Professional Documents
Culture Documents
DS8 STS 20feb2012 PDF
DS8 STS 20feb2012 PDF
d Micr
M o™
Deeep
p Se
ecurrity 8.0
0
Sup
pportt Trac
ck
Stu
udent Textb
book
Trend Micro Deep Security Support Track
Information in this document is subject to change without notice. The names of companies, products, people,
characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual,
company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the
responsibility of the user.
No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without
the express prior written consent of Trend Micro Incorporated.
All other brand and product names are trademarks or registered trademarks of their respective companies or
organizations.
References
Vording, Mike, and Lee, Wesley; Remove MD5 from DSM specification.doc
Salted hash:
http://www.aspheute.com/english/20040105.asp
http://msdn.microsoft.com/en-us/magazine/cc164107.aspx
Kozierok, Charles M., The TCP/IP Guide, San Francisco, CA: No Starch Press Inc., 2005
Russinovich, Mark E., Solomon, David A., Microsoft Windows Internals, Redmond, WA: Microsoft Press, 2005
RFC 793 – Transmission Control Protocol
RFC 826 – Ethernet Address Resolution Protocol
RFC 3164 – BSD syslog protocol
Third Brigade Deep Security Wikipedia
Port scanning techniques: http://nmap.org/book/man-port-scanning-techniques.html
Xmas scan: http://www.networkuptime.com/nmap/page3-5.shtml
Understanding TCP Reset attacks: http://kerneltrap.org/node/3072
MSI debug: http://support.microsoft.com/kb/223300
OSSEC: http://www.ossec.net/
CERT Advisory CA-1998-01 Smurf IP Denial-Of-Service attacks
PING-of-death: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci822096,00.html
Spangler, Ryan, Analysis of Remote Active Operating System Fingerprinting Tools, University of Wisconsin, 2003
Browsing and enumeration: http://www.sans.edu/resources/securitylab/attacks_browsing.php
ARP poisoning: http://www.watchguard.com/infocenter/editorial/135324.asp
Session hijacking: http://www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm
Cross-site scripting: http://www.ibm.com/developerworks/web/library/wa-secxss/
SQL injection: http://technet.microsoft.com/en-us/library/ms161953.aspx
Conficker / Worm_Downad:
Deep Security Server Protection – Conficker Worm Use Case, April 2009
http://threatinfo.trendmicro.com/vinfo/secadvisories/default6.asp?vname=MS08-
067_SERVER_SERVICE_REMOTE_EXECUTION_EXPLOIT
http://blog.trendmicro.com/downad-gearing-up-for-a-botnet/
http://blog.trendmicro.com/where-in-the-world-is-downadconficker/
http://blog.trendmicro.com/downadconficker-turns-1yr/
http://blog.trendmicro.com/new-downad-generates-more-urls/
Acknowledgements
The author wishes to acknowledge the assistance of the following individuals. Without them, this document would
not have been possible.
Mike Gibson
Bob Durie
Bilal Baig
Christopher McKenzie
Eric Rosenquist
Rick Abbott
Sharan Hiremath
Marion Mora
Jesus Escolar
Jill Chua-Maceda
Alwin Yu
Ernesto Jimenez
Dale Sabo
Kevin Boyce
Justin Foster
Bart Trojanowski
Saif Chaudhry
Aphyr Lee
Ron Chittaro
Kevin C Chen
Michael Dysart
The following individuals have offered help with feedback and reviews:
Brent Huffman
Ryan Delaney
Chris Pratico
Mark van Ryck de Groot
John Burroughs
Bob Lewinski
The following individuals from the AMSP team provided information for their component:
Joyce Chang
John H Lee
Sebie Shieh
Travis Lin
Ziv Huang
Table of Contents
Chapter 1: Course Overview ....................................................................................... 13
1.1 > Course Objectives ................................................................................. 13
1.2 > Target Audience and Prerequisites ........................................................ 13
1.3 > How to Use This Material ....................................................................... 14
Chapter 2: Product overview ...................................................................................... 15
2.1 > Chapter overview .................................................................................. 16
2.2 > What’s new ........................................................................................... 16
2.2.1 External enhancements ................................................................ 16
2.2.2 Internal enhancements ................................................................. 24
2.3 > Product overview ................................................................................... 26
2.4 > About Deep Security Agent .................................................................... 27
2.4.1 Agent architecture........................................................................ 28
2.4.2 Agent: User mode ........................................................................ 29
2.4.3 Agent: Kernel mode ..................................................................... 30
2.4.4 Protection functionality ................................................................ 31
2.4.5 Agent settings.............................................................................. 34
2.5 > About Deep Security Manager ............................................................... 34
2.5.1 Manager architecture ................................................................... 34
2.5.2 Web client .................................................................................... 35
2.5.3 Manager core ............................................................................... 36
2.5.4 Agent communication .................................................................. 38
2.6 > Management console ............................................................................ 38
2.7 > Database ............................................................................................... 39
2.7.1 Installation options ...................................................................... 39
2.7.2 Database operation ...................................................................... 41
2.7.3 Backup & recovery ........................................................................ 49
2.8 > Review questions .................................................................................. 50
Chapter 3: Installation ................................................................................................... 52
3.1 > Chapter overview .................................................................................. 53
3.2 > System requirements............................................................................. 53
3.2.1 Manager Hardware and Software Requirements ............................ 53
3.2.2 Web Console Requirements .......................................................... 53
3.2.3 Deep Security Agent / Relay Hardware and Software Requirements54
3.2.4 Virtual Appliance Hardware and Software Requirements ............... 54
3.3 > Installing Deep Security Manager ........................................................... 55
3.3.1 Installers ...................................................................................... 55
3.3.2 About the installation log ............................................................. 55
3.3.3 Deployment considerations .......................................................... 56
3.3.4 Changes to host ........................................................................... 60
3.4 > Installing the Deep Security agent ......................................................... 62
3.4.1 Installers ...................................................................................... 62
3.4.2 Changes to host ........................................................................... 63
3.4.3 Agent activation ........................................................................... 63
Cha
apte
er 1: Cou
C rse Over
O rview
w
In this couurse, you will leearn how to use
u Trend Miccro™ Deep Seecurity 8.0. Th his course provvides
information n about the baasic architectuure, deploymeent scenarios, installation,
i co
onfiguration, and
a
administrattion options, and
a troubleshooting details that a networrk administrattor needs to kn now
for successsful implemen ntation and lon ng-term mainttenance.
1.1
1 > Cou
urse Ob
bjective
es
Taking thiss course shoulld enable you to complete these
t knowleddge- and skills--based tasks:
Knowled
dge
● Descriibe the purposse, features, fuunctions, and capabilities off Deep Securitty 8.0
● Descriibe the high-leevel program architecture
a
● Understand system configuration
c and administration optionss and requirem
ments
● Understand the diffe
ferent networkk threats this product
p addresses
● Identiffy areas in whiich troublesho
ooting may bee required
Skills
● Install Deep Securityy manager andd agents
● oot common problems in Deep
Use deebugging toolss to troublesho D Security
1.2
2 > Tarrget Au
udience
e and Prerequisites
This coursee is designed for
f resellers an
nd IT professiionals responssible for proteecting networkks
from virus attacks and other
o security threats.
t Thosee who will typiically benefit the
t most incluude:
● System
m administrato
ors
● Netwo
ork engineers
Before youu take this couurse, Trend Miicro recommeends that you haveh ng knowledge of
a workin
Trend Micrro products an nd services as well as of bassic networkingg concepts and principles. You
Y
should also
o have a workiing knowledgee of the follow wing productss and conceptss:
● TCP/IIP protocol kn
nowledge
● Open System Intercconnection (O
OSI) reference model
● Microssoft Active Diirectory admin
nistration
● VMwaare Center Servver / ESX serrver administrration
Cha
apte
er 2: Prod
duct overview
w
Chapterr Objective
es
After comp
pleting this ch
hapter, you sho
ould be able to
o:
● Explain the featuress introduced in
n this version
● Understand the Deeep Security maanager architecture.
● Understand the Deeep Security ageent architecturre.
Version 8.0
DSM on Linux –64-bit RedHat Linux Enterprise Edition 5 and 6 are now officially
supported.
VMware ESX 5 support – DSVA version 8 is designed to work with VMware ESXi
version 5. It will not work with previous versions of ESXi
Anti-Malware functionality on DSA – Deep Security Agents can now perform Anti-
Malware functionality. This introduces a host of capabilities that were previously
unavailable with agent-less (DSVA-only) protection. This includes:
This removes Real-time Scan-specific settings (e.g., IntelliTrap, process image file
list, etc.) from the configuration of scan types that either can’t or shouldn’t use them.
● New Real-time Scan exclusion – a new exclusion list was created for use in Real-time
scan configurations. This only affects DSAs and does not apply to DSVA-initiated
scans.
● Reducing the impact of AM scans – administrators can reduce the impact of manual
or scheduled Anti-Malware scans on available CPU resources, by controlling the rate
at which the DSA cycles through the files it scans. This impact reduction, however,
is at the expense of the total time it takes to complete the scan. This only affects
DSAs and does not apply to DSVA initiated scans
● Granular scan action based on malware-type – administrators now have the option
to specify the scan action taken against malware according to malware type.
NOTE Worms, Trojans, and the similar malware are typically small files that
do not exceed 5MB. Viruses, which are now less prevalent, can infect larger
files but have been observed to have difficulty infecting large files without
damaging them. For this reason large files are not viewed as much of an issue.
Integrity monitoring on DSVA - the DSVA is now able to detect file-based Integrity
Monitoring events on a Virtual Machine even without a DSA installed.
Smart Protection Network (SPN) integration – DSAs and DSVAs can now send
information to the SPN.
Endpoint notifications – Windows users will now be able to receive notification about
malware and spyware events, and the status of protection through an application that
installs on the Windows system tray.
Th
hese are also in
nvolved in preeserving Integgrity Monitorin
ng baselines for
fo VMs that
vM
Motioned from m one ESX server to anotheer.
Web reputation
r fun nctionality – DSA/DSVA A can automatiically block malicious or
pootentially maliccious Web sitees. The sensitiivity level for this feature is configurable.
Agentt self-protectiion – administrators can no
ow prevent en
ndpoint users from
f removin
ng
DSSAs
Spywaare exclusionn – this featuree prevents Deep Security from removingg applications that
t
maay be identifieed as spyware
As shown above, by default the wizard will only show groups. The result of the filter is shown
below.
Administrators can include additional parameters to the filter to further refine the selection
shown on the screen above. For additional information about filter syntax, refer to the following:
http://msdn.microsoft.com/en‐us/library/aa746475(v=vs.85).aspx
User rights
● Filters that prevent users from seeing report data, and events, generated by hosts to
which they cannot view
Removal of weak ciphers – in support of efforts to obtain Common Criteria EAL +4
certification, the list of preferred ciphers for DSM-DSA communication has been
reduced. The following table shows the ciphers that were removed and retained
Retained Removed
TLS_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
Activation and policy assignment via new Event-based tasks – Service Pack 1
introduced the concept of tasks that run when specific events occur. In previous
versions, events ran solely based on schedules.
Event-based tasks, first introduced in version 7.5 SP1, define system responses when a
Virtual Machine is added or moved to a protected ESX server. The following events can
trigger these tasks:
1. Attempt to activate agent on VM
2. Assign a profile based on the VM’s parameters
The relevant screen is shown below.
The profile assignment capability replaces the original system introduced in Deep
Security 7.0 SP1, and resulted in the deletion of the following section of system settings
In its place, event-based tasks allows the administrator to assign profiles according to the
following parameters:
Profile assignments, therefore, will no longer be global as it was previously, but can
actually be tailored for specific environments.
Performance profiles – Administrators now have some measure of control over the
number of threads that are devoted to particular tasks, based on the nature of the Deep
Security Manager installation.
SYN-Flood protection removal – discontinuation of Windows 2000 support has made this
feature redundant. For this reason, this feature has been removed.
Version 8.0
AMSP integration – this version includes the Anti-Malware Solution Platform, a Trend
Micro common module that acts as an interface between a product and the core
technologies (e.g., scan engines, etc.) that it uses to implement protection. This module
introduces a number of changes to include the following:
● Aegis support – on Windows-based agents, the Trend Micro Aeigis module is used to
hook into the file system to detect file I/O events, as well as to implement self-
protection
● Referential scanning – AMSP handles cooperation between VSAPI, SSAPI, and a DLL-
based Damage Cleanup Engine
Scan-storm avoidance – this feature controls the number of manual or scheduled AM,
Integrity, and Recommendation scans that take place on an ESX server. This feature
introduced changes the job queuing feature, and affects DSAs that are installed on VMs.
IP6 support – the packet processing pipeline has been modified to support IP6 traffic, to
include IP6 traffic that is encapsulated by IP6 transition mechanisms (i.e., IP6-to-IP4
and Teredo). Selected aspects of the DSM, DSA, and DSVA have been modified to
ensure compatibility with an IP6 environment.
Anti-malware report issues – an issue where the URL links in anti-malware and attack
reports were displaying no information was resolved
User interface issue - an issue where some UI items on DSM accept non-ascii characters
was resolved
Japanese language support – improvements designed to support a Japanese version of the
product were introduced
Deep Security
Relay
Port: 80 / 443 Port: 80 / 443
(HTTP / HTTPS) (HTTP / HTTPS)
Optional
Port: 4120
(SSL)
Named pipes
or TCP
Deep Security Deep Security
Database Manager Agent
Port: 4118
(SSL)
Web server
Port: 4119
(HTTPS)
DSM
Management
console
Each component will be discussed in detail in their respective sections. However, they are
described briefly below:
Deep Security Agent (DSA) – this component is responsible all protection functionality on
a host computer. The nature of that protection depends on the rules and security
settings that it receives from the Deep Security Manager.
Deep Security Manager (DSM) – this is the management component of the system and is
responsible for sending rules and security settings to its DSAs. The DSM is also
responsible for generating the DSM management console, and for interfacing with its
database and other network services required for proper operation (e.g., Active
Directory, ESX servers, security center, etc.)
Database – the database contains all persistent information that DSM needs to operate.
This includes configuration details and log information for each individual DSA, and a
multitude of records required for DSM operation.
Management console – this is primary means of administering the DSM network. This
java-based console is generated at the DSM and provides functionality for configuring
security settings and retrieving information about the DSM network.
Trend Micro Update server – this is a security knowledge deployment portal built upon
the content distribution network maintained by Akamai Technologies. Both
ActiveUpdate (AU) and Intelligent ActiveUpdate (iAU) use this facility.
Whenever Trend Micro defines new security rules designed to address emerging threats
or software vulnerabilities, or releases new Anti-Malware components, it makes them
available to its customers via this Website.
Deep Security Relay (DSR) – is a modified DSA that also serves as an update site for the
entire Deep Security network, and is responsible for downloading updates from the
Trend Micro update center. Each Deep Security network needs at least one DSR. While
DSAs can download from an update site if the DSR is absent, the version 8.0 DSM can
only get its updates from the DSR.
NOTE The DSR will not be discussed in detail in this chapter. For additional
information about it, see Chapter 15
Dsc.exe DSA
Agent: Kernel mode configuration
compiler
Each group will be discussed extensively in their respective sections, but here are their functions
in brief:
User mode – this is responsible for communication with the Deep Security Manager, and
for passing instructions from the manager to Kernel mode via IOCTLs
Kernel mode – this is responsible for implementing manager instructions – or rules – and
turning them into actual security functionality.
As shown in the diagram, both groups communicate by way of I/O controls (IOCTL). It must
be noted that although arrows in the illustration appear to be going in both directions, these only
refer to the flow of information. Responsibility for initiating the exchange is always the User
mode. The kernel does not actively communicate with the User mode.
In Linux-based DSAs, IOCTLs use the following communication channels.
/dev/dsa – for configuration, commands from user mode to the kernel, and logs in return
/dev/dsa_ssl – dedicated channel for SSL master key decryption requests from driver to
user mode
/proc/driver/dsa – used for sending statistical information, module version information,
etc
DSAs start differently on different platforms. On Windows-based machines, the Windows
Service Control module is responsible for loading both components.
Linux-based systems use separate scripts to load components. These are shown below:
/etc/init.d/ds_filter – selects appropriate kernel driver for environment and loads using
insmod
/etc/init.d/ds_agent – checks if driver is already loaded, and then loads the user-mode
component
User Mode
Protocol
Configuration
Audit analysis
compiler
Audit reader
DSA: Kernel
Protocol – this works the same way the protocol sub-module on the Deep Security Manager
does. It is responsible for sending and receiving the XML messages that make up
Manager-Agent communication.
Incoming Manager Communication – handles requests received from the Deep Security
Manager
Outgoing Manager Communication – initiates communication with the manager either as
part of a heartbeat or when an Event occurs
Manager Command Responder – Deep Security commands are essentially requests sent
to this agent component. Its acts as a server, providing security services as requested.
Configuration builder – once the protocol module receives a message from the Deep
Security manager, it passes the information in the message to Configuration builder,
which then assembles the information into an XML file that is passed to the
Configuration compiler.
Configuration compiler – this component (dsc.exe) takes the XML message that the
Configuration builder generates and then compiles it into a binary file that the Kernel
Mode component of the Agent uses.
Audit reader – this retrieves event information from the kernel module’s event buffer. This
Audit analysis – this component analyzes information contained in the event
Audit storage – this is responsible for storing the event for later retrieval by the DSM
Autonomous operation – this component monitors the agent host clock for changes,
network interface and firewall status.
SSL Session Key Decryptor – this component is responsible for decrypting SSL traffic in
preparation for analysis by Deep Packet Inspection functionality
Kernel
NOTE For details about the modules responsible for Firewall and DPI functionality, see
Chapter 4.
Firewall
HIPS functionality
Deep Packet Inspection
Integrity Monitoring
HIDS functionality
Log Inspection
HIPS functionality
For traffic analysis, the DSA intercepts network traffic destined for, and originating from, the
DSA host. The diagram below shows how the interception is accomplished.
Application
Transport layer
Network layer
Physical layer
(NIC)
Network
The layers in the diagram represent the bottom four layers of the OSI model. The bottom-most
layer, the Physical layer, represents the network interface card, while the top-most layer in the
diagram is the Transport layer, which is where packets are reassembled for use by the application
to which they were sent.
As shown, the agent uses a driver which is bound to the Data Link layer. This permits the agent
to scan network traffic for malicious content – immediately after it arrives at the NIC.
Tip When a computer starts up, drivers in the Data Link layer are loaded before the
rest of the operating system. This ensures timely protection even during a re-start.
The manner, in which traffic is intercepted and then redirected to the driver varies from platform
to platform. The following table presents OS-specific differences for this function.
On Windows systems, the driver is written according to the Network Driver Interface
Specification (NDIS), and appears in Local Area Connection properties, as shown below.
Drivers for Linux-based DSAs hook into the Linux kernel Netfilter API. This API provides the
following hooks for security applications that need access to network traffic traversing the
kernel.
The driver intercepts incoming traffic at the pre-routing hook, and outgoing traffic at the post-
routing hook.
NOTE Intercepting traffic at the pre-routing hook, before the routing decision phase
where the kernel decides whether or not the packet was actually meant for the host,
means that the DSA operates promiscuously – analyzing any and all traffic that arrives at
the NIC with no regard for its destination. This is true for all DSAs regardless of platform.
Solaris-based DSAs use IP filter (pfil) or Netinfo interfaces to the Solaris kernel. The latter is
available on the more recent versions of the kernel.
This driver does not exist for DSAs on the HPUX and AIX platforms since these do not have
firewall and Deep Packet Inspection functionality.
HIDS functionality
Host analysis functionality involves monitoring pre-defined system areas for changes, and then
notifying the DSM of these changes for later analysis.
Event
Deep notification Deep
Security Security
Manager Agent
Detect
change System
area
These features can also serve to either confirm the effectiveness of HIPS settings, or alert the
administrator of protection gaps.
Anti-Malware functionality
In version 8.0, the DSA incorporates the Anti-Malware Solution Platform (AMSP), which gives
it access to various scan engines that detect and remove malware.
Deep Security Agent
Anti‐Malware Solution Platform
XML
message
Deep
Deep Security Agent
Security ds_agent.config
(ds_agent.exe)
Manager
Used by
config.bin NDIS driver
Settings arrive from the Deep Security manager in the form of XML messages. After the DSA
receives this message, it generates an encrypted version of the message, called config.3bc, and
stores this on disk. This security measure protects the information contained therein, and makes
the file unique to this particular agent. The latter is made possible because the private key used
for encryption incorporates hardware information (e.g., MAC addresses, etc.).
The configuration compiler converts config.3bc into the binary config.bin file, and then deletes
config.3bc. Each time the DSA starts up, it loads config.bin so that it gets it applies the correct
settings.
Other
(Active Directory,
Email SMTP
VMWare, etc.) notifications server
Agent
communication
Deep Security
Agent
Each module will be discussed in detail in their respective sub-sections, but they are introduced
briefly below:
Web client – these modules are responsible for generating the DSM Web console
Manager core – as the name implies this is responsible for the bulk of DSM functionality,
to include command queuing and deployment, database access, downloading updates
from the security center, to interfacing with various network services (e.g., SMTP, Active
Directory, VMware servers, etc.)
Agent communication – this is responsible for establishing and maintaining the
management relationship with Deep Security Agents.
Browser
Web client
Static Webservice
images API
Dynamic
images Model-View-
Control
(MVC)
RPC
Manager core
The DSM uses a Web console. Consequently, it needs a Web server to serve the console to its
administrators. For this purpose, DSM uses a built-in, Tomcat-based, Web server. When
accessing unsecured resources, such as static images, the Web server assumes responsibility for
displaying these items on the console. However, for dynamic content and secure resources where
user permissions are a consideration, the Web server passes the relevant information to the
Model-View-Control (MVC) GUI architecture for processing. It then displays the information
that the MVC returns.
For additional information about the MVC architecture, see Appendix A: Deep
dive information > Chapter 2: Product overview > About the Model-Control-View
architecture.
Dynamic images consist of graphs and charts generated by Model components. While the RPC
sub module generates XML documents required by AJAX features used on the browser.
The Webservice API allows third-party applications, written in accordance with API guidelines, to
obtain information from the Deep Security database. The API uses its own access methods, and
is separate from the MVC.
Autonomous
operation
Commands - is responsible for processing all configuration requests, security checks, and
validation logic processing.
Audit - handles storage and management of events (system, agent, DPI, and firewall events.
It works in conjunction with the Web client and Agent communication modules for data
usage and collection.
Alerts - analyzes system data to generate, maintain, and resolve alerts. It works with the
Email notification module for SMTP alerts. Its primary role is to provide administrators
with a list of actionable issues to resolve.
Autonomous operation - responsible for non-user-driven “housekeeping” functions. These
include performance of scheduled tasks, session management, password expiration, and
the like. It is also responsible for the job queue – a to-do list for the outgoing agent
communication sub-module of the agent communication module.
Security center interface - used to access the Trend Micro security center. This module is
responsible for all aspects of security center access from authentication to session
management.
Security - manages authentication, identification, and access control functionality. All user-
initiated actions go through this module for approval, before accessing middleware
functions.
Middleware - provides an interface for all persistent (stored in the database) data on the
Deep Security system. It contains all the operating logic required to maintain data
consistency.
Persistence layer - directly interfaces with the Deep Security database, and is compatible
with a variety of JDBC-compatible databases.
Manager core
Manager core
(Audit)
Agent jobs (Active, Update, Upgrade, Heartbeat) (Autonomous
operation)
Protocol
Agent jobs – contains the logic for a variety of agent operations to include: activation,
update, upgrade, and heartbeat. Certain outgoing jobs that it sends out are in response to
requests from the Autonomous operations module of the Manager core.
Outgoing agent communication – processes messages destined for the agent
Incoming agent communication – receives messages from the agent
Protocol – this module encapsulates messages in an XML file and sends them to agents.
Deep Security
Browser Tomcat
Manager
servlets
Important: The embedded database is only recommended for testing purposes, and for no
more than 50 agents. In some environments issues are encountered when a DSM has more
than 10 agents. All production environments should use external databases.
JVM
Deep Security
dsm.properties
Manager
JDBC
Derby Database
engine files
As shown in the illustration, the data storage architecture involves the following components in
addition to Deep Security Manager:
dsm.properties – the DSM properties file configures DSM to use the embedded database.
This can be found in the following location:
. . . Deep Security Manager\webclient\webapps\ROOT\WEB‐INF
JDBC – DSM uses Java Database Connectivity (JDBC) to access its database. This is true
for the embedded database as well as the external database.
Derby engine – named derby.jar, this component is responsible for database functionality.
Files related to the Derby engine are stored in the following location:
. . . Deep Security Manager\webclient\webapps\ROOT\WEB‐INF\lib
Database files – these files store the information in DSM database tables. These files are
stored in the following location:
. . . Deep Security Manager\dsm\seg0
Note that the domain field might not be visible upon opening the Advanced screen.
Select Named Instance to reveal the field and then enter the domain. If you are need to
use the default instance, simply re-select Default after entering the domain.
The data storage architecture implemented when DSM uses an external database is shown below
JVM
Deep Security
dsm.properties
Manager
Named pipe
or
TCP/IP
JDBC
Database
As shown in the illustration, the data storage architecture involves the following components in
addition to Deep Security Manager:
dsm.properties – the DSM properties file configures DSM to use an external database.
JDBC – DSM uses Java Database Connectivity (JDBC) to access its database. This is true
for the external database as well as the embedded database.
Database – this is the external relational database the DSM uses for data storage
● Demo mode
database.name=dsm
database.directory=C\:\\Program Files\\Third Brigade\\Deep Security Manager\\
database.type=Embedded
These three parameters set DSM to use the embedded database stored in the following folder
structure:
When using the external database, this file contains the following parameters:
database.SqlServer.user=sa
database.name=DSM
database.directory=null\\
database.SqlServer.password=$1$55e98874c689f1dd4cf9b72ca619bf8c09eed5a234513c2dde541e
0d8803060cb305c873951f60f7035ca483d6ab94498dc84989823116dd342a55e8e9513c5659d8d83d9
a47506555a1e5c625be2815c913d52cbea784abdb4923d6e34e63ca4523d88c445d2432955ed8d6c9c9
6bf51dfbfe1ae0b3839ea81dd45e5905947e
database.SqlServer.instance=DSM
. . .
database.SqlServer.namedPipe=true
database.type=SqlServer
database.SqlServer.server=.
NOTE The sample above shows the properties file for a DSM that uses a Microsoft
SQL server. The only difference between the a dsm.properties file of a DSM using an
MS-SQL database and on using an Oracle database is substitution of all instances of
“sqlserver” with “Oracle. For example:
#Fri Aug 28 10:45:16 EDT 2009
database.Oracle.user=dsm_admin
manager.node=1
database.Oracle.server=bh‐oracle10g‐1
database.name=dsm
database.type=Oracle
database.Oracle.password=$1$5bdfd1787ae64e2c34a5927ae07541f887993d5ce4c3903e
d6d951c845a8509c8e1e92da196b59daa81c263da6cdb41228a5510d4d5ee7bf1fbd4ec66845
1200
mode.demo=false
Compared with the properties file for an embedded database, this file contains
additional parameters, namely:
SqlServer.user – this is the user account that DSM uses to access its database. For MS-
SQL databases, the “sa” account is used by default. For Oracle-based databases, this
is the user account used to create the DSM schema.
SqlServer.password – this is the password that DSM uses to access its database.
Tip To change the password, simply enter the new password in this parameter
in plain text. DSM will automatically hash the password when it starts, thereby
protecting the password
Tip Use named pipes only if the database is installed on the DSM server.
#Fri Aug 28 10:45:16 EDT 2009
database.Oracle.user=dsm_admin
manager.node=1
database.Oracle.server=bh‐oracle10g‐1
database.name=dsm
database.type=Oracle
database.Oracle.password=$1$5bdfd1787ae64e2c34a5927ae07541f887993d5ce4c3903ed6d951c
845a8509c8e1e92da196b59daa81c263da6cdb41228a5510d4d5ee7bf1fbd4ec668451200
mode.demo=false
Fail
No
Yes
Is Yes
the password End
encrypted?
No
Encrypt
password
Database communication
DSM supports the use of both local and remote databases. The choice of location affects the
choice of Transport options shown below.
For local databases, administrators can use either TCP or Named Pipes. For remote databases,
only TCP is recommended.
By default, database communication is not encrypted. However, if DSM uses a remote database,
and the SQL server is protected by a DSA, the contents of DPI rules may cause false alarms
when the DSM saves these rules to its database.
The following workarounds are available to avoid this condition:
Option 1: Create a bypass firewall rule for traffic between the database and DSM servers. In
this scenario, a static IP address for the DSM would be preferred.
Option 2: Enable encryption for the database channel. To accomplish this, add the
following line to the dsm.properties file:
For MS SQL
database.SqlServer.ssl=require
For Oracle
database.Oracle.oracle.net.encryption_types_client=(3DES168)
database.Oracle.oracle.net.encryption_client=REQUIRED
database.Oracle.oracle.net.crypto_checksum_types_client=(MD5)
database.Oracle.oracle.net.crypto_checksum_client=REQUIRED
MD5 IN ORACLE
Although Trend Micro sought to eliminate use of MD5 in Deep Security, as of writing, this
was reportedly the only algorithm that Oracle supported for encrypted traffic.
M
Multi-node operation
Deep Security allows administrators to link multiple managers into a single multi-node
installation, thus allowing DSAs to failover to alternative DSMs whenever one node. This is
NOTE Administrators should not go beyond three DSM nodes. Larger numbers have
reportedly resulted in performance penalties.
NOTE The order in which DSM URLs appear on the list above have no bearing on the
order in which the DSA connects to them.
The sample above shows a DSA with three DSM options. These URLs have been
obfuscated for security purposes.
The DSA randomizes the DSM list with each heartbeat, thereby constantly changing the DSM to
which it connects. This is designed to spread a particular DSA’s communication load across the
different nodes.
Consider the following log trace taken from a DSA in a two-node DSM network. This DSA does
not receive any configuration updates during the course of this test, so all communication is
based entirely on the heartbeat cycle. For security purposes, the hostname and IP address of the
test machines involved have been obfuscated.
As shown here, the IP address of one DSM ends with the octet “153”, while the other ends with
“150”. The DSM randomization algorithm switches the DSA between DSMs in an irregular
fashion. Connections are generally expected to even out amongst the different node by the 3rd or
4th heartbeat to each node. In this example, connections evened out by the 4 connection to each
node. Here the process took 70 minutes. This interval, however, will vary.
If the chosen DSM is not available at the time of the connection attempt, the DSA will
automatically switch to the next DSM on its list for that attempt. This is illustrated below.
DSM
database
Deep
Security
Agent
In multi-node arrangements of 3 or more DSMs, it is not actually feasible to predict which of the
alternative DSMs the DSA will choose as its secondary DSM. Logs will only show the DSM to
which it successfully connected.
Demo mode
When the Administrator uses the Demo mode option, DSM generates 7-days of fictitious data in
its database which it then keeps current. This mode is not meant to be used on a production
server.
A DSM in demo mode has the following parameter in dsm.properties set as shown
mode.demo=true
. . . Deep Security Manager\dsm\seg0
To manually backup the database, copy the contents of the seg0, log, and tmp folders.
4. What is a DSA?
d) Oracle Express
e) MS SQL Express
f) Apache Derby
g) MySQL
h) RPC
i) Named pipes
j) TCP
k) SOAP
a) dsm.properties
b) logging.properties
c) credentials.properties
Chapter 3: Installation
Chapter Objectives
After completing this chapter, you should be able to:
● Understand how to install the Deep Security manager
● Understand how to install the Deep Security agent
Component Requirement
Memory 8 GB (Recommended)
Linux:
Red Hat Enterprise Linux 6 (64-bit)
Red Hat Enterprise Linux 5 (64-bit)
Disk Space 20 GB
Important: Deep Security uses the VMware VMsafe-Net API to intercept network traffic at the
hypervisor. The VMsafe API is not available in the free version of ESXi.
3.3.1 Installers
There are currently three types of installers for the Deep Security Manager. These are shown
below.
64-bit installers are available for Windows and RedHat Linux distributions. The 32-bit installer is
only available for Windows.
<Install path>\Deep Security Manager
<Install path>/dsm
Unlike other Trend Micro installation logs, the Deep Security installation log is more of an after-
installation report, rather than an action-by-action account what the installer does. For
information about installation logs see Appendix A: Deep dive information > Chapter 3:
Installation.
GUI requirements
This consideration affects Linux-based DSM installations rather than Windows-based
environments. By default, the DSM installer for Linux looks for the X Windows interface. If
your run the the installer either on a Linux machine with the Graphical User Interface disabled,
or via an SSH client that cannot display the GUI, then the following error will appear
In these environments, you must prepare a properties file that contains the responses to the
installation wizard expects, and use it with the following command:
<installer>.sh ‐q ‐console ‐varfile <PropertiesFile>
Deep Security Agents that apply Anti-Malware protection can send details about the malware
that they find on their host systems, to Trend Micro to aid in the development of security
solutions and updates.
Administrators can configure participation during installation, and modify their selections
afterwards from within the DSM console.
Database selection
As discussed in Chapter 1, the embedded Derby database was not meant to be used in
production environments and should only be used for evaluation. The Derby database can only
accommodate 50 DSAs or less.
Production environments require either an MS SQL or Oracle database.
Database location
The DSM must be able to maintain a database PING time of less than 2 million nanoseconds.
Any figure higher than this can cause unpredictable problems. The DSM System Information
screen provides information about that connection speed with the database.
For this reason, the DSM must be co-located on the same network as its database, ideally with a
1GB LAN connection. Connections over WAN are discouraged.
Database communication
By default, DSM-to-database communication is not encrypted. When the DSM and its database
are installed on the same host, or when the connection is via a dedicated switch or crossover
cable, this should not be an issue.
However, in other remote database scenarios, this lack of encryption means that database
communication is vulnerable to snooping. In these instances, enablement of encryption
functionality is recommended.
Oracle and MS SQL require their own procedures. Both are shown below. In both instances, the
DSM service must be stopped and then re-started to take effect.
database.SqlServer.ssl=require
database.Oracle.oracle.net.encryption_types_client=(3DES168)
database.Oracle.oracle.net.encryption_client=REQUIRED
database.Oracle.oracle.net.crypto_checksum_types_client=(MD5)
database.Oracle.oracle.net.crypto_checksum_client=REQUIRED
Database growth
The following table shows the amount of database space that a DSM typically requires in the
indicated states.
Number of nodes = Number of devices / 50,000 + 1
Based on actual field experience, administrators should not go beyond three nodes. Going
beyond this recommended limit will result in system instability.
Required ports
When deploying Deep Security in a highly segmented network environment, with multiple
internal gateways and corresponding firewalls, knowledge about the various ports that Deep
Security uses will be useful for preventing unintended functionality disruptions. The relevant
ports, and their directions, are shown below.
HTTPS: 443, HTTP: 80
4118
Deep Security Relay
Deep Security Manager
4122
4120
4119
4118
Browser Deep Security Agent
ActiveUpdate
MSSQL: 1433
Product registration
(olr.trendmicro.com)
80 4122
Oracle: 1521
License information
Trend Micro Database
Virtual
environments 4120
4118
Deep Security Virtual appliance
443
443
443
4119
VMware vCenter Vmware vShield Manager
Network
services 25
UDP: 514
SMTP server Syslog / SIEM
53
Non SSL: 389
DNS server
UDP: 162
SSL: 636
LDAP server SNMP server
The upper part of the diagram shows the interaction between Deep Security components, which
consist of the following:
Deep Security Relay (DSR) – all members of a Deep Security 8.0 network get their
components from Deep Security Relays. This is true for agents/appliances as well as the
DSM. To download updates, DSAs and DSVAs must connect to the relay at port 4122.
The DSM downloads updates over port 4118 using the protocol used for downloading
diagnostic packages. DSRs can either connect to the update server via HTTPS (port
443) or HTTP (port 80).
Trend Micro servers – if the DSM supports legacy version 7.5 DSVAs, then it will
continue to connect to the Trend Micro ActiveUpdate site on port 80. It also uses this
port for license verification
Browser – the management console is accessible via Web browsers connecting to the
manager Web server at port 4119
Deep Security Agent – the manager listens for traffic from the agent at port 4120, while
the latter listens for instructions from the manager at port 4118
Database – the manager can use either a Microsoft SQL or Oracle database. TCP
communication these databases go over ports 1433 or 1521 respectively.
When providing protection for virtualized environments, the following components require the
following ports for the indicated purposes:
Deep Security Virtual Appliance – like physical agents, the DSVA communicates with the
DSM on port 4120, listens for manager traffic on port 4118. and downloads update
components at port 4119. It also sends Anti-Malware functionality status information to
the vShield Manager
VMware vCenter Server – the manager retrieves virtual environment information from the
Center server over port 443, and downloads the filter driver from the DSM at port 4119
VMware vShield Manager – the manager communicates with the vShield Manager to
register itself with the VMware Endpoint Security (EPSec) infrastructure.
The DSM can also interface with the following network services:
SMTP server – this is used to send email notification, and listens for SMTP message at port
25
DNS server – the DSM queries the DNS server for host name lookups at port 53
LDAP server – the manager retrieves LDAP information for user, contact information and
to obtain a list of computers on the network. It can use both non-SSL and SSL-based
communication methods, which use ports 389 and 636 respectively.
Syslog/SIEM – the manager can send event information to Syslog servers and similar
Security Information and Event Management (SIEM) systems. By default it sends these
UDP-based messages over port 514
SNMP server – UDP-based notifications to SNMP servers are sent over port 162
Various Microsoft • By default, DSA files are written to: <install path>\Program
Windows versions Files\Trend Micro\Deep Security Manager
• Register service and driver with Windows Service Control for
service start/stop functionality respectively
• Addition to the Add/Remove programs list
3.4.1 Installers
Deep Security agents can be installed on a variety of operating system platforms. Each, therefore,
will require their own installation methods. The different installers are discussed in the following
sections:
● Agents for Microsoft Windows
● Agents for Red Hat and SuSE Linux
NOTE Deep Security does not have its own native client deployment mechanism.
