Real Time Scan Wizard - Task Failing

(imported topic written by jmorano91)

I have created an RTS task that included all the exclusions my environment requires. When I created the task and deployed it, it fails, though looking at the task log shows everything completed successfully. This task is being run against version 10.6 OfficeScan, and the RTS wizard was just created during the 10.6 OfficeScan deploys.

Please see attached export file.

(imported comment written by jmorano91)

Also attached is the Action Info and the “Completed” results it reports. Once again the job shows “Failed”.

Jason

(imported comment written by Xie_Ran91)

Hi,

Can you please provide the client log file as well?

The client log is located at {TEM Install Directory}\BES Client\__BESData\__Global\Logs

(imported comment written by jmorano91)

Xie,

Thanks for asking for more info. I am providing a truncated log to focus more along the task failure we are discussing. The time for this machine's action is 16:02 and I am including both log files.

(imported comment written by jmorano91)

Also this one.

(imported comment written by Xie_Ran91)

Trend team confirmed that this is a bug and they will fix it by this week.

(imported comment written by Xie_Ran91)

Can I confirm with you that the fixlet is generated using Real Time Scan wizard without any further customization/modification?

It looks like you manually added the “Excluded Folder” and values in action “__createFile”

(imported comment written by jmorano91)

XieRan91

I have not customized the Task in any way. I added excluded file types / folders and extension per the input fields. I have not in any way gone in and added any changes to the relevance or action other than what the wizard creates. Can I ask is this task successfully executing and just showing failed?

(imported comment written by Xie_Ran91)

What if you create a task using RTS wizard without any customization? Is it showing failed?

Your task "Core Protection Module Real-Time Scan Settings Core Protection Module 4-4-12.bes" looks a bit strange to me since the ExcludedFolder and ExcludedFile values only appear in the action but not in the relevance.

ExcludedFolder = \Device|\Device\harddisk\volumeshadowcopy1|C:\%allusersprofile%\NTUser.pol|C:\%Systemroot%\system32\GroupPolicy\registry.pol|C:\%systemroot%\System32\Wins|C:\Documents and Settings\All Users\Application Data\Microsoft\SharePoint\Config|C:\Program Files (x86)\Microsoft SQL Server|C:\Program Files\CA|C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions|C:\Program Files\Common Files\Microsoft Shared\Web Storage System|C:\Program Files\Commvault|C:\Program Files\Microsoft ISA Server\ISALogs|C:\Program Files\Microsoft Office Servers\12.0\Bin|C:\Program Files\Microsoft Office Servers\12.0\Logs|C:\Program Files\Microsoft SQL Server\MSSQL$instancename\FTDATA|C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Data|C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data|C:\Program Files\Microsoft SQL Server\MSSQL\FTDATA|C:\Program Files\SharePoint Portal Server|C:\System32\Spool|C:\Users\mossadm\AppData\Local\Temp\WebTempDi|C:\Users\mossadm\Local\Temp|C:\Users\mossfarm\AppData\Local\Temp\WebTempDir|C:\Users\mossfarm\Local\Temp|C:\Users\wsprod\AppData\Local\Temp\WebTempDir|C:\Users\wsprod\Local|C:\Windows\Cluster|C:\Windows\Microsoft.NET\Framework64|C:\Windows\NTDS|C:\Windows\ntfrs|C:\Windows\system32\dhcp|C:\Windows\system32\dns|C:\Windows\system32\IIS Temporary Compressed Files|C:\Windows\system32\LogFiles|C:\Windows\SYSVOL|C:\Windows\Temp\Frontpagetempdir|C:\WINNT\NTDS|C:\WINNT\ntfrs|C:\WINNT\system32\dhcp|C:\WINNT\system32\LogFiles|C:\WINNT\SYSVOL|D:\%allusersprofile%\NTUser.pol|D:\%Systemroot%\system32\GroupPolicy\registry.pol|D:\Program Files\Common Files\Microsoft Shared\Web Storage System|D:\Program Files\Microsoft ISA Server\ISALogs|D:\Program Files\Microsoft SQL Server\MSSQL$instancename\FTDATA|D:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Data|D:\Program Files\Microsoft SQL Server\MSSQL\FTDATA|D:\Program Files\SharePoint Portal Server|D:\System32\Spool|D:\Windows\Cluster|D:\Windows\NTDS|D:\Windows\ntfrs|D:\Windows\system32\ IIS 
Temporary Compressed Files|D:\Windows\system32\dhcp|D:\Windows\system32\dns|D:\Windows\system32\LogFiles|D:\Windows\SYSVOL|D:\Windows\Temp\Frontpagetempdir|D:\WINNT\NTDS|D:\WINNT\ntfrs|D:\WINNT\system32\dhcp|D:\WINNT\system32\LogFiles|D:\WINNT\SYSVOL|E:\System32\Spool|F:|M:|P:|Q:|U:
{(concatenation "|" of ("" ;
  (if (exists regapp "besclient.exe") then (pathname of parent folder of regapp "besclient.exe" as string & "\__BESData") else "C:\Program Files\BigFix Enterprise\BES Client\__BESData") ;
  (if (exists regapp "besrelay.exe") then (pathname of parent folder of regapp "besrelay.exe" as string) else "C:\Program Files\BigFix Enterprise\BES Relay") ;
  (if (exists value "EnterpriseServerFolder" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server" of registry) then (value "EnterpriseServerFolder" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server" of registry as string) else "C:\Program Files\BigFix Enterprise\BES Server") ;
  (if (exists value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry) then (value "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" of registry as string) else "C:\Program Files\Trend Micro\Core Protection Module") ;
  (if (exists value "InstallPath" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPMsrv" of registry) then (value "InstallPath" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPMsrv" of registry as string) else "C:\Program Files\Trend Micro\Core Protection Module Server")))
}

ExcludedFile = $db_dirty$|$db_normal$|authenticat.exe|besclient.exe|besclientui.exe|Cdb.exe|Cidaemon.exe|Clussvc.exe|dntu.exe|Dsamain.exe|dwrcc.exe|dwrcs.exe|EdgeCredentialSvc.exe|EdgeTransport.exe|ExFBA.exe|FileIDTable_2|GalGrammarGenerator.exe|Inetinfo.exe|Mad.exe|Microsoft.Exchange.AddressBook.Service.exe|Microsoft.Exchange.AntispamUpdateSvc.exe|Microsoft.Exchange.ContentFilter.Wrapper.exe|Microsoft.Exchange.EdgeSyncSvc.exe|Microsoft.Exchange.Imap4.exe|Microsoft.Exchange.Imap4service.exe|Microsoft.Exchange.Infoworker.Assistants.exe|Microsoft.Exchange.Monitoring.exe|Microsoft.Exchange.Pop3.exe|Microsoft.Exchange.Pop3service.exe|Microsoft.Exchange.ProtectedServiceHost.exe|Microsoft.Exchange.RPCClientAccess.Service.exe|Microsoft.Exchange.Search.Exsearch.exe|Microsoft.Exchange.Servicehost.exe|MSExchangeADTopologyService.exe|MSExchangeFDS.exe|MSExchangeMailboxAssistants.exe|MSExchangeMailboxReplication.exe|MSExchangeMailSubmission.exe|MSExchangeRepl.exe|MSExchangeThrottling.exe|MSExchangeTransport.exe|MSExchangeTransportLogSearch.exe|Msftefd.exe|Msftesql.exe|MSMDSrv.exe|Ntds.dit|Ntds.pat|NTUser.pol|OleConverter.exe|Pagefile.sys|pertracdatamanager.exe|Powershell.exe|pwdmanager.exe|Registry.pol|ReportingServicesService.exe|Scripts.ini|SESWorker.exe|sgn_masterservicen.exe|sgnauthservicen.exe|sgnmaster.exe|SimilarityTable_2|simonpro.exe|SpeechService.exe|SQLServr.exe|Store.exe|Tmp.edb|TranscodingService.exe|UmService.exe|UmWorkerProcess.exe|W3wp.exe|wfica32.exe|?Fdeploy.inf

I’ve tried to input a simple “11111111” in the “Scan Exclusion List (Files)” and in the relevance generated, I have

( not exists ( key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration" of registry ) whose ( value "ExcludedFile" of it as string = ( rope "11111111|" ) as string ) )

Same thing for “Scan Exclusion List (Directories)”; whatever is input should appear in both the relevance and the action.

Please let me know if you have any doubt.
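The mismatch described in the post above can be checked offline before a task is deployed. The Python sketch below is an added example, not code from the thread or from the wizard: it lists exclusion keys that the action writes but that no relevance clause tests. The sample export is constructed, and the `Relevance` and `ActionScript` element names are assumed to match the .bes export layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's export: the action sets two exclusion
# keys, but the relevance only tests one of them.
SAMPLE_BES = r'''<BES>
  <Task>
    <Relevance>name of operating system starts with "Win"</Relevance>
    <Relevance>not exists (key "HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration" of registry) whose (value "ExcludedFile" of it as string = (rope "11111111|") as string)</Relevance>
    <DefaultAction ID="Action1">
      <ActionScript>createfile until __DONE
ExcludedFolder = C:\Windows\NTDS|C:\Windows\SYSVOL{(concatenation "|" of ("" ; "C:\BES"))}
ExcludedFile = 11111111
ExcludedExt =
__DONE</ActionScript>
    </DefaultAction>
  </Task>
</BES>'''

KEYS = ("ExcludedFolder", "ExcludedFile", "ExcludedExt")


def action_literals(script):
    """Map each exclusion key to the literal text set in the action,
    dropping any {relevance substitution} that follows it."""
    found = {}
    for line in script.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*)$", line)
        if m and m.group(1) in KEYS:
            found[m.group(1)] = m.group(2).split("{", 1)[0].strip().rstrip("|")
    return found


def unchecked_keys(bes_xml):
    """Return the keys whose non-empty action value no relevance clause tests."""
    root = ET.fromstring(bes_xml)
    clauses = [r.text or "" for r in root.iter("Relevance")]
    script = root.findtext(".//ActionScript") or ""
    missing = []
    for key, literal in action_literals(script).items():
        # Empty values (nothing entered in the wizard) need no verification.
        if literal and not any(f'"{key}"' in c and literal in c for c in clauses):
            missing.append(key)
    return missing


if __name__ == "__main__":
    print(unchecked_keys(SAMPLE_BES))
```

A key reported here is one whose configured value the task never verifies, which is the inconsistency between action and relevance that the post points out.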

(imported comment written by jmorano91)

This “default task” with no exclusions completed successfully.

Configure Default Real-Time Scan Settings

Core Protection Module

  • TEST

Workstation

Summary

The action executed successfully.

This action has been applied 1 time and will not be applied again.

Status Completed

Start Time 4/10/2012 9:42:37 AM

End Time 4/10/2012 9:42:49 AM

Exit Code 0

Action Script Execution Detail

Completed if {name of operating system starts with “Win”}

Completed delete realtime.ini

Completed delete “{(value “Application Path” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM” of registry as string)}\realtime.ini”

Completed createfile until __DONE

Completed

Real Time Scan Configuration

Completed Enable = 1

Completed ScanIncoming = 1

Completed ScanOutgoing = 1

Completed ScanAllFiles = 1

Completed IntelliScan = 1

Completed ExtList =

Completed ScanShutdown = 0

Completed ScanNetwork = 0

Completed ScanCompressed = 1

Completed CompressedLayer = 2

Completed IntelliTrap = 1

Completed EnableExclusion = 1

Completed ActiveAction = 1

Completed {if (exists key “HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.” whose (exists value “ProgramVer” whose (it as string as version >= “10.5”) of it) of registry) then (“EnablePossibleVirusCustActInActiveAct = 1”) else (nothings)}

Completed {if (exists key “HKLM\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.” whose (exists value “ProgramVer” whose (it as string as version >= “10.5”) of it) of registry) then (“PossibleVirusCustActInActiveAct = 4”) else (nothings)}

Completed EnableUniAct = 0

Completed BkUpIfClean = 1

Completed MoveDir = {value “Application Path” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM” of registry as string}\Quarantine

Completed CleanFailedMoveDir = {value “Application Path” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM” of registry as string}\Quarantine

Completed PopVirusFoundAlert = 1

Completed SystemCleanForPossibleVirus = 1

Completed

Completed

Spyware Real Time Scan Configuration

Completed Enable = 1

Completed ActionType = 1

Completed PopSpywareFoundAlert = 1

Completed

Completed

Real Time Scan Configuration Ex

Completed ExcludeTrendProduct = 1

Completed ExcludedFolder = {(concatenation “|” of ((if (exists regapp “besclient.exe”) then (pathname of parent folder of regapp “besclient.exe” as string & “__BESData”) else “C:\Program Files\BigFix Enterprise\BES Client__BESData”) ; (if (exists regapp “besrelay.exe”) then (pathname of parent folder of regapp “besrelay.exe” as string) else “C:\Program Files\BigFix Enterprise\BES Relay”) ; (if (exists value “EnterpriseServerFolder” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server” of registry) then (value “EnterpriseServerFolder” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server” of registry as string) else “C:\Program Files\BigFix Enterprise\BES Server”) ; (if (exists value “Application Path” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM” of registry) then (value “Application Path” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM” of registry as string) else “C:\Program Files\Trend Micro\Core Protection Module”) ; (if (exists value “InstallPath” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPMsrv” of registry) then (value “InstallPath” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPMsrv” of registry as string) else “C:\Program Files\Trend Micro\Core Protection Module Server”) ))}

Completed ExcludedFile =

Completed ExcludedExt =

Completed __DONE

Completed copy __createfile “{(value “Application Path” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM” of registry as string)}\realtime.ini”

Completed waithidden “{(value “Application Path” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM” of registry as string)}\TMCPMCLI.exe” CONFIG -i “{(value “Application Path” of keys “HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM” of registry as string)}\realtime.ini”

Completed regset "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPM" “SetCPMRealTimeSettingsActionID”="{id of active action}"

Completed endif

Completed if {name of operating system starts with “Mac”}

Completed wait rm -f “{string “ApplicationPath” of dictionary of file “/Library/Preferences/com.trendmicro.mpm.plist” & “/realtime.plist”}”

Completed createfile until __DONE

Completed <?xml version="1.0" encoding="UTF-8"?>

Completed

Completed

Completed

Completed RealtimeScanConfig

Completed

Completed enableScan

Completed

Completed targetUserActivity

Completed 3

Completed action

Completed

Completed option

Completed 1

Completed

Completed

Completed

Completed

Completed __DONE

Completed wait cp -f __createfile “{string “ApplicationPath” of dictionary of file “/Library/Preferences/com.trendmicro.mpm.plist” & “/realtime.plist”}”

Completed wait “{string “ApplicationPath” of dictionary of file “/Library/Preferences/com.trendmicro.mpm.plist”}”/TMMPMCLI CONFIG -i “{string “ApplicationPath” of dictionary of file “/Library/Preferences/com.trendmicro.mpm.plist”}”/realtime.plist

Completed wait rm -f “{string “ApplicationPath” of dictionary of file “/Library/Preferences/com.trendmicro.mpm.plist” & “/realtime.plist”}”

Completed endif

(imported comment written by jmorano91)

Still investigating true causal.

(imported comment written by fergusop)

Hello,

We have also had this problem for any of our scan setting tasks that we created. We found the issue to be with the relevance that is generated with the task. It seems like the relevance is looking for more than required to consider the task completed and so it shows as failed. Our workaround was to edit the task and remove the first and last relevance string, leaving only the string that contained the settings we configured. The first two strings seemed to focus on the eligibility for the task in general but had nothing to do with the success measurement of the task itself.