Trend Micro Manually Update Patch

AlexCSUEB · March 2, 2018, 6:45pm

Hello;

We are one of the many lucky people to get that killer Trend Deal and to get the shaft from upgrading away from Trend. As of right now we have Trend but no way to update using the current active bigfix scripts

I have found a way to manually do this; but I can get it working correctly

A simple bat file
@echo off
pushd "C:\Program Files\Trend Micro\OfficeScan Client"
PCCNTMon.exe -us

This will run the Trend Micro Updater and run it silent in the backround this works great if you run it from a Bat file or from the cmd line

I want to make a custom script that will run this in bigfix that we can use until we change over to a new AV

My current action script is

waithidden cmd.exe /C Cscript.exe C:\Program Files\Trend Micro\OfficeScan Client "PCCNTMon.exe -us"

But this will say completed but not run correctly; does any have any other way to run this correctly or any ideas on how do this better

Few Ideas I have
Have the .bat file
Put it on the system
Run a command to run the bat file on the system.

I’m not an expert on how to set this up or configure this; any help would be great.

JasonWalker · March 2, 2018, 8:08pm

Probably a problem with 32-bit redirection. Since the BES Client is 32-bit, when you reference “Program Files” it is redirected to “Program Files (x86)”.

Try putting
action uses wow32 redirection false
in your actionscript before running the batch file.

jgstew · March 2, 2018, 9:53pm

I definitely think you may need this, but also, not sure why you are calling cscript. Is this a VBScript or similar? Is this how you have done it manually on the command line?

To me, it seems like it should be:

waithidden cmd.exe /C "C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMon.exe" -us

or similar

It would help if you could give us more context about the EXE you are calling and documentation about how to run it if any exist.

http://docs.trendmicro.com/all/ent/officescan/v10.6/en-us/osce_10.6_olhsrv/ohelp/core/corclicom.htm

AlexCSUEB · March 2, 2018, 10:07pm

Hello JgStew;

I just want to find a way to run the automatic updater that is already built into the Trend Micro; you are unable to modify the folder so I couldn’t just add in a bat file as you can’t really make changes;

So I just came up with a script that kicks off the auto updater; I have been running it on a bat file that works fine and it also works when you run the command in the CMD; but when I was using https://gyazo.com/1eb0749a82ec93a365cd8064db22ef8f

bigfix to kick off the operation it wasn’t working correctly;

PCCNTMon.exe

Notice how Out of Date my Virus Pattern is

If you run the PCCNTMon.exe-us
It will do a silent update in the back round and have the Patterns up to date

This is updating tool used to Run with Trend; when you use a -u it will pull up the Trend Micro Screen and have to manually updated by clicking we don’t want that; that’s the reason I’m using the -us command

jgstew · March 2, 2018, 10:09pm

If you open an admin command prompt and do the following, does it work?

cmd.exe /C "C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMon.exe" -us

AlexCSUEB · March 2, 2018, 10:10pm

When I run this on the host machine this works fine

cmd.exe /C "C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMon.exe" -us

When I run this in bigfix it will run as completed but the it won’t update correctly so that’s why i asking on the forums
As i run this in the debugger and it runs fine as well the system thinks it was completed but it’s not doing the update.

-Alex

jgstew · March 2, 2018, 10:17pm

The next debugging step to try is to use PSExec to execute the command as the SYSTEM account and see if that works. I generally do this by opening a CMD window as SYSTEM, then run this:

cmd.exe /C "C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMon.exe" -us

To open a CMD window as SYSTEM, do this:

PSExec -accepteula -h -s CMD /K

If it works through this method, then that should match what bigfix is doing fairly closely.

AlexCSUEB · March 2, 2018, 10:42pm

I’m testing this and getting it ran; but it doesn’t update the pattern.

Like I said when I run it manually via command it works just fine

AlexCSUEB · March 2, 2018, 10:45pm

Sorry better screen shot

I’m trying the PCCNT without the MON

There is PCCNTMON and PCCNT

Both are updater for the AV; and are said use the commands like -us

jgstew · March 2, 2018, 10:49pm

Your screenshots are kind of confusing. It seems like you are running CMD /K over and over again a bunch.

If this works on the command line:

"C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMon.exe" -us

Then you can try in bigfix actionscript:

dos "C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMon.exe" -us

or:

wait CMD /C /S ""C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMon.exe" -us"

or similar.

I’m still a bit confused as to what definitely works for you on the command line or if it works when invoked using PSExec.

It is also useful to check the bigfix client log files for the action execution and see what it says.

AlexCSUEB · March 2, 2018, 11:25pm

I pulled the logs from bigfix not sure how helpfull this is

At 14:51:32 -0800 - 
   Successful Synchronization with site 'mailboxsite' (version 184) - 'MYBIGFIX/cgi-bin/bfgather.exe/mailboxsite11207337'
   Processing action site.
At 14:51:36 -0800 - mailboxsite (MYBIGFIX/cgi-bin/bfgather.exe/mailboxsite11207337)
   Relevant - Software Distribution - Deploy: TrendUpdate (fixlet:38863)
At 14:51:36 -0800 - 
   ActionLogMessage: (action:38863) Action signature verified for Execution
   ActionLogMessage: (action:38863) starting action
At 14:51:37 -0800 - actionsite (MYBIGFIX1/cgi-bin/bfgather.exe/actionsite)
   Command started - waithidden cmd.exe /C "C:\Program Files\Trend Micro\OfficeScan Client\PCCNT.exe" -us (action:38863)
At 14:51:39 -0800 - 
   Report posted successfully
At 14:51:40 -0800 - actionsite (MYBIGFIX:52311/cgi-bin/bfgather.exe/actionsite)
   Command succeeded (Exit Code=0) waithidden cmd.exe /C "C:\Program Files\Trend Micro\OfficeScan Client\PCCNT.exe" -us (action:38863)
At 14:51:40 -0800 - 
   ActionLogMessage: (action:38863) ending action
At 14:51:40 -0800 - mailboxsite (MYBIGFIX/cgi-bin/bfgather.exe/mailboxsite11207337)
   Not Relevant - Software Distribution - Deploy: TrendUpdate (fixlet:38863)
At 14:51:47 -0800 - actionsite (MYBIGFIX/cgi-bin/bfgather.exe/actionsite)
   Not Relevant - CSUEB- Apply Automatic Updates-Do Not STOP (fixlet:5312)
At 14:53:52 -0800 - 
   Report posted successfully

JasonWalker · March 2, 2018, 11:27pm

I don’t see that you are disabling wow32 redirection in that log?

