<> Trend Micro Incorporated December 27, 2017 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro Safe Lock(TM) 2.0 Service Pack 1 Patch 2 Build 58xx ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NOTICE: This Readme file was current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates. GM release documentation: http://docs.trendmicro.com Patch/SP release documentation: http://www.trendmicro.com/download TIP: Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation or online at: https://clp.trendmicro.com/FullRegistration?T=TM Contents ========================================================== 1. About Trend Micro Safe Lock 1.1 Overview of This Release 1.2 Who Should Install This Release 2. What's New 2.1 Enhancements 2.2 Resolved Known Issues 3. Documentation Set 4. System Requirements 5. Installation 5.1 Installing 5.2 Uninstalling 6. Post-Installation Configuration 7. Known Issues 8. Release History 9. Files Included in This Release 10. Contact Information 11. About Trend Micro 12. License Agreement ========================================================== 1. About Trend Micro Safe Lock ======================================================================== Trend Micro Safe Lock consists of an agent program called Safe Lock that resides on endpoints and a server program called Safe Lock Intelligent Manager that manages agents. Trend Micro Safe Lock protects fixed-function computers like Industrial Control Systems (ICS), Point of Sale (POS) terminals, and kiosk terminals from malicious software and unauthorized use. By using fewer resources and without the need for regular software or system updates, Safe Lock can reliably secure computers in industrial and commercial environments with little performance impact or downtime. Trend Micro Safe Lock Intelligent Manager provides centralized monitoring and management of Trend Micro Safe Lock agent deployment, status, and events. For example, administrators can remotely deploy agents, deploy initial agent Approved Lists, and change agent Application Lockdown states. Additionally, Safe Lock Intelligent Manager performs malware scans and administrators can view root cause information on files blocked from running by Safe Lock agents, reducing the time and effort needed to verify events and allowing quick responses to incidents. 1.1 Overview of This Release ===================================================================== This release is to expands supported platfroms and enhances Safe Lock aent functionaility. 1.2 Who Should Install This Release ===================================================================== You should install this patch release if you are currently running Safe Lock 2.0 Service Pack 1 Patch 1 (build 5799 or before installed) 2. What's New ======================================================================== Note: Please install the Patch/SP before completing any procedures in this section (see "Installation"). This patch addresses the following issues and/or includes the following enhancement(s): 2.1 Enhancements ==================================================================== Trend Micro Safe Lock agent 2.0 SP 1 Patch 2 includes the following new features and benefits: Enhancement 1: Support for Windows 10 Creators Update and Windows Server 2016 Standard (64-bit). Enhancement 2: Option to configure the agent Setup.ini file to initialize the Approved List upon running the installation. Enhancement 3: Use of regular expressions in the agent SLcmd.exe tool to specify exception path settings. 2.2 Resolved Known Issues ===================================================================== This release resolves the following issue(s): Issue 1: [Hotfix 5587] The Diagnostic Toolkit does not enable the debug logs of the Network Virus Protection feature. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: This patch ensures that the Diagnostic Toolkit enables the debug logs correctly. Issue 2: [Hotfix 5588] Trend Micro Safe Lock unexpectedly blocks a Trusted Updater when it tries to rename a folder that contains many files. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: This patch ensures that Trend Micro Safe Lock does not block a Trusted Updater when it tries to rename a folder that contains many files. Issue 3: [Hotfix 5589] Trend Micro Safe Lock creates an empty debug log file during startup even when debug log is disabled. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 3: This patch ensures that Trend Micro Safe Lock creates a debug log file only when the debug log is enabled. Issue 4: [AEGIS 2.956 build 1065] Trend Micro Safe Lock Service may take longer than usual to stop. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 4: This patch ensures that Trend Micro Safe Lock Service stops normally. Issue 5: [SEG-18687] Trend Micro Safe Lock is unable to perform a pre-scan when installing an agent from optical media. