| Subcribe via RSS

Trend Micro OfficeScan 10 – Some thoughts

September 1st, 2009 Posted in Security, Software

So, just some thoughts about Trend Micro OfficeScan 10. Its been some months now, since the GM build release of OfficeScan 10. And most people should have had enough time to test it properly. So what are the current pros and cons? Should you upgrade, or wait a bit longer? Anyone?

In my opinion:
It depends on your values.
You should upgrade if the new features appeals to you. The Device Control, and the Smart Network stuff.

But, performance wise, there are still some issues. E.g.: Extracting a Windows XP cd (from an ISO file) takes at least 50% more time with OfficeScan 10 (using Winrar). This is with conventional scan mode, I get about the same results with Smart Scan, but you can’t really compare it, since its not cached.

In addition, the Trend Micro Unauthorized Change Prevention Service (tmbsrv.exe) is a nice feature, but I believe it requires a bit more resources than the old Watchdog service.

So what about the stand alone scan server? I haven’t had time to test this one properly, at least not performance wise. So if anyone has done any real performance testing, with 100-500+ clients, I would really like to know. At least Trend Micro managed to get something right with the new Smart Scan feature. If what I’m seeing is correct, the impact on the network is really low. Sending those hashes back and fourth doesn’t consume that much bandwidth. Yay!

And just one last tip: When you install OfficeScan 10, install the integrated scan server. Even though you`re not planning to use it. Why? Because its really complicated to install it after you`ve finished the installation of the OfficeScan server. Just install it, and remove it from the list of scan servers in the GUI.

Anyway, if my sense of time is correct, its about two weeks left, until the Service Pack 1 of OfficeScan 10 is released to the public. The beta looked okay, but I`m really curious whether or not they managed to fix some of those performance issues.

48 Responses to “Trend Micro OfficeScan 10 – Some thoughts”

  1. KELLY Says:

    Installation of OfficeScan 10 client causes Dell Precision T3400 PCs in our office to blue screen crash.


  2. jrp Says:

    What kind of operating system are you running? Windows Vista? Or XP?


  3. KELLY Says:

    XP w/SP3


  4. Thalha Says:

    Hi Kelly

    Have you removed your previous AV software from the system? If you have not, please remove and try it.


  5. Frankv Says:

    Officescan 10 seems to run fine except for the Unauthorized Change Prevention Service on our Windows 2003 servers.

    Looking at the process (tmbmsrv.exe) in the task manager, it does not appear to be using many resources, however, it is causing our nightly backups (Backup Exec 12.5) to take twice as long due to a much slower Job Rate.

    Stopping the service and disabling it brings the backup job rate back to what it was, but with the next server reboot the service is changed back to manual and automatically restarted.

    I am currently looking for a method to either uninstall or permanently disable this service.

    Cheers,

    Frank


  6. Ravi Ranjan sinha.(HCL-Patna) Says:

    Advantage Of Office Scan 10.0

    1. U Can Install Trend micro Client Through Av server.(Through Trend Micro Remote)
    2. U Can Start Integrated Smart Scan Server .( For Client Updating)
    3. U Can Configure Plug – in Manager (For Threat Management Agent )
    4. U Can Configure Security Compliance .(Add Domain For Client(Trend Micro Client) Installation.
    5. U Can Start Automatice Update Ur Network Cpmuters

    I Like It


  7. jrp Says:

    Frankv: Have you tried turning off the Unauthorized Change Prevention Service from the central console? I think it should be possible. You are not the only one experiencing problems with the Unauthorized Change Prevention Service. Lets hope they fix the issue in SP1.


  8. Michael Says:

    the tmbmsrv.exe make me headache also, I am thinking about to disable this service.But anyone konws if it will bring bad impact after disable this service ? thanks


  9. jrp Says:

    Well, its basically the Unauthorized Change Prevention Service, so you will lose some protection of officescan files, and registry settings.

    However, the rest of the functionality will mostly be preserved.


  10. Michael Says:

    on my officescan 10 master server, the cpu usage always reach 100, after check the cause related with ‘ofcservice.exe’. this process always occpy >60% cpu usage. and from ‘add/remove program’ I found the officescan 10.0 server size is 2.48G , i think it’s to large but don’t know the reason?


