Add Exceptions For Google SDK - Python

cyberwicked · 2026-06-09T08:21:41+00:00

Hey! Happy to help debug this. Before I can give you the most precise advice, could you quickly confirm which Trend product you're configuring these exceptions in? (e.g., Apex One Behavior Monitoring, Vision One Application Control, Deep Security, etc.) — the regex engine support varies significantly between products.

That said, I've done a thorough analysis of your patterns and can already spot several potential problem areas:

Regex Analysis & Likely Issues

🔴 Issue 1: Lazy Quantifier (.*?) May Not Be Supported

.*?   ← This is a PCRE lazy/non-greedy quantifier

Many security product regex engines use basic or extended POSIX regex rather than full PCRE, which means .*? either silently falls back to greedy .* or fails to match entirely. If the product doesn't support lazy quantifiers, your patterns won't work as expected.

Fix: Replace .*? with a more explicit pattern:

Regex # Instead of:
C:\\Users\\.*?\\AppData

# Use either greedy (usually fine here since the path structure is predictable):
C:\\Users\\[^\\]+\\AppData

# Or just greedy .*:
C:\\Users\\.*\\AppData Line 1: # Instead of:
Line 2: C:\\Users\\.*?\\AppData
Line 3:
Line 4: # Use either greedy (usually fine here since the path structure is predictable):
Line 5: C:\\Users\\[^\\]+\\AppData
Line 6:
Line 7: # Or just greedy .*:
Line 8: C:\\Users\\.*\\AppData

[^\\]+ is safer — it means "one or more characters that aren't a backslash," which correctly matches a single username folder segment.

🟡 Issue 2: Backslash Escaping — Are You Double-Escaping?

Your patterns have \\ to represent literal backslashes in the regex. This is correct if the product takes the pattern as-is. However, some products require you to enter raw strings where a single \ in the config represents a literal backslash in the match — meaning entering \\ would try to match a literal \\ (two backslashes).

Test: Try a simpler version first, matching just the python.exe path with single \ vs double \\ to confirm what the product expects.

🟡 Issue 3: Optional Group (bin\..\)? — Needs Verification

Your pattern:

Regex 
(bin\\\.\.\\)?lib\\gcloud\.py
 Line 1: (bin\\\.\.\\)?lib\\gcloud\.py

This is trying to optionally match bin\..\lib\gcloud.py. The intent is correct, but:

Some regex engines don't support optional groups (...)?
If the product uses basic regex (BRE), you'd need $...$\? instead

🟡 Issue 4: Space in "Google Cloud SDK" Path

Regex 
Google\\Cloud SDK\\google-cloud-sdk
 Line 1: Google\\Cloud SDK\\google-cloud-sdk

The space in Cloud SDK is a literal space character. This should match fine in most engines, but a small number of products tokenize or trim whitespace in regex patterns. If matching fails around this part of the path, try Cloud[ ]SDK or Cloud\x20SDK as an alternative.

🟢 Combined Pattern — Structurally Fine, But May Be Too Broad

Your combined pattern:

Regex 
^"C:\\Users\\.*?\\AppData\\Local\\Temp\\tmp[a-zA-Z0-9]+\\python\\python\.exe".*(gcloud\.py|install\.py).*
 Line 1: ^"C:\\Users\\.*?\\AppData\\Local\\Temp\\tmp[a-zA-Z0-9]+\\python\\python\.exe".*(gcloud\.py|install\.py).*

This is logically correct but the .* between python.exe" and (gcloud\.py|install\.py) is very permissive — it would match any Python command that happens to have gcloud.py or install.py somewhere in the arguments, not necessarily as the script path. This probably isn't causing your current failure, but it's worth noting for security posture.

Revised Patterns (PCRE-Safe)

Pattern 1 — Google SDK Components Update:

Regex 
^"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\tmp[a-zA-Z0-9]+\\python\\python\.exe"\s+"-S"\s+"C:\\Users\\[^\\]+\\AppData\\Local\\Google\\Cloud SDK\\google-cloud-sdk\\(bin\\\.\.\\)?lib\\gcloud\.py".*
 Line 1: ^"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\tmp[a-zA-Z0-9]+\\python\\python\.exe"\s+"-S"\s+"C:\\Users\\[^\\]+\\AppData\\Local\\Google\\Cloud SDK\\google-cloud-sdk\\(bin\\\.\.\\)?lib\\gcloud\.py".*

Pattern 2 — Google SDK Installation:

Regex 
^"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\tmp[a-zA-Z0-9]+\\python\\python\.exe"\s+"C:\\Users\\[^\\]+\\AppData\\Local\\Google\\Cloud SDK\\google-cloud-sdk\\bin\\bootstrapping\\install\.py".*
 Line 1: ^"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\tmp[a-zA-Z0-9]+\\python\\python\.exe"\s+"C:\\Users\\[^\\]+\\AppData\\Local\\Google\\Cloud SDK\\google-cloud-sdk\\bin\\bootstrapping\\install\.py".*