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 5: This patch fixes the issue and ensures the successful installation of the agent from optical media. 3. Documentation Set ======================================================================== To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com In addition to this readme.txt, the documentation set for this product includes the following: - Installation Guide (IG): Provides product overview, deployment plan, installation steps, and basic information intended to help you deploy Trend Micro Safe Lock. - Administrator's Guide (AG): Provides post-installation instructions on how to configure the settings to help you get Trend Micro Safe Lock "up and running". Also includes instructions on performing other administrative tasks for the maintenance of Safe Lock. - Knowledge Base: Provides a searchable database of known product issues, including specific problem-solving and troubleshooting topics. http://esupport.trendmicro.com 4. System Requirements ======================================================================== Refer to the Installation Guide for detailed information. 5. Installation ======================================================================== 5.1 Installing ===================================================================== To install this patch: 1) Copy the "tmsl_20_sp1_win_en_patch2.exe" file to a local folder on the computer where you have installed Trend Micro Safe Lock 2.0. 2) Run the "tmsl_20_sp1_win_en_patch2.exe" file. 3) On the setup screen, click "Install" and follow the on-screen instructions to complete the installation. A message appears after the system completes the installation. 5.2 Uninstalling ======================================================= For information, see the Installation Guide. 6. Post-Installation Configuration ======================================================================== No post-installation steps are required. 7. Known Issues ======================================================================== Known issues in this release: 7.1 Installation and Uninstallation ===================================================================== a. Safe Lock cannot be installed on endpoints with other Trend Micro products already installed. b. When installed on English versions of Windows, the Japanese version of Safe Lock may not correctly display all characters. c. Safe Lock does not support changing language versions during Safe Lock upgrades. d. If Safe Lock is installed silently, and the computer must be restarted, it must be restarted manually. e. After installing the Safe Lock agent on an endpoint running Windows Server 2008 without SP2, applications using IIS 7.0 may not work as expected. f. Safe Lock agents installed on tablets may be unable to resume from the suspense mode using a quick start button due to an internal error. Contact Trend Micro support for further assistance. g. The Windows Event Log may contain garbled characters after uninstallation of Safe Lock. h. After uninstallation, the following files are not removed by Setup, but can be removed manually: - Temp files - C:\Windows\Temp\INST_WKMsi.log - C:\Windows\Temp\tmdbg.ini - C:\Windows\Temp\TmDbg32.dll - C:\Windows\Temp\TmDbg64.dll - C:\Windows\Temp\wksptl.ini - Log files - C:\Documents and Settings\\Local Settings\ Application Data\Trend Micro\Safe Lock\*.log - C:\Users\\AppData\LocalLow\Trend Micro\ Safe Lock\*.log - Installation folder If the Safe Lock service was stopped before uninstallation, you must manually remove the Safe Lock installation folder. 7.2 General ===================================================================== a. Secure Boot is not supported. b. Universal Windows Platform is not supported. c. Safe Lock does not support virtualized applications or applications encrypted at the file-system level. d. Windows 2000 SP4 (without Update Rollup), Windows XP SP1, and Windows Server 2003 (no SP) do not support the following features: DLL/Driver Lockdown, Script Lockdown, Integrity Monitoring, USB Malware Protection, Storage Device Blocking, Trusted Updater and Predefined Trusted Updater. e. All Safe Lock features require Windows Administrator privileges. f. Safe Lock displays incorrectly at DPI settings other than the Windows default. g. Safe Lock only supports configuration files using UTF-8 encoding. h. Safe Lock has the following maximum path lengths. Maximum path length limitation: - Installation directory path: 180 - File path in the Approved List: 238 - File path of the Trusted Updater: 238 - File path to export the Approved List: 251 - File path to import the Approved List: 259 - File path to export settings: 259 - File path to import settings: 259 Note: The maximum length may be shorter if the path contains double-byte characters. i. If the system tray icon is enabled, local and remote users cannot open the Safe Lock console at the same time. j. The Safe Lock console and command line interface cannot be used at the same time by the logged on user or by simultaneously logged on Windows accounts. k. When the computer is restarted, the Service Stopped event (Event ID 1001) is not logged. 