Troubleshooting Common Trend Micro OfficeScan Issues and Fixes

Migrating from Trend Micro OfficeScan to Apex One — Step-by-step

Prerequisites (assume defaults): OfficeScan XG SP1 (or later) agents; admin access to servers; recent backups of OfficeScan server and database; maintenance window; test group of endpoints.

1. Prepare new Apex One server

   • Install Apex One server on a separate machine (recommended) following the Apex One Installation Guide.
   • Apply latest patches/hotfixes. Confirm Web Console build (Help → About).

2. Preserve OfficeScan settings and backups

   • Backup OfficeScan server files and database (full DB backup + application files).
   • Export OfficeScan policies if using Apex Central (use Policy Export Tool on OfficeScan: PolicyExportTool.exe -cmconsole).

3. Prevent automatic agent upgrades (on OfficeScan)

   • In OfficeScan/Apex One old console: Agents → Agent Management → Settings → Privileges and Other Settings → Other Settings → limit updates to Pattern files/engines/drivers (or as recommended) so agents don’t auto-upgrade until ready.

4. Export Apex One settings (if migrating Apex One settings)

   • On new Apex One server: Administration → Settings → Server Migration → Download Apex One Settings Export Tool.
   • Copy the tool to the old server and run ApexOneSettingsExportTool.exe to generate the export files.
   • Copy generated files to the new Apex One server and import via Administration → Settings → Server Migration → Import Settings.

5. Import OfficeScan policies to Apex Central (if using Apex Central)

   • On OfficeScan server run PolicyExportTool.exe to produce PolicyClient_CMConsole.zip.
   • In Apex Central: Policies → Policy Management → Product = Apex One Security Agent → Import Settings → select the ZIP.
   • Verify domain-level policies; manually recreate any per-client custom policies.

6. Configure network/proxy and prerequisites

   • Ensure agent proxy settings are set to “Use Windows proxy settings” (OfficeScan console) if agents will access Apex One via proxy.
   • Open required ports (default agent-server ports 4343 or 443). Verify DNS/FQDN resolution for Apex One.

7. Move agents to Apex One (do in batches)

   • From old Web Console: Agents → Agent Management → select domain/group (test 1–2 machines, then 10–15 per batch).
   • Right-click → Manage Agent Tree → Move Agent → choose “Move selected agent(s) to another server” → enter Apex One server FQDN or IP and port (4343 or 443) → Move.
   • Wait for agents to report to Apex One Web Console and verify under Agents → Agent Management.

8. Upgrade agents to Apex One (after move)

   • In Apex One console, select migrated agent groups (small batches).
   • Right-click → Settings → Privileges and Other Settings → Other Settings → change “Security agents only update the following” to All components (to push full Apex One agent).
   • Save and monitor. Agent upgrades may prompt user reboot (not forced). Repeat until all agents upgraded.

9. Post-migration validation

   • Verify agent status, policy assignment, protection components, signature/engine updates.
   • Run targeted scans and check event/logs for errors.
   • Confirm exceptions, DLP, application control, vulnerability protection settings (recreate or enable as needed).

10. Enable additional Apex One features (optional)

• If using Apex Central, register Apex One to Apex Central and enable features like Application Control, Endpoint Sensor, Vulnerability Protection per recommended sequence (some features require Apex Central and additional licensing and SQL prerequisites).

11. Decommission old OfficeScan server (after verification)

• Once all agents are migrated and stable for your verification period, follow backup and uninstall procedures for OfficeScan and Control Manager.
• Keep backups and retain a rollback plan for a defined retention period before full decommission.

Quick operational tips

• Test on a small pilot group first (1–20 endpoints).
• Move update servers/relay agents first to reduce bandwidth impact.
• Migrate in controlled batches and monitor network and server load.
• Consult Trend Micro KBs for specific KB IDs, tools, and version compatibility issues.

References: Trend Micro migration guides (Apex One Server Migration, Policy Export Tool, Quick Migration Guide).