Unlike the Intrusion Defense Firewall, which leverage the OfficeScan plug-in architecture,
Deep Security relies on third-party software distribution solutions, e.g., Active Directory,
for large scale deployments. Agent upgrades, however, can be performed from the DSM
console.
The DSA MSI installation package can be deployed via Active Directory as a GPO.
Tip One method for enabling MSI debug functionality can be found in the following
MSDN article: http://support.microsoft.com/kb/223300
The log that is generated can be found in:
. . .\Documents and Settings\<user folder>\Local Settings\Temp
In addition to the regular DSA installation package, version 8.0 now includes installation
packages for the Deep Security Relay.
All installers utilize the Red Hat Package Manager format, and therefore can be installed using
standard RPM commands.
Various Microsoft • By default, DSA files are written to: <install path>\Program
Windows versions Files\Trend Micro\Deep Security agent
• Register service and driver with Windows Service Control for
service start/stop and load/unload functionality respectively
• Addition to the Add/Remove programs list
Once computers are added to the Computer list, the DSM determines if an agent is installed on
these machines and identifies the ones that have agents, and those that do not.
In addition to activation from the DSM, administrators can also initiate activation from the DSA
host via the agent’s command line interface. The following commands activates the agent
dsa_control /a dsm://<host or IP>:<port>/
or
dsa_control –‐activate dsm://<host or IP>:<port>/
For the command line option to work, the DSM must be set to accept agent-initiated activations.
The control for this functionality is shown below.
Administrators have extensive control over which DSAs are able to initiate their own activations.
Be it based on name or IP address. Self-activated DSAs can even be automatically assigned a pre-
determined Security Profile to ensure at least a minimum level of protection.
To avoid duplication of DSA records on the DSM, the DSM can control Computer list record
creation in the event of duplicate names. In previous versions, the DSM would perform a reverse
DNS lookup for the hostname. Starting in version 6.0, however, the DSM relied on the DSA to
provide its own hostname.
NOTE When the DSA provides it’s own name, it uses its host’s FQDN.
Tip The term “update” and “upgrade” are not interchangeable in Deep Security
terminology. An update refers to a configuration change. An upgrade, on the other
hand, refers to the replacement of software with newer version.
Remote upgrades via the console, however, are only supported for DSA versions 5.2, Update 4
or newer. Older versions must be updated manually. The following table presents manual
upgrade procedures for the indicated platforms.
Platform Procedure
Windows Copy the MSI file to the target computer and run it. The MSI will
detect the previous package and upgrade it.
Linux distributions Copy the RPM to the target computer, and run the following
command:
rpm –U <installation file>
The “-U” parameter instructs that installer to perform an upgrade
a) MSI
b) RPM
c) EXE
d) TAR
a) True
b) False
a) Yes
b) No
a) MS SQL
b) Oracle
c) Apache Derby
Populating this tree, and seeing to it that it correctly reflects that composition of the network is a
critical security task. This section focuses on how this functionality works and discusses DSM
features designed to facilitate collection of this information, and is divided into the following
sub-sections
● Detection methods
● Hosts from VMware
● Hosts from LDAP/X.500 directories
● Scheduling discovery and synchronization
NOTE Unlike Trend Micro Intrusion Defense Firewall -- an OfficeScan plug-in based on
Deep Security -- Deep Security Agents cannot be deployed using this tree. In fact, Deep
Security does not have client deployment functionality and requires third-party
deployment tools.
Networks where both physical and virtual machines are listed in Active
Directory will require careful handling. For information see Appendix A: “Deep
dive” information > Chapter 4: Detecting Hosts > Hosts in vCenter and Active
Host #1 Computer #1
Host #2 Computer #2
Host #3 Computer #3
After the initial data retrieval, DSM needs to periodically synchronize its host information with
the information in the directory to keep its information up-to-date.
Add
LDAP
Directory
server
Wizard
Depending on the communication needs of the directory, the wizard can send its query as a clear
text query at port 389, as a secure SSL or TLS connection at port 636.
IMPORT
The import operation copies a list of computers from a pre-selected domain on an LDAP server
– hereinafter referred to as a “directory”. The import operation also collects connection and
LDAP query information, thereby facilitating updates of the list during the synchronization
process, which is discussed separately.
Hosts are imported by way of the Add Directory Wizard. The wizard is found in
directorywizard.jsp and DirectoryWizardBean.java, and is invoked when administrators click the
following button.
The following flowchart shows the phases involved in the initial import of hosts from a
directory.
Verify
Establish
Select administrator’s Import Display
connection with
directory information information summary
directory
schema selection
Here the administrator is asked to specify the address of the directory, communication port, and
the access method. Depending on the access method, logon credentials may be required.
Upon clicking Next, the wizard attempts to connect to the directory using the information
provided. If this fails, the wizard does not move to the next step.
If a connection is established, the process of building the directory tree, under Hosts, begins. It
starts with the creation of a HostGroup object like the one shown below.
HostGroup
objects
As shown the name of the directory host group object is Directory – 10.2.34.12. Subsequent steps
in the wizard use this object as the root node for retrieving host information from the directory.
Once retrieved, these hosts will appear on the management console as child objects of this host
group.
The information supplied here is used to perform an LDAP query, designed retrieve a single
host record using the information supplied above. This is a test to determine if the information
entered is correct. If this fails, then the process ends in an error, and the wizard does not
proceed.
Administrators provide the following information here:
Naming context – this defines the location, or LDAP path of the domain, in the directory
from which hosts are retrieved. A sample is shown below:
dc=test,dc=gtc
This sample above would map to the following Active Directory forest
When information from the root node, obtained in the previous step, contains multiple
contexts, these are presented in a drop-down menu. Alternatively, if there is no context
information in the root node, the drop-down is replaced by a blank field that allows the
administrator to manually enter distinguished name (DN) information.
NOTE In Active Directory, there is only one naming context per forest.
(http://technet.microsoft.com/en-us/library/aa998469(EXCHG.65).aspx)
Directory type – the wizard presents the choice of “Microsoft Active Directory” or
“Other/Unknown”. By default, the wizard checks if the Directory is based on Active
Directory by looking for Microsoft-specific Object IDs (OID) in the supportControl
attribute of the root node. If this attribute, which was retrieved in the previous step,
begins with “1.2.840.113556”, then the wizard assumes that the Directory is an Active
Directory server.
Search filter – the filter restricts the LDAP query to hosts (computers and domain
controllers) and leaves out other objects in the directory (e.g. users, network devices,
etc.). For this filter to work, the object class that corresponds to hosts must be specified.
When connecting to Active Directory, the filter defaults to “objectClass=computer”.
Other directories use different conventions, ApacheDS for example requires the filter
“objectClass=device”. When the directory type is “Other/Unknown”, the filter field
becomes editable, thereby allowing the administrator to define the filter.
HostName attribute – this tells the wizard the three attributes that the wizard needs to
look for to obtain the name of the host. The default syntax, which is optimized for
Active Directory, is as follows:
Windows NT / host name
dNSHostName;name;cn
Common name
For other directories, the wizard field for this attribute will be editable, and the
administrator must enter the appropriate value. This string indicates the order in which
these attributes are checked, and the first non-null value that the wizard encounters is
used as the host name. However, all attributes specified here must be present. See
below.
Host description attribute – this is an optional field that administrators can use to retrieve
host description information from the directory. It has no default value and the
corresponding wizard field is editable for all directory types.
When the “Next” button on the wizard is clicked the single-host LDAP query is sent to the
directory. The following flowchart shows how the query proceeds.
As mentioned earlier Naming context defines the location in the directory that serves as the top
of the search tree, while the Search filter specified the object to retrieve.
For this test, the directory is free to return any object that matches the criteria. The wizard then
cycles through the three hostname attributes and verifies if the host information contains all
three attributes. If any of these attributes are not found, the wizard stops. Otherwise the wizard
proceeds to bulk importation of host data.
The illustration above maps directory objects with their corresponding objects in DSM, and
presents the following noteworthy points:
● As discussed earlier, the root node of the directory is represented by a Host Group Object
named Directory – 10.2.34.12.
● The Naming Context, dc=test, dc=gtc has been deconstructed, with Host Group objects
assigned to each context component.
● Host objects, namely computers and domain controllers, are imported under the second
naming context group object
The importation process creates records in the following tables of the DSM database.
Both tables contain information about each other’s primary keys, thereby allowing DSM to
determine their hierarchical relationship between directories and the host groups within, when
generating the Hosts tree.
NOTE Host groups that are not associated with directories will have “0” in their
DirectoryID fields.
The actual process of recreating the hierarchy can be broken down into the following four steps:
● Step one: Import LDAP objects
● Step two: Split into component RDNs
● Step three: Reconstruct directory structure in memory
● Step four: Add information to DSM database
NOTE Whenever practical, Wireshark packet sniffer logs will be used to illustrate the
different actions performed in this step.
655 29.310645 10.2.34.113 10.2.34.12 LDAP searchRequest(2)
"DC=test,DC=gtc" wholeSubtree
The sample above clearly shows the Naming Context “DC=test,DC=gtc”. In the sample
directory used to generate the Wireshark logs shown here, this node contained the following
LDAP objects:
Domain controllers
Computers
The following Wireshark log entries show the directory returning all four objects in response to
the query.
663 29.730917 10.2.34.12 10.2.34.113 LDAP searchResEntry(2)
"CN=US‐CALVINMAN10,OU=Domain Controllers,DC=test,DC=gtc"
664 29.730940 10.2.34.12 10.2.34.113 LDAP searchResEntry(2)
"CN=US‐CALVINMAN4,CN=Computers,DC=test,DC=gtc"
666 29.731437 10.2.34.12 10.2.34.113 LDAP searchResEntry(2)
"CN=us‐calvinman,CN=Computers,DC=test,DC=gtc"
667 29.731474 10.2.34.12 10.2.34.113 LDAP searchResEntry(2)
"CN=US‐CALVINMAN11,CN=Computers,DC=test,DC=gtc"
Since the LDAP query returns object information with no regard to their hierarchal relations, it
creates a “flat list” from which DSM needs to re-assemble into its correct structure. This is done
in the next step.
CN=US‐CALVINMAN4,CN=Computers,DC=test,DC=gtc
The individual RDNs form an ordered list of structured components. With RDNs, from left to
right, defining the hierarchy where the entity itself – identified by the last, left-most, RDN –
resides. This information is mapped to the final directory representation under Hosts as follows:
DC=gtc
DC=test
CN=Computers
CN=US-CALVINMAN4
Once deconstructed, the RDNs for the individual hosts are used to create the hierarchy shown
above. Note that the last RDN is actually the root node of the Naming Context.
Create Host
Group Objects
based on last 3
RDNs
No
No
Split DN into Create Host
Do last 3 RDNs
individual Read RDN Object based More RDNs? Next step
already exist?
RDNs on first RDN
Yes Yes
Re-use existing
Host Group
Objects
Others – Other Host fields are initialized with reasonable defaults, not specific to the
Directory
SYNCHRONIZE
Administrators have two options for synchronizing DSM host information with corresponding
information on LDAP servers:
Manual – this allows administrators to synchronize directory information on-demand. The
control for this is shown below.
Scheduled task – this sets DSM to synchronize information regularly, without operator
intervention. As shown below, this option is actually presented as an option during the
directory addition process.
Regardless of how the synchronization function is triggered, the underlying process for
accomplishing the task remains the same. This process can be broken down into the following
three phases:
Phase 3:
Phase 1: Phase 2:
Begin
Compare host End
synchronization Create host Access
list with
lists directory
directory
These phases collect information required to detect disparities in the Host information
permitting DSM to correct the inconsistencies.
In this phase, DSM functions access the directory to retrieve an updated list of computers in its
hierarchy. The retrieval process itself identical to the import process used to add the directory to
DSM.
As with the importation process, logon credentials may be required to access the directory
information.
for each host in DSM
for each host in the Directory
if uniqueIDs match
Hosts match
else if DNs match
Hosts match
else
Hosts do not match
As shown above, DSM host records can be matched with directory records either based on
object GUIDs or with their distinguished names (DN).
NOTE All Active Directory objects have GUIDs. Other LDAP servers, however, do not.
This is why DNs are used as an alternative identifier.
The disadvantage of using DNs is that they change if the host is moved around within
the directory hierarchy, or when they are renamed. For this reason, those two operations
cannot be tracked and will result in new host records and deletion of previous ones.
If a host is found in all three lists the follow fields in the DSA host table (dbo.hosts) are
compared with the information retrieved from the directory.
Delete host
record
Verify agent Is
Begin
state in DSA present or End
analysis
database activated?
Set
Delete
DirectorySynch
DirectoryID
State to “not
information
found”
If the host does not have an activated agent, then it is deleted. However, if the host has an
activated agent, then the host record is retained but its existing directory association information
is removed. Hosts in this state require manual processing discussed in the Cleanup operation.
NOTE Hosts that are matched with their directory counterparts using DN information
instead of object IDs, as would be the case in non-Active Directory LDAP servers, can
experience the non-deletion scenario described above.
CLEANUP
The Cleanup function allows administrators to edit hosts that were orphaned by the dissolution
of the hierarchical relationship with its directory HostGroup object. This can happen with non-
Active Directory LDAP servers where variable DN information is used to map directory objects
with DSM host objects instead of object GUIDs.
If a computer object is renamed or moved on the LDAP server, its DN changes and DSM will
no longer be able to associate this computer with its original host object. As a result, DSM will
create a new record for the renamed computer, and the original record will be given a
DirectorySynchState of “not found” and will require administrator intervention to either: delete
the host, or rename it.
NOTE ”Orphaned”, but activated, DSAs will still retain whatever profiles were assigned
to them to before they were orphaned.
REMOVE
The Remove operation deletes the directory HostGroup from the DSM database. What is done
to the Hosts and HostGroups in the deleted directory HostGroup, however, depend on the
Administrator’s selection in the screen below.
NOTE The synchronization task is automatically deleted from the database because of
a foreignKey relationship between the task and the directory HostGroup object.
generate a list of all HostGroup IDs under the top level HostGroup object
generate a list of all Hosts belonging to these groups
for each host in the host list
delete the host
for each group in the group list
delete the group
delete all Directory objects associated with top level HostGroup
This option preserves the relationship between the HostGroups and hosts contained in the
original directory. The HostGroups then appear directly under Hosts in the Hosts tree.
To accomplish this, records for each Host and HostGroup are updated. The pseudo code for
this action is shown below:
generate a list of all HostGroup IDs under the top level HostGroup object.
generate a list of all Hosts belonging to these groups.
for each host in the host list
set the DirectoryDN to “”
for each group in the group list
set the DirectoryID to 0
delete all ScheduledTask objects associated with top level HostGroup
delete all Directory objects associated with top level HostGroup
generate a list of all HostGroup IDs under the top level HostGroup object.
generate a list of all Hosts belonging to these groups.
for each host in the host list
set the DirectoryDN to “”
set the HostGroup to the top‐level group
for each group in the group list (except the top level)
delete the group
set the DirectoryID in the top level group to 0
delete all ScheduledTask objects associated with top level HostGroup
delete all Directory objects associated with top level HostGroup
This opens the following screen, which allows administrators to specify the Center Server.
NOTE Starting with version 7, Deep Security will only interact with WMware Center
Server, and not with ESX server directly. This ensures that Deep Security always leverage
Center Server management functionality.
a) Novell eDirectory
b) Apache DS
c) Microsoft Active Directory
d) Open LDAP
2. Which of the following is are supported as a means of adding a host to Computers list?
3. If a computer is deleted from Active Directory, it will ALWAYS be deleted from the DSM
Computer list
a) True
b) False
Chapter 5: Applying a
security plan
Chapter Objectives
After completing this chapter, you should be able to:
● Understand the role, and limitations of profiles
● Understand the value of Recommendation scanning
● Understand how to use component lists
This tree contains the settings the can be associated with specific profiles. With the exception of
a few minor differences, these are also the same settings that can be assigned to each DSA.
NOTE Anti-malware settings can be specified for all profiles. However in this version,
they only work if the profile is applied to a Deep Security Virtual Appliance.
Global settings
Profile settings
Host settings
Profiles take precedence over global settings. But host-level settings take precedence over all
others.
A new feature added in version 7.0 allows administrators to view host-level overrides that a
specific DSA may have. The console screen for this is shown below.
At the Computer list screen, DSAs with overrides standout because their profile names are
shown in bold, as shown below.
DSA-specific rules can also be distinguished from profile-assigned rules at the rule list screen.
Profile rules are grayed out, while rules directly assigned to the DSA are clickable.
NOTE A firewall “allow” will automatically block any traffic that does not satisfy the
allow rule. This is called an “implicit denial”.
Port 1
Port 2
Port 3
Port 4
Port 5
Port 6
Port 7
Deep Security ... Computer
Manager Port X
The DSM checks for open ports by initiating connections with them. If a connection is
established, then the port is identified as open.
Consider the following Wireshark screen capture:
In the example above, the DSM is connecting to a target machine at port 81. Note that unlike
other forms of reconnaissance scanning, it simply uses a TCP packet with the SYN flag enabled.
NOTE The DSM automatically adds its own IP address in the “Ignore reconnaissance” IP
list so that Port scans do not generate reconnaissance scan alerts.
Ports to scan
By default, DSMs scan ports “1” to “1024”. However, as shown below, administrators can use
port lists to scan alternative ports, such as those associated with specific applications or threats.
Consider the following list for ports that are used/exploited by the Back Orifice remote
administration system.
The required ports are well beyond port 1024, and therefore would not be detected in a regular
scan. Port scanning using this port list allows the administrator to diagnose a computer’s
susceptibility to being taken over by this tool.
To prevent the DSM from monopolizing socket resources on its host, it only scans 3 ports at a
time. The resulting sliding-three is shown below.
Port 1
If port “1” is completed
while ports “147” and “2” Port 147 First three ports in job queue
are still in process, Port 2
scanning for port “293”
begins Port 293
Port 148
...
Port X
Scan results
Port scan results are displayed on the target computers details screen, particularly in the Port
Scan section as shown below.
On the DSM database, this information is stored the hostscanports table, as shown below.
Note each time that a machine’s ports are scanned, the scan event is assigned a HostScanID.
Administrators can study the circumstances behind the scan event by looking for the relevant
HostScanID in the hostscans table, which will show all the ports scanned in the event, as shown
below.
Scan triggers
Administrators can initiate port scans in two locations on the DSM console:
● Computers list
● Computer details
COMPUTERS LIST
The screen capture below highlights the Port scan button on the computers list. Initiating the
scan here facilitates analysis of multiple hosts at the same time.
COMPUTER DETAILS
When analyzing or troubleshooting a specific computer, Administrators can choose to initiate
the scan where port scan results are displayed – at Computer details. The specific location is
shown below.
Note that this is found in the Firewall screen of the Computer details screen only. The global and
Profile Firewall screens will not have this option.
● Recommendation basics
● Scan triggers
● Assigning DPI rules
Recommendation basics
The objective of a recommendation scan is to provide the administrator with a snapshot of
existing vulnerabilities on a host, and a selection of actions that can be taken to address these
vulnerabilities. This eliminates much of the guesswork involved in configuring security.
The following diagram presents a very high-level overview of what happens during a
recommendation scan.
Deep Deep
Security Security
Manager Agent
Collect host
metadata
Return host information
Identify
recommendations
that apply to host
Rule configurations
This sample is based on an on-demand scan, which is triggered with the following management
console control.
Scans can also be triggered by the following events, which are discussed in greater detail in the
Scan trigger section:
Scheduled recommendation scan
The result of the most recent recommendation scan require follow up scans
Important: Steps 1 and 2 of the process can actually occur numerous times in a
recommendation scan. Depending on the result of the scan, the DSM can send “follow-up”
queries to obtain information about system areas whose existence had been confirmed by the
previous recommendation scan.
While the way the scan begins is different, the manners in which they are carried out are mostly
the same.
As shown in the diagram, a recommendation scan can be divided into the following steps:
● Step 1: Query host information
● Step 2: Collect host metadata
● Step 3: Return host information
● Step 4: Identify recommendations that apply to the host
● Step 5: Filter configurations
100 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
As shown above, the console presents the administrator with a variety of filters to manage how
rules are displayed. To facilitate deployment of unapplied rules, administrators can use the Show
Recommended by Not Assigned filter.
The final act of applying these recommendations is not actually part of the Recommendation
scan process. This will be discussed in the next section.
Scan trigger
Recommendation scans are triggered by the following events.
On demand scan
Scheduled or automated recommendation scans
Follow up scans as part of recommendation scanning
As already shown in previous paragraphs, Administrators manually initiate Recommendation
scans by selecting the appropriate DSA from the Computer list and then either clicking the
following button:
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 101
Trend Micro Deep Security Support Track
Or by right clicking the DSA entry and selecting the appropriate action as shown below.
Recommendation scans can also be set to run as a scheduled task. This can be set as a global
setting, or at the DSA and profile level. The control below shows the scan control for profiles
and DSAs.
Scans that are triggered by other scans can be likened to two workers who are figuring out what
tools are needed for a job. Consider the following:
Worker Worker
A B
What are we working on?
A screw
A Philips head
102 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Rules assigned this way override both global and profile-level settings. Maintaining these rules
therefore may become tedious and may eventually require use of the Override function at the
profile.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 103
Trend Micro Deep Security Support Track
Directory
File
File
extension
IP list
MAC Lists
Port list
Rule
context
Schedule
NOTE Application types are themselves used as a kind of component list for Deep
Packet Inspection Rules.
The first three lists are used mainly for anti-malware scanning configuration. They can be used to
restrict scanning to specific files or folders, as shown below.
104 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
To illustrate how non-anti-malware related lists are used, test lists named Trend Test List were
created for each type of component list, and then used in a number of test rules. The following
fictitious firewall rule called AA Trend Test Firewall uses lists in the packet source, schedule, and
rule context fields.
As shown above, the IP, MAC, and Port lists can be used to define packet source and
destination. The Schedule and Rule Context lists can be used in the Options tab of a custom
rule.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 105
Trend Micro Deep Security Support Track
The Port list, as shown below, can be used to form the basis of Port scanning functionality.
Port lists can also be used as a parameter for Application Types as shown below.
Both the Off Domain and Remote Domain VPN contexts use the DSA host’s domain controller
as their reference servers. This behavior is specified using the control shown below.
106 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The Interface Isolation option refers to network interfaces that are affected by the Interface
Isolation feature, shown below.
This feature forces the DSA host to use only one network interface, thereby facilitating
protection. This is particularly useful for laptops that have wireless functionality as well as a
network connection.
A context that uses the Interface Isolation option will apply to interfaces that have been disabled.
This is useful for Allow and Force Allow rules.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 107
Trend Micro Deep Security Support Track
Anti-Malware
setting
NOTE In other Trend Micro products, scan types and configuration are inseparable.
This design gives administrators the ability to define multiple scan configurations that can be
assigned to the different scan types as warranted.
By default, Deep Security includes the following scan configurations.
Important: Scan types can accept any scan configuration. The names assigned to the default
scan configurations are, therefore, merely suggestions.
Important: Scan exclusions create potential security gaps and must be created with care.
108 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
To better enable system administrators to select files and folders for exclusion, this section is
divided into the following sub-sections:
● Guiding principles
● Specific recommendations
Guiding principles
System areas that are prime candidates for exclusion are those folders and/or files that accessed
very frequently during the normal course of operation. Log and database files, for example, are
samples of these system areas.
Files that are already protected by other security products, for example mailbox files of email
systems that are already protected by products like Trend Micro ScanMail, can also be excluded
from scanning.
Scan exclusions need not apply to all types of scanning. Administrators can choose to exclude
files from real-time scanning simply to avoid performance issues, but then configure scheduled
scans that inspect these files, during off-peak hours.
Specific recommendations
The following table presents suggested entries for scanning exclusion lists. Only commonly
excluded files and folders are presented here. Ultimately, administrators must determine what
systems are present in the VMs that Deep Security is protecting, and apply scanning exclusions
based on the principles laid out in the previous section.
Important: The Best Practices Guide for Deep Security, maintained by the technical support
organization, offers a more extensive, constantly updated, list of suggested exclusions. The
list below is merely an example of what areas are excluded.
Mapped drives / Real-time scanning in DS 7.5 can scan mapped drives and shared folders
shared folders that are accessed. This may cause additional network traffic during
these events. Consider excluding these shared resources if they already
protected by other anti-malware products (e.g., OfficeScan, etc.)
Microsoft IIS Web server log files change very frequently, and are therefore often
candidates for exclusion. By default, these logs are found in the
following location:
<drive>:\WINNT\system32\LogFiles
<drive>:\WINNT\\system32\IIS Temporary Compressed files
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 109
Trend Micro Deep Security Support Track
Exchange Server partition, where it stores its mailbox. Use anti-malware applications like
Trend Micro ScanMail for Exchange to protect against malware in email.
Installable File System (IFS) drive M must also be excluded to prevent
the corruption of the Exchange Information Store
Key folders per version
110 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
a) Firewall
b) Deep Packet Inspection
c) Integrity Monitoring
d) Log Inspection
e) All of the above
2. Can administrators specify the ports that are scanned as part of a port scan?
a) Yes
b) No
a) On demand scan
b) Scheduled scan
c) Follow up scan requested as part of the recommendation scan
d) All of the above
a) Web server
b) DSM
c) Domain controller
d) A specific IP address
a) Firewall
b) Deep Packet Inspection
c) Application types
d) Port scan
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 111
Trend Micro Deep Security Support Track
112 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Prohibited
Prohibited
Allowed
The unavoidable presence of a door means that there will always be a way for unauthorized
individuals to enter. Therefore if the security features of the door prove insufficient, an inventory
of assets will at least identify whatever is stolen or damaged, thereby facilitating post-mortem,
forensic, and recovery efforts.
That, in a nutshell, is the kind of protection that Deep Security provides to the computers it
protects. It features:
● A firewall to block unauthorized traffic
● Packet inspection to ensure that traffic that is allowed does not contain malicious content
● Log inspection and Integrity Monitoring functionality to detect successful intrusions
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 113
Trend Micro Deep Security Support Track
Wall
Prevent unauthorized
access to the room
Equipment inventory
Items that should be in
the room
Door
Controls who can enter
the room
Visitor guestbook
Records visitors and
their purpose
The four control elements shown above work together to secure the office. Deep Security
protects computers much the same way.
The four elements shown above can be mapped to four Deep Security features shown in the
table below:
Each feature is explained extensively in their respective sections. But here are their functions in
brief:
Firewall – this defines what types of traffic, to and from, the protected machine are allowed
or denied. Rules can be applied based on a combination of protocol, port, direction,
interface, and host identification triggers.
Deep packet inspection – this performs analysis on traffic that is allowed actually allowed,
to prevent or detect attacks that are masquerading as legitimate traffic. This can address
traffic that may be designed to exploit a specific vulnerability on a host.
Integrity monitoring – this feature sets the DS agent to monitor pre-defined system areas
for changes. The DSA, however, does not distinguish between legitimate and malicious
changes.
Log inspection – this sets the DS agent to monitor certain system logs for potential
malware-related events.
114 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Deep security features can take one of three actions: allow, log rule violation, or prevent. The
following table shows the actions that the four features can take.
Traffic Traffic
Packet
analysis analysis
From From
network
Packet Application network
Packet Application
Traffic analysis takes place with both modes. However, Tap mode only performs analysis on a
copy of the incoming packet. Therefore it is not able block traffic. Only the inline mode provides
security functionality.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 115
Trend Micro Deep Security Support Track
DSA driver
Network Interface
Card
Once traffic is intercepted, the analysis that the driver performs upon it can be divided into the
following phases:
● Phase 1: Fragment analysis
● Phase 2: Packet analysis
Each phase will be discussed in their respective sections.
IP6 support in version 8 resulted in separate analysis tracks for IPv4 an IPv6 traffic. For the
most part, fragment analysis and reassembly work the same way. Differences will be highlighted
in the relevant sections below.
Reassembly
Fragment analysis &
Transition Firewall
(IP4)
(IP4)
DPI, Stateful
Protocol stack
configuration
Reassembly
Fragment analysis &
Transition
(IP6)
(IP6)
There is currently no firewall support for IP6, hence its absence from the IP6 track. DPI and
stateful configuration work the same way for both protocols so they share the same modules.
116 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Because IPv4 and IPv6 networks are expected to co-exist for an extended period, and IPv4
remains the dominant protocol, there will be a need for transition mechanisms that allow IPv6
traffic to go over IPv4 infrastructure. In this version, two mechanisms are supported:
6to4 – this transition mechanism that encapsulates IPv6 packets in IPv4 packets
Teredo – in this transition mechanism IPv6 packets are encapsulated in UDP/IPv4
datagrams
Both methods use encapsulation. To properly analyze traffic, the DSA driver must be able to
access the encapsulated data. For this reason, transition modules were added to the IPv4 and
IPv6 analysis tracks to remove the encapsulation. Additional details are available in the
Transition section below.
NOTE If the routers through which the packet passes do not fragment the packet, then
whole packets will be analyzed here.
No
Do packet-level
Intercept Begin
attributes match any block or
packet Phase 2
bypass rules?
Yes
Bypass rule
Which rules does Bypass DSA
the packet match? analysis
Block rule
Drop packet
The modules responsible for implementing the logic shown above are shown below.
Packet
analysis
From packet source Verification Micro filter Blacklist
(Phase 2)
The functions performed in each module are discussed in detail in their respective sections.
Verification
In this step, the driver verifies the validity of the packet. It makes sure that the packet is actually
suitable for analysis. Furthermore, attacks such as the following involve malformed packets that
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 117
Trend Micro Deep Security Support Track
can be detected by their deviation from protocol requirements, and can therefore be addressed
here:
● Tiny fragment
● Overlapping fragment
● Teardrop
● Ping-of-death (POD)
Tip For additional information about these attacks see Anatomy of an attack >
Performing the attack > Denial of Service on page 460.
SIZE
Invalid IP datagram length – Check to confirm that the length of the datagram is not less
than the length specified in the IP header.
First fragment too small – Check to confirm that the first fragment which contains most
of the header information is of a certain minimum size and is not less than the size of
the TCP packet.
Fragment out of bound – Check to confirm that the offset specified in the fragmented
packet is not outside the range of the maximum size of a datagram.
Fragment offset too small – Check to confirm that the offset specified in the datagram
packet sequence is not less than the size of a valid datagram.
HEADER CONDITION
Invalid IP header length - Check to confirm that the TCP header length is valid
No IP header – Check to confirm that the first 20 bytes containing the IP address is not
absent or corrupt.
Unreadable Ethernet header – Check to confirm that there is no Ethernet header which is
not readable.
Invalid TCP header length – Check to confirm that the TCP header length is valid
Unreadable protocol header – Check to confirm that the header is not unreadable.
Unreadable IPv4 header – Check to confirm that the IPV4 header is readable
Unknown IP version – Check to confirm that the packet is either IPv4 or IPv6.
The following non-mandatory checks are disabled by default, and can be enabled from the DSM
management console:
Null IP – Check to confirm that the IP header is not null (i.e., 0.0.0.0).
118 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Microfilter
Traffic bypass rules are enforced here. Such rules apply to known legitimate traffic that does not
require firewall or Deep Packet Inspection analysis.
Administrators designated analysis-exempt traffic by way of Bypass rules, such as the rule shown
below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 119
Trend Micro Deep Security Support Track
Blacklist
At this point, the driver evaluates the traffic to determine if it originates from IP addresses that
have been blacklisted. IP addresses are blacklisted through the Deep Security Reconnaissance scan
feature.
This feature, however, is only available for IPv4 traffic. Blacklisting is not support in IPv6.
Tip For additional information about malicious reconnaissance scans, see Anatomy of
an attack > Performing the attack > Finding a point of entry on page _____.
The DSM management console screen that corresponds to this feature is shown below.
When the Block Traffic option is set to “Yes”, the Blacklist module is responsible for dropping
the packet.
Reassemble No No
DPI / SSL / To
fragments to Firewall rule
Phase 1 Transition Stateful rule Transport
analyze data match?
match? layer
being sent
Yes Yes
No No
Block Block
required? required?
Yes Yes
Drop packet
120 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Deep Packet
Fragment
Inspection,
analysis
Reassembly Transition Firewall Stateful Destination
configuration,
(Phase 1)
SSL inspection
The functions performed in each module are discussed in their respective sections.
NOTE Prior to version 7.5 Service Pack 1, packets were re-fragmented to match the
number of fragments that arrived at the Reassembly step, before passing them up the
protocol stack. This was an artifact of a deprecated, pre-version 6.0, ability to
change/delete malicious content in a packet stream. Performance issues led to the
discontinuation of this capability. In version 7.5 Service Pack 1, the associated code was
removed entirely, and the redundant fragmentation step was deleted.
Reassembly
As discussed in the Packet fragmentation thread, fragments are normally assembled at the
Transport layer. However, for traffic analysis to work, Deep Security needs to reassemble the
packets for its own purposes. So if the packet is indeed fragmented (which is not always the
case), this step prepares the fragments for packet analysis later in the phase.
Consider the following illustration based on the analogy used in the Packet fragmentation
section.
#6 #10 #11 #8 #3 #15 #1 #2 #14 #7 #13 #12 #5 #4 #9 #16
m i n t _ a Do B e _ g oSh d
Re-assembly
Do _ S o m e t h i n g _ B a d
For firewall and DPI functions in the next phase to recognize the “Do_Something_Bad”
instruction (also called “payload”) in the packet, the unordered packets have to be re-arranged
based on their sequence numbers and then reassembled.
Note that this reassembly happens even before the Transport layer. As a consequence, there is
no danger of applications at the Application layer ever getting the malicious packet before Deep
Security analysis.
Transition
The transition module is responsible for decoding IPv6 transition mechanisms. As discussed
earlier, both 6to4 and Teredo are supported.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 121
Trend Micro Deep Security Support Track
There are parallel analysis tracks for IPv6 and IPv4 traffic that converge at a common DPI and
stateful configuration module. Both can independently handle their respective IP versions.
However if the IPv4 track encounters a transition packet, the following happens
Fragment Reassembly Transition Firewall
analysis
(IP4) (IP4)
(IP4)
6to4 or
Teredo
Fragment
Reassembly Transition
analysis
(IP6) (IP6)
(IP6)
The transition module decodes the transition packet and then re-injects it into the IPv6 track for
proper IPv6 processing.
Firewall
With the exception of the Bypass rule, which is applied at the Microfilter, firewall rules are
applied at this point. Firewall rules can filter traffic based on the following characteristics.
Protocol
(TCP, UDP, ICMP, etc.) Direction
(Incoming, outgoing)
Source Destination
(IP address, port, (IP address, port,
MAC address) MAC address)
Packet
For additional information about the firewall and firewall rules, see About the firewall on page
158.
122 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
STATEFUL CONFIGURATION
Stateful configuration functionality monitors connections that traverse the firewall, and ensures
that such connection behave within pre-determined parameters thereby protecting the DSA host
from Denial of Service (DoS) attacks.
There are different Stateful Configuration parameters for different protocols. The following
protocols are supported: TCP, UDP, and ICMP.
SSL INSPECTION
If the packet is part of an SSL connection, the driver will decrypt the traffic to allow Deep
Packet Inspection. This feature, however, requires the administrator to provide the relevant
certificates to permit decryption.
NOTE SSL inspection is not available in IP6. Because of security features built into IP6,
the role of SSL in an IP6 world is currently unclear.
DPI rule
Shellcode:do_something_bad
Reassembly Fragmentation
Network Packet:do_something_bad Application
process process
For details on how DPI works, see About Deep Packet Inspection on page 176.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 123
Trend Micro Deep Security Support Track
Important: Both Integrity Monitoring and Log Inspection cannot distinguish between
legitimate and malicious changes or events.
Both HID features bring these changes and events to the attention of the Deep Security
administrator. The following diagram shows how this is accomplished.
Log
Detect HIDS-
upload via
related log
heartbeat Check for events, or
Deep Deep compare with baseline
Security Security
Manager Agent
Alert
System
Attack
Change detected area
Information about changes and events are stored in SQLLite database files on the DSA, and
then uploaded to the DSM during agent heartbeats. Once the DSM detects logs related to
HIDS functionality, it can generate alerts on the DSM console.
124 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
a) Firewall
b) Deep Packet Inspection
c) Integrity Monitoring
d) Log Inspection
a) Firewall
b) Deep Packet Inspection
c) Integrity Monitoring
d) Log Inspection
a) Physical Layer
b) Data-link Layer
c) Network Layer
d) Transport Layer
a) Tap mode
b) Inline mode
a) Allow
b) Deny
c) Bypass
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 125
Trend Micro Deep Security Support Track
126 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The image on the left is the Windows Event log record that was generated when the OfficeScan
Proxy Service was stopped. Since the computer where the event occurred had a suitably
configured DSA, Integrity Monitoring functionality was able to detect the event, thereby
generating the Deep Security Integrity Monitoring Event shown on the right.
This chapter focuses on this feature and is divided into the following sub-topics:
● Integrity Monitoring basics
● Integrity Monitoring operations
● Dissecting an Integrity Monitoring rule
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 127
Trend Micro Deep Security Support Track
Deep
Object Security
Agent
Compare
with
baseline
Baseline
This feature can monitor system objects such as, but not limited to, the following
Files
Folders
Registry entries
Processes
Services
Listening ports
NOTE Integrity Monitoring will detect any change that happens to an object. It
currently lacks the ability to distinguish between legitimate and malicious changes.
Baselines are created a number of ways, to include the rule assignment process. The resulting
snapshot is stored in a SQLLite3 DB file on the agent host which is then uploaded to the DSM.
See 7.3.4. Creating baselines for additional information about this DB file.
When a change is detected, the DSM creates a record of the event that is displayed in the
Integrity Monitoring Events screen as shown below.
Each Integrity Rule includes an Alert feature that is enabled using the control shown below.
128 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
When an integrity event occurs with a rule that has the alert feature enabled, it will generate an
alert like the one shown below.
