints</td><td>All policies</td><td>On premise: Every 24 hours; SaaS: Every 10 minutes</td></tr></table><p>Time needed for policy deployment status to reflect on Apex Central</p><p>· Within 20 minutes</p><p>o Creating new policies for the 1st time, or new registered agents that never had a policy applied (Apex Central checks every 120 seconds to see if there are new agents)</p><p>o Admin reorders policies</p><p>o Admin edits policy settings or targets (either 
specified or filtered)</p><p>· Wait for next policy enforcement</p><p>o New agents that passed Apex Central's new agent check (every 120 seconds), but didn't get an applicable policy (becomes “without policies”)</p><p>o Agents that received policies and need to be moved to another policy due to agent property changes (e.g. location in AU, IP address, etc)</p><p>AD-based filtered policies always need to have Apex Central sync the latest AD info first in order to trigger policy changes.</p><p>Apex One Policy vs. Integrated Features</p><p>Scenario 1: Default iProduct policy settings</p><p>By default, iProduct settings are set to “disabled”, which implies that iProduct agents are not installed. In this situation, after Apex One server dispatches policies to iProduct servers, iProduct servers will directly respond “successfully deployed” to Apex One server.</p><p>The very first policy deployment that enables iProduct settings will trigger iProduct agent installation.</p><p>Once iProduct agents are installed, policy setting changes to iProducts will just fall into the normal policy deployment flow.</p><p>Scenario 2: Apex One server does not have a valid iProduct license</p><p>When a policy contains settings to enable iProduct settings, Apex One server first checks whether there are valid licenses before dispatching the policies to iProduct servers; if there is no valid license, Apex One server will respond with the “unactivated licenses” error code to Apex Central directly.</p><p>Agent Optimization</p><p>How to optimize Apex One agent?</p><p>1. Install the latest patch for Apex One</p><p>https://downloadcenter.trendmicro.com/index.php?regs=ph&prodid=1745&_ga=2.65440174.1208411755.1586855937-175934259.1554708004</p><p>2. 
Minimize Behavior Monitoring's functionality without sacrificing the security of Apex One</p><p>If process SYSTEM has high CPU, do the following:</p><p>Note: Unload the Apex One agent first. Always back up the whole registry before making any modifications. Incorrect changes to the registry can cause serious system problems.</p><p>a. Skip System File Event Scan:</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS]</p><p>"SkipSystemFileEvent"=dword:00000001</p><p>b. Skip scan when opening process from system:</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS]</p><p>"SkipOpenProcessFromSystem"=dword:00000001</p><p>If processes TMBMSRV.exe, NtRtScan.exe, TmCCSF.exe and LogServer.exe have high CPU, do the following:</p><p>a. Disable activity monitor to stop sending events to product processes:</p><p>[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]</p><p>"EnableAegisActivityMonitor"=dword:00000000</p><p>3. Exclude the application on Real-time scan, Behavior Monitoring and Trusted Program List</p><p>a. Real-time scan</p><p>b. Behavior Monitoring</p><p>c. Trusted Program List</p><p>4. Enhance Application Control feature (applicable to those agents with Application Control enabled)</p><p>a. Delay Application Control's startup process during boot-up.</p><p>Note: This prevents high CPU utilization / high disk consumption by the Application Control Agent when the machine boots up.</p><p>i. Make sure the iAC agent build is at least "TMiACAgentSvc.exe" >= 3.0.0.2003. 
To verify, check the following file:</p><p>C:\Program Files (x86)\Trend Micro\iService\iAC > right-click and select Properties > go to the Details tab and check the File version, or right-click the Agent tray icon and click "Component Versions".</p><p>ii. Unload Apex One Security Agent</p><p>iii. Set the registry with the value below</p><p>Key : DelayLoadAC</p><p>HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\iACAgent\DelayLoadAC</p><p>Type : DWORD</p><p>Valid Range : 0-10 (min)</p><p>b. Increase the LRU cache (default 2000)</p><p>i. Unload Apex One Security Agent</p><p>ii. Stop iAC agent service (TMiACAgent service)</p><p>iii. Set the registry with the value below</p><p>Key : LRUCacheSize</p><p>HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\iACAgent\LRUCacheSize</p><p>Type : DWORD</p><p>Value : 5000 (Default = 2000)</p><p>Note: The iAC service may consume disk I/O when opening VB or other applications, because the Application Control Agent evaluates PE files: it calculates their hash values (SHA1 and SHA2) and digital signature information. This information helps the iAC Agent decide whether a process should be allowed or blocked. Evaluating PE files costs CPU and I/O. To reduce this cost, an LRU cache keeps each PE file's hash values and digital signature information after the file has been evaluated once. The LRU cache speeds up subsequent process/image launches; however, the cost of calculating the information is still paid the first time.</p><p>5. Change the interval of Endpoint Sensor's data forwarding from 15 minutes (default) to 3 hours (applicable to those agents with Endpoint Sensor enabled)</p><p>6. Enable the deferred scan.</p><p>Defer Scan can postpone the timing of scanning, and the VSAPI engine does not perform a file lock while waiting.</p><p>7. 
Make sure that the debug module has been disabled.</p><p>VSAPI:</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmFilter\Parameters] DebugLogFlags=0</p><p>BM:</p><p>HKLM\SOFTWARE\TrendMicro\Aegis\DebugLogFlags = dword:00000000</p><p>HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration\DACPolicyDump = dword:00000000</p><p>AEGIS:</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmevtmgr\Parameters]</p><p>"DebugLogFlags"=dword:00000000</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcomm\Parameters]</p><p>"DebugLogFlags"=dword:00000000</p><p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmactmon\Parameters]</p><p>"DebugLogFlags"=dword:00000000</p><p>DLP: (remove the keys)</p><p>HKLM\Software\Trend Micro\PC-cillinNTCorp\DlpLite\debugcfg</p><p>HKLM\Wow6432Node\Software\Trend Micro\PC-cillinNTCorp\DlpLite\debugcfg</p><p>General Problem Isolation Testing</p><p>Summary</p><p>When there is an issue on an endpoint with the OfficeScan/Apex One Security Agent installed, isolation testing is a recommended preliminary step to help determine where the issue is.</p><p>Once the issue has been isolated and you have an idea of which service (e.g. Real-time Scan, WRS, Behavior Monitoring) is causing it, you can start debugging that specific service.</p><p>Where to start isolating the issue?</p><p>Using Windows Services, turn off each service one at a time until the issue is gone. Take note of the suspected service and turn it back on to confirm. As components can interact with each other, it is possible that disabling different services could resolve the issue. If disabling any other service also corrects the issue, note those as well.</p><p>How to turn off the following services using Apex One web console?</p><p>Turn off each service from the web console, then do a manual update on the client. 
Test if the issue persists.</p><p>1. Real Time Scan (VSAPI)</p><p>Procedure: Go to Agents -> Agent Management -> select 1 machine -> Settings -> Scan Settings -> Real-time Scan Settings -> untick "Enable virus/malware scan" -> Save</p><p>Note: If this action solves the issue, please enable this setting and do action 3, 4, 8, 10, and 12 to confirm the problematic service further.</p><p>2. Web Reputation Service (WRS)</p><p>Procedure: Go to Agents -> Agent Management -> Click 1 machine -> Settings -> Web Reputation Settings -> untick "Enable Web reputation policy on the following operating systems" -> Save</p><p>Note: If this action solves the issue, please enable this setting and do action 8, 10, and 13 to confirm the problematic service further.</p><p>3. Predictive Machine Learning Service (PML)</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Predictive Machine Learning Settings -> untick "Enable Predictive Machine Learning" -> Save</p><p>Note: If this action solves the issue, please enable this setting and further test File and Process types, separately.</p><p>· Agents -> Agent Management -> Click 1 machine -> Settings -> Predictive Machine Learning Settings -> Unclick "File" -> Save</p><p>· Agents -> Agent Management -> Click 1 machine -> Settings -> Predictive Machine Learning Settings -> Unclick "Process" -> Save</p><p>4. Behavior Monitor Service (AEGIS)</p><p>Procedure:</p><p>· Agents -> Agent Management -> Click 1 machine -> Settings -> Behavior Monitor Settings -> untick "Enable Malware Behavior Blocking" -> Save</p><p>· Agents -> Agent Management -> Click 1 machine -> Settings -> Behavior Monitor Settings -> untick "Enable Event Monitoring" -> Save</p><p>Note: If this action solves the issue, please enable this setting and do action 3, 8, 9, 10, and 11 to confirm the problematic service further.</p><p>5. 
Unauthorized Change Prevention Service (AEGIS)</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Additional Service Settings -> Unauthorized Change Prevention Service -> untick -> Save</p><p>Note: If this action solves the issue, please enable this setting and do action 3, 4, 8, 9, 10, and 11 to confirm the problematic service further.</p><p>6. Firewall Service (NSC)</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Additional Service Settings -> Firewall Service -> untick -> Save</p><p>7. Suspicious Connection Service</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Additional Service Settings -> Suspicious Connection Service -> Unclick -> Save</p><p>8. Advanced Protection Service (TMCCSF)</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Additional Service Settings -> Advanced Protection Service -> Unclick -> Save</p><p>Note: If this action solves the issue, please enable this setting and do action 3, 10, 11, 12, and 13 to confirm the problematic service further.</p><p>9. Ransomware Protection</p><p>A. Access Document Control</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Behavior Monitor Settings -> Unclick "Protect documents against unauthorized encryption or modification" -> Save</p><p>B. Software Restricted Policy</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Behavior Monitor Settings -> untick "Block processes commonly associated with ransomware" -> Save</p><p>10. Program Inspection (TMUMH)</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Behavior Monitor Settings -> untick "Enable program inspection to detect and block compromised executable files" -> Save</p><p>Note: Confirm that tmumh has stopped by running the command "sc query tmumh". 
If tmumh is still running, run the command "sc stop tmumh" to stop it. A reboot might be needed because tmmon has hooked to the processes.</p><p>11. Newly Encountered Programs (Meerkat)</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Behavior Monitor Settings -> untick "Monitor newly encountered programs downloaded through web or email application channels" -> Save</p><p>12. Scan Memory (Ravage Scan)</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Scan Settings -> Real-time Scan Settings -> untick "Quarantine malware variants detected in memory" -> Save</p><p>13. Browser Exploit Prevention</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Web Reputation Settings -> untick "Block pages containing malicious script" -> Save</p><p>14. Data Protection Service</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Additional Service Settings -> Data Protection Service -> untick -> Save</p><p>Note: If this action solves the issue, please enable this setting and do action 15 and 16 to confirm the problematic service further.</p><p>15. Device Control</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> Device Control Settings -> untick "Enable Device Control" -> Save</p><p>Note: If this action solves the issue, please enable this setting and do action 16 to confirm the problematic service further.</p><p>16. DLP Settings</p><p>Procedure: Agents -> Agent Management -> Click 1 machine -> Settings -> DLP Settings -> untick "Enable Data Loss Prevention" -> Save</p><p>NOTE: For isolating on Apex One as a Service, see KB 1123591</p><p>https://success.trendmicro.com/solution/1123591-general-problem-isolation-testing#</p><p>III. Apex One Common Issues</p><p>In this section, you will see Troubleshooting Tips and Logs to be Collected for the Top Common Cases:</p><p>1. 
Server Installation / Server Upgrade Issues</p><p>a. Fresh Server Installation Issue</p><p>b. Upgrade Issue from OfficeScan to Apex One</p><p>c. Critical Patch / Hotfix Installation Issue</p><p>2. Agent Installation Issues</p><p>a. Remnants of old installation</p><p>b. 3rd-party AV is installed</p><p>3. Offline Issues</p><p>a. Checking of Server/Agent Communication</p><p>b. Identifying IIS Issues</p><p>c. Checking of License and Configuration</p><p>d. TLS Issue</p><p>4. Agent Upgrade Issues</p><p>a. Checking of Server/Agent Communication</p><p>b. Reviewing Update Configuration</p><p>c. Checking for Mismatched Certificate</p><p>d. Upgrade File Issue</p><p>e. Checking for Update Agent Configuration</p><p>A. Server Installation/Upgrade Issues</p><p>In this section, we discuss common issues when installing, upgrading, or patching Apex One Server.</p><p>Troubleshooting Tips</p><p>Listed are the consolidated troubleshooting steps per issue:</p><p>1. Fresh Server Installation Issue</p><p>2. Upgrade Issue from OfficeScan to Apex One</p><p>3. Critical Patch / Hotfix Installation Issue</p><p>If issues are not resolved after performing the provided troubleshooting tips, collect the recommended logs and file a case with Trend Micro Support.</p><p>Fresh installation of Server</p><p>System Requirements</p><p>If the target device does not meet the system requirements, the software may not work correctly after installation. You may also experience performance issues and other problems related to resources.</p><p>See System Requirements</p><p>Upgrade from OfficeScan to Apex One Server</p><p>A. 
Quick migration guide for Trend Micro Apex One</p><p>Summary:</p><p>Upgrading to Trend Micro Apex One™ allows you to enable extended endpoint features like Application Control, Endpoint Sensor, and Vulnerability Protection — all within one product.</p><p>It redefines endpoint security with its breadth of capabilities delivered as a single agent, with consistency across SaaS and on-premises deployments. This offers enhanced automated detection and response and actionable insights that maximize security for customers.</p><p>This article provides an overview of multiple scenarios and recommended upgrade plans. For a detailed guide, please refer to the Install and Upgrade Guide in the Deployment Suggestions Based on Product Features section below.</p><p>The following topics are discussed in this KB:</p><p>· Pre-Upgrade Checklist for Apex One Server</p><p>· Pre-Upgrade Checklist for Apex One Agent</p><p>· Sizing Considerations</p><p>· Deployment Suggestions Based on Product Features</p><p>See KB 1122308 for more details</p><p>B. During Server Upgrade, the installer detected that there are unsupported Agent Operating Systems.</p><p>1. Access the OfficeScan Server web console.</p><p>2. Go to Agents > Agent Management.</p><p>3. Export Client Listing.</p><p>4. Check the exported Client Listing for any unsupported OS.</p><p>5. If there is no unsupported OS in the agent listing, export the information from the Apex One database:</p><p>a. Access SQL Server</p><p>b. Access Apex One DB</p><p>c. Export the data from dbo.TBL_CLIENT_INFO</p><p>6. Check the exported file and filter on OS_MAJOR, OS_MINOR.</p><p>7. There should be no machines on the following:</p><p>a. 6.0 = Windows XP and Windows Server 2008</p><p>b. 6.2 = Windows 8</p><p>c. 5.2 = Windows Server 2003</p><p>8. 
If any machines have those versions, delete them from the database using this SQL command:</p><p>DELETE FROM [DBname].[dbo].[TBL_CLIENT_INFO] WHERE UID = 'GUID of the unsupported machines'</p><p>https://success.trendmicro.com/solution/1122308-quick-migration-guide-for-trend-micro-apex-one#collapseTwo</p><p>How to troubleshoot Critical Patch / Hotfix Installation Issues?</p><p>If you encounter an issue when installing a Critical Patch/Hotfix, check tmpatch.log in C:\</p><p>1. Look for this keyword: failed.</p><p>Sample log file:</p><p>[2019-09-25:09:58:41][perfLWCSPerfMonMgr.dll : C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\perfLWCSPerfMonMgr.dll[3.1.0.1009]->C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Backup\CriticalPatch_B2012\LWCS\perfLWCSPerfMonMgr.dll[3.1.0.1009]]</p><p>[2019-09-25:09:58:41][perfLWCSPerfMonMgr.dll : C:\Users\santosh.z\AppData\Local\Temp\3\7ZipSfx.000\FileGroup180\perfLWCSPerfMonMgr.dll[3.1.0.2023]->C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\perfLWCSPerfMonMgr.dll[3.1.0.1009]]</p><p>[2019-09-25:09:58:41]Create new File Failed,last error:[32]</p><p>[2019-09-25:09:58:41]Rollback the file because the file copy fail.</p><p>[2019-09-25:09:58:41][perfLWCSPerfMonMgr.dll : C:\Users\santosh.z\AppData\Local\Temp\3\7ZipSfx.000\FileGroup180\perfLWCSPerfMonMgr.dll->C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\LWCS\perfLWCSPerfMonMgr.dll fail]</p><p>Failed.</p><p>[2019-09-25:09:58:41]Create new File Failed,last error:[32]</p><p>- This error means the file is in use by another process and cannot be accessed.</p><p>2. On the Apex One Server, perform the following actions:</p><p>o Unload Apex One Agent</p><p>o Stop Apex One Master Services</p><p>o Stop any SQL Services</p><p>o Ensure no Trend Micro related processes are still running in Task Manager</p><p>3. 
Based on the example above, the hotfix/patch failed to replace the file perfLWCSPerfMonMgr.dll.</p><p>If the hotfix/patch fails to replace a file or folder, the log indicates its location, in this example C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\LWCS\perfLWCSPerfMonMgr.dll fail</p><p>4. Since the patch failed to replace perfLWCSPerfMonMgr.dll, manually rename this file (e.g. perfLWCSPerfMonMgr.dll.backup).</p><p>In the example TmPatch.log, it failed on perfLWCSPerfMonMgr.dll. Rename the file from perfLWCSPerfMonMgr.dll to perfLWCSPerfMonMgr.dll.bak</p><p>5. Reinstall the Critical Patch/Hotfix. (Run as Administrator)</p><p>Information and logs to Collect:</p><p>Collect Relevant Information</p><p>Get Server Information: Verify OS Type, Service Pack, and Microsoft Hotfixes installed</p><p>Get SQL Information: Check the SQL Server version and authentication used</p><p>Get Apex One Information: Check the current version and build number:</p><p>A. Through UI:</p><p>1. Access web console > Help > About</p><p>B. 
Through registry:</p><p>HKLM\SOFTWARE\TrendMicro\OfficeScan\service\Information</p><p>Logs to be collected</p><p>New Installation:</p><p>Fresh Installation log file: C:\Windows\ofcmas.log</p><p>Collect CDT debug logs</p><p>What to check when running CDT Tool?</p><p>o Basic Information</p><p>o Installation & Uninstallation</p><p>Request for a copy of the Database</p><p>For steps on how to create a backup DB, check this Microsoft link: https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/create-a-full-database-backup-sql-server?view=sql-server-ver15</p><p>Take a screenshot of the error</p><p>Patch Installation:</p><p>Log File: C:\tmpatch.log</p><p>Request for a copy of the Database</p><p>For steps on how to create a backup DB, check this Microsoft link: https://docs.microsoft.com/en-us/sql/relational-databases/backup-restore/create-a-full-database-backup-sql-server?view=sql-server-ver15</p><p>Take a screenshot of the error</p><p>Upgrade fail due to unsupported agent OS:</p><p>Log File: C:\tmpatch.log</p><p>Take a screenshot of the error</p><p>Copy of exported data from dbo.TBL_CLIENT_INFO</p><p>Steps in collecting the exported data:</p><p>1. Access SQL Server</p><p>2. Access Apex One DB</p><p>3. 
Export the data from dbo.TBL_CLIENT_INFO</p><p>Useful links</p><table><tr><th>Knowledge Base Article</th><th>Title</th><th>Summary</th></tr><tr><td>KB 152876</td><td>Supported upgrade path to Apex One 2019</td><td>This article lists the OfficeScan versions that can be upgraded to Apex One 2019.</td></tr><tr><td>KB 1122308</td><td>Quick migration guide for Trend Micro Apex One™</td><td>Upgrading to Trend Micro Apex One™ allows you to enable extended endpoint features like Application Control, Endpoint Sensor, and Vulnerability Protection — all within one product. It redefines endpoint security with its breadth of capabilities delivered as a single agent, with consistency across SaaS and on-premises deployments. This offers enhanced automated detection and response and actionable insights that maximize security for customers. This article provides an overview of multiple scenarios and recommended upgrade plans. For a detailed guide, please refer to the Install and Upgrade Guide in the Deployment Suggestions Based on Product Features section below.</td></tr></table><p>https://success.trendmicro.com/solution/000152876-Supported-upgrade-path-to-Apex-One-2019</p><p>https://success.trendmicro.com/solution/1122308-quick-migration-guide-for-trend-micro-apex-one#collapse3</p><p>B. Agent Installation Issues</p><p>In this section, we discuss common issues when installing Apex One agents. Troubleshooting steps for the common issues are provided.</p><p>Troubleshooting Tips</p><p>Listed are the consolidated troubleshooting steps per issue:</p><p>1. Remnants of old agent installation</p><p>2. 3rd-party AV is detected</p><p>If issues are not resolved after performing the provided troubleshooting tips, collect the recommended logs and file a case with Trend Micro Support.</p><p>How to remove remnants of old installation?</p><p>1. 
You can use the Common Uninstall Tool:</p><p>· Available on Business Support Portal: https://success.trendmicro.com/diagnostic-tools</p><p>· Log in at https://success.trendmicro.com/sign-in and navigate to My Support > Diagnostic Tools.</p><p>2. You can manually remove the remnants by following the steps in this KB:</p><p>https://success.trendmicro.com/solution/1039283-uninstalling-clients-or-agents-in-officescan#collapseOne</p><p>How to install Apex One agent on a machine with 3rd-party AV?</p><p>Here are the troubleshooting steps for when a 3rd-party antivirus program cannot be automatically uninstalled from the computer before installing the Apex One agent.</p><p>1. First verify whether the 3rd-party antivirus program is already included in the list of competitor products that Apex One can automatically remove:</p><p>KB reference: https://success.trendmicro.com/solution/1105236-list-of-competitor-products-that-officescan-can-automatically-remove</p><p>Note: If uninstall password protection is enabled in the 3rd-party software, it is recommended that you disable it first.</p><p>· You can also verify it from the tmuninst.ptn and tmuninst_as.ptn files under \PCCSRV\Admin. You can open these files using a text editor such as Notepad.</p><p>· You can also verify it from a certain Patch/HF installer, see example below:</p><p>a. Right-click and extract the HF installer (apex_one_2019_win_en_hfbnnnn.u.exe).</p><p>b. 
Look for the tmuninst.ptn file and open it using a text editor such as Notepad.</p><p>2. If the 3rd-party software is confirmed to be in the list of products that can be detected and uninstalled, ensure you run the updated installer, such as the MSI, as follows:</p><p>· On the affected machine, right-click CMD > select Run as administrator > type "cd" followed by your MSI installer's location path > type your MSI installer's name > press Enter and wait until it finishes.</p><p>· If it works and needs to be applied as a mass deployment, you may deploy it via SCCM or GPO; this should be done by the customer's System Administrator.</p><p>· Depending on the uninstallation process of the software, the endpoint may or may not need to restart after uninstallation.</p><p>· If automatic agent migration is successful but a user encounters problems with the Security Agent right after installation, restart the endpoint.</p><p>· If the Apex One installation program proceeded to install the Security Agent but was unable to uninstall the other security software, there will be conflicts between the two software. Uninstall both software, and then install the Security Agent using any of the installation methods discussed in Deployment Considerations (Online Document: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-2019-server-online-help/protecting-trend_cli/installing-the-trend/deployment-considera.aspx#GUID-31C5ACC3-3D4B-4ADE-98FB-C145FE418573).</p><p>3. 
If the 3rd-party software on the target computer cannot be found in the list, Trend Micro Technical Support can assist you in including it in the Apex One agent installer, in coordination with our DEV Team, to detect these antivirus programs. Before contacting Trend Micro Technical Support:</p><p>· Prepare the following information for our further checking:</p><p>1. What is the version and build number of the Apex One Server?</p><p>2. What is the version and build number of the 3rd-party AV to be removed?</p><p>3. What type of Security Agent installation method will the customer use?</p><p>4. What is the client machine's operating system?</p><p>5. Kindly provide a copy of the 3rd-party installer [32 and 64 bit] and its installation guide.</p><p>6. On the computer where the 3rd-party AV is installed, kindly provide the following:</p><p>A. Screenshot of the "Program and Features".</p><p>B. Screenshot of the "About" status from the 3rd-party AV icon.</p><p>C. 
Kindly export and send us the Registry entries from this path:</p><p>- Go to HKEY_LOCAL_MACHINE\Software\....</p><p>[32-Bit] = Microsoft\Windows\CurrentVersion\Uninstall\</p><p>[64-Bit] = Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\</p><p>· If the installer can no longer be retrieved, you can uninstall the third-party software using Add/Remove Programs under Control Panel.</p><p>· If you encounter any problems uninstalling the 3rd-party software, you need to contact the vendor of the 3rd-party software.</p><p>4. If you want to prevent Apex One from uninstalling 3rd-party security products during agent installation, refer to this link for further information.</p><p>KB reference: https://success.trendmicro.com/solution/1123821-prevent-apex-one-from-uninstalling-3rd-party-security-products-during-agent-installation</p><p>Information and logs to Collect:</p><p>Collect Relevant Information</p><p>Get the Operating System of the affected machines:</p><p>· Verify if the issue affects a specific version of the Operating System (e.g. Windows 10)</p><p>Logs to be collected</p><table><tr><th>Installation method</th><th>File name</th><th>Location</th></tr><tr><td>MSI package installations</td><td>OFCNT.LOG</td><td>In a temporary system file, for example in Windows 7: C:\Users\Administrator\AppData\Local\Trend Micro\Security Agent\OFCNT.LOG</td></tr><tr><td>Web installations</td><td>WebInstall.log</td><td>C:\</td></tr><tr><td>Remote Installations</td><td>RemoteInstall.LOG</td><td>C:\</td></tr><tr><td>Autopcc and EXE package installations</td><td>OFCNT.LOG</td><td>%windir%\</td></tr></table><p>C. 
Offline Issues</p><p>In this section, we discuss troubleshooting steps for offline agents.</p><p>Troubleshooting Tips</p><p>Listed are the consolidated troubleshooting steps:</p><p>1. Checking Server-Agent Communication</p><p>2. Identifying IIS Issues</p><p>3. TLS Issue</p><p>4. Checking License and Configuration</p><p>If issues are not resolved after performing the provided troubleshooting tips, collect the recommended logs and file a case with Trend Micro Support.</p><p>How to check network communication between Apex One Server and agent?</p><p>A. Check Apex One Server to Agent communication</p><p>1. Ping Offline_Agent_ address/FQDN</p><p>o Apex One server should be able to ping the agent</p><p>2. Telnet Offline_Agent_ address/FQDN through 5-digit listening port</p><p>a. Open ofcscan.ini on <installation path>\PCCSRV\</p><p>b. Check the value for Client_LocalServer_Port</p><p>c. Open cmd and run this command:</p><p>telnet OfflineAgent_IP_FQDN Client_LocalServerPort</p><p>d. If the Client_LocalServer_Port is open, you should get the following results:</p><p>B. Check Agent to Apex One Server communication</p><p>1. Ping ApexOneServer_IP/FQDN</p><p>o Agent should be able to ping the server</p><p>2. Check if the client is using the correct Client LocalServerPort</p><p>Client LocalServerPort is a random 5-digit port number set during installation and used for Server/Agent communication</p><p>a. Open \PCCSRV\ofcscan.ini, search and take note of the Client_LocalServer_Port</p><p>b. Check the Client Listening Port in Registry key:</p><p>Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\LocalServerPort</p><p>Important: The LocalServerPort value in the agent's registry should match Client_LocalServer_Port in the Apex One Server's \PCCSRV\Ofcscan.ini.</p><table><tr><th>From server's ofcscan.ini</th><th>From agent's registry</th></tr><tr><td>Client_LocalServer_Port</td><td>LocalServerPort</td></tr></table><p>c. 
Check the Client Listening Port from Agent Icon</p><p>1. Right-click on the agent icon in the system tray and choose "Component Versions".</p><p>2. At the top of the window, it will display the listening port.</p><p>3. Check Apex One Master_DomainName, Server Port, and Server SSLport</p><p>a. Open \PCCSRV\ofcscan.ini, search and take note of the following:</p><p>Master_DomainName = xxxx</p><p>Master_DomainPort = xxxx</p><p>Master_SSLPort = xxxx</p><p>b. Check the Client Listening Port in Registry key</p><p>Important: The following entries should match</p><table><tr><th>From server's ofcscan.ini</th><th>From agent's registry</th></tr><tr><td>Master_DomainName</td><td>Server</td></tr><tr><td>Master_DomainPort</td><td>ServerPort</td></tr><tr><td>Master_SSLPort</td><td>ServerSSLPort</td></tr></table><p>4. Telnet ApexOneServer_IP/FQDN through MasterSSLPort</p><p>a. Open ofcscan.ini on <installation path>\PCCSRV\</p><p>b. Check the value for Master_DomainPort and Master_SSLPort</p><p>c. Open cmd and run these commands:</p><p>telnet ApexOneServer_IP/FQDN Master_DomainPort</p><p>telnet ApexOneServer_IP/FQDN Master_SSLPort</p><p>d. If the Master_DomainPort and Master_SSLPort are open, you should get the following results:</p><p>C. What to do when there is a port mismatch between server and agent?</p><p>If the following ports are not the same between server and agent, this results in agent OFFLINE issues.</p><table><tr><th>From server's ofcscan.ini</th><th>From agent's registry</th></tr><tr><td>Master_DomainName</td><td>Server</td></tr><tr><td>Master_DomainPort</td><td>ServerPort</td></tr><tr><td>Master_SSLPort</td><td>ServerSSLPort</td></tr></table><p>What are the possible reasons for a port mismatch?</p><p>· Agent migration failed</p><p>· Client used an old installation package using a different port</p><p>· The server configuration has changed (e.g. 
Hostname, IP address)</p><p>· The agent is reporting to a different server.</p><p>To resolve this issue, use the ipxfer utility tool to transfer or re-establish communication between OfficeScan/Apex One agents and server.</p><p>See KB 0127004 for more details on how to use the tool.</p><p>https://success.trendmicro.com/solution/0127004-manually-transferring-or-re-establishing-communication-between-officescan-apex-one-agents-and-server</p><p>D. How to check if Apex One Server is able to communicate with the agents?</p><p>Note: The following procedures are only done on the Apex One Server</p><p>1. Access this URL using Internet Explorer:</p><p>https://<IP_Hostname_ApexOneAgent>:Client_LocalServer_Port/?CAVIT</p><p>· Expected result: !CRYPT!</p><p>2. Check verconn.log on <installation path>\PCCSRV\Log:</p><p>· Look for the target IP address</p><p>· Sample of verconn.log:</p><p>E. How to check if agent is able to communicate with the OfficeScan server?</p><p>Note: The following procedures are only done on the OFFLINE Apex One agents</p><p>Access the following links using Internet Explorer:</p><p>1. https://IP_FQDN_ApexOneServer:Master_SSLPort/officeScan/download/server.ini</p><p>o Expected result: see server.ini or download the file</p><p>2. https://IP_FQDN_ApexOneServer:Master_SSLPort/officeScan/cgi/cgionstart.exe</p><p>o Expected result: -2</p><p>3. https://IP_FQDN_ApexOneServer:Master_SSLPort/officeScan/cgi/isapiclient.dll</p><p>o Expected result: -1</p><p>F. How to check if FQDN is working?</p><p>Note: The following procedures are only done on the OFFLINE Apex One agents</p><p>Sometimes, Telnet to the Apex One server succeeds when using its IP address but fails when using its FQDN. 
Thus, an agent using the FQDN to contact the Apex One server might encounter a DNS problem.</p><p>To verify this:</p><p>1. In CMD, try to run: nslookup <ApexOneServerFQDN>.</p><p>2. It should display the DNS resolution of the Apex One Server IP Address.</p><p>3. You may try to download server.ini (See How to check if agent is able to communicate with the OfficeScan server?) via FQDN and check what is being used by the Agent from C:\Program Files (x86)\Trend Micro\OfficeScan Client\AU_Data\AU_Log\Tmudump log.</p><p>Sample tmudump log where agents are accessing the Apex One server via FQDN:</p><p>Inf 20200319 12:10:23 6896 28972 Downloading [https://apex-one-server.com:4343/officescan/download/server.ini] to [C:\Program Files (x86)\Trend Micro\Security Agent\AU_Data\AU_Temp\6896_28972\server.ini]...</p><p>4. Another option is to get the agent's registry info under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\UpdateFrom and append server.ini</p><p>Download server.ini by accessing the link via browser</p><p>e.g. https://apex-one-server.com:4343/officescan/download/server.ini</p><p>How to identify Internet Information Services (IIS) Issues?</p><p>A. Check if OfficeScan IIS Web Site is running.</p><p>1. Web server status should be in the Running state</p><p>In Apex One Server, go to Run > Type: inetmgr > Expand localhost > Site > OfficeScan</p><p>2. Ensure IIS Admin Service and World Wide Web Publishing Service are in Running status</p><p>2.1 In Apex One, go to Run > Type: services.msc</p><p>B. How to verify the isapiClient.dll version used on IIS?</p><p>How to verify the isapiClient.dll version:</p><p>1. Open Run window and type inetmgr</p><p>2. Go to Application Pools</p><p>3. Right-click on OfficeScan AppPool then go to Advanced Settings</p><p>4. 
Check the value of Enable 32-bit Application</p><p>o If it is set to FALSE, you should be using isapiClientx64.dll</p><p>o If it is set to TRUE, you should be using isapiClientx86.dll</p><p>To counter-check the file:</p><p>1. Go to ...\Apex One\PCCSRV\Web_OSCE\Web\CGI\</p><p>2. Look for isapiClient.dll</p><p>3. Compare the size of the file with the following:</p><p>o If the size is the same as isapiClientx64.dll, you are using 64-bit isapiClient.dll</p><p>o If the size is the same as isapiClientx32.dll, you are using 32-bit isapiClient.dll</p><p>Sample screenshot for 64-bit isapiClient.dll</p><p>C. Check if OfficeScan/Apex One Server and Database services are running</p><p>In Apex One/SQL Server, go to Run > Type: services.msc</p><p>The following services should be in the Running state</p><p>1. Apex One Server</p><p>· Apex One Master Service</p><p>· Apex One Active Directory Integration Service</p><p>· Apex One Apex Central Agent</p><p>· Apex One Common Client Solution Framework</p><p>· Apex One Deep Discovery Service</p><p>2. SQL Server</p><p>· SQL Full-text Filter Daemon Launcher (MSSQLSERVER)</p><p>· SQL Server (MSSQLSERVER)</p><p>How to check if there is a TLS issue?</p><p>If Server-Agent communication is established but the agent still shows an Offline status in the Agent Management console, also check the machine's supported TLS version.</p><p>A known issue arises after upgrading to XG SP1 due to advancements in secure communications (HTTPS protocol using TLS). Older operating systems do not natively support TLS 1.2 as their default secure protocol.</p><p>A. To verify if your agent has an incompatible protocol issue</p><p>1. In the Agent's ofcdebug.log, you can see these error lines:</p><p>o Windows Error Code: 12030</p><p>o nError = -27 means LOADHTTP_ERROR_FAIL_SEND_HTTP_REQUEST</p><p>2. 
Check Windows Event Logs; there are several Schannel errors (Event ID 36871):</p><p>"A fatal error occurred while creating a TLS client credential. The internal error state is 10013."</p><p>3. In Wireshark logs, follow the TLS Stream of the Client Hello TLS handshake.</p><p>The client initiated a Client Hello to the server with Version: TLS 1.0.</p><p>The server sent a Reset packet [RST, ACK] indicating that the connection has been terminated.</p><p>B. To address this issue:</p><p>1. Ensure Windows will negotiate the highest mutual supported version of TLS by the server and client. Older operating systems may require specific patches to support newer protocols. Refer to this article for further information on TLS 1.1 and 1.2.</p><p>KB reference: https://success.trendmicro.com/solution/1119045</p><p>2. You can also use IISCrypto.exe (Download Link: https://www.nartac.com/Products/IISCrypto/Download)</p><p>a. Run it as Administrator on the machine.</p><p>b. Compare the protocols between the server and client, then enable the highest mutual supported version of TLS.</p><p>c. Reboot the machine for the changes to fully take effect.</p><p>This is an example of successful TLS Protocol communication.</p><p>Check License and Configuration</p><p>In this section, license and configuration settings that can affect the agent status are discussed:</p><p>1. Licensing</p><p>2. Checking DB Connection</p><p>3. NATed agents</p><p>How to check Apex One License?</p><p>Ensure the license is not expired and is in Activated status. Also verify that it still has enough seat counts to accommodate your registered Agents.</p><p>In Apex One Server, go to Administration > Settings > Product License:</p><p>How to check if Apex One and SQL Server can establish connection?</p><p>A. 
Check connection between Apex One and SQL Server</p><p>1.1 In Apex One server, navigate to \PCCSRV\Admin\Utility\SQL</p><p>1.2 Double-click SQLTxfr.exe to run the tool</p><p>1.3 Input the necessary credentials > Click Test Connection.</p><p>2. Ensure the credentials entered in the SQLTxfr.exe Tool that give a successful connection are identical to those used by the Apex One Server.</p><p>B. Steps on fixing DB issues</p><p>1.1 If there is no connection, reconnect the Apex One Server to its SQL Server using the SQLTxfr.exe Tool with the necessary credentials. See the link below for further reference:</p><p>Online Documents: https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-one-2019-server-online-help/managing-the-product/managing-the-product_001/sql-server-migration/sql_tool_use.aspx</p><p>1.2 If the DB seems to be corrupted, with a table missing or manually removed by mistake, perform a backup and restore of the Apex One SQL Server database with its last known good configuration. See the link below for further reference:</p><p>KB: https://success.trendmicro.com/solution/1113252-backing-up-and-restoring-the-officescan-sql-server-database</p><p>2. 
Ensure the credentials entered in the SQLTxfr.exe Tool that give a successful connection are identical to those used by the Apex One Server.</p><p>How to check if heartbeat is enabled on NAT Agents?</p><p>A NATed agent is offline when Heartbeat is not enabled.</p><p>Condition: Apex One server is published on the internet. All agents are based in office LAN.</p><p>Configuring the Heartbeat and Server Polling Features:</p><p>1. Go to Agents > Global Agent Settings.</p><p>2. Click the Network tab.</p><p>3. Go to the Unreachable Network section.</p><p>4. Configure</p>
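<p>The server/agent comparison from "What to do when there is a port mismatch between server and agent?" earlier in this Offline Issues section, as an added example that is not part of the handbook and is not Trend Micro code: it checks the Key=Value lines of a collected ofcscan.ini against a regedit text export of the agent's registry key. Assumptions: all four agent values sit directly under the PC-cillinNTCorp\CurrentVersion key, they are stored as REG_SZ or REG_DWORD, and the sample data is constructed.</p>

```python
import re

# ofcscan.ini key -> agent registry value name, as paired in the handbook.
PAIRS = {
    "Master_DomainName": "Server",
    "Master_DomainPort": "ServerPort",
    "Master_SSLPort": "ServerSSLPort",
    "Client_LocalServer_Port": "LocalServerPort",
}
# Assumption: all four agent values live directly under this key.
AGENT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro"
             r"\PC-cillinNTCorp\CurrentVersion")
# Matches "Name"="text" (REG_SZ) or "Name"=dword:0000abcd (REG_DWORD).
REG_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<sz>.*)"|dword:(?P<dw>[0-9a-fA-F]{8}))$')


def parse_ini(text):
    """Return {key: value} for each Key=Value line; the first occurrence wins."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue  # blank line, comment or section header
        key, _, value = line.partition("=")
        values.setdefault(key.strip(), value.strip())
    return values


def parse_reg(text, key=AGENT_KEY):
    """Return values stored directly under `key` in a regedit text export.

    Values that belong to subkeys of `key` are skipped, so a ServerPort
    entry in a subkey cannot mask the one the agent actually uses.
    """
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        match = REG_VALUE.match(line) if in_key else None
        if match is None:
            continue
        if match["dw"] is not None:
            values[match["name"]] = str(int(match["dw"], 16))  # hex -> decimal
        else:
            values[match["name"]] = match["sz"].replace("\\\\", "\\")
    return values


def normalise(value):
    """Ports compare as integers, host names case-insensitively."""
    value = value.strip()
    return int(value) if value.isdigit() else value.lower().rstrip(".")


def compare(ini_text, reg_text):
    """Return (ini_key, ini_value, reg_name, reg_value) for every pair that
    differs; a value missing on either side is reported as None."""
    server, agent = parse_ini(ini_text), parse_reg(reg_text)
    problems = []
    for ini_key, reg_name in PAIRS.items():
        s, a = server.get(ini_key), agent.get(reg_name)
        if s is None or a is None or normalise(s) != normalise(a):
            problems.append((ini_key, s, reg_name, a))
    return problems


# Constructed sample data, not taken from a real deployment.
SAMPLE_INI = """\
[ExampleSection]
Master_DomainName=apex-one-server.com
Master_DomainPort=8080
Master_SSLPort=4343
Client_LocalServer_Port=21112
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion]
"Server"="APEX-ONE-SERVER.com"
"ServerPort"="8080"
"ServerSSLPort"="443"
"LocalServerPort"=dword:00005278

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]
"ServerPort"="9999"
"""

if __name__ == "__main__":
    for ini_key, ini_val, reg_name, reg_val in compare(SAMPLE_INI, SAMPLE_REG):
        print(f"MISMATCH {ini_key}={ini_val!r} vs {reg_name}={reg_val!r}")
```

<p>Files saved by regedit are normally UTF-16, so decode them with that encoding before passing the text to parse_reg.</p>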