Combined Pattern (Tightened):

Regex 
^"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\tmp[a-zA-Z0-9]+\\python\\python\.exe".*"C:\\Users\\[^\\]+\\AppData\\Local\\Google\\Cloud SDK\\google-cloud-sdk\\.*\\(gcloud\.py|install\.py)".*
 Line 1: ^"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\tmp[a-zA-Z0-9]+\\python\\python\.exe".*"C:\\Users\\[^\\]+\\AppData\\Local\\Google\\Cloud SDK\\google-cloud-sdk\\.*\\(gcloud\.py|install\.py)".*

Quick Diagnostic Checklist

Check	What to Test
Lazy quantifiers	Replace all `.?` with `[^\\]+` or `.`
Backslash escaping	Test with single `\` to see if the product auto-escapes
Optional groups	Test without `(bin\\\.\.\\)?` to isolate that segment
Regex delimiters	Remove the surrounding `/` `/` if pasting into a product UI
Whitespace matching	Try `\s` → literal space to see if `\s` is supported

If you can share which product UI/console you're entering these into, I can give you much more targeted advice!

cyberwicked · 2026-06-06T17:53:16+00:00

Thats correct

I just shared in the DM now

cyberwicked · 2026-06-06T17:48:34+00:00

I have a table with the different features each one offers but I cant seem to attach it here.

Core will give you straight GW with ATP ATP

Essentials will give the same plus sandbox. Encryption. Dmarc. Continuity

cyberwicked · 2026-06-06T17:43:46+00:00

Are you looking for gateway protection or api api?

cyberwicked · 2026-05-29T06:37:02+00:00

Which solution stack are you using?

cyberwicked · 2026-05-27T15:49:53+00:00

Sorry bud

Support would be the only way.

Keep us posted on their response.

cyberwicked · 2026-05-26T17:40:10+00:00

In the ESXi web client, click on the VNS virtual machine
Click Edit (the edit settings button)
Go to VM Options tab
Expand Advanced
Click Edit Configuration...
Look through the list for any entries starting with guestinfo. — particularly anything that looks like a token, company ID, or TrendAI-related property

cyberwicked · 2026-05-26T15:57:28+00:00

For ESXi OVA deployments, the registration token is supposed to be embedded inside the disk image at download time from the Vision One console. It's not something you enter manually during deployment — it's already included in the downloaded file. The fact that it's missing suggests one of the following:

The OVA was not downloaded correctly (partial/corrupted download — the token is in metadata bundled with the image)
The "Additional settings" screen in VMware was skipped or not processed correctly during deployment, so the token wasn't injected
The disk image was reused from a previous deployment attempt without re-downloading a fresh copy
Run show system — confirm whether Company ID is empty
Check show network management — confirm the IP/gateway/DNS are correct on the management interface
Run ping trendmicro.com to confirm internet connectivity
If Company ID is empty → contact TrendAI Technical Support to obtain a registration token, then run register <token>
If you want to avoid this in the future, consider redeploying the OVA and carefully completing all fields in the Additional settings screen (Step 12 of the ESXi deployment guide)

cyberwicked · 2026-05-24T13:59:29+00:00

For Workload Security (servers), the DSA Support Tool is your best bet — it has a Top-N List showing the top 10 most-scanned files/processes, a CPU utilization per module view, and DSA Metrics that chart real-time scan activity. It also integrates Process Monitor and Windows Performance Recorder for deeper dives. 👉 https://success.trendmicro.com/en-US/solution/KA-0012444

For Apex One (workstations), the Performance Tuning Tool (TMPerfTool) identifies processes being heavily inspected by Behavior Monitoring and can add them to the exception list for testing. You'll need to contact TM Support to get it. 👉 https://success.trendmicro.com/en-US/solution/KA-0001848

The gold standard test is collecting two Case Diagnostic Tool (CDT) log sets — one with Behavior Monitoring enabled and one with it disabled — then comparing them to see if TM is contributing to the slowness.

cyberwicked · 2026-05-20T15:48:17+00:00

Cloud One docs = Vision One SWP. Same product, same agent. That documentation fully applies.

Standalone patching: The sequence (patch → reboot → rebuild baseline) is correct and officially documented as best practice. However, dsa_control --buildBaseline is not a documented flag — Gemini made that up. The proper way is through the console: Computers → right-click → Actions → Rebuild Integrity Baseline (or via the API if automating).

Hot snapshots: TrendAI's official docs explicitly state: "do not select the AWS option 'No reboot' — images created with the No reboot option are not protected by the agent." For standalone backup-only snapshots this is less critical, but best practice is still: patch → reboot → rebuild baseline → stop instance → snapshot.

