Trend Micro, Inc.                                      January 25, 2010
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) ServerProtect(TM) 5.7
For Microsoft(TM) Windows(TM) Server 2003 and Storage Server 2003
Patch 4 - Build 1107
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note: This readme file was current as of the date above. However, all
customers are advised to check Trend Micro's Web site for
documentation updates at:
http://www.trendmicro.com/download/

Register online with Trend Micro within 30 days of installation to
continue downloading new pattern files and product updates from the
Trend Micro Web site. Register during installation or online at:
http://olr.trendmicro.com/

Contents
===================================================================
1.  About Trend Micro ServerProtect 5.7
    1.1 Overview of this Release
    1.2 Who Should Install this Release
2.  What's New
    2.1 Resolved Known Issues
    2.2 Resolved Known Issues (from Previous Versions)
3.  Documentation Set
4.  System Requirements
5.  Installation/Un-installation
    5.1 Installation
    5.2 Un-installation
6.  Post-installation Configuration
7.  Known Issues
8.  Release History
9.  Files Included in this Release
10. Contact Information
11. About Trend Micro
12. License Agreement
===================================================================

1. About ServerProtect 5.7
========================================================================
ServerProtect is the award-winning software for protecting file
servers on corporate networks. It is specifically designed to protect
the entire network from viruses of any kind by adopting advanced
virus-catching technology to help ensure that your network stays
virus-free. ServerProtect detects new file infections, identifies
viruses in existing files, and detects activity indicating an unknown
virus may have entered the network environment on either the server
or workstation.

1.1 Overview of this Release
=====================================================================
This patch release includes all the modifications from ServerProtect
5.7 general release, build 1012.

This patch corrects the migration issue that occurs during program
deployment. After applying this patch, users can upgrade the
ServerProtect 5.7 Normal Server to higher versions through program
deployment. This patch also fixes a number of ActiveUpdate issues.

1.2 Who Should Install this Release
=====================================================================
You should install this patch if you are running ServerProtect 5.7
for Microsoft Windows Server 2003 and Storage Server 2003 (build 1012
or above).

2. What's New
========================================================================
This patch addresses the following issues:

2.1 Resolved Known Issues
=====================================================================
Patch 4 resolves the following issues:

Issue 1: ServerProtect virus scan engine logs successful updates as
"unsuccessful". This issue occurs when the new version of the virus
scan engine is deployed to a Normal Server with the same virus scan
engine version as the Information Server but different build numbers.
For example, the virus scan engine on the Normal Server is
"8.95.1092" and the one on the Information Server is "8.95.1094".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: Patch 4 resolves this issue.

Issue 2: The Normal Server stops and shows the stop status on the
management console when performing a manual scan on empty folders.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: After applying Patch 4, the Normal Server does not stop
and show the stop status on the management console when performing a
manual scan on empty folders.

Issue 3: A General Protection Failure (GPF) occurs when components
use multiple threads to call the Damage Cleanup Engine (DCE) library.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: Patch 4 adds a lock that prevents components from using
multiple threads to call the Damage Cleanup Engine library. This
resolves the GPF issue.

Issue 4: On Microsoft Windows 2003 64-bit platforms, a GPF event
occurs when users attempt to open the "SpntLog.dbf" database file
using "LogViewer.exe".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: Patch 4 resolves this issue.

Issue 5: Control Manager(TM) agent cannot distinguish between 32-bit
and 64-bit virus scan engine files. If the versions for these two
scan engine files are different in the same Information Server,
Control Manager treats these as having outdated engine versions even
though these files are up-to-date.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 5: Patch 4 resolves this issue.

Issue 6: When the length of the agent name or agent address reaches
the limit of 15 characters, the last character of the name string or
address string is cut and saved in the Normal Server's registry. This
prevents the Normal Server from connecting to the agent server
because the server uses an incorrect agent name and agent address.
This issue occurs after applying ServerProtect for Windows NT 5.7
Patch 3.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 6: Patch 4 increases the maximum length for both agent name
and agent address. This allows the Normal Server to save the complete
agent name and agent address in its registry. As a result, the Normal
Server can connect to the agent server successfully.

Issue 7: Users cannot use the ServerProtect program deployment
function to upgrade ServerProtect 5.7 64-bit Normal Servers to
version 5.8.

After ServerProtect 5.7 Information Server upgrades to 5.8, 64-bit
Normal Servers are unexpectedly upgraded to version 5.8 when other
components are deployed.

When ServerProtect 5.7 is set to get updates from Control Manager,
the Normal Server automatically restarts even if only the pattern
file was deployed.

During a rollback of pattern files, the management console progress
bar displays a successful status even though the pattern file was not
rolled back successfully.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 7: After applying Patch 4, users can upgrade the
ServerProtect 5.7 Normal Server to higher versions through program
deployment. No pattern deployment and rollback issues occur when
integrating these with Control Manager.

Issue 8: The "tsc.exe" process regularly causes high CPU usage after
the virus scan pattern is updated in certain environments.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 8: After applying Patch 4, users can choose whether or not
to launch "tsc.exe" after a virus scan pattern file is updated.

Issue 9: When users try to launch "ScanNow.exe" to notify a Normal
Server installed on a 32-bit platform to perform a manual scan, the
following message appears:

   "StRpcCln.dll is not found."

This issue occurs because the "StRpcCln.dll" file is missing in
Normal Servers installed on 32-bit platforms.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 9: Patch 4 adds the "StRpcCln.dll" file for 32-bit platforms
and deploys this file to all Normal Servers installed on a 32-bit
platform. After installing this patch, users can use "ScanNow.exe" to
notify a Normal Server installed on a 32-bit platform to perform a
manual scan.

Issue 10: In a previous hot fix, the "RecordBack&Move" option was
provided for the Information Server, which is saved while creating a
manual scan profile in the Information Server. Users can use this
profile as a template when they configure ServerProtect to run "Scan
Now" tasks. Using the template allows the user to exclude the
quarantine folder and backup folder from task scans.
Users can enable the function by setting "RecordBack&Move=1"
manually. However, a user requests that this key be enabled by
default.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 10: Patch 4 removes the "RecordBack&Move" option because
users can now exclude the quarantine and backup folders from task
scans by default using the "Scan Now" settings.

Issue 11: The DCE 6.0 stops unexpectedly when two threads call the
DCE library at the same time.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 11: Patch 4 creates a lock that prevents multiple threads
from calling the DCE library at the same time.

2.2 Resolved Known Issues (from Previous Build 1012)
=====================================================================
This patch resolved the following issues:

Note: Patch 4 also includes the previous fixes accumulated from GM
build 1012.

Issue 1: ServerProtect cannot display the DCE/DCT information of the
64-bit Normal Server in the management console. This is caused by the
change in interface when querying the DCE/DCT version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: After applying Patch 4, the Normal Server uses the
correct interface to query the DCE/DCT version.

Issue 2: General release versions include one old DCE, version 3.5.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: Patch 4 updates the DCE to version 5.1.

Issue 3: The ServerProtect 5.7 Information Server cannot manage the
ServerProtect 5.58 Normal Server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: Patch 4 enhances the Information Server to enable the
management of the ServerProtect 5.58 Normal Server.

Issue 4: The "TSC.exe and TSC64.exe failed to initilize" error
message appears in 64-bit Windows 2003 Server when restarting or
shutting down the Normal Server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: After applying Patch 4, the Normal Server does not launch
the "TSC.exe" and "TSC64.exe" applications when shutting down.

Issue 5: ServerProtect for NT 5.58 ActiveUpdate URL is still in the
configuration list.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 5: After applying Patch 4, the ServerProtect for NT 5.58
ActiveUpdate URL is removed from the list.

Issue 6: Some UI fields display the wrong version information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 6: After applying Patch 4, these fields display the correct
version.

Issue 7: The "ScanNow.exe" tool and Deploy tool do not work in 64-bit
environments.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 7: After applying Patch 4, these tools can work in 64-bit
environments.

Issue 8: The Quarantine tool does not display the correct file
version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 8: After applying Patch 4, the quarantine tool displays the
file version as 5.70.

Issue 9: ServerProtect cannot update the pattern when deploying the
engine and pattern together on a 64-bit Normal Server and the engine
version is already the latest.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 9: Patch 4 resolves this issue.

Issue 10: When uninstalling the Normal Server, the process fails and
an "uninstall failed" message appears.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 10: Patch 4 resolves this issue.

Issue 11: An "StRpcSrv.dll" Insecure Method Exposure Vulnerability
occurs.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 11: Patch 4 enhances the RPC interface to address this
vulnerability.

Issue 12: A heap overflow occurs in the Normal Server RPC interface.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 12: After applying Patch 4, the Normal Server checks the
size of the RPC commands to prevent heap overflow.

Issue 13: The Normal Server cannot be registered to SPNT-IS during a
silent installation.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 13: After applying Patch 4, the Information Server accepts
special registry commands and commands from specific ports.

Issue 14: In 64-bit systems, SPNT-IS debug logs cannot be enabled.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 14: After applying Patch 4, the debug logs can be generated
correctly.

Issue 15: The "SetRealScanConfig" default task is not available for a
new Normal Server that is remotely installed to the Information
Server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 15: After applying Patch 4, the new interface is adopted to
access the "SetRealScanConfig" information in the Information
Server's local registry.

Issue 16: The management console displays the wrong time for the next
scheduled update of some Normal Servers included in the task setting
server list. This happens if these servers have been stopped.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 16: After applying Patch 4, the time is shown correctly.

Issue 17: The management console stops responding during startup if
the date format for the Japanese Windows server is set to
"yyyy/mm/dd ddd".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 17: After applying Patch 4, the management console works
correctly.

Issue 18: If there is no Normal Server installed on the Information
Server, the 64-bit scan engine version section and the download date
section show a blank screen in the management console of
ServerProtect for Windows.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 18: After applying Patch 4, the 64-bit scan engine version
and download date fields display "N/A" if there is no Normal Server
installed on the Information Server.

3. Documentation Set
========================================================================
In addition to this readme.txt, the documentation set for this
product includes the following:

o  Administrator's Guide -- product overview, configuration
   instructions, and basic information to get you "up and running."

o  Installation Guide -- deployment, installation, and integration
   information designed to help you install and access IMSVA.

o  Electronic versions of the printed manuals are available at:
   http://www.trendmicro.com/download/

o  Online help -- Context-sensitive help screens that provide
   guidance for performing a task.

o  Knowledge Base -- a searchable database of known product issues,
   including specific problem-solving and troubleshooting topics.
   http://esupport.trendmicro.com

4. System Requirements
========================================================================
No changes from system requirements in product readme.

5. Installation/Un-installation
========================================================================

5.1 Installation
=====================================================================
Note: Install this package from the same machine as the Information
Server.

Before applying this patch, close the management console application
and follow the instructions below to finish the patch installation.

1. Copy the patch installation file "spnt_570_win_en_patch4.exe" to a
   temporary folder.

2. Run the patch file.

3. When the patch installation begins, the license screen appears. If
   you disagree with the terms of the legal agreement, please choose
   "I do not agree the terms of the legal agreement." and click
   "Cancel" to abort the installation.
   If you choose to accept the terms, choose "I accept the terms of
   the legal agreement" and click "next". The installation will
   proceed to the next step.

4. The "readme" appears. Please read the contents of the readme
   carefully, and then click "Install" to begin the patch deployment.

5. The Information Server will deploy the patch to Normal Servers 30
   seconds after the installation is complete, and then it will
   restart the ServerProtect services.

Note: If the installation does not complete successfully, contact
Trend Micro technical support.

To apply this patch to a management console that is not associated
with the machine hosting the Information Server, follow the
instructions below.

1. Apply the patch to the Information Server.

2. Close the management console.

3. Go to the management console home directory and back up the
   "admin.exe" and "spuninst.exe" files to another location.

4. In the Information Server, find the Information Server home
   directory, copy the "admin.exe" and "spuninst.exe" files to
   overwrite the local files under the management console home
   directory.

5.2 Un-installation
=====================================================================
To roll back to the previous build:

1. Before you can roll back, run the following shell commands to stop
   all ServerProtect services:

   net stop spntsvc
   net stop earthagent
   net stop "TrendMicro Infrastructure"

2. You can find the backup files with the file extension ".bak" in
   the ServerProtect home directory. To roll back, rename the backup
   files and use them to replace the current files.

3. After the rollback, run the following commands to start the
   ServerProtect services:

   net start spntsvc
   net start earthagent
   net start "TrendMicro Infrastructure"

Note: "TrendMicro Infrastructure" refers to the CMAgent service. You
need to restart this service only when CMAgent is installed.

6. Post-installation Configuration
========================================================================

6.1 To deploy the latest DCE from the ServerProtect 5.7 Information
    Server to all ServerProtect 5.7 and 5.58 Normal Servers:
=====================================================================
1. Download the latest DCE from the Trend Micro Web site
   (http://www.trendmicro.com/download/dcs.asp).

2. Extract the downloaded DCE package into a temporary folder.

3. In the Information Server, go to the "\Hotfix\" folder and create
   and extract the package to the following subfolders.

   \Hotfix
       NT\
           TSC.exe
           TSC.ptn
       32bit\
           TSC.exe
           TSC.ptn
       64bit\
           TSC.exe
           TSC64.exe
           TSC.ptn

4. Under the "SProtect Home Directory" > "Hotfix folder", open the
   "hotfix.ini" file with Notepad (TM) or any text editor to start
   the DCE deployment.

5. In the "NT" section of "hotfix.ini", add or overwrite the "Path"
   parameter to "Path=NT". The result should be:

   [NT]
   Path=NT

6. In the "Common" section of "hotfix.ini", locate the
   "Server=Server_Name" string. Replace "Server_Name" with the Normal
   Server name(s). Separate multiple server names with a comma.

   Note: If "Server_Name" is left blank, the hot fix deploys to all
   normal servers managed by the Information Server.

7. Change the "read" value to "0" in the "Common" section to start
   the deployment.

8. Verify the deployment result from the management console.

Note: Trend Micro recommends that you update your scan engine and
virus pattern files immediately after installing the product.

6.2 To allow the Normal Server to accept the RPC command
    "RPCFN_EVENTBACK_AgentConnect" from other addresses, make the
    changes below in the Windows registry of the Normal Server:
========================================================================
Notes:

- Be aware that the "AgentFilter" registry setting influences all
  commands, including "RPCFN_EVENTBACK_AgentConnect".
- If the "AgentFilter" setting approves an address to pass through
  the command source filter, this setting overrides the
  "TrustedAgent" setting.

- To enable the Normal Server to accept the
  "RPCFN_EVENTBACK_AgentConnect" command from certain addresses or
  hostnames, do the following:

  1. Open the following registry folder:

     "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\
     CurrentVersion\RPC"

  2. Create one new string key named "TrustedAgent".

  3. Change the value of the "TrustedAgent" key to the IP addresses
     or hostnames from where the Normal Server should receive
     "AgentConnect" commands. Separate multiple IP addresses or
     hostnames with a semicolon (;).

- To enable the Normal Server to accept the
  "RPCFN_EVENTBACK_AgentConnect" command from any address:

  1. Open the following registry folder:

     "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\
     CurrentVersion\RPC"

  2. If the "TrustedAgent" item does not exist, create a new string
     key and name it "TrustedAgent".

  3. Change the value to the single character "*".

- To remove all trusted addresses:

  1. Open the following registry folder in the Normal Server:

     "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\
     CurrentVersion\RPC"

  2. Delete the registry item "TrustedAgent" or set its value to
     empty.

6.3 To enable the Normal Server to receive all commands from other
    user-specified IP addresses or hostnames:
======================================================================
1. Open the following registry folder:

   "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\
   CurrentVersion\RPC"

2. Create one new string key and name it "AgentFilter".

3. Change the value of the "AgentFilter" key to the IP addresses or
   hostnames from where the Normal Server should receive commands.
   Separate multiple IP addresses or hostnames with a semicolon.
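
An added example, not part of the Trend Micro readme or product: a PowerShell audit of the two registry values from sections 6.2 and 6.3 that flags the "*" wildcard, any "AgentFilter" override, and entries typed with commas instead of semicolons. The function names, sample server names and sample addresses are constructed for illustration, and treating a comma or space inside an entry as a mistake is an assumption.

```powershell
# Added example (not Trend Micro code): audit the RPC source filters
# described in sections 6.2 and 6.3 of this readme.
$RpcKey = 'HKLM:\SOFTWARE\TrendMicro\ServerProtect\CurrentVersion\RPC'

function ConvertTo-SourceList {
    param([string]$Value)
    # The readme specifies a semicolon-separated list of IP addresses or hostnames.
    if (-not $Value) { return }
    $Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-SpntRpcPolicy {
    param([string]$Server, [string]$TrustedAgent, [string]$AgentFilter)

    $trusted  = @(ConvertTo-SourceList $TrustedAgent)
    $filter   = @(ConvertTo-SourceList $AgentFilter)
    $findings = @()

    if ($trusted -contains '*') {
        # Section 6.2: "*" accepts the command from any address.
        $findings += 'TrustedAgent="*": RPCFN_EVENTBACK_AgentConnect is accepted from any address'
    }
    if ($filter -contains '*') {
        $findings += 'AgentFilter contains "*": the readme documents "*" only for TrustedAgent; review'
    }
    if ($filter.Count -gt 0) {
        # Section 6.2 notes: AgentFilter covers all commands and overrides TrustedAgent.
        $findings += 'AgentFilter is set (all commands, overrides TrustedAgent): ' + ($filter -join ', ')
    }
    foreach ($entry in ($trusted + $filter)) {
        # Assumption: a comma or space inside one entry is a mistyped list
        # (hotfix.ini uses commas, these registry values use semicolons).
        if ($entry -match '[,\s]') {
            $findings += "Entry '$entry' contains a comma or space; separate entries with ';'"
        }
    }
    New-Object PSObject -Property @{
        Server = $Server; TrustedAgent = $trusted; AgentFilter = $filter; Findings = $findings
    }
}

# On a Normal Server, audit the live key; elsewhere use constructed sample values.
if (Test-Path $RpcKey) {
    $rpc = Get-ItemProperty -Path $RpcKey
    $results = @(Test-SpntRpcPolicy -Server $env:COMPUTERNAME `
        -TrustedAgent $rpc.TrustedAgent -AgentFilter $rpc.AgentFilter)
} else {
    $results = @(
        (Test-SpntRpcPolicy -Server 'sample-restricted' -TrustedAgent '192.0.2.10;is01.example.test' -AgentFilter ''),
        (Test-SpntRpcPolicy -Server 'sample-wildcard'   -TrustedAgent '*' -AgentFilter ''),
        (Test-SpntRpcPolicy -Server 'sample-mistyped'   -TrustedAgent '192.0.2.10,192.0.2.11' -AgentFilter '198.51.100.5')
    )
}

foreach ($r in $results) {
    if ($r.Findings.Count -eq 0) {
        '{0}: no findings' -f $r.Server
    } else {
        $r.Findings | ForEach-Object { '{0}: {1}' -f $r.Server, $_ }
    }
}
```

Run against each Normal Server after patching, the report shows which hosts still accept "AgentConnect" from any address and which sources "AgentFilter" lets through for every command.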

6.4 To disable "tsc.exe", create the following key and set its value
    to "1":
======================================================================
Path:   HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect\
        CurrentVersion\SpntService
Key:    DisableTSCAfterPatternUpdate
Type:   DWORD
Values: "1" disables "tsc.exe"
        "0" enables "tsc.exe"

7. Known Issues
========================================================================
After applying Patch 4, the Normal Server only accepts the RPC
command "RPCFN_EVENTBACK_AgentConnect" from the trusted address. If
another Information Server tries to add this Normal Server, the
Normal Server directly returns 1707 to the Information Server,
whether or not the original Information Server is running.

When this happens, the following occur:

- the "Add Normal Server" function does not work properly from the
  Information Server that does not belong to the trusted address.
  Refer to Sections 6.2 and 6.3 for information on the solution to
  this issue.

- the "Move Information Server" function does not transfer all Normal
  Servers to the new Information Server unless the new Information
  Server address is found in the registry item "TrustedAgent" or
  "AgentFilter" in the Normal Server.

8. Release History
========================================================================
See the following Web site for more information about updates to this
product:
http://www.trendmicro.com/download

9. Files Included in this Release
=======================================================================
Module                       Filename            Build No.
---------------------------------------------------------------------
Management Console           Admin.exe           5.70.0.1107
                             spuninst.exe        5.70.0.1107

Information Server           DeployTool.exe      5.70.0.1107
                             Earthagent.exe      5.70.0.1107
                             Notification.dll    5.70.0.1107
                             StRpcCln.dll        5.70.0.1107
                             TmRpcSrv.dll        5.70.0.1107
                             Spuninst.exe        5.70.0.1107
                             Spuninstrc.dll      5.70.0.1107

32-bit Normal Server         AgRpcCln.dll        5.70.0.1107
                             LogMaster.dll       5.70.0.1107
                             Notification.dll    5.70.0.1107
                             Quarantine.exe      5.70.0.1107
                             ScanNow.exe         5.70.0.1107
                             SpntSvc.exe         5.70.0.1107
                             StRpcSrv.dll        5.70.0.1107
                             StWatchDog.exe      5.70.0.1107
                             spuninst.exe        5.70.0.1107
                             spuninstrc.dll      5.70.0.1107
                             StUpdate.exe        5.70.0.1107
                             tsc.exe             5.1.0.1008
                             TmRpcSrv.dll        5.70.0.1107

64-bit Normal Server         AgRpcCln.dll        5.70.0.1107
                             EventMsg2.dll       5.70.0.1107
                             LogMaster.dll       5.70.0.1107
                             Notification.dll    5.70.0.1107
                             Quarantine.exe      5.70.0.1107
                             ScanNow.exe         5.70.0.1107
                             SpntSvc.exe         5.70.0.1107
                             spuninst.exe        5.70.0.1107
                             spuninstrc.dll      5.70.0.1107
                             StUpdate.exe        5.70.0.1107
                             StUpdate_32.exe
                             StRpcSrv.dll        5.70.0.1107
                             StWatchDog.exe      5.70.0.1107
                             TmRpcSrv.dll        5.70.0.1107
                             TSC64.exe           5.1.0.1008
                             TSC.exe             5.1.0.1008

Normal Server hot fix file   Hotfix.ini          n/a

Patch files                  Tmpatch.exe         2.0.0.1022
                             readme.txt          n/a
                             hotfix.ini          n/a
                             license.txt         n/a

10. Contact Information
========================================================================
A license to the Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support
for one (1) year from the date of purchase only. After the first
year, Maintenance must be renewed on an annual basis at Trend Micro's
then-current Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us
at:
http://www.trendmicro.com

Evaluation copies of Trend Micro products can be downloaded from our
Web site.

Global Mailing Address/Telephone Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, refer to:
http://www.trendmicro.com/en/about/overview.htm

The Trend Micro "About Us" screen displays. Click the appropriate
link in the "Contact Us" section of the screen.

Note: This information is subject to change without notice.

11. About Trend Micro
========================================================================
Trend Micro, Inc. provides virus protection, anti-spam, and
content-filtering security products and services. Trend Micro allows
companies worldwide to stop viruses and other malicious code from a
central point before they can reach the desktop.

Copyright 2010, Trend Micro Incorporated. All rights reserved. Trend
Micro, the t-ball logo, ServerProtect are trademarks of Trend Micro
Incorporated and are registered in some jurisdictions. All other
marks are the trademarks or registered trademarks of their respective
companies.

12. License Agreement
========================================================================
Information about your license agreement with Trend Micro can be
viewed at:
http://www.trendmicro.com/en/purchase/license/

Third-party licensing agreements can be viewed:

- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Getting Started Guide or
  Administrator's Guide