ID | Location | Issue | Cause | Workaround |
---|---|---|---|---|
-- | Server Web console | Sometimes, the server web console is rendered in unexpected ways. | Resource files are sometimes loaded out of order. This causes some text and other elements to render in unexpected ways. | Do the following: |
54 | Server Web console Proxy Settings screen | Selecting Use system proxy settings with SOCKS protocols under Server Communication and Updates does not function as expected. | Endpoint Application Control does not correctly detect Internet Explorer SOCKS protocol configurations. | Configure SOCKS protocol settings manually. |
80 | Server Web console Management > Users and Endpoints screen | After Endpoint Application Control agents are installed using the Endpoint Application Control OfficeScan Plug-in, system accounts such as IUSR display in Target Management. | System service accounts normally display in the list. The only system service accounts normally not displayed are SECURITY_LOCAL_SERVICE_RID and SECURITY_NETWORK_SERVICE_RID. These accounts include LOCAL SERVICE, NETWORK SERVICE, and DWM-1. System service IIS accounts that display include the following: IIS_IUSRS, IUSR, DefaultAppPool, ASP.NET v4.0. System service AppPool accounts that display include the following: IWAM. System service Win32_UserAccount accounts that display include the following: PCX\Administrator, PCX\Guest. System service Win32_SystemAccount accounts that display include the following: PCX\ANONYMOUS LOGON, PCX\Authenticated Users, PCX\BATCH, PCX\BUILTIN, PCX\CREATOR GROUP, PCX\CREATOR GROUP SERVER, PCX\CREATOR OWNER, PCX\CREATOR OWNER SERVER, PCX\DIALUP, PCX\ENTERPRISE DOMAIN CONTROLLERS, PCX\Everyone, PCX\INTERACTIVE, PCX\IUSR, PCX\LOCAL, PCX\LOCAL SERVICE, PCX\NETWORK, PCX\NETWORK SERVICE, PCX\OWNER RIGHTS, PCX\PROXY, PCX\REMOTE INTERACTIVE LOGON, PCX\RESTRICTED, PCX\SELF, PCX\SERVICE, PCX\SYSTEM, PCX\TERMINAL SERVER USER. | This is normal behavior. Activity from these accounts should be tracked to allow administrators to monitor system account activity for non-standard behavior. |
94 | Server Web console Dashboard > Server Summary widget | Processor and memory use display apparently incorrect information in the Server Summary widget. | The Server Summary widget displays processor and memory use based on application scope. Virtual memory and memory used by runtime platforms are ignored. Additionally, the widget collects data by polling on a five minute interval and averaging the results. | To determine total current processor and memory use, including virtual and runtime platform memory, use Windows Task Manager. |
107 | Server Web console Management > Rules, Add/Edit Rule screen | Sometimes unknown applications or file names appear under Configure conflict resolutions. | This issue may be caused by the following: | If there are many "unknown" entries, do one or more of the following: |
115 | Server Web console Dashboard > KPI widget | Changes display as "--" if there is only partial data for the previous period. | The widget currently does not distinguish between no data due to inactivity and no data due to no history. | On the Logs > Maintenance screen, verify that log purging schedules do not conflict with indicator period settings. Specifically, ensure that you do not purge data for periods within the range of any indicators. |
286 | Server Web console | A simple search uses all data columns instead of just visible columns. | The processing and time requirements to create new indexes for the customized display of columns for all users and screens are too high. Therefore, a simple search looks for data in all columns. | To search within specific columns, use dynamic search. See About Dynamic Search. |
341 | Server Web console Management > Rules > Add or Edit Rule screen | If using the Match using > File paths matching method with the Location of Any local storage, matches do not include paths with drive letters other than C or D in the preview. | Agents do not transmit the exact data for their drive paths and types to the server. For the preview, the server assumes the drive letters C and D are local storage. | Select Location: <empty> to define a path expression that displays all actual matched paths. |
347 | Server Web console Management > Rules > Add or Edit Rule screen | If using the Match using > Certificates matching method, SHA-1 hash value shortcuts do not resolve to the actual files if using drag-and-drop. | In Windows, shortcuts are special link files. Unless otherwise implemented inside the web browser, shortcuts are not resolved to their target files. The Endpoint Application Control web console can only use the actual file, not the shortcut. | Click Select Files. The file browser window appears. To follow the shortcut in the file dialog, right-click the shortcut and select Open file location. The target of the shortcut appears and is selected. Click OK. |
