Instana

The community for performance and observability professionals to learn, to share ideas, and to connect with others.

View Only

Back to discussions

Expand all | Collapse all

[windows] - Trend Micro Apex One Scanner Flags Agent's Log Collector as Trojan

1. [windows] - Trend Micro Apex One Scanner Flags Agent's Log Collector as Trojan

Like
Philipp Pfaff
Posted 6 hours ago

Reply
We've got a notification from Trend Micro's security scanner on Windows Servers running the Instana Agent 2025.08.27.0718

The executable was killed and quarantined by Trend Micro's scanner

In the Instana Agent Logs, exceptions started to appear just afterwards:
2025-08-23T04:59:40.436+02:00 | ERROR | tana-global-scheduler-thread-4-1 | WindowsUtilImpl  | com.instana.agent-process-handling - 1.0.26 | Exception while retrieving process metrics data from windows-service
java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.connect0(Native Method) ~[?:?]
at java.net.PlainSocketImpl.socketConnect(PlainSocketImpl.java:101) ~[?:?]
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:412) ~[?:?]
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:255) ~[?:?]
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:237) ~[?:?]
at java.net.Socket.connect(Socket.java:615) ~[?:?]
at java.net.Socket.connect(Socket.java:563) ~[?:?]
at sun.net.NetworkClient.doConnect(NetworkClient.java:182) ~[?:?]
at sun.net.www.http.HttpClient.openServer(HttpClient.java:509) ~[?:?]
at sun.net.www.http.HttpClient.openServer(HttpClient.java:604) ~[?:?]
at sun.net.www.http.HttpClient.<init>(HttpClient.java:277) ~[?:?]
at sun.net.www.http.HttpClient.New(HttpClient.java:376) ~[?:?]
at sun.net.www.http.HttpClient.New(HttpClient.java:397) ~[?:?]
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1273) ~[?:?]
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1207) ~[?:?]
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1101) ~[?:?]
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:1035) ~[?:?]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1634) ~[?:?]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1562) ~[?:?]
at com.instana.agent.process.handling.windows.DefaultWindowsServiceClient.executeRequest(DefaultWindowsServiceClient.java:68) ~[?:?]
at com.instana.agent.process.handling.windows.WindowsUtilImpl.getExtensionsServiceResponse(WindowsUtilImpl.java:381) ~[?:?]
at com.instana.agent.process.handling.windows.WindowsUtilImpl.getAllProcessMetrics(WindowsUtilImpl.java:273) ~[?:?]
at com.instana.agent.process.handling.windows.WindowsUtilImpl.lambda$createScheduledFutureToReadProcessMetrics$0(WindowsUtilImpl.java:122) ~[?:?]
at com.instana.agent.api.ObservableRunnable.run(ObservableRunnable.java:65) ~[?:?]
at com.instana.agent.util.ErrorLoggingRunnable.run(ErrorLoggingRunnable.java:33) ~[?:?]
at com.instana.agent.task.orchestrator.api.ExecutionPipeline.execute(ExecutionPipeline.java:247) ~[?:?]
at com.instana.agent.task.orchestrator.api.ExecutionPipeline.lambda$wrapWithErrorLogging$5(ExecutionPipeline.java:357) ~[?:?]
at com.instana.agent.util.ErrorLoggingRunnable.run(ErrorLoggingRunnable.java:33) ~[?:?]
at com.instana.agent.task.orchestrator.impl.ScheduledFutureCallbackTask.run(ScheduledFutureCallbackTask.java:66) ~[?:?]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[?:?]
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) ~[?:?]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) ~[?:?]
at com.instana.agent.task.orchestrator.impl.CallbackDecoratedRunnableScheduledFuture.run(CallbackDecoratedRunnableScheduledFuture.java:53) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[?:?]
at java.lang.Thread.run(Thread.java:829) [?:?]