NOTE In contrast to Integrity Monitoring threads, threads that read data from the NDIS
driver are assigned “Above normal” priority.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 129
Trend Micro Deep Security Support Track
Each object that is monitored (e.g., files, Registry, processes, etc.) is handled by a single thread.
Starting with version 7.5, these threads work sequentially. Previous versions worked in parallel.
Trend Micro implemented this change because of issues with simultaneous access by different
threads.
Manual trigger
Deep Security administrators can initiate an on-demand comparison by clicking the following
control on the DSM console.
On-change trigger
This trigger was introduced in version 7.0 and is only available on Windows-based hosts. It uses
the ReadDirectoryChanges( ) function within the Windows API to detect changes.
130 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Change
notification
Deep Security
Windows API
Agent
Windows file system
File File
(Original) (Changed)
This functionality is only available for files and folders. All other system objects, with the
exception of the Registry, use pseudo-real-time triggers, which are explained in the next section.
Important: Although the DSA will be able to detect changes as soon as they happen, they will
not be reported to the DSM the next heartbeat.
By default, changes to the DSA’s own database files are ignored regardless of rule settings.
Pseudo-real-time trigger
This feature constantly scans the DSA host for system changes. These scans are performed
anywhere between every 10 seconds or every 10 minutes. The DSA implements an algorithm
that selects the appropriate interval based on how long it takes to scan all system areas. This
design was implemented to avoid frequent, excessively long, scans.
This feature is supported on all Deep Security platforms, and is applicable all system objects with
the exception of the file system – files and folders --, and the Registry on Windows system,
which would take too long to scan to be practical given the 10 to 600 second interval between
each scan.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 131
Trend Micro Deep Security Support Track
Elapsed Yes
Complete Interval =
time > thread up
scan 10,000ms
time?
No
Yes
Interval =
Scan time <= 2,500ms ?
15,000ms
No
Interval =
Scan time <= 5,000ms ?
20,000ms
Yes
Interval =
Scan time <= 10,000ms ?
30,000ms
No
Yes
Interval =
Scan time <= 20,000ms ?
60,000ms
No
Yes
Interval =
Scan time <= 30,000ms ?
120,000ms
No
Yes
Interval =
Scan time <= 60,000ms ?
300,000ms
No
Interval =
600,000ms
The minimum interval is 10 seconds. If the scan takes up to 2.5 seconds to complete, the interval
for the next scan goes up to 15 seconds. Alternative intervals are specified for scans that take, 5,
10, 20, 30, and 60 seconds. At 60 seconds, the interval is 5 minutes.
The interval decision is refreshed after each scan. So an abnormally fast or slow scan will only
affect the next immediate pseudo real-time scan.
As shown in the diagram, the algorithm begins with a comparison of the elapsed time with the
thread up time. The DSA refers to time stamps for previous scans in its local SQLLite database.
If the elapsed time is greater than the latter, then the DSA will conclude that the agent had
recently been restarted, and will disregard data about previous scanning times because in all
likelihood the interval does not reflect how long the previous scan actually took. It will default to
10 seconds.
If a pseudo real-time scan is interrupted, the DSA is designed to re-start the scan at the earliest
opportunity. It reads information about what aspects of the scan had already been completed,
from its local SQLLite database, and then takes off from there.
132 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
<Install path>\si.db
Integrity events are only stored in the local database until they uploaded to the DSM as part of a
heartbeat operation. Once fetched, the events will be deleted from the DB file – with the
exception of 2000 of the most recent integrity events. These are retained for display on the DSA
console.
NOTE On Windows this value does not get updated immediately, and recording of the
last accessed timestamp can be disabled as a performance enhancement. The act of
scanning a file requires that the DSA open the file, which will change its last accessed
timestamp.
On Unix, the DSA will use the O_NOATIME flag if it is available when opening the file.
This will prevent the OS from updating the last accessed timestamp and will speed up
scanning.
Permissions - The file's security descriptor. This varies per platform as follows:
Microsoft Windows variants SSDL format
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 133
Trend Micro Deep Security Support Track
DeviceNumber - Unix only. This is the device number of the disk on which the inode
associated with the file is stored.
BlocksAllocated - Unix only. The number of blocks allocated to store the file.
As shown in the list above, the hash of the object being monitored is included in the baseline.
The algorithm used to generate this hash is set at the DSM console using the control shown
below.
These baselines, as well as unreported integrity events, are stored in a SQLLite3 database on the
DSA host. For Windows-based DSAs, this file can be found in the following location:
<Install path>\si.db
NOTE Unlike Log Inspection rules, Integrity Monitoring rules are not based on Open
Source Security (OSSEC).
Here we will dissect the rule designed to detect changes to attributes of Windows services, as
shown below.
134 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The details tab for this rule shows the system areas that the rule monitors.
<!‐‐ Service attributes changed through configuration console ‐‐>
<ServiceSet>
<include key="*" />
<attributes>
. . .
</attributes>
</ServiceSet>
<!‐‐ Registry changes to Service keys ‐‐>
<RegistryValueSet base="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services">
. . .
</RegistryValueSet>
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 135
Trend Micro Deep Security Support Track
Both sections targeted different system objects and are therefore discussed below separately.
Tip The online help for the Deep Security Manager contains a complete reference for
the Integrity Monitoring rule syntax. Look for the Integrity Monitoring Rules Language
topic.
All services
The <ServiceSet> . . . </ServiceSet>
tags are only used in Windows
platforms, and indicates that this section
of the rule focuses on Windows
services. The <include key= /> define
the system objects to include in the
scope of the rule. Since this example
uses an all-inclusive wildcard (*) then all
Windows services on the host are
monitored.
The <attributes> . . . </attributes> tag
indicate what aspects of the service are
of interest. These refer to the
configuration options that are visible in
service properties, as shown on the
right.
The following table matches the options in the rule configuration tab with the corresponding
tags in the rule’s XML file.
136 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
<attributes>
<Permissions/>
<Owner/>
<Group/>
<BinaryPathName/>
<State/>
<StartType/>
<LogOnAs/>
<FirstFailure/>
<SecondFailure/>
<SubsequentFailures/>
<ResetFailCountAfter/>
<RunProgram/>
<DependsOn/>
</attributes>
</ServiceSet>
NOTE Since ProcessId, LoadOrderGroup, and Description were not selected, they are
not included in the XML code.
Each tag between the two attributes tags represents a particular service property. <StartType>
attribute, for example, refers to how the Windows Service Control Module starts the service, as
shown by the highlighted control below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 137
Trend Micro Deep Security Support Track
<!‐‐ Registry changes to Service keys ‐‐>
<RegistryValueSet base="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services">
<include key="DcomLaunch/ImagePath" />
<include key="SSDPSRV/ImagePath" />
<include key="upnphost/ImagePath" />
<include key="Dhcp/ImagePath" />
<include key="Dnscache/ImagePath" />
<include key="NetBT/ImagePath" />
<include key="kdc/ImagePath" />
<include key="Wmi/ImagePath" />
</RegistryValueSet>
The base parameter defines where in the Registry the DSA looks for the protected entries. In this
example, the keys are in HKLM\System CurrentControlSet\Services. By defining the base
parameter, the rule writer no longer needed to specify the full path for each key.
Consider the <include> tag for the key DcomLaunch. This key, and its contents, are shown below.
This is the DCOM Server Process Launcher which provides service launching functionality for
Distributed Component Object Model (DCOM) components. Certain systems require this for
communication functionality.
To load this service, the operating system runs SvcHost.exe with the “–k DcomLaunch
parameter”, as indicated by the ImagePath Registry entry for this service. It is, therefore,
important that any changes to this entry be monitored.
138 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 139
Trend Micro Deep Security Support Track
The more importantly, it asks for the data points that will trigger the tag. The following screen
capture shows a selection of data points
If an event shares the same data points defined for a tag, then that event will be tagged.
Increasing the number of data points restricts the events that will be tagged.
140 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
a) An on-demand request
b) Scheduled task
c) Windows API notification
d) All of the above
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 141
Trend Micro Deep Security Support Track
142 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The image on the left is the Windows Event log record that was generated when the OfficeScan
Proxy Service was changed from “demand start” to “auto start”. Since the computer where the
event occurred had a suitably configured DSA, Log Inspection functionality was able to obtain a
copy of the event, thereby generating the Deep Security Log Inspection Event shown on the
right.
This chapter focuses on this feature and is divided into the following sub-topics:
● Log inspection basics
● Dissecting a log inspection rule
● Log inspection operation
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 143
Trend Micro Deep Security Support Track
Server
Client
Event log
The Deep Security Agent monitors logs defined by log inspection rules. Once an event with the
relevant severity level is detected, the DSA copies the event, and then uploads it to the DSM.
Upon receipt of the log information, the DSM normalizes the information in the log using a
decoder specifically designed for the log format sent, and then performs the following event
handling actions:
1. Store the event in the database and display on the Log Inspection Events screen as shown
below.
NOTE Events will only be captured if their severity values exceed severity clipping
values configured at System Settings > Log Inspection.
2. If the Log Inspection rule was configured to send alerts, as shown immediately below, DSM
will generate an alert for the log.
144 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The alert itself appears as shown below. Alerts highlight specific events on the DSM console to
draw the administrator’s attention to them.
The screen capture above highlights the Application event log. If the relevant rule is applied, the
DSA can monitor this file and read events that are being written to it.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 145
Trend Micro Deep Security Support Track
NOTE Log inspection can only read new events. This inspection feature cannot be set
retrieve a specific range of logs.
Product /
DSA DSM
Log source
Create
alert
Yes
Database
Pre- Rule Database Is an alert
Event Decoding storage
decoding matching storage required?
(Local)
No
End
<Install path>\lca.db
This information is stored in the local database until they uploaded to the DSM as part of a
heartbeat operation. Once fetched, the events will be deleted from the DB file – with the
exception of 2000 of the most recent integrity events. These are retained for display on the DSA
console.
146 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
NOTE For additional information about Open Source Security (OSSEC), visit the
following Website: http://www.ossec.net/.
Dependency
Note that in addition to the Microsoft Windows Events rule, the Default Rules Configuration
rule had to be applied to DSA as well. All log inspection rules use this rule, which help defines
the log format that the parser should expect from the log.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 147
Trend Micro Deep Security Support Track
Like other DSM rules, administrators can view the details of log inspection rules by clicking the
View Rules button on the rule’s Configuration tab
An abbreviated version of the XML output of the Default Rules Configuration rule is shown
below. As shown
<group name="syslog">
<description>Generic template for all syslog rules</description>
. . .
<group name="squid">
<description>Generic template for all web proxy rules</description>
<group name="windows">
<rule id="06" level="0">
<category>windows</category>
<description>Generic template for all windows rules</description>
</rule>
</group>
<group name="ossec">
<description>Generic template for all ossec rules</description>
</group>
148 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
<location>/var/log/messages</location>
NOTE Like other rules, the Microsoft Windows Events rule also uses decoders.
However, unlike the Microsoft Exchange rule, its decoders are not exposed in its XML file.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 149
Trend Micro Deep Security Support Track
The XML rule that provides the functionality shown above can also be inspected by clicking the
View Rules button. When the rule appears, the pertinent entries are bound by the following tags:
<group name="ms,exchange,">
. . .
</group> <!‐‐ MS,Exchange ‐‐>
Each group of settings in the rule corresponds to a section in the XML file. The tables below will
match these settings with their corresponding sections.
<decoded_as>msexchange</decoded_as>
<description>Grouping of Exchange
rules.</description>
</rule>
The <rule id> tag indicates the OSSEC rule grouping for this particular log. Microsoft Exchange
rules are given IDs ranging from 3800 to 3899.
The level parameter defines the order in which a rule is processed. OSSEC supports level 0 to
15, with the higher value being evaluated before all others – with the exception of “0”, which is
always evaluated first, but no action will actually be taken. By assigning “0” to this rule, the DSM
immediately knows that it needs to use the msexchange decoder before any other analysis is
performed.
NOTE The DSA will cycle through its list of decoders until it finds a match.
The <description> . . . </description> tag simply allows Log inspection functionality to provide a
description for rule on the user interface.
The <decoded_as> . . . </decoded_as> tag defines the Log decoder required to parse MS Exchange
logs. Decoders are accessible via the following portion of the DSM console.
150 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
For MS Exchange logs, the corresponding decoder is called msexchange. If we view Default Log
Decoders, as shown above, and then click View Decoder, we will see that the msexchange
decoder appears as follows
<decoder name="msexchange">
<parent>windows‐date‐format</parent>
<use_own_name>true</use_own_name>
<prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ SMTPSVC</prematch>
<regex offset="after_parent">^(\d+.\d+.\d+.\d+) \S+ \S+ \S+ \S+ </regex>
<regex>\d+ (\S+) \S+ \S+ (\d+) </regex>
<order>srcip, action, id</order>
</decoder>
Once the appropriate decoder for the log has been identified, the OSSEC component within
DSM applies the following logic when decoding the log:
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 151
Trend Micro Deep Security Support Track
The decoder begins its work by determining if a log entry matches a pre-match syntax, contained
within the prematch tag. If the log entry matches, then the entry is of interest and is parsed using
the pattern specified in the regex tag.
NOTE Configuration tabs like the one shown above are only available for rules that are
created by Trend Micro. Custom rules will not have this tab.
The <if_sid> . . . </if_sid> tags indicate that this rule is evaluated after the previous rule
(#3800). Both this rule and the next rule are both actually surbordinates of Rule #3800
152 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The rule below is executed if a match is found with Rule #3801. As explained in the description,
this rule is designed to detect attempts to send emails to an invalid account, indicating a Denial
of Service (DOS) attack.
<if_matched_sid>3801</if_matched_sid>
<same_source_ip />
<description>Multiple e-mail attempts to
an invalid account.</description>
<group>multiple_spam,</group>
</rule>
The rule above is executed if a match is found with Rule #3802. As explained in this rule’s
description, this rule is designed to detect Error 500 events.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 153
Trend Micro Deep Security Support Track
<if_matched_sid>3802</if_matched_sid>
<same_source_ip />
<description>Multiple e-mail 500 error
code (spam).</description>
<group>multiple_spam,</group>
</rule>
154 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
This is a global setting, and since there is not industry standard for logging levels, advanced
information about the logging behavior of the products being protected is advisable.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 155
Trend Micro Deep Security Support Track
a) Microsoft .NET
b) OSSEC
c) GNU
a) Syslog
b) Microsoft Windows
c) Squid
d) All of the above
a) Log location
b) Log severity
c) Log name
156 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 157
Trend Micro Deep Security Support Track
158 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
For a comparison between the OfficeScan and Deep Security firewalls, see
Appendix A: Deep dive information > Chapter 9.
Protocol
(TCP, UDP, ICMP, etc.) Direction
(Incoming, outgoing)
Source Destination
(IP address, port, (IP address, port,
MAC address) MAC address)
Packet
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 159
Trend Micro Deep Security Support Track
● Frame type
IP ADDRESS
The following table discusses the different ways hosts can be identified using IP addresses
Option Description
No address is specified so
any host can be either a
source or destination
A specific machine is
identified using its IP
address.
160 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
MAC ADDRESS
The following table discusses the different ways that hosts can be identified by their MAC
addresses
Option Description
No MAC address was
specified, so the rule
applies to all addresses
PORTS
The following table discusses the different ways that hosts, with specific applications, can be
identified using ports
Option Description
Rule applies to a single port
Transport protocols
If the rule is meant for the Internet Protocol (IP) frame type, the protocol field is enabled, and
administrators will be asked to specify the transport protocol that will be analyzed. The protocol
options are shown below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 161
Trend Micro Deep Security Support Track
Selecting “Other” displays a prompt for the protocol number, as shown below.
Direction
The Deep Security firewall is a bi-directional firewall. Therefore it is able to enforce rules on
traffic originating from the network to the Deep Security host, also shown below as incoming, and
traffic from the host to the network, called outgoing.
Firewall rules only apply to a single direction; therefore policies for specific types of traffic often
come in pairs.
The SYN, ACK, and FIN flags, and the threat conditions that involve them, have been explained
in great detail in TCP flags and states on page 452. So only the following flags will be discussed
here:
URG
PSH
162 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
RST
There are a number of ways these flags can be used in different attacks. Only a selection will be
used here.
Important: The text below should not be misconstrued as being the only way that
hackers/crackers can use these flags. Refer to a Trend Micro threats course for more detailed
information.
The URG flag indicates that the packet is urgent and must be processed before all others, while
the PSH flag sets the TCP stack to flush its buffers and send all information up to the
application. Both flags can be used in a type port scan called the Xmas scan which is typically a
FIN packet with the URG and PSH flags enabled. This scan gets its name from the alternating
bits turned on and off in the flags byte (00101001), much like the lights of a Christmas tree.
When an unprotected machine receives packets related to a Xmas scan, the following happens:
Condition Response
Closed port Returns an RST packet
The RST, or RESET, flag abruptly terminates TCP connections. As described above, among its
legitimate uses is to terminate connects to closed ports indicating an impossible or disallowed
connection. However, the RST flag can also be used as part of an RESET attack, designed to
disrupt existing sessions. Consider the following diagram.
Message using
terminated connection
????
The diagram above shows a situation where an attack, Host C, was able to calculate the TCP
sequence number that Host A expected from a packet from Host B, thereby spoofing Host A
into believing that Host B had sent it a RST packet. The end result is a denial of service attack.
Frame types
The term “frame” refers to Ethernet frames, and the protocols in the drop-down menu shown
below specify the data that the frame carries.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 163
Trend Micro Deep Security Support Track
Internet Protocol (IP), Address Resolution Protocol (ARP), and Reverse Address Resolution
Protocol (RARP) are the most commonly carried protocols on contemporary Ethernet networks.
These, however, are not the only protocols that can leverage Ethernet frames. For this reason,
Administrators are allowed to specify Frame types.
Consider the following firewall Allow rule designed to permit incoming traffic bearing Point-to-
Point Protocol over Ethernet (PPPoE) data.
As shown above, the Frame Type is “Other”, and the Frame number is 8863.
164 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Bypass – this allows traffic to bypass both firewall and DPI analysis. Use this setting only
for media-intensive protocols. Only the port, direction and protocol can be set with this
action. For additional information see About bypass on page 165
Deny – this action explicitly blocks traffic that matches the rule
Force allow – this forcibly allows traffic that would otherwise be denied by other rules. The
traffic, however, will still be subject to DPI analysis. See About Force allow on page 166
for an example of how this can be used
Log only – traffic will be only be logged. No other action will be taken
Allow, Force allow and Bypass are explained further below.
About “Allow”
“Allow” rules have a two-fold function:
1. Permit traffic that is explicitly allowed.
2. Implicitly deny all other traffic
If traffic is neither covered by a Deny rule, but is not explicitly allowed by an Allow rule, then it
is dropped and is logged as an Out of allowed policy event in firewall logs.
Commonly applied “Allow” rules – which are part of the default Deep Security rule set --
include, but are not limited to, the following:
ARP – permits incoming Address Resolution Protocol traffic
Allow solicited TCP/UDP replies – this ensures that the host is able to receive replies to
its own TCP and UDP messages. This works in conjunction with TCP and UDP stateful
configuration
Allow solicited ICMP replies - this ensures that the host is able to receive replies to its
own ICMP messages. This works in conjunction with ICMP stateful configuration
Tip Rules can be set in Security Profiles, and then applied to computers with similar
traffic patterns. For information about Security Profiles, see 91.
About “Bypass”
As mentioned in the previous section, the Bypass rule is designed for media-intensive protocols
where filtering, be it by the firewall or DPI, is neither required nor desired.
These rules have the following noteworthy characteristics:
● Bypass skips both firewall and DPI analysis
● Since stateful inspection is skipped for bypassed traffic, bypassing traffic in one direction
does not automatically bypass the response in the other direction. As a result bypass rules are
always in pairs, one for incoming traffic and another for outgoing.
● Bypassed rules will not be logged. This is not a configurable behavior
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 165
Trend Micro Deep Security Support Track
Tip If DSM uses a remote database that is protected by a DSA, DPI-related false alarms
may occur when the DSM saves DPI rules to the database. The contents of the rules
themselves could be misidentified as an attack. One of two workarounds for this is to create
a Bypass rule for traffic from the DSM to the database host. See Database communication
on page 44 for additional details.
Tip When using multiple DSM machines in a mutli-node arrangement, it may be useful
to define an IP list for these machines and then using this list for the custom DSM traffic
rule.
Allow
Deny
Force
allow
Force allow has the same effect as a Bypass rule. However, unlike Bypass, traffic that passes the
firewall because of this action is still subject to Deep Packet Inspection.
The Force allow action is particularly useful for making sure that essential network services are
able to communicate with the DSA computer. Among the default Force allow rules that are
commonly enabled in real-life are:
166 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
DHCP client – allows DHCP offer traffic to the DHCP client on the DSA host. This
ensures that the client can obtain its dynamic IP address
Wireless authentication – allows wireless authentication traffic via the Extensible
Authentication Protocol (EAP)
One situation that would require a “force allow” action would be when an administrators wants a
host to accept ICMP and/or UDP traffic, but the Deep Security Agent has stateful configuration
for ICMP and UDP traffic enabled.
Important: The drop action above will happen even if there are no firewall rules that prevent
incoming UDP and ICMP traffic. Stateful configuration will always drop the packet.
Therefore to allow incoming UDP and ICMP traffic, administrators need to configure a force
allow rule like the one shown below.
Traffic is evaluated against firewall rules according to this priority setting, in the following
fashion.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 167
Trend Micro Deep Security Support Track
From network
Priority 4:
Log only Bypass Force allow Deny
Highest
Priority 3:
Deny Force allow Bypass
High
Priority 0:
Bypass Force allow Deny Allow
Lowest
To application
“Log only” rules can only be at priority 4, and are always evaluated first. They will not, however,
interfere with the other rules.
“Allow” rules can only be given priority 0, and are the last rules to be evaluated.
The remaining rules are applied in the following order:
3. Bypass
4. Force Allow
5. Deny
Consider the following rules:
Both rules apply to TCP traffic at port 80, presumably HTTP traffic. The first rule blocks traffic,
while the second rule forcibly allows it. However, since the Deny rule has a higher priority than
the allow rule, the former will always prevail.
168 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
On DSVA, each Virtual Agent will have its own firewall log file stored in the following location:
/var/opt/ds_agent/guests/<virtual agent GUID>/log
Once the events in the logs exceed 4MB, the DSA creates a new dsa_mpnp file and assigns the
numerical file extension to the previous file. By default, these DSA only maintains three event
files.
Response
These scans typically involve two types of messages: scanning packets, and responses -- or even
the absence of a response. For example, when the Deep Security Manager performs a port scan,
it sends a SYN packet to the target host, at a particular port. If a connection is established, then
the port is declared open. Other techniques focus on the absence of a reset (RST) response to
detect open ports.
Whereas network administrators use this capability to protect their networks, crackers/hackers
can leverage reconnaissance scanning tools (e.g., NMAP) to look for security gaps.
Reconnaissance scanning can consist of any or a combination of the following activities:
Network mapping/scanning – this refers to the process of collecting a list of computers
on a network that could then be attacked.
Port scanning – this is the process of looking for open ports, betraying the presence of
specific applications and or vulnerabilities. This is the type of scan discussed in the
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 169
Trend Micro Deep Security Support Track
NOTE The firewall must be enabled, and firewall rules assigned, for reconnaissance
scan to work.
NOTE Because of the relationship between ICMP and UDP, both will be discussed in the
same sub-section below.
170 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Denial of Attacker either causes Limit the number of Once the number of
Service other machines on a incoming connections connections to and
network to flood the DSA from a single from a computer
host with connections, or computer to: XXX exceeds this setting,
uses the DSA host to DSA prevents additional
launch a similar attack on Limit the number of connections.
other hosts outgoing connections
to a single computer The default value is 100
to: XXX connections
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 171
Trend Micro Deep Security Support Track
Host A Host B
X seconds
The diagram shows Host A sending a UDP message to Host B, and then receiving a response.
Host A has a DSA with stateful configuration for UDP traffic enabled. So when Host A sends
the message, it creates a record for this in its pseudo-state table. This record sets the DSA to
expect a UDP response from Host B within 60 seconds. So when it receives a UDP message
from Host B within that timeframe, the agent decides that this UDP message is related to the
first message and lets the message pass to the host.
Both configuration settings affect how hosts deal with unsolicited UDP or ICMP messages.
Consider a situation where Host B sends Host A an unsolicited UDP message, like the one
shown below.
Host A Host B
X seconds
Since DSA cannot associate the incoming message with an earlier outgoing message, then DSA
will drop this message.
172 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
NOTE To permit unsolicited ICMP and/or UDP messages while stateful configuration
for both protocols is enabled, administrators need to apply a Force Allow rule for this
traffic. See About “Force allow” on page 166.
ICMP types 0 and 8, 13 and 14, 15 and 16, and 17 and 18 are supported.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 173
Trend Micro Deep Security Support Track
a) Allow
b) Deny
c) Bypass
d) Force allow
e) Log only
f) All of the above
2. If a priority 4 Deny rule conflicts with a priority 3 Force allow rule, which rule will prevail?
a) Deny rule
b) Force allow rule
c) None of the above
a) Allow
b) Deny
c) Bypass
174 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 175
Trend Micro Deep Security Support Track
176 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Application
Malicious instruction:
Vulnerability
Do_Something_Bad
Protocol
stack
Protocol
DPI
stack
Computer 2 in the illustration represents a machine with an unpatched vulnerability. The reasons
for this situation can range from dereliction on the part of the IT department to complexities
involved in the application of the patch which prevent timely application. If the Deep Security
Agent is configured correctly during the attack above, meaning the corresponding DPI rule is
enabled, the attack is thwarted at the protocol stack.
Virtual patching mitigates the impact of falling behind on patch application duties. Once the
patch is applied, it is then possible to safely disable the DPI rule that protects against that
particular vulnerability.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 177
Trend Micro Deep Security Support Track
DPI rule
Shellcode:do_something_bad
Reassembly Fragmentation
Network Packet:do_something_bad Application
process process
The DSA looks at the content of packet to determine if it contains malicious content. It is able
to determine if content is malicious by referencing instructions within DPI rules. If the content
matches what the rule looks for, then the packet is dropped.
178 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
IDS/IPS - designed to defend against software vulnerabilities and exploits. These rules
provide virtual patching functionality
Application control – as its name implies, these rules detect the use of particular
applications on the DSA host
Web application protection – these rules are designed to protect Web applications from
malicious attacks
IDS/IPS rules are further sub-divided into the following categories:
● Exploit rules
● Vulnerability rules
● Smart rules
The following diagram illustrates how these rules are inter-related.
For any vulnerability, there can be multiple exploits. For example, the Server Service
vulnerability, discussed very extensively in Gaining access on page 114, can be exploited by
several variants of the Conficker/WORM_DOWNAD malware.
A rule that specifically targets how malware leverages the vulnerability would be an exploit rule.
There will be as many exploit rules as there are methods for using the vulnerability. Depending
on the nature of the exploit, multiple exploits can be addressed by a single exploit rule.
A vulnerability rule, on the other hand, applies a virtual patch on the vulnerability, thereby
rendering all exploits that use that vulnerability harmless. Vulnerability rules, therefore, can
theoretically take the place of several exploit rules.
Smart rules are generic rules that provide virtual patching for one or several vulnerabilities.
Because of the breadth of these rules, some configuration may be required to prevent false
positives.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 179
Trend Micro Deep Security Support Track
Given the option to create one-size-fits-all Smart rules for multiple vulnerabilities, it would be
natural for any reader of this document to ask: “Why bother with Exploit or Vulnerability rules if
Smart rules can be made?” The short answers are “false-positive avoidance” and “forensics”.
The broader the applicability of the rule, the greater the chances of blocking traffic that really
shouldn’t be blocked. For this reason, Smart rules will probably not be made for every
vulnerability. As of writing there are only a little over 100 Smart rules available, a number that is
expected to grow over time. These were only released after completion of exhaustive testing to
address false-positive concerns.
Rules generate DPI events when they are triggered. Unless packet capture functionality is
enabled, these events typically only contain the name of the rule that was triggered, and the time
and location of the event.
The usefulness of these events for forensic analysis of attacks is directly proportional to the
granularity of the information they contain. Smart rules alone, therefore, are too broad for
forensic analysis because they cover too many attack vectors. Targeted exploit filters, on the
other hand, offer the most targeted DPI logging information.
When all three rules are available for a particular vulnerability are available, they form a kind of
“layered defense” around the vulnerability. This illustrated below.
180 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Exploit #1
for Vulnerability
#1
Exploit #2 rule
Exploit #2 rule
Exploit #2
for Vulnerability Smart rules
Vulnerability Vulnerability
#1 for vulnerability
#1 #2
#1 & #2
Exploit #3
for Vulnerability
#1
Note the different exploits targeted at Vulnerability #1. Each attack vector has a corresponding
Exploit rule. Each vulnerability has a vulnerability rule that can address all of the attack vectors
by itself. Both vulnerabilities can be protected by a single Smart rule that can deal with all the
attack vectors for vulnerability #1 as well as attacks for vulnerability 2.
NOTE The “layering” illustrated here simply shows the coverage of each rule type. They
have no bearing on which rule actually gets triggered first.
Overlapping rules can be applied to a DSA. However, the rule that is actually triggered is the rule
that first matches whatever pattern is found in the traffic. Consider the following hypothetical
rules
The Smart rule, #1, will drop traffic associated with an attempt to enter more than 100
characters into a password field. This will protect Acme software from vulnerabilities 1 and 2, as
well as Exploit 1.
However since the Smart rule protects any application on the machine with a password field, its
rule event will not provide information about the specific application being attacked. It also will
not provide information about the vulnerability that the attacker was attempting to exploit. For
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 181
Trend Micro Deep Security Support Track
this reason, Smart rules are typically written with the setdrop action, instead of drop. With setdrop,
the rule will not instruct the DSA to drop the packet until the entire packet is analyzed. This
action gives applicable vulnerability or exploit rules a chance to be triggered, and become
responsible for dropping the packet.
NOTE The rule compilation mechanism is designed so that it gives all relevant rules –
regardless of type -- a chance to be triggered, before the packet is dropped. This is
meant to provide the administrator with as much forensic information as possible.
Once the events in the logs exceed 4MB, the DSA creates a new dsa_mpnp file and assigns the
numerical file extension to the previous file. By default, these DSA only maintains three event
files.
182 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
SSL COMPRESSION
The Deep Security agent does not support filtering on SSL connections with SSL
compression enabled. This creates the following conditions with respect to HTTPS
payload inspection:
• When HTTPS payload inspection is enabled, any encrypted traffic that the DSA
cannot decrypt will be dropped. This includes SSL connections with SSL
compression enabled.
• If HTTPS payload inspection is NOT enabled, then SSL connections with SSL
compression enabled will simply be allowed through without analysis.
This section focuses on how HTTPS payload inspection works and is divided into the following
sub-sections:
● SSL basics
● DSA in an SSL connection
● Payload inspection
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 183
Trend Micro Deep Security Support Track
Client Server
Send certificate
As shown above, the “key” to making the SSL connection possible is the server’s certificate,
which contains one part of the asymmetric key pair that is used in protecting the connection. By
providing the DSA with the server’s certificate, all that it needs to be able to decrypt the SSL
session is the information contained in the challenge.
NOTE HTTPS payload inspection must be able to observe the SSL session
establishment shown above to be able to decrypt SSL traffic. It cannot read an already-
established session. If an established secure session is present when HTTPS Payload
inspection is enabled, the DSA will terminate this connection.
Server
Decrypt
&
Analyze
Decrypt
&
Analyze
Each time an SSL packet passes through a DSA the traffic is decrypted and analyzed. This
decryption is applied both to incoming traffic and its corresponding response.
184 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
DSA
Application
Intended
destination
After the firewall module completes its analysis of the packet, it is handed off to DPI and
HTTPS payload inspection for analysis.
Deferred
Firewall
The decryption engine is not able to re-encrypt the traffic that it decrypts. Therefore to preserve
the original encrypted packet, a copy of the packet is created, and all analysis is done upon this
packet. The copy is decrypted, and then inspected. If the packet contains malicious content, then
it is dropped.
On the other hand, if the packet does not trigger any DPI rules then the deferred encrypted
packet is allowed to proceed to its destination.
Packet delivered
DSA
Application
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 185
Trend Micro Deep Security Support Track
This section consolidates the lessons derived from the lab exercise / demonstration, and is
divided into the following sections:
● The demo site’s vulnerabilities
● How the site was attacked
● How DPI protected the site
'‐‐<script>alert('XSS Executed')</script>
The site was deliberately designed to with a vulnerability that would be triggered by the script.
186 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Both have the same parameters that are exposed and configurable. Each parameter is explained
in their respective sub-sections.
PATTERNS
The pattern field contains the characters that DPI looks for in the HTTP message. Consider the
following pattern in the default Generic Cross Site Scripting (XSS) filter.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 187
Trend Micro Deep Security Support Track
<,%3c,>,%3e:1
Character in
UTF-8 encoding
This pattern prompts the NDIS driver to keep track of instances of “<” and “>”. Each time the
driver encounters these characters in the URL, it increments the URL score by “1”.
Let’s apply this pattern to the XSS attack used on the demo site:
'‐‐<script>alert('XSS Executed')</script>
In addition to the same pattern above, the following XSS patterns also apply to the string used
for the attack.
script,object,iframe,applet,embed:2
. . .
',%27,\x22,%22:1
When all three patterns are applied to the string, the result is shown below.
1 1 2 1 1 1 1 2 1
' -- < script > alert( ' XSS Executed ' ) < / script >
The word “script” is part of the second pattern, and is given a score of “2”. All other matches,
‘
including “ “, are given a score of 1. This gives this script a total score of “11”. In practice,
however, the filter implements a score threshold, which may be breached before the full script is
analyzed.
DROP THRESHOLD
This parameter defines the maximum score that a string can accumulate before it is dropped.
The default value is “4”, so when the score reaches “5” the packet is dropped.
Applied to the attack string, the threshold is breached by the time the “>” after “script” is read.
188 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Total score = 5
(Threshold exceeded)
1 1 2 1 1 1 1 2 1
' -- < script > alert( ' XSS Executed ' ) < / script >
LOG THRESHOLD
This works the same way as the Drop threshold parameter. When the string’s score reaches this
value, the NDIS driver creates a log entry for this event.
yyyXyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyXyyyyy
If there are no pattern matches beyond this value, then the score is reset to zero. The default
value for this parameter is “30”.
this%20is%20my%20site.com
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 189
Trend Micro Deep Security Support Track
As shown on the right, the filter has the following groups of parameters:
● URI normalization options
● Encoding options
● Raw character options
Encoding options
By default, DSA assumes that URLs use UTF-8 encoding. The decoding filter, however, can use
either UTF-8 or Latin1 encoding.
Tip If you are seeing “Invalid UTF8 Encoding” events in Deep Security logs for
legitimate traffic, then administrators may need to change encoding methods in this
filter.
Host
Web
server
190 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
By default, Deep Security includes Web server filters that offer the following functionality.
Administrators can extend this list by creating their own custom filters.
● HTTP method control
● HTTP request control
● Length restrictions
● Resource access control
Each filter-functionality is discussed in their respective sections
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 191
Trend Micro Deep Security Support Track
As shown above, the configuration options for both filters are identical, and only differ in the
fact that one explicitly disallows methods, thereby implicitly allowing those that aren’t listed,
while the other is the reverse.
Administrators can allow or disallow standard HTTP 1.1 methods, as well as methods from the
Microsoft HTTP protocol extension WebDAV.
In addition to specifying specific methods, both filters also allow the administrator to specify
pages in a site that are exempted from the filter.
192 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Length restrictions
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 193
Trend Micro Deep Security Support Track
194 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
a) Virtual patching
b) Protocol hygiene
c) Application control (limited)
d) All of the above
3. Which Trend Micro pattern contains information that is comparable to DPI rules?
a) VSAPI pattern
b) SSAPI pattern
c) Generic Stream Scanning rules
d) OfficeScan firewall rules
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 195
Trend Micro Deep Security Support Track
196 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 197
Trend Micro Deep Security Support Track
Master
agent Instantiated agents
Virtual
Virtual agent Machine
Actual path
Intended path
Network vmKernel
traffic (with vmSafe)
Important: Details of how DSVA is able to get vmKernel to send packets its way, instead of to
the VM, are discussed in later sections in this chapter. At this point, the key concept to
remember that it can be done.
Important: The vmSafe API is not present in the free version of VMware ESXi. DSVA in version
8 requires the full featured ESXi version 5. For version 7.5, it requires version ESX or ESXi
version 4.1
DSVA is able to intercept traffic to the protected VM through a Fast-path driver that is installed
on the vmKernel. This is shown below.
198 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
DSVA
Virtual
Virtual
agent
Machine
vNIC_d vNIC
vSwitch FastPath
dvFilter driver
Actual path
Intended
path
Network vmKernel vSwitch
After interception, the FastPath driver redirects the packet to the DSVA vNIC, which then
passes it to the Virtual agent created for the VM.
ESX
DSVA VM
EPSec API
EPSec API
(Anti-Malware
(VMTools)
daemon)
To provide Anti-Malware functionality, the DSVA interfaces with the VMware Endpoint
Security (EPSec) system. The system consists of EPSec API components that reside within the
Anti-Malware daemon on DSVA, the EPSec drivers on the protected virtual machines, and a
EPSec service that is installed on the ESX hypervisor.
The EPSec service handles the routing of data between DSVA and EPSec compatible virtual
machines. It is responsible for passing file system data from the virtual machine to the DSVA,
and for retrieving EPSec configuration from the DSVA and applying them to the EPSec drivers.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 199
Trend Micro Deep Security Support Track
Administrators install this component using VMware vShield Manager, using the following
screen control.
Tip In version 7.5, a Loadable Kernel Module (LKM) performed the function of the
EPSec service.
On the virtual machine side of the relationship the EPSec API is contained within a version of
VMTools that was first made available in ESXi 5. Previously this component was only available
as a “thin client” that administrators had to install using a separate MSI installer. Although the
relevant drivers are incorporated in VMTools, they are not actually installed by default.
