
Trend Micro™
Deep Security 8 SP1

Student Lab Textbook for


Single-Machine High-Performance
Environment
Deep Security 8.0 Lab Exercises – v1.9

Lab Environment Datasheet for Workstations with 16GB RAM

Domain name is emea-training.tm and the Domain Controller is VM-AD-SQL-01.
Log on to all Windows machines using administrator\trendmicro.
Log on to ESXi servers using root\trendmicro.

VMs are configured with static IP addresses as below. All VMs share the same subnet mask, default gateway and DNS settings:

Subnet Mask      255.255.255.0
Default Gateway  172.20.1.2
DNS1             172.20.1.10
DNS2             172.20.1.2

Role                    Name            IP Address    RAM     Runs in
Domain Controller       VM-AD-SQL-01    172.20.1.10   2GB     -
Deep Security Manager   VM-DSM-01       172.20.1.20   2GB     -
vCenter Server          VM-VCENTER-01   172.20.1.30   4GB     -
ESX Server 1            VM-ESX-01       172.20.1.40   3GB     -
ESX Server 2            VM-ESX-02       172.20.1.50   3GB     -
Target Server           VM-TARGET-01    172.20.1.60   1GB     VM-ESX-02
vShield Manager         VM-VSM-01       172.20.1.70   1GB     VM-ESX-01
DSVA                    VM-DSVA-01      172.20.1.80   512MB   VM-ESX-02


Contents

1.1 > Install Deep Security Manager
1.2 > Deploy 2 Deep Security Agents and 1 Relay
1.3 > Configure Updates through Deep Security Relay
1.4 > Assigning Security Profiles and running a Recommendation Scan
1.5 > Firewall Rules
1.6 > DPI Web Application Protection (SQL Injection & XSS)
1.7 > Integrity Monitoring & Log Inspection
1.8 > Testing Agentful Anti-Malware
1.9 > Deployment and configuration of vShield Manager
1.10 > Add vCenter to DSM
1.11 > Import Filter Driver and Virtual Appliance to DSM
1.12 > Preparing the VM-ESX-02
1.13 > Deploying Deep Security Virtual Appliance
1.14 > Testing the Agentless Anti-Malware functionality
1.15 > Testing the Web Reputation protection
1.16 > Advanced DPI protection
1.17 > Syslog Integration
1.18 > Testing the DS Agent Self-Protection
1.19 > Case Study


1.1 > Install Deep Security Manager


Aim: In this workshop you will install a DSM. The Domain Controller has SQL Express
2005 installed which will be used for your DSM setup. The Domain Controller is also your
DNS server.

Activity 1 : Install the Manager on VM-DSM-01

1. Power on the virtual machine called VM-AD-SQL-01.
2. Power on the virtual machine called VM-DSM-01.
3. Log on using “administrator/trendmicro” as the credentials.
4. Refer to your Workshop Datasheet for the host names, IP addresses and credentials used below. Once you have verified that your environment matches the datasheet, continue with the rest of the workshops.
5. Before starting the DSM installation, make sure that a database named DSM already exists on the SQL Server instance on VM-AD-SQL-01. If not, create it using the default settings.

Database credentials are as follows:


• Username : sa
• Password : trendmicro

If you are not familiar with SQL Server Management Studio just ask the Trainer for
support. You should see the databases as below:


6. In the “C:\Workshops_Folder” folder you will find the Deep Security Manager installation program. Install the Manager:

o Use the default installation directory.

o Use the SQL Server database:
• Hostname : VM-AD-SQL-01
• Database name : dsm
• Username : sa
• Password : trendmicro

(The shared sa account is acceptable for this lab only; a production Manager should use a dedicated SQL login with rights limited to its own database.)

7. Enter the license when prompted (the Trainer will provide it).
8. Keep the default settings for Address and Ports.
9. Type in the password you want to use for the MasterAdmin account, which you can rename to simply Admin, and clear the “Enforce Strong Passwords” checkbox so that you can use an easy-to-remember lab password such as “trendmicro”. Do this in the lab only; leave the option enabled on a production Manager.


10. To save time, clear the “Automatic Update..” and “Automatic Check for new..” checkboxes. We will update the solution later on.

Activity 2: Activate Demo Mode and get familiar with viewing Events.

Aim: Demo Mode populates the DSM database with a number of fictitious Computer and Event entries.
1. Open the DSM Web Console from the VM-DSM-01 machine itself.
2. Go to System Information.
3. Click the Demo Mode button; it should take 5 to 10 minutes to complete. After Demo Mode is complete you can familiarize yourself with viewing the events of an individual host.
4. Choose a host in the Computers list and right-click on it.
5. Note that the Computer Details interface has been opened.
6. Events can be accessed by expanding the appropriate feature (Firewall, Deep Packet Inspection, Anti-Malware etc.) in Deep Security Manager and selecting the Events item.
7. Experiment by changing options such as:
• Period – the time period of log entries displayed
• Computer – to select which computers or computer groups to view (not available when viewing events in Computer Details)
• Columns – can be used to sort entries, rearranged to suit preferences, even added and removed (click on the Add/Remove Columns button)
• Advanced Search – to apply search criteria to the events being viewed


Activity 3: A look at the Dashboard

The Dashboard is composed of information panels commonly called widgets. To add and remove widgets, perform the following:

1. Click Add/Remove Widget at the top-right of the DSM menu bar when viewing the Dashboard.
2. Select the desired widgets from the list and click OK.
3. Wait a few moments for the Dashboard to refresh.

Each DSM user can create and save multiple dashboard layouts as follows:

4. Click Configuration at the upper-right of the Dashboard frame.
5. Click Save Configuration.
6. Enter a name for the Dashboard layout. Access saved layouts by clicking Configuration.

Activity 4: Locating the certificate generator (Optional)

1. Go to the DSM main program folder.
2. Locate the DSM installation log. Typically this log can be found in the main folder:

\Deep Security Manager

3. Search for the keyword “SSLTask: Creating a new certificate”.
4. Identify the location of “genkey.bat”.
5. Look for the following values: CN= , OU= , O= , L= , S= , C=
These are the subject fields of the self-signed certificate the Manager generated for itself during installation.


1.2 > Deploy 2 Deep Security Agents and 1 Relay

Aim: The objective of this workshop is to deploy 2 Deep Security Agents and 1 Deep Security Relay in your environment. To do this you will use the following machines:

a. VM-DSM-01
b. VM-TARGET-01
c. VM-AD-SQL-01

Important: on VM-DSM-01 you must NOT activate the Anti-Malware functionality, because it can compromise the Metasploit framework, which will be needed later on.

1. On VM-DSM-01, open the Workshop_Folder folder, find the installation program for the Deep Security Agent and install it on the DS Manager machine:


2. On VM-DSM-01, install the DSA with Anti-Malware excluded:


3. When setup is complete you should see the following info in the system tray:

4. Open the machine VM-TARGET-01 and install the Deep Security Agent on that machine with Anti-Malware included. If you cannot find the Deep Security Agent setup, just copy it from another machine.


5. Open the machine VM-AD-SQL-01 and install the Deep Security Relay on that machine. The DSR installation includes the DSA as well. If you cannot find the Deep Security Relay setup, just copy it from another machine.

6. Install all the components, Anti-Malware included:


1.3 > Configure Updates through Deep Security Relay

Activity 1: Activating a DSR

1. Log into the Deep Security Manager Web Console. Go to the Computers section. Select the computer on which the Deep Security Relay is installed (or add it if not present).
2. Activate the machine and check the Deep Security Relay computer's status.
3. Initially it will show a Component Update in progress; this can take more or less time depending on how fast or busy the network is. Wait until it shows Managed (Online).
4. Now go back to the Deep Security Relay computer and double-click the Deep Security Notifier icon in the System Tray. The status should display Agent Running.


Activity 2: Creating a DSR Group

1. In the Deep Security Manager Web Console, go to System > System Settings >
Updates.

2. Click the View Relay Groups button.

3. In the Relay Groups window, click New and create a new relay group with a name of your choice. Select the newly activated DSR computer in the Members section and click OK.


4. The newly created DSR Group should show on the screen as below:

Activity 3: Update the DSR Group

1. Go to System > Updates. In the Relays section you should see the DSR computer as
the only member of the newly created DSR Group:


2. In the Security Updates section, the list of Components will all show “Not updated”
yet. Click Update Components Now:

3. In the Component Update Wizard click Finish.

4. Updating the Components on the Deep Security Relay may take a few minutes:


5. When the Component Update Wizard shows that the update has completed, click
Finish.
6. Return to System > Updates. In the Security Updates section, the list of Components
should all show 100% Updated.

7. On the DSR computer, open the Deep Security Notifier and you will see that the
Components list has been updated.


Activity 4: Configure Deep Security Agents for Update

1. On the Deep Security Manager console select a computer where a DSA is installed
with the status Managed (Online)
2. Right click and select Actions > Assign Relay Group:

3. Select the newly created Relay Group:


4. After clicking OK, the new settings are pushed to the DSA. You can now trigger an update by selecting Actions > Update Components; after a while the update process will start and you should see it in progress as below:

5. The update process should complete successfully after a while and the DSA status should again read Managed (Online).

Activity 5: Generate an update bundle (Optional)

1. Open a command prompt on a DSR computer and enter the following command:

dsa_control -b

2. Go to the DSR folder and copy the update bundle to another location on the DSR host.
3. Extract the contents of the update bundle and compare it with the contents of the following folder:

<DSR install path>\Trend Micro\Deep Security Relay\relay\iau


Activity 6: Set up a weekly task

1. Go to System > Tasks and then click New.
2. Create a scheduled task to download Components (i.e. security updates).
3. Set up the appropriate weekly schedule.
4. On the last screen, select Run Task on Finish, and then click Finish.


1.4 > Assigning Security Profiles and running a Recommendation Scan

Aim: Now that you have installed Deep Security Agents you are ready to provide agentful protection to your hosts. To do this you must activate the Agents and assign Security Profiles.

Activity 1: Detecting hosts and activating agents

1. In the previous lab you should have installed at least 3 DSAs on 3 different hosts. Now you are asked to import one of those hosts into the Computers list using the New Computer control.
2. Go to Computers > New Computer and follow the instructions in the wizard.

Activity 2: Discovering hosts on the network

1. Now you can add your 2nd host to your Computers list; this time you will use the Discovery functionality.
2. Go to the Computers tab and click Discovery. Instead of providing a wide IP address range, you are strongly recommended to restrict the range to the single IP address of one of the two remaining hosts where you installed a DSA in Lab 1.2 (scanning the whole subnet also works, but takes longer and generates needless network noise).


3. Wait for the Discovery Task to complete and check if a new Host has been added to your
Computer List

Activity 3: Importing hosts from Active Directory (Optional)

1. Now you can add your 3rd host to your Computers list; this time you will use the Add Directory feature.

2. On the DSM Console, click Computers. In the “New” menu select “Add Directory”. Enter the details required to connect to the AD. Be sure to specify the account as domain\username.


3. On the next screen you can accept defaults and click finish.

Activity 4: Activate DSAs

1. In the Deep Security Manager console, click Computers in the left-hand pane, then in the right-hand pane right-click the host you wish to activate and, among the available actions, select “Activate”.

2. Once activated with no errors, the machine status should change to “Managed (Online)”.

3. Right-click again and among the various options choose “Assign a Security Profile”; select the most appropriate Security Profile for that machine depending on the operating system or application running on it.

4. Note that the proper Security Profile for VM-DSM-01 is Deep Security Manager Security Profile; any different Security Profile could interfere with DSM <-> DSA communications.


Activity 5: Run a Recommendation Scan

1. Before running a Recommendation Scan, using your computer’s system clock, note
the time and then run a Recommendation Scan using the button below

2. Enter how long the Recommendation Scan took in the field below

Start time:

End time:


3. Select IPS/IDS from the tree and then change the view from Show All to Show Recommended for Assignment.

4. Now open any profile in the Security Profiles list, view the DPI rule list, and then change the view to show only the Recommended for Assignment rules.

5. Note the presence or absence of recommended rules depending on the operating system and applications running on the machine.


1.5 > Firewall Rules

Aim: In this workshop you will get familiar with the Firewall and how to implement firewall rules. You will then test and troubleshoot your new rules to understand the complexity of the DS firewall module.

Activity 1: Perform a port scan

1. Choose a machine without any Security Profile, or remove the profile from a machine. We recommend choosing VM-AD-SQL-01.
2. Deep Security Manager is equipped with a Port Scan tool, which is a useful aid when configuring an endpoint firewall: it shows which ports on the computer are actually reachable from the Manager, so you can compare the result before and after rules are applied.
Select a managed computer in the Computers list, then right-click and select Details, as shown below:


3. Select Firewall in the navigation pane, then click Scan For Open Ports in the main work area. A Scan For Open Ports task is started and, once the task is complete, the result is presented on the same screen.


Activity 2: Deny inbound Telnet

You will create a rule to deal with Telnet traffic. Note that “Telnet” here refers to the telnet client used as the test tool: the rule you create blocks every inbound TCP connection to port 80 (HTTP), whichever client opens it. Creating a rule that specifically denies this traffic gives information in the event entries created by traffic that triggers the rule.

1. From a command prompt on another machine, telnet to the computer chosen in Activity 1 on port 80 (telnet <IP address> 80). If the Windows telnet client is not installed, add it as a Windows feature or use any other TCP client. Do you get a reply?
________________________________________________________________
________________________________________________________________
________________________________________________________________
________________________________________________________________

2. Make a new Firewall Rule (either on the computer itself or in its Security Profile; explain your choice).
3. Enter the following information into the Firewall Rule configuration dialogue:
a. Name: Deny Inbound Telnet Port 80
b. Action: Deny
c. Priority: 3 – High
d. Direction – Incoming
e. Frame Type: IP
f. Protocol: TCP
g. Packet Source (IP and MAC): Any
h. Port: Any
i. Packet Destination (IP and MAC): Any
j. Port: 80
k. Any Flags: checked

4. Click on OK to save the Firewall Rule


5. Click Save at the lower-right of the frame and attempt to telnet again
6. Check the Firewall Events; has the entry changed?
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________


Activity 3: Force-allow inbound telnet from a single computer

The Firewall Rule created in the last task stops all inbound telnet traffic to port 80. The rule created in the following task allows inbound telnet traffic from a single source, defined by IP address. Because both rules have the same priority (3 - High), the Force Allow rule takes precedence over the Deny rule for the packets it matches.

1. Go to the Firewall Rules tab of the Computer Details.
2. Click New.
3. Enter the following configuration:
a. Name: Force Allow Telnet from a Single Computer
b. Action: Force Allow
c. Priority: 3-High
d. Direction – Incoming
e. Frame Type: IP
f. Protocol: TCP
g. Packet Source:
i. IP: <the IP address of the machine you run the telnet client from>
ii. MAC: Any
iii. Port: Any
h. Packet Destination (IP and MAC): Any
i. Port: 80
j. Any Flags: checked

4. Click OK to save the new Firewall Rule

5. Attempt to telnet to the virtual machine, what happens?


__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
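To see why the two rules interact as described above, and what happens to traffic that neither rule matches, here is an added Python model of the rule evaluation. It is this editor's example, not Deep Security code: the precedence it encodes (higher priority wins; at equal priority Force Allow beats Deny beats Allow; a packet matching no rule passes unless an Allow rule exists for that direction, in which case it is implicitly denied) is an assumption about the product behaviour the lab relies on, and 172.20.1.20 stands in for the machine you run telnet from.

```python
"""Added example: a simplified model of how Deep Security firewall rules are
evaluated (this editor's reading of the behaviour the lab relies on, not
product code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed precedence at equal priority: Force Allow beats Deny beats Allow.
ACTION_RANK = {"force_allow": 0, "deny": 1, "allow": 2}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "force_allow", "deny" or "allow"
    priority: int                   # 0 (lowest) .. 4 (highest)
    direction: str                  # "incoming" or "outgoing"
    protocol: str = "tcp"
    src: str = "any"                # IP address or CIDR; "any" matches everything
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, direction, protocol, src_ip, dst_port):
        if (direction, protocol) != (self.direction, self.protocol):
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src, strict=False):
            return False
        return True


def decide(rules, direction, protocol, src_ip, dst_port):
    """Return (verdict, reason). The highest-priority matching rule wins; at
    equal priority ACTION_RANK decides. A packet matching no rule is allowed,
    unless an Allow rule exists for that direction, in which case everything
    not explicitly allowed is implicitly denied (assumption)."""
    hits = [r for r in rules if r.matches(direction, protocol, src_ip, dst_port)]
    if hits:
        winner = min(hits, key=lambda r: (-r.priority, ACTION_RANK[r.action]))
        verdict = "deny" if winner.action == "deny" else "allow"
        return verdict, winner.name
    if any(r.action == "allow" and r.direction == direction for r in rules):
        return "deny", "implicit deny (Allow rules present)"
    return "allow", "no matching rule"


# The two rules from Activities 2 and 3; 172.20.1.20 stands in for the
# machine you run telnet from (assumption).
LAB_RULES = [
    Rule("Deny Inbound Telnet Port 80", "deny", 3, "incoming", dst_port=80),
    Rule("Force Allow Telnet from a Single Computer", "force_allow", 3, "incoming",
         src="172.20.1.20", dst_port=80),
]

if __name__ == "__main__":
    for src_ip, port in (("172.20.1.20", 80), ("172.20.1.60", 80), ("172.20.1.60", 443)):
        print(f"{src_ip} -> tcp/{port}: {decide(LAB_RULES, 'incoming', 'tcp', src_ip, port)}")
```

Priorities change the outcome: if the Deny rule were raised to 4 - Highest it would win regardless of the Force Allow, which is the first thing to check when a rule "does not work". Adding any plain Allow rule also flips the default for unmatched traffic from pass to drop, so a single Allow rule can silently cut off ports that were reachable before.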


1.6 > DPI Web Application Protection (SQL Injection & XSS)

Aim: This workshop will show two different kinds of commonly used Web attacks and how to protect against them.

Activity 1: The SQL Injection

1. Open a Web browser on any machine other than the target machine itself, and go to the target Website using the address http://172.20.1.60/
2. To make sure that user authentication is working, log in using jdoe and password (or create another userid and password of your choice).
3. Once logged in you will see that you have access to the “services” tab. Then you can sign out.
4. Try again with the same user and incorrect passwords to show that the authentication process is working.
5. Now try the SQL Injection attack.
6. Try to log in as jdoe with an incorrect password, but append the string “ ' or 1=1; -- ” after it (double quotes not included, but including the spaces and the single quote). The single quote closes the password literal, “or 1=1” makes the WHERE clause true for every row, and “--” comments out the rest of the query. What happens?
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________


Activity 2: Cross Site Scripting Attack

1. Now log in, pasting the script below as your username; type some random letters into the password field and press Enter:
<script type="text/javascript">alert("XSS Executed: " + document.cookie)</script>
2. This should pop up an alert box with the text “XSS Executed” followed by the page's cookies (empty if the application flags its cookies HttpOnly). This is a very simple example, but the same injection point could run far more harmful script in the victim's browser, for example sending document.cookie to an attacker-controlled server to hijack the session. Click OK to close the window.
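Both attacks succeed because of how the target's login page is written. The following added Python example is constructed here and is not the lab application's code: it reproduces both flaws against an in-memory SQLite table holding the lab's jdoe/password account, and shows the fixes a developer would apply (a parameterised query and HTML-escaping of reflected input). The DPI rules assigned in Activity 3 are the network-layer equivalent, useful while the code itself is not yet fixed.

```python
"""Added example: the login flaws behind Activities 1 and 2, and their fixes.
Constructed against an in-memory SQLite table; not the lab application's code."""
import html
import re
import sqlite3


def make_db():
    """Constructed users table with the lab's jdoe/password account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("jdoe", "password"), ("admin", "S3cret!")])
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, so input becomes SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Parameterised query: the driver binds input as data, never as SQL."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


# The lab's payload appended to a wrong password. The quote closes the password
# literal, "or 1=1" is true for every row and "--" comments out the trailing quote.
SQLI_PASSWORD = "wrong ' or 1=1; -- "

# The lab's XSS username.
XSS_USERNAME = ('<script type="text/javascript">'
                'alert("XSS Executed: " + document.cookie)</script>')


def greeting_vulnerable(username):
    """Reflects the username into HTML unescaped, so a <script> tag runs."""
    return "<p>Welcome, %s</p>" % username


def greeting_fixed(username):
    """Escapes <, >, &, quotes; the browser renders the payload as text."""
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)


# A crude pattern of the kind a generic SQL-injection signature looks for
# (illustrative only: a real DPI rule is far more thorough, and signature
# matching is a stop-gap, not a substitute for parameterised queries).
_SQLI_HINT = re.compile(r"'\s*or\s+\d+\s*=\s*\d+|--", re.IGNORECASE)


def looks_like_sqli(value):
    return bool(_SQLI_HINT.search(value))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, "jdoe", SQLI_PASSWORD))
    print("fixed login with payload:     ", login_fixed(db, "jdoe", SQLI_PASSWORD))
    print(greeting_vulnerable(XSS_USERNAME))
    print(greeting_fixed(XSS_USERNAME))
```

Run it and the vulnerable login returns a user for the injected password while the fixed one returns None; the escaped greeting contains `&lt;script` where the vulnerable one contains a live tag. Note that the lab's DPI rule sees only the HTTP request, so it can block the common pattern, but an application fix is what removes the bug.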

Activity 3: Protecting your Web application with proper DPI rules

1. The target machine is protected by a DSA. Protect the application by deploying the following DPI rules, designed to intercept and block SQL Injection and XSS attacks. Because the rules inspect the HTTP request on the wire, they work without changing the application's code.


2. As soon as the rules are successfully deployed the Target machine should be protected,
and when you attempt the same attack you should receive a screen as below:


Activity 4: Viewing Events

1. In the DSM, click Computers in the left-hand panel, then right-click the target host and select Get Events Now. This retrieves the events immediately instead of waiting for the scheduled heartbeat.
2. Click DPI Events; you should see the event generated by the attacks (Generic SQL Injection Prevention).


1.7 > Integrity Monitoring & Log Inspection

Activity 1: Create a custom IM rule

Creating a custom Integrity Monitoring rule is a straightforward procedure, but remember that this can be done at the Computer level or at the Security Profile level, which is normally recommended. The following steps lead you to create a simple custom Integrity Rule at the Computer level.

1. Choose a managed computer (where a DSA is running) and open the Computer Details screen.
2. Access Integrity Monitoring Rules in the Integrity Monitoring section.
3. Click the New button and enter the following in the General tab:
a. Name: Monitor a Custom file
4. Enter the following in the Content tab:
a. Template: File
b. Base Directory: <the directory of the custom file to monitor>
c. File Names: <name of file>
5. In the Options tab check “Allow Real Time Monitoring” and click OK to save the new rule.
6. Once saved, if you want to open your custom rule again, change the filter to Show Assigned rules; otherwise you have to search for it among hundreds of predefined rules.
7. Click Save in the Computer Details dialogue to apply the new rule.
8. Double-click the main Integrity Monitoring section and select “Real Time” (deselect “Inherit”).
9. A baseline is automatically created as soon as your rule is deployed to the DSA. This can also be done on the same screen simply by clicking the “Scan For Integrity Changes” button.
10. Now go to the protected machine and modify the monitored file.


11. Get The Events from the Computer -> Actions -> Get Events Now
12. Go to the Integrity Monitoring Events and see if any events have been
reported.
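What the baseline of step 9 and the scan of step 12 do underneath is a snapshot-and-compare. The following is an added Python illustration of that mechanism (this editor's example, not the DSA's implementation): it records size, mtime and SHA-256 for the monitored files, then reports created, deleted and modified files after the change of step 10 is simulated in a temporary directory with a constructed set of file names.

```python
"""Added example: file-integrity baseline and change detection (not DSA code)."""
import hashlib
import os
import tempfile


def file_record(path):
    """Attributes a file rule typically tracks: size, mtime and a content hash."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def baseline(base_dir, names):
    """Snapshot of the named files; files that do not exist are simply absent."""
    records = {}
    for name in names:
        path = os.path.join(base_dir, name)
        if os.path.isfile(path):
            records[name] = file_record(path)
    return records


def scan_for_changes(base_dir, names, base):
    """Compare a fresh snapshot with the baseline and return IM-style events
    as (file name, change type, changed attributes)."""
    current = baseline(base_dir, names)
    events = []
    for name in names:
        before, after = base.get(name), current.get(name)
        if before is None and after is not None:
            events.append((name, "created", {}))
        elif before is not None and after is None:
            events.append((name, "deleted", {}))
        elif before is not None and before != after:
            changed = {k: (before[k], after[k]) for k in before if before[k] != after[k]}
            events.append((name, "modified", changed))
    return events


def demo():
    """Simulate the lab: take a baseline, change files, scan for changes."""
    with tempfile.TemporaryDirectory() as d:
        names = ["hosts", "web.config", "new.txt"]          # constructed file set
        for name in names[:2]:
            with open(os.path.join(d, name), "w") as f:
                f.write("original contents\n")
        base = baseline(d, names)                           # "Scan For Integrity Changes"
        with open(os.path.join(d, "hosts"), "a") as f:      # step 10: modify the file
            f.write("172.20.1.99 updates.example\n")
        open(os.path.join(d, "new.txt"), "w").close()       # a covered file appears
        os.remove(os.path.join(d, "web.config"))            # and one disappears
        return scan_for_changes(d, names, base)


if __name__ == "__main__":
    for name, kind, changed in demo():
        print(f"{kind:9}{name} {changed}")
```

The content hash is what makes the comparison trustworthy: an attacker who edits a file and restores its size and mtime still changes the SHA-256. Real-time monitoring, as enabled in step 5, replaces the periodic re-scan with file-system notifications but produces the same kind of event.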
Activity 2: Detecting changes to Service status and event tagging

1. Apply the following rules to one of your DSA hosts:

Module                 Rule ID   Rule name
Log Inspection         1002795   Microsoft Windows Events
Integrity Monitoring   1002781   Microsoft Windows - Attributes of a service modified

2. Access the rule properties by selecting the menu shown below. This creates a DSA-specific override.

3. Modify the Log Inspection rule as shown below.

4. Save the rule and ensure the DSA receives the necessary updates.
5. Open the Windows Services console, select a Windows service of your choice and change its Startup type.


6. Stop the Service


7. Locate the service related event in Windows Event Viewer. Click Start >
All Programs > Administrative Tools > Event Viewer, and check if the
log entry corresponding to service that you stopped is present
8. Trigger an Integrity Monitoring scan on the DSA
9. Locate the corresponding Log Inspection and Integrity Monitoring
events on the DSM console and compare with the Event Viewer log
10. Create an event tag for the above events, and name it “LI-IM test”
11. Filter events based on the “LI-IM test” tag, and observe results

Activity 3: Web Access Events Rule (advanced)

1. As a prerequisite for this lab, you must be able to generate errors of type 404 in IIS on a machine where a DSA is running (requesting non-existent URLs from a browser is enough).
2. Open the Log Inspection rule Web Server – Web Access Events.
3. Go to the Configuration tab and specify the Web Server log to monitor as follows:
a. Log Files to monitor (click Add after entering the value):
C:\Windows\system32\LogFiles\W3SVC1\ex%y%m%d.log
b. Type of Log File(s): IIS
Note that IIS writes its log timestamps in UTC by default, so the times in the log and in the DSM events will not match your local clock.
4. In order to get the rule triggered by your test activity, you have to change some properties as needed (the number of 404 errors the rule counts and the time window it counts them in); in case of doubt just ask the Trainer.
5. Save the rule, apply the rule and ensure the DSA receives the corresponding updates.
6. To trigger the Log Inspection rule you must generate the proper number of 404 errors in the proper period of time.
7. Check the Log Inspection events.
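The Web Access Events rule is a frequency rule over the IIS log: a count of matching entries inside a time window. As an added example (this editor's code, not Trend Micro's rule logic), the following Python parses a constructed IIS W3C log in the ex%y%m%d.log format and raises an alert when one client IP reaches a threshold of 404 responses inside a window. The threshold (5) and window (60 seconds) are assumptions standing in for the properties you tune in step 4.

```python
"""Added example: a 404-burst detector over an IIS W3C extended log
(illustrates the Web Access Events rule; not Trend Micro's rule logic)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the ex%y%m%d.log format; not real traffic. IIS writes
# these timestamps in UTC by default and replaces spaces inside fields with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-03-05 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-03-05 10:00:01 172.20.1.60 GET /index.html - 80 - 172.20.1.20 Mozilla/4.0 200 0 0
2012-03-05 10:00:05 172.20.1.60 GET /admin.php - 80 - 172.20.1.99 Mozilla/4.0 404 0 2
2012-03-05 10:00:06 172.20.1.60 GET /phpmyadmin/ - 80 - 172.20.1.99 Mozilla/4.0 404 0 2
2012-03-05 10:00:07 172.20.1.60 GET /backup.zip - 80 - 172.20.1.99 Mozilla/4.0 404 0 2
2012-03-05 10:00:08 172.20.1.60 GET /.git/config - 80 - 172.20.1.99 Mozilla/4.0 404 0 2
2012-03-05 10:00:09 172.20.1.60 GET /wp-login.php - 80 - 172.20.1.99 Mozilla/4.0 404 0 2
2012-03-05 10:00:30 172.20.1.60 GET /services - 80 jdoe 172.20.1.20 Mozilla/4.0 200 0 0
2012-03-05 10:05:00 172.20.1.60 GET /missing.gif - 80 - 172.20.1.20 Mozilla/4.0 404 0 2
"""


def parse_w3c(text):
    """Yield one dict per log entry; the #Fields directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the header can change mid-file after an IIS restart
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                    # truncated or malformed line: skip, don't crash
        yield dict(zip(fields, values))


def detect_404_bursts(text, threshold=5, window_seconds=60):
    """Return [(client_ip, time)] for each burst in which one client reaches
    `threshold` 404 responses within `window_seconds` (assumed values)."""
    recent = defaultdict(deque)         # client ip -> timestamps of recent 404s
    alerts = []
    for entry in parse_w3c(text):
        if entry.get("sc-status") != "404":
            continue
        ts = datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        window = recent[entry["c-ip"]]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()            # drop 404s older than the window
        if len(window) >= threshold:
            alerts.append((entry["c-ip"], ts))
            window.clear()              # one alert per burst, then count afresh
    return alerts


if __name__ == "__main__":
    for ip, when in detect_404_bursts(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S} burst of 404s from {ip}")
```

The scanner at 172.20.1.99 trips the rule; the single stray 404 from 172.20.1.20 five minutes later does not, which is the point of counting per client inside a window rather than alerting on every 404. The log is UTC, so when correlating with the DSM event time, convert accordingly.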


Activity 4: Log Inspection recommendations

1. In the Computer Details go to the Log Inspection section


2. Go to Log Inspection Rules
3. Select Show Recommended for Assignment from the drop-down list
at the top of the list of rules
4. Right-click and select all.
5. Assign the rules
6. After a few moments get any new events. What do you see?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

7. Reboot the DS Agent machine and then get the new Log Inspection events. What do you see?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________


1.8 > Testing Agentful Anti-Malware

In this lab you will familiarize yourself with the Anti-Malware protection. We call it “agentful” because you will use a machine of your choice where you have already installed a DS Agent (DSA).

Activity 1: Creating a new Anti-Malware configuration and set action to Quarantine

1. On the DSM Web console go to Anti-Malware item and create a new Anti-
Malware configuration:

2. Rename it at your choice:


3. Click the Actions tab and then select the following actions:

4. Then click OK. Now you are ready to assign the newly created Anti-Malware
configuration. In order to do this, right click on a protected VM from the Computers list
where you previously installed the DS Agent, and then select Details:

5. At the details screen select Anti-Malware Configuration and change Manual Scan Settings
to use the configuration you created.

6. Click Save.


Activity 2: Download a test Malware and see how quarantine works

1. To allow the EICAR test file to be downloaded, you first have to disable Anti-Malware protection for the selected machine: switch DSA Anti-Malware to off.

2. Download the anti-malware test file from eicar.org. It is a harmless, industry-standard test string that every scanner detects; no real malware is involved.

3. Re-enable Anti-Malware protection on the machine.

4. Scan the DSA machine using the configuration created earlier.

5. In the DSM console, click Quarantine files.


6. Go to the . . . \Trend Micro\AMSP\quarantine folder.

7. List the contents of the quarantine directory and compare the number of files with the quarantined files shown in the DSM console.

Activity 3: (OPTIONAL) Change action to Clean and repeat Activity 2

1. From the DSM console, delete all contents of the quarantine folder.
2. Change the scan action of the Anti-Malware configuration to “Clean”.
3. Repeat steps 1 to 4 of Activity 2.


1.9 > Deployment and configuration of vShield Manager

Aim: In this workshop you will deploy the vShield Manager on VM-ESX-01.

Activity 1 : Deploy VMware vShield Manager

1. You can proceed with the installation of the vShield Manager virtual machine. This machine will be deployed on VM-ESX-01 from a standard .ova file. In vSphere Client (connected to the vCenter Server) click File and then “Deploy OVF Template...”

2. The vShield Manager template (.ova) file is available on the VM-DSM-01 and VM-VCENTER-01 machines. If you cannot find it, just ask the Trainer.


3. Click Next. Then accept the default settings, accept the License Agreements, and click Next again.
4. On the next screen give your vShield Manager virtual machine a name and make sure you are installing it on VM-ESX-01.

5. Click Next, then select the server where you will install the virtual machine (there is only one option), and click Next.
6. Then choose “Thin Provisioned format”. Click Next and then Finish.
7. Once the virtual machine has deployed, and before powering it on, reduce the VM-VSM-01 memory in the virtual machine settings from the default 3GB to only 1GB.
8. Power on VM-VSM-01 and log on interactively from the machine console, using admin/default as the username and password. These are the appliance's factory defaults; change them if the appliance is kept beyond the lab.


9. Once you have logged on, type enable in the console to enable privileged mode
with default as the password.

10. Then type setup and follow the steps to complete the vShield Manager network
configuration, use settings in the lab datasheet.

11. Now open the VSM Web Console from any virtual machine where Internet Explorer is installed (we suggest VM-DSM-01) and log into the vShield Manager Web Console at https://<VSM-IP>


12. Our next step is to connect the vShield Manager to the vCenter Server in order to deploy the vShield Endpoint (EPSec) component to VM-ESX-02.

13. In the right-hand pane of the VSM console, enter your vCenter Server details according to your lab datasheet.

14. Select Host & Cluster; you will find it in the pull-down menu in the left-hand navigation pane.

15. Underneath the Datacenters section you should see your ESX instances. If you don't, log into the vSphere Client console and reboot the vShield machine.

16. Now you have to enter a license for vShield Endpoint using the vCenter console. The vShield Endpoint license can be found in C:\Workshop_Folder on the VM-VCENTER-01 machine. Go back to vSphere Client and click Home > Administration > Licensing and enter the new license.

17. Then click “Manage vSphere Licenses” and add the license provided by the Trainer.


18. The vShield Endpoint Security license is available as a text file in the
Workshop_Folder on VM-DSM-01.
19. Then click on Add License Keys.

20. Then click on Next until you reach the last screen, then click on the Finish button.


21. Before continuing, it is recommended to double check that the license has been
loaded correctly. To do this, change the view by clicking on “Asset”. If
vShield-Endpoint still appears as Unlicensed you have to fix it.

22. Double-click on vShield-Endpoint, make sure the radio button is selected and
click OK.


Activity 2 : Install VMware vShield Endpoint Security component on VM-ESX-02

1. Now go back to the vShield Manager Web Console and refresh the Summary page.
You must install the vShield Endpoint driver on VM-ESX-02.

2. Make sure to click the Install button in the upper right corner, as shown below:


3. After installation, make sure that the Endpoint installation shows a version
number.


Activity 3: Log on to the vShield Web Console again to check that the proper information
is still in place

1. Log in again to the VSM Web Console at https://<VSM-IP>

2. Select VM-ESX-02 and click on the Endpoints tab in the right-hand navigation
pane. All of the Health and Alarms indicators should be green.

3. In this small lab environment we must save resources by reducing the memory
allocated to virtual machines, so reduce the memory allocated to the vShield Manager
from the default 3GB to 1GB.

4. When powering off the VM-VSM-01 virtual machine, first shut down the vShield
Manager operating system from the command line console (log on and execute the
shutdown command), and only then power it off from VMware.


1.10 > Add vCenter to DSM


Aim : In this workshop you will connect DSM to vCenter Server

1. Go to the Deep Security Manager Web Console and from the left navigation
panel right-click on Computers and select Add VMware vCenter…

2. Enter the vCenter Server IP address or FQDN. An FQDN is always recommended in
production environments, but in this simple lab environment the IP address can be
used. Specify the Username and Password, then click Next.


3. In the next screen provide the vShield Manager Server IP Address, Username
and Password, then click Next.

Note :- Unless you have manually assigned an FQDN to the vShield Manager, it is
more convenient to use the IP address of the vShield Manager.

4. Configure the network settings according to your Workshop Datasheet and
specify the correct vShield credentials.
5. If asked, accept the SSL certificate (in a production environment, compare the
certificate fingerprint with the one shown by the vShield Manager before accepting it).

6. You will then see a window summarising how many Datacenters, hosts and virtual
machines you are about to add.


7. At the end of the process you will be informed that you are now ready to
“Prepare” the ESX Server for the Virtual Appliance deployment.

8. Click on the “Close” button and double check that the vCenter item has been
created correctly and that your two ESX Servers are properly listed.


1.11 > Import Filter Driver and Virtual Appliance to DSM

Aim : In this workshop you will upload the Filter Driver and Virtual Appliance to the Deep
Security Manager.

Activity 1 : Import the Filter Driver to DSM

1. Go to the Deep Security Manager Web Console and from the left navigation
panel select System > Updates
2. Select Import Software from the Software Package section.

3. Browse and select the Filter-Driver zip file from C:\Workshop_Folder. Click on
Next, then click on Finish.


Activity 2: Import the DSVA

1. Follow the same steps as above to upload the DSVA.


2. Once the software has uploaded, click on View Imported Software and make
sure that both files have been imported.


1.12 > Preparing the VM-ESX-02

Aim : In this workshop you will prepare the ESX server by deploying the Filter Driver.

Activity 1: Prepare ESX for Filter Driver Installation

1. Go to the Deep Security Web Console and select Computers > vCenter >
Hosts and Clusters. Select VM-ESX-02, right-click and choose Prepare.

2. The Wizard will try to put VM-ESX-02 into maintenance mode, and this cannot be
done automatically if any virtual machine is running on it. Make sure that the VMs
on that ESX are suspended or switched off.


3. At the end of the process you will be prompted to deploy the Virtual Appliance;
click Next to start the deployment:


1.13 > Deploying Deep Security Virtual Appliance
Activity 1 : Deploy the DSVA

1. The Wizard will guide you through the deployment process. Specify the Appliance
name according to your datasheet and accept the default settings for the
Datastore, Folder and Network dedicated to VMkernel communication.
2. Choose “Thin Provisioned format” when asked.
3. For the Management Network configure static network settings according to
your datasheet.
4. Accept the certificate:


5. At the end you should get a message telling you that the appliance was deployed
successfully. Choose “Activate Deep Security Appliance now”, click Next and
select a proper Security Profile.


6. To activate protection on VM-TARGET-01 the machine must of course be
started. Double check this before clicking Finish:

7. After the DSVA deployment, to save resources you can reduce the memory allocated
to it to 512MB. First shut down the DSVA the same way you did for the vShield Manager;
if in any doubt, ask the Trainer.


1.14 > Testing the Agentless Anti-Malware functionality

Aim : In this workshop you will use some malware test files to test Agentless Anti-Malware.

1. In the DSM Web Console, select the machine called VM-TARGET-01, right-click
on it, then choose Actions and Assign a Security Profile. Choose
Windows Anti-Malware Protection and click OK.


2. Make sure that the DSVA is protecting the machine: the status should be
Managed (Online):

3. You can also see from the above image that Anti-Malware is On and that it is
managed by the Appliance VM-DSVA-01, running on the VM-ESX-02 server.
4. Now, with the vSphere Client, open a console to your VM-TARGET-01 machine.
5. The easiest way to test whether Anti-Malware is working is to attempt to download
the EICAR test file, as you did in lab “1.8 Testing Agentful Anti-Malware”.
6. In the folder C:\Workshop Folder you will also find some more malware test
files.


7. The password to open the test files is novirus, unless a different one is given in the
file name itself. In order to trigger Anti-Malware protection you have to extract the
files from their zipped format and then double-click on a malware test file.
8. Once you have tested one or more of the test files, go back to the Deep Security
Manager, right-click on VM-TARGET-01 and select Get Events Now.
9. Once that has finished, open the VM-TARGET-01 details window and go to
Anti-Malware Events. You should see your events in the right-hand panel. If
not, troubleshoot the problem.
10. Go to http://eicar.org and download the eicar.com test file directly from their
website.
11. What is the error message that you see on your windows machine?
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________

12. Now go back to the DSM, do another Get Events Now and then check the
events in the details window of VM-TARGET-01. What is the result given for the
eicar file?

_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________

13. Where can you find this file and what options do you have when you right click
on the file?

_______________________________________________________________
_______________________________________________________________
_______________________________________________________________
_______________________________________________________________


1.15 > Testing the Web Reputation protection
Aim: In this lab you will get familiar with Web Reputation protection. First choose a
machine where Deep Security protection is available (Managed Online).

Activity 1 : Activate Web Reputation protection

Go to the Computers section and choose a host where you want to activate Web
Reputation. Both the DSA and the DSVA can provide Web Reputation, but in order to see
Web Reputation events on the client side make sure that the Notifier is installed on
the endpoint. You will see the events in the DSM console in any case.

The host’s details screen appears:

1. Select Web Reputation

2. Select “On”. If it is set to Inherit its settings, just double check that it is already
on, or unselect Inherit and enable it:

3. Set the Security Level to Low:


4. On the protected host, open a browser and try to access all of the following links.
Then change the Security Level to Medium and cycle through the links
again. Repeat for the High security setting.

Link                      Result
                          Low         Medium      High
wr91.winshipway.com       ________    ________    ________
wr65.winshipway.com       ________    ________    ________
wr21.winshipway.com       ________    ________    ________

In order to test the behaviour with web sites that have not been rated by Trend
Micro you can use the following link:

Link                      Result
                          Low         Medium      High
wr71.winshipway.com       ________    ________    ________

In addition to the above web sites you can try the following, or any suspicious
web site you may know (be careful, as some may show explicit images):

HTTP://ASTALAVISTA.BOX.SK
HTTP://WWW.NINJACLOAK.COM

5. On the protected host, double-click the Notifier icon in the Windows system tray:

6. In the Notifier console, select View Events. All Web Reputation activity should
be shown here.


The screen below should appear reporting some Web Reputation Events:

7. At the DSM Console, go to the Computers list, right-click the Host and then
select Actions > Get Events
8. Select Web Reputation > Web Reputation Events.


1.16 > Advanced DPI protection

Aim: In this exercise you will first exploit a DNS vulnerability left on purpose on the machine
named VM-TARGET-01, and then protect the same machine with the DSVA or
DSA and the proper DPI rules. The Metasploit framework is available on VM-DSM-01, so this
will be your attacker machine.

Activity 1: Attack with Metasploit

1. Depending on the version of Metasploit the user interface can be very different; the most
important things to know are the following details of the vulnerability:
• Exploit: MS07_029_MSDNS_ZONENAM
• Target platform: Windows
• Target Service: DCERPC
2. If you are not familiar with Metasploit, ask the Trainer for support. The additional
parameters to be provided are the following:
• Microsoft DNS RPC Server extractquotedchar( ) (TCP)
• As the target: Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)
• As the payload: generic/shell_bind_tcp
• As the RHOST entry provide the IP address of VM-TARGET-01
3. Launch the exploit.
4. If the exploit is successful you should see a remote shell open on the target machine, in
which you can execute commands. Note that a bind shell makes the target listen on a
new TCP port, so a firewall rule on the target that blocks unsolicited inbound
connections would stop the session even where the exploit itself succeeds.
5. Run a few commands of your choice, such as DIR, hostname, or anything else, to convince
yourself that you have compromised the target machine.


Activity 2: Defend with DSVA or DSA

Aim: Now you must shield this vulnerability using the proper DPI rules. Choose whether to
protect the machine with the DSVA or to install the DSA on it. If you install the
DSA you can benefit from Recommendation Scans; otherwise just manually select the DPI
rule mentioned in step 9:
1. Open the DSM console
2. Open the details of the target machine
3. Go to the Deep Packet Inspection section
4. In the drop-down list labelled “Automatically assign/unassign recommended DPI Rules
to Computer during Recommendation Scans” select Yes to override the default inherited
from the Security Profile.
5. Click Save to apply the changes.
6. Click on the “Scan for Recommendations” button.
7. The Recommendation Scan is complete when the greyed-out button becomes available again.
8. Go to the DPI Rules section and check which rules are applied and which are
recommended.
9. The appropriate rule to shield this vulnerability is under the “Application Types” group, in
the group called Windows Services DNS Server RPC Interface. Make sure to check the
rule.
10. Save and make sure the rule is deployed.
11. Repeat the same Metasploit attack; this time it should be unsuccessful.
12. Check the DPI events:
12.1. Identify the rules that were triggered
12.2. Open the rule and check the Vulnerability tab for information


Activity 3: Application Control (optional)

1. In the Deep Security Manager profile, go to Application Control under DPI Rules, within the
Deep Packet Inspection section of the navigation tree

2. Enter Internet Explorer in the search text box at the upper right and press Enter
3. Assign the rule Application Control For Microsoft Internet Explorer Web Browser
4. Open IE in the virtual machine and go to a web site (Google may not be accessible if the
Google Block rule is still assigned)
5. Right-click the aforementioned Internet Explorer rule and select Properties (For this
computer)
6. Change the mode from Inherited (Detect only) to Prevent.
7. Repeat step 4.
8. Fetch and investigate the resulting DPI events


1.17 > Syslog Integration

Activity 1: Start up and configure the Syslog server

1. On the DS Manager, go to Start Menu > Programs > Kiwi Enterprises > Kiwi Syslog
Daemon, and select Kiwi Syslog Daemon.
2. In the Kiwi Syslog Service Manager, click on Manage, then install and start the
syslogd service without rebooting the machine.
3. Check in Windows Services that the service called Kiwi Syslog Daemon is present in the
services list and started.
4. Open the Details screen of a machine with the DS Agent installed (preferably not the DS
Manager itself).
5. Go to System Settings -> Notification Tab.
6. For FW & DPI Event notifications, select Forward Events To:
7. Enter the IP address of the DS Manager as the destination (it is where the syslog
daemon has been activated). Syslog forwarding carries the events in clear text, so
outside the lab keep the syslog server on the management network.
8. Accept all the remaining default settings
9. Click on Save
10. Generate some Agent firewall and DPI events (you can just create rules as explained
in the Firewall lab)
11. Check the syslog display
12. Go to the global System Settings
13. Go to the Notifications tab
14. In the section System Event Notification (From The Manager) update the following:
a. Select Forward System Events to a remote computer (via Syslog)
b. Enter the IP address of the DS Manager as the destination
c. Change the Syslog Facility to Local 1
15. Click on Save
16. Check the syslog display of the Kiwi Manager
17. How can the difference between Agent and System Events be recognized?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
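To see what the Kiwi display is actually receiving, here is a small receiver written for this lab as an added example (it is not Trend Micro's code and not part of the original exercises). It decodes the syslog <PRI> value into facility and severity, which is the mechanism that lets the Local 1 facility chosen in step 14c separate Manager system events from Agent events, and it splits the CEF header that Deep Security places in the message body. The sample lines are constructed: the signature IDs, event names and exact CEF field layout are illustrative, and Local 0 as the default facility for Agent events is an assumption; the only details taken from the lab are the host names and the Local 1 choice.

```python
"""Syslog/CEF receiver for Deep Security event forwarding (added example).
Decodes the RFC 3164 <PRI> prefix into facility/severity, splits the CEF header
in the message body, and separates Manager (system) events from Agent events."""
import re
import socket
from dataclasses import dataclass, field

PRI_RE = re.compile(r"^<(\d{1,3})>")
CEF_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # start of each key=value pair
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  **{16 + i: f"local{i}" for i in range(8)}}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SYSTEM_EVENT_FACILITY = 17   # Local 1: the facility chosen for Manager events in step 14c
AGENT_EVENT_FACILITY = 16    # Local 0: ASSUMED default for Agent events (not stated in the lab)

@dataclass
class SyslogEvent:
    facility: int
    severity: int
    text: str                                       # everything after <PRI>
    cef: dict = field(default_factory=dict)         # CEF header fields
    extension: dict = field(default_factory=dict)   # CEF key=value extension

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES.get(self.facility, f"facility{self.facility}")

def parse_pri(line: str):
    """Return (facility, severity, remainder); PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                                   # facility 23, severity 7 is the maximum
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8, line[m.end():]

def parse_cef(text: str):
    """Split 'CEF:Ver|Vendor|Product|Version|SigID|Name|Severity|key=value ...'. Header
    fields may hold an escaped pipe (\\|); extension values run up to the next 'key='."""
    idx = text.find("CEF:")
    if idx < 0:
        return {}, {}
    parts = re.split(r"(?<!\\)\|", text[idx:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    names = ["cef_version", "vendor", "product", "version", "signature_id", "name", "cef_severity"]
    header = {k: v.replace("\\|", "|") for k, v in zip(names, parts[:7])}
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext_text, extension = parts[7], {}
    keys = list(CEF_KEY_RE.finditer(ext_text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        extension[m.group(1)] = ext_text[m.end():end].strip()
    return header, extension

def parse_syslog(line: str) -> SyslogEvent:
    facility, severity, rest = parse_pri(line.rstrip("\r\n"))
    header, extension = parse_cef(rest)
    return SyslogEvent(facility, severity, rest, header, extension)

def classify(ev: SyslogEvent) -> str:
    """'system' for Manager events, 'agent' for Agent/Appliance events, else 'unknown'.
    The CEF product field is authoritative; the facility is the fallback the lab relies on."""
    product = ev.cef.get("product", "")
    if "Manager" in product:
        return "system"
    if "Agent" in product or "Appliance" in product:
        return "agent"
    if ev.facility == SYSTEM_EVENT_FACILITY:
        return "system"
    return "agent" if ev.facility == AGENT_EVENT_FACILITY else "unknown"

# Constructed sample messages: signature IDs, names and the CEF field layout are illustrative.
SAMPLE_LINES = [
    "<142>Jan 12 10:15:03 VM-DSM-01 CEF:0|Trend Micro|Deep Security Manager|8.0|600|User Signed In|3|"
    "src=172.20.1.20 suser=MasterAdmin msg=User signed in from 172.20.1.20",
    "<134>Jan 12 10:16:41 VM-TARGET-01 CEF:0|Trend Micro|Deep Security Agent|8.0|20|Log for TCP Port 80|0|"
    "act=Log src=172.20.1.20 dst=172.20.1.60 dpt=80 proto=TCP",
    "<134>Jan 12 10:17:09 VM-TARGET-01 CEF:0|Trend Micro|Deep Security Agent|8.0|1001000|"
    "SQL Injection \\| XSS Prevention|8|act=Reset src=172.20.1.20 dst=172.20.1.60 dpt=80 msg=Request blocked",
]

def serve(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Receive UDP syslog and print one classified line per event (port 514 needs admin rights)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        try:
            ev = parse_syslog(data.decode("utf-8", "replace"))
        except ValueError as exc:
            print(f"{src}: unparsable ({exc}): {data[:80]!r}")
            continue
        print(f"{src} {ev.facility_name}.{SEVERITY_NAMES[ev.severity]} [{classify(ev)}] "
              f"{ev.cef.get('name', ev.text[:60])}")

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_syslog(line)
        print(f"{ev.facility_name}.{SEVERITY_NAMES[ev.severity]} [{classify(ev)}] "
              f"{ev.cef.get('product')}: {ev.cef.get('name')} {ev.extension}")
```

Run it directly to parse the constructed samples, or call serve() on a host where the chosen UDP port is free to watch real events arrive. On VM-DSM-01 the Kiwi service already owns port 514, so bind a different port and point a test computer's Forward Events To setting at it if you want to try it in the lab.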


1.18 > Testing the DS Agent Self-Protection
1. At the DSM, select System > System Settings on the tree
2. Select the Computers tab and scroll down to the Agent Self Protection section
3. Disable “Prevent local end-users from uninstalling, stopping, or otherwise modifying
the Agent”
4. On the DSA host, stop the DSA service using the Windows Services console. Note the
result.
5. On the DSA host command line, go to <DSA install path>\Trend Micro\Deep
Security Agent and generate a diagnostic package using the following command:

dsa_control /d

6. Return to System > System Settings and re-enable “Prevent local end-users from
uninstalling, stopping, or otherwise modifying the Agent”
7. Repeat steps ___ and ____. Note the results


1.19 > Case Study

Aim : We have looked at each section of Deep Security on an individual basis, now it is time
to put all of that knowledge together to find solutions to the problems presented in the
following case study.

1. The company requests that all Windows 2003 Servers allow all Incoming
requests from the Manager on Port 139. This request is a high priority.
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________

2. You must also set up the necessary rules to monitor TrendMicro registry keys
for changes. This should be done regardless of the Security Profile in place.
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________

3. Any changes made to the downloads folder on the DS_Agent should also be
logged (sub folders should be included).
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________

4. A report should be created to show recent IM activity and another for FW
activity.
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________


5. The management team are not happy with the FW report: they are not seeing
enough activity and are afraid they cannot justify its existence. You want to show
them that the FW is in fact doing a lot of work. How would you show this?
Implement the changes.
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
_________________________________________________________________

6. The management team want to create reports about events on DS_Agent that
involve any time the attributes of a service are modified, anytime the
downloads folder is changed and any event on the registry keys of
TrendMicro. All similar events should be included in the report.
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________

7. The company have decided that they would like to block Yahoo Messenger,
MSN and ICQ. How would you implement these changes? However, these
blockages should only apply during working hours (from 08h00 to 18h00) and
should only apply to the Corporate network.
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________

8. The Management team has decided that they would like to keep all events
from the 4 modules for a minimum of 30 days, and the system events should
have a life span of 3 months. Implement the changes necessary.
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
__________________________________________________________________
_________________________________________________________________


9. Management is concerned about the overall size of the Database, what steps
could you take to eliminate unnecessary information from being stored there?
Implement the necessary changes.
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
