
TREND MICRO™ Deep Security

AMEA Partner
Case Submission Handbook



Document Version 1.5
Prepared by: Michael Mortiz
Contributor: Glen Ronidel

Copyright © 2020 by Trend Micro Inc. All Rights Reserved.


Table of contents

Introduction ...................................................................................................................... 4
Deep Security Environment ................................................................................................. 5
System Requirement and Sizing Guide .............................................................................. 6
Deep Security Version 10 ............................................................................................ 6
Deep Security Version 11 ............................................................................................ 6
Deep Security Version 12 ............................................................................................ 7
Port numbers, URLs, and IP addresses ............................................................................. 8
Deep Security Agent supported platforms ......................................................................... 8
Deep Security Version 10 ............................................................................................ 9
Deep Security Version 11 .......................................................................................... 10
Deep Security Version 12 .......................................................................................... 10
Deep Security Agent dependencies ................................................................................. 11
Windows ................................................................................................................. 11
Linux ...................................................................................................................... 11
AIX ......................................................................................................... 11
Solaris .................................................................................................................... 12
Debian/Ubuntu ........................................................................................................ 13
Deep Security Agent Kernel Support ............................................................................... 15
Agent/Manager Upgrade Matrix ...................................................................................... 16
Enabling Debug Logs ........................................................................................................ 19
Manager ...................................................................................................................... 19
Enable Advance Logging ........................................................................................... 19
Debug Options ......................................................................................................... 20
Increase File Size and Count ...................................................................................... 23
Generate Diagnostic Package ..................................................................................... 23
Agent ......................................................................................................................... 25
Enable Advance Logging ........................................................................................... 25
Increase File Size and Count ...................................................................................... 25
Generate Diagnostic Package ..................................................................................... 26
Enable Anti-malware Debug ...................................................................................... 27
Common Issues ............................................................................................................... 29
Deep Security Agent Installation .................................................................................... 30
Troubleshooting ....................................................................................................... 30
Logs to Collect ......................................................................................................... 30
Anti-malware Engine Offline .......................................................................................... 32
Troubleshooting ....................................................................................................... 32
Logs to Collect ......................................................................................................... 33
Security Update Failed .................................................................................................. 34
Troubleshooting ....................................................................................................... 34
Logs to Collect ......................................................................................................... 34
Agent Offline ............................................................................................................... 34
Troubleshooting ....................................................................................................... 34
Logs to Collect ......................................................................................................... 36
Crash Issue (kernel panic / bsod) ................................................................................... 37
Troubleshooting ....................................................................................................... 37
Logs to Collect ......................................................................................................... 37
Performance issue (High CPU, High Memory) .................................................................. 38

Troubleshooting ....................................................................................................... 38
Logs to Collect ......................................................................................................... 38
Feedback ......................................................................................................................... 40

Deep Security Partner Handbook

This document serves as a manual for troubleshooting common issues. It provides in-depth
troubleshooting guidelines for the configuration, components, and functionality of Deep Security On
Premise.

By following this document, we can ensure that submitted cases have already been isolated and
verified against the given troubleshooting guidelines.

Deep Security Environment

Verify if your environment meets Deep Security requirements.

· System Requirement and Sizing Guide
· Port numbers, URLs, and IP addresses
· Deep Security Agent supported platforms
· Deep Security Agent dependencies
· Deep Security Agent Kernel Support
· Agent/Manager Upgrade Matrix

System Requirement and Sizing Guide

Requirements vary by version. For previous versions of Deep Security Manager, agents, Relays, or
virtual appliances, see those versions' documentation.

Deep Security Version 10 System Requirement and Sizing Guide

Here are the system requirements for each of the Deep Security components.

· Deep Security Manager requirements
· Deep Security Agent requirements
· Deep Security Virtual Appliance requirements
· Deep Security Notifier requirements

Sizing Guide

· Deep Security Manager and Database Sizing Guide
· Deep Security Relay Sizing Guide
· Sizing for Azure Marketplace

Deep Security Version 11 System Requirement and Sizing Guide

Here are the system requirements for each of the Deep Security components.

· Deep Security Manager requirements
· Deep Security Agent 11.0 requirements
· Deep Security Virtual Appliance requirements
· Deep Security Notifier requirements

Sizing Guide

· Deep Security Version 11 Sizing Guide

Deep Security Version 12 System Requirement and Sizing Guide

Here are the system requirements for each of the Deep Security components.

· Deep Security Manager requirements
· Deep Security Agent requirements
· Deep Security Virtual Appliance requirements

Sizing Guide

· Deep Security Version 12 Sizing Guide

Port numbers, URLs and IP addresses used by Deep Security

Deep Security default port numbers, URLs, IP addresses, and protocols are listed in the sections
below. If a port, URL or IP address is configurable, a link is provided to the relevant configuration page.
· Deep Security port numbers
· Deep Security URLs

Note: If your network uses a proxy or load balancer, you can configure Deep Security to use
it instead of the default ports and URLs listed on this page. For details, see Proxy
settings and Load Balancers.

Note: In addition to the ports on this page, Deep Security uses ephemeral ports when
opening a socket (source port). Under rare circumstances these may be blocked, causing
connectivity issues. For details, see Activation Failed - Blocked port.

Deep Security port numbers


The following diagram shows the default ports in a Deep Security system. For details, see the table
below the diagram.

Deep Security Agent supported platforms

This guide shows the supported agent versions and platforms per Deep Security Manager version.

Deep Security Agent 10 supported platforms

Deep Security Manager 10.0 supports Deep Security Agent on the operating systems shown in the
table below. If platform support was added in an update release, the minimum update version is noted
next to the check mark in the table.

Deep Security Manager supports the use of older agent versions, but we do encourage customers to
upgrade agents regularly. New agent releases provide additional security features and protection,
higher quality, performance improvements, and updates to stay in sync with releases from each
platform vendor. Each agent has an end-of-life date. For details, see Deep Security LTS life cycle
dates.
· Agent platform support table and Docker support

Deep Security Agent 11 supported platforms

Deep Security Manager 11.0 supports the Deep Security Agents on the operating systems shown in
the table below. If platform support was added in an update release, the minimum update version is
noted next to the check mark in the table.

Deep Security Manager supports the use of older agent versions, but we do encourage customers to
upgrade agents regularly. New agent releases provide additional security features and protection,
higher quality, performance improvements, and updates to stay in sync with releases from each
platform vendor. Each agent has an end-of-life date. For details, see Deep Security LTS life cycle
dates and Deep Security FR life cycle dates.
· Agent platform support table
· Docker support
· Systemd support

See also Agent platform support policy.

Deep Security Agent 12 supported platforms

Deep Security Manager 12.0 supports the Deep Security Agents on the operating systems shown in
the table below. If platform support was added in an update release, the minimum update version is
noted next to the check mark in the table.

Deep Security Manager supports the use of older agent versions, but we do encourage customers to
upgrade agents regularly. New agent releases provide additional security features and protection,
higher quality, performance improvements, and updates to stay in sync with releases from each
platform vendor. Each agent has an end-of-life date. For details, see Deep Security LTS life cycle
dates and Deep Security FR life cycle dates.
· Agent platform support table
· Docker support
· Systemd support

See also Agent platform support policy.

Pre-checking the dependencies of Deep Security Agent before installation

This section lists the dependencies the agent needs for installation.

· Windows
· Linux
· AIX
· Solaris
· Debian/Ubuntu

Windows

An external tool, such as depends.exe, can check whether any DLL file is missing.

Linux

Below are the dependencies for Linux:

· linux-vdso.so.1 (0x00007ffc86953000)
· /opt/ds_agent/lib/libwx_baseu-2.9.so.4 (0x00007f584ac58000)
· /opt/ds_agent/lib/dsa_core.so (0x00007f584a7d7000)
· /opt/ds_agent/lib/libslb.so (0x00007f584a5cb000)
· /opt/ds_agent/lib/liblua.so (0x00007f584a399000)
· /lib64/libdl.so.2 (0x0000003c87200000)
· /opt/ds_agent/lib/libcrypto.so.1.0.0 (0x00007f5849f50000)
· /opt/ds_agent/lib/libssl.so.1.0.0 (0x00007f5849ce0000)
· /usr/lib64/libstdc++.so.6 (0x0000003c92a00000)
· /lib64/libm.so.6 (0x0000003c88200000)
· /lib64/libgcc_s.so.1 (0x0000003c92600000)
· /lib64/libpthread.so.0 (0x0000003c87a00000)
· /lib64/libc.so.6 (0x0000003c87600000)
· /lib64/libz.so.1 (0x0000003c88600000)
· /lib64/ld-linux-x86-64.so.2 (0x0000003c86e00000)
· /lib64/libacl.so.1 (0x0000003c93600000)
· /opt/ds_agent/lib/libwxsqlite.so (0x00007f5849aaf000)
· /opt/ds_agent/lib/libsqlite.so (0x00007f5849825000)
· /opt/ds_agent/lib/libexpat.so.1 (0x00007f58495fb000)
· /lib64/libattr.so.1 (0x0000003c97200000)

AIX

Below are the dependencies for AIX:

· /opt/ds_agent/lib/librpc.so
· /opt/ds_agent/lib/dsa_core.so
· /opt/ds_agent/lib/libfingerprint.so
· /opt/ds_agent/lib/libwx_base-2.8.a
· /opt/ds_agent/lib/libsqlite.so
· /opt/ds_agent/lib/libssl.so
· /opt/ds_agent/lib/libcrypto.so
· /usr/lib/libpthread.a(shr_xpg5_64.o)
· /opt/ds_agent/lib/libz.so
· /opt/ds_agent/lib/liblua.so
· /opt/ds_agent/lib/libstdc++.a(libstdc++.so.6)
· /opt/ds_agent/lib/libgcc_s.a(shr.o)
· /usr/lib/libc.a(shr_64.o)
· /unix
· /opt/ds_agent/lib/libexpat.a(libexpat.so.0)
· /opt/ds_agent/lib/libslb.so
· /usr/lib/libiconv.a(shr4_64.o)
· /usr/lib/libpthreads.a(shr_xpg5_64.o)
· /usr/lib/libcrypt.a(shr_64.o)

Solaris

Solaris 11 performs a dependency check based on the configured publisher before installing a
package.

To disable the publisher, run either of the following commands:

pkg unset-publisher solaris

pkg set-publisher --disable solaris

Note that Solaris 11 requires gcc-45-runtime. If the IPS function is required, the OS also needs the
ksh package, which provides ksh93 and the /usr/bin/sh shell.

Debian/Ubuntu

Below are the dependencies for Debian and Ubuntu:

· linux-vdso.so.1 (0x00007fff301ff000)
· /opt/ds_agent/./lib/libwx_baseu_net-2.9.so.4 (0x00007f24cd439000)
· /opt/ds_agent/./lib/libwx_baseu-2.9.so.4 (0x00007f24ccf81000)
· /opt/ds_agent/./lib/dsa_core.so (0x00007f24ccb1e000)
· /opt/ds_agent/./lib/libslb.so (0x00007f24cc911000)
· /usr/lib/libstdc++.so.6 (0x00007f24cc5f3000)
· /lib/libm.so.6 (0x00007f24cc370000)
· /lib/libgcc_s.so.1 (0x00007f24cc15a000)
· /lib/libpthread.so.0 (0x00007f24cbf3e000)
· /lib/libc.so.6 (0x00007f24cbbdb000)
· /opt/ds_agent/./lib/libssl.so.0.9.8 (0x00007f24cb985000)
· /opt/ds_agent/./lib/libcrypto.so.0.9.8 (0x00007f24cb5f3000)
· /opt/ds_agent/./lib/liblua.so (0x00007f24cb3c2000)
· /usr/lib/libz.so.1 (0x00007f24cb1ab000)
· /lib/libdl.so.2 (0x00007f24cafa7000)
· /lib64/ld-linux-x86-64.so.2 (0x00007f24cd63d000)
· /lib/libacl.so.1 (0x00007f24cad9f000)
· /usr/lib/libapt-pkg.so.4.10 (0x00007f24caa99000)
· /opt/ds_agent/./lib/libwxsqlite.so (0x00007f24ca869000)
· /opt/ds_agent/./lib/libsqlite.so (0x00007f24ca5e0000)
· /opt/ds_agent/./lib/libexpat.so.0 (0x00007f24ca3b8000)
· /lib/libattr.so.1 (0x00007f24ca1b3000)
· /lib/libutil.so.1 (0x00007f24c9fb0000)
· /opt/ds_agent/./lib/libwx_baseu-2.9.so.4 (0x00007f4b94e44000)
· /opt/ds_agent/./lib/libsqlite.so (0x00007f4b94bbc000)
· /opt/ds_agent/./lib/dsa_core.so (0x00007f4b94759000)
· /opt/ds_agent/./lib/libdsam.so (0x00007f4b9452e000)
· /opt/ds_agent/./lib/libssl.so.0.9.8 (0x00007f4b942d8000)
· /opt/ds_agent/./lib/libscancache.so (0x00007f4b93d3a000)
· /opt/ds_agent/./lib/libvmpdcommon.so (0x00007f4b93b31000)
· /opt/ds_agent/./lib/libglib-2.0.so.0 (0x00007f4b9381d000)

· /opt/ds_agent/./lib/libgthread-2.0.so.0 (0x00007f4b933f3000)
· /lib/librt.so.1 (0x00007f4b91319000)
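The Linux and Debian/Ubuntu listings above show what a healthy agent resolves to; when a case comes in, the useful view is the opposite one, the libraries that do not resolve. The script below is an added example, not part of the handbook or of Trend Micro's tooling. It parses ldd-style output and reports unresolved libraries. The agent binary path /opt/ds_agent/ds_agent and the "=> not found" marker in ldd output are assumptions of the example; the library paths under /opt/ds_agent/lib are the handbook's.

```shell
#!/bin/sh
# Added example, not from the handbook or from Trend Micro: report the
# shared-library dependencies of the Deep Security Agent that do NOT resolve,
# which is the part of an ldd listing a case handler actually needs.
# Assumptions: the agent binary is /opt/ds_agent/ds_agent (the handbook only
# names the library directory /opt/ds_agent/lib), and ldd marks a missing
# library with "=> not found".

# Read ldd-style output on stdin; print one unresolved library name per line.
missing_libs() {
    awk '/not found/ { print $1 }'
}

# Count the unresolved libraries in ldd-style output on stdin.
missing_lib_count() {
    missing_libs | wc -l | tr -d ' '
}

# Run ldd on a binary and return 1 if any dependency is unresolved,
# 2 if the binary cannot be inspected at all.
check_agent_deps() {
    bin="${1:-/opt/ds_agent/ds_agent}"
    if [ ! -x "$bin" ]; then
        echo "binary not found or not executable: $bin" >&2
        return 2
    fi
    out=$(ldd "$bin" 2>&1) || { echo "ldd failed: $out" >&2; return 2; }
    missing=$(printf '%s\n' "$out" | missing_libs)
    if [ -n "$missing" ]; then
        echo "unresolved dependencies for $bin:" >&2
        printf '  %s\n' $missing >&2
        return 1
    fi
    echo "all dependencies resolved for $bin"
}

# Constructed sample (not real ldd output from an agent host): three resolved
# entries in the handbook's format plus one deliberately missing library.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc86953000)
    /opt/ds_agent/lib/dsa_core.so (0x00007f584a7d7000)
    libacl.so.1 => not found
    /lib64/libc.so.6 (0x0000003c87600000)'

# Usage on a real host: sh check_agent_deps.sh /opt/ds_agent/ds_agent
if [ "$#" -gt 0 ]; then
    check_agent_deps "$1"
fi
```

Attach the script's output to the case instead of the full listing: a single "libacl.so.1 not found" line tells support which package is missing, whereas the full ldd listing has to be diffed against the handbook's table by hand.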

Deep Security Agent Kernel Support

Deep Security Agent Linux kernel support

· Deep Security Agent 12.0 Linux kernel support
· Deep Security Agent 11.3 Linux kernel support
· Deep Security Agent 11.2 Linux kernel support
· Deep Security Agent 11.1 Linux kernel support
· Deep Security Agent 11.0 Linux kernel support
· Deep Security Agent 10.3 Linux kernel support
· Deep Security Agent 10.2 Linux kernel support
· Deep Security Agent 10.1 Linux kernel support
· Deep Security Agent 10.0 Linux kernel support
· Deep Security Agent 9.6 SP1 Linux kernel support
· Deep Security Agent 9.5 SP1 Linux kernel support

A JSON version of the complete list of Linux kernels supported by Deep Security Agent 10.0 and
higher is also available for use in scripts and automated workflows.

Agent/Manager Upgrade Matrix
Manager version      | Build     | Agent 10 | Agent 11 | Agent 12
11.3 FR              |           | X        | X        | Y
11.2 FR              |           | X        | X        | Y
11.1 FR              |           | X        | X        | Y
11.0 LTS Update 20   | 11.0.415  | X        | X        | Y
11.0 LTS Update 19   | 11.0.408  | X        | X        | Y
11.0 LTS Update 18   | 11.0.399  | X        | X        | Y
11.0 LTS Update 17   | 11.0.389  | X        | X        | Y
11.0 LTS Update 15   | 11.0.381  | X        | X        | Y
11.0 LTS Update 14   | 11.0.374  | X        | X        | Y
11.0 LTS Update 13   | 11.0.360  | X        | X        | Y
11.0 LTS Update 12   | 11.0.349  | X        | X        | Y
11.0 LTS Update 11   | 11.0.346  | X        | X        | Y
11.0 LTS Update 10   | 11.0.340  | X        | X        | Y
11.0 LTS Update 9    | 11.0.336  | X        | X        | Y
11.0 LTS Update 8    | 11.0.328  | X        | X        | Y
11.0 LTS Update 7    | 11.0.319  | X        | X        | Y
11.0 LTS Update 6    | 11.0.308  | X        | X        | N
11.0 LTS Update 5    | 11.0.298  | X        | X        | N
11.0 LTS Update 4    | 11.0.292  | X        | X        | N
11.0 LTS Update 3    | 11.0.270  | X        | X        | N
11.0 LTS Update 2    | 11.0.249  | X        | X        | N
11.0 LTS Update 1    | 11.0.240  | X        | X        | N
11.0 GA              | 11.0.221  | X        | X        | N
10.3 FR              |           | X        | Y        | Y
10.2 FR              |           | X        | Y        | Y
10.1 FR              |           | X        | Y        | Y
10.0 LTS Update 25   | 10.0.3466 | X        | Y        | Y
10.0 LTS Update 24   | 10.0.3461 | X        | Y        | Y
10.0 LTS Update 23   | 10.0.3458 | X        | Y        | Y
10.0 LTS Update 21   | 10.0.3456 | X        | Y        | Y
10.0 LTS Update 20   | 10.0.3445 | X        | Y        | Y
10.0 LTS Update 19   | 10.0.3437 | X        | Y        | Y
10.0 LTS Update 18   | 10.0.3432 | X        | Y        | Y
10.0 LTS Update 17   | 10.0.3428 | X        | Y        | Y
10.0 LTS Update 16   | 10.0.3419 | X        | Y        | N
10.0 LTS Update 15   | 10.0.3410 | X        | Y        | N
10.0 LTS Update 14   | 10.0.3402 | X        | Y        | N
10.0 LTS Update 13   | 10.0.3392 | X        | Y        | N
10.0 LTS Update 12   | 10.0.3382 | X        | Y        | N
10.0 LTS Update 11   | 10.0.3376 | X        | Y        | N
10.0 LTS Update 10   | 10.0.3374 | X        | Y        | N
10.0 LTS Update 9    | 10.0.3370 | X        | Y        | N
10.0 LTS Update 8    | 10.0.3367 | X        | Y        | N
10.0 LTS Update 7    | 10.0.3359 | X        | N        | N
10.0 LTS Update 6    | 10.0.3346 | X        | N        | N
10.0 LTS Update 5    | 10.0.3325 | X        | N        | N
10.0 LTS Update 4    | 10.0.3315 | X        | N        | N
10.0 LTS Update 3    | 10.0.3305 | X        | N        | N
10.0 LTS Update 2    | 10.0.3297 | X        | N        | N
10.0 LTS Update 1    | 10.0.3271 | X        | N        | N
10 GA                | 10.0.3259 | X        | N        | N
9.6SP1_P1_U26        | 9.6.4218  | Y        | Y        | N
9.6SP1_P1_U25        | 9.6.4214  | Y        | Y        | N
9.6_SP1_P1_U24       | 9.6.4212  | Y        | Y        | N
9.6SP1_P1_U23        | 9.6.4208  | Y        | Y        | N
9.6SP1_P1_U22        | 9.6.4204  | Y        | Y        | N
9.6SP1_P1_U21        | 9.6.4199  | Y        | Y        | N
9.6SP1_P1_U20        | 9.6.4193  | Y        | Y        | N
9.6SP1_P1_U19        | 9.6.4191  | Y        | Y        | N
9.6SP1_P1_U18        | 9.6.4184  | Y        | Y        | N
9.6SP1_P1_U17        | 9.6.4179  | Y        | Y        | N
9.6SP1_P1_U16        | 9.6.4178  | Y        | Y        | N
9.6SP1_P1_U15        | 9.6.4174  | Y        | Y        | N
9.6SP1_P1_U14        | 9.6.4168  | Y        | Y        | N
9.6SP1_P1_U13        | 9.6.4159  | Y        | Y        | N
9.6SP1_P1_U12        | 9.6.4152  | Y        | Y        | N
9.6SP1_P1_U11        | 9.6.4145  | Y        | Y        | N
9.6SP1_P1_U10        | 9.6.4143  | Y        | Y        | N
9.6SP1_P1_U9         | 9.6.4133  | Y        | Y        | N
9.6SP1_P1_U8         | 9.6.4125  | Y        | Y        | N
9.6SP1_P1_U7         | 9.6.4111  | Y        | Y        | N
9.6_SP1_P1_U6        | 9.6.4093  | Y        | Y        | N
9.6_SP1_P1_U5        | 9.6.4085  | Y        | Y        | N
9.6_SP1_P1_U4        | 9.6.4072  | Y        | Y        | N
9.6_SP1_P1_U3        | 9.6.4064  | Y        | Y        | N
9.6_SP1_P1_U1        | 9.6.4014  | Y        | Y        | N
9.6_SP1_P1_CP1       | 9.6.4000  | Y        | Y        | N
9.6_SP1_P1           | 9.6.3400  | Y        | Y        | N
9.6_SP1              | 9.6.3177  | Y        | N        | N
9.6 GA               | 9.6.1589  | N        | N        | N
9.5SP1_P3_U8         | 9.5.7235  | Y        | N        | N
9.5SP1_P3_U7         | 9.5.7232  | Y        | N        | N
9.5SP1_P3_U6         | 9.5.7230  | Y        | N        | N
9.5_SP1_P3_U5        | 9.5.7228  | Y        | N        | N
9.5_SP1_Patch3_U4    | 9.5.7226  | Y        | N        | N
9.5_SP1_Patch3_U3    | 9.5.7222  | Y        | N        | N
9.5_SP1_P3_CP1       | 9.5.7200  | Y        | N        | N
9.5_SP1_P3           | 9.5.7008  | Y        | N        | N
9.5_SP1_P2           | 9.5.6511  | N        | N        | N
9.5_SP1_P1           | 9.5.6008  | N        | N        | N
9.5_SP1              | 9.5.5600  | N        | N        | N
9.5_Patch1           | 9.5.4112  | N        | N        | N
9.5_CP1              | 9.5.2459  | N        | N        | N
9.5 GA               | 9.5.2456  | N        | N        | N

Enabling Debug Logs

Enabling debug logs gathers more detailed information about your Deep Security environment and
helps support identify the issue more easily.

· Manager
· Agent

Deep Security Manager

Enabling debug logs gathers more detailed information about your Deep Security environment and
helps support identify the issue more easily.

· Enable Advance Logging
· Debug Options
· Increase File Size and Count
· Generate Diagnostic Package

Enable advance logging (Debug)

Follow the steps below to enable DSM debug logging.

Windows

Enable debug using the following steps:
1. Stop the Deep Security Manager service.
2. Open the logging.properties file under: ..\Program Files\Trend Micro\Deep Security Manager\jre\lib\
3. Add one or more of the debug options enumerated under Debug Options below, depending on the
issue you encountered. We recommend adding the lines to the last part of the file for easy
monitoring and maintenance.
Ex. If you have AD Synchronization Issues, just add
com.thirdbrigade.manager.core.util.UserUtilities.level=ALL on the last line.
If you are unsure what to use, just add the line below to enable all logging:
com.thirdbrigade.level = ALL
4. Save the changes and close the file.
5. Start the DSM service.

Linux

Enable debug using the following steps:
1. Stop the Deep Security Manager service.
2. Open the logging.properties file under: /opt/dsm/jre/lib
3. Add one or more of the debug options enumerated under Debug Options below, depending on the
issue you encountered. We recommend adding the lines to the last part of the file for easy
monitoring and maintenance.
Ex. If you have AD Synchronization Issues, just add
com.thirdbrigade.manager.core.util.UserUtilities.level=ALL on the last line.
If you are unsure what to use, just add the line below to enable all logging:
com.thirdbrigade.level = ALL
4. Save the changes and close the file.
5. Start the DSM service (# /opt/dsm/dsm_s start).

Note: Debugging can also be enabled from the DSM console (DSM > Administration > System
Information > Diagnostic Logging).

Debug Options

Here are the debugging options:

Option 1: UI Related Issues
· com.thirdbrigade.manager.webclient.screens.level=ALL
Option 2: Configuration and Protocol Issues
· com.thirdbrigade.manager.webclient.screens.level=ALL
· com.thirdbrigade.manager.core.protocol.session.CommandProtocolSession.level=ALL
· com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterJob.level=ALL
Option 3: Scan Management Issues
· com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterCommand.level=ALL
· com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterCommandGetStatusEvents.level=ALL
· com.thirdbrigade.manager.core.db.AgentEventPeer.level=ALL
Option 4: Anti-Malware Scan Issues
· com.trendmicro.ds.antimalware.jobs.HostUpdaterCommandInvokeAntiMalwareScanAction.level=FINE

· com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterCommandVirtualAgentSync.level=FINE
· com.thirdbrigade.manager.core.db.AgentEventPeer.level=FINE
Option 5: All screens, including Wizard-related Issues
· com.thirdbrigade.manager.webclient.screens.level = ALL
Option 6: vCenter-related Issues
· com.thirdbrigade.manager.core.virtual.level=ALL
· com.thirdbrigade.manager.core.virtualization.vmware.level = ALL

Option 7: Database-related Issues
· com.thirdbrigade.persistence1.level = ALL
Option 8: Startup Information Logging
· com.thirdbrigade.manager.webclient.initialization.level = ALL
· com.thirdbrigade.manager.core.Core = ALL
· com.thirdbrigade.manager.core.security.ClientSecurityManager.level=ALL

Option 9: Host Updater Job (including agent security configuration XML) Debugging
· com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterJob.level=ALL
· com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterCommand.level=ALL
Option 10: Agent Communication Protocol Logging
· com.thirdbrigade.manager.core.protocol.level = ALL
Option 11: Detection Engine (ie Recommendation Scans) Logging
· com.thirdbrigade.manager.core.detectionengine.level=ALL
Option 12: Manager Job-related Issues
· com.thirdbrigade.manager.core.scheduler.jobschedulers.HostJobScheduler.level=ALL
· com.thirdbrigade.manager.core.scheduler.JobQueuingThread.level=ALL
· com.thirdbrigade.manager.core.scheduler.JobCreationThread.level=ALL
· com.thirdbrigade.manager.core.scheduler.ManagerJobs.level=ALL
Option 13: AD Synchronization Issues
· com.thirdbrigade.manager.core.util.UserUtilities.level=ALL
Option 14: Dashboard Bean Performance Issues
· com.thirdbrigade.manager.webclient.screens.DashboardBean.level=ALL

· com.thirdbrigade.manager.webclient.ScreenServlet.level=ALL (to replace the preceding bullet)

Option 15: Active Update Issues
· com.thirdbrigade.manager.core.au.level=ALL
· com.thirdbrigade.manager.webclient.ActiveUpdateServlet.level=ALL
· com.trendmicro.ds.vulnerabilityprotection.au

Option 16: Maintenance Job and Entity Purge-related Issues
· com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.MaintenanceJob.level=ALL
· com.trendmicro.ds.integrity.db.EntityPeer.level=ALL
Option 17: Enable ALL Logging on the manager
· com.thirdbrigade.level = ALL
Option 18: Job Load and Performance Profile related
· com.thirdbrigade.manager.core.scheduler.JobQueuingThread.level=ALL
· com.thirdbrigade.manager.core.scheduler.JobLoad.level=ALL
Option 19: NSX syncing related logging
· com.thirdbrigade.manager.core.virtual.NSXSync.level=ALL
Option 20: Rehoming
· com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSession
· com.trendmicro.manager.core.cloud.CloudSupportingServices
Option 21: AMI Baking Support
· com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterSession
· com.trendmicro.manager.core.cloud.CloudSupportingServices
Option 22: CTD jobs
· com.thirdbrigade.manager.core.scheduler.jobschedulers.SuspiciousFileSubmission.Job.level=ALL
· com.thirdbrigade.manager.core.scheduler.jobschedulers.DDAnReportQueryJob.level=ALL
Option 23: DDAn API
· com.trendmicro.manager.core.ddan.level=ALL
Option 24: CTD AM

· com.trendmicro.ds.antimalware.ctd.level=ALL
· com.trendmicro.ds.antimalware.models.AntiMalwareQuarantinedFilesWizardDean.level=ALL
Option 25: Enable ALL Logging on the manager
· com.thirdbrigade.level = ALL

Increase File Size and File Count

This increases the default size of the log files and the maximum number of log files that can be
generated. We recommend increasing these when reproducing the issue might take hours or days, so
that as much log as possible is captured during the reproduction. Once the reproduction is complete,
revert to the default settings.

Windows and Linux: open the logging.properties file and change the values of the following:
java.util.logging.FileHandler.limit = 10000000 (Default)
java.util.logging.FileHandler.count = 5 (Default)
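The manager-side procedure above (stop the service, add logger lines to logging.properties, raise the FileHandler limit and count, start the service, revert afterwards) is easy to get half-done by hand: duplicate logger lines, a forgotten revert, a count lowered while old server#.log files stay behind. The script below is an added example, not part of the handbook or of Trend Micro's tooling, that applies and reverts the debug profile in one step. From the handbook it takes the path /opt/dsm/jre/lib/logging.properties, the logger lines, the defaults limit=10000000 / count=5 and the command /opt/dsm/dsm_s start. The ".pre-debug" backup name, the raised values 25000000 / 10, "dsm_s stop" as the counterpart of "dsm_s start", and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the handbook or from Trend Micro: apply the
# handbook's manager debug procedure (edit logging.properties, add logger
# lines, raise FileHandler limit/count) in a repeatable way, with a one-step
# revert so the debug profile does not outlive the case.
# From the handbook: the path /opt/dsm/jre/lib/logging.properties, the logger
# lines, the defaults limit=10000000 / count=5, and "/opt/dsm/dsm_s start".
# Assumptions of this example: the ".pre-debug" backup name, the raised values
# 25000000 / 10, "dsm_s stop" as the counterpart of "dsm_s start", and the
# function names.

DSM_LOGGING="${DSM_LOGGING:-/opt/dsm/jre/lib/logging.properties}"

# Set KEY = VALUE in a java.util.logging properties file: replace an existing
# line for that key (first match kept, duplicates dropped) or append one.
set_prop() {
    file="$1"; key="$2"; value="$3"
    awk -v k="$key" -v v="$value" '
        { line = $0; sub(/^[ \t]+/, "", line)
          if (index(line, k "=") == 1 || index(line, k " ") == 1) {
              if (!done) { print k " = " v; done = 1 }
              next
          }
          print }
        END { if (!done) print k " = " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the value configured for KEY (empty if the key is absent).
get_prop() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line)
          if (index(line, k "=") == 1 || index(line, k " ") == 1) {
              sub(/^[^=]*=[ \t]*/, "", line); val = line } }
        END { print val }
    ' "$1"
}

# enable_dsm_debug FILE [logger=LEVEL ...]
# With no logger lines given, fall back to the handbook's catch-all
# "com.thirdbrigade.level = ALL".
enable_dsm_debug() {
    [ "$#" -ge 1 ] || { echo "usage: enable_dsm_debug FILE [logger=LEVEL ...]" >&2; return 2; }
    file="$1"; shift
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    [ "$#" -gt 0 ] || set -- "com.thirdbrigade.level = ALL"
    # Keep one untouched copy so revert restores the pre-debug state even if
    # this function is run several times with different options.
    [ -f "$file.pre-debug" ] || cp "$file" "$file.pre-debug"
    for opt in "$@"; do
        key=$(printf '%s' "${opt%%=*}" | sed 's/[[:space:]]*$//')
        val=$(printf '%s' "${opt#*=}"  | sed 's/^[[:space:]]*//')
        set_prop "$file" "$key" "$val"
    done
    # Bigger and more rotating files so a long reproduction is not rotated away.
    set_prop "$file" java.util.logging.FileHandler.limit 25000000
    set_prop "$file" java.util.logging.FileHandler.count 10
}

# Restore the file saved by enable_dsm_debug.
revert_dsm_debug() {
    file="$1"
    [ -f "$file.pre-debug" ] || { echo "no backup to restore for $file" >&2; return 2; }
    mv "$file.pre-debug" "$file"
}

# Usage on a real host (stop the manager, edit, start it again):
#   sh dsm_debug.sh on "com.thirdbrigade.manager.core.util.UserUtilities.level=ALL"
#   sh dsm_debug.sh off
case "${1:-}" in
    on)  shift; /opt/dsm/dsm_s stop; enable_dsm_debug "$DSM_LOGGING" "$@"; /opt/dsm/dsm_s start ;;
    off) /opt/dsm/dsm_s stop; revert_dsm_debug "$DSM_LOGGING"; /opt/dsm/dsm_s start ;;
esac
```

Reverting restores the saved copy rather than rewriting individual keys, so the file ends up exactly as it was before the case, including the default limit and count; as the handbook notes, server#.log files that already exceed a lowered count still have to be deleted by hand.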

Generate Diagnostic Package

To diagnose an issue, your support provider may ask you to send a diagnostic package containing
debug information for either or both:

Deep Security Manager diagnostics

Create a diagnostic package for Deep Security Manager

1. Go to Administration > System Information.
2. Click Create Diagnostic Package.

The package will take several minutes to create. After the package has been generated, a summary
will be displayed and your browser will download a ZIP file containing the diagnostic package.

Enable debug logs for Deep Security Manager

In addition to a diagnostic package, your support provider may ask you to enable diagnostic logging.

Don't enable diagnostic logging unless recommended by your support provider. Diagnostic logging
can consume large amounts of disk space and increase CPU usage.
1. Go to Administration > System Information.
2. Click Diagnostic Logging.
3. In the wizard that appears, select the options requested by your support provider.

If you have a multi-tenant Deep Security Manager, and the issue that you want to diagnose only occurs
with a specific tenant, select that tenant's name in the option that appears. This will focus the debug
logs, and minimize performance impacts while debug logging is enabled.

Some features need more time and disk space to collect enough debug logs. For example, you might
need to increase Maximum log file size to 25 MB and the time period to 24 hours for Database-
related Issues and Cloud Account Synchronization - AWS.

If you decrease Maximum number of log files, Deep Security Manager does not
automatically delete existing log files that now exceed the maximum. For example, if you
reduce from 10 to 5 log files, server5.log to server9.log would all still exist. To reclaim
disk space, manually delete those files from the file system.

While diagnostic logging is running, Deep Security Manager will display the
message Diagnostic Logging enabled on the status bar. If you changed the default options, the
status bar will display the message Non default logging enabled upon diagnostic logging
completion.

4. To find diagnostic logging files, go to the root directory of the Deep Security Manager, and look
for file names with the pattern server#.log, such as server0.log.

Deep Security Agent

Enabling debug logs gathers more detailed information about your Deep Security environment and
helps support identify the issue more easily.

· Enable Advance Logging
· Debug Options
· Increase File Size and Count
· Generate Diagnostic Package

Enable advance logging (Debug)

Follow the steps below to enable DSA debug logging.

Windows

To enable detailed logging:
1. Create a file named ds_agent.ini under the %SystemRoot% directory (example:
C:\Windows\ds_agent.ini).
2. Put either of the following lines inside the file:
Trace=Appl Beat Cmd Cfg Conn HTTP Log Lstn Srvc SSL
Trace=*
Alternatively, you can add additional switches:
Trace.file_name=dsa_debug_Computer1
Trace.file_count=10
Trace.file_size=1048576
3. Restart the dsa service.
4. Delete the ds_agent.ini once done reproducing the issue and restart the agent.

Linux

To enable detailed logging:
1. Modify the /etc/syslog.conf (or /etc/rsyslog.conf) file by adding any of the following lines:
local0.info /var/log/messages
local0.* /var/log/messages
2. Create a file named ds_agent.conf under the /etc directory.
3. Add the following line inside the ds_agent.conf file:
Trace=Appl Beat Cmd Cfg Conn HTTP Log Lstn Srvc SSL
This will enable extra tracing for the various sub-components of the Deep Security Agent. If you do
not want output from a certain component, just exclude that component from the line.
4. Restart the Trend Micro Deep Security Agent service using this command:
# service ds_agent restart
The output goes to syslog using "local0", so the location depends on your /etc/syslog.conf settings.
5. Delete the ds_agent.conf once done reproducing the issue and restart the agent.
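For the Linux column above, the step that most often goes wrong is the syslog one: the Trace= line is written, the agent is restarted, and nothing shows up because no selector routes "local0". The script below is an added example, not part of the handbook or of Trend Micro's tooling. It builds the Trace= line from the documented component names (rejecting misspelt ones), writes /etc/ds_agent.conf with a backup, and refuses to report success unless the syslog configuration routes local0. From the handbook it takes /etc/ds_agent.conf, the Trace= syntax and component names, the local0 facility, the /etc/syslog.conf and /etc/rsyslog.conf paths, and "service ds_agent restart"; the ".pre-debug" backup name and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the handbook or from Trend Micro: set up Deep
# Security Agent tracing on Linux as the handbook's Linux column describes,
# and check the part that silently goes wrong, syslog not routing "local0".
# From the handbook: /etc/ds_agent.conf, the Trace= line and its component
# names, the "local0" facility, /etc/syslog.conf or /etc/rsyslog.conf, and
# "service ds_agent restart". Assumptions: the ".pre-debug" backup name and
# the function names are this example's.

# Trace components the handbook enumerates; "*" selects all of them.
DSA_TRACE_COMPONENTS="Appl Beat Cmd Cfg Conn HTTP Log Lstn Srvc SSL"

# Return 1 (with a message) if any requested component is not a documented one.
valid_trace_components() {
    for c in "$@"; do
        [ "$c" = "*" ] && continue
        case " $DSA_TRACE_COMPONENTS " in
            *" $c "*) ;;
            *) echo "unknown trace component: $c" >&2; return 1 ;;
        esac
    done
    return 0
}

# Build the Trace= line; no arguments means every documented component.
build_trace_line() {
    valid_trace_components "$@" || return 1
    [ "$#" -gt 0 ] || set -- $DSA_TRACE_COMPONENTS
    printf 'Trace=%s\n' "$*"
}

# Does this syslog configuration have a selector for the local0 facility?
syslog_routes_local0() {
    [ -f "$1" ] && grep -q '^[[:space:]]*local0\.' "$1"
}

# enable_dsa_trace CONF SYSLOGCONF [component ...]
# Writes CONF (backing up an existing one). Returns 1 if SYSLOGCONF does not
# route local0, because the trace output would then not land where expected.
enable_dsa_trace() {
    [ "$#" -ge 2 ] || { echo "usage: enable_dsa_trace CONF SYSLOGCONF [component ...]" >&2; return 2; }
    conf="$1"; syslogconf="$2"; shift 2
    line=$(build_trace_line "$@") || return 1
    [ ! -f "$conf" ] || cp "$conf" "$conf.pre-debug"
    printf '%s\n' "$line" > "$conf"
    if syslog_routes_local0 "$syslogconf"; then
        echo "trace enabled in $conf; output goes to syslog facility local0 per $syslogconf"
        return 0
    fi
    echo "warning: $syslogconf has no local0 selector; add e.g. 'local0.* /var/log/messages'" >&2
    return 1
}

# Undo enable_dsa_trace: restore the backup or remove the file we created.
disable_dsa_trace() {
    if [ -f "$1.pre-debug" ]; then mv "$1.pre-debug" "$1"; else rm -f "$1"; fi
}

# Usage on a real host:
#   sh dsa_trace.sh on Appl Conn SSL     (then reproduce the issue)
#   sh dsa_trace.sh off
case "${1:-}" in
    on)  shift; enable_dsa_trace /etc/ds_agent.conf /etc/rsyslog.conf "$@" && service ds_agent restart ;;
    off) disable_dsa_trace /etc/ds_agent.conf && service ds_agent restart ;;
esac
```

The "on" path only restarts the agent once the syslog check passes, so a missing local0 selector is reported before a restart that would produce no usable log; narrowing the component list (for example Conn and SSL for an agent-to-manager connectivity case) keeps /var/log/messages readable.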

Increase File Size and File Count

This increases the default size of the log files and the maximum number of log files that can be
generated. We recommend increasing these when reproducing the issue might take hours or days, so
that as much log as possible is captured during the reproduction.

Windows: open the ds_agent.ini file and change the values of the following:
dsa.log.maxSize
dsa.log.maxFiles

Linux: open the ds_agent.conf file and change the values of the following:
dsa.log.maxSize
dsa.log.maxFiles

Generate Diagnostic Package

To diagnose an issue, your support provider may ask you to send a diagnostic package containing
debug information for either or both:

Deep Security Agent diagnostics

For an agent, you can create a diagnostic package either:
· via the Deep Security Manager
· using the CLI on a protected computer (if the Deep Security Manager cannot reach the agent
remotely)

Create an agent diagnostic package via Deep Security Manager

Deep Security Manager must be able to connect to an agent remotely to create a diagnostic package
for it. If the Deep Security Manager cannot reach the agent remotely, or if the agent is using
agent-initiated activation, you must create the diagnostic package directly from the agent.
1. Go to Computers.
2. Double-click the name of the computer you want to generate the diagnostic package for.
3. Select the Actions tab.
4. Under Support, click Create Diagnostics Package.
5. Click Next.

The package will take several minutes to create. After the package has been generated, a summary
will be displayed and your browser will download a ZIP file containing the diagnostic package.

When the System Information checkbox is selected, it might create a huge diagnostic package that
could have a negative impact on performance. The checkbox is greyed out if you are not a primary
tenant or do not have the proper viewing rights.

Create an agent diagnostic package via CLI on a protected computer

Linux, AIX, or Solaris

1. Connect to the server that you want to generate the diagnostic package for.
2. Enter the command:
sudo /opt/ds_agent/dsa_control -d

The output shows the name and location of the diagnostic package: /var/opt/ds_agent/diag

Windows
1. Connect to the computer that you want to generate the diagnostic package for.
2. Open a command prompt as an administrator, and enter the command.

In PowerShell:
& "\Program Files\Trend Micro\Deep Security Agent\dsa_control" -d

In cmd.exe:
cd C:\Program Files\Trend Micro\Deep Security Agent

dsa_control.cmd -d

The output shows the name and location of the diagnostic package: C:\ProgramData\Trend
Micro\Deep Security Agent\diag

Collect debug logs with DebugView

On Windows computers, you can collect debug logs using DebugView software.

Only collect debug logs if your support provider asks for them. During debug logging, CPU usage will
increase, which will make high CPU usage issues worse.
1. Download the DebugView utility.
2. If self-protection is enabled, disable it.
3. Stop the Trend Micro Deep Security Agent service.
4. In the C:\Windows directory, create a plain text file named ds_agent.ini.
5. In the ds_agent.ini file, add this line:
trace=*
6. Launch DebugView.exe.
7. Go to Menu > Capture.
8. Enable these settings:
· Capture Win32
· Capture Kernel
· Capture Events
9. Start the Trend Micro Deep Security Agent service.
10. Export the information in DebugView to a CSV file.
11. Re-enable self-protection if you disabled it at the beginning of this procedure.

Enable advanced logging (Debug)

Follow the steps below to enable Anti-Malware (AM) debug logging.

Windows
1. Disable self-protection and stop the AMSP service.
2. Go to the AMSP installation folder. By default, it is located under
C:\Program Files\Trend Micro\AMSP.
3. Open the AmspConfig.ini file with administrative permission.
4. Set the following parameters and save the changes:
DebugLogAMSPServiceStart=1
DebugLogMode=0
Where the values of DebugLogMode are as follows:
0 - Local mode
1 - Remote pipe mode
5. Start the AMSP service.
6. Open the AMSP installation folder\debug\ folder and make sure the Amsp_LocalDebugLog.log file
exists.

Linux
Create the file /var/opt/ds_agent/am/ds_am.ini with the following content (the brackets show the
allowed ranges):
main=debug_level=7,vmpd_log_file_count=[2~1000],vmpd_log_file_MB=[1~100]

vmpd_log_file_count and vmpd_log_file_MB are supported from:
DSA 9.6_SP1_P1_U12_CP (9.6.2-8198)
DSA 10 Update 4 (DSSEG-1305, merged into 10.0.0-2470)

For example, for log level 6 with vmpd_log_file_count=10 and vmpd_log_file_MB=10:
main=debug_level=6,vmpd_log_file_count=10,vmpd_log_file_MB=10

Deep Security Common Issues

· Deep Security Agent Installation
· Anti-malware Engine Offline
· Security Update Failed
· Agent Offline
· Crash Issue (kernel panic / BSOD)
· Performance issue (High CPU, High Memory)

Deep Security Agent Installation

Deep Security Agent Installation Issue

Issues related to installing the Deep Security Agent core component only.

Troubleshooting Agent Installation

Procedure
☐ Check that the agent installer is imported in the DSM console.
  To install Deep Security Agent, you must download the agent installer and load packages for the
  agent's protection modules into Deep Security Manager. To view a list of software that has been
  imported into Deep Security Manager, go to Administration > Updates > Software > Local.
  Deep Security is modular. Initially, Deep Security Agent only has core functionality. When you
  enable a protection module, the agent downloads that plug-in and installs it. So before you
  activate any agents, first download the agent software packages into Deep Security Manager's
  database ("import" them) so that they will be available to the agents and relays.
☐ Make sure all dependencies are installed on the system.
  See: Pre-checking the dependencies of Deep Security Agent before installation
☐ Confirm that the platform is supported by your agent version.
  See: Agent platform support table
☐ For non-Windows systems, check that the kernel version is supported.
  Run the command: uname -r
  See: Deep Security Agent Linux kernel support
☐ If using a deployment script:
  The deployment scripts generated by Deep Security Manager for Windows agent deployments require
  Windows PowerShell version 4.0 or later. You must run PowerShell as an Administrator, and you may
  have to run the following command to be able to run scripts: Set-ExecutionPolicy RemoteSigned
☐ If you want to deploy an agent to an early version of Windows or Linux that doesn't include
  PowerShell 4.0 or curl 7.34.0 at a minimum, remove the --tlsv1.2 option from the curl commands
  (Linux) or the
  [Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;
  line (Windows) so that early TLS (version 1.0) is used to communicate with the manager. Also make
  sure that early TLS is allowed on the manager and relays. Treat this as a temporary workaround:
  TLS 1.0 is deprecated, and allowing early TLS on the manager and relays weakens the connection for
  every client that talks to them, not only the one being deployed. See Determine whether TLS 1.2 is
  enforced and Enable early TLS (1.0) for details.
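The curl minimum matters because the generated Linux deployment script pins TLS 1.2, and a host with an older curl fails the download rather than negotiating down. The script below is an added example written for this handbook, not part of the Trend Micro deployment script; it checks the prerequisite before the deployment script runs, taking the 7.34.0 minimum from the text above, and compares versions numerically so that 7.4.x is not mistaken for a newer release than 7.34.0.

```shell
#!/bin/sh
# Added example for this handbook (not part of the generated deployment
# script): check the TLS 1.2 prerequisite on a Linux host before running the
# deployment script. Versions are compared numerically with sort -V because a
# plain string comparison would rank 7.4.1 above 7.34.0.

# version_ge <a> <b>: 0 if dotted version a is >= b.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# curl_version: the version number from the first line of "curl --version",
# or an empty string when curl is absent.
curl_version() {
    curl --version 2>/dev/null | awk 'NR==1 {print $2}'
}

# kernel_release: what "uname -r" reports, to compare against the supported
# kernel list for your agent version.
kernel_release() {
    uname -r
}

# check_tls12_prereq [min_version]: say whether the deployment script can keep
# its TLS 1.2 option (minimum curl 7.34.0, from the handbook text). Returns 1
# when the early-TLS fallback would be needed, so a wrapper can refuse to go on.
check_tls12_prereq() {
    _min=${1:-7.34.0}
    _v=$(curl_version)
    if [ -z "$_v" ]; then
        echo "curl not found: install curl before running the deployment script"
        return 1
    fi
    if version_ge "$_v" "$_min"; then
        echo "curl $_v (>= $_min): keep the deployment script as generated (TLS 1.2)"
        return 0
    fi
    echo "curl $_v (< $_min): the deployment script would need its TLS 1.2 option removed and"
    echo "early TLS (1.0) allowed on the manager and relays; prefer upgrading curl on this host"
    return 1
}

# Usage: echo "kernel: $(kernel_release)"; check_tls12_prereq
```

Run it on the target host before the deployment script; a non-zero exit means the host would need the TLS 1.0 workaround, which is the point at which to upgrade curl instead of weakening the manager.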

Logs to collect for Agent installation issues

Platform  Logs                                  Detail                                     Location
Windows   msinfo32.exe                          System information                         n/a
Windows   setupapi.log                          Driver install log (OS log file)           %SystemRoot%\
Windows   setupapi.dev.log                      Driver install log (device install file)   %SystemRoot%\inf\
Windows   setupapi.app.log                      Driver install log (device install file)   %SystemRoot%\inf\
Windows   ds_agent.log                          Agent install log                          %programdata%\Trend Micro\Deep Security Agent\diag
Windows   sc query tbimdsa                      AMSP install log                           %programdata%\Trend Micro\Deep Security Agent\am
          sc query ds_agent (screenshot)
Linux     uname -a                              Machine information                        n/a
Linux     cat /proc/driver/dsa/info             Driver information                         n/a
Linux     rpm -qa ds_agent                      Package information                        n/a
Linux     syslog (local0 facility)              DSA main log                               Depends on syslog configuration
Linux     ds_agent.log                          Agent install log                          /var/opt/ds_agent/diag/
Linux     lsmod | grep -i dsa_filter            Network driver status                      screenshot
          cat /proc/driver/dsa/info
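The Linux rows of the table above can be collected in one pass. The following script is an added example written for this handbook, not a Trend Micro utility; it assumes the paths used elsewhere in this document (dsa_control under /opt/ds_agent, diagnostic packages under /var/opt/ds_agent/diag) and records each command's exit status, so a missing tool shows up in the bundle instead of as an empty file. Run it as root.

```shell
#!/bin/sh
# Added example for this handbook (not a Trend Micro utility): collect the
# Linux items from the "Logs to collect for Agent installation issues" table
# into one directory, then tar it with a checksum for the support case.
# Assumptions (from this document): dsa_control is /opt/ds_agent/dsa_control
# and diagnostic packages land in /var/opt/ds_agent/diag. Run as root.

# run_capture "<command>" <outfile>
# Runs the command through sh -c and stores its combined output and exit
# status in outfile, so a missing tool (e.g. rpm on a Debian host) is recorded
# in the bundle instead of silently producing an empty file.
run_capture() {
    _cmd=$1; _out=$2
    printf '# %s\n' "$_cmd" > "$_out"
    if sh -c "$_cmd" >> "$_out" 2>&1; then _rc=0; else _rc=$?; fi
    printf '# exit status: %s\n' "$_rc" >> "$_out"
    return "$_rc"
}

# newest_file <dir> <glob>: path of the most recently modified match, if any.
newest_file() {
    ls -1t "$1"/$2 2>/dev/null | head -n 1
}

# collect_linux_bundle <outdir>: gather everything, print the tarball path.
collect_linux_bundle() {
    _dir=${1%/}
    mkdir -p "$_dir"
    run_capture 'uname -a'                      "$_dir/uname.txt"
    run_capture 'cat /proc/driver/dsa/info'     "$_dir/dsa_driver_info.txt"
    run_capture 'rpm -qa ds_agent'              "$_dir/rpm_ds_agent.txt"
    run_capture 'dpkg -l | grep -i "ds.agent"'  "$_dir/dpkg_ds_agent.txt"
    run_capture 'lsmod | grep -i dsa_filter'    "$_dir/lsmod_dsa_filter.txt"
    run_capture 'ps -ef | grep "[d]s_a"'        "$_dir/ps_ds_agent.txt"
    # The DSA main log goes to syslog facility local0; where that lands depends
    # on the syslog configuration, so pull agent lines from the usual files.
    for _f in /var/log/messages /var/log/syslog; do
        [ -r "$_f" ] && grep -i 'ds_agent' "$_f" > "$_dir/$(basename "$_f").ds_agent.txt"
    done
    cp /var/opt/ds_agent/diag/ds_agent.log "$_dir/" 2>/dev/null
    # Fresh diagnostic package, same command as in the CLI section above.
    if [ -x /opt/ds_agent/dsa_control ]; then
        run_capture '/opt/ds_agent/dsa_control -d' "$_dir/dsa_control_d.txt"
        _pkg=$(newest_file /var/opt/ds_agent/diag '*.zip')
        [ -n "$_pkg" ] && cp "$_pkg" "$_dir/"
    fi
    _tar="$_dir.tar.gz"
    tar -czf "$_tar" -C "$(dirname "$_dir")" "$(basename "$_dir")"
    sha256sum "$_tar" > "$_tar.sha256"
    printf '%s\n' "$_tar"
}

# Usage: collect_linux_bundle "/tmp/dsa_case_$(hostname)_$(date +%Y%m%d)"
```

Attach both the tarball and its .sha256 file to the case; the checksum lets support confirm the upload was not truncated or altered in transit.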

Anti-malware Engine Offline

Anti-malware Engine offline issue.

Troubleshooting Anti-Malware engine offline

Agent-based protection
Procedure
☐ Check whether other AV products (e.g. OfficeScan or a third-party AV) are installed and
  conflicting with Deep Security.
☐ Make sure the "Trend Micro Solutions Platform" service (Windows) or the ds_am process (Linux) is
  running.
☐ Check in the DSM local software repository that the agent package of the version you are using
  is already imported:
  · Go to DSM > Administration > Updates > Software > Local
☐ If you're using a Linux server, your kernel might not be supported. For more information, see
  Error: Module installation failed (Linux).
☐ If using DNS in the environment, check that hostname resolution is working:
  · nslookup Relay-Hostname
  · nslookup DSM-Hostname
☐ Confirm that the agent can connect to the relay server on port 4122:
  · telnet [Relay-Hostname] 4122 or curl -v telnet://[Relay-Hostname]:4122
  · telnet [Relay-IP] 4122 or curl -v telnet://[Relay-IP]:4122
☐ For Windows, check that the following service and drivers are installed (this step applies to
  Windows machines only):
  · sc query AMSP
  · sc query tmactmon
  · sc query tmcomm
  · sc query tmevtmgr
☐ For Linux, check that ds_am is running with its scan modules loaded:
  ps -ef | grep ds
  root 32501 1 0 17:23 ? 00:00:00 /opt/ds_agent/ds_am -g ../diag -v 6 -d /var/opt/ds_agent/am
  -m /opt/ds_agent/lib/libvmpd_full_scan.so -m /opt/ds_agent/lib/libvmpd_scanctrl.so
  -m /opt/ds_agent/lib/libvmpd_dsa_rtscan.so
☐ If the agent was upgraded, especially on the Windows platform, a server reboot is needed to
  complete the agent upgrade.
☐ Most of the time, agent reinstallation fixes this type of issue. If possible, perform an agent
  reinstallation:
  · Deactivate the agent from the DSM console or use the command "dsa_control -r" locally to reset
    the agent
  · Uninstall the agent
  · Restart the machine (Windows only)
  · Reinstall the agent

Agentless protection
Procedure
☐ In the Deep Security Manager, verify synchronization to vCenter and NSX. Under the Computers
  section, right-click your vCenter and go to Properties. Click Test Connection. Then click the NSX
  tab and test the connection. Click Add/Update Certificate in case the certificate has changed.
☐ Log into the NSX Manager and verify that it is syncing to vCenter properly.
☐ Log into your vSphere client and go to Network & Security > Installation > Service Deployments.
  Check for errors with Trend Micro Deep Security and Guest Introspection, and resolve any that are
  found.
☐ In the vSphere client, go to Network & Security > Service Composer. Verify that the security
  policy is assigned to the appropriate security group.
☐ Verify that your VMware Tools are compatible with Deep Security. For more information, see VMware
  Tools 10.x Interoperability Issues with Deep Security.
☐ Verify that the File Introspection Driver (vsepflt) is installed and running on the target VM. As
  an admin, run sc query vsepflt at the command prompt.
☐ All instances and virtual machines deployed from a catalog or vApp template from vCloud Director
  are given the same BIOS UUID. Deep Security distinguishes different VMs by their BIOS UUID, so a
  duplicate value in the vCenter causes an Anti-Malware Engine Offline error. To resolve the issue,
  see VM BIOS UUIDs are not unique when virtual machines are deployed from vApp templates (2002506).

Logs to collect for AM Engine Offline Issues

Platform  Logs                          Detail                                     Location
Windows   AM debug Diagnostic Package   Diagnostic Package with AM debug enabled   Diagnostic Package
Linux     AM debug Diagnostic Package   Diagnostic Package with AM debug enabled   Diagnostic Package

Security Update Failed

· Troubleshooting
· Logs to Collect

Troubleshooting Security Update Failed

Procedure
☐ Check that the Deep Security Manager and Deep Security Relay are running a higher build version
  than the agents. Check the update number.
☐ Confirm that the Deep Security Relay can download updates without issues and has a green status
  in the console.
☐ Make sure the Relay Group being used has an active, working relay.
☐ If using a proxy server with SSL inspection, add the Trend Micro URLs (specifically the
  ActiveUpdate URLs) to the bypass/exception list on the web proxy server. See Port numbers, URLs,
  and IP addresses.
☐ Check the connection from the agent to the relay server:
  telnet Relay_server 4122
  Ping test between DSA and DSR. A failed ping on its own is not conclusive, since ICMP is often
  filtered where TCP is allowed; the telnet result is the one that matters.

Logs to collect for Security Update Issues

Platform       Logs                        Detail                      Location
Windows        Diagnostic Package          Agent Diagnostic Package    Diagnostic Package
Linux          Diagnostic Package          Agent Diagnostic Package    Diagnostic Package
Windows        Diagnostic Package          Relay Diagnostic Package    Diagnostic Package
Linux          Diagnostic Package          Relay Diagnostic Package    Diagnostic Package
Windows/Linux  Result of telnet and ping   Result of telnet and ping   screenshot
Windows/Linux  Packet capture              Wireshark or tcpdump        pcap file

Agent Offline

· Troubleshooting
· Logs to Collect

Troubleshooting Agent Offline Issues

A computer status of "Offline" or "Managed (Offline)" means that the Deep Security Manager hasn't
communicated with the Deep Security Agent's instance for some time and has exceeded the missed
heartbeat threshold. (See Configure the heartbeat.) The status change can also appear in alerts and
events.

Procedure
☐ On the computer with the agent, verify that the Trend Micro Deep Security Agent service is
  running. The method varies by operating system.
  · On Windows, open the Microsoft Windows Services Console (services.msc) or Task Manager. Look
    for the service named ds_agent.
  · On Linux, open a terminal and enter the command for a process listing. Look for the service
    named ds_agent or ds-agent, such as:
    sudo ps aux | grep ds_agent
    sudo service ds_agent status
  · On Solaris, open a terminal and enter the command for a process listing. Look for the service
    named ds_agent, such as:
    sudo ps -ef | grep ds_agent
    sudo svcs -l svc:/application/ds_agent:default
☐ Check the connection from agent to manager:
  From the DSA:
  telnet DSM 4120
  Ping test between DSA and DSM.
  From the DSM:
  telnet DSA 4118
  Ping test between DSA and DSM.
  A failed ping on its own is not conclusive, since ICMP is often filtered where TCP is allowed;
  the telnet result on the required port is the one that matters.
☐ If telnet fails, trace the route to discover which point on the network is interrupting
  connectivity.
  On Linux, enter the command:
  traceroute [agent IP]
  On Windows, enter the command:
  tracert [agent IP]
☐ Check whether the agent's or the manager's system time is incorrect. SSL/TLS connections require
  the two clocks to be roughly in sync, because certificate validity is checked against the local
  clock.
☐ Check whether the computer has left the context of the private network. This can occur if
  roaming endpoints (such as a laptop) cannot connect to the manager at their current location.
  Guest Wi-Fi, for example, often restricts open ports and uses NAT when traffic goes across the
  Internet.
☐ Verify that the communication direction is configured properly: bi-directional communication may
  be enabled while only one direction is allowed or reliable (see Configure communication
  directionality).
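The reachability checks in this procedure and in the Security Update Failed procedure (relay port 4122) rely on telnet, which many hardened servers do not ship. The script below is an added example written for this handbook, not Trend Micro code; it uses bash's /dev/tcp under a timeout for the TCP checks, and for the clock check it assumes that the manager returns an HTTP Date header to a HEAD request on its heartbeat port 4120 (an assumption; if it does not, the check says so rather than guessing).

```shell
#!/bin/sh
# Added example for this handbook (not a Trend Micro tool): the network checks
# from the "Security Update Failed" and "Agent Offline" procedures in one
# script. telnet is often absent on servers, so TCP reachability uses bash's
# /dev/tcp under a timeout. Ports are the ones documented above: 4122 agent ->
# relay, 4120 agent -> manager heartbeat, 4118 manager -> agent (run that one
# from the manager host with tcp_reach <agent> 4118).

# resolve_host <name>: print the resolved addresses; fail if there are none.
resolve_host() {
    _addrs=$(getent ahosts "$1" | awk '{print $1}' | sort -u)
    [ -n "$_addrs" ] && printf '%s\n' "$_addrs"
}

# tcp_reach <host> <port> [timeout_s]: 0 if a TCP connection completes,
# non-zero on refusal or when the timeout expires (filtered port).
tcp_reach() {
    _h=$1; _p=$2; _t=${3:-5}
    command -v bash >/dev/null 2>&1 || { echo "tcp_reach needs bash for /dev/tcp" >&2; return 2; }
    timeout "$_t" bash -c "exec 3<>/dev/tcp/$_h/$_p" 2>/dev/null
}

# http_date_to_epoch "<RFC 1123 date>": seconds since the epoch (GNU date).
http_date_to_epoch() {
    date -u -d "$1" +%s
}

# clock_skew_seconds <host> <port>: absolute difference between this host's
# clock and the Date header returned by an HTTPS HEAD request to host:port.
# ASSUMPTION: the manager returns a Date header on its heartbeat port; when it
# does not, nothing is printed and the function returns 1 instead of guessing.
clock_skew_seconds() {
    _hdr=$(curl -skI --max-time 5 "https://$1:$2/" 2>/dev/null |
           awk 'tolower($1)=="date:" {sub(/^[^ ]* /,""); sub(/\r$/,""); print}')
    [ -n "$_hdr" ] || return 1
    _remote=$(http_date_to_epoch "$_hdr") || return 1
    _local=$(date -u +%s)
    _d=$(( _remote - _local ))
    [ "$_d" -lt 0 ] && _d=$(( -_d ))
    printf '%s\n' "$_d"
}

# triage <dsm_host> <relay_host>: run the checks from an agent host.
triage() {
    _dsm=$1; _relay=$2
    for _n in "$_dsm" "$_relay"; do
        if resolve_host "$_n" >/dev/null; then echo "DNS  $_n: resolves"; else echo "DNS  $_n: FAILED"; fi
    done
    if tcp_reach "$_dsm" 4120; then echo "TCP  $_dsm:4120 heartbeat: open"; else echo "TCP  $_dsm:4120 heartbeat: closed or filtered"; fi
    if tcp_reach "$_relay" 4122; then echo "TCP  $_relay:4122 relay: open"; else echo "TCP  $_relay:4122 relay: closed or filtered"; fi
    if _skew=$(clock_skew_seconds "$_dsm" 4120); then
        echo "TIME skew vs $_dsm: ${_skew}s (large skew breaks TLS certificate validation)"
    else
        echo "TIME skew vs $_dsm: no Date header returned; compare the clocks manually"
    fi
}

# Usage: triage dsm.example.com relay.example.com
```

A "closed or filtered" result distinguishes nothing further on its own; follow it with the traceroute step above to find where the path is interrupted. Attach the script output to the case together with the telnet and ping screenshots the log table asks for.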

Logs to collect for Agent Offline Issues

Platform       Logs                        Detail                                      Location
Windows        Diagnostic Package          Agent Diagnostic Package                    Diagnostic Package
Linux          Diagnostic Package          Agent Diagnostic Package                    Diagnostic Package
Windows        Diagnostic Package          Relay Diagnostic Package                    Diagnostic Package
Linux          Diagnostic Package          Relay Diagnostic Package                    Diagnostic Package
Windows/Linux  Result of telnet and ping   Result of telnet and ping test              screenshot
Windows/Linux  Packet capture              Wireshark or tcpdump                        pcap file
Windows/Linux  Network diagram             Network diagram of affected server to DSM   screenshot

Crash Issue (kernel panic / bsod)

· Troubleshooting
· Logs to Collect

Troubleshooting Crash Issues

Procedure
☐ Work with the OS vendor (e.g. Microsoft, Red Hat) to identify the cause of the kernel panic or
  BSOD.
☐ Check that the platform is supported and the agent system requirements are met. See System
  Requirement and Sizing Guide.

Logs to collect for Crash Issues

Platform       Logs                 Detail                                         Location
Windows        Diagnostic Package   Agent Diagnostic Package                       Diagnostic Package
Linux          Diagnostic Package   Agent Diagnostic Package                       Diagnostic Package
Windows        Windows full dump    Windows full memory dump                       Windows full dump
Windows        Windows events       Windows System, Application, Security events   Event Viewer
Linux          kdump (vmcore)       kdump (vmcore)                                 kdump (vmcore)
Linux          messages logs        messages logs                                  /var/log/messages
Linux          dmesg                dmesg                                          dmesg
Windows/Linux  Full RCA report      Full RCA report from OS vendor                 Full RCA report from OS vendor

Performance issue (High CPU, High Memory)

· Troubleshooting
· Logs to Collect

Performance issue (High CPU, High Memory, Network)

For performance issues we need to quantify the problem being encountered compared to normal
operation. Example: a download that usually finishes in 2 minutes now takes 10 minutes.

Procedure
☐ Identify which module is causing the high CPU or high memory by disabling each module in use one
  by one until the issue disappears.
☐ If Anti-Malware is found to be causing the issue:
  · Ensure a proper scan exclusion list is added. Keep exclusions as narrow as possible (specific
    paths or processes rather than whole drives), since every excluded location is a blind spot for
    malware detection.
    o Review the recommended scan exclusion list and add whichever entries are necessary:
      https://success.trendmicro.com/solution/1059770
    o If you have third-party software installed that is not listed in the article, reach out to
      the software vendor for its AV exclusion list.
    o For other references on configuring Anti-Malware, refer to the articles below:
      1. Enable and configure anti-malware
      2. Configure malware scans
      3. Create anti-malware exceptions
      4. Performance tips for anti-malware
☐ If the issue is caused by Intrusion Prevention, remove all unnecessary IPS rules and run a
  recommendation scan to get the Trend Micro recommended rules.
☐ If the issue is caused by Integrity Monitoring and/or Log Inspection, review all the rules you
  have and assign only the rules you need.
☐ For network performance issues in a cluster environment, make sure the cluster's dedicated
  interface is bypassed in filter scanning.

Logs to collect for Performance Issues

Platform  Logs                      Detail                                               Location
Windows   Diagnostic Package        Agent Diagnostic Package                             Diagnostic Package
Linux     Diagnostic Package        Agent Diagnostic Package                             Diagnostic Package
Windows   Task Manager screenshot   Task Manager screenshot of the top process           Task Manager
Linux     top results               top - look for the PID of the top process, then:     top output, gstack output
                                    top -Hp [PID]
                                    gstack [PID]
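top -Hp and gstack from the table above are interactive tools. When support needs the hottest thread captured over an interval, the following added example (written for this handbook, not a Trend Micro tool) samples the per-thread CPU counters from /proc directly, which also works on minimal systems without procps; it parses /proc/<pid>/task/<tid>/stat from the last ") " because the command-name field may itself contain spaces and parentheses, a detail that breaks naive field splitting.

```shell
#!/bin/sh
# Added example for this handbook (not a Trend Micro tool): find the thread of
# a process that is burning CPU by sampling /proc/<pid>/task/<tid>/stat twice,
# a scriptable stand-in for "top -Hp [PID]" from the table above, then capture
# gstack output when the tool is installed. Needs only /proc, not procps.

# stat_cpu_ticks "<one /proc/.../stat line>": utime + stime in clock ticks.
# The comm field is in parentheses and may itself contain spaces or ')', so
# fields are counted from the last ") " rather than from the start of the line.
stat_cpu_ticks() {
    _rest=${1##*\) }
    # _rest starts at stat field 3 (state); utime is field 14 and stime field
    # 15, i.e. the 12th and 13th words of _rest.
    set -- $_rest
    echo $(( ${12} + ${13} ))
}

# hot_threads <pid> [interval_s] [top_n]: print "ticks tid comm" for the
# threads that consumed the most CPU during the interval, highest first.
hot_threads() {
    _pid=$1; _int=${2:-2}; _top=${3:-5}
    [ -d "/proc/$_pid/task" ] || { echo "no such process: $_pid" >&2; return 1; }
    _tmp=$(mktemp)
    for _t in /proc/"$_pid"/task/*; do
        _s=$(cat "$_t/stat" 2>/dev/null) || continue
        printf '%s %s\n' "$(basename "$_t")" "$(stat_cpu_ticks "$_s")"
    done > "$_tmp"
    sleep "$_int"
    while read -r _tid _before; do
        _s=$(cat "/proc/$_pid/task/$_tid/stat" 2>/dev/null) || continue   # thread exited
        _comm=$(cat "/proc/$_pid/task/$_tid/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "$(( $(stat_cpu_ticks "$_s") - _before ))" "$_tid" "$_comm"
    done < "$_tmp" | sort -rn | head -n "$_top"
    rm -f "$_tmp"
}

# capture_stacks <pid> <outfile>: thread stacks via gstack (ships with gdb).
capture_stacks() {
    if command -v gstack >/dev/null 2>&1; then
        gstack "$1" > "$2" 2>&1 && echo "stacks written to $2"
    else
        echo "gstack not installed (part of gdb); skipping stack capture" >&2
        return 1
    fi
}

# Usage: _pid=$(pgrep -x ds_agent | head -n 1); hot_threads "$_pid" 5 10
#        capture_stacks "$_pid" /tmp/ds_agent.gstack
```

Take several samples a few minutes apart while the problem is visible; a thread that tops every sample, together with its gstack output, is what support needs to map the CPU time to a module. Tick counts are in clock ticks (usually 100 per second per thread), so 500 ticks over a 5 second interval means one thread fully busy.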

Feedback

For comments and suggestions, you can answer a quick survey:

· Comments and Suggestions