WARNING: Issue with Trend Micro AV definitions affecting SharePoint

UPDATE: 12/7 - We have released a KB article to provide more information.

I've been alerted to an issue with Trend Micro antivirus scanners causing problems for SharePoint, and reporting SharePoint files as being infected with a virus. Apparently there was an issue with the updates released sometime last night/this am, which flagged SharePoint javascript files (initstrings.js, maybe others) as being infected on both the client and server. I believe Trend Micro updated their AV definitions at noon eastern time on 12/6/2016(today) to address this problem. I understand that there are at least two options to resolve this, as told to me by SharePoint farm owners.

  1. Role back the definition update. Ensure the servers and client machines get this update - I've been told this started making things work.
  2. Stop AV scan on the SharePoint servers. Replace/restore any missing/quarantined files. Roll back or roll past the update on the client machines.

This post should NOT serve as the definitive guidance for this issue. Please contact TrendMicro support for the correct guidance. This post is meant to be an advisory post. 

If you're running TrendMicro on SharePoint Servers, it's critical to have the proper file exclusions in place. See the KB below for proper info.



UDPATE: Info from TrendMicro

"December 6, 2016: 
Trend Micro received several customer reports of a false alarm (FA) detection on what is believed to be a file related to Microsoft SharePoint: “initstrings.js” with the detection name of JS_NEMUCOD.SMAA15 using the Official Pattern Release (OPR) of 12.941.00.

As of 15:15 GMT, Trend Micro has removed OPR 12.941.00 from our global ActiveUpdate (AU) servers and is in the process of uploading a rollback version of the last known good pattern file (12.943.00).

The Global Smart Scan version of 12.943.00 is available now (as of approximately 15:40 GMT) and the conventional version of the pattern is estimated to be available by 17:00 GMT."


Comments (0)

Skip to main content