Web Security Service Unified Agent is having issues connecting to the Threatpulse service when Trend Micro OfficeScan is installed The client workstation may not be able to connect to the Cloud If the client workstation connects to the Cloud, only the system tunnel will come up Sometimes the user tunnel may come up but the user data is not being passed up to the Threatpulse service
The Threatpulse documentation states that the Unified Agent is not compatible with Trend Micro's OfficeScan product. However, the following solution detailed below may alleviate the incompatibility with TrendMicro. The solution is a two part process. The information contained here was taken from Trend Micro's forums and KB article and interaction with Trend Micro's technical support organization. The solution was tested using TrendMicro OfficeScan 10.5.
PART I: Whitelisting the Client Connector process
The information for part I was taken from Trend Micro Solution ID 1057179 and a Trend Micro forum thread.
1.) Apply the latest OfficeScan patch for your product.
2.) Go to the \PCCSRV\ folder on the OfficeScan server installation directory and then open the ofcscan.ini file using a text editor.
3.) Add the following keys under the [Global Setting] section and assign the appropriate value:
5.) Log on to the OfficeScan web console and then go to Networked Computers > Global Client Settings.
6.) Click Save to deploy the settings to the clients.
Once the global settings are deployed to the OfficeScan client computers, the following registry keys will be installed on the client workstations:
[HKLM\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList] SEG_WhiteListProcNum=1 (DWORD), specifies the number of approved processes
The following installed sub-keys are based on the number of processes you specified in the "SEG_WhiteListProcNum" key: [HKLM\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\bcua-service] Name: ProcessImageName Type: REG_SZ Data: bcua-service.exe
7.) Restart the OfficeScan NT proxy service on the OfficeScan client computers.
NOTE: The OfficeScan client users need to restart the OfficeScan NT proxy service or restart their computers after the registry keys are installed on their machines. Failure to restart the OfficeScan NT proxy service or restarting the workstations will result in the Unified Agent service not being whitelisted.
PART II: Disabling "Smart Feedback" in the OfficeScan server console
In addition to the information provided above, please go to the OfficeScan Web Console, disable the "Smart Feedback" under the "Smart Protection" menu. Once the change has been made on the server, then select "Update Now" from the OfficeScan client workstation. If the problem continues, please reboot the workstation.
During the investigation of the problem, it appears that the OfficeScan NT Proxy Service is causing the Unified Agent the most issues. When the OfficeScan NT Proxy Service is stopped on the local workstation, the client connector seems to work just fine. Simply whitelisting (what is being done in Part I above) the bcua-service.exe process is insufficient. Whitelisting may allow traffic to pass, but issues such as user tunnel not coming up or user names not being passed up to the cloud persist. During testing, once Smart Feedback was disabled, the client connector seems to work as expected.
Imported Document ID: 000008587
Subscribing will provide email updates when this Article is updated. Login is required.