AlexCSUEB · March 2, 2018, 11:31pm

So I tried 3 different ways
Way 1

Action Script Execution Detail
Completed dos “C:\Program Files\Trend Micro\OfficeScan Client\PCCNTMon.exe” -us
Completed dos “C:\Program Files\Trend Micro\OfficeScan Client\PCCNT.exe” -us

Way 2

Completed wait CMD /C /S ““C:\Program Files\Trend Micro\OfficeScan Client\PCCNT.exe” -us”

Both of these ways didn’t work; the AV wasn’t updated

Way 3 running now not working as well
Completed if {x64 of operating system}
Completed waithidden “C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccnt.exe” /us
Failed waithidden “C:\Program Files\Trend Micro\OfficeScan Client\pccnt.exe” /us
waithidden “C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe” /us
waithidden “C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe” /us
endif

So I was thinking just do everything and see what happens I’ll keep testing just want to get this stupid thing to work.

action uses wow64 redirection
if {x64 of operating system} 
waithidden "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccnt.exe" /us 
waithidden "C:\Program Files\Trend Micro\OfficeScan Client\pccnt.exe" /us 
waithidden "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" /us 
waithidden "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" /us

-Alex

jgstew · March 2, 2018, 11:36pm

try:

action uses wow64 redirection {not x64 of operating system}
dos "{pathname of files "pccntmon.exe" of folders "Trend Micro\OfficeScan Client" of folders whose(name of it starts with "Program Files") of folders "C:"}" -us

If this gives a relevance substitution error, that should mean there is something wrong with the path and the relevance I’m using to find it.

AlexCSUEB · March 3, 2018, 12:07am

Well

I’m getting reports back that Bigfix Action Scripts all completed but nothing was updated.

I tired 3 different ways

I even tried both

The pccnt.exe and the pccntmon.exe

But this failed for me as I left it if and didn’t change to not like you said above; I’m trying it correctly now’ i’ll keep u posted.

^^ i know I messed it up here

jgstew · March 3, 2018, 12:15am

The exit code of 1 and none don’t seem like good signs.

I’m not certain what is happening or why it wouldn’t work.

JasonWalker · March 3, 2018, 2:31am

I admire the tenacity. On some occassions I’ve had trouble using waithidden with wuoted parameters. Could also be a problem with the program itself not dealing with working directory correctly. So try this.

action uses wow64 redirection false

delete __createfile

createfile until eof

cd /d "C:\Program Files (x86)\Trend Micro\OfficeScan Client"

pccnt.exe /us

exit /b %errorlevel%

EOF
delete update.cmd
move __createfile update.cmd
waithidden cmd.exe /c update.cmd

AlexCSUEB · March 4, 2018, 7:05am

So what I did notice was it open the Trend Micro Agent but no update kicked off

Completed action uses wow64 redirection false 
Completed delete __createfile 
Completed createfile until EOF 
Completed  
Completed cd /d "C:\Program Files (x86)\Trend Micro\OfficeScan Client" 
Completed  
Completed pccnt.exe /us 
Completed pccnt.exe -us 
Completed pccntMON.exe /us 
Completed pccntMON.exe -us 
Completed  
Completed exit /b %errorlevel% 
Completed  
Completed EOF 
Completed delete update.cmd 
Completed move __createfile update.cmd 
Completed waithidden cmd.exe /c update.cmd

I wanted to hit all of them to see what would happen but it didn’t work
Check out these completed codes
None of them updated tho

AlexCSUEB · March 5, 2018, 6:54pm

The biggest issue is that Trend is setup to not allow you to change or modify the files in the folder; [Trend] Folder

I was playing around with dropping in a bat file but that isn’t allowed. As you have to have admin rights but I got bigfix right

Here is what I was thinking to doing
https://gyazo.com/0048acf6abc65c41277371e8e77deecc

Replace the replacescript.bat folder with this information
"C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccnt.exe" /us
"C:\Program Files\Trend Micro\OfficeScan Client\pccnt.exe" -us
"C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" /us
"C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -us

This way whatever one It will upgrade with will run; I hit both with a -us or a /us so it will update silent

Then I could just replace the ReplaceScript.bat with the information above

Then make a script to call out to C:\Program Files (x86)\Trend Micro\OfficeScan Client\ReplaceScript.bat
Run this and it should update?

So playing around with it some more

I noticed my program if I click on the bat kicked off and said Protection is being updated

I was able to get it to run correctly
This works each time on my test machines in the bat file if I manually run it
pccnt.exe -us

And this works;

Now what’s my best way to change the bat file and run it in Bigfix?

jgstew · March 5, 2018, 7:34pm

That is a good sign of progress if you can definitely get it to open even if no update kicks off.

Another thing to try is to run it as the current user with the override command. This can work differently depending on if the current user is an admin or not but there are potential solutions to that too.

https://developer.bigfix.com/action-script/reference/execution/override.html