Trend Micro™ Deep Security™ 20 Training for Certified Professionals eBook

Copyright © 2021 Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Portions of this manual have been reprinted with permission from other Trend Micro documents.

The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.

Information in this document is subject to change without notice. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.

Released: February 18, 2021
Trend Micro Deep Security 20 Software Courseware v1.1

Trend Micro™ Deep Security™ 20 Training for Certified Professionals Student Guide
Trend Micro Deep Security 20 Training for Certified Professionals - Student Guide

Lesson 1: Deep Security Overview ... 1
  Trend Micro Solutions ... 1
    User Protection ... 1
    Network Defense ... 2
    Hybrid Cloud Security ... 2
    Trend Micro Smart Protection Network ... 2
    Visibility and Control ... 3
  Evolution of the Data Center ... 3
  Trend Micro XGen™ Security ... 4
    Smart ... 4
    Optimized ... 4
    Connected ... 4
  Deep Security ... 5
    Deployment Options ... 6
  Deep Security Protection Modules ... 8
    Anti-Malware ... 8
    Web Reputation ... 8
    Firewall ... 9
    Intrusion Prevention ... 9
    Integrity Monitoring ... 9
    Log Inspection ... 10
    Application Control ... 10
  Deep Security Components ... 11
    Deep Security Manager ... 11
    Database ... 11
    Deep Security Manager Web Console ... 12
    Deep Security Agent ... 12
    Deep Security Relay ... 12
    Apex Central ... 12
    Deep Security Virtual Appliance ... 13
    Deep Security Notifier ... 13
    Trend Micro Smart Protection Network ... 13
    Trend Micro Smart Protection Server ... 13
    Deep Security Smart Check ... 14
    Deep Security Scanner ... 14
    Deep Discovery Analyzer ... 14
    Third-Party Authentication ... 14
  Threat Detection ... 15
    Detecting Threats at the Entry Point ... 15
    Detecting Threats Pre-execution ... 15
    Detecting Threats at Runtime ... 16
    Detecting Threats at the Exit Point ... 16
  Review Questions ... 17

Lesson 2: Deep Security Manager ... 19
  Deep Security Manager ... 19
    Deep Security Manager System Requirements ... 20
    Operating System ... 20
  Database ... 20
    Database Requirements ... 20
    Supported Databases ... 21
    Database Communication ... 22
    Database Sizing ... 23
    Database Installation Requirements ... 24
  Deep Security Manager Architecture ... 26
    Apache Tomcat ... 26
    Web Client ... 26
    Manager Core ... 26
    Jasper Reports ... 26
    Communication Ports ... 27
    Network Communication ... 28
    Configuration Settings ... 28
  Multiple Deep Security Manager Nodes ... 29
    High Availability ... 29
  Performing Operations Through the Deep Security Manager Web Console ... 31
  Performing Operations Through a Command Line ... 31
    Performing Operations Through the Windows Command Prompt ... 31
    Performing Operations Through the Linux Terminal ... 31
    Command Syntax ... 32
  Installing Deep Security Manager 20 for Windows Server ... 34
    Deep Security Pre-Installation Checklist ... 34
    Deep Security Manager Readiness Check ... 34
    Installing Deep Security Manager for Windows Server ... 36
    Installing Deep Security Manager for Linux ... 47
  Logging into the Deep Security Manager Web Console ... 48
  Deep Security Manager Digital Certificates ... 50
  Upgrading From Deep Security 12 ... 51
  Upgrading From Deep Security 11 ... 55
  Review Questions ... 60

Lesson 3: Deploying Deep Security Agents ... 61
  Deep Security Agent Architecture ... 61
    Deep Security Agent System Requirements ... 62
  Deploying Deep Security Agents ... 63
    Importing Deep Security Agent Software into Deep Security Manager ... 63
    Installing the Deep Security Agent ... 67
    Adding the Protected Servers to the Computer List ... 76
    Activating Deep Security Agents ... 87
  Deep Security Agent Heartbeat ... 91
    Deep Security Manager to Agent Communication ... 92
  Review Questions ... 93

Lesson 4: Managing Deep Security Agents ... 95
  Performing Deep Security Agent Operations Through a Command Line ... 95
    Performing Operations Through the Windows Command Prompt ... 95
    Performing Operations Through the Linux Terminal ... 95
    Command Syntax ... 95
  Resetting Deep Security Agents ... 97
  Protecting Deep Security Agents From Modification ... 97
  Viewing Computer Protection Status ... 98
    Computers Without a Deep Security Agent ... 98
    Computers With an Unactivated Deep Security Agent ... 99
    Computers With an Activated Deep Security Agent ... 99
    Deep Security Relay ... 100
    ESXi Server ... 100
    Deep Security Virtual Appliance ... 100
    Virtual Machine ... 101
  Protection Module Installation States ... 101
    Viewing Deep Security Agent Tasks in Progress ... 103
  Dealing With Offline Agents ... 104
  Cleaning Up Inactive Agents ... 105
    Cleaning Up Inactive Agents ... 105
    Reactivating Unknown Agents ... 106
    Overriding Inactive Agent Cleanup ... 106
  Upgrading Deep Security Agents to Deep Security 20 ... 107
    Anti-Malware Protection During Upgrades ... 111
    Upgrading Agents on Activation ... 111
    Controlling the Agent Version ... 112
  Organizing Computers Using Groups ... 113
    Creating Groups ... 114
    Adding Computers to a Group ... 115
  Organizing Computers Using Smart Folders ... 117
  Review Questions ... 119

Lesson 5: Keeping Deep Security Up To Date ... 121
  Security Updates ... 121
    Security Update Process ... 122
    Creating Update Bundles ... 123
  Software Updates ... 124
    Software Update Process ... 125
    Deleting Imported Agent Packages ... 125
  Scheduling Checks for Updates ... 126
  Update Source Settings ... 127
  Deep Security Relays ... 127
    Deep Security Relay Architecture ... 128
    Enabling Deep Security Relays ... 129
    Organizing Relays Into Groups ... 130
  Review Questions ... 135

Lesson 6: Trend Micro Smart Protection ... 137
    File Reputation Service ... 137
    Web Reputation Service ... 137
    Census Service ... 138
    Predictive Machine Learning Service ... 138
    Certified Safe Software Service ... 138
    Smart Feedback ... 139
  Smart Protection Sources ... 139
    Trend Micro Smart Protection Network ... 140
    Smart Protection Server ... 140
  Configuring the Smart Protection Source ... 141
    Smart Protection Source for File Reputation Service ... 141
    Smart Protection Source for Web Reputation ... 142
    Smart Protection Source for Census, Certified Safe Software and Predictive Machine Learning ... 143
  Review Questions ... 144

Lesson 7: Assigning Protection Settings Through Policies ... 145
  Policy Structure ... 147
    Policy Inheritance ... 148
    Policy-Level Overrides ... 149
    Computer-Level Overrides ... 150
    Rule Inheritance ... 151
  Creating Policies ... 153
    Creating a New Policy ... 153
    Duplicating an Existing Policy ... 154
    Importing an Existing Policy From Another Installation ... 155
  Running Recommendation Scans ... 155
    Assigning the Recommendations ... 158
    Performing Ongoing Scans ... 161
    Scheduling a Recommendation Scan ... 162
    Creating a New Policy Based on a Recommendation Scan ... 162
  Common Objects ... 165
    Rules ... 165
    Lists ... 166
    Contexts ... 166
    Firewall Stateful Configurations ... 169
    Malware Scan Configurations ... 169
    Schedules ... 170
    Syslog Configurations ... 170
    Tags ... 170
  Review Questions ... 171

Lesson 8: Protecting Servers from Malware ... 173
  Anti-Malware Solution Platform ... 174
  Anti-Malware Scanning Methods ... 175
    Virus Scanning ... 175
    Spyware and Grayware Scanning ... 176
    Process Memory Scanning ... 176
    Behavior Monitoring ... 177
    Windows Antimalware Scan Interface (AMSI) ... 177
    IntelliTrap ... 178
    Predictive Machine Learning ... 178
  Enabling Malware Protection ... 179
    Defining a Malware Scan Configuration ... 179
    Turning the Anti-Malware Module On ... 186
    Assigning the Scan Configuration to a Scan Type ... 189
    Keeping Deep Security Up To Date on Malware ... 193
  Viewing Anti-Malware-Related Events ... 194
    System Events ... 194
    Computer Events ... 194
    Adding Malware to the Allowed List ... 195
  Reviewing Files Identified as Malware ... 196
    Restoring Identified Files ... 197
    Quarantining Files on Deep Security Agents ... 201
  Smart Scan ... 202
    File Reputation ... 203
    Querying the File Reputation Service ... 205
  Review Questions ... 208

Lesson 9: Blocking Malicious Web Sites ... 209
  Trend Micro URL Filtering Engine ... 209
    Credibility Scores ... 211
    Web Reputation Communication ... 212
  Enabling Web Reputation ... 212
    Turning on Web Reputation Protection ... 212
    Setting the Security Level ... 214
    Defining Exceptions ... 215
  Unblocking Pages ... 217
  Viewing Web Reputation-Related Events ... 220
    System Events ... 220
    Computer Events ... 220
  Review Questions ... 221

Lesson 10: Filtering Traffic Using the Firewall ... 223
  Enabling Firewall Protection ... 224
    Turning the Firewall On ... 224
    Applying Firewall Rules ... 225
  Creating Custom Firewall Rules ... 226
    Actions
228 Priority ..............................................................................................................................................................231 Packet Direction .............................................................................................................................................231 Frame Type ......................................................................................................................................................231 Protocol ...........................................................................................................................................................232 Packet Source and Packet Destination ....................................................................................................232 Recommended Firewall Policy Rules ...............................................................................................................233 Rule Order of Analysis .........................................................................................................................................233 Traffic Analysis ..................................................................................................................................................... 236 Tap Mode .........................................................................................................................................................237 Inline Mode ......................................................................................................................................................237 Failure Response Behavior ........................................................................................................................ 238 Anti-Evasion Posture ................................................................................................................................... 
239 Advanced Network Engine Options ......................................................................................................... 240 Order of Analysis .................................................................................................................................................. 241 Integrity Check ............................................................................................................................................... 241 Reconnaissance Scans ................................................................................................................................. 241 Check Firewall Rules .................................................................................................................................... 243 Check Stateful Configuration .................................................................................................................... 243 Decrypt SSL Traffic ...................................................................................................................................... 245 Check Intrusion Prevention Rules ............................................................................................................ 245 Important Points to Remember ................................................................................................................ 245 Port Scans .............................................................................................................................................................. 245 Defining Ports to Scan ................................................................................................................................ 246 Scan Triggers ................................................................................................................................................ 
247 Scan Results .................................................................................................................................................. 249 Viewing Firewall-Related Events ...................................................................................................................... 250 System Events ............................................................................................................................................... 250 Computer Events ........................................................................................................................................... 251 Review Questions ................................................................................................................................................. 252 Lesson 11: Protecting Servers From Vulnerabilities ........................................................... 253 Blocking Exploits Using Intrusion Prevention ............................................................................................... 254 Virtual Patching ............................................................................................................................................ 254 © 2021 Trend Micro Inc. Education v Trend Micro Deep Security 20 Training for Certified Professionals - Student Guide Detecting Suspicious Network Activity ................................................................................................... 254 Blocking Traffic Through Protocol Control ............................................................................................ 254 Protecting Web Applications ..................................................................................................................... 254 Enabling Intrusion Prevention .......................................................................................................................... 
255 Turning the Intrusion Prevention Module On ........................................................................................ 255 Setting the Intrusion Prevention Behavior ............................................................................................ 256 Running a Recommendation Scan ........................................................................................................... 257 Applying the Intrusion Prevention Rules ................................................................................................ 260 Staying Up To Date on Rules Through Ongoing Recommendation Scans ..................................... 262 Types of Intrusion Prevention Rules ............................................................................................................... 263 Rule Groups ........................................................................................................................................................... 264 TippingPoint Equivalent Rule ID Mapping ...................................................................................................... 265 Filtering SSL-Encrypted Traffic ....................................................................................................................... 265 Protecting Web Applications ............................................................................................................................. 
270 Patterns ............................................................................................................................................................271 Drop Threshold ..............................................................................................................................................272 Log Threshold ................................................................................................................................................272 Max Distance Between Matches ................................................................................................................273 Viewing Intrusion Prevention-Related Events ...............................................................................................273 System Events ................................................................................................................................................273 Computer Events .......................................................................................................................................... 274 Review Questions ................................................................................................................................................. 275 Lesson 12: Detecting Changes to Protected Servers ......................................................... 277 Enabling Integrity Monitoring ........................................................................................................................... 278 Turning on Integrity Monitoring ............................................................................................................... 278 Applying Integrity Monitoring Rules to a Policy or Computer .......................................................... 279 Building a Baseline for the Computer ..................................................................................................... 
282 Periodically Scanning for Changes to a Computer .............................................................................. 284 Detecting Changes ............................................................................................................................................. 284 Viewing Integrity Monitoring-Related Events ............................................................................................... 285 System Events ............................................................................................................................................... 285 Computer Events .......................................................................................................................................... 285 Review Questions ................................................................................................................................................. 287 Lesson 13: Blocking Unapproved Software........................................................................... 289 Enforcement Modes ............................................................................................................................................ 290 Enabling Application Control ............................................................................................................................ 290 Installing Approved Software .................................................................................................................... 290 Running a Malware Scan on the Server ................................................................................................... 291 Enabling Application Control ...................................................................................................................... 291 Detecting software changes ...................................................................................................................... 
293 Viewing Application Control-Related Events ................................................................................................ 295 System Events ............................................................................................................................................... 295 Computer Events .......................................................................................................................................... 296 Overriding Application Control Enforcement ........................................................................................ 297 Global Block ........................................................................................................................................................... 299 Pre-Approving Software Updates .................................................................................................................... 299 Maintenance Mode ....................................................................................................................................... 299 Trusted Updater ............................................................................................................................................. 301 Application Control Order of Analysis ............................................................................................................. 301 Resetting Application Control ................................................................................................................... 302 Review Questions ................................................................................................................................................. 304 vi © 2021 Trend Micro Inc. Education Trend Micro Deep Security 20 Training for Certified Professionals - Student Guide Lesson 14: Inspecting Logs on Protected Servers.............................................................. 
305 Enabling Log Inspection ..................................................................................................................................... 306 Turning on Log Inspection ......................................................................................................................... 306 Applying Log Inspection Rules .................................................................................................................. 308 Viewing Log Inspection-Related Events ............................................................................................................311 System Events .................................................................................................................................................312 Computer Events ............................................................................................................................................312 Monitoring Windows Events ................................................................................................................................313 Review Questions .................................................................................................................................................. 315 Lesson 15: Events and Alerts .................................................................................................... 317 Event Forwarding ...................................................................................................................................................317 Security Information and Event Management Server .......................................................................... 318 Amazon Simple Notification Service ........................................................................................................ 
318 SNMP ................................................................................................................................................................ 319 Web Services API ........................................................................................................................................... 319 Alerts ........................................................................................................................................................................ 319 Viewing Alerts in the Deep Security Manager Web Console ............................................................. 320 Email Notifications For Alerts ....................................................................................................................322 Event Tagging ...................................................................................................................................................... 324 Manual Tagging ............................................................................................................................................. 324 Standard Auto-Tagging ............................................................................................................................... 325 Trusted Source Auto-Tagging ....................................................................................................................327 Trend Micro Certified Safe Software Service ........................................................................................ 
329 Reporting .................................................................................................................................................................331 Filtering Report Data ...........................................................................................................................................333 Filtering by Tag ..............................................................................................................................................333 Filtering by Date and Time ........................................................................................................................ 334 Filtering by Computer ................................................................................................................................. 334 Encrypting Reports ...................................................................................................................................... 335 Review Questions ................................................................................................................................................. 336 Lesson 16: Protecting Containers ........................................................................................... 337 Continuous Integration/Continuous Deployment .........................................................................................337 DevOps ............................................................................................................................................................ 338 Software Development Using Containers ...................................................................................................... 338 Concepts and Terminology ................................................................................................................................ 
340 Image ............................................................................................................................................................... 340 Repository ...................................................................................................................................................... 340 Tags ................................................................................................................................................................. 340 Registry ........................................................................................................................................................... 340 Container ........................................................................................................................................................ 340 Docker ............................................................................................................................................................. 340 Kubernetes ...................................................................................................................................................... 341 Pods ................................................................................................................................................................. 342 Helm ................................................................................................................................................................. 342 Chart ................................................................................................................................................................ 342 Protecting Containers With Deep Security .................................................................................................... 343 Protecting the Software Build Pipeline ................................................................................................... 
344 Protecting the Host at Runtime ................................................................................................................ 347 Review Questions ................................................................................................................................................. 352 © 2021 Trend Micro Inc. Education vii Trend Micro Deep Security 20 Training for Certified Professionals - Student Guide Lesson 17: Automating Deep Security Operations ............................................................. 353 Scheduled Tasks ................................................................................................................................................... 353 Creating Scheduled Tasks .......................................................................................................................... 355 Event-Based tasks ................................................................................................................................................ 355 Creating Event-Based tasks ....................................................................................................................... 356 Quick Start Templates ........................................................................................................................................ 357 Deploying Deep Security Manager in Amazon Web Services Using a CloudFormation Template .......................................................................................................................... 357 Deploying Deep Security Manager in Microsoft Azure Using Quickstarts ..................................... 363 Baking the Deep Security Agent into an Amazon Machine Image .......................................................... 369 Application Programming Interface ................................................................................................................ 
370 Setting up the Development Environment ...............................................................................................371 API URL .............................................................................................................................................................371 Authenticating API Requests ......................................................................................................................371 API Reference ........................................................................................................................................................373 API Endpoints ................................................................................................................................................ 374 Command Parameters ................................................................................................................................ 375 API URL ........................................................................................................................................................... 376 Request Samples .......................................................................................................................................... 376 Review Questions ................................................................................................................................................. 378 Lesson 18: Detecting Emerging Malware Through Connected Threat Defense ......... 379 Connected Threat Defense Phases ................................................................................................................. 379 Detect .............................................................................................................................................................. 
380 Respond .......................................................................................................................................................... 380 Protect ............................................................................................................................................................ 380 View and Analyze Threats .......................................................................................................................... 380 Connected Threat Defense Requirements .................................................................................................... 380 How Connected Threat Defense Works ........................................................................................................... 381 Trend Micro Apex Central .................................................................................................................................. 382 Connecting Deep Security with Trend Micro Apex Central ............................................................... 383 Deep Discovery Analyzer ................................................................................................................................... 384 Suspicious Activities .................................................................................................................................... 385 Connecting Deep Discovery Analyzer to Apex Central ....................................................................... 386 Populating the Apex Central Product Directory .......................................................................................... 387 Configuring Deep Security for Connected Threat Defense ....................................................................... 389 Creating a Malware Scan Configuration ................................................................................................. 
389
  Configuring Deep Security to Submit Files to Deep Discovery Analyzer ... 391
  Subscribing to the Suspicious Object list ... 392
  Enabling Sandbox Analysis ... 392
  Manually Submitting a File to Deep Discovery For Analysis ... 393
  Tracking the Submission ... 393
  Suspicious Objects ... 397
  Handling Suspicious Object ... 398
  Review Questions ... 401
Appendix A: Activating and Managing Multiple Tenants ... 403
  Segmentation using Multi-Tenancy ... 404
  Segmentation by Business Unit ... 404
  Segmentation in a Service Provider Model ... 405
  Tenant Isolation ... 405
  Database Isolation ... 405
  Deep Security Manager Web Console For Tenants ... 406
© 2021 Trend Micro Inc. Education
  Enabling Multi-Tenancy ... 407
  Licensing Modes ... 408
  Creating Tenants ... 409
  Tenant Administrator ... 410
  Tenant Account Confirmation ... 411
  Managing Tenants ... 412
  Tenant State ... 412
  Tenant Properties ... 413
  Deleting Tenants ... 417
  Diagnosing Tenant Issues ... 418
  Activating Deep Security Agent on Tenants ... 418
  Deep Security Relays ... 418
  Usage Monitoring ... 418
  Multi-Tenant Dashboard ... 419
  Multi-Tenant Dashboard/Reporting ... 420
  Status Monitoring API ... 420
  Administering Tenants ... 420
  Logging into Deep Security Manager as a Tenant ... 421
  Review Questions ... 422
Appendix B: Protecting Virtual Machines Using the Deep Security Virtual Appliance ... 423
  Deep Security Virtual Appliance ... 424
  Benefits of Using the Virtual Appliance ... 424
  Virtual Appliance Deployment Models ... 425
  Deployments Using NSX for vShield Endpoint ... 426
  Deployments Using NSX Advanced or Enterprise ... 427
  Deployments Without NSX ... 427
  Deploying and Activating the Virtual Appliance Using NSX-V ... 428
  Importing the Deep Security Virtual Appliance Package into Deep Security Manager ... 428
  Adding VMware vCenter to Deep Security Manager ... 430
  Installing the Guest Introspection Service on VMware ESXi ... 432
  Installing the Deep Security Service on VMware ESXi ... 436
  Creating an NSX Security Group ... 439
  Creating an NSX Security Policy ... 441
  Applying the NSX Security Policy to the NSX Security Group ... 447
  Activating Deep Security Protection on the Virtual Machines ... 448
  Viewing Protected Virtual Machines ... 450
  Deep Security Notifier ... 450
  Deep Security Virtual Appliance-Related Communication ... 450
  Traffic between the Deep Security Virtual Appliance and Deep Security Manager ... 451
  Traffic between vCenter Server and Deep Security Manager ... 451
  Traffic between ESXi and Deep Security Manager ... 451
  Deep Security Manager and VMware vCenter Server ... 451
  Re-configuring vCenter Server Communication ... 451
  Deep Security Manager and vCenter Server Synchronization ... 453
  Event-based tasks ... 454
  Agentless Anti-Malware Protection ... 455
  Real-Time Scanning ... 455
  On-Demand Scan ... 455
  Scan Cache Settings and Concurrent Scan ... 455
  Quarantining in Anti-Malware ... 457
  Agentless Integrity Monitoring Protection ... 457
  VMware High Availability ... 457
  Moving Deep Security Virtual Appliance Data ... 459
  Review Questions ... 460
Appendix C: Troubleshooting Common Deep Security Issues ... 461
  Diagnostic Logging in Deep Security Manager ... 461
  Creating a Diagnostic Package for Deep Security Agents ... 463
  Creating a Diagnostic Package for Deep Security Manager ... 465
  Troubleshooting Offline Agents ... 467
  Potential Causes ... 467
  Possible Solutions ... 468
  Troubleshooting Deep Security Agent Activation Failures ... 469
  Possible Solutions ... 469
  Troubleshooting High CPU usage ... 471
  Possible Solutions ... 471
  Troubleshooting Security Update Failures ... 472
  Possible Solutions ... 472
Appendix D: What's New in Deep Security 20 ... 475
  New Database Support ... 475
  New Manager Platform Support ... 475
  New Agent Platform Support ... 475
  Google Cloud Platform Support ... 476
  Upgrade on Activation ... 476
  Agent Version Control ... 476
  Reboot Requirement Removed for Agent Upgrade ... 476
  Anti-Malware Protection During an Agent Upgrade ... 476
  Agentless Anti-Malware for NSX-T ... 477
  Hide AWS Host Groups ... 477
  Search Cloud Instance Metadata ... 477
  AWS Manager-generated External ID ... 478
  Agent Integrity Check ... 478
  Deep Security Manager API updates ... 478
  Automate Google and AWS accounts ... 478
  New Anti-malware Features ... 478
  Windows Antimalware Scan Interface (AMSI) ... 478
  Behavior Monitoring Action ... 478
  Predictive Machine Learning Action ... 479
  Behavior Monitoring on Linux ... 479
  Database Encryption ... 479
Appendix E: FIPS 140-2 Support in Deep Security ... 481
  Enable FIPS Mode for Deep Security Manager on Windows ... 481
  Enable FIPS mode for Deep Security Manager on Linux ... 482

Lesson 1: Deep Security Overview

Lesson Objectives: After completing this lesson, participants will be able to:

• List the Deep Security deployment options
• Identify the roles of each of the Deep Security protection modules
• List the required and optional components of a Deep Security installation

Trend Micro Solutions

Trend Micro provides layered content security with interconnected solutions that share data so you can protect your users, network, data center, and cloud resources from data breaches and targeted attacks.
Figure: Trend Micro solutions: User Protection, Network Defense, Hybrid Cloud Security

User Protection

The threat landscape is constantly changing, and traditional security solutions on endpoint computers can't keep up. Turning to multiple point products on a single endpoint results in too many products that don't work together, increasing complexity, slowing users, and leaving gaps in an organization's security. To further complicate matters, organizations are moving to the cloud and need flexible security deployment options that will adapt as their needs change. Trend Micro User Protection is an interconnected suite of security products and advanced threat defense techniques that protect users from ransomware and other threats across endpoints, gateways and applications, allowing the organization to secure all its users' activity on any application, any device, anywhere.

© 2020 Trend Micro Inc. Education

Network Defense

The enterprise is in the cross-hairs of an increasingly complex array of ransomware, advanced threats, targeted attacks, vulnerabilities, and exploits. Only complete visibility into all network traffic and activity will keep the organization ahead of purpose-built attacks which bypass traditional controls, exploit network vulnerabilities, and either ransom or steal sensitive data, communications, and intellectual property. Trend Micro Network Defense detects and prevents breaches anywhere on the network to protect critical data and reputation: rapidly detect, analyze, and respond to targeted attacks on your network, stop targeted email attacks, and detect advanced malware and ransomware with custom sandbox analysis before damage is done. The Trend Micro Network Defense solution preserves the integrity of the network while ensuring that data, communications, intellectual property, and other intangible assets are not monetized by unwanted third parties.
A combination of next-generation intrusion prevention and proven breach detection enables the enterprise to prevent targeted attacks, advanced threats, and ransomware from embedding or spreading within its network.

Hybrid Cloud Security

The Trend Micro Hybrid Cloud Security solution protects enterprise workloads in the data center and the cloud from critical new threats, like ransomware, that can cause significant business disruptions, while helping to accelerate regulatory compliance. Hybrid Cloud Security delivers comprehensive, automated security for physical, virtual and cloud servers. The organization can secure critical data and applications across its cloud and virtualized environments with effective server protection that maximizes their operational and economic benefits. Whether you are focused on securing physical, virtual, cloud, or hybrid environments, Trend Micro provides the advanced server security you need with the Trend Micro Deep Security platform. Available as software, in the Amazon Web Services and Azure marketplaces, or as a service, Deep Security provides you with security optimized for VMware, Amazon Web Services, and Microsoft Azure.

Trend Micro Smart Protection Network

The Trend Micro Smart Protection Network is a collection of cloud-based services that mine data around the clock and across the globe to ensure up-to-the-second threat intelligence that stamps out attacks before they can harm valuable enterprise data assets. Trend Micro rapidly and accurately collates this wealth of global threat intelligence to customize protection to the specific needs of your home or business, and uses predictive analytics to protect against the threats that are most likely to impact you.

To maintain this immense scale of threat protection, Trend Micro has created one of the world's most extensive cloud-based protection infrastructures, which collects threat data from a broad, robust global sensor network to ensure customers are protected from the volume and variety of threats today, including mobile and targeted attacks. New threats are identified quickly using finely tuned automated custom data mining tools and human intelligence to root out new threats within very large data streams.

Visibility and Control

Whether you are operating in the data center, the cloud, or across a hybrid environment, you can manage a comprehensive set of security capabilities from a single management console, providing a strong level of visibility and control.

Evolution of the Data Center

The data center has gone through significant evolution over the years as new platforms for hosting workloads have been introduced. Physical, rack-mounted servers running Windows, Linux, Unix or Solaris were once the norm, but many organizations took advantage of the benefits of virtualization to reduce the amount of hardware they had to manage. When cloud technologies became more prominent, many of these physical and virtual workloads were transitioned to cloud platforms such as Amazon Web Services or Microsoft Azure. Emerging technologies such as containers and serverless are now becoming popular and present another possible transition point for the workloads in the data center.

Figure: Evolution of the data center: Physical, Virtual, Cloud, Containers, Serverless

This constantly evolving infrastructure presents challenges to organizations, as each new technology requires a reworking of the data center and retraining of the staff responsible for its operation. Since organizations may use a mix of technologies within the same data center, the tools used to protect the workloads running in the data center must be supported on all of the platforms being used.
Trend Micro XGen™ Security

The Trend Micro Hybrid Cloud Security solution, powered by XGen, delivers a blend of cross-generational threat defense techniques that are smart, optimized, and connected to protect servers and applications across the modern data center and the cloud, all while preventing business disruptions and helping with regulatory compliance.

Smart

Trend Micro solutions, powered by XGen, protect against the full range of known and unknown threats using a cross-generational blend of threat defense techniques that applies the right technique at the right time, powered by global threat intelligence.

Optimized

Trend Micro solutions, powered by XGen, deliver security solutions to protect users, networks, and hybrid cloud environments, all designed specifically for and tightly integrated with leading platforms and applications, like VMware, Amazon Web Services (AWS), Microsoft Azure, Google Cloud, Office 365, and more.

Connected

Trend Micro solutions, powered by XGen, speed the time to response with automatic sharing of threat intelligence across security layers and centralized visibility and control.

XGen™ security uses proven techniques to quickly identify known good or bad data, freeing advanced techniques to more quickly and accurately identify unknown threats. This identification in rapid succession with right-time technology, regardless of location and device across a connected system, maximizes both visibility and performance. This core set of techniques powers each of the Trend Micro solutions, in a way that is optimized for each layer of security: hybrid clouds, networks, and user environments.

Deep Security

The Deep Security platform is at the core of the Trend Micro Hybrid Cloud Security solution.
Deep Security provides advanced server security for physical, virtual, and cloud-based computers and delivers multiple security techniques in a single product. Deep Security makes the deployment and management of security faster and easier, simplifying the transition from physical to virtual, and to the cloud. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. This centrally-managed platform consolidates security operations within a single management dashboard for all capabilities and simplifies security operations while enabling regulatory compliance and accelerating the ROI of virtualization and cloud projects. Deep Security supports FIPS 140-2 mode (see Appendix E).

Deep Security consists of the Manager application, responsible for creating security policy and managing servers, along with an Agent application, responsible for enforcing the policies on the managed servers. A Web-based management console allows administrators to access policies, settings and computers.

Figure: Deep Security Manager, Deep Security Manager Web Console, and Deep Security Agents

Deep Security protects servers against zero-day malware and ransomware, identifies suspicious behavior, shields the network from vulnerabilities before they can be exploited, and detects and stops network-based attacks while minimizing the operational impact of resource inefficiencies and emergency patching. As a hybrid cloud solution, Deep Security integrates with cloud platforms including Amazon Web Services (AWS), Microsoft Azure, Google Cloud and VMware vCloud Air, enabling you to extend data center security policies to cloud-based workloads. With a wide range of capabilities optimized across environments, Deep Security empowers enterprises and service providers to offer a differentiated and secure multi-tenant cloud environment to their users.

Deployment Options

Deep Security can be deployed to protect the workloads in the data center in a few different ways:

• Installed software: You can buy Deep Security software and install it on a local Windows Server or Red Hat Linux server, on an Amazon Web Services (AWS) instance, or on an Azure or Google Cloud virtual machine. Deep Security can also protect virtual machines running on a single VMware server or on VMware ESXi hosts.

• Software as a Service: Cloud One™ - Workload Security (previously known as Deep Security as a Service) delivers a complete set of security capabilities through a software-as-a-service model. When Workload Security is deployed as a service, there is no Manager or database to install or maintain; Trend Micro hosts the service, keeps it updated and stores its security data for you. You also pay only for what you use through usage-based pricing. Administrators connect to their instance of Workload Security through a URL provided by Trend Micro.

• Marketplace: A cloud marketplace is an online storefront operated by the cloud service provider that helps its customers easily find and buy software and services that are built on, integrate with, or complement the cloud provider's offerings. In the Amazon Web Services and Microsoft Azure Marketplaces, Deep Security is available both as software and as a service. When Deep Security is purchased through a Marketplace, service fees appear on the respective Marketplace bill without the need for a separate invoice specific to Deep Security. Quick Start templates are available to get Deep Security up and running quickly and easily.

Deep Security Protection Modules

Deep Security provides a collection of protection modules to ensure server, application, and data security across physical, virtual, and cloud servers, as well as virtual desktops.

Figure: Deep Security protection modules: Anti-Malware, Web Reputation, Firewall, Intrusion Prevention, Integrity Monitoring, Log Inspection, Application Control

These modules can be licensed in many different combinations and can leverage both agent-based and agentless protection mechanisms. In agent-based models, the computers (physical or virtual machines) are protected by in-guest Deep Security Agents, whereas in agentless environments the virtual machines are protected by a Deep Security Virtual Appliance running on each ESXi server. The protection modules perform similarly in both physical agent-based and virtual agentless environments, though, depending on the environment, some protection modules may require an on-host agent.

Anti-Malware

The Anti-Malware module detects and blocks malicious software such as viruses, trojans, spyware, ransomware and other applications intended to harm the server. It is based on the Trend Micro Anti-Malware Solution Platform in conjunction with the Trend Micro Smart Protection Network. Anti-malware protection can occur in real time, can be run on demand, or can be set up to run on a schedule. A variety of techniques, including behavior monitoring and machine learning, enable Deep Security to provide protection against emerging malware that would not be captured by traditional pattern-based malware scanning.

Web Reputation

The Web Reputation module tracks the credibility of websites to safeguard servers from malicious URLs. It integrates with the Trend Micro Smart Protection Network to detect and block Web-based security risks, including phishing attacks.
The Web Reputation module blocks servers from accessing compromised or infected sites, blocks users from communicating with command-and-control (C&C) servers used by cybercriminals, and blocks access to malicious domains registered for perpetrating malicious activities. Protection is provided whether a user types a URL in a Web browser or an application makes an internal reference to a URL.

Firewall

The Firewall module provides broad coverage for all IP-based protocols and frame types as well as fine-grained filtering for ports and IP and MAC addresses through a bidirectional, stateful firewall. The firewall examines the header information in each network packet to allow or deny traffic based on direction, specific frame types, transport protocols, source and destination addresses, ports, and header flags. The Firewall module can help prevent denial-of-service attacks and can block reconnaissance scans.

Intrusion Prevention

The Intrusion Prevention module examines all incoming and outgoing traffic at the packet level, searching for protocol deviations, policy violations, or any content that can signal an attack. This module detects and blocks known and zero-day attacks. Where the Firewall module examines the header information in the packet, the Intrusion Prevention module examines the payload. The Intrusion Prevention module can implement rules to drop traffic designed to leverage unpatched vulnerabilities in certain applications or the operating system itself. This virtual patching protects the host while awaiting the application of the relevant patches. Intrusion Prevention can detect activity that is considered suspicious, such as ransomware or remote access, as well as detecting and blocking traffic that does not conform to protocol specifications, allowing Deep Security Agents to detect packet fragments, packets without flags, and similar anomalies.
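The header-versus-payload split described in the Firewall and Intrusion Prevention paragraphs above, as an added example that is not Deep Security code or its rule format: a stateful header filter that admits replies to connections the host opened, followed by a payload signature stage over the packets the firewall let through. The packet layout, rule classes, the host address 10.0.0.10, the sample packets and the two HTTP signatures are all constructed for illustration.

```python
"""Added example, not Deep Security code: a two-stage packet filter.
Stage 1 (firewall) decides from headers only: direction, protocol, addresses,
ports, TCP flags and connection state. Stage 2 (IPS) inspects the payload of
packets stage 1 admitted. Rules are evaluated in order, first match wins,
unmatched traffic is denied. Everything here is illustrative."""
import re
from dataclasses import dataclass, field
from typing import Optional

HOST = "10.0.0.10"  # constructed address of the protected server


@dataclass(frozen=True)
class FirewallRule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" or "out"
    proto: Optional[str] = None  # "tcp", "udp", "icmp"; None matches any
    src: Optional[str] = None    # exact address; None matches any
    dport: Optional[int] = None
    flags: Optional[str] = None  # required TCP flag set, e.g. "SYN"; "" = no flags set

    def matches(self, pkt: dict) -> bool:
        return (self.direction == pkt["direction"]
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.src is None or self.src == pkt["src"])
                and (self.dport is None or self.dport == pkt.get("dport"))
                and (self.flags is None or self.flags == pkt.get("flags")))


@dataclass(frozen=True)
class IpsSignature:
    name: str
    dport: int      # service port the signature applies to
    pattern: str    # regex over the payload


@dataclass
class PacketFilter:
    fw_rules: list
    ips_sigs: list
    conntrack: set = field(default_factory=set)  # 5-tuples of admitted flows

    @staticmethod
    def _flow(pkt: dict, reverse: bool = False) -> tuple:
        a = (pkt["src"], pkt.get("sport"))
        b = (pkt["dst"], pkt.get("dport"))
        return (pkt["proto"],) + ((b + a) if reverse else (a + b))

    def firewall(self, pkt: dict) -> str:
        # Packets belonging to a tracked flow, in either direction, need no rule.
        if self._flow(pkt) in self.conntrack or self._flow(pkt, True) in self.conntrack:
            return "allow"
        for rule in self.fw_rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.conntrack.add(self._flow(pkt))
                return rule.action
        return "deny"  # default deny

    def ips(self, pkt: dict) -> Optional[str]:
        payload = pkt.get("payload", "")
        for sig in self.ips_sigs:
            if sig.dport == pkt.get("dport") and re.search(sig.pattern, payload):
                return sig.name
        return None

    def decide(self, pkt: dict) -> str:
        if self.firewall(pkt) != "allow":
            return "deny:firewall"
        hit = self.ips(pkt)
        return f"drop:ips:{hit}" if hit else "allow"


def build_filter() -> PacketFilter:
    rules = [
        FirewallRule("deny", "in", proto="tcp", flags=""),                # null-scan packets
        FirewallRule("allow", "in", proto="tcp", dport=80, flags="SYN"),  # web service
        FirewallRule("allow", "out"),                                     # host-initiated traffic
    ]
    sigs = [
        IpsSignature("http-path-traversal", 80, r"\.\./"),
        IpsSignature("http-sqli-tautology", 80, r"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),
    ]
    return PacketFilter(rules, sigs)


def _pkt(direction, proto, src, sport, dst, dport, flags=None, payload=""):
    return dict(direction=direction, proto=proto, src=src, sport=sport, dst=dst,
                dport=dport, flags=flags, payload=payload)

# Constructed packets, in arrival order; "payload" is the application data.
SAMPLE_PACKETS = [
    ("null scan",      _pkt("in", "tcp", "203.0.113.9", 40000, HOST, 80, flags="")),
    ("web syn",        _pkt("in", "tcp", "198.51.100.4", 51000, HOST, 80, flags="SYN")),
    ("web request ok", _pkt("in", "tcp", "198.51.100.4", 51000, HOST, 80, "ACK", "GET /index.html HTTP/1.1\r\n")),
    ("web traversal",  _pkt("in", "tcp", "198.51.100.4", 51000, HOST, 80, "ACK", "GET /../../etc/passwd HTTP/1.1\r\n")),
    ("web sqli",       _pkt("in", "tcp", "198.51.100.4", 51000, HOST, 80, "ACK", "POST /login HTTP/1.1\r\n\r\nuser=admin' OR '1'='1")),
    ("ssh attempt",    _pkt("in", "tcp", "203.0.113.9", 40001, HOST, 22, flags="SYN")),
    ("dns query",      _pkt("out", "udp", HOST, 33000, "10.0.0.53", 53)),
    ("dns reply",      _pkt("in", "udp", "10.0.0.53", 53, HOST, 33000)),
    ("spoofed reply",  _pkt("in", "udp", "10.0.0.99", 53, HOST, 33000)),
]


def run_sample() -> dict:
    """Return {label: verdict} for the constructed packets, processed in order."""
    pf = build_filter()
    return {label: pf.decide(pkt) for label, pkt in SAMPLE_PACKETS}
```

The "dns reply" packet is admitted only because the host's own query was tracked; the "spoofed reply" from another address carries identical ports and is still denied, which is the point of stateful filtering. The two traversal and injection packets pass the firewall (same accepted flow) and are dropped only by the payload stage.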
This protection can also block traffic associated with specific applications like Skype or file-sharing utilities. Built-in Intrusion Prevention rules are provided for over 100 applications, including database, web, email and FTP servers. The Intrusion Prevention module automatically delivers rules that shield newly discovered vulnerabilities (within hours), and these can be pushed out to thousands of servers within minutes, without a system reboot.

Integrity Monitoring

The Integrity Monitoring module monitors critical operating system and application files, including directories, custom files, registry keys and values, open ports, processes and services, to provide real-time detection and reporting of malicious and unexpected changes. The Integrity Monitoring module tracks both authorized and unauthorized changes made to a server instance. The ability to detect unauthorized changes is a critical component of a security strategy, as it provides visibility into changes that could indicate the compromise of an instance. Trusted event tagging reduces administration overhead by automatically tagging similar events across the entire data center.

Log Inspection

The Log Inspection module collects and analyzes operating system and application logs for suspicious behavior, security events, and administrative events across the data center. This module optimizes the identification of important security events buried in multiple log entries. Suspicious events can be forwarded to a Security Information and Event Management (SIEM) system or to a centralized logging server for correlation, reporting and archiving. The Log Inspection module leverages and enhances the Open Source Security (OSSEC) Log Inspection Engine. Log inspection requires running analysis on the computer itself and, as a result, it is not supported in agentless deployments.
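The baseline-and-compare technique behind the Integrity Monitoring paragraph above, as an added example (not Deep Security code): snapshot a file tree, simulate the kind of changes an intruder makes, rescan and classify the drift. The directory, the files and the "attacker" edits are all constructed inside a temporary directory; only files are covered here, not the registry keys, ports, processes and services the module also monitors.

```python
"""Added example, not Deep Security code: file integrity baseline and drift
detection. An entry is identified by its path relative to the monitored root
and compared on content hash, size and permission bits."""
import hashlib
import os
import stat
import tempfile


def _fingerprint(path: str) -> dict:
    """Attributes that define "unchanged" for one file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: str) -> dict:
    """Map relative path -> fingerprint for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = _fingerprint(full)
    return baseline


def detect_changes(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots; 'modified' lists which attributes changed."""
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"created": created, "deleted": deleted, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a tiny /etc, apply three suspicious changes, rescan."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/bash\n")
        with open(os.path.join(etc, "sudoers"), "w") as f:
            f.write("root ALL=(ALL) ALL\n")
        os.chmod(os.path.join(etc, "sudoers"), 0o440)
        baseline = build_baseline(root)

        # Simulated unauthorized changes (constructed):
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("eve:x:0:0::/home/eve:/bin/bash\n")   # second uid-0 account appended
        os.chmod(os.path.join(etc, "sudoers"), 0o666)      # permissions loosened, content intact
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")                       # new preload file
        return detect_changes(baseline, build_baseline(root))
```

The permission-only change on sudoers is reported even though its hash is unchanged, which is why a real monitor compares more than content; in practice the baseline is stored off-host (or signed) so an intruder with root cannot simply rebuild it.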
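The OSSEC-style analysis the Log Inspection paragraph above describes, as an added example that is not Deep Security's Log Inspection engine or its rule set: a decoder splits syslog lines into fields, single-line rules raise one event per match, and a frequency rule raises a higher-severity event only when enough matches from the same source fall inside a time window, which is how an important event is surfaced from many routine entries. The rule ids, levels, thresholds and the sample log lines are constructed for illustration.

```python
"""Added example, not Deep Security's Log Inspection engine: an OSSEC-style
pass over constructed syslog lines. Lines carry no year and are assumed to be
from one day, so only time differences matter."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Decoder: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")


@dataclass(frozen=True)
class Rule:
    id: int
    level: int          # 0-15, OSSEC style: higher is more severe
    pattern: str        # regex over the decoded message; named groups become event fields
    description: str
    frequency: int = 0  # >0: fire only after this many matches ...
    timeframe: int = 0  # ... from the same source within this many seconds


RULES = [  # illustrative ids and thresholds
    Rule(1001, 5, r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)",
         "sshd authentication failure"),
    Rule(1002, 10, r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)",
         "sshd brute force: repeated authentication failures from one source",
         frequency=4, timeframe=120),
    Rule(1003, 8, r"^Accepted password for root from (?P<src>\S+)",
         "root logged in over ssh with a password"),
    Rule(1004, 3, r"^(?P<user>\S+) : TTY=.*COMMAND=(?P<cmd>.*)$",
         "sudo command executed"),
]

# Constructed sample log: a password-guessing run that ends in a root login.
SAMPLE_LOG = """\
Jan 12 10:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 12 10:00:03 web01 sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 12 10:00:04 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Jan 12 10:00:06 web01 sshd[1204]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 12 10:00:07 web01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 10:00:09 web01 sshd[1205]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 12 10:01:40 web01 sshd[1206]: Failed password for deploy from 198.51.100.7 port 51000 ssh2
Jan 12 10:01:55 web01 sshd[1207]: Accepted password for root from 203.0.113.5 port 40006 ssh2
Jan 12 10:02:10 web01 sudo:     deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow
""".splitlines()


def _seconds(ts: str) -> float:
    dt = datetime.strptime(ts, "%b %d %H:%M:%S")  # year defaults to 1900; deltas are all we need
    return (dt - datetime(1900, 1, 1)).total_seconds()


def inspect(lines, rules=RULES) -> list:
    """Return one event dict per rule firing, in log order."""
    events = []
    windows = defaultdict(deque)  # (rule id, source) -> timestamps of recent matches
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a line this decoder understands
        d = m.groupdict()
        t = _seconds(d["ts"])
        for rule in rules:
            hit = re.search(rule.pattern, d["msg"])
            if not hit:
                continue
            fields = {k: v for k, v in hit.groupdict().items() if v is not None}
            source = fields.get("src", d["host"])
            if rule.frequency:
                win = windows[(rule.id, source)]
                win.append(t)
                while win and win[0] < t - rule.timeframe:
                    win.popleft()  # forget matches outside the window
                if len(win) < rule.frequency:
                    continue
                win.clear()  # fire once per burst, then start counting again
            events.append({"rule": rule.id, "level": rule.level, "description": rule.description,
                           "host": d["host"], "program": d["prog"], "source": source,
                           **fields, "line": line})
    return events


def analyze_sample() -> list:
    return inspect(SAMPLE_LOG)
```

Filtering the returned events on level (for example, forwarding only level 8 and above to the SIEM) leaves the brute-force burst and the root login; the six individual failures stay as low-severity context. Clearing the window after a firing is a deliberate choice so a sustained attack produces one event per burst rather than one per line.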
Application Control

The Application Control module monitors computers for any software changes that drift away from an approved software inventory. It detects all changes to executables, including users installing unapproved software, new PHP pages or Java applications, unscheduled auto-updates, and zero-day malware. This module can lock down software so that only approved applications can execute, or stop specific unwanted software from running. During a software update or maintenance window, the Application Control module can be configured to approve the change while still preventing software on the block list from executing. Application Control requires running analysis on the computer itself and, as a result, it is not supported in agentless deployments.

Deep Security Components

The Deep Security platform consists of multiple components that work together to provide effective and reliable protection for physical, virtual and cloud-based environments.

Figure: Deep Security components: Deep Security Manager and its database, the Deep Security Manager Web Console, authentication sources (Active Directory, SAML identity provider, second-factor authenticator), Apex Central, Deep Discovery Analyzer, Smart Protection Server, Deep Security Scanner, Deep Security Smart Check with a container registry, Relays, cloud servers (Amazon Web Services, Azure, Google Cloud, vCloud), agentless support (vCenter, NSX Manager, VMware ESXi, Deep Security Virtual Appliance protecting VMs), physical servers (Windows, Linux, Solaris, HP-UX/AIX) and virtual servers (Windows VM, Linux VM)

Deep Security Manager

Deep Security Manager is a centralized management system used to create and manage comprehensive security policies and deploy protection to Deep Security Agents and Deep Security Virtual Appliances. Deep Security Manager does not provide protection itself; instead, it manages the rules and policies which are distributed to the enforcement components in the system.
Deep Security Manager is supported on 64-bit Windows and Red Hat Linux operating systems.

Database

Deep Security Manager requires a database for storing the information it needs to function. The database must be installed, and a user account with the appropriate permissions must be created, before installing Deep Security Manager. Microsoft SQL Server, Oracle or PostgreSQL databases are supported; in addition, cloud deployments using the Marketplace option allow the use of the vendor's cloud-enabled database as well.

Deep Security Manager Web Console

Administration of the system is performed through a Web-based interface. Administrative users with an appropriate role authenticate to the Deep Security Manager Web console and perform policy or computer-related tasks through a supported browser with cookies enabled. Administrative users authenticate to the console using Deep Security-created credentials or a user name and password stored in Microsoft Active Directory. Multi-factor authentication can be implemented to provide an additional level of security on the login process. Some operations can also be performed through the Windows Command Prompt.

Deep Security Agent

The protection layer of the Deep Security system is provided through the Deep Security Agent. This software component is installed on the server to provide protection through a collection of modules, including Anti-Malware, Web Reputation, Firewall, Intrusion Prevention, Integrity Monitoring, Log Inspection and Application Control. Deep Security Agents are supported on Windows, Linux, Solaris, HP-UX and AIX, and can be installed on physical servers, virtual machines or cloud servers. Deep Security can also operate without an on-host Agent for specific operations in a VMware environment using the Deep Security Virtual Appliance.

Deep Security Relay

The Deep Security Relay is a Deep Security Agent with relay functionality enabled.
Deep Security Relays download and distribute security and software updates from the Trend Micro Global Update Server to Deep Security Agents and Deep Security Virtual Appliances. You must have at least one Deep Security Relay enabled in your environment to keep your protection up to date. Relays improve performance by distributing the task of delivering updates throughout your Deep Security installation.

Apex Central

Apex Central (previously known as Control Manager) provides a single unified interface to manage, monitor, and report across multiple layers of security and deployment models. Customizable data displays allow administrators to rapidly assess status, identify threats, and respond to incidents. With Apex Central, administrators can view security events in Deep Security, Apex One and other Trend Micro products from a single interface. User-based visibility shows what is happening across all endpoints and servers, enabling administrators to review policy status and make changes across all devices. In the event of a threat outbreak, administrators have complete visibility of an environment to track how threats have spread. Apex Central is responsible for compiling the Suspicious Objects list for use in Connected Threat Defense. This list is based on information provided by other components in the infrastructure.

Deep Security Virtual Appliance

The Deep Security Virtual Appliance is a virtual machine that transparently enforces security policies on VMware ESXi virtual machines through NSX, allowing agentless protection through the Anti-Malware, Web Reputation, Firewall, Intrusion Prevention, and Integrity Monitoring modules. Some restrictions on Anti-Malware and Integrity Monitoring might be in effect when using the Deep Security Virtual Appliance, for example related to damage clean-up.
If protection through the Log Inspection and Application Control modules is required on a virtual machine, a Deep Security Agent can be installed on the virtual machine itself. The Deep Security Virtual Appliance runs as a VMware virtual machine and protects other virtual machines running on the same ESXi server, each with its own individual set of security policies. The implementation of Protection Modules with the Deep Security Virtual Appliance depends on limitations that exist within the licensing structure of VMware NSX.

Deep Security Notifier

The Deep Security Notifier is a Windows System Tray application that communicates the state of the Deep Security Agent and Deep Security Relay to client machines. The Deep Security Notifier displays a pop-up notification in the System Tray when a Deep Security Agent begins a scan, blocks malware or identifies a malicious web page. The Notifier also provides a console utility that allows the user to view events and check the status of the agent. The Deep Security Notifier is installed with the Deep Security Agent by default on Windows servers. It may be installed separately on Windows VMs protected by the Deep Security Virtual Appliance. In this case, the Anti-Malware module must be licensed and enabled on the VM for the Deep Security Notifier to display information.

Trend Micro Smart Protection Network

Deep Security takes advantage of the Trend Micro Smart Protection Network to deliver real-time updates of malware signatures and patterns. This cloud-client infrastructure delivers protection from emerging threats by continuously evaluating and correlating threat and reputation intelligence for websites, email sources, and files.

Trend Micro Smart Protection Server

One or more optional standalone Smart Protection Servers can also be deployed locally on the network to improve access time and increase privacy on behalf of the Anti-Malware and Web Reputation modules.

Deep Security Smart Check

Deep Security Smart Check performs pre-runtime scans of Docker images to detect OS vulnerabilities and malware, enabling you to fix issues before they reach the orchestration environment.

Deep Security Scanner

Deep Security Scanner provides integration with the SAP NetWeaver platform; it performs anti-malware scans and reviews the information to identify potential threats in SAP systems.

Note: Deep Security Scanner is not supported on computers where the Deep Security Agent is enabled as a Relay.

Deep Discovery Analyzer

Deep Discovery Analyzer is a secure virtual environment used to analyze samples submitted by Trend Micro products. Sandbox images allow observation of file and network behavior in a natural setting without any risk of compromising the network. Deep Discovery Analyzer performs static analysis and behavior simulation to identify potentially malicious characteristics. During analysis, Deep Discovery Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings; the result is then forwarded to Trend Micro Apex Central to build the suspicious objects list.

Third-Party Authentication

In addition to a Deep Security-created username and password for administrators, other authentication methods are supported.

Microsoft Active Directory

When configured, administrative users can authenticate to the Deep Security Manager Web Console using credentials stored in Microsoft Active Directory. In addition, Deep Security Manager can populate its Computers list using information retrieved from Active Directory servers. To import these hosts, the Add Directory Wizard performs an LDAP query to retrieve the necessary information from Active Directory.

Second-Factor Authenticators

When configured, administrative users can authenticate to the Deep Security Manager Web Console using second-factor authenticators such as Google Authenticator or Duo.
With second-factor authentication in place, administrative users will be required to enter their Deep Security Manager user name and password, followed by the response from the configured authentication device.

SAML Identity Providers

When configured, administrative users can authenticate to the Deep Security Manager Web Console using credentials provided by an external SAML 2.0 Identity Provider. This mechanism enables single sign-on to the management interface for administrative users. In this configuration, Deep Security Manager behaves as the SAML Service Provider.

Threat Detection

There are several points at which threats could enter the system through the server computer. A variety of automated threat detection techniques can be enabled in Deep Security to monitor for threats on the server.

[Figure: the four threat detection phases: Entry point, Pre-execution, Runtime, Exit point.]

Detecting Threats at the Entry Point

Entry point detection uses methods to capture threats as they enter the server. These methods include:

• Web Reputation: Web Reputation blocks connections to malicious Web sites. This is done at the kernel level, allowing Deep Security to block programs on the server from accessing the site.
• Virtual Patching: Deep Security blocks exploits of operating system and application vulnerabilities by applying a virtual patch. Trend Micro provides timely protection for exploits and vulnerabilities with the industry's most timely vulnerability research.

Detecting Threats Pre-execution

Detection methods used in the pre-execution phase capture and block threats as they are written to disk or to memory. These methods include:

• Packer Detection: Deep Security identifies packed malware as it unpacks prior to execution, blocking threats attempting to hide themselves in memory.
• Predictive Machine Learning: File-based threats can be evaluated against a cloud-based model before they are run to predict if the file is malicious.
• Application Control: Application Control prevents unrecognized software from executing.
• Variant Protection: Variant Protection detects mutations of malicious samples by recognizing known fragments of malware code.
• File-based Signatures: The majority of threats still arrive at the server as file-based attacks. File-based signatures provide an effective technique for detecting known malicious items.

Detecting Threats at Runtime

While many threats can be detected as they are written to disk, some threats won't be detected until they execute. Detection methods used in this phase include:

• Behavior Analysis: Powerful behavior analysis techniques provide a clear indication if an attack is taking place based on file behavior.
• In-memory Runtime Analysis: Some malware executes only in memory. In-memory runtime analysis can monitor for malicious behavior in memory and stop it once it starts running.

Detecting Threats at the Exit Point

Methods in this phase can detect and block attempts to forward data from the server. Detection methods used in this phase include:

• Web Reputation: At this phase, Web Reputation protection can block connections to malicious Web sites, such as Command & Control sites. Again, this protection is applied at the kernel level, blocking connections from applications running on the server.
• Host Intrusion Prevention: Host Intrusion Prevention detects and blocks malware lateral movement behavior.

Review Questions

1 Describe the role of the following components in a Deep Security implementation:
• Deep Security Notifier
• Deep Security Scanner
• Trend Micro Smart Protection Network
• Deep Security Manager
• Deep Discovery Analyzer
• Trend Micro Apex Central
• Deep Security Smart Check
• Deep Security Agent
• Deep Security Manager Web console
• Active Directory
• Deep Security Relay
• Deep Security Virtual Appliance
• Trend Micro Smart Protection Server
• Database

2 List the Deep Security Protection Modules and describe the protection they provide.

Lesson 2: Deep Security Manager

Lesson Objectives:

After completing this lesson, participants will be able to:
• Describe the computer, database and operating system requirements for Deep Security Manager 20
• Install Deep Security Manager 20 on Windows Server
• Identify Deep Security components and ports
• Perform Deep Security Manager actions through the Deep Security Manager Web console or a Command Line
• Describe how multiple Deep Security nodes can be used for high availability and load balancing
• Upgrade an existing installation to Deep Security 20

Deep Security Manager

Deep Security Manager is a centralized management system for creating and managing comprehensive security policies and deploying protection to Deep Security Agents installed on the servers in the datacenter. Deep Security Manager does not provide protection itself; instead, it manages the rules and policies which are distributed to the enforcement components in the system. The Deep Security Agents in turn forward security events back to Deep Security Manager through the management console, allowing preventive actions to be taken in response to threats. Deep Security Manager can be configured to automate or distribute security updates to servers on demand.
It also generates reports to gain visibility into activity and meet compliance requirements.

[Figure: Deep Security Manager sends Policies to the Deep Security Agents, which return Events.]

Deep Security Manager System Requirements

Many Deep Security Manager operations (such as Updates and Recommendation Scans) require high CPU and memory resources. Trend Micro recommends that each Manager node have four cores and sufficient RAM in high scale environments. The system requirements for Deep Security Manager include:

• Minimum Memory: Minimum RAM requirements depend on the number of Agents that are being managed. The recommendation can vary from 16GB of RAM and 8GB of Java Virtual Machine (JVM) memory for a small deployment of under 500 Agents to 24GB of RAM and 16GB of JVM memory for larger deployments of 20,000 Agents.
• Minimum Disk Space: 200GB recommended

Deep Security Manager must have Internet connectivity to download software packages and updates as well as to renew the system license.

Operating System

Deep Security Manager is available for different operating systems, including:
• Windows Server 2012 R2 (64-bit)
• Windows Server 2016 (64-bit)
• Windows Server 2019 (64-bit)
• Red Hat Linux 7 (64-bit)
• Red Hat Linux 8 (64-bit)

Ensure that the operating system is installed with the latest service pack and patches.

Database

A database server is required by Deep Security Manager. It can be installed on the same system as Deep Security Manager or on a different system. For on-premise enterprise deployments, Deep Security Manager can use Microsoft SQL Server, Oracle Database Server, or PostgreSQL. A database instance must be created before installing Deep Security Manager. The credentials for a database administrator with appropriate permissions will be required to complete the setup of Deep Security Manager. Cloud deployments using the Marketplace option allow the use of the vendor's cloud-enabled database as well.
In this case, traffic generated by database access will incur charges that will appear on your marketplace statement.

Database Requirements

The database should be installed on hardware that is equal to or better than the specifications of the best Deep Security Manager node. For optimal performance, the database should have 8-16GB of RAM and fast access to the local or network attached storage. Whenever possible, a database administrator should be consulted regarding the best configuration of the database server.

The database CPU, memory, and disk space required varies by:
• Number of protected computers
• Number of platforms where you install Deep Security Agent
• Number of events (logs) recorded per second (related to which security features are enabled)
• How long events are retained
• Size of the database transaction log

Supported Databases

The following databases are supported:
• Oracle Database 19c
• Oracle Database 18
• Oracle Database 12c
• Oracle Database 11g
• Oracle RDS
• Microsoft SQL Server 2019
• Microsoft SQL Server 2017
• Microsoft SQL Server 2016
• Microsoft SQL Server 2014
• Microsoft SQL Server 2012
• Microsoft SQL RDS
• Azure SQL (for Deep Security Manager VM for Azure Marketplace)
• PostgreSQL 11.x
• PostgreSQL 10.x
• PostgreSQL 9.6
• Amazon RDS for PostgreSQL (for Deep Security Manager for AWS Marketplace)
• Amazon Aurora

Note: Microsoft SQL Server Express is only supported in very limited deployments of less than 50 protected computers. More computers' events will cause a larger database, which Microsoft SQL Server Express cannot handle. SQL Express can potentially be used for proof-of-concept installations, but since it has a 10 GB database size limit, it should never be put into production.

Deep Security Manager and the database can be installed on the same computer if the final deployment is not expected to exceed 1000 computers (real or virtual).
If you think you may exceed 1000 computers, Deep Security Manager and the database should be installed on dedicated servers.

Database Communication

It is very important that the database and Deep Security Manager be co-located on the same network with a 1GB LAN connection to ensure unhindered communication. The same applies to additional Deep Security Manager nodes. A two millisecond (or 2 million nanoseconds) latency or better is recommended for the connection from the Manager(s) to the database. The speed of the database connection in your environment can be verified in the Database Query Benchmark value, displayed under System Information in the Deep Security Manager Web console.

Encrypted Communication (NEW)

For performance reasons, communication between Deep Security Manager and the database is not encrypted by default. The channel between Deep Security Manager and the database may already be secured if they are running on the same computer or they are connected by crossover cable, a private network segment, or tunneling via IPSec. If the communication channel between Deep Security Manager and the database is not secure, you should encrypt the communication between them. In its current design, Deep Security Manager attempts to build an encrypted connection with the database server; if that fails, Deep Security Manager falls back to an unencrypted connection with the database server instead. The mechanisms for creating the encrypted connection are built into the database library that Deep Security Manager is based on; therefore, the server certificate does not need to be imported, nor does any configuration file need to be updated. Check the Help Center for each of the supported databases for details on configuring data encryption or SSL connections. If you have already installed Deep Security Manager, stop and restart Deep Security Manager after enabling secure connections on the database.
Database Sizing

The amount of database space required per computer is dependent on the number of event logs recorded and how long they are retained. You can modify the default retention values from the Storage tab under System Settings. As well, additional settings and rules can be configured for each module, which can also increase the overall logging size. The table below estimates database disk space with default event retention settings. If the total disk space for the protection modules you enable is more than the "2 or more modules" value, use the smaller estimate. For example, you could deploy 750 agents with Deep Security Anti-Malware, Intrusion Prevention System and Integrity Monitoring. The total of the individual recommendations is 320 GB (20 + 100 + 200), but the recommendation for 2 or more modules is less (300 GB). Therefore, you would estimate 300 GB.

Number of agents   Anti-Malware   Web Reputation   Log Inspection   Firewall   IPS      Application Control   Integrity Monitoring   2 or more modules
1-99               10 GB          15 GB            20 GB            20 GB      40 GB    50 GB                 50 GB                  100 GB
100-499            10 GB          15 GB            20 GB            20 GB      40 GB    100 GB                100 GB                 200 GB
500-999            20 GB          30 GB            50 GB            50 GB      100 GB   200 GB                200 GB                 300 GB
1000-9999          50 GB          60 GB            100 GB           100 GB     200 GB   500 GB                400 GB                 600 GB
10,000-20,000      100 GB         120 GB           200 GB           200 GB     500 GB   750 GB                750 GB                 1 TB

Database disk space also increases with the number of separate Deep Security Agent platforms. For example, if you have 30 agents (maximum 5 versions per agent platform), this increases the database size by approximately 5 GB.

Database Installation Requirements

You must install the database software, create a database instance for Deep Security Manager, and create a user account before you install Deep Security Manager. Refer to your database provider's documentation for instructions on installing your database.
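The sizing rule above (add the per-module figures for the agent band, then take the smaller of that sum and the "2 or more modules" column) as a small estimator. This is an added example, not Trend Micro's code; the table values are the ones from this lesson, and the module name strings are labels chosen for this example.

```python
"""Deep Security Manager database sizing estimate (default event retention).

Added example, not Trend Micro code. It encodes the sizing table from this
lesson and applies the rule that with two or more modules enabled the
estimate is the smaller of the per-module sum and the "2 or more modules"
column for that agent band.
"""

MODULES = (
    "Anti-Malware",
    "Web Reputation",
    "Log Inspection",
    "Firewall",
    "IPS",
    "Application Control",
    "Integrity Monitoring",
)

# (min agents, max agents, GB per module in MODULES order, GB for "2 or more modules")
SIZING_TABLE = (
    (1, 99, (10, 15, 20, 20, 40, 50, 50), 100),
    (100, 499, (10, 15, 20, 20, 40, 100, 100), 200),
    (500, 999, (20, 30, 50, 50, 100, 200, 200), 300),
    (1000, 9999, (50, 60, 100, 100, 200, 500, 400), 600),
    (10000, 20000, (100, 120, 200, 200, 500, 750, 750), 1000),  # 1 TB
)


def sizing_row(agent_count):
    """Return (per-module GB tuple, "2 or more modules" GB) for the agent band."""
    for low, high, per_module, combined in SIZING_TABLE:
        if low <= agent_count <= high:
            return per_module, combined
    raise ValueError(f"agent count {agent_count} is outside the sizing table (1-20,000)")


def estimate_db_gb(agent_count, enabled_modules):
    """Estimate database disk space in GB for the given agents and modules.

    Returns a dict with the per-module figures, their sum, the "2 or more
    modules" cap for the band, and the recommended estimate.
    """
    modules = list(dict.fromkeys(enabled_modules))  # keep order, drop duplicates
    unknown = [m for m in modules if m not in MODULES]
    if unknown:
        raise ValueError(f"unknown module(s) {unknown}; expected one of {MODULES}")
    if not modules:
        raise ValueError("at least one protection module must be enabled")

    per_module, combined_cap = sizing_row(agent_count)
    individual = {m: per_module[MODULES.index(m)] for m in modules}
    total = sum(individual.values())

    # With two or more modules, use the smaller of the sum and the cap column.
    recommended = min(total, combined_cap) if len(modules) >= 2 else total

    return {
        "agents": agent_count,
        "per_module_gb": individual,
        "sum_gb": total,
        "two_or_more_modules_gb": combined_cap,
        "recommended_gb": recommended,
    }


if __name__ == "__main__":
    # The lesson's worked example: 750 agents with Anti-Malware, IPS and
    # Integrity Monitoring gives 20 + 100 + 200 = 320 GB, capped at 300 GB.
    result = estimate_db_gb(750, ["Anti-Malware", "IPS", "Integrity Monitoring"])
    print(f"sum {result['sum_gb']} GB, cap {result['two_or_more_modules_gb']} GB, "
          f"recommended {result['recommended_gb']} GB")
```

The per-platform growth mentioned in the text is not modelled, since the lesson gives only a single data point for it.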
Before you start the installation, however, make sure that your installation plan addresses the following requirements for integrating your database with Deep Security Manager.

• The database must be located on the same network as Deep Security Manager with a connection speed of 1Gb/s over LAN. (WAN connections are not recommended.)
• The database can be installed on the same system as Deep Security Manager, or it can be installed on a separate dedicated machine. This typically depends on how many protected computers are in your environment.
• The Deep Security database is compatible with database failover protection as long as no alterations are made to the database schema. For example, some database replication technologies add columns to the database tables during replication, which can result in critical failures. For this reason, database mirroring is recommended over database replication.
• The recommended transport protocol is TCP.
• Record the account details used in the creation of your database, as they will be required during the Deep Security Manager installation process.
• If using Microsoft SQL Server, consider the following requirements:
  - Enable Remote TCP Connections. (See http://msdn.microsoft.com/en-us/library/bb909712(v=vs.120).aspx)
  - The database account used by Deep Security Manager must have db_owner rights.
  - If using Multi-Tenancy, the database account used by Deep Security Manager must have dbcreator rights.
  - Select the simple recovery model property for your database. (See http://technet.microsoft.com/en-us/library/ms189272.aspx)
  - If using Multi-Tenancy, keeping the main database name short will make it easier to read the database names of your tenants. For example, if the main database is MAINDB, the first tenant's database name will be MAINDB_1, the second tenant's database name will be MAINDB_2, and so on.
  - When using Named Pipes to connect to an SQL Server, a properly authenticated Microsoft Windows communication channel must be available between the Deep Security Manager host and the SQL Server host. This may already exist if any of these conditions exist:
    · The SQL Server is on the same host as Deep Security Manager
    · Both hosts are members of the same domain
    · A trust relationship exists between the two hosts
    If no such communication channel is available, Deep Security Manager will not be able to communicate with the SQL Server over Named Pipes.
• If using Oracle Database Server, consider the following requirements:
  - Start the Oracle Listener service and make sure it accepts TCP connections.
  - The database account used by Deep Security Manager must be granted the CONNECT and RESOURCE roles and the UNLIMITED TABLESPACE, CREATE SEQUENCE, CREATE TABLE and CREATE TRIGGER system privileges.
  - If using Multi-Tenancy, the database account used by Deep Security Manager must be granted the CREATE USER, DROP USER, ALTER USER, GRANT ANY PRIVILEGE and GRANT ANY ROLE system privileges.
  - Although Oracle allows special characters in database object names if they are surrounded by quotes, Deep Security does not support these special characters.
  - Deep Security supports Oracle Real Application Clusters (RAC), including:
    · SUSE Linux Enterprise Server 11 SP3 with Oracle RAC 12c Release 1 (v12.1.0.2.0)
    · Red Hat Linux Enterprise Server 6.6 with Oracle RAC 12c Release 1 (v12.1.0.2.0)
    The default Linux Server Deep Security Policy is compatible with the Oracle Real Application Clusters environment, with the exception of Firewall settings. You can disable Firewall or customize the Firewall settings according to the instructions in the Firewall Settings with Oracle RAC section of the Deep Security Manager Help Center.
• If using PostgreSQL, consider the following requirements:
  - There is no supported migration path for moving from an earlier version of Deep Security with another database to Deep Security 20 with a PostgreSQL database.
  - To prepare a PostgreSQL database for use with Deep Security Manager, run the following SQL commands (the role needs the LOGIN attribute, since CREATE ROLE does not grant it by default):
      CREATE DATABASE "<database>";
      CREATE ROLE "<username>" WITH PASSWORD '<password>' LOGIN;
      GRANT ALL ON DATABASE "<database>" TO "<username>";
      GRANT CONNECT ON DATABASE "<database>" TO "<username>";
  - If using multi-tenancy, users also need the right to create new databases and roles:
      ALTER ROLE <username> CREATEDB CREATEROLE;
  - By default, PostgreSQL log files are not rotated, which can lead to the log files using a large amount of disk space. When using PostgreSQL with Deep Security, we recommend that you use these four parameters in the postgresql.conf file to configure log rotation: log_filename, log_rotation_age, log_rotation_size and log_truncate_on_rotation. log_rotation_age and log_rotation_size control when a new log file is created. For example, setting log_rotation_age to 1440 will create a new log file every 1440 minutes (1 day), and setting log_rotation_size to 10000 will create a new log file when the previous one reaches 10 000 KB. log_filename controls the name given to every log file. You can use time and date format conversion in the name.
  - By default, the PostgreSQL deadlock_timeout setting in the postgresql.conf file is configured to 1 second. This means that every time a query waits on a lock for more than 1 second, PostgreSQL will launch a check for a deadlock condition and will log an error if the logging setting has been configured that way (by default, it is). This can lead to performance degradation on bigger systems, where it can be normal for queries to wait for more than 1 second during load times. On large systems, consider increasing the deadlock_timeout setting.

Deep Security Manager Architecture

Deep Security Manager consists of the following major modules:

Apache Tomcat

An Apache Tomcat Web and application server is built into Deep Security Manager and is used to run the necessary server-side Java components.

Web Client

This Web client is responsible for generating the Deep Security Manager Web console, and for implementing access control.

Manager Core

The Manager Core on Windows or Linux is comprised of compiled Java libraries that are responsible for the bulk of Deep Security Manager functionality, including command queuing and deployment, database access, downloading updates from the security center, and interfacing with various network services (e.g., SMTP, Active Directory, VMware servers, etc.).

Jasper Reports

Jasper Reports functions as the report generator mechanism running in Tomcat.

Communication Ports

You must make sure the following ports on the computers hosting Deep Security Manager are open and not reserved for other purposes. Deep Security Manager automatically implements specific firewall rules to open the required communication ports on machines hosting Deep Security Relays, Deep Security Agents and Deep Security Virtual Appliances.

[Figure: Deep Security Manager communication ports (TCP and UDP). The diagram shows the ports between Deep Security Manager and: the Deep Security Manager Web Console and API (4119); Deep Security Agents and Virtual Appliances (4118, 4120); Deep Security Relays (4122, 4123); Smart Protection Server (5274/5275, 8080); SMTP (25); NTP (123); DNS (53); a SIEM or syslog server (514); SNMP (162); Active Directory (389/636); Microsoft SQL Server (1433); Oracle Database Server (1521); PostgreSQL (5432); Azure SQL Database (11000/11999, 14000/14999). The links to Trend Micro ActiveUpdate, Apex Central, Deep Discovery Analyzer, VMware vCenter/ESXi/NSX and the Amazon Web Services and Azure connectors use 80/443, with 8443 also shown.]
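A check for the PostgreSQL advice above (the four log rotation parameters and deadlock_timeout), as an added example that is not Trend Micro's code. It parses the active lines of a postgresql.conf; the two configuration samples are constructed, and the logging_collector check is an addition beyond the lesson (PostgreSQL applies log_rotation_* only when its own log collector is on).

```python
"""Audit a postgresql.conf against the PostgreSQL advice in this lesson.

Added example, not Trend Micro code. Reports: any of the four log rotation
parameters missing or commented out; rotation effectively disabled (both
log_rotation_age and log_rotation_size are 0); deadlock_timeout still at
the 1 second default on a large deployment; and logging_collector off, which
PostgreSQL requires to be on for log rotation to take effect.
"""
import re

ROTATION_PARAMS = ("log_filename", "log_rotation_age",
                   "log_rotation_size", "log_truncate_on_rotation")

# Units PostgreSQL applies when a value is a bare number, plus the suffixes it accepts.
TIME_MS = {"ms": 1, "s": 1000, "min": 60_000, "h": 3_600_000, "d": 86_400_000}
SIZE_KB = {"B": 1 / 1024, "kB": 1, "MB": 1024, "GB": 1024 ** 2, "TB": 1024 ** 3}


def parse_postgresql_conf(text):
    """Return {name: value} for active settings; '#' lines and trailing comments are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][\w.]*)\s*=?\s*(.*)$", line)
        if not m:
            continue
        name, rest = m.group(1).lower(), m.group(2).strip()
        if rest.startswith("'"):                      # quoted string value
            end = rest.find("'", 1)
            value = rest[1:end] if end > 0 else rest[1:]
        else:                                         # bare value, comment may follow
            value = rest.split("#", 1)[0].strip()
        settings[name] = value
    return settings


def quantity(value, units, default_unit):
    """Convert '1440', '1d', '10MB' or '1s' into the table's base unit (ms or kB)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*([A-Za-z]*)", value.strip())
    if not m:
        raise ValueError(f"cannot parse quantity {value!r}")
    unit = m.group(2) or default_unit
    if unit not in units:
        raise ValueError(f"unknown unit {unit!r} in {value!r}")
    return float(m.group(1)) * units[unit]


def audit_postgresql_conf(text, large_system=False):
    """Return a list of (parameter, finding) tuples; an empty list means no issues."""
    s = parse_postgresql_conf(text)
    findings = []
    if s.get("logging_collector", "off").lower() not in ("on", "true", "yes", "1"):
        findings.append(("logging_collector",
                         "logging_collector is off, so log_rotation_* settings have no effect"))
    for name in ROTATION_PARAMS:
        if name not in s:
            findings.append((name, f"{name} is missing or commented out"))
    # PostgreSQL's own defaults apply when a rotation parameter is absent.
    age_ms = quantity(s.get("log_rotation_age", "1d"), TIME_MS, "min")
    size_kb = quantity(s.get("log_rotation_size", "10MB"), SIZE_KB, "kB")
    if age_ms == 0 and size_kb == 0:
        findings.append(("log_rotation",
                         "rotation disabled: log_rotation_age and log_rotation_size are both 0"))
    # Default is 1s; the lesson says to consider raising it on large systems.
    deadlock_ms = quantity(s.get("deadlock_timeout", "1s"), TIME_MS, "ms")
    if large_system and deadlock_ms <= 1000:
        findings.append(("deadlock_timeout",
                         f"deadlock_timeout is {deadlock_ms:.0f} ms; consider increasing it "
                         "where queries routinely wait longer than 1 s under load"))
    return findings


# Constructed sample configurations for this example.
RECOMMENDED_CONF = """
logging_collector = on
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'   # date/time conversions in the name
log_rotation_age = 1440        # minutes: a new file every day
log_rotation_size = 10000      # kB: a new file at 10 000 KB
log_truncate_on_rotation = on
deadlock_timeout = 5s
"""

STOCK_CONF = """
#logging_collector = off
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
log_rotation_age = 1d
#log_rotation_size = 10MB
#log_truncate_on_rotation = off
deadlock_timeout = 1s
"""

if __name__ == "__main__":
    for label, conf in (("recommended", RECOMMENDED_CONF), ("stock", STOCK_CONF)):
        for param, finding in audit_postgresql_conf(conf, large_system=True) or [("-", "no findings")]:
            print(f"{label}: {param}: {finding}")
```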
Network Communication

Communication between Deep Security Manager and Deep Security Relays/Agents/Appliances and hypervisors uses DNS hostnames by default. In order for Deep Security deployments to be successful, you must ensure that each computer can resolve the hostname of Deep Security Manager. This requires a DNS entry for the Deep Security Manager host.

Note: You will be asked for the Deep Security Manager hostname as part of the installation procedure. If you do not have a DNS entry, enter an IP address during the installation.

Configuration Settings

On startup, Deep Security Manager uses the following steps to obtain and maintain all required configuration settings:
1 Loads static settings, including the database connection settings, from a set of *.properties configuration files.
2 Loads system-wide dynamic configuration settings from the systemsettings database table.
3 Loads host-specific dynamic configuration settings from the hostsystemsettings database table.
4 Loads other dynamic settings from other database tables.

dsm.properties

The dsm.properties file contains some of the most relevant Deep Security Manager settings, including the database type, connectivity details and credentials. The settings in the file are specified, one per line, using the <name>=<value> format. These values can be specified in clear text or in encrypted format; all encrypted values begin with $1$. To change an encrypted setting in the dsm.properties file, stop the Deep Security Manager service, specify the new value in clear text, save the change and start the service. After startup, Deep Security Manager will encrypt the new value and store it in encrypted format. Deep Security Manager rewrites this file each time it starts. Some sample dsm.properties settings are listed in the table below.
Setting                       Value                             Description
database.type                 SqlServer | Oracle | PostgreSQL   Configured database server: Microsoft SQL Server, Oracle, or PostgreSQL.
database.name                 <DB Name>                         Name of the database in the database server used by Deep Security Manager. Default: dsm.
database.SqlServer.server     <IP> | <Host>                     Name of the SQL database server in the network.
database.SqlServer.instance   <String>                          Instance name of the SQL database server, if different from the default.
database.SqlServer.user       <String>                          User name in the SQL database server.
database.SqlServer.password   <String>                          Encrypted user password in the SQL database server.

configuration.properties

This properties file is created in the installation folder by the Deep Security installer and is not modified after that.

override.properties

The properties specified in this configuration file override the properties specified in the dsm.properties file. This file can be created manually by a support engineer to modify product behavior without affecting the original configuration. This file supports the same configuration settings as dsm.properties. If Deep Security finds an instance of override.properties during product initialization, it will use this file, leaving dsm.properties untouched. If the new settings in override.properties behave as expected, rename the file to dsm.properties.

logging.properties

The properties in this file control the logging behavior in Deep Security.

Multiple Deep Security Manager Nodes

You may want to prepare two computers for Deep Security Manager installations. In a production environment, two Deep Security Manager nodes connected to a single database can be set up to provide increased reliability, redundant availability, virtually unlimited scalability, and better performance.
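Returning to the properties files described above: the precedence of override.properties over dsm.properties, and the $1$ prefix that marks an encrypted value, as an added example that is not Trend Micro's code. It merges the two files and lists credential-like settings still held in clear text. Treating lines that start with "#" as comments, and recognising credentials by words in the setting name, are assumptions of this example; both property files below are constructed samples with placeholder values.

```python
"""Effective Deep Security Manager settings and clear-text credential check.

Added example, not Trend Micro code. The lesson states that dsm.properties
holds one "name=value" setting per line, that encrypted values start with
"$1$", and that override.properties takes precedence over dsm.properties.
Comment handling and the credential-name heuristic are assumptions here.
"""

ENCRYPTED_PREFIX = "$1$"
CREDENTIAL_WORDS = ("password", "secret", "passphrase")   # assumption: name heuristic


def parse_properties(text):
    """Parse name=value lines into a dict; a later duplicate name wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                                  # assumption: comments/blank lines skipped
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip()
    return settings


def effective_settings(dsm_text, override_text=None):
    """Merge dsm.properties with override.properties, the override winning."""
    settings = parse_properties(dsm_text)
    if override_text:
        settings.update(parse_properties(override_text))
    return settings


def is_encrypted(value):
    """The lesson: every encrypted value begins with $1$."""
    return value.startswith(ENCRYPTED_PREFIX)


def cleartext_credentials(settings):
    """Names of credential-like settings whose value is not in encrypted form.

    The Manager re-encrypts a clear-text value in dsm.properties when it next
    starts, so a hit here means the service has not been restarted since the
    edit, or the value comes from override.properties and should be reviewed.
    """
    return sorted(
        name for name, value in settings.items()
        if value and any(w in name.lower() for w in CREDENTIAL_WORDS)
        and not is_encrypted(value)
    )


# Constructed samples; host names and the password are placeholders.
DSM_PROPERTIES = """\
# constructed dsm.properties
database.type=SqlServer
database.name=dsm
database.SqlServer.server=sql-01.example.internal
database.SqlServer.instance=
database.SqlServer.user=dsm_svc
database.SqlServer.password=$1$placeholder-ciphertext
"""

OVERRIDE_PROPERTIES = """\
# constructed override.properties: point the Manager at a new database server
database.SqlServer.server=sql-02.example.internal
database.SqlServer.password=PlaceholderClearTextPassword
"""


def report(dsm_text, override_text=None):
    """Return (effective settings, names of clear-text credentials)."""
    settings = effective_settings(dsm_text, override_text)
    return settings, cleartext_credentials(settings)


if __name__ == "__main__":
    settings, exposed = report(DSM_PROPERTIES, OVERRIDE_PROPERTIES)
    print("database server:", settings["database.SqlServer.server"])
    print("clear-text credentials:", ", ".join(exposed) or "none")
```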
By default, the multi-node manager provides the addresses of both Deep Security Manager nodes to Deep Security Agents and Virtual Appliances, which in turn use the list of addresses to randomly select a node to contact. If neither node can be reached, the Agent or Appliance waits until the next heartbeat and tries again. Once the second Deep Security Manager node is created, neither node is more important than the other.

High Availability

Multi-node installations provide Deep Security networks with failover capability. If one Deep Security Manager is busy, or fails, the rest of the network can fail over to the second. Therefore, whenever possible, having more than one node is advisable.

• Each node is capable of all tasks and no node is more important than any of the others.
• Users can sign into any node to carry out their tasks.
• The failure of any node cannot lead to any tasks not being carried out.
• The failure of any node cannot lead to the loss of any data.

All Deep Security Manager nodes periodically check the health of all other nodes. If the other Manager node loses network connectivity for more than 3 minutes, it is considered offline and the remaining nodes assume its tasks.

For networks with up to 20,000 Deep Security Agents or Virtual Appliances, having at least two Deep Security Manager nodes is advisable, but not required for scalability. Above 20,000, having at least two nodes is recommended.

[Figure: two Manager nodes, dsm_1 (Manager Node, Online) and dsm_2 (Manager Node, Online), sharing SQL-01 (SQL Server Primary)]

Each node must be running the same version of the Deep Security Manager software. When performing an upgrade of the Manager software, the first Manager to be upgraded takes over all Deep Security Manager duties and shuts down all the other Deep Security Manager nodes. They appear as offline in the System Activity panel with an indication that an upgrade is required.
[Figure: dsm_1 (Manager Node, Online) and dsm_2 (Manager Node, Offline (Upgrade Required)), sharing SQL-01 (SQL Server Primary)]

All critical Deep Security Manager data are stored in the database. In disaster recovery situations, therefore, the only consideration to note is the location of the database server and the authentication credentials stored in dsm.properties. As all information and settings are stored in the database, it is IMPERATIVE that regular backups of the Deep Security database are scheduled.

Database clustering is supported in both Oracle and Microsoft SQL environments and is recommended for disaster recovery situations. Oracle Data Guard and Microsoft SQL database mirroring both have no side effects on regular Deep Security functionality and can be safely used.

Performing Operations Through the Deep Security Manager Web Console

The Deep Security Manager Web console allows administrative users with the appropriate permissions to manage policies, computers and system settings through a Web-based interface. Administrative users authenticate to the Deep Security Manager Web console through a supported browser, and click the appropriate menu and interface components to perform system operations.

Performing Operations Through a Command Line

In addition to performing operations in the Deep Security Manager Web console, you can instruct Deep Security Manager to perform a number of actions from a command line in Windows or Linux.

Performing Operations Through the Windows Command Prompt

Open the Windows Command Prompt as an Administrator and change folders to the following location on the Deep Security Manager host computer:

C:\Program Files\Trend Micro\Deep Security Manager\

Performing Operations Through the Linux Terminal

Open the Linux Terminal as the root user and change folders to the following location on the Deep Security Manager host computer:
/opt/dsm/

Command Syntax

To perform any of the following Deep Security Manager actions, use the following syntax:

dsm_c -action <actionname>

Action Name / Description / Usage:

changesetting
  Description: Change a setting.
  Usage: dsm_c -action changesetting -name NAME -value VALUE [-computerid COMPUTERID] [-computername COMPUTERNAME] [-policyid POLICYID] [-policyname POLICYNAME] [-tenantname TENANTNAME]

viewsetting
  Description: View a setting value.
  Usage: dsm_c -action viewsetting -name NAME [-computerid COMPUTERID] [-computername COMPUTERNAME] [-policyid POLICYID] [-policyname POLICYNAME] [-tenantname TENANTNAME]

createinsertstatements
  Description: Create insert statements (for export to a different database).
  Usage: dsm_c -action createinsertstatements [-file FILEPATH] [-generateDDL] [-databaseType sqlserver|oracle] [-maxresultfromdb count] [-tenantname TENANTNAME]

diagnostic
  Description: Create a diagnostic package for the system.
  Usage: dsm_c -action diagnostic

fullaccess
  Description: Give an administrator the full access role.
  Usage: dsm_c -action fullaccess -username USERNAME [-tenantname TENANTNAME]

resetcounters
  Description: Reset counter tables (resets back to an empty state).
  Usage: dsm_c -action resetcounters [-tenantname TENANTNAME]

setports
  Description: Set the Deep Security Manager port(s).
  Usage: dsm_c -action setports [-managerPort port] [-heartbeatPort port]

trustdirectorycert
  Description: Trust the certificate of a directory.
  Usage: dsm_c -action trustdirectorycert -directoryaddress DIRECTORYADDRESS -directoryport DIRECTORYPORT [-username USERNAME] [-password PASSWORD] [-tenantname TENANTNAME]

unlockout
  Description: Unlock a user account.
  Usage: dsm_c -action unlockout -username USERNAME [-newpassword NEWPASSWORD] [-tenantname TENANTNAME]

addregion
  Description: Add a private cloud provider region.
  Usage: dsm_c -action addregion -region REGION -display DISPLAY -endpoint ENDPOINT

listregions
  Description: List private cloud provider regions.
  Usage: dsm_c -action listregions

removeregion
  Description: Remove a private cloud provider region.
  Usage: dsm_c -action removeregion -region REGION

addcert
  Description: Add a trusted certificate.
  Usage: dsm_c -action addcert -purpose PURPOSE -cert CERT

listcerts
  Description: List trusted certificates.
  Usage: dsm_c -action listcerts [-purpose PURPOSE]

removecert
  Description: Remove a trusted certificate.
  Usage: dsm_c -action removecert -id ID

masterkey
  Description: Generate, import, export, or use a custom master key to encrypt the database password, the keystore password and personal data. If a custom master key is not configured, Deep Security uses a hard-coded seed, and personal data is not encrypted by default. If a custom master key was configured during a new install, the installer has completed this setup for you. If you skipped master key creation, use this command to configure one.
  Usage: dsm_c -action masterkey -subaction [generatekmskey -arn AWSARN | generatelocalkey]

script
  Description: Perform batch processing of dsm_c commands in a script file.
  Usage: dsm_c -action script -scriptfile FILEPATH [-tenantname TENANTNAME | -tenantid TENANTID]

upgradetasks
  Description: Run the upgrade task actions that may be required as part of an in-service upgrade.
  Usage: dsm_c -action upgradetasks [-listtasksets] [-listtasks -taskset UPGRADE_TASK_SET [-force]] [-tenantlist] [-tenantsummary] [-run -taskset UPGRADE_TASK_SET [-force] [-filter REGULAR_EXPRESSION]] [-showrollbackinfo -task TASKNAME] [-purgehistory [-task TASKNAME]] [-showhistory [-task TASKNAME]] [-tenantname TENANTNAME | -tenantid TENANTID]

versionget
  Description: View information about the current software version, the database schema version, or both.
  Usage: dsm_c -action versionget [-software] [-dbschema]

Installing Deep Security Manager 20 for Windows Server

For a successful installation, review the pre-installation checklist before proceeding with the steps in the installation.
Deep Security Pre-Installation Checklist

Prior to installing Deep Security Manager, review the following conditions to ensure that all necessary permissions, ports and other settings are in place for the Deep Security Manager installation.

• You must have Administrator/root privileges on the computers where you will be installing Deep Security software components.
• You will require Deep Security Activation Codes for the protection modules and a separate Activation Code for Multi-Tenancy if you intend to implement it. VMware licenses will also be required for VMware components.
• All computers running Deep Security software should be synchronized with a reliable time source (NTP server).
• A supported database is installed and the database server hostname, database name, database administrator user name and database administrator password are available.
• A deployment requires at least one Deep Security Relay (an Agent with Relay functionality enabled). Relays are used to keep the protection on your Deep Security Agents/Virtual Appliances up to date. Trend Micro recommends installing a relay-enabled agent on the same computer as Deep Security Manager to protect the host computer and to function as a local Relay.
• To receive alert emails from Deep Security Manager, you will need to supply your SMTP server IP address. Deep Security Manager uses port 25 by default for connections to the SMTP server.
• Deep Security Manager will need to connect to Trend Micro update servers over the Internet. If a proxy is needed for Internet access in your environment, you will need to supply your proxy server address, port and login credentials as part of the Deep Security Manager installation process.
• Fully-qualified domain names (FQDNs) are used for communications between Deep Security Manager and Agents, Relays and Virtual Appliances. For proper communications, ensure that each of your computers can resolve the hostnames of Deep Security Manager and the Relay.
You will be asked to enter the Deep Security Manager hostname as part of the installation procedure. If you do not have DNS, you can enter the Deep Security Manager host IP address.

Deep Security Manager Readiness Check

To ensure a seamless installation of Deep Security Manager, the setup routine includes a Readiness Check tool as part of the Installation Wizard. This tool verifies certain system requirements to make sure the environment is suitable for this version of Deep Security Manager.

Items verified during the Readiness Check include:

• Supported host operating systems
• Host memory
• Host available disk space
• Deep Security Manager version (in cases of upgrades)
• Supported databases
• Deep Security Agent version (in cases of upgrades)
• Deep Security Relay version (in cases of upgrades)
• Deep Security Virtual Appliance version (in cases of upgrades)

When displayed during the Setup Wizard, click Start Readiness Check. Icons are displayed to highlight the results of the Readiness Check:

• Supported: This item is supported in Deep Security 20 and Install Deep Security Manager becomes available.
• Not supported: This item is not supported in Deep Security 20 and must be corrected before Deep Security Manager can be installed. Cancel is the only setup option available in this case.
• i (information): This item is identified for information only. You can proceed with the installation.
• ! (warning): This item is identified with a warning; it is supported with caveats. For example, SQL Express is supported for use as the Deep Security database, but only for a limited number of Deep Security Agents.

Deep Security will not install on unsupported operating systems or databases. Any items displayed as Not Ready must be corrected before restarting the Readiness Check.
Installing Deep Security Manager for Windows Server

You can download the latest version of the Deep Security Manager installation package from the Trend Micro Deep Security Online Help Center at:

https://help.deepsecurity.trendmicro.com/software.html

Select the appropriate Deep Security Manager installation program (Windows or Red Hat Linux) from the Long Term Support (LTS) tab and download it to the target computer. Double-click the installation application and step through the Setup Wizard by clicking Next on each page after providing the required information.

1 Select the language for the installation.
2 Click Next on the Welcome window.
3 If you agree to the terms, click I accept the terms of the Trend Micro license agreement.
4 The Installer scans the server for a previous installation of Deep Security. If a previous version exists, the installer prompts to upgrade. If no previous version exists, the installer proceeds with a new server installation.
5 Specify the folder on the hard drive where you would like Deep Security Manager to be installed.
6 Specify the type of database you wish to use and provide the connection details. The database instance must be created beforehand and an administrator with appropriate rights must be assigned.
7 Click Start Readiness Check to confirm that all the components of your system are supported. If no warnings are displayed, click Install Deep Security Manager. If any item is displayed with a warning, correct the issue and restart the installer.
8 Enter the Activation Code for the individual modules for which you have purchased a license.
You can proceed without entering any codes, but none of the protection modules will be available for use until you do. You can enter your first or additional codes after the installation through the Deep Security Manager Web Management console.

9 Confirm the address details of the Deep Security Manager server. The Manager address must be a resolvable hostname, a fully qualified domain name, or an IP address. If DNS is not available in your environment, or if some computers are unable to use DNS, a fixed IP address should be used instead of a hostname. At this point, you could also modify the default communication ports.
10 Enter the login credentials for the Master Administrator. This administrator will be able to create identities for any other administrative users who require access to the Deep Security Manager Web console.
11 Select a Security Update Configuration. Click Create Scheduled Task to regularly check for Security Updates. When selected, Deep Security Manager automatically retrieves the latest security updates from Trend Micro and distributes them to your Deep Security Agents and Deep Security Appliances. You can configure security updates later using Deep Security Manager.
12 Select a Software Update Configuration. Click Create Scheduled Task to regularly check for Software Updates. When selected, Deep Security Manager automatically retrieves the latest software updates from Trend Micro and distributes them to your Deep Security Agents and Deep Security Virtual Appliances. You can configure software updates later using Deep Security Manager.
13 Provide an input value to generate master keys for encrypting personal information in the database.
The value entered here is used as the basis for generating the encryption keys used for this process. If not entered at this point, the keys can be generated later through a Command Prompt command.

14 If a Deep Security Agent installation package is available either in the local folder or from the Trend Micro Download Center, you will be given the option to install a co-located Relay-enabled agent on this computer.

Note: Deep Security requires at least one relay to download and distribute security and software updates. If you don't install a relay-enabled agent now, you will need to do so when the first agent is added.

15 Select whether you want to enable Trend Micro Smart Feedback. When enabled, your installation contributes to the Trend Micro Smart Protection Network to improve analysis, identification, and prevention of new threats. You can enable or configure Smart Feedback later in the Deep Security Manager console. Optionally, enter the industry your organization belongs to by selecting it from the drop-down list.

Note: Trend Micro Smart Feedback provides continuous communication between Trend Micro products and the company's 24/7 threat research centers and technologies. Each new threat identified through a single customer's routine reputation check automatically updates all of Trend Micro's threat databases, blocking any subsequent customer encounters of a given threat. For example, routine reputation checks are sent to the Smart Protection Network. By continuously processing the threat intelligence gathered through this global network of customers and partners, Trend Micro delivers automatic, real-time protection against the latest threats and provides "better together" security.
The privacy of a customer's personal or business information is always protected because the threat information gathered is based on the reputation of the communication source. Trend Micro Smart Feedback is designed to collect and transfer relevant data from Trend Micro products to the Smart Protection Network so that further analysis can be conducted and, consequently, advanced solutions can evolve and be deployed to protect clients. Samples of information sent to Trend Micro:

- File checksums
- Websites accessed
- File information, including sizes and paths
- Names of executable files

You can terminate your participation in the program at any time from the web console.

16 Finally, confirm the settings you provided and click Install to proceed with the setup of Deep Security Manager on the server.
17 The Setup Wizard proceeds with the installation operations.
18 Once complete, click Finish to close the wizard.

The Trend Micro Deep Security Manager service starts automatically once the setup wizard is complete. To view the status of the service, click Start > Administrative Tools > Services. Locate the Trend Micro Deep Security Service in the list and note that it has started.

Installing Deep Security Manager for Linux

You can use the command line to perform a silent install, or, if you have X Windows installed, you can use the graphical installer. View the section called Deploy Deep Security in the Trend Micro Deep Security Online Help Center for details on installing Deep Security Manager on Red Hat Enterprise Linux systems.

Logging into the Deep Security Manager Web Console

The Setup Wizard places a shortcut to the Deep Security Manager Web Management console in the Windows Start menu on the host computer.
To access the Deep Security Manager Web console from a remote computer, type the following URL in a web browser:

https://<hostname>:<port>/

(Where <hostname> is the hostname of the server on which you have installed Deep Security Manager and <port> is the Deep Security Manager port specified during the installation, 4119 by default.)

Administrative users accessing the Deep Security Manager Web console are required to sign in with their Username and Password. These credentials are created during the initial installation and are needed to log in and create other administrative user accounts.

• If Multi-Factor Authentication is enabled for administrative users, you will be prompted to enter a response to a token challenge before being allowed access to the console.
• If SAML Authentication is enabled for administrative users, you will be redirected to the Identity Provider login page to provide credentials.
• If Multi-Tenancy is enabled, you will be required to provide an Account Name on the Sign in page as well.

The Deep Security Manager Web Management console is displayed after a successful login. You can confirm the Deep Security version number by clicking Support > About.

Deep Security Manager Digital Certificates

Deep Security Manager creates a 10-year self-signed certificate to secure connections with Deep Security Agents, Virtual Appliances, and Relays, as well as for performing administration activities through the Web browser. This self-signed certificate may trigger security warnings in Web browsers, since the signature on the certificate cannot be verified by the browser. The warning can be disabled by importing the self-signed certificate created by Deep Security Manager into the browsers used by administrative users.
A better solution is to replace this self-signed certificate with a certificate issued by a trusted Certificate Authority (CA). Such certificates are maintained after a Deep Security Manager upgrade. For information on using a certificate from a third-party Certificate Authority, consult the Deep Security Online Help Center.

Upgrading From Deep Security 12

A direct upgrade to Deep Security 20 is available if your current installation uses Deep Security 11.x or 12.x. For any previous version, you must upgrade to Deep Security 11 or 12, then upgrade that installation to Deep Security 20.

The Readiness Check tool allows you to confirm that the components of your current Deep Security installation are supported as part of the upgrade. The Readiness Check can be run as part of the Setup Wizard, or it can be run as a separate tool from the Command Prompt. If your current installation of Deep Security includes components that are not supported in Deep Security 20, the upgrade will not proceed and you will be advised to update those components.

To upgrade your installation of Deep Security 12 to Deep Security 20 for Windows, perform the following steps:

1 Download the Deep Security 20 installer from the Deep Security Online Help Center. Double-click the installer to initialize the Setup Wizard. The Wizard scans for existing installations of Deep Security.
2 If an installation of Deep Security 12 is detected, you will be prompted to either upgrade the existing version to Deep Security 20 or create a new installation. This new installation will require different database details.
3 The Readiness Check is displayed. Click Start Readiness Check to begin the process. The tool verifies that the components of your current deployment are supported with Deep Security 20.
4 The results of the Readiness Check are displayed. If all the components of your current deployment are supported with Deep Security 20, Upgrade Deep Security Manager becomes available, allowing you to continue with the upgrade. If an item is unsupported, a red icon is displayed with an explanation. Update the identified item and click Restart Readiness Check until no items display with red warning icons.
5 A summary of the selected upgrade options is displayed. Click Install to begin the upgrade.
6 The upgrade is run on the existing installation of Deep Security Manager 12.
7 When the upgrade is complete, click Finish.

Upgrading From Deep Security 11

An upgrade from Deep Security 11 incorporates a few extra steps, as a database schema update must be performed and an input value for the master key encryption must be provided. To upgrade your installation from Deep Security 11 for Windows, perform the following steps:

1 Download the Deep Security 20 installer from the Deep Security Online Help Center. Double-click the installer to initialize the Setup Wizard. The Wizard scans for existing installations of Deep Security.
2 If an installation of Deep Security 11 is detected, you will be prompted to either upgrade the existing version to Deep Security 20 or create a new installation. This new installation will require different database details.
3 The Readiness Check is displayed. Click Start Readiness Check to begin the process. The tool verifies that the components of your current deployment are supported with Deep Security 20.
4 The results of the Readiness Check are displayed.
If all the components of your current deployment are supported with Deep Security 20, Upgrade Deep Security Manager becomes available, allowing you to continue with the upgrade. If an item is unsupported, a red icon is displayed with an explanation. Update the identified item and click Restart Readiness Check until no items display with red warning icons.

5 Provide an input value to generate master keys for encrypting personal information in the database. The value entered here is used as the basis for generating the encryption keys used for this process. If not entered at this point, the keys can be generated later through a Command Prompt command.
6 A reminder is displayed to back up the database. If a problem occurs during the upgrade, the database may become corrupt. Having a recent backup available is essential for restoring the system in this scenario. Run a backup of the database, then click I Have Backed Up My Database.
7 An option to purge old data from the database during the update of the schema is presented. If desired, select a time period to preserve older event data.
8 A summary of the selected upgrade options is displayed. Click Install to begin the upgrade.
9 The upgrade is run on the existing installation of Deep Security Manager.
10 When the upgrade is complete, click Finish.

Review Questions

1 What information does Deep Security store in the database?
2 What factors affect the system resource requirements (CPU, memory, disk space) for the database used by Deep Security?
3 Why does Trend Micro recommend that Deep Security be installed in a multi-node configuration?
Lesson 3: Deploying Deep Security Agents

Lesson Objectives:

After completing this lesson, participants will be able to:

• Describe the responsibilities of the Deep Security Agent
• Import the Deep Security Agent software packages into Deep Security Manager
• Install Deep Security Agents
• Add protected computers to the Computers list
• Activate Deep Security Agents

A Deep Security Agent is the software component deployed directly on a server that provides Application Control, Anti-Malware, Web Reputation, Firewall, Intrusion Prevention, Integrity Monitoring, and Log Inspection protection. Deep Security Agents are supported on a variety of physical, virtual and cloud servers and enforce the policy settings configured in Deep Security Manager. The Agents return event details to Deep Security Manager on a regular basis, allowing administrators to view security events occurring on the protected servers.

Deep Security Agent Architecture

When initially installed, the Deep Security Agent does not include the security modules; they are added when they are enabled through policies. Module installation is driven by the Smart Agent policy, meaning that only the modules assigned by the policy are installed. The Deep Security Agent consists of two main parts:

• Deep Security Agent Core: The Deep Security Agent Core includes the minimal framework needed to start on a system, establish communication with Deep Security Manager and provide the primary features such as platform utilities and configuration management. The Deep Security Agent Core includes only the code required for communicating with Deep Security Manager and for downloading and installing the required features.
• Deep Security Agent Features: The Deep Security Agent Features are downloadable components that provide the high-level functionality that must be implemented depending on the scanning features being enabled, as well as Agent variants such as a Relay.
Depending on the features being installed, other plug-ins or components required to implement the selected features may also be installed.

Note: Installed features can be disabled, but cannot be uninstalled.

[Figure: Deep Security Agent architecture. Agent Core: dsa (ds_agent, dsa_control, dsa_query), Commands, Uninstaller, Notifier, Update (iAU), Network Driver. Features: Anti-Malware, Web Reputation, Firewall, Intrusion Prevention, Integrity Monitoring, Log Inspection, Application Control. Installed Components: Agents, Plug-ins (AMSP, Network Plug-in), Relay Component (Relay Backend). Ports shown: 4118 and 4122.]

Deep Security Agent System Requirements

Deep Security Agents are available for a wide variety of 32-bit and 64-bit operating systems, including Windows, Linux, Unix and Solaris. Consult the Online Help Center for the most up-to-date list. The system requirements for Deep Security Agents include:

• Minimum Memory: Minimum RAM requirements depend on the protection features enabled on the Agent. 4GB of RAM is recommended when all protection features are enabled. Less RAM is required (2GB) if you do not enable all Deep Security features.
• Minimum Disk Space: 1 GB of hard drive space is recommended on the Agent computer, which increases to 30GB when the Agent is promoted to become a Relay.

Note: Available Deep Security Agent features may vary by operating system. View the following help topic for full details on which Agent features are supported on each operating system: https://helpcenter.deepsecurity.trendmicro.com/20_0/on-premise/supported-features-by-platform.html

Deploying Deep Security Agents

When you first install the Deep Security Agent software, only core functionality is enabled. None of the Protection Modules are installed until you enable protection on the Deep Security Agent by assigning policies.
When a Protection Module is enabled, any plug-ins or components needed for that module are installed.

The steps involved in deploying a Deep Security Agent on a server include the following:

1 Importing the Deep Security Agent software package for the required operating systems into Deep Security Manager.
2 Installing the Deep Security Agent using one of the following methods:
  • Installing manually
  • Installing using a script
  • Installing using Microsoft Installer
3 Adding the protected server to the Computers list.
4 Activating the Deep Security Agent on the protected server.

Depending on the method used to install the Deep Security Agent, adding the server to the Computers list and activating the Agent may be performed automatically as part of the process.

Importing Deep Security Agent Software into Deep Security Manager

Importing the Deep Security Agent software packages (which include all protection module features, plug-ins and filters) into Deep Security Manager before installing them on your computers simplifies the process of enabling the plug-ins and components needed for each module. Importing the Deep Security Agent software package also makes it convenient to extract the Deep Security Agent installer from the package through the Deep Security Manager Web console.

Note: Deep Security verifies the digital signature on the Deep Security Agent package to ensure that the software files have not changed since the time of signing.

The process for importing Agent software packages to Deep Security Manager includes the following steps:

1 In the Deep Security Manager Web console, click the Administration menu. In the left-hand pane, expand Updates > Software > Download Center. The Trend Micro Download Center page displays the latest versions of all Deep Security Agent software available from Trend Micro.
2 Select the Deep Security Agent software packages required from the list and click Import at the top of the list, or click the Import Now icon. Deep Security Manager will begin to download the software from the Trend Micro Download Center.

Note: Import the software packages for each operating system used on the servers to be protected.

3 Once the software has finished downloading, a green check mark appears in the Imported column for the selected Deep Security Agent.
4 Click Local in the left-hand pane. The Local Software page lists all the software packages that have been imported into Deep Security. The Is Latest column displays whether the local software is up to date with the software available from the Download Center.

You can view the contents of the software packages in Local Software by browsing to the following folder on the Deep Security Manager computer:

C:\Program Files\Trend Micro\Deep Security Manager\temp
Installing the Deep Security Agent

Deep Security Agents can be installed on the protected server using one of the following methods:

• Install manually using an *.msi, *.deb or *.rpm file (depending on the operating system on the protected computer)
• Install using a script which is executed on the protected server
• Distribute the *.msi file using a software distribution process, then install using Microsoft Installer commands

Installing Deep Security Agents Manually

The process for installing Deep Security Agents manually on the host computer includes the following steps:

1 Exporting the Deep Security Agent software installer from the Agent software package
2 Running the Deep Security Agent installer on the host computer

As mentioned previously, plug-ins for the protection modules are only downloaded from Deep Security Manager after you have enabled that module on the Deep Security Agent. If you do not import the Deep Security Agent installation package into Deep Security Manager, Agents will be unable to download the required module plug-ins when the individual protection modules are enabled on the Deep Security Agent computer.

Exporting the Deep Security Agent Installer

Once the import process is complete, Deep Security Manager stores the Deep Security Agent Installer Package (.zip), containing the core installer (.msi, .rpm or .deb as appropriate to the platform) and the feature packages (.dsp). The installer can be exported from Deep Security Manager with the following steps.

1 In the left-hand pane, expand Updates > Software > Local. Right-click the software package *.zip file, click Export and make the appropriate selection.
  • Click Export Package to export the entire software package. Deep Security Agents will install the necessary Protection Module components from this package.
  • Click Export Installer to extract the core Deep Security Agent installer from the package.
The installer is a lightweight package that does not contain any of the plug-ins required for the protection modules. When you activate the Deep Security Agent and turn on a protection module, Deep Security Manager retrieves the required plug-in from the software package in its database and sends it to the Deep Security Agent to be installed on the computer.

2 Save the exported item to a local folder.
3 Copy the exported item to a location which is accessible by client computers. The installers can also be made available using any software distribution method used in your organization.

Running the Deep Security Agent Installer on a Windows Host Computer

You must have administrator permissions to install and run the Deep Security Agent on a protected Windows server. If the protected server is running on an AWS instance or an Azure virtual machine, use RDP to connect to the server and run the installer as indicated in the following steps.

1 Locate the Deep Security Agent installer *.msi file (exported from Deep Security Manager using the above steps) and double-click the installation file.
2 When prompted, click Run.
3 When the Welcome screen is displayed, click Next to begin the installation.
4 Accept the terms of the license agreement, and click Next.
5 Select the destination folder where you would like the Deep Security Agent to be installed, and click Next.
6 Click Install to begin the installation.
7 The Setup Wizard installs the Agent files on the server.
8 On Windows Server computers, the Deep Security Notifier displays a message indicating that the installation of that component is complete.
9 When the installation has completed successfully, click Finish. The Deep Security Agent is now installed and running on this computer, and will start every time the machine restarts.

Running the Deep Security Agent Installer on Red Hat, CentOS and Other Linux Host Computers

You must have root privileges to install and run the Deep Security Agent on a protected Linux server.

1 Copy the Deep Security Agent installer *.rpm/*.deb file (or other installer executable exported from Deep Security Manager using the above steps) to the Linux computer.
2 To install the Agent on Red Hat or CentOS Linux, enter the following command in the Terminal (as root, or through sudo):

sudo rpm -i <Agent_package_name>

To install the Deep Security Agent on other platforms, refer to the Online Help Center:
• Amazon Linux
• Debian
• Ubuntu
• AIX
• HP-UX
• Solaris

Installing Deep Security Agents Using Deployment Scripts

Deployment scripts can be used to install the Deep Security Agent and add the computer to the list of protected resources in Deep Security Manager. Most of the steps available in the Deep Security Manager Web console can also be performed from the command line; you can include any of these commands as part of your deployment scripts. The Deep Security Manager console includes a tool for creating your own deployment scripts.

1 Click Support > Deployment Scripts. This tool can also be accessed directly from the Local Software page: select the appropriate package from the list and click Generate Deployment Scripts.
2 Select the Platform for which a script will be created (Windows, Linux or Solaris). The Deployment Scripts tool displays the code for the script.
Scripts can be adjusted for specific needs; for example, the sleep time can be extended if the cloud environment is busy or short of resources. If automatic activation of the Deep Security Agent is required, an option in the Deployment Scripts window will also include the commands necessary to activate the Deep Security Agent after installation, along with details of the policy, group, relay group and proxies to apply. The option to activate requires that Allow Agent-Initiated Activation be enabled under Administration > System Settings > Agents. An activation token can also be provided so that only Agents presenting the token, such as those deployed with a script generated by this installation of Deep Security Manager, are accepted.

3 Click Save to File to save the script code. Alternatively, click Copy to Clipboard and paste the script code into deployment tools such as RightScale, Chef, Puppet, SSH or PowerShell.
4 Run the script on the host computer.

Note: The deployment scripts generated by Deep Security Manager for Windows Agent deployments require Windows PowerShell version 4.0 or later.

Installing Deep Security Agents on an AWS Instance Using Deployment Scripts

Deployment scripts can be used to install the Deep Security Agent on an AWS instance by using RDP to connect to the server and running the script in PowerShell or another deployment tool. Alternatively, the script can be incorporated into an Amazon Web Services AMI. An AMI is a template that contains the software configuration (operating system, application server, and applications) required to launch your instance. Adding the script to this template installs and activates a Deep Security Agent automatically when new instances are launched, ensuring that protection on the new instance is immediate. Add the script content to the User Data field in the Advanced Details section of the template definition. Bear in mind that a script placed in user data carries the activation token in clear text, and anyone who can read the instance's user data can read the token.
Installing Deep Security Agents on an Azure Virtual Machine Using Deployment Scripts

The scripts can be run on an Azure virtual machine by using RDP to connect to the server and running the script in PowerShell or another deployment tool.

Installing Deep Security Agents on a Google Cloud Platform Virtual Machine Using Deployment Scripts

The scripts can be run on Google Cloud Platform virtual machines by using RDP to connect to the server and running the script in PowerShell or another deployment tool.

Installing Deep Security Agents From the Microsoft Installer Command Prompt

Deep Security Agents can be installed using the Microsoft Installer file (*.msi) through the msiexec command from the Command Prompt with the following parameters:

msiexec.exe /q /i <DSA_Agent_Installer.msi>

Where:
/q - quiet (silent) installation
/i - install
<DSA_Agent_Installer.msi> - filename of the Deep Security Agent installer

Adding the Protected Servers to the Computers List

Deep Security Manager can only detect vulnerabilities and implement security on servers that are displayed in the Computers list. Populating this list and ensuring that it correctly reflects the composition of the network is a critical security task. Some Add operations will automatically activate the Deep Security Agents located on the servers.
Methods for adding computers to the Computers list include:

• Adding computers by hostname
• Discovering computers in an IP address range
• Adding computers by Active Directory lookup
• Adding VMware vCenter virtual machines
• Adding computers by Amazon Web Services account
• Adding computers by Microsoft Azure account
• Adding computers by VMware vCloud account
• Adding computers by Google Cloud Platform (GCP) account (new in Deep Security 20)
• Importing a computer from a file

Adding Computers by Hostname

Administrators can add individual computers to the Computers list by specifying them in the New Computer Wizard. Type the Hostname (or IP address) of the new computer and optionally select a Policy to be applied to the new computer and a Relay Group from the list. Clicking Next tells Deep Security Manager to find the computer on the network.

• If the computer you specified is not found, Deep Security Manager will still create an entry for it in the Computers list, but you will have to ensure that Deep Security Manager can reach this computer and that a Deep Security Agent is installed and activated. You can then apply the appropriate policy to it.
• If the computer is found but no Agent is identified, Deep Security Manager will create an entry for the computer in the Computers list. You will have to install an Agent on the computer and activate it.
• If the computer is found and an Agent is detected, Deep Security Manager will create an entry in the Computers list. As soon as you exit the wizard (by clicking Finish), Deep Security Manager will activate the Agent on the computer and apply the policy you selected.

Discovering Computers in an IP Address Range

To add multiple computers at once, an administrative user can specify a range of IP addresses and Deep Security Manager will search the range and locate any computers with IP addresses within that range. Click Add > Discover.
Deep Security Manager uses an ICMP echo request to locate a host. If the attempt fails, Deep Security Manager will try to establish a TCP connection on port 7 (echo) to the target host. During discovery, Deep Security Manager searches the network for any visible computers that are not already listed. When a new computer is found, Deep Security Manager attempts to detect whether an Agent is present. When discovery is complete, Deep Security Manager displays all the computers it has detected and shows their status in the Status column. A host whose firewall drops ICMP echo requests and has no echo service on TCP port 7 will not be found by Discovery; add such hosts by hostname or through a directory or cloud connector instead.

When running a Discovery operation with Automatically Resolve IPs to hostnames enabled, it is possible that the discovery operation will find hostnames where Deep Security Manager cannot: Discovery is able to fall back to a WINS query or NetBIOS broadcast to resolve the hostname in addition to DNS, whereas Deep Security Manager itself only supports hostname lookup via DNS.

• Computers identified with this method can be automatically assigned a group, but not a policy.
• Agent software found on those computers will NOT be automatically activated.
• If a computer is already listed through other detection methods, it will NOT be listed in the results of this search.

Adding Computers by Active Directory Lookup

Deep Security Manager can populate its Computers list using information retrieved from Active Directory servers. To import these hosts, the Add Directory Wizard performs an LDAP query to retrieve the necessary information from the Directory. When prompted, provide the details of the Active Directory branch to search for new computers.

Computers in the specified Directory branch are displayed.

• Computers identified with this method will NOT be automatically assigned a policy.
• Agent software found on those computers will NOT be automatically activated.
• If a computer is already listed through other detection methods, it will STILL be listed in the results of this search.
• Computers are imported and synchronized according to the structure in the directory. For example, the Deep Security Manager computer object hierarchy matches the Directory structure.
• After the initial data retrieval, Deep Security Manager needs to periodically synchronize its host information with the information in the Directory to keep its information up to date.

Depending on the communication needs of the directory, the wizard can send its query as a clear-text query on port 389, or over a secure SSL/TLS connection on port 636. Prefer port 636 even for computer discovery: a simple bind over port 389 without TLS sends the account password across the network in clear text.

• Computer discovery can use both SSL-based and clear-text methods, while users and contacts are restricted to non-anonymous SSL methods. The latter restriction ensures that user account information and usage are protected. SSL-based access methods will only work with SSL-enabled Active Directory servers, so users and contacts can only be imported from suitably configured servers.
• SSL-enabled Active Directory servers must have a server certificate installed. This may either be self-signed, or created by a third-party certificate authority.
• You must include your domain name as part of the User Name field.
• The Details window of each computer in Deep Security Manager has a Description field. To use an attribute of the Computer object class from your Active Directory to populate the Description field, type the attribute name in the Computer Description Attribute text box.

Filtering Active Directory Objects

When importing Active Directory objects, search filters are available to manage the objects that will be returned. By default, the wizard will only show groups. You can add additional parameters to the filter to further refine the selections.
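The following is an added example, not part of the Trend Micro guide, showing how to test a computer search filter over LDAPS (port 636) from a shell before pasting it into the Add Directory Wizard, and how to escape any operator-supplied value so it cannot change the structure of the filter (the RFC 4515 escaping rules). The domain controller name, base DN and bind account are assumptions; ldapsearch is the OpenLDAP client.

```shell
#!/bin/sh
# Added example (not part of the Trend Micro guide): build and test an Active
# Directory computer filter over LDAPS. AD_HOST, AD_BASE and AD_BIND are
# assumptions for the example; replace them with your own values.
set -eu

AD_HOST="${AD_HOST:-dc01.example.internal}"
AD_BASE="${AD_BASE:-OU=Servers,DC=example,DC=internal}"
AD_BIND="${AD_BIND:-EXAMPLE\\svc-deepsecurity}"   # the domain must be part of the user name

# Escape the four characters that carry meaning inside an LDAP filter value.
# Backslash is handled first so the escapes introduced afterwards are kept intact.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/(/\\28/g' -e 's/)/\\29/g' -e 's/\*/\\2a/g'
}

# Build "(&(objectClass=computer)(cn=<prefix>*))". The wildcard is appended by
# this function, never taken from the caller, and the prefix is escaped, so a
# value such as "*)(objectClass=*" cannot widen the search.
computer_filter() {
    printf '(&(objectClass=computer)(cn=%s*))' "$(ldap_filter_escape "$1")"
}

# Query over LDAPS only: a simple bind on port 389 without TLS would send the
# service account password in clear text. -W prompts for the password.
search_computers() {
    ldapsearch -H "ldaps://$AD_HOST:636" -D "$AD_BIND" -W \
        -b "$AD_BASE" "$(computer_filter "$1")" dNSHostName operatingSystem description
}

# Only contact the directory when invoked as "run <prefix>", so the functions can
# be sourced and checked without a network.
if [ "${1:-}" = "run" ]; then
    search_computers "${2:-web}"
fi
```

Run it as `sh adcheck.sh run web` to list computers whose name starts with "web"; the same filter string, minus the prefix escaping the wizard does not perform for you, is what goes into the wizard's filter field.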
For additional information about search filter syntax, refer to the following Microsoft document: http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

Adding VMware vCenter Virtual Machines

Deep Security Manager queries VMware vCenter Server for information about the virtual machines on the ESXi servers that are registered with it.

• Computers identified with this method will NOT be automatically assigned a policy.
• Agent software found on those computers will NOT be automatically activated.
• If a computer is already listed through other detection methods, it will STILL be listed in the results of this search.

The same logic applies behind the scenes whether Deep Security Manager populates its Computers list from vCenter or by importing lists from Active Directory. Note that real-time synchronization is maintained with VMware vCenter to keep the information displayed in Deep Security Manager up to date (number of VMs, their status, etc.).

Adding Computers in an Amazon Web Services Account

Deep Security can connect to and manage computers supplied by an Amazon Web Services account. Provide your Amazon Web Services Access Key ID and Secret Access Key to begin the detection process. A list of all the EC2 instances in the account will be added to the Computers list. Use a dedicated IAM identity whose policy grants only the EC2 describe permissions the connector needs, rather than an administrator's keys.

• Computers identified with this method will NOT be automatically assigned a policy.
• Agent software found on those computers will NOT be automatically activated.
• If a computer is already listed through other detection methods, it will STILL be listed in the results of this search.

Once you have imported the resources from any of the cloud provider accounts into Deep Security Manager, the computers in the account are managed like any computer on a local network.
Note: Empty AWS host groups can now be hidden on the Computers page. Instead of showing all host groups, empty host groups are represented by a greyed-out, italicized count. This feature can be toggled on and off by right-clicking Computers in the host group tree.

Adding Computers in a Microsoft Azure Cloud Account

Deep Security can connect to and manage computers supplied by Microsoft Azure cloud services. Provide the details of your Azure subscription to begin the detection process. A list of all the Azure virtual machines in the account will be added to the Computers list.

• Computers identified with this method will NOT be automatically assigned a policy.
• Agent software found on those computers will NOT be automatically activated.
• If a computer is already listed through other detection methods, it will STILL be listed in the results of this search.

Adding Computers in a VMware vCloud Account

Deep Security can connect to and manage computers supplied by VMware vCloud. A list of the virtual machines in the account will be added to the Computers list.

• Computers identified with this method will NOT be automatically assigned a policy.
• Agent software found on those computers will NOT be automatically activated.
• If a computer is already listed through other detection methods, it will STILL be listed in the results of this search.

Adding Computers by Google Cloud Platform

A Google Cloud Platform (GCP) connector has been added to Deep Security 20. When you add a Google Cloud Platform account to Deep Security, all virtual machines associated with that account are imported into Deep Security Manager and become visible in the Computers list. Only virtual machines hosting Deep Security 12 Agents (or higher) can be managed through this connector.
If you have Agents already installed on Google Cloud Platform virtual machines, upgrade them to at least Deep Security 12 so that they will be recognized by the connector.

Importing a Computer From a File

To save you the trouble of re-discovering and scanning computers in a new installation of Deep Security Manager, you can export the computers in your Computers list on one system to an XML or CSV file. You can then manually import the devices into the Computers list on the new system.

Activating Deep Security Agents

Activation is required for Deep Security Agents and Virtual Appliances to accept commands from Deep Security Manager and report their status. Behind the scenes, the following operations are performed during activation:

1 The SSL certificate and the URL of the Deep Security Manager are transferred to the Deep Security Agent.
2 A Globally Unique Identifier (GUID) is generated and returned to the Deep Security Agent.
3 Information about the Deep Security Agent's NICs is retrieved.
4 The registered Deep Security Agent information is stored in the database.

Prior to activating your Agents you will first need to determine and configure the direction of communication between your Deep Security Manager and Agents. This setting must be configured correctly in order for Agents to be activated and communicate with Deep Security Manager.

To secure the communications between the Agent and Deep Security Manager during Agent-initiated activations, administrative users must set a shared Agent activation token to include in Command Prompt commands and deployment scripts.

In the Deep Security Manager Web console, click the Administration menu and in the left-hand pane, click System Settings. Click the Agents tab and select Allow Agent-Initiated Activation. Type a secret in the Agent activation token field.
If an administrative user enables Agent-Initiated Activation and an Agent activation token is not provided, Agents will be able to activate automatically without providing any authentication: any host that can reach the Manager's heartbeat port can register itself as a protected computer. If Agent-Initiated Activation is enabled and an Agent activation token is entered, Agents will be required to provide this value in order to activate.

Note: In a multi-tenant environment, the Agent activation secret applies only to the primary tenant. Other tenants are assigned a system-generated password.

Activating Deep Security Agents Through the Deep Security Manager Web Console

Activation of Deep Security Agents can be initiated in Deep Security Manager by an administrative user by right-clicking the device in the Computers list and selecting Activate/Reactivate. In this case, Deep Security Manager sends activation commands to the Agent.

Activating Deep Security Agents Through a Command Line

Administrative users can initiate Agent-based activation of Deep Security Agents by typing the following command in the command line on the Deep Security Agent host:

dsa_control -a dsm://<host or IP>:<port>/

When an activation token is configured, it is passed to the same command as an additional argument. For the command-line Agent activation option to work, Deep Security Manager must be set to accept Agent-Initiated Activation (AIA) commands. This method is particularly useful when using scripts or in cloud environments like Amazon Web Services, where Deep Security Manager typically cannot connect to Deep Security Agents to activate them, but the Agents can connect to Deep Security Manager.

Activating Deep Security Agents Through a Script

Scripting support in Deep Security allows automated deployment and Agent-initiated activation of Deep Security Agents. Administrative users can generate deployment scripts to automatically download the Deep Security Agent software from Deep Security Manager, install the Agent and activate it.
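The following is an added example, not a script generated by Deep Security Manager and not Trend Micro's code, that ties together the deployment-script and command-line activation sections above for a Linux host: it verifies the exported installer against a pinned SHA-256, installs it with rpm, and then performs Agent-Initiated Activation with the shared token, a policy ID and a relay group ID. The token, policy and relay-group properties are the documented activation arguments; the Manager hostname, IDs, installer path and pinned hash are assumptions. An empty token is refused, because activating without one would let any host register itself.

```shell
#!/bin/sh
# Added example (not a Deep Security Manager generated script). Assumed values:
# DSM_HOST, DSM_PORT (Manager heartbeat port, default 4120), DSA_TOKEN (the
# shared activation token from System Settings > Agents), POLICY_ID,
# RELAY_GROUP_ID, AGENT_RPM and AGENT_RPM_SHA256 (hash recorded at export time).
set -eu

DSM_HOST="${DSM_HOST:-dsm.example.internal}"
DSM_PORT="${DSM_PORT:-4120}"
DSA_TOKEN="${DSA_TOKEN:-}"
POLICY_ID="${POLICY_ID:-1}"
RELAY_GROUP_ID="${RELAY_GROUP_ID:-0}"
AGENT_RPM="${AGENT_RPM:-/tmp/agent-core-linux.rpm}"
AGENT_RPM_SHA256="${AGENT_RPM_SHA256:-}"

# Build the argument string for "dsa_control -a": the dsm:// URL followed by the
# token:, policyid: and relaygroupid: properties. Refuses an empty token so the
# Agent is never activated without authentication.
build_activation_args() {
    host="$1"; port="$2"; token="$3"; policy="$4"; relay="$5"
    if [ -z "$token" ]; then
        echo "refusing to activate without an activation token" >&2
        return 1
    fi
    printf 'dsm://%s:%s/ token:%s policyid:%s relaygroupid:%s' \
        "$host" "$port" "$token" "$policy" "$relay"
}

# Compare the SHA-256 of the installer with the pinned value (0 = match).
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
    [ "$actual" = "$expected" ]
}

deploy_agent() {
    verify_sha256 "$AGENT_RPM" "$AGENT_RPM_SHA256" || {
        echo "installer hash mismatch, aborting" >&2; return 1; }
    rpm -i "$AGENT_RPM"
    sleep 15   # let ds_agent start; lengthen on busy cloud hosts
    args="$(build_activation_args "$DSM_HOST" "$DSM_PORT" "$DSA_TOKEN" \
        "$POLICY_ID" "$RELAY_GROUP_ID")"
    # The token contains no whitespace, so splitting $args yields the four
    # arguments built above.
    /opt/ds_agent/dsa_control -a $args
}

# Install only when invoked with "deploy", so the functions can be sourced and
# checked without touching the host.
if [ "${1:-}" = "deploy" ]; then
    deploy_agent
fi
```

Run it as root with the variables exported (for example from a secrets store rather than hard-coded in user data), then confirm in the Computers list that the host appears with the expected policy. The Manager side still needs Allow Agent-Initiated Activation enabled, and the token comparison happens on the Manager, not in this script.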
Note: To use a deployment script to activate your Agents, Deep Security Manager must be set to allow Agent-initiated activation.

Assigning Policy Automatically

Self-activated Deep Security Agents can be assigned a predetermined Policy automatically to ensure at least a minimum level of protection, using event-based tasks. To create the task in the Deep Security Manager Web console, click the Administration menu and in the left-hand pane, click Event-Based Tasks. Create a new task using the event Computer Created (by system) and select the Assign Policy action. Tasks such as Policy, Relay and Computer Group assignment can be carried out automatically on newly discovered assets based on their hostnames, IPs, Tenancy ID, Tenancy Template, Instance Type, or other cloud asset properties.

Deep Security Agent Heartbeat

A heartbeat is a periodic communication between Deep Security Manager and an Agent or Appliance. During a heartbeat, Deep Security Manager collects information about the Agent, including:

• The status of the drivers (on- or off-line)
• The status of the Agent or Appliance (including clock time)
• Agent or Appliance logs since the last heartbeat
• Data to update counters
• A fingerprint of the Agent or Appliance security configuration (used to determine if it is up to date)

The heartbeat can be configured through policy, or on an individual computer.

Deep Security Manager to Agent Communication

The available settings for configuring the Deep Security Manager to Agent communication direction are:

• Bidirectional: With bidirectional communication enabled, the Deep Security Agent or Appliance initiates the heartbeat but still listens on the Agent port for Deep Security Manager connections.
Deep Security Manager is free to contact the Agent or Appliance in order to perform operations as required. The Deep Security Virtual Appliance can only operate in bidirectional mode. This is the default setting configured in the Deep Security Manager Web console.
• Manager-initiated: With manager-initiated communication, Deep Security Manager initiates all communications with Deep Security Agents. Communication occurs when Deep Security Manager performs scheduled updates, performs heartbeat operations, and when Activate/Reactivate or Send Policy are selected in the Deep Security Manager Web console.
• Agent-initiated: With Agent-initiated communication, the Deep Security Agent itself periodically checks for updates and controls heartbeat operations.

It is important to configure the direction of communication correctly, otherwise misleading events will be generated. As an example, if bidirectional communication is configured, Deep Security Manager will create an event every time it does not receive a Deep Security Agent heartbeat. This may generate events saying the Deep Security Agent is Offline. Another example is where Deep Security Agents can contact Deep Security Manager, but not the other way around (for example because of a NAT device or a firewall policy). If bidirectional communication is configured, every time Deep Security Manager tries to contact Deep Security Agents after a policy change, an error will be generated stating that the Deep Security Agents did not respond.

Review Questions

1 What methods are available for deploying a Deep Security Agent to a server that requires protection?
2 Describe the purpose of the Deep Security Agent heartbeat.
Lesson 4: Managing Deep Security Agents

Lesson Objectives:

After completing this lesson, participants will be able to:

• Perform Deep Security Agent operations from the Deep Security Manager Web console or a command line
• View the protection status of computers managed by Deep Security
• Upgrade Deep Security Agents
• Organize the Computers list using Groups and Smart Folders

Performing Deep Security Agent Operations Through a Command Line

You can instruct Deep Security Agents to perform a number of maintenance tasks from the command line in Windows and Linux.

Performing Operations Through the Windows Command Prompt

Open the Windows Command Prompt as an Administrator and change to the following folder on the Deep Security Agent host computer:

C:\Program Files\Trend Micro\Deep Security Agent\

Performing Operations Through the Linux Terminal

Open the Linux Terminal as the root user and change to the following folder on the Deep Security Agent host computer:

/opt/ds_agent/

Command Syntax

To perform any of the following Deep Security Agent actions, use the following syntax:

dsa_control [-a <str>] [-r] [-m] [-s <num>] [-R <str>] [-d] [-b] [-x <str>] [-u <str>] [-g <str>] [-c <str>] [-p <str>] [-t <num>]

Supported command-line arguments include:

-a <str>, --activate=<str>
    Activates the Agent with Deep Security Manager at the specified URL. The URL must be in the format dsm://hostOrIp:port/ (where port is the Manager's heartbeat port, default 4120).
-r, --reset
    Resets the Agent configuration.
-m, --heartbeat
    Asks the Agent to contact Deep Security Manager now.
-s <num>, --selfprotect=<num>
    Enables self-protection on the Agent by preventing local end-users from uninstalling, stopping, or otherwise controlling the Agent. Command-line instructions must include the authentication password when self-protection is enabled.
    (1: enable, 0: disable)
-R <str>, --restore=<str>
    Restores a quarantined file.
-d, --diag
    Generates an Agent diagnostic package.
-b, --bundle
    Creates an update bundle for use on air-gapped Relays.
-x <str>, --proxy=<str>
    Sets the address of the proxy server which the Agent uses to communicate with Deep Security Manager. The URL must be in the format dsm_proxy://proxyURL/.
-u <str>, --unpw=<str>
    Sets the proxy username and password as a username:password pair (with a colon as the separator).
-g <str>, --agent=<str>
    Specifies the Agent URL. Defaults to https://localhost:4118/.
-c <str>, --cert=<str>
    Identifies the certificate file.
-p <str>, --passwd=<str>
    Supplies the authentication password (required once a local override password has been set).
-t <num>, --retries=<num>
    If dsa_control cannot contact the Deep Security Agent service to carry out the accompanying instructions, retry <num> times. There is a one-second pause between retries.

Note: These operations can be performed from the Deep Security Manager Web console, but these commands, executed from the Command Prompt on the Deep Security Agent host computer, are especially helpful when Deep Security Agents can no longer be controlled through Deep Security Manager (for example, due to configuration or network problems). These commands can also be used in conjunction with scripts.

Resetting Deep Security Agents

In the rare case where Deep Security Manager is unable to manage the Deep Security Agent on a host computer, it is possible to wipe out all Deep Security Agent settings, including its relationship with Deep Security Manager, by performing a reset operation. This action also removes any security policy previously deployed to and implemented within the Deep Security Agent.
To reset the Agent, open a Command Prompt on the server protected by the Deep Security Agent, change to the Deep Security Agent folder and run the following command:

dsa_control -r

In Deep Security Manager, deactivate the problematic Agent from the Computers list, then reactivate it.

Protecting Deep Security Agents From Modification

Modification of the Deep Security Agent on Windows computers can be prevented by enabling the Agent Self-Protection settings in the Deep Security Manager Web console.

When self-protection is enabled, attempts to make modifications to the Deep Security Agent through the operating system graphical user interface, such as uninstalling the Agent, stopping the Agent service, modifying Agent-related Windows Registry entries, or modifying Agent-related files, will be met with a message similar to "Removal or modification of this application is prohibited by its security settings."

These restrictions can be overridden by issuing the following command from the Command Prompt on the Deep Security Agent computer (supplying the local override password with -p when one has been set):

dsa_control --selfprotect=0

It is possible that Deep Security Manager loses the ability to communicate with an Agent. In such cases you will have to interact with the Agent locally using the Deep Security Agent's command-line interface. Enable Local override requires password and enter a password to protect the local command-line functionality; without it, any local administrator can disable self-protection with the command above.

Note: Store this password in a safe location. If you lose or forget the password, you will have to contact your support provider for assistance in overriding this protection.

Viewing Computer Protection Status

The Computers list in Deep Security Manager allows you to manage and monitor the machines on your network. The Preview icon displays a status summary table for the computer that varies by computer type; hover your pointer over Preview to display the pop-up details window.
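The following is an added example, not Trend Micro's code, of the local recovery sequence this section describes, driven entirely by the dsa_control options in the table above: force a heartbeat with retries, and if the Agent still cannot reach the Manager, collect a diagnostic package, lift self-protection and reset the Agent so it can be deactivated and reactivated from the Computers list. The dsa_control path and the local override password are assumptions; every call carries -p because a self-protected Agent refuses instructions without the password.

```shell
#!/bin/sh
# Added example (not Trend Micro code): recover an Agent that Deep Security
# Manager can no longer manage, using only the local dsa_control CLI.
# DSA_CONTROL (binary path) and LOCAL_PW (local override password) are
# assumptions; LOCAL_PW is left empty when no override password is configured.
set -eu

DSA_CONTROL="${DSA_CONTROL:-/opt/ds_agent/dsa_control}"
LOCAL_PW="${LOCAL_PW:-}"

# Wrapper that prepends "-p <password>" whenever an override password is set.
dsa() {
    if [ -n "$LOCAL_PW" ]; then
        "$DSA_CONTROL" -p "$LOCAL_PW" "$@"
    else
        "$DSA_CONTROL" "$@"
    fi
}

# Ask the Agent to contact the Manager now (-m), retrying up to $1 times if
# dsa_control cannot reach the local Agent service (-t).
force_heartbeat() {
    dsa -m -t "$1"
}

# Returns 0 when the heartbeat succeeded and nothing else was needed, 2 when
# the Agent had to be reset (the caller must then Deactivate and Reactivate it
# from the Computers list in Deep Security Manager).
recover_agent() {
    retries="${1:-3}"
    if force_heartbeat "$retries"; then
        echo "heartbeat accepted; Manager contact restored"
        return 0
    fi
    echo "heartbeat failed; collecting diagnostics before reset" >&2
    dsa -d                 # diagnostic package for your support provider
    dsa --selfprotect=0    # lift self-protection so the reset is permitted
    dsa -r                 # wipe Agent settings and the Manager relationship
    return 2
}

if [ "${1:-}" = "run" ]; then
    recover_agent "${2:-3}" \
        || echo "Agent reset; Deactivate then Reactivate it from the Computers list" >&2
fi
```

Run it as `sh recover.sh run 5` from an elevated shell on the host. The diagnostic package is taken before the reset on purpose: a reset discards the Agent's configuration, so the evidence of why the Manager lost contact has to be captured first.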
This provides a quick way for an administrator to verify details for the computer such as the presence and status of a Deep Security Agent, the status of the protection modules, the number of rules in use, the available updates and other items.

Computers Without a Deep Security Agent

The preview for a computer added to Deep Security Manager but not hosting a Deep Security Agent displays a status of Unmanaged (No Agent) or Discovered (No Agent). Since no Agent is available, Not Activated is displayed for all Deep Security Protection Modules.

Computers With an Unactivated Deep Security Agent

The preview for a computer added to Deep Security Manager that is hosting a Deep Security Agent that has not yet been activated displays a status of Unmanaged (Activation Required) or Discovered (Activation Required). Since the Agent is not yet communicating with Deep Security Manager, Not Activated is displayed for all Deep Security Protection Modules.

Computers With an Activated Deep Security Agent

The preview for a computer hosting an activated Deep Security Agent lists the presence of an Agent, its status, and details about the Protection Modules enabled on that host.

Deep Security Relay

The preview for a computer hosting a Deep Security Relay displays its status, the number of security and software update components it has available for distribution, and the status of the Protection Modules provided by its embedded Deep Security Agent.

ESXi Server

The preview for an ESXi server displays its status and the version number of the ESXi software. The Guests list displays the Deep Security Virtual Appliance and the virtual machines running on this host.

Deep Security Virtual Appliance

The preview for a Deep Security Virtual Appliance displays its status and its version number.
The Protected Guests On list displays the virtual machines protected by the Appliance.

Virtual Machine

The preview for a protected virtual machine displays whether it is being protected by a Deep Security Virtual Appliance, an in-guest Agent, or both, along with details about the protection modules running on the virtual machine. Since the Deep Security Virtual Appliance cannot provide Log Inspection or Application Control protection, those modules are listed as Not Supported for the Appliance. Firewall and Intrusion Prevention configuration is always the same for both the Virtual Appliance and the in-guest Agent.

Note: A virtual machine can run a Deep Security Agent as though it were an ordinary computer managed by Deep Security Manager. It does not need to be imported into Deep Security Manager by way of VMware vCenter.

Protection Module Installation States

The computer Preview in the Deep Security Manager Web console provides details of the installation state of the various Protection Modules. A module may be turned on in the configuration, but until it is installed and providing protection through the Deep Security Agent it will not display as On.

The following installation states may be displayed:

Feature Installation State / Description

On/Off
    If the On/Off state is On, the module has been installed on the Agent and is currently providing protection.

Installed
    The listed module is installed on the Agent. This state is only displayed when the On/Off state of the module is Off and no protection is provided.

Installation Pending
    The listed module is configured in Deep Security Manager but is not installed on the Agent.

Installation In Progress
    The module is being installed on the Agent.
Matching Module Plug-In not Found
    The version of the software package containing the module imported into Deep Security Manager does not match the version reported by the Agent. A matching software package was found on the Agent, but it does not contain the module.

Not Supported / Update Not Supported
    Not Supported or Update Not Supported is displayed depending on whether there is already a version of this module installed on the Agent.

Not Installed
    The software package containing the module has been downloaded in Deep Security Manager, but the module has not been turned on in Deep Security Manager or installed on the Agent.

Viewing Deep Security Agent Tasks in Progress

Tasks in progress on managed Deep Security Agents are displayed in the Tasks column of the Deep Security Manager Web console. Common tasks, such as installing Protection Modules, sending policies, running Recommendation Scans and updating Application Control inventories, display a message in the Tasks column as feedback that an activity is being processed. Once the message in the Tasks column disappears, the operation is complete on the Deep Security Agent.

To provide fast refresh of the Computers list, the Tasks column is not displayed by default. To show the column in the Deep Security Manager Web console, click Columns and enable Tasks.

Dealing With Offline Agents

A computer status of Offline or Managed (Offline) means that Deep Security Manager hasn't communicated with the Agent for some time and the missed heartbeat threshold has been exceeded. The status change can also appear in alerts and events.

Heartbeat connections can fail because:

• The Agent is installed on a workstation or other computer that has been shut down.
  If you are using Deep Security to protect computers that sometimes get shut down, make sure the policy assigned to those computers does not raise an alert when there is a missed heartbeat. In the policy editor, go to Settings > General > Number of Heartbeats that can be missed before an alert is raised and change the setting to Unlimited.
• Firewall, IPS rule, or security groups block the heartbeat port number.
• Bi-directional communication is enabled, but only one direction is allowed or reliable.
• The computer is powered off.
• The computer has left the context of the private network. This can occur if roaming endpoints (such as a laptop) cannot connect to Deep Security Manager at their current location. Guest Wi-Fi, for example, often restricts open ports and uses NAT when traffic goes across the Internet.
• An Amazon WorkSpace computer is being powered off and the heartbeat interval is fast (for example, one minute); in this case, wait until the WorkSpace is fully powered off, at which point the status should change from Offline to VM Stopped.
• DNS was down, or could not resolve the Deep Security Manager's host name.
• The Deep Security Agent's or Deep Security Manager's system time is incorrect (correct time is required by SSL/TLS connections).
• A Deep Security rule update is not yet complete, temporarily interrupting connectivity.
• Deep Security Manager, the Agent, or both are under very high system resource load.
• The Deep Security Agent process is not running.
• Certificates for mutual authentication in the SSL or TLS connection have become invalid or been revoked.
• On AWS EC2, ICMP traffic is required but is blocked.

Cleaning Up Inactive Agents (NEW)

In some deployments Deep Security Manager can accumulate large numbers of computers that no longer exist. The primary means to address this problem is to add your AWS, Azure, or vCloud account to Deep Security Manager.
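For the heartbeat failure causes listed in the Dealing With Offline Agents section above, the following Python script is an added example (it is not Trend Micro code and is not part of the courseware) that triages three of them from the Agent host: DNS resolution of the Manager's host name, TCP reachability of the Manager's heartbeat port, and clock skew between the Agent host and the Manager. It assumes the Manager listens for heartbeats on TCP 4120 (the product default, which this lesson does not state) and that the caller supplies the Manager's current time obtained elsewhere, for example from the Date header of the Manager console. The resolver, connector and clock are injectable so the logic can be exercised without a Manager.

```python
"""Triage script for a 'Managed (Offline)' Deep Security Agent.

Added example for this lesson; it is not Trend Micro code. It checks three of
the heartbeat-failure causes listed above from the Agent host: DNS resolution
of the Manager host name, TCP reachability of the Manager's heartbeat port, and
clock skew between the Agent host and the Manager (TLS validation depends on
correct time). Assumptions: the Manager heartbeat port is 4120 (product
default, not stated in this lesson) and the caller obtains the Manager's time
some other way. The resolver, connector and clock are injectable.
"""
import socket
import sys
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

DEFAULT_HEARTBEAT_PORT = 4120      # assumed Manager heartbeat port (product default)
MAX_CLOCK_SKEW_SECONDS = 300       # assumed tolerance before TLS trouble is likely


@dataclass
class Finding:
    check: str      # "dns", "tcp" or "clock"
    ok: bool
    detail: str


def check_dns(hostname: str, resolve: Callable[[str], str] = socket.gethostbyname) -> Finding:
    """Cause: DNS is down or cannot resolve the Manager host name."""
    try:
        return Finding("dns", True, f"{hostname} resolves to {resolve(hostname)}")
    except OSError as exc:            # socket.gaierror is a subclass of OSError
        return Finding("dns", False, f"cannot resolve {hostname}: {exc}")


def _real_connect(host: str, port: int, timeout: float = 3.0) -> None:
    with socket.create_connection((host, port), timeout=timeout):
        pass


def check_tcp(host: str, port: int,
              connect: Callable[[str, int], None] = _real_connect) -> Finding:
    """Cause: a firewall, IPS rule or security group blocks the heartbeat port."""
    try:
        connect(host, port)
        return Finding("tcp", True, f"TCP {host}:{port} reachable")
    except OSError as exc:
        return Finding("tcp", False, f"TCP {host}:{port} blocked or closed: {exc}")


def check_clock(manager_time: float, local_time: Callable[[], float] = time.time,
                max_skew: float = MAX_CLOCK_SKEW_SECONDS) -> Finding:
    """Cause: Agent or Manager system time is incorrect (required by SSL/TLS)."""
    skew = abs(local_time() - manager_time)
    return Finding("clock", skew <= max_skew, f"clock skew {skew:.0f}s (limit {max_skew:.0f}s)")


def triage(hostname: str, port: int = DEFAULT_HEARTBEAT_PORT,
           manager_time: Optional[float] = None,
           resolve=socket.gethostbyname, connect=_real_connect,
           local_time=time.time) -> List[Finding]:
    """Run the checks in dependency order; the TCP check is skipped when DNS fails."""
    findings = [check_dns(hostname, resolve)]
    if findings[0].ok:
        findings.append(check_tcp(hostname, port, connect))
    if manager_time is not None:
        findings.append(check_clock(manager_time, local_time))
    return findings


CAUSES = {
    "dns": "DNS was down, or could not resolve the Deep Security Manager's host name",
    "tcp": "Firewall, IPS rule, or security groups block the heartbeat port number",
    "clock": "Deep Security Agent's or Deep Security Manager's system time is incorrect",
}


def likely_causes(findings: List[Finding]) -> List[str]:
    """Map failed checks back to the causes listed in this lesson."""
    return [CAUSES[f.check] for f in findings if not f.ok]


if __name__ == "__main__":
    # Usage: python triage_offline_agent.py dsm.example.internal [manager_epoch_seconds]
    host = sys.argv[1]
    mgr_time = float(sys.argv[2]) if len(sys.argv) > 2 else None
    results = triage(host, manager_time=mgr_time)
    for f in results:
        print(f"{'OK  ' if f.ok else 'FAIL'} {f.check:5s} {f.detail}")
    for cause in likely_causes(results):
        print("possible cause:", cause)
```

The checks are ordered so that a DNS failure is reported on its own rather than as a second, misleading connection failure; the remaining causes in the list (certificate revocation, resource load, a stopped Agent process) need the Manager's or the Agent's own logs and are not covered here.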
Adding an AWS, Azure, or vCloud account allows Deep Security Manager to connect to the cloud environment and receive updates on the life cycle of computers in your environment, including deletion. With this information, the Computers page can be updated automatically on your behalf.

In environments where adding an account is not possible, computers that no longer exist must be deleted manually. In dynamic environments where computers have a short lifecycle, unwanted computers can accumulate quickly, which typically results in customer-specific processes to delete them. To address this issue the following features are available.

Cleaning Up Inactive Agents

A system setting is provided to delete Agents that have not communicated with Deep Security Manager in a configurable period of time. Inactive agent cleanup checks hourly for computers that have been offline and inactive for a specified period of time (from 2 weeks to 12 months) and removes them. Inactive agent cleanup removes a maximum of 1000 offline computers at each hourly check. If there are more offline computers than this, 1000 are removed at each consecutive check until all of the offline computers have been removed.

Note: Inactive agent cleanup does not remove offline computers that have been added by a cloud connector.

Reactivate Unknown Agents

If you have offline computers that are active but communicate irregularly with Deep Security Manager, inactive Agent cleanup will remove them if they don't communicate within the period of inactivity you defined. To ensure that these computers reconnect to Deep Security Manager, we recommend enabling both Agent-Initiated Activation and Reactivate Unknown Agents. To do so, under System Settings > Agents > Agent Initiated Activation, first select Allow Agent-Initiated Activation and then select Reactivate Unknown Agents.
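The following Python dry run is an added example (not Trend Micro code) that applies the inactive agent cleanup rules described in this section to a constructed Computers list export, so that an administrator can preview which computers the hourly job would remove, and how many hourly checks the backlog would take, before enabling the setting. The record field names (name, status, last_communication, cloud_connector, cleanup_override) are assumed names for columns exported from the Computers page, and the sample rows are constructed.

```python
"""Dry run of inactive agent cleanup against a Computers list export.

Added example for this lesson; it is not Trend Micro code. It applies the rules
stated in this section so that the effect of the hourly cleanup job can be
previewed before the setting is enabled: only computers whose status is
Offline or Managed (Offline) and that have not communicated for the configured
period (2 weeks to 12 months) are candidates; computers added by a cloud
connector or carrying the Inactive Agent Cleanup Override are skipped; at most
1000 computers are removed per hourly check. The record fields are assumed
names for exported columns, and the sample rows are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MIN_INACTIVE_DAYS = 14      # "2 weeks"
MAX_INACTIVE_DAYS = 365     # "12 months"
MAX_PER_CHECK = 1000        # removals per hourly check
OFFLINE_STATUSES = {"Offline", "Managed (Offline)"}
REFERENCE_NOW = datetime(2021, 2, 18, tzinfo=timezone.utc)   # fixed "now" for the sample


def is_candidate(computer: Dict, now: datetime, inactive_days: int) -> bool:
    """True only if every rule in this section allows the computer to be removed."""
    if computer["status"] not in OFFLINE_STATUSES:
        return False
    if computer.get("cloud_connector"):        # cloud-connector computers are never removed
        return False
    if computer.get("cleanup_override"):       # Settings > General > Inactive Agent Cleanup Override = Yes
        return False
    return now - computer["last_communication"] >= timedelta(days=inactive_days)


def plan_cleanup(computers: List[Dict], now: datetime, inactive_days: int) -> List[List[str]]:
    """Return the computer names the job would delete, grouped per hourly check."""
    if not MIN_INACTIVE_DAYS <= inactive_days <= MAX_INACTIVE_DAYS:
        raise ValueError("inactive period must be between 2 weeks and 12 months")
    names = [c["name"] for c in computers if is_candidate(c, now, inactive_days)]
    return [names[i:i + MAX_PER_CHECK] for i in range(0, len(names), MAX_PER_CHECK)]


def hours_to_drain(batches: List[List[str]]) -> int:
    """One batch per hourly check, so this is how long the backlog takes to clear."""
    return len(batches)


def build_sample(now: datetime) -> List[Dict]:
    """Constructed export: 2500 stale agents, 10 recently offline, 20 online,
    5 stale cloud-connector instances and 3 stale computers with the override set."""
    stale, recent = now - timedelta(days=60), now - timedelta(days=3)
    rows = [{"name": f"web-{i:04d}", "status": "Managed (Offline)", "last_communication": stale}
            for i in range(2500)]
    rows += [{"name": f"lab-{i}", "status": "Offline", "last_communication": recent}
             for i in range(10)]
    rows += [{"name": f"db-{i}", "status": "Managed (Online)", "last_communication": now}
             for i in range(20)]
    rows += [{"name": f"ec2-{i}", "status": "Offline", "last_communication": stale,
              "cloud_connector": "aws"} for i in range(5)]
    rows += [{"name": f"kiosk-{i}", "status": "Offline", "last_communication": stale,
              "cleanup_override": True} for i in range(3)]
    return rows


if __name__ == "__main__":
    batches = plan_cleanup(build_sample(REFERENCE_NOW), REFERENCE_NOW, inactive_days=30)
    print(f"{sum(map(len, batches))} computers removed over {hours_to_drain(batches)} hourly checks")
    for hour, batch in enumerate(batches, start=1):
        print(f"check {hour}: {len(batch)} removed ({batch[0]} .. {batch[-1]})")
```

Run against a real export, the list of names is what to compare with your inventory before turning the setting on; anything on it that you expect to come back should either get the per-computer override or rely on Reactivate Unknown Agents, since a removed computer returns without its policy.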
When a removed computer reconnects, it will not have a policy and will be added as a new computer. Any direct links to the computer will be removed from the Deep Security Manager event data.

Note: This feature requires the use of Agent-Initiated Activation. In addition, the Agent must have been successfully activated before for the reactivation to succeed.

When an inactive Agent cleanup job runs, system events are generated that you can use to track removed computers. Check the following system events:

• 2953 - Inactive Agent Cleanup Completed Successfully
• 251 - Computer Deleted
• 716 - Reactivation Attempted by Unknown Agent (if Reactivate Unknown Agents is enabled)

Overriding Inactive Agent Cleanup

You can set an override at the computer or policy level to explicitly prevent computers from being removed by inactive agent cleanup. Open the Computer or Policy editor for the computer or policy you want to set an override on, go to Settings > General and, under Inactive Agent Cleanup Override, select Yes.

Upgrading Deep Security Agents to Deep Security 20

Deep Security Agents can be upgraded to Deep Security 20 directly from the Details window.

Note: Any Deep Security Relays must be upgraded to Deep Security 20 before upgrading the Deep Security Agents.

The software package for the updated Deep Security Agent must be imported into Deep Security Manager before the Deep Security Agent can be upgraded.

1 Import the version 20 Agent packages for the operating systems hosting Deep Security Agents into Deep Security Manager.

2 In the Deep Security Manager Web console, locate the Deep Security Agent to upgrade and double-click to open its Details. If an upgraded Deep Security Agent software package for the operating system being used is available, Upgrade Agent will be available on the Actions tab.
3 Click Upgrade Agent and select the version for the upgrade.

Note: The Agent Version list displays all the versions of Deep Security Agent packages that have been imported into Deep Security Manager.

4 Select a time to process the upgrade, or select Now. During the Deep Security Agent upgrade, the Actions tab shows the progress of the upgrade.

5 Once complete, the Details window displays the version of the updated Deep Security Agent.

To simplify the process of upgrading several Deep Security Agents, select multiple Agents in the Computers list and click Actions > Upgrade Agent Software from the right-click menu. The Tasks column displays Upgrading Software (in Progress) while the selected Agents are upgraded.

Anti-Malware Protection During Upgrades (NEW)

When upgrading Deep Security Agents, any impact, whether a network interruption or a gap in protection, is unacceptable. Agent upgrades now proceed without impacting either the host services used by applications or the functionality provided by the Deep Security Agent. When Anti-Malware is enabled and an Agent is upgraded to Deep Security 20, Anti-Malware protection remains in place without interruption.

Upgrading Agents on Activation (NEW)

Upgrade on activation instructs Deep Security Agents to upgrade automatically on activation if the current version of the Agent does not match the latest compatible version of the Agent available for that platform in Deep Security Manager.

This feature can be helpful if you bake the Agent into your AMI or WorkSpace bundle and then want to use a newer Agent, but are unable to update the bundle to include the new Agent.
When the Automatically upgrade agents on activation setting is enabled, the Agent in the AMI or bundle activates itself and Deep Security Manager automatically upgrades it to the latest version.

Controlling the Agent Version (NEW)

Agent Version Control determines the specific versions of Deep Security Agents that are deployed when upgrading Deep Security Agents, when using deployment scripts, or when using the Automatically upgrade agents on activation feature. This allows security operations teams to declare exactly which Agents are used at any given time. As new Agents are released by Trend Micro, your security operations team can test them in controlled environments before changing the version control settings to expose the new Agents to downstream application teams in the production environment.

Prior to the introduction of Agent Version Control, the primary way to control the Agent version was to selectively import only those Agents that you were confident you wanted to deploy. Once the Agents were imported, the latest one for each platform was distributed to Relays. The latest Agents were then picked up from the Relays by features like upgrade on activation and deployment scripts. If you want to continue with this behaviour, import the Agents you want to deploy into your inventory and remove the old ones, then on the Agent Version Control page make sure all platforms are set to the default, Latest. The Latest setting instructs Deep Security Manager to continue using the latest Agents in its local inventory, and you can continue to use your existing processes without any changes.

Selecting Latest LTS indicates that the latest long-term support (LTS) software build available in your local inventory should be used. Latest LTS can be the original LTS release or an update to the original LTS release.
Selecting the <agent_version> option (for example, 20.0.0.760) indicates that a specific Agent version available in your local inventory should be used. Other Agents in your inventory are ignored. If no Agent version appears in the list, there is no Agent in your local inventory that matches the OS. To fix this, import an Agent into your inventory.

Ensure that any previously created deployment scripts are updated when using this feature. Deployment scripts generated before the Agent Version Control feature became available default to Latest if you do not update them, regardless of how you have set your Agent Version Control settings. Replace the older deployment scripts with newly generated ones to apply the versions you define in Agent Version Control. The latest deployment scripts pass additional information to Deep Security Manager (for example, tenant information and platform information) that the version control feature requires to work properly.

Note: All imported Agent versions remain available when using the Upgrade Agent button or the Upgrade Agent Software page. Selecting either of these options launches a wizard with a drop-down list that always defaults to Use latest version for platform, regardless of your version control settings.

Organizing Computers Using Groups

To simplify administration of computers in a large implementation, groups can be used to sort and organize computers. Administrators can create groups with any organizational structure they require, then add computers to those groups. Computers can be moved into a different group at any time through the computer's Details window. Grouping computers is done for organizational purposes only; changing the group does not affect policy.
Note: Computers added to the Computers list through connectors (Active Directory lookup, VMware vCenter virtual machines, Amazon Web Services instances, Azure virtual machines, vCloud virtual machines and Google Cloud Platform virtual machines) cannot be added to groups, as they are already grouped by their connector.

Creating Groups

Groups can be created from the Add menu. Click Create Groups, type a name and description, and choose a location in the group structure for the new group.

Adding Computers to a Group

Computers can be added to a group through Details. Double-click a computer to open its Details and select a group from the list.

A group can also be specified as part of a deployment script. All computers using the script are assigned to the specified group.

Organizing Computers Using Smart Folders

Smart Folders are used to group your computers dynamically. The computers displayed in a Smart Folder are determined by a set of custom rules that act as a saved search, executed each time you click on the folder to display its contents. This allows administrators to easily filter and group computers by these defined properties. Additionally, you can use Smart Folders to restrict administrators to their own administration groups by assigning appropriate read and write permissions.
When defining the properties for a Smart Folder, you are creating a search query that includes the following settings:

• Property, which defines what to search through
• Operator, which defines how to search
• Value, which defines what to search for

Note: See the section Group computers dynamically with Smart Folders in the Deep Security Help Center for a full list of searchable properties.

Once you have configured your Smart Folders from the Computers page, any computers that match the search are displayed in folders whose contents are always up to date in the right-hand pane of the display.

Smart Folders can be organized into subfolders that can be nested up to three levels deep. If you are using Deep Security with Amazon Web Services, you can nest your folders deeper by using Amazon Web Services tag keys. In this case, the subfolders are created according to each of the tag key's values.

Smart Folders can be selected and used throughout the Deep Security Manager Web console under the various tabs, for example, Dashboard, Alerts, Events & Reports and so on.

Review Questions

1 What methods are available in the Deep Security Manager Web console to organize the Computers list?

2 Describe the purpose of the Deep Security Agent reset command (dsa_control -r).

Lesson 5: Keeping Deep Security Up To Date

Lesson Objectives:

After completing this lesson, participants will be able to:

• Describe how security and software updates are delivered to Deep Security Agents
• Configure Relay Groups and promote Deep Security Agents to Relays

The two types of updates performed by Deep Security are software updates and security updates.
Security Updates

You must keep your Deep Security deployment up to date with the security updates that Deep Security uses to identify potential threats. Security updates for Deep Security Agents in version 12.0 and later are digitally signed to prove that they came from Trend Micro and to ensure that they were not tampered with in transit to the Agent.

Trend Micro releases new rule updates every Tuesday, with additional updates as new threats are discovered. You can get information about the latest updates from the Trend Micro Threat Encyclopedia.

When performing the Security Update task, Deep Security Manager instructs the Deep Security Relay to download new scan components from the Trend Micro ActiveUpdate Server. There are two types of security updates:

• Pattern Updates, which are used by the Anti-Malware Protection Module.
• Rule Updates, which are used by the following Protection Modules:
  • Firewall
  • Intrusion Prevention
  • Integrity Monitoring
  • Log Inspection

The Security Updates Overview page offers an at-a-glance view of the state of security updates in your environment. Click Administration > Updates > Security to get an overview of the Rule and Pattern update status.

Security Update Process

Deep Security uses the following process for distributing security updates:

[Figure: Trend Micro ActiveUpdate Server → Deep Security Manager → Deep Security Relay → Deep Security Agents and Deep Security Virtual Appliance]

1 Deep Security Manager contacts the Trend Micro ActiveUpdate Server to check for updates. This check is based on a scheduled task, or occurs when an administrator clicks Check For Updates and Download on the Security Updates Overview window.

2 If security updates are available, Deep Security Manager instructs Relays to download the new security components from the Trend Micro ActiveUpdate Server.
3 The Relays download the components and store them locally in their \relay\iau folder.

4 Deep Security Manager sends a command to the Deep Security Agents to retrieve the security components.

5 The Deep Security Agents retrieve the updates from the Relays.

Note: Administrators can configure direct access to the ActiveUpdate Server as a failover if the Deep Security Relay goes offline.

6 Deep Security Manager downloads any new Rules from the Relay and stores them in the database.

7 The new rules are transferred to any affected Agents using the Policy Update command. The Agents apply the new rules to the computer.

Creating Update Bundles

In the case of air-gapped Relays, update bundles can transfer all available security components from one Deep Security Relay to another. To create an update bundle, run the following command on a source Relay computer with Internet connectivity:

dsa_control -b

This command creates a *.zip file that includes the contents of the following folder:

...\Deep Security Agent\relay\iau

Once created, move the archive to the Relay installation folder of the air-gapped destination systems. On the next security update, the air-gapped Relay updates from the zipped bundle.

Software Updates

Deep Security Manager regularly checks for updates to any Agent packages that have been imported. If new updates for any of these packages are made available on the Download Center, Deep Security Manager notifies the Agents. When performing a software update, Deep Security Manager loads the new software into the database and advises the Relay. The Relay retrieves the software packages from Deep Security Manager (or from the Download Center if Deep Security Manager is not available) and makes the update available.
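Returning to the update bundle procedure above: once a dsa_control -b archive is carried across an air gap, nothing on the receiving side tells the operator whether the archive that arrived is the one that was produced. The following Python script is an added example (not Trend Micro code and not part of the courseware) that records a SHA-256 manifest of the archive and of each member on the connected Relay, and verifies the archive against that manifest on the air-gapped side before it is placed in the Relay installation folder. It also refuses archive members whose paths would escape the destination folder. The manifest file name and the sample bundle contents are assumptions; the sample bundle is constructed in a temporary directory so the script runs without a Relay.

```python
"""Integrity manifest for a dsa_control -b update bundle crossing an air gap.

Added example for this lesson; it is not Trend Micro code. dsa_control -b zips
the Relay's relay\\iau folder. This script records a SHA-256 digest of the
archive and of every member on the connected Relay, and re-checks the archive
against that record on the air-gapped Relay before it is dropped into the
Relay installation folder. It also rejects members with absolute or
parent-directory paths. File names are assumptions and the sample bundle is
constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path, PurePosixPath
from typing import Dict, List


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def unsafe_member(name: str) -> bool:
    """True for zip entries that would land outside the Relay folder on extraction."""
    posix = PurePosixPath(name.replace("\\", "/"))
    if posix.is_absolute() or ".." in posix.parts:
        return True
    return bool(posix.parts) and ":" in posix.parts[0]     # Windows drive prefix such as C:


def build_manifest(bundle: Path) -> Dict:
    """Run on the connected Relay right after dsa_control -b."""
    with zipfile.ZipFile(bundle) as zf:
        members = {i.filename: sha256_bytes(zf.read(i)) for i in zf.infolist() if not i.is_dir()}
    return {"bundle": bundle.name, "bundle_sha256": sha256_file(bundle), "members": members}


def verify_bundle(bundle: Path, manifest: Dict) -> List[str]:
    """Run on the air-gapped Relay; an empty list means the bundle may be used."""
    problems: List[str] = []
    if sha256_file(bundle) != manifest["bundle_sha256"]:
        problems.append("archive digest does not match manifest")
    with zipfile.ZipFile(bundle) as zf:
        present = {i.filename: i for i in zf.infolist() if not i.is_dir()}
        for name in present:
            if unsafe_member(name):
                problems.append(f"unsafe path in archive: {name}")
        for name, digest in manifest["members"].items():
            if name not in present:
                problems.append(f"missing member: {name}")
            elif sha256_bytes(zf.read(present[name])) != digest:
                problems.append(f"modified member: {name}")
        for name in present.keys() - manifest["members"].keys():
            problems.append(f"unexpected member: {name}")
    return problems


def write_manifest(manifest: Dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def read_manifest(path: Path) -> Dict:
    return json.loads(path.read_text())


def make_sample_bundle(directory: Path, pattern: bytes = b"\x00\x01" * 64) -> Path:
    """Constructed stand-in for the archive dsa_control -b would produce."""
    directory.mkdir(parents=True, exist_ok=True)
    bundle = directory / "relay-update-bundle.zip"
    with zipfile.ZipFile(bundle, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("relay/iau/server.ini", "[update]\nversion=1\n")
        zf.writestr("relay/iau/pattern.bin", pattern)
    return bundle


def self_check() -> Dict[str, List[str]]:
    """Build a sample bundle plus a tampered copy and verify both against one manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        good = make_sample_bundle(work / "connected")
        manifest = build_manifest(good)
        write_manifest(manifest, work / "connected" / "bundle.manifest.json")
        # The air-gapped side receives a copy; here a tampered one stands in for it.
        tampered = make_sample_bundle(work / "airgapped", pattern=b"\xff" * 128)
        received = read_manifest(work / "connected" / "bundle.manifest.json")
        return {"good": verify_bundle(good, received), "tampered": verify_bundle(tampered, received)}


if __name__ == "__main__":
    for label, problems in self_check().items():
        print(f"{label}: {'bundle OK' if not problems else '; '.join(problems)}")
```

Carry the manifest on a separate channel from the archive (or read its digest aloud between the two sides); a manifest that travels inside the same removable media as the bundle only detects corruption, not substitution. Note that this adds a check on top of the signed security updates mentioned above; it does not replace the Agent's own verification.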
When instructed by Deep Security Manager, the Deep Security Agents and Deep Security Virtual Appliances retrieve the software packages from the Relays and install them on the local systems.

The Software Updates Overview page offers an at-a-glance view of the state of software updates in your environment.

• Trend Micro Download Center: This section displays whether there are any updates available for the software that has already been imported into Deep Security.
• Deep Security: This section displays the last time a check for software updates was performed and whether the check was successful. Click Check for updates to perform an on-demand check. The date of the next scheduled task for a software update is displayed. A warning is shown if no scheduled task exists.
• Computers: This section displays whether any computers are running Deep Security Agents for which updates are available. The check is only performed against software that has been downloaded to Deep Security, not against software available from the Download Center. If any computers are out of date, you can click Upgrade Agent/Appliance software, which redirects you to the Computers page, filtered to display the out-of-date computers.

Software Update Process

Deep Security uses the following process for distributing software updates:

[Figure: Trend Micro Download Center → Deep Security Manager → Deep Security Relay → Deep Security Agents and Deep Security Virtual Appliance]

1 Deep Security Manager contacts the Trend Micro Download Center to check for software updates, either automatically based on a scheduled task or when initiated manually by an administrator.

2 New Deep Security Agent packages are downloaded to Deep Security Manager.

3 Relays request the packages from Deep Security Manager. If Deep Security Manager is unavailable, Relays may download the packages directly from the Download Center, if this setting is enabled.
4 Relays unpack the packages and make each module component available.

5 Deep Security Agents download the required components from the Relays and install them.

Deleting Imported Agent Packages

To save space, when Deep Security downloads an update to a package, it may automatically delete old Agent packages that are not currently being used by Agents. The number of old software packages kept in the database is configured in the Number of older software versions to keep per platform setting on the Storage tab in the Deep Security Manager Web console. The default is to keep the last 5 packages.

You can also manually delete unused Deep Security Agent packages. If you try to delete software that is in use on one of your managed computers, you get a warning and are prevented from deleting the software. The number of older packages to keep is therefore a minimum, not an absolute: for example, if it is set to five and you have seven versions of the package in use, all seven packages are kept.

Note: In Multi-Tenancy, the primary tenant owns all the Agent software used across all tenants. In order to automatically prune older software, the primary tenant would need to be able to monitor other tenants to find out what software is actually in use. Deep Security Manager therefore keeps all imported software indefinitely until it is manually deleted.

Scheduling Checks for Updates

Scheduled Tasks can be created so that Deep Security Manager regularly checks the ActiveUpdate Server for security updates and the Download Center for software updates. When the Deep Security Manager Setup Wizard is run, an option to automatically create tasks to check for both Security and Software updates is displayed. These selections create a task for each type of update that runs once a day.
Update Source Settings

Update source settings are configured on the Updates tab in System Settings.

Deep Security Relays

A Relay is an Agent that is capable of distributing software and security updates to other Deep Security Agents and Virtual Appliances. Deep Security Relays help to optimize the distribution of these updates. Relays can:

• Reduce WAN bandwidth costs by shaping update traffic
• Provide redundancy to update distribution

You must have at least one Deep Security Relay in your environment. You can co-locate the Deep Security Relay on the same host as Deep Security Manager or install it on a separate computer.

Deep Security Relay Architecture

The process for adding a Deep Security Relay to your environment involves installing and activating a Deep Security Agent and then enabling the Deep Security Relay functionality on that Deep Security Agent. The Deep Security Relay also includes a Notifier component and a Relay Backend component.

• Deep Security Agent: Deep Security Relays reside on a fully functional Deep Security Agent that protects the local system.
• Deep Security Notifier: The user notification service is used to report detected security threats on Windows computers.
• Deep Security Relay Backend: The Deep Security Relay Backend launches the Nginx Caching Proxy Server and accepts the store/request/delete commands from Deep Security Manager or the Virtual Appliance.
  These commands are also used to transfer the virtual machine scan context between Deep Security Virtual Appliances when handling vMotion events.
• Nginx Caching Proxy: Downloads updates, stores them locally and offers them to the Deep Security Agents and Virtual Appliances for download.
• ds_relay.pem and ds_relay.key: These files store the SSL certificate and the private key.

Ports

By default, Deep Security Relays use the following TCP ports to accept connections:

• Port 4118 allows Deep Security Agents to accept commands from Deep Security Manager.
• Port 4122 is used by Deep Security Relays to accept requests for updatable components from Deep Security Agents.

Enabling Deep Security Relays

Relay functionality is enabled by promoting a Deep Security Agent to a Relay. To enable Relay functionality, click the Administration menu. In the left-hand pane, expand Updates > Software and click Relay Management. Select the Relay Group from the list and click Add Relay. Select the Deep Security Agent to promote and click Enable Relay and Add to Group.

Note: Only 64-bit Deep Security Agents can be promoted to a Relay. If Enable Relay is not available, it is likely that you are trying to enable a 32-bit Deep Security Agent, or the Relay has already been activated for this computer.

The Deep Security Agent installs the plug-ins required, and the Agent begins to function as a Relay.

Organizing Relays Into Groups

To distribute updates throughout the network more efficiently, Relays can be organized into groups. This ensures that the update load is distributed across multiple Deep Security Relays, and also adds redundancy to your Deep Security deployment.
Trend Micro recommends that Deep Security Agents on computers in a particular geographic region or office download updates from a Relay Group in the same region.

Figure: updates flow from the Trend Micro ActiveUpdate Server to Deep Security Manager and on to the Ottawa, Dallas and Cork Relay Groups, each of which serves the Agents in its own location.

Although a Relay Group may contain as few as a single Relay, for performance and redundancy it is best to give the group more than one member. Each Deep Security Agent tries to download updates from a randomly arranged list of the Relays in the group it is assigned to. If a Relay does not respond, the Agent tries the next Relay on its list until the download succeeds. Because each Agent shuffles the list independently, the update load is shared evenly across the Relays in a group. Trend Micro recommends at least two Relays per group for redundancy.

Note: The number of Relays should vary by:
• Redundancy requirements
• Number of protected computers (deployment scale)
• Geographic locations: Trend Micro recommends that Deep Security Agents download updates from a Relay Group in the same geographic region, preferably on the same local network.
• Number of network bottlenecks / maximum bandwidth: A bottleneck occurs when all Agents cannot quickly download updates through the same connection, such as a low-bandwidth WAN link between the Agents' local network segment and a remote Deep Security Manager or Trend Micro Update Server. Alerts can be raised when this happens. Routers, firewalls or proxies with high resource usage between the Agents and the update source can also become bottlenecks. To alleviate a bottleneck, place a Relay inside each bottlenecked network segment.

Do not convert all of your Deep Security Agents into Relays. Too many Relays can introduce delay.
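The Relay selection behaviour described above, as an added example (not Deep Security code): every Agent shuffles the group's member list with its own random source, tries the first Relay, and falls through to the next one when a Relay does not respond. The Relay names, the number of Agents and the set of unresponsive Relays are constructed, and the `responds` callback stands in for the Agent's real download attempt.

```python
"""Simulate how Agents in a Relay Group pick a Relay for an update download.

Added example, not Deep Security code. Models the behaviour in the text:
each Agent shuffles the group's member list independently and falls back to
the next Relay on no response. Relay names, Agent count and the failure set
are constructed.
"""
import random
from collections import Counter


def choose_relay(relays, responds, rng):
    """Return the first responding Relay from a per-Agent shuffled list.

    `relays` is the group's member list, `responds(relay)` stands in for the
    download attempt, and `rng` is this Agent's own random source, so every
    Agent ends up with a different order. Returns None only when no Relay
    in the group answers.
    """
    order = list(relays)
    rng.shuffle(order)
    for relay in order:
        if responds(relay):
            return relay
    return None


def simulate_group(relays, agent_count, down=frozenset(), seed=0):
    """Run one update cycle for `agent_count` Agents and count how many each
    Relay served. Relays listed in `down` never respond."""
    served = Counter()
    unserved = 0
    for agent_id in range(agent_count):
        # one independent random source per Agent, as the text describes
        rng = random.Random(f"{seed}-agent-{agent_id}")
        relay = choose_relay(relays, lambda r: r not in down, rng)
        if relay is None:
            unserved += 1
        else:
            served[relay] += 1
    return served, unserved


if __name__ == "__main__":
    group = ["relay-ottawa-1", "relay-ottawa-2", "relay-ottawa-3"]  # constructed
    healthy, missed = simulate_group(group, 3000)
    print("all relays up:", dict(healthy), "unserved:", missed)
    degraded, missed = simulate_group(group, 3000, down={"relay-ottawa-1"})
    print("relay-ottawa-1 down:", dict(degraded), "unserved:", missed)
    _, missed = simulate_group(["relay-only"], 10, down={"relay-only"})
    print("single-member group, relay down, unserved:", missed)
```

Running it shows the two points the text makes: with three healthy Relays each serves roughly a third of the Agents, with one Relay down the remaining two absorb its share with no Agent left unserved, and a single-member group has no fallback at all.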
A Deep Security Relay also requires more system resources than an ordinary Agent.

To distribute load and fault impact, the Relays in a group are not prioritized. Each Deep Security Agent and Appliance assigned to a Relay Group automatically chooses a member Relay at random to connect to. If the initial Relay fails to respond when the Agent or Appliance attempts to download updates, the Agent or Appliance randomly selects another member Relay from the group. Since each Agent or Appliance shuffles the list itself, they contact the Relays in different orders.

Note: If a Relay is busy delivering an update to one Agent or Virtual Appliance, it rejects new connections from other Agents and Virtual Appliances.

Although there must always be at least one Relay Group in your environment that downloads Security Updates from the Trend Micro Update Server, a Relay Group can alternatively download updates from another Relay Group.

Creating a Relay Group

Once you have installed and activated your Deep Security Relays, complete the following steps to create Relay Groups. Relays not yet placed in a group are automatically members of the Default Relay Group.
1. In the Deep Security Manager Web console, click the Administration menu. Expand Updates > Software and click Relay Management.
2. Click New Relay Group and, in the right-hand Relay Group Properties pane, configure the details for the Relay Group.

Assigning Deep Security Agents and Appliances to Relay Groups

Computers can be added to a Relay Group through their Details. Double-click a computer to open its Details and select a group from the Download Security Updates From list.
Alternatively, select the Relay Group when creating a deployment script.

Review Questions
1. Describe the function of a Deep Security Relay. How does a Relay differ from an Agent?
2. How can you keep a Relay without Internet connectivity up to date?
3. Why would you organize Relays into Relay Groups?

Lesson 6: Trend Micro Smart Protection

Lesson Objectives:
After completing this lesson, participants will be able to:
• Define the Smart Protection services used by Deep Security
• Configure Smart Protection sources

Smart Protection includes services that provide anti-malware signatures, web reputation credibility scores, vulnerability patterns, in-the-cloud threat databases and more. The Smart Protection services used by Deep Security are:
• File Reputation Service
• Web Reputation Service
• Predictive Machine Learning Service
• Census Service
• Certified Safe Software Service
• Smart Feedback

File Reputation Service

The File Reputation Service checks the reputation of each file against an extensive in-the-cloud database. Since the malware information is stored in the cloud, it is available instantly to all users. The cloud-Agent architecture eliminates the burden of pattern deployment while significantly reducing the Agent footprint. Deep Security Agents must be in Smart Scan mode to use the File Reputation Service.

Web Reputation Service

With one of the largest domain-reputation databases in the world, Trend Micro Web Reputation technology tracks the credibility of Web domains by assigning a reputation score based on factors such as a Web site's age, historical location changes and indications of suspicious activity discovered through malware behavior analysis.
Web Reputation then continues to scan sites and blocks users from accessing infected ones. Web Reputation ensures that the pages servers access are safe and free from Web threats such as malware, spyware and ransomware. To increase accuracy and reduce false positives, Trend Micro Web Reputation technology assigns reputation scores to specific pages or links within sites instead of classifying or blocking entire sites, since often only portions of legitimate sites are compromised and reputations change over time.

Census Service

This service provides information about the prevalence of detected files. Prevalence is a statistical concept referring to the number of times a file has been seen by Trend Micro sensors at a given time. A file that no sensor has seen before is treated as suspicious, since over 80% of all malware is only ever seen once. Census covers over 300 million distinct executable files. File prevalence and maturity matter because polymorphism is the primary weapon of malware: an unknown binary can indicate a targeted attack. In Deep Security, the Census Service is used by Behavior Monitoring and Predictive Machine Learning.

Predictive Machine Learning Service

Deep Security provides enhanced protection against unknown threats and zero-day attacks through Predictive Machine Learning. Trend Micro Predictive Machine Learning uses machine learning to correlate threat information and perform in-depth file analysis, detecting emerging security risks through digital DNA fingerprinting, API mapping and other file features. Predictive Machine Learning is effective against breaches that result from targeted attacks using techniques such as phishing and spear phishing, where malware designed specifically for your environment can bypass traditional signature-based scanning.
During real-time scans, when Deep Security encounters an unknown or low-prevalence file, the Deep Security Agent scans the file with the Advanced Threat Scan Engine (ATSE) to extract file features. It then sends the feature report to the Predictive Machine Learning engine hosted on the Trend Micro Smart Protection Network. Using malware modeling, Predictive Machine Learning compares the sample against the malware model, assigns a probability score and determines the probable malware type. If the file is identified as a threat, Deep Security quarantines it to prevent the threat from spreading across your network.

Certified Safe Software Service

The Certified Safe Software Service provides a comprehensive list of applications considered safe by Trend Micro. The list includes the most popular operating system files and binaries as well as applications for desktops, servers and mobile devices. Trend Micro periodically updates the list. The Certified Safe Software Service queries Trend Micro data centers to check submitted sample files and objects against these databases. Allow-listing known-good files is used to:
• Reduce false positives
• Save computing time and resources
• Provide a mechanism for locking down systems against undesired infiltration

Sources for the Certified Safe Software Service include:
• Internal sources, such as the File Reputation Service, Tech Support and all Trend Micro release builds
• Partnerships with other technology companies, including Adobe, Apple, Google, Mozilla, Cisco, Acer, VMware, Yahoo!, Citrix, Intel, Intuit, Big Fish Games and Electronic Arts
• Targeted, proactive sourcing from software download sites such as CNET download.com, MajorGeeks, Softpedia and SourceForge, and from crawlers
• Subscriptions, including the National Software Reference Library, MSDN, and regional magazines (especially from Europe) that ship DVDs of applications
• Local sourcing teams for regional file collection
• Customer submissions, for example through Customer Support

The resulting catalog, GRID (Good Reputation Index Database), is the world's largest goodware catalog, with over 700 million unique files and more than 130 GRID partners.

Smart Feedback

Trend Micro Smart Feedback provides continuous communication between Trend Micro products and the company's 24/7 threat research centers and technologies. Each new threat identified through any customer's routine reputation check automatically updates all Trend Micro threat databases, blocking subsequent encounters with that threat for every customer. By continuously processing the threat intelligence gathered through its global network of customers and partners, Trend Micro delivers automatic, real-time protection against the latest threats, much like an automated neighborhood watch that involves the community in protecting others. Because the gathered threat information is based on the reputation of the communication source rather than the content of the specific communication, the privacy of a customer's personal or business information is protected.

Samples of the information sent to Trend Micro through Smart Feedback include:
• File checksums
• Web sites accessed
• File information, including sizes and paths
• Names of executable files

Participation in Smart Feedback is optional and is not required to protect your servers; you can opt out at any time from the Deep Security Manager Web console. Trend Micro recommends participating to help improve protection for all Trend Micro customers.
Smart Protection Sources

The Smart Protection source to which a Deep Security Agent connects can be either:
• The Trend Micro Smart Protection Network
• A Smart Protection Server

Trend Micro Smart Protection Network

The Trend Micro Smart Protection Network is a collection of online services. It powers both on-premise and Trend Micro hosted solutions to protect users whether they are on the network, at home or on the go. Protection is automatically updated and strengthened as more products, services and users access the network, creating a real-time neighborhood watch for its users.

Service URLs

The URLs used by Deep Security Agents to communicate with the required services on the Smart Protection Network are:
• Predictive Machine Learning: ds20-en-f.trx.trendmicro.com
• ActiveUpdate: iaus.activeupdate.trendmicro.com
• Census: ds2000-en-census.trendmicro.com
• Certified Safe Software Service: grid-global.trendmicro.com
• Web Reputation: ds20-0-en.url.trendmicro.com
• Smart Scan: ds20.icrc.trendmicro.com
• Smart Feedback: ds200-en.fbs25.trendmicro.com

Any firewall or proxy between the Agents and the Internet must permit outbound connections to these hosts.

Smart Protection Server

Smart Protection Servers localize the File Reputation and Web Reputation services to the corporate network to optimize efficiency. The server is available as a VMware image running CentOS and is compatible with the following virtualization platforms:
• VMware ESXi Server 6.5 Update 1, 6.0 Update 3a and 5.5 Update 3b
• Microsoft Windows Server 2008 R2 with Hyper-V
• Microsoft Windows Server 2012 with Hyper-V
• Microsoft Windows Server 2012 R2 with Hyper-V
• Microsoft Windows Server 2016 with Hyper-V
• Citrix XenServer 7.2, 7.1 and 6.5
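When Agents reach the Smart Protection Network through a proxy, the quickest way to confirm that every service URL listed above is actually reachable is to audit the proxy's log. The following is an added example (not Deep Security code) that parses constructed Squid-style access.log lines, maps each request to the Smart Protection service it belongs to, and reports services that succeeded, were denied by the proxy, or were never attempted at all. The log lines, client addresses and the log format are constructed for the example; the hostnames are the ones listed in the text.

```python
"""Audit a proxy log for the Smart Protection Network hosts Agents need.

Added example, not Deep Security code. Hostnames are the service URLs from
the text; the log lines are constructed in Squid native access.log format
(timestamp elapsed client action/status bytes method target ...).
"""
import re

# Service URLs from the text, keyed by the Smart Protection service they serve.
SMART_PROTECTION_HOSTS = {
    "Predictive Machine Learning": "ds20-en-f.trx.trendmicro.com",
    "ActiveUpdate": "iaus.activeupdate.trendmicro.com",
    "Census": "ds2000-en-census.trendmicro.com",
    "Certified Safe Software Service": "grid-global.trendmicro.com",
    "Web Reputation": "ds20-0-en.url.trendmicro.com",
    "Smart Scan": "ds20.icrc.trendmicro.com",
    "Smart Feedback": "ds200-en.fbs25.trendmicro.com",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<target>\S+)"
)

# Constructed sample: 10.20.1.15 gets through, 10.20.1.16 is denied Web Reputation.
SAMPLE_LOG = """\
1613650000.101 34 10.20.1.15 TCP_TUNNEL/200 8210 CONNECT ds20.icrc.trendmicro.com:443 - HIER_DIRECT/1.1.1.1 -
1613650001.220 12 10.20.1.15 TCP_TUNNEL/200 2204 CONNECT ds20-0-en.url.trendmicro.com:443 - HIER_DIRECT/1.1.1.2 -
1613650002.330 1 10.20.1.16 TCP_DENIED/403 3920 CONNECT ds20-0-en.url.trendmicro.com:443 - HIER_NONE/- text/html
1613650003.440 55 10.20.1.16 TCP_TUNNEL/200 14022 CONNECT iaus.activeupdate.trendmicro.com:443 - HIER_DIRECT/1.1.1.3 -
1613650004.550 9 10.20.1.17 TCP_TUNNEL/200 1800 CONNECT ds2000-en-census.trendmicro.com:443 - HIER_DIRECT/1.1.1.4 -
1613650005.660 7 10.20.1.17 TCP_TUNNEL/200 1500 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
"""


def target_host(target):
    """Reduce a CONNECT host:port or a full URL to its bare hostname."""
    host = target.split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def audit_egress(log_text, hosts=SMART_PROTECTION_HOSTS):
    """Return ({service: 'ok'|'denied'|'never seen'}, [(client, service)...]).

    A service is 'ok' when at least one request to its host got a 2xx,
    'denied' when it was only ever refused (4xx/5xx), and 'never seen' when
    no Agent tried it, which points at a missing route or a wrong proxy
    setting rather than a block. Per-client denials are listed separately so
    that a single misconfigured Agent is not hidden behind an overall 'ok'.
    """
    service_for = {host: service for service, host in hosts.items()}
    seen_ok, seen_denied, denials = set(), set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = target_host(m.group("target"))
        if host not in service_for:
            continue  # unrelated traffic
        status = int(m.group("status"))
        if 200 <= status < 300:
            seen_ok.add(host)
        elif status >= 400:
            seen_denied.add(host)
            denials.add((m.group("client"), service_for[host]))
    report = {}
    for service, host in hosts.items():
        if host in seen_ok:
            report[service] = "ok"
        elif host in seen_denied:
            report[service] = "denied"
        else:
            report[service] = "never seen"
    return report, sorted(denials)


if __name__ == "__main__":
    report, denials = audit_egress(SAMPLE_LOG)
    for service, status in report.items():
        print(f"{status:<11} {service}")
    for client, service in denials:
        print(f"denied: {client} -> {service}")
```

On the sample, Smart Scan, Web Reputation, ActiveUpdate and Census show as ok, the three remaining services as never seen, and 10.20.1.16 is flagged for the denied Web Reputation request even though the service is reachable from other Agents.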
Configuring the Smart Protection Source

Deep Security Agents send queries to their configured Smart Protection sources (the Trend Micro Smart Protection Network or a local Smart Protection Server) when scanning for security risks and determining a Web site's reputation.

Figure: a Deep Security Agent sending File Reputation and Web Reputation queries to a Smart Protection Server.

To reduce the possibility of going offline, Deep Security Agents can be assigned multiple Smart Protection Servers. If an Agent cannot query one Smart Protection Server, it switches to an alternative one if available, avoiding a single point of failure for cloud scanning.

Smart Protection Source for File Reputation Service

The Smart Protection source for the File Reputation Service is defined in the Anti-Malware Protection Module and supplies the file reputation information required by Smart Scan. In the Deep Security Manager Web console, go to Computers or Policies > Anti-Malware > Smart Protection.

You can choose to connect directly to the global Trend Micro Smart Protection Network or to one or more locally installed Smart Protection Servers. If you want to use a proxy for communication between Deep Security Agents and the Smart Protection Network, create a proxy entry specifically for the Smart Protection Network. You can view and edit the list of available proxies on the Proxies tab of the Administration > System Settings page. After you select a proxy, you must restart any Agents that will use it.

Select the When off domain, connect to global Smart Protection Service (Windows only) option to use the global Smart Protection Service when the computer is off domain. The computer is considered off domain if it cannot connect to its domain controller. (This option applies to Windows Agents only.)
Set Smart Protection Server Connection Warning to Yes to generate error events and alerts when a computer loses its connection to its Smart Protection Server. If you have a locally installed Smart Protection Server, enable this warning on at least one computer so that you are notified if there is a problem with the Smart Protection Server itself.

Smart Protection Source for Web Reputation

The Smart Protection source for Web Reputation supplies the Web site credibility scores required by the Web Reputation Protection Module. In the Deep Security Manager Web console, go to Computers or Policies > Web Reputation > Smart Protection.

You can choose to connect directly to the global Trend Micro Smart Protection Network or to one or more locally installed Smart Protection Servers. If you want to use a proxy for communication between Agents and the Smart Protection Network, create a proxy entry specifically for the Smart Protection Network. You can view and edit the list of available proxies on the Proxies tab of the Administration > System Settings page. For information on proxy protocols, see Proxy protocols supported by Deep Security. After you select a proxy, you must restart any Agents that will use it.

Select the When off domain, connect to global Smart Protection Service (Windows only) option to use the global Smart Protection Service when the computer is off domain. The computer is considered off domain if it cannot connect to its domain controller. (This option applies to Windows Agents only.)

Set Smart Protection Server Connection Warning to Yes to generate error events and alerts when a computer loses its connection to its Smart Protection Server. If you have a locally installed Smart Protection Server, enable this warning on at least one computer so that you are notified if there is a problem with the Smart Protection Server itself.
Smart Protection Source for Census, Certified Safe Software and Predictive Machine Learning

The Smart Protection source for the Census, Certified Safe Software and Predictive Machine Learning services is a general setting for the computer or policy. In the Deep Security Manager Web console, go to Computers or Policies > Settings. On the General tab, indicate whether a proxy is required to reach the Global Server.

Review Questions
1. Which of the Smart Protection services are used by Deep Security?
2. Which of the Smart Protection services are available through a local Smart Protection Server?
3. How is the Census service used in conjunction with the Predictive Machine Learning service?

Lesson 7: Assigning Protection Settings Through Policies

Lesson Objectives:
After completing this lesson, participants will be able to:
• Create security policies
• Override policy values inherited from a parent policy
• Create common objects that can be reused in multiple policies
• Run Recommendation Scans to identify known vulnerabilities
• Create policies based on the results of a Recommendation Scan

While protection settings can be assigned manually to each server, it is more efficient to assign them through policies. Policies are collections of rules and configuration settings saved for assignment to multiple computers. In Deep Security, a policy can include the configuration of the following items:
• Protection Module state: The policy dictates whether a Protection Module is enabled or disabled on computers using the policy
• Settings: Settings configured in a policy are applied to any computers using the policy
• Rules: Rules assigned to the Protection Modules that use them are assigned to any computers using the policy

The Policy editor is used to create and edit policies that can then be applied to one or more computers. The Computer editor, which closely resembles the Policy editor, applies settings to a specific computer.

Policy Structure

Most Deep Security policy elements and settings operate on multiple hierarchical levels, starting at the Base Policy and going down through multiple levels of child policies. Computers can be assigned a policy at any level in the hierarchy and inherit the settings configured in that policy. Any change to the assigned policy is pushed to all computers using it.

The Policies tab in the Deep Security Manager Web console displays all existing policies and their parent/child relationships as a hierarchical tree. Deep Security ships with a collection of policies that can serve as templates for policies tailored to your environment.

Policy Inheritance

Deep Security supports multiple levels of policy inheritance. A newly created child policy can inherit all or some of its settings from its parent. This lets you build a policy tree that begins with a Base Policy holding the settings and rules that apply to all computers, followed by child and further descendant policies with progressively more specific settings. For example, you can use the Base Policy for settings that apply to every computer in the organization.
A child policy can then hold settings for all Windows computers. This child policy can inherit settings from the Base Policy or override them. It can in turn have child policies of its own for different editions of Windows, for example one to enforce settings on Windows Server 2012 R2 computers and another for Windows Server 2016 computers.

Your policy tree can be built on any classification system that suits your environment. For example, the Deep Security branch of the policy tree that ships with Deep Security has two child policies, one for the server hosting Deep Security Manager and one for the Deep Security Virtual Appliance; this is a role-based structure. Deep Security also includes three policy branches designed for specific operating systems:
• Linux
• Solaris
• Windows

The Windows branch contains further child policies for desktop and server computers.

As an example, the Windows policy shown here was created as a child of the Base Policy, and in this policy the Anti-Malware configuration is Inherited (Off). This means the Anti-Malware setting in the Windows policy is inherited from its parent, the Base Policy. If you changed the Anti-Malware setting in the Base Policy from Off to On, the Windows policy would show Inherited (On). The value in parentheses always shows the current inherited value.

Policy-Level Overrides

In the example below, the Windows Server policy is a child of the Windows policy. Here the Anti-Malware setting is no longer inherited: it has been overridden and set to On. Any child policy created below Windows Server inherits the Anti-Malware setting of On from its parent.
This inherited setting is displayed as Inherited (On).

You can view the settings overridden in a policy on the Overrides page of the Policy Details. Overrides are displayed by Protection Module. You can revert system or module overrides by clicking Remove. If you find yourself overriding a large number of settings, consider branching the parent policy instead.

Computer-Level Overrides

Any setting in a policy, whether assigned or inherited, can be overridden at the computer level. The computer then applies all settings from its assigned policy except the items that were overridden.

You can see the number of settings overridden on a computer on the Overrides page of the Computer Details. Overrides are displayed by Protection Module, and system or module overrides can be reverted by clicking Remove.

Rule Inheritance

Some Protection Modules, including Intrusion Prevention, Integrity Monitoring, Log Inspection and Firewall, use rules to define behavior. You can assign rules at any level of the hierarchy, either through a policy or directly to a computer. However, a rule that is in effect at a particular policy or computer level because its assignment is inherited from a parent policy cannot be unassigned locally; it must be unassigned at the policy level where it was originally assigned. Inherited rules that cannot be unassigned are greyed out in the Assign/Unassign list for each Protection Module.
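The inheritance, override and rule behaviour described in the preceding sections, as an added example (not Deep Security code): a setting resolves to the nearest level that sets it and displays as "Inherited (On)" or "Inherited (Off)" unless overridden at that level, a computer is modelled as a leaf below its assigned policy, and a rule inherited from a parent cannot be unassigned at a child. The Base Policy > Windows > Windows Server branch and the Anti-Malware values are from the text; the Windows Server 2016 leaf, the computer and the rule name are constructed.

```python
"""Model policy inheritance, overrides and rule inheritance.

Added example, not Deep Security code. A child inherits every setting it
does not override, the console shows inherited values as "Inherited (On)"
or "Inherited (Off)", a computer can override its policy, and a rule
inherited from a parent cannot be unassigned at the child. The Base >
Windows > Windows Server branch and the Anti-Malware values come from the
text; the leaf policy, computer and rule names are constructed.
"""


class Policy:
    """A policy or a computer (a computer is a leaf whose parent is the
    policy assigned to it)."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.settings = {}   # values set at this level only (overrides)
        self.rules = set()   # rules assigned at this level only

    def effective(self, key):
        """Return (value, level) from the nearest level that sets `key`."""
        node = self
        while node is not None:
            if key in node.settings:
                return node.settings[key], node
            node = node.parent
        raise KeyError(f"{key} is not set anywhere above {self.name}")

    def display(self, key):
        """Render as the console does: an override shows the bare value,
        an inherited value shows 'Inherited (<value>)'."""
        value, level = self.effective(key)
        return value if level is self else f"Inherited ({value})"

    def override(self, key, value):
        self.settings[key] = value

    def remove_override(self, key):
        """The Remove action on the Overrides page."""
        self.settings.pop(key, None)

    def overrides(self):
        """What the Overrides page lists for this level."""
        return dict(self.settings)

    def effective_rules(self):
        """Rules assigned here plus every rule inherited from above."""
        node, rules = self, set()
        while node is not None:
            rules |= node.rules
            node = node.parent
        return rules

    def assign_rule(self, rule):
        self.rules.add(rule)

    def unassign_rule(self, rule):
        """Unassign a rule assigned at this level. Returns True if removed,
        False if the rule was not in effect, and raises if the rule is
        inherited: it must be unassigned where it was originally assigned."""
        if rule in self.rules:
            self.rules.discard(rule)
            return True
        if rule in self.effective_rules():
            raise PermissionError(
                f"{rule} is inherited; unassign it at the level that assigned it")
        return False


def build_example_tree():
    """Base Policy (Anti-Malware Off) > Windows > Windows Server (On) >
    Windows Server 2016 (constructed leaf)."""
    base = Policy("Base Policy")
    base.override("Anti-Malware", "Off")
    windows = Policy("Windows", parent=base)
    windows_server = Policy("Windows Server", parent=windows)
    windows_server.override("Anti-Malware", "On")
    ws2016 = Policy("Windows Server 2016", parent=windows_server)
    return base, windows, windows_server, ws2016


if __name__ == "__main__":
    base, windows, windows_server, ws2016 = build_example_tree()
    for policy in (windows, windows_server, ws2016):
        print(f"{policy.name}: Anti-Malware = {policy.display('Anti-Malware')}")
    base.override("Anti-Malware", "On")
    print(f"after Base change, Windows: {windows.display('Anti-Malware')}")
    windows.assign_rule("example Intrusion Prevention rule (constructed)")
    try:
        ws2016.unassign_rule("example Intrusion Prevention rule (constructed)")
    except PermissionError as err:
        print("refused:", err)
```

Note how the Windows Server override shields everything below it from the Base Policy change, which is exactly why the text advises branching the parent instead of accumulating many overrides: each override is a point where a change at the top silently stops propagating.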
Creating Policies

There are several ways to create policies in the Deep Security Manager Web console, depending on whether the policy is created from scratch, based on an existing policy, or based on the results of a Recommendation Scan.

Creating a New Policy

Click the Policies menu and, in the Policies pane, click New > New Policy. Select an existing policy as the parent. The new policy inherits all settings of the parent and can then be modified by adding, removing or editing parameters.

Duplicating an Existing Policy

To create a replica of an existing policy, select the policy, duplicate it and rename the copy. The settings of the original are carried over to the duplicate. In the example shown, the Windows Server policy is duplicated and renamed Windows Server 2019; any changes required can then be applied to the new policy.

Importing an Existing Policy From Another Installation

Policies configured in one Deep Security Manager installation can be imported into another. In the source installation, select a policy in the tree and click Export > Export Selected to XML (For Import). Copy the resulting XML file to the destination Deep Security Manager computer and click New > Import From File to import the policies. When importing policies, ensure that both the system where the policies were created and the system receiving them have the latest security updates.
If the receiving system is running an older security update, it may not have some of the rules referenced by the policies from the up-to-date system.

Running Recommendation Scans

Deep Security Agents can run Recommendation Scans on their host computer to suggest rules appropriate for that device. The scan examines the operating system and installed applications and, based on what it detects, Deep Security recommends the security rules that should be applied. Recommendation Scans give administrators a list of Deep Security rules that should be applied to a computer and serve as a guide for hardening a host with Deep Security. The recommendations rely on the following software properties:
• Recommended Intrusion Prevention rules depend on the installed software and its known vulnerabilities
• Recommended Integrity Monitoring rules depend on detected critical system and software objects
• Recommended Log Inspection rules depend on detected logs and their known critical entries

During a Recommendation Scan, Deep Security Agents scan:
• The operating system
• Installed applications
• The Windows registry
• Open ports
• The directory listing
• The file system
• Running processes and services

A Deep Security Virtual Appliance can perform agentless Recommendation Scans on virtual machines, but only on Windows platforms, and is limited to scanning:
• The operating system
• Installed applications
• The Windows registry
• The file system

Best Practice: Because changes to your environment affect which rules are recommended, run Recommendation Scans on a regular basis (weekly is the best practice). Trend Micro releases new Intrusion Prevention rules on Tuesdays, so schedule Recommendation Scans shortly after those releases.
System resource usage (CPU, memory and network bandwidth) increases during a Recommendation Scan, so schedule scans at non-peak times.

There are several ways to run Recommendation Scans:
• Scheduled task: Create a scheduled task that runs Recommendation Scans on a schedule you configure. The task can target all computers, an individual computer, a defined computer group, or all computers protected by a particular policy.
• Ongoing scans: Configure a policy so that all computers protected by it are scanned for recommendations at a regular interval. Ongoing scans can also be configured for individual computers. This type of scan checks the timestamp of the last scan and then follows the configured interval for future scans, so Recommendation Scans occur at different times across your environment. This is helpful where an Agent might not be online for more than a few days (for example, cloud environments that build and decommission instances frequently).
• Manual scans: Run a single Recommendation Scan on one or more computers. A manual scan is useful after significant platform or application changes, when you want to check for new recommendations rather than wait for a scheduled task.
• API: Initiate a Recommendation Scan through the Deep Security API.

Best Practice: Use either scheduled tasks or ongoing scans, but not both.

Once a Recommendation Scan has run, alerts are raised on all computers for which recommendations have been made.
A Recommendation Scan follows these steps:

Figure: message flow between Deep Security Manager and the Deep Security Agent: query host information, collect host metadata, return host information, identify recommendations that apply to the host, apply rules.

1. Query host information
Deep Security Manager sends a query to the Deep Security Agent to initiate the scan. The query tells the Agent where on the host to collect information; these instructions are based on the detection rules and expressions included in every Security Update.

2. Collect host metadata
On receipt of the query, the Deep Security Agent collects information about the host for return to Deep Security Manager. The Agent obtains information from the following sources:
• Registry entries
• Running processes
• Open ports
• File system
• Services
This covers not only the host operating system but also the applications installed on it, and is used to determine which vulnerabilities may exist on the host.

3. Return host information
Once the host metadata is compiled, it is sent to Deep Security Manager as an XML-based message. If the Recommendation Scan was initiated from Deep Security Manager, the information is returned synchronously with the query; otherwise it is sent as part of the regular Agent heartbeat.

4. Identify recommendations
When Deep Security Manager receives the host metadata, it compares it with the following security information in its database to identify which rules should be applied to the host:
• Intrusion Prevention rules
• Integrity Monitoring rules
• Log Inspection rules
• Log Inspection decoders
For example, if the service information collected from the Windows Service Control Module indicates that Microsoft IIS is present on the host, then the rules related to this particular Web server need to be applied. A list of recommended rules is displayed in the Deep Security Manager Web console.

5 Rules applied
Rules can be set to be applied manually or automatically at the computer level. Any policy assigned to this server will also have the recommendations available to be applied manually to the policy.

Assigning the Recommendations
Recommendation Scans offer suggestions on rules that would be appropriate for the server, based on the operating system and applications the server is currently hosting. The scan is run on the server, and the recommendations can be assigned to this server only, or can be applied to a policy that the server is bound to.

Assigning the Recommended Rules to a Computer
Once a scan has completed, the rules recommended by the scan can be added to a computer manually or automatically.

To apply the rules manually, once the Recommendation Scan is complete, select the corresponding protection module and click Assign/Unassign from the General tab of Computer Details. Select Recommended for Assignment from the list and click to select the individual rules to apply.

The recommended rules can also be applied automatically by setting Automatically Implement Recommendations to Yes on the General tab before running the scan.

Note: Rules assigned this way override both Base and assigned Policy-level settings. Maintaining these rules may become tedious and may eventually require use of an Override at the assigned Policy level.

The results of a Recommendation Scan can also include recommendations to unassign rules.
This can happen when applications are uninstalled, when security patches from a manufacturer are applied, or when unnecessary rules have been applied manually. If Automatically Implement Recommendations is set to Yes, rules that are no longer needed are automatically removed; otherwise, select Recommended for Unassignment from the display filter menu and deselect the rules that are no longer needed.

Applying the Recommended Rules to a Policy
If the computer on which you ran a Recommendation Scan is currently using a policy, the suggested rules will also be available to apply manually to the policy through the Recommended for Assignment list.

If a rule that was previously applied in the policy is no longer needed after the scan is run, it can be selected from the Recommended for Unassignment list.

Performing Ongoing Scans
To ensure that the results of the scan are always up to date, Recommendation Scans can be configured to run automatically at a specified interval. At the computer level, any new rules released since the previous scan will be either added to the Recommended for Assignment list (if rule assignment is being done manually) or added automatically (if Automatically Implement Recommendations is enabled). Likewise, any rules that are no longer needed will be added to the Recommended for Unassignment list (if rule assignment is being done manually) or removed automatically (if Automatically Implement Recommendations is enabled).

Scheduling a Recommendation Scan
Recommendation Scans can also be set to run as a scheduled task. This can be set at the Base Policy, individual Policy or Computer level.
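To make the matching and assignment steps concrete, here is an added toy model of steps 2 through 5 and of the ongoing-scan assignment/unassignment lists. It is illustration written for this guide, not Deep Security code: the host metadata, the rule catalogue, the rule identifiers (suffixed -HYP) and the detection expressions are all constructed stand-ins for the detection rules that ship in Security Updates.

```python
"""Toy model of the Recommendation Scan matching and assignment steps.

Constructed illustration, not Deep Security code: host metadata, rule
catalogue, rule identifiers and detection expressions are all made up.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, List, Set, Tuple

HostMetadata = Dict[str, Any]


@dataclass(frozen=True)
class Rule:
    rule_id: str                              # hypothetical identifier, not a real rule ID
    module: str                               # protection module that owns the rule
    name: str
    applies: Callable[[HostMetadata], bool]   # detection expression evaluated against host metadata


# Detection-expression helpers mirroring the metadata sources listed in step 2.
def service_present(name: str) -> Callable[[HostMetadata], bool]:
    return lambda h: name in h["services"]


def port_open(port: int) -> Callable[[HostMetadata], bool]:
    return lambda h: port in h["open_ports"]


def registry_key_present(key: str) -> Callable[[HostMetadata], bool]:
    return lambda h: key in h["registry"]


def os_family(prefix: str) -> Callable[[HostMetadata], bool]:
    return lambda h: str(h["os"]).startswith(prefix)


# Constructed catalogue standing in for the Manager's database of
# Intrusion Prevention, Integrity Monitoring and Log Inspection rules.
CATALOGUE: List[Rule] = [
    Rule("IPS-IIS-HYP", "Intrusion Prevention", "Microsoft IIS Web Server", service_present("W3SVC")),
    Rule("IPS-RDP-HYP", "Intrusion Prevention", "Remote Desktop Protocol", port_open(3389)),
    Rule("IPS-APACHE-HYP", "Intrusion Prevention", "Apache HTTP Server", service_present("Apache2.4")),
    Rule("IM-IIS-CONFIG-HYP", "Integrity Monitoring", "IIS configuration",
         registry_key_present(r"HKLM\SOFTWARE\Microsoft\InetStp")),
    Rule("LI-MSSQL-HYP", "Log Inspection", "Microsoft SQL Server logs", service_present("MSSQLSERVER")),
    Rule("LI-WINEVT-HYP", "Log Inspection", "Windows event logs", os_family("Windows")),
]

# Constructed host metadata, as step 2 would collect it on a Windows web server.
SAMPLE_HOST: HostMetadata = {
    "os": "Windows Server 2019",
    "services": {"W3SVC": "running", "MSSQLSERVER": "stopped"},
    "processes": {"w3wp.exe", "svchost.exe"},
    "open_ports": {80, 443, 3389},
    "registry": {r"HKLM\SOFTWARE\Microsoft\InetStp"},
}


def identify_recommendations(host: HostMetadata, catalogue: Iterable[Rule],
                             assigned: Set[str]) -> Tuple[List[str], List[str]]:
    """Step 4: compare host metadata against the catalogue.

    Returns (Recommended for Assignment, Recommended for Unassignment): rules
    that match but are not yet assigned, and assigned catalogue rules that no
    longer match (for example because the application was uninstalled).
    """
    catalogue = list(catalogue)
    matching = {r.rule_id for r in catalogue if r.applies(host)}
    known = {r.rule_id for r in catalogue}
    to_assign = sorted(matching - assigned)
    to_unassign = sorted((assigned & known) - matching)
    return to_assign, to_unassign


def apply_recommendations(assigned: Set[str], to_assign: List[str],
                          to_unassign: List[str], auto_implement: bool) -> Set[str]:
    """Step 5: with Automatically Implement Recommendations set to Yes the
    assigned rule set is updated in place; otherwise it is left for manual review."""
    if not auto_implement:
        return set(assigned)
    return (set(assigned) | set(to_assign)) - set(to_unassign)


if __name__ == "__main__":
    # The host used to run Apache, so an Apache rule is still assigned.
    current = {"IPS-APACHE-HYP", "IPS-IIS-HYP"}
    add, drop = identify_recommendations(SAMPLE_HOST, CATALOGUE, current)
    print("Recommended for Assignment:", add)
    print("Recommended for Unassignment:", drop)
    print("After auto-implement:", sorted(apply_recommendations(current, add, drop, True)))
```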
Creating a New Policy Based on a Recommendation Scan
To create a policy to be used on a collection of computers with similar configurations, the results of the Recommendation Scan can be used as the basis for a new policy.

Create a new policy and, when prompted, click Yes to base the policy on an existing configuration. Select the server on which you ran the Recommendation Scan that will be used as the basis for the policy.

Select which configuration settings and rules from the selected server will be carried over to the new policy.

Common Objects
Common Objects lists objects that can be shared by many constructs, such as policies and rules, throughout Deep Security. Common Objects can be considered a root repository for shared objects and can be accessed from the Policies menu.

Rules
The Rules list displays all of the current Protection Module rules (for those modules that make use of rules):
• Firewall rules
• Intrusion Inspection rules
• Integrity Monitoring rules
• Log Inspection rules
• Application Control rulesets

The list of rules is refreshed regularly by Trend Micro as new vulnerabilities are discovered and new applications are released. Any custom rules you have created will also be listed.

Lists
The Lists page contains objects that can be reused by various configurations or rules, by either policies or computers.
• Directory Lists include reusable lists of directories.
• File Extension Lists include lists of file extensions that are used by Malware Scan Configurations.
For example, one list of file extensions can be used by multiple Malware Scan Configurations to identify files to include in a scan. Another list of file extensions can be used by multiple Malware Scan Configurations as files to exclude from a scan.
• File Lists include reusable lists of files.
• IP Lists include reusable lists of IP addresses for use by multiple Firewall Rules.
• MAC Lists include reusable lists of MAC addresses.
• Port Lists include reusable lists of ports.

Contexts
Contexts provide a mechanism for implementing different security policies depending on the computer's network environment.

With many laptops now capable of connecting to both wired and wireless networks, users need to be aware of the problems that can result from this scenario. For example, a common problem is a network bridge configured between wired and wireless networks. This risks forwarding internal traffic externally and potentially exposing internal hosts to external attacks. Deep Security allows administrators to configure a set of firewall rules for these types of users to prevent them from creating a network bridge.

Contexts are designed to be associated with Firewall and Intrusion Prevention Rules. If the conditions defined in the Context associated with a rule are met, the rule is applied. To link a security rule to a Context, go to the Options tab in the Properties window for the rule and select the Context from the menu.

Contexts can also be used to provide Deep Security Agents with location awareness. To determine a computer's location, contexts examine the nature of the computer's connection to its domain controller and its connectivity to the Internet.
• Locally Connected to Domain is true only if the computer can connect to its domain controller directly.
• Remotely Connected to Domain is true if the computer can only connect to its domain controller through a VPN connection.
• Not Connected to Domain is true if the computer cannot connect to its domain controller.
• Not Connected to Domain, No Internet Connectivity is true if the computer cannot connect to its domain controller by any means and the host has no Internet connectivity. (The test for Internet connectivity can be configured in Administration > System Settings > Contexts.)

By assessing the ability of the computer to connect with its domain controller or the Internet, an Agent can then implement rules such as restricting HTTP traffic to non-routable (or private) IP addresses only.

The following contexts are included with Deep Security by default:

Both the Off Domain and Remote Domain VPN contexts use the Deep Security Agent's host domain controller as their reference server.

Interface Isolation forces the Deep Security Agent host to use only one network interface, thereby facilitating protection. This is particularly useful for laptops that have wireless functionality as well as a network connection, where a connection can be bridged. A context that uses Interface Isolation will apply to interfaces that have been disabled. This is useful for firewall policies using the Allow and Force Allow actions.

Firewall Stateful Configurations
Firewall Stateful Configurations analyze each packet in the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions. In the case of stateless protocols like UDP and ICMP, a pseudo-stateful mechanism is implemented based on historical traffic analysis.
Malware Scan Configurations
Malware Scan Configurations handle the way the detection of malware is processed. Configuration options include what files to scan, whether the scanning is done in real time or on a scheduled basis, and what actions to carry out if malware is detected. In this section you can set how, in what combination, and when these configurations are in effect on a computer, and whether they are set at the policy or at the computer level. As with most elements in Deep Security, many global settings can be overridden at the Policy and computer levels.

Schedules
Schedules are reusable timetables for configuring when certain actions should take place.

Syslog Configurations
Syslog configurations define the destination and settings that can be used when forwarding system or security events.

Tags
In Deep Security, a tag is a unit of metadata that you can apply to a Deep Security event in order to create an additional attribute for the event that is not originally contained within the event itself. Tags can be used to sort, group, and otherwise organize events in order to simplify the task of event monitoring and management. A typical use of tagging is to distinguish between events that have been investigated and found to be benign and those that require action.

Review Questions
1 Characterize the differences between the following protection module states as displayed in a policy:
• Default (On/Off)
• Inherited (On/Off)
• On
• Off
2 The Firewall Protection Module is enabled in a new child policy called Internal-SQL. You notice that some rules for Firewall are already enabled in the policy, but when you try to remove one of the rules, the item is greyed out. Why are you not able to remove the rules for the Firewall protection module in this policy?
3 Describe the use of the Contexts policy object. Which protection modules would make use of this object?

Lesson 8: Protecting Servers from Malware

Lesson Objectives:
After completing this lesson, participants will be able to:
• Describe the anti-malware scanning techniques used in Deep Security
• Define malware scan configurations, including the action taken when potential malware is identified
• Enable malware protection through a policy or directly on a computer
• Review quarantined files and restore them if the file is proven not to be a threat
• Locate and view malware-related events

The Deep Security Anti-Malware Protection Module provides real-time, on-demand or scheduled protection against file-based threats, including malware, viruses, Trojans, spyware and ransomware. To identify these threats, the Anti-Malware Protection Module checks files against a comprehensive threat database, portions of which are hosted online or kept locally as updatable patterns. It also checks files for certain characteristics, such as compression and known exploit code.

Deep Security also provides security settings that you can apply to Windows servers that are protected by a Deep Security Agent to enhance your malware and ransomware detection and clean rate. These settings go beyond malware pattern matching and identify suspicious files that could potentially contain emerging malware that has not yet been added to the anti-malware patterns (known as a zero-day attack).

To address threats, the Anti-Malware Protection Module selectively performs actions that contain and remove the threats while minimizing system impact. The Anti-Malware Protection Module can clean, delete, or quarantine malicious files. It can also terminate processes and delete other system objects that are associated with identified threats.
You can configure the anti-malware settings through a policy and assign that policy to all relevant computers (for example, to all Windows Servers), or to a computer directly (at the computer level). The best practice is to use policies as much as possible for ease of management.

Note: A newly installed Deep Security Agent cannot provide anti-malware protection until it has contacted an update server to download anti-malware patterns and updates. Ensure that your Deep Security Agents can communicate with a Deep Security Relay or the global Trend Micro Update Servers after installation.

Anti-Malware Solution Platform
Anti-malware functionality uses the Trend Micro Anti-Malware Solution Platform (AMSP). This common framework abstracts Trend Micro products from specific security technology implementations and manages the different security modules for spyware, phishing, spam, web threats, behavior monitoring and so forth across multiple Trend Micro products.

[Figure: Trend Micro Product Solutions built on the Anti-Malware Solution Platform; modules shown: Machine learning, Process memory, Content security, Behavior monitoring, Anti-rootkit, Anti-spam, Anti-spyware, Anti-virus]

In a Deep Security Agent installation, the Anti-Malware Solution Platform exists as a separate entity. On a Windows computer, the Anti-Malware Solution Platform service host, framework host, log server, and various configuration files (in the form of *.cfg and *.ini files) are held in the following folder:

C:\Program Files\Trend Micro\AMSP

Sub-folders include configuration and resource backup files, debug and engine debug logs, as well as the core modules.

The Anti-Malware Solution Platform service appears as a service in the Windows Services window.
Anti-Malware Scanning Methods
Deep Security Agents use the Anti-Malware Solution Platform to administer the following scanning methods:

Virus Scanning
Virus Scanning is responsible for detecting file-based viruses. Viruses infect files by inserting malicious code. Typically, when an infected file is opened, the malicious code automatically runs and delivers a payload in addition to infecting other files. Common types of viruses include:
• COM and EXE infectors: These infect DOS and Windows executable files, which typically have COM and EXE extensions.
• Macro viruses: These typically infect Microsoft Office files by inserting malicious macros.
• Boot sector viruses: These infect the section of hard disk drives that contains operating system startup instructions.

The Anti-Malware Protection Module uses different technologies to identify and clean infected files. The most traditional method is to detect the actual malicious code that is used to infect files and strip infected files of this code. Other methods include regulating changes to infectable files or backing up such files whenever suspicious modifications are applied to them.

Deep Security offers conventional scanning using virus patterns stored locally on the Deep Security Agent computer, or Smart Scan, which shifts some of the scanning functionality to the Smart Protection Network or Smart Protection Server.

Spyware and Grayware Scanning
Spyware and grayware comprise applications and components that collect information to be transmitted to a separate system or collected by another application. Spyware/grayware detections, although exhibiting potentially malicious behavior, may include applications used for legitimate purposes such as remote monitoring. Spyware and grayware applications are typically categorized as:
• Spyware: software installed on a computer to collect and transmit personal information.
• Hacking tools: programs or sets of programs designed to assist unauthorized access to computer systems.
• Adware: any software package that automatically plays, displays, or downloads advertising material.
• Cookies: text files stored by a Web browser. Cookies contain website-related data such as authentication information and site preferences. Cookies are not executable and cannot be infected; however, they can be used as spyware. Even cookies sent from legitimate websites can be used for malicious purposes.
• Keyloggers: software that logs user keystrokes to steal passwords and other private information. Some keyloggers transmit logs to remote systems.
• Dialers: malicious dialers are designed to connect through premium-rate numbers, causing unexpected charges. Some dialers also transmit personal information and download malicious software.

Although they exhibit what can be intrusive behavior, some spyware-like applications are considered legitimate. For example, some commercially available remote control and monitoring applications can track and collect system events and then send information about these events to another system. System administrators and other users may find themselves installing these legitimate applications. These applications are referred to as grayware. To provide protection against the illegitimate use of grayware, the Anti-Malware module detects grayware but provides an option to approve detected applications and allow them to run.

Spyware and Grayware Scanning detects and removes file-based components of malware. Damage Cleanup, along with the Spyware Scanning API, detects and cleans malware-related system alterations outside the file system (for example, malware processes in memory, Registry entries, Layered Service Providers in the protocol stack, etc.).

Process Memory Scanning
Malware writers often use customized packers that can trick file-based anti-malware engines and bypass detection.
Typical virus patterns are constructed from binary machine code, and this machine code can be repacked using packing tools. Since most conventional anti-malware detection is based on virus signatures, this repacking of the virus machine code can bypass conventional detection. Deep Security can now monitor process memory in real time, and once a process is determined to be suspicious, Deep Security will perform additional checks with the Trend Micro Smart Protection Network to determine whether the process is a known good process. If these checks determine it is not a known good process, Deep Security will terminate the running process.

Behavior Monitoring
Deep Security provides security settings that you can apply to Windows and Linux machines that are protected by a Deep Security Agent to enhance malware and ransomware detection and clean rate. These settings enable you to go beyond malware pattern matching and identify suspicious files that could potentially contain emerging malware that has not yet been added to the anti-malware patterns.

Threat detection
To avoid detection, some types of malware attempt to modify system files or files related to known installed software. These types of changes often go unnoticed because the malware takes the place of legitimate files. Deep Security can monitor system files and installed software for unauthorized changes to detect and prevent these changes from occurring.

Anti-exploit
In Deep Security, the anti-exploit functionality monitors for processes that may be performing actions that are not typically performed by a given process.
Using a number of mechanisms, including Data Execution Prevention (DEP), Structured Exception Handling Overwrite Protection (SEHOP), Caller Check, Special API Check, Heap Spray Prevention and Null Page Prevention, Deep Security can determine whether a process has been compromised and then terminate the process to prevent further infection.

Extended ransomware protection
Ransomware has become more sophisticated and targeted. Most organizations have a security policy that includes anti-malware protection on their servers, which offers a level of protection against known ransomware variants; however, it may not be sufficient to detect and prevent an outbreak of new variants. The ransomware protection offered by Deep Security can protect documents against unauthorized encryption or modification. Deep Security has also incorporated a data recovery engine that can optionally create copies of files being encrypted to offer users an added chance of recovering files that may have been encrypted by a ransomware process.

In the Action to take list, choose the remediation action that you want Deep Security to take when it detects malware (NEW):
• ActiveAction (recommended): Use the action that ActiveAction determines. ActiveAction is a predefined group of cleanup actions that are optimized for each malware category. Trend Micro continually adjusts the actions in ActiveAction to ensure that individual detections are handled properly.
• Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event is still recorded.)

Windows Antimalware Scan Interface (AMSI) (NEW)
The Windows Antimalware Scan Interface (AMSI) is an interface provided by Microsoft in Windows 10 and newer. Deep Security leverages AMSI to help detect malicious scripts.

IntelliTrap
IntelliTrap is available for Real-Time scanning.
Virus writers often attempt to circumvent virus filtering by using real-time compression algorithms. IntelliTrap helps reduce the risk of such viruses entering your network by blocking real-time compressed executable files and pairing them with other malware characteristics. Because IntelliTrap identifies such files as security risks and may incorrectly block safe files, consider quarantining (not deleting or cleaning) files when you enable IntelliTrap. If users regularly exchange real-time compressed executable files, disable IntelliTrap.

Predictive Machine Learning
Predictive Machine Learning protects your servers from new, previously unidentified, or unknown threats through advanced file feature analysis and heuristic process monitoring. Predictive Machine Learning can ascertain the probability that a threat exists in a file or process and the probable threat type, protecting you from zero-day attacks.

After detecting an unknown or low-prevalence file, Deep Security scans the file to extract file features and sends the report to the Predictive Machine Learning service, hosted on the Trend Micro Smart Protection Network. Through the use of malware modeling, Predictive Machine Learning compares the sample to the malware model, assigns a probability score, and determines the probable malware type that the file contains.

When Predictive Machine Learning is enabled, choose the remediation action that you want Deep Security to take when it detects malware (NEW):
• Quarantine (recommended): Moves the infected file to the quarantine directory on the protected computer. The quarantined file can be viewed and restored in Events & Reports > Events > Anti-Malware Events > Identified Files.
• Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event is still recorded.)
• Delete: On Linux, the infected file is deleted without a backup. On Windows, the infected file is backed up and then deleted.
Windows backup files can be viewed and restored in Events & Reports > Events > Anti-Malware Events > Identified Files.

Pre-execution machine learning is supported on Windows computers hosting a Deep Security Agent. Predictive Machine Learning requires Internet access to check files against the Global Census Service and Predictive Machine Learning Service hosted on the Trend Micro Smart Protection Network. If your Deep Security Agents or Deep Security Virtual Appliance cannot access the Internet directly, you will need to configure a proxy to enable agents to check those sites.

Note: If the Deep Security Agents or Deep Security Virtual Appliance cannot connect to the Global Census Service or Predictive Machine Learning Service, Predictive Machine Learning cannot work properly and new/unknown ransomware may not be detected.

Enabling Malware Protection
Enabling Anti-Malware protection in Deep Security typically involves the following steps:
1 Defining a malware scan configuration by selecting the anti-malware scanning methods to be used.
2 Turning the Anti-Malware protection module on in a policy or on a computer.
3 Assigning the malware scan configuration to a scan type in a policy or on a computer.
4 Ensuring that Deep Security can keep up to date on the latest threats.

Defining a Malware Scan Configuration
A Malware Scan Configuration defines settings and options such as what files to scan, when the scan is performed, exclusions, what actions to carry out if malware is detected, and more. How, in what combination, and when these configurations are in effect on a computer can be set either in a policy or on specific computers.

Default Malware Scan Configurations are displayed in the Deep Security Manager Web console in the Common Objects list. These can be used as defined or edited to create new configurations.
When a Scan Type is selected, a corresponding Malware Scan Configuration must also be selected to identify the scanning parameters. New Malware Scan Configurations that are created are added to the Common Objects list, allowing these configuration settings to be easily applied within policies or on computers. You can edit the Malware Scan Configuration from Common Objects, or from the policy or computer.

Note: It is recommended to create duplicates of the default scan configurations provided in the Deep Security Manager console. This creates a backup that can be used by administrators for future reference or as templates for new configurations.

Click the Policy menu and, in the left-hand pane, expand Common Objects > Other > Malware Scan Configuration. Double-click an existing configuration or click New to create a new configuration. Select the type of scan by identifying whether the new configuration is for a Real-Time Scan or a Manual/Scheduled Scan. The configuration options are displayed on the following tabs.

General Tab
Scan settings on the General tab define the types of scans to be performed and enable alerts.

Note: The icons beside the scan methods identify whether the method is limited to a particular operating system, whether an on-host agent is required and whether a performance hit is expected.

Inclusions Tab
Scan settings on the Inclusions tab define the folders and files to scan when this configuration is used.

Directories to scan
• All directories: The Agent will scan files in all directories on the server.
• Directory List: Select a Directory List common object to restrict the scanning to only the identified directories on the server.
Files to scan
• File Extension List: Administrators can specify the types of files to scan by selecting a file extension common object from the File Extension List. This option relies on file extensions, which may not necessarily indicate the true nature of the file.
• File types scanned by IntelliScan: Some files cannot be scanned, and cannot be malicious. The Agent will not scan files if it does not know how they can become infected. True file type detection is used by the Agent to identify the type of file it is dealing with, to decide if it is to be scanned, and how to scan it. IntelliScan is a technique used by the Agent to make a scanning decision based on a list of file types that are considered dangerous, and to skip the ones not considered dangerous.
• All files: The All files option also uses true file type detection, but will also scan files even if it cannot determine the true file type.

As an example, the Agent detects a file called dangerous.txt. Since text files have no true file type, it will be scanned when All files is enabled, but not when IntelliScan is enabled, as it considers .txt files to be safe. If the text file did contain a malicious script, it would be captured by the All files scan.

A file called dangerous.com is detected. No true file type detection is possible with .com files. This file will be scanned when All files is enabled, and also when IntelliScan is enabled, as .com files are considered potentially dangerous.

The examples in this table can help when choosing between File types scanned by IntelliScan or All files.
Extension | Header in file | Considered dangerous | Scanned by IntelliScan | Scanned by All Files | Notes
.exe      | yes            | yes                  | yes                    | yes                  | Always scanned
.jpeg     | yes            | no                   | no                     | no                   | .jpeg files could contain malicious information, such as scripts, but to be malicious the application opening those infected files would also need to be compromised to use the malicious information in the file.
.com      | no             | yes                  | yes                    | yes                  | Always scanned
.txt      | no             | no                   | no                     | yes                  | A .txt file could contain malicious scripts, but it is not dangerous in .txt form; it could become dangerous if changed to .com.

Exclusions Tab
Scan settings on the Exclusions tab define the folders and files to ignore when this configuration is used. When the Anti-Malware Protection Module is enabled, there are certain files and folders that should not be scanned. Reasons could include that the files are unscannable due to being encrypted or locked, or that scanning these files would cause performance issues or cause software using these files to become unstable.

As an example, if you are creating a malware scan configuration for a Microsoft Exchange server, you should exclude the SMEX quarantine folder to avoid re-scanning files that have already been confirmed to be malware. Recommended exclusions include Microsoft Exchange mailbox folders, database folders and VMware images. Refer to Trend Micro Knowledge Base article 1059795 for recommended exclusion lists when using Trend Micro products: http://esupport.trendmicro.com/solution/en-us/1059795.aspx

Advanced Tab
Scan settings on the Advanced tab define various settings such as scanning of linked or embedded objects, scanning of compressed files, as well as the remediation of malware files. The Remediation Actions section identifies how Deep Security will deal with malware when detected. Default actions are assigned to each type of malware using ActiveAction technology.
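Returning to the "Files to scan" options on the Inclusions tab above, the following added example works the IntelliScan versus All files decision (and the extension-list alternative) as code over the same four cases as the table, plus a renamed executable to show why extension matching alone is weaker. It is illustration written for this guide, not Deep Security code: the header signatures, the "dangerous" type list and the sample files are constructed stand-ins for the Agent's true file type detection.

```python
"""Scan-selection logic from the Inclusions tab, worked as code.

Constructed illustration, not Deep Security code: the header signatures,
the dangerous-type lists and the sample files are stand-ins for the Agent's
true file type detection and IntelliScan type list.
"""
import os
from dataclasses import dataclass
from typing import Optional, Set

# Constructed header signatures used for true file type detection.
MAGIC_NUMBERS = [
    (b"MZ", "executable"),          # Windows PE / DOS .exe
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]

# Types with a header that IntelliScan treats as potentially dangerous (constructed list).
DANGEROUS_TYPES: Set[str] = {"executable", "pdf", "zip"}
# Extensions with no header at all; .com is still treated as dangerous, .txt is not.
DANGEROUS_HEADERLESS_EXTENSIONS: Set[str] = {".com"}


@dataclass(frozen=True)
class ScanDecision:
    true_type: Optional[str]   # None when no true file type can be determined
    extension_list: bool       # scanned under "File Extension List"
    intelliscan: bool          # scanned under "File types scanned by IntelliScan"
    all_files: bool            # scanned under "All files"


def true_file_type(data: bytes) -> Optional[str]:
    """Identify the type from the file header, ignoring the file name entirely."""
    for magic, ftype in MAGIC_NUMBERS:
        if data.startswith(magic):
            return ftype
    return None


def decide(name: str, data: bytes, extension_list: Set[str]) -> ScanDecision:
    ext = os.path.splitext(name)[1].lower()
    ftype = true_file_type(data)
    if ftype is not None:
        dangerous = ftype in DANGEROUS_TYPES
    else:
        # No header: fall back to the name, as the .com example above describes.
        dangerous = ext in DANGEROUS_HEADERLESS_EXTENSIONS
    return ScanDecision(
        true_type=ftype,
        # Extension-list scanning trusts the name, so a renamed executable is skipped.
        extension_list=ext in extension_list,
        # IntelliScan scans only the types it considers dangerous.
        intelliscan=dangerous,
        # All files also scans anything whose true type cannot be determined.
        all_files=dangerous or ftype is None,
    )


# Constructed sample files mirroring the table rows, plus a renamed executable.
SAMPLES = {
    "report.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "dangerous.com": b"\xb8\x00\x4c\xcd\x21",
    "dangerous.txt": b"Set shell = CreateObject(\"WScript.Shell\")",
    "holiday.jpeg": b"MZ\x90\x00\x03\x00\x00\x00",   # executable renamed to look like an image
}
DEFAULT_EXTENSION_LIST: Set[str] = {".exe", ".com"}

if __name__ == "__main__":
    for fname, content in SAMPLES.items():
        d = decide(fname, content, DEFAULT_EXTENSION_LIST)
        print(f"{fname:14} type={str(d.true_type):10} ext-list={d.extension_list!s:5} "
              f"IntelliScan={d.intelliscan!s:5} All-files={d.all_files}")
```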
With ActiveAction, the administrator relies on Trend Micro action recommendations that are stored within the virus scanning pattern. Trend Micro Anti-Virus engineers define these actions based on their analysis of various malware types. Custom actions can also be defined, allowing an administrative user to specify a particular action for malware variations.

The following actions are available for each malware type displayed:

• The Pass action does nothing to the file and allows full access
• The Quarantine action moves malware to a quarantine folder
• The Clean action attempts to remove virus code from the infected file
• The Delete action deletes the infected file
• The Deny Access action, which is only available in Real-time scan configurations, stops file open and execute operations

ActiveAction is a predefined group of cleanup actions that are optimized for each malware category. Trend Micro continually adjusts the actions in ActiveAction to ensure that individual detections are handled properly.

Enhanced Scanning also performs the following actions when it finds an issue; however, these actions are determined by Deep Security and are not configurable.

• The Deny Access action immediately blocks the operation and records an anti-malware event when Deep Security detects an attempt to open or execute a suspicious file
• The Terminate action terminates processes that perform suspicious operations and records an anti-malware event

Note: If a Clean action fails, the Anti-Malware Solution Platform creates a backup of the file in the quarantine folder and deletes the file.
Possible Malware identifies an action to take if a file is identified as possible malware, meaning the file appears suspicious but cannot be classified as a specific malware variant, since the detection is based on heuristic rules only and not on patterns. If you leave this option set to Default, the action will be the one selected in the Upon detection list. When possible malware is detected, Trend Micro recommends that you contact your support provider for assistance in further analysis of the file.

Assigned To Tab

The Assigned To tab lists all the policies and computers that are using the particular Malware Scan Configuration.

Note: New or modified Malware Scan Configurations can be created from within policies or from the details of a particular computer.

Turning the Anti-Malware Module On

You can enable Anti-Malware protection in policies or in the settings for a computer.

Turning the Anti-Malware Module On in a Policy

Anti-Malware protection can be assigned to policies at any level in the hierarchy. Any sub-policies with inheritance enabled will be assigned the Anti-Malware protection setting.

To do this in a policy, click the Policies menu and double-click the policy to which you'd like to assign protection. Click the Anti-Malware protection module in the left-hand frame, set the Anti-Malware State to On and click Save. A Malware Scan Configuration and Schedule must also be selected when turning the Protection Module on.

Turning the Anti-Malware Module On on a Computer

To set Anti-Malware protection on a specific computer only, click the Computers menu. Locate and double-click a computer in the list to open Details. In the right-hand pane, click Anti-Malware and on the General tab set the Anti-Malware Configuration to On and click Save.
Turning the module on at the computer level will override the inheritance of settings from the policy. A Malware Scan Configuration and Schedule must also be selected when turning the protection module on.

When you click Save, the appropriate scanning components will be downloaded to the Deep Security Agent and any required security updates will be applied. A message in the lower left-hand corner of the console window will display the status of the update operation.

The status for the Anti-Malware protection module will be listed as On, as well as the type of scan being used.

Assigning the Scan Configuration to a Scan Type

Deep Security needs to know what type of scans it should perform. You can configure this from the Anti-Malware > General tab for a policy or on a computer.

Real-Time Scan

Real-Time Scanning is a persistent and ongoing scan, designed to detect file infection and/or malware creation attempts as they happen. This functionality represents the primary reason for using anti-malware products in the first place. Each time a file is received, opened, downloaded, copied, or modified, Deep Security scans the file for security risks. If Deep Security detects no security risk, the file remains in its location and users can proceed to access the file. If Deep Security detects a security risk, it displays a notification message that shows the name of the infected file and the specific security risk.

Real-time scan runs every day, all day, unless another time period is selected from the Schedule list. You can configure real-time scanning to run when it will not have a large impact on performance, for example, when a file server is scheduled to back up files. This scan can be run on all platforms supported by the Anti-Malware module.
Both Deep Security Agents and Virtual Appliances possess this functionality; however, their implementations are different.

Manual Scan

Manual scanning runs a full system scan on all processes and files on a computer. The time it takes to complete depends on the number of files to scan and the computer's hardware resources. There are two Manual Scan options that can be selected:

• Quick Scan for Malware will scan a computer's critical system areas for currently active threats. A Quick Scan will look for currently active malware, but it will not perform deep file scans to look for dormant or stored infected files. It is significantly faster than a Full Scan on larger drives. Quick Scan can only be run on Windows servers.
• Full Scan for Malware enumerates all files on a disk. Unlike real-time scans, which only apply to individual objects that trigger events, manual and scheduled scans require the scan engines to scan entire system areas to detect malware. The process of collecting information is called enumeration. If a system area can be enumerated, it can be scanned. This scan can be run on all platforms supported by the Anti-Malware module.

To run a manual scan, click Quick Scan for Malware or Full Scan for Malware in the Malware section of the General tab. Alternately, right-click one of the hosts in the Computers list and click Actions. From the pop-up menu, click Quick Scan for Malware or Full Scan for Malware.

Scheduled Scan

A Scheduled Scan runs automatically on the appointed date and time, and can automate routine scans and improve scan management efficiency. This scan can be run on all platforms supported by the Anti-Malware module.

As with other recurring tasks within Deep Security, Scheduled Scans are set using the Scheduled Task wizard. Click Administration > Scheduled Tasks and click New.
A Timeout setting defines an allowable scan duration. If this preset limit is reached, the scan is suspended. Combined with the Start time setting, scans can be time-boxed so they run exclusively during non-impacting hours.

Keeping Deep Security Up To Date on Malware

Deep Security periodically needs to be updated with the latest security updates. The update packages are retrieved from Trend Micro in the form of security updates. Deep Security Relays, organized into Relay Groups (also managed and configured by the Deep Security Manager), are used to retrieve security updates from Trend Micro and distribute them to Agents and Virtual Appliances.

To ensure that Deep Security is able to get the latest information about threats and patterns from Trend Micro, from the Administration menu, expand System Settings > Updates. Make sure you have at least one relay-enabled agent and that it is assigned to the appropriate Agents and Virtual Appliances. Verify that you have a scheduled task to perform regular updates for both security and software updates through Administration > Scheduled Tasks.

The enhanced scanning features require Internet access to check files against the Global Census Service, Good File Reputation Service and Predictive Machine Learning. If your Deep Security Agents cannot access the Internet directly, you will need to configure a proxy to enable agents to check those services. If the agent cannot reach the Global Census Server and Good File Reputation Service, the detection rate for scans will be very low. For example, ransomware may not be detected, and process memory scanning will also be affected.

Viewing Anti-Malware-Related Events

Events related to Anti-Malware activities on the protected computers can be viewed for the entire system, or on a computer-by-computer basis.
System Events

To view all the Anti-Malware events that have occurred, click the Events & Reports menu. Click Anti-Malware Events in the left-hand frame. Select the criteria for the retrieval of the events and click Refresh. All the retrieved events will be displayed.

Computer Events

To view anti-malware events for a specific computer, double-click the device in the Computers list to view the Details. Click the Anti-Malware Protection Module in the left-hand frame and click the Anti-Malware Events tab.

Since new events are only retrieved at each heartbeat, you may need to click Get Events to view recent activity.

Adding Malware to the Allowed List

If the events list displays malware that is to be allowed, right-click the event and click Allow. This file is added to the allowed list and will no longer be identified as malware.

Reviewing Files Identified as Malware

A file that has been identified to be or to contain malware can be quarantined. These files are encrypted and moved to a special folder. The action to take on an identified file is derived from the filter which initially inspected the file. Custom actions, including quarantine, can be assigned to the following types of malware:

• Virus
• Trojan
• Packers
• Spyware
• Common Vulnerabilities and Exposures (CVE) exploits
• Files identified by Aggressive Detection rules
• Other threats
• Possible Malware

Note: After a file has been quarantined, a utility is used to decrypt, examine, and restore the file.

A limited amount of disk space is set aside for storing identified files. The amount of space can be configured, and alerts can be raised when there is not enough disk space to quarantine a suspicious file.
Note: If the limit is reached, the oldest files will be deleted first until 20% of the allocated space is freed up.

The Quarantine action was designed to give administrators a chance to verify whether the file that was flagged as malware is indeed a malicious file. For this to work, administrators must receive notifications when files are quarantined and have a means to access the quarantined files.

Restoring Identified Files

Once a file has been identified as malware but is determined to be benign, administrators can use tools to manually restore the file to its original location. This should be done with caution, as infected files could be extremely damaging to your network.

Restoring Identified Files to the Agent Computer Through the Deep Security Manager Web Console

On the Identified Files tab, select a file from the list and click Restore. A Restore File Wizard is launched. Step through the wizard to restore the file on the Agent computer.

Downloading and Unarchiving Identified Files Using the Administration Utility

Identified files can be downloaded from the Agent computer to the Deep Security Manager computer and decrypted for further analysis. On the Identified Files tab, select the file and click Download. A Download File Wizard is launched.

Step through the Wizard and select a location for the file. On the final Summary page, click the link to download the restore utility. A zip file called QFAdminUtil.zip is downloaded containing QDecrypt.exe, which is run as a Windows application, and QDecrypt.com, which is run as a command-line utility. Double-click QDecrypt.exe, locate the extracted quarantined file you wish to restore and select a safe location for saving the file.
Decrypting Identified Files From the Command Prompt

To manually restore a file identified as malware, you must use the command-line version of the decryption utility downloaded from Deep Security Manager (QDecrypt.com) to decrypt the file and then move it back to its original location.

Quarantining Files on Deep Security Agents

Quarantining on Deep Security Agents is based on the Anti-Malware Solution Platform backup mechanism. Whenever a scan action is performed that results in a change to a file (for example, clean, delete, quarantine), a backup is created in the following location, where the file is compressed and encrypted:

C:\ProgramData\TrendMicro\AMSP\quarantine

Note: Since this Windows folder may be hidden as a protected operating system folder, change the view settings in order to list the contents of the quarantine folder.

Whenever the Deep Security Agent cleans, deletes, or quarantines a file, the action will create a quarantine event.

Smart Scan

In addition to conventional pattern-based detection, Deep Security offers Smart Scan as a feature of the Trend Micro Smart Protection Network. Smart Scan shifts much of the malware and spyware scanning functionality to a Smart Protection Service, either in the cloud or local. It keeps local pattern files small and reduces the size and number of updates required by Agents.

The move to in-the-cloud protection is driven by two considerations:

• Malware creation is outstripping traditional malware knowledge deployment. By the time a piece of malware is recognized, it has already changed.
• As patterns grow in power, they grow in size. An inescapable consequence of a rise in the number of malware samples is accelerated growth of anti-malware patterns. As things currently stand, network administrators have to be careful about when they schedule their updates, to avoid network disruption.
To address these conditions, Trend Micro re-thought how it deployed malware knowledge to its protection products. Instead of pre-deploying anti-malware knowledge to the endpoints, with the resulting deployment delay and bandwidth issues, this knowledge is now deployed on demand from a centralized database that is updated more frequently than traditional methods, through a mechanism called File Reputation.

Smart Scan provides the following features and benefits:

• Reduces the overall time it takes to deliver protection against emerging threats
• Reduces the cost and overhead associated with corporate-wide pattern deployments
• Reduces network bandwidth consumed during pattern updates. The bulk of pattern definition updates only needs to be delivered to the cloud and not to many servers
• Lowers kernel memory consumption on servers. Consumption increases minimally over time
• Provides fast, real-time security status lookup capabilities in the cloud and therefore increases overall protection

By default this option is set to on. (In the Deep Security Virtual Appliance, the default is off.)

Agents that implement the Smart Scan solution use the following components:

• Smart Scan Agent Pattern: This pattern file contains complete threat information for all malware that is currently in the wild.
• Smart Query Filter: This compressed index file references complete threat information that is stored in the Smart Scan Pattern on the Smart Protection Server.
• Smart Scan Pattern: This pattern file stores information for virus confirmation and the actions to take for cleaning, and is located on the Smart Protection Server.

File Reputation

File Reputation is a new implementation of malware identification through the use of Cyclic Redundancy Check (CRC) values.
Cyclic Redundancy Check information can be divided into two parts:

• Part 1 - Used for initial malware identification
• Part 2 - Used for malware confirmation

The following diagram represents a file that has been infected by a virus.

[Diagram: Virus part 1 (Jump code) | File contents | Virus part 2 (Main portion)]

When a virus infects a file, it typically appends a part of itself to the front of the file. This serves two purposes:

• To keep other instances of the virus from re-infecting an already infected file, thereby ensuring efficient propagation.
• To ensure that the virus code in the file runs first whenever the file is opened. This front-appended portion often contains a jump command to the main portion of the virus, which is located elsewhere in the file.

For this kind of virus, the CRC information in part 1 would be used to identify the first part of the virus added to the front of the file.

[Diagram: CRC part 1 covers Virus part 1 (Jump code) | File contents | Virus part 2 (Main portion)]

The scan engine uses this information to detect whether a file has been infected with a specific virus. After detecting the first part of the virus using part 1 of the CRC information, the scan engine looks for the corresponding part 2 of the CRC for additional identification information about the remaining portion of the virus, and to confirm that the file is indeed a virus.

To locate part 2 of the CRC information, the scan engine requires information about its expected location within the file. This information is stored in what pattern builders call the CRC table, and the location within the file is called its offset.

[Diagram: Virus part 1 (Jump code) | File contents | Virus part 2 (Main portion); the Offset points at part 2, which is covered by CRC part 2]

Once the virus has been identified, the scan engine requires information to clean/remove the virus. This information comes from the Smart Protection Server.
Once the scan engine retrieves the cleaning/removal information that corresponds to the identified virus, it is then able to take action against the virus.

File Reputation addresses the needs enumerated in the previous section by de-constructing the existing pattern.

[Diagram labels: New pattern (Smart Query filter); External database (Smart Scan Pattern); CRC part 1; CRC part 1, CRC part 2, Virus info; Non-CRC data; CRC and virus info for in-the-wild malware; Non-CRC pattern (Smart Scan Agent Pattern); Deep Security Agent computer]

Note the following changes to the existing pattern:

• CRC and virus information is still stored locally for malware that is classified as in-the-wild. This means that the only malware information that is available locally corresponds to malware that is actively doing harm. This information resides in the Smart Scan Agent Pattern file.
• CRC and virus information for malware that is no longer considered in-the-wild is moved to an external database called the Smart Scan Pattern. This pattern contains all the CRC Part 1 and Part 2 information of the traditional pattern. Non-CRC data is also stored in the Smart Scan Pattern.
• A compressed copy of the CRC Part 1 information for not-in-the-wild malware is moved to a new pattern called the Smart Query Filter, which the Deep Security Agent uses to determine when to query the external database for matching Part 2 information. This serves as a kind of index to the information in the external database.

Note: Both the Smart Query Filter and Smart Scan Agent Pattern reside on the Deep Security Agent.

Querying the File Reputation Service

Components on the Deep Security Agent are responsible for looking for malware and taking action upon it when found. However, the knowledge required to identify malware does not completely reside within the product itself; part of this knowledge is located externally.
The File Reputation Service containing CRC information that corresponds to known malware can be located either on the global Trend Micro Smart Protection Network or on a local Smart Protection Server. These elements work together as shown below.

[Diagram: exchange between the Deep Security Agent and the Smart Protection Server: Reference Smart Scan Agent Pattern for local verification; Calculate CRC Part 1; Submit CRC Part 1; Smart Scan Pattern query (for CRC Part 2); Returns corresponding CRC Part 2; Malware identification; Virus ID query; Smart Scan Pattern query (for virus info); Returns cleaning/removal instructions from virus info; Remove malware]

1 Reference Smart Scan Agent Pattern
Each time the Deep Security Agent scans a file, it first uses the local pattern file to check whether the scanned content contains malware and to obtain cleaning instructions. It does this by referencing information in the Smart Scan Agent Pattern. The Agent uses this to perform the in-the-wild verification and to clean/remove these active viruses.

2 Calculate CRC part 1
If the content looks suspicious but the malware cannot be detected and cleaned using the local pattern files, the Agent calculates a Cyclic Redundancy Check (CRC) sum for the initial portion of the content (CRC Part 1).

3 Submit CRC part 1
The Agent submits the CRC Part 1 sum to the local or in-the-cloud File Reputation Service to query the malware database for all records matching the calculated CRC Part 1.

4 Smart Scan Pattern query for CRC part 2
In this step, the File Reputation service uses the CRC Part 1 value to query for matching CRC Part 2 information, which enables the scan engine to confirm that the suspect file is indeed malware. The CRC Part 2 information is stored in a database on the File Reputation service called the Smart Scan Pattern. By design, the Agent only waits for a response from the File Reputation service for a specific period of time (a maximum of 500 milliseconds).
For this brief period, the scan engine locks the file. If the scan engine is unable to query the File Reputation service, the server-side processing portion of this step does not occur, and the Agent attempts to query another File Reputation service if one is available, or proceeds using offline protection.

5 Reply with corresponding CRC part 2
If the CRC information sent in the query matches CRC Part 1 information in the Smart Scan Pattern, the File Reputation service returns all the corresponding CRC Part 2 records to the Agent.

6 Malware identification
When the Agent receives the CRC Part 2 information from the File Reputation service, it passes the information to the scan engine to perform matching operations. If no match is found, the file is safe and the scanning process ends.

7 Virus ID query
If a match is found, the Agent sends a second query to the File Reputation service for information about how to clean/remove the malware. Instead of sending CRC information as in the first query, the Agent sends the Virus ID of the CRC Part 2 record of the malware that was detected.

8 Smart Scan Pattern query
The File Reputation service then searches for the virus information that corresponds to the submitted Virus ID to retrieve cleaning instructions.

9 Cleaning instructions returned to Agents
Once the virus information is retrieved, the File Reputation service returns it to the Agent for use by the scan engine. The Agent waits for a maximum of 500 milliseconds for the File Reputation service to reply. If the Agent does not receive a timely reply, it abandons the primary action in favor of the secondary action. A failure in this operation would cause the Agent to quarantine the malware instead of cleaning it.

10 Remove Malware
Finally, the Deep Security Agent receives the virus information from the File Reputation service and the scan engine uses this information to clean/remove the virus.
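The ten-step exchange above, as an added simulation that is not Trend Micro code: a constructed "infected" file with a jump code in front and a main portion appended, a stand-in File Reputation service holding the Smart Scan Pattern records (offset, length, CRC Part 2, Virus ID), and an Agent that consults its Smart Query Filter, confirms with Part 2, and falls back to quarantine or offline protection when a reply misses the 500 ms budget. The choice of CRC-32 (zlib.crc32), the 16-byte Part 1 window, and the cleaning instruction format are assumptions, not details from the course material.

```python
"""Simulation of the Smart Scan File Reputation lookup (steps 1-10).

Added example, not Trend Micro code. Assumptions not taken from the page:
CRC-32 (zlib.crc32) stands in for the unspecified CRC, CRC Part 1 covers the
first 16 bytes, and the sample 'virus', record layout and cleaning instruction
are constructed for illustration.
"""
import time
import zlib
from dataclasses import dataclass
from typing import Optional

PART1_LEN = 16           # assumption: CRC Part 1 covers the initial 16 bytes
REPLY_TIMEOUT_S = 0.5    # page: the Agent waits at most 500 ms for a reply


def crc(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


@dataclass(frozen=True)
class Part2Record:
    """A CRC Part 2 entry: where the virus main portion sits and its checksum."""
    virus_id: str
    offset: int
    length: int
    crc_part2: int


# Constructed sample: jump code in front, original file, main portion appended.
JUMP_CODE = b"JMP>MAIN_PORTION"                  # hypothetical virus part 1 (16 bytes)
CLEAN_BODY = b"original program bytes of the host file"
MAIN_PORTION = b"HYPOTHETICAL-MAIN-PORTION"      # hypothetical virus part 2
INFECTED = JUMP_CODE + CLEAN_BODY + MAIN_PORTION
OFFSET = len(JUMP_CODE) + len(CLEAN_BODY)        # the CRC table 'offset' of part 2


class FileReputationService:
    """Server side: Smart Scan Pattern (Part 1 -> Part 2 records) plus virus info."""

    def __init__(self, part2_latency_s: float = 0.0, info_latency_s: float = 0.0):
        self.part2_latency_s = part2_latency_s
        self.info_latency_s = info_latency_s
        self.smart_scan_pattern = {
            crc(JUMP_CODE): [Part2Record("SAMPLE-VIRUS-ID", OFFSET,
                                         len(MAIN_PORTION), crc(MAIN_PORTION))],
        }
        # Constructed cleaning instruction: strip head_len bytes, then the
        # (offset, length) segment; keep everything else.
        self.virus_info = {"SAMPLE-VIRUS-ID": (PART1_LEN, OFFSET, len(MAIN_PORTION))}

    def query_part2(self, crc_part1: int) -> list:            # steps 4-5
        time.sleep(self.part2_latency_s)
        return list(self.smart_scan_pattern.get(crc_part1, []))

    def query_virus_info(self, virus_id: str):                # steps 8-9
        time.sleep(self.info_latency_s)
        return self.virus_info.get(virus_id)


class Agent:
    """Agent side: Smart Query Filter index plus the timed query logic."""

    def __init__(self, service: FileReputationService, smart_query_filter: set):
        self.service = service
        self.smart_query_filter = smart_query_filter   # CRC Part 1 values worth a lookup

    def _timed(self, fn, *args):
        """Run a service query; a reply later than 500 ms counts as no reply."""
        start = time.monotonic()
        result = fn(*args)
        return None if time.monotonic() - start > REPLY_TIMEOUT_S else result

    def scan(self, data: bytes):
        """Return (verdict, resulting_bytes); verdict is one of
        'clean', 'offline', 'quarantine', 'cleaned'."""
        # Step 1 (local Smart Scan Agent Pattern check) is assumed to have found nothing.
        part1 = crc(data[:PART1_LEN])                            # step 2
        if part1 not in self.smart_query_filter:                 # index says: no lookup needed
            return "clean", data
        records = self._timed(self.service.query_part2, part1)   # step 3
        if records is None:                                      # service unreachable or slow
            return "offline", data                               # page: fail over / offline protection
        match: Optional[Part2Record] = None
        for rec in records:                                      # step 6: confirm with Part 2
            segment = data[rec.offset:rec.offset + rec.length]
            if len(segment) == rec.length and crc(segment) == rec.crc_part2:
                match = rec
                break
        if match is None:
            return "clean", data                                 # Part 1 alone is not a detection
        info = self._timed(self.service.query_virus_info, match.virus_id)   # step 7
        if info is None:
            return "quarantine", data                            # step 9: secondary action
        head_len, offset, length = info                          # step 10: clean
        return "cleaned", data[head_len:offset] + data[offset + length:]


SMART_QUERY_FILTER = {crc(JUMP_CODE)}

if __name__ == "__main__":
    agent = Agent(FileReputationService(), SMART_QUERY_FILTER)
    print(agent.scan(INFECTED)[0], agent.scan(CLEAN_BODY)[0])
```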
Best Practice: Do not use Smart Scan if the computer doesn't have reliable network connectivity to the File Reputation service on the Trend Micro Smart Protection Network or your Smart Protection Server.

Review Questions

1 What malware scanning methods are available in Deep Security?
2 Define the following terms used when configuring a Malware Scan Configuration:
• IntelliTrap
• IntelliScan
• ActiveAction
• Smart Scan

Lesson 9: Blocking Malicious Web Sites

Lesson Objectives:

After completing this lesson, participants will be able to:

• Enable Web Reputation protection through a policy or directly on a computer
• Set the security level for URL filtering
• Configure exceptions to override the assigned rating of a Web page
• Test the blocking status of a Web page
• Locate and view Web Reputation-related events

The Web Reputation module in Deep Security protects against web threats by blocking access to malicious URLs. Deep Security uses databases from the Trend Micro Smart Protection Network to check the reputation of Web sites that are being accessed. These databases include references to sites collected from a variety of sources, including URLs collected from malware analysis. Approximately 10 billion URLs are processed per day by Trend Micro Web Reputation Services, resulting in a daily average of 150,000 malicious URLs. Sites in the database are classified and assigned credibility scores that reflect their potential for infecting computers or their involvement in a malware or spyware lifecycle (for example, as sources of instructions or components). The database contains over 11 million URLs classified as dangerous. Trend Micro products with Web Reputation protection enabled use these credibility scores to regulate access to these sites.
The Web site reputation score is correlated with the specific Web Reputation Security Level enforced on the computer. Depending on the Web Reputation Security Level being enforced, Deep Security will then either block or allow access to the URL.

Note: Deep Security can verify the credibility score of http URLs only.

Trend Micro URL Filtering Engine

The Deep Security Agent interfaces with the Trend Micro Web Reputation Service using a component called the URL Filtering Engine (TMUFE). Deep Security uses the URL Filtering Engine to send score requests to the rating server and to receive the replies.

Different sources can be used for score requests.

• Web Reputation Service: If the Web site being visited is new, the Deep Security Agent queries the Web Reputation Service on the Trend Micro Smart Protection Network, or a local Smart Protection Server if one is available.

[Diagram: the Trend Micro URL Filtering Engine sends a Web Reputation query to the Local Smart Protection Server and receives a Credibility score]

• In-Memory Cache: If a site has been visited previously, an existing credibility score may exist in the cache. If a cached entry exists, the URL Filtering Engine uses this existing rating. For agentless protection, all Virtual Agents share a single cache on the appliance.

[Diagram: the Trend Micro URL Filtering Engine consults its Cache before sending a Web Reputation query to the Local Smart Protection Server for a Credibility score]

Note: The URL Filtering Engine is not actually involved in the URL blocking function. It merely provides the information necessary for the blocking decision.

Deep Security will either connect to a locally installed Smart Protection Server or to the Global Smart Protection Service. Configure the connection to the Smart Protection Network, or local Smart Protection Server, on the Smart Protection tab for the Web Reputation module in either a Policy or on a Computer.
Credibility Scores

The defined Web Reputation Service source will return a credibility score as follows:

Score  | Rating            | Description
81-100 | Safe              | No known or potential threats.
66-80  | Suspicious        | Associated with spam or has a history of being compromised.
51-65  | Highly Suspicious | Possibly a phishing page or a potential source of malware or spyware.
0-50   | Dangerous         | Verified to be a phishing page or a source of malware or spyware.
71     | Untested          | Has not been tested by Trend Micro. Untested pages are not blocked by default.

Web Reputation Communication

Instead of blocking the initial connection to the Web site, the Agent lets the HTTP request through to the intended Web site, but blocks the reply.

[Diagram: Connect to Web site; Request Web site score; Reply dropped while the intended connection is held; Score retrieved; Connection allowed]

The Web Reputation communication process includes the following steps:

1 The protected server sends an HTTP request to an external Web server for a resource. This request can originate from a Web browser on the server, or from within an application.
2 The network filter and URL Filtering Engine on the Deep Security Agent capture the request and forward the URL to the configured Web Reputation Service.
3 Meanwhile, the Web server replies to the request. This reply is blocked by the Deep Security Agent until the Web Reputation score can be verified.
4 The Web Reputation Protection Module receives the score and compares it against the Security Level configured in the policy.
5 The Deep Security Agent takes the appropriate action: either it lets the page through to the browser or application, or it displays a blocked page warning screen.
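The blocking decision in step 4, as an added example that is not Trend Micro code: it maps a credibility score to the rating table above, applies the High/Medium/Low Security Level thresholds and the "block untested (score 71)" option from the Setting the Security Level section, and checks the Allowed and Blocked lists first, in the order of the URL analysis flowchart in Defining Exceptions. The entry matching rules (domain entries cover sub-domains, URL entries take '*' wildcards, keyword entries match anywhere in the URL) and the stand-in lookup that returns the scores of the wrsNN.winshipway.com test sites are assumptions made for this example.

```python
"""Web Reputation decision logic from this lesson (added example, not Trend Micro code).

Assumptions not stated on the page: how list entries are matched (below), and a
stand-in lookup that answers with the credibility scores of the test sites
listed in this lesson and treats any other host as untested.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

UNTESTED = 71                                   # page: score 71 means 'not tested'
LEVEL_MIN_ALLOWED = {"High": 81, "Medium": 66, "Low": 51}   # lowest score still allowed


def rating(score: int) -> str:
    """Credibility score -> rating name, per the table in this lesson."""
    if score == UNTESTED:
        return "Untested"
    if score >= 81:
        return "Safe"
    if score >= 66:
        return "Suspicious"
    if score >= 51:
        return "Highly Suspicious"
    return "Dangerous"


def blocked_by_level(score: int, level: str, block_untested: bool = False) -> bool:
    """Security Level check: High blocks <81, Medium <66, Low <51; 71 is its own case."""
    if score == UNTESTED:
        return block_untested
    return score < LEVEL_MIN_ALLOWED[level]


@dataclass(frozen=True)
class Entry:
    kind: str    # "domain", "url" or "keyword" (keyword only exists on the Blocked list)
    value: str


def _host_and_path(url: str) -> Tuple[str, str]:
    parts = urlsplit(url if "://" in url else "http://" + url)
    path = parts.path or "/"
    return (parts.hostname or "").lower(), path + ("?" + parts.query if parts.query else "")


def matches(entry: Entry, url: str) -> bool:
    """Assumed matching semantics for Allowed/Blocked list entries."""
    host, path = _host_and_path(url)
    if entry.kind == "domain":                  # example.com also covers another.example.com
        domain = entry.value.lower()
        return host == domain or host.endswith("." + domain)
    if entry.kind == "url":                     # example.com/shopping/* style wildcards
        e_host, e_path = _host_and_path(entry.value)
        return fnmatchcase(host + path, e_host + e_path)
    if entry.kind == "keyword":
        return entry.value.lower() in url.lower()
    raise ValueError(f"unknown entry kind {entry.kind!r}")


def sample_lookup(url: str) -> int:
    """Stand-in for the Web Reputation Service (constructed): wrsNN.winshipway.com -> NN."""
    host, _ = _host_and_path(url)
    if host.startswith("wrs") and host.endswith(".winshipway.com") and host[3:5].isdigit():
        return int(host[3:5])
    return UNTESTED                             # assumption: unknown hosts are untested


def decide(url: str, level: str, allowed: List[Entry], blocked: List[Entry],
           cache: Dict[str, int], lookup: Callable[[str], int],
           block_untested: bool = False) -> Tuple[str, str]:
    """Flowchart order: Allowed list, Blocked list, cached rating, then a fresh rating."""
    if any(matches(e, url) for e in allowed):   # Allowed list wins over everything
        return "allow", "allowed list"
    if any(matches(e, url) for e in blocked):
        return "block", "blocked list"
    score = cache.get(url)
    if score is None:                           # no cached rating: ask the Smart Protection source
        score = lookup(url)
        cache[url] = score
    action = "block" if blocked_by_level(score, level, block_untested) else "allow"
    return action, f"{rating(score)} ({score})"


if __name__ == "__main__":
    cache: Dict[str, int] = {}
    for level in ("High", "Medium", "Low"):
        print(level, decide("http://wrs61.winshipway.com/", level, [], [], cache, sample_lookup))
```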
Enabling Web Reputation

Enabling Web Reputation protection in Deep Security typically involves the following steps:

1 Turning on Web Reputation protection in a policy or on a computer
2 Setting the security level
3 Defining any exceptions
4 Configuring the Smart Protection source

Turning on Web Reputation protection

You can enable Web Reputation protection in policies or in the settings for a computer.

Turning the Web Reputation Module On in a Policy

Web Reputation protection can be assigned to policies at any level in the hierarchy. Any sub-policies with inheritance enabled will be assigned the Web Reputation protection setting.

To do this in a policy, click the Policies menu and double-click the policy to which you'd like to assign protection. Set the Web Reputation State to On and click Save.

Turning the Web Reputation Module On on a Computer

To set Web Reputation protection on a computer, click the Computers menu. Locate and double-click a computer in the list to open Details. In the right-hand pane, click Web Reputation and on the General tab set the Web Reputation Configuration to On and click Save. Turning the module on at the computer level will override the inheritance of settings from the policy.

Setting the Security Level

Deep Security administrators determine the types of sites that are blocked by configuring the security levels. Security levels can be set in a policy or on a computer and can be inherited from the parent. In the Security Level section of the General tab for either a policy or a computer, select the required security level:

• High: Pages deemed to be Dangerous, Highly Suspicious, or Suspicious are blocked when the Security Level is set to High. Only pages with a credibility score of 81 or higher are allowed when this level is enabled.
• Medium: Pages deemed to be Dangerous, or Highly Suspicious are blocked when the Security Level is set to Medium. With this security level, pages with credibility scores between of 0 to 65 are blocked, pages with a score of 66 or higher are allowed. • Low: When this security level is enabled, all pages deemed to be Dangerous are blocked. These pages have a credibility score between of 0 to 50. • Block pages that have not been tested by Trend Micro: Enable this setting to block URLs that have a credibility score of 71, meaning they are untested. By default, untested pages are allowed. © 2020 Trend Micro Inc. Education Lesson 9: Blocking Malicious Web Sites After enabling the security level, the protection settings can be verified using the following test websites: URL Credibility Score wrs91.winshipway.com 91 wrs81.winshipway.com 81 wrs71.winshipway.com 71 wrs61.winshipway.com 61 wrs51.winshipway.com 51 wrs41.winshipway.com 41 wrs31.winshipway.com 31 Trend Micro maintains these sample sites for testing and demonstrating Web Reputation blocking and score retrieval functionality. Defining Exceptions Exceptions are URLs that are blocked or allowed regardless of their safety ratings. Deep Security administrators can specify exceptions to the Web Reputation analysis by specifying URLs in the Allowed or Blocked list. Like Security Level, Exceptions can be set at the policy or at the computer level. © 2020 Trend Micro Inc. Education 215 Lesson 9: Blocking Malicious Web Sites Allowed URLs included in the Allowed list will be accessible regardless of their safety ratings. Multiple URLs can be added at once but they must be separated by a line break. When adding URLs to the Allowed list, select whether to allow all URLs with the same domain or the URL: 216 • Allow URLs from the domain: Enable this setting to allow all pages from the domain. Subdomains are supported. Include only the domain (and optionally sub-domain) in the entry. 
For example, example.com and another.example.com are valid entries. • Allow the URL: The URL will be allowed as entered. Wildcard characters are supported. For example, example.com/shopping/coats.html, and example.com/shopping/* are valid entries. © 2020 Trend Micro Inc. Education Lesson 9: Blocking Malicious Web Sites Blocked URLs and URLs containing specified keywords that are listed in the Blocked list are always blocked, unless there is an overriding entry in the Allowed list. Multiple URLs or keywords can be added at once but they must be separated by a line break. When blocking URLs, you select whether to block all URLs from a domain, block the specified URL, or block URLs that contain a specific keyword. • Block URLs from the domain: Block all pages from the domain. Sub-domains are supported. Only include the domain (and optionally sub-domain) in the entry. For example, example.com and another.example.com are valid entries. • Block the URL: The URL as entered will be blocked. Wildcards are supported. For example example.com/shopping/coats.html, and example.com/shopping/* are valid entries. • Block URLs containing this keyword: Any URL containing the listed keyword will be blocked. The Allowed list takes precedence over the Blocked list. URLs that match entries in the Allowed list are not checked against the Blocked list. The following flowchart illustrates the URL analysis process. Start URL Analysis Is URL on the Allowed List? Y Allow site Y Block site Y Use exisng rang End N Is URL on the Blocked List? N Exisng rang in cache? N Request Web Reputaon rang from Trend Micro Smart Protecon source Evaluate rang and perform acon based on Web Reputaon se ngs Unblocking Pages If an administrative user deems a page to be improperly blocked, they can add the page to the Allowed list, which overrides the rating assigned to the page. © 2020 Trend Micro Inc. Education 217 Lesson 9: Blocking Malicious Web Sites Locate the event related to the blocked page. 
Right-mouse click the event and select Add to Allow List. Alternately, open the event and click Add to Allow List. 218 © 2020 Trend Micro Inc. Education Lesson 9: Blocking Malicious Web Sites Select whether the block applied to the entire domain or this specific page as well as the policy or this computer only. Administrators can verify the credibility score of sites and request reassessment in the event that the prevailing score is incorrect by visiting the following URL: http://global.sitesafety.trendmicro.com/ © 2020 Trend Micro Inc. Education 219 Lesson 9: Blocking Malicious Web Sites Viewing Web Reputation-Related Events Web Reputation events can displayed for all computers in the system or for specific computers. System Events To view all the Web Reputation events that have occurred, click the Events & Reports menu. Click Web Reputation Events in the left-hand frame. Select the criteria for the retrieval of the events and click Refresh. All the retrieved events will be displayed. Computer Events To view Web Reputation events for a specific computer, double-click the device in the Computers list to view the Details. Click the Web Reputation Protection Module in the left-hand frame and click the Web Reputation Events tab. 220 © 2020 Trend Micro Inc. Education Lesson 9: Blocking Malicious Web Sites Review Questions 1 What sources are available for a Deep Security Agent to retrieve Web Reputation scores for Web sites? 2 An organization would like to prevent servers from accessing some specific web sites, even though their credibility score lists the sites as being safe. How can this be achieved? 3 How can an administrator override the block on a web page for a specific server only? © 2020 Trend Micro Inc. Education 221 Lesson 9: Blocking Malicious Web Sites 222 © 2020 Trend Micro Inc. 
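The Security Level, the exception lists and the URL analysis steps above can be tied together in a small model. The following Python example is added to this guide and is not Trend Micro code or the Agent's implementation: it reproduces the decision order (Allowed list, Blocked list, cached rating, rating lookup, Security Level comparison) with the Smart Protection source replaced by a constructed in-memory table that uses the scores of the wrs*.winshipway.com test hosts listed above. The class and function names, and the treatment of hosts missing from that table as untested, are this example's own assumptions.

```python
"""Model of the Web Reputation URL analysis order and Security Level check.

Added example for this guide; not Trend Micro code.  SAMPLE_SCORES is a
constructed stand-in for the Smart Protection source.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Lowest credibility score that each Security Level allows.
SECURITY_LEVEL_MINIMUM = {"high": 81, "medium": 66, "low": 51}
UNTESTED = 71   # reserved score for pages Trend Micro has not rated

# Constructed lookup table (assumption): the scores of the Trend Micro test
# hosts in the table above.  Hosts not in the table are treated as untested.
SAMPLE_SCORES = {f"wrs{n}.winshipway.com": n for n in (91, 81, 71, 61, 51, 41, 31)}


def sample_lookup(host):
    return SAMPLE_SCORES.get(host, UNTESTED)


def rating(score):
    """Map a credibility score to its rating.  71 is checked first because it
    lies inside the Suspicious range but means Untested."""
    if score == UNTESTED:
        return "Untested"
    if score >= 81:
        return "Safe"
    if score >= 66:
        return "Suspicious"
    if score >= 51:
        return "Highly Suspicious"
    return "Dangerous"


def _split(url):
    """Return (hostname, 'host/path?query') with the scheme removed, so list
    entries written without a scheme compare against requested URLs."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    tail = parts.path + ("?" + parts.query if parts.query else "")
    return (parts.hostname or "").lower(), parts.netloc.lower() + tail


def _host_matches(host, domain):
    # Domain entries cover the domain itself and any sub-domain of it.
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def _url_matches(url, pattern):
    # URL entries are compared as entered; '*' is the wildcard.
    return fnmatchcase(_split(url)[1], _split(pattern)[1])


def in_list(url, entries):
    """entries: (kind, value) pairs; kind is 'domain', 'url' or, for the
    Blocked list only, 'keyword' (a case-insensitive substring of the URL)."""
    host = _split(url)[0]
    for kind, value in entries:
        if kind == "domain" and _host_matches(host, value):
            return True
        if kind == "url" and _url_matches(url, value):
            return True
        if kind == "keyword" and value.lower() in url.lower():
            return True
    return False


class WebReputation:
    def __init__(self, security_level, block_untested=False,
                 allowed=(), blocked=(), lookup=sample_lookup):
        self.minimum = SECURITY_LEVEL_MINIMUM[security_level]
        self.block_untested = block_untested
        self.allowed, self.blocked = list(allowed), list(blocked)
        self.lookup = lookup
        self.cache = {}      # host -> score, the flowchart's cache step
        self.lookups = 0     # how often the (simulated) service was queried

    def evaluate(self, url):
        """Return ('allow' | 'block', reason) following the flowchart order."""
        if in_list(url, self.allowed):          # Allowed list wins outright
            return "allow", "Allowed list"
        if in_list(url, self.blocked):
            return "block", "Blocked list"
        host = _split(url)[0]
        if host not in self.cache:
            self.cache[host] = self.lookup(host)
            self.lookups += 1
        score = self.cache[host]
        if score == UNTESTED:                   # its own setting, not the level
            return ("block" if self.block_untested else "allow"), "Untested (71)"
        label = f"{rating(score)} ({score})"
        return ("allow" if score >= self.minimum else "block"), label
```

Two behaviours worth noting in the model: a Blocked-list domain entry for winshipway.com blocks wrs91 even though its score is Safe (Review Question 2), and an Allowed-list URL entry with a wildcard is matched before the Blocked list is consulted, so it overrides both the domain block and any keyword block (Review Question 3, when the Allowed entry is made at the computer level).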
Lesson 10: Filtering Traffic Using the Firewall

Lesson Objectives:

After completing this lesson, participants will be able to:

• Identify and describe the two basic firewall types
• Enable firewall protection through a policy or directly on a computer
• Create firewall rules
• Describe the order of analysis for traffic filtering
• Identify vulnerabilities on the system using reconnaissance scans and port scans
• Locate and view firewall-related events

The Deep Security Firewall protection module enables an NDIS-based, bi-directional, stateful firewall that is responsible for making sure that packets originating from unauthorized sources do not reach the applications on its host. Firewall rules examine the control information (the headers) in the first packet of an exchange and either block or allow the packet based on their settings. Firewall rules are assigned directly to computers or to policies, which are in turn assigned to a computer or collection of computers.

Typically, firewall policies are based on one of two design strategies: either they permit any service unless it is expressly denied, or they deny all services unless expressly allowed. Decide which type of firewall you want to implement before creating rules; this reduces the administrative overhead of creating and maintaining them. The firewall types are:

• Restrictive: With a restrictive design, traffic that is not expressly allowed is prohibited. A restrictive firewall is the recommended best practice from a security perspective. All traffic is stopped by default and only traffic that has been explicitly allowed is permitted. If the primary goal of your planned firewall is to block unauthorized access, the emphasis needs to be on restricting rather than enabling connectivity. A restrictive firewall is easier to maintain and more secure. Allow rules are used to permit specific traffic across the firewall; everything else is denied. As soon as you assign a single outgoing Allow rule, the outgoing firewall operates in restrictive mode. The same is true for the inbound firewall: as soon as you assign a single incoming Allow rule, the inbound firewall operates in restrictive mode.
• Permissive: A permissive firewall permits all traffic by default and only blocks traffic believed to be malicious based on signatures or other information. A permissive firewall is easy to implement but provides minimal security and requires complex rules. Deny rules are used to explicitly block traffic.

In general, restrictive policies are preferred and permissive policies should be avoided.

Enabling Firewall Protection

Enabling Firewall protection in Deep Security typically involves the following steps:

1 Enabling the Firewall protection module in a policy or on a computer
2 Applying Firewall rules that make sense for your purposes to the policy or to a computer

Turning the Firewall on

You can enable Firewall protection in policies or in the settings for a supported computer.

Turning the Firewall Module on in a Policy

Firewall protection can be assigned to policies at any level in the hierarchy. Any sub-policies with inheritance enabled will be assigned the Firewall settings. To do this in a policy, click the Policies menu and double-click the policy to which you would like to assign protection. Set the Firewall State to On and click Save.

Note: Certain rules are applied as soon as the Firewall Protection Module is enabled. These are inherited from the Base policy. Since they were assigned at a parent level, they cannot be disabled in the child policy.

Turning the Firewall Module on for a Single Computer

In the Deep Security Manager Web console, click the Computers tab and open the Details for a specific computer. Click the Firewall Protection Module in the left-hand frame. Set the Firewall Configuration to On and click Save. The Firewall Protection Module is then installed on the Agent on that host computer.

Applying Firewall Rules

Firewall rules examine the control information in individual packets and either block or allow those packets based on the rules defined on these pages. Deep Security provides a set of Firewall rules that can be applied to policies or directly to a computer. These default rules provide coverage for typical scenarios.

To apply rules, click Assign/Unassign from the General tab of the policy or computer Details. Click to enable the individual rules to apply. If the rule required is not part of the default collection provided by Trend Micro, custom rules can be created.

Creating Custom Firewall Rules

Firewall rules are created as Common Objects and can be reused in different policies as needed. To create a new firewall rule, click New > New Firewall Rule in the Assign/Unassign window for the Firewall protection module.

Configure the firewall rule by identifying the following attributes to match traffic against:

• Action
• Priority
• Packet direction
• Frame type
• Protocol
• Packet source and destination
• Flags

Actions

Firewall rules behave in different ways depending on the action assigned.

Deny

Firewall rules using the Deny action explicitly block traffic that matches the rule.

Allow

Firewall rules using the Allow action explicitly allow traffic that matches the rule to pass, and implicitly deny everything else. Allow rules therefore have two functions:

• Permit traffic that is explicitly allowed.
• Implicitly deny all other traffic.

Note: Traffic that is not explicitly allowed by a rule using Allow is dropped and recorded as an Out of Allowed Policy firewall event. Firewall rules using Allow always have a priority of 0.

Commonly applied firewall rules using the Allow action include:

• ARP: Permits incoming Address Resolution Protocol (ARP) traffic.
• Allow solicited ICMP replies: Ensures that host computers are able to receive replies to their own ICMP messages. This works in conjunction with the ICMP stateful configuration.
• Allow solicited TCP/UDP replies: Ensures that host computers are able to receive replies to their own TCP and UDP messages. This works in conjunction with the TCP and UDP stateful configuration.

If you have no firewall rules using Allow in effect on a computer, all traffic is permitted unless it is specifically blocked by a rule using the Deny action. Once you create a rule using Allow, all other traffic is blocked unless it meets the requirements of an Allow rule. There is one exception: ICMPv6 traffic is always permitted unless it is specifically blocked by a rule using the Deny action.

Bypass

The Bypass action allows traffic to bypass both firewall and intrusion prevention analysis. Only the port, direction, and protocol can be set with this action. Bypass is designed for media-intensive protocols where filtering by the Firewall or Intrusion Prevention modules is neither required nor desired. Firewall rules using Bypass have the following noteworthy characteristics:

• Bypass skips both Firewall and Intrusion Prevention analysis.
• Since stateful inspection is skipped for bypassed traffic, bypassing traffic in one direction does not automatically bypass the response in the other direction. As a result, firewall rules using Bypass are always created in pairs, one for incoming traffic and another for outgoing.
• Firewall rules using Bypass are not logged. This is not a configurable behavior.
• Some firewall rules using Bypass are optimized, in that traffic flows as efficiently as if the Deep Security Agent or Deep Security Virtual Appliance were not there.

Note: If you plan to use a Bypass action in a firewall rule to skip intrusion prevention processing on incoming traffic to TCP destination port N, and the Firewall Stateful Configuration is set to perform stateful inspection on TCP, you must create a matching outgoing rule for source port N to allow the TCP responses. This is not required for firewall rules using Force Allow, because force-allowed traffic is still processed by the stateful engine.

Firewall rules using Bypass are designed to allow matching traffic through at the fastest possible rate. Maximum throughput is achieved only when all of the following settings are used:

• Priority: Highest
• Frame Type: IP
• Protocol: TCP, UDP, or another specific IP protocol (do not use Any)
• Source and Destination IP and MAC: Any
• Ports:
  - If the protocol is TCP or UDP and the traffic direction is incoming, the Destination Ports must be one or more specified ports (not Any), and the Source Ports must be Any.
  - If the protocol is TCP or UDP and the traffic direction is outgoing, the Source Ports must be one or more specified ports (not Any), and the Destination Ports must be Any.
• Schedule: None

Note: If Deep Security Manager uses a remote database that is protected by a Deep Security Agent, Intrusion Prevention-related false alarms may occur when the Deep Security Manager saves rules to the database, because the contents of the rules themselves can be misidentified as an attack. One of two workarounds for this is to create a firewall rule with a Bypass action for traffic from the Deep Security Manager to the database host.
Log Only

Firewall rules using the Log Only action only generate an event if the packet in question is not subsequently stopped by either a rule using a Deny action or a rule using an Allow action that excludes it. If the packet is stopped by one of those two actions, those rules generate the event and not the rule using Log Only. If no subsequent rule stops the packet, the rule using Log Only generates an event.

Force Allow

Firewall rules using the Force Allow action exclude a subset of traffic that could otherwise have been covered by a Deny action. Force Allow has the same effect as Bypass; however, unlike Bypass, traffic that passes the firewall because of this action is still subject to Intrusion Prevention (and to stateful inspection). The Force Allow action is particularly useful for making sure that essential network services are able to communicate with the Deep Security Agent computer. Among the default rules using Force Allow that are commonly enabled in real life are:

• Allowing DHCP traffic to the DHCP client on the Deep Security Agent host. This ensures that the client can obtain its dynamic IP address.
• Allowing wireless authentication traffic through the Extensible Authentication Protocol (EAP).

One situation that requires a Force Allow action is when an administrator wants a host to accept unsolicited ICMP and/or UDP traffic but the Deep Security Agent has stateful configuration for ICMP and UDP traffic enabled. Firewall rules using Force Allow should only be used in conjunction with rules using Allow and Deny actions, to allow a subset of traffic that has been prohibited by those rules. Firewall rules using Force Allow are also required to allow unsolicited ICMP and UDP traffic when ICMP and UDP stateful inspection are enabled.

Priority

If you have selected Force Allow, Deny, or Bypass as your rule action, you can set a priority of 0 (lowest) to 4 (highest). Setting a priority allows you to combine the actions of rules to achieve a cascading rule effect. Rules using Log Only can only have a priority of 4, and rules using Allow can only have a priority of 0.

The priority determines the order in which rules are applied. High priority rules are applied before low priority rules. For example, a port 80 incoming rule using Deny with a priority of 3 drops a packet before a port 80 incoming rule using Force Allow with a priority of 2 is ever applied to it. Only one rule action is applied to any particular packet. Rules are run in priority order from highest (Priority 4) to lowest (Priority 0). Within a specific priority level, rules are processed in order based on the rule action, as follows:

• Bypass
• Log Only
• Force Allow
• Deny
• Allow

Remember that rules with the Allow action run only at priority 0, while rules with the Log Only action run only at priority 4. A consequence of this ordering is that a Deny rule and an Allow rule at priority 0 that match the same traffic resolve in favor of the Deny.

Packet Direction

The Deep Security Firewall is a bi-directional firewall. Therefore, it is able to enforce rules on traffic originating from the network to the Deep Security host, referred to as incoming, and on traffic from the host to the network, referred to as outgoing. Firewall rules only apply to a single direction; therefore, Firewall rules for specific types of traffic often come in pairs.

Frame Type

The term frame refers to Ethernet frames, and the available protocols specify the data that the frame carries. Select a frame type from the list. Use Not to specify whether you will be filtering for this frame type or anything but this frame type. Internet Protocol (IP), Address Resolution Protocol (ARP), and Reverse Address Resolution Protocol (REVARP) are the most commonly carried protocols on contemporary Ethernet networks, but by selecting Other from the list you can specify any other frame type by its frame number.
Protocol

If you select the Internet Protocol (IP) frame type, the Protocol field is enabled, where you specify the transport protocol that your rule will look for. Use the checkbox to specify whether you will be filtering for this protocol or anything but this protocol. You can choose from the drop-down list of predefined common protocols, or you can select Other and enter the IP protocol number yourself (a decimal value from 0 to 255).

Note: Solaris Agents only examine packets with an IP frame type, and Linux Agents only examine packets with IP or ARP frame types. Packets with other frame types are allowed through. The Deep Security Virtual Appliance does not have these restrictions and can examine all frame types, regardless of the operating system of the virtual machine it is protecting.

Packet Source and Packet Destination

The firewall rule can specify an IP address, MAC address, or port to determine the traffic source and destination.

IP Address

The following options are available for defining the IP addresses in the firewall rule:

• Any: No address is specified, so any host can be either a source or destination.
• Single IP: A specific machine is identified using its IP address.
• Masked IP: Applies the rule to all machines that share the same network address and subnet mask.
• Range: Applies the rule to all machines that fall within a specific range of IP addresses.
• IP(s): Use this when applying a rule to several machines that do not have consecutive IP addresses.
• IP List: Enables you to select a list that you defined on the Policies > Common Objects > Lists > IP Lists page.

MAC Address

The following options are available for defining the MAC addresses in the firewall rule:

• Any: No MAC address is specified, so the rule applies to all addresses.
• Single MAC: The rule applies to a specific MAC address.
• MAC(s): The rule applies to the MAC addresses specified here.
• MAC List: Enables you to select a list that you defined on the Policies > Common Objects > Lists > MAC Lists page.

Port

The following options are available for defining the ports in the firewall rule:

• Any: The rule applies to all ports.
• Port(s): The rule applies to the ports specified here.
• Port List: Enables you to select a list that you defined on the Policies > Common Objects > Lists > Port Lists page.

Specific Flags

If you have selected TCP, ICMP, or TCP+UDP as your protocol in the General Information section, you can direct your firewall rule to watch for specific flags. If the rule does not apply to all flags, you can choose from these flags:

• URG (urgent)
• ACK (acknowledgment)
• PSH (push, flush buffer)
• RST (reset)
• SYN (synchronize)
• FIN (finish)

Recommended Firewall Policy Rules

It is recommended that you make the following rules mandatory for all of your firewall policies. Some of these rules are already applied to the Base policy and by default are inherited by child policies:

• ARP: This rule allows incoming ARP requests so that the host can reply to queries for its MAC address. If you do not assign this rule, no device on the network can query the host for its MAC address and it will be inaccessible from the network.
• Allow solicited TCP/UDP replies: Ensures that the computer is able to receive replies to its own TCP and UDP messages. This works in conjunction with the TCP and UDP stateful configuration.
• Allow solicited ICMP replies: Ensures that the host computer is able to receive replies to its own ICMP messages. This works in conjunction with the ICMP stateful configuration.
• DNS Server: Ensures that DNS servers can receive inbound DNS requests.
• Remote Access RDP: Ensures that the computer can accept Remote Desktop connections.
• Remote Access SSH: Ensures that the computer can accept SSH connections.

Rule Order of Analysis

Deep Security firewall rules have both a rule action and a rule priority. Used in conjunction, these two properties allow you to create very flexible and powerful rule sets. Unlike rule sets used by other firewalls, which may require that the rules be defined in the order in which they should be run, Deep Security Firewall rules are run in an order based on the rule action and the rule priority, which is independent of the order in which they are defined or assigned.

Before any rules are applied, the Deep Security Firewall operates in a permissive mode, meaning all traffic is allowed to pass through the firewall. Implementing a firewall rule using the Allow action causes all other traffic not specifically covered by the rule to be denied. A firewall rule using the Deny action can be implemented over a rule with an Allow action to block specific types of traffic. A firewall rule using the Force Allow action can then be placed over the denied traffic to allow certain exceptions to pass through.

Packets arriving at a computer are processed first by firewall rules, then by the Firewall Stateful Configuration conditions, and finally by the Intrusion Prevention rules.
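The Actions, Priority and Rule Order of Analysis sections describe how the Firewall arrives at a single action per packet. The Python model below is an added example for this guide, not Deep Security's engine: it sorts rules by priority and then by action order (Bypass, Log Only, Force Allow, Deny, Allow), enforces the fixed priorities of Allow (0) and Log Only (4), switches a direction into restrictive mode as soon as it carries an Allow rule, exempts ICMPv6 from the implicit deny, and generates a Log Only event only when nothing later stops the packet. The rule set and the packets are constructed for the illustration; rule names such as "Deny abusive range" are not default Deep Security rules, and stateful inspection is not modeled.

```python
"""Model of Deep Security Firewall rule selection by priority and action.

Added example for this guide; not Deep Security code.  SAMPLE_RULES and the
packets in main() are constructed, and stateful inspection is not modeled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Evaluation order within one priority level, as listed in the Priority section.
ACTION_ORDER = ("bypass", "log_only", "force_allow", "deny", "allow")


@dataclass(frozen=True)
class Packet:
    direction: str          # "incoming" or "outgoing", relative to the protected host
    protocol: str           # "tcp", "udp", "icmp" or "icmpv6"
    src_ip: str
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # one of ACTION_ORDER
    direction: str
    protocol: str = "any"
    ports: frozenset = frozenset()  # empty = Any; dst ports if incoming, src ports if outgoing
    source: Optional[str] = None    # CIDR the packet source must fall in; None = Any
    priority: int = 0

    def __post_init__(self):
        if self.action not in ACTION_ORDER:
            raise ValueError(f"unknown action {self.action!r}")
        if self.action == "allow" and self.priority != 0:
            raise ValueError("Allow rules can only have priority 0")
        if self.action == "log_only" and self.priority != 4:
            raise ValueError("Log Only rules can only have priority 4")
        if not 0 <= self.priority <= 4:
            raise ValueError("priority must be between 0 and 4")

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        port = pkt.dst_port if pkt.direction == "incoming" else pkt.src_port
        if self.ports and port not in self.ports:
            return False
        if self.source and ip_address(pkt.src_ip) not in ip_network(self.source):
            return False
        return True


def ordered(rules):
    """Highest priority first; within a priority, Bypass, Log Only, Force Allow, Deny, Allow."""
    return sorted(rules, key=lambda r: (-r.priority, ACTION_ORDER.index(r.action)))


def evaluate(rules, pkt: Packet):
    """Return (disposition, matching rule name or None, generated events).

    Dispositions are the rule actions plus 'permitted' (no Allow rule in this
    direction, so it is permissive) and 'out_of_allowed_policy' (an Allow rule
    exists in this direction and nothing matched, so the packet is dropped).
    """
    restrictive = any(r.action == "allow" and r.direction == pkt.direction for r in rules)
    log_only_hit = None
    for rule in ordered(rules):
        if not rule.matches(pkt):
            continue
        if rule.action == "log_only":
            log_only_hit = rule         # becomes an event only if nothing later stops the packet
            continue
        if rule.action == "deny":
            return "deny", rule.name, [f"Deny: {rule.name}"]
        # bypass, force_allow and allow all pass the packet; Bypass itself is never logged
        events = [f"Log Only: {log_only_hit.name}"] if log_only_hit else []
        return rule.action, rule.name, events
    if restrictive and pkt.protocol != "icmpv6":   # ICMPv6 passes unless a Deny rule matched
        return "out_of_allowed_policy", None, ["Out of Allowed Policy"]
    events = [f"Log Only: {log_only_hit.name}"] if log_only_hit else []
    return "permitted", None, events


# Constructed rule set (assumption); these names are not Deep Security default rules.
SAMPLE_RULES = [
    Rule("DNS Server (UDP)", "force_allow", "incoming", "udp", frozenset({53})),
    Rule("DNS Server (TCP)", "force_allow", "incoming", "tcp", frozenset({53})),
    Rule("Deny abusive range", "deny", "incoming", source="203.0.113.0/24", priority=1),
    Rule("Remote Access SSH", "allow", "incoming", "tcp", frozenset({22})),
    Rule("Deny SSH from guest LAN", "deny", "incoming", "tcp", frozenset({22}), "192.0.2.0/24"),
    Rule("Log inbound HTTP", "log_only", "incoming", "tcp", frozenset({80}), priority=4),
]

if __name__ == "__main__":
    for pkt in (Packet("incoming", "udp", "198.51.100.7", 40000, 53),
                Packet("incoming", "udp", "203.0.113.9", 40000, 53),
                Packet("incoming", "tcp", "198.51.100.7", 50000, 80),
                Packet("outgoing", "tcp", "10.0.0.5", 51000, 443)):
        print(pkt, "->", evaluate(SAMPLE_RULES, pkt))
```

The constructed set reproduces the DNS scenario: the priority 1 Deny for 203.0.113.0/24 wins over the priority 0 Force Allow on port 53, while queries from other sources are force-allowed. Because an incoming Allow rule exists, an incoming packet to port 443 is dropped as Out of Allowed Policy, and the Log Only rule for port 80 produces no event of its own when the packet ends up implicitly denied; outgoing traffic, with no outgoing Allow rule, is still permissive.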
The priority value in the rule defines the order in which firewall rules are applied (incoming and outgoing):

Priority 4: Highest    Bypass, Log Only, Force Allow, Deny
Priority 3: High       Bypass, Force Allow, Deny
Priority 2: Normal     Bypass, Force Allow, Deny
Priority 1: Low        Bypass, Force Allow, Deny
Priority 0: Lowest     Bypass, Force Allow, Deny, Allow

Note: If there are no rules using the Allow action in effect on a computer, all traffic is permitted unless it is specifically blocked by a rule with the Deny action. Once a single rule using Allow is created, all other traffic is blocked unless it meets the conditions of that rule.

Consider the example of a DNS server policy that makes use of a Force Allow rule to allow all incoming DNS queries over TCP/UDP port 53. Creating a Deny rule with a higher priority than the Force Allow rule lets you specify a particular range of IP addresses that must be prohibited from accessing the same public server.

Priority-based rule sets allow you to set the order in which the rules are applied. If a rule using a Deny action is set with the highest priority, and there are no rules using Force Allow with the same priority, then any packet matching the Deny rule is automatically dropped and the remaining rules are ignored. Conversely, if a rule using a Force Allow action with the highest priority exists, any incoming packets matching that rule are automatically allowed through without being checked against any other rules.

Traffic Analysis

Deep Security Agents can implement two modes for intercepting network traffic at their hosts. Traffic analysis takes place whichever mode is used. These modes can be viewed in the Deep Security Manager Web console at Policies > Settings > Advanced.

Tap Mode

In Tap Mode, live packet streams are replicated and diverted from the main stream. The live stream is not modified; all operations are performed on the replicated stream. When in Tap Mode, Deep Security offers no protection beyond providing a record of events. It is a good idea to test your Firewall rules in Tap Mode. Once you are satisfied that the rules are working correctly, switch to Inline Mode.

Inline Mode

When operating in Inline Mode, the live packet stream passes through the network engine. Stateful tables are maintained, Firewall rules are applied, and traffic normalization is carried out so that intrusion prevention rules can be applied to payload content. Only Inline Mode provides security functionality. Use Inline Mode with Intrusion Prevention rules set to Detect when there is a need to test the configuration and rules before deploying them into the production environment. This way, the real-world process of analyzing the traffic takes place without performing any action such as blocking or denying packets.

Failure Response Behavior

In some cases, the network engine may block packets before the Firewall rules (or Intrusion Prevention rules) can be applied. By default, the network engine blocks packets if:

• The Deep Security Agent or Deep Security Virtual Appliance host has a system problem, for example, it is out of memory
• The packet sanity check fails

This fail-closed behavior offers a high level of security, as it ensures that attacks cannot penetrate your network when an agent or virtual appliance is not functioning properly, and it safeguards against potentially malicious packets. The drawback of fail closed is that your services and applications might become unavailable because of problems on the Deep Security Agent or Deep Security Virtual Appliance. You might also experience performance issues if a large number of packets are being dropped unnecessarily as a result of the packet sanity check (too many false positives).

If you have concerns about service availability, consider changing the default behavior to allow packets through (fail open) for system and packet check failures. Open the Details for a computer or policy and click Settings in the left-hand frame. Click the Advanced tab and, under Network Engine Settings, set the Failure Response settings as follows:

• Set Network Engine System Failure to Fail open to allow packets through if the network engine host experiences problems such as out-of-memory failures, allocated memory failures, and network engine (DPI) decoding failures. Consider using fail open here if your agent or virtual appliance frequently encounters network exceptions because of heavy loads or a lack of resources. With fail open, the network engine allows the packet through, does not perform rules checking, and logs an event. Your services and applications remain available despite the problems on the agent or virtual appliance.
• Set Network Packet Sanity Check Failure to Fail open to allow packets through that fail the network engine's packet sanity checks. Examples of packet sanity checks are firewall sanity checks, network layer 2, 3, or 4 attribute checks, and TCP state checks. Consider using fail open here if you want to do rules checking only on "good" packets that pass the sanity check. With fail open, the network engine allows the failed packet through, does not perform rules checking on it, and logs an event.

Fail open trades protection for availability: while the engine is failing, packets pass with no rules checking at all, so treat the logged fail-open events as a signal to investigate rather than as noise.

Anti-Evasion Posture

Anti-evasion settings control the network engine's handling of abnormal packets that may be attempting to evade analysis. Anti-evasion settings are configured in a policy or on an individual computer. The Security Posture setting controls how rigorously Intrusion Prevention analyzes packets. The anti-evasion posture can be set to one of the following values:

• Normal: Prevents the evasion of Intrusion Prevention rules without false positives. This is the default value.
• Strict: Performs more stringent checking than Normal but can produce some false positive results. Strict is useful during penetration testing but should not be enabled under normal circumstances.
• Custom: If you select Custom, additional settings are available that enable you to specify how Deep Security handles issues with packets. For these settings (with the exception of TCP Timestamp PAWS Window), the options are Allow (Deep Security sends the packet through to the system), Log Only (same behavior as Allow, but an event is logged), Deny (Deep Security drops the packet and logs an event), or Deny Silent (same behavior as Deny, but no event is logged).

If you changed the posture to Custom in earlier versions of Deep Security, all default values for the anti-evasion settings were set to Deny, which led to a dramatic increase in block events. Now the Custom posture starts from default values that you can adjust individually.

Advanced Network Engine Options

The Advanced Network Engine Options allow the overriding of default timeout values for managing connections, for example, how long to wait to close a connection or how many simultaneous connections are allowed. If you deselect the Inherited check box, you can customize these settings.

Order of Analysis

Network traffic intercepted by the driver is passed through several levels of analysis before being passed to the application.

Integrity Check

In the first step of traffic analysis, the driver verifies the validity of the packet. It makes sure that the packet is actually suitable for analysis.
Attacks involving malformed packets can be detected by their deviation from protocol requirements, and can therefore be addressed here:

• Tiny fragment
• Overlapping fragment
• Teardrop
• Ping-of-death (POD)

Reconnaissance Scans

In this step, the driver can detect possible reconnaissance scans that attackers often use to discover weaknesses before beginning a targeted attack. Set Reconnaissance Scan Detection Enabled to Yes. You can configure the Deep Security Firewall to detect possible reconnaissance scans and help prevent attacks. Once a scan has been detected, you can instruct Deep Security Agents and Deep Security Virtual Appliances to block traffic from the source IPs for a period of time. Use the Block Traffic lists on the Policy/Computer Editor > Firewall > Reconnaissance tab to set the number of minutes.

• Computer OS Fingerprint Probe: Deep Security Agents and Virtual Appliances will recognize and react to active TCP stack OS fingerprinting attempts.
• Network or Port Scan: The Deep Security Agents and Virtual Appliances will recognize and react to port scans.
• TCP Null Scan: The Deep Security Agents and Virtual Appliances will refuse packets with no flags set.
• TCP SYNFIN Scan: The Deep Security Agents and Virtual Appliances will refuse packets with only the SYN and FIN flags set.
• TCP Xmas Scan: The Deep Security Agents and Virtual Appliances will refuse packets with only the FIN, URG, and PSH flags set or a value of 0xFF (every possible flag set).

For each type of attack, the Deep Security Agent and Deep Security Virtual Appliance can be instructed to send the information to the Deep Security Manager, where an Alert will be triggered, by selecting the option Notify DSM Immediately.
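The following is an added example, not Trend Micro's code, that models the two stages just described: the integrity check for the malformed-packet conditions listed above, and the TCP flag combinations the reconnaissance stage refuses, with the Network Packet Sanity Check Failure setting from the Failure Response section deciding what happens to a packet that fails the integrity check. The fragment records, the size thresholds and every function name are constructed for illustration and are not Deep Security internals.

```python
"""Added example (not Trend Micro's code): a model of the first stages of
the network engine's order of analysis, the packet integrity check and the
reconnaissance-scan check, together with the Failure Response setting for
packets that fail the integrity check.  Records, thresholds and names are
constructed for illustration only."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as they appear in the flags byte of the TCP header
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumed thresholds (not from the page): a first fragment that cannot hold a
# 20-byte TCP header is treated as "tiny"; an IP datagram cannot legitimately
# reassemble to more than 65535 bytes.
MIN_FIRST_FRAGMENT = 20
MAX_DATAGRAM = 65535


@dataclass
class Fragment:
    """One IP fragment of a datagram (constructed record, not a real capture)."""
    offset: int          # fragment offset in bytes
    length: int          # payload bytes carried by this fragment
    more: bool           # IP "more fragments" flag
    tcp_flags: int = 0   # TCP flags byte, meaningful on the first fragment of a TCP segment


def integrity_check(frags: list[Fragment]) -> Optional[str]:
    """Return the malformed-packet condition a datagram exhibits, or None if clean.

    The conditions are the ones listed for this stage: tiny fragment,
    overlapping fragment (teardrop is the classic overlap) and ping-of-death."""
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f.offset)
    first = ordered[0]
    if first.offset == 0 and first.more and first.length < MIN_FIRST_FRAGMENT:
        return "tiny fragment"
    for earlier, later in zip(ordered, ordered[1:]):
        if later.offset < earlier.offset + earlier.length:
            return "overlapping fragment"
    last = ordered[-1]
    if last.offset + last.length > MAX_DATAGRAM:
        return "ping-of-death"
    return None


def classify_scan(tcp_flags: int) -> Optional[str]:
    """Map a TCP flags byte to the scan types the reconnaissance stage refuses."""
    flags = tcp_flags & 0xFF
    if flags == 0:
        return "TCP Null Scan"
    if flags == TCP_SYN | TCP_FIN:
        return "TCP SYNFIN Scan"
    if flags == TCP_FIN | TCP_URG | TCP_PSH or flags == 0xFF:
        return "TCP Xmas Scan"
    return None


def engine_decision(frags: list[Fragment], sanity_fail_open: bool) -> tuple[str, str]:
    """Run both checks in order and return (action, reason).

    sanity_fail_open models the Network Packet Sanity Check Failure setting:
    with fail open a malformed packet is let through unchecked and logged;
    with fail closed it is dropped."""
    problem = integrity_check(frags)
    if problem is not None:
        action = "allow-unchecked-and-log" if sanity_fail_open else "drop"
        return action, problem
    scan = classify_scan(frags[0].tcp_flags) if frags else None
    if scan is not None:
        # A detected scan raises a reconnaissance event; the page describes
        # blocking the source IP for a configurable number of minutes.
        return "drop-and-block-source", scan
    return "continue-to-firewall-rules", "passed integrity and reconnaissance checks"


if __name__ == "__main__":
    # Constructed samples: a clean SYN, a teardrop-style overlap, a Xmas probe
    clean = [Fragment(0, 40, False, TCP_SYN)]
    teardrop = [Fragment(0, 100, True), Fragment(50, 100, False)]
    xmas = [Fragment(0, 40, False, TCP_FIN | TCP_URG | TCP_PSH)]
    for name, pkt in [("clean", clean), ("teardrop", teardrop), ("xmas", xmas)]:
        print(name, engine_decision(pkt, sanity_fail_open=False))
```

Run with `sanity_fail_open=True` to see the availability trade-off the Failure Response setting makes: the malformed datagram is passed on and logged rather than dropped, which keeps a busy service reachable at the cost of forwarding a packet no rule has examined.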
For this option to work, the Deep Security Agent and Deep Security Virtual Appliance must be configured for agent-initiated or bidirectional communication in Policy/Computer Editor > Settings > Computer. If enabled, the Deep Security Agent and Deep Security Virtual Appliance will initiate a heartbeat to the Deep Security Manager immediately upon detecting the attack or probe.

Note: If you want to enable reconnaissance protection, you must also enable the Firewall and Stateful Inspection on the Policy/Computer Editor > Firewall > General tab. You should also go to the Policy/Computer Editor > Firewall > Advanced tab and enable the Generate Firewall Events for packets that are Out of Allowed Policy setting. This will generate the Firewall events that reconnaissance detection requires.

Detection can be enabled or bypassed for certain IP addresses by selecting the IP address list from Computers/Networks on which to perform detection or Do not perform detection on traffic coming from. IP lists can be created as Common Objects.

Check Firewall Rules

With the exception of the Bypass rule, Firewall rules are applied at this point in the analysis. The Firewall module will filter traffic based on the characteristics defined in the rule.

Check Stateful Configuration

Stateful Filtering plays a very important role in thwarting attacks such as Denial of Service (DoS) and ACK Storm. Traditionally, these attacks leverage the characteristics of the following protocols:

• TCP
• UDP
• ICMP

Stateful Configuration analyzes each packet in the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions. In the case of stateless protocols like UDP and ICMP, a pseudo-stateful mechanism is implemented based on historical traffic analysis. A packet is passed to the stateful routine if it has been allowed through by a static Firewall rule's conditions.
The packet is examined to determine whether it belongs to an existing connection, and the TCP header is examined for correctness (e.g. sequence numbers, flag combinations, etc.). Deep Security Agents provide functionality that addresses known attack techniques for each of these protocols. When stateful analysis is enabled, packets are analyzed within the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions.

• A packet is passed through the stateful routine if it is explicitly allowed via static rules. The packet is examined to determine whether it belongs to an existing connection by checking the connection table for matching end points.
• The TCP header is examined for correctness (for example, sequence numbers, flag combination).
• Once enabled, the stateful engine is applied to all traffic traversing the interface.

UDP pseudo-stateful inspection, by default, rejects any incoming unsolicited UDP packets. If a computer is running a UDP server, a Force Allow rule must be included in the policy to permit access to that service. For example, if UDP stateful inspection is enabled on a DNS server, a Force Allow rule permitting UDP traffic to port 53 is required.

ICMP pseudo-stateful inspection, by default, rejects any incoming unsolicited ICMP request-reply and error type packets. A Force Allow must be explicitly defined for any unsolicited ICMP packet to be allowed. All other ICMP (non request-reply or error type) packets are dropped unless explicitly allowed with static rules.

Stateful Configuration for TCP

Of the three protocols that this feature supports, TCP is the only protocol which the Deep Security Manager administrator is able to configure. From the Policies menu, click Common Objects in the left-hand frame, then Other > Firewall Stateful Configurations.
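The following is an added example, not Trend Micro's code, that models the stateful and pseudo-stateful behaviour described above: outbound traffic the host starts is entered in a connection table (a pseudo-connection for UDP and ICMP), and an inbound packet is admitted only if it answers a tracked entry or matches a Force Allow rule. That is why the DNS server in the text needs a Force Allow for UDP port 53, and why a host that should answer pings needs one for ICMP Echo Request. The packet and rule records, the table layout and the DNS scenario are constructed for illustration; the ICMP type numbers follow RFC 792 (Echo Request is type 8), which is an assumption the example makes rather than something the page states.

```python
"""Added example (not Trend Micro's code): a simplified model of the stateful
check.  Host-initiated traffic is recorded in a connection table; inbound
packets are admitted only as replies to a tracked entry or via Force Allow.
Packets, rules and the table layout are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

# RFC 792 ICMP types (assumption: Echo Request is type 8)
ICMP_ECHO_REQUEST = 8
ICMP_REPLY_TYPES = {0, 3, 11}   # echo reply, destination unreachable, time exceeded


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    inbound: bool         # True = arriving from the network at the protected host
    sport: int = 0
    dport: int = 0
    tcp_flags: str = ""   # "S", "SA", "A", ... for TCP
    icmp_type: int = -1


@dataclass(frozen=True)
class ForceAllow:
    """Force Allow for unsolicited inbound traffic to a service the host runs."""
    proto: str
    dport: int = 0        # tcp/udp destination port
    icmp_type: int = -1   # icmp type


class StatefulEngine:
    def __init__(self, force_allow: list[ForceAllow] | None = None):
        self.force_allow = list(force_allow or [])
        self.table = set()   # entries keyed (proto, local, lport, remote, rport)

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Inbound packets are interpreted as possible replies, so the key is
        # flipped to match the entry that the outbound request created.
        if p.inbound:
            return (p.proto, p.dst, p.dport, p.src, p.sport)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _force_allowed(self, p: Packet) -> bool:
        for r in self.force_allow:
            if r.proto != p.proto:
                continue
            if p.proto == "icmp" and r.icmp_type == p.icmp_type:
                return True
            if p.proto != "icmp" and r.dport == p.dport:
                return True
        return False

    def handle(self, p: Packet) -> str:
        """Return 'allow' or 'deny' for one packet and update the table."""
        key = self._key(p)
        if not p.inbound:
            self.table.add(key)          # host-initiated: open a (pseudo) connection
            return "allow"
        # Only packets that can be replies are checked against the table:
        # a TCP reply must carry ACK, an ICMP reply must be a reply/error type.
        if p.proto == "tcp":
            looks_like_reply = "A" in p.tcp_flags
        elif p.proto == "icmp":
            looks_like_reply = p.icmp_type in ICMP_REPLY_TYPES
        else:
            looks_like_reply = True      # UDP has no flags; rely on the pseudo-state
        if looks_like_reply and key in self.table:
            return "allow"
        if self._force_allowed(p):
            self.table.add(key)          # the server's own replies are then tracked
            return "allow"
        return "deny"                    # unsolicited inbound traffic


def dns_server_demo(with_force_allow: bool) -> list[str]:
    """Constructed DNS-server scenario: an inbound query to UDP/53 is denied by
    pseudo-stateful UDP inspection unless the Force Allow rule is present."""
    rules = [ForceAllow("udp", dport=53)] if with_force_allow else []
    engine = StatefulEngine(rules)
    return [
        engine.handle(Packet("udp", "10.0.0.5", "10.0.0.53", True, 40000, 53)),  # client query
        engine.handle(Packet("udp", "10.0.0.53", "10.0.0.1", False, 5353, 53)),   # our upstream lookup
        engine.handle(Packet("udp", "10.0.0.1", "10.0.0.53", True, 53, 5353)),    # upstream answer
    ]


if __name__ == "__main__":
    print("without Force Allow:", dns_server_demo(False))
    print("with Force Allow:   ", dns_server_demo(True))
```

The upstream lookup and its answer pass either way because the host initiated that exchange; only the unsolicited client query depends on the Force Allow rule, which is the point the DNS example in the text makes.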
Click New > New Firewall Stateful Configuration, or double-click an existing configuration in the list. Click the TCP tab to modify the properties for this protocol.

Pseudo-Stateful Configuration for UDP and ICMP

Both UDP and ICMP are connectionless protocols, so normal stateful inspection, the kind done with TCP, does not apply to these protocols. Stateful configuration, therefore, uses a pseudo-state table that keeps track of related UDP and ICMP messages, which are then treated as pseudo connections.

Decrypt SSL Traffic

If the packet is part of an SSL connection, the driver will decrypt the traffic to allow Intrusion Prevention. This feature, however, requires the administrator to provide the relevant keys to permit decryption.

Check Intrusion Prevention Rules

Finally, the Intrusion Prevention module inspects the contents of the packet for malicious instructions and other unauthorized content.

Important Points to Remember

Note:
• Firewall rules using the Allow action are prohibitive. Anything not specified in the collection of rules is automatically dropped. This includes traffic of other frame types, so you need to remember to include rules to allow other types of required traffic. For example, don't forget to include a rule to allow ARP traffic if static ARP tables are not in use.
• If UDP stateful inspection is enabled, a firewall rule using Force Allow must be used to allow unsolicited UDP traffic. For example, if UDP stateful is enabled on a DNS server, then a Force Allow for port 53 is required to allow the server to accept incoming DNS requests.
• If ICMP stateful inspection is enabled, a rule using Force Allow must be used to allow unsolicited ICMP traffic. For example, if you wish to allow outside ping requests, a Force Allow rule for ICMP type 3 (Echo Request) is required.
• A firewall rule using Force Allow acts as a trump card only within the same priority context.
• If you do not have a DNS or WINS server configured (which is common in test environments), a firewall rule using Force Allow on incoming UDP port 137 may be required for NetBIOS.

When troubleshooting a new firewall policy, the first thing you should do is check the Firewall Rule logs on the Agent/Appliance. The Firewall Rule logs contain all the information needed to determine what traffic is being denied so that you can further refine your policy as required. Information collected using the dsa_config command locally on a Deep Security Agent can also be very helpful for troubleshooting.

Port Scans

Port scanning allows administrators to detect open, and potentially vulnerable, ports on machines on the company network. This functionality can be used for the following purposes:

• Aid in the selection of firewall rules to apply
• Evaluate the effectiveness of existing firewall rules
• When used in combination with malware-specific port lists, detect the ports opened by malware

Deep Security Manager checks for open ports by initiating connections with them. If a connection is established, then the port is identified as open.

Best Practice: Add Deep Security Manager's own IP address to the Ignore reconnaissance IP list so that port scans do not generate Reconnaissance Scan alerts.

Defining Ports to Scan

By default, Deep Security Manager scans ports 1 to 1024. However, administrators can use port lists to scan alternative ports, such as those associated with specific applications or threats. From either the Policies or Computers menu, click Settings and, on the General tab, select from the Ports to scan list. A customized Ports to scan list can be created as a Common Object.

Scan Triggers

Administrators can initiate port scans from the Computers list in the Deep Security Manager Web console.
A port scan can also be initiated from the computer Details page.

Note: Scan for Open Ports is not available on the base and assigned (child) policies.

A Scanning for Open Ports message is displayed while the scan is in progress.

Scan Results

Port scan results are displayed on the Details page of the target computer.

Viewing Firewall-Related Events

Firewall events can be displayed for all computers in the system or for specific computers.

System Events

To view all the Firewall events that have occurred for the entire system, click the Events & Reports menu. Click Firewall Events in the left-hand frame. Select the criteria for the retrieval of the events and click Refresh. All the retrieved events will be displayed.

Note: The Firewall, Intrusion Prevention and Web Reputation Protection Modules share a common network engine. Because of this, some Firewall events may still be generated even though the Firewall Protection Module itself may be off.

Computer Events

To view Firewall events for a specific computer, double-click the device in the Computers list to view the Details. Click the Firewall Protection Module in the left-hand frame and click the Firewall Events tab.

Review Questions

1 Describe the effect of the following actions set in Firewall rules.
  • Deny
  • Allow
  • Force Allow
  • Log Only
  • Bypass
2 What is the purpose of the Priority setting in a Firewall rule?
3 How would you characterize the differences between the Network Engine Modes of Inline and Tap? Which Protection Modules make use of this setting?
4 How can a Firewall Stateful Configuration help in thwarting Denial of Service (DoS) attacks against a protected server?

Lesson 11: Protecting Servers From Vulnerabilities

Lesson Objectives:

After completing this lesson, participants will be able to:

• Describe the functions enabled through the Intrusion Prevention protection module
• Enable Intrusion Prevention through a policy or directly on a computer
• Assess system vulnerabilities by running Recommendation Scans
• List the different types of Intrusion Prevention rules
• Describe how Deep Security Intrusion Prevention rules are applied to SSL traffic
• Protect Web applications from common attacks using Intrusion Prevention rules
• Locate and view Intrusion Prevention-related events

The Intrusion Prevention module protects computers from being exploited through attacks on known vulnerabilities, as well as SQL injection attacks, Cross-Site Scripting attacks, and other web application vulnerabilities. Whereas Firewall rules and Firewall Stateful Configurations examine a packet's control information (data that describes the packet), Intrusion Prevention rules examine the actual content of packets and sequences of packets. Based on the condition set within the Intrusion Prevention rule, various actions are then carried out on these packets. Actions range from replacing specifically defined or suspicious byte sequences to completely dropping packets and resetting the connection.

Intrusion Prevention shields vulnerabilities until code fixes can be completed. It also identifies malicious software accessing the network and increases visibility into, or control over, applications accessing the network.

Trend Micro's membership in the Microsoft Active Protections Program (MAPP) provides advanced access to Microsoft's monthly security bulletins.
This allows the rule development team to anticipate emerging threats and craft rules that protect against a new vulnerability, even before it is officially acknowledged.

Deep Security Agents look at the content of a packet to determine if it contains malicious content. The Agent is able to determine if content is malicious by referencing instructions within Intrusion Prevention rules. If the content matches what the rule looks for, the packet is dropped.

Blocking Exploits Using Intrusion Prevention

The Intrusion Prevention Protection Module can be leveraged to protect against exploits with the following functions.

Virtual Patching

Intrusion Prevention rules can drop traffic designed to leverage unpatched vulnerabilities in certain applications or the operating system itself. This protects the host while awaiting the application of the relevant patches. This form of vulnerability protection mitigates the impact of falling behind on patch application duties. Once the patch is applied, it is then possible to safely unassign the Intrusion Prevention rule that protects against that particular vulnerability.

Virtual patching does not replace the need to run regular system updates. Once a security update is applied to the operating system or an application, a Recommendation Scan can help identify rules that can be unassigned. System performance can be affected if a large number of Intrusion Prevention rules are applied to the server.

Virtual patching can also be used in cases where an operating system is no longer supported by the vendor. Trend Micro will still issue updated Intrusion Prevention rules for an extended period of time after the end of support by the original vendor.
Detecting Suspicious Network Activity

Intrusion Prevention rules can detect activity that is considered suspicious, such as ransomware or remote access, as well as detecting and blocking traffic that does not conform to protocol specifications, allowing Deep Security Agents to detect packet fragments, packets without flags, and similar anomalies.

Blocking Traffic Through Protocol Control

Communication applications like peer-to-peer chat programs use specific and distinct communication protocols. Intrusion Prevention rules can identify packets that use these protocols, allowing the rule to detect the presence, and/or prevent the use, of these applications. Intrusion Prevention rules can be used to block traffic associated with specific applications like Skype or file-sharing utilities.

Protecting Web Applications

Intrusion Prevention rules can be used to block common web site vulnerabilities such as Cross-Site Scripting and SQL Injection.

Enabling Intrusion Prevention

Enabling Intrusion Prevention in Deep Security typically involves the following steps:

1 Turning the Intrusion Prevention module on in a policy or on a computer
2 Setting the Detection mode in a policy or on a computer
3 Running a Recommendation Scan on a computer
4 Applying the Intrusion Prevention rules to a policy or to a computer
5 Staying up to date on rules through ongoing Recommendation Scans

Turning the Intrusion Prevention Module On

You can enable Intrusion Prevention protection in policies or on a computer.

Turning the Intrusion Prevention Module On in a Policy

Intrusion Prevention protection can be assigned to policies at any level in the hierarchy. Any sub-policies with inheritance enabled will be assigned the Intrusion Prevention protection settings. To do this in a policy, click the Policies menu and double-click the policy to which you'd like to assign protection.
Click the Intrusion Prevention Protection Module in the left-hand frame and, on the General tab, set the Intrusion Prevention State to On and click Save.

Turning the Intrusion Prevention Module On on a Computer

To set Intrusion Prevention protection on a computer, click the Computers menu. Locate and double-click a computer in the list to open Details. In the right-hand pane, click Intrusion Prevention and, on the General tab, set the Intrusion Prevention Configuration to On and click Save. Turning the module on at the computer level will override the inheritance of settings from the policy.

Setting the Intrusion Prevention Behavior

This setting specifies the behavior of the Intrusion Prevention rules and can be set in a Policy or on a Computer.

• Detect: Detect is useful for testing when you first apply a new set of Intrusion Prevention rules, to make sure they don't interfere with legitimate traffic. When set to Detect, all of the Intrusion Prevention rules will be triggered and events are generated, but traffic is not affected. You should test new Intrusion Prevention settings in Detect to ensure that service on your computers will not be interrupted by false positives.
• Prevent: If you are satisfied that no false positives are being triggered after monitoring the Intrusion Prevention events for a period of time, you can switch to Prevent, which will prevent rule-triggering traffic from continuing. This setting only applies when the network engine is operating Inline; that is, live traffic is being streamed through Deep Security. The rules will be applied to traffic and related log events are generated.

Rule Behavior

You can configure a rule's behavior mode to override the mode that is set for Intrusion Prevention at the policy or computer level.
Overriding is useful for testing new rules that are applied to a policy or computer. For example, when a policy is configured such that Intrusion Prevention works in Prevent mode, you can configure a rule to use Detect mode. For that rule only, Intrusion Prevention merely logs the traffic, and enforces other rules that do not override the policy's behavior mode.

Some rules issued by Trend Micro use Detect mode by default. For example, mail client rules generally use Detect mode because in Prevent mode they block the downloading of all mail. Some rules trigger an alert only when a condition occurs a large number of times, or a certain number of times within a certain period of time. These types of rules apply to traffic that constitutes suspicious behavior only when a condition recurs, and a single occurrence of the condition is considered normal.

Best Practice: To prevent blocking legitimate traffic and interrupting network services, when a rule requires configuration, keep it in Detect mode until you've configured the rule. Switch a rule to Prevent mode only after configuration and testing.

Running a Recommendation Scan

Recommendation Scans provide a snapshot of existing vulnerabilities on a host, and a selection of actions that can be taken to address these vulnerabilities. This eliminates much of the guesswork involved in configuring security.

An on-demand scan can be triggered within the Deep Security Manager Web console by right-clicking the computer and selecting Actions > Scan for Recommendations. Alternately, Scan for Recommendations can be triggered from the General tab of the Computer Details page. A message is displayed while the scan is in progress. You will also note that the Task column for the computer displays Scanning for Recommendations.
Once this message disappears from the column, the scan is complete.

Applying the Intrusion Prevention Rules

Rules recommended as part of a Recommendation Scan can be assigned to a Deep Security Agent in different ways.

Applying the Rules to a Computer

The rules recommended by the scan can be added to a computer manually or automatically. To apply the rules manually, once the Recommendation Scan is complete, click Assign/Unassign from the General tab of Computer Details. Select Recommended for Assignment from the list and click to select the individual rules to apply. Click the category name to assign all the rules in the category. Rules can be unassigned using the same method by selecting Recommended for Unassignment and disabling the displayed items.

The recommended rules can also be applied automatically by setting Automatically Implement Intrusion Prevention Recommendation to Yes on the General tab.

Note: Rules assigned this way override both Base and assigned Policy-level settings. Maintaining these rules may become tedious and may eventually require use of an Override at the assigned Policy level.

Applying the Rules Through an Assigned Policy

When a Recommendation Scan is performed on an individual member of an assigned policy group, the recommendations for the Deep Security Agent will be reflected on the assigned policy as well. Accepting the recommendations at the assigned policy level applies the rules to all members of the related assigned policy, without actually assigning them directly to the Deep Security Agents. The advantage of this method is ease of maintenance. There is, however, the possibility that rules may be assigned to policy members that do not actually need them.
Unless the network consists of identical machines, applying the rules through an assigned policy may be less than ideal.

Staying Up To Date on Rules Through Ongoing Recommendation Scans

Recommendation Scans can be configured to run automatically, on an ongoing basis. Running the scan regularly will enable new rules to be added as new vulnerabilities are discovered, and older rules that are no longer required because of a software update to be removed. Ongoing scans can also be configured as a scheduled task.

Types of Intrusion Prevention Rules

There are three types of Intrusion Prevention rules:

• Exploit Rules: An Exploit rule protects against a specific exploit. There could be as many Exploit rules as there are methods for using the vulnerability. Depending on the nature of the exploit, multiple exploits can be addressed by a single Exploit rule.
• Vulnerability Rules: A Vulnerability rule, on the other hand, applies a virtual patch on the vulnerability, thereby rendering all exploits that use that vulnerability harmless. Vulnerability rules, therefore, can theoretically take the place of several Exploit rules.
• Smart Rules: A Smart rule is a generic rule that provides virtual patching for multiple vulnerabilities. Because of the breadth of these rules, some configuration may be required to prevent false positives.

(Figure: Exploit A, Exploit B and Exploit C all targeting one Vulnerability.)

One-to-one patterns are designed for specific malware variants and rely on a precise pattern match. As variants emerge, the common denominator found in these variants is used as the basis for a one-to-many pattern, which can recognize the different variants without the pattern size impact of a one-to-one pattern.
This database space conservation measure permits Trend Micro to retire the one-to-one pattern without loss of detection capability. Mapped to Intrusion Prevention rules, Exploit rules would be roughly analogous to a one-to-one pattern (Exploit rules can actually match more than one exploit), while Vulnerability and Smart rules would be analogous to the one-to-many patterns.

The broader the applicability of the rule, the greater the chance of blocking traffic that really shouldn't be blocked. For this reason, Smart rules will probably not be developed for every single vulnerability. These are only released after completion of exhaustive testing to address false-positive concerns.

Rules generate Intrusion Prevention events when they are triggered. Unless packet capture functionality is enabled, these events typically only contain the name of the rule that was triggered, and the time and location of the event. The usefulness of these events for forensic analysis of attacks is directly proportional to the granularity of the information they contain. Smart rules alone, therefore, are too broad for forensic analysis because they cover too many attack vectors. Targeted exploit filters, on the other hand, offer the most targeted Intrusion Prevention logging information.

(Figure: Exploit rules for Exploits A, B, C, X, Y and Z; a Vulnerability rule for Vulnerability #1 and one for Vulnerability #2; a Smart rule covering Vulnerability #1 and #2.)

When all three rules are available for a particular vulnerability, they form a layered defense mechanism around the vulnerability.

• Different Exploits are targeted at Vulnerability #1.
• Both vulnerabilities can be protected by a single Smart rule that can deal with all the attack vectors for Vulnerability #1 as well as attacks for Vulnerability #2.
• Each attack vector has a corresponding Exploit rule.
• Each of these vulnerabilities has a Vulnerability rule that can address all of the attack vectors by itself.

Rule Groups

To simplify the display of rules, Intrusion Prevention Rules are divided into groups. Selecting a group limits the display of rules to those assigned to the group.

• Web Application Protection: These rules are designed to protect Web applications from malicious attacks.
• Application Traffic: As its name implies, these rules detect the use of particular applications on Deep Security Agent hosts.
• Suspicious Network Activity: These rules are designed to detect activity that is considered suspicious, such as remote access.
• Vulnerabilities and Exploits: These rules include protection from known vulnerabilities.

TippingPoint Equivalent Rule ID Mapping

Many customers are benefiting from both TippingPoint network security and Deep Security host security. To make it easier for you to know which Deep Security Intrusion Prevention rule maps to an equivalent TippingPoint rule, the Intrusion Prevention Rules table can display an optional TippingPoint column that will show the equivalent TippingPoint rule ID if it exists. Click the Columns menu item and enable the display of the column.

Filtering SSL-Encrypted Traffic

The Intrusion Prevention module supports filtering of encrypted SSL traffic. SSL Configurations are assigned to a given credential-port pair on one or more interfaces. The credentials required to decrypt the SSL traffic must be imported in PKCS#12 or PEM format. Windows computers have the option of using CryptoAPI directly. The credentials are required to give the Deep Security Agent access to the private decryption key.
Note: Filtering of SSL traffic is only supported by the Deep Security Agent, not the Deep Security Virtual Appliance. The Agent does not support filtering SSL connections on which SSL compression is implemented.

A secure SSL connection is made possible by using the server's certificate to authenticate its identity and to encrypt the master secret, which will be used as a shared secret allowing both devices in the communication to generate an identical session key. Any information exchanged between the two devices will be encrypted using the session key, protecting the connection for the duration of the session. This description applies to RSA key exchange; with cipher suites that use ephemeral Diffie-Hellman key agreement, the session key cannot be recovered from the server's private key, so such sessions cannot be decrypted in this way.

Note: HTTPS payload inspection must be able to observe the SSL session establishment to be able to decrypt SSL traffic. It cannot read an already established session. If an established secure session is present when HTTPS Payload inspection is enabled, the Deep Security Agent will terminate this connection.

If the packet is part of an SSL connection, the driver needs to decrypt the traffic to perform Intrusion Prevention filtering. If you are using PEM or PKCS#12, the administrator must identify the location of the credential file and the pass phrase to permit decryption. If you are using Windows CryptoAPI credentials, choose the credentials from the list of credentials found on the computer.

Click View SSL Configurations to view existing or create new configurations for encrypted scanning. Create a new configuration and follow the prompts in the Wizard. Identify the interface to monitor for encrypted traffic. Identify the port (or ports) to monitor. The port list may have been created as a Common Object; if so, select the list.
You can monitor traffic coming from all IP addresses, or from selected IP addresses. Identify the IP addresses to monitor. Identify how the credentials will be provided to the Agent. Select the type of credentials to be used. Credentials can be imported in PKCS#12 or PEM format, or Windows servers can use CryptoAPI directly. If selecting a file, provide the full path to the file and provide the password. The credentials provided will be tested and the configuration will be displayed in the list.

Note: Deep Security Agents do not support filtering on SSL connections with SSL compression enabled.
- When HTTPS payload inspection is enabled, any encrypted traffic that Deep Security Agents cannot decrypt will be dropped. This includes SSL connections with SSL compression enabled.
- If HTTPS payload inspection is NOT enabled, then SSL connections with SSL compression enabled will simply be allowed through without analysis.

Each time an SSL packet passes through a Deep Security Agent, the traffic is decrypted and analyzed. This decryption is applied both to incoming traffic and its corresponding response. When Deep Security Agents receive a packet from the network, the packet is deferred while its content is analyzed. After the Firewall module completes its analysis of the packet, it is handed off to Intrusion Prevention and HTTPS payload inspection for analysis. The decryption engine is not able to re-encrypt the traffic that it decrypts. To preserve the original encrypted packet, a copy of the packet is created, and the copy is decrypted and then inspected. If the packet contains malicious content, then it is dropped. If the packet cannot be decrypted, then it is also dropped. If the packet does not trigger any Intrusion Prevention rules, the deferred encrypted packet is allowed to proceed to its destination.
Protecting Web Applications

Two of the most common application-layer attacks are SQL Injection and Cross-Site Scripting (XSS). The Cross-Site Scripting and SQL Injection rules intercept the majority of attacks by default, but you may need to adjust the drop score for specific resources if they cause false positives.

• Cross-Site Scripting
Cross-Site Scripting is a code injection attack that allows an attacker to execute malicious scripts in another user's browser. Rather than directly targeting a user, the attacker makes use of vulnerabilities in web sites that the victim visits in order to get the web site to deliver the malicious scripts. To the browser, the malicious JavaScript appears to be a legitimate part of the web site, and the web site acts as an unintentional accomplice to the attacker. The attack may occur when a web application does not properly validate or escape user input. If user input is echoed back to the browser without being escaped properly, or is used without proper validation, crafted input can cause malicious HTML or script code to be executed.

• SQL Injection
SQL Injection is an attack in which SQL code is inserted into or appended to application or user input parameters that are later passed to a back-end SQL server for parsing and execution. Any procedure that constructs SQL statements could potentially be vulnerable, as the diverse nature of SQL and the methods available for constructing it provide a wealth of coding options. The primary form of SQL injection consists of direct insertion of code into parameters that are concatenated with SQL commands and executed. SQL injection may occur when a web application does not properly escape user input that is used in SQL statements. Malicious input may result in the execution of arbitrary SQL statements.
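The two application-layer defects just described, each shown beside its hardened form, as an added example that is not part of the course material. The SQLite table, its rows and the sample inputs are constructed; the point is to see the code path that turns user input into SQL syntax or HTML markup, and the fix (parameterised queries, output escaping) that the Intrusion Prevention rules below only compensate for at the network layer.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_user_unsafe(db, name):
    """Concatenates the input into the statement: the input becomes SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def find_user_safe(db, name):
    """Parameterised query: the input is bound as data and can never alter the statement."""
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def greeting_unsafe(name):
    """Echoes the input into HTML unescaped, so markup in the input reaches the browser."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    """html.escape turns <, >, &, and quotes into entities; the input renders as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"          # classic always-true input
    print("unsafe lookup returns", len(find_user_unsafe(db, tautology)), "rows")
    print("safe lookup returns", len(find_user_safe(db, tautology)), "rows")
    print(greeting_unsafe("<script>alert('XSS Executed')</script>"))
    print(greeting_safe("<script>alert('XSS Executed')</script>"))
```

The unsafe lookup returns every row for the always-true input, while the parameterised version returns nothing because the whole string is compared as a name; likewise the escaped greeting contains no `<script>` tag for the browser to execute.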
The Intrusion Prevention module is able to defend against Cross-Site Scripting and SQL Injection attacks through the following out-of-the-box rules available in Deep Security:
• 1000552 - Generic Cross-Site Scripting (XSS) prevention
• 1000608 - Generic SQL injection prevention

Both rules may require custom configuration for web servers. If you have output from a Web Application Vulnerability Scanner, you should leverage that information when applying protection. For example, if the username field on a login.asp page is vulnerable to SQL injection, ensure that the SQL injection rule is configured to monitor that parameter with a low drop threshold.

Administrators can, however, add their own custom Web application rules.

The configuration options for both rules are very similar; both have similar parameters that are available and configurable.

Patterns

The Patterns field contains the characters that Intrusion Prevention rules look for in the HTTP message. Consider the following pattern in the default Generic Cross-Site Scripting rule:

    <,%3c,>,%3e:1

In the figure, < and > are labelled as the characters, %3c and %3e as the same characters in UTF-8 encoding, and :1 as the score. This pattern prompts the driver to keep track of instances of < and >. Each time the driver encounters these characters in the URL, it increments the URL score by 1.

Another pattern is designed to keep track of relevant scripting keywords. As an example, both of these patterns are applied to this very simple Cross-Site Scripting attack:

    '--<script> alert('XSS Executed')</script>

When the patterns are applied to the string, the matches and their scores are:

    ' (1)  < (1)  script (2)  > (1)  ' (1)  ' (1)  < (1)  script (2)  > (1)

The word script is part of the second pattern, and is given a score of 2. All other matches, including the single apostrophe, are given a score of 1. This gives this script a total score of 11.
In practice, the filter implements a score threshold, which may be breached before the full script is analyzed.

Drop Threshold

Drop Threshold defines the maximum score that a string can accumulate before it is dropped. The default value is 4, so when the score reaches 5, the packet is dropped. Applied to the same attack string as in the example above, the threshold is breached by the time the > after script is read:

    ' (1)  < (1)  script (2)  > (1)   Total score = 5 (threshold exceeded)

Log Threshold

Log Threshold works the same way as the Drop Threshold parameter. When the string's score reaches this value, the driver creates a log entry for this event.

Max Distance Between Matches

Max Distance Between Matches defines how many characters can exist between two pattern matches for both matches to be part of the same score count.

    yyyXyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyXyyyy   (30 characters between matches, the default)

If the next pattern match lies beyond this distance, the score is reset to zero. The default value for this parameter is 30.

Viewing Intrusion Prevention-Related Events

Intrusion Prevention events can be displayed for all computers in the system or for specific computers.

System Events

To view all the Intrusion Prevention events that have occurred, click the Events & Reports menu. Click Intrusion Prevention Events in the left-hand frame. Select the criteria for the retrieval of the events and click Refresh. All the retrieved events will be displayed.

Computer Events

To view Intrusion Prevention events for a specific computer, double-click the device in the Computers list to view the Details. Click the Intrusion Prevention Protection Module in the left-hand frame and click the Intrusion Prevention tab.
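The pattern scoring, Drop Threshold, Log Threshold and Max Distance Between Matches behaviour described in the Patterns and threshold sections above, modelled in Python as an added example; this is not Trend Micro's driver code. Only the `<,%3c,>,%3e:1` pattern and the sample attack string come from the page. The apostrophe and `script` patterns, the `alternatives:score` parsing, and case-insensitive matching are assumptions chosen so that the sample string scores exactly as the text shows (nine matches, total 11, drop triggered at the `>` after `script`).

```python
import re

# The first entry is the pattern shown on the page.  The apostrophe and
# "script" entries are assumptions chosen to reproduce the scores the page
# assigns (apostrophe 1, "script" 2); the real keyword pattern is not shown.
DEFAULT_PATTERNS = ["<,%3c,>,%3e:1", "',%27:1", "script:2"]

# The page's sample attack string (straight quotes instead of the PDF's curly ones).
XSS_SAMPLE = "'--<script> alert('XSS Executed')</script>"


def parse_pattern(spec):
    """'<,%3c,>,%3e:1' -> (['<', '%3c', '>', '%3e'], 1)."""
    body, points = spec.rsplit(":", 1)
    return [alt for alt in body.split(",") if alt], int(points)


def compile_patterns(specs):
    """Build (regex, points) pairs; case-insensitive matching is an assumption."""
    compiled = []
    for spec in specs:
        alts, points = parse_pattern(spec)
        if not alts:
            continue
        alts.sort(key=len, reverse=True)  # try the longest alternative first
        regex = re.compile("|".join(re.escape(a) for a in alts), re.IGNORECASE)
        compiled.append((regex, points))
    return compiled


def score_string(data, specs=DEFAULT_PATTERNS, drop_threshold=4,
                 log_threshold=4, max_distance=30):
    """Walk data left to right and accumulate a score the way the driver does.

    Returns every match with its points, the total for the whole string, and
    the offsets at which the Log and Drop thresholds were first exceeded
    (None if never).  The total is computed past the drop point only to
    reproduce the page's figure; a real filter stops once the packet is dropped.
    """
    compiled = compile_patterns(specs)
    score, pos, last_end = 0, 0, None
    matches, logged_at, dropped_at = [], None, None
    while pos < len(data):
        best = None
        for regex, points in compiled:
            m = regex.match(data, pos)
            if m and (best is None or m.end() > best[0].end()):
                best = (m, points)
        if best is None:
            pos += 1
            continue
        m, points = best
        # Max Distance Between Matches: a longer gap resets the running score.
        if last_end is not None and m.start() - last_end > max_distance:
            score = 0
        score += points
        matches.append((m.start(), m.group(0), points))
        if logged_at is None and score > log_threshold:
            logged_at = m.end()
        if dropped_at is None and score > drop_threshold:
            dropped_at = m.end()
        pos = last_end = m.end()
    return {"matches": matches, "total": score,
            "logged_at": logged_at, "dropped_at": dropped_at}


if __name__ == "__main__":
    result = score_string(XSS_SAMPLE)
    print("matches:", [(text, pts) for _, text, pts in result["matches"]])
    print("total score:", result["total"])
    print("dropped after:", repr(XSS_SAMPLE[:result["dropped_at"]]))
```

Lowering `drop_threshold` for a parameter known to be vulnerable (the login.asp example above) makes the drop fire on fewer matches; raising `max_distance` keeps widely separated matches in one count, which is the trade-off to weigh when a resource produces false positives.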
Review Questions

1 Describe the concept of virtual patching.
2 A Recommendation Scan for Intrusion Prevention rules recommends a large number of rules to be applied to a server, which could adversely affect performance. How can you reduce the number of rules that are recommended to be applied to the server?
3 A security patch is applied to the operating system on a Windows Server 2016 computer. How can you identify which of the Deep Security-identified vulnerabilities on this server have been resolved by this patch?
4 How does the Deep Security Agent perform Intrusion Prevention scanning on an SSL-encrypted connection?

Lesson 12: Detecting Changes to Protected Servers

Lesson Objectives:
After completing this lesson, participants will be able to:
• Enable Integrity Monitoring protection through a policy or directly to a computer
• Run a recommendation scan and apply the suggested rules
• Build a trusted baseline configuration for protected computers
• Locate and view Integrity Monitoring-related events

The Integrity Monitoring module detects changes to system objects such as files, services, processes and critical system areas like the Windows Registry that could indicate suspicious activity. It does this by comparing current conditions to a baseline reading it has previously recorded. Deep Security uses rules to identify the objects to monitor. Deep Security ships with predefined Integrity Monitoring rules, and new rules are delivered to Deep Security Agents through security updates. Integrity Monitoring detects changes made to the system but will not prevent or undo the change.
This protection module can monitor system objects including:
• Files
• Folders
• Registry entries
• Processes
• Services
• Listening ports

It is important to note that Integrity Monitoring will detect any change that happens to an object but lacks the ability to distinguish between legitimate and malicious changes.

You can enable Integrity Monitoring protection through a policy or directly at the computer level.

Enabling Integrity Monitoring

Enabling Integrity Monitoring in Deep Security typically involves the following steps:
1 Turning on Integrity Monitoring in a policy or on a computer
2 Applying Integrity Monitoring rules that make sense for your purposes to a policy or to a computer
3 Building a baseline for a computer
4 Scanning periodically for changes to a computer

Turning on Integrity Monitoring

You can enable Integrity Monitoring protection in policies or on a computer.

Turning on Integrity Monitoring in a Policy

Integrity Monitoring protection can be assigned to policies at any level in the hierarchy. Any sub-policies with inheritance enabled will be assigned the Integrity Monitoring protection settings. To do this in a policy, click the Policies menu and double-click the policy to which you'd like to assign protection. Click the Integrity Monitoring Protection Module in the left-hand frame and, from the General tab, set the Integrity Monitoring State to On and click Save.

Turning on Integrity Monitoring on a Computer

To set Integrity Monitoring protection on a computer, click the Computers menu. Locate and double-click a computer in the list to open Details. In the right-hand pane, click Integrity Monitoring and, on the General tab, set the Integrity Monitoring Configuration to On and click Save.
Turning the module on at the computer level will override the inheritance of settings from the policy.

Applying Integrity Monitoring Rules to a Policy or Computer

Under the Policies or Computers menu, go to Integrity Monitoring > General. To add or remove Integrity Monitoring Rules, click Assign/Unassign. This will display a window showing all available Integrity Monitoring rules, from which you can select or de-select rules.

Some Integrity Monitoring Rules written by Trend Micro may require local configuration to function properly. If you assign one of these rules to your computers, or one of these rules gets assigned automatically, an alert will be raised to notify you that configuration is required.

Best Practice: Integrity Monitoring rules should be as specific as possible to improve performance and to avoid conflicts and false positives; for example, do not create a rule that monitors the entire hard drive.

Running a Recommendation Scan on a Computer

Run a Recommendation Scan on the computer to get suggestions about which rules would be appropriate. These rules identify objects on the protected server which can be monitored. To do this, click the Computers menu and select a machine to scan. In the left-hand frame, click Integrity Monitoring. On the General tab, click Scan for Recommendations. You can optionally specify whether Deep Security should automatically implement the rule recommendations that it finds.

Once the recommendation scan has run, click Assign/Unassign and, in the rules window, select Recommended for Assignment to view the recommendations. Select the rules that are appropriate for your requirements.
Best Practice: Recommended Integrity Monitoring rules may result in a large number of monitored entities and attributes. The best practice is to decide what is critical and should be monitored, then create custom rules or tune the predefined rules. Pay extra attention to rules that monitor frequently-changed properties such as process IDs and open ports, because they can be noisy and may need some tuning.

Building a Baseline for the Computer

Integrity Monitoring works by comparing the current condition of a monitored object with an existing baseline, which represents the original secure state of the objects. The state of many objects is identified by a hash, captured during the creation of the baseline.

Best Practice: You can select the hash algorithm(s) that will be used by the Integrity Monitoring module to store baseline information. You can select more than one algorithm, but this is not recommended because of the detrimental effect on performance.

A baseline is created automatically when the protection module is enabled and rules are applied. The resulting snapshot is stored on the Deep Security Agent host. Any events related to detected changes to the objects are uploaded to Deep Security Manager as part of a heartbeat operation. Once fetched, the events will be deleted from the database, with the exception of the most recent integrity events. These are retained for display in the Deep Security Manager Web console.

If changes are applied manually to the monitored objects (for example, after a software update), it is recommended that you manually rebuild the baseline.

Best Practice: Run a new baseline scan after applying patches.

To rebuild a new baseline for Integrity Scans on a computer, open the details for a computer and click the Integrity Monitoring protection module in the left-hand frame.
A prompt in the lower-right corner of the Deep Security Manager Web console displays the progress of the scan.

Note: The size of the database will vary depending on the number of events that occur on the host. If free disk space drops below 5MB, Integrity Monitoring will be suspended.

Periodically Scanning for Changes to a Computer

To detect changes to monitored objects, the Agent must periodically scan for changes. To perform an on-demand scan, from the Computers menu, click Integrity Monitoring. On the General tab, click Scan for Integrity. You can also enable Real Time Scan or create a scheduled task that performs scans on a regular basis.

Detecting Changes

The following events can trigger the comparison between a system object and its baseline.
• On-demand scans: Even when Integrity Monitoring is off, you can run an on-demand Integrity Monitoring scan. To do this, click the Computers menu and click the Integrity Monitoring Protection Module. From the General tab, click Scan for Integrity.
• Real-Time scans: When Integrity Monitoring is on, you can enable real-time scanning. When this option is selected, Deep Security monitors entities for changes in real time and raises Integrity Monitoring Events when it detects changes.
• Scheduled scans: When Integrity Monitoring is on, you can schedule Integrity Monitoring scans just like other Deep Security operations. Deep Security checks the entities that are being monitored and identifies and records an Event for any changes since the last time it performed a scan.

Multiple changes to monitored entities between scans will not be tracked; only the last change will be detected. To detect and report multiple changes to an entity's state, consider increasing the frequency of scheduled scans (for example, daily instead of weekly) or enable real-time scanning for entities that change frequently.
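A toy version of the baseline-and-scan loop described in the Building a Baseline and Detecting Changes sections above, as an added example; it is not Deep Security's Integrity Monitoring implementation. It records one hash per file (a single algorithm, as the best practice advises) plus permission bits, compares a later scan against that snapshot, and shows two consequences stated in the text: two edits between scans surface as a single event, and rebuilding the baseline after an approved change makes the next scan clean. The temporary directory and its files are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def fingerprint(path, algorithm="sha256"):
    """Content hash plus permission bits for one file (one algorithm, as advised)."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"hash": digest.hexdigest(), "mode": stat.S_IMODE(os.stat(path).st_mode)}


def build_baseline(root, algorithm="sha256"):
    """Snapshot every file under root; the root stands in for a narrowly scoped rule."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full, algorithm)
    return baseline


def scan_for_changes(root, baseline, algorithm="sha256"):
    """Compare the current state with the baseline; one event per changed entity."""
    current = build_baseline(root, algorithm)
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append({"type": "deleted", "path": rel})
        elif rel not in baseline:
            events.append({"type": "created", "path": rel})
        elif current[rel] != baseline[rel]:
            changed = [k for k in ("hash", "mode") if current[rel][k] != baseline[rel][k]]
            events.append({"type": "modified", "path": rel, "attributes": changed})
    return events


def write(path, data):
    """Small helper for the constructed scenario below."""
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(path, mode) as fh:
        fh.write(data)


def run_demo():
    """Constructed scenario in a temporary directory; returns the events of each scan."""
    root = tempfile.mkdtemp(prefix="im-demo-")
    try:
        write(os.path.join(root, "app.conf"), "debug=0\n")
        write(os.path.join(root, "service.bin"), b"\x7fELF")
        baseline = build_baseline(root)
        clean = scan_for_changes(root, baseline)
        # Two edits between scans: only the final state is compared with the
        # baseline, so the scan reports a single "modified" event for app.conf.
        write(os.path.join(root, "app.conf"), "debug=1\n")
        write(os.path.join(root, "app.conf"), "debug=1\nallow_root=1\n")
        os.remove(os.path.join(root, "service.bin"))
        write(os.path.join(root, "new.so"), b"\x7fELF")
        drift = scan_for_changes(root, baseline)
        # After an approved change (a patch, for instance) rebuild the baseline
        # so the new state becomes the reference and the next scan is clean.
        baseline = build_baseline(root)
        after_rebaseline = scan_for_changes(root, baseline)
    finally:
        shutil.rmtree(root)
    return {"clean": clean, "drift": drift, "after_rebaseline": after_rebaseline}


if __name__ == "__main__":
    for stage, events in run_demo().items():
        print(stage, events)
```

The intermediate `debug=1` state is never observed by a scheduled scan, which is exactly why the text suggests real-time scanning or a shorter schedule for entities that change often.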
Viewing Integrity Monitoring-Related Events

Events related to Integrity Monitoring activities on the protected computers can be viewed for the entire system, or on a computer-by-computer basis.

System Events

To view all the Integrity Monitoring events that have occurred, click the Events menu. Click Integrity Monitoring Events in the left-hand frame. Select the criteria for the retrieval of the events and click Refresh. All the retrieved events will be displayed.

Computer Events

The list of Events can also be displayed for a specific computer. Locate and double-click a device from the Computers list and, from its Details page, click the Integrity Monitoring Protection Module. Click the Integrity Monitoring Events tab to view all the events for this specific computer.

The display might not be up to the minute; click Get Events to refresh the list and view the most recent Events.

Each Integrity Monitoring rule can include an alert. When an Integrity Monitoring Event occurs for a rule that has this feature enabled, it will generate an alert.

Review Questions

1 On what types of system objects is the Integrity Monitoring protection module able to detect changes?
2 In what situations would you rebuild the baseline for Integrity Monitoring on a particular server?
3 How often is the server scanned for changes to the items being monitored by the Integrity Monitoring protection module?
Lesson 13: Blocking Unapproved Software

Lesson Objectives:
After completing this lesson, participants will be able to:
• Enable Application Control through a policy or directly to a computer
• Build a baseline inventory of approved software for computers
• Locate and review Application Control-generated events
• Override Application Control to allow or block software on protected computers

In Deep Security, Application Control is used for managing and tracking new or changed software while keeping the attack surface known and controlled. Application Control detects all forms of executable software, including:
• Unwanted or unapproved software installed by users
• New PHP pages, Python scripts or Java applications
• Unscheduled auto-updates
• Zero-day malware

New or updated software is considered to be drift from your approved software inventory. The configured enforcement mode dictates behavior when unrecognized software is encountered. Application Control locks down software so that only software in your inventory can execute, or stops specific unwanted software from running. Allow rules can then be added for software that must execute despite not being in the inventory.

Note: Application Control will not block files that are executed from a remote folder or other removable media like a USB stick.

When it's time for a software update, you can tell Application Control that the update is allowed by setting a maintenance window, while still preventing blocked software from executing.

Since Application Control requires processing on the host computer, it is not supported in agentless implementations.

Note: Application Control is intended for use on stable servers that are not updated frequently, and not for workstations or servers that undergo a lot of software changes.
Enforcement Modes

Two different Enforcement modes are available for Application Control, depending on how the Protection Module is to be used.
• Block unrecognized software until it is explicitly allowed: In this mode, all new or changed software is blocked by the Application Control Protection Module. Software can be allowed by changing the blocking rule to Allow.
• Allow unrecognized software until it is explicitly blocked: In this mode, all new or changed software is allowed by the Application Control Protection Module. Software can be blocked by changing the rule to Block.

Best Practice: For most environments, it is suggested that the enforcement mode be set to Allow unrecognized software until it is explicitly blocked. This will allow software changes by default when you first enable Application Control; then you can add block rules for changes you don't want to allow. Eventually, the rate of software changes should decrease. At that point, you could consider blocking software changes by default and creating allow rules for the software that you know is good.

Enabling Application Control

Enabling Application Control in Deep Security typically involves the following steps:
1 Installing all of a server's normal and approved software
2 Running a malware scan on the server
3 Enabling Application Control in a policy or on a computer
4 Detecting software changes on a computer
5 Monitoring for Application Control-related events on a computer
6 Allowing or blocking software on a computer

Installing Approved Software

To use Application Control, you must first ensure that your servers are installed with normal and approved software. This is important because when Application Control is first enabled, the Deep Security Agent builds an inventory of installed software on that computer. This inventory is the baseline of what is expected and normal on that computer and is central to how Application Control detects drift.
Note: Since everything in the inventory is considered to be known, approved software, it is very important to always review all installed software on your computer PRIOR to enabling Application Control.

Any software that is NOT in the inventory is considered unknown or unrecognized until you either:
• Create an allow rule
• Create a block rule
• Rebuild the inventory to include the software

Running a Malware Scan on the Server

To ensure that no dormant malware exists on the server before the inventory scan is triggered, a full scan of the server should be run before Application Control is enabled.

Note: Building the inventory will approve all currently installed software, even if it is malware. Before building the inventory, verify that unknown or unapproved software is not currently installed. Failure to do so could prevent the Application Control Protection Module from blocking that unwanted software. If you are not sure what is installed, the safest way is to make a clean install, and then enable Application Control.

Enabling Application Control

You can enable Application Control protection in policies or in the settings for a supported computer.

Enabling Application Control in a Policy

Application Control protection can be assigned to policies at any level in the hierarchy. Any sub-policies with inheritance enabled will be assigned the Application Control protection settings. To do this in a policy, click the Policies menu and double-click the policy to which you'd like to assign protection. Set the Application Control State to On and click Save.

Select the Enforcement mode, either Block unrecognized software until it is explicitly allowed, or Allow unrecognized software until it is explicitly blocked.
Best Practice: Some software, such as web hosting software, Microsoft Exchange, and Oracle PeopleSoft, can change its own files. In those cases, instead of a complete lockdown, it usually works better to select Allow unrecognized software until it is explicitly blocked, so the software's self-change isn't automatically blocked. Then you would manually add block rules for unwanted software if it occurs.

Enabling Application Control on a Single Computer

In the Deep Security Manager Web console, click the Computers tab, and open the Details for a specific computer. Click the Application Control Protection Module in the left-hand frame. Set the Application Control Configuration to On. Select the Enforcement mode, either Block unrecognized software until it is explicitly allowed, or Allow unrecognized software until it is explicitly blocked, and click Save.

The Application Control Protection Module on the Agent will be installed, and will create an inventory of all installed applications. When the Agent begins to build the software inventory, the Task column for the computer displays Build Inventory In Progress and a progress prompt is displayed. It may take around 20 minutes to complete the inventory scanning.

Enabling Application Control on Multiple Computers

If you have server farms or auto-scaling virtual machines, you may want to use the API to automatically deploy Application Control to those computers. This is faster than manually enabling Application Control on one computer at a time.

Detecting Software Changes

When you enable Application Control, Deep Security Agents will scan for currently installed software. This is the baseline of what is expected and normal on that computer. Application Control assumes that currently installed software should be allowed.
Unlike Integrity Monitoring, which monitors any file, Application Control looks only for software files when examining the initial installation and monitoring for change. Software can be:
• Compiled binaries and libraries, such as *.exe applications, and Java *.jar and *.class files.
• Scripts that are interpreted or compiled on-the-fly, even though they remain editable like any plain text file, such as PHP, Python, and shell scripts.

Even if a file doesn't have execute permissions, the Deep Security Application Control module will still detect it as software if it has a PHP, Python, PowerShell, or Java file extension, including:
- *.class, *.jar, *.war, *.ear, *.php, *.py, *.pyc, *.pyo, *.pyz, *.ps1

The Deep Security Agent continuously monitors the computer for change. Application Control is integrated with the kernel and file system and has permissions to monitor the whole computer, including software installed by root / Administrator accounts. The Agent looks for disk write activity on software files. It compares the file with the hashes of the initially installed software to determine if the software is new or has changed.

Detected changes to software include:
• Changes to file hash

Note: NEW: Rules will no longer also be enforced by file name and/or file path attributes. This improves the coverage of each rule and reduces the operational overhead of creating and managing multiple rules for the same hash value. For example, if a particular hash executes repeatedly on a machine, but with a different file name each time, a single hash value rule (Allow or Block) will control its execution. Previously, rules also included file name and file path, so a new rule would need to be created each time the software executed.
• Changes to time stamps
• Changes to permissions
• Changes to file contents

If any drift from the approved inventory is detected, Application Control will apply the enforcement mode and log the event. Depending on the severity level of the event, it will also trigger an alert. Administrators can override the enforcement mode by creating allow or block rules if required.

Viewing Application Control-Related Events

Application Control events can be displayed for all computers in the system or for specific computers.

System Events

To view all the Application Control events that have occurred, click the Events & Reports menu. Expand Application Control Events in the left-hand frame and click Security Events. Select the criteria for the retrieval of the events and click Refresh. All the retrieved events will be displayed.

When an Agent heartbeat includes several instances of the same security event, Deep Security aggregates the events in the Security Events log. Event aggregation reduces the number of items in the log, making it easier to find important events:
• When the event occurs for the same application, which is usually the case, the log includes the application name with the aggregated event. For example, a heartbeat includes three instances of the Execution of Unrecognized Software Allowed event for the Test_6_file.sh file, and no other instances of that event. Deep Security aggregates these three events for the file Test_6_file.sh.
• When the event occurs for many files, the log omits the file names. For example, a heartbeat includes 21 instances of the Execution of Unrecognized Software Allowed event that occurred for several different files. Deep Security aggregates the 21 events in a single event, but does not include a file name.
• When aggregated events apply to multiple files, other occurrences of these events have likely been reported in other heartbeats.
After you respond to other events where the file name is known, it is likely that no more aggregated events will occur. In the log, aggregated events use special icons, and the Repeat Count column indicates the number of events that are aggregated.

Computer Events

To view Application Control events on a computer, open the Details window for the device and click the Application Control Protection Module in the left-hand frame, then click the Application Control Events tab.

Overriding Application Control Enforcement

When Application Control detects unapproved software, events will be displayed on the Events & Reports tab and on the Application Control Events tab for each computer. To override the enforcement used by Application Control, click Change Rules in the Events entry and create an Allow or Block rule in the ruleset.

Alternately, you can quickly find all unapproved software and easily resolve it by creating Allow All or Block All rules from the Actions menu.

Note: Unlike the Computers tab, this pane usually does not show all computers. If Application Control has not detected unapproved software, this pane will be empty.

If software is both on the blocked list and in the inventory (which would allow it), the block list has priority. This could happen, for example, if computers with different software use the same Allow or Block rules. A unique computer might have the software already installed when its Agent makes the baseline inventory.

Note: You can use the API to create shared allow or block rules and apply the rulesets to other computers. This can be useful if you have many identical computers (such as a load-balanced web server farm). Shared rulesets should be applied only to computers with the exact same inventory.
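The per-heartbeat event aggregation described in the System Events section above, modelled as an added example (not Deep Security code): repeated instances of one security event in a single heartbeat collapse into one log entry carrying a Repeat Count, and the file name survives only when every instance concerns the same file. The heartbeat contents are constructed to mirror the two cases in the text (three events for Test_6_file.sh; 21 events across several files); the Execution of Unrecognized Software Blocked event name is an assumption.

```python
from collections import defaultdict

UNRECOGNIZED_ALLOWED = "Execution of Unrecognized Software Allowed"   # named on the page
UNRECOGNIZED_BLOCKED = "Execution of Unrecognized Software Blocked"   # assumed event name


def aggregate_heartbeat(events):
    """events: list of (event_name, file_path) reported by one Agent heartbeat.

    Returns one log entry per event name: {"event", "file", "repeat_count", "aggregated"}.
    """
    files_by_event = defaultdict(list)
    for name, path in events:
        files_by_event[name].append(path)
    log = []
    for name, paths in files_by_event.items():
        distinct = set(paths)
        log.append({
            "event": name,
            # the file name is kept only when all instances are for one file
            "file": paths[0] if len(distinct) == 1 else None,
            "repeat_count": len(paths),
            "aggregated": len(paths) > 1,
        })
    return log


def named_entries(log):
    """Entries that still carry a file name: the ones to respond to first, since
    the text notes that nameless aggregates tend to stop once these are handled."""
    return [entry for entry in log if entry["file"] is not None]


# Constructed heartbeats mirroring the two cases in the text.
HEARTBEAT_SAME_FILE = [(UNRECOGNIZED_ALLOWED, "/opt/app/Test_6_file.sh")] * 3 + [
    (UNRECOGNIZED_BLOCKED, "/tmp/unknown.bin")]
HEARTBEAT_MANY_FILES = [(UNRECOGNIZED_ALLOWED, f"/var/www/page{i % 7}.php") for i in range(21)]


if __name__ == "__main__":
    for heartbeat in (HEARTBEAT_SAME_FILE, HEARTBEAT_MANY_FILES):
        for entry in aggregate_heartbeat(heartbeat):
            print(entry)
```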
Global Block

The Application Control Protection Module includes a global block-by-hash feature that enables administrators to submit known bad hash values to Deep Security for Application Control block list enforcement. This control recognizes a global rule set that includes a list of hash values to be blocked. This rule set takes precedence over any other rules from existing shared or local rule sets and will be enforced by every Deep Security Agent enabled with Application Control. This feature provides a simple way for administrators to block unwanted or bad software from running at a global, system-wide level. The design allows the workflow to be fully automated, with APIs for creating the global rule set and for adding and deleting hash values.

Pre-Approving Software Updates

Normally, you will want Application Control to alert you when there are any unexpected software updates. However, some updates are expected and you will need to provide allowances for these updates. Two methods for pre-approving software updates are maintenance mode and trusted installers.

Maintenance Mode

To avoid unnecessary downtime due to manual approvals, and to avoid receiving alerts about normal software updates, you can indicate when your maintenance window is. Enable Maintenance Mode while completing the updates. Application Control will still continue to block software that is in the Block rules, but it will allow new software and add new or changed software to the baseline inventory.

In Deep Security Manager, click the Computers menu. Locate and double-click a computer in the list to display its Details. Click the Application Control Protection Module and, in the Maintenance Mode section, click Turn On.
Set a time period for the maintenance window; this prevents scenarios where the administrator forgets to turn off Maintenance Mode once the update is complete. While Maintenance Mode is active, the computer Status displays as Managed (Online) but the Maintenance Mode column indicates that the mode is enabled.

Once the software update is complete, disable Maintenance Mode to start monitoring and enforcing your list of approved software once again. If that computer was using shared Allow or Block rules, the next time the Agent connects with Deep Security Manager it uploads the new rules. Deep Security Manager transmits these new rules to the other Deep Security Agents the next time they connect.

Trusted Updater

Application Control creates a software change event log whenever new executable files are detected on protected systems. Sometimes these changes are generated as part of the normal operation of trusted software. For example, when Windows self-initiates a component update, hundreds of new executable files may be installed. Application Control will auto-authorize file changes that are created by well-known Windows processes. Removing the noise associated with expected software changes gives you clearer visibility into changes that may need your attention.

Application Control Order of Analysis

Application Control continuously monitors for software changes on your protected servers. Based on the enforcement mode assignment, Application Control either prevents unauthorized software from running until it is explicitly allowed, or allows unauthorized software until it is explicitly blocked. Which option you choose depends on the level of control you want over your environment.

[Flowchart: Application Control enabled → Software inventory created → Inventory change detected → Maintenance Mode on? (Y: Add to inventory) → N: Changed by trusted installer? (Y: Add to inventory) → N: Matches existing software rule? (Y: Allow or Block according to the rule) → N: Allow or Block by default]

Application Control uses the following order for verifying whether software should be blocked or allowed:

1. Enable Application Control in a policy or directly on a computer that is protected by a Deep Security Agent.

2. When the Agent receives the policy, it creates an inventory of all software installed on the computer. All software listed in the inventory is assumed to be safe and is allowed to run on that computer. This inventory list is not visible from Deep Security Manager, which means you need to be absolutely certain that only good software is installed on a computer where you intend to enable Application Control.

3. After the inventory is finished, Application Control is aware of any software changes on the computer. A software change could be new software that appears on the computer or changes to existing software.

4. If the computer is in Maintenance Mode, the Deep Security Agent adds the software to its inventory and it is allowed to run.

5. If the change was made by a trusted installer, the Deep Security Agent adds the software to its inventory and allows it to run. For example, when Microsoft Windows self-initiates a component update, hundreds of new executable files may be installed. Application Control auto-authorizes many file changes that are created by well-known Windows processes and does not list these changes in Deep Security Manager. Removing the noise associated with expected software changes gives you clearer visibility into changes that may need your attention.

6. If the computer's ruleset contains a rule for this exact piece of software, the software is allowed or blocked according to the rule that is in place.

7. If software is not in the computer's inventory and is not covered by an existing rule, it is considered unrecognized software. The policy assigned to the computer specifies how unrecognized software is handled: depending on the policy configuration, it is either allowed to run or blocked. If the software is blocked and it is able to produce error messages in the OS, an error message on the protected computer indicates that the software does not have permission to run or that access is denied. The unrecognized software appears on the Application Control - Software Changes page in Deep Security Manager. On that page, an administrator can click Allow or Block to create an Allow or Block rule for that piece of software on a particular computer. An Allow or Block rule takes precedence over the default action specified in the policy.

Resetting Application Control

Application Control is designed to assist your software change management process and is not designed for unregulated computers with continuous, large numbers of software changes. Too many changes make large rulesets that consume more RAM (unless you remove old rules each time). If you do not use Maintenance Mode during authorized software updates, too many changes can also result in a high administrator workload, because administrators must manually create Allow rules.

If unrecognized software changes exceed the maximum (based on system resources), Application Control stops detecting and displaying all of the computer's software changes. This prevents accidental or malicious stability and performance impacts: consuming too much memory, disk space and (for shared rulesets) network bandwidth. If that happens, Deep Security Manager notifies you through alerts and event logs. You must resolve the issue to continue detecting software changes.

• Examine the computer's processes and security events. Verify that the computer has not been compromised.
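The order of analysis above, modelled as an added example written for this guide (Python, not Trend Micro code): host names, paths, hashes and the trusted-installer list are constructed, and the global block-by-hash ruleset, Block-rule priority over the inventory and Maintenance Mode behaviour from earlier in the lesson are included in the same decision.

```python
"""Added example, not Trend Micro code: a small model of the Application
Control order of analysis described in this lesson. Host names, paths,
hashes and the trusted-installer list are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass
class SoftwareChange:
    """A new or changed executable detected after the baseline inventory."""
    path: str
    sha256: str            # constructed placeholder, e.g. "sha256:nginx"
    installer: str = ""    # process that wrote the file, when the Agent knows it


@dataclass
class Computer:
    name: str
    inventory: set           # hashes recorded at baseline; assumed safe
    rules: dict              # local or shared Allow/Block rules, keyed by hash
    default_action: Action   # policy setting for unrecognized software
    maintenance_mode: bool = False


# Global block-by-hash ruleset: enforced by every Agent with Application
# Control enabled and evaluated before any shared or local rule.
GLOBAL_BLOCK = {"sha256:constructed-known-bad"}

# Well-known installer processes whose file changes are auto-authorized
# (constructed list; the Agent's real list is maintained by Trend Micro).
TRUSTED_INSTALLERS = {"TrustedInstaller.exe", "TiWorker.exe"}


def evaluate(computer, change):
    """Apply the order of analysis to one change; return (Action, reason)."""
    h = change.sha256
    if h in GLOBAL_BLOCK:
        return Action.BLOCK, "global block by hash"
    # A Block rule wins even when the file is in the baseline inventory,
    # and Maintenance Mode does not lift it.
    if computer.rules.get(h) is Action.BLOCK:
        return Action.BLOCK, "block rule"
    if h in computer.inventory:
        return Action.ALLOW, "in inventory"
    if computer.maintenance_mode:
        computer.inventory.add(h)
        return Action.ALLOW, "maintenance mode: added to inventory"
    if change.installer in TRUSTED_INSTALLERS:
        computer.inventory.add(h)
        return Action.ALLOW, "trusted installer: added to inventory"
    if computer.rules.get(h) is Action.ALLOW:
        return Action.ALLOW, "allow rule"
    return computer.default_action, "unrecognized: policy default"


def resolve(computer, change, action):
    """The administrator clicks Allow or Block on the Software Changes page:
    a rule for that exact hash now overrides the policy default."""
    computer.rules[change.sha256] = action


def demo():
    """Run constructed changes through one computer; return the decisions."""
    web01 = Computer(
        name="web01",
        inventory={"sha256:nginx", "sha256:legacy-tool"},
        rules={"sha256:legacy-tool": Action.BLOCK, "sha256:hotfix": Action.ALLOW},
        default_action=Action.BLOCK,
    )
    changes = [
        SoftwareChange("/usr/sbin/nginx", "sha256:nginx"),
        SoftwareChange("/opt/legacy/tool", "sha256:legacy-tool"),
        SoftwareChange("/tmp/unexpected-binary", "sha256:constructed-known-bad"),
        SoftwareChange("C:/Windows/System32/new.dll", "sha256:winupd", "TiWorker.exe"),
        SoftwareChange("/opt/app/hotfix", "sha256:hotfix"),
        SoftwareChange("/home/dev/build", "sha256:unknown-1"),
    ]
    results = {c.path: evaluate(web01, c) for c in changes}
    # Unrecognized software was blocked by the policy default; after review
    # the administrator allows it, and the new rule beats the default.
    resolve(web01, changes[-1], Action.ALLOW)
    results["/home/dev/build (after Allow rule)"] = evaluate(web01, changes[-1])
    # Maintenance Mode: a fresh change is added to the inventory, but the
    # Block rule for legacy-tool still applies.
    web01.maintenance_mode = True
    results["/opt/app/v2 (maintenance)"] = evaluate(
        web01, SoftwareChange("/opt/app/v2", "sha256:app-v2"))
    results["/opt/legacy/tool (maintenance)"] = evaluate(web01, changes[1])
    return results, web01


if __name__ == "__main__":
    for path, (action, reason) in demo()[0].items():
        print(f"{action.value:5}  {path:40}  {reason}")
```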
If you are not sure, or do not have enough time, the safest and fastest way is to restore the system from a backup or VM snapshot. If you do not remove unauthorized software (including zero-day malware), Application Control will ignore it when you reset Application Control. It will no longer appear on the Actions tab, and if its process has already executed and is in RAM, Application Control will not log any events or alerts about it until you reboot the computer.

• If the computer was running software updates, including auto-updates such as browser, Adobe Reader or yum updates, disable them or schedule them so that they occur only when you have enabled Application Control's Maintenance Mode.

• Reset Application Control. To do this, disable Application Control. Once the Agent has acknowledged it and cleared the error status, enable Application Control again. Local rulesets will be rebuilt; shared rulesets will be downloaded again.

Review Questions

1. Describe the enforcement modes available for the Application Control protection module.

2. Why is it a good practice to run a full Anti-Malware scan on a server before enabling the Application Control protection module?

3. What methods are available for pre-approving software updates so that they do not trigger Application Control events?

Lesson 14: Inspecting Logs on Protected Servers

Lesson Objectives:

After completing this lesson, participants will be able to:

• Enable Log Inspection through a policy or directly on a computer
• Run a recommendation scan and apply the suggested Log Inspection rules
• Locate and view Log Inspection-related events

The Log Inspection protection module helps you identify important events that might be buried in your operating system and application logs.
These events can be sent to a Security Information and Event Management (SIEM) system or centralized logging server for correlation, reporting and archiving. All events are also securely collected in Deep Security Manager.

Log Inspection in Deep Security enables real-time analysis of third-party log files. The Log Inspection rules and decoders provide a framework to parse, analyze, rank and correlate events across a wide variety of systems. As with Intrusion Prevention and Integrity Monitoring, Log Inspection content is delivered in the form of rules included in a security update. These rules provide a high-level means of selecting the applications and logs to be analyzed. The Log Inspection module captures and analyzes system logs to provide audit evidence for PCI DSS or internal requirements that your organization may have.

[Figure: The Deep Security Agent reads the event log (EventA to EventG, 01Apr20 00:00:01 to 00:01:00, with severities Medium, Medium, Critical, Low, Low, Medium, Low); the rule "Severity level=Critical" selects the matching event, which is passed to event handling in Deep Security Manager]

The Open Source Security (OSSEC) Log Inspection engine is integrated into Deep Security and gives you the ability to inspect the logs and events generated by the operating systems and applications running on the computers. The Log Inspection module is equipped with a default decoder provided by Trend Micro, but it is possible to load custom versions, as well as to create custom Log Inspection rules using the OSSEC standard. Open Source Security is an open-source, agent-based security software package owned by Trend Micro; it forms the Log Inspection module of Deep Security and is integrated into every Deep Security Agent. This module takes elements of both the OSSEC server and client and combines them into an efficient log parser with categorization and correlation capabilities. This allows the Deep Security Agent to filter the logs before transmission to Deep Security Manager or output using syslog. This differs from Open Source Security, where the raw log stream is sent to the server.

Log Inspection rules can be assigned to computers through a policy or directly to a computer. Like Integrity Monitoring events, Log Inspection events can be configured to generate alerts in Deep Security Manager. Log Inspection requires running some analysis on the computer and is not supported in Agentless deployments.

Deep Security Manager collects Log Inspection events from Deep Security Agents at every heartbeat. The data from the logs is used to populate the various reports, graphs and charts in Deep Security Manager.

Enabling Log Inspection

Enabling Log Inspection in Deep Security typically involves the following steps:

1. Turning on Log Inspection in a policy or on a computer
2. Applying the Log Inspection rules that make sense for your purposes to a policy or to a computer

Turning on Log Inspection

You can enable the Log Inspection Protection Module in the settings for policies or for a computer.

Turning on Log Inspection in a Policy

Log Inspection protection can be assigned to policies at any level in the hierarchy. Any sub-policies with inheritance enabled will be assigned the Log Inspection protection settings.

To do this in a policy, click the Policies menu and double-click the policy to which you would like to assign protection. Click the Log Inspection Protection Module in the left-hand frame and, on the General tab, set the State to On or Inherited (On) and click Save.
Turning on Log Inspection on a Computer

To set Log Inspection protection on a computer, click the Computers menu. Locate and double-click a computer in the list to open its Details. In the left-hand pane, click the Log Inspection Protection Module and, on the General tab, set the Log Inspection Configuration to On and click Save.

Turning the module on at the computer level overrides the inheritance of settings from the policy.

Applying Log Inspection Rules

Deep Security ships with many pre-defined rules covering a wide variety of operating systems and applications. Under the Policies or Computers menu, click Log Inspection. On the General tab, the Assigned Log Inspection Rules section displays the rules that are in effect for this policy or computer. To add or remove Log Inspection rules, click Assign/Unassign. This displays a window showing all available Log Inspection rules, from which you can select or de-select rules.

Running a Recommendation Scan for Log Inspection

Run a Recommendation Scan on the server to get suggestions about Log Inspection rules that would be appropriate to implement on this computer. To do this, locate and double-click a supported computer in the Computers list and click the Log Inspection Protection Module in the left-hand frame. On the General tab, click Scan for Recommendations.

Some Log Inspection rules written by Trend Micro require local configuration to function properly. If you assign one of these rules to your computers, or one of these rules is assigned automatically, an alert is raised to notify you that configuration is required.

Best Practice: When improperly set, events for this feature can overwhelm the Deep Security database if too many log entries are triggered and stored. Rules should be set to gather only the security events relevant to your requirements.

As with Recommendation Scans for other protection modules, you can have Deep Security implement the recommended rules automatically. You can also select and manually assign rules.

Select the Recommended for Assignment list to view the rules that were suggested for implementation based on the applications on the server. Only enable the rules that make sense for your requirements.

Creating Log Inspection Rules

Although Deep Security ships with Log Inspection rules for many common operating systems and applications, you also have the option to create your own custom rules. To create a custom rule, you can either use the Basic Rule template or write your new rule in XML.

Viewing Log Inspection-Related Events

Deep Security Agents monitor the application and operating system logs defined by Log Inspection rules. Once an event with the relevant severity level is detected, the Deep Security Agent copies the event and uploads it to Deep Security Manager. Upon receipt of the log information, Deep Security Manager normalizes the information in the log using a decoder specifically designed for the log format sent. Deep Security Manager stores the event in the database and displays it in the Deep Security Manager console.

System Events

Log Inspection events for the entire system can be viewed under Events & Reports > Log Inspection Events.

Computer Events

Events can also be viewed for a specific computer by clicking the Log Inspection Events tab in the computer's Details.
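The decoder-rule-severity flow described under Viewing Log Inspection-Related Events, as an added example (Python written for this guide, not Deep Security or OSSEC code): a constructed syslog-style decoder and a constructed rule list classify constructed log lines, only lines written after inspection starts are read, and only events at or above a minimum severity are forwarded to the Manager.

```python
"""Added example, not Deep Security or OSSEC code: a minimal model of the
Log Inspection flow described in this lesson (decoder -> rule -> severity
-> forward to the Manager). The decoder, rules and log lines are constructed."""
import re
from dataclasses import dataclass

# Severity levels from lowest to highest, using the names the lesson uses.
LEVELS = ["Low", "Medium", "High", "Critical"]


@dataclass
class Rule:
    name: str
    pattern: re.Pattern   # tested against the decoded message field
    severity: str


# Constructed syslog-style decoder: timestamp, host, program[pid]: message.
SYSLOG_DECODER = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[\w./-]+)(?:\[\d+\])?: (?P<message>.*)$"
)

# Constructed rules in the spirit of OSSEC rules: first match wins.
RULES = [
    Rule("sshd: failed password", re.compile(r"^Failed password for"), "Medium"),
    Rule("sshd: accepted login", re.compile(r"^Accepted \w+ for"), "Low"),
    Rule("sudo: command run as root", re.compile(r"USER=root ; COMMAND="), "Medium"),
    Rule("audit log cleared", re.compile(r"audit log was cleared", re.I), "Critical"),
]


def decode(line):
    """Normalize one raw line into named fields, or None if no decoder fits."""
    m = SYSLOG_DECODER.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Decode a line and attach the first matching rule and its severity."""
    fields = decode(line)
    if fields is None:
        return None
    for rule in RULES:
        if rule.pattern.search(fields["message"]):
            return {**fields, "rule": rule.name, "severity": rule.severity}
    return None  # decoded, but no rule fired: nothing is reported


class LogInspector:
    """Reads only lines appended after inspection starts (the Agent cannot be
    pointed at a historical range) and forwards events whose severity is at
    or above the configured minimum."""

    def __init__(self, existing_lines, min_severity="Medium"):
        self.offset = len(existing_lines)       # history is never re-read
        self.min_level = LEVELS.index(min_severity)
        self.forwarded = []

    def poll(self, lines):
        """Inspect lines added since the last poll; return how many were read."""
        new = lines[self.offset:]
        self.offset = len(lines)
        for line in new:
            event = classify(line)
            if event and LEVELS.index(event["severity"]) >= self.min_level:
                self.forwarded.append(event)
        return len(new)


def demo():
    """Constructed log: two lines exist before inspection starts and are
    therefore never reported; four more arrive afterwards."""
    log = [
        "Apr  1 00:00:01 web01 sshd[811]: Failed password for root from 203.0.113.5 port 4022 ssh2",
        "Apr  1 00:00:10 web01 sshd[811]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2",
    ]
    inspector = LogInspector(log, min_severity="Medium")
    log += [
        "Apr  1 00:00:20 web01 sshd[812]: Accepted publickey for deploy from 198.51.100.7 port 51030 ssh2",
        "Apr  1 00:00:30 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
        "Apr  1 00:00:40 web01 auditd[412]: The audit log was cleared by user deploy",
        "this line matches no decoder and is dropped",
    ]
    read = inspector.poll(log)
    return read, inspector.forwarded


if __name__ == "__main__":
    count, events = demo()
    print(f"{count} new lines read, {len(events)} events forwarded")
    for e in events:
        print(e["severity"], e["rule"], e["message"], sep=" | ")
```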
Monitoring Windows Events

Log Inspection rules that monitor various Windows-related logs cause Deep Security Agents to monitor logs that are normally viewed through the Windows Event Viewer. If a relevant rule is applied, Deep Security Agents can monitor this log and read events that are being written to it.

The same event below appears in Windows Event Viewer and in Deep Security:

[Figure: the Windows Event Viewer record on the left and the corresponding Deep Security Log Inspection event on the right]

The Windows Event log record was generated when the Audit Log was cleared. Since the computer where the event occurred had a suitably configured Deep Security Agent, the Log Inspection module was able to obtain a copy of the event, generating the Deep Security Log Inspection event displayed on the right.

Note: Log Inspection can only read new events. This inspection feature cannot be set to retrieve a specific range of logs.

Review Questions

1. How can the Log Inspection protection module help identify important events in application logs on your protected servers?

2. You would like to inspect the log files on an existing SQL Server to help troubleshoot an issue that has been occurring over the last few weeks. You install and activate a Deep Security Agent on this server and enable Log Inspection with the appropriate rules. You notice that only new events are being retrieved. Why?
Lesson 15: Events and Alerts

Lesson Objectives:

After completing this lesson, participants will be able to:

• Forward events to external storage
• Configure alerts
• Tag events
• Filter data and create reports

Event Forwarding

Deep Security integrates with third-party logging and event storage devices. This can be used to configure dedicated log collection devices or applications (such as ArcSight and Splunk) for long log retention or large numbers of events. You can configure Deep Security Manager to instruct all managed computers to send logs to a SIEM, to Amazon Simple Notification Service or to SNMP computers.

Security Information and Event Management Server

If a customer has a large environment and requires log retention for a period longer than 3 months, it is recommended that they rely on a Security Information and Event Management (SIEM) system for event storage instead of the Deep Security database.

One very important design consideration is that syslog output can be sent directly from Deep Security Agents. If the Agents are located on different network segments, network and firewall restrictions must be configured to allow connectivity to the SIEM server.

If you select the Direct Forward option on the SIEM tab for a computer, you cannot select Log Event Extended Format 2.0 as the Syslog Format. Deep Security will only send events in LEEF format through Deep Security Manager.

Deep Security has been tested with the Enterprise version of these products:

• Splunk 6.5.1
• IBM QRadar 7.2.8 Patch 3
• HP ArcSight 7.2.2

The syslog configuration for the SIEM is defined as a common object under the Policies menu.

Amazon Simple Notification Service

If you have an AWS account, you can take advantage of the Amazon Simple Notification Service (SNS) to publish notifications about Deep Security events and deliver them to subscribers. On the Event Forwarding tab, provide the details of the AWS account and select the type of events to publish.

SNMP

Deep Security supports SNMP for forwarding system events from Deep Security Manager to a computer. On Windows, the MIB file is located at:

..\Trend Micro\Deep Security Manager\util\DeepSecurity.mib

On Linux, the default location is:

/opt/dsm/util

Web Services API

To assist in deployment and integration into customer and partner environments, Deep Security includes a REST Web Services API. This allows easy, language-neutral methods to externally access data and program configurations.

If a customer wants to pull Deep Security events into their SIEM product but does not have syslog servers available in all required network segments, the recommended alternative is to pull the events directly from Deep Security Manager using the Web Services API. When using Web Services, events are not collected in real time: a heartbeat between Deep Security Manager and the Agent or Appliance needs to occur before the events appear in Deep Security Manager.

Note: Web Services API documents and samples are available on the Deep Security Automation Center web site at the following URL: https://automation.deepsecurity.trendmicro.com

Alerts

Alerts are generated when Deep Security requires your attention, such as an administrator-issued command failing or a hard disk running out of space. Deep Security includes a pre-defined set of alerts. Additionally, when you create Protection Module rules, you can configure them to generate alerts if they are triggered.

There are several ways to see which alerts have been triggered:

• They're displayed in the Alert Status dashboard widget in Deep Security Manager.
• They're displayed on the Alerts page in Deep Security Manager.
• You can get an email notification when an alert is triggered.
• You can generate alert reports.

Unlike security events and system events, alerts are not purged from the database after a period of time. Alerts remain until they are dismissed, either manually or automatically.

Viewing Alerts in the Deep Security Manager Web Console

The Alerts page in Deep Security Manager displays all alerts that have been triggered but not yet responded to. You can display alerts in a summary view that groups similar alerts together, or in a list view, which lists all alerts individually. To switch between the two views, use the menu next to Alerts in the page's title. You can also sort the alerts by time or by severity.

In summary view, expanding an alert panel (by clicking Show Details) displays all the computers (or users) that have generated that particular alert. Clicking the computer displays the computer's Details window. If an alert applies to more than five computers, an ellipsis ("...") appears after the fifth computer. Clicking the ellipsis displays the full list.

Once you have taken the appropriate action to deal with an alert, you can dismiss the alert by selecting the check box next to the target of the alert and clicking Dismiss. (In list view, right-click the alert to see the list of options in the context menu.) Alerts that cannot be dismissed (like Relay Update Service Not Available) are dismissed automatically when the condition no longer exists.

Note: In cases where an alert condition occurs more than once on the same computer, the alert shows the timestamp of the first occurrence of the condition. If the alert is dismissed and the condition reoccurs, the timestamp of the first re-occurrence is displayed.
Use the Computers filtering bar to view only alerts for computers in a particular computer group, with a particular policy, and so on.

Configure Alert Settings

To configure the settings for individual alerts, go to the Alerts page in Deep Security Manager and click Configure Alerts. This displays a list of all alerts. A green check mark next to an alert indicates that it is enabled. An alert is triggered if the corresponding situation occurs, and it appears in Deep Security Manager.

You can select an alert and click Properties to change other settings for the alert, such as the severity level and email notification settings.

Email Notifications for Alerts

Deep Security Manager can send emails to specific users when selected alerts are triggered. In the Deep Security Manager web console, provide the details of the SMTP mail server.

In the Alert Information details, specify which alerts cause email notifications to be sent. For example, you can send email only for the most critical alerts. Most alerts send email notifications by default.

Specify which administrators will receive email notifications by configuring their user accounts. With this option, email is sent regardless of the configuration of the user accounts. Click Administration > Users to configure the administrators who receive the alerts.

Event Tagging

Deep Security enables you to create tags that you can use to identify and sort events. For example, you might use tags to separate events that are benign from those that require further investigation. You can use tags to create customized dashboards and reports. Although you can use event tagging for a variety of purposes, it was designed to ease the burden of event management. After you have analyzed an event and determined that it is benign, you can look through the event logs of the computer (and any other similarly configured and tasked computers) to find similar events and apply the same label to them, eliminating the need to analyze each event individually.

In Deep Security, a tag is an additional attribute that can be applied to a Deep Security Event and can be used for all Deep Security Events; however, an additional type of tagging based on a Trusted Source is only available for Integrity Monitoring. Tags can be used as sorting criteria just like any other Event properties. You can use them to create customized dashboards and reports. You can use tags to control analysis workflow by hiding already analyzed Events or identifying Events that require further analysis.

Note: Tags do not alter the data in the Events themselves, nor do they allow users to delete Events. They are simply extra attributes provided by Deep Security Manager.

A typical use of tagging is to distinguish between Events that have been investigated and found to be benign and those that require action. Events can be manually tagged on an ad-hoc basis, or they can be automatically tagged using one of two available auto-tagging systems.

Manual Tagging

You can manually apply tags to Events by right-clicking the Event and then clicking Add Tag(s). To manually tag this Event only, click Selected Integrity Monitoring Event. The tag is applied to this instance of the Event only.

Standard Auto-Tagging

Standard Auto-Tagging uses an existing Event as the model for auto-tagging existing and/or future Events on the current or any other computers. The parameters for similarity are defined by selecting which Event attributes have to match the model Event's attributes for a tag to be applied.
To use auto-tagging, right-click the Event, click Add Tag(s), then click Apply to selected and similar Integrity Monitoring Event.

Identify the computers to which the auto-tags may apply. Select the criteria for the automatic tagging. Auto-tagging can be applied to all existing and future Events, or only to future Events. Optionally, save the tag details. The Event list is refreshed with the tags matching the selected criteria.

Trusted Source Auto-Tagging

Trusted Source Auto-Tagging applies tags automatically to Events based on their similarity to known-good Events that occur on a trusted computer. Trusted Source Event Tagging is designed to reduce the number of Events that need to be analyzed by automatically identifying Events associated with authorized changes.

In addition to auto-tagging similar Events, the Integrity Monitoring module allows you to tag Events based on their similarity to Events and data found on trusted sources. A trusted source can be either a Local Trusted Computer, the Trend Micro Certified Safe Software Service, or a Trusted Common Baseline.

Local Trusted Computer

A Local Trusted Computer is a computer that is used as a model computer that you know will only generate benign or harmless Events. A target computer is a computer that you are monitoring for unauthorized or unexpected changes. The auto-tagging rule examines Events on target computers and compares them to Events from the trusted computer. If any Events match, they are tagged with the tag defined in the auto-tagging rule.

You can establish auto-tagging rules that compare Events on protected computers to Events on a Trusted Computer. For example, a planned roll-out of a patch can be applied to the Trusted Computer. The Events associated with the application of the patch can be tagged as Patch X. Similar Events raised on other systems can be auto-tagged and identified as acceptable changes and filtered out to reduce the number of Events that need to be evaluated.

Integrity Monitoring Events contain information about transitions from one state to another. When comparing Events, the auto-tagging engine looks for matching before and after states; if the two Events share the same before and after states, the Events are judged to be a match and a tag is applied to the second Event.

[Figure: Trusted Source Events. On the Trusted Computer, the initial state is scanned (run IM rules and generate data) to generate a baseline, and that data becomes the Trusted Computer Baseline. Each subsequent scheduled or real-time scan (first changed state, second changed state) compares its data with the Trusted Computer Baseline; the differences between the data and the baseline become, or are added to, the Trusted Source Events, and the Trusted Computer Baseline is updated with the new data.]

When using a Local Trusted Computer for Trusted-Source-Based Event Tagging, the Events being tagged are Events generated by Deep Security Integrity Monitoring rules. This means that the Integrity Monitoring rules that are generating Events on the target computer must also be running on the Local Trusted Source computer. Utilities that regularly make modifications to the content of files on a system (prelinking on Linux, for example) can interfere with Trusted-Source Auto-Tagging.

Trend Micro Certified Safe Software Service

The Certified Safe Software Service is a list of known-good file signatures maintained by Trend Micro.
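The Trusted Source comparisons, as an added example (Python written for this guide, not Trend Micro code): Local Trusted Computer matching on before and after states, the Certified Safe Software Service matching only the after-change signature against a known-good list, and the Trusted Common Baseline method described in the next section matching the after-change signature elsewhere in the group's baseline. Computer names, paths and "sha256:..." signatures are constructed, and the requirement that a Local Trusted Computer match concern the same file path is an assumption of this example.

```python
"""Added example, not Trend Micro code: the three Trusted Source comparisons
described in this lesson, applied to constructed Integrity Monitoring Events.
Computer names, paths and "sha256:..." signatures are constructed."""
from dataclasses import dataclass, field


@dataclass
class IMEvent:
    """An Integrity Monitoring Event: one entity moving from a before state
    to an after state on one computer. States are file signatures here."""
    computer: str
    entity: str
    before: str
    after: str
    tags: list = field(default_factory=list)


def tag_by_trusted_computer(trusted_events, target_events, tag):
    """Local Trusted Computer: tag a target Event when the trusted computer
    recorded the same before -> after transition. Assumption made here: the
    transition must concern the same entity (file path) as well."""
    known = {(e.entity, e.before, e.after) for e in trusted_events}
    for e in target_events:
        if (e.entity, e.before, e.after) in known:
            e.tags.append(tag)
    return target_events


def tag_by_certified_safe_software(events, known_good, tag="Certified Safe Software"):
    """Certified Safe Software Service: only the after-change signature is
    compared with the known-good list (a constructed stand-in here)."""
    for e in events:
        if e.after in known_good:
            e.tags.append(tag)
    return events


def tag_by_common_baseline(events, group_baseline, tag):
    """Trusted Common Baseline: only the after-change signature is compared,
    and it must match an entry in another group member's baseline data."""
    for e in events:
        for computer, files in group_baseline.items():
            if computer != e.computer and e.after in files.values():
                e.tags.append(tag)
                break
    return events


def demo():
    """Roll a constructed patch out on trusted01, then tag web02's Events."""
    # The same Integrity Monitoring rules run on the trusted and target hosts.
    trusted_events = [
        IMEvent("trusted01", "/usr/sbin/sshd", "sha256:sshd-8.4", "sha256:sshd-8.9"),
        IMEvent("trusted01", "/etc/ssh/sshd_config", "sha256:cfg-v1", "sha256:cfg-v2"),
    ]
    target_events = [
        IMEvent("web02", "/usr/sbin/sshd", "sha256:sshd-8.4", "sha256:sshd-8.9"),
        IMEvent("web02", "/etc/ssh/sshd_config", "sha256:cfg-v1", "sha256:cfg-v2"),
        IMEvent("web02", "/etc/cron.d/nightly", "sha256:none", "sha256:cron-x"),
    ]
    # Constructed stand-in for the Trend Micro known-good signature list.
    known_good = {"sha256:sshd-8.9"}
    # Baseline data of the common-baseline group; web01 was patched earlier.
    group_baseline = {
        "web01": {"/usr/sbin/sshd": "sha256:sshd-8.9", "/etc/ssh/sshd_config": "sha256:cfg-v1"},
        "web02": {"/usr/sbin/sshd": "sha256:sshd-8.4", "/etc/ssh/sshd_config": "sha256:cfg-v1"},
        "web03": {"/usr/sbin/sshd": "sha256:sshd-8.4", "/etc/ssh/sshd_config": "sha256:cfg-v1"},
    }
    tag_by_trusted_computer(trusted_events, target_events, "Patch X")
    tag_by_certified_safe_software(target_events, known_good)
    tag_by_common_baseline(target_events, group_baseline, "Common Baseline")
    return {e.entity: list(e.tags) for e in target_events}


if __name__ == "__main__":
    for entity, tags in demo().items():
        print(f"{entity:24} {tags or ['(needs review)']}")
```

The untagged cron entry is what remains for an analyst to look at; the config change carries only the Patch X tag because a configuration file has no known-good signature and no other group member has the new version yet.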
This type of Trusted Source tagging monitors target computers for file-related Integrity Monitoring Events. When an Event has been recorded, the file's signature (after the change) is compared to Trend Micro's list of known-good file signatures. If a match is found, the Event is tagged.

Trusted Common Baseline

The Trusted Common Baseline method compares Events within a group of computers. A group of computers is identified, and a common baseline is generated based on the files and system states targeted by the Integrity Monitoring rules in effect on the computers in the group. When an Integrity Monitoring Event occurs on a computer within the group, the signature of the file after the change is compared to the common baseline. If the file's new signature has a match elsewhere in the common baseline, a tag is applied to the Event.

Note: In the Trusted Computer method, the before and after states of an Integrity Monitoring Event are compared, but in the Trusted Common Baseline method, only the after state is compared.

This method relies on all the computers in the common group being secure and free of malware. A full Anti-Malware scan should be run on all the computers in the group before the common baseline is generated.

When an Integrity Monitoring baseline is generated for a computer, Deep Security first checks whether that computer is part of a Trusted Common Baseline group. If it is, it includes the computer's baseline data in the Trusted Common Baseline for that group. For this reason, the Trusted Common Baseline Auto-Tagging Rule must be in place before any Integrity Monitoring rules have been applied to the computers in the common baseline group.

Reporting

Event information can be published in a report. Deep Security Manager produces reports in PDF, RTF and, in the case of certain reports, XLS formats.
Most of the reports have configurable parameters such as date range or reporting by computer group. Deep Security uses the JasperReports open source reporting library and includes a collection of built-in reports. If changes or additional reports are required, send a request to Trend Micro Support.

The Deep Security reports are available from the Events and Reports menu. Depending on which protection modules are used, different reports will be available in the Report list:

• Alert Report: List of the most common alerts
• Anti-Malware Report: List of the top 25 infected computers
• Attack Report: Summary table with analysis activity, divided by mode
• Computer Report: Summary of each computer listed on the Computers tab
• DPI Rule Recommendation Report: Intrusion Prevention rule recommendations. This report can be run for only one security policy or computer at a time
• Firewall Report: Record of Firewall Rule and Stateful Configuration activity
• Forensic Computer Audit Report: Configuration of an Agent on a computer
• Integrity Monitoring Baseline Report: Baseline of the host(s) at a particular time, showing Type, Key, and Fingerprinted Date
• Integrity Monitoring Detailed Change Report: Details about the changes detected
• Security Module Usage Report: Current computer usage of protection modules
• Integrity Monitoring Report: Summary of the changes detected
• Intrusion Prevention Report: Record of Intrusion Prevention rule activity
• Log Inspection Detailed Report: Details of log data that has been collected
• Log Inspection Report: Summary of log data that has been collected
• Recommendation Report: Record of recommendation scan activity
• Security Module Usage Cumulative Report: Current computer usage of protection modules, including a cumulative total and the total in blocks of 100
• Summary Report: Consolidated summary of Deep Security activity
• Suspicious Application Activity Report: Information about suspected malicious activity
• System Event Report: Record of system (non-security) activity
• System Report: Overview of Computers, Contacts, and Users
• User and Contact Report: Content and activity detail for Users and Contacts
• Web Reputation Report: List of computers with the most web reputation events

Any of these reports can also be set up to run automatically on a regular basis from the Recurring Reports tab. These reports are simply scheduled tasks that periodically generate and distribute reports to any number of users and contacts. Most of the options are identical to those for single reports.

Filtering Report Data

After selecting the desired report, use the options to filter the report data.

Filtering by Tag

Deep Security enables you to create tags that you can use to identify and sort events. For example, you might use tags to separate events that are benign from those that require further investigation. You can use tags to create customized dashboards and reports. Although you can use event tagging for a variety of purposes, it was designed to ease the burden of event management.
After you have analyzed an event and determined that it is benign, you can look through the event logs of the computer (and any other similarly configured and tasked computers) to find similar events and apply the same label to them, eliminating the need to analyze each event individually.

Filtering by Date and Time

You can set a date and time filter for any period for which records exist. This is useful for security audits. Time filter options include:

• Last 24 Hours: Includes events from the past 24 hours, starting and ending at the top of the hour. For example, if you generate a report on December 5th at 10:14am, you will get a report for events that occurred between December 4th at 10:00am and December 5th at 10:00am.
• Last 7 Days: Includes events from the past week. Weeks start and end at midnight (00:00). For example, if you generate a report on December 5th at 10:14am, you will get a report for events that occurred between November 28th at 0:00am and December 5th at 0:00am.
• Previous Month: Includes events from the last full calendar month, starting and ending at midnight (00:00). For example, if you select this option on November 15, you will receive a report for events that occurred between midnight October 1 and midnight November 1.
• Custom Range: Enables you to specify your own date and time range for the report. In the report, the start time may be changed to midnight if the start date is more than two days ago.

Reports use data stored in counters which are aggregated periodically from Events. Counter data is aggregated on an hourly basis for the most recent three days. Data from the current hour is not included in reports. Data older than three days is stored in counters that are aggregated on a daily basis.
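The four time-filter options and the hourly/daily counter granularity described above, computed in Python as an added example rather than Deep Security code. The sample dates are constructed, and the exact rule for moving a Custom Range start back to midnight is an assumption stated in the code.

```python
from datetime import datetime, timedelta

# Counters are hourly for the most recent three days (today and the two days before it)
# and daily beyond that; the current, still-open hour is never reported.
HOURLY_COUNTER_DAYS = 3


def _top_of_hour(t: datetime) -> datetime:
    return t.replace(minute=0, second=0, microsecond=0)


def _midnight(t: datetime) -> datetime:
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def last_24_hours(now: datetime):
    """Last 24 Hours: starts and ends at the top of the hour, so the current hour is excluded."""
    end = _top_of_hour(now)
    return end - timedelta(hours=24), end


def last_7_days(now: datetime):
    """Last 7 Days: weeks start and end at midnight, so the window ends at 00:00 today."""
    end = _midnight(now)
    return end - timedelta(days=7), end


def previous_month(now: datetime):
    """Previous Month: the last full calendar month, midnight to midnight."""
    end = _midnight(now).replace(day=1)               # 00:00 on the 1st of this month
    start = (end - timedelta(days=1)).replace(day=1)  # 00:00 on the 1st of last month
    return start, end


def custom_range(now: datetime, start: datetime, end: datetime):
    """Custom Range: returns (start, end, resolution).

    Assumption made for this example: "more than two days ago" means the start date
    lies before the hourly-counter window, i.e. earlier than today minus two days.
    Such a start can only be served from daily counters, so it is moved back to
    midnight; a start inside the window is kept at hourly resolution. The end is
    capped at the top of the current hour because the current hour is not reported.
    """
    hourly_window_begins = _midnight(now) - timedelta(days=HOURLY_COUNTER_DAYS - 1)
    if start < hourly_window_begins:
        start, resolution = _midnight(start), "daily"
    else:
        start, resolution = _top_of_hour(start), "hourly"
    end = min(end, _top_of_hour(now))
    return start, end, resolution


if __name__ == "__main__":
    report_time = datetime(2020, 12, 5, 10, 14)  # constructed: December 5th at 10:14am
    print("Last 24 Hours:", last_24_hours(report_time))
    print("Last 7 Days:  ", last_7_days(report_time))
    print("Prev. Month:  ", previous_month(datetime(2020, 11, 15, 9, 0)))
    print("Custom:       ", custom_range(report_time, datetime(2020, 12, 1, 8, 30), report_time))
```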
For this reason, the time period covered by reports for the last three days can be specified at an hourly level, but beyond three days, the time period can only be specified on a daily level.

Filtering by Computer

Another option for filtering the report data is to identify the computers whose data will be included in the report.

• All Computers: Include data for every computer listed in Deep Security Manager.
• My Computers: Include data only for the computers to which you have access rights.
• In Group: Include data for computers in a Deep Security group.
• In Smart Folder: Include data for computers in a Smart Folder.
• Using Policy: Include data for computers using a specific protection policy.
• Computer: Include data for a single computer.

Note: To save time when generating a report on specific computers from multiple computer groups, create a user who has viewing rights only to the computers you require, and then either create a Scheduled Task to regularly generate an All Computers report for that user, or sign in as that user and run a My Computers report. Only the computers to which that user has viewing rights will be included in the report.

Encrypting Reports

Reports can be protected with the password of the currently signed-in user or with a new password that is specific to this report.

• Disable Report Password: Report is not password protected.
• Use Custom Report Password: Create a one-time-only password for this report.
• Use Current User's Report Password: Use the current User's PDF report password. To view or modify the User's PDF report password, go to Administration > User Management > Users > Properties > Settings > Reports.

Review Questions

1 What methods are available for forwarding event details from Deep Security?
2 How do you identify which administrators receive email notifications of Alerts being triggered in Deep Security?

3 Describe the purpose of event tagging.

Lesson 16: Protecting Containers

Lesson Objectives:

After completing this lesson, participants will be able to:

• Describe the components required to run containers
• Describe how Deep Security can protect components of the container environment

Infrastructure changes in the datacenter are prompting organizations to re-evaluate how applications are developed and deployed. In many organizations, monolithic applications that are difficult to deploy and are tied to a specific piece of hardware are being re-engineered into smaller microservices that are easier to deploy and update and are also operating system agnostic.

Continuous Integration/Continuous Deployment

Continuous Integration and Continuous Delivery (CI/CD) comprise a set of operating principles and practices that enable development teams to deliver product changes on a more frequent basis, with a higher level of quality and reliability. In the context of cybersecurity, CI/CD practices are put in place as part of the software development process.

Continuous Integration practices encourage development teams to implement small changes and check the code into version control repositories frequently. Automated mechanisms are integrated into the process to build, package, and test the applications. Defects and other software quality issues are easier to identify on smaller code differentials developed over a shorter period of time. Since commit cycles are shorter, it is less likely that multiple developers will be editing the same code, resulting in fewer merges when committing the code. With consistent integration processes in place, teams are likely to commit code changes more frequently, which leads to better collaboration and software quality.
Continuous Delivery picks up where Continuous Integration ends, automating the delivery of applications to selected infrastructure environments. Continuous Delivery provides automation to push code changes to testing and production systems, along with any necessary service calls to web servers, databases, and other services that may need to be restarted or follow other procedures when applications are deployed. Continuous Integration and Delivery require continuous testing, usually implemented as a set of automated regression, performance, and other tests that are executed in the CI/CD pipeline, as the goal of the process is to deliver quality applications and code to users.

In the context of security, finding issues earlier in the CI/CD pipeline allows developers to discover and remedy the situation earlier. This helps reduce the cost and risk of fixing vulnerabilities after the applications are in production.

DevOps

The concept of DevOps is founded on building a culture of collaboration between the development and operations teams that historically functioned in relative silos. In the traditional software development process, those who write the code and those who deploy and support that code were organizationally separate. The Development and Operations teams had separate responsibilities, and sometimes competing objectives. These teams had different management structures with different performance indicators by which they were judged. In many cases they were physically separated, in different locations.

Development Responsibilities        Operations Responsibilities
Product design                      Infrastructure management
Development                         Server operation
Delivery                            Tools
Create new features                 Maintenance
                                    Keep applications running without downtime

The fact that separate groups had different responsibilities made CI/CD difficult and prevented organizations from taking advantage of the speed and quality benefits of the process.
The movement towards a DevOps model allows organizations to improve collaboration between the teams and release products faster, with improved quality and security and increased customer satisfaction. With both teams working together, security considerations, which were traditionally the domain of the Operations team, can be incorporated into earlier phases of the cycle.

Software Development Using Containers

Many organizations are implementing CI/CD practices in their software development process through the use of containers. A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. This lightweight, standalone, executable package of software includes everything needed to run an application: code, runtime, system tools, system libraries and settings. Containerized software will always run the same, regardless of the infrastructure, as it isolates software from its environment. Containers package software into standardized units for development, shipment and deployment.

Containers remove some of the challenges associated with the typical application development methodology. The benefits of using containers are numerous, including:

• Containers are lightweight: Containers are abstracted from the operating system and leverage and share the host kernel. Sharing OS resources, such as libraries, significantly reduces the need to reproduce the operating system code, allowing a server to run multiple workloads with a single operating system installation.
• Containers are very flexible: Most applications can be containerized, allowing existing applications to be ported, in addition to new development projects.
• Containers are interchangeable: Containerized applications are easy to update and upgrade. You can replace one or all containers in a very short amount of time.
• Containers are portable: Applications can be developed locally but deployed anywhere regardless of the host operating system. This removes the complexity of having to code for different operating systems and of maintaining multiple versions of an application.
• Containers are scalable: Applications that are developed for containers can be replicated and distributed easily. New containers can be spun up or removed as necessary to address scaling requirements.
• Containers are stackable: Applications that are developed for containers can be added on to (or stacked). With containers, applications can be updated easily by replacing targeted parts of the application without having to re-install or upgrade the entire application.

In some ways, containers behave like a virtual machine. Unlike a virtual machine, containers don't need to replicate an entire operating system, only the individual components they need in order to operate. This gives a significant performance boost and reduces the size of the application. They also operate much faster, as unlike traditional virtualization the process is essentially running natively on its host, just with an additional layer of protection around it.

[Figure: Virtual Machines versus Containers. Virtual machines: App A, App B and App C each run with their own Bins/Libs on their own Guest OS, on top of the Hypervisor, the Host Operating System and the Infrastructure. Containers: App A, App B and App C each run with their own Bins/Libs on the Docker Engine, sharing a single Operating System on the Infrastructure.]

Concepts and Terminology

To understand how Deep Security can help secure container deployments in the datacenter, it helps to understand some of the concepts and terminology that relate to the technology.

Image

An image is the package that contains everything that is needed to run an application. It includes the code, the runtime libraries, environment variables, configuration files, etc.
Images are built by developers and then run as-is everywhere without the need to be modified.

Repository

A repository is a collection of images. When images are put into a repository they are often tagged with information or a version. The repository stores the different versions of the images.

Tags

Images in a repository are identified by a numeric image ID, and as a result it can be difficult for an administrator to identify what the image refers to. Tags are a way of providing useful information about an image. Tags provide aliases to the images in a repository.

Registry

A registry is a storage and content delivery system for container images. This is where the containers are typically stored when built and where they are retrieved from when being deployed.

Container

A container is a runtime instance of an image. It is what the image becomes in memory when executed. Images are pulled from the registry and run. When images are running, they are called containers. A container is similar to a virtual machine but does not contain the host operating system.

Docker

Docker is a platform for developers and sysadmins to develop, deploy, and run applications with containers. The Docker platform allows for the abstraction of the running application from the host OS, meaning you can develop once and run anywhere. Docker allows you to connect to a registry and pull the images down to the local machine. Docker then instantiates the image and starts a running container. Docker can run multiple containers with multiple applications, but the idea is that the container is a self-contained piece of functionality.

In a virtualization environment, the operating system is included as part of the virtual machine. With containers, it's Docker that helps to abstract this layer. As such, Docker runs on the host and allows for use of the containers. Docker is similar to the ESXi server for VMware.
Note: Once images are running, they are called containers.

Kubernetes

Kubernetes is an open-source platform for managing containerized workloads and services. Imagine having tens, hundreds, or even thousands of containers that perform various tasks. Kubernetes provides a platform to help automate the deployment, scaling and operation of containerized applications. Kubernetes is the management plane for managing container workloads running on Docker.

[Figure: App A, App B and App C, each with their Bins/Libs, run as containers on the Docker Engine, with Kubernetes layered over the Docker Engine, on one Operating System and Infrastructure.]

The term Kubernetes is sometimes used as shorthand to describe the entire container environment; however, Docker and Kubernetes are different and perform different functions.

• Docker is a platform and tool for building, distributing, and running Docker containers.
• Kubernetes is a container orchestration system for Docker containers that is meant to coordinate clusters of nodes at scale in production in an efficient manner.

Kubernetes and Docker are fundamentally different technologies, but they work very well together, and both facilitate the management and deployment of containers in a distributed architecture. Kubernetes is similar to vCenter with VMware. Docker Swarm is another orchestration environment for containers.

Pods

Kubernetes uses pods to define what the application looks like. A pod consists of one or more containers that are guaranteed to be co-located on the host machine and can share resources; the pod also provides other information such as networking and security.

[Figure: A Pod grouping the App A, App B and App C containers (each with their Bins/Libs), on top of Kubernetes, the Docker Engine, the Operating System and the Infrastructure.]

Helm

Helm is a tool that streamlines installing and managing Kubernetes applications, and uses charts as its packaging format.
Chart

A chart is a collection of files that describe a related set of Kubernetes resources. A single chart might be used to deploy something simple, or something complex, like a full web app stack with HTTP servers, databases, caches, and so on. Charts are created as files laid out in a particular directory tree, then they can be packaged into versioned archives to be deployed. Helm and charts are a common method to deploy Kubernetes applications.

Container Development Process

Continuous Integration/Continuous Deployment (or CI/CD) methodologies can be used as part of the development of applications housed in containers.

[Figure: Development > Commit > Build > Store > Deploy]

1 Software developers write the code that will eventually become the application executed by end users.
2 Once the code is complete, developers check the code in and commit it to a source repository such as Github, Bitbucket or SVN.
3 Once checked in, an automated process is launched using Jenkins or a similar automation platform to build an image from the software code.
4 In the case of containers, another automated process is triggered to tag the image and push it to the registry.
5 Once in the registry, a final automated process is launched to deploy the image to production as a running container (or set of containers).

This can be repeated for multiple parts of the application, resulting in multiple container images for a given application. When the application is ready to be pushed to production, a Helm chart is created to describe what the application looks like and how it will be deployed. The application can then be deployed using the Helm chart in a quick and easy manner. The application is now running and can be accessed and executed by end users. This process repeats continually as developers create and update code and check it in, ultimately building, pushing and deploying new containers to production.
Applications can be developed with no system dependencies, updates can be pushed to any part of a distributed application, and resource density can be optimized.

Protecting Containers With Deep Security

The benefits of a Docker deployment are real, but so is the concern about the significant attack surface of the Docker host's operating system (OS) itself. Like any well-designed software deployment, OS hardening and the use of best practices for your deployment provide a solid foundation as a starting point. Once you have a secure foundation in place, adding Deep Security to your deployment gives you access to Trend Micro's extensive experience protecting physical, virtual, and cloud workloads as well as to real-time threat information from the Trend Micro Smart Protection Network. Deep Security provides full lifecycle protection for your deployment.

[Figure: Build Pipeline (Development > Commit > Build > Store) followed by Runtime (Deploy)]

Protecting the Software Build Pipeline

Deep Security also ensures security throughout the container lifecycle with advanced pre-runtime image scanning that can be integrated in the CI/CD pipeline. Deep Security provides pre-runtime scanning and detection on images in the registry for:

• Vulnerabilities across all packages and layers in the image
• Malware, using signature matching and machine-learning powered techniques
• Embedded secrets, including passwords, private keys, and license keys
• Compliance, using pre-made or custom compliance policies through OpenSCAP scanning on Red Hat images
• Indicators of Compromise (IoC), using Yara rules to create custom queries for any string, including suspicious hash values

Many security issues get introduced in the software build pipeline by using outdated public containers with potentially vulnerable and outdated packages installed within them. No release of public images, even if they are up to date, is completely free of vulnerabilities.
While developers can create containers from scratch, many containers are built with old base images and outdated dependencies. Deep Security provides continuous scanning of registry images, with default registry scanning every 24 hours (user configurable), using the latest intelligence from Trend Micro Research. Images that were scanned and determined clean when they first reached the registry may contain vulnerabilities that have yet to be disclosed. Using Trend Micro's latest threat intelligence and Deep Security's continued registry scanning, images will be scanned regularly for new and emerging vulnerabilities.

After the image is scanned in the registry, the scan results (such as the number of malware detections, the severity of the malware, or the number and severity of vulnerabilities) can be used to decide whether a particular image should be promoted to an approved repository.

Deep Security Smart Check

When containers are used, Deep Security Smart Check provides a valuable step in the CI/CD pipeline. Software projects can be automatically built, tested, and pushed to the registry. Once pushed, the image may be instantly available to run in an orchestration environment. If malware or vulnerabilities exist in the image, then they become a risk when the image is run. Since images are intended to be immutable, the right time to scan the image is when it's first pushed to the registry and before it becomes a running container.

Deep Security Smart Check is a container image scanner from Trend Micro. It performs pre-runtime scans of Docker images to detect OS vulnerabilities and malware, enabling you to fix issues before they reach the orchestration environment (for example, Kubernetes).

[Figure: Development > Commit > Build > Store > Deploy, with Deep Security Smart Check in the pipeline]

Deep Security Smart Check can scan Docker images in any registry that implements the Docker Registry V2 API.
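An added example (not Smart Check's own code, and not its API schema) of the promotion decision described above: a CI/CD component that receives a scan-completed notification, gates promotion to the approved repository on the scan's malware, vulnerability, secret and checklist findings, and flags images whose last scan is older than the 24-hour rescan interval. The payload shape, image names and thresholds are constructed for the illustration.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class PromotionPolicy:
    """Thresholds the organisation sets for promoting an image to its approved repository."""
    # None means "no limit" for that severity; severities follow the dashboard breakdown
    max_vulnerabilities: dict = field(
        default_factory=lambda: {"high": 0, "medium": 5, "low": None, "negligible": None})
    allow_malware: bool = False
    allow_secrets: bool = False
    required_checklists: tuple = ("PCI",)
    rescan_after: timedelta = timedelta(hours=24)   # default registry rescan interval


def evaluate_scan(scan: dict, policy: PromotionPolicy):
    """Return (promote, reasons) for one completed scan summary."""
    reasons = []
    malware = scan["malware"]["count"]
    if malware and not policy.allow_malware:
        reasons.append(f"{malware} malware finding(s)")
    for severity, limit in policy.max_vulnerabilities.items():
        found = scan["vulnerabilities"].get(severity, 0)
        if limit is not None and found > limit:
            reasons.append(f"{found} {severity}-severity vulnerabilities (limit {limit})")
    secrets = scan["contents"]["secrets"]
    if secrets and not policy.allow_secrets:
        reasons.append(f"{secrets} embedded secret(s) or key(s)")
    for name in policy.required_checklists:
        result = scan["checklists"].get(name)
        if result is None:
            reasons.append(f"checklist {name} was not evaluated")
        elif result["failed"]:
            reasons.append(f"{result['failed']} failed {name} checklist item(s)")
    return not reasons, reasons


def rescan_due(scan: dict, now: datetime, policy: PromotionPolicy) -> bool:
    """An image that was clean when pushed may carry vulnerabilities disclosed since."""
    completed = datetime.fromisoformat(scan["completed_at"])
    return now - completed >= policy.rescan_after


def handle_scan_completed(payload: str, policy: PromotionPolicy, now: datetime) -> dict:
    """Handler a CI/CD component could run on a scan-completed notification."""
    scan = json.loads(payload)
    if scan.get("status") != "completed":
        return {"image": scan.get("image"), "action": "wait", "reasons": [], "rescan_due": False}
    promote, reasons = evaluate_scan(scan, policy)
    return {
        "image": scan["image"],
        "action": "promote" if promote else "reject",
        "reasons": reasons,
        "rescan_due": rescan_due(scan, now, policy),
    }


# Constructed notification payloads (illustrative shape only, not the Smart Check API)
CLEAN_PAYLOAD = json.dumps({
    "image": "registry.example.internal/payments/api:1.4.2",
    "status": "completed",
    "completed_at": "2021-02-10T08:00:00+00:00",
    "malware": {"count": 0},
    "vulnerabilities": {"high": 0, "medium": 3, "low": 12, "negligible": 40},
    "contents": {"secrets": 0},
    "checklists": {"PCI": {"failed": 0}},
})
DIRTY_PAYLOAD = json.dumps({
    "image": "registry.example.internal/payments/worker:0.9.0",
    "status": "completed",
    "completed_at": "2021-02-10T08:00:00+00:00",
    "malware": {"count": 1},
    "vulnerabilities": {"high": 2, "medium": 3, "low": 0, "negligible": 7},
    "contents": {"secrets": 1},
    "checklists": {"PCI": {"failed": 0}},
})

if __name__ == "__main__":
    policy = PromotionPolicy()
    now = datetime(2021, 2, 11, 9, 0, tzinfo=timezone.utc)  # constructed clock
    for payload in (CLEAN_PAYLOAD, DIRTY_PAYLOAD):
        print(handle_scan_completed(payload, policy, now))
```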
Deep Security Smart Check provides the ability to:

• Detect OS-level and application-level vulnerabilities
• Detect malware
• Detect secrets and keys embedded in your applications
• Perform custom scan queries to find suspicious or unwanted files
• Verify compliance against checklists, such as PCI, HIPAA and NIST

All Deep Security Smart Check operations are available through a documented collection of APIs to simplify integration into your CI/CD pipeline. Deep Security Smart Check APIs can be invoked automatically by your CI/CD system to start scans when an image is pushed to a Docker registry. Scan results are also available through the API.

The Smart Check API includes a facility that allows CI/CD components to register to receive notifications of scan events, including scan-completed, allowing you to automate workflows. For example, a Docker image signing service could register to receive scan results and then use those results to decide whether a particular image should be digitally signed and promoted to a repository that is available to your orchestration environment. You could also forward scan results to a Slack channel or ServiceNow account.

Deep Security Smart Check also includes an administrator console that provides:

• A dashboard (system-wide summary of scan information, including metrics)
• User management
• Registry configuration
• Access to scan results
• Scan history

The Dashboard provides a summary of the scans completed:

• Malware: This item displays the total incidents of malware detected during the scans
• Content Findings: This item displays the number of secrets and keys embedded in your applications
• Vulnerabilities: This item displays the number of vulnerabilities detected during the scans, broken down into High, Medium, Low and Negligible priority
• Checklists: This item displays findings against compliance checklists
Click a link in the Registries section to view the details of the findings for that Registry.

Deep Security Smart Check supports the scanning of Docker images in any registry that supports the Docker Registry V2 API and allows catalog listing. Tested registries include:

• Docker Trusted Registry (DTR)
• Google Container Registry (GCR)
• Amazon Elastic Container Registry (ECR)
• VMware Harbor
• Nexus
• Quay

To integrate Deep Security Smart Check into your pipeline, you will need to write integration logic to trigger scanning based on the event model of your registry. For example, Google Container Registry uses a pub/sub model to publish events about registry activity, and Docker Trusted Registry uses a Webhook model.

Protecting the Host at Runtime

Once images are approved and pushed to the registry, they are then allowed to be instantiated into running containers. These containers can be run on a host with Docker and, optionally, Kubernetes as the orchestration layer. In this environment, all the running containers in a container stack share the same kernel and OS. If the host is compromised, all the containers on the node are at risk.

Deep Security supports full policy protection for your Docker hosts. This is important because threats can also be introduced into an organization through the container platform.

Deep Security protects your Docker hosts and containers running on Linux distributions.
Deep Security can do the following:

• Find and identify Docker hosts within your deployment
• Provide real-time anti-malware detection for the file systems used on Docker hosts and within the containers
• Shield Docker hosts and containers from vulnerabilities to protect them against known and zero-day exploits by virtually patching newly found vulnerabilities
• Assert the integrity of the Docker and Kubernetes hosts for continuous compliance and to protect your deployment, using the following techniques:
  - Prevent the unauthorized execution of applications on Docker hosts by helping you control which applications are allowed to run in addition to the Docker daemon
  - Monitor Docker and Kubernetes hosts for unexpected changes to system files
  - Notify you of suspicious events in your OS logs

Note: Deep Security runtime protection for Docker and Kubernetes works at the host system level. This means that the Deep Security Agent has to be installed on the Docker and Kubernetes system and not in the containers.

Protecting the Docker Host

The following Deep Security modules can be used to protect the Linux server hosting Docker:

• Intrusion Prevention (IPS)
• Anti-Malware
• Integrity Monitoring
• Log Inspection
• Application Control
• Firewall
• Web Reputation

Protecting Docker Containers

The following Deep Security modules can be used to protect Docker containers:

• Intrusion Prevention
• Anti-Malware

[Figure: App A to App E running as containers on Kubernetes, the Docker Engine, the Operating System and the Infrastructure. The containers are covered by Anti-Malware and Intrusion Prevention; the host Operating System is covered by Anti-Malware, Web Reputation, Firewall, Intrusion Prevention, Integrity Monitoring, Log Inspection and Application Control.]

Note: Although Deep Security Intrusion Prevention controls work at the host level, they also protect container traffic on the exposed container port numbers.
Since Docker allows multiple applications to run on the same Docker host, a single Intrusion Prevention policy is applied to all Docker applications. This means that recommendation scans cannot be relied upon for Docker deployments.

Protecting Kubernetes and Docker

Container users can benefit from Kubernetes and Docker platform protection at runtime with Intrusion Prevention, Integrity Monitoring and Log Inspection rules, using the Deep Security Agent installed on the host. The Deep Security Intrusion Prevention approach allows you to inspect both east-west and north-south traffic between containers and platform layers like Kubernetes. Deep Security monitors changes to key Docker and Kubernetes objects to detect compromised instances: it detects software changes (upgrades, downgrades, removal), monitors binaries for attribute changes, monitors running processes, and detects changes to critical files and permissions in key directories. The Deep Security Agent also scans ingress/egress container traffic and monitors for attacks, as well as monitoring file system activity and running processes for malware.

Rules can be enabled in the following Protection Modules to ensure that the environment is safe:

• Intrusion Prevention
• Log Inspection
• Integrity Monitoring

[Figure: App A to App E on Kubernetes and the Docker Engine; Intrusion Prevention rules, Integrity Monitoring rules and Log Inspection rules applied at the Operating System layer, on the Infrastructure.]

Deep Security inspects traffic and monitors key objects to detect compromised Docker and Kubernetes instances.
Anomalies in Kubernetes behavior that could signal an attack on the platform include the following:

• Software upgrades, downgrades or removal
• Attribute changes for binaries
• Modification of running processes
• Modifications to critical files
• Modifications to iptables rules
• Modifications to permissions for key directories

Scanning of inter-container traffic is available in Deep Security 20. A policy setting in the Intrusion Prevention Protection Module enables this capability.

Deep Security 20 includes Intrusion Prevention Rules to protect against the following known Kubernetes vulnerabilities:

• CVE-2018-18264
• CVE-2019-1002100
• CVE-2018-1002105

Review Questions

1 Deep Security runtime protection can protect running containers as well as what key components of the container infrastructure?

2 What is the benefit of Deep Security Smart Check in the Continuous Integration/Continuous Deployment (CI/CD) pipeline?

3 What is the difference between an image and a container?

4 What is the difference between Docker and Kubernetes?

5 What Trend Micro product offers pre-runtime scanning of containers? What Trend Micro product offers runtime protection of containers and the container infrastructure?
Lesson 17: Automating Deep Security Operations

Lesson Objectives:
After completing this lesson, participants will be able to:
• Use scheduled and event-based tasks to automate Deep Security operations
• Deploy Deep Security in Amazon Web Services or Azure using a Quick Start
• Bake the Deep Security Agent into an Amazon Web Services AMI
• Use the Deep Security REST API to access functionality programmatically

Deep Security provides multiple mechanisms for automating, monitoring, and managing security for servers in the data center, as well as mechanisms to speed up the protection of computers and other resources. These mechanisms include:
• Scheduled tasks
• Event-based tasks
• Quick Start templates
• Baking the Deep Security Agent into an Amazon Machine Image
• Application Programming Interfaces (API)

Scheduled Tasks

Deep Security has many tasks that you might want to perform automatically on a regular basis. Scheduled tasks are useful to keep your system up to date and functioning smoothly. They are especially useful for running scans on a regular basis during off-peak hours. The following Deep Security tasks are available for scheduling:
• Check for Security Updates: Regularly check for security updates and import them into Deep Security when they are available. For most organizations, performing this task once daily is ideal.
• Check for Software Updates: Regularly check for Deep Security Agent software updates and download them when they are available.
• Discover Computers: Periodically check for new computers on the network by scheduling a Discovery operation. You will be prompted for an IP range to check and asked to specify which computer group the new computers will be added to. This task is useful for discovering computers that are not part of your cloud connector.
• Generate and Send Report: Automatically generate reports and optionally have them emailed to a list of users.
• Run Script: If the Syslog options do not meet your event notification requirements, it may be possible for Trend Micro to provide a solution using custom-written scripts. Contact Trend Micro for more information.
• Scan Computers for Integrity Changes: Causes the Deep Security Manager to perform an Integrity Scan to compare a computer's current state against its baseline.
• Scan Computers for Malware: Schedules a Malware Scan. The configuration of the scan is the same as that specified on the Policy or Computer Editor > Anti-Malware page for each computer. For most organizations, performing this task once weekly (or according to your organization's policies) is ideal.
• Scan Computers for Open Ports: Schedule periodic port scans on one or more computers. You can specify individual computers or all computers belonging to a particular computer group. Deep Security Manager will scan the port numbers defined on the Scanning tab in the Policy or Computer Editor > Settings page.
• Scan Computers for Recommendations: Causes the Deep Security Manager to scan the computer(s) for common applications and then make recommendations based on what is detected. Performing regular Recommendation Scans ensures that your computers are protected by the latest relevant rule sets and that rules that are no longer required are removed. If you have set the Automatically implement Recommendations option for each of the three Protection Modules that support it, Deep Security will assign the rules that are recommended. Rules that are no longer needed will be displayed on the Recommended for Unassignment list. If rules are identified that require special attention, an alert will be raised to notify you. For most organizations, performing this task once a week is ideal.
Best Practice: Recommendation Scans can be CPU-intensive, so when scheduling Recommendation Scans, it is best practice to set the task by group (for example, per policy or for a group of computers, no more than 1,000 machines per group) and spread it across different days (for example, database server scans scheduled every Monday; mail server scans scheduled every Tuesday, and so on). Schedule Recommendation Scans more frequently for systems that change often.

• Send Outstanding Alert Summary: Generate an email listing all outstanding (unresolved) alerts.
• Send Policy: Regularly check for and send updated policies. Scheduled updates allow you to follow an existing change control process. Scheduled tasks can be set to update machines during maintenance windows, off hours, etc.
• Synchronize Cloud Account: Synchronize the Computers list with an added cloud account. (Only available if you have added a cloud account to the Deep Security Manager.)
• Synchronize Directory: Synchronize the Computers list with an added LDAP directory. (Only available if you have added an LDAP directory to the Deep Security Manager.)
• Synchronize Users/Contacts: Synchronize the Users and Contacts lists with an added Active Directory. (Only available if you have added an Active Directory to the Deep Security Manager.)
• Synchronize VMware vCenter: Synchronize the Computers list with an added VMware vCenter. (Only available if you have added a VMware vCenter to the Deep Security Manager.)

Creating Scheduled Tasks

To set up a scheduled task in the Deep Security Manager, click Administration > Scheduled Tasks > New. This opens the New Scheduled Task Wizard, which takes you through the steps to create a scheduled task.

Event-Based Tasks

Event-based tasks let you monitor protected computers for specific events and trigger other tasks based on certain conditions.
The following Deep Security tasks can be triggered automatically when certain conditions occur:
• Computer Created (by System): A computer being added to the manager during synchronization with an Active Directory or Cloud Provider account, or the creation of a virtual machine on a managed ESXi server running a virtual appliance.
• Computer Moved (by System): A virtual machine being moved from one vApp to another within the same ESXi, or a virtual machine on an ESXi being moved from one datacenter to another or from one ESXi to another (including from an unmanaged ESXi server to a managed ESXi server running a virtual appliance).
• Agent-Initiated Activation: An agent is activated using agent-initiated activation.
• Computer Powered On (by System): Enables users to trigger activation by the VMware Virtual Machine power-on event.
• IP Address Changed: A computer has begun using a different IP address.
• NSX Security Group Change: Certain situations will trigger this event (the event will be recorded on each affected virtual machine).

Creating Event-Based Tasks

In Deep Security Manager, click Administration > Event-Based Tasks > New. The wizard that appears will guide you through the steps of creating a new task. You will be prompted for different information depending on the type of task.

Event-Based Task Conditions

You can require specific match conditions to be met in order for the task to be carried out. If you specify multiple conditions, each of the conditions must be met for the task to be carried out. (In other words, multiple conditions are AND conditions, not OR.)

Quick Start Templates

Deep Security provides templates to automate the deployment of Deep Security Manager and its underlying infrastructure within Amazon Web Services and Microsoft Azure.
Deploying Deep Security Manager in Amazon Web Services Using a CloudFormation Template

A simple method for deploying Deep Security Manager within Amazon Web Services uses a CloudFormation template and AWS services (including the Relational Database Service). The Deep Security on AWS Quick Start deploys Deep Security and offers two license models:
• Per Protected Instance Hour
• Bring Your Own License (BYOL)

Note: A Virtual Private Cloud (VPC) and an Identity and Access Management (IAM) account for Deep Security Manager must be created in Amazon Web Services before running the CloudFormation template.

After deployment, you can modify the configuration to protect instances across your entire Amazon Web Services infrastructure. In the example that follows, Deep Security will be configured using the Bring Your Own License model.

Type the following URL in your Web browser to access the Deep Security on AWS Quick Start:
https://aws.amazon.com/quickstart/architecture/deep-security/

Select the licensing mode, for example Use in AWS Service Catalog (BYOL).

A CloudFormation template must be selected. The Trend Micro-supplied CloudFormation template for the Quick Start is identified in the Specify an Amazon S3 template URL field. Accept the default template URL.

Specify the details for the Deep Security installation.
Deep Security Configuration:
• Administrator username for Deep Security: Type a default Deep Security administrator name
• Administrator password for Deep Security: Type a password for the default Deep Security administrator name
• EC2 Key Pair for SSH access: Select the key pair used to access the AWS account
• Deep Security License Key: Since the BYOL license option was selected, type the license code supplied by Trend Micro

Network Configuration:
• VPC for Deep Security Components: Select the Virtual Private Cloud you created for Deep Security
• Public Subnet for Deep Security Managers: Select an existing subnet for Deep Security Manager. This must be a public subnet contained in the VPC chosen above.
• Primary private subnet for RDS: Select a private subnet for the RDS database. This must be a private subnet contained in the VPC chosen above.
• Secondary private subnet for RDS: Select a second private subnet for the RDS database. This must be a private subnet contained in the VPC chosen above.
• Choose the backend database: Select the type of database to be configured using RDS

RDS Configuration:
• Administrator username for RDS Instance: Type an administrator username to be used for the database instance
• Administrator password for RDS Instance: Type an RDS database administrator password

Options, including Tags, Permissions and Advanced settings, can be configured if required.

A final review of the configuration is displayed. Click to acknowledge that the CloudFormation Template may create resources with custom names. Click Create once you are satisfied with the details. Click Previous if corrections are required.
The deployment steps are displayed while the installation and configuration is in progress. It can take 30 to 45 minutes to complete these operations. Once the final status message displays Create Complete, Deep Security has been deployed to the Virtual Private Cloud.

Deploying Deep Security Manager in Microsoft Azure Using Quickstarts

Azure Quickstarts provide a quick way to provision virtual machines and services. A Quickstart is available to install Deep Security in a Bring Your Own License model in Azure.

Log into your Microsoft Azure account and on the Dashboard, create either a Linux or Windows virtual machine to host Deep Security.

Complete the Create Virtual Machine Wizard. Remember to note the details you provide, such as the administrator name and passwords.

Once the VM is deployed, run a search in the Azure Marketplace for Deep Security Manager (BYOL).

Click Create and step through the Wizard to configure Deep Security Manager.

A Summary page is displayed providing a final verification of the parameters entered. Click OK to begin the deployment of Deep Security Manager.

The process may take some time; be patient as the database and Deep Security Manager are installed and configured on the virtual machine.
Once the deployment is complete, the Deep Security Manager Web console for the cloud-deployed installation can be accessed by entering the URL based on the VM name and the data center location selected during configuration, for example:
https://azuresample.canadaeast.cloudapp.azure.com:8443/auth/
(where azuresample is the Deep Security VM name entered in the wizard and canadaeast is the datacenter location selected for the virtual machine)

From this point, the cloud-deployed installation of Deep Security Manager functions the same as an on-premises installation.

Baking the Deep Security Agent into an Amazon Machine Image

Deployment scripts can be incorporated into an Amazon Machine Image (AMI) to install and activate a Deep Security Agent when a new AWS instance is launched. An AMI is a template that contains the software configuration (operating system, application server, and applications) required to launch your instance. Adding the script to this template installs and activates a Deep Security Agent automatically when new instances are launched, ensuring that protection on the new instance is immediate.

Add the script content to the User Data field in the Advanced Details section of the template definition.

Application Programming Interface

The Deep Security Application Programming Interface (API) enables you to automate operational tasks in Deep Security, thereby increasing productivity and improving the security services that you support. The API allows Deep Security to be integrated with other security solutions, or to initiate Deep Security operations from outside of the Web console. Automation using the API can be applied to Protection Module operations, as well as Administration, Computer and Policy operations.
[Figure: the API covers the Protection Modules (Intrusion Prevention, Firewall, Anti-Malware, Integrity Monitoring, Web Reputation, Log Inspection, Application Control) as well as Administration, Computers and Policies.]

Common uses of the Deep Security API include tasks such as:
• Searching for computers out of compliance
• Automating tenant creation and setup
• Automating policy management

The Deep Security API is a Representational State Transfer (RESTful) API that you use to make HTTP requests to interact with Deep Security Manager.

The Deep Security API is versioned. Each request must include the version to use in the api-version header. You must ensure that the API version you are using is compatible with the Deep Security Manager with which you are interacting. Deep Security Manager is backward-compatible with all versions of the API: for example, if your code uses the v1 API and you upgrade Deep Security Manager, your code behavior does not change. However, you should always use the latest available version of the API.

The reply to a Deep Security API request is presented as JavaScript Object Notation (JSON). This lightweight data-interchange format is easy for humans to read and write, and also easy for machines to parse and generate. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Setting up the Development Environment

The environment where you develop your software accessing the Deep Security API requires the following items:
• Network access to a running Deep Security Manager, either one that you installed or one provisioned by Deep Security as a Service.
• A Software Development Kit (SDK) client library, if you choose to use one. You can download the client library from the Deep Security Automation Center.
You can also use the API directly through tools such as Postman and curl; in this case, you do not need an SDK.
• The runtime environment for the programming language of your client library.

API URL

Each API-enabled resource is referenced through a URL, such as:
https://<URL_of_DSM>:4119/api/<resource>

For example, to reference API operations related to computers in our classroom environment, the URL would be:
https://server-02.trend.local:4119/api/computers

Authenticating API Requests

Deep Security uses API keys for authenticating HTTP requests. Each request that you make requires an api-secret-key header that contains a secret key and an api-version header that contains the version of the API being used, as in the following example request:

GET /api/policies HTTP/1.1
Host: localhost:4119
api-secret-key: 2:vJC6lckDygB6FYURIvR0WK2ZTAhIY8rb0Amy9UMn4mo=
api-version: v1

The API key behaves like a password that is passed within the API request. Role-based controls, such as those used for administrators in Deep Security, can limit the API key to certain operations; however, API keys are designed to be issued to automation systems rather than people. When using a client library, you obtain an instance of ApiClient and configure it to use your secret key. The configuration is global, so that all calls to the API thereafter are authenticated by Deep Security Manager using the secret key. Each API key is associated with a role that determines the actions that you can perform.

Creating an API Key

Create an API key to authenticate requests with Deep Security Manager. When you create an API key, provide a name, the role to associate with the key, and optionally an expiry date. To create an API key, you require the access rights to create users.

Upon creation of an API key, you are provided a unique secret key that is associated with the API key.
Include this secret key in the HTTP request for authentication. You must store the secret key when it is provided because at no other time are you able to obtain it. If you lose the secret, you must create a new API key or create a new secret for the key. The API key can be set to expire on a pre-configured date.

In Deep Security Manager, click Administration > User Management > System API Keys. Click New and enter the property values for the key.

The secret is presented. This is the only time that you can obtain the secret. Copy the secret to the clipboard and paste it into a file.

API Reference

The API Reference contains details of the Deep Security API endpoints, including parameter descriptions, request and response schemas, and language-specific SDK examples. The API Reference is available on the Deep Security Automation Center, viewable online at the following URL:
https://automation.deepsecurity.trendmicro.com/

Click the API Reference menu. The API Reference provides information about each resource that you interact with:
• Descriptions of operations that you can perform on each resource (GET, POST, etc.)
• Request paths, headers, and payloads
• Example requests and response messages

[Figure: the API Reference page, showing the Deep Security version, the API URL, the API endpoints list, the command parameters and the request samples.]

API Endpoints

In the left-hand frame, all of the API endpoints are listed. These represent all of the resources and operations that can be accessed through the API. The operations are gathered into logical categories; expand the category name to view the individual API items. In the example below, the API-enabled commands available for Computer Groups are displayed in the API endpoints list.
API Operations

There are four different HTTP operations that can be performed on Deep Security resources using the API:
• GET: The GET operation is used to request data from a specified resource.
• POST: The POST operation is used to send data to the server to create or modify a resource (including the search operations).
• DELETE: The DELETE operation deletes a specific resource.
• PUT: The PUT operation assigns an item to a specific resource.

Command Parameters

The middle frame displays parameters related to the operation selected in the API endpoints frame, such as authorization requirements, header parameters, and request body fields. In the example here, the parameters related to creating a new group are displayed.

API URL

When an API endpoint is selected, the URL field displays the path to the API object on the Deep Security Manager computer. Click the down arrow to display the full URL path. Select and copy the path and paste it where needed, making sure to edit the path to reflect the correct host name of your Deep Security Manager computer, for example:
https://server-02.trend.local:4119/api/computergroups

Request Samples

The right-hand frame displays sample code for the selected endpoint in the three supported Software Development Kits. The SDKs consist of programming-language-specific packages containing modules used to interact with the API. The SDK includes client libraries that enable you to use the API in the following languages:
• Python
• JavaScript (via NodeJS)
• Java

The instructions for downloading and installing the SDKs are available in the Deep Security Automation Center. If you would rather use the API directly through demo and testing tools such as Postman and curl, you do not need an SDK.
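The following is an added example, not code from the Trend Micro courseware or the Deep Security SDK: it calls the API directly from the Python standard library (no SDK), sending the api-secret-key and api-version headers described under Authenticating API Requests, paging through computers with the search endpoint to find the "out of compliance" ones, and creating an API key with an expiry date. Assumptions not stated on the page: the manager URL and the secret come from the DSM_URL and DS_API_SECRET environment variables, a computer is treated as non-compliant when its agentStatus is not "active", and the CA bundle for the manager's (often self-signed) certificate is supplied via DSM_CA_BUNDLE rather than by disabling verification. The transport is injectable so the logic can be exercised offline against constructed responses.

```python
"""Direct Deep Security REST API access without an SDK (added example)."""
import json
import os
import ssl
import urllib.request

# Assumed environment (not from the page): where the manager lives and where
# the secret comes from. Never hard-code the secret in source control.
DSM_URL = os.environ.get("DSM_URL", "https://server-02.trend.local:4119")
API_VERSION = "v1"
PAGE_SIZE = 100


def build_headers(secret_key, api_version=API_VERSION):
    """Every request carries the secret key and the API version as headers."""
    return {
        "api-secret-key": secret_key,
        "api-version": api_version,
        "Content-Type": "application/json",
    }


def default_opener(request):
    """Send the request over HTTPS and return the parsed JSON body.

    Assumption: the manager's CA certificate is pinned through DSM_CA_BUNDLE;
    TLS verification stays on, because the secret key travels in a header.
    """
    ctx = ssl.create_default_context(cafile=os.environ.get("DSM_CA_BUNDLE"))
    with urllib.request.urlopen(request, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def api_request(path, secret_key, body=None, method=None, opener=default_opener):
    """Build one request against DSM_URL + path; POST when a body is given."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    method = method or ("POST" if data is not None else "GET")
    req = urllib.request.Request(DSM_URL + path, data=data, method=method,
                                 headers=build_headers(secret_key))
    return opener(req)


def iter_computers(secret_key, opener=default_opener):
    """Walk every computer via POST /api/computers/search, one page at a time.

    Pages are fetched by sorting on object ID and asking for IDs greater than
    the last one seen, so the walk is stable even if computers are added.
    """
    last_id = 0
    while True:
        body = {
            "maxItems": PAGE_SIZE,
            "sortByObjectID": True,
            "searchCriteria": [{"idValue": last_id, "idTest": "greater-than"}],
        }
        page = api_request("/api/computers/search", secret_key, body, opener=opener)
        computers = page.get("computers", [])
        if not computers:
            return
        for computer in computers:
            yield computer
        last_id = computers[-1]["ID"]


def noncompliant_computers(secret_key, opener=default_opener):
    """Return (ID, hostName, agentStatus) for computers whose agent is not active.

    Assumption: 'not active' is this example's compliance rule; refine it to
    your own policy (e.g. also check the expected policy is assigned).
    """
    findings = []
    for computer in iter_computers(secret_key, opener):
        status = computer.get("computerStatus", {}).get("agentStatus")
        if status != "active":
            findings.append((computer["ID"], computer.get("hostName"), status))
    return findings


def create_api_key(secret_key, key_name, role_id, expiry_epoch_ms, opener=default_opener):
    """POST /api/apikeys with a name, role and expiry; returns the new secret.

    The secretKey is only present in this one response, so the caller must
    store it in a secrets manager immediately, as the page warns.
    """
    body = {"keyName": key_name, "roleID": role_id, "expiryDate": expiry_epoch_ms}
    created = api_request("/api/apikeys", secret_key, body, opener=opener)
    return created["secretKey"]


if __name__ == "__main__":
    secret = os.environ["DS_API_SECRET"]
    for computer_id, host, status in noncompliant_computers(secret):
        print(f"{computer_id}\t{host}\t{status}")
```

Because the opener is a parameter, the same functions run against a real manager (default opener) or against a fake that replays captured JSON, which is how automation against a security console should be tested before it is given a key with a privileged role.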
In this example, the code required to create a new group using the Java SDK is displayed. The code samples can be copied and pasted into your application. Modify the YOUR HOST, YOUR API KEY and YOUR VERSION fields in the sample to match the specifics of your environment. Click Payload to display a JSON-formatted request body that submits the required data with the request.

Review Questions

1 How would you characterize the difference between a Scheduled Task and an Event-Based Task in Deep Security?
2 Explain how the Deep Security API can automate the management of computers in Deep Security.
3 How can you automate the deployment and activation of a Deep Security Agent in a newly launched Amazon Web Services instance?

Lesson 18: Detecting Emerging Malware Through Connected Threat Defense

Lesson Objectives:
After completing this lesson, participants will be able to:
• Describe the components of the Connected Threat Defense system
• Integrate Deep Security with Trend Micro Apex Central and Deep Discovery Analyzer
• Track submissions through the phases of Connected Threat Defense

In the modern data center, more and more security breaches are the result of targeted attacks using techniques such as phishing and spear-phishing. In these cases, malware writers can bypass traditional malware scanners by creating malware specifically targeted at your environment. Deep Security adds enhanced malware protection for new and emerging threats through Connected Threat Defense. Using heuristic detection, Deep Security can identify document files that are deemed suspicious and submit them automatically to Deep Discovery Analyzer for analysis. If the analysis indicates that a particular file does contain malware, Deep Discovery Analyzer provides the information to Trend Micro Apex Central.
Through Apex Central, an action for this particular malware can be specified, and any Trend Micro product can subscribe to the Suspicious Object List from Apex Central to remediate threats. Connected Threat Defense allows multiple Trend Micro products to share threat information and analysis across the multiple layers of protection critical to defending against advanced threats.

Connected Threat Defense Phases

Connected Threat Defense includes a complete set of security technologies to protect against, detect, and respond to advanced threats against servers.

[Figure: the Protect, Detect and Respond phases of Connected Threat Defense.]

Detect
Components of Connected Threat Defense detect advanced malware, behavior and communications invisible to standard defenses. Connected Threat Defense analyzes the risk and nature of the attack and attacker within sandboxes to reveal malicious actions without relying on malware signatures.

Respond
Components of Connected Threat Defense enable rapid response through shared threat intelligence and delivery of real-time security updates.

Protect
Components of Connected Threat Defense assess potential vulnerabilities and proactively protect endpoints, servers and applications.

View and Analyze Threats
Components of Connected Threat Defense provide visibility across the system and analyze and assess the impact of threats.

Connected Threat Defense Requirements

Deep Security's participation in Connected Threat Defense requires you to set up a connection between Deep Security, Deep Discovery Analyzer and Apex Central. Before connecting Deep Security to Deep Discovery Analyzer, verify that your environment meets these requirements:
• Deep Security Manager is installed and configured with Deep Security Agents or Virtual Appliances protecting computers.
• Policies are configured in Deep Security to detect and submit suspicious files.
• Deep Discovery Analyzer is installed and the sandbox virtual machines are provisioned.
• Trend Micro Apex Central is installed.
• Deep Discovery Analyzer and Deep Security have been added to the Apex Central Managed Servers list.

Note: To use Connected Threat Defense with the Deep Security Virtual Appliance, you must be using VMware NSX 6.x.

How Connected Threat Defense Works

When all the components are deployed and configured correctly, Connected Threat Defense operates as described below.

[Figure: the flow between Deep Security Agent, Deep Security Manager, Deep Discovery Analyzer and Apex Central (formerly Control Manager).]

1 Deep Security Agents are configured with policy settings to enable detection of malware on the protected computers.
2 Objects deemed to be suspicious are gathered and submitted to Deep Security Manager.
3 Deep Security Manager submits the suspicious objects to Deep Discovery Analyzer for analysis.
4 Deep Discovery Analyzer executes and observes the suspicious object in a secure, isolated virtual sandbox environment.
5 Deep Discovery Analyzer pushes the analysis results to Trend Micro Apex Central, where an action can be specified for the file based on the analysis. Once the action is specified, a list of emerging threats called a Suspicious Object List is created or updated. Other Trend Micro products, such as Apex One, Deep Discovery Inspector or Deep Discovery Email Inspector, may also be connected to Trend Micro Apex Central and be able to update the list.
6 Deep Security Manager receives the list of suspicious objects from Apex Central.
7 The list is forwarded to Deep Security Agents, where protection against the suspicious objects is applied. Anti-Malware policies define how suspicious objects are to be handled.
Trend Micro Apex Central

Apex Central is a central repository for local and global threat intelligence. It provides a centralized console to manage, monitor, and report across multiple layers of security in all your Trend Micro product deployments. Customizable data displays provide the visibility and situational awareness for administrators to rapidly assess status, identify threats, and respond to incidents. Administration can be streamlined to achieve more consistent policy enforcement with single-click deployment of data protection policies across endpoint, messaging, and gateway solutions. User-based visibility shows what is happening across all endpoints and servers owned by users, enabling administrators to review policy status and make changes across all user devices.

In the event of a threat outbreak, administrators have a central access point with complete visibility of the environment to track how threats have spread. With a better understanding of security events, it becomes easier to prevent them from reoccurring. Direct links to the Trend Micro Threat Connect database provide access to actionable threat intelligence, which allows administrators to explore the complex relationships between malware instances, creators, and deployment methods.

Apex Central is then able to apply policy on how these suspicious objects should be treated. Deep Security sends suspicious objects to, and can retrieve them from, Apex Central. Additionally, Deep Security can leverage Scan Actions (for example Log or Block) from Apex Central.

The Dashboard in the Apex Central console provides the status summary for the entire Apex Central network.
Connecting Deep Security with Trend Micro Apex Central

To participate in Connected Threat Defense, Deep Security must be added to Apex Central as a Managed Server. In the Apex Central Web Management console, click Administration > Managed Servers > Server Registration. Select Deep Security from the Server Type list and click Add a product. Type the details of Deep Security Manager and click Save. Deep Security is now listed as a Managed Server.

Deep Discovery Analyzer

Deep Discovery Analyzer provides custom sandbox analysis using virtual images that are tuned to precisely match your system configurations, drivers, installed applications, and language versions. This approach improves the detection rate of advanced threats that are designed to evade standard virtual images. The custom sandbox environment includes safe external access to identify and analyze multi-stage downloads, URLs, command and control (C&C), and more, as well as supporting manual or automated file and URL submission.
Deep Security can send these file types to Deep Discovery Analyzer:
• doc - Microsoft Word document
• docx - Microsoft Word 2007 and later document
• gul - JungUm Global document
• hwp - Hancom Hangul Word Processor (HWP) document
• hwpx - Hancom Hangul Word Processor 2014 (HWPX) document
• jar - Java Applet / Java application
• js - JavaScript file
• jse - JavaScript encoded script file
• jtd - JustSystems Ichitaro document
• lnk - Microsoft Windows Shell Binary Link shortcut
• mov - Apple QuickTime media
• pdf - Adobe Portable Document Format
• ppt - Microsoft PowerPoint presentation
• pptx - Microsoft PowerPoint 2007 and later presentation
• ps1 - Microsoft Windows PowerShell script file
• rtf - Microsoft Rich Text Format document
• swf - Adobe Shockwave Flash file
• vbe - Visual Basic encoded script file
• vbs - Visual Basic script file
• xls - Microsoft Excel spreadsheet
• xlsx - Microsoft Excel 2007 and later spreadsheet
• xml - Microsoft Office 2003 and later XML file

Suspicious Activities

Deep Discovery Analyzer monitors activity within the sandbox environment for activities such as those listed here.
Anti-security, self-preservation
· Deleted AV registry entry
· Disabled AV service
· Locked registry
· Stopped or modified AV service
· Bypassed firewall
· Used watchdog
· Modified important registry items
· Modified AppInit_DLLs in registry
· Modified sensitive file
· Reset IP settings

Autostart or other system reconfiguration
· Added autorun in registry
· Added scheduled task
· Added startup file or folder

Deception, social engineering
· Created message box
· Deceiving extension name
· Double EXE header
· Double extension name with executable tail
· Suspicious packer
· Dropped fake system file
· Fake icon
· File signature
· Porn-like file name

File drop, download, sharing, or replication
· Copied self
· Deleted self
· Downloaded executable
· Dropped driver
· Dropped executable
· Dropped file into share
· Executed download
· Executed dropped file
· Opened share
· Renamed download
· Searched shares
· Copied same file multiple times

Hijack, redirection, or data theft
· Accessed document files
· Installed BHO
· Modified configuration files
· Set up API hooks
· Stole IM password

Suspicious network or messaging activity
· Created raw socket
· Established network connection
· Listened on port
· Opened IRC connection
· Performed DNS query
· Performed port scanning
· Requested suspicious URL
· Requested URL
· Sent email

Process, service, or memory object change
· Added service
· Created mutex
· Created named pipe
· Created process
· Injected memory with dropped files
· Memory resident
· Started self
· Started service
· Terminated process

Malformed, defective, or with known malware traits
· Contains known malware string
· Crashed document reader
· Crashed process
· Failed to start

Rootkit, cloaking
· Hide file
· Hide registry
· Hide service
· Attempted to hide file

Connecting Deep Discovery Analyzer to Apex Central

The Deep Discovery Analyzer must be added as a Managed Server in Apex Central. In the Apex Central Web Management console, click Administration > Managed Servers > Server Registration. Select Deep Discovery Analyzer from the Server Type list and click Add a product. Type the details of the Deep Discovery Analyzer device and click Save. Deep Discovery Analyzer is now listed as a Managed Server.

Populating the Apex Central Product Directory

In the Apex Central Web Management console, add Deep Security and Deep Discovery Analyzer to the Product Directories list. Click Directories > Products and click Directory Management. Click Local Folder, and click Add Folder. Type a name for the new folder (or directory), for example, Trend Micro Servers.

Expand the New Entity folder. Drag Analyzer from the New Entity folder to the newly created Trend Micro Servers folder. When prompted, click OK to acknowledge the move. The Analyzer device should now be displayed in the Trend Micro Servers folder. Drag Deep Security from the New Entity folder to the newly created Trend Micro Servers folder. When prompted, click OK to acknowledge the move. Deep Discovery Analyzer and Deep Security are now displayed in the Trend Micro Servers folder.

Configuring Deep Security for Connected Threat Defense

You can enable Connected Threat Defense in policies or for individual computers.
The steps involved in configuring Deep Security for Connected Threat Defense are:

1 Creating a Malware Scan Configuration and applying it to a policy
2 Configuring Deep Security to submit files to Deep Discovery Analyzer
3 Subscribing to the Suspicious Object List
4 Enabling sandbox analysis

Creating a Malware Scan Configuration

Create a malware scan configuration to allow Deep Security to detect suspicious files and automatically send them to Deep Discovery Analyzer for further analysis. In Deep Security Manager, click the Policies menu. In the left-hand pane, expand Other > Malware Scan Configurations. On the General tab, click Scan documents for exploits and Scan for exploits against known critical vulnerabilities and aggressive detection of unknown suspicious exploits. Configure any other malware scan settings as required.

Assign the Malware Scan Configuration to a policy by clicking the Anti-Malware Protection Module in either the Computers or Policies menu. On the General tab, ensure that the Anti-Malware State is On or Inherited (On). In the appropriate scan section of the General tab, select the Malware Scan Configuration created previously.

Configuring Deep Security to Submit Files to Deep Discovery Analyzer

In the Deep Security Manager Web console, click the Administration menu. In the left-hand pane, expand System Settings and click the Connected Threat Defense tab. In the Connected Threat Defense section, click Enable submission of suspicious file to Deep Discovery Analyzer. To automatically submit files to Deep Discovery Analyzer from Deep Security, click Enable automatic file submission.

Note: Automatic submission to Deep Discovery Analyzer occurs every 15 minutes and will submit a maximum of 100 files per submission.
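The automatic submission behaviour described in the note above, modelled as an added example (not Trend Micro's code): it filters an Identified Files backlog to the file types listed earlier in this lesson and drains it in 15-minute runs of at most 100 files, which shows how long a backlog takes to reach the Analyzer and which files are never picked up. The IdentifiedFile record, the sample backlog, the paths and hashes, and the status strings are assumptions constructed for illustration.

```python
"""Model of Deep Security's automatic file submission to Deep Discovery Analyzer.

Added example, not Trend Micro's code. It models the behaviour the lesson
describes: only the listed file types are forwarded, the automatic run happens
every 15 minutes, and each run submits at most 100 files. The IdentifiedFile
record, the queue and the Submission Status strings are constructed here for
illustration and are not the product's data model.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePath
from typing import List, Optional, Tuple

# File types Deep Security can send to Deep Discovery Analyzer (from the lesson).
SUBMITTABLE_EXTENSIONS = frozenset({
    "doc", "docx", "gul", "hwp", "hwpx", "jar", "js", "jse", "jtd", "lnk",
    "mov", "pdf", "ppt", "pptx", "ps1", "rtf", "swf", "vbe", "vbs",
    "xls", "xlsx", "xml",
})
SUBMISSION_INTERVAL = timedelta(minutes=15)   # automatic submission cadence
MAX_FILES_PER_SUBMISSION = 100                # cap per automatic run
SAMPLE_START = datetime(2021, 2, 18, 9, 0)    # constructed clock for the demo

@dataclass
class IdentifiedFile:
    """One row of Events & Reports > Anti-Malware Events > Identified Files
    (constructed fields: only what this model needs)."""
    path: str
    sha1: str
    identified_at: datetime
    status: str = "Not Submitted"
    submitted_at: Optional[datetime] = None

def is_submittable(path: str) -> bool:
    """True when the file's extension is one Deep Security will forward.
    Assumption: this model decides on the extension alone; the product may
    also inspect file content."""
    suffix = PurePath(path).suffix.lower().lstrip(".")
    return suffix in SUBMITTABLE_EXTENSIONS

def run_submission_cycle(queue: List[IdentifiedFile], now: datetime) -> List[IdentifiedFile]:
    """One automatic run: send the oldest eligible files first, at most 100.
    Files of unsupported types stay on the page but are never picked up."""
    eligible = sorted(
        (f for f in queue if f.status == "Not Submitted" and is_submittable(f.path)),
        key=lambda f: f.identified_at,
    )
    batch = eligible[:MAX_FILES_PER_SUBMISSION]
    for f in batch:
        f.status = "Submitted"
        f.submitted_at = now
    return batch

def drain_queue(queue: List[IdentifiedFile], start: datetime) -> List[Tuple[datetime, int]]:
    """Run 15-minute cycles until nothing eligible is left and return
    (run time, files sent) per run."""
    schedule: List[Tuple[datetime, int]] = []
    now = start
    while True:
        batch = run_submission_cycle(queue, now)
        if not batch:
            break
        schedule.append((now, len(batch)))
        now += SUBMISSION_INTERVAL
    return schedule

def build_sample_queue(start: datetime, n_docs: int = 230, n_other: int = 20) -> List[IdentifiedFile]:
    """Constructed backlog: n_docs files of supported types and n_other files of
    types that are not on the list (here .exe and .txt)."""
    queue: List[IdentifiedFile] = []
    for i in range(n_docs):
        ext = ("docx", "pdf", "js", "ps1")[i % 4]
        queue.append(IdentifiedFile(
            path=f"C:\\Users\\alice\\Downloads\\invoice_{i}.{ext}",
            sha1=f"{i:040x}",                       # constructed placeholder hash
            identified_at=start - timedelta(seconds=n_docs - i),
        ))
    for i in range(n_other):
        ext = ("exe", "txt")[i % 2]
        queue.append(IdentifiedFile(
            path=f"C:\\Temp\\dropper_{i}.{ext}",
            sha1=f"{(1 << 159) + i:040x}",          # constructed placeholder hash
            identified_at=start,
        ))
    return queue

if __name__ == "__main__":
    backlog = build_sample_queue(SAMPLE_START)
    for when, count in drain_queue(backlog, SAMPLE_START):
        print(f"{when:%H:%M} submitted {count} files")
    left = [f.path for f in backlog if f.status == "Not Submitted"]
    print(f"{len(left)} files stay unsubmitted (unsupported types), e.g. {left[0]}")
```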
Click Use the Deep Discovery Analyzer associated with the Apex Central that Deep Security is registered with. Click Add/Update Certificate to update to the correct Deep Discovery Analyzer certificate, then click Test Connection and ensure that the connection is successful.

Subscribing to the Suspicious Object List

Still in the Connected Threat Defense section, scroll down and enable Compare objects against Suspicious Object List and click Use the Apex Central that Deep Security is registered with. Click Add/Update Certificate to update to the correct Apex Central certificate, then click Test Connection and ensure that the connection is successful.

Enabling Sandbox Analysis

Open a policy and click the Anti-Malware Protection Module. On the Connected Threat Defense tab, adjust these settings as required and save the policy:

• Use Apex Central's Suspicious Object List: If you have set up a connection between Deep Security and Trend Micro Apex Central, you can set this option to On or Inherited (On) to use the suspicious object list from Apex Central to detect malicious files on computers protected by this policy.
• Sandbox Analysis: Set this option to On or Inherited (On) to enable the submission of suspicious files found on computers protected by this policy to Deep Discovery Analyzer.

Manually Submitting a File to Deep Discovery Analyzer for Analysis

Depending on the configuration of Deep Security, files can be submitted either automatically or manually. To submit a file manually, locate the suspicious file on the Events & Reports > Events > Anti-Malware Events > Identified Files page. Select the file that you want to submit and click Analyze.
After the file is submitted, you can check the progress of its analysis in the Submission Status column on the Identified Files page. When the analysis is finished, the Submission Status column displays Results Ready. Click Results Ready to see details.

Tracking the Submission

The analysis of the submitted file can be tracked in Deep Discovery Analyzer and Apex Central.

Log into the Deep Discovery Analyzer Web Management console and verify that the file has been submitted by Deep Security by clicking Virtual Analyzer > Submitters. Deep Security should be displayed as the submitter of the object. Click Virtual Analyzer > Submissions. On the Processing tab, verify that the sample is being processed by the Analyzer under today's date. There will be some delay before the file is forwarded from Deep Security Manager and processing of the file by Deep Discovery Analyzer begins. Once the submission is processed, the entry is displayed on the Completed tab; again, there will be some delay while the file is processed.

Click Virtual Analyzer > Suspicious Objects and verify that the object is now visible in the list. To uniquely identify the object, its hash is displayed instead of the file name.

Return to the Apex Central Web Management console, click Threat Intel > Virtual Analyzer Suspicious Objects and verify that the object is now visible in the list. You may need to wait several minutes for the results of the analysis to be passed to Apex Central.

Click to select the object in the list and click Configure Scan Action. In the Scan Action window, select Block in the For selected files section and click Apply.
When prompted, confirm the application of the scan action. Click Apply Scan Action. The Scan Action is changed to Block.

Suspicious Objects

There are two primary sources of threat information:

• Suspicious object information collected from Deep Discovery
• Community-exchanged Indicators of Compromise (IOC)

When Deep Discovery discovers suspicious objects through the virtual analysis of a file, it can send information about the object (SHA-1, URL, IP, Domain) to Apex Central for local sharing. Deep Discovery can also send the Suspicious Object List, along with executable files, to the Trend Micro Smart Protection Network. Trend Micro will validate the suspicious objects within a maximum of 6 hours. If suspicious objects are found to be malicious, they are added to the Smart Protection Network and all products that integrate with the network can leverage this information. Other Indicators of Compromise may also be manually configured and sent to Apex Central.

Handling Suspicious Objects

The process for handling a suspicious object can be broken down into a few phases. To view the details of each phase, click View in the Handling Process column of the Virtual Analyzer Suspicious Objects page in Apex Central.

Sample Submission

Deep Security and other Trend Micro products use administrator-configured file submission rules to determine the samples to submit to Virtual Analyzer. The Sample Submission tab provides details of the submission to Deep Discovery Analyzer.

Analysis

Virtual Analyzer tracks and analyzes the submitted samples and flags suspicious objects based on their potential to expose systems to danger or loss.
Supported objects include files (SHA-1 hash values), IP addresses, domains, and URLs. The Analysis tab provides information on why the object was flagged as suspicious.

Distribution

Apex Central consolidates suspicious objects and the scan actions against those objects and then distributes them to other products.

• Virtual Analyzer Suspicious Objects: Trend Micro products integrated with Virtual Analyzer send suspicious objects to Apex Central.
• Exceptions to Virtual Analyzer Suspicious Objects: Apex Central administrators can select objects from the list of suspicious objects that are considered safe and add them to an exception list. Apex Central sends the exception list back to the products integrated with Virtual Analyzer. If a suspicious object from a managed product matches an object in the exception list, the product no longer sends it to Apex Central.
• User-Defined Suspicious Objects: Apex Central administrators can add objects they consider suspicious that are not currently in the list of Virtual Analyzer suspicious objects.
• Suspicious Object Distribution: Apex Central consolidates Virtual Analyzer and user-defined suspicious objects (excluding exceptions) and sends them to other managed products. These products synchronize and use all or some of these objects.

Configure scan actions (log, block, or quarantine) against suspicious objects that affect computers. Block and quarantine actions are considered active actions, while the log action is considered passive. If products take an active action, Apex Central declares the affected computers as mitigated. If the action is passive, computers are declared at risk. Scan actions are configured separately for Virtual Analyzer and user-defined suspicious objects. Apex Central automatically deploys the actions to certain managed products.
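The distribution and scan-action rules above, as an added example that is not Trend Micro's code: it consolidates Virtual Analyzer and user-defined objects minus the exception list, shows why a product stops reporting an excepted object, and derives the mitigated or at-risk verdict for each computer from the action its managed product took. The object types, the value normalisation, the tie-break for a computer with mixed actions, and every sample object, host name and detection record are assumptions constructed here.

```python
"""Model of how Apex Central distributes suspicious objects and assesses impact.

Added example, not Trend Micro's code. It follows the lesson text: Virtual
Analyzer and user-defined objects are consolidated, objects on the exception
list are dropped before distribution and no longer reported by products, and
a computer whose product matched a distributed object is "mitigated" when the
action taken was active (Block, Quarantine, Delete, Override) and "at risk"
when it was passive (Log). All objects, hosts and log records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

ObjectKey = Tuple[str, str]                  # (kind, normalised value)
ACTIVE_ACTIONS = {"Block", "Quarantine", "Delete", "Override"}
PASSIVE_ACTIONS = {"Log"}

@dataclass(frozen=True)
class SuspiciousObject:
    kind: str     # "sha1", "ip", "domain" or "url": the lesson's object types
    value: str
    source: str   # "virtual_analyzer" or "user_defined"

def object_key(kind: str, value: str) -> ObjectKey:
    """Normalise so the same indicator written differently matches once.
    Assumption: hashes and domains compare case-insensitively; IPs and URLs
    compare as written after trimming whitespace."""
    value = value.strip()
    if kind in ("sha1", "domain"):
        value = value.lower()
    return (kind, value)

def consolidate(va_objects: Iterable[SuspiciousObject],
                user_objects: Iterable[SuspiciousObject],
                exceptions: Set[ObjectKey]) -> Dict[ObjectKey, SuspiciousObject]:
    """The list Apex Central distributes: Virtual Analyzer objects plus
    user-defined objects, excluding anything on the exception list."""
    distribution: Dict[ObjectKey, SuspiciousObject] = {}
    for obj in list(va_objects) + list(user_objects):
        key = object_key(obj.kind, obj.value)
        if key in exceptions:
            continue                          # an administrator marked it safe
        distribution.setdefault(key, obj)     # first source wins on duplicates
    return distribution

def should_report(obj: SuspiciousObject, exceptions: Set[ObjectKey]) -> bool:
    """A managed product stops sending an object that is on the exception list."""
    return object_key(obj.kind, obj.value) not in exceptions

@dataclass(frozen=True)
class DetectionLog:
    """One detection record a managed product sent to Apex Central (constructed)."""
    computer: str
    kind: str
    value: str
    action: str   # the scan action the product took on the match

def assess_impact(logs: Iterable[DetectionLog],
                  distribution: Dict[ObjectKey, SuspiciousObject]) -> Dict[str, str]:
    """Map each computer with a matching log to "mitigated" or "at risk".
    Assumption: a computer with both an active and a passive match is reported
    as at risk, the more cautious verdict."""
    status: Dict[str, str] = {}
    for log in logs:
        if object_key(log.kind, log.value) not in distribution:
            continue                          # not a suspicious object: no verdict
        if log.action in ACTIVE_ACTIONS:
            verdict = "mitigated"
        elif log.action in PASSIVE_ACTIONS:
            verdict = "at risk"
        else:
            raise ValueError(f"unknown scan action {log.action!r}")
        if status.get(log.computer) != "at risk":
            status[log.computer] = verdict
    return status

# Constructed sample data (documentation address ranges and example domains only).
SAMPLE_SHA1 = "0123456789abcdef0123456789abcdef01234567"
VA_OBJECTS = [
    SuspiciousObject("sha1", SAMPLE_SHA1.upper(), "virtual_analyzer"),
    SuspiciousObject("domain", "Update.Example.NET", "virtual_analyzer"),
    SuspiciousObject("ip", "203.0.113.45", "virtual_analyzer"),
]
USER_OBJECTS = [SuspiciousObject("url", "http://files.example.org/setup.js", "user_defined")]
EXCEPTIONS = {object_key("domain", "update.example.net")}   # marked safe by an admin
LOGS = [
    DetectionLog("ws-001", "sha1", SAMPLE_SHA1, "Quarantine"),
    DetectionLog("ws-002", "ip", "203.0.113.45", "Log"),
    DetectionLog("ws-003", "domain", "update.example.net", "Block"),
    DetectionLog("ws-004", "url", "http://files.example.org/setup.js", "Block"),
    DetectionLog("ws-004", "sha1", SAMPLE_SHA1, "Log"),
]

def demo() -> Dict[str, str]:
    """Run the constructed scenario end to end."""
    return assess_impact(LOGS, consolidate(VA_OBJECTS, USER_OBJECTS, EXCEPTIONS))

if __name__ == "__main__":
    for computer, verdict in sorted(demo().items()):
        print(f"{computer}: {verdict}")
```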
Impact Assessment and Mitigation

Impact assessment checks computers for suspicious activities associated with suspicious objects. Computers with confirmed suspicious activities are considered at risk. Apex Central also considers computers to be at risk if products take passive actions against suspicious objects.

The Deep Security Agents and Virtual Appliances perform active scan actions against suspicious objects. When the scan action configured in Apex Central and deployed to Deep Security Agents is Block or Quarantine, the affected computers are considered mitigated.

Apex Central also checks Web Reputation, URL filtering, network content inspection, and rule-based detection logs received from all managed products and then compares them with its list of suspicious objects. If there is a match from a specific computer and the managed product takes an active action such as Block, Delete, Quarantine, or Override, Apex Central treats the computer as mitigated.

Review Questions

1 Why would you require multiple sandbox environments in a Deep Discovery Analyzer device?
2 What is the role of Apex Central in the Connected Threat Defense infrastructure?
3 How does Connected Threat Defense ensure that all Trend Micro products in your infrastructure are made aware of suspicious objects?
Appendix A: Activating and Managing Multiple Tenants

Lesson Objectives:

After completing this lesson, participants will be able to:

• Enable Multi-Tenancy in Deep Security
• Create Tenants
• View the status and properties of a Tenant
• Activate Deep Security Agents on Tenants
• Monitor the Tenant usage of security services
• Locate and view Tenant-related events

Multi-Tenancy lets you create multiple distinct management environments using a single Deep Security Manager and database server installation. It fully isolates the policies, settings, computers, and events for each tenant and makes use of a number of additional infrastructure scaling options.

[Figure: Multi-Tenancy architecture. Tenant 0 and its administrator own the Deep Security Manager, which protects vCenter, NSX Manager and VMware ESXi hosts through the Deep Security Virtual Appliance, as well as Windows and Linux servers and VMs in Amazon Web Services and Azure. Tenants A, B, C and D each have their own administrator and their own Policies, Settings, Computers and Events.]

Segmentation using Multi-Tenancy

When Deep Security Manager is first installed, it is the one-and-only tenant. Once Multi-Tenancy is enabled, the Primary Tenant (referred to as Tenant0) retains all of the capabilities of a regular installation of Deep Security Manager. However, the tenants that are subsequently created can have their access to Deep Security functionality restricted to varying degrees based on how the system is configured for them. No tenant's assets or security components are visible to any other tenant. Each tenancy is independent and isolated from every other tenancy.

Multi-Tenancy is available if you are using an on-premise installation of Deep Security or Deep Security for Amazon Web Services Marketplace with the Bring Your Own License (BYOL) option.
You cannot set up multi-tenancy with Deep Security as a Service or any other license options for Deep Security for Amazon Web Services Marketplace.

Segmentation by Business Unit

One common use for multi-tenancy is to segment an organization's larger Deep Security installation by business unit or department. In this scenario, each business unit can be made responsible for the creation and management of its own assets, including computers, policies, settings and events, independently of other business units.

[Figure: segmentation by business unit. The Tenant 0 administrator owns the Deep Security Manager and the protected infrastructure (vCenter, NSX Manager, VMware ESXi with the Deep Security Virtual Appliance, Windows and Linux servers, Amazon Web Services and Azure VMs); Manufacturing, Design, Sales and Customer Service are separate tenants.]

Segmentation in a Service Provider Model

Multi-tenancy is ideal for service providers reselling security services to other organizations. In this model, the service provider segments their Deep Security installation by customer. Each organization subscribing to the provider's services is created as a separate tenant. It is common in this type of installation to restrict access to specific protection modules based on the services the customer subscribes to.

[Figure: segmentation in a service provider model. The Tenant 0 administrator owns the Deep Security Manager and the same protected infrastructure; Acme Company, ABC Industries, J&E Limited and Micron Enterprises are separate tenants.]

Tenant Isolation

Tenant isolation involves more than simply configuring Deep Security Manager properly. For absolute isolation between tenants, appropriate network-level configuration is also required. Although Deep Security Manager can be configured to isolate one tenant's policies, events, and configuration settings from being seen or modified by other tenants, each tenant must also be restricted from seeing any other tenant's computers (virtual or physical).
Otherwise, a tenant may potentially be able to install and activate an Agent on a computer that actually belongs to another tenant. This may not seem harmful if the only purpose of a multi-tenancy configuration is to separate the different departments of a larger company. However, if the tenants themselves are actually different companies, as in an ISP configuration for example, it is absolutely critical that each tenant is completely isolated at the network level to prevent any of them from being able to access or see each other's machines.

Database Isolation

Multi-tenancy relies on using multiple databases (if you are using Microsoft SQL or PostgreSQL) or multiple users (if you are using Oracle). With Microsoft SQL and PostgreSQL, there is one main database and an additional database for each tenant. With Oracle, all tenant information is in one Deep Security Manager database, but an additional user is created for each tenant. Each user has its own tables.

The majority of each tenant's data is stored in a separate database. This database may co-exist on the same database server as other tenants, or can be isolated onto its own database server. In all cases some data only exists in the primary database (the one Deep Security Manager was installed with).

The segmentation of each tenant's data into a database provides additional benefits:

• Data destruction: Deleting a Tenant removes all traces of that Tenant's data.
• Balancing: The potential for future re-balancing to maintain an even load on all database servers.
• Backup: Each Tenant's data can be subject to different backup policies. This may be useful for something like tenancy being used for staging and production, where the staging environment requires less stringent backups.

Note: Backups are the responsibility of the administrator setting up Deep Security Manager.
Tenants are created on the database with the least amount of load when multiple database servers are available. The decision of which tenant's database is located on which database server is made by Deep Security Manager, and cannot be configured by the user.

Each tenant database has an overhead of approximately 100 MB of disk space (due to the initial rules, policies and events that populate the system). Tenant creation takes between 30 seconds and 2 minutes due to the creation of the schema and the population of the initial data. This ensures each new tenant has the most up-to-date configuration and removes the burden of managing database templates (especially between multiple database servers).

To scale further, you can connect Deep Security Manager to multiple database servers and automatically distribute the new tenants across the available set of database servers. To configure additional databases, go to Administration > System Settings > Database Servers.

The following table shows an estimate of how a Deep Security environment can scale with multi-tenancy enabled.

Component                                                           | Single Tenant                   | Multi-Tenant
Managed Computers (max nodes, 64-bit managers, high-end hardware)   | 100,000                         | 1,000,000 or more
Deep Security Manager Nodes                                         | 1-5                             | 1-50
Databases                                                           | 1                               | 1-10,000
Database Servers                                                    | 1 (with or without replication) | 1-100

Deep Security Manager Web Console for Tenants

Some features in the Deep Security Manager Web Console are not available to tenant users. The following areas are hidden for tenants:

• Manager Nodes Widget
• Multi-Tenant Widgets
• Administration > System Information
• Administration > Licenses (if the Inherit option is selected)
• Administration > Manager Nodes
• Administration > Tenants
• Administration > System Settings:
  - Tenant Tab
  - Security Tab > Sign In Message
  - Updates Tab > Setting for allowing Tenants to use Relays from the Primary Tenant
  - Advanced Tab > Load Balancers
  - Advanced Tab > Pluggable Section
• Some of the help content not applicable to tenants
• Some reports not applicable to tenants

Some Alert Types are also hidden from tenants:

• Heartbeat Server Failed
• Low Disk Space
• Manager Offline
• Manager Time Out Of Sync
• Newer Version of Deep Security Manager available
• Number of Computers Exceeds Database Limit
• When inherited licensing is enabled, any of the license-related alerts

Enabling Multi-Tenancy

Once you enable multi-tenancy, you cannot disable it or remove the Primary Tenant.

In the Deep Security Manager Web console, click the Administration menu. In the left-hand frame, click System Settings and in the right-hand pane, click the Advanced tab. In the Multi-Tenant Options section, click Enable Multi-Tenancy.

A separate Activation Key and license is required to use Multi-Tenancy. Type your Multi-Tenancy Activation Code and click Next.

Licensing Modes

Choose the license mode you wish to implement and click Next:

• Inherit Licensing from Primary Tenant: This option gives all tenants the same licenses that you (the Primary Tenant) have. This option is recommended if you are using multi-tenancy for testing in a staging environment, or if you intend to set up tenancies for separate departments within the same organization.
• Per-Tenant Licensing: This mode is recommended when Deep Security is being offered as a service. Configured this way, you provide a license at the moment that you create a tenant account (using the API), or the tenants themselves enter a license when they sign in for the first time.
Once Multi-Tenancy is enabled, a new Tenant tab is displayed under System Settings. This tab contains options that can be globally enabled for tenants of this installation. In addition, a new Tenants item is displayed in the left-hand pane. It is from this list that individual tenants can be managed.

Creating Tenants

Once Multi-Tenant mode is enabled, tenants can be created from the Tenants page that now appears in the Administration section. In the Deep Security Manager Web console, click the Administration menu. In the left-hand frame, click Tenants. In the right-hand frame, click New to launch the New Tenant wizard.

Complete the account details page:

• Account Name: Type a tenant account name. It can be any name except Primary, which is reserved for the Primary Tenant.
• Email Address: The email address is required in order to have a contact point per tenant.
• Locale: This determines the language of the UI for this tenancy.
• Time Zone: Although time is recorded throughout Deep Security in UTC, all tenant-related events are shown to the tenant users in the time zone of the tenant account, not that of the server where they are created.

Note: In a multi-tenant environment, tenants may need to add the Deep Security Manager IP address to the Ignore Reconnaissance IP list found in Policies > Common Objects > Lists > IP Lists. This avoids a Reconnaissance Detected: Network or Port Scan warning.

Tenant Administrator

A tenant administrator must be assigned as part of the tenant creation process. Complete the first administrator account information page:

• Username: Type the name of the first user of the new tenant account.
• Password Options: Select one of the three password options:
  - No Email: The username and password for the tenant's first user are defined here and no emails are sent.
  - Email Confirmation Link: You set the password for the tenant's first user. However, the account is not active until the user clicks a link in a confirmation email.
  - Email Generated Password: This allows the tenant creator to generate a tenant without specifying the password. This is most applicable when manually creating accounts for users where the creator does not need access.

Note: All three of these password options are available through the REST API. The confirmation option provides a suitable method for developing public registration. A CAPTCHA is recommended to ensure that the tenant creator is a human and not an automated bot. The email confirmation ensures that the email address provided belongs to the user before they can access the account.

Note: If problems occur during the tenant creation process, check the following:
- Does the database have sufficient permissions?
- Does the database server support additional databases (size or total number cap)?
- Check serverx.log for errors.

Tenant Account Confirmation

Email confirmations of account creation are sent to the tenant contact user based on the email address indicated in the New Tenant wizard. The confirmation contains a link to activate the account or access the Deep Security Manager Web console.

Managing Tenants

Tenants are managed from the Deep Security Manager Web console. Click the Administration menu. In the left-hand frame, click Tenants. The list of configured tenants is displayed.

Tenant State

A tenant can be in any of the following states:

• Created: Tenants listed in the Created state are in the process of being created but are not yet active.
• Confirmation Required: Tenants in this state have been created, but the activation link in the confirmation email sent to the tenant user has not yet been clicked.
  An administrator can manually override this state.
• Active: Tenants in this state are online and managed.
• Database Upgrade Failure: Tenants in this state failed the upgrade path. Click Database Upgrade to resolve this situation.
• Suspended: Tenants in this state are no longer accepting sign-ins.
• Pending Deletion: Tenants can be deleted; however, the process is not immediate. The tenant can be in the Pending Deletion state for up to seven days before the database is removed.

Tenant Properties

Properties for the tenants are displayed in the following tabs.

General

The General tab displays account information about the tenant. The Account Name cannot be modified once the tenant is created. The Locale, Time Zone and State of the tenant can be altered. Be aware that changing the time zone and locale does not affect existing tenant users. It only affects new users in that tenancy, and events and other parts of the interface that are not user-specific. The Database Name indicates the name of the database used by this tenancy. The server the database is running on can be accessed by clicking the hyperlink.

Modules

The Modules tab provides options for protection module visibility. By default, all unlicensed modules are hidden. You can change this by de-selecting Always Hide Unlicensed Modules. Alternatively, selected modules can be shown on a per-tenant basis.

If you are evaluating Deep Security in a test environment and want to see what a full Multi-Tenancy installation looks like, you can enable Demo Mode. When in Demo Mode, Deep Security Manager populates its database with simulated tenants, computers, events, alerts, and other data.
Initially, seven days' worth of data is generated, but new data is generated on an ongoing basis to keep the Deep Security Manager Dashboard, Reports and Events pages populated with data.

Note: Demo Mode is not intended to be used in a production environment.

Features

The Features tab allows administrative users to enable and disable specific features per tenant.

Statistics

The Statistics tab shows information for the current tenant including database size, jobs processed, logins, security events and system events. The small graphs show the last 24 hours of activity.

Agent Activation

The Agent Activation tab displays a command-line instruction that can be run from the Deep Security Agent installation folder on the tenant computers to activate Agents within this tenancy. Any activation scripts created in this tenant include the tenantID and token values as part of the script commands.

Primary Contact

The Primary Contact tab lists the user who is to be contacted for communications related to that tenant.

Deleting Tenants

Deep Security customers must wait seven days before information about the tenant is completely removed from the system. When a tenant account is created, the following database items are generated:

• A new database named dsm_<name>
• Background jobs, which are saved in the dbo.managerjobs table
• Messages, which are saved in the dbo.managermessages table along with the TenantID

To delete a tenant from the Deep Security Manager Web console, the record must be removed from the dbo.tenants database table. However, this table and the dbo.managerjobs and dbo.managermessages tables are all correlated.
The record in dbo.tenants will be deleted only after all the jobs in dbo.managerjobs are finished. Because the longest job runs every week, the tenant account stays in the pending deletion state for approximately seven days before it is removed.

Immediate deletion of tenants is not recommended, but if a tenant insists, you can follow this procedure to delete the tenant immediately from the database.
1 Open the Deep Security Manager database.
2 Identify the Tenant ID that you want to delete. Get the corresponding value of the TenantID from dbo.tenants. As an example, the next steps will use 1 for the TenantID.
3 Delete the jobs for the tenant using the following command:
delete from dbo.managerjobs where TenantID = 1;
4 Delete the messages for the tenant using this command:
delete from dbo.managermessages where TenantID = 1;
5 Delete the tenant account from the DB using this command:
delete from dbo.tenants where TenantID = 1;
6 Drop database dsm_<name> for this tenant.
The tenant will then be removed from the database and will no longer appear in the Deep Security Manager Web console.

Diagnosing Tenant Issues
Tenants are not able to access Deep Security Manager diagnostic packages due to the sensitivity of the data contained within the packages. Tenants can still generate Agent diagnostics by opening the Computer Editor and choosing Overview > Actions > Agent Diagnostics.

Activating Deep Security Agent on Tenants
Agent-initiated activation is enabled by default for all tenants. Unlike Agent-initiated activation for the Primary Tenant, a Password and Tenant ID are required to invoke the activation for tenant Users. Using tools like Chef or Puppet, tenants can install and deploy Agents using scripts. These scripts can be generated using a wizard launched from Support > Deployment Scripts. The Tenant ID and Password must be appended to the script.
The Tenant ID and password are displayed on the Agent Activation tab.

Deep Security Relays
Each Deep Security Manager must have access to at least one Deep Security Relay, including tenants in a Multi-Tenancy Deep Security installation. By default, the Relays in the Default Relay Group on the Primary Tenant are also available to the other tenants. The setting is located in the Administration menu under System Settings > Tenants > Multi-Tenant Options. If this option is disabled, tenants will have to install and manage their own Deep Security Relays.

Usage Monitoring
Deep Security Manager records data about tenant usage. This information is displayed in the Tenant Protection Activity widget on the Dashboard, the Statistics tab in tenant Properties, and the Chargeback report. This information can also be accessed through the Status Monitoring REST API, which can be enabled or disabled from Administration > Advanced > System Settings > Advanced > Status Monitoring API. This chargeback (or viewback) information can be customized to determine what attributes are included in the record. This configuration is designed to accommodate various charging models that may be required in service provider environments. For enterprises this may be useful to determine the usage by each business unit.

Multi-Tenant Dashboard
When Multi-Tenancy is enabled, Primary Tenant users have access to additional Dashboard widgets for monitoring tenant activity. The same information is available in Administration > Tenants (some in optional columns) and on the Statistics tab of a tenant's Properties. This information provides the ability to monitor the usage of the overall system and look for indicators of abnormal activity; for instance, if a single tenant experiences a spike in Security Event Activity, they may be under attack.
Multi-Tenant Dashboard/Reporting
More information is available in the Chargeback report (in the Events & Reports section). This report details protection hours, the current database sizes, and the number of computers (activated and non-activated) for each tenant.

Status Monitoring API
Use the Status Monitoring REST API to customize the type of tenant information that you would like to see, depending on your environment. For enterprises, this can be useful to determine the usage by each business unit. You can also use the information to monitor the usage of the overall Deep Security system and look for indicators of abnormal activity. For example, if a single tenant experiences a spike in security event activity, it might be under attack.

Administering Tenants
In certain cases, the Primary Tenant may be required to access a Deep Security Manager Web console on a tenant. The Tenants List and tenant Properties pages provide an option to sign in as a given tenant, granting immediate access. Users are logged in as a special account on the tenant using the prefix support_. For example, if Primary Tenant user jdoe logs on as a tenant, an account is created called support_jdoe with the Full Access role. The user is deleted when the support user times out or signs out of the account. The tenant can see a record of the user account being created, the user signing in, signing out and the user account being deleted, along with any other actions, in system events.

Click Administration > System Information for additional information about tenant memory usage and the state of threads. This may be used directly or provided to Trend Micro support. In addition, the server0.log on the disk of Deep Security Manager nodes contains additional information on the name of the tenant (and the user if applicable) that caused the log entry. This can be helpful in determining the source of issues.
In some cases, tenants may require custom adjustments not available in the Deep Security Manager Web console, usually at the request of Trend Micro support. The command line utility to alter settings accepts the following argument to direct the setting change or other command line action at a specific tenant:
-Tenantname "account name"
If omitted, the requested action is performed on the Primary Tenant.

Tenants are able to control login access from the Primary Tenant using the option Allow Tenants to control access from Primary Tenant. Whenever a Primary Tenant accesses a Tenant account, the access is logged on the Tenant system.

Logging into Deep Security Manager as a Tenant
When Multi-Tenancy is enabled, the sign-in page has an additional Account Name text field. Tenants are required to enter their Account Name in addition to their Username and Password. The account name allows tenants to have overlapping usernames (for example, if multiple tenants synchronize with the same Active Directory server).

Note: When you log in as the Primary Tenant, leave the Account Name field blank or type Primary.

When tenants log in, they have a very similar environment to a fresh install of Deep Security Manager. Some features in the Deep Security Manager Web console are not available to tenant users. It is also important to note that tenants cannot see any of the Multi-Tenant features of the primary tenant or any data from any other tenant. In addition, certain APIs are restricted since they are only usable with Primary Tenant rights, such as creating other tenants.

All tenants have the ability to use Role-Based Access Control with multiple user accounts to further sub-divide access. Additionally, they can use Active Directory integration for users to delegate the authentication to the domain. The tenant Account Name is still required for any tenant authentications.
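A model of the tenant deletion procedure described earlier in this appendix, added here as an example (it is not Trend Micro code). An in-memory SQLite database stands in for the Deep Security Manager database and is attached under the schema name dbo so the quoted DELETE statements apply unchanged; the table columns and sample rows are constructed. It shows why the normal path waits for the slowest outstanding job and wraps the manual steps 3 to 5 in a single transaction so the correlated tables are never left half-cleaned.

```python
"""Tenant deletion in the Deep Security Manager database, modelled with SQLite.
Added example, not Trend Micro code: only the table names and the DELETE
statements come from the course text; columns and rows are constructed."""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data: one tenant pending deletion with a weekly job still
# to run, and one active tenant with an hourly job.
NOW = datetime(2021, 2, 18, 12, 0, 0)
TENANTS = [(1, "acme", "dsm_acme", "Pending Deletion"),
           (2, "globex", "dsm_globex", "Active")]
JOBS = [(1, "weekly-maintenance", NOW + timedelta(days=6)),   # (TenantID, Name, NextRun)
        (2, "hourly-sync", NOW + timedelta(hours=1))]
MESSAGES = [(1, "policy update"), (1, "heartbeat"), (2, "heartbeat")]


def build_db() -> sqlite3.Connection:
    """Create the three correlated tables named in the text under the dbo schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS dbo")
    conn.executescript("""
        CREATE TABLE dbo.tenants (TenantID INTEGER PRIMARY KEY, Name TEXT,
                                  DatabaseName TEXT, State TEXT);
        CREATE TABLE dbo.managerjobs (JobID INTEGER PRIMARY KEY, TenantID INTEGER,
                                      Name TEXT, NextRun TEXT);
        CREATE TABLE dbo.managermessages (MsgID INTEGER PRIMARY KEY,
                                          TenantID INTEGER, Body TEXT);
    """)
    conn.executemany("INSERT INTO dbo.tenants VALUES (?, ?, ?, ?)", TENANTS)
    conn.executemany("INSERT INTO dbo.managerjobs (TenantID, Name, NextRun) VALUES (?, ?, ?)",
                     [(t, n, r.isoformat()) for t, n, r in JOBS])
    conn.executemany("INSERT INTO dbo.managermessages (TenantID, Body) VALUES (?, ?)", MESSAGES)
    conn.commit()
    return conn


def days_until_removed(conn, tenant_id, now=NOW) -> float:
    """Normal path: the dbo.tenants row goes only after the last job has run.
    Returns the days left before the slowest outstanding job completes (0.0 when
    none remain), which is why pending deletion can last about a week."""
    row = conn.execute("SELECT MAX(NextRun) FROM dbo.managerjobs WHERE TenantID = ?",
                       (tenant_id,)).fetchone()
    if row[0] is None:
        return 0.0
    return max(0.0, (datetime.fromisoformat(row[0]) - now).total_seconds() / 86400)


def delete_tenant_immediately(conn, tenant_id) -> dict:
    """Manual steps 3 to 5 as one transaction: jobs, then messages, then the
    tenant row. Returns the rows removed and the tenant database to drop (step 6)."""
    row = conn.execute("SELECT DatabaseName FROM dbo.tenants WHERE TenantID = ?",
                       (tenant_id,)).fetchone()
    if row is None:
        raise ValueError(f"no tenant with TenantID {tenant_id}")
    with conn:  # commits on success, rolls back every delete on any error
        jobs = conn.execute("delete from dbo.managerjobs where TenantID = ?",
                            (tenant_id,)).rowcount
        msgs = conn.execute("delete from dbo.managermessages where TenantID = ?",
                            (tenant_id,)).rowcount
        tenants = conn.execute("delete from dbo.tenants where TenantID = ?",
                               (tenant_id,)).rowcount
    return {"jobs": jobs, "messages": msgs, "tenants": tenants, "drop_database": row[0]}


if __name__ == "__main__":
    db = build_db()
    print(f"tenant 1 would linger {days_until_removed(db, 1):.1f} more days")
    print("immediate deletion:", delete_tenant_immediately(db, 1))
```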
Review Questions
1 Describe some situations where an organization would benefit from multi-tenancy in Deep Security.
2 How is information from one tenant isolated from the data of other tenants running on the same Deep Security Manager?
3 How does the Deep Security Manager Web console of the Primary tenant differ from that of a tenant?

Appendix B: Protecting Virtual Machines Using the Deep Security Virtual Appliance

Lesson Objectives:
After completing this lesson, participants will be able to:
• Describe how the Deep Security Virtual Appliance provides Agentless protection for virtual machines hosted on the ESXi Server
• Describe how Deep Security is deployed in VMware environments
• Describe the VMware components required for Agentless protection
• Describe how high availability features in VMware affect the Deep Security Virtual Appliance

Deep Security has a deep integration with VMware for the purpose of protecting virtual machines. The Trend Micro Deep Security Virtual Appliance protects virtual machines running on your VMware ESXi servers through VMware NSX-V or NSX-T Manager.

[Diagram: vCenter and NSX Manager managing a VMware ESXi host, on which the Deep Security Virtual Appliance runs alongside the protected VMs]

Through the integration with VMware NSX, Deep Security Virtual Appliances can perform Firewall, Intrusion Prevention, Anti-Malware (Windows only), Web Reputation and Integrity Monitoring (Windows only) on virtual machines hosted on the ESXi server without the need of a physical Agent. If Application Control and Log Inspection are required in the implementation, an on-virtual-host Deep Security Agent can be installed.
Deep Security Virtual Appliance
The Deep Security Virtual Appliance itself is a guest virtual machine running the CentOS 64-bit operating system. It works by intercepting network and disk I/O traffic intended for virtual machines, and then analyzing this traffic for malicious content. The Deep Security Virtual Appliance is built on the same code base as the Deep Security Agent, but smart policy installation does not make sense for the Deep Security Virtual Appliance; therefore all of the features are installed and updated automatically.

The main process running in the Deep Security Virtual Appliance is called Master Agent (ds_Agent), and its purpose is to protect the Deep Security Virtual Appliance itself and all protected virtual machines on the same ESXi server. The Master Agent creates and maintains a directory for each virtual machine that is protected. These directories are named using the virtual machine's BIOS UUID and are referred to as Virtual Agents, as they hold an individual set of configuration settings, databases and quarantine items for each virtual machine. There is a one-to-one relationship between Virtual Agents and the virtual machines being protected.

Each Deep Security Agent requires network connectivity to locate the Deep Security Manager and Relays. By using a Deep Security Virtual Appliance, network connectivity is limited to the virtual appliance, and connectivity from Deep Security components to each individual virtual machine is not required.

Benefits of Using the Virtual Appliance
Using the Deep Security Virtual Appliance delivers certain benefits over the use of a physical Deep Security Agent.

Automatic Protection
Generally, deploying one Deep Security Virtual Appliance to each ESXi host is easier than deploying an Agent on multiple virtual machines. With NSX, deployment of Deep Security is done through NSX Manager and applied to the cluster.
Any new hosts added to the cluster automatically get Deep Security protection.

Simplified Management
In some cases, the team managing the infrastructure and the team managing each virtual machine are different (in a Managed Service Provider model, for example). By using a Deep Security Virtual Appliance, the infrastructure team does not require access to the virtual machine to add protection, because it can be deployed at the hypervisor level and protect each of the virtual machines.

Improved Scan Performance
When the Deep Security Virtual Appliance scans a file, it creates a fingerprint of this file. When files with the same fingerprint are found on other virtual machines, those files no longer need to be scanned, which can considerably reduce the overall scan time, particularly in situations such as a Virtual Desktop Infrastructure (VDI). This method of scan caching allows the results of an Anti-Malware scan to be reused when scanning multiple machines that use the same policy and contain a majority of the same files. Where the workloads are different (such as when protecting multiple servers), the scan cache savings are not as significant.

Resource Optimization
There can be an increased demand on computing resources when Anti-Malware scans are triggered simultaneously on multiple guest virtual machines on a single physical host, for example, when a scheduled scan is triggered. The result is degradation of service. When scanning is done by the Deep Security Virtual Appliance, the virtual appliance has knowledge of all of the machines it is protecting. When performing Anti-Malware scanning, the virtual appliance can manage resource usage by staggering the launch of the individual scans, thereby preventing these scan storms from occurring.
Virtual Appliance Deployment Models
There are different deployment models for Deep Security that use VMware to provide either hypervisor-based Agentless protection or on-host Agent-based protection.

Deep Security previously had a deep integration with VMware vCloud Networking and Security (vCNS). In this deployment architecture, customers could use the Deep Security Virtual Appliance to protect their environment at the hypervisor level, which provided compatibility with Firewall, Intrusion Prevention, Web Reputation, Integrity Monitoring and Anti-Malware. VMware has discontinued general support for vCNS and at the same time released a new virtualization and networking platform called VMware NSX. Administrators still have options on how they approach security for their VMware deployments, but must be aware that Agentless security now requires a transition to VMware NSX.

Note (NEW): The full capabilities of the Deep Security Virtual Appliance are supported on VMware NSX-T 3.0.

Deployments Using NSX for vShield Endpoint
NSX 6.2.4 introduced a new default license version of NSX called NSX for vShield Endpoint. This version does not require a license to enable Anti-Malware and Integrity Monitoring functionality. Customers who want to use the default license version of NSX for vShield Endpoint but still require the Intrusion Prevention, Firewall, Log Monitoring, Application Control and Web Reputation capabilities of Deep Security must install a software Agent on each virtual machine. This is what is referred to as Combined Mode.

Some key points in considering Combined Mode:
• Deployment scripts can be used to automate the deployment of the Deep Security Agent using various orchestration tools (Chef, Puppet, etc.). Using scripts simplifies the deployment of Agents and also allows activation and assignment of policy.
These scripts help to reduce the manual intervention required when deploying the software Agent in the VMware environment.
• To specify whether the protection should be provided by the Deep Security Agent or the Deep Security Virtual Appliance in Combined Mode, select an affinity for each of the Deep Security Protection Modules. When you have imported a vCenter into Deep Security Manager, the affinity settings will be available in the Computer or Policy editor, on the Settings > General tab.

For each protection module or group of protection modules you can choose from these settings:
• Appliance Only: The Protection Module will only be provided by the Deep Security Virtual Appliance, even if there is a Deep Security Agent on the virtual machine. The Agent will never run the Protection Module, even if the Deep Security Virtual Appliance is deactivated or removed.
• Appliance Preferred: If there is an activated Deep Security Virtual Appliance for the virtual machine, it will provide the protection. But if the Deep Security Virtual Appliance is deactivated or removed, the Deep Security Agent will provide protection instead.
• Agent Only: The Protection Module will only be provided by the Deep Security Agent, even if there is an activated Deep Security Virtual Appliance available.
• Agent Preferred: If there is an activated Deep Security Agent on the virtual machine, it will provide the protection. But if there is no activated Agent, the Deep Security Virtual Appliance will provide protection instead.

The Log Inspection and Application Control modules do not have an affinity setting because they are only available with the Deep Security Agent. When the Anti-Malware module is enabled on Deep Security Agents, the Anti-Malware Solution Platform is downloaded and started as a service.
If you do not want this to happen, set the Anti-Malware affinity to Appliance Only so that even if the Deep Security Virtual Appliance is deactivated, Anti-Malware will not be enabled on the Agents.

Note: If you are using the SAP module, keep in mind that it is only available with the Deep Security Agent and it requires that the Anti-Malware protection be Agent-based.

Deployments Using NSX Advanced or Enterprise
In VMware NSX Advanced or Enterprise deployments, customers can use Deep Security Virtual Appliances to provide Agentless support for Firewall, Intrusion Prevention, Integrity Monitoring, Web Reputation, and Anti-Malware. In this deployment scenario, customers can get the full benefits of Agentless protection in their VMware environments.

Deployments Without NSX
Customers protecting VMware environments without NSX can use a Deep Security Agent on each of their virtual machines. By using the Deep Security Agent, the VMware environment can be protected using all the Deep Security Protection Modules.

[Table (cell values not recoverable): each Protection Module (Anti-Malware, Web Reputation, Intrusion Prevention, Firewall*, Integrity Monitoring, Log Inspection, Application Control) against the deployment options: Agent-based protection, and Agentless protection with vShield Endpoint for NSX (free), NSX Advanced or NSX Enterprise]
* With the built-in NSX firewall, the Deep Security Firewall will not normally be used.

Deploying and Activating the Virtual Appliance Using NSX-V
Once VMware NSX-V and the ESXi server are prepared, the Deep Security Virtual Appliance can be deployed.
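The Combined Mode affinity rules and the deployment-model limits from the preceding pages, encoded as an added example (not Trend Micro code): given a module, its affinity, which components are activated and the NSX edition in use, it resolves which component provides the protection and whether the Anti-Malware Solution Platform may start on the Agent. Module and edition names are the ones this lesson uses; the function names, the per-edition table and the scenario are constructed.

```python
"""Which component protects each module on one VMware guest, following the
Combined Mode affinity rules and NSX edition limits in this lesson.
Added example, not Trend Micro code: function names and tables are constructed."""
from enum import Enum


class Affinity(Enum):
    APPLIANCE_ONLY = "Appliance Only"
    APPLIANCE_PREFERRED = "Appliance Preferred"
    AGENT_ONLY = "Agent Only"
    AGENT_PREFERRED = "Agent Preferred"


# These two modules exist only in the Agent and therefore have no affinity setting.
AGENT_ONLY_MODULES = {"Log Inspection", "Application Control"}

# Modules the Virtual Appliance can deliver agentlessly per NSX edition; the free
# NSX for vShield Endpoint license covers only the two file-based modules.
FULL_AGENTLESS = {"Anti-Malware", "Integrity Monitoring", "Web Reputation",
                  "Firewall", "Intrusion Prevention"}
AGENTLESS_BY_EDITION = {
    "NSX for vShield Endpoint": {"Anti-Malware", "Integrity Monitoring"},
    "NSX Advanced": FULL_AGENTLESS,
    "NSX Enterprise": FULL_AGENTLESS,
}
# Agentless Anti-Malware and Integrity Monitoring are available for Windows guests only.
WINDOWS_ONLY_AGENTLESS = {"Anti-Malware", "Integrity Monitoring"}


def appliance_can_provide(module, nsx_edition, guest_is_windows=True):
    """True if an activated Virtual Appliance could run this module for this guest."""
    if module not in AGENTLESS_BY_EDITION.get(nsx_edition, set()):
        return False
    return guest_is_windows or module not in WINDOWS_ONLY_AGENTLESS


def protection_provider(module, affinity, agent_activated, appliance_activated,
                        nsx_edition, guest_is_windows=True):
    """Return "agent", "appliance" or None (the module is left unprotected)."""
    if module in AGENT_ONLY_MODULES:           # affinity is irrelevant here
        return "agent" if agent_activated else None
    appliance_ok = appliance_activated and appliance_can_provide(
        module, nsx_edition, guest_is_windows)
    if affinity is Affinity.APPLIANCE_ONLY:    # the Agent never runs the module
        return "appliance" if appliance_ok else None
    if affinity is Affinity.AGENT_ONLY:
        return "agent" if agent_activated else None
    if affinity is Affinity.APPLIANCE_PREFERRED:
        if appliance_ok:
            return "appliance"
        return "agent" if agent_activated else None
    # Affinity.AGENT_PREFERRED: fall back to the appliance when no Agent is active
    if agent_activated:
        return "agent"
    return "appliance" if appliance_ok else None


def amsp_may_start_on_agent(affinity, agent_activated):
    """Whether the Anti-Malware Solution Platform may be downloaded and started as
    a service on the Agent; Appliance Only is the setting that rules it out."""
    return bool(agent_activated) and affinity is not Affinity.APPLIANCE_ONLY


def coverage(affinities, agent_activated, appliance_activated, nsx_edition,
             guest_is_windows=True):
    """Map every configured module to its provider for one virtual machine."""
    return {m: protection_provider(m, a, agent_activated, appliance_activated,
                                   nsx_edition, guest_is_windows)
            for m, a in affinities.items()}


if __name__ == "__main__":
    # Constructed scenario: free NSX edition, appliance deployed, no Agent installed yet.
    aff = {"Anti-Malware": Affinity.APPLIANCE_PREFERRED,
           "Firewall": Affinity.APPLIANCE_PREFERRED,
           "Log Inspection": None}
    for module, who in coverage(aff, False, True, "NSX for vShield Endpoint").items():
        print(f"{module:20s} -> {who or 'UNPROTECTED'}")
```

Running the scenario shows the Combined Mode gap directly: on the free edition the appliance covers Anti-Malware, but Firewall and Log Inspection stay unprotected until an Agent is activated.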
The steps involved in deploying the Virtual Appliance include:
1 Importing the Deep Security Virtual Appliance package into Deep Security Manager
2 Adding VMware vCenter to the Deep Security Manager Computers list
3 Installing the Guest Introspection Service on VMware ESXi
4 Installing the Deep Security Service on VMware ESXi
5 Creating an NSX Security Group
6 Creating an NSX Security Policy
7 Applying the NSX Security Policy to the NSX Security Group
8 Activating Deep Security Protection on the virtual machines

Importing the Deep Security Virtual Appliance Package into Deep Security Manager
Because of the size of the Deep Security Virtual Appliance package, it is recommended that it be downloaded from the Trend Micro Software Download page, then imported manually into Deep Security Manager.

In a web browser, type the following URL to access the Deep Security Help Center Software Download page:
https://help.deepsecurity.trendmicro.com/software

On the Long Term Support (LTS) tab, scroll to the Appliance section. Click to download the Deep Security Appliance 20.0._____for ESX-x86_64 package and download the .zip file to a location on the hard drive.

Once downloaded, log into the Deep Security Manager Web console and click Administration. In the left-hand pane, expand Software > Local Software and click Import. Click Browse to locate the downloaded Deep Security Appliance 20.0._____for ESXx86_64.zip package.

Once the import is complete, the appliance installation package will be displayed in the Local Software list.
Adding VMware vCenter to Deep Security Manager
To manage the security of the virtual machines hosted on the ESXi server with Deep Security agentlessly, with an Agent, or in Combined Mode, you must add the vCenter to the Computers list in Deep Security Manager.

In the Deep Security Manager Web console, click the Computers menu and add a VMware vCenter. Provide the details of the vCenter.

Provide the details of the NSX Manager when prompted.

The Add VMware vCenter Wizard will display a successful result message when the vCenter has been imported. The wizard will automatically create two Event-Based Tasks: one activates virtual machines when protection is added and the other deactivates virtual machines when protection is removed.

In the Computers list, expand vCenter. The ESXi clusters and virtual machines are displayed in the list.

Installing the Guest Introspection Service on VMware ESXi
To use the Deep Security Virtual Appliance for file-based protection such as Anti-Malware and Integrity Monitoring, you must install the Guest Introspection service on your ESXi servers. Guest Introspection offloads file-based scanning to a dedicated secure virtual appliance delivered by VMware partners such as Trend Micro.

In the vSphere Web Client, click Home > Networking & Security > Installation and Upgrades. Click the Service Deployments tab. Add a new service deployment and select Guest Introspection.

When prompted, identify the cluster that contains the ESXi servers and virtual machines to protect.
When prompted, identify the network attributes.

Review the settings, and click Finish. vSphere will take a few minutes to install the Guest Introspection service on your ESXi servers.

Installing the Deep Security Service on VMware ESXi
Deploying the Trend Micro Deep Security service will enable the Deep Security Virtual Appliance on the ESXi server.

Still in the vSphere Web Client, go to Home > Networking & Security > Installation and Upgrades and click the Service Deployments tab once again. Add another new service deployment and select the Trend Micro Deep Security service.

When prompted, identify the cluster that contains the ESXi servers and virtual machines that you want to protect, and click Next.

When prompted, identify the network attributes.

Review the settings, and click Finish. vSphere will take a few minutes to install the Deep Security service on your ESXi servers.

Creating an NSX Security Group
Still in the vSphere Web Client, go to Home > Networking & Security > Service Composer. Click the Security Groups tab. Create a New Security Group. Assign a Name and provide a Description for the security group.

You can restrict membership of virtual machines in this group based on certain filtering criteria if required.
To include the virtual machines that you want to protect, click Virtual Machine from the Object Type menu, and move the client virtual machines to protect to the Selected Objects column. Click Finish to create the new Security Group.

The Security Groups tab will display the newly created Security Group.

Creating an NSX Security Policy
An NSX Security Policy with Deep Security enabled as both an endpoint and a network service must be created.
• If you are using only the Anti-Malware or Integrity Monitoring Modules, you will only need to enable the Guest Introspection service.
• If you have NSX Advanced or NSX Enterprise and are also using the Web Reputation, Firewall, or Intrusion Prevention Protection Modules, you will only need to enable the Network Introspection service.

Still in the vSphere Web Client, go to Home > Networking and Security > Service Composer and click the Security Policies tab. Create a new Security Policy. Type a Name and Description for the new policy.

In the Add Guest Introspection Service window, click the green plus sign (+) to add a Guest Introspection Service. Provide the following details for the service, for example:
• Name: Type a Name for the service
• Description: Type a description for the service
• Action: Apply
• Service Name: Trend Micro Deep Security
• Service Profile: If you are using event-based tasks to handle the creation and protection of virtual machines, select Default (EBT). If you have synchronized your Deep Security policies with NSX Service Profiles, select the Service Profile that matches the Deep Security policy that you want to apply.
• State: Enabled
• Enforce: Yes

If using the NSX firewall, configure the firewall rules you require.

Add two Network Introspection Services to the NSX Security Policy: a first one for outbound traffic, and a second one for inbound traffic.

Create the first, outbound service:
• Name: Type a name for the first service, preferably one that includes the word Outbound
• Action: Redirect to service
• Service Name: Trend Micro Deep Security
• Profile: Select the NSX Service Profile created previously.
• Source: Policy's Security Groups
• Destination: Any
• Service: Any
• State: Enabled
• Log: Do not log

Create the second, inbound service:
• Name: Type a name for the second service, preferably one that includes the word Inbound
• Action: Redirect to service
• Service Name: Trend Micro Deep Security
• Profile: Select the NSX Service Profile created previously.
• Source: Any
• Destination: Policy's Security Groups
• Service: Any
• State: Enabled
• Log: Do not log

Both Network Introspection Services are displayed.

The policy is listed as published.

Applying the NSX Security Policy to the NSX Security Group
The Security Policy must be applied to the Security Group containing the virtual machines to protect. Still in the vSphere Web Client, click Home > Networking & Security > Service Composer. Click the Security Policies tab and, with the new Security Policy selected, click Apply Security Policy.
Select the Security Group that contains the virtual machines you want to protect and click OK.

The NSX Security Policy is now applied to the virtual machines in the NSX Security Group. When virtual machines are moved into the security group, they will get the NSX Security Group tag, and Deep Security Manager will automatically activate the virtual machines and assign the policy to them.

Activating Deep Security Protection on the Virtual Machines
Like any Deep Security Agent, a Virtual Appliance also needs to be activated in order to communicate with Deep Security Manager. Deep Security Virtual Appliance activation works the same way as Deep Security Agent activation; it enables Deep Security Virtual Appliance self-protection and initiates Virtual Agent instantiation.

Note: If the Deep Security Virtual Appliance is deployed to an unprepared ESXi machine, it cannot be activated and activation attempts will fail.

Return to the Deep Security Manager Web console, where you can activate the virtual machines in the imported vCenter and apply Deep Security Policies to them.

Virtual Agent Activation
Like regular Deep Security Agents, Virtual Agents (VA) must be activated before they can provide protection for their virtual machines. Virtual machines can be activated manually by right-clicking the device in the Computers list in the Deep Security Manager Web console. A Virtual Agent doesn't actually exist until it is activated. Activation creates the Agent's subdirectory, under /var/opt/ds_Agent/guests, along with its component files.
Viewing Protected Virtual Machines
Protected virtual machines, and by extension the Virtual Agents that provide protection, are displayed in the Deep Security Manager Web console. Click Preview for a computer to view the status.

Deep Security Notifier
The Deep Security Notifier is a Windows System Tray application which provides local notification when malware is detected or malicious URLs are blocked. It may be installed separately on protected virtual machines; however, the Anti-Malware Protection Module must be licensed and enabled on the virtual machine for the Deep Security Notifier to display information. The Notifier displays pop-up user notifications when the Anti-Malware module begins a scan, or blocks malware or access to malicious web pages. The Notifier also provides a console utility that allows the user to view events.

Deep Security Virtual Appliance-Related Communication
To deploy and manage the Deep Security Virtual Appliance, Deep Security Manager must be able to communicate with the device itself as well as the vCenter server that manages the ESXi server upon which the Deep Security Virtual Appliance is installed. Disruption of either communication is undesirable, but will not actually disrupt protection functionality once it is already in place.

Communication between Deep Security Manager and the vCenter Server takes place regularly. It can be time-based or event-based; for example, when a new virtual machine is created in the virtual infrastructure, vCenter automatically notifies Deep Security Manager, which in turn informs the Deep Security Virtual Appliance to enable protection.
Traffic between the Deep Security Virtual Appliance and Deep Security Manager

This is virtually identical to the traffic that would flow between Deep Security Manager and Deep Security Agents and consists of rule updates, log events and heartbeat messages. This communication is initiated according to the heartbeat schedule or upon administrator intervention. Any disruption to the communication will prevent rule updates and event consolidation at the Deep Security Manager.

Traffic between vCenter Server and Deep Security Manager

Deep Security Manager uses this communication channel to receive virtual machine-related events. This includes virtual machine creation, start and stop events, and vMotion events. Deep Security Manager always stays logged on to vCenter Server. If the connection is lost, Deep Security Manager tries to re-establish communication every 10 minutes. Disruptions to this communication during deployment will cause deployment to fail. Any disruptions to this communication during normal operations will prevent Deep Security Manager from detecting the creation of new virtual machines and vMotion events. In addition, virtual machine status indicators in the Deep Security Manager will not be updated.

Traffic between ESXi and Deep Security Manager

This communication channel only applies during deployment of the Deep Security Virtual Appliance. Any disruption to the communication during deployment will cause the deployment to fail.

Deep Security Manager and VMware vCenter Server

As discussed previously, Deep Security Manager communicates with vCenter Server to obtain information about the virtual environment it is protecting.
Re-configuring vCenter Server Communication

Running the Add VMware vCenter wizard from the Computers list ensures that Deep Security Manager has sufficient credentials to establish a relationship with a vCenter Server instance; otherwise, the wizard would fail. In the event that this information changes, administrators can update it by right-clicking the relevant vCenter Server in the Computers list and clicking Properties.

General

This tab defines basic Deep Security Manager to vCenter Server communication. The vCenter Server host information, communication port, and logon credentials can be reconfigured here.

NSX Manager

This tab defines the location, port and credentials for configuring NSX Manager.

Network configuration

This tab defines the IP address and subnet configuration that Deep Security Virtual Appliance kernel drivers use when they are deployed to ESXi servers. These values should not be modified unless absolutely necessary.

Deep Security Manager and vCenter Server Synchronization

Deep Security Manager synchronizes its information with vCenter Server constantly to ensure that any changes that occur within the virtual environment are captured, such as the creation of virtual machines or vMotion events. Although this synchronization occurs automatically, administrators still have the option to synchronize manually. This can be done by right-clicking the vCenter Server in the Computers list and clicking Synchronize Now. Alternately, the information can be synchronized from vCenter Server Properties.
Event-based tasks

Event-based tasks define system responses for particular situations, such as when a virtual machine is added or moved to a protected ESXi server. These events can trigger tasks such as assigning a policy or relay group. The Deep Security Virtual Appliance can instantiate and activate Virtual Agents for virtual machines as they are created and automatically assign a specific security profile.

Agentless Anti-Malware Protection

The Deep Security Virtual Appliance provides malware protection for virtual machines without installing any components on them.

Real-Time Scanning

Real-time scanning uses write-only scan mode: if Guest Introspection cannot detect that the file has changed, it is not scanned. As applications attempt to access files within the virtual machine, Guest Introspection system drivers detect the Input/Output (I/O) event and send data about the file being accessed to the Deep Security Virtual Appliance for analysis. If malware is detected, the Deep Security Virtual Appliance is able to leverage Guest Introspection to prevent the malicious change.

On-Demand Scan

When performing on-demand scans, the Deep Security Virtual Appliance sends the requested list of directories, files and exclusions and then starts receiving the enumeration of events. Each event includes information about a single file, including its name and attributes. To read the file contents, the Deep Security Virtual Appliance has to send a separate read request, one per file. After analyzing the file, the Deep Security Virtual Appliance can request the server to write new content to, truncate, or delete that file.

Scan Cache Settings and Concurrent Scan

Scan caching can help to enhance the Deep Security Virtual Appliance's Anti-Malware scanning on virtual machines.
Sequential scanning is used to avoid scan storms (all virtual machines scanning concurrently, using up resources on the ESXi server at the same time), which can have a high host CPU impact.

In virtual desktop environments, many of the virtual machines are the same, created from a cloned image. This means that many virtual machines are scanning the same file hundreds of times on every ESXi server. De-duplication helps solve this problem, found in Agentless deployments in VDI environments.

A Scan Cache Configuration is a collection of settings that determines the Expiry Time of the cache, the use of Update Sequence Numbers (USNs), files to exclude, and files to include. Virtual machines that use the same Scan Cache Configuration also share the same Scan Cache. You can see the list of existing Scan Cache Configurations by going to Administration > System Settings > Advanced > Scan Cache Configurations and clicking View Scan Cache Configurations. Deep Security comes with several pre-configured default Scan Cache Configurations. These are applied automatically by the Virtual Appliance depending on the properties of the virtual machines being protected and the types of scan being performed.

• Expiry Time: This setting determines the lifetime of individual entries in a Scan Cache. The default recommended settings are one day for Manual (on-demand)/Scheduled Malware Scans, 15 minutes for Real-Time Malware Scans, and one day for Integrity Monitoring Scans.
• Use USN (Windows only): This setting specifies whether to make use of Windows NTFS Update Sequence Numbers, a 64-bit number used to record changes to an individual file. This option should only be set for cloned VMs.
• Files Included and Files Excluded: These fields include regular expression patterns and lists of files to be included in or excluded from the Scan Cache.
Files to be scanned are matched against the include list first. Individual files and folders can be identified by name, or you can use wildcards (* and ?) to refer to multiple files and/or locations with a single expression. (Use * to represent any zero or more characters, and use the question mark ? to represent any single character.) The include and exclude lists only determine whether the scan of the file will take advantage of Scan Caching. The lists will not prevent a file from being scanned in the traditional way.

The Scan Cache prioritizes files that take longer to scan, rather than files that are accessed most often, to save memory and get the best result. There is one cache for on-demand scans, one cache for Real-Time scans, and one cache for Integrity Monitoring scans. Also, for security reasons, the first 1 KB of file data is always scanned again when used with Real-Time scan.

The gain of using a Scan Cache can be very significant (as high as 20 times better) where strong reductions in input/output volume and Deep Security Virtual Appliance CPU usage have been measured. One million cache entries in Deep Security Virtual Appliance memory use approximately 100 MB of space (the default in Deep Security Virtual Appliance policies is 500,000 entries). The cache is unique to each Deep Security Virtual Appliance.

Quarantining in Anti-Malware

A file that has been found to contain malware can be encrypted and moved to a special folder as part of a quarantine operation. Each Virtual Agent has its own quarantine folder. If the disk space usage limit is reached, the quarantine action will fail, and the I/O event that triggered the quarantine action will be blocked.
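The Scan Cache settings described above (Expiry Time, USN tracking, and include/exclude lists with * and ? wildcards) can be modelled in a few lines to see why VDI clones sharing one cache scan a file once instead of once per machine. The following is an added example, not Trend Micro code: it assumes that a file must match an include pattern and no exclude pattern to use the cache (the guide does not say which list wins on overlap), assumes case-insensitive matching, and uses constructed paths, USNs and timestamps.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Default expiry times quoted in the guide, in seconds
REAL_TIME_EXPIRY = 15 * 60          # Real-Time Malware Scans
ON_DEMAND_EXPIRY = 24 * 60 * 60     # Manual/Scheduled and Integrity Monitoring scans
DEFAULT_MAX_ENTRIES = 500_000       # default policy value quoted in the guide


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Scan Cache pattern: '*' matches any run of characters
    (including none), '?' matches exactly one character. Matching is
    case-insensitive here, an assumption made for Windows-style paths."""
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


@dataclass
class ScanCacheConfig:
    expiry_seconds: int
    use_usn: bool                       # Windows only; meant for cloned VMs
    includes: List[str]
    excludes: List[str] = field(default_factory=list)

    def cacheable(self, path: str) -> bool:
        """The include list is consulted first. A file matching no include
        pattern, or matching an exclude pattern, never uses the cache and is
        scanned the traditional way every time. ASSUMPTION: the guide does not
        say which list wins on overlap; this model lets the exclude list win."""
        if not any(wildcard_to_regex(p).match(path) for p in self.includes):
            return False
        return not any(wildcard_to_regex(p).match(path) for p in self.excludes)


class ScanCache:
    """One cache, shared by every virtual machine using the same configuration."""

    def __init__(self, config: ScanCacheConfig, max_entries: int = DEFAULT_MAX_ENTRIES):
        self.config = config
        self.max_entries = max_entries
        # path -> (USN recorded at scan time, time of the clean verdict)
        self.entries: Dict[str, Tuple[Optional[int], float]] = {}

    def needs_scan(self, path: str, now: float, usn: Optional[int] = None) -> bool:
        if not self.config.cacheable(path):
            return True
        entry = self.entries.get(path)
        if entry is None:
            return True
        cached_usn, scanned_at = entry
        if now - scanned_at > self.config.expiry_seconds:   # entry lifetime exceeded
            del self.entries[path]
            return True
        if self.config.use_usn and usn != cached_usn:      # NTFS says the file changed
            return True
        return False

    def record_clean(self, path: str, now: float, usn: Optional[int] = None) -> None:
        """Remember a clean verdict, respecting the entry limit."""
        if not self.config.cacheable(path):
            return
        if path in self.entries or len(self.entries) < self.max_entries:
            self.entries[path] = (usn, now)

    def invalidate(self, path: str) -> None:
        """Guest Introspection reported a write to the file: drop its verdict."""
        self.entries.pop(path, None)


def vdi_scan_counts(clone_count: int) -> Tuple[int, int]:
    """Simulate `clone_count` identical VDI clones, one per minute, each reading
    the same system DLL and a temp file under real-time scanning. Returns
    (scans of the DLL, scans of the temp file). Paths and USNs are constructed."""
    config = ScanCacheConfig(REAL_TIME_EXPIRY, use_usn=True,
                             includes=[r"C:\Windows\*"], excludes=["*.tmp"])
    cache = ScanCache(config)
    dll, tmp = r"C:\Windows\System32\kernel32.dll", r"C:\Windows\Temp\x.tmp"
    dll_scans = tmp_scans = 0
    for i in range(clone_count):
        now = 60.0 * i
        if cache.needs_scan(dll, now, usn=1001):
            dll_scans += 1
            cache.record_clean(dll, now, usn=1001)
        if cache.needs_scan(tmp, now, usn=2002):   # excluded: never cached
            tmp_scans += 1
            cache.record_clean(tmp, now, usn=2002)
    return dll_scans, tmp_scans
```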
Quarantined files will be automatically deleted from a Virtual Appliance under the following circumstances:
• If a virtual machine undergoes vMotion, quarantined files associated with that virtual machine will be deleted from the Virtual Appliance.
• If a virtual machine is deactivated from the Deep Security Manager, quarantined files associated with that virtual machine will be deleted from the Virtual Appliance.
• If a Virtual Appliance is deactivated from the Deep Security Manager, all the quarantined files stored on that Virtual Appliance will be deleted.
• If a Virtual Appliance is deleted from the vCenter, all the quarantined files stored on that Virtual Appliance will also be deleted.

Agentless Integrity Monitoring Protection

Integrity Monitoring also uses the same Guest Introspection components used for Anti-Malware. Unlike the full Integrity Monitoring capability that is available with Deep Security Agents, Integrity Monitoring in the Deep Security Virtual Appliance is limited to monitoring files and registry settings, and only works with virtual machines with Windows operating systems.

VMware High Availability

VMware enables the live migration of running virtual machines from one physical server to another with zero downtime, continuous service availability, and transaction integrity through a feature called vMotion. vMotion is typically used for the following purposes:
• Virtual machines can be moved automatically and transparently between ESXi servers in a datacenter to distribute the processing load
• Virtual machines can be automatically migrated to other ESXi servers when a particular ESXi server is being brought offline for maintenance

Deep Security Virtual Appliances can protect virtual machines even if they move between ESXi servers, provided that the destination server has a Deep Security Virtual Appliance installed.
Note: By design, the Deep Security Virtual Appliance cannot be migrated to another ESXi server using vMotion.

If you use High Availability (HA) features in VMware, make sure that the High Availability environment is established before you begin installing Deep Security. Deep Security must be deployed on all ESXi hypervisors (including the ones used for recovery operations). Deploying Deep Security on all hypervisors will ensure that protection remains in effect after an HA recovery operation.

Virtual Appliances must be pinned to their particular ESXi host. You must actively change the Distributed Resource Scheduler settings for all the Virtual Appliances to Manual or Disabled (recommended) so that they will not be vMotioned by the DRS. If a Virtual Appliance (or any virtual machine) is set to Disabled, vCenter Server does not migrate that virtual machine or provide migration recommendations for it. This is known as pinning the virtual machine to its registered host. This is the recommended course of action for Virtual Appliances in a Distributed Resource Scheduler environment.

Note: If a virtual machine is vMotioned by the Distributed Resource Scheduler from an ESXi protected by a Deep Security Virtual Appliance to an ESXi that is not protected by a Deep Security Virtual Appliance, the virtual machine will become unprotected. If the virtual machine is subsequently vMotioned back to the original ESXi, it will not automatically be protected again unless you have created an Event-based Task to activate and protect computers that have been vMotioned to an ESXi with an available Deep Security Virtual Appliance.

You can use Deep Security Manager to create an Event-Based Task to activate new machines or machines vMotioned to a protected ESXi host.
1 Log on to the Deep Security Manager Web console.
2 Click the Administration tab and click Event-Based Task > New > Computer created by system.
3 Enable the Activate computer after 1 minutes option.
4 Assign a Security Profile and then click Select the Security Profile.
5 Configure a condition of Appliance Protection Available is True. This means that if a Deep Security Virtual Appliance is online on the ESXi host where the virtual machine is created or moved, Agentless protection will be automatically activated.

Moving Deep Security Virtual Appliance Data

Each protected virtual machine has a corresponding Virtual Agent. When a virtual machine is transferred to another ESXi server, its Virtual Agent must also be replicated at the Deep Security Virtual Appliance on the receiving ESXi server. During vMotion, the data that defines a Virtual Agent's identity is compressed into a tar file and then transferred to the destination ESXi server using the default virtual machine communication channel. Data transferred includes:
• Certificates used for Virtual Appliance-Deep Security Manager communication (ds_guest_Agent.crt, ds_guest_Agent_dsm.crt)
• Anti-Malware component version information
• System event database (ds_guest_Agent.db)
• Miscellaneous vMotion-related data

This communication channel is limited to files of up to 2 KB. This is a concern for the baseline database (si.db) used for Integrity Monitoring, which can become very large depending upon the rules that are applied to the virtual machine. For this reason, Integrity Monitoring-related data is transferred through an alternative, proprietary Trend Micro channel involving a Deep Security Relay. When migrating an Integrity Monitoring-protected virtual machine, the Deep Security Virtual Appliance does the following:
1 Encrypts the Integrity Monitoring database on the Deep Security Virtual Appliance.
2 Includes the keys for decrypting the database in the *.tar file that is transferred using the default virtual machine channel.
3 Uploads the database to the Deep Security Relay.
4 Once the transfer is complete, the Virtual Agent has 10 minutes to:
• Re-locate the Deep Security Relay to which it uploaded its Integrity Monitoring database.
• Download and decrypt the database.

If the Deep Security Relay is not able to download its database within this 10 minute window, or if some other aspect of the transfer fails, then the Virtual Agent will rebuild its baseline.

Review Questions
1 Which Protection Modules are not supported in Agentless implementations?
2 What VMware components are required for Deep Security to be installed in an Agentless implementation?
3 Describe the purpose of Combined Mode.

Appendix C: Troubleshooting Common Deep Security Issues

Diagnostic Logging in Deep Security Manager

To help diagnose issues related to Deep Security, diagnostic logging can be enabled. While diagnostic logging is running, Deep Security Manager will display the message Diagnostic Logging enabled on the status bar. If you changed the default options, the status bar will display the message Non default logging enabled upon diagnostic logging completion.

Best Practice: Don't enable diagnostic logging unless recommended by your support provider. Diagnostic logging can consume large amounts of disk space and increase CPU usage.

To enable diagnostic logging, access the Deep Security Manager Web console and click the Administration menu. Click System Information in the left-hand frame and click Diagnostic Logging. Select the logging details from the list, including the time period, the options and the size of the log files.
The resulting log files are stored in the following folder:
C:\Program Files\Trend Micro\Deep Security Manager\serverx.log
The size of the log files and the number of files created will depend on the Maximum log file size and Maximum number of log files values indicated.

Creating a Diagnostic Package for Deep Security Agents

Diagnostic packages can help support personnel to investigate customer issues by including the selected traffic, configuration settings, system information and Deep Security Agent status in a *.zip file that can be analyzed offline. When generating the diagnostic package through the Deep Security Manager Web console, a list of items to include in the file is displayed in the Wizard. When creating the diagnostic package from the Command Prompt, a default collection of files is included.

Creating a Diagnostic Package in the Deep Security Manager Web Console

You can create a diagnostic package using the Deep Security Manager Web console. From the Details window for the selected computer, click Overview in the left-hand pane and, on the Actions tab, click Create Diagnostic Package. In the Diagnostic Package Wizard, select the type of information to include in the zipped package.

Creating a Diagnostic Package from the Command Line

You can also create a diagnostic package from the computer you want to obtain information about. Open the Command Prompt on the server protected by a Deep Security Agent, change to the Agent main directory and run the following command:
dsa_control -d
A *.zip file is created in the following folder:
...\Documents and Settings\All Users\Application Data\Trend Micro\Deep Security Agent\diag

Note: The path may vary depending on the version of your operating system.

The diagnostic package includes the Agent configuration files, event databases, system information and any intercepted traffic.

Creating a Diagnostic Package for Deep Security Manager

Similarly to creating diagnostic packages for the Deep Security Agents, there are also two ways in which to create a diagnostic package for Deep Security Manager.

Creating a Diagnostic Package in the Deep Security Manager Web Console

You can create a diagnostic package from the Deep Security Manager Web console. Sign in and click the Administration menu. Click System Information in the left-hand pane and click Create Diagnostic Package. In the Diagnostic Package Wizard, select the type of information to include in the diagnostic package.

Creating a Diagnostic Package from the Command Line

You can also create a diagnostic package by opening a command prompt on the Deep Security Manager server and entering the following:
dsm_c -action diagnostic
The Deep Security Manager diagnostic package is created as a *.zip file in the installation folder.

Troubleshooting Offline Agents

A computer status of Offline or Managed (Offline) means that the Deep Security Manager hasn't communicated with the agent's instance for some time and has exceeded the missed heartbeat threshold. The status change can also appear in alerts and events.

Potential Causes

Heartbeat connections can fail because:
• The agent is installed on a workstation or other computer that has been shut down.
  If you are using Deep Security to protect computers that sometimes get shut down, make sure the policy assigned to those computers does not raise an alert when there is a missed heartbeat. In the policy editor, go to Settings > General > Number of Heartbeats that can be missed before an alert is raised and change the setting to Unlimited.
• Firewall, IPS rule, or security groups block the heartbeat port number
• Amazon WorkSpace computer is being powered off, and the heartbeat interval is fast, for example, one minute; in this case, wait until the WorkSpace is fully powered off, and at that point the status should change from Offline to VM Stopped
• DNS was down, or could not resolve the Deep Security Manager's host name
• Bi-directional communication is enabled, but only one direction is allowed or reliable
• Computer is powered off
• Computer has left the context of the private network. This can occur if servers cannot connect to Deep Security Manager at their current location. Guest Wi-Fi, for example, often restricts open ports, and has NAT when traffic goes across the Internet
• Deep Security Manager, the agent, or both are under very high system resource load
• Deep Security Agent process might not be running
• Certificates for mutual authentication in the SSL or TLS connection have become invalid or revoked
• Deep Security Agent's or Deep Security Manager's system time is incorrect (required by SSL/TLS connections)
• A Deep Security rule update is not yet complete, temporarily interrupting connectivity
  If you are using manager-initiated or bi-directional communication, and are having communication issues, we strongly recommend that you change to agent-initiated activation (see Use agent-initiated communication with cloud accounts).
• On AWS EC2, ICMP traffic is required, but is blocked
• On Solaris 11, the agent was upgraded from 9.0 to 11.0 directly without first being upgraded to 9.0.0-56

Possible Solutions

To troubleshoot the error, verify that the Deep Security Agent is running, and then that it can communicate with Deep Security Manager.
• On the computer with Deep Security Agent, verify that the Trend Micro Deep Security Agent service is running. The method varies by operating system.
  - On Windows, open the Microsoft Windows Services Console (services.msc) or Task Manager. Look for the service named ds_agent.
  - On Linux, open a terminal and enter the command for a process listing. Look for the service named ds_agent or ds-agent, such as:
    sudo ps -aux | grep ds_agent
    sudo service ds_agent status
  - On Solaris, open a terminal and enter the command for a process listing. Look for the service named ds_agent, such as:
    sudo ps -ef | grep ds_agent
    sudo svcs -l svc:/application/ds_agent:default
• If agents connect to the Deep Security Manager via its domain name or hostname, not its IP address, test the DNS resolution:
  nslookup [manager domain name]
  If the test fails, verify that the agent is using the correct DNS proxy or server (internal domain names can't be resolved by a public DNS server such as Google or your ISP). If a name such as dsm.example.com cannot be resolved into its IP address, communication will fail, even though correct routes and firewall policies exist for the IP address.
• If the computer uses DHCP, in the computer or policy settings, in the Advanced Network Engine area, you might need to enable Force Allow DHCP DNS.
• Allow outbound ports (agent-initiated heartbeat). Telnet to the required port numbers on Deep Security Manager to verify that a route exists and the port is open:
  telnet [Deep_Security_Manager_IP] 4120
  Telnet success proves most of the same things as a ping: that a route and correct firewall policy exist, and that Ethernet frame sizes are correct.
  (Ping is disabled on computers that use the default security policy for Deep Security Manager. Networks sometimes block ICMP ping and traceroute to block attackers' reconnaissance scans. So usually, you can't ping the Manager to test.)

  If telnet fails, trace the route to discover which point on the network is interrupting connectivity. Methods vary by operating system. On Linux, enter the command:
  traceroute [agent IP]
  On Windows, enter the command:
  tracert [agent IP]
  Adjust firewall policies, routes, NAT port forwarding, or all three to correct the problem. Verify both network and host-based firewalls, such as Windows Firewall and Linux iptables. For an AWS EC2 instance, see Amazon's documentation on Amazon EC2 Security Groups for Linux Instances or Amazon EC2 Security Groups for Windows Instances. For an Azure VM instance, see Microsoft's Azure documentation on modifying a Network Security Group.

  If connectivity tests from the agent to the manager succeed, then next you must test connectivity in the other direction. (Firewalls and routers often require policy-route pairs to allow connectivity. If only 1 of the 2 required policies or routes exist, then packets will be allowed in one direction, but not the other.)
• Allow inbound ports (manager-initiated heartbeat). On the Deep Security Manager, ping the Deep Security Agent and telnet to the heartbeat port number to verify that heartbeat and configuration traffic can reach the agent:
  ping [agent IP]
  telnet [agent IP] 4118
  If the ping and telnet fail, use the following command to discover which point on the network is interrupting connectivity:
  traceroute [agent IP]
  Adjust firewall policies, routes, NAT port forwarding, or all three to correct the problem.
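The DNS and port checks above (nslookup, then telnet to 4120 from the agent or 4118 from the Manager) can be scripted so that the first failing step is reported together with the matching cause from the list in this section; the same function serves the relay checks later in this appendix (telnet to the relay port, nslookup of the relay name) by passing that host and port. The following is an added example in Python, not Trend Micro code: the hint texts paraphrase the possible causes listed above, and the local listener and the name dsm.invalid are constructed inputs so the self-check runs offline.

```python
import socket
from typing import Dict, List

# Heartbeat port numbers named in the troubleshooting steps above
MANAGER_HEARTBEAT_PORT = 4120   # agent -> Deep Security Manager
AGENT_HEARTBEAT_PORT = 4118     # Deep Security Manager -> agent

# Hint texts paraphrase the possible causes listed in this section
HINTS = {
    "dns": ("name does not resolve: check the DNS server or proxy the host uses; "
            "a public DNS server cannot resolve internal names"),
    "refused": ("route and firewall pass but nothing listens on the port: "
                "check that the ds_agent or Manager service is running"),
    "timeout": ("no reply: a firewall, IPS rule, security group, route or NAT is "
                "dropping the traffic; trace the route (traceroute/tracert) and "
                "check both network and host-based firewalls"),
    "unreachable": "no route to host: check routes and NAT port forwarding",
    "open": ("route and port are open; if heartbeats still fail, test the other "
             "direction and check certificates and system time"),
}


def resolve_host(name: str) -> List[str]:
    """The nslookup step: addresses the name resolves to, or [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_port_state(addr: str, port: int, timeout: float = 3.0) -> str:
    """The telnet step: 'open', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def check_heartbeat_path(target: str, port: int, timeout: float = 3.0) -> Dict:
    """Run the DNS check, then the TCP check, in the order the checklist uses,
    and report the first failing step with the matching hint."""
    addrs = resolve_host(target)
    if not addrs:
        return {"target": target, "port": port, "step": "dns", "ok": False,
                "states": {}, "hint": HINTS["dns"]}
    states = {addr: tcp_port_state(addr, port, timeout) for addr in addrs}
    if "open" in states.values():
        return {"target": target, "port": port, "step": "tcp", "ok": True,
                "states": states, "hint": HINTS["open"]}
    worst = next(iter(states.values()))   # first failing address decides the hint
    return {"target": target, "port": port, "step": "tcp", "ok": False,
            "states": states, "hint": HINTS[worst]}


def self_check() -> Dict[str, Dict]:
    """Exercise the checks offline against constructed inputs: a local listener
    on an ephemeral port (open), the same port after the listener closes
    (refused), and a name under the reserved .invalid domain (never resolves)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        open_result = check_heartbeat_path("127.0.0.1", port)
    finally:
        listener.close()
    return {
        "open": open_result,
        "closed": check_heartbeat_path("127.0.0.1", port),
        "dns": check_heartbeat_path("dsm.invalid", MANAGER_HEARTBEAT_PORT),
    }


if __name__ == "__main__":
    import sys
    # Stand-alone use: python heartbeat_check.py dsm.example.com 4120
    # (or, from the Manager, an agent IP and 4118)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else MANAGER_HEARTBEAT_PORT
    print(check_heartbeat_path(host, port))
```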
If IPS or firewall rules are blocking the connection between the Deep Security Agent and the Deep Security Manager, then the manager cannot connect in order to unassign the policy that is causing the problem. To solve this, enter the following command on the computer to reset policies on the agent:
dsa_control -r
You must deactivate, then re-activate the Agent in the Deep Security Manager Web console after running this command.

Troubleshooting Deep Security Agent Activation Failures

When trying to activate an agent, the Deep Security Agent may return an Activation Failed error message.

Possible Solutions
• Check the description of the error to see why the activation failed. Most of the time, the problem is self-explanatory.
• Check if the Deep Security Manager is able to resolve the hostname or FQDN of the agent.
• Check if the Agent is able to resolve the hostname or FQDN used by the server. You can find the Deep Security Manager name used for communication by logging into the Deep Security Manager Web console and going to System > System Information > System Activity > Deep Security Manager object.
• Check and make sure that the system time for Deep Security Agent and Deep Security Manager are synchronized.
• Check the Deep Security Agent and make sure that it is not activated or registered to another Deep Security Manager. To check if the DSA is activated or not, go to the following folder:
  ...\Program Files\Trend Micro\Deep Security Agent
  Look for these three (3) files:
  config.bin
  ds_agent.config
  ds_agent_dsm.crt
  If these files are present, the agent is already activated. Alternatively, open the ds_agent_dsm.crt file and go to the Details tab to verify the Deep Security Manager from which the Agent was activated.
• If the Deep Security Manager where an Agent is registered is no longer available, deactivate the Deep Security Agent.
  Open a command prompt and navigate to the following folder:
  ...\Program Files\Trend Micro\Deep Security Agent
  Run the following command to reset and deactivate the agent:
  dsa_control.exe /r
  The message Agent reset successfully appears after the command completes successfully. Re-activate the agent with the following command:
  dsa_control.exe /a dsm://<hostname>:4120/
  The message Command Session Completed appears after the command completes successfully.
• If you encounter an error when activating the Agent from the Deep Security Manager Web Management console, check the Agent system events for any error message. If you encounter an error when activating the Agent locally, enable additional logging to determine the cause of the activation error. In the C:\Windows folder, create a file named ds_agent.ini. Add this parameter to the file to enable the debug trace:
  trace=*
  Activate the agent using the command line method and check the log file.

Troubleshooting High CPU Usage

Computers protected by Deep Security Agent are experiencing high CPU usage.

Possible Solutions
• Verify whether the Trend Micro Deep Security Agent process (ds_agent.exe on Windows) has unusually high CPU usage:
  - On Windows: check Task Manager
  - On Linux and HP-UX, type the following command: top
  - On Solaris, type the following command: prstat
  - On AIX, type the following command: topas
• Verify that the agent is updated to the latest version
• Apply the best practices for performance with Anti-Malware:
  - Reserve an appropriate amount of disk space for storing identified malware files. The space that you reserve applies globally to all computers: physical machines, virtual machines, and Deep Security Virtual Appliances.
    The setting can be overridden at the policy level and at the computer level. If you are using a Deep Security Virtual Appliance to protect virtual machines, all identified files from the protected virtual machines will be stored on the virtual appliance. As a result, you should increase the amount of disk space for identified files on the virtual appliance
  - Exclude files from real-time scans if they are normally safe but have high I/O, such as databases, Microsoft Exchange quarantines, and network shares
  - Do not scan network directories
  - Reduce the CPU impact of malware scans by setting CPU Usage to Medium (Recommended; pauses between scanning files) or Low (pauses between scanning files for a longer interval than the medium setting)
  - Create a scheduled task to run scans at a time when CPU resources are more readily available
  - In the virtual machine Scan Cache, select a Real-Time Scan Cache Configuration. If scans are not frequent, increase the Expiry Time (avoid repeated scans)
  - Use agentless deployments so that CPU usage is in one centralized virtual appliance, not on every computer
  - Reduce or keep small default values for the maximum file size to scan, maximum levels of compression from which to extract files, maximum size of individual extracted files, maximum number of files to extract, and OLE Layers to scan. Most malware is small, and nested compression indicates malware. But if you don't scan large files, there is a small risk that Anti-Malware won't detect some malware. You can mitigate this risk with other features such as integrity monitoring
  - Do not use Smart Scan if the computer doesn't have reliable network connectivity to the Trend Micro Smart Protection Network or your Smart Protection Server
  - Use multi-threaded processing for manual and scheduled scans (real-time scans use multi-threaded processing by default).
    Multi-threaded processing is effective only on systems that support this capability.
• Apply the best practices for performance with Intrusion Prevention:
  - Include packet data in the event log only during troubleshooting.
  - Don't assign more than 300 rules. To minimize the number of required rules, ensure all available patches are applied to the computer operating system and any third-party software that is installed.
  - Do not monitor HTTP responses from the web server, especially if the policy has many signatures applied.
  - When an agent is assigned a large number of Intrusion Prevention rules, the size of the configuration package can exceed the maximum allowed size. When the allowed size is exceeded, the status of the agent changes to "Agent configuration package too large" and the event message "Configuration package too large" appears. Assign only Intrusion Prevention rules that apply to the computer's OS and applications. Apply only the Intrusion Prevention rules that a recommendation scan recommends, and remove any rules from the computer or the assigned policy that are recommended for unassignment. There is a configuration limit of 20 MB on the Windows 32-bit platform because it has less kernel memory available. For other platforms, the limit is 32 MB.
• If you have just enabled Application Control, wait until the initial baseline ruleset is complete. The time required varies by the number of files on the file system. CPU usage should then decrease.
• If a recommendation scan is being performed, try running scans during a time when the computer is less busy, or allocate more virtual CPUs if the computer is a virtual machine.
• Temporarily disable each protection feature (Anti-Malware, etc.), one at a time. Check CPU usage each time to determine if a specific module is the cause.
• If high CPU usage still continues, try temporarily stopping the agent. Verify that the issue stops when the Agent is stopped.
  If it does, collect diagnostic information and give it to your support provider.

Troubleshooting Security Update Failures

Connectivity issues between the Deep Security Relay and the ActiveUpdate sources may cause security updates on Deep Security Agents to fail.

Possible Solutions

• To verify that a route exists between the relay server and its ActiveUpdate source or proxy server, and that the relay port number is open, enter the following command:

    telnet [relay IP] [port number]

  If the telnet fails, verify that a route exists and that firewall policies (if any) allow the traffic by pinging or using traceroute. Also verify that the port number is open and doesn't have a port conflict.
• To verify that the DNS server can resolve the domain name of the relay, enter the following command:

    nslookup [relay domain name]

  If the test fails, verify that the agent is using the correct DNS proxy or server (internal domain names can't be resolved by a public DNS server such as Google or your ISP).
• If you are using Deep Security as a Service, you might not be using your own relays; instead, you will be using the relays that are built into the service: relay.deepsecurity.trendmicro.com.
• If you use a proxy server, confirm that the proxy settings in the Deep Security Manager Web console are correct.
• To determine if your Deep Security settings are blocking connectivity, unassign the current policy.

Appendix D: What's New in Deep Security 20

This appendix provides an overview of the new features and functionality available in Deep Security 20. Some of these features may have been initially introduced in the Deep Security 12 Feature Releases.
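The two connectivity checks from the Appendix C troubleshooting above (resolve the relay or manager name as nslookup does, then complete a TCP handshake to the port as telnet does) as one script; the same checks apply when dsa_control.exe /a dsm://<hostname>:4120/ cannot reach the manager on port 4120. This is an added example, not part of the Trend Micro courseware; the hostnames and ports are assumptions supplied by the caller, and constructed_resolver is an offline stand-in for DNS used only for demonstration.

```python
"""Connectivity triage for a Deep Security Agent, following the Appendix C checks.

Added example for this guide, not Trend Micro code. It runs the manual checks in
order: resolve the manager/relay name (nslookup), then complete a TCP handshake to
the port (telnet). Use port 4120 for activation via dsm://<hostname>:4120/, or the
relay port for security updates. Hostnames and ports are caller-supplied assumptions.
"""
import socket
import sys
from typing import Callable, Dict

Resolver = Callable[[str], str]                 # name -> IPv4 address; raises OSError on failure
Connector = Callable[[str, int, float], bool]   # (ip, port, timeout) -> handshake completed?


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Equivalent of `telnet <ip> <port>`: True only if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, timed out, no route, or networking disabled
        return False


def constructed_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for DNS (constructed for demos and tests): look names up in a
    dict and fail the way gethostbyname does when the name is unknown."""
    def resolve(name: str) -> str:
        if name not in table:
            raise socket.gaierror(-2, "Name or service not known: %s" % name)
        return table[name]
    return resolve


def diagnose(name: str, port: int, *, resolver: Resolver = socket.gethostbyname,
             connector: Connector = tcp_connect, timeout: float = 3.0) -> dict:
    """Run the checks in order and stop at the first failure.

    verdict values, with the Appendix C follow-up for each:
      dns-failure       nslookup equivalent failed: the agent is using the wrong DNS
                        server or proxy (a public resolver cannot resolve internal names).
      port-unreachable  name resolved but no handshake: verify the route and firewall
                        policies (ping/traceroute) and that the port is open and not in
                        conflict on the relay or manager.
      ok                both checks passed: if updates or activation still fail, check
                        the proxy settings in the manager console or unassign the policy.
    """
    result = {"name": name, "port": port, "ip": None, "verdict": "ok", "detail": ""}
    try:
        result["ip"] = resolver(name)
    except OSError as exc:
        result["verdict"] = "dns-failure"
        result["detail"] = str(exc)
        return result
    if not connector(result["ip"], port, timeout):
        result["verdict"] = "port-unreachable"
        result["detail"] = "no TCP handshake with %s:%d" % (result["ip"], port)
    return result


def main(argv) -> int:
    if len(argv) != 3:
        print("usage: %s <manager-or-relay-hostname> <port>" % argv[0])
        return 2
    report = diagnose(argv[1], int(argv[2]))
    print("%(name)s -> %(ip)s port %(port)d: %(verdict)s %(detail)s" % report)
    return 0 if report["verdict"] == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```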
New Database Support

Additions to supported databases for Deep Security Manager 20 include:
• Oracle 18 and Oracle 19c
• PostgreSQL 11
• SQL Server 2019

New Manager Platform Support

Additions to supported platforms for Deep Security Manager 20 include:
• Red Hat Enterprise Linux 8 (64-bit)
• Windows Server 2019 (64-bit)

Platforms no longer supported for Deep Security Manager 20 include:
• Red Hat Enterprise Linux 6 (64-bit)

New Agent Platform Support

New platforms with a supported Deep Security 20 Agent include:
• Ubuntu 20.04 (64-bit)
• Cloud Linux 8 (64-bit)
• Debian Linux 10 (64-bit)
• Oracle Linux 8 (64-bit)
• SUSE Linux Enterprise Server 15 (64-bit)
• Red Hat Enterprise Linux 8 (64-bit)
• CentOS 8 (64-bit)

Google Cloud Platform Support

Google Cloud Platform (GCP) support was introduced in a Deep Security 12 Feature Release. You can now view new GCP instances that come online or are removed, and which instances have protection. If you are using multiple clouds on-premise and in your data center, Deep Security can provide visibility for all of your environments. This feature is available for virtual machines that have Deep Security Agent 12.0 or later installed.

Virtual machines are organized into projects, which lets you easily see which GCP virtual machines are protected and which are not. Policies can be assigned automatically based on the GCP instance labels, GCP network tags, and other instance attributes while auto-scaling up. Related GCP instances can be grouped in Smart Folders based on the GCP instance labels, GCP network tags, and other instance attributes to simplify management.

Upgrade on Activation

Upgrade on activation is a new feature that instructs Deep Security Agents to automatically upgrade on activation if the current version of the Agent does not match the latest compatible version of the Agent available for that platform in Deep Security Manager.
Upgrade on activation was supported for Linux platforms only in the LTS release of Deep Security 12. Support for Windows is now available in Deep Security 20.

Agent Version Control

Agent Version Control allows administrators to define the specific versions of Deep Security Agents that will be deployed when upgrading Deep Security Agents, whether using deployment scripts or the Automatically upgrade agents on activation feature. This allows security operations teams to declare exactly which Agents will be used at any given time. As new Agents are released by Trend Micro, your security operations team can test them in controlled environments before changing the version control settings to expose the new Agents to downstream application teams in their production environment.

Reboot Requirement Removed for Agent Upgrade

Previously, there were several situations where a Windows server would require a reboot for a new agent to complete the upgrade. The need for the reboot has been completely removed, so that the application is not impacted as a result of upgrading a Deep Security Agent.

Anti-Malware Protection During an Agent Upgrade

The Deep Security Agent Anti-Malware driver can be upgraded without rebooting your computers. By removing the need to reboot your computer, the friction involved in operational efforts is drastically reduced.

Note: There are still scenarios where a reboot is required, for example when the system events 1533: A computer reboot is required to complete an Anti-Malware cleanup or restoration task or 1534: A computer reboot is required to complete Anti-Malware protection occur.
Agentless Anti-Malware for NSX-T

Deep Security 20 includes support for the latest VMware Service Insertion and Guest Introspection technologies, which enables you to protect your guest virtual machines using Intrusion Prevention, Web Reputation, Firewall, Integrity Monitoring and recommendation scans on NSX-T hosts with agentless protection.

Deep Security Manager now sends guest virtual machines' network configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the network features during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments where the guest machine is using an assigned policy without network feature overrides.

Also, by introducing the Data Plane Development Kit (DPDK) in Deep Security 20, network throughput is three times faster when compared with the prior technology.

Finally, you can add multiple vCenters in the Deep Security Manager and associate them with the same NSX-T Data Center. An overwrite warning message is displayed if you are using NSX Data Center for vSphere (NSX-V), which does not support the use of multiple vCenters, or if the NSX-T Manager has been registered with another Deep Security Manager cluster.

Hide AWS Host Groups

A new Deep Security 20 option allows AWS host groups to be hidden on the Computers page. Instead of showing all host groups, empty host groups will be represented by a greyed-out, italicized count. This feature can be toggled on and off by right-clicking Computers in the host group tree. This feature was developed to accelerate the load time of the Computers page. Hiding empty host groups also makes the host group tree more streamlined. Empty host groups are hidden by default.
Search Cloud Instance Metadata

Deep Security 20 adds the ability to do a simple search or advanced search for Cloud Instance Metadata on the Computers page. This allows you to easily find workloads with specific labels, network tags, and more.

AWS Manager-generated External ID

Previously, when using a cross-account role for authentication, Deep Security required two pieces of information: a role ARN, and an external ID trusted by the role. This has now changed to a new process where Deep Security provides the external ID, and requires that the role provided has included this external ID in its IAM trust policy. This change provides stronger security in shared Deep Security environments, and ensures that strong external IDs are always used.

Agent Integrity Check

Deep Security 20 verifies the digital signature on the Deep Security Agent package to ensure that the software files have not been modified or tampered with since the time of signing.

Deep Security Manager API Updates

The Deep Security Manager API has been updated with the following:

Automate Google and AWS accounts
Deep Security 20 provides REST APIs to allow you to automate the adding of both AWS and Google Cloud accounts into Deep Security.

New Anti-Malware Features

A Deep Security update introduces four new anti-malware features:

Windows Antimalware Scan Interface (AMSI)
The Windows Antimalware Scan Interface (AMSI) is an interface provided by Microsoft in Windows 10 and newer. Deep Security leverages AMSI to help detect malicious scripts.

Behavior Monitoring Action
Behavior Monitoring includes a new Action to take list. Choose the remediation action that you want Deep Security to take when it detects malware:
• ActiveAction (recommended): Use the action that ActiveAction determines.
• Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event is still recorded.)
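The trust-policy requirement from the AWS Manager-generated External ID section above, as an added example that is not Trend Micro code: a checker that flags a cross-account role whose IAM trust policy grants sts:AssumeRole without a StringEquals condition on the manager-generated sts:ExternalId, with the corrected statement shape beside the weak one. The account ID and external ID in the script are constructed placeholders; the real values come from the Deep Security Manager console when the AWS account is added.

```python
"""Check an IAM role trust policy against the external ID that Deep Security Manager
generates.

Added example for this guide, not Trend Micro code. The cross-account role must include
the manager-supplied external ID in its trust policy; this checker reports trust policies
that grant sts:AssumeRole without that condition. The account ID and external ID below
are constructed placeholders; take the real values from the Deep Security Manager console.
"""
import json
import sys
from typing import List

# Constructed placeholders, not real Trend Micro or AWS identifiers.
DSM_PRINCIPAL = "arn:aws:iam::111122223333:root"   # account Deep Security assumes the role from
MANAGER_EXTERNAL_ID = "EXTERNAL-ID-PLACEHOLDER"


def _as_list(value) -> list:
    """IAM allows a single string or a list for Action, Principal.AWS and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> list:
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):          # "Principal": "*"
        return [principal]
    return _as_list(principal.get("AWS"))


def trust_policy_findings(policy: dict, principal: str, external_id: str) -> List[str]:
    """Return findings for the trust policy; an empty list means it is acceptable.

    Acceptable: at least one Allow statement lets `principal` call sts:AssumeRole and is
    conditioned on StringEquals sts:ExternalId == external_id, and no Allow statement
    lets the principal (or everyone) assume the role without that exact external ID.
    """
    findings = []
    satisfied = False
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principals = _principals(stmt)
        if principal not in principals and "*" not in principals:
            continue
        ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if external_id in ids:
            satisfied = True
        extras = [i for i in ids if i != external_id]
        if extras:
            findings.append("statement %d accepts an external ID other than the manager's: %s"
                            % (index, extras))
        elif not ids:
            findings.append("statement %d grants sts:AssumeRole without an sts:ExternalId condition"
                            % index)
        if "*" in principals:
            findings.append("statement %d uses a wildcard principal" % index)
    if not satisfied:
        findings.append("no statement grants sts:AssumeRole to %s with sts:ExternalId %s"
                        % (principal, external_id))
    return findings


def trust_statement(principal: str, external_id: str) -> dict:
    """The shape the role's trust policy statement should take for the manager-generated ID."""
    return {"Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}


# Constructed sample policies: the corrected form beside the weak one.
CORRECT_TRUST_POLICY = {"Version": "2012-10-17",
                        "Statement": [trust_statement(DSM_PRINCIPAL, MANAGER_EXTERNAL_ID)]}
WEAK_TRUST_POLICY = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Principal": {"AWS": DSM_PRINCIPAL},
                                    "Action": "sts:AssumeRole"}]}   # no external ID required


def main(argv) -> int:
    """Usage: check_trust_policy.py <trust-policy.json> <external-id> [principal-arn]"""
    if len(argv) < 3:
        print(main.__doc__)
        return 2
    with open(argv[1]) as fh:
        policy = json.load(fh)
    principal = argv[3] if len(argv) > 3 else DSM_PRINCIPAL
    findings = trust_policy_findings(policy, principal, argv[2])
    for finding in findings:
        print("FINDING:", finding)
    print("OK" if not findings else "%d finding(s)" % len(findings))
    return 0 if not findings else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```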
Predictive Machine Learning Action
When Predictive Machine Learning is enabled, you can now choose the remediation action that you want Deep Security to take when it detects malware:
• Quarantine (recommended): Moves the infected file to the quarantine directory on the protected computer.
• Pass: Allows full access to the infected file without doing anything to the file. (An Anti-Malware Event is still recorded.)
• Delete: On Linux, the infected file is deleted without a backup. On Windows, the infected file is backed up and then deleted.

Behavior Monitoring on Linux
Behavior Monitoring capabilities are now supported on Linux servers.

Database Encryption

Editing a configuration file is no longer necessary for enabling a secure encrypted connection with the database. If the database server is configured to require a secure encrypted connection, Deep Security Manager will use the encrypted connection. The mechanisms for creating the encrypted connection are built into the database library that Deep Security Manager is based on; therefore, the server certificate does not need to be imported, nor does any configuration file need to be updated.

Appendix E: FIPS 140-2 Support in Deep Security

Federal Information Processing Standard (FIPS) is a set of U.S. government standards for cryptographic modules. Deep Security provides settings that enable cryptographic modules to run in a mode that is compliant with FIPS 140-2 standards. Trend Micro obtained certification for the Java crypto module and the Native crypto module (OpenSSL). There are some differences between a Deep Security deployment running in FIPS mode and one running in non-FIPS mode.
These Deep Security features are not available when operating in FIPS mode:
• Agentless protection, including connecting to an NSX Manager and settings related to the Deep Security Virtual Appliance
• Connecting to a Microsoft Azure account using the Quick and Advanced methods in Add Azure Account. Key Pair Generation for use with Azure is also not available in FIPS mode.
• Connecting to virtual machines hosted on VMware vCloud
• Deep Security Scanner (integration with SAP NetWeaver)
• Multi-tenant environment
• Load balancer settings (from the Administration menu, click System Settings > Advanced > Load Balancers)
• Connected Threat Defense
• Identity provider support via SAML 2.0
• When configuring SMTP settings, the STARTTLS option is not available.

Enable FIPS Mode for Deep Security Manager on Windows

Perform the following steps to enable FIPS mode on an installation of Deep Security Manager running on Windows:
1 In Windows Services, stop the Trend Micro Deep Security Manager service.
2 In the Windows Command Prompt, navigate to the following folder:
    C:\Program Files\Trend Micro\Deep Security Manager
3 Type the following command to enable FIPS mode:
    dsm_c -action enablefipsmode
4 Restart the Deep Security Manager service.

Note: FIPS mode must also be enabled on the Windows operating systems you are protecting, as well as the database server used by Deep Security.
Enable FIPS Mode for Deep Security Manager on Linux

Perform the following steps to enable FIPS mode on an installation of Deep Security Manager running on Linux:
1 In the Linux terminal, navigate to the following folder:
    /opt/dsm
2 Type the following command to stop the Deep Security Manager service:
    service dsm_s stop
3 Type the following command to enable FIPS mode:
    dsm_c -action enablefipsmode
4 Type the following command to restart the Deep Security Manager service:
    service dsm_s start

Note: FIPS mode must also be enabled on the Linux operating systems you are protecting, as well as the database server used by Deep Security.

Trend Micro™ Deep Security™ 20 Training for Certified Professionals Lab Guide

Released: February 18, 2021 Trend Micro Deep Security 20 Software Courseware v1.1
Trend Micro Deep Security 20 Training for Certified Professionals - Lab Guide

Lab 1: Accessing the Deep Security Lab Environment ... 1
  Exercise 1: Access the Product Cloud Lab Environment ... 3
Lab 2: Deploying Deep Security Agents ... 9
  Exercise 1: Import the Deep Security Agent Software into Deep Security Manager ... 9
  Exercise 2: Export the Deep Security Agent Installer ... 13
  Exercise 3: Install a Deep Security Agent Manually ... 13
  Exercise 4: Install a Deep Security Agent Using a Deployment Script ... 17
  Exercise 5: Install a Deep Security Agent Using the Command Line ... 20
  Exercise 6: Add the Task column ... 20
  Exercise 7: Add Devices to the Computers List ... 21
Lab 3: Deploying a Deep Security Relay ... 27
  Exercise 1: Enable a Deep Security Relay ... 27
Lab 4: Protecting Servers from Malware ... 31
  Exercise 1: Create a New Malware Scan Configuration ... 31
  Exercise 2: Create a New Policy ... 34
  Exercise 3: Apply the Policy to a Computer ... 35
  Exercise 4: Test Agent-Based Malware Protection and Quarantine ... 37
  Exercise 5: Test Agent-Based Grayware/Spyware Protection ... 40
  Exercise 6: Enable Predictive Machine Learning ... 41
Lab 5: Blocking Malicious Web Sites ... 45
  Exercise 1: Modify a Policy to Activate Web Reputation Protection ... 45
  Exercise 2: Access Sample Web Sites ... 46
Lab 6: Filtering Traffic Using Firewall Rules ... 51
  Exercise 1: Perform a Port Scan ... 51
  Exercise 2: Enable the Firewall Protection Module on the Computer ... 53
  Exercise 3: Create a Firewall Rule to Deny Incoming Traffic ... 54
  Exercise 4: Create a Firewall Rule to Force Allow Incoming Telnet Connections From a Single Host ... 58
Lab 7: Protecting Servers From Vulnerabilities ... 61
  Exercise 1: Run a Recommendation Scan ... 61
  Exercise 2: Enable Intrusion Prevention Protection and Apply an Additional Rule ... 64
  Exercise 3: Test Intrusion Prevention Protection ... 65
Lab 8: Blocking Application Traffic with Intrusion Prevention Rules ... 67
  Exercise 1: Block Internet Explorer ... 67
Lab 9: Detecting Changes to Protected Servers ... 73
  Exercise 1: Create an Object to Monitor ... 73
  Exercise 2: Create a New Integrity Monitoring Rule ... 73
  Exercise 3: Generate Integrity Monitoring Events ... 76
  Exercise 4: Deploy an Additional Integrity Monitoring Rule ... 78
  Exercise 5: Generate Integrity Monitoring Events ... 80
Lab 10: Blocking Unapproved Software ... 83
  Exercise 1: Activate Application Control Protection ... 83
  Exercise 2: Install a New Application ... 85
Lab 11: Inspecting Logs on Protected Servers ... 89
  Exercise 1: Create a New Log Inspection Rule ... 89
  Exercise 2: Generate Log Inspection Events ... 90
  Exercise 3: Scan for Recommendations ... 94
Lab 12: Accessing Deep Security Through the Application Programming Interface ... 97
  Exercise 1: Create an API key ... 97
  Exercise 2: Access the API Reference ... 98
  Exercise 3: Use the API to List Computer Details ... 100
  Exercise 4: Use the API to Create a Group ... 103
Lab 13: Integrating Deep Security With Connected Threat Defense ... 111
  Exercise 1: Integrate Deep Security With Apex Central ... 111
  Exercise 2: Integrate Deep Discovery Analyzer with Apex Central ... 112
  Exercise 3: Add Deep Discovery Analyzer and Deep Security to the Apex Central Product Directory ... 114
  Exercise 4: Configure Deep Security for Connected Threat Defense ... 116
  Exercise 5: Create a Malware Scan Configuration ... 118
  Exercise 6: Enable Connected Threat Defense ... 118
  Exercise 7: Submit a File to Deep Discovery For Analysis ... 119
  Exercise 8: Track the Submission ... 121
Appendix Lab: Activating and Managing Multiple Tenants ... 125
  Exercise 1: Enable Multi-Tenancy ... 125
  Exercise 2: Create Multiple Tenants ... 128
  Exercise 3: Lock Down Tenants ... 130
  Exercise 4: Add Computers to a Tenant ... 135
Appendix Lab: Configuring Agentless Protection ... 137
  Exercise 1: Verify the Import of the Deep Security Virtual Appliance Package into Deep Security Manager ... 137
  Exercise 2: Add VMware vCenter to the Computers List ... 138
  Exercise 3: Install the Guest Introspection Service on VMware ESXi ... 142
  Exercise 4: Install the Trend Micro Deep Security Service on VMware ESXi ... 147
  Exercise 5: Create an NSX Security Group ... 150
  Exercise 6: Create an NSX Security Policy ... 154
  Exercise 7: Apply the NSX Security Policy to the NSX Security Group ... 160
  Exercise 8: Apply Deep Security Protection to the Virtual Machines ... 162

Lab 1: Accessing the Deep Security Lab Environment

This first lab introduces participants to the virtual lab environment used to complete the hands-on exercises in this Deep Security training course. The classroom lab environment is delivered as a virtual application through Trend Micro Product Cloud 2.0 and will be accessed from a Web browser on your computer. Google Chrome is the preferred browser for this environment.

Network Settings

The settings and login credentials for each virtual machine in the classroom environment are listed here.
VM-SERVER-01
  Hostname: server-01.trend.local
  Operating System: Windows Server 2016 (hosting Active Directory)
  Addressing: IP: 192.168.4.1, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1, DNS 1: ::1, DNS 2: 127.0.0.1
  Login: Login Name: administrator, Password: trendmicro

VM-SERVER-02
  Hostname: server-02.trend.local
  Operating System: Windows Server 2016 (hosting SQL Server 2016 and Deep Security Manager)
  Addressing: IP: 192.168.4.2, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1, DNS 1: 192.168.4.1, DNS 2: 8.8.8.8
  Login: Login Name: administrator, Password: trendmicro

VM-SERVER-03
  Hostname: server-03.trend.local
  Operating System: Windows Server 2012 R2 (hosting Apex Central)
  Addressing: IP: 192.168.4.3, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1, DNS 1: 192.168.4.1, DNS 2: 8.8.8.8
  Login: Login Name: administrator, Password: trendmicro

VM-SERVER-04
  Hostname: server-04.trend.local
  Operating System: Windows Server 2019
  Addressing: IP: 192.168.4.4, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1, DNS 1: 192.168.4.1, DNS 2: 8.8.8.8
  Login: Login Name: administrator, Password: trendmicro

VM-ANALYZER
  Hostname: DDAN
  Operating System: CentOS
  Addressing: IP: 192.168.4.5, Subnet mask: 255.255.240.0, Default gateway: 192.168.0.1, DNS 1: 192.168.4.1, DNS 2: 8.8.8.8
  Login: Login Name: admin, Password: Admin1234!

Application Credentials

The URLs, user names and passwords used for each application pre-installed within the classroom lab environment are listed here for easy reference.

Deep Security Manager
URL: https://server-02.trend.local:4119
• User name: MasterAdmin
• Password: trendmicro

Apex Central
URL: https://server-03.trend.local/WebApp/Login.html
• User name: Admin
• Password: Pa$$w0rd

Deep Discovery Analyzer
URL: https://192.168.4.5
• User name: admin
• Password: Admin1234!
Exercise 1: Access the Product Cloud Lab Environment

In this exercise, participants will access the classroom virtual application through the email link delivered to participants by Trend Micro Product Cloud. The lab environment is available for the duration of the training session only and will be reset automatically at the end of the final day of class. Google Chrome is the recommended browser to use for the classroom exercises.

1 In the email message that was sent to you by Trend Micro, click the link to access the lab environment.

Note: If you did not receive the email message with the link, you may not have been correctly registered for the class. Please advise the instructor immediately.

2 The Product Cloud Training page is displayed in the browser. The name of the class is displayed in the frame at the top of the Web page. The Status should be listed as provisioned.
3 Hover your mouse over the computer icon on the right side of the page and click Go To Lab Detail.
4 A frame with the vApp details is displayed on the right side of the Web page, listing the virtual machines available in the environment.
5 Hover your mouse over one of the virtual machines, and click Remote Control to enter that virtual machine.
6 The selected virtual machine will be launched. It will take a moment for the virtual machine to load and the window to be resized.
7 To log into the virtual machine, click the icon on the toolbar to send a CTRL+ALT+DEL command to the virtual machine. Log in with the appropriate username and password as indicated in the exercise steps.
8 To maximize the virtual machine window, click the icon on the toolbar.
9 To switch between the different virtual machines in the environment, click the image switcher in the upper right-hand corner of the window.

Note: The connection icon on the toolbar will indicate if the network connection is adequate to run the lab environment. Green bars should be displayed.

Once you are comfortable with navigating around the Product Cloud environment, proceed to Lab 2.

Lab 2: Deploying Deep Security Agents

In this lab, participants will deploy Deep Security Agents on the computers within the virtual lab environment using a variety of methods.

Estimated time to complete this lab: 30 minutes

Exercise 1: Import the Deep Security Agent Software into Deep Security Manager

In this exercise, a Deep Security Agent software package will be imported into Deep Security Manager.

1 In the lab environment, switch to the VM-SERVER-02 virtual machine.
2 Log in to Windows Server 2016 using the following credentials:
  • Username: administrator
  • Password: trendmicro

Note: Verify that the keyboard language is set correctly for your locale. If required, click the Change Language shortcut on the Windows Server 2016 desktop to change the keyboard to another language. Alternately, a text file on the desktop called Copy and Paste.txt contains entries that can be copied into any requested fields.

Note: If an Enable Network Discovery message is displayed when logging into ANY virtual machine, click Yes.

3 Double-click the Deep Security Manager shortcut on the Windows Server 2016 desktop and log into the Deep Security Manager Web console with the credentials:
  • Username: MasterAdmin
  • Password: trendmicro
4 Click the Administration menu.
In the left-hand pane, expand Updates > Software > Download Center. The Trend Micro Download Center is displayed in the right-hand pane of the console, listing all Deep Security Agent software packages available.

5. Scroll through the list and locate the latest version of the Deep Security Agent for 64-bit Windows, called Deep Security Agent for Windows x86_64.

Note: To limit scrolling in this window, you can type the name of the Agent in the Search field. For example, type windows to display the Windows Agents at the top of the list.

6. Click to select the file and click the icon in the Import Now column. Alternatively, right-click the file and click Import from the pop-up menu. The Deep Security Agent software is downloaded from the Trend Micro Download Center onto the Deep Security Manager server. Once the download is complete, a green check mark appears in the Imported column.

7. Under Updates > Software > Local, verify that the Agent software package is listed as imported. A green check mark is displayed in the Is Latest column to indicate that the latest version has been imported.

Note: Deep Security Agents are modular. Initially, the Deep Security Agent contains core functionality only. When you enable a Protection Module, the Agent downloads that plug-in and installs it. Before you activate any Agents, import the software packages into Deep Security Manager so that they are available to the Agents. Installing an Agent when the corresponding software package has not been imported into Deep Security Manager can lead to complications later. Importing the Deep Security Agent software packages into Deep Security Manager also lets administrators extract the installer directly from the Deep Security Manager Web console.
8. In Windows Explorer, locate the following folder to view the Agent package stored on the Deep Security Manager computer:
C:\Program Files\Trend Micro\Deep Security Manager\temp\

9. Open the Agent-Windows-20._____.x86_64 folder to view the list of components available to install on the Agent computer as Protection Modules are enabled.

10. Close Windows Explorer.

Exercise 2: Export the Deep Security Agent Installer

In this exercise, participants will export the Deep Security Agent installer for Windows from the Agent package and store it locally, where it can be accessed later when deploying the Deep Security Agents in the virtual lab environment.

1. Still on the Local Software page, right-click the 64-bit Windows software package (Agent-Windows-20.____.x86_64.zip) in the list and click Export Installer.

2. Save the *.msi installer file to the Lab Files folder located on the Windows desktop. This folder can be accessed from the other virtual machines in the environment to simplify installation.

Exercise 3: Install a Deep Security Agent Manually

In this exercise, a Deep Security Agent will be installed manually on the Windows Server 2016 server hosted on the VM-SERVER-01 virtual machine.

1. In the lab environment, switch to the VM-SERVER-01 virtual machine.

2. Log in to Windows Server 2016 using the following credentials:
• Username: administrator
• Password: trendmicro

3. In the previous exercise, the Deep Security Agent installer was exported to the Lab Files folder. A shortcut to this folder has been placed on the desktop of the VM-SERVER-01 image. Double-click the shortcut and locate the installer called Agent-Core-Windows-20.0.____.x64.msi. Double-click it to start the installation.

4. Ignore any security warning and click Run to launch the Deep Security Agent Setup Wizard.

5. The Welcome window is displayed. Click Next.
6. If the terms of the license agreement are acceptable, click I accept the terms in the License Agreement and click Next.

7. Accept the default installation folder and click Next.

8. Click Install.

9. A Deep Security Notifier message should be displayed above the system tray.

10. Once complete, click Finish to close the Setup window.

11. Right-click the Deep Security Notifier icon in the system tray and click Open Console. Details of the protection on this computer are displayed. Note that at this point the Deep Security Agent has not been activated, and no protection is being applied.

12. Click Cancel to close the Notifier window.

13. In the lab environment, switch to the VM-SERVER-03 virtual machine.

14. Repeat the manual Deep Security Agent setup on SERVER-03. If prompted, log in to Windows Server 2012 using the following credentials:
• Username: administrator
• Password: trendmicro

Exercise 4: Install a Deep Security Agent Using a Deployment Script

In this exercise, a Deep Security Agent will be installed on the Windows Server 2019 computer on the VM-SERVER-04 virtual machine using a deployment script. Agent-Initiated Activation must be enabled before the script is run to ensure that the Agent activates properly. In this example, the generated script will be executed in Windows PowerShell.

1. In the lab environment, switch to the VM-SERVER-02 virtual machine.

2. Return to the Deep Security Manager Web console and click the Administration menu. In the left-hand pane, click System Settings and click the Agents tab.

3. Click to enable Allow Agent-Initiated Activation and Allow Agent to specify hostname. In the Agent activation token field, type a token for Agent activation, for example trendmicro, and click Save.
Note: The Agent activation token ensures that only scripts created on this installation of Deep Security Manager (which embed the token) are accepted for activation by this Manager; an agent-initiated activation request that does not present the token is rejected.

4. At the top of the Deep Security Manager Web console page, click Support > Deployment Scripts. Select Windows Agent Deployment from the Platform list and click to enable Activate Agent automatically after installation. The script is generated and displayed in the lower frame of the window. Scroll through the script code to examine the commands that will be issued when it is executed.

Note: The token required for Agent-initiated activation is added to the script automatically. Note the entry "token:trendmicro" near the end of the script. Because the token is embedded in the script in plain text, protect the saved .ps1 file as you would a credential.

5. Click Save to File and save the resulting AgentDeploymentScript.ps1 file to the Lab Files folder on the desktop.

6. Click Close to exit the Deployment Scripts window.

7. In the lab environment, switch to the VM-SERVER-04 virtual machine.

8. Log into Windows Server 2019 using the following credentials:
• Username: administrator
• Password: trendmicro

9. Open the Lab Files shortcut on the desktop and locate the AgentDeploymentScript.ps1 script file you saved in the previous step. Right-click the file and click Run with PowerShell.

10. Click Open. If the execution policy does not already allow PowerShell scripts to run, a prompt is displayed; type Y to execute the script. The script installs the Deep Security Agent and activates it. It may take a couple of minutes for the script to complete, since the sleep value in the script pauses the process to allow the Deep Security Agent setup to finish before the Agent is activated.
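As an added example (not the script generated by Deep Security Manager, and not part of the course material), the following PowerShell performs the same sequence the generated script runs: a quiet msiexec install of the Agent core, a wait for the Agent to come up, then agent-initiated activation with the token from step 3. It differs from the generated script in two places: it installs from the Agent-Core-Windows MSI exported to the Lab Files folder in Exercise 2 instead of downloading the package from the Manager, and it polls the Agent service instead of using a fixed sleep. The following are assumptions, because the page does not state them: the Manager runs on server-02.trend.local, the Agent heartbeat port is the default 4120, the Windows service name is ds_agent, dsa_control.cmd is in the Agent's default install folder, and the installer is matched with a wildcard because the page elides the build number.

```powershell
#requires -RunAsAdministrator
# Added example, not the deployment script generated by Deep Security Manager.
# Installs the Agent core quietly, waits for the Agent service, then performs
# agent-initiated activation with the activation token (Exercise 4, step 3).
param(
    # Assumption: the Manager runs on SERVER-02 (server-02.trend.local) and the
    # Agent heartbeat port is the default 4120.
    [string]$ManagerHost = "server-02.trend.local",
    [int]$HeartbeatPort  = 4120,
    # Token entered under Administration > System Settings > Agents in step 3.
    [string]$Token       = "trendmicro",
    # Installer exported in Exercise 2; the build number is not given on the
    # page, so it is matched with a wildcard rather than spelled out.
    [string]$MsiPattern  = "$env:USERPROFILE\Desktop\Lab Files\Agent-Core-Windows-20.*.x64.msi",
    [int]$TimeoutSeconds = 180
)

$ErrorActionPreference = "Stop"
$logDir = Join-Path $env:ProgramData "Trend Micro\Deep Security Agent\installer"
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Assumption: dsa_control.cmd lives in the Agent's default install folder.
$dsaControl = Join-Path $env:ProgramFiles "Trend Micro\Deep Security Agent\dsa_control.cmd"

# 1. Locate the exported MSI and fail clearly if it is not there.
$msi = Get-ChildItem -Path $MsiPattern -File -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $msi) { throw "No Agent installer matching $MsiPattern" }

# 2. Quiet install (/qn, the same idea as the /q switch used in Exercise 5),
#    waiting for msiexec to return so its exit code can be checked.
$msiArgs = "/i `"$($msi.FullName)`" /qn ADDLOCAL=ALL /l*v `"$logDir\dsa_install.log`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Agent install failed, msiexec exit code $($proc.ExitCode); see $logDir\dsa_install.log"
}

# 3. Instead of the fixed sleep in the generated script, poll until the Agent
#    service (assumed service name: ds_agent) is running, with a timeout.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$svc = $null
do {
    $svc = Get-Service -Name ds_agent -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq "Running") { break }
    Start-Sleep -Seconds 5
} while ((Get-Date) -lt $deadline)
if (-not ($svc -and $svc.Status -eq "Running")) {
    throw "ds_agent service did not reach Running within $TimeoutSeconds seconds"
}

# 4. Agent-initiated activation: -r resets any stale Agent configuration, then
#    -a asks the Manager to activate this computer, presenting the token and the
#    hostname to register under (requires "Allow Agent to specify hostname").
& $dsaControl -r
& $dsaControl -a "dsm://${ManagerHost}:${HeartbeatPort}/" "token:$Token" "hostname:$env:COMPUTERNAME"
if ($LASTEXITCODE -ne 0) { throw "dsa_control -a returned exit code $LASTEXITCODE" }

Write-Host "$(Get-Date -Format T) - DSA Deployment Finished"
```

Run it from an elevated PowerShell prompt on SERVER-04 after Agent-Initiated Activation has been enabled on the Manager. Checking the msiexec exit code and waiting on the service rather than a fixed sleep turns the two silent failure modes of the generated script (a failed install, or activation attempted before the Agent is ready) into explicit errors, and the saved file carries the activation token in plain text, so store it with the same care as a password.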
Wait for the DSA Deployment Finished message to be displayed in PowerShell, or for the PowerShell window to close, before continuing.

Exercise 5: Install a Deep Security Agent Using the Command Line

In this exercise, participants will install a Deep Security Agent on the VM-SERVER-02 virtual machine using a Microsoft Installer (msiexec) command.

1. In the lab environment, switch to the VM-SERVER-02 virtual machine.

2. Open the Lab Files folder on the desktop and copy the Agent-Core-Windows-20.0.____.x64.msi file to the root of C:\.

3. Open the Windows Command Prompt from the taskbar and type the following command to change to the root of C:\:
    cd\

4. Type the following command and note the name of the Deep Security Agent *.msi file:
    dir

5. Type the following command to install the Deep Security Agent:
    msiexec.exe /q /i <name of Deep Security Agent *.msi file>
This command installs the Deep Security Agent core. Because the /q switch runs a quiet install, no dialog boxes are displayed during the installation, but the Deep Security Notifier icon appears in the system tray after a few moments.

6. Wait until the Notifier icon is displayed in the system tray in the lower right-hand corner of the Windows screen before closing the Command Prompt and proceeding to the next exercise.

Exercise 6: Add the Task Column

In this exercise, a new column will be added to the console to display the Deep Security Agent activities being processed.

1. In the Deep Security Manager Web console, click the Computers menu.

2. Just above the list of computers, click Columns.

3. In the list of available columns, click to display Tasks and click OK.

4. The new column is displayed.
This column shows the tasks in progress, such as when a policy is being sent or a Recommendation Scan is being performed. Click and drag the column header to reposition the column in the list, if required.

Exercise 7: Add Devices to the Computers List

In the previous exercises, Deep Security Agents were installed on host computers in the lab environment. In this exercise, these computers will be added to the Deep Security Manager Computers list.

1. Still in the Computers list, note that SERVER-04 is already displayed. This computer was added to the Computers list and activated automatically through the deployment script.

2. Double-click the entry to view its Details. The server is listed as Managed and Online. Click Close.

3. In the right-hand pane, click Add > Add Computer. The New Computer Wizard is launched.

4. Complete the new computer details as follows and click Next:
• Hostname: SERVER-01
• Policy: No policy is applied at this time; leave this field as None
• Download Security Updates From: Default Relay Group

5. The New Computer Wizard displays a notification indicating that it will automatically activate the Deep Security Agent found on the newly added computer. Click Finish.

6. Click Close.

7. The SERVER-01 computer is now displayed in the Computers list and the Details window is opened. Note that because the computer was added using the New Computer Wizard, the Agent was activated automatically. Click Close.

8. Repeat the Add Computer process for the SERVER-03 computer.

9. The Windows Server 2016 computer hosted on the VM-SERVER-02 image will be added to the Computers list using the Discover operation. Click Add > Discover.
In the Discover Computers window, enter the following IP address range:
• Range From: 192.168.4.2
• Range To: 192.168.4.2

Note: Limiting the range reduces the time needed for the discovery process to complete in the classroom environment.

Click OK.

10. The discovery progress is visible in the bottom-left corner of the Deep Security Manager Web console task bar. The process may take a moment.

11. After the Discovery task completes, the Computers list refreshes and computers with IP addresses within the specified range are displayed. Since the range included only one address, only one computer (server-02.trend.local) is added to the list. The computer shows a status of Discovered (Activation Required), because the discovery task does not automatically activate discovered Agents. Discovered computers are identified by their fully qualified domain name.

12. Right-click the discovered computer and click Actions > Activate/Reactivate. Note that the Task column displays Activating.

Computer Status Summary

At this point, the Computers list in the Deep Security Manager Web console should appear similar to this:
• The SERVER-04 computer was added and activated automatically through the deployment script.
• Deep Security Agents were installed manually on the SERVER-01 and SERVER-03 computers. The Deep Security Agents on these computers were activated automatically when the computers were added by hostname.
• The Deep Security Agent on SERVER-02 was installed from the command line using Microsoft Installer and activated manually by clicking Activate/Reactivate.

Lab 3: Deploying a Deep Security Relay

In this lab, the Deep Security Agent on SERVER-01 will be promoted to become the Relay for the environment.
Estimated time to complete this lab: 10 minutes

Exercise 1: Enable a Deep Security Relay

Relay functionality is enabled by promoting a Deep Security Agent to a Relay. At least one Relay must be enabled in your environment for software distribution as well as pattern and security updates. The Deep Security Agent on the VM-SERVER-01 virtual machine is already activated. In this exercise, this Deep Security Agent will be promoted to become a Relay within the Default Relay Group.

1. In the lab environment, switch to the VM-SERVER-02 virtual machine.

2. In the Deep Security Manager Web console, click the Administration menu.

3. In the left-hand pane, expand Updates and click Relay Management.

4. Click to select the Default Relay Group and click Add Relay.

5. A list of all of the 64-bit Deep Security Agents activated in Deep Security is displayed. Click to select the SERVER-01 Deep Security Agent computer in the list and click Enable Relay and Add to Group. The Relay component is installed and enabled on the Deep Security Agent. This may take a moment to complete.

6. Once the Agent Status is listed as Online, return to the Computers list.

7. The Status column for SERVER-01 displays a message indicating that a security update is in progress. This is the Relay retrieving the distributable update components from the Trend Micro ActiveUpdate Server on the Smart Protection Network. Wait for the message to clear before continuing.

8. Hover the pointer over the SERVER-01 computer in the list and click Preview. The icon for the server in the Computers list is updated to indicate that it is now operating as a Deep Security Relay. The number of components available on the Relay for distribution is also displayed.
A Sending Policy status may also be displayed for other computers in the list as they are advised of the new Relay in their assigned Relay Group.

Note: A small red icon is displayed over the computer icon in the Computers list for any Agent promoted to a Relay.

Lab 4: Protecting Servers from Malware

In this lab, malware and grayware/spyware scanning will be enabled through the Anti-Malware Protection Module and applied to a server in the lab environment through a customized policy.

Estimated time to complete this lab: 20 minutes

Exercise 1: Create a New Malware Scan Configuration

In this exercise, a new Malware Scan Configuration will be created as a reusable Common Object.

1. In the lab environment, switch to the VM-SERVER-02 virtual machine.

2. Log into the Deep Security Manager Web console as MasterAdmin.

3. In the Deep Security Manager Web console, click the Policies menu. In the left-hand pane, expand Common Objects > Other and click Malware Scan Configurations. The default Malware Scan Configurations are displayed in the right-hand pane.

4. Click New > New Real-Time Scan Configuration.

5. The Malware Scan Configuration Properties window is displayed. Create a new configuration with the following details:

General tab:
• Name: Type a name for this scan configuration, for example Classroom Scan Configuration
• Document Exploit Protection: Click to enable Scan documents for exploits and Scan for exploits against known vulnerabilities only
• Spyware/Grayware: Click to Enable spyware/grayware protection
• Alerts: Enable Alert when this Malware Scan Configuration logs an event

Advanced tab:
• Remediation Actions: Custom
• Use custom actions: Set the action for Viruses to Quarantine

Click OK.
6. The Malware Scan Configuration is created and added to Common Objects, but has not yet been applied to any policies or computers.

Exercise 2: Create a New Policy

In this exercise, a new policy will be created by duplicating an existing policy and modifying its attributes.

1. Still in the Deep Security Manager Web console, click the Policies menu and in the left-hand pane, click Policies.

2. Instead of creating a new policy from scratch, an existing policy will be copied and some of its attributes modified. In the right-hand pane, expand Base Policy and click to select the Windows policy. From the menu at the top of the list, click Duplicate. A new policy called Windows_2 is created.

3. Double-click the Windows_2 policy to display the Details window. Rename this policy to Classroom and click Save.

4. In the Policy Details window, click the Anti-Malware Protection Module in the left-hand frame and set the following on the General tab:
• Anti-Malware State: On
• Real-Time Scan: Deselect Inherited
• Malware Scan Configuration: Select the newly created configuration called Classroom Scan Configuration
• Schedule: Select Every Day All Day
Click Save, then Close.

Exercise 3: Apply the Policy to a Computer

The new policy must be applied to computers to take effect. In this exercise, the new Classroom policy will be applied to the Windows Server 2012 computer hosted on the VM-SERVER-03 virtual image.

1. Still in the console, click the Computers menu to display the computers currently added to Deep Security Manager.

2. Locate and double-click the SERVER-03 computer to display its details.

3. From the Policy list, select the new Classroom policy. Click Save, then Close.
Since this module was not previously enabled, Deep Security Manager installs the Anti-Malware Protection Module and the other required components on this Deep Security Agent.

4. The Task column for the computer displays Sending Policy. A progress prompt is also displayed as the change is applied.

5. Security updates are also applied for the Anti-Malware components. Another progress prompt may be displayed after a moment, and the Task column for the computer changes to Security Update in Progress. The updates may take a moment to download.

6. Wait until the Task column clears before continuing.

7. Hover your mouse over the SERVER-03 computer and click Preview. The Anti-Malware Protection Module now displays as On, with Real-Time scanning enabled.

Note: If the Relay was not properly enabled in the previous lab, the Anti-Malware component installation fails, because the Agent obtains the module and its pattern updates from the Relay.

Exercise 4: Test Agent-Based Malware Protection and Quarantine

In this exercise, a sample virus file will be accessed to test the malware protection.

1. In the lab environment, switch to the VM-SERVER-03 virtual machine.

2. Double-click the Deep Security Notifier in the Windows system tray. In the Status pane, confirm that Real-Time scanning is enabled for Anti-Malware.

3. In a Web browser on the Windows Server 2012 computer, type the following URL to download the EICAR test file:
http://www.eicar.org/download/eicar.com

4. A Malware Detected message should be displayed, notifying you that the EICAR test virus file was detected.

5. Cancel the download of the eicar.com file.

6. In a Web browser, click the bookmark to access the Detections Web site, or enter the following URL:
http://detection.trend.local

7. Click l1-1.doc in the Deep Discovery Analyzer Sample Submission section to download the malware sample.
8. The Notifier should display a message indicating that new malware has been encountered. Cancel the Save operation.

9. Double-click the Deep Security Notifier in the Windows system tray and click View Events. Click the Anti-Malware Events tab to view the events.

10. Click OK and OK to close the Notifier console.

11. In the lab environment, switch to the VM-SERVER-02 virtual machine.

12. To verify the corresponding events, return to the Deep Security Manager Web console and locate SERVER-03 in the Computers list. Double-click to open Details.

13. Click the Anti-Malware Protection Module in the left-hand frame and click the Anti-Malware Events tab. Confirm that the events were logged. You may need to click Get Events to refresh the events list.

14. Click the Identified Files tab and examine the results. The malware was quarantined, as dictated by the Action in the Malware Scan Configuration. Click Close.

Exercise 5: Test Agent-Based Grayware/Spyware Protection

In this exercise, a sample spyware file will be accessed to test the grayware/spyware protection.

1. In the lab environment, switch to the VM-SERVER-03 virtual machine.

2. Open the Lab Files folder and locate the following spyware test file in the Spyware_Test_Files subfolder:
Spycar_Files_Password_novirus.zip

3. Move (or copy) this file to the Windows Server 2012 desktop.

4. Right-click the file and select Extract All. When prompted, type the password novirus.

5. A Malware Detected message should be displayed, notifying you that the test spyware file was detected.

6. Double-click the Deep Security Notifier in the Windows system tray and click View Events. Click the Anti-Malware Events tab to view the events.

7. In the lab environment, switch to the VM-SERVER-02 virtual machine.

8. To verify the corresponding events, return to the Deep Security Manager Web console and locate SERVER-03 in the Computers list.
Double-click to open Details.

9. Click the Anti-Malware Protection Module in the left-hand frame and click the Anti-Malware Events tab. Confirm that the event was logged. You may need to click Get Events to refresh the events list.

Exercise 6: Enable Predictive Machine Learning

In this exercise, document exploit and grayware/spyware scanning will be disabled in the scan configuration and Predictive Machine Learning will be enabled. Disabling these beforehand makes it clear that the sample is caught by Predictive Machine Learning and not by a virus or grayware/spyware pattern.

1. Still in the Deep Security Manager Web console on the VM-SERVER-02 virtual machine, click the Policies menu and in the left-hand frame, click Policies.

2. Double-click the Classroom policy to open its Details.

3. Click the Anti-Malware Protection Module in the left-hand frame. Click Edit for the Malware Scan Configuration called Classroom Scan Configuration.

4. Click to disable Scan documents for exploits and Spyware/Grayware scanning.

5. Click Enable Predictive Machine Learning and set the Action to take to Quarantine (recommended). Click OK. The Classroom policy is updated with the new Malware Scan Configuration settings, and computers using this policy inherit the new settings.

6. Close the Details window for the Classroom policy.

7. In the lab environment, switch to the VM-SERVER-01 virtual machine.

8. Double-click the Lab Files folder on the SERVER-01 desktop to display the contents of the folder. This folder is a shortcut to a folder on the SERVER-03 computer.

9. In Windows Explorer on SERVER-01, locate the TRENDX_detect.exe file in the following folder:
C:\web\detection\trendx\
10. Drag TRENDX_detect.exe from the folder on SERVER-01 to the Lab Files folder hosted on SERVER-03.

11. The file copies to SERVER-03, but disappears after a moment. (Refresh the display if the file does not disappear a few seconds after being dropped.) The file is detected as malware on SERVER-03 and quarantined, based on the action set for this type of detection.

12. In the lab environment, switch to the VM-SERVER-02 virtual machine.

13. To verify the corresponding events, return to the Deep Security Manager Web console, locate SERVER-03 in the Computers list and double-click to open Details.

14. Click the Anti-Malware Protection Module in the left-hand frame and click the Anti-Malware Events tab. Confirm that the event was logged. (You may need to click Get Events to refresh the events list.) Double-click the entry to view the details. The event shows that the file was detected by Predictive Machine Learning: it displays the probability that the file is a threat, as well as the known threats to which the sample shows similar characteristics. Click Close when done.

15. To view malware events for the entire system, click Events & Reports. In the left-hand frame, expand Events, then click Anti-Malware Events. All the malware-related events for all computers are displayed. At this point in the exercises, the only malware events that have occurred are on the SERVER-03 computer.

Lab 5: Blocking Malicious Web Sites

In this lab, you will activate the Web Reputation Protection Module in the Classroom policy and attempt to visit potentially hazardous Web sites.
Estimated time to complete this lab: 10 minutes

Exercise 1: Modify a Policy to Activate Web Reputation Protection

In this exercise, the Web Reputation Protection Module will be enabled in the Classroom policy; sample Web sites are then accessed in Exercise 2.

1. In the lab environment, switch to the VM-SERVER-02 virtual machine.

2. Sign in to the Deep Security Manager Web console as MasterAdmin.

3. In the Deep Security Manager Web console, click the Policies menu. Locate and double-click the Classroom policy to open the Details window.

4. Click the Web Reputation Protection Module in the left-hand frame and set the following:

General tab:
• Web Reputation State: On
• Security Level: Deselect Inherited and set the level to Medium
Click Save.

Advanced tab:
• Alert: Yes

Click each of the other tabs to view the different configuration options.

5. Click Save, then Close.

6. Deep Security Manager now deploys the Web Reputation Protection Module to the Deep Security Agents using this policy. This may take a few moments. While the installation is in progress, the Task column on the Computers tab for SERVER-03 (a computer using the Classroom policy) displays Sending Policy. Once the Task column clears, proceed to the next step.

7. Click the Events & Reports menu. Expand Events and click System Events in the left-hand pane, and note the entries for the update of the Deep Security Agent on SERVER-03. Double-click an entry to view the Details.

8. Click Close.

Exercise 2: Access Sample Web Sites

In this exercise, sample Web sites will be visited to test blocking through the Web Reputation Protection Module.

1. In the lab environment, switch to the VM-SERVER-03 virtual machine.
2. Open a Web browser on the SERVER-03 computer and attempt to access the following links:
• wrs91.winshipway.com (should be allowed)
• wrs71.winshipway.com (should be allowed)
• wrs41.winshipway.com (should be blocked, with a Web Reputation block message displayed in the browser)

3. A Notifier message is also displayed on the server desktop.

4. Still on the VM-SERVER-03 computer, double-click the Deep Security Notifier and open the console. Click View Events. Click the Web Reputation Events tab to display the Web Reputation events for the Web sites you accessed. Click OK and OK again to close the Notifier console.

5. In the lab environment, switch to the VM-SERVER-02 virtual machine.

6. In the Deep Security Manager Web console, click the Computers tab, then locate and double-click the SERVER-03 computer.

7. The computer Details page is displayed. Click the Web Reputation Protection Module and click the Web Reputation Events tab. A list of events is displayed. (You may need to click Get Events to trigger a heartbeat and retrieve the latest events.)

8. Double-click one of the events to examine its details.

9. Click Add to Allow List. The option to create an Allow exemption is displayed. The exemption can be applied to the SERVER-03 computer only, or to the computer's policy (in this case, the Classroom policy).

10. Click Cancel to close the window.

11. Close the Details for the SERVER-03 computer.

Lab 6: Filtering Traffic Using Firewall Rules

In this lab, participants will become familiar with the Firewall Protection Module and implement Firewall rules on the SERVER-01 computer (Windows Server 2016).
Estimated time to complete this lab: 20 minutes

Exercise 1: Perform a Port Scan

In this exercise, open ports on the SERVER-01 computer will be identified using a port scan launched from Deep Security Manager.

1. In the lab environment, switch to the VM-SERVER-02 virtual machine.

2. Log in to the Deep Security Manager Web console as MasterAdmin.

3. Click the Computers menu. Locate and double-click the SERVER-01 computer to open the Details window.

4. Click the Firewall Protection Module in the left-hand pane and click the General tab. Click Scan For Open Ports. The Task column for the computer displays Scanning for Open Ports.

5. Once the task is complete, open the computer Details to view the results. Take note of the open ports that are found. Port 4118 is identified as open. This is the port on which the Deep Security Agent listens for connections from Deep Security Manager, and it is opened by default during Agent setup.

Exercise 2: Enable the Firewall Protection Module on the Computer

Because the Firewall settings in the Classroom policy are inherited from the Base Policy and cannot be deselected there, the Firewall Protection Module will be enabled directly on the SERVER-01 computer.

1. Still on the Details page for the SERVER-01 computer in the Deep Security Manager Web console, click the Firewall Protection Module and set the Configuration to On. Click Save and Close.

2. Since this module was not already enabled, Deep Security Manager installs the Firewall module on this Deep Security Agent. The Task column for the computer displays Sending Policy. Wait for the Firewall module installation to complete and the Task column to clear.
3 On the SERVER-02 computer, open the Command Prompt and type the following telnet command to connect to port 80 on the SERVER-01 computer:
telnet 192.168.4.1 80
The connection should be accepted and a blinking cursor will be displayed, as no rules are blocking the connection at this point.
4 Type <ctrl>+c to terminate the command.

Exercise 3: Create a Firewall Rule to Deny Incoming Traffic
In this exercise, participants will create a rule that denies Telnet traffic on port 80 on the SERVER-01 computer and then examine the Firewall events that are created when this traffic is blocked.
1 Back in the Deep Security Manager Web console, click the Computers menu. Locate and double-click the SERVER-01 computer to display the Details page.
2 Click the Firewall protection module. On the General tab, click Assign/Unassign in the Assigned Firewall Rules section.
3 Click New > New Firewall Rule.
4 Create a new firewall rule with the following settings:
• Name: Deny Inbound Telnet Port 80
• Action: Deny
• Priority: 3-High
• Packet Direction: Incoming
• Frame Type: IP
• Protocol: TCP
• Packet Source:
  • IP: Any
  • MAC: Any
  • Port: Any
• Packet Destination:
  • IP: Any
  • MAC: Any
  • Port: Port(s): 80
• Any Flags: Enabled
Verify the settings you have entered and click OK to save the firewall rule. Click OK to close the Firewall Rules window.
5 On the General tab, confirm that Firewall Configuration is set to On and the Deny Inbound Telnet Port 80 rule is applied. Click Close.
6 Once the Task column clears, click Preview to display the computer's current status, and note that the Firewall rule is in effect.
7 From the SERVER-02 computer, attempt the telnet command once again to SERVER-01 on port 80. The connection should fail, as the Firewall rule is blocking the connection.

Exercise 4: Create a Firewall Rule to Force Allow Incoming Telnet Connections From a Single Host
The firewall rule that was created in the previous exercise blocks all inbound telnet traffic to port 80. In this exercise, you will create a rule to force allow inbound telnet traffic, but only from a single source, defined by its IP address.
1 On the Details page for the SERVER-01 computer in the Deep Security Manager Web console, click the Firewall protection module. On the General tab, click Assign/Unassign.
2 Click New > New Firewall Rule and configure a new rule with the following settings:
• Name: Force Allow Telnet from a Single Address
• Action: Force Allow
• Priority: 3-High
• Packet Direction: Incoming
• Frame Type: IP
• Protocol: TCP
• Packet Source:
  • IP: Single IP: 192.168.4.2
  • MAC: Any
  • Port: Any
• Packet Destination:
  • IP: Any
  • MAC: Any
  • Port: Port(s): 80
• Any Flags: Enabled
Verify the settings you have entered and click OK to save the new firewall rule.
3 Ensure that both custom Firewall rules are assigned, and click OK again to close the Firewall rule list.
4 Wait for the Task column to clear, then attempt to telnet to port 80 on the SERVER-01 computer once again. The connection should be allowed once again.
5 Before proceeding to the next lab, disable the Firewall protection module on SERVER-01.
6 Once the Task column clears, click Preview for the SERVER-01 computer and confirm that Firewall protection is off.
Note: The Firewall protection module components remain installed on the computer and the rules are preserved in case they need to be re-enabled at a later time.
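The interaction between the two rules of Exercises 3 and 4 (equal priority, Deny versus Force Allow, with the Force Allow winning for one source address) is worth seeing as code. The following is an added example written for this guide, not Trend Micro code and not the Deep Security firewall engine: it models only what the lab demonstrates, namely that rules are evaluated highest priority first, that a Force Allow rule overrides a Deny rule of the same priority, and that traffic matched by no rule is accepted (the state observed in Exercise 2). Rule names, the addresses 192.168.4.1 and 192.168.4.2 and port 80 come from the lab; the extra source 192.168.4.99 and port 443 are constructed test cases, and Allow, Bypass and Log Only actions are deliberately left out.

```python
"""Toy model of Deep Security firewall rule precedence as seen in Lab 6.

Added example for this guide, not Trend Micro code. It models only the
behaviour the lab demonstrates: rules are evaluated highest priority first,
a Force Allow rule beats a Deny rule of the same priority, and traffic that
matches no rule is accepted (the state observed in Exercise 2). Allow,
Bypass and Log Only actions are deliberately left out.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# At equal priority the lower rank wins: Force Allow overrides Deny.
ACTION_RANK = {"Force Allow": 0, "Deny": 1}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str = "TCP"
    direction: str = "Incoming"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "Deny" or "Force Allow"
    priority: int                   # 3 corresponds to "3-High" in the console
    direction: str = "Incoming"
    protocol: str = "TCP"
    src_ip: Optional[str] = None    # None = Any; otherwise a single IP
    dst_port: Optional[int] = None  # None = Any; otherwise one port

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction or self.protocol != pkt.protocol:
            return False
        if self.src_ip is not None and ip_address(self.src_ip) != ip_address(pkt.src_ip):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, winning rule name); verdict is 'Allow' or 'Deny'."""
    matching = [r for r in rules if r.matches(pkt)]
    if not matching:
        return "Allow", None          # nothing blocks it: implicit allow
    # Highest priority first, then action rank (Force Allow before Deny).
    winner = min(matching, key=lambda r: (-r.priority, ACTION_RANK[r.action]))
    return ("Deny" if winner.action == "Deny" else "Allow"), winner.name


# The two rules created in Exercises 3 and 4 of this lab.
DENY_TELNET_80 = Rule("Deny Inbound Telnet Port 80", "Deny", 3, dst_port=80)
FORCE_ALLOW_SERVER_02 = Rule("Force Allow Telnet from a Single Address",
                             "Force Allow", 3, src_ip="192.168.4.2", dst_port=80)


def lab_scenarios() -> dict:
    """Re-run the telnet tests of Exercises 2 to 4 against the model."""
    from_server_02 = Packet("192.168.4.2", "192.168.4.1", 80)   # the lab's telnet
    from_other_host = Packet("192.168.4.99", "192.168.4.1", 80)  # constructed
    to_port_443 = Packet("192.168.4.2", "192.168.4.1", 443)      # constructed
    both = [DENY_TELNET_80, FORCE_ALLOW_SERVER_02]
    return {
        "exercise2_no_rules": evaluate([], from_server_02),
        "exercise3_deny_only": evaluate([DENY_TELNET_80], from_server_02),
        "exercise4_server_02": evaluate(both, from_server_02),
        "exercise4_other_host": evaluate(both, from_other_host),
        "exercise4_other_port": evaluate(both, to_port_443),
    }


if __name__ == "__main__":
    for name, (verdict, rule) in lab_scenarios().items():
        print(f"{name:22s} -> {verdict:5s} ({rule or 'no matching rule'})")
```

The `exercise4_other_host` case is the one to keep in mind when reviewing a ruleset: the Force Allow only punches a hole for 192.168.4.2, so every other source is still caught by the Deny rule of the same priority.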
Lab 7: Protecting Servers From Vulnerabilities
In this lab, participants will enable the Intrusion Prevention Protection Module to protect a server from known vulnerabilities. A Recommendation Scan will be run and the suggested rules will be applied automatically. A sample rule will be enabled to block access to a test file over HTTP.
Estimated time to complete this lab: 10 minutes

Exercise 1: Run a Recommendation Scan
In this exercise, you will run a Recommendation Scan to determine which rules are appropriate for the Windows Server 2016 computer on the VM-SERVER-04 image.
1 In the lab environment, switch to the VM-SERVER-02 virtual machine.
2 Log into the Deep Security Manager Web console as the Master Administrator.
3 Click the Computers menu. Locate and double-click the SERVER-04 computer.
4 In the left-hand frame, click the Intrusion Prevention Protection Module. On the General tab, in the Recommendations section, set Automatically implement Intrusion Prevention Recommendations (when possible) to Yes and click Save. Click Scan For Recommendations.
5 The Task column for the computer will display Scanning for Recommendations.
6 While the scan is running, click Settings in the left-hand frame of the Details window. On the General tab, set Perform Ongoing Recommendation Scans to Yes and the Ongoing Scan Interval to 3 Days, and click Save.
7 Once the scan is complete, return to the Intrusion Prevention Protection Module. On the General tab, the recommended rules will be displayed and enabled in the Assigned Intrusion Prevention Rules section. This list will be refreshed based on the assigned Ongoing Scan Interval setting.
Any new rules released by Trend Micro will be applied to the machine when the scan is run again, and any rules no longer needed (for example, if the vendor patches the vulnerable operating system or application) will be removed. Note that the recommended rules are not yet being enforced, since the Protection Module Configuration is not yet enabled.

Exercise 2: Enable Intrusion Prevention Protection and Apply an Additional Rule
In this exercise, an additional rule not suggested by the Recommendation Scan will be applied and the Protection Module enabled. This rule has been included to allow testing of Intrusion Prevention and blocks the download of the EICAR test file over HTTP.
1 Still on the General tab for the Intrusion Prevention Protection Module, click Assign/Unassign and locate rule 1005924 - Restrict Download of EICAR Test File Over HTTP.
Note: Use the Search field to simplify locating the rule.
2 Click to enable the rule and click OK.
3 On the General tab, set the Configuration to On and the Intrusion Prevention Behavior to Prevent. Click Save, and Close. The Protection Module is installed on the SERVER-04 computer.

Exercise 3: Test Intrusion Prevention Protection
In this exercise, confirm that Intrusion Prevention Protection is being applied to the SERVER-04 computer by attempting to download the EICAR test file.
1 Still logged into the Deep Security Manager Web console, click Computers and hover your mouse over the SERVER-04 computer. Click Preview and confirm that the Intrusion Prevention Protection Module is On and enforcing the rules.
2 In the lab environment, switch to the VM-SERVER-04 virtual machine.
3 In a Web browser on the Windows Server 2019 computer, type the following URL to access the EICAR web site:
http://www.eicar.org/download/eicar.com
The connection to the Web site should be reset.
4 In the lab environment, switch to the VM-SERVER-02 virtual machine.
5 In the Deep Security Manager Web Console, return to the Computers list and double-click the SERVER-04 computer to display its Details.
6 Click the Intrusion Prevention Protection Module in the left-hand frame and click the Intrusion Prevention Events tab.
7 Events related to the EICAR test file download being blocked should be displayed. You may need to click Get Events.

Lab 8: Blocking Application Traffic with Intrusion Prevention Rules
In this lab, students will enable an Intrusion Prevention rule to block connections from Internet Explorer.
Estimated time to complete this lab: 10 minutes

Exercise 1: Block Internet Explorer
In this exercise, a rule will be applied to block connections from Internet Explorer.
1 In the lab environment, switch to the VM-SERVER-02 virtual machine.
2 Log into the Deep Security Manager Web console.
3 Click the Policies menu and locate and double-click the Classroom policy to open its Details.
4 Click the Intrusion Prevention Protection Module. On the General tab, set the Intrusion Prevention State to On and click Save.
5 Click Assign/Unassign in the Assigned Intrusion Prevention Rules section. In the IPS Rules list, click Application Traffic from the first drop-down list to filter the list.
6 Type Internet Explorer in the Search field in the upper-right and press Enter.
7 Click to select the following rule and click OK.
• 1002312 - Microsoft Internet Explorer Web Browser
Click Close.
Note: By default, the mode for this rule is set to Detect Only.
Initially, traffic will not be blocked, just logged.
8 The Task column for the SERVER-03 computer (which uses the Classroom policy) displays Sending Policy.
9 In the lab environment, switch to the VM-SERVER-03 virtual machine.
10 Open Internet Explorer on SERVER-03 and attempt to visit the following Web site:
wrs71.winshipway.com
What is the result? _________________________________________________________
11 Clear the browsing history in the Web browser and close the browser.
12 In the lab environment, switch to the VM-SERVER-02 virtual machine.
13 Back in the Policy details for Classroom, click the Intrusion Prevention Protection Module in the left-hand frame. Right-click the Internet Explorer rule and select Properties. This will modify the properties for this instance of the rule.
14 Change the Mode from Inherited (Detect only) to Prevent and click Apply, then OK.
15 Once the security update is complete and the Task column for the computer clears, switch to the VM-SERVER-03 virtual machine. Open Internet Explorer and attempt to visit the same Web site as in the previous step.
What is the behavior this time? _________________________________________________________
Open a different browser and attempt to access the Web site.
What is the behavior this time? _________________________________________________________
16 In the lab environment, switch to the VM-SERVER-02 virtual machine.
17 In the Deep Security Manager Web console, open the Details for SERVER-03 and locate the Intrusion Prevention Events related to this second Internet Explorer connection attempt.
18 As you may want to use Internet Explorer on this Windows 2012 Server later in the course, disable the Internet Explorer rule from the Classroom policy.

Lab 9: Detecting Changes to Protected Servers
In this lab, participants will create and deploy Integrity Monitoring rules to a Windows Server 2012 computer. In this lab, settings will be applied directly to the computer.
Estimated time to complete this lab: 15 minutes

Exercise 1: Create an Object to Monitor
In this exercise, participants will create a file on a protected computer which will be monitored for changes.
1 In the lab environment, switch to the VM-SERVER-03 virtual machine.
2 In the root of the C: drive of the Windows Server 2012 computer, create a new text document called IM Test.txt and type some content in the file. Save and close the file.

Exercise 2: Create a New Integrity Monitoring Rule
In this exercise, participants will update SERVER-03 to include Integrity Monitoring protection.
1 In the lab environment, switch to the VM-SERVER-02 virtual machine.
2 Log into the Deep Security Manager Web console as the MasterAdmin.
3 Click the Computers menu. Locate and double-click the SERVER-03 computer to open its Details.
4 In the left-hand pane, click the Integrity Monitoring Protection Module. On the General tab, set the Integrity Monitoring Configuration to On and click Save.
5 Click Assign/Unassign and, in the Integrity Monitoring Rules window, click New > New Integrity Monitoring Rule.
Create a new rule with the following details:
On the General tab:
• Name: 1000000-IM file test
• Severity: Medium
Note: By prefixing the rule name with a numerical value such as 1000000, it will appear at the top of the Integrity Monitoring Rules list.
On the Content tab:
• Template: File
• Base Directory: C:\
• Include Files With Names Like (One Per Line): IM Test.txt
Leave the other settings at their default values and click OK to save the rule.
6 Click OK again to close the rules window. Ensure that the 1000000 - IM file test rule is enabled and close Details.
7 The baseline for the computer will be created. The Task column for the SERVER-03 computer will display Sending Policy and Baseline Rebuild in Progress. Wait for the Task column to clear before continuing.
8 Click Preview for SERVER-03 and ensure that Integrity Monitoring is on and one rule is in place.

Exercise 3: Generate Integrity Monitoring Events
In this exercise, Integrity Monitoring Events will be generated by making changes to the IM Test.txt file on the SERVER-03 computer.
1 In the lab environment, switch to the VM-SERVER-03 virtual machine.
2 Locate the file created earlier: C:\IM Test.txt
3 Open the file and make a change to the content. Save and close the file.
4 In the lab environment, switch to the VM-SERVER-02 virtual machine.
5 Return to the Deep Security Manager Web console and click the Computers menu.
6 Locate and double-click the SERVER-03 computer to open the Details screen. Click Integrity Monitoring from the left-hand pane.
7 Click Scan for Integrity to run a manual scan.
8 Click the Integrity Monitoring Events tab and click Get Events to refresh the list.
Deep Security Manager will contact the Deep Security Agent on this computer to retrieve Events. Events related to the changes to the monitored file should be displayed.
9 Double-click the Event to display its Details, then click Close.

Exercise 4: Deploy an Additional Integrity Monitoring Rule
In this exercise, a second Integrity Monitoring Rule will be applied to SERVER-03.
1 Still in the Deep Security Manager Web console, return to the Details for the SERVER-03 computer.
2 Click Integrity Monitoring in the left-hand frame and click Assign/Unassign.
3 Search for an Integrity Monitoring Rule called 1002781 - Microsoft Windows - Attributes of a service modified. Click to enable this rule and click OK.
4 The baseline for the server will be rebuilt to incorporate the new objects.

Exercise 5: Generate Integrity Monitoring Events
In this exercise, a Windows Service will be stopped to trigger Integrity Monitoring Events.
1 In the lab environment, switch to the VM-SERVER-03 virtual machine.
2 Click Start > Administrative Tools > Services. In Windows Services, stop the Print Spooler service.
3 In the lab environment, switch to the VM-SERVER-02 virtual machine.
4 In the Deep Security Manager Web console, click the Computers menu. Locate and double-click the SERVER-03 computer to open its Details.
5 From the left-hand pane, click the Integrity Monitoring Protection Module and click Scan For Integrity to trigger a manual scan. Wait until the scan completes.
6 Click the Integrity Monitoring Events tab. Events related to the service being disabled should be displayed. Click Get Events if the items are not immediately displayed.
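Before looking at the individual event details, it helps to see the cycle Exercises 2 to 5 walk through (build a baseline, rescan, report what differs) as code. The following is an added example written for this guide, not Trend Micro code and not the File template's real implementation: it fingerprints the files matched by a name pattern in a base directory, diffs a later snapshot against the baseline, and reports Created, Updated and Deleted events. It runs against a temporary directory holding a constructed IM Test.txt rather than the lab's C:\, and it models file content and size only; the service attributes watched by rule 1002781 in Exercise 4 are outside what it covers.

```python
"""Baseline-and-compare model of Integrity Monitoring's File template (Lab 9).

Added example for this guide, not Trend Micro code. It reproduces the idea
behind Exercises 2 to 5: snapshot the monitored objects, rescan later, and
report what changed. Only file content and size are fingerprinted; service
attributes (rule 1002781) are not modelled.
"""
import hashlib
import tempfile
from fnmatch import fnmatch
from pathlib import Path
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, object]]


def snapshot(base_dir: str, include_names: List[str]) -> Snapshot:
    """Fingerprint every file in base_dir whose name matches one of the patterns.

    Mirrors the rule's 'Base Directory' and 'Include Files With Names Like'
    settings; patterns use shell-style wildcards (fnmatch), no recursion.
    """
    result: Snapshot = {}
    for path in Path(base_dir).iterdir():
        if not path.is_file():
            continue
        if not any(fnmatch(path.name, pattern) for pattern in include_names):
            continue
        data = path.read_bytes()
        result[path.name] = {"sha256": hashlib.sha256(data).hexdigest(),
                             "size": len(data)}
    return result


def compare(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str]]:
    """Diff two snapshots into (object, change type) events, sorted by name."""
    events = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            events.append((name, "Deleted"))
        elif name not in baseline:
            events.append((name, "Created"))
        elif baseline[name] != current[name]:
            events.append((name, "Updated"))
    return events


def run_lab_sequence() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Replay the lab in a temp directory standing in for the C: drive (constructed data)."""
    rule = ["IM Test.txt"]                      # Include Files With Names Like
    with tempfile.TemporaryDirectory() as base:
        monitored = Path(base) / "IM Test.txt"
        unmonitored = Path(base) / "notes.txt"  # outside the rule, constructed
        monitored.write_text("some content\n")
        unmonitored.write_text("not monitored\n")

        baseline = snapshot(base, rule)         # Exercise 2: Baseline Rebuild

        monitored.write_text("some changed content\n")      # Exercise 3 step 3
        unmonitored.write_text("changed too, but ignored\n")
        first_scan = compare(baseline, snapshot(base, rule))  # Scan for Integrity

        baseline = snapshot(base, rule)         # take a fresh baseline
        monitored.unlink()                      # a further change: file removed
        second_scan = compare(baseline, snapshot(base, rule))
    return first_scan, second_scan


if __name__ == "__main__":
    first, second = run_lab_sequence()
    print("after edit:  ", first)    # [('IM Test.txt', 'Updated')]
    print("after delete:", second)   # [('IM Test.txt', 'Deleted')]
```

The unmonitored notes.txt changes in step 3 too but produces no event, which is the point of scoping the rule with a base directory and a name filter: the baseline only carries objects the rule selects, so noise from unrelated files never reaches the event list.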
7 Double-click an event to examine the details.
8 Close the Event details and Computer details.

Lab 10: Blocking Unapproved Software
In this lab, participants will block the execution of an application on a Windows Server 2019 computer with Application Control.
Estimated time to complete this lab: 20 minutes

Exercise 1: Activate Application Control Protection
In this exercise, Application Control protection will be enabled on the SERVER-04 computer.
1 In the lab environment, switch to the VM-SERVER-02 virtual machine.
2 Log into the Deep Security Manager Web console as MasterAdmin.
3 Click the Computers menu and double-click the SERVER-04 computer to open its Details. Click Application Control in the left-hand frame and set the following:
• Application Control Configuration: On
• Block unrecognized software until it is explicitly allowed: Enabled
Click Save and close Details.
4 The Task column for the SERVER-04 computer displays Sending Policy, then after a few minutes, Application Control Inventory Scan in Progress. (It may take about 20 minutes for the inventory scan to complete.)
5 Wait until the Task column clears before continuing.
Note: In some cases, the Application Control Inventory Scan in Progress message may not appear and it can be difficult to determine if the inventory scan is complete. The start and end of the scan are logged as events. Click Events & Reports and view the System Events. You should see an Application Control Inventory Scan Completed entry, which provides confirmation that the scan is complete.
6 Hover the mouse over the SERVER-04 computer in the list and click Preview to confirm that Application Control is being applied.
Exercise 2: Install a New Application
In this exercise, a new application will be added to the Windows Server 2019 computer to trigger Application Control protection.
1 In the lab environment, switch to the VM-SERVER-04 virtual machine. Open the Deep Security console and confirm that Application Control protection is enabled.
2 Open the Lab Files folder on the Windows Server 2019 desktop and locate the file called WinMD5.exe. Drag the file to the Windows Server 2019 desktop. Click OK if prompted with a warning message.
Note: The WinMD5.exe file must be dragged from the Shared folder to the Windows Server 2019 desktop. Application Control will not block files that are executed from a remote folder or other removable media like a USB stick.
3 Double-click WinMD5.exe to launch the application.
4 An application error is displayed, as the new software is being blocked by the Application Control ruleset.
5 In the lab environment, switch to the VM-SERVER-02 virtual machine.
6 In the Deep Security Manager Web console, click the Computers menu. Locate and double-click the SERVER-04 computer to open its Details.
7 Click Application Control in the left-hand frame and click the Application Control Events tab. Click Get Events.
8 An Execution of Unrecognized Software Blocked entry should be displayed in the list. Double-click to view the details of the event, then close the viewer window.
9 In the list of Application Control Events, click Change rules in the Rules column.
10 Click Create “allow” rule in Ruleset and click OK, then Close.
11 The ruleset for this computer is updated and the Tasks column displays Application Control Ruleset Update in Progress. Wait until this message clears before proceeding.
12 In the lab environment, switch to the VM-SERVER-04 virtual machine.
13 Attempt to launch the WinMD5.exe application once again. Since the ruleset was changed to allow the new application, it should start. Click Exit to close the application.

Lab 11: Inspecting Logs on Protected Servers
In this lab, participants will create and enable a Log Inspection rule to monitor Windows Events.
Estimated time to complete this lab: 10 minutes

Exercise 1: Create a New Log Inspection Rule
In this exercise, participants will create a new Log Inspection rule.
1 In the lab environment, switch to the VM-SERVER-02 virtual machine.
2 Log into the Deep Security Manager Web console as MasterAdmin.
3 Click the Policies menu. Locate and double-click the Classroom policy to open its Details.
4 In the left-hand menu, click Log Inspection. On the General tab, set the Log Inspection State to On and click Save.
5 Click Assign/Unassign and use the search to locate the Log Inspection rule called 1002795 - Microsoft Windows Events. Click to enable the rule, then click OK.
6 This rule is dependent on another Log Inspection rule; click OK to accept any dependencies and click Close.
7 Confirm that two Log Inspection rules are applied.
8 The Task column for the computers using the Classroom policy will display Sending Policy.
9 Wait for the Task column to clear before proceeding.

Exercise 2: Generate Log Inspection Events
In this exercise, participants will clear the Windows Security Event log on a Windows Server 2012 computer and examine the Events generated by the Log Inspection Protection Profile.
1 In the lab environment, switch to the VM-SERVER-03 virtual machine.
2 Click Start and Event Viewer.
3 Once open, expand Windows Logs > Security in the left-hand pane.
4 Right-click Security and click Clear Log. Click Clear when prompted to save events.
5 The Security log is cleared and will display a single log entry containing details of the log being cleared.
6 Close the Event Viewer.
7 In the lab environment, switch to the VM-SERVER-02 virtual machine.
8 In the Deep Security Manager Web console, locate and double-click the SERVER-03 computer to open its Details.
9 From the left-hand pane, click the Log Inspection Protection Module and click the Log Inspection Events tab. An event related to the Security log being cleared is displayed. If the events are not displayed, click Get Events and wait for the Deep Security Manager to contact the Agent to retrieve events.
Note: Alternately, click the Events and Reports menu, and in the left-hand frame, click Log Inspection Events. This will display Log Inspection Events for all computers.
10 Double-click the event triggered by the 1002795 - Microsoft Windows Events rule and examine the event details.
11 Click Close.

Exercise 3: Scan for Recommendations
In this exercise, participants will initiate a Recommendation Scan to view what other Log Inspection rules would be suggested for this host computer.
1 Return to the Computers menu and double-click the SERVER-03 computer to open its Details once again.
2 In the left-hand menu, click Log Inspection. On the General tab, click Scan for Recommendations.
3 The scan will be initiated on the SERVER-03 computer. The Task column for the computer will display Scanning for Recommendations. This process may take a few minutes to complete.
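While the recommendation scan runs, the event produced in Exercise 2 is a good illustration of what a Log Inspection rule does: watch the Windows event stream and raise an event of its own when a record of interest appears. The following is an added example written for this guide, not Trend Micro code and not the content of the real 1002795 rule: it parses a constructed sample of event records written in a simple one-line-per-event text form, applies a small rule table keyed on channel and Event ID, and returns the resulting alerts. The sample records, their timestamps, the account name and the rule identifier are constructed; the Event IDs follow Windows' own numbering, in which 1102 in the Security log is the "audit log was cleared" record that step 5 describes.

```python
"""Minimal Log Inspection matcher modelled on Lab 11, Exercise 2.

Added example for this guide, not Trend Micro code and not the real
1002795 rule. Event records use a constructed one-line format:
<timestamp> <channel> <event id> <message>.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample; the account name and times are made up. Event ID 1102
# in the Security channel is Windows' "The audit log was cleared" record.
SAMPLE_EVENTS = """\
2021-02-18T14:01:07Z Security 4624 An account was successfully logged on.
2021-02-18T14:02:15Z Security 4672 Special privileges assigned to new logon.
2021-02-18T14:05:42Z Security 1102 The audit log was cleared. Subject: WINSHIPWAY\\labadmin
2021-02-18T14:05:43Z System 7036 The Print Spooler service entered the stopped state.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<channel>\S+)\s+(?P<event_id>\d+)\s+(?P<message>.*)$")

# Rule table standing in for the rule content; the rule id and name are constructed.
RULES = [
    {"rule": "li-0001 Security log cleared", "channel": "Security",
     "event_id": 1102, "severity": "High",
     "description": "Windows Security event log was cleared"},
]


def parse_events(text: str) -> List[Dict[str, object]]:
    """Turn the text form into records; lines that do not parse are skipped."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            rec: Dict[str, object] = m.groupdict()
            rec["event_id"] = int(rec["event_id"])
            records.append(rec)
    return records


def match_rules(records: Iterable[Dict[str, object]], rules=RULES) -> List[Dict[str, object]]:
    """Return one alert per (record, rule) pair whose channel and Event ID match."""
    alerts = []
    for rec in records:
        for rule in rules:
            if rec["channel"] == rule["channel"] and rec["event_id"] == rule["event_id"]:
                alerts.append({"rule": rule["rule"], "severity": rule["severity"],
                               "description": rule["description"],
                               "timestamp": rec["ts"], "event_id": rec["event_id"],
                               "message": rec["message"]})
    return alerts


def inspect_text(text: str) -> List[Dict[str, object]]:
    """Parse and match in one step, as an agent would on a tailed log."""
    return match_rules(parse_events(text))


if __name__ == "__main__":
    for a in inspect_text(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['timestamp']} {a['rule']}: {a['message']}")
```

Only the 1102 record produces an alert; the logon, privilege and service records pass through silently. Keeping the original message in the alert matters for the analyst, since a cleared audit log is only useful as a signal if the event still says who cleared it.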
4 Once the Task column clears, click Assign/Unassign. In the Log Inspection Rules window, click Recommended for Assignment from the first drop-down list. The list of recommended rules is displayed. To apply any of the recommended rules, click to enable the rules from the list. Click Cancel without applying any of the recommendations, and close Details.

Lab 12: Accessing Deep Security Through the Application Programming Interface
In this lab, participants will access some simple Deep Security functions through the Application Programming Interface (API). An application called Postman will be used to forward the API requests to Deep Security.
Estimated time to complete this lab: 30 minutes

Exercise 1: Create an API key
To use the Deep Security API, you will need an API key. In this exercise, a key with full access to Deep Security will be created.
1 In the lab environment, switch to the VM-SERVER-02 virtual machine.
2 Log into the Deep Security Manager Web console as MasterAdmin.
3 Click Administration > User Management > API Keys and click New.
4 Create a new API key with the following details and click Next:
• Name: Exercise key
• Description: Type a description for the key
• Role: Full Access
• Expires on: Select the date a year from today
5 The secret key value is displayed. This is the only time you will have access to this key.
6 Click Copy to clipboard and paste the key into the API Keys.txt file on the Windows desktop. Save the file.
7 Close the key creation wizard.

Exercise 2: Access the API Reference
In this exercise, participants will access the Deep Security API reference information on the Automation Center. The Chrome browser is recommended to display the site.
1 Still on the VM-SERVER-02 virtual machine, access the Deep Security Automation Center by clicking the bookmark in the Chrome browser, or enter the following URL in Chrome:
https://automation.deepsecurity.trendmicro.com
The Deep Security Automation Center Web site is displayed.
2 In the Version list, select 20.0.
3 Click the API Reference menu. The Deep Security API-accessible functions are displayed in the frame on the left-hand side of the Web page.
4 Scroll down and expand Computers. The operations related to the Computers list available through the API are displayed. Click List Computers. The parameters related to displaying the Computers list are displayed in the middle frame. Code samples for Python, JavaScript and Java are displayed in the right-hand frame.
5 In the code samples frame, click GET /computers to display the URL of the API path. Select the entire path and copy it to the clipboard.

Exercise 3: Use the API to List Computer Details
In this exercise, an API request for computer details will be submitted to Deep Security through the Postman application. This application allows you to test submissions to the API without having to use a specific programming language.
1 On the Windows desktop, open the Postman application.
2 In the GET frame, paste the URL of the API path. Replace dsm.example.com with the URL of the Deep Security Server, for example: server-02.trend.local
Note: You can type the URL, or copy and paste the URL listed in the API Keys.txt file.
3 The API key and API version must be included in the request for the Computers list through Postman. In Postman, click the Headers tab.
For the API key:
• Click in the first row under Key and type the key name of api-secret-key.
• Click under Value and paste the value of the secret API key from the API Keys.txt file.
For the API version:
• Click in the second row of the list under Key and type the key name of api-version.
• Click under Value and type v1.
4 Click Send. Postman will pass the request for the Computers list to Deep Security through an HTTP request.
5 The response, in this case a list of computer details in JSON format, is displayed in the Body section in Postman. Scroll through the list to view details of all the computers.

Exercise 4: Use the API to Create a Group
In this exercise, an API request to create a new computer group will be submitted to Deep Security through the Postman application.
1 Return to the API Reference and expand Computer Groups. The operations related to Groups in Deep Security that are available through the API are displayed. Click Create A Computer Group. Note that this function uses a POST operation.
2 In the code samples frame, click POST /computergroups to display the URL of the API path. Select the entire path and copy it to the clipboard.
3 Return to the Postman application and click + to create a new tab.
4 Select POST from the operations list and paste the URL of the API path for this operation. Replace dsm.example.com with the URL of the Deep Security Manager computer, for example: server-02.trend.local
5 On the Headers tab, add the API key and API version headers as in the previous exercise.
For the API key:
• Click in the first row of the list under Key and type the key name of api-secret-key.
• Click under Value and paste the value of the secret API key from the API Keys.txt file.
For the API version:
• Click in the second row of the list under Key and type the key name of api-version.
• Click under Value and type v1.
6 When using a POST operation, parameters must be submitted along with the headers to provide details to Deep Security, for example, the name and description of the group to be created. Return to the API Reference and, in the Request Sample section, click Payload. Click Copy to copy the JSON-formatted template data.
7 Return to Postman. In the list of tabbed items below the API URL, click Body. In the list of formats, click Raw, then, at the end of the list of formats, expand the list and click JSON. Paste the payload template data in the frame.
8 Modify the pasted template data in the Body to include the name and description for a new computer group. Replace the string values with the group details, for example:
• name: Classroom
• description: Demonstration Group for API Lesson
• parentGroupID: 0
9 Return to the Headers tab. Note that a new header called Content-Type has been automatically added with a value of application/json, as this was the format selected for the Body.
10 Click Send. Postman will pass the request to Deep Security through an HTTP API request.
11 Return to the Deep Security Manager Web console and note that the new group has been created.
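The requests built by hand in Postman in Exercises 3 and 4 (and the List Policies / DELETE /policies/{policyID} pair of the optional exercise that follows) are the same few HTTP calls a script would make. The following is an added example written for this guide, not Trend Micro code and not the Automation Center's SDK; it uses only the Python standard library. It carries the api-secret-key and api-version: v1 headers from the lab and the group payload fields name, description and parentGroupID. Everything else is an assumption and labelled as such: that the manager listens on its default port 4119 and serves the API under /api (so GET /computers from the reference becomes https://server-02.trend.local:4119/api/computers), that list responses wrap their items as {"computers": [...]} and {"policies": [...]}, and that each item carries ID and (for computers) hostName fields.

```python
"""Stdlib client for the Deep Security API calls made in Lab 12.

Added example for this guide, not Trend Micro code or the Automation
Center's SDK. Assumptions (not stated in the lab): the manager listens on
its default port 4119 and the API lives under /api, list responses wrap
items as {"computers": [...]} / {"policies": [...]}, and items carry an
"ID" field. The api-secret-key and api-version headers and the group
payload fields are the ones the lab uses in Postman.
"""
import json
import ssl
import urllib.request
from typing import Any, Dict, Optional

API_VERSION = "v1"


class DeepSecurityClient:
    def __init__(self, base_url: str, api_key: str, cafile: Optional[str] = None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        # A lab manager usually has a self-signed certificate: pass its
        # exported certificate as cafile rather than turning verification off.
        self.tls = ssl.create_default_context(cafile=cafile)

    def headers_for(self, payload: Optional[Dict[str, Any]]) -> Dict[str, str]:
        """The headers Postman carried: key, API version, and Content-Type for a body."""
        headers = {"api-secret-key": self.api_key,
                   "api-version": API_VERSION,
                   "Accept": "application/json"}
        if payload is not None:
            headers["Content-Type"] = "application/json"  # Postman added this itself
        return headers

    def build_request(self, method: str, path: str,
                      payload: Optional[Dict[str, Any]] = None) -> urllib.request.Request:
        data = json.dumps(payload).encode("utf-8") if payload is not None else None
        return urllib.request.Request(self.base_url + path, data=data,
                                      headers=self.headers_for(payload), method=method)

    def call(self, method: str, path: str, payload: Optional[Dict[str, Any]] = None):
        """Send the request and decode the JSON body (None for an empty body)."""
        req = self.build_request(method, path, payload)
        with urllib.request.urlopen(req, context=self.tls, timeout=30) as resp:
            body = resp.read()
        return json.loads(body) if body else None

    # Exercise 3: GET /computers
    def list_computers(self):
        return self.call("GET", "/api/computers")

    # Exercise 4: POST /computergroups with the name/description/parentGroupID payload
    def create_group(self, name: str, description: str, parent_group_id: int = 0):
        return self.call("POST", "/api/computergroups",
                         {"name": name, "description": description,
                          "parentGroupID": parent_group_id})

    # Optional exercise: list policies to find an ID, then DELETE /policies/{policyID}
    def list_policies(self):
        return self.call("GET", "/api/policies")

    def delete_policy(self, policy_id: int):
        return self.call("DELETE", f"/api/policies/{policy_id}")


def find_policy_id(list_response: Dict[str, Any], name: str) -> Optional[int]:
    """Pick the ID of the named policy out of a List Policies response (assumed shape)."""
    for policy in list_response.get("policies", []):
        if policy.get("name") == name:
            return policy.get("ID")
    return None


def payload_of(req: urllib.request.Request) -> Optional[Dict[str, Any]]:
    """Decode the JSON body attached to a built request, for inspection."""
    return json.loads(req.data) if req.data else None


if __name__ == "__main__":
    # Read the secret from the API Keys.txt file saved in Exercise 1 instead of
    # hard-coding it in the script.
    with open("API Keys.txt") as f:
        client = DeepSecurityClient("https://server-02.trend.local:4119", f.read().strip())
    for computer in client.list_computers().get("computers", []):
        print(computer.get("ID"), computer.get("hostName"))
    client.create_group("Classroom", "Demonstration Group for API Lesson")
```

Two points carry over from the lab: the secret key is a bearer credential with the Full Access role, so it belongs in a file or secret store read at run time, never in the script; and because the key is shown only once at creation, the API Keys.txt copy made in Exercise 1 is the only place it survives.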
Optional Exercise: Use the API to Delete a Policy
If you have extra time at the end of the other exercises, you may attempt this extra task. In this optional exercise, an unneeded policy will be deleted through the API using the Postman application.
1 In the API Reference, expand Policies. The operations for policies that are available through the API are displayed. Click Delete a Policy. Note that this function uses a DELETE operation.
2 In the code samples frame, note the path DELETE /policies/{policyID}. This URL requires the policyID of the policy to be deleted. Before the policy can be deleted, the IDs of the policies currently defined in Deep Security must be retrieved.
3 In the API Reference menu, with Policies expanded, click List Policies and copy the API URL.
4 Return to the Postman application and click + to create a new tab. Select GET from the operations list and paste the URL of the API path. Replace dsm.example.com with the hostname of the Deep Security Manager computer.
5 On the Headers tab, add the API key and API version headers as in the previous exercise.
For the API key:
• Click in the first row of the list under Key and type the key name api-secret-key.
• Click under Value and paste the value of the secret API key from the API Keys.txt file.
For the API version:
• Click in the second row of the list under Key and type the key name api-version.
• Click under Value and type v1.
6 Click Send. Postman passes the request to Deep Security as an HTTP API request.
7 The list of policies and their details is displayed in the Body section.
8 Scroll through the response body, or use Search, to locate the Solaris policy.
This policy is not required in your environment and you have decided it should be deleted. Once you locate the Solaris policy, scroll through its parameters to locate its ID and take note of it. The ID field is near the end of the parameters for the Solaris policy.
9 Return to the Delete a Policy operation in the API Reference and copy the policy delete API URL.
10 In Postman, change the operation type to DELETE and paste the API URL. Replace dsm.example.com with the hostname of the Deep Security Manager computer. Replace {policyID} in the URL with the ID of the Solaris policy.
11 On the Headers tab, add the API key and API version headers as in the previous exercise.
For the API key:
• Click in the first row of the list under Key and type the key name api-secret-key.
• Click under Value and paste the value of the secret API key from the API Keys.txt file.
For the API version:
• Click in the second row of the list under Key and type the key name api-version.
• Click under Value and type v1.
12 Click Send. Postman passes the request to Deep Security as an HTTP API request.
13 Return to the Deep Security Manager Web console and verify that the Solaris policy has been deleted.
14 Close Postman.

Lab 13: Integrating Deep Security With Connected Threat Defense
In this lab, participants will integrate Deep Security with Deep Discovery Analyzer and Apex Central as part of Connected Threat Defense. A file sample will be submitted manually and the progress of the file through the phases of Connected Threat Defense will be observed.
Estimated time to complete this lab: 30 minutes

Exercise 1: Integrate Deep Security With Apex Central
To participate in Connected Threat Defense, Deep Security must be added to Apex Central as a Managed Server.
1 In the lab environment, switch to the VM-SERVER-02 virtual machine.
2 Open the Apex Central Web Management console by typing the following URL, or by clicking the bookmark on the browser toolbar:
https://server-03.trend.local/WebApp/Login.html
3 When prompted, authenticate with the following credentials:
• Username: Admin
• Password: Pa$$w0rd (using the zero character)
Note: If a license expired message is displayed, click Administration > License Management > Apex Central and click Update License Information.
4 Click Administration > Managed Servers > Server Registration.
5 Select Deep Security from the Server Type list and click Add a product.
6 Type the details of the Deep Security Manager as follows and click Save.
• Server: https://server-02.trend.local:4119
• Display name: Deep Security
• User name: MasterAdmin
• Password: trendmicro
7 Deep Security is now listed as a Managed Server.

Exercise 2: Integrate Deep Discovery Analyzer with Apex Central
The Deep Discovery Analyzer must also be added as a Managed Server in Apex Central.
1 Still in the Apex Central Web Management console, click Administration > Managed Servers > Server Registration.
2 Select Deep Discovery Analyzer from the Server Type list and click Add a product.
3 Type the details of the Deep Discovery Analyzer device as follows and click Save.
• Server: https://192.168.4.5
• Display name: Analyzer
• User name: Admin
• Password: Admin1234!
4 Deep Discovery Analyzer is now listed as a Managed Server.

Exercise 3: Add Deep Discovery Analyzer and Deep Security to the Apex Central Product Directory
In this exercise, Deep Security and Deep Discovery Analyzer will be added to the Product Directory in Apex Central.
1 In the Apex Central Web Management console, click Directories > Products and click Directory Management.
2 Click Local Folder, and click Add Folder.
3 Type a name for the new folder (or directory), for example Trend Micro Servers, and click Save. Click OK to confirm the creation of the new directory.
4 Expand the New Entity folder. Drag Analyzer from the New Entity folder to the newly created Trend Micro Servers folder. When prompted, click OK to acknowledge the move.
5 The Analyzer device should now be displayed in the Trend Micro Servers folder.
6 Drag the Deep Security device from the New Entity folder to the Trend Micro Servers folder. When prompted, click OK to acknowledge the move. Deep Discovery Analyzer and Deep Security should both be displayed in the Trend Micro Servers folder.

Exercise 4: Configure Deep Security for Connected Threat Defense
In this exercise, Deep Security will be configured to use the Deep Discovery Analyzer and Apex Central.
1 Log into the Deep Security Manager Web console and click the Administration menu. In the left-hand pane, expand System Settings and click the Connected Threat Defense tab. In the Connected Threat Defense section, click Enable submission of suspicious file to Deep Discovery Analyzer. To submit files to Deep Discovery Analyzer from Deep Security automatically, click Enable automatic file submission.
Note: Automatic submission to Deep Discovery Analyzer occurs every 15 minutes and submits a maximum of 100 files per submission.
Click Use the Deep Discovery Analyzer associated with the Apex Central that Deep Security is registered with.
2 Click Add/Update the Certificate to update to the correct Deep Discovery Analyzer certificate. Click Close.
3 Click Test Connection and ensure that the connection is successful.
4 Scroll down and enable Compare objects against Suspicious Object List, and click Use the Apex Central that Deep Security is registered with.
5 Click Add/Update the Certificate to update to the correct Apex Central certificate. Click Close.
6 Click Test Connection and ensure that the connection is successful.
7 Click Save.

Exercise 5: Create a Malware Scan Configuration
In this exercise, a malware scan configuration will be modified to allow Deep Security to submit suspicious objects to Deep Discovery Analyzer for further analysis.
1 In Deep Security Manager, click the Policies menu. In the left-hand pane, expand Common Objects > Other > Malware Scan Configurations.
2 Edit the Classroom scan configuration created in a previous exercise. On the General tab, click Scan for exploits against known critical vulnerabilities and aggressive detection of unknown suspicious exploits. Click OK.
3 Configure any other malware scan settings if required.

Exercise 6: Enable Connected Threat Defense
In this exercise, sandbox analysis will be enabled in the Classroom policy.
1 Still in the Deep Security Manager Web console, click the Policies menu and double-click the Classroom policy to edit it.
2 Click the Anti-Malware protection module and click the Connected Threat Defense tab. Ensure that Submit files identified as suspicious... and Use Apex Central's Suspicious Object List are both set to Yes.
3 Click Save.

Exercise 7: Submit a File to Deep Discovery Analyzer for Analysis
In this exercise, a file previously captured as malware will be manually submitted for analysis.
1 In the Deep Security Manager Web console, click the Computers menu and open the details of the SERVER-03 computer.
2 Click the Anti-Malware protection module in the left-hand pane, then click the Identified Files tab.
3 Locate the l1-1.doc file that was captured as malware in a previous lesson. Click the entry to highlight it and click Analyze. (You may need to change the Period value and click Refresh.)
Note: The l1-1.doc file is identified as EXPL_CVE20158 in the Malware column.
4 Follow the steps in the wizard by clicking Next.
5 Submission of the file will be confirmed.

Exercise 8: Track the Submission
In this exercise, the analysis of the submitted file will be tracked in Deep Discovery Analyzer and Apex Central.
1 Log into the Deep Discovery Analyzer Web Management console by entering the following URL in a web browser, or by clicking the bookmark in the browser:
https://192.168.4.5
2 Log in with the following Deep Discovery Analyzer credentials when prompted:
• User name: admin
• Password: Admin1234!
Note: If a message is displayed about the license expiring, click Administration > License and click Refresh.
3 Verify that the file has been submitted by Deep Security by clicking Virtual Analyzer > Submitters. Deep Security should be displayed as the submitter of the object.
4 Click Virtual Analyzer > Submissions. On the Processing tab, verify that the l1-1 [1].doc file is being processed by the Analyzer under today's date. There will be some delay before the file is forwarded from Deep Security Manager and processing of the file by Deep Discovery Analyzer begins.
5 Once the submission is processed, the entry will be displayed on the Completed tab.
There will be some delay while the file is processed.
6 Click Virtual Analyzer > Suspicious Objects and verify that the object is now visible in the list. To identify the object uniquely, its hash is displayed instead of the file name.
7 Return to the Apex Central Web Management console, click Threat Intel > Virtual Analyzer Suspicious Objects and verify that the object is now visible in the list. You may need to wait several minutes for the results of the analysis to be passed to Apex Central.
8 Click to select the object in the list and click Configure Scan Action.
9 In the Scan Action window, select Block in the For selected files section and click Apply.
10 When prompted, confirm the application of the scan action. Click Apply Scan Action.
The Scan Action is changed to Block.

Appendix A Lab: Activating and Managing Multiple Tenants
In this lab, participants will explore multi-tenancy in Deep Security.
Note: A dedicated Activation Code is required to enable multi-tenancy. This code is available in the Activation Code.txt file in the Lab Files folder on the computer desktop.
Estimated time to complete this lab: 30 minutes
The scenario for multi-tenancy in this lab uses two tenants. (Figure: the Primary Tenant, Tenant 0, administered by MasterAdmin with the dsm database on SQL Server, and the tenants ABC_Co (administrator Admin_ABC) and XYZ_Ltd (administrator Admin_XYZ) with their own databases dsm_1 and dsm_2.)

Exercise 1: Enable Multi-Tenancy
In this exercise, multi-tenancy will be enabled in Deep Security Manager.
1 In the lab environment, switch to the VM-SERVER-02 virtual machine.
2 Log into the Deep Security Manager Web console as the MasterAdmin.
3 In the Deep Security Manager Web console, click the Administration menu. Click System Settings and the Advanced tab.
Click Enable Multi-Tenant Mode.
4 Type (or paste) the Multi-Tenancy Activation Code from the Activation Code.txt file in the Lab Files folder on the desktop and click Next.
5 Click Inherit Licensing from Primary Tenant and click Next.
6 A Configuration Summary is displayed. Click Finish to complete enabling multi-tenancy. This operation is irreversible once applied.
7 Multi-tenancy is now enabled. Click Close to continue.
8 A new menu item called Tenants now appears under the Administration menu, as well as a new tab called Tenants.

Exercise 2: Create Multiple Tenants
In this exercise, two new tenants will be created in the Deep Security Manager Web console.
1 Still in the Deep Security Manager Web console, with the Tenants item selected in the left-hand pane, click New.
2 Configure the tenant account with the following details and click Next:
• Account Name: ABC_Co
• Email Address: Admin@ABC.com
• Locale: English (US)
• Time Zone: select the time zone for your location
3 Configure an administrator for the tenant with the following details and click Next:
• Username: Admin_ABC
• Password Option: No Email
• Password: trendmicro
4 Confirm the settings and click Finish to create the new tenant.
5 A progress bar displays the status of the tenant creation process. It will take a few minutes to create the tenant.
6 Once the tenant creation is complete, repeat the process to add another new tenant with the following details:
• Account Name: XYZ_Ltd
• Email Address: Admin@XYZ.com
• Locale: English (US)
• Time Zone: select the time zone for your location
• Username: Admin_XYZ
• Password Option: No Email
• Password: trendmicro
7 Two new tenants are displayed in the Deep Security Manager Web console.

Exercise 3: Lock Down Tenants
In this exercise, tenants will be assigned different Protection Modules to illustrate how tenants can have different configurations.
1 Sign out of the Deep Security Manager Web console as the MasterAdmin user.
2 The Sign In window is displayed with a new Account Name field now that multi-tenancy is enabled.
3 Sign back in as MasterAdmin for the Primary Tenant. Since you are logging in to the Primary Tenant, leave the Account Name field empty. An indicator at the top of the Deep Security Manager Web console page shows that you are logged into the Primary Tenant.
4 Click the Administration menu and click Tenants in the left-hand frame. Double-click the ABC_Co tenant to open its Properties.
5 Click the Modules tab. Click Selected Modules and enable only the Integrity Monitoring and Log Inspection Protection Modules for this tenant.
6 Click the Agent Activation tab and view the Agent-Initiated Activation string. The Tenant ID and Tenant Password in the string allow Deep Security Agents to activate against the correct tenant. Click Apply, then click OK.
7 Repeat this process for the XYZ_Ltd tenant, but enable only the Firewall and Intrusion Prevention Protection Modules.
8 Click the Agent Activation tab once again and view the Deep Security Agent-Initiated Activation string.
Compare the strings for both tenants and notice that they are different. Click Apply, then OK.
9 The Tenants list displays both tenants, and the Visible Modules column displays the Protection Modules enabled for each tenant.
10 Sign out, then sign in as the first tenant with the following details:
• Account name: ABC_Co
• Username: Admin_ABC
• Password: trendmicro
11 Click the Policies menu and, in the left-hand frame, expand Common Objects > Rules. Note the rules for the two Protection Modules enabled for this tenant.
12 Expand Policies in the right-hand frame and double-click the Windows policy. Note the Protection Modules that are available for this tenant in the left-hand frame of the Details window. Click Close.
13 Sign out, then sign in again as the second tenant with the following details:
• Account name: XYZ_Ltd
• Username: Admin_XYZ
• Password: trendmicro
14 Return to the Policies menu and, in the left-hand frame, expand Common Objects > Rules once again. Note the rules for the two Protection Modules enabled for this tenant.
15 Again, expand Policies in the right-hand frame and double-click the Windows policy. Note the Protection Modules that are available for this tenant in the left-hand frame of the Details window.
16 Sign out of the Deep Security Manager Web console.
17 Still on the SERVER-02 computer, click Start > Microsoft SQL Server Tools 17 > Microsoft SQL Server Management Studio 17.
18 Log into Microsoft SQL Server with the following credentials, which were assigned when the database was initialized, and click Connect:
• Server Type: Database Engine
• Server Name: SERVER-02
• Authentication: SQL Server Authentication
• Login: sa
• Password: trendmicro
19 Once connected to the SQL Server, expand Databases in the left-hand pane to view the individual databases created for each tenant. Note the main dsm database for the Primary Tenant, and the databases for each of the other tenants (dsm_1 and dsm_2). When Microsoft SQL Server is used, a separate database is added for each additional tenant that is created.
20 Click File > Exit to close Microsoft SQL Server Management Studio.

Exercise 4: Add Computers to a Tenant
In this exercise, a Deep Security Agent computer will be deactivated and deleted from Deep Security Manager on the Primary Tenant, then added back into one of the tenants.
1 Still on the SERVER-02 computer, log into the Deep Security Manager Web console on the Primary Tenant as the Master Administrator.
2 Click the Computers menu. Locate and right-click the SERVER-04 computer and click Actions > Deactivate. Once the computer displays as Unmanaged, right-click it again and select Delete. The SERVER-04 computer is no longer registered to the Primary Tenant and is removed from the Computers list.
3 Sign out of the Deep Security Manager Web console as the Master Administrator.
4 Sign back into the Deep Security Manager Web console as the administrator for the ABC_Co tenant.
5 Click the Computers menu and add the SERVER-04 computer using Add Computer. The Add Computer operation using the hostname automatically activates the Agent on the SERVER-04 computer.
6 Double-click the entry for SERVER-04. The Status for the computer is displayed as Managed (Online). Note that in the left-hand pane only the allowed Protection Modules are displayed.
7 Close the Details window and sign out of the Deep Security Manager Web console as the tenant.
Appendix B Lab: Configuring Agentless Protection
In this lab, participants will deploy the Deep Security Virtual Appliance in a new environment. Deep Security, VMware vCenter, VMware NSX Advanced and VMware ESXi are already deployed in this environment.
Estimated time to complete this lab: 40 minutes

Exercise 1: Verify the Import of the Deep Security Virtual Appliance Package into Deep Security Manager
The Deep Security Virtual Appliance has already been imported into Deep Security Manager. In this exercise, you will confirm that the appliance is available for deployment in a later exercise.
1 In the second email message you received from Trend Micro Product Cloud, click the link to open the Deep Security Virtual Appliance Lab.
2 The Product Cloud 2.0 Training page is displayed in the browser. Expand Training in the left-hand pane and click Labs.
3 Hover your mouse over the name of the Deep Security Virtual Appliance Lab class and click Enter Training under the Operations column.
4 Hover your mouse over the Windows 2012 R2 virtual machine and click Remote Control under the Operations column.
5 Log in with the following credentials:
• Username: Administrator
• Password: trendmicro
6 In Google Chrome, log into the Deep Security Manager Web console by clicking the bookmark in the browser or typing the following URL:
https://winsrv2012r2std.trend.local:4119
Log into the Deep Security Manager Web console with the following credentials:
• Username: MasterAdmin
• Password: trendmicro
7 Click Administration and, in the left-hand pane, expand Software > Local Software.
8 Verify that the appliance installation package is displayed in the Local Software list.
Exercise 2: Add VMware vCenter to the Computers List
To manage the security of the virtual machines hosted on the ESXi server with Deep Security, whether agentlessly, with an on-host Agent, or in combined mode, you must first add the vCenter to the Computers list in the Deep Security Manager Web console.
1 In the Deep Security Manager Web console, click the Computers menu and click Add > Add VMware vCenter.
2 In the Add VMware vCenter Wizard, provide the details of vCenter as follows and click Next:
• Server Address: 192.168.100.65
• Server Port: 443
• Name: Type a name and description of the datacenter (for display purposes only)
• User name: admin@vsphere.local
• Password: trendmicro
3 Accept the SSL certificate when prompted. (Outside the lab, compare the presented certificate with the one installed on vCenter before accepting it; the Manager trusts whatever you accept here.)
4 When prompted, click Configure NSX Manager to bind with vCenter and provide the details of NSX Manager as follows and click Next:
• Manager Address: 192.168.100.66
• Manager Port: 443
• Username: admin
• Password: trendmicro
5 Accept the SSL certificate when prompted.
Note: If a Previous deployment detected... message is displayed, click I have removed all Deep Security services... and click Next.
6 Review the details of the imported vCenter and click Finish.
7 The Add VMware vCenter Wizard displays a success message when vCenter has been imported. Click to enable the option to automatically create two Event-Based Tasks: one to activate virtual machines when protection is added and another to deactivate virtual machines when protection is removed. Click Close.
8 In the Computers list, expand vCenter. The ESXi clusters and virtual machines are displayed in the Computers list.
9 Click Administration > Event-Based Tasks. Note the two tasks that were created by the Add VMware vCenter wizard.

Exercise 3: Install the Guest Introspection Service on VMware ESXi
To protect virtual machines with the Deep Security Virtual Appliance using file-based protection such as Anti-Malware, you must install the Guest Introspection service on your ESXi servers.
1 Still on the Windows 2012 R2 virtual machine, access the vSphere Web Client by clicking the bookmark on the browser toolbar in the Chrome browser, or by typing the following URL in Chrome:
https://192.168.100.65
2 Select the option to log into the vSphere Web Client (Flash) version of the client with the following credentials:
• Username: admin@vsphere.local
• Password: trendmicro
You will need to click Allow Flash when prompted to access the Web Console in the browser.
3 Click Home > Networking & Security.
4 In the left-hand frame, click Installation and Upgrades and click the Service Deployments tab.
5 Click the green plus icon (+).
6 The Deploy Network & Security Services window is displayed. Click Guest Introspection, and click Next.
7 Click the cluster that contains the ESXi servers and virtual machines that you want to protect, in this case EMEA, and click Next.
8 Select the network attributes as follows and click Next:
• Datastore: datastore_1
• Network: DPortGroup
• IP assignment: Click Change. Click Use IP Pool and click the pool named Appliance Pool. Click Next.
9 Review the settings and click Finish.
10 vSphere will take a few minutes to install the Guest Introspection service.
11 When done, Installation Status displays as Succeeded and Service Status displays as Up. To update the status, you may need to click Refresh on the title bar of the vSphere Web Client.
Note: Do not proceed with the exercise until the statuses are correctly displayed. It may take a few minutes to complete the needed operations.

Exercise 4: Install the Trend Micro Deep Security Service on VMware ESXi
Deploying the Trend Micro Deep Security service enables the Deep Security Virtual Appliance on the ESXi server.
1 Still on the Service Deployments tab, click the green plus icon (+) once again.
2 The Deploy Network & Security Services window is displayed. Click the Trend Micro Deep Security service, and click Next.
3 Click the cluster that contains the ESXi servers and virtual machines that you want to protect, in this case EMEA, and click Next.
4 Select the network attributes as follows and click Next:
• Datastore: datastore_1
• Network: DPortGroup
• IP assignment: Click Change. Click Use IP Pool and click the pool named Appliance Pool. Click OK, then Next.
5 Review the settings and click Finish.
6 vSphere will take a few minutes to install the Deep Security service.
7 When it is finished, Installation Status displays as Succeeded and Service Status displays as Up. To update the status, you may need to click Refresh on the title bar of the vSphere Web Client.
Note: Do not proceed with the exercise until the statuses are correctly displayed. It may take a few minutes to complete the needed operations.
The Guest Introspection and Deep Security services are now deployed.
Exercise 5: Create an NSX Security Group
A Security Group assigns policy settings to the virtual machines. In this exercise, an NSX Security Group will be created.
1 Still in the vSphere Web Client, go to Home > Networking & Security > Service Composer.
2 Click the Security Groups tab.
3 Click New Security Group.
4 Assign the details for the security group as follows and click Next:
• Name: Protected by Deep Security
• Description: Type a description for the Security Group
5 If you wish to restrict membership in this group based on certain filtering criteria, enter those dynamic membership criteria here. Click Next to skip this step.
6 There are many ways to include or exclude objects in an NSX Security Group, but for this example we will simply include the virtual machines that we want to protect. In the Select objects to include window, click Virtual Machine from the Object Type menu, and move the client virtual machines to protect to the Selected Objects column. Click Finish to create the new Security Group.
7 Return to the Security Groups tab to see the newly listed Security Group.

Exercise 6: Create an NSX Security Policy
An NSX Security Policy with Deep Security enabled as both an Endpoint Service and as a Network Introspection service must be created.
• If you are using only the Anti-Malware or Integrity Monitoring modules, you will only need to enable the Guest Introspection service.
• If you are using only the Web Reputation, Firewall, or Intrusion Prevention protection modules, you will only need to enable the Network Introspection services.
1 Still in the Service Composer, click the Security Policies tab.
2 Click Create Security Policy.
3 Assign the details for the Security Policy as follows and click Next:
• Name: Protected by Deep Security Policy
• Description: Type a description for the Security Policy
4 In the Add Guest Introspection Service window, click the green plus sign (+) to add a Guest Introspection Service. Provide the following details for the service:
• Name: Guest Introspection
• Action: Apply
• Service Name: Trend Micro Deep Security
• Service Profile: If you are using event-based tasks to handle the creation and protection of VMs, select Default (EBT). If you have synchronized your Deep Security policies with NSX Service Profiles, select the Service Profile that matches the Deep Security policy that you want to apply. In this case, use Default (EBT).
• State: Enabled
• Enforce: Yes
Click OK, then click Next.
5 Do not make any changes in the Firewall Rules window and click Next.
6 In the Network Introspection Services window you will add two Network Introspection Services to the NSX Security Policy: a first one for outbound traffic, and a second one for inbound traffic. Click the green plus sign to create a new service. Create the first, outbound service with the following details:
• Name: Outbound
• Description: Type a description for the service
• Action: Redirect to service
• Service Name: Trend Micro Deep Security
• Profile: Select the same NSX Service Profile as you did in step 4.
• Source: Policy's Security Groups
• Destination: Any
• Service: Any
• State: Enabled
• Log: Do not log
7 For the second, inbound service, click the green plus sign again to create another new service. Provide the following details:
  • Name: Inbound
  • Description: Type a description for the service
  • Action: Redirect to service
  • Service Name: Trend Micro Deep Security
  • Profile: Select the same NSX Service Profile as you did in step 3.
  • Source: Any
  • Destination: Policy's Security Groups
  • Service: Any
  • State: Enabled
  • Log: Do not log
  Click OK.

8 Both Network Introspection Services are displayed. Click Finish to complete.

9 After a few moments, the policy is listed as published.

Exercise 7: Apply the NSX Security Policy to the NSX Security Group

In this exercise, you will apply the Security Policy to the Security Group containing the virtual machines to protect.

1 Still on the Security Policies tab, with the new Security Policy selected, click Apply Security Policy.

2 In the Apply Policy to Security Groups window, select the Security Group that contains the VMs you want to protect, in this case Protected by Deep Security, and click OK.

3 The NSX Security Policy is now applied to the virtual machines in the NSX Security Group.

4 Click Protected by Deep Security Policy to view the policy summary. When virtual machines are moved into the Security Group, they receive the NSX Security Group tag, and the Deep Security Manager automatically activates them and assigns the Security Policy to them.
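The Security Policy assembled in Exercise 6 is easy to get subtly wrong: one Network Introspection direction left out, Enforce left at No, or the three services pointing at different Service Profiles. The following is an added Python example, not part of the Trend Micro courseware or of the NSX and Deep Security products, that models the policy with the field values from the exercise and reports which gaps would leave a chosen protection module without coverage; the class and function names are the example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set
GI_MODULES = {"Anti-Malware", "Integrity Monitoring"}                # need Guest Introspection
NI_MODULES = {"Web Reputation", "Firewall", "Intrusion Prevention"}  # need Network Introspection
PSG = "Policy's Security Groups"                                     # NSX source/destination value

@dataclass
class GuestIntrospection:
    profile: str                 # NSX Service Profile, e.g. "Default (EBT)"
    state: str = "Enabled"
    enforce: bool = True         # "Enforce: Yes" in the lab
@dataclass
class NetworkIntrospection:
    name: str
    profile: str
    source: str
    destination: str
    action: str = "Redirect to service"
    state: str = "Enabled"
@dataclass
class SecurityPolicy:
    guest: Optional[GuestIntrospection] = None
    network: List[NetworkIntrospection] = field(default_factory=list)

def check_policy(policy: SecurityPolicy, modules: Set[str]) -> List[str]:
    """Return findings for the Deep Security modules in use; an empty list means the policy covers them."""
    findings = []
    gi = policy.guest
    if modules & GI_MODULES:
        if gi is None or gi.state != "Enabled":
            findings.append("Guest Introspection service missing or disabled")
        elif not gi.enforce:
            findings.append("Guest Introspection is not enforced")
    if modules & NI_MODULES:
        active = [n for n in policy.network if n.state == "Enabled" and n.action == "Redirect to service"]
        if not any(n.source == PSG and n.destination == "Any" for n in active):
            findings.append("no outbound Network Introspection redirect")
        if not any(n.source == "Any" and n.destination == PSG for n in active):
            findings.append("no inbound Network Introspection redirect")
    # All services must reference the same NSX Service Profile, or they map to different Deep Security policies.
    profiles = {n.profile for n in policy.network} | ({gi.profile} if gi else set())
    if len(profiles) > 1:
        findings.append("Service Profile differs between services: " + ", ".join(sorted(profiles)))
    return findings

# Constructed samples: the policy as built in Exercise 6, and the same policy with the inbound service forgotten.
LAB_POLICY = SecurityPolicy(guest=GuestIntrospection(profile="Default (EBT)"),
    network=[NetworkIntrospection("Outbound", "Default (EBT)", PSG, "Any"),
             NetworkIntrospection("Inbound", "Default (EBT)", "Any", PSG)])
OUTBOUND_ONLY = SecurityPolicy(guest=LAB_POLICY.guest, network=LAB_POLICY.network[:1])
```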
Exercise 8: Apply Deep Security Protection to the Virtual Machines

The Deep Security Virtual Appliance is now configured, and the virtual machines on the ESXi server will activate and be ready for Deep Security protection.

1 Log into the Deep Security Manager Web console as MasterAdmin.

2 Note that the Deep Security Virtual Appliance is listed as Managed (Online). The virtual machines on the ESXi server activate automatically based on the event-based task and are listed as Managed (Online) within 5 minutes.

3 Double-click the dsva.trend.local computer to view its details. Note that this machine is listed as an Appliance and displays the protected guest virtual machines on the ESXi server. The details of the appliance virtual machine are also displayed. Click Close when done.

4 Double-click the win2012r2en computer to view its details. Note that this computer is listed as Managed (Online), but does not yet have a Deep Security Policy applied to it. The policy can be assigned through these details. The ESXi server hosting this virtual machine is also shown, as well as the appliance providing the protection. Close the Details window when done.