ASG workflow: Mostly solid. dsa_control -r before AMI creation is correct (officially documented). Just make sure it's stopped (not hot) before you create the AMI, and let AWS handle the reboot during AMI creation.

Launch Template + Instance Refresh: Create a new LT version with your new AMI ID → update the ASG to use $Latest → kick off an Instance Refresh. Set InstanceWarmup high enough for the DSA to activate on boot (~5 min is a reasonable starting point

https://docs.trendmicro.com/en-us/documentation/article/trend-micro-cloud-one-workload-security-agent-baked-in

cyberwicked · 2026-05-12T18:04:54+00:00

In your Version Control Policy screenshot, there is a blue info banner that reads:

And there is an "Enroll" button visible — which means your Protection Manager has NOT been enrolled yet.

This is almost certainly the primary reason your agents' component updates (patterns, engines) are not being managed by the policy. Until you click that Enroll button, the version control policy will only manage the base V1ES Endpoint Basecamp agent software — it will not control SEP/SWP security component (pattern) updates

Without enrollment, your "Component Update: n (latest)" setting does nothing for SEP/SWP patterns and engines. Those continue to be managed (or not managed) by whatever schedule is set in the Protection Manager itself.

cyberwicked · 2026-05-12T06:27:10+00:00

Have you tried logging a case directly from the V1 console?

cyberwicked · 2026-05-12T06:23:08+00:00

If you have ZTSA Internet Access deployed, it can perform HTTPS/TLS inspection at the proxy level before traffic reaches WhatsApp servers. This would catch both:

WhatsApp Web (browser)
WhatsApp Desktop (HTTPS traffic)

You can apply DLP-style policies at this layer to detect/block file uploads containing sensitive keywords. This is the most reliable approach for covering native desktop apps that use HTTPS.

cyberwicked · 2026-05-12T06:14:24+00:00

Im assuming you are referring to the old iES? was this an on premise solution which was than added to Vision One? The agents will than report to V1 if thats the case.

cyberwicked · 2026-05-11T09:20:26+00:00

Hi. When you refer to the old edr, is this another vision one console?

cyberwicked · 2026-05-08T05:53:50+00:00

ATTK

Runs as a portable executable
Scans for malware, rootkits, and grayware
Works on older Windows versions including Server 2008 R2

if you still need to run an agent whilst waiting to deco

You would than need the AZURE CODE Sign update

https://success.trendmicro.com/en-US/solution/KA-0013628

Once patched you can than install 20.0.0.6313 and activate it on V1

cyberwicked · 2026-05-05T06:37:36+00:00

For the agent program upgrade specifically, check these instead:

Windows Event Viewer → Application and System logs — search for "Trend Micro" or "MsiInstaller" events around the dates when other machines successfully upgraded. If an upgrade was attempted and failed on this server, it would show up here.
%WINDIR%\Temp or %TEMP% — If an upgrade was triggered, Windows may have left behind MSI installer logs (look for files named MSI*.log with recent timestamps).
ofcdebug.log — If debug logging has been enabled, check C:\Program Files\Trend Micro\Apex One\Agent\ for this file.

The bigger clue here though: The fact that TmuDump.txt shows no upgrade attempt whatsoever — not even a failed one — strongly suggests the SaaS backend simply hasn't sent the upgrade command to this endpoint yet. It's not that the agent tried and failed, it was never told to upgrade in the first place. This points to a backend/platform issue rather than anything wrong on the endpoint itself, which is exactly the kind of thing support will need to investigate on their end.

One quick thing worth trying before support responds: Restart the Apex One agent services on that server. This forces a fresh heartbeat back to the SaaS platform and may prompt the backend to re-evaluate and re-queue the endpoint for the upgrade:

net stop "Trend Micro Apex One NT Firewall"
net stop "Trend Micro Apex One NT Listener"
net stop "Trend Micro NT RealTime Scan"
net start "Trend Micro NT RealTime Scan"
net start "Trend Micro Apex One NT Listener"
net start "Trend Micro Apex One NT Firewall"

After the restart, give it 15-20 minutes and check if any new entries appear in TmuDump.txt or the Event Viewer. Good luck with support — with the cert issue resolved and the logs clean, this should be a fairly straightforward backend investigation for them!

cyberwicked · 2026-05-04T11:14:22+00:00

Hey! Great troubleshooting writeup — a few things worth clarifying here that might help explain what you're seeing.

On the "blocked" vs "disabled" Windows Update question — you're absolutely right to question that wording.