7.3 Application Lockdown ===================================================================== a. Application Lockdown must be turned off to configure Windows screen saver. b. When a script is blocked, two messages are recorded in the Windows Event Log. For example, *.bat will be blocked twice by Trend Micro Safe Lock and will therefore create two block events. c. If an EXE file is moved from one folder to another, and the file is blocked, the old path is displayed in the Windows Event log and the Blocked Applications logs. d. Files to be added to the Approved List must have read access enabled when they are added. e. Safe Lock always resolves mapped drives to their UNC paths. For example, selecting a mapped drive Z: will actually select the UNC \\\ path. f. The message "The event log is full" may appear when creating or importing the Approved List for the first time. This message may not be accurate. g. Pop-up notification does not support guest accounts on systems running Windows XP. h. The recycle bin may not function properly if it is protected by Write Protection settings. 7.4 Custom Action ===================================================================== a. The Custom Action of "Quarantine" is not supported on Windows XP and Windows Server 2003. b. If the Custom Action of "Ask Server" is specified, Safe Lock is unable to send files on mapped drives or UNC paths to Trend Micro Safe Lock Intelligent Manager. c. Safe Lock is unable to restore quarantined files to encrypted folders. 7.5 USB Malware Protection ===================================================================== a. USB Malware Protection will prevent Trend Micro Portable Security from running automatically. Run launcher.exe manually to scan the computer. 7.6 Network Virus Protection ===================================================================== a. Network Virus Protection can only be installed during the initial Safe Lock installation. To enable Network Virus Protection after installation, Safe Lock must be reinstalled. 7.7 Memory Randomization ===================================================================== a. Memory Randomization, API Hooking Prevention and DLL Injection Prevention are not supported on 64-bit platforms. b. The computer must be restarted for Memory Randomization to be enabled or disabled. c. Memory Randomization is not supported on systems running the latest version of Windows 10. 7.8 Trusted Updater and Predefined Trusted Updater ===================================================================== a. Safe Lock Trusted Updater or Predefined Trusted Updater do not support the installation of Trend Micro Safe Lock Intelligent Manager. Remove Safe Lock from the endpoint before installing Safe Lock Intelligent Manager. Safe Lock can be installed after installation of Safe Lock Intelligent Manager is complete. b. Using the Trusted Updater with an MSI file located on a network will result in high CPU usage. Copy MSI files to a local drive before using them with the Trusted Updater. 7.9 Windows Update Support ===================================================================== a. Known issues related to Windows Update Support: - Windows Update Support does not support OS upgrade. - Windows Update Support does not support major update for systems running Windows 10. For example, updating Windows 10 from Anniversary Update to Creators Update is not supported. - Windows Update Support is not applicable to Trend Micro Safe Lock installed on endpoints running systems older than Windows Vista. - Windows Update Support may not function when Microsoft KB2862330, KB3110329, or a part of .NET Framework is applied. - Windows Update Support may not work properly if Windows Service Pack is applied. We recommend installing Trend Micro Safe Lock after Windows Service Pack is installed. - Windows application updates may be blocked on systems running Windows 10. b. Files added by Windows Update may not be added to the Approved List and may remain blocked on the managed endpoints. Manually add these files to the Approved List or contact Trend Micro support for further assistance. 7.10 Managed Mode ===================================================================== a. If the Internet Explorer proxy setting is modified, import the Managed Mode configuration to apply that proxy setting (under Managed Mode). 