During an endpoint's system shutdown, a Trend Micro kernel module acquires an exclusive system lock (PushLock) that synchronizes access to a process's virtual memory and does not release it. Other processing in the kernel that requires the lock pauses until the lock is released. As a result, multiple threads, including those of the Cb Protection driver, end up in a Wait state while the system is attempting to shut down. Because the lock is never released, the system cannot continue shutting down and hangs. We recommend replacing the files listed in the Resolution section below with the Trend Micro versions prior to the ones exhibiting the behavior.
Trend Micro issued the following Hotfix:
OfficeScan Server, Version: XG Service Pack 1
Build: 5122
Please contact Trend Micro to request the Hotfix.
Details on Trend Micro versions
From the memory dump file, the following timestamps are seen for the versions of the TmEvtMgr and TmPreFlt drivers that are problematic and exhibit this behavior:
0: kd> lmvm TmEvtMgr
start end module name
fffff801`05b20000 fffff801`05b38000 tmevtmgr (deferred)
Image path: \SystemRoot\system32\DRIVERS\tmevtmgr.sys
Image name: tmevtmgr.sys
Timestamp: Tue Sep 26 05:55:10 2017 (59CA23FE)
CheckSum: 000205FC
ImageSize: 00018000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0: kd> lmvm TmPreFlt
start end module name
fffff804`d81a0000 fffff804`d81b1000 TmPreFlt (deferred)
Image path: \??\C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys
Image name: TmPreFlt.sys
Timestamp: Fri Oct 20 01:43:39 2017 (59E98D0B)
CheckSum: 000191CC
ImageSize: 00011000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
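To check an endpoint without a memory dump, the same value can be read from the driver file itself, because the Timestamp that lmvm reports is the TimeDateStamp field of the image's PE file header. The following is an added example, not Carbon Black or Trend Micro code: the function names and the sample header bytes are constructed for illustration, and the two hex timestamps are the ones shown in the output above.

```python
import struct
from datetime import datetime, timezone

# Timestamps of the problematic builds, copied from the lmvm output above.
AFFECTED = {
    "tmevtmgr.sys": 0x59CA23FE,
    "tmpreflt.sys": 0x59E98D0B,
}


def pe_timestamp(data: bytes) -> int:
    """Return the TimeDateStamp field of the PE file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 12 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine (2 bytes), NumberOfSections (2 bytes), TimeDateStamp (4 bytes)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def is_affected(file_name: str, data: bytes) -> bool:
    """True when the image carries the timestamp listed for that driver."""
    expected = AFFECTED.get(file_name.lower())
    return expected is not None and pe_timestamp(data) == expected


def stamp_utc(stamp: int) -> str:
    """Render a PE timestamp (seconds since 1970-01-01) in UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def _sample_image(stamp: int) -> bytes:
    """Constructed input: just enough of a PE header to carry a timestamp."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<HHI", 0x8664, 1, stamp)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. a copy of tmevtmgr.sys taken from the endpoint
        with open(path, "rb") as fh:
            image = fh.read(4096)
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        stamp = pe_timestamp(image)
        verdict = "AFFECTED" if is_affected(name, image) else "not listed"
        print(f"{name}: {stamp:08X} ({stamp_utc(stamp)} UTC) {verdict}")
```

Compare the hex value rather than the rendered date: the script prints UTC, while the date in the lmvm output is shown in a different time zone.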