Tuesday, April 29, 2008

Trend Micro Going Downhill

Over the last week I've been having to spend an inordinate amount of time fixing things, both personally and professionally, and I'm struck how often the twisted and sordid trails are leading to Trend Micro Internet Security.

This tale starts with my acquisition of Trend Micro Internet Security 2007. I've been running Trend Micro IS v11 (which I think they call 2002) for quite a long time now, and it's served me well over the years. So, I figured that the latest version would be that much better.

I must say I was disappointed in it. An install of Trend Micro 2007 on a private machine caused an excruciating selection of gripes. It garbled the fonts in Firefox (but not IE7, oddly enough) such that I had to turn on Clearfonts. Any time I attempted to install something from a disk image using Daemon Tools the installation was usually corrupt. Indeed, sometimes the act of switching disk images would cause a lockup, requiring a hard reboot to fix. At first I was blaming this on the new version of Daemon Tools, but then I also noticed that internet connectivity was noticeably slower with TMIS 2007 installed than it was previously. After a while it began to add up, and sure enough, all these problems went away the instant I uninstalled Trend Micro 2007.

Oh, but it gets better. Remember my tried and true, long-loyal TMIS 2002/v11? It has turned on me.

Both at home and at work I've noticed odd problems. I could ping any IP address, but by name I could ping certain machines and not others. If an explorer window accessing a network resource is left open in the background, the computer often would lock up. Applications that access network resources by the //server/share naming convention would also frequently lock the system so hard that not even the task manager could open. All kinds of bizarre behavior, all contrary to how I understand Windows-based networking to work based upon 10 or so years of professional experience and untold more of private experience.

But it occurred to me I could also trace this aberrant behavior to one night a few days ago when Trend Micro (which I naturally keep on automatic update mode) received an update that not only was a new pattern but also altered something to such an extent as to require a reboot. This is rare but does happen from time to time. That update not only happened on all 3 of my home PCs and my laptop, but also on a good 50% of the machines at work that also run Trend Micro Internet Security (based on my recommendation, naturally). It was after this update that not only did some of my machines at home start acting funny, but a good many of the machines at work also started paralyzing themselves doing otherwise routine activities.

It took me a little while to put all the pieces together about exactly what the hell was going on (especially since the problem only affected machines with XP SP2 but not SP1 on them), but final confirmation of my coalescent theory came when I used task manager to end pccpfw.exe and tmproxy.exe (Trend Micro's software firewall and proxy, respectively), disabled the network connections, re-enabled them, and magically all the problems went away instantly. I could ping anything by name, access any network //server/share without lockups both in explorer and in our professional software... in other words, removing Trend Micro Internet Security fixed the problem. I reinstalled... and things go OK until I update to the most current version... and pow. Faster than I could say "thank you sir, may I have another" the lockups and misbehavior are back.
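The isolation test described above, scripted as an added example (this is not part of the original post, and nothing here is Trend Micro's own tooling). It assumes PowerShell 2.0 or later and an elevated prompt; the host names, addresses, share path and adapter name are constructed placeholders, while the two process names are the ones the post identifies. It pings each target by IP and by name separately, because a box that answers by IP but not by name points at name resolution rather than the link, and it probes the UNC share from a background job with a timeout so that a hung SMB session shows up as `timeout` instead of freezing the diagnostic itself.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ and an elevated
# prompt. Host names, addresses, the share and the adapter name are constructed
# placeholders; pccpfw/tmproxy are the process names given in the post.
$targets = @(
    @{ Name = 'fileserver';  IP = '192.168.1.10'; Share = '\\fileserver\public' },
    @{ Name = 'printserver'; IP = '192.168.1.11'; Share = $null }
)
$tmProcesses = 'pccpfw', 'tmproxy'          # Trend Micro firewall and proxy
$adapter     = 'Local Area Connection'      # adapter to bounce after ending them

function Test-Target {
    param([hashtable]$t)
    # Ping by IP and by name separately: IP-works-but-name-fails is the post's symptom.
    $byIp   = Test-Connection -ComputerName $t.IP   -Count 1 -Quiet -ErrorAction SilentlyContinue
    $byName = Test-Connection -ComputerName $t.Name -Count 1 -Quiet -ErrorAction SilentlyContinue
    # UNC probe in a job with a timeout, so a hung SMB session cannot hang this script.
    $share = 'n/a'
    if ($t.Share) {
        $job = Start-Job -ScriptBlock { param($p) Test-Path -Path $p } -ArgumentList $t.Share
        if (Wait-Job $job -Timeout 15) { $share = Receive-Job $job } else { $share = 'timeout' }
        Remove-Job $job -Force
    }
    New-Object PSObject -Property @{ Host = $t.Name; PingIP = $byIp; PingName = $byName; Share = $share }
}

function Show-TmState {
    # Report whether the two Trend Micro components are currently running.
    foreach ($p in $tmProcesses) {
        $running = [bool](Get-Process -Name $p -ErrorAction SilentlyContinue)
        "{0,-12} running={1}" -f "$p.exe", $running
    }
}

function Invoke-Round([string]$label) {
    Write-Host "== $label =="
    Show-TmState
    $targets | ForEach-Object { Test-Target $_ } | Format-Table Host, PingIP, PingName, Share -AutoSize
}

Invoke-Round 'Baseline (Trend Micro components running)'

# The post's workaround: end the firewall and proxy, then bounce the adapter so the
# stack comes back up without their hooks in the path, and re-run the same checks.
Stop-Process -Name $tmProcesses -Force -ErrorAction SilentlyContinue
netsh interface set interface "$adapter" disabled | Out-Null
netsh interface set interface "$adapter" enabled  | Out-Null
Start-Sleep -Seconds 10

Invoke-Round 'After ending pccpfw.exe / tmproxy.exe and bouncing the adapter'
```

Run it once with the suite in its updated state and compare the two tables: if `PingName` and `Share` flip from `False`/`timeout` to `True` in the second round while `PingIP` was `True` in both, the interference is in the name-resolution and SMB path rather than in basic IP connectivity, which is the pattern the post describes. The suite's services may respawn the processes within seconds, so check the `running=` lines in the second round before trusting it.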

This leaves me feeling severely disgruntled, if not betrayed. In researching this problem, I found that Trend Micro experienced a similar problem back in 2005 (1, 2) where a bad heuristic pattern in a virus pattern update caused the exact same symptoms I am experiencing today. That day, they allegedly fixed it within 90 minutes, but several days after this reboot-necessitating update still nothing is surfacing. And I'm left with egg on my face as the "company computer guy" for having recommended this product in the first place (never mind the years of trouble-free service it has given us previous to this episode).

So now it's time to move on, unfortunately... I'm looking at Kaspersky as a possible replacement, I suppose... but I still feel bummed at the ending of my Trend Micro era. All these years of us conquering viruses and worms together have ended with a bad taste, and it feels to me like that one episode of Dukes of Hazzard where Boss Hogg hired a hypnotist and they planted a compulsion in Luke Duke's mind while he slept to sell the General Lee the next time it broke down, then arranged for the GL to have a rather minor engine stall. And here I am the Bo Duke of this metaphor, wondering why my buddy is now against me, selling off my badass car and leaving me stranded to the mercies of the Boss Hogg viruses of the world.

12 comments:

DimentoGraven said...

I've always, ALWAYS, had issues with Trend Micro.

When I got my latest Dell, all super-uberness of it was dulled the minute I found I had that POS PC-cillin shit on it.

I've left it on, but occasionally I have to fight with PC-cillin (yes, it's Trend Micro) to leave my other tried and true anti-spyware apps alone.

One thing I hate about ALL antivirus software is their insistence on interrupting EVERYTHING you're doing, EVERY TIME they so much as fart.

Norton, McAfee, etc., all do it. They go download an update, BLAMMO, you're interrupted so that they can proudly tell you they're attempting to download an update. Going to do the regularly scheduled scan? BLAMMO, anything you were doing is now in the background so they can get in your face with the system scan.

FUCKING SHUT THE FUCK UP ANTIVIRUS PIECES OF SHIT! THE ONLY GODDAMN TIME I CARE THAT YOU EVEN EXIST IS WHEN THERE'S AN ACTUAL VIRUS TO KILL!!!

-pant- -pant-

Anyway, you get a big fat "I told you so" from me on your problems with those shitheads.

People may hate Norton, but I've never locked up my PC with Norton properly installed.

Gas Bandit said...

There is one thing of which I am still certain, and that is I'd as soon trust my computer's security to a TI-84 graphing calculator as Norton Antivirus, and it would be just as effective.

The two companies I'm definitely avoiding as replacements are Norton and McAfee. There seems to be a lot of good talk about Kaspersky, or possibly F-Prot, and in the meantime, I suppose even just plain old free AVG and the windows firewall will probably be good enough for short term.

DimentoGraven said...

Crimany... Norton haters, Microsoft haters, etc., etc., all fricking generalizing...

Specifically WHERE does Norton fall short? (I could care less about McAfee)

Gas Bandit said...

Just about every Dell my company has bought (both this one and the previous ones I worked for) came with Norton. I tried to give it a fresh shake every new version, but I've always found it to be a bigger resource hog than Trend Micro ever was.

Additionally, so many machines I have seen which were relying on Norton picked up malware that Norton never even so much as batted an eyelash about. Every time I've had somebody at work tell me "can I bring you my laptop/home PC? I think something is wrong with it" and I found it to indeed have viruses, it invariably had Norton installed.

Furthering my bias against Norton was that most of the versions previous to the current only allowed exceptions by executable in their firewalls, and you could not open specific ports or addresses manually. And frankly the firewall just never quite worked right, often filtering what I needed let through and letting through what should have been filtered. Trend Micro's firewall was much more adept, allowing exceptions by port, port range, address, address range, and further selectivity regarding protocol and inbound/outbound.

DimentoGraven said...

I've never noticed the 'resource hog' issue, unless the application wasn't installed correctly.

Norton is very modular; expecting Norton Anti-virus to catch spyware is the exact same mistake as expecting the various flavors of anti-spyware to detect virii... Sure, they've both got a bit of crossover, but they're not designed to work exclusively in place of the other.

I too am regularly asked to fix people's home PCs and, yes, like you I find that they have Norton, or McAfee, or PC-cillin, or whatever, pick your flavor, and yes, they've had virii, spyware, various other bad things, and what's the REAL causative reason, 99.9999999999% of the time?

Because they've got Norton '95 installed on their fucking PC and haven't updated the goddamn engine or DAT's since the original install of their fucking PC! Likewise, they don't have ANY OS updates installed, no driver updates, etc., and are just one big open gaping cunt for all the bad shit on the internet to stick their scummy penises in.

If people would maintain their OS and protective software like they should, then we wouldn't be spending so much of our free time at home fixing these fucked up machines.

It's not a problem of any particular brand of protection it's the user's lack of taking personal responsibility for the security of their PC.

It's like a mechanic getting pissed off at Pennzoil because it doesn't protect the engine for 200,000 miles, without regular oil changes.

It's not Pennzoil's fault, it's the fault of the car owner not fucking changing his oil like he's supposed to.

As for the issues you've experienced with the Norton firewall, I've never noticed any particular issues along those lines. I just make sure that my applications that need to have access to the net are started, and I allow them access to the net when prompted that first time.

The last version that I bothered using (it seemed kind of redundant with a bunch of the other stuff I have been using) didn't seem to have any non-self-inflicted issues, and I don't count the problems I caused myself.

Gas Bandit said...

Application-level exceptions are all fine and dandy for applications that initiate the connection, but are often absolutely useless for applications that "listen" for a connection. Many types of game servers have problems with firewalls that grant exceptions by application because an incoming request on a given port will always be blocked if the server's application didn't initiate the connection. That's why I prefer using port and address based exceptions, and Norton never gave me that option.

And I've found plenty of real, honest-to-god viruses on PCs that had full and fully updated versions of Norton.

I'm sure PPMcBiggs will back me up on the evils of Norton.
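The distinction drawn in the comment above (an exception keyed on the executable versus one keyed on port, protocol and remote address) is easy to see side by side on the built-in Windows Firewall. The following is an added example, not code from the thread or from any of the products discussed; it assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets) and an elevated prompt, and the server path, ports and LAN range are made up. One caveat: unlike the Norton versions the commenter describes, a Windows Firewall program rule does admit unsolicited inbound connections to whatever that program listens on, so the point the example makes is about scope: the program rule opens every port the binary ever binds to, from any remote address, while the port rules open exactly the listening ports needed and only to the local subnet.

```powershell
# Added example, not from the original thread. Assumes Windows 8/Server 2012+ (NetSecurity
# module) and an elevated prompt. Program path, ports and LAN range are hypothetical.
$serverExe = 'C:\Games\MyServer\server.exe'   # hypothetical listening game server
$lan       = '192.168.1.0/24'                 # hypothetical local subnet

# 1. Program-scoped exception: any port server.exe listens on, from any remote address.
New-NetFirewallRule -DisplayName 'GameServer (by program)' -Direction Inbound `
    -Program $serverExe -Action Allow -Profile Private | Out-Null

# 2. Port/address-scoped exceptions: only the game's UDP range and its TCP control port,
#    and only from hosts on the LAN. Protocol, port range, address range and direction
#    are all explicit, which is the selectivity the comment asks for.
New-NetFirewallRule -DisplayName 'GameServer UDP (by port)' -Direction Inbound `
    -Protocol UDP -LocalPort 27015-27020 -RemoteAddress $lan -Action Allow -Profile Private | Out-Null
New-NetFirewallRule -DisplayName 'GameServer TCP (by port)' -Direction Inbound `
    -Protocol TCP -LocalPort 27015 -RemoteAddress $lan -Action Allow -Profile Private | Out-Null

# Show what each rule actually permits so the difference in scope is visible:
# the program rule reports Protocol/Ports/Remote as 'Any'.
Get-NetFirewallRule -DisplayName 'GameServer*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Program  = $app.Program
        Protocol = $port.Protocol
        Ports    = ($port.LocalPort -join ',')
        Remote   = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize

# Clean up when done experimenting:
# Remove-NetFirewallRule -DisplayName 'GameServer*'
```

In practice you would keep only the second pair of rules; the program rule is created here purely so the table shows the two exception styles next to each other.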

Anonymous said...

I'm having a problem with a home PC as of yesterday's TM updates, too. BSODs left and right, TM using all of its CPU cycles but never actually finishing its load.
We bought Trend Micro and soon after my games started BSODing. I don't know if it's related but I'm suspicious. I put in a trouble report to them but they have yet to respond. I'm not real impressed so far.
-bill

PPMcBiggs said...

The problem is not any specific virus scanner. Virus scanners as a whole are pretty good. The problem is "security suites". These are simply hacked together attempts to generate more revenue by virus companies.

I say find a virus scanner that you like and just get the virus portion of whatever suite is being peddled. If you must buy a suite turn off everything but virus scanning.

Personally I use ESET Nod32. I switched to it when I moved to Vista, and I think it is pretty awesome. I found out about it from an antivirus benchmark type article. They put all virus software mentioned in the comments plus many more and did several sophisticated benchmarks. IMO ESET Nod32 was the best overall. Let me know if you desire the link, I will dig it up.

Anyway, if your network is secured correctly you shouldn't need a security suite. By configured correctly I mean a good hardware stateful packet inspection type firewall at the edge, a good virus scanner on everything. If you are large enough to host your own email, definitely spring for a virus scanner that can integrate with your mail server. Enable attachment scanning on your local antivirus software. If you have naughty users install a good spyware package (honestly a good antivirus should take care of this too by its very nature), such as Ad-Aware or Spybot (nothing says these are the best, do some research). Next install something such as SpywareBlaster to keep your users from visiting known bad sites. The last 3 programs are fairly passive, so it is up to you to do your due diligence and keep them maintained. Nothing good comes easy.

It is my opinion that you do not need a software firewall for PCs on a properly configured network. A good firewall, set up properly and regularly maintained, will stop any bad stuff that you may attract. At that point all a software firewall is good for is blocking traffic outbound from PCs, and who cares about that?

To clarify, do not rely on a single suite of software to be a silver bullet. Also don't bitch about security suites, they just plain suck. Also, any number of people who have dealt with virus scanners will have the same number of different experiences. For instance, I hate AVG. Lots of geeks I know love it. I think it is a terrible piece of shit (you get what you pay for). Norton Internet Security is a festering bowl of dog vomit, but Symantec AntiVirus is actually pretty damn good. Both made by the same company, the difference is the price and the target market. Norton is a suite for consumers and Symantec is for business. McAfee burned me more than 8 years ago, I haven't used them since and I will never use them again.

Anyway, just find some shit that works for you and keep in mind the complexity of today's operating systems. There is way too much shit going on at any one time for everything to go perfect all the time.

PPMcBiggs said...

I found the link I mentioned:

http://www.av-comparatives.org/

DimentoGraven said...

Dude, if you've got a site that is acting as a host waiting for communications, you really SHOULD set up a DMZ on your router and stick it out there so the rest of your network has less of a chance of being exposed.

I love being stealthed, and as you recall I used to have my own FTP site so that I could have access to files wherever I went due to my job requiring so much traveling. Eventually I set that puppy up in the DMZ, had the rest of my systems on the other side and had fun watching and reporting all the hack attempts.

I agree with PPMcBiggs, software firewalls on a system intended for user stuff is just silly.

Crimany, proper setup of a LinkSys router will protect you from 99.9999% of the bullshit hack attempts, and that 0.00001% that's left will be a result of not maintaining a decent anti-virus, anti-spyware setup on your systems.

I disagree with PPMcBiggs' assertion that anti-virus software will necessarily stop spyware. The reality of the situation is that spyware in many of its forms really doesn't act the same ways that virii will and therefore the majority of anti-virus software isn't designed to detect how a majority of spyware infects your systems.

At best you can only hope for an 'after the fact' detection of spyware with anti-virus software.

FYI, here's my set up (much of it based on old recommendations from PPMcBiggs actually):

Anti-Virus (currently using PC-cillin, but will change to Norton once the "free" year has expired on this system)
Spybot Search and Destroy
SpywareBlaster
Ad-Aware2007
SuperAntiSpyware (it's actually the best one I've found so far)
Microsoft Defender

And of course ALL of these are updated AT LEAST once a week, and run AT LEAST once a week, and they all run CONCURRENTLY!

Other than one nasty piece of crap that I'm pretty sure came installed on this PC from Dell, I haven't had one problem.

Anonymous said...

I posted earlier with similar problems - if you didn't know, TM put out a new version of the suite. I had to uninstall and reinstall, but it's working well now. So you can give it a try.
-bill

PPMcBiggs said...

Bah, all infectious things rely on the same principle. In order to remain infectious they are going to have to leave something (a file) behind. The nature of virus scanners is that they scan every file created, read or modified. When a piece of spyware does that your virus scanner _should_ pick it up. Although more and more regularly they won't because malware writers are getting smarter and antivirus companies are falling behind. See this:

http://arstechnica.com/news.ars/post/20080427-antivirus-vendors-pan-free-research-from-defcon-contest.html

That is one of the reasons I chose to try out ESET NOD32. It was rated as having the best heuristics at the site I previously linked.