Re: Error while opening Trend micro office scan Misc. Registry Key
From: Les Connor (les.connor_at_DEL.cfive.ca)
Date: 11/03/04
- Next message: Thomas Wopienka: "Re: Software RAID problem"
- Previous message: SuperGumby [SBS MVP]: "Re: Slooow DNS cache resolution"
- In reply to: Mario Michela: "Re: Error while opening Trend micro office scan Misc. Registry Key"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 2 Nov 2004 20:22:24 -0600
Hi Mario,
Sorry, I've seen no issues of this nature with Trend CSM SMB. I was of the
opinion that Trend Micro products are xp2 firewall aware (or is it the other
way around), and in my experience officescan works fine so long as the
firewall on whatever connection you happen to be using at the time (they are
configured individually) isn't blocking ports.
I've got CSM running in multiple sites with xp sp2, and am not seeing any
issues. I wish I had some answers for you, but I don't. Right now, I think
Trend support is your best bet.
--
Les Connor [SBS Community Member]
-------------------------------------
SBS Rocks !

"Mario Michela" <MarioMichela@discussions.microsoft.com> wrote in message
news:3E58D042-0F3A-40CB-92D4-EE0D45F8883A@microsoft.com...
>I was told by Trend Micro that this is an issue with the Microsoft Firewall
> not releasing registry keys after reading them. can you substantiate any of
> this?
>
> "Mario Michela" wrote:
>
>> ok I set the firewall exception and today the became again unavailable.
>> I believe the problem has something to do w/ the svchost.
>> i have several log files and misc other file i'd like to get to you. they
>> are in a .zip file. how do you suggest i get the file to you?
>>
>> "Mario Michela" wrote:
>>
>> > Compromised state = Misc. key not Accessible.
>> > i've noticed that when i'm not able to view the misc. key. the svchost also
>> > using that key contains 100s if not 1000s of handles. usually 85000
>> > I also checked the firewall exception list. tmlisten was listed but not
>> > checked. i check the box. the system has not failed yet so perhaps it was
>> > simply a firewall issue. if that is the case, perhaps a coordinated error
>> > msg between trend micro and the firewall services would be nice. we'll see
>> > how well it goes..
>> >
>> > "Les Connor" wrote:
>> >
>> > > Hi Mario,
>> > >
>> > > I don't really know what you mean by compromised state, or what prompted
>> > > you to dig into the registry because Officescan is not updating. Perhaps
>> > > you can enlighten me.
>> > >
>> > > Failing that, I'll just proceed down the path of checking the XP firewall
>> > > isn't blocking the update. (or, you can disable it and see if that cures
>> > > the problem). On an XP workstation:
>> > >
>> > > Start | Control Panel | Security Center > click on Windows Firewall.
>> > > Click on the Advanced tab (how many connections do you show?) - and then
>> > > the Settings button.
>> > > Is the OfficeScanNT Listener listed there, and is it selected (check
>> > > box) ?
>> > >
>> > > --
>> > > Les Connor [SBS Community Member]
>> > > -------------------------------------
>> > > SBS Rocks !
>> > >
>> > > "Mario Michela" <MarioMichela@discussions.microsoft.com> wrote in message
>> > > news:FB2138F2-CBAD-4B43-ACC0-EBF77C273081@microsoft.com...
>> > > > yes i'm using win xp sp2. i noticed that when the system is in a
>> > > > compromised state syshost lists the number of handles allocated to
>> > > > misc. is several hundred. i have
>> > > > a copy of the detailed process list both in a compromised and non
>> > > > compromised state. do you have an email address where i can email this
>> > > > file?
>> > > > "Les Connor" wrote:
>> > > >
>> > > >> About the only issue I've had with Officescan has been a connectivity
>> > > >> issue with XP SP2 firewall. The connection that was active when SP2
>> > > >> was installed has an exception that allows proper communication
>> > > >> between the server and client. A subsequent connection may not have
>> > > >> that exception, which results in the client seeing the server, but the
>> > > >> server not always seeing the client, and updates not working.
>> > > >>
>> > > >> For example, a wired connection might work, and a subsequently used
>> > > >> wireless connection may not. Or, wireless connection A might work,
>> > > >> while connection B may not. The firewall settings are connection
>> > > >> specific.
>> > > >>
>> > > >> I'm thinking that a one-sided communication attempt to update the
>> > > >> virus defs may be causing the file you refer to to be locked.
>> > > >>
>> > > >> If you can confirm that XP2 is - or isn't - a common denominator, then
>> > > >> that might help us in where to look.
>> > > >>
>> > > >> --
>> > > >> Les Connor [SBS Community Member]
>> > > >> -------------------------------------
>> > > >> SBS Rocks !
>> > > >>
>> > > >> "Mario Michela" <MarioMichela@discussions.microsoft.com> wrote in
>> > > >> message news:255E74FD-4D60-4493-B8C8-62D3C5FE8997@microsoft.com...
>> > > >> > yes the only thing strange is that in the context menu (system tray)
>> > > >> > the "update now" is missing. and security center advises virus def
>> > > >> > is out of date.
