[German]A short note to administrators and IT service providers among the blog readers who use TrendMicro Apex One for themselves or their customers. The update 13150 available for this security solution should be used with caution. A blog reader has informed me (thank you) that the update may kill the SmartScan function.
Blog reader Sebastian A. recently contacted me by email because he ran into a problem when using TrendMicro Apex One, which may also affect other admins. The reader wrote that the on-premise installation of TrendMicro Apex One SP1 with the latest update was causing a problem in his environment. The installation runs normally. The clients are also downloading the update as normal, wrote the blog reader.
As the screenshot above shows, SmartScan no longer works once TrendMicro Apex One Update 13150 has been installed. This must have been rolled out on January 23, 2025. According to the reader, all clients/servers are online but marked "red" in the admin console.
According to the reader, there are no further entries in the event log, neither on the client nor on the server.
diagnostic_spsc_updatepattern.log 2025/01/17 22:56:36:523 Mitteleuropäische Zeit [ 7068:16036] ERROR [UpdateImportPattern::Import] import error 230[0xe6](ICRC_CONSOLE_DB_FAIL) [updatepattern_import_obj.cpp:156] TmuDump.txt Err 20250117 22:56:28 17828 17032 Getaddrinfo failure, return code: 11001, error: Der angegebene Host ist unbekannt. . Err 20250117 22:56:28 17828 17032 Connect returns, WSAerror(183) Err 20250117 22:56:28 17828 17032 Getaddrinfo error Err 20250117 22:56:28 17828 17032 HttpsConnection: Socket connect fail Err 20250117 22:56:28 17828 17032 connect failed, will not send the report
The reader is in contact with support and writes that the above entries were the first errors that support saw. According to the reader, he is aware of others affected. However, virus detection continues to function normally – the EICAR test file is recognized immediately, the reader notes.
IIn the administration under "Smart Protection > Integrated Server", an error message without text and an implausible date stamp can be seen, the reader added. According to the instructions in the changelog, a rollback is also not entirely possible, as files are missing that are referenced. Anyone else affected?
We are facing the same issue since 29/January.
It seems like Trend Micro removed that version from the download centre, the latest one available is 13140.
This is the official response from Trend Micro:
This issue is caused by a corruption of the Smart Scan database at build 13150, and has nothing to do with the standalone Trend Micro Smart Protection Server product going end of life.
Please note the standalone Smart Protection Server (SPS) and the Apex One integrated SPS are different and the integrated SPS is not EOL.
The current issue might also be linked to the Microsoft January KB updates, which we are investigating.
I can provide you with the following workaround, but please note this is not a permanent fix and some customers find that the issue returns when the Smart Scan Pattern tries to update daily.
***PLEASE TAKE BACK UP/SNAPSHOT BEFORE ANY CHANGES ARE MADE****
**RUN CDT IN DEBUG in the case fix fails please collect CDT
1. Navigate to Administration > Smart Protection > Integrated Server, and adjust the File Reputation Service Update Source to Trend Micro Smart Update Server.
Note:
The prompt messages may vary.
2. Download the following file using a browser:
https://osce14-ilspn30-p.activeupdate.trendmicro.com/activeupdate/pattern/icrc$tbl.zip
3. Locate FRSUpdateCounter.ini in the directory:
C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\WSS
Modify the CONT_FULL_TBLPTN_COUNT value under [UpdateCounter] to 0.
4. Stop the Trend Micro Smart Protection Server (TMiCRCScanService) service.
5. Locate service.ini in the directory:
C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\WSS, and rename it to something else (e.g., bak_service.ini) to prevent the service from restarting during the process.
6. Delete the contents of the directory:
C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\WSS\activeupdate\tmp, and then create a new empty folder named tmp.
7. Extract the contents of the downloaded icrc$tbl.zip file into the newly created tmp folder.
8. Open CMD or PowerShell with administrator privileges, and navigate to:
C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\WSS
9. (Optional) Modify log.ini under [TMCOMMONLOGGING] and set LogLevel to 4 to observe the process.
10. Execute the following command:
AU_FRS.exe –servimporttbl
11. (Optional) Check the diagnostic.log file for the following message:
AU_FRS exit code: 0, arg: –servimporttbl
o If this message is not present, recheck the steps above.
o If the message is present, restore the original content of log.ini.
12. Rename the previously renamed bak_service.ini file back to service.ini in:
C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\WSS
13. Restart the Trend Micro Smart Protection Server (TMiCRCScanService) service.
14. Perform a manual update of the Cloud Scan Pattern to verify whether the update issue is resolved.
15. Refresh the source list once to ensure the query function is working properly.