What's new

Odd issue with Trend WFBS Service

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

DHLarson

Occasional Visitor
SmartScan (which uses server resources in an Akamai cloud to off-load scanning overhead) is a part of the Trend Worry Free Business Service anti-malware product. It fails to connect on Windows 8 devices behind the RT-AC68 running 376.45. However, the same Trend product works without flaw on Windows 7 devices behind the same router. The failing Windows 8 devices work perfectly on other networks or plugged into the Comcast boundary router that the Asus router is plugged into.

Config has some complexity with IP Tables entries for several static IP external-internal maps and a single port forward for the router IP itself.

I've cycled the firewall and DOS options without impact. Pings and tracert from the failing device to the targeted server work flawlessly. Wired and wireless makes no difference.

I've sent logs and wireshark files out the kazoo to Trend for help but until tonight never suspected the router of involvement since the Win 7 devices behind the router worked fine. But the fact that the Win 8 device works in front of the router and not behind it is rather interesting.

For info, ports used by the client which stay local to the network (clients share info to minimize network traffic):

Port 61117 (Broadcasting Server)
This is used to select which of the WFBS-SVC agents will be the Active/InActive agent. This is also used by the Active Agent (AA) to collect online/offline information and report it back to the server.

Port 61116 (HTTP Local Server)
This is used by the AA for component sharing, which includes (but is not limited to) configuration, pattern files, engines, hot fixes and the like.

Port 61119 (Downloader Listening Port)
This is used by the Downloader to receive all response before downloading the MSI package.

Port 21112 (Listening port)
This is used by the clients for communication with the AA/IA to get notifications.
Notify Client Update
Notify Client ScanNow
Notify Client Stop ScanNow
Notify Client ScanVA
Notify Client Uninstall
Notify Client Apply Firewall Settings
Notify Client Apply Opp Settings
Notify Client Apply Scan Mode( smart scan or traditional scan)
Notify Client Apply new Spyware Approved List

The internet server side connects via:

Port 443 (initiated by the client)
The WFBS-SVC server uses this port to communicate with the agents.

Port 5228, 5229, and 5230
This is used by Android devices. Set the outbound rule to android.apis.google.com. The Android device will connect to Google Cloud Messaging (GCM) through this port.

Port 5223, 2195 and 2196
This is used for iOS Devices. The iOS devices use these ports for APNs server communication, notification and feedback service. Communication Server communicates with Apple Push Notification Services via port 2195 and FQDN gateway.push.apple.com.

I'm at a loss and waiting for a response from Trend. Any history and suggestions on an approach? Any past lessons?

Don
 
After working with Trend's support organization for two months taking dumps, shipping logs, packet captures, etc., we finally determined that there is an unusual interaction between Asus routers (at least the AC-68RT) and Trend's Worry-Free Business Service (cloud based Malware protection.)

Users who use their SmartScan option on Windows 8 devices have issues with the SmartScan client losing it's connection with the SmartScan server based at Akamai. The conventional client has no similar issue. This seems to only impact Windows 8 or possible 8.1 clients - other Windows versions appear to work fine. SmartScan users connecting through non-Asus routers do not seem to have this issue.

The apparent problem has to do with how Windows 8 handles searching for the use of a proxy. The default configuration has automatic proxy detection enabled (located in IE properties under LAN options.) If enabled, SmartScan will not successfully run. Turn off automatic proxy detection and everything works fine. Trend believes it's a defect in Microsoft's code but it's unclear why the Asus router is connected. They had one other client reporting the defect in the US.

The issue appears to not be connected to a specific release. I tried multiple Merlin releases without impact - I did NOT go back to native Asus firmware. Currently running well under RT-AC68U_3.0.0.4_376.47_0 with the config change for diasabled auto proxy detect.

Just thought I'd let folks know.

Don
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top