Trend Micro Security Solutions: Roll Back Registry Changes After False Alert (May 2, 2022)

On May 2/3, 2022, Trend Micro Apex One and Worry Free Business Security (security solutions) raised a false positive alert that classified the file msedge_200_percent.pak from Edge 101.0.1210.32 on Windows as malware/Trojan. The problem was fixed by a signature update, but the incident left modified registry entries behind. Trend Micro now also provides a way to roll back these unwanted registry changes.



The Apex One false positive alert

As of April 28, 2022, Microsoft had updated the Chromium Edge browser to version Edge 101.0.1210.32 to close two vulnerabilities, CVE-2022-29146 (privilege elevation) and CVE-2022-29147 (information retrieval). On May 3, 2022, administrator feedback started piling up on my blog that Trend Micro's security solutions Apex One as well as Worry Free Business Security were triggering a false alarm and supposedly detecting a Trojan in the msedge_200_percent.pak file from Edge 101.0.1210.32. 

I had picked up that issue in the blog post Trend Micro Apex One triggers false positive with Microsoft Edge 101.0.1210.32. That post also contains some descriptions of the false alert from those affected. Trend Micro had confirmed the issue and a few hours later released a fixed signature file that removed the false positive.

Ryan Torio | Customer Service Engineer – Global Technical Support

Apologies for the issue this happened on your side. As an update, our Antimalware Team already released a Smart Scan Pattern 21474.139.09 to revoke these detections.

Please make sure to update your Trend Micro Product to make sure it gets the latest pattern Smart Scan Agent Pattern 17.541.00 to revoke the detection of False Positives.

Trend Micro confirmed the incident in the article CUSTOMER ADVISORY: Trend Micro False Positive Detection Reported with Microsoft Edge (May 2, 2022) – the May 2, 2022 date given there is based on the local date, in Germany it was already May 3, 2022 when the false alarm occurred. The false alarm occurred with Smart Scan Agent Pattern 17.541.00 or later and was only removed with Smart Scan Pattern 21474.139.09 or later.

Changed registry entries

Problem fixed? In various comments, however, those affected mentioned that Windows registry entries were unintentionally changed as a result of the incident. Peter L. reports here that the registry entry

HKEY_USERS\$SID\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper

is also changed. In the German blog post Trend Micro Apex One löst Fehlalarm beim Microsoft Edge 101.0.1210.32 wegen msedge_200_percent.pak aus, German reader MRa wrote in this comment:



In logs in the following folder (%path_of_TM_agent%\report) you can find where exactly the agent changed what.

and posted the following excerpt from the log file with changed registry entries:

-->reboot modify registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoDriveTypeAutoRun") success
-->reboot modify registry data("HKEY_USERS","S-1-5-21-********-********-********-****\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoDriveTypeAutoRun") success
-->reboot modify registry data("HKEY_USERS","S-1-5-21-********-********-********-****\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced","Hidden") success
-->reboot modify registry data("HKEY_USERS","S-1-5-21-********-********-********-****\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced","ShowSuperHidden") success
-->reboot delete registry value("HKEY_LOCAL_MACHINE","SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore","DisableSR") success
-->reboot modify registry data("HKEY_LOCAL_MACHINE","SYSTEM\CurrentControlSet\Services\RemoteRegistry","Start") success

The question here was whether Trend Micro would also correct this, or whether administrators would have to perform a manual rework.
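To see which values the agent touched on a given machine, the report-log lines can be parsed and each value read back from the registry. The following PowerShell is an added example, not code from the original post or from Trend Micro; the function name is hypothetical and the sample lines are constructed from the excerpt above.

```powershell
# Added example, not Trend Micro code. $sample is constructed from the excerpt above;
# for real use, pipe the report log instead: Get-Content <report log> | Get-CleanupRegistryChange
$sample = @'
-->reboot modify registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoDriveTypeAutoRun") success
-->reboot delete registry value("HKEY_LOCAL_MACHINE","SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore","DisableSR") success -->reboot modify registry data("HKEY_LOCAL_MACHINE","SYSTEM\CurrentControlSet\Services\RemoteRegistry","Start") success
'@

function Get-CleanupRegistryChange {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        # operation("hive","key","value name") result; the leading arrow is ignored,
        # so lines with a typographic dash or several entries per line still parse.
        $rx = [regex]'(?<op>modify registry data|delete registry value)\("(?<hive>[^"]+)","(?<key>[^"]+)","(?<name>[^"]+)"\)\s+(?<result>\w+)'
    }
    process {
        foreach ($m in $rx.Matches($Line)) {
            $path = 'Registry::{0}\{1}' -f $m.Groups['hive'].Value, $m.Groups['key'].Value
            $name = $m.Groups['name'].Value
            # Read what is in the registry now, so it can be compared with the baseline.
            $item = Get-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Operation    = $m.Groups['op'].Value
                Result       = $m.Groups['result'].Value
                Path         = $path
                Name         = $name
                Present      = [bool]$item
                CurrentValue = if ($item) { $item.$name } else { $null }
            }
        }
    }
}

$sample -split '\r?\n' | Get-CleanupRegistryChange | Format-List
```

The output lists one object per logged change, including the second entry on lines where two entries were written without a line break.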

Manually restoring registry entries

In Trend Micro's acknowledgement of the incident, the vendor notes that some customers – depending on their endpoint cleanup configuration settings – observed registry changes. To roll back these changes, Trend Micro suggests the following steps for Apex One.

1. Open a command prompt with elevated administrator privileges on the affected computer.

2. Navigate to the \Backup folder on the affected computer running the Apex One Agent (usually C:\Program Files (x86)\Trend Micro\Security Agent\Backup).

3. There should be a file named TSC_GENCLEAN_XXXX_XX_XX_XX_XX_XX_XXX_XXX.DAT in the folder; make a note of this name (the X's stand for the date and timestamp; example: TSC_GENCLEAN_2022_05_03_17_54_14_118_035.DAT).

4. Navigate back to the Agent folder (usually C:\Program Files (x86)\Trend Micro\Security Agent).

5. Run the following command:

   a. 64-bit machines: tsc64.exe -restore=.\backup\TSC_GENCLEAN_XXXX_XX_XX_XX_XX_XX_XXX_XXX.DAT
   b. 32-bit machines: tsc.exe -restore=.\backup\TSC_GENCLEAN_XXXX_XX_XX_XX_XX_XX_XXX_XXX.DAT

The file name specified here:

TSC_GENCLEAN_XXXX_XX_XX_XX_XX_XX_XXX_XXX.DAT

is to be replaced in the above command with the name of the file noted in step 3. The above steps restore the changes made when the agent's damage cleanup tool was run, Trend Micro writes.
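The five steps above as one PowerShell function, as an added example: this is not Trend Micro's reference script, and the function name and the -BackupName parameter are hypothetical. It uses only the paths, file pattern and tsc/tsc64 command line given in the steps, and stops instead of guessing when more than one backup file exists.

```powershell
# Added example, not Trend Micro's reference script. Test before any rollout.
function Restore-TscCleanupBackup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Default install path as given in step 2; adjust if the agent lives elsewhere.
        [string]$AgentDir = 'C:\Program Files (x86)\Trend Micro\Security Agent',
        # Needed only when several backups exist (hypothetical parameter of this example).
        [string]$BackupName
    )
    # Step 1: the restore must run elevated.
    $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated session.'
    }
    # Steps 2 and 3: find the cleanup backup file(s).
    $backups = @(Get-ChildItem -LiteralPath (Join-Path $AgentDir 'Backup') -Filter 'TSC_GENCLEAN_*.DAT' -File -ErrorAction Stop)
    if ($BackupName) { $backups = @($backups | Where-Object Name -eq $BackupName) }
    if ($backups.Count -eq 0) { Write-Warning 'No matching TSC_GENCLEAN_*.DAT backup found.'; return }
    if ($backups.Count -gt 1) {
        # The page describes a single file; with several, let the admin choose.
        Write-Warning 'Several backups found; rerun with -BackupName <file name>.'
        return $backups | Sort-Object LastWriteTime | Select-Object Name, LastWriteTime
    }
    # Step 5: tsc64.exe on 64-bit Windows, tsc.exe on 32-bit.
    $exe  = if ([Environment]::Is64BitOperatingSystem) { 'tsc64.exe' } else { 'tsc.exe' }
    $tool = Join-Path $AgentDir $exe
    if (-not (Test-Path -LiteralPath $tool -PathType Leaf)) { throw "$tool not found." }
    $arg = '-restore=.\backup\{0}' -f $backups[0].Name
    if ($PSCmdlet.ShouldProcess($backups[0].Name, "$exe $arg")) {
        # Step 4: run from the agent folder, because the path in -restore is relative to it.
        $p = Start-Process -FilePath $tool -ArgumentList $arg -WorkingDirectory $AgentDir -Wait -PassThru -NoNewWindow
        # The exit code is reported as-is; the page does not document its meaning.
        [pscustomobject]@{ Backup = $backups[0].Name; Tool = $exe; ExitCode = $p.ExitCode }
    }
}

Restore-TscCleanupBackup -WhatIf   # dry run: shows the command without executing it
```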

Script to fix registry entries

In larger environments, the above manual repair steps are not feasible. Trend Micro has created a reference script for these environments to deploy the recovery procedures using the above TSC tool in an automated manner with GPOs or other similar enterprise-level scripting tools.

The updated reference script can be downloaded as a password-protected ZIP archive from Trend Micro.  The password for the zip file is novirus.  Administrators using this script as a batch file or by any other method should first carefully review and test the script in their environment before applying it. (via Bleeping Computer)


