caspar

CLOSED conflicting in HIPS feature?

Hi!

I am an OA Free (version 6.0.0.1736) user, and my XP SP3 box also has our company's antivirus system installed, Trend Micro Worry-Free Business Security (8.0.1346), or WFSMB for short.

I found that the OPEN FILE dialog window froze and returned to normal later (after about 30 seconds) while using a text editor (NotePad) to open text files that are stored in different folders under the same path.

The structure of the folders is as indicated below:

========================

d:\textfiles\20130101\
d:\textfiles\20130102\
d:\textfiles\20130103\
d:\textfiles\20130104\

...

========================

And when I open Word 2003 then close it, the software also freezes for a while, then closes normally.

I had excluded OA in the exclusion settings of WFSMB, and excluded WFSMB in OA's Options > Exclusions.

But nothing changed.

I wonder if the HIPS feature of both pieces of software causes this problem?

As you can see in the attached image, OA-001.jpg, there are kernel events in the History window.

I had talked with Trend Micro; they say it is best to install only one set of security software at the same time. But I use NOD32 on my home box, and it works well with OA.

Could you help me to solve this strange problem?

Thanks a lot :)

My recommendation is to add your TrendMicro to the exclusions list in Online Armor. Here are some instructions for adding a folder to the Exclusions list in Online Armor:

  • Click on the Start button, go to All Programs, go to Online Armor, and click on the Online Armor icon to open it.
  • Click on Options in the menu on the left.
  • Go to the Exclusions tab.
  • Click on the Add button.
  • Use the little [+] and [-] icons to the left of folder names to open and close them, find the folder you want to add, click on it to highlight it, and then click OK at the bottom.
  • Close the Online Armor window.

I also recommend excluding Online Armor in TrendMicro. Here are the files that need to be excluded from protection in TrendMicro:

  • oacat
  • oahlp
  • oasrv
  • oaui

These files are normally in C:\Program Files\Online Armor.

Hi~ GT500

Thanks for your reply.  :lol:

As you can see in the attached images (OA-001.jpg, OA-002.jpg) and the post above, I had excluded the whole folders of OA in the exclusion configuration of WFSMB, and excluded the whole folders of WFSMB in OA's Exclusions tab before I opened this new topic.

But I find this kind of configuration does not work.

OA always checks the security scanning actions from WFSMB until I turn off OA's Program Guard or exclude the program I use (i.e. NotePad) in OA's Exclusions tab.

So I think there is some scanning technique that WFSMB uses which may result in OA's HIPS reaction, and OA does not fully exclude what I want excluded.

It is possible that there are parts of TrendMicro that are executing from another folder. Let's get an OTL log to verify that. Please run OTL by following the instructions below:

  • Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run').
  • Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually.
  • Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.

Hi~ GT500

I have used OTL.exe to scan my box many times, and even restarted my box, but it generated OTL.txt only.

Now I have attached it as an encrypted 7z file, OTL_RESULT.7z, in this reply.

I hope it will be helpful for you.

p.s. I will send you the password as a private message.

OTL will only generate Extras.txt the first time you run it, unless you change one of the settings. It's OK, the OTL.txt file is what I wanted to see. ;)

Here's every TrendMicro file I was able to find in the log:

C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Security Agent\NTRtScan.exe
C:\Program Files\Trend Micro\Security Agent\PccNTMon.exe
C:\Program Files\Trend Micro\Security Agent\sqlite3.dll
C:\Program Files\Trend Micro\Security Agent\TmIEPlg.dll
C:\Program Files\Trend Micro\Security Agent\TmListen.exe
C:\Program Files\Trend Micro\Security Agent\TmPreflt.sys
C:\Program Files\Trend Micro\Security Agent\TmProxy.exe
C:\Program Files\Trend Micro\Security Agent\TmXpflt.sys
C:\Program Files\Trend Micro\Security Agent\TSC.exe
C:\Program Files\Trend Micro\Security Agent\vsapiNT.sys
C:\WINDOWS\system32\drivers\tmactmon.sys
C:\WINDOWS\system32\drivers\tmcomm.sys
C:\WINDOWS\system32\drivers\tmevtmgr.sys
C:\WINDOWS\system32\drivers\tmtdi.sys
C:\tmdbg20.dll
C:\LogServer.exe
Most of that is in the C:\Program Files\Trend Micro folder, however 6 files are not, and will need to be manually added to the Programs list as both Trusted and Allowed in order to prevent issues.

Also, I noticed evidence of pirated Adobe software in the OTL log. Since we have a zero-piracy policy on our forums, I am going to have to ask you to remove any pirated software before I can continue assisting you.
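
The coverage check GT500 did by hand above, as an added example that is not part of the thread: given the file list from the OTL log and the folder exclusions in place, it reports which files no folder exclusion reaches (the ones that need a per-program Trusted/Allowed entry) and what a candidate folder exclusion such as all of system32\drivers would sweep in. The function names and the path-prefix rule are this example's own assumptions, not Online Armor's matching logic.

```python
import ntpath

# Constructed from the thread: the Trend Micro files GT500 pulled out of the OTL log.
OTL_TREND_FILES = [
    r"C:\Program Files\Trend Micro\BM\TMBMSRV.exe",
    r"C:\Program Files\Trend Micro\Security Agent\NTRtScan.exe",
    r"C:\Program Files\Trend Micro\Security Agent\PccNTMon.exe",
    r"C:\Program Files\Trend Micro\Security Agent\sqlite3.dll",
    r"C:\Program Files\Trend Micro\Security Agent\TmIEPlg.dll",
    r"C:\Program Files\Trend Micro\Security Agent\TmListen.exe",
    r"C:\Program Files\Trend Micro\Security Agent\TmPreflt.sys",
    r"C:\Program Files\Trend Micro\Security Agent\TmProxy.exe",
    r"C:\Program Files\Trend Micro\Security Agent\TmXpflt.sys",
    r"C:\Program Files\Trend Micro\Security Agent\TSC.exe",
    r"C:\Program Files\Trend Micro\Security Agent\vsapiNT.sys",
    r"C:\WINDOWS\system32\drivers\tmactmon.sys",
    r"C:\WINDOWS\system32\drivers\tmcomm.sys",
    r"C:\WINDOWS\system32\drivers\tmevtmgr.sys",
    r"C:\WINDOWS\system32\drivers\tmtdi.sys",
    r"C:\tmdbg20.dll",
    r"C:\LogServer.exe",
]

def _norm(path):
    """Windows paths are case-insensitive; normalise case and separators."""
    return ntpath.normcase(ntpath.normpath(path))

def is_under(path, folder):
    """True if path is folder itself or lies below it; matching stops at a
    separator, so 'C:\\Trend Micro' does not cover 'C:\\Trend Micro2\\x'."""
    p, f = _norm(path), _norm(folder)
    prefix = f if f.endswith("\\") else f + "\\"
    return p == f or p.startswith(prefix)

def uncovered(paths, excluded_folders):
    """Files no folder exclusion reaches: these need a per-program rule."""
    return [p for p in paths if not any(is_under(p, f) for f in excluded_folders)]

def coverage(paths, folder):
    """Everything a candidate folder exclusion would take in, so the cost of a
    broad one (e.g. all of system32\\drivers) is visible before adding it."""
    return [p for p in paths if is_under(p, folder)]

if __name__ == "__main__":
    missed = uncovered(OTL_TREND_FILES, [r"C:\Program Files\Trend Micro"])
    print(f"{len(missed)} files outside the Trend Micro folder exclusion:")
    for p in missed:
        print("  ", p)
```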

Hi! GT500,

I am sorry for the delay in replying to your message; I am very busy these days.

There's a doubt that needs to be cleared up first. ^_^

I guarantee that we don't use any pirated Adobe software on this PC; we bought a legal copy from a retailer, and we registered it under our Adobe ID. If you see any strange entries in the OTL log, they were used for testing purposes in the early days.

OK, let's continue this topic.

I had excluded these folders in OA, as you can see in screen1.jpg, and it seems to work!

I think these files in "C:\WINDOWS\system32\drivers\" are the root of the problem.

But could I exclude just ONE file in OA?

It's too dangerous to exclude a whole folder like C:\WINDOWS\system32\drivers\ in OA. :D

Thank you very much for your help.

You can't add an exclusion for a single file, however you should be able to add those files to the Programs list as Trusted and Allowed, which may help resolve the issue. To do this, open Online Armor, go to Programs in the menu on the left, right-click in the list, and select Add.