399 | Server Web console Logs > Query screen | If opening the Query Logs screen for the first time, some entries may not sort correctly. | The default sort setting is not always applied. | Click on a column name to sort the entries by that column. |
448 | Server Web console Dashboard widget | Newly saved templates may not be immediately available to existing widgets. | The web browser page content may not be updated automatically. | Do one of the following: |
509 | Server Web console | Depending on browser and version, and your usage time, browser memory consumption may become high. | Browser implementations exhibit varying behaviors for single page web applications. Specifically, some browsers may not call destruction events, which leads to high RAM usage. Specific browser and behavior optimizations are required for web applications to resolve this issue. | If memory consumption is problematic, do one or more of the following: |
521 | Server Web console Dashboard > User and Endpoint Summary widget | Percentages in the summary table and chart do not match. Charts display percentage among the top values, but the table shows the percentage relative to all values. | The chart and table include "other" values using different strategies to assist your understanding of their visualizations. Therefore, there are occasions when they display different results for the "same" data. In these cases, the displayed data sets are not exactly identical. | This is normal behavior. |
522 | Server Web console Dashboard > Application, Rule, and Policy Events widget | After deleting conditions, saving, and then reopening the settings page, the top and bottom values change back to their defaults. | | |
525 | Server Web console Dashboard > Application, Rule, and Policy Events screen | If using Save as Template, the setting of Period is not saved. | Period is not included in templates. To learn about the default periods for various templates, see Application, Rule, and Policy Events Widget. | Set Period manually for each Application, Rule, and Policy Events widget you add to your dashboard. |

ID | Location | Issue | Cause | Workaround |
---|---|---|---|---|
-- | Agent | After deploying the Endpoint Application Control agent using the SCCM framework, the SCCM deployment task returns a timeout error. However, the Endpoint Application Control agent is deployed successfully. | The Endpoint Application Control agent does not provide a return code to SCCM. | After deploying Endpoint Application Control agents, verify the agent status by going to the Endpoint Application Control web console Management > Users and Endpoints screen. If the agent appears in the list, the deployment task completed successfully. |
-- | Agent | Policies that use the Trusted Source feature add hash values for allowed applications to the Endpoint Application Control agent database, but the agent does not delete the values if the Trusted Source policy is deleted. | To delete hash values added by the Trusted Source feature, do the following: | |
30 | Agent | Self-protection on XP is limited. | Windows XP is no longer supported by Microsoft. Therefore, Trend Micro only provides limited support for this feature on Windows XP platforms. | |
39 | Agent | Assuming a policy is applied that should block execution of already-running applications, if kernel-level blocking is enabled, the already-running applications do not terminate. | Endpoint Application Control kernel-level blocking stops applications before they start, but ignores running applications. | This is normal behavior. After the application terminates, Endpoint Application Control blocks it from starting again. |
86 | Agent | If kernel-level blocking is enabled, Endpoint Application Control detects files as started if users open the folder containing the files. The user does not need to execute or modify the file for it to be considered "started". | The Endpoint Application Control agent receives load events from the Endpoint Application Control kernel-level driver if Windows Explorer loads a file. In some instances, Windows Explorer opens files to load information displayed to the user. The Endpoint Application Control agent is notified of such events because they are indistinguishable from instances of the file "starting". For example, Windows Explorer displays an application so that the user can double-click and start the application. The event of displaying the file requires Windows Explorer to open the file to access metadata displayed to the user. To Endpoint Application Control, opening the file to read data is indistinguishable from opening the file to execute the application. Therefore Endpoint Application Control blocks this "start" attempt. | If kernel-level blocking is enabled, this is normal behavior. |
201 | Agent | Process protection does not work if OfficeScan 11 is installed on the endpoint. | | |