  11. Xin Says:

    When update today, it prompt ‘Generic failure on source network’ what is this meaning


  12. Tiago Says:

    Some findings about OfficeScan 10:

    – It detects mutch more Virus than the OficeScan 8;
    – Windows XP takes mutch more time to reboot;
    – CPU many times reaches 100%.
    – A lot of manual work to remove some virus.


  13. jrp Says:

    Xin: I believe this means that the server cant reach the Trend Micro Active Update server, this is either because there’s something wrong with the network connection of the OfficeScan-server, or because the Trend Micro Active Update server is temporarily unavailable, this happens sometimes (some periods it happens really often).

    Tiago: Are you sure about the detection rates? Is this with Smart Scan? Because in conventional scan mode, it pretty much uses the same scan engine (VSAPI) and the same pattern files.


  14. jrp Says:

    Michael: The size of about 2.5G sounds ok, it really depends on the amount of pattern files, log files, and database files.

    However, how many clients do you have running at the same time? 60% or more sounds a lot. What kind of specs do you have on the server?

    And have you tried installing Service Pack 1?


  15. Mike Says:

    Installed version 10 client on 3 windows 7 clients now and none of them allow a manual scan to be performed, real time scan is ok, but the scan button is greyed out in the console and will not light up when you chose a drive to scan.


  16. Michael Says:

    Thanks, jrp.
    400 clients under the server. But I have a subsidiary that there are around 1600 clients under the server, so I am afraid the server workload on that server?

    and one more thing just happen this week,

    After upgrade officescan 10 in one country office, the network speed is very slow when from this office connect to other country office server. And especially this office clients use outlook quite slow.

    Is it officescan10 have some new function to scan the clients computer and scan the outlook?How to speed up the network speed by disable these new functions?


  17. jrp Says:

    Well, if its 60% stable with 400 + 1600 clients? That sounds about right, if its an average specced server.

    I dont really know about any new functionality related to outlook. But I have been getting reports of problems related to large pattern files.

    Are you using the smart scan functionality? And are you using update agents? Or are the clients pulling the pattern files directly from the central server?


  18. Thomas Says:

    i thought the idea with officescan10 was to avoid pattern files and focus on reputation, was that just marketing from TrendMicro?


  19. jrp Says:

    Well yes, its a new feature in OfficeScan 10.

    Its called SmartScan, its basically “file reputation”. But you have to enable it in order for it to work, and it still uses pattern files. But smaller pattern files. You also have to make an infrastructure to support the central scan server that is a part of the SmartScan functionality.

    (Only if you have a larger installation, with more than 300-400 clients).


  20. Michael Says:

    I do not use smartscan.
    after use officescan 10, my clients connect the internal network resource is very slow, espically through IE to accsss some application, like Oracle ONE syestem,documentum, my company homepage,….

    I suspect this is related with officescan firewall services?
    looks the Trend Micro Common Firewall Driver change the NIC kernal info.,


  21. may Says:

    I just deployed officescan 10 companywide and i have had at least 20 computers blue screen at shut down or start up. Any ideas???? Anyone with the same issues? We are running Dell optiplexs with XP SP3


  22. Michael Says:

    May, pls install v10 sp1.
    I read some articles that officescan 10 firewall change the NIC adapter/kernal info. , so make the network speed slower than before?

    Any comments about this?


  23. jrp Says:

    Trend Micro updates the “Common Firewall Driver” now and then. Is this what you are referring to?

    And, could you please share the URLs to the articles? :)


  24. Frankv Says:

    >jrp says:
    >September 22, 2009 at 11:46 pm
    >Frankv: Have you tried turning off the Unauthorized Change Prevention >Service from the central console? I think it should be possible. You are >not the only one experiencing problems with the Unauthorized Change >Prevention Service. Lets hope they fix the issue in SP1.

    jrp,

    Sorry I took a while to get back to you. Yes, I tried what you suggested, but it does not disable this service, nor prevent the problem occurring.
    I believe it is also causing another problem with Backup Exec too. After a server restart I think it is causing problems with the Backup Exec media service (pvlsvr.exe) from starting properly, making it use almost 100% CPU. Restarting the Backup Exec services fixes the problem, until the next server restart. I have resorted to running msconfig and turning the tmbm service off, however, that is not my preferred solution.
    I haven’t been able to find OfficeScan SP1. Is it actually called that?