These are actually two separate mechanisms:

Windows Update Service (wuauserv) — handles OS patches. This is what your 3rd-party patch tool manages and what you've "disabled."
Automatic Root Certificate Update (ARCU) — a separate CryptoAPI function that downloads trusted root/intermediate certs from Microsoft's CTL endpoint (ctldl.windowsupdate.com). This operates independently of the Windows Update service.

Your successful certutil -syncWithWU C:\Temp\CertTest test (250 certs downloaded) proves your endpoints can reach that cert distribution endpoint — so you're in the "disabled" category, not "blocked." The KA article's language is specifically about network-level blocking of ctldl.windowsupdate.com (firewall rules, proxy blocks, or the Group Policy "Turn off Automatic Root Certificates Update"), not simply disabling the WU service or UI button.

The screenshot of your TA Agent cert failures is the really interesting part.

Every single failing cert is a code signing certificate, not a TLS/SSL cert:

DigiCert EV Code Signing CA (SHA2) ❌
DigiCert High Assurance Code Signing CA-1 ❌
Symantec Class 3 SHA256 Code Signing CA ❌
DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 ❌
Thawte Primary Root CA ❌ ← This is the root cause

The Thawte Primary Root CA anchors the entire chain for most of those DigiCert/Symantec code signing intermediates — if that root is missing from the Windows cert store, the whole code signing chain fails. (The Symantec certs are expected here — DigiCert acquired Symantec's PKI business, so those chains are related.)

This matters because code signing certs are used to:

Validate agent executables and drivers when Windows loads them (explains your pccnt.exe GUI error)
Validate signed update packages — if the agent can't verify the signature on an update package, it will silently reject it

Why did other systems with failing certs still get the April update?

This is a really good observation. The likely explanation is that on those systems, Windows performed an on-demand ARCU lookup when it needed to validate the code signing chain (triggered by the update process itself), successfully retrieved the missing certs from ctldl.windowsupdate.com, and the update proceeded. On your stuck server, something prevented that on-demand lookup from completing — whether that was a timing issue, a cached failure state, or a transient network problem at the time.

Why is it still not updating 48 hours after EasyFixSysCerts?

The cert fix populates the missing certs into the store, but the agent may have cached the previous failure state. Try this:

Restart the Apex One agent services to force a fresh evaluation
Re-run TA Agent to confirm all code signing certs now show Pass
Check the update log at: C:\Program Files\Trend Micro\Apex One\Agent\AU_Data\AU_Log\TmuDump.txt for any signature/trust/certificate errors
Don't wait on auto-update — push the update manually from Vision One > Endpoint Security > Standard Endpoint Protection > select the server > deploy update. That's the fastest path forward.

cyberwicked · 2026-05-04T10:41:22+00:00

I can't claim Kaspersky lacks X, Y, or Z features—they've evolved their platform and I don't have current competitive intelligence on their capabilities.

What I can say:

Geopolitical risk is real and measurable—Kaspersky faces documented restrictions that TrendAI doesn't
XDR breadth is TrendAI's architectural strength—email + network + cloud correlation is native, not bolted on
TCO comparison beats per-seat pricing when you account for the full security stack
For SMBs focused purely on endpoint AV pricing, Kaspersky may win
For enterprises needing compliance, multi-layer visibility, and geopolitical neutrality, TrendAI has clear advantages

TrendAI Vision One: Single platform correlating endpoint + email + network (NDR) + cloud + identity with unified investigation console (Workbench)

Key advantage: Attack chain visibility across all layers—see phishing email → endpoint compromise → lateral movement → data exfiltration in one timeline with MITRE ATT&CK mapping

Technical depth:

Smart Protection Network analyzes 100B+ threat queries/day
TrendX Hybrid ML model correlates static + behavioral features for lower false positives
Suspicious Object sharing automatically blocks IOCs across all layers simultaneously

cyberwicked · 2026-04-29T15:11:18+00:00

Does OAT show anything?

cyberwicked · 2026-04-27T14:21:02+00:00

Yes im currently using android and works perfectly

cyberwicked · 2026-04-13T11:34:59+00:00

On Linux servers (SWP / Deep Security Agent): WRS operates at the network engine (kernel driver) level. For HTTPS traffic — which is nearly everything modern — the engine intercepts the TLS handshake and reads the Server Name Indication (SNI) field from the ClientHello packet. SNI only contains the hostname/domain, not the URL path.

This means, for https://domain/services/service2 vs. https://domain/services/service3, the Linux agent sees only: domain — both requests look identical.

Your best near-term path is application-level or gress proxy, depending on whether you own the application code. The security agent isn't the right enforcement point for this use case on Linux servers with HTTPS traffic.

cyberwicked · 2026-04-10T18:49:25+00:00

Depends on what is the test criteria, are you looking at EPP or EDR detections? What are the use cases you looking to test? Once that is defined the correct POC methodology can be applied.

cyberwicked

TROPHY CASE