(imported topic written by pmiller23)
OK, I have configured the “Run Scheduled Scan” correctly as I see my logs being updated, also within the BigFix client dashboard I see the “Last On-demand Scan” timestamp change. But I do not see my “Last RealTime Scan” being updated on a regular basis – the timestamp shown in the BigFix client dashboard is the time that CPM was installed.
The reason that I am thinking that I have an issue with Real-Time Scan is that I know that I have a system that is infected and yet the logs show nothing unless I do an on-demand scan.
I am assuming that I made a configuration error when creating the action. There are no constraints and under the behavior section I have set:
On failure, retry 99 times – waiting 15 minutes between attempts
Reapply on action – do I need to reapply while relevant? Even though the settings never change?
Here is a copy of my Real-Time Settings:
delete realtime.ini
delete "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\realtime.ini"
createfile until __DONE
[Real Time Scan Configuration]
Enable = 1
ScanIncoming = 1
ScanOutgoing = 1
ScanAllFiles = 1
IntelliScan = 1
ExtList =
ScanShutdown = 0
ScanNetwork = 0
ScanCompressed = 1
CompressedLayer = 2
IntelliTrap = 1
EnableExclusion = 1
ActiveAction = 0
EnableUniAct = 1
CustAction = Universe-5-2,Joke-2-2,Trojan-2-2,Virus-5-2,Test_Virus-2-1,Spyware-4-2,Packer-2-1,Generic-25-1,Other-5-2
BkUpIfClean = 0
MoveDir = {value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string}\Quarantine
CleanFailedMoveDir = {value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string}\Quarantine
[Spyware Real Time Scan Configuration]
Enable = 1
ActionType = 1
[Real Time Scan Configuration Ex]
ExcludeTrendProduct = 1
ExcludedFolder = C:\Program Files\BigFix Enterprise{(concatenation "|" of ("" ; (if (exists regapp "besclient.exe") then (pathname of parent folder of regapp "besclient.exe" as string) else nothing) ; (if (exists regapp "besrelay.exe") then (pathname of parent folder of regapp "besrelay.exe" as string) else nothing) ; (if (exists value "EnterpriseServerFolder" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server" of registry) then (value "EnterpriseServerFolder" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server" of registry as string) else nothing)))}
ExcludedFile =
ExcludedExt =
__DONE
copy __createfile "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\realtime.ini"
waithidden "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\TMCPMCLI.exe" CONFIG -i "{(value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string)}\realtime.ini"
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM]" "SetCPMRealTimeSettingsActionID"="{id of active action}"
Thank you,
Patrick