OfficeScan Corporate Edition Disaster Recovery Plan

Prepared by: Frederick Yeo (TS-PH) – SPS OfficeScan Corporate Edition

OfficeScan Disaster Recovery Plan

Perform the following procedure:

1. Note down the following information from the original OSCE installation:

a.  The OSCE program directory path.

b.  The OSCE web port number (by default, this is 80).

c.  The OSCE client port number.

d.  The default configurations of your clients as defined on the OSCE Management Console.

e.  Whether Network Scanning and Shell Scanning were enabled during the initial install.

f.  The Management Console Password.

g.  The Unload and Uninstall Passwords.

2.  For the normal backup method:

a.  Back up all OfficeScan Server folders frequently. This includes backing up the security permissions on all OfficeScan Server folders.

b.  Back up the HKLM\SOFTWARE\TRENDMICRO\OFFICESCAN registry key.

c.  Exclude the following directories from backup:

i.  Ausrc.tmp, Aubackup and Virus folders.

3.  Take note that there is no internal backup mechanism for OSCE.
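
The backup in step 2 can be scripted with standard Windows tools. The following is an added example, not part of the original plan or of Trend Micro's tooling: it copies the server folders with their NTFS permissions, skips the excluded directories, and exports the registry key. The script parameters are assumptions; supply the program directory noted in step 1a and a backup destination of your choice.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of backup step 2 (folders + ACLs, registry key).
param(
    [Parameter(Mandatory)] [string]$OsceDir,    # assumption: path noted in step 1a
    [Parameter(Mandatory)] [string]$BackupDir   # assumption: backup destination root
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $OsceDir -PathType Container)) {
    throw "OSCE program directory not found: $OsceDir"
}

# One timestamped folder per run so earlier backups are never overwritten.
$target = Join-Path $BackupDir (Get-Date -Format 'yyyyMMdd-HHmmss')
$files  = Join-Path $target 'Files'
New-Item -ItemType Directory -Path $files -Force | Out-Null

# Step 2a + 2c: /E copies subfolders, /SEC copies NTFS security (ACLs),
# /XD skips the directories the plan excludes from backup.
$excluded = 'Ausrc.tmp', 'Aubackup', 'Virus'
$log      = Join-Path $target 'robocopy.log'
robocopy $OsceDir $files /E /SEC /R:2 /W:5 /NP "/LOG:$log" /XD $excluded | Out-Null
# robocopy exit codes 0-7 mean success or partial copy; 8 and above mean failures.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE); see $log"
}

# Step 2b: export the OfficeScan registry key.
$regFile = Join-Path $target 'officescan.reg'
reg.exe export 'HKLM\SOFTWARE\TRENDMICRO\OFFICESCAN' $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $regFile)) {
    throw "Registry export failed (exit code $LASTEXITCODE)"
}

# Sanity checks: excluded folders must be absent, export must not be empty.
$leaked = Get-ChildItem -LiteralPath $files -Recurse -Directory |
    Where-Object { $excluded -contains $_.Name }
if ($leaked) {
    throw "Excluded folders found in backup: $($leaked.FullName -join ', ')"
}
if ((Get-Item -LiteralPath $regFile).Length -eq 0) {
    throw "Registry export is empty: $regFile"
}

Write-Output "Backup complete: $target"
```

Run it from an elevated prompt on the OSCE server, since copying ACLs and exporting an HKLM key both require administrative rights.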

Types of events covered:

A.  OSCE server is down or needs to be replaced.

B.  IIS virtual directories are missing or not configured properly.

C.  OfficeScan Master Service cannot be started.

A. OSCE Server is down or needs to be replaced.

1.  To perform restoration on the same server, restore all the OSCE folders from the normal backup; or,

2.  Install a new instance of the OSCE server (same IP address, DNS/WINS name and port number.)

a.  Ensure that the following information matches the previous installation:

i.  OSCE program installation directory

ii. OSCE web port

iii.  OSCE client port

iv.  Network Scan / Shell Scan settings (is it enabled or disabled?)

v. Management Console password

vi.  Uninstall / Unload passwords.

b.  Restore the HTTPDB folder from backup.

3.  Install a new instance of OSCE server (different IP address, DNS/WINS name and port number.)

a.  Install OSCE using the setup program.

b.  Use the IPXFER.EXE tool to migrate all the clients.

B. IIS Virtual Directories are Missing or not Configured Properly.

1.  Go to the PCCSRV folder and look for the SVRINST.EXE file.

2.  Execute the SVRINST.EXE file at a DOS prompt with the /? option to view all the switches for this executable.

3.  Execute SVRINST.EXE with the -setvirdir switch (i.e., Svrinst.exe -setvirdir).

4.  Check the Internet Services Manager Default Web Site for the OSCE virtual directories. There should be at least 7 directories under the /officescan virtual directory, namely:

a.  cgi

b.  html

c.  remoteinstallcgi

d.  clientinstall

e.  download

f.  hotfix_admin

g.  hotfix_pcc95

h.  hotfix_pccnt

i.  hotfix_engine

j.  clientutility

k.  service

l.  tmopp


C. OfficeScan Master Service (ofcservice.exe) cannot be started.

1.  Check the sizes of the files in the HTTPDB folders to see whether any of them are large. Normally, a large DB size will cause the Master Service to fail while it is accessing the database (DB). Simply replace the HTTPDB folders with a clean copy to isolate whether the issue is DB related.

For a clean copy of the DB, install a new instance of the OSCE server and copy its HTTPDB folder onto the target server, or obtain a copy from our support centers.

2.  Enable ActiveSupport debugging and send us all the logs so we can analyze what is causing the problem.

Note: Click on the link, or refer to the last section of this document, for the procedure on how to perform this.

3.  Reboot the OSCE server.

4.  If the problem persists after rebooting, perform the manual removal procedure and reinstall the OSCE server.

Manual uninstall procedure for the OSCE server and client.

1.  OSCE SERVER

a.  Stop the OfficeScan Master Service. If this is not possible, use Task Manager or the Sysinternals Process Explorer tool to end the ofcservice.exe process.

b.  Delete the OfficeScan program directory.

c.  Disable the sharing of the PCCSRV folder (ofcscan share).

d.  Delete the OfficeScan program group from the Start menu.

e.  Delete the HKLM\software\trendmicro\officescan registry key.

f.  Proceed to Device Manager and Enable the View Hidden Devices option.

g.  Remove any hidden devices pertaining to the OfficeScan Master Service (right-click and select Uninstall).

h.  On the Internet Services Manager, remove the /officescan virtual directory on the default Web site.

i.  Reboot the server.

2.  OSCE CLIENT

a.  Stop the OfficeScanNT Listener and the OfficeScanNT Realtime Scan services. If this is not possible, use Task Manager or the Sysinternals Process Explorer tool to end the ntrtscan.exe and tmlisten.exe processes.

b.  End the pccntmon.exe process by using Task Manager or the Sysinternals Process Explorer tool.

c.  Delete the OfficeScan program directory.

d.  Delete the OfficeScan program groups.

e.  Delete the OfficeScan registry entries:

i.  Delete the HKLM\software\trendmicro key.

ii. Delete the OfficeScanNT Monitor entry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key.

f.  Proceed to Device Manager and Enable the View Hidden Devices option.

g.  Remove any hidden devices pertaining to OfficeScan (right-click and select Uninstall):

i.  Trend Micro VSAPI NT

ii. Trend Micro FILTER

iii.  NTRTSCAN (if available)

iv.  TMLISTEN (if available)

h.  Reboot the OSCE client machine.

Enabling ActiveSupport Debugging using ActiveSupport v1.5 tool

1.  ActiveSupport tool v1.5 will be provided to Shell for debugging Trend Software problems

2.  Refer to the complete procedure below on how to use this tool:

http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=7852

3.  For OfficeScan, select the following options:

a.  Collect Basic ServerProtect Information

b.  Collect ServerProtect Debug Information

c.  Collect TmFilter Debug Information

Important: Running the ActiveSupport tool and replicating the problem will gather all the required information, including the Drwtsn32.log and user.dmp files. However, check the ASsummary.log that is created to see whether any large file was left out of the AS folder because of its size. Make sure to include any such file, and upload it via FTP or burn it to a CD and send it to us.

Copyright 1989-2002 Trend Micro, Inc. All rights reserved.