This document provides information on Deep Security default port numbers, URLs, IP addresses, and protocols. If a port, URL or IP address is configurable, a link is provided to the relevant configuration page.
The following table provides details about the default ports. In this table, ports listed as mandatory must be open for the Deep Security system to function; ports listed as optional only need to be open for the features or components you deploy; throughout, port numbers are referred to simply as ports.
If you restrict the URLs allowed in your environment, make sure your firewall allows traffic from each source to the destinations described in the following table. For each FQDN, allow access to both its HTTP and HTTPS URLs. For example, for the FQDN files.trendmicro.com, allow access to files.trendmicro.com:80 and files.trendmicro.com:443.
I have been trying to uninstall the Trend Micro anti-virus software on my Mac (10.13.6) and have been encountering a lot of difficulty. Trend Micro's website refers to a couple of uninstaller options, but none of those are anywhere to be found on my computer.
There's a fairly technical (i.e., using terminal) instruction set by Trend Micro here, but I keep having trouble with it. At one point it tells you to remove the directory /Library/Application Support/TrendMicro, but I get "Permission denied" even when I attempt to remove it using sudo!
A lot of the difficulty in uninstalling Trend Micro comes from the fact that it spawns processes that then interfere with removing it (this actually makes sense for an anti-virus, but it certainly makes it a challenge when we need to remove it by hand). Basically, we're going to take this in two major moves: 1) killing those interfering processes, 2) deleting all the files associated with Trend Micro.
You're going to need to do this through the Terminal program. If you've never used Terminal before, be careful -- nothing below should harm anything (other than the Trend Micro anti-virus), but it's a very powerful tool, and you can really mess stuff up if you aren't careful. You can find it at Applications/Utilities/Terminal.
First, we need to knock out the processes that interfere with deleting Trend Micro. According to the uninstall guide from TrendMicro there are three main processes we want to kill (as a side note, it's a little unnerving that the names Trend Micro uses are so generic. It makes you worried they actually belong to something you want to keep):
You can use the command killall to kill processes that match by name, but I prefer to find the PID (Process ID number) associated with what I need to knock out, then issue kill commands for those PIDs. We can find the associated PIDs for each thing listed above with a command of this form:
When you enter that command*, it will return a list of all processes that have iCoreService somewhere in their name. Each process will have a number at the very front: that is the PID. Take note of those numbers. (Note: Your grep command will be one of the processes that gets returned -- you can ignore that, but nothing bad will happen if you try to kill it either.)
*: If you're wary of people telling you to enter random terminal commands, good for you! Here's what each part does: "ps -A" lists all processes currently running; "|" pipes that into the next command (in other words, that info is passed along to the next part); "grep" searches for matches to whatever it is given, in this case 'iCoreService'. In total, we're pulling out all those processes that have 'iCoreService' in the name.
At this point, it should tell you that you don't have the permissions to do that -- you need to prove that you really are an admin and should be allowed. Issue that same command, but now with sudo in front:
What's going on with this command? "sudo" means Super User Do, basically forcing the computer to do what you want because you're the admin; "kill" issues a signal to terminate the process with whatever PID number you pass in after.
When I did this, I got a total of 4 processes associated with iCoreService. After you've knocked that one out, remember that you'll also need to do it for TmLoginMgr (I got 1 process here) and for MainUI (I had 0 processes here, but it's possible that was due to a previous removal attempt by someone else.)
[Note: When I did this, I was not able to find every single folder. It's possible some were gone due to a previous removal attempt by someone else. Could also be due to those Trend Micro uninstall docs being more than four years old... The specific folders I could not find were the first three in the list above. But if they exist on your installation, you should still remove them.]
In other words, you should copy each line from the above list and execute it like this:
rm -rf "/Library/Application Support/TrendMicro"
(The quotes are really important for the folder with 'Application Support' in its path because of the space; other directories don't need them, but it doesn't hurt to follow that pattern for each one.) Some of the folders might not exist; that's okay.
More than any other command, this is the one you need to be very careful with. "rm" is the command to remove (delete) things; "-rf" tells it to delete folders and to recurse downward (delete folders within folders and so on downward); the double-quotes ensure that paths with a space still get deleted correctly.
Note: I had a lot of difficulty trying to remove /Library/Application Support/TrendMicro. Even with sudo, I still got "Permission denied". Luckily, I happened to double-check that all the processes from part 1 were still dead (another ps -A | grep iCoreService): nope, iCoreService had come back. I played kill whack-a-mole with it a couple more times, killing its new PIDs, then tried to very quickly issue the rm -rf "/Library/Application Support/TrendMicro" command after having killed all those processes and eventually got it to work. I think something was respawning those processes, so it was a matter of timing to knock them out and delete those files before they came back. (Once that directory was gone, they never came back.)
Finally, we can now remove the "Trend Micro Security Agent" app from our Applications folder. You can do that in the Finder (navigate to it in the Finder, right-click, Move to Trash [it will prompt for a password]) or you can do it via the Terminal if you're comfortable with that.
"launchctl" is a utility for interacting with 'launchd', a utility that manages other processes; "unload" tells 'launchctl' to disable processes associated with whatever you pass it next; the "/Library/LaunchDaemons/com.trendmicro.icore.av.plist" is the thing you're unloading.
"rm" is the same remove (delete) command as before; "/Library/LaunchDaemons/com.trendmicro.*" tells it to delete all files in that path with that starting structure, the * means anything that matches up to that point will get deleted.
[Note: It's possible this should happen earlier in the steps. I'm not sure what caused the iCoreService processes to come back, if I had done the unloading earlier it might have made the actual deletion in part 2 more direct with no need to re-issue kills on iCoreService processes. If you try it that way and it works better, please leave a comment!]
The uninstall guide from Trend Micro says to run /Library/Application\ Support/TrendMicro/TmccMac/TmLoginMgr.app/Contents/MacOS/TmLoginMgr -u, but when I did that I got this "LoginItem(/Library/Application Support/TrendMicro/TmccMac/TmLoginMgr.app) has already been removed": it could have been from a previous person's attempt to remove Trend Micro, but it also could have been something else. You might want to include it when you try to uninstall, just in case, but it also might be pointless.
I actually took on root user (using sudo su) to do a lot of this when I got stuck trying to remove /Library/Application Support/TrendMicro. In retrospect, I don't think that was actually necessary, it was just due to those iCoreService child processes blocking things, but if you have trouble, give that a shot.
Thank you, Erdős-Bacon, for doing that work! Your hunch is correct that your problems with processes coming back were because the launch daemons had not been unloaded. I took your work and changed the order around, resulting in a shorter script (must be run with sudo):
I do note that the menu bar item is still there until after a reboot. I'm not sure if there's a way to kill that without rebooting. Unlike you, I am "blessed" with many machines infested with this malware, so I have more chances to test if anyone has further suggestions.
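Both answers above boil down to the same verification problem: after each step, is anything still running, still registered as a launch daemon, or still on disk? The following read-only check script is an added example, not code from either answer; it deletes nothing and only looks for the process names and paths quoted in the thread. The `/Applications/Trend Micro Security Agent.app` path and the sample `ps -A` listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report which Trend Micro components named in the
# answers are still present. Run it before and after each step to confirm processes are
# gone and not respawning, and that the LaunchDaemon plists and directories are removed.
TM_PROCS="iCoreService TmLoginMgr MainUI"          # process names from the uninstall guide
TM_PATHS="/Library/Application Support/TrendMicro
/Applications/Trend Micro Security Agent.app"      # one path per line (assumed .app path)

# pids_for PATTERN PS_LISTING: print the PIDs (first column) of lines whose command
# contains PATTERN. The grep process is filtered out, which matters when the listing
# was produced interactively with `ps -A | grep PATTERN`, as the first answer warns.
pids_for() {
    printf '%s\n' "$2" | grep -F -- "$1" | grep -v grep | awk '{print $1}'
}

# count_pids PATTERN PS_LISTING: number of matching processes (0 if none).
count_pids() {
    pids_for "$1" "$2" | wc -l | tr -d ' '
}

# report PS_LISTING: one status line per item; returns 0 only if nothing remains.
report() {
    left=0
    for name in $TM_PROCS; do
        n=$(count_pids "$name" "$1")
        echo "process $name: $n running"
        [ "$n" -eq 0 ] || left=1
    done
    for f in /Library/LaunchDaemons/com.trendmicro.*; do   # wildcard from the answer
        if [ -e "$f" ]; then echo "launch daemon plist present: $f"; left=1; fi
    done
    old_ifs=$IFS; IFS='
'
    for p in $TM_PATHS; do                                  # newline-separated paths
        if [ -e "$p" ]; then echo "path present: $p"; left=1; fi
    done
    IFS=$old_ifs
    return $left
}

# Constructed sample of `ps -A` output (not a real capture), including the grep line
# a user sees when searching interactively.
SAMPLE_PS='  PID TTY           TIME CMD
  101 ??         0:03.10 iCoreService
  102 ??         0:00.20 iCoreService
  250 ??         0:00.05 /Library/Application Support/TrendMicro/TmccMac/TmLoginMgr.app/Contents/MacOS/TmLoginMgr
  333 ttys000    0:00.01 grep iCoreService'

# Check the live process table when run directly (exit status 1 means leftovers).
report "$(ps -A 2>/dev/null)"
```

A non-zero exit status after the LaunchDaemons have been unloaded and the directories removed means something is still respawning, which is exactly the whack-a-mole situation the first answer describes.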
Use the Content Hub to install the connector; see the connector installation procedure for the detailed steps.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-trend-micro-vision-one
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.