Administrators must perform a “custom” installation of VMTools and install VMCI and vShield
drivers.
VMTools is responsible for hooking I/O events on the virtual machine, and then passing data to
Anti-Malware daemon on the DSVA, where the VSAPI scan engine analyzes the data. If VSAPI
determines that a file needs to be cleaned, a copy of the file is created in the DSVA for the
VSAPI to work upon, and then the cleaned copy replaces the file on the VM.
As mentioned earlier, the DSVA hosts an Anti-Malware daemon. This interacts with the modules
listed below.
200 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Events
Virtual Scan
request
Common modules
Agent
Scan Scan
configuration engine
Anti-
Malware
Patterns
Scan
Common module update result
Master
Agent Smart scan
Start / Stop interface
EPSec
Data from VMTools
module
Each VA is given its own scan settings. So the AM daemon can scan files from each VM and
apply the corresponding scanning configuration. Consequently, all scanning events generated for
a particular VM are sent back to its corresponding VA.
The Master Agent is responsible for starting and stopping the AM daemon, as well as updating
the various common modules.
“Common modules” refer to the following components:
Scan engine – this is the same Virus Scanning API (VSAPI) scan engine that is used in
other Trend Micro products.
Patterns – depending on the scanning mode selected, DSVA can use conventional (lpt$vpn)
or Smart scanning (icrc$) patterns.
Smart scan interface – this refers to the icrchandler that is responsible for querying scan
servers when the DSVA is in Smart scanning mode
ANTI-MALWARE TOPICS
Details about Anti-Malware functionality are available in the next Chapter.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 201
Trend Micro Deep Security Support Track
Disk 1 is the called the root disk, which contains the source files for DSVA functionality. Disk 2
is a spare disk to which upgrade files are downloaded in preparation for an upgrade of the root
disk. Disk 3 is used to store VM data and for storing quarantine files.
True to its role as protector of the DSVA, it consists of many of the same files that would be
found on a DSA. Its files can be found in the following directory within the DSVA:
/var/opt/ds_agent/
Note the sub-directory called guests in the screen capture above. This directory contains the files
associated with Virtual Agents. As explained in the Network traffic protection section, Master
Agents instantiate Virtual Agents (VA) for each protected virtual machine that does not have a
DSA installed.
Details about the instantiation process are available in the DSVA Operation section.
Consider the following environment. This ESX server is protected by a DSVA called GECS-
DSVA), and contains five other VMs, of which three are powered on and activated.
202 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The Master Agent corresponds to the ds_agent process. To protect the three active Virtual
Machines, the master agent creates three VAs. Each VA corresponds to a ds_guest_agent process.
NOTE Virtual Agents are matched with VMs based on the latter’s UUID.
This corresponds to the following view of a VMware vSphere client that shows the
aforementioned ESX server. The Virtual Machines tab provides details for each VM, to include
their BIOS UUIDs.
You can also view a VM’s UUID by opening its VMX file (configuration file). For example, the
VMX file for the CentOS VM is CentOS.vmx.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 203
Trend Micro Deep Security Support Track
uuid.bios = "42 3a d4 fc 9c e2 e5 b7‐90 82 a9 b5 34 cd ce aa"
vc.uuid = "50 3a e8 ff b4 26 d0 ce‐c6 45 28 91 e2 f6 1c 38"
The screen capture below shows the VA directories the guests directory of the GECS-DSVA
appliance.
NOTE In version 7.0 ESX preparation was separate and distinct from the DSVA
deployment process. Both wizards were linked in 7.5, so that users had the option to
start the deployment wizard immediately after completing the preparation wizard. This
design has been retained in 8.0
204 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
● ESX preparation
● DSVA deployment
ESX preparation
The following vCenter events record the preparation process. Note that these entries start from
the bottom and progress upward.
Important: VMs on an ESX server will lose network connectivity when their host goes into
maintenance mode. For this reason, the DSM, Center Server, and vShield Zones Manager
cannot be installed on VMs that are hosted on the server that is being prepared.
Early in the DSVA activation wizard, administrators are presented with the following option.
Choosing “No” sets the wizard to wait for 10 minutes for the ESX server to go into
maintenance mode, before verifying the status of the attempt. During this interval,
administrators need to enter the ESX server into Maintanance Mode through using a vSphere
Client, as shown below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 205
Trend Micro Deep Security Support Track
As shown above, a properly prepared ESX server will have at least two vSwitches:
External communication vSwitch – the DSVA uses this for communication with the
DSM. It shares this switch with the VMs that it protects that also use this switch to
connect with the outside network. In the screen capture above, this is vSwitch0.
Internal communication vSwitch – the DSVA uses this to communicate with the kernel
driver. In the screen capture above, this is vmservice-vswitch.
To operate on both switches, the DSVA maintains the interfaces shown below:
For DSM communication on the external switch, it uses eth0, and uses eth1 for the internal
switch from which it receives redirected traffic.
For information, about how to verify the condition of the interfaces, see
Appendix A: Deep dive information > Chapter 11: Protecting virtual appliances
> Connectivity issues
To ensure connectivity between the eth1 the kernel driver, the driver must bind to the IP address
of the vmKernel itself. This IP address is collected during the Center Server addition process,
and the DSVA wizard simply re-uses the information already available.
As shown in the network diagram earlier, the default IP address of the kernel is 169.254.50.1. For
this reason the kernel driver IP address, which is shown in the DSVA deployment wizard – with
strongly worded warnings against modification – must be identical to the default kernel IP
address.
206 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The wizard presents default IP and subnet mask values are should not be changed unless
absolutely necessary. If a change is required, administrators must observe the following rules to
maintain connectivity and protect vMotion functionality.
● DSVAs in the same vCenter must have the same Appliance IP address
● VM Kernel and DSVA must reside within the same subnet to communicate. As a
consequence of the first rule, all appliances must be in the same subnet.
1. The DSM passes a temporary URL to vCenter indicating the location of the DSVA kernel
driver on the DSM
2. vCenter passes this URL information to the ESX server
3. ESX server downloads the kernel driver from the DSM and then enters into maintenance
mode and installs the driver upon itself. Throughout this process the ESX server sends
events to vCenter.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 207
Trend Micro Deep Security Support Track
The key point to emphasize here is that the ESX server must be able to download the driver
from the DSM. If it is not able to do so, then the preparation process will fail.
This deployment design has the following implications:
● The DSM cannot be installed on the ESX server where the DSVA will be installed. Since the
ESX server must go into maintenance mode during preparation, it will lose connectivity with
the DSM
● Preparation failures are often related to connectivity and name resolution issues
Once installation is complete, the ESX server is brought out of Maintenance mode. The end-
result, as seen from the DSM, should appear as follows.
DSVA deployment
Once the ESX is prepared, the DSVA can be deployed. While it is actually possible to deploy a
DSVA to an unprepared ESX server, the appliance would still require preparation of its host
before it could operate.
Like the preparation process, DSVA deployment is done via vCenter which records the
following events.
As shown above, DSVA deployment leverages the VMware template deployment mechanism.
DSVA activation
DSVA activation works the same way as with DSAs. This action enables DSVA self-protection,
and initiates Virtual Agent instantiation functionality.
ACTIVATION PRE-REQUISITE
If the DSVA is deployed to an unprepared ESX machine, it cannot be activated. Activation
attempts would fail resulting in the following error message.
208 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
With the addition of Anti-Malware functionality, the activation process now incorporates EPSec
functionality verification. The following flowchart illustrates the current activation process.
Retrieve Yes No
Network Activate DSVA
Initiate networking Prompt user for vSM details
configuration w/ AM
activation details for vSM details available?
available? functionality
Center server
Yes
No
Fail Connect to
vSM
No
Connection
successful?
Yes
Verify EPSec
components
As shown above, DSVA activation can proceed even if vSM details are not given. In such
situations, the following message appears on the wizard.
It should be noted that Anti-Malware functionality will be absent if vSM information is not
available.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 209
Trend Micro Deep Security Support Track
The wizard uses vSM information logon to the server, and determine if the ESX host upon
which the DSVA is being installed is “EPSec ready”. A host that is “ready” must have the EPSec
service installed and properly registered with vSM.
They can also be activated manual by right clicking on the VM record on the DSM screen.
The VA activation process, however, goes beyond simply establishing communication with the
DSM. It implements changes in the following areas:
● DSVA files and file structure
● VM configuration
Subsequent sub-sections discuss each of these areas.
Aug 8 03:50:57 dsva logger: starting guest uuid=423ad4fc‐9ce2‐e5b7‐9082‐a9b534cdceaa ...
210 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Aug 8 03:50:57 dsva ds_guest_agent[433]: Updating database
/var/opt/ds_agent/guests/423ad4fc‐9ce2‐e5b7‐9082‐a9b534cdceaa/ds_guest_agent.db from
schema version 0 to version 3
. . .
Aug 8 03:50:58 dsva logger: started guest uuid=423ad4fc‐9ce2‐e5b7‐9082‐a9b534cdceaa (1)
The VA created above protects the VM with the following BIOS UUID: 423ad4fc-9ce2-e5b7-
9082-a9b534cdceaa. The VA directory name is based on this UUID. Once the files are created,
the Master Agent starts the VA and protection rules can be applied to the VM.
NOTE The DSVA syslog is stored in /var/log. The in-use syslog is named messages.
Where deactivation of a DSA simply causes the deletion of select files, VA deactivation results in
termination of the VA process, and deletion of its directory from the guests folder. The DSVA
syslog records this as follows:
Aug 8 04:51:16 dsva logger: stopping guest uuid=423ad4fc‐9ce2‐e5b7‐9082‐a9b534cdceaa ...
Aug 8 04:51:16 dsva logger: stopped guest uuid=423ad4fc‐9ce2‐e5b7‐9082‐a9b534cdceaa (0.1)
Select an Interactive tools upgrade retain control over the process. This is the only option
available if VMTools is being installed for the first time.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 211
Trend Micro Deep Security Support Track
212 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
DSA driver
Network Interface
Card
Fragment analysis – this involved inspection characteristics of the individual fragments for
issues and/or problems that could be analyzed without re-assembly of the fragments
Packet analysis – this involved re-assembly of the packet from the individual fragments to
permit more complex analysis of the actual content of the packet
The DSVA used a so-called fast path driver, which was installed on the vmKernel on the ESX
server, to process fragment analysis, while a slow path driver, installed within the individual
Virtual Agents handled packet analysis.
Since version 7.5 Service Pack 1, and continuing into version 8.0, DSVA designers took
advantage of improvements to the vmSafe API, first introduced in ESX 4.1, and re-architected
the process as follows:
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 213
Trend Micro Deep Security Support Track
Verification
Fragment
Micro filter
analysis
Blacklist
Fast path
driver
Reassembly
Packet Firewall
analysis
NOTE The sequence shown above also holds true for packets that originate at the VM
and is destined for either other VMs or the network.
Most processing now occurs in the vmKernel. The DSVA now only process DPI, stateful
configuration, and SSL inspection, and instead of spreading this out to the individual VAs, all
this is consolidated within the DSVA. The relevant components appear below.
214 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
This section will focus on the nature of this communication and when they are necessary.
Disruption of either communication is undesirable, but will not actually disrupt protection
functionality once it is already in place. This section provides information about when either
communication is critical and is divided into the following sub-sections:
● DSVA communication basics
● DSM and VMware Center Server
● DSM and vShield Zones
Traffic between: DSVA & DSM Center server & DSM ESX & DSM
Description This is virtually The DSM needs this This only applies to
identical to the traffic communication to the state prior to
that would transpire receive VM-related DSVA deployment.
between a DSM and events. This includes:
DSA. This consists of:
• VM creation
• Rule updates • VM start/stop
• Log events events
• Heartbeat • vMotion events
messages
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 215
Trend Micro Deep Security Support Track
The Center-Server-only design was implemented to ensure that DSM would be able to support
VMware functionality that required information that would only be available from the Center
Server. An example of this would be vMotion information.
216 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
As shown below, there are three aspects of Center Server communication that can be
reconfigured.
General – this defines basic DSM – Center Server communication. The latter’s host
information, communication port, and logon credentials can be reconfigured here.
vShield Manager – this defines access to the vShield Manager, and is only required when
Anti-Malware functionality is used
Network configuration – this defines the IP address and subnet configuration that DSVA
kernel drivers use when they are deployed to ESX servers. This should not be modified
unless absolutely necessary.
Both the General and vShield Manager tabs feature test buttons for verifying settings. Incorrect
settings will generate the following message within the window.
This can be done from two locations. One location is from the host tree, as shown below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 217
Trend Micro Deep Security Support Track
If the DSM is unable to synchronize with Center Server, it won’t generate alerts or send
notifications to the DSM administrator. But it will record these failures in System Events.
NOTE As shown in the sample, the DSM automatically attempts to re-synchronize every
10 minutes and 21 seconds.
VM creation detection
Among the activities that DSM monitors is VM creation. If it is not able to detect these events,
then it will not be able to automatically instantiate the corresponding virtual agent. The following
diagram shows how VMs are detected.
218 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Bind Fastpath
Bind Fastpath to
vNIC Create filter
instance
Phase 1
Create virtual
agent Create virtual
agent instance
Fork Slowpath
Register
Slowpath
Phase 2
Activate agent
Set config
Set Fastpath
Phase 3 config
As shown in the diagram the process for protecting new virtual machines that do not already
have DSAs installed can be broken down into three phases:
● Phase 1: Bind VM vNIC
● Phase 2: Create virtual agent
● Phase 3: Activate virtual agent
Each time a virtual machine is created, the Center server notifies DSM, thereby prompting the
Master agent in DSVA to instantiate a virtual agent for that VM. Once the virtual agent is
created, administrators can either activate them like they would with a regular DSA, or activate
them automatically using Event based tasks.
Event-based tasks, first introduced in version 7.5 SP1, define system responses when a Virtual
Machine is added or moved to a protected ESX server. The following events can trigger these
tasks:
1. Attempt to activate agent on VM
2. Assign a profile based on the VM’s parameters
The relevant screen appears below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 219
Trend Micro Deep Security Support Track
DSM administrators can manually verify the presence of EPSec components on the ESX by
logging on to the Center Server client, or to the vShield Manager console.
220 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
From the vCenter client, the administrator can choose to use one of the following:
● Command line interface
● Graphical interface
Each option is discussed below.
After entering the appropriate credentials, the appliance offers the administrator a bash shell.
To return to the graphical console, enter Alt-F1.
Graphical interface
To use the graphical interface, press “F2” to open the user authentication dialog box, where
administrators can enter the password to access the console.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 221
Trend Micro Deep Security Support Track
222 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The Show var option show the system variable that in use with the VA.
The Show stats option presents information about the packet analysis activities. This is
comparable to the data that is available via the RATT tool.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 223
Trend Micro Deep Security Support Track
NOTE Prior to Update 1, ESX 4.0 restricted the number of protected VMs to 15
powered-on VMs.
It is, however, possible to increase the number of protected VMs through tuning. See note
below.
224 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The list above shows a solitary protected VM, which would correspond to the following entry in
Computers List
NOTE Disks representing Integrity Monitoring and Log Inspection are greyed out,
indicating their absence.
Administrators can view detailed information about status and security information about the
protected VM from either location.
Additional information about the VM is available from the DSVA console, which is accessible
from vCenter by way of the Virtual Agents menu
Like the sample on the DSM console, there is a solitary virtual agent, which represents the
protected VM. Selecting the VM from the list reveals information about the traffic that the agent
is processing as shown below. Information about the VA’s state table is also visible on this
screen.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 225
Trend Micro Deep Security Support Track
Feature comparison
The following tables compare DSVA-based (Agentless) and DSA-based (In-guest) Anti-Malware
protection.
226 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Security
How it works
The switch between DSVA-based protection and DSA-based protection, and vice versa, is
triggered by DSA status messages using the proprietary Coordinated Approach Status Protocol
(CASP).
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 227
Trend Micro Deep Security Support Track
ESX server
FIOCTL CASP
Filter
DSVA driver DSA
(Fast path)
If protected If protected
by DSVA by DSA
VM
Network
traffic
As discussed earlier in this document, when an ESX server is prepared and DSVA is deployed, a
fast path filter driver is installed on the ESX hyperviser to intercept network traffic on behalf of
the DSVA. When a DSA is installed on a protected VM, it will send CASP messages to the filter
driver, which will initiate the following switching process:
Filter
DSVA Driver DSA
(Fast path)
X
DSVA active
Y
CASP message
Z
IOCTL
[
Switch DSVA to
standby mode
1. An active DSVA is present on the ESX server when the DSA is installed on the VM
2. The DSA sends a CASP message to the filter driver on the ESX server
3. The filter driver generates an IOCTL in response to the CASP message
4. The DSVA receives the IOCTL and the DSVA switches to standby mode
The resulting status message appears in the screen capture below.
228 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
To retain DSA-based protection, the filter driver must continue to receive CASP messages from
the DSA. If a configurable number of CASP messages are missed, then the filter driver will
automatically switch protection back to the DSVA according to the following process:
Filter
DSVA Driver DSA
(Fast path)
X ???
No CASP message
received (default: 2)
Y
IOCTL
Z
DSVA active
The following system setting controls define how often CASP messages are sent, and how many
times it can be missed before the DSVA regains responsibility for protection.
By default, if two messages are missed, the filter driver issues another IOCTL in response, and
the DSVA becomes active again.
CASP messages can also return VM protection back to the DSA once either communication is
restored or the DSA is restarted. The process for this switch is similar to the first diagram,
however, instead of a single CASP message, the filter driver will require multiple messages before
initiating the process. The number of messages is configured using the control shown below.
By default, the filter driver must receive two CASP messages. This requirement was designed to
ensure that connectivity between the DSA and the filter driver is sufficiently stable before
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 229
Trend Micro Deep Security Support Track
placing the DSVA on standby. This reduces connection disruptions caused by the DSVA-DSA-
DSVA switch.
NOTE By design, the DSVA cannot be migrated to another ESX server via vMotion.
230 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
ESX 1 ESX 2
VM VM
VM
communication
VA within DSVA channel VA within DSVA
VA data VA data
Deep Security Relay
During vMotion, the following data, that define a VA’s identity, are compressed into a tar file
and then transferred to the destination ESX server using the default VM communication
channel:
● Certificates used for VA-DSM communication (ds_guest_agent.crt, ds_guest_agent_dsm.crt)
● AM component version information
● System event database (ds_guest_agent.db)
● Miscellaneous vMotion-related data
This communication channel, however, is limited to files that are up to 2KB. This is a concern
for the baseline database (si.db) used for File Integrity Monitoring (FIM), which can become
very large depending upon the IM rules that are applied to the VM.
For this reason IM-related data is transferred through an alternative, proprietary Trend Micro
channel involving a Deep Security Relay (DSR) – a modified version of a regular DSA that
contains an Nginx Web server. In version 8.0, DSRs are responsible for downloading updates on
behalf of its Deep Security network, and then functioning as a local update server. It normally
uses its Web server to distribute component updates.
When migrating a IM-protected VM, the DSVA does the following:
1. Encrypts the IM database on the VA
2. Includes the keys for decrypting the database into the tar file that is transferred using the
default VM channel
3. Uploads the database to the DSR
4. Once the transfer is complete, the VA has 10 minutes to:
4.1. Re-locate the DSR to which it uploaded its IM database
4.2. Download and decrypt the database
If the DSR is not able to download its database within this 10 minute window, or the some other
aspect of the transfer fails, then the VA will rebuild its baseline.
NOTE For details about how the DSVA uploads its database to the Nginx Web Server
on the DSR, see DSR Basics in Chapter 14.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 231
Trend Micro Deep Security Support Track
232 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
a) Microsoft .NET
b) VM Safe API
c) Windows API
a) Firewall
b) Deep Packet Inspection
c) Integrity Monitoring
d) Log Inspection
a) VM Safe API
b) EPSec
c) DSA
d) SSAPI
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 233
Trend Micro Deep Security Support Track
234 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 235
Trend Micro Deep Security Support Track
AMSP basics
The following illustrations show how it fits into a product, and how it compares with previous
Trend Micro Anti-Malware functionality implementation.
Product Product
New
VSAPI SSAPI DCE
technology
Anti‐Malware Solution Platform
New
VSAPI SSAPI DCE
technology
AMSP was designed to facilitate integration of new technologies into a product with –
theoretically – minimal effort.
AMSP turns the product into a user interface generator whose principal function is to capture
Administrator’s security intentions, and then translates these into instructions for AMSP. The
latter is then responsible for leveraging the capabilities of the various technology plug-ins to
convert those intentions into action.
In a DSA installation, the DSA and AMSP actually exist as separate entities under the Trend
Micro folder.
236 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The modules that make up AMSP can be grouped into the following functions:
Product
AMSP
(e.g., Deep Security)
Request
Core framework Action
Client library
(Administration &
(Product interface)
updates)
Technology plug‐ins
(Scan engines, patterns,
system hooks, and
Result
scan flows)
Core framework – this is a collection of files and libraries that are responsible for managing
and using the various technology plug-ins, and obtaining component updates from the
Trend Micro update center so that the plug-ins provide timely and relevant protection.
AMSP is actually separate and distinct service from the DSA, as appears below.
Technology plug-ins – these refer to the various Trend Micro scan engines (e.g., VSAPI,
SSAPI, DCE), their patterns, their corresponding drivers for hooking into the operating
system, and associated libraries that allow the AMSP framework to use them. These are
called “plug-ins” because AMSP is designed to accommodate additional technologies.
Client library - products that use AMSP, such as the Deep Security Agent, use an AMSP
client library to interface with the AMSP Core framework. The product receives the
Administrator’s user input, and then uses the client library to translate this into requests
that the Core framework then uses to configure protection.
AMSP components that make up the Core Framework and Plug-ins are stored in individual
folders in the following location: <install path>\Trend Micro\AMSP\module.
Each component is assigned an ID number, which is also used as the name of its sub-folder
under the module folder. For example, the AMSP module responsible for updating AMSP
components is called the coreUpdateManager.dll. Its ID is “7”, so it is stored in sub-folder “7”:
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 237
Trend Micro Deep Security Support Track
Within this sub-folder is another folder named after the component’s version. In this example
the coreUpdateManager.dll is version 2.1.1134.
NOTE DSAs also use the Trend Micro URL Filtering Engine (TMUFE) for Web Reputation
Services functionality, but interfaces with this engine directly, outside the AMSP
framework.
These engines work together to provide full protection. VSAPI detects and removes file-based
components of malware, while SSAPI and DCE address malware-related system alterations
outside the file system (e.g., malware processes in memory, Registry entries, Layered Service
Providers in the protocol stack, etc.)
In addition to the engines above, AMSP uses a multi-function assemblage of components called
Eyes. It consists of several User Mode and Kernel Mode sub-components. These are:
Tmevtmgr – Event-hooking component. It registers with the Windows OS Filter Manager
as mini filter driver, thus giving it visibility into Input / Output Request Packets (IRP) to
the file system
Tmactmon – User mode communication component. It receives events from Tmevtmgr
and passess this to Tmsysevt.dll in user mode
Tmsysevt.dll – User mode interface to Eye kernel components. Passes events to the Real
Time Scan Flow controller which it uses to initiate scans
Tmcomm – provides utility functions for other kernel mode drivers and contains the logic
for the Rootkit Common Module (RCM)
238 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Eyes
Application
tmcommtapi tmsysevt AMSP
Create / write
User mode
Kernel mode
IRP
Filter
I/O Manager tmcomm
manager
tmevtmgr tmactmon
File system
driver
When applications create, write, or read files, they create I/O Request Packets (IRP) to the File
System driver through a Windows kernel component called the I/O Manager. Since Windows
2003, the I/O manager provided third-party applications (e.g., security, anti-malware) visibility
into the IRP exchange through another component called the Filter Manager. Third-party drivers
– called mini filter drivers -- register themselves with the Filter Manager, which then passes the IRP
to these drivers.
NOTE All mini filter drivers are registered with Microsoft Corp, which assigns “altitude”
numbers that determine their IRP receipt priority. Security software, for example, typically
receive IRPs before other applications.
Responsibility for making sure these engines work together, and are used appropriately rests
upon AMSP, particularly a component called Scan Manager (coreScanManager.dll). This
component is responsible for starting, stopping, and resuming scans.
DCE
components
SSAPI
components
The relationship between the Scan Manager and the various engines can be likened to a
craftsman and his tools. To use a tool, a craftsman must know what the tool is for, and possess
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 239
Trend Micro Deep Security Support Track
the requisite skills for it. In the Scan Manager, the engines are its tools, and the tool-usage
knowledge is contained within internal functions called scan handlers.
Scan Manager
Rootkit Common
Driver scan
Module
handler
(Eyes)
Damage
Cleanup DCE
DCE
Scan wrapper
handler
Process
Scan
handler
File Scan
handler
Scan flow VSAPI
VSAPI
controller wrapper
Boot Scan
handler
Memory
Scan
handler
Spyware
SSAPI
Scan SSAPI
wrapper
handler
When a scan request requires, for example, a scan of the file system, the Scan Manager uses its
File Scan handler to call VSAPI to perform the scan. In this version, the Scan Manager
incorporates the following scan handlers:
240 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
File scan handler Responsible for calling VSAPI to Receives information from a file
scan files that are not covered by system driver that detects file I/O
file-related exclusions (e.g., file, events and then uses VSAPI to
folder, file extension). analyze the event
Boot scan handler Uses VSAPI to scan the Master Boot N/A
Record (MBR)
Spyware scan Uses SSAPI to scans the host for the N/A
handler following Spyware-related artifacts:
• Processes
• Services
• Cookies
• Registry entries
• Shortcuts
• Layered Service Providers
• IE plugins
• Add/Remove Programs entries
• Windows policy settings
• Host file changes
In addition to the Scan Engine Wrappers, Scan handlers also interact the following other AMSP
components:
Query
Response
Scan request
Action request
Action result
Before a scan handler sends a scan request to scan engine components, it first verifies the
relevant exclusion lists to determine if product settings permit the scan. It only sends the scan
request if it the scan object’s characteristics do not match the exclusion list.
For information the contents of exclusion lists, see Exclusion on page 257.
Once the scan handler receives the result of the scan, it calls Action Manager
(coreActionManager.dll) to take appropriate action upon whatever was scanned. This “action”
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 241
Trend Micro Deep Security Support Track
can leverage the capabilities of one or a combination of scan engines. Quarantine operations,
however, are handled by the Action Manager itself.
The action result is sent to the Report Manager (coreReportManager.dll), which is responsible
for returning threat detection and scanning status information back to the AMSP.
The scan handlers used for a scan depends on the nature of the scan: Real-time or
Manual/Schedule scan. Each scan type has its corresponding scan controller which contains the
scanning logic required to accomplish a particular type of scan. Scan manager uses the scan flow
information in the scan controllers to determine which engines are used, when they are used, and
in what order.
Real-Time
Scan Flow
Controller
Scan Scan
Manager engines
Manual
Scan Flow
Controller
Real-Time
Scan cache
Real Time
Scan Scan
Scan Flow
Manager engines
Controller
Common Manual
cache scan
242 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The Common cache includes files that are part of the Good Company List, which is stored in
tmwhlchk.ptn.
EPSec DSVA
Initial evaluation
2nd evaluation
File event (Cache & simple Send 1st block Start VSAPI
(IntelliScan
detected exclusion lists of file data scan
[optional])
[optional])
Send additional
file information
Determine
appropriate
action
Take action
In addition to detecting events, EPSec is also responsible for maintaining the scanning cache, to
avoid redundant scanning of files that were not actually modified. If non-IntelliScan exclusion
lists are used, these are also implemented by EPSec on the VM side of the process.
If EPSec determines that a file requires a scan, it is responsible for sending the appropriate data
to DSVA. DSVA, where the VSAPI scan engine resides, is then responsible for detecting the
presence of malware. If malware is detected, it determines the appropriate action based on scan
configuration settings, and then instructs EPSec to implement the action.
The diagram below shows a “clean” scan action.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 243
Trend Micro Deep Security Support Track
VM DSVA
VSAPI
Read Clean
File Renamed
(Infected) file
Memory
File
(Infected file
overwritten)
Once VSAPI confirms the presence of malware, a copy of the file that was locked earlier is
created in a temp folder on DSVA for cleaning. The copy is given a random name that DSVA
maps to the original file. Once cleaned, EPSec overwrites the original file with the cleaned
version of the file.
As will be explained in Actions on page 232, DSVA can be set to perform a host of actions. If
the scan action is “delete”, then DSVA simply instructs EPSec to delete the file. If the action is
quarantine, then the copy is in Temp is transferred to the quarantine folder, and then EPSec is
instructed to delete the file.
LIMITATIONS
Agentless AM functionality is limited to file-based malware. It can deal with the file
components of Trojans, but cannot undo the damage that they create since Damage
Cleanup Services (DCS) is not resident on the VM. It also cannot deal with non-file
components of Spyware (e.g., shortcuts, Registry changes, LSPs, etc.)
244 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
NOTE Ideally, the names of the configurations describe the scan types that use them.
However there are actually no restrictions as to what configurations a particular scan type
can use.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 245
Trend Micro Deep Security Support Track
For as long as a host has at least one configuration, the orb on the Anti-Malware icon will appear
green. Otherwise it will appear blue.
RTS IN DSA
The Real-Time scan flow controller initiates scans in response to input from the following
components:
Real Time
Scan Scan
Eyes Scan Flow
Manager engines
controller
As discussed in the About technology plug-ins section, Eyes interfaces with the Windows OS
Filter manager to gain visibility into Input/Output (I/O) events. If the I/O event is malicious,
then AMSP will prevent it.
RTS IN DSVA
The following illustration shows how this feature works.
ESX
DSVA VM
Application File
File access
request (I/O
VSAPI event) Intended
destination
of I/O event
Guest OS kernel
Anti-Malware
VM Tools
daemon
As applications, both benign and malicious, attempt to access files within the VM, EPSec-related
system drivers that are included in VMTools detect the Input/Output (I/O) event, and send data
about the file being accessed to DSVA for analysis. If malware is detected, DSVA is able to
leverage VMTools functionality to prevent the malicious change.
246 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
SCANNING ON DSA
When the Manual Scan Flow Controller notifies the Scan Manager to perform a scan, its internal
scan handlers call the enumeration utilities for their respective engines. For example, to perform
memory scan it needs the utility that lists all running processes, for file scan, it uses the utility
that lists all the files and folders on the file system, etc.
The Manual Scan Flow controller requests the Scan Manager to use its scan handlers in the
following order:
1. Driver scan handler
2. Damage Cleanup scan handler
3. Process scan handler
4. Memory scan handler
5. Boot scan handler
6. Files scan handler
7. Spyware scan handler
NOTE The AMSP implementation in this version of Deep Security only implements “Full
Scan”, and does not perform “Quick Scan”. Whereas Full Scan enumerate all files on a
disk, Quick scans only enumerate run keys, and do not involve the Boot Scan Handler,
thus resulting in a faster, but less thorough, scan.
SCANNING ON DSVA
The DSVA requests the EPSec components within VMTools to perform enmueration. This
process is shown below.
ESX
DSVA VM
VSAPI
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 247
Trend Micro Deep Security Support Track
Unlike the DSA that can analyze multiple system areas (e.g., registry, etc.), as of writing, EPSec is
limited to the file system.
SCAN TRIGGER
For the most part, both Manual and Scheduled scan work the same way. The principal difference
between the two being in the way they are started.
Important: Scheduled scans will only scan one virtual machine at a time to avoid resource
contention issues. This is not configurable in this version.
As with other recurring tasks within Deep Security, Scheduled Scans are set using the Scheduled
Task wizard.
Administrators can initiate manual scans from three locations. Two options are available at the
Computers list. The scan button on menu shown below is one option.
Alternatively administrators can right-click one of the host records and then click Actions >
Scan for Malware, as shown below.
248 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The final option can be found on the VM’s details screen, under the Anti-Malware section.
Aborting scans
Deep Security allows administrators to pre-terminate scans – both manual and scheduled. To be
able to abort a scan, the following conditions must be met:
● Administrator must have update rights to the appliance
● The appliance must not be locked
● Direct communication with the client is possible. This cannot work with appliances with
agent-initiated communication
If all three conditions are satisfied, administrators can abort the scan by selecting the button
shown below
Alternatively, administrators can right click the appliance on the Computer list, and then select
Actions > Abort Malware scan.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 249
Trend Micro Deep Security Support Track
Scan settings
These settings define the scope and nature of the scan. The portion of the scan configuration
screen devoted to these settings is shown below. Each group of setting is discussed in their
respective sub-sections below.
250 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
FOLDERS TO SCAN
This option allows administrators to define the file system areas that are scanned. A directory list,
like the one shown below, is used to restrict scanning to specific folders.
FILES TO SCAN
The settings in this section define scan coverage. Administrators can manually specify the kinds
of files to scan by selecting Specified file extensions, and using a file list component. Note that
this option relies on file extensions, which may not necessarily indicate the true nature of the file.
Alternatively, administrators can rely on Trend Micro recommendations by choosing “All file
types” or “Intelliscan”. These two options have very subtle differences which are illustrated by
the following diagram.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 251
Trend Micro Deep Security Support Track
Skip file
No No
Safe file High-risk file File size
type? extension? <=70KB
A A
All files
Skip file
No What is
High-risk
Begin scan the scan
file type?
coverage
Yes Intelliscan
B B
No File size No
High-risk file
<=70KB and
extension?
*.COM
Yes Yes
Scan file
NOTE The scan-coverage assessment process is, for the most part, the same for both
IntelliScan and All scannable files. The only difference being the absence of Step 2 for
IntelliScan, and in the decision criteria in Step 4.
The process illustrated above can be divided into the following steps
● Step 1: Determine if the file can be infected
● Step 2: Determine if the file cannot be infected
● Step 3: File extension assessment
● Step 4: File size and/or COM verification
Both steps 1 and 2 use file header information to determine a file’s true file type.
252 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
NOTE Like in the previous step the scan engine uses built-in and pattern-based file
type information to identify these types of files.
If a file falls in this category, then the file is not scanned. Otherwise, the process proceeds to step
3
A DSVA / DSA that is set to scan All files will not scan any file smaller then, or equal to, 70KB.
If it is set to use IntelliScan, DSVA will only skip scanning files of this size if they files that do not
have header information such as *.COM files as identified by their file extensions.
Tip True-file-type indentification does not work with .COM files because of the lack of
the necessary header information.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 253
Trend Micro Deep Security Support Track
Exclusion
Scan exclusions prevent DSVA / DSA from scanning selected files, file types, and/or folders. In
an effort strike a balance between security and performance, administrators can use this
functionality to manage the impact of Anti-Malware scans on their systems.
This section is divided into the following sections
● Exclusion options
● Implementing exclusions
● Recommended exclusions
EXCLUSION OPTIONS
The first exclusion option was already discussed in the Files to scan sub-section: IntelliScan.
IntelliScan uses true file type information, or the absence of this information, to decide which
files would be scanned, and which ones would not.
The remaining options can be found in the Exclusions tab of scan configuration properties
screens, as shown below.
Directory lists
254 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
File lists
In addition to the exclusion lists, there are two additional types of exclusions:
● IntelliScan-related exclusions
● Shadow copies
IntelliScan exclusions deal with specific file types and sizes, as explained in Files to scan section.
Shadow copies are older versions of shared files or folders that file servers maintain for a pre-
determined amount of time. They are designed to facilitate recovery of shared objects that may
be inadvertently deleted.
Backup processes take longer to finish when real-time scanning scans these files. There are also
instances when real-time scan detects an infected file in these copies but cannot enforce the scan
action because shadow copies are read-only files. These files are excluded by default.
Intelliscan-related exclusions
z
Shadow copies
z
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 255
Trend Micro Deep Security Support Track
Important: This division of responsibility is the primary factor behind the differences between
exclusion behavior in the DSA and the DSVA. See next section.
Scan configurations allow administrators to specify file extensions to include in, or exclude from,
a scan. The EPSec Thin Agent can only implement one of these options. So if a scan
configuration uses a list of file extensions to scan, this list will be sent to the EPSec component,
and file extension exclusions – if any – will be processed on the DSVA.
HOW THE DSA AND DSVA DEAL WITH FILE PATHS IN EXCLUSIONS
The EPSec module currently requires path information for excluded files. This results in the
following differences in DSVA and DSA exclusions.
RECOMMENDED EXCLUSIONS
Scan exclusion functionality must be used judiciously. The greater the number of system areas
are excluded from scanning, the number of entry vectors that malware could exploit also
increases.
Exclusion-related recommendations in Trend Micro best practice documents dwell on the
following common exclusion targets:
Quarantine folders – if another Anti-Malware product is present on the protected machine
(e.g., Trend Micro ScanMail for Exchange protecting an MS Exchange server), then
scanning the quarantine folder of that product would be redundant – since any file
found there has already been flagged as malware.
Volume shadow copies - shadow copies are older versions of shared files or folders that
file servers maintain for a pre-determined amount of time. They are designed to facilitate
recovery of shared objects that may be inadvertently deleted. If these are scanned while
backups are in progress, it may take longer for the process to complete.
256 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Files that are subject to constant change – these include log files, transaction files,
mailboxes in email applications, physical database files, etc. Since scanning entails
locking files during scanning, this process can cause latency in applications that use these
files.
Actions
The settings shown below define what the agent/appliance does when it detects malware. The
first option is called ActiveAction. With this option, the administrator relies on Trend Micro action
recommendations that are stored within the VSAPI pattern. Trend Micro antivirus engineers
define these actions based on their analysis of various malware types.
Alternatively, administrators can specify the action to be taken upon malware, as shown below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 257
Trend Micro Deep Security Support Track
Options
This section has three sub-sections
● General options
● Real-time scan options
● Alerts
Alerts are the same as with other security features, and define whether or not a malware event
generates an alert on the DSM. The first two options are discussed here in greater detail
General options
These options are shown below.
Enabling Spyware/Grayware scan sets Deep Security to scan for the file components of spyware
using the Spyware Active Monitoring Pattern.
Important: Spyware components in the Windows Registry, network stack, etc. will not be
cleaned in this version.