7.11 Diagnostic Toolkit ===================================================================== a. By default, no troubleshooting logs are collected. To collect diagnostic information, enable debug logging in the Diagnostic Toolkit. b. Troubleshooting logs cannot be stored using mapped drive paths or UNC paths. c. Extracting the log archive located in the installation folder appears to require a password. To access the archive's contents, copy the ZIP file to another folder, extract it, and leave the password field blank. d. The computer must be restarted after uninstalling Safe Lock to remove the Diagnostic Toolkit. e. Windows 2000 SP4 does not support debug log collection using Diagnostic Toolkit. To solve this issue, apply Update Rollup to the managed endpoint or disabling Self Protection of the Safe Lock agent while collecting debug logs. f. Windows 10 environment which Windows Defender real-time protection enabled may occure performance down when agent debug mode is enabled. To avoid this issue, add agent modules below to Windows Defender's exception process before you enabling debug mode. C:\Program Files\Trend Micro\Safe Lock\WKSrv.exe C:\Program Files\Trend Micro\Safe Lock\SLCmd.exe NOTE: The module path may vary depending on the environment. 8. Release History ======================================================================== For more information about updates to this product, go to: http://www.trendmicro.com/download Previous releases include the following: Trend Micro Safe Lock 2.0 - December 15, 2014 Trend Micro Safe Lock 2.0 Patch 1 - May 12, 2015 Trend Micro Safe Lock 2.0 Service Pack 1 - April 21, 2016 Trend Micro Safe Lock 2.0 Service Pack 1 - July 26, 2016 Trend Micro Safe Lock 2.0 Service Pack 1 - October 7, 2016 Trend Micro Safe Lock 2.0 Service Pack 1 Patch 1 - April 27, 2017 Trend Micro Safe Lock 2.0 Service Pack 1 Patch 2 - December 27, 2017 8.1 Service Pack 1 ===================================================================== 8.1.1 Enhancements ===================================================================== Enhancement 1: Safe Lock agents built under NAT-enabled routers are supported by Safe Lock Intelligent Manager and the connection frequency is configurable using the agent Setup.ini file. Enhancement 2: Administrators can customize the criteria for installation prescan by specifying a maximum number of layers on compressed files and a minimum file size. Enhancement 3: Administrators can add applications from multiple folders of a Safe Lock agent to the Approved List in one operation. Enhancement 4: Windows Update can run on Safe Lock agents with Application Lockdown enabled. Administrators can use the Setup.ini file or the command line interface to enable this feature. Enhancement 5: Administrators can update settings across multiple Safe Lock agents by importing partial settings of a configuration file. 8.1.2 Resolved Known Issues ===================================================================== Issue 1: When Trend Micro Safe Lock 2.0 runs in Managed Mode, it may generate a large number of "Information" type logs which occupy a large amount of disk space in the "McAgent" folder. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: [Hot Fix 1226] This hot fix helps minimize the disk consumption in the "McAgent" folder when Trend Micro Safe Lock 2.0 generates a large number of "Information" type logs in Managed Mode. Issue 2: An application error occurs when users copy the contents of the approved list by clicking on the "Copy to Clipboard" button on the approved list page. This error can trigger the Trend Micro Safe Lock console to stop responding. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: [Hot Fix 1228] This hot fix ensures that users can copy the contents of the approved list by clicking the "Copy to Clipboard" button. Issue 3: The Trend Micro OfficeScan(TM) server cannot install OfficeScan clients remotely from computers where Trend Micro Safe Lock 2.0 lockdown is enabled. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 3: [Hot Fix 1229] This hot fix ensures that the OfficeScan server can successfully install clients remotely from computers where Trend Micro Safe Lock 2.0 lockdown is enabled. Issue 4: Under certain environments, the Predefined Trusted Updater cannot successfully add files that are saved in the network folder to the approved list. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 4: [Hot Fix 1230] This hot fix ensures that the Predefined Trusted Updater can successfully add files from the network folder to the approved list. Issue 5: An issue prevents Trend Micro USB Security Launcher for Trend Micro Safe Lock from launching certain models of Trend Micro USB Security. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 5: [Hot Fix 1232] This hot fix ensures that Trend Micro USB Security can be launched successfully on affected computers. Issue 6: Under certain scenarios, a Safe Lock agent cannot register to the Safe Lock Intelligent Manager server successfully. