Help others and share!

For several months now we had been struggling with a sporadic issue where we were getting an error “Error: The System cannot open the device or file specified” when we tried to save an AppSense configuration to the Management Server. The error was hit or miss and very difficult to reproduce and capture. Making matters worse, I rarely if ever saw the error message, while others saw the message more frequent.

Finally, with the help of Andrew with 2nd Line AppSense Support, we believe we have narrowed down why.

In our environment we deliver the Consoles generally to our admins through Citrix. This is so that I can ensure all consoles I am putting out in our environment are identical. The exceptions to this are the local servers themselves and my own laptop where I consistently load them locally. I initially suspected the problems to be something Citrix related, since the users complaining were all through Citrix and I had not seen the errors on my laptop, and rarely when using remote desktop to the servers direct.

Today I did encounter the problem on our test server using the latest bits, so I reached out to AppSense support. Of course I could not reproduce the problem on demand, but Andrew did mention other customers that had issues with Trend Micro OfficeScan v10 and locking up access to the MSI files generated.

What occurs on the backend is that when saving the Configuration, an MSI is created and uploaded to the server. A race condition can occur and Trend may lock the MSI causing the choke. This was a new feature Trend threw into their product, and we had actually disabled it on all of our desktops due to the problems it caused with other MSI installers. (See: http://esupport.trendmicro.com/solution/en-US/1096841.aspx)

These are the steps that we had to take:

  1. Log on to the OfficeScan (OSCE) server.
  2. Go to the OSCE installation path: C:\Program Files\Trend Micro\Officescan\PCCSRV
  3. Create a backup of the ofcscan.ini file.
  4. Open the ofcscan.ini file and add the following parameters under Global Setting:
    [Global Setting]
    EnableRTScanMsiInstall=0
  5. Save the changes.
  6. Log on to the OfficeScan Server Management Console.
  7. Go to Networked Computers > Global Client Settings.
  8. Click Save.
  9. Go to the client machine, right-click the OSCE client icon and click Update Now.
  10. Verify if the client registry has the following values:
    [HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration
    EnableRTScanMsiInstall=0

This Trend Micro feature was disabled on my laptop, but not on the servers where the issues was being displayed for all of our other users. Once we disabled the MSIChecker following Trend Micro’s technical article, we did not continue to have issues. This did occur on versions 10 and 11 of  the OfficeScan clients.

Additionally, when validating through a procmon trace, this is the information you would see during the lockup of the Environment Manager msi.

****

19:11:11.7174820           ntrtscan.exe       6096     CreateFileMapping
C:\Users\TESTUSER\AppData\Local\Temp\c1c6ce5b-c197-4308-b432-37e57be4a226.msi     FILE LOCKED WITH ONLY READERS    560

After this, the Environment Manager console is not able to access due to this file being locked:

19:11:11.7186606           EMConsole.exe  4668     CreateFile
C:\Users\TESTUSER\AppData\Local\Temp\c1c6ce5b-c197-4308-b432-37e57be4a226.msi     SHARING VIOLATION        6128

****

This is not the first time the Trend Micro MSIChecker has caused issues in our environment. Hopefully this information will help others.

Help others and share!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.