  25. jrp Says:

    Ah, yes. Its Called SP1. Actually: Trend Micro OfficeScan 10 Service Pack 1

    You can download it here:
    http://www.trendmicro.com/ftp/products/officescan/OSCE_10_WIN_EN_ServicePack1.exe

    And you can read the readme here:
    http://www.trendmicro.com/ftp/documentation/readme/OSCE_10_WIN_EN_ServicePack1_Readme.TXT

    And the SP1 Administrators Guide here:
    http://www.trendmicro.com/ftp/documentation/guides/OfficeScan10SP1_AG.pdf

    Try installing it, and see if it works. Remember it will require a reboot. :)


  26. Ganesh Says:

    Hi Jrp,

    I tried to upgrade Officescan 8version to officescan 10, unfortuanately i can’t able to install because of disk space, then i made disk space reinstalled with officescan 10. Now i am getting some problems like
    (1) some client pc showing offline
    (2)Still some pc is not get upgrade to officescan 10
    (3) atlast all pc is show smartscan server unavailable red crossmark.
    (4) i can’t able to do remote installation from server, when i put computer name or IP address, the i get msg like “Could not find”

    please tell me why this all problems are coming what i need to do for this.

    Thanks


  27. Gopinath Says:

    Hi All,
    I started receiving BSOD on windows XP Clients.. around 1000 workstations.

    My officescan version is Officescan 10, No smart scan, vsapint.sys(9.100.1001).

    Early help appreciated…

    Gopi


  28. jrp Says:

    Ganesh:
    How many of your PCs are having this problem? (Percentage).

    I suggest putting some sort of script in your login script, that runs AutoPcc.exe. This will fix a “broken” installation of OfficeScan, or install OfficeScan if its missing. If you download the “Installation and Upgrade Guid” from http://www.trendmicro.com/download/product.asp?productid=5, there should be some reference to AutoPcc.exe, somewhere under “Installation Methods”.

    Gopinath:
    I suggest you open a support case with Trend Micro, or your local reseller as soon as possible. Just to get that started.

    Are you running the firewall? Try disabling the firewall service, and unchecking the firewall driver on the interface on some of the machines (Find the network connection, right click it, choose “properties”, then uncheck the Trend Micro Common Firewall driver).

    In my experience, most problems related to BSOD/crashes and OfficeScan is caused by the firewall driver, or some other related components.

    If this doesnt help, try collecting minidumps (crashdumps) from the machines. Also, turn on full memory dump in Windows on some of the machines, and try to find a full dump. Analyzing it may reveal what caused the BSOD. If you’re not able to analyze it yourself, Trend Micro support will be more than able to perform an analysis :)

    – jrp


  29. OrbMan Says:

    I am running OfficeScan v10 on Windows 7, and like Mike (http://technoblog.org/2009/09/trend-micro-officescan-10-some-thoughts/comment-page-1/#comment-1032), the scan button is greyed out in the console.


  30. Akhlaq Ahmad Says:

    im using Officescan v10, but this is taking too much disk space. it taking almost 11GB disk space, when i check which folder occupying space, i found C:\Program Files\Trend Micro\OfficeScan\PCCSRV\WSS\patterns. is taking almost 9GB space. with name of this folder seem it is contain pettern files of antivirus and malware, but why this datebase is so huge?
    is there any one who can help me?


  31. Max Says:

    Guys..I’m using OCSE 10 and i have a problem with 1 of the application. It slows down badly. So i disable trend micro firewall and real time monitoring however the problem still persists. So i unload officescan from the desktop and walla my application goes back to normal.

    Can someone help me and explain what is causing the slowdown when firewall and realtime scaning is turned off? I checked and my memory and performance was good.
    Urgently need help..
    Thanks


  32. AVA Says:

    We got officescan 10 SP1 working on about 600 clients
    Everything is working fine except for the boot time on Windows XP.
    It has gone up dramatically. Especially after logging in, we get a blank screen for about 2 minutes before it continous loading to the desktop. All our XP machines seem to have this problem after installing the new version.
    Version 7.3 (wich we had before) didnt have this problem. Is there a solution fo this problem?

    Thanks in advance


  33. OVd Says:

    We are using OCSE 10 with SP1 on Windows XP SP3. In most of the situation it is working fine, but with some applications and especially Solidworks CAD software sometimes system is completely blocked for a couple of seconds (10 to 30 seconds every 1 or 2 hours).
    When we disable OfficeScan it works just fine.