The Scan compressed files option specifies how Deep Security analyzes compressed files and
archives. When enabled, the following will occur.
Anti-
EPSec VSAPI
Malware
Obtain copy of
compressed file
Uncompress file
Return result
Scan file
Instruct EPSec to take
action
258 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Scan files when defines the I/O events Real-time scan traps. Note that files that are opened for
exclusive write only, and are not read, are not scanned.
The Enable IntelliTrap option enables Trend Micro’s solution for “Packed malware”. This is a type
of malware that use compression algorithms to evade detection.
Deep Security implements this feature in a straightforward manner: If it is enabled, all files will
be scanned using this functionality. This is in contrast with other Trend Micro products that only
implement IntelliTrap in specific system folders.
IntelliTrap uses two patterns:
IntelliTrap pattern – this file, named tm_black.<version>, contain heuristic rules that are
used to detect known malware that use real-time compression techniques.
IntelliTrap exclusion list – this pattern, named tm_white.<version>, contains a list of files
that are excluded from action
VSAPI uses these patterns in conjunction with the main antivirus pattern as shown below:
TmWhite > LPT$VPN > TmBlack
NOTE This only applies to DSAs. The DSVA will ignore this setting.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 259
Trend Micro Deep Security Support Track
The terms “High”, “Medium”, and “Low” are all in reference to the DSA’s priority with regard
to CPU resources. The higher the setting chosen for this feature, the higher the priority that is
given to the DSA, and consequently the greater the impact on other operations taking place on
that machine while a scan is in progress.
About Quarantine
Among the four scan actions listed above, the Quarantine action is most complication option to
execute, because it involves a multitude of modules beyond the scan engine. For this reason, it
discussed in its own section, which is divided into the following:
● Quarantine operations
● Sizing and limitations
QUARANTINE OPERATIONS
Quarantine functionality was designed to give administrators a chance to verify if the file that
was flagged as malware really was a malicious file. For this to work, administrators must receive
notifications when files are quarantined, and must have a means to access the quarantined files.
This section focuses on the mechanisms that allow Deep Security to satisfy both requirements,
and is divided into the following sections.
● Alerts and events
● Quarantine in DSA
● Quarantine in DSVA
● Working with quarantined files
● Restoration
● Limitations
260 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Quarantine in DSA
Quarantine functionality on the DSA is based on the AMSP backup mechanism. Whenever
AMSP performs a scan action that results in a change in a file (i.e., clean, delete, quarantine), it
creates a backup in the following location.
The following AMSP_DebugLog.log entries correspond to the creation of the file above.
2012/01/04 16:28:39.437,[01052:01036],[INFO],[Plugin VSAPI], SM handle was not
initialized,[.\vsapi_implementation.cpp(2327)]
2012/01/04 16:28:39.438,[01052:01036],[INFO],[Core Scan Manager], ScanCallBackFunc(): Virus
found!, file path: \\?\C:\Users\Administrator\Documents\eicar\Test ‐ Copy
(9)\eicar.com,[.\AMSP_VsapiProcessFileCallback.cpp(186)]
2012/01/04 16:28:39.438,[01052:01036],[INFO],[Core Scan Manager], ScanCallBackFunc(): Virus
Name: Eicar_test_file,[.\AMSP_VsapiProcessFileCallback.cpp(187)]
. . .
2012/01/04 16:28:39.447,[01052:01036],[INFO],[Core Action Manager], Backup file path =
C:\Program Files\Trend Micro\AMSP\quarantine\AMTITEF0.10C,[.\ActionHelper.cpp(178)]
. . .
2012/01/04 16:28:39.448,[01052:01036],[INFO],[Core Action Manager], result.pwszBackup:
C:\Program Files\Trend Micro\AMSP\quarantine\AMTITEF0.10C,[.\ActionHelper.cpp(100)]
Note how the backup is stored in the quarantine folder. That means that whenever the DSA
cleans, deletes, or quarantines a file, the action will create a quarantine event.
Consider the following AMSP_DebugLog samples taken from tests involving the Eicar test file.
The column on the left is from a test where the scan action was “Quarantine”, while on the log
on the right, the scan action was clean. To generate these logs, the log level in AmspConfig.ini
was set to “2”.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 261
Trend Micro Deep Security Support Track
2012/01/04 2012/01/04
16:17:51.759,[01052:00752],[INFO],[Core 16:28:39.440,[01052:01036],[INFO],[Core
Action Manager], Value: Action Manager], Value:
0xc,[.\ActionManagerImp.cpp(174)] 0x3,[.\ActionManagerImp.cpp(174)]
... ...
As appears above, the action ID for Quarantine is 0xc, while a clean action has a value of 0x3.
2012/01/04 2012/01/04
16:17:51.759,[01052:00752],[INFO],[Core 16:28:39.441,[01052:01036],[INFO],[Core
Action Manager], Default Action: Action Manager], Default Action:
0xc,[.\ActionManagerImp.cpp(423)] 0x3,[.\ActionManagerImp.cpp(423)]
2012/01/04 2012/01/04
16:17:51.764,[01052:00752],[INFO],[Core 16:28:39.445,[01052:01036],[INFO],[Core
Action Manager], Default Action: Action Manager], Default Action:
0xc,[.\ActionManagerImp.cpp(462)] 0x4,[.\ActionManagerImp.cpp(462)]
... ...
In addition to the user-defined action, the Action Manager also applies a hidden secondary
action in the event the user defined action fails. For quarantine, the secondary is quarantine
again since this actually an option is not expected to fail. For clean, on the other hand,
secondary action is 0x4 – the action ID for delete.
2012/01/04 2012/01/04
16:17:51.764,[01052:00752],[INFO],[Core 16:28:39.445,[01052:01036],[INFO],[Core
Action Manager], result.nPreviousAction: 0, Action Manager], result.nPreviousAction:
result.nPreviousActionResult: 0x3, result.nPreviousActionResult:
0,[.\ActionHelper.cpp(101)] 0xe0ff0022,[.\ActionHelper.cpp(101)]
2012/01/04 2012/01/04
16:17:51.764,[01052:00752],[INFO],[Core 16:28:39.445,[01052:01036],[INFO],[Core
Action Manager], result.nAction: 0xc, Action Manager], result.nAction: 0x4,
result.nActionResult: result.nActionResult:
0xe0ff0001,[.\ActionHelper.cpp(102)] 0xe0ff0001,[.\ActionHelper.cpp(102)]
2012/01/04 2012/01/04
16:17:51.764,[01052:00752],[INFO],[Core 16:28:39.445,[01052:01036],[INFO],[Core
Action Manager], result.nSuggestedAction: Action Manager], result.nSuggestedAction:
0xc,[.\ActionHelper.cpp(103)] 0x4,[.\ActionHelper.cpp(103)]
... ...
In this part of the log above, the result of the desired action appears as well as the action
actually taken. For quarantine, the action is recorded as a success – the file was deleted. On
the otherhand for the clean action, it shows that the clean (0x3) action failed, and the
secondary action of delete (0x4) actually took place.
In both instances a copy of the malware that had been scanned is created in the quarantine
folder, as appears below.
2012/01/04 2012/01/04
16:17:51.766,[01052:00752],[INFO],[Core 16:28:39.447,[01052:01036],[INFO],[Co
Action Manager], Backup file path = re Action Manager], Backup file path =
C:\Program Files\Trend
C:\Program Files\Trend
Micro\AMSP\quarantine\AMSV4U80.0NG,[.\Act
ionHelper.cpp(178)]
Micro\AMSP\quarantine\AMTITEF0.10C,
[.\ActionHelper.cpp(178)]
Quarantine in DSVA
As introduced in the Anti-malware protection section on page 199, a quarantine action proceeds
as shown below.
262 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Anti- Quarantine
EPSec VSAPI
Malware folder
Return result
Each Virtual Agent has its own quarantine folder. A sample with three quarantined files is shown
below.
VSAPI
Read Clean
File Renamed
(Infected) file
Memory
File
(Infected file
overwritten)
If the file cannot be cleaned, then the renamed file would be transferred to the Quarantine folder
on the DSVA and the original infected file would be deleted. If the original scan action chosen
were Quarantine, then the cleaning attempt would be skipped altogether.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 263
Trend Micro Deep Security Support Track
The Quarantined file list enumerates the files that have been quarantined
To either download or delete the files, administrators can select one or several entries in the
quarantine list, and click either the download or delete option from the menu below.
Both download and delete options start a short two-step wizard that serves to provide status
information on the operation, as well as to give administrators the option to abort the action.
The follow illustration shows what happens in the background.
Validate command
Start wizard
Prepare synchronous
requests for each file-host
combination
264 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Step 4 – the wizard thread processes selected files one at a time, for each host-file
combination
Step 5 – the progress bar appears on the DSM console, and the DSVA acts upon the
quarantined file
Step 6 – quarantine functionality leverages the same file download mechanism used in the
diagnostic package. A zip file containing the quarantined files will be downloaded to the
Temp folder of the browser that requested it. The resulting file looks like the one shown
below.
QuarantinedFiles_20100805143353‐3C48[1].zip
NOTE The naming convention used for the quarantine file is as follows:
QuarantineFiles_<server upload time stamp yyyMMddHHmmss>-<4 characters from
GUID>.
Restoration
Once a product is quarantined, there is currently no way to reverse the operation from within
Deep Security. The variety of valid actions that the owner of the quarantined file could take,
independent of the system (e.g., replace it with a valid clean file), that could then be inadvertently
undone by Deep Security were simply too plentiful to consider.
For this, and other, reasons, Deep Security administrators are simply given tools with which they
can manually restore quarantined folders to their original locations. At the final screen of each
wizard, administrators are given a link to a restoration tool.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 265
Trend Micro Deep Security Support Track
Clicking the link downloads a self-extracting zip file called QFAdminUtil_win32.exe. This tool is
stored on the DSM at the following location
Extracting this file yields the three other files shown below.
To decrypt the file, extract the contents of the ZIP file downloaded from the quarantine list. The
result should be similar to the following file.
266 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
After clicking Open, the original name of the file should appear in the file name field. Choose a
safe location for saving the file.
LIMITATIONS
Administrators can configure disk space limitations for quarantine functionality at the Anti-
Malware tab on the System Settings screen.
The DSA and DSVA implement this setting in the following manner:
In-guest protection / DSA – this defines the amount of disk space on the DSA allocated
for quarantined files
Agentless protection / DSVA – this defines the amount of space used within the DSVA.
All VAs share this space.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 267
Trend Micro Deep Security Support Track
If a VM is either deactivated or migrated to another ESX server, its quarantined folders in the
DSVA will be deleted.
The following table shows what happens when this limit is reached
Agentless protection / The Quarantine action will fail, and the I/O event that triggered
DSVA the quarantine action will be blocked.
In-guest protection / DSA The oldest quarantined files will be deleted until 20% of
allocated space is freed up.
EPSec DSVA
File Open /
Close event
detected
Yes
File covered by
folder or extension
exclusions?
No
Yes
Send additional
Is part Yes data about the
Invalidate file
of a “write”
cache entry
operation?
No
No Has a Yes
change occurred Take action
since last
scan?
268 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
As a resource conservation measure, EPSec starts the scanning process by determining if the file
is really worth sending to DSVA for scanning. It references two resources to make this
assessment:
● Exclusion lists
● File cache
EPSec is responsible for implementing all exclusion lists short of IntelliScan. If the I/O event
corresponds to a file in either list, then the file is skipped.
The second reference is the file cache. The file cache contains identifying information about files
that had already been scanned before and were not infected. If a file is found in the cache,
remains unchanged, and was not involved in a write operation, then it is not scanned.
However if the file is involved in a write operation, then it is always scanned. Its cache record is
then updated using data from this event.
Once the need for a scan is ascertained, EPSec sends first of what may be several data transfers
to DSVA. The first request involves the first blocks of data from the file. VSAPI on DSVA uses
this first segment of information to determine things like true file type, etc. Depending on the
results of the first batch of data, VSAPI may request additional segments of the file. If malware is
detected, the whole file may be sent to DSVA for processing.
Important: Once the first 8KB of data is sent to DSVA, the file is locked with a FileOpen
command. It will remain locked until VSAPI tells EPSec to take the appropriate action on the
file.
Once VSAPI determines the appropriate action that must be taken upon the infected file, DSVA
sends an action request to EPSec, which then takes responsibility for implementing the
corrective action.
For information about scan actions (e.g., clean, quarantine, etc.), see Actions on page 231.
The diagram below show the actions for which DSVA is responsible.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 269
Trend Micro Deep Security Support Track
DSVA
EPSec
Yes
Evaluate Determine scan type Use Covered by
event based on (Real-time/Manual/ corresponding additional Skip file
1st block of file Scheduled) scan settings exclusions?
No
Request additional
Start VSAPI
information about
scan
the file
No
Read file Malware
data detected?
Yes
Take Take
action action
Unblock file
Like EPSec, DSVA also works to avoid redundant scanning. After receipt of file data, it
determines the type of scan that initiated the scan. As discussed in the previous section, each
scan type (Real-time, Manual, and Scheduled scan) has corresponding scan settings, which
includes scanning scope: All files scan or IntelliScan. If the file does not match the scanning
criteria set by either scope, then the file is skipped. Otherwise, the data is passed to VSAPI.
The specifics of how VSAPI detects malware are beyond the scope of this document. However
it is important to note the following:
● The steps “Request additional information about the file” and “Read file data” can occur
several times depending on the query results
● VSAPI can request EPSec to return different parts of the file for its analysis
270 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 271
Trend Micro Deep Security Support Track
If the file being analyzed does not match any signatures in the Smart scan agent pattern, then the
scan engine queries the smart scan server for additional information. Before it performs the
query, however, the scan engine first checks a local index of the information on the smart scan
server to determine the likelihood that that the server contains relevant signatures. If it finds that
there are absolutely no possible matches for the file on the scan server, then it flags the file as
safe, and no further analysis of the file takes place. The file is not malware.
Otherwise, it downloads signatures from the scan server to continue with the analysis. The scan
engine then takes the appropriate action if the file is flagged as malware.
Total 32,821KB
272 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
For the most part, Smart scanning works the same way as conventional scanning. The difference
lies in the presence of the iCRC handler, shown below.
From a purely Deep Security perspective, this is how the scan works:
8. The DSA/DSVA receives data about a file that needs to be scanned, which it then passes to
VSAPI for analysis.
9. Instead of referencing a VSAPI pattern (lpt$vpn.xxx), the scan engine requests malware
identification information from the iCRC handler.
10. The iCRC handler works to retrieve the necessary information. When necessary, it references
the external CRC database that is stored on what is called a Scan Server.
11. After retrieving the information, the handler returns this information to the scan engine,
which then acts upon the file as required
The ICRCHandler is the component that is largely responsible for Smart scan functionality. It is
responsible for the following functions:
● Send queries to the Scan Server and receive the corresponding replies
● Verify Scan Server connectivity
● Provide the OfficeScan client with interfaces with which it can control Smart scan settings
● Load/unload Smart scan-related components
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 273
Trend Micro Deep Security Support Track
DSVA/DSA cycles through the scan servers in the list in the order they are listed. This list must
be filled with at least one syntactically correct entry, otherwise the following error is generated
and feature enablement will fail.
If for whatever reason the DSVA fails to connect to any Smart scan server, the DSM will
generate an alert as shown below.
274 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
NOTE Trend Micro PC-cillin and variants of the Trend Micro InterScan product family
also have Web threat protection functionality. Although all these products access the
same classification database that Deep Security uses, the act upon the information
differently. Deep Security implementation is more closely related to OfficeScan.
Block site
Yes
Retrieve No
Host Compare
Website Threshold Grant access
accesses score with
score from exceeded? to site
Website threshold
Trend Micro
Web threat protection functionality permits or prevents access to Web sites based on their
numerical security ratings – hereinafter refered to as credibility scores. Deep Security administrators
determine the types of sites that are blocked by configuring the security levels in the global Web
threat protection policy.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 275
Trend Micro Deep Security Support Track
Important: The URL filtering engine is not actually involved in the URL blocking function. It
merely provides the information necessary for the blocking decision.
SAMPLE SITES
Trend Micro maintains sample sites for purposes of testing/demonstrating blocking and
score retrieval functionality. These are the WRS equivalent to the EICAR test file. The
following table lists these sites and their corresponding scores:
Credibility URL Credibility URL
score score
91 wr91.winshipway.com 51 Wr51.winshipway.com
81 Wr81.winshipway.com 41 Wr41.winshipway.com
71 Wr71.winshipway.com 31 Wr31.winshipway.com
61 Wr61.winshipway.com 21 Wr21.winshipway.com
276 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
● Score evaluation
About ratings
A Web site’s security ratings determine whether or not agents/appliances permit or prevent
access to that site. This section focuses on these ratings, and is divided into the following sub-
sections:
● About credibility scores
● URL rating process
● Dealing with false positives
Important: Due to the volume of site-related information that is collected, a portion of the
sites in the database are given an interim category called unrated.
Deep Security will block a site if its score is equal, or less, than the threshold value that a specific
security setting prescribes. As discussed in Score evaluation on page ___, currently the lowest
security setting uses a threshold score of 50. Based on the table above, a DSA/DSVA using this
setting will always block known malicious sites since these sites are assigned a score of 49.
Yes
Antivirus team
analyses the
application
As shown above the rating process can be divided into the following steps:
● Step one: Accept URL to be rated
● Step two: Evaluate if the URL downloads an application
● Step three: Score assignment process
● Step four: Add score to rating database
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 277
Trend Micro Deep Security Support Track
Score retrieval
The diagram below provides additional details about the credibility score retrieval process.
Deep Security
DSA or
DSVA
278 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
NOTE Administrators can specify proxies at the global, profile, or even host level.
Score evaluation
The following flowchart illustrates the URL analysis process.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 279
Trend Micro Deep Security Support Track
On Yes
Start URL Do not block
approved End
analysis site
list?
No
Yes
On deny list? Block site
No
Existing Yes
Use existing
rating in
rating
cache?
Evaluate Perform
No
score action
Request WRS
score from
rating server
Tip The DSVA and DSA will lose the contents of their cache when they shutdown.
URL analysis begins with the DSA/DSVA comparing the captured URL being analyzed with an
approved list. If the URL matches an entry on the list, then it is excluded from further analysis.
The approved list can exclude either entire domains or specific directories within these domains.
The same is true for the block list
For additional information about approved lists see page Error! Bookmark not defined..
Regardless of the source of the rating, the following steps in the decision-making process are the
same:
● Evaluate rating
● Perform action
EVALUATE RATING
Ratings consist of a credibility score that the DSA / DSVA compares Do not
with a pre-selected threshold value. If a Web site’s rating is equal to or block
lower than the threshold value, then the agent / appliance blocks this 73
site. 72
Note the illustration on the right. Consider a Website that is given a 71
score of “71”. If the security level has a threshold score of 70 and
below, the unrated site will not be blocked. 70 Threshold
value
69
For a list of credibility scores, and the types of sites that are
given these scores, see About credibility scores on page 279. 68
Block
These threshold values are set on the Deep Security Manager. The following management
console screen capture shows the relevant control.
280 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Specific security level settings, shown above, correspond to specific threshold values. These
values are shown on the table below.
High 80
Medium 65
Low 50
PERFORM ACTION
Web threat security can only perform two actions: block or allow.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 281
Trend Micro Deep Security Support Track
282 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 283
Trend Micro Deep Security Support Track
284 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
WRS in Rating query
DSA Notifier
Browser
WRS
WRS handler TMUFE
rating server
Rating result
WRS events
(db & DSM)
IOCTL IOCTL
User space
Kernel space
DSA driver
WRS in Rating query
DSVA Notifier
WRS
WRS handler TMUFE
rating server
Rating result
WRS events
(db & DSM)
IOCTL IOCTL
DSVA
Hypervisor
Browser dvFilter driver
Both the DSA and DSVA have WRS handlers that use the Trend Micro URL Filtering Engine
(TMUFE) to query the WRS rating server to obtain site scores. The handler is also responsible
for sending events to the DSM and to the Notifier.
The principal difference between the two implementations is in the how they intercept browser
traffic. In the DSA, the DSA driver is used to detect HTTP traffic. The DSVA, on the other
hand, uses the VMSafe API for this. The dvFilter driver, that is installed in Hypervisor for
network traffic re-direction, is also used for WRS.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 285
Trend Micro Deep Security Support Track
A Connect to Website
Request Website
B score
Intended connection Reply (Dropped) A
Score B
Reply
Instead of blocking the initial connection to the Website, as is done in other WRS
implementations (e.g., Trend Micro OfficeScan), the DSVA / DSA lets the HTTP request
through to the intended Website, but blocks the reply.
Once the DSVA receives the a response from the WRS rating server, the DSVA takes the
appropriate action: either it lets the page through to the browser, or it displays the blocked page
warning screen.
286 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
2. If the DSA is unable to perform the configured scan action, what will happen to the
suspected malware?
a) Pass
b) Delete
c) Quarantine
d) Re-scan
a) Registration
b) Activation
c) Melding
d) Binding
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 287
Trend Micro Deep Security Support Track
288 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The Deep Security Management console is a Web-based console generated by a Tomcat Web
server as shown below.
Tomcat servlet folder
Deep Security
Browser Tomcat
Manager
servlets
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 289
Trend Micro Deep Security Support Track
https://dsm_server:4119
Although the contents of the DSM database are not encrypted, user passwords are obfuscated as
shown above.
NOTE This obfuscation behavior discussed here only applies to user passwords.
Deep Security stores passwords as “salted hashes”. It adds a set of random characters,
collectively called “salt”, to the password text and then generates a hash of the combination.
Together they defend against basic dictionary attacks that rely on passwords alone.
290 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Prior to Deep Security 7.5 Service Pack 1, passwords were obfuscated using an MD5 hash. These
can be identified by the value “1” in the hash algorithm section. The samples above, for example,
use MD5.
Starting with 7.5 Service Pack 1, in accordance with efforts to satisfy Common Criterial EAL4+
security certification requirements, the algorithm was upgraded to SHA-256. Passwords that are
hashed this way are identified by the number “5” in the hash algorithm section.
dsm_c – action unlockout –username USERNAME ‐newpassword NEWPASSWORD
For example
dsm_c –action unlockout –username MasterAdmin –newpassword seCret101
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 291
Trend Micro Deep Security Support Track
Purpose of heartbeats
Hearbeats fulfill the following two-part function:
● Deploy the latest system configuration from the DSM to the DSA
● Obtain logs from the DSA to populate DSM statistics counters and events logs
Heartbeats, therefore, play a very important part in creating an overall picture about the state of a
Deep Security network.
DSM modules send instructions opportunistically on top of the heartbeat mechanism. So when
an administrator initiates a Port Scan, or a Recommendation Scan, these instructions will be sent
to the DSA on the next available heartbeat opportunity.
As will be explained in the next section, in certain communication modes, the DSM can pre-
empt the heartbeat, forcing the DSA to send the heartbeat even before it is due, thereby allowing
commands to be sent to the DSA on demand. In such scenarios, commands would not have to
wait for the polling cycle.
Anatomy of a heartbeat
The following log sample shows a DSA trace log, filtered to show only connection (“[Conn]”)
events.
292 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
These log entries were taken from an activated DSA that did not have any rules assigned to it.
Therefore all DSA-to-DSM communication consisted entirely of heartbeat messages.
These log samples contain the following noteworthy points:
● The “OnRun( )” entries indicate the start of a heartbeat message.
● Between each “OnRun” and “OnExit” pair, the commands listed below were issued. These
represent the default data-set that the DSA regularly sends to the DSM in the absence of
additional instructions from the manager.
GetAgentStatus – this retrieves status information from either the agent or appliance. This
status information includes operating system information, driver status, and connection
details. Information retrieved by this command allows the DSM to set the various
functionality status indicators.
GetAgentEvents – retrieves event information that updates the DSM’s “view” of the
agent’s current state.
GetLogData – this command retrieves firewall and DPI data from the text-based
dsa_mpnp database. This command appears twice in each heartbeat. One each for the
firewall and DPI data
GetDatabases – this command retrieves the GUID of the various SQLLite databases. The
DSM uses the GUID to detect if the DSA created a new set of databases (e.g., if these
were deleted, or if the DSA was reinstalled) from one used in previous logs
GetEntitys – retrieves environment information not included in AgentStatus
GetEvents – this command retrieves Integrity Monitoring, Log Inspection, and Anti-
Malware data from their respective SQLLite databases. In this sample, GetEvents
appears twice, one each for Integrity Monitoring and Log Inspection data.
Heartbeat frequency
By default, DSAs can be set to send out heartbeats out every 10 minutes. These can be delayed
to as much as 24 hours if necessary. If the DSM does not receive heartbeats according to this
schedule for a pre-defined number of times, alerts will be raised.
The actual schedule of the heartbeat that the DSA sends out, however, is actually imprecise.
Consider the following DSA trace logs, collected using DebugView, that show the DSA checking
if a heartbeat is required.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 293
Trend Micro Deep Security Support Track
NOTE Certain events, such as “port scan detected”, can pre-empt the heartbeat
process to immediately send information to the DSM, thereby triggering it before it is
due. The DoHeartbeatIfNecessary( ) function checks the agent’s internal heartbeat timer
to see if the heartbeat had already been sent.
The agent used in the test above was set to use the default heartbeat interval of
However, if we tabulate the time stamps of the heartbeat events shown above, the actual
heartbeats are sent a few seconds sooner.
9:51:01 AM 09:09.0
10:00:17 AM 09:16.0
10:09:18 AM 09:01.0
10:18:36 AM 09:18.0
10:28:28 AM 09:52.0
To prevent the DSAs from inadvertently performing a denial of service attack on its own DSM,
for example if the entire DSA network encounters network connectivity issue, heartbeats are
randomized within a range of 10% of the selected interval. For a heartbeat interval of 10
minutes, for example, the shortest possible heartbeat would be 9 minutes. The first heartbeat
after an agent starts up, however, will be 100% of the prescribed interval.
294 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Deep Deep
Security Security
Manager Agent
Port: 4118
Port: 4120
ListenPort=<port>
For Windows-based platforms, this file is called “ds_agent.ini” and must be created in the
Windows system folder. For Solaris/Linux platforms, it is called “ds_agent.conf” and must
be placed in the /etc directory.
Administrator/root privileges will be required to create this file. After creating the file, the
DSA must be restarted.
DSAs, by design, cannot block these ports. Default bypass rules prevent this from happening.
However, if there are other impediments on the network that prevent traffic to these ports, then
administrators need to configure the DSM to work within these restrictions.
Administrators can restrict the direction of communication using the following System setting
control.
If the DSA cannot receive communication from the DSM at port 4118, then the DSM can be set
to avoid sending communication to the DSA altogether by using Agent Initiated communication.
In this situation, the DSA assumes all responsibility for obtaining configuration changes and for
uploading its logs in accordance with the heartbeat schedule. On-demand configuration will be
impossible in this scenario.
When set to use Manager-initiated communication, the DSA will only communicate with the DSM
when specifically instructed to do so. The DSA will not keep track of the heartbeat cycle, and
will only perform the heartbeat operation when notified.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 295
Trend Micro Deep Security Support Track
Tip When the DSA is responsible for initiating heartbeats, there is typically a wide
dispersion of heartbeat events since each DSA follows its own 10-minute heartbeat
counter. In a manager-initiated heartbeat, all DSAs are asked to perform a heartbeat
almost at the same time, resulting in a heavy load on the DSM.
DSM socket timeout 120000 milliseconds This is the amount of time the DSM will wait
for a response after it sends something to
the agent.
Agent socket timeout 120 seconds This is the amount of time the Agent will
wait for a response from the DSM after it
sends something, or is simply waiting for
commands.
296 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Activation basics
The Activation concept was first discussed on page 63. Here we will discuss the internal
mechanics of this action. The following diagram shows what happens during the activation
process.
Deep Deep
Security Security
Manager Agent
Encrypted communication
The process starts when the DSM and DSA exchange bootstrap certificates to identify
themselves to each other. The exchange takes place over SSL and is therefore protected
throughout. All subsequent communication use symmetric-key encryption.
The following command line messages were generated during a manual activation (using
dsa_control.exe). These clearly show the steps taken during activation.
The first two lines show the process illustrated above. The Activation process started with an
SSL handshake, thereby establishing a secure session.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 297
Trend Micro Deep Security Support Track
Next, the DSA and DSM negotiated the highest level of encryption that either side would
support. In the example above, it was AES256SHA. Encryption details are discussed in the next
session.
Finally, the DSM leveraged encrypted communication to obtain information about the DSA and
its host, and configure agent settings.
About encryption
When a connection is established, the DSM sends a list of encryption protocols that it uses to
the DSA. The DSA then responds with the highest level of encryption it supports, and then the
authentication certificates are exchanged.
CLIENT-SERVER IN DSM
The communication architecture in DSM is setup such that the DSA actually acts as a
HTTPS/SSL server, while the DSM functions as a HTTPS/SSL client. The DSM sends its
requests to the DSA, which then performs “services” in response to these requests.
In version 7.5 Service Pack 1, a number of previously used ciphers were removed as part of
efforts to pursue Common Criteria EAL +4 certification. The following table shows the ciphers
that remain, the those that were removed.
Retained Removed
TLS_RSA_WITH_AES_256_CBC_SHA SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
298 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
User-initiated commands
Command Description and action
Update This command deploys configuration changes to DSAs and performs
the additional actions:
• Obtain statics for use on DSM console counters
• Determine if the agent requires an update
• Perform outstanding agent-initated requests
Check status This commands collects information required by DSM counters, and
performs the following:
• Determine if the agent requires and update
• Perform outstanding agent-initiated requests
Activate This command initiates the activation process and deploys agent
configuration changes
Upgrade This upgrades DSA agents and collection information used in DSM
counters
System-initiated commands
Command Description and action
Set Security Sets the security configurations on the DSA.
Configuration
Get Interfaces Returns information about network interfaces on the DSA host
Status Events & Verifies collects the following information: status, events, counters,
Counters compatibility
Heart Beat This command ensures that the DSA is remains in synch with the DSM,
and performs the following actions:
• Obtain updated configuration file
• Upload statics for use on DSM console counters
• Upload logs
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 299
Trend Micro Deep Security Support Track
d) Heartbeat
e) Firewall rules
f) Interface changes
g) All of the above
e) Bi-directional
f) Manager-initiated
g) Agent-initiated
h) All of the above
e) Registration
f) Activation
g) Melding
h) Binding
300 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 301
Trend Micro Deep Security Support Track
302 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The DSM generates these alerts based on log information that DSAs upload as part of the
normal heartbeat process, as shown below.
Dsa_mpnp
file
Store
Retrieve (DPI & firewall
events)
Upload
Deep log Deep
Security Security Event
Manager Agent
Alert Store
Retrieve Store Retrieve (Log Inspection & Integrity
Monitoring events)
SQL SQLite3
database database
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 303
Trend Micro Deep Security Support Track
When events occur on the DSA, they are initially stored in local databases. Firewall and DPI
events are stored in flat text files, while Log Inspection, and Integrity Monitoring use encrypted
SQLLite3 database files. When a heartbeat is due, the DSA reads the logs stored in the files, and
sends them to the DSM.
For events stored in the SQLLite3 database, the DSA deletes most of these logs after they’ve
been sent, save for the 500 most recent entries. These are retained so that the DSA console will
have information to display it its event tabs.
Firewall and DPI events, on the other hand, are not deleted after these are uploaded to the DSM,
and remain in the file.
NOTE DSAs use gzip compression to reduce the size of the logs when they are sent to
the DSM.
Once uploaded, a DSM cycles through the different logs, and then generates alerts and
notifications as required.
304 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Firewall logs are stored in the “packetlogs” table, since the original name for the firewall was the
“packet filter”. DPI logs, on the other hand, are in the “payloadlogs” table for the same reason.
NOTE Heartbeat selection becomes less of a concern if DSAs are configured to send
logs to a Security Information and Event Management (SIEM) system such as a Syslog.
The DSA sends event logs in blocks of 1,000 logs during a heartbeat event.
To avoid excessive bandwidth utilization, Trend Micro offers the following rule-of-thumb
heartbeat settings
Desktops 60 minutes This setting can be used for machines that end-
user machines
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 305
Trend Micro Deep Security Support Track
For the purposes of this document, these settings are grouped as follows:
● Size limitation
● Counter data
● Ignore computer
● Log aggregation
● Data filters
Each group is discussed in their respective sections below.
Size limitation
The following flowchart shows the log file usage logic.
306 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
No
Has
Write event
Begin write log reached size End
to log
limit?
Yes
No
Has the
Create new
Number of log files
log file
reached limit?
Yes
Delete oldest
log file
The default maximum size for events logs is 4MB. Given that the average size of a single log is
200 bytes, this limit roughly translates to 20,000 log entries. The rate at which the limit is reached
depends on the number of rules in place, as well as network activity on the DSA.
The following parameters fall under this group:
Maximum size of the event log files (on Agent/Appliance)
Number of event log files to retain (on Agent/Appliance)
DSA data
DSAs can send both, or either, of the following information to the DSM:
Event – a 1-to-1 record of events that occur on the DSA host
Counters – an aggregated count of identical events that occur on the DSA host
Event information is used to populate events screens, while counters are used to populate the
various dashboard widgets. The controls in this group allow the administrator to define which of
these two types of information the DSM receives from its DSAs.
For example, an administrator that already collects log information from the DSAs using Syslog
may only want to receive counters. This reduces the traffic and data storage overhead for his
DSM network.
The following parameters fall under this group:
Collect Firewall Events from Agent/Appliance – defines the firewall-related information
is retrieved from the DSA with every heartbeat
Collect DPI Events from Agent/Appliance – defines the DPI-related information that is
retrieved from the DSA with every heartbeat
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 307
Trend Micro Deep Security Support Track
Ignore computer
This group, which only consists of the Do Not Record Events with Source IP, allows administrators
to refrain from keeping records of events from select “safe” or “trusted” servers.
Log aggregation
The following three settings fine tune Event aggregation functionality. To save disk space, DSAs
will take multiple occurrences of identical events and aggregate them into a single entry and
append a "repeat count", a "first occurrence" timestamp, and a "last occurrence" timestamp. To
aggregate event entries, DSAs need to cache the entries in memory while they are being
aggregated before writing them to disk.
The following parameters below to this group:
Cache Size – defines the number of events to track at any given time. Setting a value of 10
means that 10 events will be tracked (with a repeat count, first occurrence timestamp,
and last occurrence timestamp). When a new type of event occurs, the oldest of the 10
aggregated events will be flushed from the cache and written to disk.
Cache Lifetime - defines how long a record is kept in the cache before flushing to disk. If
this value is 10 minutes and nothing else causes the record to be flushed, any record that
reaches an age of 10 minutes gets flushed to disk.
Cache Staletime - defines how long to keep a record whose repeat-count has not been
incremented. If Cache Lifetime is 10 minutes and Cache Staletime is two minutes, an
event record which has gone two minutes without being incremented will be flushed and
written to disk.
Regardless of the above settings, the cache is flushed whenever Events are sent to the Deep
Security Manager.
Data filters
The following settings provide additional filters for potentially superfluous data:
Generate Firewall Events for packets that are "Out Of Allowed Policy" – the implicit
denial functionality in firewall Allow rules, can generate an excessive number of these
events. This disabling this option allows administrators to ignore these events
Allow DPI Rules to capture data for the first hit of each rule (in period) – this retains
the data from the packet that triggered a log entry. The packet's data can be viewed with
the log entry. Each rule will only capture data once in a five second period to avoid
unnecessarily large log files.
308 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 309
Trend Micro Deep Security Support Track
By default, SMTP servers use port 25. For servers with non-standard ports, enter the mail server
address as shown below:
mail.trendmicro.com:587
The DSM can work with SMTP servers that require authentication. The fields that are relevant
for user credentials are also shown above.
Alert configuration
This screen allows Administrators to select which event results in alerts. This is shown below.
310 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Administrators can access this screen either from the System Settings screen, via the following
button.
Alternatively, administrators can access this from the Alert view/dismiss screen using the control
highlighted below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 311
Trend Micro Deep Security Support Track
Alert view/dismiss
Administrators can view a list of alerts that have been generated thus far by accessing the Alerts
screen. This is shown below
On this screen administrators can view details about the alerts and dismiss them if they are
dismissible.
312 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Agent event
logs (Batched)
Syslog server
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 313
Trend Micro Deep Security Support Track
The DSM sends its system events to the Syslog. Administrators configure this functionality from
the following screen.
The Deep Security Agent, on the other hand, sends firewall, DPI, Log Inspection, and Integrity
Monitoring events, as configured in screen sections like the following.
Unlike DSA events that are sent to the DSM, Syslogs are immediately sent to the Syslog server as
they occur. They are not batched in the DSA databases.
NOTE In July 2009, Arcsight issued an updated version of the CEF standard. Deep
Security 7.0 does not support this standard as of writing.
314 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
This section focuses on reports and is divided into the following sub-sections:
● Report templates
● Report filters
● Report access
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 315
Trend Micro Deep Security Support Track
Tag
Time
Computer
316 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
If password access is enabled, Administrators can choose to restrict access only to the user that
generated the report by selecting the Use Current User’s Report Password option. The report
password is defined in the following user properties screen.
For reports meant for wider distribution, administrators can choose to specify a password that is
specific to the report. This option grants access to both DSM and non-DSM users.
If the generated report is a PDF, readers will be prompted for a password when opening the file,
as show below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 317
Trend Micro Deep Security Support Track
318 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
a) Apache Derby
b) MS SQL
c) SQLLite3
d) MySQL
a) RTF
b) Excel
c) PDF
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 319
Trend Micro Deep Security Support Track
320 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 321
Trend Micro Deep Security Support Track
Alternative
Trend Micro
update server
Update Server
(HTTP or HTTPS)
Deep Security
Deep Security Deep Security
Virtual
Manager Agent
Appliance
By default, all members of a Deep Security network get their updates from Deep Security relays.
The only exceptions are:
● DSMs that manage DSVA version 7.5 and therefore need to function as update servers
using legacy ActiveUpdate technology
● DSVA and DSAs that are allowed to update directly from the primary update server as an
alternative to the DSR
The DSA, DSVA, and DSR all use iAU technology to obtain updates from their update sources.
