Trend Micro and Microsoft Kernel Driver conflict issue

Solution:

I. Description:
Trend Micro has become aware of an issue that affects some versions of Trend Micro desktop and server-based products whereby a system crash may occur if a customer initiates a manual or scheduled scan after applying a recent Microsoft security update without rebooting and updating the pattern file.

II. Products Affected:
This issue affects the following Trend Micro products and versions:
• Trend Micro OfficeScan (OSCE) versions 8.0 and above
• Trend Micro Worry-Free Business Security (WFBS) version 5.0
• Trend Micro Client Server Messaging Security (CSM) versions 3.5 and 3.6
• Trend Micro Internet Security versions 15.x (2007), 16.x (2008) and 17.x (2009)

III. Background:
Microsoft released security update MS08-064 on October 14, 2008, to address a reported vulnerability in the Virtual Address Descriptor. This security update addresses the vulnerability by modifying the way that the Virtual Address Descriptor in Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 handles memory allocation variables. Several key kernel drivers in Windows are modified, such as ntoskrnl.exe, and a reboot is required after the update.
A critical error (BSOD) was found to occur in certain rare cases when a system with one of the affected products above was updated with MS08-064, was not rebooted as required by Microsoft, performed a pattern update, and then initiated a manual or scheduled scan.
Upon analysis, it was found that the tmcomm.sys driver in the affected products had an internal address value that was incorrectly computed. This occurs when the ntoskrnl.exe version differs in memory compared to the driver, due to the Microsoft security update being applied without the required reboot. When the product scan is initiated in these circumstances, a critical error may result.
This error does not occur on systems that have rebooted after applying the Microsoft security update since the correct internal address would be available and used by the affected Trend Micro products.

IV. Impact:
Customers who apply MS08-064 without subsequently rebooting as required by Microsoft, perform a pattern update, and then initiate a manual or scheduled scan may encounter a critical error (BSOD).

V. Recommended Solution:
A reboot of the affected system after applying the security update will resolve the issue, as per Microsoft’s restart requirement on security update MS08-064.
It is recommended that customers, especially in large environments, that are planning to deploy MS08-064 during a scheduled maintenance window also allow for reboot time so that any potential issues can be avoided.

VI. Alternate Solution:
A hotfix tmcomm.sys patch (2.2.0.1032) has been created for customers that may have issues rebooting affected products. More information, as well as the patch itself, can be obtained from Trend Micro technical support.
Please note that the preferred solution is the recommended solution provided above, since other stability and kernel memory scenarios not directly related to this issue could also be present when not following Microsoft’s instructions to reboot.
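
The check below is an added example, not part of the original advisory or Trend Micro's tooling. It flags hosts that match the condition described above: a restart still pending and a tmcomm.sys older than the 2.2.0.1032 hotfix. The driver path, the use of the standard Windows pending-restart registry markers, and treating any version at or above 2.2.0.1032 as fixed are assumptions.

```powershell
# Added example, not vendor code. Assumed: the driver path, and that the
# standard Windows pending-restart registry markers are a sufficient signal.
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\tmcomm.sys'  # assumed location
$HotfixVer  = [version]'2.2.0.1032'                                    # hotfix version named in the advisory

function Test-PendingReboot {
    # Key present => the servicing stack or Windows Update is waiting for a restart.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) { if (Test-Path -Path $k) { return $true } }

    # Non-empty value => in-use files are queued for replacement at next boot.
    # Other installers also use this value, so it errs on the side of "pending".
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -ErrorAction SilentlyContinue
    return [bool]($sm -and $sm.PendingFileRenameOperations)
}

function Get-DriverVersion([string]$Path) {
    if (-not (Test-Path -Path $Path)) { return $null }   # product not installed
    $vi = (Get-Item -Path $Path).VersionInfo
    # Build the version from numeric fields; the FileVersion string may carry extra text.
    return New-Object -TypeName System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Get-ScanReadiness {
    $pending = Test-PendingReboot
    $ver     = Get-DriverVersion $DriverPath
    $patched = ($ver -ne $null) -and ($ver -ge $HotfixVer)   # assumption: >= hotfix means fixed
    New-Object psobject -Property @{
        Computer      = $env:COMPUTERNAME
        PendingReboot = $pending
        TmcommVersion = $ver
        HasHotfix     = $patched
        # Defer manual/scheduled scans only where the advisory's crash condition applies.
        DeferScan     = $pending -and ($ver -ne $null) -and (-not $patched)
    }
}

Get-ScanReadiness
```

A host reporting DeferScan as True should be restarted, or receive the hotfix, before its next manual or scheduled scan.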

VII. Reference:
See Microsoft Security Bulletin MS08-064 for more information.

VIII. Other Information:
Users who believe they may have been affected by this issue can contact their authorized Trend Micro technical support services provider in their region for further assistance.