The agent log in the backend UI there's INFO level output to be found:
2025-08-28T10:09:06.648+0200 | INFO | or-thread-23-929 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - Checking the status
2025-08-28T10:09:06.648+0200 | INFO | or-thread-23-929 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - Looking for LogCollector in : data\repo\com\instana\dotnet-logcollector-win-x64\1.302.1\dotnet-logcollector-win-x64-1.302.1\LogCollector.exe
2025-08-28T10:09:06.648+0200 | INFO | or-thread-23-929 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - LogCollector Not Exists in path :data\repo\com\instana\dotnet-logcollector-win-x64\1.302.1\dotnet-logcollector-win-x64-1.302.1\LogCollector.exe
2025-08-28T10:10:38.595+0200 | INFO | or-thread-23-926 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - Checking the status
2025-08-28T10:10:38.611+0200 | INFO | or-thread-23-926 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - Looking for LogCollector in : data\repo\com\instana\dotnet-logcollector-win-x64\1.302.1\dotnet-logcollector-win-x64-1.302.1\LogCollector.exe
2025-08-28T10:10:38.611+0200 | INFO | or-thread-23-926 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - LogCollector Not Exists in path :data\repo\com\instana\dotnet-logcollector-win-x64\1.302.1\dotnet-logcollector-win-x64-1.302.1\LogCollector.exe
2025-08-28T10:10:48.613+0200 | INFO | or-thread-23-916 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - Checking the status
2025-08-28T10:10:48.613+0200 | INFO | or-thread-23-916 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - Looking for LogCollector in : data\repo\com\instana\dotnet-logcollector-win-x64\1.302.1\dotnet-logcollector-win-x64-1.302.1\LogCollector.exe
2025-08-28T10:10:48.613+0200 | INFO | or-thread-23-916 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - LogCollector Not Exists in path :data\repo\com\instana\dotnet-logcollector-win-x64\1.302.1\dotnet-logcollector-win-x64-1.302.1\LogCollector.exe
2025-08-28T10:11:18.608+0200 | INFO | or-thread-23-916 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - Checking the status
2025-08-28T10:11:18.624+0200 | INFO | or-thread-23-916 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - Looking for LogCollector in : data\repo\com\instana\dotnet-logcollector-win-x64\1.302.1\dotnet-logcollector-win-x64-1.302.1\LogCollector.exe
2025-08-28T10:11:18.624+0200 | INFO | or-thread-23-916 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - LogCollector Not Exists in path :data\repo\com\instana\dotnet-logcollector-win-x64\1.302.1\dotnet-logcollector-win-x64-1.302.1\LogCollector.exe
2025-08-28T10:12:34.660+0200 | INFO | or-thread-23-929 | AgentLogBackendRequestHandler    | 93 - com.instana.agent-sensor - 1.0.1 | | Forwarding log to backend for max 10 minutes.
2025-08-28T10:12:42.622+0200 | INFO | or-thread-23-923 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - Checking the status
2025-08-28T10:12:42.622+0200 | INFO | or-thread-23-923 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - Looking for LogCollector in : data\repo\com\instana\dotnet-logcollector-win-x64\1.302.1\dotnet-logcollector-win-x64-1.302.1\LogCollector.exe
2025-08-28T10:12:42.622+0200 | INFO | or-thread-23-923 | ClrLogsDownloadRequestHandler    | 216 - com.instana.discovery-netcore - 1.0.71 | | CLR - Log Collector - LogCollector Not Exists in path :data\repo\com\instana\dotnet-logcollector-win-x64\1.302.1\dotnet-logcollector-win-x64-1.302.1\LogCollector.exe
2025-08-28T10:18:08.620+0200 | INFO | or-thread-23-931 | AgentLogBackendRequestHandler    | 93 - com.instana.agent-sensor - 1.0.1 | | Forwarding log to backend stopped.

Metrics of Processes do not seem to be affected

Anyone out there having seen the same behaviour?

Should the documentation may be have a note about running Trend Micro Apex One on Machines running the Instana Agent?

#Agent

------------------------------
Philipp Pfaff
------------------------------

Instana

Instana

[windows] - Trend Micro Apex One Scanner Flags Agent's Log Collector as Trojan

1. [windows] - Trend Micro Apex One Scanner Flags Agent's Log Collector as Trojan

Additional
Resources

Office

Quick Links

Instana

Instana

[windows] - Trend Micro Apex One Scanner Flags Agent's Log Collector as Trojan

1. [windows] - Trend Micro Apex One Scanner Flags Agent's Log Collector as Trojan

Related Content

InstanaAgent Node.js collector issue

IBM Instana wins TrustRadius 2025 Top Rated award

Streamline Your Observability with IDOT: The OpenTelemetry Collector Built for Instana

Smart Tracing in Node.js: How to Focus on What Matters with Instana

Tracing Java SpringBoot applications in SAP Business Technology Platform by using Instana

Additional Resources

Office

Quick Links

Additional
Resources