Pattern Updates

Several components are involved in the routine task of updating the pattern files:
  • CPM server components include:
    • Proxy Settings
    • TMCPMAuHelper.exe
    • TrendMirrorScript.exe
  • CPM console components include:
    • Pattern Update Wizard
    • Pattern-set Loading via Manifest.json
  • CPM for Mac client components include:
    • BESAgent.exe (for dynamic download requests for pattern-sets)
    • TMMPMAuUpdater.exe (for request and application of pattern-sets)

General

  • The default ActiveUpdate server (for pattern updates) appears in the BigFix Server registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\CPMsrv\ServerUpdateSource\DefaultAUServer
  • The default ActiveUpdate server URL for CPM for Mac version 2.0:

    http://cpm-p.activeupdate.trendmicro.com/activeupdate

  • CPM server - Check that the server exists in the Windows Registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM\server
  • CPM server - If the automatic update Task is successful, the CPM site will exist in the bfsites directory:
    <%Program Files%>\BigFix Enterprise\BES Server\wwwrootbes\bfsites\CustomSite_FileOnlyCustomSite_CPMAutoUpdate_0_1
  • CPM for Mac client - After automatic updates are enabled on the client, the CPM site will exist in the IBM BigFix subscribed sites directory:
    <%Program Files%>\BigFix Enterprise\BES Client\__BESData\CustomSite_FileOnlyCustomSite_CPMAutoUpdate
  • Check for pattern updates on the CPM server. From the CPM Dashboard, click Update/Rollback Patterns > Create Pattern Update/Rollback Task to open Pattern Update and Rollback Wizard.
    • If there are no new updates, inspect the Task Core Protection Module - Set ActiveUpdate Server Pattern Update Interval.
    • If the Task was run but the updates are not working properly, check the Action or the BigFix Agent logs on the BigFix Server.
    • Check the BigFix Server to confirm whether pattern updates are being received as expected:
      <%Program Files%>\BigFix Enterprise\BES Server\wwwrootbes\cpm\patterns
  • Check the TrendMirrorScript.exe logs in:
    <%Program Files%>\BigFix Enterprise\TrendMirrorScript\logs
  • Confirm that older pattern files are still on the BigFix Server (by default a reserve of 15 patterns is retained).

Automatic Pattern Updates

  1. Check the BigFix Console to verify whether any CPM servers require action for Core Protection Module > Warnings.
  2. Check on the BigFix Server that the Task Core Protection Module - Set ActiveUpdate Server Pattern Update Interval has been created and run. This task must be set to automatically reapply at a frequent interval (often hourly), and it must not be restricted in any way that would conflict with the action.
  3. Check on the BigFix Server that the Task Core Protection Module - Apply Automatic Updates has been run and that the Action has successfully completed.
  4. On the CPM Server, the user account must be in place for the propagation site. The PropagateManifest registry key must be set to 1.
    • For 32-bit endpoints:
      HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\CPM\server
    • For 64-bit endpoints:
      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\CPM\server
  5. For CPM for Mac clients that are enabled for automatic updates, check the following file:
    /Library/Preferences/com.bigfix.BESAgent.plist

Proxy Servers

If there is a proxy server between the BigFix Server and Internet, two separate configurations are necessary:

  • The BigFix Server proxy authentication settings: Used by BESGather service, and typically set during the BigFix Server install. For more information see the Knowledge Base article: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=231
  • CPM Server component proxy authentication settings: Used by the update program, TMCPMAuHelper.exe. Set or check this from Endpoint Protection > Core Protection Module > Configuration > ActiveUpdate Server Settings > ActiveUpdate Server Settings Wizard.

If the latest pattern file already exists on the CPM Server, you must perform the following manual steps to continue testing:
  1. Locate and delete the following folder:
    %CPM_SERVER_INSTALL_FOLDER%\bin\AU_Data
  2. Delete all files and any subfolders from this directory (but not the folder itself):
    %CPM_SERVER_INSTALL_FOLDER%\download
  3. From Endpoint Protection > Core Protection Module > Updates > Automatic Update Tasks, run the Core Protection Module - Set ActiveUpdate Server Pattern Update Interval Task.

Client-Side Logging: ActiveUpdate

  1. On the CPM for Mac client, create or locate and open the following text file:
    /Library/Application Support/TrendMicro/common/lib/AUlib/aucfg.ini
  2. Add or change the following parameter:
    [debug]
    level=-1
  3. Save and close the file.
  4. Log output will be saved here:
    /Library/Application Support/TrendMicro/common/lib/AUlib/AU_Data/AU_Log/TmuDump.txt
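
Steps 1 to 3 above as a repeatable script, added here as an example and not part of the product or of the original page. The function names are hypothetical, and it assumes LF line endings and that [debug] and level are written exactly as shown in step 2.

```shell
#!/bin/sh
# Added example (not Trend Micro tooling). Function names are hypothetical.
# Path from step 1, read without spaces around "AUlib"; override AUCFG to work on a copy.
AUCFG="${AUCFG:-/Library/Application Support/TrendMicro/common/lib/AUlib/aucfg.ini}"

# Steps 1-3: create the file if needed, then set level=<value> under [debug].
# Rerunning is safe: the section ends up with exactly one level line.
set_au_debug_level() {
    file=$1 level=$2
    [ -f "$file" ] || : > "$file"
    # Keep the first pre-change copy so the original can be restored later.
    [ -f "$file.bak" ] || cp -p "$file" "$file.bak"
    awk -v lvl="$level" '
        /^[ \t]*\[/ {                              # any section header
            in_debug = ($0 ~ /^[ \t]*\[debug\][ \t]*$/)
            print
            if (in_debug && !done) { print "level=" lvl; done = 1 }
            next
        }
        in_debug && /^[ \t]*level[ \t]*=/ { next } # drop the old value
        { print }
        END { if (!done) { print "[debug]"; print "level=" lvl } }
    ' "$file" > "$file.tmp" &&
        cat "$file.tmp" > "$file" &&               # rewrite in place, keeping owner and mode
        rm -f "$file.tmp"
}

# Print the level currently set under [debug]; prints nothing if it is unset.
get_au_debug_level() {
    awk '
        /^[ \t]*\[/ { in_debug = ($0 ~ /^[ \t]*\[debug\][ \t]*$/); next }
        in_debug && /^[ \t]*level[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Put back the configuration saved before the first change.
restore_au_config() {
    [ -f "$1.bak" ] && cat "$1.bak" > "$1" && rm -f "$1.bak"
}

# Usage on the client:
#   set_au_debug_level "$AUCFG" -1 && get_au_debug_level "$AUCFG"
#   ... reproduce the update problem, collect TmuDump.txt ...
#   restore_au_config "$AUCFG"
```

Restoring the saved configuration once TmuDump.txt has been collected returns ActiveUpdate logging to its previous level.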

Additional Files

  • Create a manifest file and list of URLs by typing the following at a command prompt:
    TMMPMAuUpdater -pu -m Manifest -f urllist
  • Check the file server.ini in the following location:
    /Library/Application Support/TrendMicro/MPM/download/