    We tried to disable firewall and real time monitoring and many other settings in ofsc.ini however the problem still persists.

    We didn’t observe this behavior previously with OfficeScan 8.0. We think about to step back to 8.0.

    Any similar experiences?


  34. RAD Says:

    After removing the Officescan 7.3 client and installing Officescan 10 SP1, a small percentage of our XP SP3 workstations are experiencing an indefinite hang at a blank screen post logon. This does not happen during each logon, but when it does happen, it occurs immediatly after logon from the CTRL-ALT-DEL screen and prior to the application of user policies and logon scripts. A reboot will fix it most of the time but it can occur on thae same workstations during subsequent logons. Removing and reinstalling the Officescan client seems to fix it for good on the few that I’ve worked with so far. I plan to test if a repair is as reliable as a complete re-install.


  35. Muyass Says:

    Hi All,
    I have installed Trend Micro 8 in my server machine and recently upgraded it to 10. I used Conventional scan and today changed it to Smart scan.
    Problem that appeared is: red cross mark appeared (unavailable) in all clients computes.

    Can you please help

    Regards,
    Muyass


  36. Max Says:

    Guys..i have found the root cause to web application being slow with ocse10. I disable the startup services called tmproxy.exe. Every traffic goes through this scaning thus causing slowness is real time apps. This work for me after i disable it.

    I hope this helps!


  37. Crispin Says:

    I am not able to start this service “Trend Micro Unauthorized Change Prevention Service”

    Keep getting this error:
    The Trend Micro Unauthorized Change Prevention Service service depends on the tmactmon service which failed to start because of the following error:
    The dependency service or group failed to start.


  38. mp Says:

    i switch from conventional to smart scan on my servers, in the first scan job, my pdc crash! in the bdc i found and ntfrs warning event 13522 and no more evidence … Anyone heard of a problem similar to mine


  39. Steve Says:

    How can I permanently disable the TMProxy service. Every time I disable the service, it resets itself to manual and started after each reboot?


  40. Evman Says:

    Max, you fixed it the same way I did!
    I also disabled the TMBMSRV.exe service as well as TMPROXY.exe, and then renamed both the actual files in their respective locations incase the program tried to wise up and load them again. The Celeron 900mhz at work is somewhat useable by the salesman again 😀


  41. Max Says:

    Guys, if you want to disable tmproxy permanently go to services.msc and look for Officescan NT Proxy ( im using windows 7 ) right click properties and select Startup type to Disabled. Restart your pc!

    Hope that works..


  42. Sachin Says:

    Im using trend micro officescan 10 I cant download activeupdate pattern files / Latest scan engine. Please help! URGENT…. SINCE ONE OF MY COMPUTER IS DOWN IN THE NETWORK

    Regards,

    Sachin


  43. nawal Says:

    I have to install trend micro 8.0 server any one suggest me installation process ????


  44. nawal Says:

    how can we fix CgiLog.exe in trend micro 8.0 server


  45. Technoblog.org » Blog Archive » OfficeScan how-to series Says:

    […] I have had an overwhelming response to my “Thoughts about OfficeScan 10“. […]


  46. jrp Says:

    Sachin: Most likely its a problem with Trend Micros Active Update Server. If it happens again, wait a couple of hours and then check again. It may also be a problem with your license, without a valid license you wont be able to update pattern files.

    nawal:
    First part of what you requested:
    http://technoblog.org/2010/07/trend-micro-officescan-installation/

    Its pretty much the same for OfficeScan 8.0.

    Just click the “View older versions and related downloads” link at the top. And you will be able to download OfficeScan 8 installation files.


  47. DJ Says:

    Turn off web reputation and turn off (it is a global setting) the “Enable Trend Micro Smart Feedback” – this turns off the tmproxy service for good. You HAVE to do this if you are using websense on citrix 😉


  48. Asif Says:

    Dear frnds,

    I am facing a challenge from Officescan Antivirus since i am unable to install it on windows 7 ultimate.

    I am having a desktop client and i am trying to install it from the Trend micro office scan server ver 10 Service Pack 1.

    Problem is i can install it on XP but cannot on Win 7.
    Internet explorer appears blank after it tries to connect with the server.

    Please help


Leave a Reply

technoblog@trap.threatobs.com