The DSM, however, leverages the same mechanism used for obtaining diagnostic packages to get
its Deep Security Rule Updates (DSRU) and Deep Security manifest file from the DSR.
NOTE Since the DSM neither uses AU or iAU to obtain its updates it cannot obtain
DSRUs from Trend Micro by itself.
Update events generate the following entries in the System Events screen. These events only
provide the result of an update event, and do not provide granular information about the update.
322 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Trend Micro
DSM DSA / DSVA DSR
update server
Update notification
Publish
components
Update notification
The following DSM System Event logs record the update process. Note the update sequence.
The DSM initiates DSR updates in the order in which they were added to the network. The
order in which they appear on the DSR list is the same order in which they are updated.
DSA/DSVAs randomize the DSR from which they obtain updates, so they never download
from the same source successively. If they fail to connect to the primary DSR for an update
event, they cycle through the remaining DSRs until they connect successfully.
Consider the following two update attempts using the following environment.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 323
Trend Micro Deep Security Support Track
Deep Security
Agent
In this test, all DSRs were shutdown. So the DSA that generated these logs would never be able
to connect with any of its DSRs.
324 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
● On the first attempt, the DSA attempted to connect to its DSRs in the following order: #1 (.
. . 150), #3 (. . . 154), and then #2 (. . . 151)
● On the second attempt, the DSA followed the following sequence: #2 (. . . 151), #3(. . .
154), and then #1 (. . . 150)
● The DSA tried to download from a DSR three times before moving on to the next DSR.
● After connection with the final DSR failed, the DSA abandons the update attempt.
During the update process, the DSR disables the Nginx Web server to prevent DSAs and DSMs
from downloading updates from it. It disables the Web server by modifying the “location/”
section of the Nginx configuration files (nginx.conf). The relevant sections appear in the table
below.
DSR accepts download requests from DSAs Only the DSR can update from itself
location / { location / {
allow all; allow 127.0.0.1;
} allow ::1;
deny all;
}
During an update, the DSR re-writes the section to appear like the right column. All access is
denied, and only local access is permitted. When a DSA tries to connect to this DSR in this state,
the following entries appear in the Nginx access log.
10.xxx.xxx.15 ‐ ‐ [02/Dec/2011:16:03:05 ‐0800] "GET /c22t2200v8.0.0l1p5889r1o1 HTTP/1.1" 403
564 "‐" "Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)"
As the log sample above shows, the DSA receives an HTTP 403 error.
The corresponding Nginx error log appears below:
2011/12/02 16:03:05 [error] 5552#0: *5 access forbidden by rule, client: 10.xxx.xxx.15,
server: , request: "GET /c22t2200v8.0.0l1p5889r1o1 HTTP/1.1", host: "10.xxx.xxx.151:4122"
The DSR remains in this state for the duration of an update, and returns to normal once the
update is complete.
NOTE If Anti-Malware functionality is set to use Smart scanning, the DSVA/DSA only
downloads the OTH pattern from DSR. It still downloads BF.ptn from the Smart Scan
server.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 325
Trend Micro Deep Security Support Track
Inf 20111128 11:32:23 1216 2072 Load dynamic link library [C:\Program Files\Trend
Micro\AMSP\update\iau_sdk\iaucore\libs\patchw64.dll] succeed
The iAU module then initiates the merge and records the original and updated versions of the
pattern being merged in its iau.log
[2011‐Nov‐28 11:32:23 1216|2072] [app] iAU::MergedPackage::Retrieve
[src\common\src\merged_package.cpp(69)]
start to merge pattern class: 3,type:
536870944,from version 71100 to version 71700
[2011‐Nov‐28 11:32:23 1216|2072] [app] iAU::MergerUtility::MergeFiles
[src\common\src\merger_utility.cpp(199)]
TmIUApply: newDir(C:\Program Files\Trend
Micro\AMSP\update\iau_sdk\iaudata\iaudata5a\temp\merge\a885‐f761‐3683‐9fae)
diffFile(C:\Program Files\Trend Micro\AMSP\update\iau_sdk\iaudata\iaudata5a\temp\f395‐
a5d0‐e295‐a946\w_711.717) baseFile(C:\Program Files\Trend
Micro\AMSP\\.\Module\10000\2.1.1078\9.500.1008\.)
The pattern in this example is not the SSAPI pattern, then iAU uses the RTPatch merge.
Inf 20111128 11:32:23 1216 2072 RTPatchApply32: cmd: ‐NoPathSearch ‐subdirsearch ‐
NOALLOWSPLIT "C:/Program
326 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Files\Trend
Micro\AMSP\update\iau_sdk\iaudata\iaudata5a\temp\merge\a885‐
f761‐3683‐9fae" "C:/Program Files\Trend
Micro\AMSP\update\iau_sdk\iaudata\
iaudata5a\temp\f395‐a5d0‐e295‐a946\w_711.717"
Inf 20111128 11:32:23 1216 2072 Code page before calling RTPatch APIs: ANSI
[2011‐Nov‐28 11:32:23 1216|2072] [app] iAU::RtpatchMerger::Merge
[src\common\src\rtpatch_merger.cpp(129)]
End Rtpatch Merge, result:
IAU_STATUS_SUCCESS[0(0,0,0)]
. . .\Trend Micro\AMSP
Information for the lone non-AMSP component is stored in an XML file called product.xml in
the following location:
. . .\Deep Security Agent\lib
Deep Security Relays that have been configured to provide full AM functionality, obtain the
relevant components the same way that DSAs do. The principal difference being the name of the
installation folder: Deep Security Relay.
However, in addition to obtaining components that it uses for itself, it also needs to download
components on behalf of its Deep Security network. For this, it creates a copy of the file and
folder structure of its source update server in a process called duplication. Additional details about
this process are available in the Deep Security Relay section, further below in this chapter.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 327
Trend Micro Deep Security Support Track
The DSR determines the versions of the components that it serves up to its Deep Security
network by reading a file called a product index. This is the same kind of file that update servers
use to store version information. More details about this file is available in the next section.
10.x.x.1 ‐ ‐ [11/Nov/2011:14:19:03 ‐0800] "GET /c22t2202v8.0.0l1p5889r1o1 HTTP/1.1" 200 606
"‐" "Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)"
Observe the following noteworthy points about the log sample above:
● The source of the request (10.x.x.1) has been obscured
● The product downloads the index file using an HTTP GET request
● The index involved in this sample is named c22t2202v8.0.0l5889r1o1. This corresponds to the
index for a version 8.0 Deep Security Relay for the Windows 64-bit platform.
The naming convention for the index file is illustrated below.
OEM = 1
Platform = 5889
Version = 8.0.0
Class = 22
C22t2202v8.0.0l1p5889r1o1
Type = 2202
Language = 1
Region = 1
Class – identifies the product. The value “22” indicates that it is for Deep Security
Type – identifies the sub-component within the product. The value “2202” indicates that
this is for the Deep Security relay. Other valid values for Deep Security software are:
2200 – Deep Security Agent
2201 – Deep Security Virtual Appliance
2203 – Deep Security Manager
Version – indicates the version the version of the product. This is for version 8.0
328 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Language – indicates the language of the product. The value “1” means this is for the
English version
Platform – indicates the operating system of the product. The value “5889” is for Windows
64-bit. Other valid values for Deep Security are:
1 – Windows (32-bit)
257 – Linux (32-bit)
9217 – Linux (64-bit)
Region – indicates geographical limitations for the index. The value “1” means that this is a
global index
OEM – identifies OEM-specific version of the product (e.g., is it for a specific customer,
etc.) to which the index corresponds. The value “1” means that this is the retail version
of the index available to all customers
NOTE Additional information about the these codes are available in Appendix X
https://<update server>/iau_server.dll/c22t2202v8.0.0l1p5889r1o1
https://<relay>:4122/iau_server.dll/c22t2202v8.0.0l1p5889r1o1
As mentioned earlier, product indices are XML files. Expanding the file to show its first-level
entities shows the product types for which updates are available, and their corresponding
versions.
<response version="2.0.0">
<update id="c22t2202v8.0.0l1p5889r1o1">
<products>
<product id="c22t2202v8.0.0l1p5889r1o1">
<entity class="22" type="2212" language="‐1" platform="‐1" region="‐1" oem="‐1"
version="8.0.585">...</entity>
<entity class="22" type="2213" language="‐1" platform="‐1" region="‐1" oem="‐1"
version="11.032">...</entity>
<entity class="2" type="574619648" language="‐1" platform="5889" region="‐1" oem="‐1"
version="3.5.1047">...</entity>
<entity class="22" type="2211" language="‐1" platform="‐1" region="‐1" oem="‐1"
version="8.0.0">...</entity>
</product>
</products>
</update>
</response>
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 329
Trend Micro Deep Security Support Track
Update Tree
The iAU module populates the local tree with information about the components that
DSA/DSR possesses, and records this action in the iAU log. A sample appears below.
[2011‐Nov‐11 14:33:53 3840|3972] [app] iAU::Context::Update [src\core\src\context.cpp(271)]
Product local tree:
‐‐‐+ "Product_Family[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product_Group[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐‐ "Component[c22t2212v8.0.585l‐1p‐1r‐1o‐1]<‐‐[]"
‐‐‐‐ "Component[c22t2211v8.0.0l‐1p‐1r‐1o‐1]<‐‐[]"
‐‐‐‐ "Component[c22t2213v11.031.0l‐1p‐1r‐1o‐1]<‐‐[]"
‐‐‐‐ "Component[c2t574619648v3.5.1047l‐1p5889r‐1o‐1]<‐‐[]"
It then stores the information it obtains from the update server in the remote tree. The following
iAU log entry records this.
[2011‐Nov‐11 14:33:54 3840|3972] [app] iAU::Context::GetRemoteUpdateTree
[src\core\src\context.cpp(153)]
Product remote tree:
‐‐‐+ "Product_Family[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product_Group[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐‐ "Component[]<‐‐[c22t2212v8.0.585l‐1p‐1r‐1o‐1]"
‐‐‐‐ "Component[]<‐‐[c22t2213v11.031.0l‐1p‐1r‐1o‐1]"
‐‐‐‐ "Component[]<‐‐[c2t574619648v3.5.1047l‐1p5889r‐1o‐1]"
‐‐‐‐ "Component[]<‐‐[c22t2211v8.0.0l‐1p‐1r‐1o‐1]"
The actual comparison is recorded in yet another tree called the update tree. The relevant iAU
log entry appears below.
[2011‐Nov‐11 14:19:03 3840|3972] [app] iAU::Context::Update [src\core\src\context.cpp(336)]
330 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Update tree:
‐‐‐+ "Product_Family[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product_Group[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐‐ "Component[c22t2212v0.0.0l‐1p‐1r‐1o‐1]<‐‐[c22t2212v8.0.585l‐1p‐1r‐1o‐1]"
‐‐‐‐ "Component[c22t2211v0.0.0l‐1p‐1r‐1o‐1]<‐‐[c22t2211v8.0.0l‐1p‐1r‐1o‐1]"
‐‐‐‐ "Component[c22t2213v0.0.0l‐1p‐1r‐1o‐1]<‐‐[c22t2213v11.031.0l‐1p‐1r‐1o‐1]"
‐‐‐‐ "Component[c2t574619648v3.5.1047l‐1p5889r‐1o‐1]<‐‐[]"
‐‐‐+ "Product[c4t0v6.3.0l1p5889r1o1]"
The update tree sample above contains the following noteworthy points:
● The first three “component” lines show two sets of brackets, with values within, separated
by arrows. These represent components that are newer than what the DSA/DSR currently
possesses.
● In the fourth line, the bracket to the right of the arrow is empty. This means that the local
component is newer, or equivalent to, the component in the server. Inspection of the
corresponding lines in the local and remote trees shows that the component version is
actually the same.
Product local tree Product remote tree
Had there been a version difference, the iAU module would have summarized the result of
comparison in the following manner.
[2011‐Nov‐11 14:19:03 3840|3972] [app] iAU::Context::Update [src\core\src\context.cpp(304)]
There are 3 component(s) need update
If no updates are required, the iAU module creates a product synch tree like the following, and
writes it to the iAU log before the update tree
[2011‐Nov‐28 11:32:19 1580|2588] [app] iAU::Context::GetRemoteUpdateTree
[src\core\src\context.cpp(157)]
Product sync tree:
‐‐‐+ "Product_Family[c22t2200v8.0.0l1p5889r1o1]"
‐‐‐+ "Product_Group[c22t2200v8.0.0l1p5889r1o1]"
‐‐‐+ "Product[c22t2200v8.0.0l1p5889r1o1]"
‐‐‐‐ "Component[c2t574619648v3.5.1047l‐1p5889r‐1o‐1]<‐‐[]"
‐‐‐+ "Product[c4t0v6.3.0l1p5889r1o1]"
‐‐‐‐ "Component[c4t112v6.3.1043l1p5889r1o1]<‐‐[]"
Product sync trees are also always followed by the following summary.
[2011‐Nov‐28 11:32:19 1580|2588] [app] iAU::Context::GetRemoteUpdateTree
[src\core\src\context.cpp(158)]
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 331
Trend Micro Deep Security Support Track
It is already update‐to‐date from product
index:c22t2200v8.0.0l1p5889r1o1
<response version="2.0.0">
<update id="c22t2202v8.0.0l1p5889r1o1">
<products>
<product id="c22t2202v8.0.0l1p5889r1o1">
<entity class="22" type="2212" language="‐1" platform="‐1" region="‐1" oem="‐1"
version="8.0.585">...</entity>
<entity class="22" type="2213" language="‐1" platform="‐1" region="‐1" oem="‐1"
version="11.032">...</entity>
<entity class="2" type="574619648" language="‐1" platform="5889" region="‐1" oem="‐1"
version="3.5.1047">...</entity>
<entity class="22" type="2211" language="‐1" platform="‐1" region="‐1" oem="‐1"
version="8.0.0">...</entity>
</product>
</products>
</update>
</response>
If the administrator were to expand the content of type “574619648”, it would reveal the
following additional information.
<entity class="2" type="574619648" language="‐1" platform="5889" region="‐1" oem="‐1"
version="3.5.1047">
<priority>2</priority>
<share>0</share>
<applyto maxver="3.5.1047" minver="0"/>
<full dig="68d1eacc126f3dd4b0a1c4511cd2e89b" size="388355">
<url>
https://iaus.activeupdate.trendmicro.com/activeupdate/preopr/22_2202_8.0.0_1_5889_1_1/ctlr
po/c2t574619648l‐1r‐1p5889o‐1/3.5.1047_51805141‐4b2c‐4afc‐9c26‐e9e59b4f95d4.7z
</url>
</full>
</entity>
The URL parameter provides the product with update source for the required component. The
iAU module uses this URL to download the update.
332 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 333
Trend Micro Deep Security Support Track
Anti-Malware (cloud Smart scan server DSAs and DSVAs obtain copies of the
components) BF.ptn file, which acts as an index for the
contents of the Smart Scan filter, from
the smart scan server using the ICRC
protocol. This is a completely different
update channel.
Behavioral monitoring Deep Security Relay / The DSA obtains AEGIS components as it
Update site would normal patterns and engines
Web reputation (engine) Deep Security Relay / The agent and appliance use iAU the
Update site Trend Micro URL Filtering Engine
(TMUFE). As will be discussed in later
sections, they download this component
outside the AMSP framework.
Web reputation (ratings) Rating server DSAs and DSVAs obtain rating
information as required from a rating
server. This information is not persistent
locally.
Some of this knowledge is deployed directly to the DSA/DSVA, while others are sent to the
DSM first before applying them to the agent/appliance. Only Anti-Malware and Behavioral
Monitoring components are deployed directly to the protection tier using iAU technology.
This section focuses on components that are sent directly to the DSA / DSVA using iAU
technology, and is divided into the following sections:
● Download behavior
● Update process
● Smart scan modes
334 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The DSA downloads each of the abovementioned groups of components independently, using
separate copies of the iAU module: one that downloads AMSP components for AMSP, and
another to download TMUFE.
NOTE Since Windows-based DSAs use two iAU modules, and each module has its own
set of two logs (iau.log and TmuDump.txt) troubleshooting update issues will require
identifying the logs that correspond to the module that encountered the issue.
Download TMUFE
The diagram above shows the two modules are used. The DSA starts the update process by
downloading TMUFE. If this download is successful, it proceeds to download AMSP related
components.
By design, pattern updates will not interfere with Anti-Malware scanning. This is true for all
DSAs and DSVAs. When a pattern, scan engine, and their associated configuration options, are
loaded into memory, they become part of a memory construct called a Virus Scan Context
(VSC). Agents and appliances maintain two VSCs: one for operational use, and another for
updates. The following diagram illustrates how these VSCs are used.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 335
Trend Micro Deep Security Support Track
Anti-Malware
service
During normal operation, DSVA only uses one VSC. When an update occurs, the new
component (e.g., pattern, scan engine) is loaded in the dormant VSC, represented by VSC #2
above. If the update occurs while the DSVA is scanning a file, it will complete the scan on that
file with the old components, and will then switch to the new pattern for the next file. After
switching to the new file, the old component is removed from memory.
DSM DSR
Prepare update
(Diagnostic package
mechanism)
Download package
336 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
. . . \relay\iau
In addition to preparing the iau folder for use in DSA/DSVA, DSM, and even DSR updates, the
DSR also maintains a DSR manifest file in the following location:
The DSR manifest file, which is stored in the same location as iAU libraries, contains
information about the products on behalf of which it obtains updates. It defines the components
that it downloads. This file’s content, as of writing, appears below:
c22t2200v8.0.0l1p1r1o1
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 337
Trend Micro Deep Security Support Track
c22t2200v8.0.0l1p5889r1o1
c22t2201v8.0.0l1p9217r1o1
c22t2202v8.0.0l1p1r1o1
c22t2202v8.0.0l1p5889r1o1
c22t2202v8.0.0l1p9217r1o1
DSM COMPONENTS
The DSM (id#2203) does not have its own product index because it does not use iAU to
obtain its rule updates from the DSR. It also does not appear in the DSR manifest because
DSM-related information is already available in the DSR product index.
The DSR periodically checks to see if it has the latest manifest so that it is able to service all the
elements of the Deep Security network that needs it.
Download DSRU
Download TMUFE
Download AMSP
components
The DSR starts the update process with downloading the following components when
warranted. The DSR downloads these components based on etag information. If there is a
difference in between the etag for a component on the DSR, and on the update source, then that
component is downloaded.
DSR manifest – this is a summary of the components that the DSR is supposed to offer to
its Deep Security network.
DSRU – this contains all the rule updates that DSMs require. This contains updated DPI
rules, Log Inspection rules, Integrity Monitoring rules, etc.
338 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
TMUFE – this is Trend Micro URL filtering engine that the DSR uses to provide WRS
protection for its host
DSM product manifest – this is the file that the DSM uses to update its list of
components. This information is displayed on the DSM update screen
Once this is complete, it duplicates the patterns, engines, and other components that it needs to
make available to the Deep Security network. This includes full and/or incremental patterns.
If the DSR also provides Anti-Malware protection for its host, the iAU module in AMSP
downloads updates for itself from its own Nginx Web server. This updates its own host
protection capabilities.
Debug log samples that show how the DSR obtains updates are available in
Appendix A: Deep dive information > Chapter 14 > DSR update process.
The key point to remember about this list is that “Latest” is not relative to the components that
are available on the update site. It is actually based on the information taken from the most-up-
to-date DSR.
To database tables are used as a basis for comparison:
dbo.components – this contains information about the most recently obtained components
on the Deep Security network, as reported by the different DSR
dbo.hostcomponents – this table records component versions on all DSAs and DSRs on
the network
Whenever the Updates screen is displayed, the DSM compares these two tables and then
generates the appropriate values for the Is Latest column.
NOTE DSRs are always the basis for what is considered the latest component on the
network. If a DSA downloads a component from an update source directly, and actually
contains components that are newer than what is available on the DSRs, it will not affect
the “Is Latest” status of the DSRs.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 339
Trend Micro Deep Security Support Track
AMSP
Non-AMSP
Relay
340 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 341
Trend Micro Deep Security Support Track
AMSP
Non-AMSP
It should be noted that patterns and engines are renamed with the “cfg” file extension. This was
done to avoid issues related to Windows System Restore functionality. This Microsoft Windows
OS feature can roll back system files, registry keys, installed programs, etc. to a pre-existing state.
Binary files are restored (e.g., *.dll, *cfg, etc.), but other files are not (e.g., *.ptn, *.da6, etc.).
This can create issues in AMSP if its program components are rolled back to older versions that
can’t work with the versions of the pattern or engines that are left alone by system restoration.
Therefore to avoid this situation, all patterns, engines, etc. were given “cfg” extensions.
342 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Important: Unlike the ActiveUpdate module in version 7.5, this version cannot obtain updates
from a UNC path.
NOTE If the DSA/DSVA’s DSR is configured to download directly from Trend Micro,
then the DSA/DSVA will also download from Trend Micro.
The following TmuDump.txt log shows how this transition to the DSR’s update source takes
place.
Inf 20111201 09:44:59 4524 1095911760 Connecting ... 10.xxx.xxx.x50:4122
Inf 20111201 09:44:59 4524 1095911760 Use nonblocking connect with timeout(20 s).
Err 20111201 09:45:02 4524 1095911760 Connect returns, errno(113), errstr(No route to host)
Err 20111201 09:45:02 4524 1095911760 Can't connect to server
Err 20111201 09:45:02 4524 1095911760 HttpsConnection: Socket connect fail
Err 20111201 09:45:02 4524 1095911760 TmDownloader: Connection fail when try to open
resource
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 343
Trend Micro Deep Security Support Track
Inf 20111201 09:45:02 4524 1095911760 Connecting ... 10.xxx.xxx.x50:4122
. . .
Err 20111201 09:45:05 4524 1095911760 HttpsConnection: Socket connect fail
Err 20111201 09:45:05 4524 1095911760 TmDownloader: Connection fail when try to open
resource
Inf 20111201 09:45:05 4524 1095911760 Connecting ... 10.xxx.xxx.x50:4122
. . .
Err 20111201 09:45:09 4524 1095911760 HttpsConnection: Socket connect fail
Err 20111201 09:45:09 4524 1095911760 TmDownloader: Connection fail when try to open
resource
Inf 20111201 09:45:09 4524 1095911760 Connecting ... 10.xxx.xxx.x50:4122
. . .
Err 20111201 09:45:12 4524 1095911760 HttpsConnection: Socket connect fail
Err 20111201 09:45:12 4524 1095911760 TmDownloader: Connection fail when try to open
resource
Inf 20111201 09:45:12 4524 1095911760 Connecting ... 23.xx.xx.83:443
Inf 20111201 09:45:12 4524 1095911760 Use nonblocking connect with timeout(20 s).
Inf 20111201 09:45:12 4524 1095911760 Connected!
Inf 20111201 09:45:12 4524 1095911760 Connected to iaus.trendmicro.com:443
After failing to connect to the DSR three times, the DSA switched to the DSR’s update source.
dsa_control ‐b
344 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
< DSR installation path >/relay
Linux-based /opt/ds_agent
Clicking the link above starts the sequence of updating DSRs followed by DSAs.
The second update trigger is by way of a scheduled update task. The details for the default task
are shown below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 345
Trend Micro Deep Security Support Track
346 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track
15.10
0 > Upd
dates in
n a mu
ulti-node envirronmen
nt (Only
y
av
vailable
e when DSVA 7.5 is presennt)
The followwing node syncchronization behavior
b is on
nly relevant if the
t DSMs maanage version 7.5 7
DSVAs. Th his is no longeer necessary inn a purely 8.0 environment since the DSM M does not acctually
retain updaate componen nts other that rule
r updates, which
w are actuually stored in the database that
all nodes allready share.
Debug log sa
amples that show how the DSR obtains updates
u are available
a in
Appendix A: Deep dive infformation > Chapter
C 14 > Legacy Active
eUpdate
mechanism.
In these typpes of multi-D DSM deploym ments, the firstt DSM that do
ownloads an update
u is
responsiblee for initiatingg updates on other
o nodes. Each
E time a DSSM completess the downloaad of
a particularr component, it notifies othher DSMs. It does
d so in the following maanner:
Notification
Download update
e,
second componeent
Proc
cess
upddate
Notification
Aug 13, 2
2010 3:31:05 P
PM com.thirdbr
rigade.manager
r.core.au.Acti
iveUpdateUtili
ities
duplica
ateComponentsF
FromAU
FINE: AU
Components ha
ave changed, w
will update in
nternals and n
notify other m
managers.
. . .
Aug 13, 2
2010 3:31:05 P
PM com.thirdbr
rigade.manager
r.core.au.Acti
iveUpdateUtili
ities
setAUSe
equenceNumber
FINE: Set
tting AU seque
ence number to
o: 15
. . .
Aug 13, 2
2010 3:31:05 P
PM com.thirdbr
rigade.manager
r.core.au.Acti
iveUpdateUtili
ities
notifyA
AndWaitForOthe
erManagersToUp
pdateFromOurAU
U
FINE: Com
mpleted notify
ying 0 other m
manager nodes
about AU upda
ates.
348 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 349
Trend Micro Deep Security Support Track
This starts the diagnostic package wizard which lists the information that the package will collect,
as shown below.
350 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The contents of the three sub-folders will be discussed in their respective sub-sections. Only the
following files are discussed at this point:
Configuration.properties – contains information about configuration properties including
listen port and keystore information
Debug.xml – this file contains information about the errors that occurred on the various
hosts, the users on the DSM along with information about their privileges, alerts
generated by DSM and DSA events, rules, etc.
Derby.log – contains information about the embedded Derby database. This will be present
even if the embedded database is not actually used
Dsm.properties – this is a copy of the DSM’s dsm.properties file, which contains its logon
credential settings for the DSM database
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 351
Trend Micro Deep Security Support Track
Error.log – this contains information about startup and shutdown events before java
logging is initialized, or after it is de-initialized. This log is cleared whenever the DSM is
restarted, so its contents will always refer to the current running state.
Filelist.txt – this is a list of files installed in the DSM folder
Install.log – this is the post installation report for the DSM. See Parts of an installation log
on page 319 for details.
Service.log – contains information on the service code before java.logging is initialized. It is
appended to each start and stop of the service
Logging.properties sets the debug log level of the DSM Java framework.
352 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The diagnostic package wizard lists the information that the agent package contains.
The compressed file that the wizard generates contains the following:
At the root path of the resulting ZIP file are the following files:
Builder.log – this is a running account of how the diagnostic package was generated.
System.properties – this is the system.properties file on the DSM at the time the package
was generated. This file shows key Java environment settings that were in use at that
time.
Within the agent package are two folders:
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 353
Trend Micro Deep Security Support Track
● Agent
● Manager
Their contents are discussed in their respective sub-sections.
[16] WARNING: 10‐06‐04 13:10:29.436
com.thirdbrigade.manager.core.diagnostic.AgentDiagnosticPackageBuilder.addFirewallEv
ents() Unable to include all 34412 firewall events in the past 24 hours. Max events:
10000
Systeminformation.xml – this file provides a snapshot of what the agent was doing at the
time the package was created. In additional environment information, this file includes
information such as number and types of jobs the agent is executing, the time taken to
complete these jobs, status of the different threads, etc.
354 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Config.bin – this is a copy of the configuration settings used by the DSA. The data within is
in binary format and cannot be read without assistance
Config.p7 – this is the DSA configuration in P7 format
Ds_agent.config – this is an encrypted file that contain the DSA configuration in XML
format
dsa_blacklist.txt – a list of known bad IPs
Dsa_conn_states.txt – contains driver connection statistics
Dsa_stats.txt – this contains driver statistics information
Dsa_tcp_conn.txt – contains TCP connection information
Dsa_variables.txt – this contains the advanced driver settings information
Runningprocesses.xml – a list of processes running on the DSA host
Platform-specific folders
DSAs on different platforms will include platform-specific information in their diagnostic
packages. The following are discussed here:
Windows folder
Linux/Solaris folder
WINDOWS FOLDER
This contains the following:
msinfo – this contains Windows-generated system information for the DSA host
setupapi.log – this is a copy of the driver installation log
LINUX/SOLARIS FOLDER
This contains the following:
dsa-state-capture-output.txt – this log contains the following:
○ several files from proc
○ list of loaded modules
○ list of PCI devices
○ list of USB devices
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 355
Trend Micro Deep Security Support Track
356 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 357
Trend Micro Deep Security Support Track
To facilitate mapping of this the deep-dive information in this appendix with their parent
discussions, the following sub-section naming convention will be used.
Heading 1 (Section number) > Deep dive topic title
Let’s take installation logs as an example. Instead of discussing Deep Security Manager
installation logs in the main installation section in Chapter 2, the logs will now be discussed in
the following section in this appendix
A. 2. Chapter 3: Installation
. . .
Installing Deep Security Manager (Section 3.3) > Parts of an installation log
358 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
On Windows Explorer, adding the DSM to the list of trusted sites resolves this issue.
C:\Program Files\Trend Micro\Deep Security Manager
dsm_c –action createinsertstatements –databasetype sqlserver –generateDDL –goparameter GO
4. Optional: To exclude security logs, and thereby make the resulting SQL file more
manageable, include the following after “GO” above.
‐excludetables packetlogs,agentinstallers,integrityevents,loginspectionevents,payloadlogs
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 359
Trend Micro Deep Security Support Track
SQLCMD –U <username> ‐P <password> ‐d <database name> ‐i “<full path to DSMData.sql>”
Modify dsm.properties
When a DSM is set to use an embedded Derby database, the contents of dsm.properties appears
as follows:
database.name=dsm
database.directory=…\\Deep Security Manager
database.type=Embedded
mode.demo=false
It must be replaced with entries required for operation with an MS-SQL database. Do the
following
1. Open dsm.properties. This can be found in the following location:
<Install path>\webclient\webapps\ROOT\WEB‐INF\dsm.properties
database.type=SqlServer
database.name=<database_name>
database.SqlServer.server=<hostname>
database.SqlServer.user=<username>
database.SqlServer.password=<password>
database.SqlServer.namedPipe=true
database.SqlServer.appName=Trend Micro
database.type=SqlServer
database.SqlServer.progName=Deep Security Manager
mode.demo=false
360 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
B1 B1.B Consult
Error No Was the No
Unable to connect related flowcharts
encountered during database password
to database or contact Trend
installation? changed?
Micro
Yes Yes
A1 B1.A1
A2 B1.A2
Check if selected
communication protocol Restart DSM
is supported
No
A3.B B1.A3.B
Step Notes
Start This process begins with a database connectivity error. This problem can manifest
itself in the following ways:
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 361
Trend Micro Deep Security Support Track
Apr 2, 2010 12:32:25 PM
com.thirdbrigade.manager.core.db.SystemEventPeer saveEvent
SEVERE: Logging event (999) for target (targetId: null
targetName: null) failed due to a database error.
java.sql.SQLException: Network error IOException: Connection
refused: connect
362 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
B1.A1 Administrators can enter the password in the password field in dsm.properties
shown below. The password will be in plain text at this point in the process.
database.SqlServer.user=sa
database.name=DSM
database.directory=null\\
database.SqlServer.password=Password here
database.SqlServer.instance=DSM
B1.A3 As discussed in Section 2.7.2, the DSM will automatically encrypt clear-text
passwords if it successfully logs on to the database with that password.
B1.A3.B Remember that the DSM can only logon with the “sa” account. Therefore the “sa”
password must be used in dsm.properties.
Missing database
Unlike other Trend Micro products, Deep Security does not create its own database.
Administrators must create it before pointing the DSM to it.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 363
Trend Micro Deep Security Support Track
Unable to
connect to database
(Step A3.B)
2
B2.A
Determine if the
database exists on the Resolved
database application
A1 B1 B2 Yes
3
Consult
related flowcharts Does the Create database and Was the problem
or contact Trend database exist? retry database selection resolved?
Micro Yes No
B2.B No
Step Notes
Start The chart below begins with Step A3.B of the Beginning analysis flowchart.
2 On MS SQL administrators can perform this step by verifying the existence of the
database node. The following example shows that the default database, dsm, exists
on the database.
364 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
There are numerous Internet references to the MVC. However among the more concise
definitions can be found on Java Website at the following URL:
http://java.sun.com/blueprints/patterns/MVC-detailed.html
Change notification
(e.g., visual cues for what its
doing)
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 365
Trend Micro Deep Security Support Track
PostInstallAction: ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
PostInstallAction: Installing Trend Micro Deep Security Manager
PostInstallAction: ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
PostInstallAction: Starting : Thu Sep 01 15:15:37 PDT 2011
PostInstallAction: Installation Directory : /opt/dsm
PostInstallAction: Service Name : dsm_s
[10] INFO: 11‐09‐01 15:15:37.853
com.thirdbrigade.manager.core.install4j.actions.PostInstallAction.doInstall() Logging
intercepted into install.log
PostInstallAction: Mode : FRESH_INSTALL
PostInstallAction: Hostname : 10.xxx.xxx.xx4
PostInstallAction: Manager Port : 4119
PostInstallAction: Heartbeat Port : 4120
PostInstallAction: Pre‐Install Log :
PostInstallAction: ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
PostInstallAction: Installing Trend Micro Deep Security Manager
PostInstallAction: ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
PostInstallAction: Starting : Wed Sep 07 13:21:45 PDT 2011
PostInstallAction: Installation Directory : C:\Program Files\Trend Micro\Deep Security
Manager
PostInstallAction: Service Name : Trend Micro Deep Security Manager
366 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
[10] INFO: 11‐09‐07 13:21:45.052
com.thirdbrigade.manager.core.install4j.actions.PostInstallAction.doInstall() Logging
intercepted into install.log
PostInstallAction: Mode : UPGRADE
PostInstallAction: Hostname : 10.202.214.150
PostInstallAction: Manager Port : 4119
PostInstallAction: Heartbeat Port : 4120
PostInstallAction: Pre‐Install Log :
If the DSM is being added as a new node on an existing DSM installation, then this portion of
the log would appear as follows:
PostInstallAction: ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
PostInstallAction: Installing Trend Micro Deep Security Manager
PostInstallAction: ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
PostInstallAction: Starting : Thu Sep 01 15:31:03 PDT 2011
PostInstallAction: Installation Directory : /opt/dsm
PostInstallAction: Service Name : dsm_s
[10] INFO: 11‐09‐01 15:31:03.235
com.thirdbrigade.manager.core.install4j.actions.PostInstallAction.doInstall() Logging
intercepted into install.log
PostInstallAction: Mode : NEW_NODE
PostInstallAction: Hostname : 10.xxx.xxx.xx6
PostInstallAction: Manager Port : 4119
PostInstallAction: Heartbeat Port : 4120
PostInstallAction: Pre‐Install Log :
PostInstallAction: Pre‐Install Log :
Running Upgrade Detector (Attempt: 1)
No trace found. Using fresh install mode
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 367
Trend Micro Deep Security Support Track
Connecting to SQL Server...
Connecting to SQL Server...
Connecting to Embedded...
Running Upgrade Detector (Attempt: 1)
No trace found. Using fresh install mode
Connecting to SQL Server...
Connecting to SQL Server...
Connecting to SQL Server...
Connecting to SQL Server...
Test Query Success...
Find Button:Next >
UPGRADE
In this scenario, the Upgrade Detector found an existing dsm.properties file on the indicated
folder. In this example, the upgrade is for different builds of DSM version 8.
Running Upgrade Detector (Attempt: 1)
Did not find a 32bit version of DSM installed while installing 64 bit version.
Found dsm.properties in: C:\Program Files\Trend Micro\Deep Security
Manager\webclient\webapps\ROOT\WEB‐INF\dsm.properties
Connecting to existing database...
Looking for system versions...
Detecting version...
Detected version (8.0.617) is older than this package version (8.0.765)
Parsed managerUniqueNodeID: 1
Found matching manager node:
Hostname: 10.202.214.150
Manager Port: 4119
Heartbeat Port: 4120
This node is marked as not being the same version as the latest installed. The recorded last
version installed of this node is: 8.0.617
No suitable Relay install packages found
Find Button:Next >
ADDING A NODE
This is a scenario that only works with an external database. If the installer detects that the
database already has an existing database, the installer will present the administrator with the
following option:
368 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Running Upgrade Detector (Attempt: 1)
No trace found. Using fresh install mode
Connecting to SQL Server...
Test Query Success...
Database has data
Schema Same
Find Button:Next >
The sample above shows an instance where the installer recognizes that existing database was
created by the same version of the DSM, and can therefore be installed as a second node. In the
event of a difference in schemas, indicating a different version, only the Overwrite option is
available. See next sections.
Running Upgrade Detector (Attempt: 1)
Did not find a 32bit version of DSM installed while installing 64 bit version.
No trace found. Using fresh install mode
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 369
Trend Micro Deep Security Support Track
Connecting to SQL Server...
Test Query Success...
Database has data
Unable to add a node, schema different
Overwrite requested...
Connected...
Overwrite confirmed...
Find Button:Next >
NOTE The sample was taken from a 64-bit DSM installation, hence the additional line
below the Upgrade Detector entry.
PostInstallAction: Administrator Username : MasterAdmin
PostInstallAction: Default Locale :en_US
PostInstallAction: Activation Codes : AP‐xxxx‐xxxx‐xxxx‐xxxx‐xxxx‐xxxx
NOTE Deep Security switched to the standard Trend Micro activation code system in
version 7.5.
PostInstallAction: Starting Database...
PostInstallAction: Database Instance In Use:
com.thirdbrigade.persistence1.db.EmbeddedInstance
PostInstallAction: Loaded Drivers:
PostInstallAction: sun.jdbc.odbc.JdbcOdbcDriver
PostInstallAction: org.apache.derby.jdbc.AutoloadedDriver
PostInstallAction: org.apache.commons.dbcp.PoolingDriver
PostInstallAction: net.sourceforge.jtds.jdbc.Driver
370 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
SchemaManagerTask: Running schema manager...
UpdateDatabaseTask: Updating the database...
AdministratorCreatorTask: Installing Administrator Account...