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 6: [Hot Fix 1237] This hot fix ensures that Safe Lock agents can successfully register to the Safe Lock Intelligent Manager server. Issue 7: An issue prevents users from adding files in a network drive to the approved list of Safe Lock agents. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 7: [Hot Fix 1238] This hot fix resolves the issue to ensure that users can successfully add files from a network drive to the approved list on Safe Lock agents. Issue 8: Sometimes, endpoints running Trend Micro Safe Lock 2.0 may experience a fatal system error. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 8: [Hot Fix AEGIS 2.956.0.1040] This hot fix helps prevent the fatal error. 8.2 Service Pack 1 Patch 1 ===================================================================== 8.2.1 Enhancements ===================================================================== Enhancement 1: Safe Lock agents support Windows 10 Anniversary Update. Enhancement 2: Administrators can configure the following for pop-up notifications of blocked files: - customize notification message - set up a request for an administrator password before a pop-up notification is closed Enhancement 3: Safe Lock can be configured to allow or block storage device access on managed endpoints. The storage devices include USB drives, CD/DVD drives, floppy disks, and network drives. Enhancement 4: The agent Setup.ini can be encrypted using the Diagnostic Toolkit (WKSupportTool.exe) to prevent unauthorized access. 8.2.2 Resolved Known Issues ===================================================================== Issue 1: Trend Micro Safe Lock Intelligent Manager cannot initialize Approved Lists of Trend Micro Safe Lock 2.0 if the Approved Lists are not empty. Solution 1: This patch allows Trend Micro Safe Lock Intelligent Manager to initialize Approved Lists of Trend Micro Safe Lock 2.0 even if the Approved Lists are not empty. Issue 2: Administrators can import Approved Lists during setup by specifying LIST_PATH option in Setup.ini. However, the option does not work if ICON_SYSTRAY option is 0. This is because a necessary folder is not created before importing Approved List. Solution 2: The necessary folder is created regardless of the specified value for ICON_SYSTRAY. Issue 3: Users may encounter an error while accessing a floppy disk on endpoints protected by Trend Micro Safe Lock 2.0. Solution 3: This patch ensures that users can access data on a floppy disk from protected endpoints. 9. Files Included in This Release ======================================================================== Filename Build No. (Major.Minor.Build No.) --------------------------------------------------------------------- remove.exe 2.0.0.58?? SLCmd.exe 2.0.0.58?? WKApi.dll 2.0.0.58?? WKEvtMsg.dll 2.0.0.58?? wkinst32.dll 2.0.0.58?? wkinst64.dll 2.0.0.58?? WKSrv.exe 2.0.0.58?? WKSupportTool.exe 2.0.0.58?? WKSystray.exe 2.0.0.58?? WKUi.exe 2.0.0.58?? WKUpdateEx.exe 2.0.0.58?? WKuserinit.exe 2.0.0.58?? TmPfwHlp.dll 2.0.0.58?? TmPfwLog.dll 2.0.0.58?? libexpat.dll N/A sqlite3.dll N/A ft_files.ico N/A AgentDef.xen N/A WKServiceMask.xen N/A WKStoDrv.xen N/A WKWusRul.xen N/A wksptl.ini N/A TmMcAgnt.dll 2.0.0.58?? TMBMCLI.dll 2.956.0.1068 TMBMSRV.exe 2.956.0.1068 Tmcomeng.dll 2.956.0.1068 TmEngDrv.dll 2.956.0.1068 TMPEM.dll 2.956.0.1068 tmactmon.inf N/A tmactmon.sys 2.956.0.1068 tmevtmgr.inf N/A tmevtmgr.sys 2.956.0.1068 tmcomm.inf N/A tmcomm.sys 6.60.0.1062 TMLCE32.dll 3.8.0.1033 TMLCE64.dll 3.8.0.1033 TMLES32.dll 3.8.0.1033 TMLES64.dll 3.8.0.1033 ATL90.dll 9.0.30729.6161 mfc90.dll 9.0.30729.6161 mfc90u.dll 9.0.30729.6161 mfcm90.dll 9.0.30729.6161 mfcm90u.dll 9.0.30729.6161 msvcm90.dll 9.0.30729.6161 msvcp90.dll 9.0.30729.6161 msvcr90.dll 9.0.30729.6161 Microsoft.VC90.ATL.manifest N/A Microsoft.VC90.CRT.manifest N/A Microsoft.VC90.MFC.manifest N/A Microsoft.VC90.MFCLOC.manifest N/A 10. Contact Information ======================================================================== A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees. Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products. http://www.trendmicro.com/us/about-us/contact/index.html NOTE: This information is subject to change without notice. 11. About Trend Micro ======================================================================== Smart, simple, security that fits As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information. Copyright 2017, Trend Micro Incorporated. All rights reserved. Trend Micro, Safe Lock and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks oftheir respective companies. 12. License Agreement ======================================================================== View information about your license agreement with Trend Micro at: www.trendmicro.com/us/about-us/legal-policies/license-agreements Third-party licensing agreements can be viewed: - By selecting the "About" option in the application user interface - By referring to the "Legal" page of the Administrator's Guide