270 | Agent | Allow rules using the Selection method of SHA-1 hash values sometimes do not take effect during lockdown. | After Endpoint Application Control agents start lockdown mode, they snapshot the application status of the entire system, creating an inventory. Any applications already on the endpoint are automatically "allowed". If lockdown is applied by a policy, Endpoint Application Control does not send SHA-1 hash values for files for allow rules using the selection methods of Known application dynamic search, Certified Safe Software list, and SHA-1 hash values, because the endpoint already allows all files present during inventory. Sending an additional list of allowed applications that matches the inventory would be redundant. Therefore, after starting lockdown, if a user adds a file that was not on their endpoint during inventory, the file will be blocked even if it should be allowed based on a SHA-1 hash value selection method. The software added by the user was not on the endpoint during inventory, so it is not allowed by lockdown, and the server did not send any hash values to override this status. | To allow applications added to endpoints after lockdown rules are applied, do one of the following: |
296 | Agent | The Windows 2003 platform does not display the Endpoint Application Control system tray icon. | | |
331 | Agent | Policy misconfigurations can result in critical system files being blocked during lockdown. | It is possible for administrators to configure a policy that does not allow system files to open during lockdown. | In the policies containing the lockdown rule, expand Rules. Select Always allow all applications in the Windows directory. |
499 | Agent | Assuming a policy is applied that should block execution of already-running applications, after re-enabling the kernel-level driver, the already-running applications do not terminate. | Endpoint Application Control kernel-level blocking stops applications before they start, but ignores running applications. | This is normal behavior. After the application terminates, Endpoint Application Control blocks it from starting again. |
550 | Agent | During deployment of HTTP proxy settings to 32-bit agents on Windows Vista or Windows 7 platforms, the AcAgentService service sometimes stops. | Restart the AcAgentService service. | |

ID | Location | Issue | Cause | Workaround |
---|---|---|---|---|
512 | Control Manager Endpoint Application Control widgets | Widgets do not integrate data from multiple Endpoint Application Control servers. | Widgets use a single connection to a server or server cluster and display the data of that single source. Endpoint Application Control only shares data across servers via Control Manager. To integrate the data from several servers, the Control Manager version of widgets would need to implement their own logic and processing. Such extra processing is outside the scope of the widget concept. | Integrating data within widgets is outside the scope of the widget concept. Cluster separate Endpoint Application Control servers to create a single source of data. Any server belonging to the cluster returns the same information to widgets. |
562 | Control Manager Dashboard | If Endpoint Application Control 1.0 widgets appear on your dashboard, but one or more 2.0 or later servers are also registered in your Control Manager server visibility, the 1.0 widgets may not display any data. | Endpoint Application Control 1.0 widgets are not upward-compatible with 2.0 servers. | Ideally, do not mix 1.0 and 2.0 servers and widgets in Control Manager. If your environment has 1.0 servers that have not been upgraded, you can register those servers in your Control Manager server visibility first. Then, add the corresponding 1.0 widgets to the dashboard. After the 1.0 widgets are working properly, register the 2.0 or later servers in server visibility. |
563 | Control Manager Dashboard > KPI widget | After removing the last Endpoint Application Control server from server visibility, the values of the indicators stay at the last known state. | The KPI widget caches the last indicator results. The widget's cache is not cleared until new data is available. Because the last server is offline, the data never updates. | This is normal behavior for the widget. Consider deleting the widget if it is no longer needed. |
564 | Control Manager Dashboard > Rule Management widget | After removing the last Endpoint Application Control server from server visibility, rules continue to display in the widget. | The Rule Management widget caches rules in order to provide rule synchronization among connected Endpoint Application Control servers. The widget's cache is not cleared until new data is available. Because the last server is offline, the data never updates. | This is normal behavior for the widget. Consider deleting the widget if it is no longer needed. |
583 | Control Manager Dashboard | Internet Explorer 10 sometimes displays a JavaScript error after you click a dashboard tab. | If this symptom is problematic, do one or more of the following: | |
587 | Control Manager | After updating from 1.0 to 2.0 or later, Endpoint Application Control is unable to send violation logs to Control Manager. | Register the updated Endpoint Application Control server to Control Manager again. | |