SettingRecorderTask: Recording Settings...
PostInstallAction: Starting Database...
PostInstallAction: Database Instance In Use:
com.thirdbrigade.persistence1.db.SqlServerInstance
PostInstallAction: Loaded Drivers:
PostInstallAction: sun.jdbc.odbc.JdbcOdbcDriver
PostInstallAction: org.apache.derby.jdbc.AutoloadedDriver
PostInstallAction: org.apache.commons.dbcp.PoolingDriver
PostInstallAction: net.sourceforge.jtds.jdbc.Driver
SchemaManagerTask: Running schema manager...
UpdateDatabaseTask: Updating the database...
. . .
AdministratorCreatorTask: Installing Administrator Account...
SettingRecorderTask: Recording Settings...
PostInstallAction: Starting Database...
PostInstallAction: Database Instance In Use:
com.thirdbrigade.persistence1.db.SqlServerInstance
PostInstallAction: Loaded Drivers:
PostInstallAction: sun.jdbc.odbc.JdbcOdbcDriver
PostInstallAction: org.apache.derby.jdbc.AutoloadedDriver
PostInstallAction: org.apache.commons.dbcp.PoolingDriver
PostInstallAction: net.sourceforge.jtds.jdbc.Driver
SchemaManagerTask: Running schema manager...
UpdateDatabaseTask: Updating the database...
: Counters do not need to be upgraded.
ADDING A NODE
While a new node is added, other nodes are shutdown
PostInstallAction: Starting Database...
PostInstallAction: Database Instance In Use:
com.thirdbrigade.persistence1.db.SqlServerInstance
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 371
Trend Micro Deep Security Support Track
PostInstallAction: Loaded Drivers:
PostInstallAction: sun.jdbc.odbc.JdbcOdbcDriver
PostInstallAction: org.apache.derby.jdbc.AutoloadedDriver
PostInstallAction: org.apache.commons.dbcp.PoolingDriver
PostInstallAction: net.sourceforge.jtds.jdbc.Driver
PostInstallAction: Shutting down other nodes...
[10] INFO: 11‐09‐01 15:15:49.929
com.thirdbrigade.manager.core.iau.IAuUtilities.evaludateCanSkipAU() no AU agent is
detected. AU is turn off.
TempDirectoryCreatorTask: Creating Temp Directory...
ReportDirectoryCreatorTask: Creating Reports Directory...
ReportDirectoryCreatorTask: Copying report: report‐antimalwarereport‐1.3.2.jar
ReportDirectoryCreatorTask: Copying report: report‐integrityreport‐1.3.1.jar
ReportDirectoryCreatorTask: Copying report: report‐alertreport‐1.3.1.jar
ReportDirectoryCreatorTask: Copying report: report‐integritybaselinereport‐1.4.2.jar
ReportDirectoryCreatorTask: Copying report: report‐attackreport‐1.3.1.jar
ReportDirectoryCreatorTask: Copying report: report‐webreputationreport‐1.0.0.jar
ReportDirectoryCreatorTask: Copying report: report‐loginspectiondetailedreport‐1.4.0.jar
ReportDirectoryCreatorTask: Copying report: report‐loginspectionreport‐1.3.1.jar
ReportDirectoryCreatorTask: Copying report: report‐suspiciousactivityreport‐1.3.1.jar
ReportDirectoryCreatorTask: Copying report: report‐ipsreport‐1.3.1.jar
ReportDirectoryCreatorTask: Copying report: report‐systemeventreport‐1.3.1.jar
ReportDirectoryCreatorTask: Copying report: report‐forensicauditreport‐1.3.2.jar
ReportDirectoryCreatorTask: Copying report: report‐systemreport‐1.3.1.jar
ReportDirectoryCreatorTask: Copying report: report‐summaryreport‐1.3.1.jar
ReportDirectoryCreatorTask: Copying report: report‐integritydetailedchangereport‐1.4.0.jar
ReportDirectoryCreatorTask: Copying report: report‐administratorreport‐1.3.1.jar
372 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
ReportDirectoryCreatorTask: Copying report: report‐firewallreport‐1.3.1.jar
ReportDirectoryCreatorTask: Copying report: report‐recommendationreport‐1.3.3.jar
ReportDirectoryCreatorTask: Copying report: report‐hostreport‐1.3.1.jar
PluginsDirectoryCreatorTask: Creating Plugins Directory...
HelpSystemIndexerTask: Indexing Help System...
ReportFontFinderTask: Finding Unicode Font For PDF Generation...
ReportFontFinderTask: preferredReportFont:
ReportFontFinderTask: No suitable fonts located.
Tip Administrators are advised to download security updates for the DSM shortly after
installation.
SecurityHardeningTask: Hardening Security Settings...
ExampleProfilesTask: Importing Example Security Profiles...
CopyActiveUpdateContent: Copying au content '/opt/dsm/installfiles/au/content' ‐>
'/opt/dsm/au/content/'
PostInstallAction: Using security update included in package...
SecurityUpdateApplierTask: Decrypting Security Update...
SecurityUpdateApplierTask: Applying Security Update...
SecurityUpdateApplierTask: Version: 11‐015
SecurityUpdateApplierTask: Available: Tue May 10 11:17:00 PDT 2011
SecurityUpdateApplierTask: Storing update: 11‐015.dsru
ExampleProfilesToSecurityUpdateMappingTask: Mapping Security Update to Example Security
Profiles...
The log above also shows the Anti-Malware components being prepared for DSVA use. As of
this version, DSVA still obtained updates via the legacy ActiveUpdate mechanism.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 373
Trend Micro Deep Security Support Track
ManagerOverrideCreatorTask: Creating Application Type Override for Manager Port...
ManagerPortListEditorTask: Correcting Manager Port List...
To prevent DSAs from generating reconnaissance scan alerts when the DSM performs port
scanning, the installation program adds the DSM IP address to an IP list called Ignore
Reconnaissance as shown below.
IgnoreReconnaissanceCreatorTask: Creating IP List for Ignore Reconnaissance...
This list is used as the default list for the reconnaissance scan exclusion feature.
ScheduledTaskCreatorTask: Creating Scheduled Task for Component Update...
ScheduledTaskCreatorTask: Creating Scheduled Task for Software Check...
ExampleAssetImportanceCreatorTask: Creating Sample Asset Importance Values...
AuditorRoleCreatorTask: Creating the Auditor Role...
ExampleProfileAuditAdjusterTask: Correcting Security Profile Audit...
< Part 10 occurs here>
< Part 11 occurs here>
< Part 12 occurs here>
InstallationRecorderTask: Recording Installation...
PostInstallAction: Automation : false
PostInstallAction: Shutting down the database...
PostInstallAction: Automation : false
Note that the next section, Part 10, is recorded in the midst of this part.
For upgrade scenarios, where the Auditor role is already present, this portion will appear as
follows:
374 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
AuditorRoleCreatorTask: Auditor Role already exists...
UnixTask: Setting the ?nix settings...
ImportSoftwareTask: dsmInstallerDirectoryString=/home/administrator/Documents/
Administrators can verify the import action by selecting View imported software in the screen
shown below.
ImportSoftwareTask: Successfully imported software package. Name:Appliance‐ESX‐8.0.0‐
651.x86_64.zip Version: 8.0.0.651 Platform: ESX_5.0
Fingerprint:D4:02:5D:37:7D:02:D1:E5:88:A5:43:71:6C:55:3A:5A:95:86:96:94
. . .
ImportSoftwareTask: Successfully imported software package. Name:FilterDriver‐ESX_5.0‐8.0.0‐
651.x86_64.zip Version: 8.0.0.651 Platform: ESX_5.0
Fingerprint:99:AC:F2:ED:32:F8:18:16:C5:EB:45:E1:1C:FD:8C:71:18:7C:08:06
. . .
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 375
Trend Micro Deep Security Support Track
ImportSoftwareTask: Successfully imported software package. Name:Relay‐Windows‐8.0.0‐
636.x86_64.msi Version: 8.0.0.636 Platform: Microsoft Windows x86_64
Fingerprint:C0:0B:EF:29:19:8E:DD:68:F1:E2:FA:5B:68:AB:D7:80:7D:FA:78:CC
ImportSoftwareTask: zipEntr to import:dsva.ovf
ImportSoftwareTask: The zip entry dsva.ovf is either not compatible for
import or the same package has already been imported, Importing skipped.
ImportSoftwareTask: zipEntr to import:dsva‐disk1.vmdk
ImportSoftwareTask: The zip entry dsva‐disk1.vmdk is either not compatible
for import or the same package has already been imported, Importing
skipped.
ImportSoftwareTask: zipEntr to import:dsva‐disk2.vmdk
ImportSoftwareTask: The zip entry dsva‐disk2.vmdk is either not compatible
for import or the same package has already been imported, Importing
skipped.
ImportSoftwareTask: zipEntr to import:dsva‐disk3.vmdk
ImportSoftwareTask: The zip entry dsva‐disk3.vmdk is either not compatible
for import or the same package has already been imported, Importing
skipped.
ImportSoftwareTask: The software package "Manager‐Linux‐8.0.617.x64.sh" is
not compatible for import, or the same package has already been imported.
Importing skipped.
The settings associated with these profiles are stored in unencrypted text files that must be
imported during installation. The following installation log entries record this action. It also
shows that the default profile is “1”, meaning “Aggressive”.
376 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
ImportPerformanceProfiles: Importing Performance Profiles '/opt/dsm/installfiles'
ImportPerformanceProfiles: Setting the perferred performance profile for all nodes to: 1
PropertiesTask: Storing dsm.properties SSL...
PropertiesTask: dsm.properties exists
PropertiesTask: dsm.properties is writable
ShortcutTask: Creating Shortcut...
SSLTask: Configuring SSL...
SSLTask: Creating a new certificate...
SSLTask: dname: CN=10.202.214.154, OU=Deep Security Manager, O=Trend Micro, L=Ottawa,
S=Ontario, C=CA
SSLTask: Generating certificate on Linux...
Executing: /bin/bash /opt/dsm/installfiles/genkey
STDIN:
STDERR:
SSLTask: Certificate generated
ChkconfigTask: Running chkconfig
Executing: /sbin/chkconfig ‐‐del dsm_s
STDIN:
STDERR:
Executing: /sbin/chkconfig ‐‐add dsm_s
STDIN:
STDERR:
JavaSecurityTask: Altering java.security....
JavaLoggingTask: Using the default logging.properties file
PostInstallAction: Complete : Thu Sep 01 15:22:02 PDT 2011
As shown above, the installation program uses the Sun Microsystems Keytool.exe utility to
generate the certificate. The parameters for certification generation are stored in the genkey.bat
batch file, whose contents are also shown above.
Tip Companies that need to generate their own certificates can modify the contents of
genkey.bat to suit their needs, and run it to generate their own custom keys.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 377
Trend Micro Deep Security Support Track
UpgradeVerificationScreen Settings
If an existing installation is detected the user has the option to repair/upgrade (depending on
the version) or overwrite. Overwrite implies a completely new manager installation, discarding
all existing data.
Note that this screen/setting is not used unless an existing installation is detected.
Acceptable values are "True" and "False". The default is "False". Sample:
UpgradeVerificationScreen.Overwrite=True
DatabaseScreen Settings
This section defines the database type and optionally the parameters needed to access certain
database types. Note that the interactive install provides an "Advanced" dialog to define the
instance name and domain of a Microsoft SQL server, but because the unattended install does
not support dialogs these arguments are included in the DatabaseScreen settings below.
Database Type - acceptable values are "Embedded", "Microsoft SQL Server", and
"Oracle". The default is "Embedded". The following sample is for an MS SQL server
DatabaseScreen.DatabaseType=Microsoft SQL Server
Host Name – this is not required if the embedded database is used. Acceptable values are
the name or IP address of the database host. Default is the current host name. Sample:
DatabaseScreen.Hostname=10.203.137.90
Database Name – this is not required if the embedded database is used. Acceptable value is
any string. Default is "dsm". Sample:
378 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
DatabaseScreen.DatabaseName=dsm
Transport – this is used for MS SQL servers only. Acceptable values are "Named Pipes"
and "TCP". Default is "Named Pipes". Sample:
DatabaseScreen.Transport=TCP
User Name – this is not required for the embedded database. Default value is blank, which
is discouraged
DatabaseScreen.Username=sa
Password – this is not required for the embedded database. Default value is blank, which is
discouraged
DatabaseScreen.Password=Apple1995!
SQLServer Instance – this is optional and is only required on MS SQL servers are have
multiple instances. Default is blank, which implies default instance. Sample:
DatabaseScreen.SQLServer.Instance=
SQLServer Domain – this is optional and is only required for MS SQL servers.Default is
blank
DatabaseScreen.SQLServer.Domain=
LicenseScreen Settings
This section provides information that would normally be entered on the license screen. The
information here is only valid for version 7.5 and later.
Like the installation wizard, the properties file uses different parameters for different licenses.
For a license that activates all features. Note the “-1” after “license”
LicenseScreen.License.‐1=AP‐xxxx‐xxxxx‐xxxxx‐xxxxx‐xxxxx‐xxxxx
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 379
Trend Micro Deep Security Support Track
AddressAndPortsScreen Settings
This screen defines the address and ports for the manager. In the interactive installer this screen
also supports the addition of a new manager to an existing database, but this option is not
supported in the unattended install.
Manager Address - acceptable value is either the name or IP address of the manager host.
Default is the current host name.
AddressAndPortsScreen.ManagerAddress=10.203.137.162
AddressAndPortsScreen.ManagerPort=4119
AddressAndPortsScreen.HeartbeatPort=4120
CredentialsScreen Settings
This screen defines the username and password for the master administrator.
Administrator Username - the default value is blank, which is not acceptable. Sample:
CredentialsScreen.Administrator.Username=MasterAdmin
Administrator Password - the default value is blank, which is not acceptable. Sample:
CredentialsScreen.Administrator.Password=Apple1995!
Use Strong Passwords – acceptable values are "True" or "False". The default is "True".
CredentialsScreen.UseStrongPasswords=True
Other Settings
These are optional settings that broaden installation options
Disable the addition of DSM to Add/Remove - the default is false. Sample:
Disable.AddRemove=true
Disable the addition of DSM to the Start Menu - the default is false. Sample:
Disable.ProgramGroup=true
Override the example security profile XML file included in the installer - this only
applies to fresh installs. The default is to use the normal file. Sample:
Override.SecurityProfilesFilename=C:\SecurityProfiles.xml
380 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Override the latest security update XML file included in the installer – this only
applies to fresh installations, and requires the use of the default the bootstrap license for
encryption. The default is to use the normal file. Sample:
Override.LatestSecurityUpdateFilename=C:\latest.3bsu
Override the Example Security Profile mapping file – this affects Deep Packet
Inspection functionality and only applies to fresh installations. The default is to use the
normal file. Sample:
Override.LatestSecurityUpdateMapFilename=C:\latest_3bsu_map.csv
Override the generated certificate DN values – this only applies to fresh installations,
and is best reserved for situations when a specific CN is required for a particular DNS
(e.g., dsm.myco.com). The default values are:
CN=<AddressAndPortsScreen.ManagerAddress>, OU=Deep Security Manager,
O=Third Brigade, L=Ottawa, S=Ontario, C=CA
Samples for each certificate-related parameter:
Override.Certificate.CN=
Override.Certificate.OU=Deep Security Manager
Override.Certificate.O=Trend Micro
Override.Certificate.L=Ottawa
Override.Certificate.S=Ontario
Override.Certificate.C=CA
Override the Default Locale for the system – this only applies to fresh installations. The
default is English. Sample:
Override.Default.Locale=fr_CA
Unable to activate
Deep Security Agent
Consult
related
flowcharts
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 381
Trend Micro Deep Security Support Track
Manager-initiated activation
After determining that the activation failure involved a manager-initiated activation, follow the
following process:
A B B1
No
Unable to activate Verify if the DSA is Is a DSA Install DSA and
Resolved
Deep Security Agent installed on the host installed? activate
Yes
B2
B2.B B2.A1
Consult No Yes
Was the DSA Look for the agent’s
related flowcharts
included in the host *.ini, *.crt, and *.db
or contact Trend
image? files
Micro
B2.A2
B2.A2.B No
Are the files
present?
Yes
B2.A2.A1
B2.A2.A2
B2.A2.A2.B No Yes
Was the problem
resolved?
Step Notes
A The initial step is important since the DSM is not actually able to deploy DSAs, unlike
other Trend Micro client-server products
B2 Agent activation establishes a one-to-one relationship between a DSM and a DSA with
382 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
a specific host. This creates challenges for Administrators that want to include DSAs in
server or desktop images that they deploy to new machines via GPO.
If an activated agent is included in the image, it will not work once the image is
deployed. The DSA will recognize that it is no longer on its original host, and it will
not function.
To avoid this issue, administrators must do the following when preparing an a DSA in
an image:
• Deactivate the agent, so that it will not look for a specific DSM
• Delete all instances of following files that tie it to a specific host: *.crt, *.ini,
and *.db
Agent-initiated activation
After determining that the activation failure involved an agent-initiated activation, follow the
following process:
B B1.B1 B1.B2
Is No Yes
Configure DSM to Was the issue
DSA allowed to self-
permit self-activation resolved?
activate?
Yes No
B1.A1
Yes No
B1.A2.A1
Verify connectivity
between the DSM and
DSA
B1.A2.A2
Consult
Yes Can the DSM No Address
related flowcharts
be accessed from connectivity
or contact Trend
the DSA host? issue
Micro
Step Notes
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 383
Trend Micro Deep Security Support Track
A Agents cannot activate themselves if the DSM is not configured to allow it. The
relevant control for this is shown below.
B1.A1 Agent activation is accomplished from the command line and requires the following
syntax:
The value “port” refers to the DSM heartbeat port, which is “4120” by default
If a DSM imports a list of computers from Active Directory, that are actually virtual machines
that the DSM will also import when it establishes a relationship with Center Server, then these
machines will appear on the DSM Computer list twice. This has been an issue since version 6.0.
384 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
This section will offer guidelines for how to deal with this situation, and is divided into the
following sections:
● What to expect
● Working with the problem
● Implications
Implications
This design limitation introduces a number of issues in different customer environments. The
full range of issues is beyond the scope of this book. However, specific examples of how
customers have dealt with this scenario will be useful for putting this issue into context.
Scenarios will be added to this section as they become available.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 385
Trend Micro Deep Security Support Track
386 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Cisco WAAS
The Cisco Wide Area Application Services is a WAN optimization solution. Additional
information about this technology is available here:
http://www.cisco.com/en/US/products/ps5680/Products_Sub_Category_Home.html
This protocol adds additional information that alter TCP sequence numbers. This interferes with
stateful firewall functionality. On Deep Security, this generates “invalid SEQ” or “invalid ACK”
entries in the firewall log.
To avoid this, administrators can enable the following option:
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 387
Trend Micro Deep Security Support Track
This causes the DSA driver to ignore WAAS-related oddities when performing analysis. TCP
stateful sequence number checks are still performed for non-WAAS enabled connections.
Ssh‐server start
388 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
NOTE Verification of the above-mentioned areas must be done via the command line
interface (CLI).
Preparation failure
cleanup
If the DSM is unable to
prepare an ESX server, it
rolls back its changes to
ensure a clean server for the
next attempt. The following
is a screen capture of the
vCenter events window
showing the rollback
process in action.
The preparation fails at the
“Install” event. Once this
failure is detected, all
changes are removed.
sudo ping <IP address to vSwitch>
Tip Using sudo privileges grants the dsva account root privileges for the ping.
dsva@dsva:~$ sudo ping 192.xxx.2.61
PING 192.168.2.61 (192.xxx.2.61): 56 data bytes
84 bytes from 192.168.2.61: icmp_seq=0 ttl=64 time=1.4 ms
84 bytes from 192.168.2.61: icmp_seq=1 ttl=64 time=0.1 ms
The interfaces
The following diagram shows the two interfaces on DSVA
Interface eth0 connects the DSVA to the management network and permits communication
with the DSM. eth1 connects to the vSwitch and the protected VMs
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 389
Trend Micro Deep Security Support Track
ethtool ‐i <interface number>
eth0 eth1
dsva@dsva:~$ ethtool -i eth0 dsva@dsva:~$ ethtool -i eth1
driver: e1000 driver: vmxnet3
version: 7.3.20-k2-NAPI version: 1.0.0.32-NAPI
firmware-version: N/A firmware-version: N/A
bus-info: 0000:02:00.0 bus-info: 0000:03:00.0
For eth1, the key indicator that the interface is working is that the driver is set to vmxnet3.
netstat ‐n –t
390 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track T
Trend Micro Deep Security
About CRCs
C (Section 11.6.5
5)
Smart scann technology iss a new implemmentation of malware identtification via Cyclic
C Redunddancy
Check (CR RC) values. Preevious version
ns of the VSAPI scan engin ne already use this
t method, anda a
significant portion of thee current VSA
API virus patteern is already devoted
d to CR
RC-based
signatures. The followingg diagram shoows how much h of a VSAPI pattern’s sizee consists of CRC
C
information n:
15%
CRC
Non‐CRC
85%
The specifiics of how Treend Micro usees CRCs in itss signature dattabases are understandably
secret. How
wever for purp poses of this document,
d wee can explain that
t CRC info ormation can be
b
divided into two parts:
nitial malware identification
Part 1 – Used for in
Part 2 – Used for malware
m confirrmation
To illustratte how these parts
p work, co
onsider the folllowing diagram that represeents a file thatt has
been infectted by a virus.
Jump cod
de
The scan engine uses this information to detect if a file has been infected with a specific virus.
After detecting the first part of the virus using CRC part 1, the scan engine looks for the
corresponding CRC part 2 for information about the remainder of the virus. Part 2 contains
additional identification information about the remaining portion of the virus and is designed to
confirm that the file is indeed a virus.
To locate Part 2, the scan engine requires information about its expected location within the file.
This information is stored in what pattern builders call the CRC table, and the location within the
file is called its offset.
Offset
Once the virus has been identified, the scan engine requires information to clean/remove the
virus. This information is stored in what antivirus engineers call the virus information table. Once
the scan engine retrieves the cleaning/removal information that corresponds to the identified
virus from the table, it is then able to take action against the virus.
Prior to Smart scan, both CRC parts and the Virus info table were contained within the same
malware signature pattern file. So when the scan engine and pattern file were loaded into
memory as a data structure called a scan context, all the malware-identification information that the
scan engine required accompanied it in memory.
Scan context
Existing pattern
CRC Part 1
Scan
CRC Part 2
engine
Virus info
Non-CRC data
Smart scan addresses the needs enumerated in the previous section by deconstructing the
existing pattern as shown below:
392 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Non-CRC data
Non-CRC data
Non-CRC pattern
(Smart scan agent pattern)
Tip In the next section, pay attention to a file called the CRC cache in the next
section. This file serves a local repository for CRC part 2 and Virus info data once these
are queried from the Cloud Virus pattern during the normal course of the CCFR process.
Important: Both the Smart query filter and Smart scan agent pattern reside on the DSVA.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 393
Trrend Micro De
eep Security Suppo
ort Track
name, and many people can share the same first nam me. There a combination of
o first and lastt
names is reequired to iden
ntify a specificc individual.
Consider a bus conductoor, shown belo
ow, who has been
b given thee task of keepiing specific
individuals from boardin
ng his bus.
The ticketing office has complete bioggraphical inforrmation about these individduals, to ensurre
accurate identification.
A logical way
w for the con nductor to maatch passengerrs with these records
r wouldd be to have alll
available in
nformation on
n-hand. This so
olution may work
w when deaaling with onlyy a few individduals.
But as the number of peeople to watch
h out for increeases, this metthod will beco
ome cumberso ome.
39
94 CONFIDENT
TIAL — Release Pursuant
P to NDA
A — CONFIDENT
TIAL © 2012 Trend
d Micro Inc.
Support Track Trend Micro Deep Security
This makes the information more manageable, albeit at the expense of completeness The
conductor, therefore, will have to obtain additional information as required.
The operating schema is shown below.
My name is All details
John Smith for: “Smith”
Smith
The conductor gets the name of every individual who gets on board the bus. If the individual’s
last name does not match names in the list that the conductor keeps, then that person can get on
without further interference.
However, if there is a match, as in the example above where the passenger “Smith” matches one
of the last names on the list, the conductor calls the ticketing office asking for detailed files about
all undesirables named “Smith”.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 395
Trend Micro Deep Security Support Track
The ticketing office then responds by sending the required records. Only then will the conductor
have complete records on-hand, and only for a small subset of bad passengers. The conductor
then compares the individual’s full identity with those on the “Smith files”.
Had the person’s full name been “Denzel Smith”, as shown below, then it would not be a full
match for the information on the records. This indicates that he is not on the no-ride list, and is
free to board the bus.
Welcome
My name is aboard!
Denzel Smith
(No match)
Smith
However, if a match is found, then the conductor reports this to the ticketing office and asks for
instructions about how to deal with a known bad passenger.
Confirmed!!!
How do I deal
with him?
Smith
396 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
● The question “How dow I deal with him” represents a call for malware cleaning/removal
information (VInfo).
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 397
Trend Micro Deep Security Support Track
In-the-wild verification
The Smart scan agent pattern contains complete CRC Parts 1 & 2, and VINFO information for
malware that are considered “in-the-wild”. The DSVA, therefore, is able to use this locally-
available information to clean the malware without querying an external database.
Continue with
other Step 1
activities
If the scan engine finds that the file being scanned matches CRC signatures for in-the-wild
malware in the Smart scan agent pattern, then it will act upon the file as it would in a
conventional scan. If a match is not found, then the client continues with other uncompleted
tasks in this step.
CRC-pattern applicability
Step 1 gives the individual anti-malware functions within the scan engine a chance to analyze the
malware. Each individual function evaluates its ability to clean/remove the malware, and at the
end of the step, only the relevant scan engine function acts upon the file.
When the DSVA scans a file, it first identifies its file type to determine the appropriate malware
identification technique. This information is then passed to each scan engine function for
analysis. Each function follows the following logic:
398 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Yes
Scan module Do Proceed with
(1-n) evaluates CRC-patterns Smart scan in
file type apply? Step 2
Determine
Begin
True File No
scan
Type
Use
Scan for malware
Smart Scan
without CRC
information Agent Pattern
(Icrc$oth.xxx)
Individual scan engine functions evaluate the file’s file-type, and decide whether or not to use
CRC-based patterns.
Certain types of malware, for example script-based malware, do not use CRC patterns. These,
therefore, do not benefit from Smart scan and instead use information in the Smart scan agent
pattern (icrc$oth.xxx).
If the file being scanned cannot be analyzed with CRC-based patterns, then the scan engine uses
non-CRC pattern information in Smart scan agent pattern. Smart scanning for this file, therefore,
is no longer required.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 399
Trend Micro Deep Security Support Track
No
End analysis
When a file is flagged as “malware” in this assessment process, it means that there is a high
probability that it is malware. It is not yet, however, confirmed that it truly malware. This
confirmation occurs later in the process. However when the file is flagged as “not malware”,
then the scan engine ends analysis for that file.
Here, the VSAPI scan engine uses the CRC part 1 information calculated in Step 1 for reputation
assessment. The following are details of how the client implements the logic outlined above:
Yes
Verify Smart Verify CRC
Compute CRC Match found?
query filter cache
No
Not a virus
As shown above, DSVA refers to a file called the Smart query filter (BF.ptn) to determine if the file
is indeed malware. This filter acts like an index to the malware information on the Scan Server.
If the file’s CRC part 1 is not found in the BF.ptn, then it is not malware. This information is
passed to the scan engine which then ends the scanning process for this particular file. However,
if the file is found, then there is a statistical probability that it is indeed malware, and is therefore
subject to further verification.
2009/03/27 13:04:18 Pacific Daylight Time [02520] [DEBUG] [MakeBF.cpp (104)]
false positive probability: 0.3036%
Important: This “false positive” figure should not be confused with false alarms where
legitimate files are misidentified as malware. This false positive occurrence simply results
superfluous scan server queries.
The percentage above refers to the likelihood that analysis of what is actually a safe file will result
in a smart scan query to the scan server. To understand why this happens, let us use an adjusted
version of the bad passenger analogy.
400 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The key point to remember is that the CRC Part 1 information contained within the Smart query
filter pattern is not the full CRC Part 1 information, and is merely an abstraction. Applying this
to the analogy, the piece of paper that the conductor carries would not really contain the full
name “Smith”, but would appear as below:
Smith Sm
By abbreviating the name, in this example to just two letters, it is possible to fit more names
within the existing piece of paper. This reduction of information, of course, reduces the accuracy
of the match that would result in a call to the ticketing office for additional information. Not
only will a passenger named “Smith, Denzel” result in a call, but so will the following names:
The abstraction introduces the possibility of a false positive. It is not, however, a fatal false
positive since the conductor won’t eject the passenger until the records from the ticketing office
arrive. Since the passenger won’t match any of the bad passenger records, no action will actually
be taken upon this passenger.
All that this causes is superfluous calls. Provided the ratio between valid and superfluous calls
remains reasonable, the situation will remain manageable. Otherwise, it will be necessary for the
conductor to add letters to the names on his list. Changing “Sm” to “Smi”, for example,
immediately eliminates 2/3 of the false positives shown in the sample above.
The effect of this bump in accuracy, however, is a need for a larger piece of paper since it must
contain more information.
As discussed earlier, the piece of paper is a representation of the Smart query filter pattern. The
CRC Part 1 records it contains are much more complicated than five-letter names, but are still
abbreviations of the full CRC Part 1 information in the full pattern, and therefore have margins
for error.
By design, the maximum tolerable false positive rate is 5%. If the query filter generation process
detects that this limit has been exceeded, it automatically compensates by increasing the amount
of CRC Part 1 information the filter contains. This results in an increase in the size of the filter
pattern. This pattern increase behavior is hard-coded and cannot be modified.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 401
Trend Micro Deep Security Support Track
Important: The information within the cache determines what DSVA does when the Scan
Server is inaccessible.
No No
Proceed to Proceed to
Step 4 Step 6
If all the required information about the file is available in the cache, then the VSAPI scan
engine re-uses this information to deal with the file.
However if the information is not present in the CRC cache, then DSVA queries the scan server.
As shown above, the nature of the query depends upon the information available in the cache.
The purpose of CRC and VINFO information are described in Steps 4 and 6 respectively.
NOTE This is the first of what will be two queries to the scan server.
As of writing, the CRC database is stored in a file called the Smart scan pattern (icrc$tbl.xxx). The
manner of storage is the object of continual review.
The query process proceeds as shown below:
Client-side
processing
Scan server-side
processing
402 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
As shown above, this step can be divided into two sub-steps that run concurrently: client-side
and scan server-side processing.
Client-side processing
By design, the DSVA only waits for a response, from the Scan Server, for a maximum of 500
milliseconds. The following flowchart shows this process.
Required Yes
Wait for response
Send CRC
response Begin Step 5
query
(max time = 500ms) received?
No
Important: For this brief period, VSAPI locks the file. This is normal behavior for VSAPI, and is
how it behaves in conventional scanning.
If the iCRC handler is unable to query the Scan Server, then the server-side processing portion
of this step does not occur, and the client attempts to query another scan server if one is
available, or proceeds to what this document refers to as offline protection. See Error! Reference
ource not found. on page Error! Bookmark not defined..
Part 1 Part 2 #
Smith Denzel 1
Deveci Jen 2
Lim Jack 3
Sm Smith John 4
Costa Jack 5
Smits Bob 6
Chua Alp 7
At the end of the query, the scan server parses the the necessary information, and then returns
only the relevant records to the DSVA, as shown in the representation below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 403
Trend Micro Deep Security Support Track
Part 1 Part 2 #
Smith Denzel 1
Smith John 4
Smits Bob 6
The scan engine on the DSVA then uses this information to identify the specific variant of the
malware that was detected – if it is indeed malware.
When the Scan Server receives the CRC query, it implements the following process:
Not malware
No
Yes
Retrieve
“Part 2”
information
If the CRC information sent in the query matches “Part 1” information in the Smart scan
pattern, then the Scan Server returns all the corresponding “Part 2” records to the DSVA. The
client then uses this information for malware identification. otherwise, it returns no records, and
the scanning process ends for this file.
Pass Yes
End Step 4 Receive result information to Match found? Query Virus ID
VSAPI
No
Add
information Not malware
the cache
When the DSVA receives CRC information from the Scan Server, it does the following:
Pass the information to VSAPI – the scan engine performs the matching operation
described at the start of this step. If no match is found, the file is safe and the scanning
process ends. However if a match is found, the DSVA queries the Scan Server for
records that correspond to the malware’s virus ID . This is described in the next step.
404 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Add the information to the cache - All the records that were returned by the CRC query
in the previous step are entered into the cache – regardless of whether or not they
correspond to the malware that is detected in the system.
NOTE The CRC cache can store a maximum of 6,000 records. If this is exceeded,
entries would be deleted on a Least-Recently-Used basis.
Next, it proceeds with the scan itself. As with other aspects of scanning technology, how this is
actually done is restricted information. However the following representation approximates how
this is done.
The illustration below combines the representation of the records that were returned in the
previous step, with the representation of the infected file from the About CRCs section.
Part 1 Part 2 #
Smith Denzel 1
Smith John 4
Smits Bob 6
Jump code
The scan engine identifies the virus by comparing the “Part 1” and “Part 2” information in the
malware records, with the corresponding parts of the virus. If a match is found, then the
malware has been identified. Otherwise, the file is not malware, and the process ends.
In this example, Part 1 and Part 2 information in record #4 matches the parts of the virus that
infected the file in the illustration. This indicates that the virus is malware #4. Since a match was
found, the process proceeds to step 7 to obtain the information required to remove this specific
malware.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 405
Trend Micro Deep Security Support Track
Client-side
processing
Scan server-side
processing
Like step 4, this step can be divided into the following sub-steps: client-side and server-side
processing
Client-side processing
As with Step 4, the DSVA waits for a maximum of 500 milliseconds for the Scan Server to reply.
The following flowchart shows what the client does in this step:
Yes
Wait for response
Send VINFO Response
Begin Step 7
query received?
(max time = 500ms)
No
Perform 2nd
action
If the DSVA does not receive a timely reply, the client will abandon the primary action, in favor
of the secondary action.
If the client were using the settings above, a VINFO query failure would cause the client to
quarantine the malware instead of cleaning it.
Important: At this point, the DSVA has already confirmed that the file is malware. Therefore
action is warranted.
Server-side processing
As explained in the About CRC section, knowledge about how to clean/remove malware is
stored in the virus information table, which is now part of the Smart scan pattern on the Scan
Server. To obtain this knowledge, the DSVA sends a second query to the Scan Server. However,
instead of sending CRC information like in the first query, the client sends the Virus ID (VID) of
the CRC record that matched the malware that was detected. The Scan Server then searches for
the Virus Information (VINFO) that corresponds to this VID.
Consider the following representation of this process:
406 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The representation in the previous step matched malware record #4 with the malware that was
detected.. The VINFO that the DSVA needs to remove the malware, therefore, is the VINFO
that corresponds to “VID = 4”.
The Scan Server implements the following process in this step.
To obtain VINFO, the DSVA sends the VID of the malware identified in Step 6 to the Scan
Server. Receipt of this VID is recorded on Web server logs on the scan server. A sample of this
is shown below:
2009‐01‐29 20:58:16 W3SVC4 10.2.34.89 GET /tmcss/VSAPIInfo.dll
BF=580456&VID=08000000BCB30800306725B1& 4345 ‐ 10.10.10.10 iCRCHdler+1.0.1081 200 0 0
The Scan Server then uses this VID to search for the appropriate VINFO. Once the VINFO is
retrieved, the Scan Server returns this to the DSVA for use by the scan engine.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 407
Trend Micro Deep Security Support Track
408 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
False positives, however, are possible. This is expected since the filter does not contain all the
data points required to accurately identify malware. This is why CRC part 2 information is
required prior to any action.
The false positive probability is computed each time the filter is generated on the scan server.
This is recorded on diagnostic.log on the scan server, as shown below.
2009/03/27 13:04:18 Pacific Daylight Time [02520] [DEBUG] [MakeBF.cpp (104)]
false positive probability: 0.3036%
The scan server generates an updated smart query filter each time the Smart scan pattern is
updated. In addition to the filter itself, incremental versions of the pattern are also generated.
ABC 123 1
ABC 789 4 351
ABC 723 6
Deletion Part 1 Part 2 #
ABC 123 1
ABC 789 4
ABC 723 6
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 409
Trend Micro Deep Security Support Track
ABC 123 1
ABC 789 4
ABC 723 6
ABC 426 9 ABC 426 9
CRC cache updates can implement all of the above changes to the information already in the
DSVA CRC cache.
NOTE This is the only Smart scan pattern that is visible in the pattern summary
screens.
410 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
D
Collect PING, TELNET,
and NSLookup results
(DSM and DSA)
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 411
Trend Micro Deep Security Support Track
Ste Notes
p
A This involves collection of information about the DSM and DSA hosts involved in the
issue, as well as basic product information. This includes:
uname –a
Cat /proc/driver/dsa/info
rpm –qa ds_agent
uname ‐a
pkginfo –l ds_agent
uname ‐a
swlist ds_agent
uname ‐a
lslpp –L ds_agent.rte
412 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
As of writing, only the Windows version of Deep Security was supported, so this
procedure only applies to this platform. Collect the following files:
Collect the following information from the DSA. Platform-specific differences are listed
in the sub-tables shown below
Diagnostic The procedure for generating the package from within the
package (agent) DSM console is discussed in DSA diagnostic package on page
306. This is standard for all DSA platforms.
• Platform information
• Driver information
• DSA package information
uname –a
Cat /proc/driver/dsa/info
rpm –qa ds_agent
uname ‐a
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 413
Trend Micro Deep Security Support Track
pkginfo –l ds_agent
uname ‐a
swlist ds_agent
uname ‐a
lslpp –L ds_agent.rte
Debug view log Visibility into what the DSA is doing at any given time will
greatly facilitate analysis of problems. To enable this
functionality an agent configuration file -- that is not actually
present by default -- must be created.