>> > > >> > i did notice that svchost also accesses that key. any clues there?
>> > > >> >
>> > > >> > "Les Connor" wrote:
>> > > >> >
>> > > >> >> Mario,
>> > > >> >>
>> > > >> >> I'm not sure if the key is a red herring or not.
>> > > >> >>
>> > > >> >> In Officescan console, do the workstations appear, and correctly ?
>> > > >> >> As in do they show on-line status when they're on line ? If you run
>> > > >> >> the connection test (clients node, I think), and then check the
>> > > >> >> connection test log, what do you see ?
>> > > >> >>
>> > > >> >> --
>> > > >> >> Les Connor [SBS Community Member]
>> > > >> >> -------------------------------------
>> > > >> >> SBS Rocks !
>> > > >> >>
>> > > >> >> "Mario Michela" <MarioMichela@discussions.microsoft.com> wrote in
>> > > >> >> message news:1C8A2B1B-E93A-4532-A657-53035F60160E@microsoft.com...
>> > > >> >> > yes i noticed this behaviour on all workstations. I have not
>> > > >> >> > confirmed if this condition also exists on a virtual pc. It would
>> > > >> >> > seem (although not confirmed) that the last workstation to reboot
>> > > >> >> > would remain intact until another workstation was rebooted. i did
>> > > >> >> > try taking down all workstations but one and the condition also
>> > > >> >> > occurred. when this misc. reg key is unavailable so too is the
>> > > >> >> > 'update now' context menu choice. I resolve the condition by
>> > > >> >> > rebooting the machine and doing an 'update now' immediately. when
>> > > >> >> > i notice the security center warning, i try to reboot as soon as
>> > > >> >> > possible. i'd like to know if there is a tool that can tell me
>> > > >> >> > what is accessing and or changing attributes of this key. i tried
>> > > >> >> > to turn auditing but wasn't sure i succeeded because it seems to
>> > > >> >> > be under gpo control.
>> > > >> >> >
>> > > >> >> > "Les Connor" wrote:
>> > > >> >> >
>> > > >> >> >> Hi Mario,
>> > > >> >> >>
>> > > >> >> >> This is occurring on a workstation, right?
>> > > >> >> >> Are all workstations affected ?
>> > > >> >> >> What happens if, when you receive the out of date message, you
>> > > >> >> >> right click the officescan icon and select update ?
>> > > >> >> >> Are the client(s) actually out of date, and do they update
>> > > >> >> >> correctly ?
>> > > >> >> >> Has Officescan previously worked properly, and if so, did this
>> > > >> >> >> behaviour coincide with XP SP2 ? Or some other event?
>> > > >> >> >>
>> > > >> >> >> I occasionally get the out of date message on a workstation
>> > > >> >> >> (laptop) that is on the lan, and is an Officescan client, but
>> > > >> >> >> does not have a machine account on the SBS. But it will manually
>> > > >> >> >> update as above.
>> > > >> >> >>
>> > > >> >> >> --
>> > > >> >> >> Les Connor [SBS Community Member]
>> > > >> >> >> -------------------------------------
>> > > >> >> >> SBS Rocks !
>> > > >> >> >>
>> > > >> >> >> "Mario Michela" <MarioMichela@discussions.microsoft.com> wrote
>> > > >> >> >> in message
>> > > >> >> >> news:6DA1C050-8150-4E69-9A16-C341FD235C56@microsoft.com...
>> > > >> >> >> > I've been working directly with trendmicros developers in
>> > > >> >> >> > Taiwan, and Minilla and we are all equally stumped.
>> > > >> >> >> > Environment:
>> > > >> >> >> > 1) sbs2003
>> > > >> >> >> > 2) Trend Micro Client/Server/Messaging Suite v6.0 bld1250
>> > > >> >> >> > 3) x number of OfficeScan 6.00
>> > > >> >> >> > 4) x number windows xp pro sp2
>> > > >> >> >> > Situation:
>> > > >> >> >> > Machine reboots, all is as it should be.. at some point a
>> > > >> >> >> > security center system tray icon announces that Trend Micro
>> > > >> >> >> > Office Scan Client s Reports that it might be out of date.
>> > > >> >> >> > upon investigating the registry i get the following error
>> > > >> >> >> > when trying to access this key:
>> > > >> >> >> > Cannot open Misc.: Error while opening key.
>> > > >> >> >> > Trend Micro stores information regarding the latest patch in
>> > > >> >> >> > the
>> > > >> >> >> > hklm/softwear\trendmicro/pc-cillinNTCorp\CurrentVersion\Misc.
>> > > >> >> >> > key.
>> > > >> >> >> > RegMon reported Result Code: c000009a
>> > > >> >> >> > upon reboot all would be restored. so my question. how do i
>> > > >> >> >> > find out what process is locking this key. and why. There are
>> > > >> >> >> > several other keys in this section that are unaffected. i can
>> > > >> >> >> > supply any info log you may require..
>> > > >> >> >> > thank you so much.