Alert: Non-responding servers after deploying newest Trend signature/engine

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 10/28/01


Message-ID:  <E9A01F52DC939448BBDE44ED2E1C468F1F1E2B@muskie.rc.on.ca>
Date:         Sun, 28 Oct 2001 08:14:05 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
Subject:      Alert: Non-responding servers after deploying newest Trend signature/engine
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I received the following through the night. The author wished to remain
anonymous. I have not been able to verify the claims, but figured given the
potential harm that it was more prudent to get it out there than to wait for
confirmation from Trend (whom I just notified).

If you have experienced similar problems with this issue, please drop me a
note.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

////
Platforms : Windows 2000 Server/Advanced Server running SP1 or SP2
Additional services involved in problem/solution : AD, DFS, TS (admin mode),
remote control software and hardware

As a brief description we started noticing Friday evening that one main
location of ours had problems with performance and the print spooler dropped
out on the server. After some initial troubleshooting it was discovered that
the only way to access the server was from "Safe Mode" thereby disabling all
services. We had experienced performance problems on this server before and
thought the problem was local.

On Saturday evening one of our largest processing plants dropped out, but
because TS on the hardware granting us remote control of the server was
non-responsive, it took most of the day to get a replacement on-site. We
could not verify if the cause was the same even though the symptoms were the
same, we could only suspect.

During Saturday evening 3 more offices dropped out. This time we were able
to take remote control of them and start some troubleshooting. They were
quickly followed by all other offices, but by then we had located the cause
and were trying to solve the problem.

What happens is that when the new Trend ServerProtect/OfficeScan engine and
(5.600 / 159) signatures were deployed on to servers running DFS root
replicas, these systems became non-responsive and had to be started in Safe
Mode to disable virus scanning and then brought up again. We have two DFS
roots, one running on member servers, these were first affected, the other
running on Domain controllers, these were also affected but it was not
immediately noticed since they have heavy hardware and coped with a lot of
load until giving in, but if restarted they also became non-responsive.

Here are our experienced symptoms, others may exist :

1. Users cannot log on to workstations, Explorer simply hangs, and you're
using DFS for software distribution

or

2. Users can log on but when trying to access Start button Explorer hangs
and you're using DFS for software distribution

and

3. Servers running DFS become inaccessible using remote control tools such
as PCAnywhere, Netop etc. and the console either just shows the blue
background before logon box comes up, or hangs if trying to log on Explorer

or

4. Print Spooler crashes and server shares become inaccessible when DFS
services are started

Solution :

1. Bring down the server and restart it in "Safe Mode with Networking". If
you have the means to do this remotely a central action can be taken
otherwise you need to reach any local responsible with Administrator access
to the machines

2. Disable Trend ServerProtect. We also disabled Trend OfficeScan just to be
sure for the moment.

3. Restart the server normally.
////
