Alert: Non-responding servers after deploying newest Trend signature/engine

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 10/28/01

Message-ID:  <>
Date:         Sun, 28 Oct 2001 08:14:05 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Alert: Non-responding servers after deploying newest Trend signature/engine

I received the following through the night. The author wished to remain
anonymous. I have not been able to verify the claims, but figured given the
potential harm that it was more prudent to get it out there than to wait for
confirmation from Trend (whom I just notified).

If you have experienced similar problems with this issue, please drop me a

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

Platforms : Windows 2000 Server/Advanced Server running SP1 or SP2
Additional services involved in problem/solution : AD, DFS, TS (admin mode),
remote control software and hardware

As a brief description we started noticing Friday evening that one main
location of ours had problems with performance and the print spooler dropped
out on the server. After some initial troubleshooting it was discovered that
the only way to access the server was from "Safe Mode" thereby disabling all
services. We had experienced performance problems on this server before and
thought the problem was local.

On Saturday evening one of our largest processing plants dropped out, but
because TS on the hardware granting us remote control of the server was
non-responsive, it took most of the day to get a replacement on-site. We
could not verify if the cause was the same even though the symptoms were the
same, we could only suspect.

During Saturday evening 3 more offices dropped out. This time we were able
to take remote control of them and start some troubleshooting. They were
quickly followed by all other offices, but by then we had located the cause
and were trying to solve the problem.

What happens is that when the new Trend ServerProtect/OfficeScan engine and
(5.600 / 159) signatures were deployed on to servers running DFS root
replicas, these systems became non-responsive and had to be started in Safe
Mode to disable virus scanning and then brought up again. We have two DFS
roots, one running on member servers, these were first affected, the other
running on Domain controllers, these were also affected but it was not
immediately noticed since they have heavy hardware and coped with a lot of
load until giving in, but if restarted they also became non-responsive.

Here are our experienced symptoms, others may exist :

1. Users cannot log on to workstations, Explorer simply hangs, and you're
using DFS for software distribution

2. Users can log on but when trying to access Start button Explorer hangs
and you're using DFS for software distribution

3. Servers running DFS become inaccessible using remote control tools such
as PCAnywhere, Netop etc. and the console either just shows the blue
background before logon box comes up, or hangs if trying to log on Explorer

4. Print Spooler crashes and server shares become inaccessible when DFS
services are started

Solution :

1. Bring down the server and restart it in "Safe Mode with Networking". If
you have the means to do this remotely a central action can be taken
otherwise you need to reach any local responsible with Administrator access
to the machines

2. Disable Trend ServerProtect. We also disabled Trend OfficeScan just to be
sure for the moment.

3. Restart the server normally.
