logo

Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

System hang during shutdown or reboot

System hang during shutdown or reboot

Environment

  • Cb Protection: All Versions
  • Trend Micro cloud-based “Worry-Free Business Security Services” version 6.1.1280*
  • Trend Micro "Office Scan" version 12.0.1556*
    * The Trend Micro we know of where the issue started is on the above versions and newer

Symptoms

  • Customers who have Cb Protection and certain versions of Trend Micro products may experience hangs on shutdown or reboot.

Cause

During an endpoint’s system shutdown, a Trend Micro kernel module acquires exclusive system lock (PushLock) that is synchronizing access to a process’ virtual memory and does not release it. This results in other processing in the kernel that requires the lock to pause until the lock is released. Multiple threads in the stack result in a Wait state including the Cb Protection driver when the system is attempting a shutdown. Because the lock is never released, the system cannot continue shutting down and hangs. We recommend replacing the files listed in the Resolution section below with the Trend Micro version prior to the ones exhibiting the behavior.

Resolution

Trend Micro issued the following Hotfix:

OfficeScan Server, Version: XG Service Pack 1

Build: 5122

Please contact Trend Micro to request the Hotfix.

Additional Notes

Details on Trend Micro versions

From the memory dump file, the following timestamp is seen for the version of TMEvtMgr and TMPrefilt drivers that are problematic and exhibiting this behavior:

0: kd> lmvm TmEvtMgr
start             end  module name
fffff801`05b20000 fffff801`05b38000   tmevtmgr (deferred) 
    Image path: \SystemRoot\system32\DRIVERS\tmevtmgr.sys
    Image name: tmevtmgr.sys
    Timestamp:        Tue Sep 26 05:55:10 2017 (59CA23FE)
    CheckSum:         000205FC
    ImageSize:        00018000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
0: kd> lmvm TmPreFlt
start             end  module name
fffff804`d81a0000 fffff804`d81b1000   TmPreFlt (deferred) 
    Image path: \??\C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys
    Image name: TmPreFlt.sys
    Timestamp:        Fri Oct 20 01:43:39 2017 (59E98D0B)
    CheckSum:         000191CC
    ImageSize:        00011000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Labels (1)
Labels:
Was this article helpful? Yes No
No ratings
Article Information
Author:
klazaga
Creation Date:
‎04-05-2018
Views:
2069
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.