The file, and where the log output appears, varies according
to the DSA platform. However, in all instances, administrators
must add the following line to the configuration file:
Trace=Appl Beat Cmd Cfg Conn HTTP Log Lstn Srvc SSL
Alternatively, to generate output for all functionality, add
the following line instead
Trace=*
414 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Solaris /etc/ds_agent.conf
HPUX /etc/ds_agent.conf
AIX /etc/ds_agent.conf
*.err;kern.debug;daimon.notice;mail.crit;*.info
/var/adm/messages
svcadm restart /system/system‐log:default
*.info /var/adm/syslog/syslog.log
/sbin/init.d/syslogd stop
/sbin/init.d/syslogd start
local0.info /var/log/syslog
refresh ‐s syslogd
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 415
Trend Micro Deep Security Support Track
Collect a file called dsm.properties. This file contains information that the DSM uses to
connect to its database. This can be found in the following location:
C:\Program Files\Trend Micro\Deep Security Manager\webclient\ROOT\WEB‐INF
For this procedure, all the administrator needs to do is view the client configuration on
the DSA user interface. This is provides a quick way to determine if the agent is
applying the expected rules.
D Perform PING, TELNET, and NSlookup tests on both DSM and DSA hosts
From the DS Manager, open command prompt and run the following commands then
copy the results:
416 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 417
Trend Micro Deep Security Support Track
corresponds.
Inc. ptn
Pattern #7
Consider the illustration on the #1
418 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
new virus signatures that were added in versions 6 to 8. The ActiveUpdate module downloads
this incremental pattern, and then merges it with Pattern #5, thereby updating it to Pattern #8.
NOTE For merge functionality, AU leverages the RT Patch library from Packet Soft, Inc.
Incremental updates obviate the need to download complete patterns, thereby reducing the
bandwidth consumed during pattern updates.
Consider the table on the right, which
shows the file sizes for virus pattern Virus pattern xxx
____ and the associated incremental Pattern Size
virus patterns. When comparing the Full pattern (compressed for
size of the full pattern with those of the download)
incremental patterns, the benefits for Increment 14
bandwidth are obvious.
Increment 13
Increment 12
NOTE Gaps between versions
exist because these missing Increment 11
versions are allocated for Incremental patterns 4 to 10 skipped
Controlled Pattern Releases.
Increment 3
Incremental patterns are available for Increment 2
14 of the most recent Official Pattern Increment 1
Releases. If a product uses a pattern
that is more than 14 versions older than
the current pattern, then the product will download the latest full pattern.
Duplication methods
The Deep Security Manager acts as a local update server for its agents. This means that is must
be able to offer both full and incremental updates to its endpoints. The ActiveUpdate module
offers two methods for providing this functionality:
● Site duplication
● Smart duplication
The end result for both methods is essentially the same: agents are given a choice of 14
incremental patterns to choose from. The difference lies in how these 14 incremental patterns
are obtained.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 419
Trend Micro Deep Security Support Track
server.
The following diagram on the right shows
what happens during site duplication. As
shown, site duplication is a very bandwidth
intensive process. For each pattern type, 15
files need to be downloaded: the full pattern
and the 14 corresponding incremental
patterns. For the virus pattern alone
(lpt$vpn), this was already 44.3 MB as of
writing.
As a bandwidth conservation measure, an alternative duplication method was first introduced in
AU 2.8: Smart duplication. This is discussed in the next section
NOTE Other pattern types, such as “bandage” patterns are beyond the scope of this
section.
About OPR
The regular updates that Trend Micro customers receive are released as part of an OPR. Upon
release, these patterns are posted on the ActiveUpdate system, where products can download
them from their default update sources.
OPR patterns are easy to differentiate from CPR patterns by their version numbers. The former
always use odd-numbered file extensions. For example
icrc$oth.373
CPRs are given even numbered version. This numbering convention is readily seen on the
download page of the Trend Micro Website
420 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
About CPR
The formal definition of a CPR is shown below
A Controlled Pattern File Release (CPR) is a manually loadable, pre-release version of a Trend Micro virus
protection database, designed to provide users with additional antivirus protection in between official pattern file
releases.
These patterns are made available via the Trend Micro Website, and not through the standard
Trend Micro update server. As a consequence, these have to be applied to the products
manually.
CPR patterns are full patterns, and no incremental patterns are generated for them. So if a
product uses a CPR, then the next update will download a full OPR pattern, since incremental
updates to update the CPR version to OPR are not available.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 421
Trend Micro Deep Security Support Track
[2011‐Nov‐11 14:18:08 3840|3972] [app] iAU::DirectoryManager::DirectoryManager
[src\common\src\directory_manager.cpp(28)]
Auto control the path : C:\Program Files\Trend Micro\Deep Security
Relay\relay\iau\feedback
Max size is : 1048576
Force size is : 1048576
[2011‐Nov‐11 14:18:08 3840|3972] [app] iAU::FeedbackClientID::Load
[src\common\src\feedback_client_id.cpp(67)]
If the x-tag is not found, it proceeds to generate the file. The following log sample shows this
process. This action is skipped if a valid x-tag is detected.
Unable to get xtag from local: "C:\Program Files\Trend Micro\Deep Security
Relay\relay\iau\xtag", this is fresh install.
[2011‐Nov‐11 14:18:08 3840|3972] [app] iAU::FeedbackClientID::Load
[src\common\src\feedback_client_id.cpp(77)]
Generating the uuid because of no xtag: 3ec37aea‐e1ae‐4656‐85ee‐3b2f6ebfe5c9
Also at this point, the DSR verifies the existence of product indices and the
common_components file.
[2011‐Nov‐11 14:18:08 3840|3972] [err] iAU::Source::GetUpdateTree
[src\common\src\source.cpp(57)]
Product index is empty.
[2011‐Nov‐11 14:18:08 3840|3972] [err] iAU::LocalSource::GetUpdateTree
[src\common\src\local_source.cpp(101)]
Failed loading C:\Program Files\Trend Micro\Deep
Security Relay\relay\iau\common_components
The sample above corresponds to a freshly installed DSR, so the product indices are empty. On
an already-in-use DSR, this step is not recorded.
[2011‐Nov‐11 14:18:08 3840|3972] [app] iAU::Context::GetRemoteTree
[src\relay\src\context.cpp(528)]
Duplicating for product: IAURELAY_Product {
id: c22t2202v8.0.0l1p5889r1o1
components: 0000000000000000
componentCount: 0
422 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
}
[2011‐Nov‐11 14:18:08 3840|3972] [err] iAU::Source::GetUpdateTree
[src\common\src\source.cpp(57)]
Product index is empty.
[2011‐Nov‐11 14:18:08 3840|3972] [err] iAU::LocalSource::GetUpdateTree
[src\common\src\local_source.cpp(101)]
Failed loading C:\Program Files\Trend Micro\Deep
Security Relay\relay\iau\c22t2202v8.0.0l1p5889r1o1
A freshly installed DSR, however, does not actually include any components. The product index
is empty and therefore cannot be loaded.
The following iaurelay.log entries record the relay downloading the DSR product index. In this
example, the index is for a Windows 64-bit relay.
[2011‐Nov‐11 14:18:08 3840|3972] [app] iAU::Context::GetUpdateTree
[src\relay\src\context.cpp(729)]
Building remote source for duplicate.
[2011‐Nov‐11 14:18:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(125)]
Query index for protocol :
c22t2202v8.0.0l1p5889r1o1
[2011‐Nov‐11 14:18:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(130)]
Temp query index for protocol :
c22t2202v8.0.0l1p5889r1o1
[2011‐Nov‐11 14:18:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(144)]
Query URI : https://iaus‐
preopr.trendmicro.com/iau_server.dll/c22t2202v8.0.0l1p5889r1o1
The DSR records the attempt to connect to the update server in a TmuDump.txt log. The entry
that corresponds to the download attempt above appears below.
Inf 20111111 14:18:08 3840 3972 Connecting ... 96.7.153.83:443
Inf 20111111 14:18:08 3840 3972 Use nonblocking connect with timeout(20 s).
Inf 20111111 14:18:08 3840 3972 Connected!
Inf 20111111 14:18:08 3840 3972 Connected to iaus‐preopr.trendmicro.com:443
. . .
Inf 20111111 14:18:09 3840 3972 GET /iau_server.dll/c22t2202v8.0.0l1p5889r1o1 HTTP/1.1
Host: iaus‐preopr.trendmicro.com:443
User‐Agent: Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)
Accept: */*
Pragma: No‐Cache
Cache‐Control: no‐store, no‐cache
Connection: Keep‐Alive
X‐Trend‐ActiveUpdate: 6.3.1043
Proxy‐Connection: Keep‐Alive
pragma: akamai‐x‐cache‐on
Accept‐Encoding: gzip
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 423
Trend Micro Deep Security Support Track
Inf 20111111 14:18:09 3840 3972 HTTP request headers send OK
Inf 20111111 14:18:10 3840 3972 HTTP/1.1 200 OK
Server: TMUpdateServer 2.0.0.1024
Content‐Encoding: x‐gzip
Content‐MD5: YjRiNmZjNjM2ZTVjMWJlZjQxZWY0MDQyZDYxMzFkNWY=
ETag: "c22t2202v8.0.0l1p5889r1o1:b4b6fc636e5c1bef41ef4042d6131d5f"
Last‐Modified: Fri, 11 Nov 2011 21:46:55 GMT
Content‐Type: application/xml
Content‐Length: 602
Expires: Fri, 11 Nov 2011 22:18:13 GMT
Date: Fri, 11 Nov 2011 22:18:13 GMT
X‐Cache: TCP_MISS from a204‐2‐136‐180 (AkamaiGHost/6.6.0‐8695903) (‐)
Connection: close
Inf 20111111 14:18:10 3840 3972 response OK, content followed
Inf 20111111 14:18:10 3840 3972 HttpsConnection: Successful: HTTP 200 OK
Inf 20111111 14:18:10 3840 3972 Start to get the file...
Inf 20111111 14:18:10 3840 3972 TmDownloader: Succeeded getting the file
<response version="2.0.0">
<update id="c22t2202v8.0.0l1p5889r1o1">
<products>
<product id="c22t2202v8.0.0l1p5889r1o1">
<entity class="22" type="2212" language="‐1" platform="‐1" region="‐1" oem="‐1"
version="8.0.585"> . . .</entity>
<entity class="22" type="2213" language="‐1" platform="‐1" region="‐1" oem="‐1"
version="11.031">...</entity>
<entity class="2" type="574619648" language="‐1" platform="5889" region="‐1" oem="‐1"
version="3.5.1047">...</entity>
<entity class="22" type="2211" language="‐1" platform="‐1" region="‐1" oem="‐1"
version="8.0.0">...</entity>
</product>
</products>
</update>
</response>
424 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
2211 – Deep Security Manifest. The DSM uses this to display component versions on the
DSM console
[2011‐Nov‐11 14:18:10 3840|3972] [app] iAU::Context::GetRemoteTree
[src\relay\src\context.cpp(552)]
Product remote tree:
‐‐‐+ "Product_Family[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product_Group[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐‐ "Component[]<‐‐[c22t2212v8.0.585l‐1p‐1r‐1o‐1]"
‐‐‐‐ "Component[]<‐‐[c22t2213v11.031.0l‐1p‐1r‐1o‐1]"
‐‐‐‐ "Component[]<‐‐[c2t574619648v3.5.1047l‐1p5889r‐1o‐1]"
‐‐‐‐ "Component[]<‐‐[c22t2211v8.0.0l‐1p‐1r‐1o‐1]"
Incremental updates, when possible occur in this step. If incremental updates are not available,
iAU relay writes the following to its log
[2011‐Nov‐11 14:18:10 3840|3972] [app] iAU::MergeOptimize::Optimize
[src\common\src\merge_optimize.cpp(106)]
Read extern for mutil‐merge
IAU_STATUS_UNCLASSIFIED_ERROR[‐1073741824(3,0,0)]
NOTE For an example of a successful merge, see the Incremental update section in
this chapter.
Since an incremental update is not possible in this example, iAU downloads full packages. This is
recorded in the iaurelay.log below
[2011‐Nov‐11 14:18:10 3840|3972] [app] iAU::Context::Duplicate
[src\relay\src\context.cpp(296)]
0 full package(s) will be generated via merge
instead of download.
The DSR begins by downloading the DSR manifest. The following iaurelay.log entries record
this action.
[2011‐Nov‐11 14:18:10 3840|3972] [app] iAU::UriDownloader::GetFile
[src\common\src\uri_downloader.cpp(92)]
Parsing URI :
https://iaus.activeupdate.trendmicro.com/activeupdate/preopr/22_2202_8.0.0_1_5889_1_1/ctlr
po/c22t2212l‐1r‐1p‐1o‐1/8.0.585_c01b58b9‐2d70‐4360‐9241‐36fa7370e36e.7z
Inf 20111111 14:18:10 3840 3972 Connecting ... 96.7.144.158:443
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 425
Trend Micro Deep Security Support Track
Inf 20111111 14:18:10 3840 3972 Use nonblocking connect with timeout(20 s).
Inf 20111111 14:18:10 3840 3972 Connected!
Inf 20111111 14:18:10 3840 3972 Connected to iaus.activeupdate.trendmicro.com:443
. . .
Inf 20111111 14:18:10 3840 3972 Establish SSL connection OK with peer
Inf 20111111 14:18:10 3840 3972 GET
/activeupdate/preopr/22_2202_8.0.0_1_5889_1_1/ctlrpo/c22t2212l‐1r‐1p‐1o‐
1/8.0.585_c01b58b9‐2d70‐4360‐9241‐36fa7370e36e.7z HTTP/1.1
. . .
Inf 20111111 14:18:10 3840 3972 HttpsConnection: Successful: HTTP 200 OK
Inf 20111111 14:18:10 3840 3972 Start to get the file...
Inf 20111111 14:18:10 3840 3972 Successfully wrote [475]B to disk.
Inf 20111111 14:18:10 3840 3972 TmDownloader: Succeeded getting the file
Inf 20111111 14:18:10 3840 3972 Successfully wrote cache [475]B, currently cached [475]B.
After successfully downloading a component, the DSR writes the following entry in iaurelay.log
[2011‐Nov‐11 14:18:55 3840|3972] [app] iAU::UriDownloader::GetFile
[src\common\src\uri_downloader.cpp(145)]
Succeed downloading, remove cache file.
[2011‐Nov‐11 14:18:55 3840|3972] [app] iAU::UriDownloader::GetFile
[src\common\src\uri_downloader.cpp(204)]
Finish downloading, result:
IAU_STATUS_SUCCESS[0(0,0,0)]
The DSR downloads the rest of the items in the product index in a similar matter. The following
iaurelay.log entries correspond to the indicated components.
Deep Security Rule Update
[2011‐Nov‐11 14:18:10 3840|3972] [app] iAU::UriDownloader::GetFile
[src\common\src\uri_downloader.cpp(92)]
Parsing URI :
https://iaus.activeupdate.trendmicro.com/activeupdate/preopr/22_2202_8.0.0_1_5889_1_1/ctlr
po/c22t2213l‐1r‐1p‐1o‐1/11.031_aab90948‐ab7d‐4a08‐a0a6‐3e3c462f21f9.7z
TMUFE
[2011‐Nov‐11 14:18:55 3840|3972] [app] iAU::UriDownloader::GetFile
[src\common\src\uri_downloader.cpp(92)]
Parsing URI :
https://iaus.activeupdate.trendmicro.com/activeupdate/preopr/22_2202_8.0.0_1_5889_1_1/ctlr
po/c2t574619648l‐1r‐1p5889o‐1/3.5.1047_51805141‐4b2c‐4afc‐9c26‐e9e59b4f95d4.7z
DS product manifest
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::UriDownloader::GetFile
[src\common\src\uri_downloader.cpp(92)]
Parsing URI :
https://iaus.activeupdate.trendmicro.com/activeupdate/preopr/22_2202_8.0.0_1_5889_1_1/ctlr
po/c22t2211l‐1r‐1p‐1o‐1/8.0.0_b2c5a7d7‐2876‐42e2‐8cf9‐777fe8ee17f7.7z
426 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
After downloading all relevant components, the DSR moved them to their destination folders.
The following iaurelay.log entries record this action.
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Context::GetPackages
[src\relay\src\context.cpp(426)]
Succeed to get update packages, start to install.
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Context::Duplicate
[src\relay\src\context.cpp(300)]
Getting pakcages result:
IAURELAY_STATUS_SUCCESS(1)
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Context::Duplicate
[src\relay\src\context.cpp(319)]
Generating product index and component external
index...
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::IndexVisitor::GenerateIndexFile
[src\common\src\visitor.cpp(604)]
save product index to: C:\Program Files\Trend
Micro\Deep Security Relay\relay\iau\c22t2202v8.0.0l1p5889r1o1
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Context::Duplicate
[src\relay\src\context.cpp(327)]
Generating common components...
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::IndexVisitor::GenerateIndexFile
[src\common\src\visitor.cpp(604)]
save product index to: C:\Program Files\Trend
Micro\Deep Security Relay\relay\iau\common_components
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Context::Update [src\relay\src\context.cpp(778)]
Start loading local components information to
memory
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::LocalSource::ScanRepository
[src\common\src\local_source.cpp(225)]
Initilizing and checking local repository:
C:\Program Files\Trend Micro\Deep Security Relay\relay\iau
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::IndexVisitor::GenerateIndexFile
[src\common\src\visitor.cpp(604)]
save product index to: C:\Program Files\Trend
Micro\Deep Security Relay\relay\iau\all_components
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Context::Update [src\relay\src\context.cpp(813)]
Local components information loaded
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Cleaner::CleanPackages
[src\common\src\cleaner.cpp(59)]
Start cleaning packages: C:\Program Files\Trend
Micro\Deep Security Relay\relay\iau\packages
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 427
Trend Micro Deep Security Support Track
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Cleaner::CleanPackages
[src\common\src\cleaner.cpp(99)]
End clean packages.
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Cleaner::CleanCache
[src\common\src\cleaner.cpp(116)]
Start cleaning cache files: C:\Program Files\Trend
Micro\Deep Security Relay\relay\iau\cache
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Cleaner::CleanCache
[src\common\src\cleaner.cpp(143)]
End clean cach files.
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::DataManager::GetInformation
[src\relay\src\data_manager.cpp(29)]
Get the memory space: 00000000057794C0
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Context::Duplicate
[src\relay\src\context.cpp(388)]
Duplicate result: IAURELAY_STATUS_SUCCESS(1)
At this point, the iAU relay module submits a result to the Trend Micro update site via an ISAPI
filter on the update server called iau_visibility.dll. It starts the process in with the following entry
in iaurelay.log
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::FeedbackProtocolbuffer::UploadReport
[src\common\src\feedback_protocolbuffer.cpp(98)]
Post the feedback report return true
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Sdk::GetStatusMessage
[src\relay\src\sdk.cpp(149)]
The connection attempt with the update server appears in TmuDump.txt as follows:
Inf 20111111 14:19:00 3840 3972 Connecting ... 150.70.74.55:80
Inf 20111111 14:19:00 3840 3972 Use nonblocking connect with timeout(20 s).
Inf 20111111 14:19:00 3840 3972 Connected!
Inf 20111111 14:19:00 3840 3972 POST /iau_visibility.dll HTTP/1.1
Host: iaufdbk.trendmicro.com
User‐Agent: Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)
Accept: */*
X‐Trend‐ActiveUpdate: 6.3.1043
Proxy‐Connection: Keep‐Alive
pragma: akamai‐x‐cache‐on
XEtag: 3ec37aea‐e1ae‐4656‐85ee‐3b2f6ebfe5c9
Connection: Keep‐Alive
Content‐Length: 435
Inf 20111111 14:19:00 3840 3972 HTTP request headers send OK
Inf 20111111 14:19:00 3840 3972 [173]B of [213]B is parsed as response header
Inf 20111111 14:19:00 3840 3972 HTTP/1.1 200 OK
Date: Fri, 11 Nov 2011 22:19:03 GMT
Server: Apache/2.2.17 (Unix)
Connection: close
428 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Transfer‐Encoding: chunked
Content‐Type: text/html; charset=UTF‐8
Inf 20111111 14:19:00 3840 3972 HttpConnection: Connect to source success
Inf 20111111 14:19:00 3840 3972 Start to get the file...
Inf 20111111 14:19:00 3840 3972 TmDownloader: Succeeded getting the file
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Core::IAU_Update [src\core\src\sdk.cpp(739)]
updating with input products information:
<product_information version="1.0"><products id="c22t2202v8.0.0l1p5889r1o1"><product
id="c22t2202v8.0.0l1p5889r1o1"><path>C:\Program Files\Trend Micro\Deep Security
Relay\lib</path><install>C:\Program Files\Trend Micro\Deep Security
Relay\lib</install><components><component version="0" oem="‐1" region="‐1" platform="‐1"
type="2212" class="22" language="‐1"><install>C:\Program Files\Trend Micro\Deep Security
Relay\lib/resource/c%(class)t%(type)/%(version)</install></component><component
version="0" oem="‐1" region="‐1" platform="‐1" type="2211" class="22" language="‐
1"><install>C:\Program Files\Trend Micro\Deep Security
Relay\lib/resource/c%(class)t%(type)/%(version)</install></component><component
version="0" oem="‐1" region="‐1" platform="‐1" type="2213" class="22" language="‐
1"><install>C:\Program Files\Trend Micro\Deep Security
Relay\lib/resource/c%(class)t%(type)/%(version)</install></component><component
version="3.5.1047" oem="‐1" region="‐1" platform="5889" type="574619648" class="2"
language="‐1"><install>C:\Program Files\Trend Micro\Deep Security
Relay\lib/resource/c%(class)t%(type)/%(version)</install></component></components></produc
t></products></product_information>
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Context::Update [src\core\src\context.cpp(215)]
Begin to update...
Note that Product.xml also contains information about where components are stored on the
DSR. This information will be used in step 5.
Next, the iAU module creates various temporary folders for its cache and download folders.
Actions related to this are labeled “Auto control the path”. An example appears below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 429
Trend Micro Deep Security Support Track
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::DirectoryManager::DirectoryManager
[src\common\src\directory_manager.cpp(28)]
Auto control the path : C:\Program Files\Trend
Micro\Deep Security Relay\lib\iaudata\iau_5AA21871‐EE90‐4937‐B591‐6F5253D070D9\download
Max size is : 157286400
Force size is : 1073741824
As with the first step of phase 1, the iAU module also assigns an x-tag to this instance of the iAU
module. If this tag is missing, it generates this file. The following log records this action.
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::FeedbackClientID::Load
[src\common\src\feedback_client_id.cpp(67)]
Unable to get xtag from local: "C:\Program
Files\Trend Micro\Deep Security Relay\lib\iauclient.xtag", this is fresh install.
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::FeedbackClientID::Load
[src\common\src\feedback_client_id.cpp(77)]
Generating the uuid because of no xtag: c87d2878‐
b60b‐4306‐8c13‐bb8a8ede421b
Using the product information parsed from Product.xml, the product generates the product local
tree in this step. This summarizes with iAU “knows” about the components that its host product
is using.
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Context::Update [src\core\src\context.cpp(271)]
Product local tree:
‐‐‐+ "Product_Family[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product_Group[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐‐ "Component[c22t2212v0.0.0l‐1p‐1r‐1o‐1]<‐‐[]"
‐‐‐‐ "Component[c22t2211v0.0.0l‐1p‐1r‐1o‐1]<‐‐[]"
‐‐‐‐ "Component[c22t2213v0.0.0l‐1p‐1r‐1o‐1]<‐‐[]"
‐‐‐‐ "Component[c2t574619648v3.5.1047l‐1p5889r‐1o‐1]<‐‐[]"
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::Context::GetRemoteUpdateTree
[src\core\src\context.cpp(151)]
Try to get index from product
index:c22t2202v8.0.0l1p5889r1o1
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(125)]
Query index for protocol :
c22t2202v8.0.0l1p5889r1o1
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(130)]
Temp query index for protocol :
c22t2202v8.0.0l1p5889r1o1
430 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
[2011‐Nov‐11 14:19:00 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(144)]
Query URI :
https://localhost:4122/c22t2202v8.0.0l1p5889r1o1
The product index that it downloads from itself is similar to the index from the update site. The
principal difference is that the URL to component points to the DSR’s package folder. A sample
entry from this index appears below.
<entity class="22" language="‐1" oem="‐1" platform="‐1" region="‐1" type="2212"
version="8.0.585">
<priority>2</priority>
<applyto maxver="8.0.585" minver="0"></applyto>
<full dig="3aaac579b7bcecab75406299085a7300" size="475">
<url>packages\8.0.585_c01b58b9‐2d70‐4360‐9241‐36fa7370e36e.7z</url>
<last_modify_time>20111111T221810</last_modify_time>
</full>
</entity>
[2011‐Nov‐11 14:19:03 3840|3972] [app] iAU::Context::Update [src\core\src\context.cpp(300)]
Product remote tree:
‐‐‐+ "Product_Family[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product_Group[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐+ "Product[c22t2202v8.0.0l1p5889r1o1]"
‐‐‐‐ "Component[]<‐‐[c22t2212v8.0.585l‐1p‐1r‐1o‐1]"
‐‐‐‐ "Component[]<‐‐[c22t2213v11.031.0l‐1p‐1r‐1o‐1]"
‐‐‐‐ "Component[]<‐‐[c2t574619648v3.5.1047l‐1p5889r‐1o‐1]"
‐‐‐‐ "Component[]<‐‐[c22t2211v8.0.0l‐1p‐1r‐1o‐1]"
[2011‐Nov‐11 14:19:03 3840|3972] [app] iAU::Context::Update [src\core\src\context.cpp(304)]
There are 3 component(s) need update
[2011‐Nov‐11 14:19:03 3840|3972] [app] iAU::UriDownloader::GetFile
[src\common\src\uri_downloader.cpp(92)]
Parsing URI :
https://localhost:4122/packages/8.0.585_c01b58b9‐2d70‐4360‐9241‐36fa7370e36e.7z
[2011‐Nov‐11 14:19:03 3840|3972] [app] iAU::UriDownloader::GetFile
[src\common\src\uri_downloader.cpp(132)]
Downloading from a remote URL.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 431
Trend Micro Deep Security Support Track
[2011‐Nov‐11 14:19:06 3840|3972] [app] iAU::Context::GetPackages
[src\core\src\context.cpp(757)]
Succeed to get update packages, start to install.
The following log sample is an update summary, written further down in the DSR iau.log, that
shows how the DSR knows where destination folders are:
<components>
<component class="22" type="2212" version="0"
language="‐1" platform="‐1" region="‐1" oem="‐1"
update_class="22" update_type="2212"
update_version="8.0.585"
update_language="‐1" update_platform="‐1"
update_region="‐1" update_oem="‐1">
<status>0</status>
<install>C:\Program Files\Trend Micro\Deep Security
Relay\lib/resource/c22t2212/8.0.585</install>
</component>
This is information was parsed from Product.xml, and shows that the
destination folders named after the component’s product code, and are all
under the . . ./lib/resource folder on the DSR.
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::Context::Update [src\core\src\context.cpp(441)]
Update finished with result :
IAU_STATUS_SUCCESS[0(0,0,0)]
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::FeedbackProtocolbuffer::~FeedbackProtocolbuffer
[src\common\src\feedback_protocolbuffer.cpp(57)]
Feedback returned without information saved
because of feeback disabled.
Next, the DSR deletes files that were generated during the update, but are not longer used. The
following iau.log entries record this action.
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::DirectoryManager::Cleanup
[src\common\src\directory_manager.cpp(82)]
432 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Start to cleanup the directory : C:\Program
Files\Trend Micro\Deep Security Relay\lib\iaudata\iau_5AA21871‐EE90‐4937‐B591‐
6F5253D070D9\index
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::DirectoryManager::Cleanup
[src\common\src\directory_manager.cpp(139)]
End clean up the directory.
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::DirectoryManager::Cleanup
[src\common\src\directory_manager.cpp(82)]
Start to cleanup the directory : C:\Program
Files\Trend Micro\Deep Security Relay\lib\iaudata\iau_5AA21871‐EE90‐4937‐B591‐
6F5253D070D9\feedback
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::DirectoryManager::Cleanup
[src\common\src\directory_manager.cpp(139)]
End clean up the directory.
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::DirectoryManager::Cleanup
[src\common\src\directory_manager.cpp(82)]
Start to cleanup the directory : C:\Program
Files\Trend Micro\Deep Security Relay\lib\iaudata\iau_5AA21871‐EE90‐4937‐B591‐
6F5253D070D9\temp
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::DirectoryManager::Cleanup
[src\common\src\directory_manager.cpp(88)]
FileOperations(RemoveFile)Directory size is larger
than 0 , remove this folder.
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::DirectoryManager::Cleanup
[src\common\src\directory_manager.cpp(82)]
Start to cleanup the directory : C:\Program
Files\Trend Micro\Deep Security Relay\lib\iaudata\iau_5AA21871‐EE90‐4937‐B591‐
6F5253D070D9\download
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::DirectoryManager::Cleanup
[src\common\src\directory_manager.cpp(139)]
End clean up the directory.
This phase ends with the iau module preparing a summary of the update that it sends to DSR.
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::Core::IAU_SetWideString
[src\core\src\sdk.cpp(194)]
succeed to set data into data handle : "
Download DSA product index, contains data for AMSP, DSRU, TMUFE
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(144)]
Query URI : https://iaus‐
preopr.trendmicro.com/iau_server.dll/c22t2200v8.0.0l1p1r1o1
[2011‐Nov‐11 14:19:07 3840|2064] [app] iAU::Sdk::GetInformation [src\relay\src\sdk.cpp(583)]
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 433
Trend Micro Deep Security Support Track
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(125)]
Query index for protocol :
c22t2200v8.0.0l1p5889r1o1
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(130)]
Temp query index for protocol :
c22t2200v8.0.0l1p5889r1o1
[2011‐Nov‐11 14:19:07 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(144)]
Query URI : https://iaus‐
preopr.trendmicro.com/iau_server.dll/c22t2200v8.0.0l1p5889r1o1
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(125)]
Query index for protocol :
c22t2201v8.0.0l1p9217r1o1
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(130)]
Temp query index for protocol :
c22t2201v8.0.0l1p9217r1o1
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(144)]
Query URI : https://iaus‐
preopr.trendmicro.com/iau_server.dll/c22t2201v8.0.0l1p9217r1o1
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(125)]
Query index for protocol : c22t2202v8.0.0l1p1r1o1
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(130)]
Temp query index for protocol :
c22t2202v8.0.0l1p1r1o1
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(144)]
Query URI : https://iaus‐
preopr.trendmicro.com/iau_server.dll/c22t2202v8.0.0l1p1r1o1
. . .
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(174)]
Index server return : 16
434 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(180)]
Etag is not modified, use the etag file in local
cache.
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(184)]
Use the index file in local cache.
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(245)]
Query successfully
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(125)]
Query index for protocol :
c22t2202v8.0.0l1p9217r1o1
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(130)]
Temp query index for protocol :
c22t2202v8.0.0l1p9217r1o1
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::UriQuery::QueryIndex
[src\common\src\uri_query.cpp(144)]
Query URI : https://iaus‐
preopr.trendmicro.com/iau_server.dll/c22t2202v8.0.0l1p9217r1o1
[2011‐Nov‐11 14:19:08 3840|3972] [app] iAU::Context::Duplicate
[src\relay\src\context.cpp(296)]
0 full package(s) will be generated via merge
instead of download.
Download files
[2011‐Nov‐11 14:33:53 3840|3972] [app] iAU::Context::Duplicate
[src\relay\src\context.cpp(388)]
Duplicate result: IAURELAY_STATUS_SUCCESS(1)
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 435
Trend Micro Deep Security Support Track
Code Class
436 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
NOTE Although the logs are presented in their correct sequence, the specific samples
may be taken from separate update events.
Inf 20101029 13:51:02 2412 4620 Start TmuUpdateEx()
Inf 20101029 13:51:02 2412 4620 Downloader: retry = 3, timeout = 120:120:1, cache path is:
[C:\Program Files\Trend Micro\Deep Security Manager\au\bin\win64\AU_Data\AU_Cache]
Inf 20101029 13:51:02 2412 4620 CacheCleaner: CacheTTL = 7 Day,MaxCacheSize = 50 MB.
Inf 20101029 13:51:02 2412 4620 Dump parameters:
SourceInfo[http://tmds75‐
p.activeupdate.trendmicro.com/activeupdate]
. . .
Inf 20101029 13:51:02 2412 4620 Downloading [http://tmds75‐
p.activeupdate.trendmicro.com/activeupdate/
ini_xml.zip] to [C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win64\AU_Data\AU_Temp\2412_4620\ini_xml.zip]...
. . .
Inf 20101029 13:51:02 2412 4620 End TmuUpdateEx()
However, the actual decision logic is contained within DSM, and the AU module is simply used
as a means to download server.ini. In this part of the process the DSM compares the file
information in the definition file with the component information in its database and makes a
determination if an update is required.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 437
Trend Micro Deep Security Support Track
The update wizard downloads each component using distinct TmuDuplicate( ) calls. The
following log excerpt, for example, show the portion related to the download of the Smart Scan
agent pattern (icrc$oth / 0x48020000).
Inf 20100810 18:33:52 1636 10712 Start TmuDuplicateEx()
Inf 20100810 18:33:53 1636 10712 Downloader: retry = 3, timeout = 120:120:1, cache path is:
[C:\Program Files\Trend Micro\Deep Security Manager\au\bin\win32\AU_Data\AU_Cache]
Inf 20100810 18:33:54 1636 10712 CacheCleaner: CacheTTL = 7 Day,MaxCacheSize = 50 MB.
Inf 20100810 18:33:55 1636 10712 Dump parameters:
SourceInfo[http://beta.external.trendmicro.com/activeupdate/tmds75]
useProxy[FALSE] nOption[0x0]
Item[0]:
class[3](Pattern) type[0x48020000] language[L1] platform[P0] action[0x40]
destination[C:\Program Files\Trend Micro\Deep Security Manager\au\content\]
original version[0] result version[0]
< ‐‐‐ Download related log entries here ‐‐‐ >
Inf 20100810 18:41:29 1636 10712 before UpdateManager end, version info in items:
items[0] ([3][0x48020000][L0][P1]): 737100 ‐> 737300
Inf 20100810 18:41:30 1636 10712 Release dynamic link library[C:\Program Files\Trend
Micro\Deep Security Manager\au\bin\win32\patchw32.dll]
Inf 20100810 18:41:31 1636 10712 End TmuDuplicateEx()
Note that this TmuDuplicate( ) call is specific to the Smart Scan agent pattern. Each component
that the update wizard downloads will have its own section shown above.
Each phase in the flowchart above is discussed in its own section below. To facilitate discussion,
the log samples here will be restricted to the Smart Scan agent pattern.
Aug 13, 2010 3:00:14 PM com.thirdbrigade.manager.core.au.ActiveUpdateUtilities
getLatestComponentInfo
FINE: Init the TmuLoader with: C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win32\
Inf 20100813 15:00:15 13140 13228 Load 32 bit AU 2.82.0.1099 from: [C:\Program Files\Trend
Micro\Deep Security Manager\au\bin\win32\]
438 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Aug 13, 2010 3:00:15 PM com.thirdbrigade.manager.core.au.ActiveUpdateUtilities
getLatestComponentInfo
FINE: Create a context...
Inf 20100813 15:00:15 13140 13228 Start TmuCreateContext()
Inf 20100813 15:00:15 13140 13228 new context for thread: 13228
Inf 20100813 15:00:15 13140 13228 End TmuCreateContext()
In preparation for the download itself, the ActiveUpdate module creates a temporary directory as
shown below.
Inf 20100810 18:33:56 1636 10712 Creating Temp dir [C:\Program Files\Trend Micro\Deep
Security Manager\au\bin\win32\AU_Data\AU_Temp\1636_10712]
NOTE Among the four phases in this part of the update process, Phase one is the only
one that is not repeated for each component.
Inf 20100810 18:33:56 1636 10712 Downloading
[http://beta.external.trendmicro.com/activeupdate/tmds75/
ini_xml.zip] to [C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win32\AU_Data\AU_Temp\1636_10712\ini_xml.zip]...
. . .
Inf 20100810 18:34:04 1636 10712 HttpConnection: Connect to source success
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 439
Trend Micro Deep Security Support Track
Inf 20100810 18:34:05 1636 10712 Start to get the file...
Inf 20100810 18:34:06 1636 10712 Successfully wrote [1677]B to disk.
Inf 20100810 18:34:07 1636 10712 TmDownloader: Succeeded getting the file
Inf 20100810 18:34:08 1636 10712 Unzipping... [C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\
win32\AU_Data\AU_Temp\1636_10712\ini_xml.zip] to
[C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win32\AU_Data\AU_Temp\1636_10712]
Inf 20100810 18:34:09 1636 10712 Unzip return [0]
Inf 20100810 18:34:09 1636 10712 [UPAU]Serverini Analyzer Init: C:\Program Files\Trend
Micro\Deep Security Manager\au\bin\win32\AU_Data\AU_Temp\1636_10712\server.ini
Inf 20100810 18:34:09 1636 10712 [UPAU]Expand Item:[3][0x48020000][L1][P0]
Inf 20100810 18:34:10 1636 10712 [UPAU]Add item:[3][0x48020000][L0][P0]
Inf 20100810 18:34:10 1636 10712 [UPAU]Expand item successfully!
Inf 20100810 18:34:10 1636 10712 [UPAU]Expand item success input item class=3
type=0x48020000 language=1 platform=0. Expand to 1 item(s)
Inf 20100810 18:34:10 1636 10712 [UPAU]find item[3][0x48020000][L0][P0] info (for
dup)version: 737300 version is 737300(description is not available)
Inf 20100810 18:34:10 1636 10712 ready to copy C:\Program Files\Trend Micro\Deep Security
Manager\au\content\
server.ini ‐> C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win32\AU_Data\AU_Temp\1636_10712\server.ini.tmp
Inf 20100810 18:34:10 1636 10712 Retry Counter: 1
Inf 20100810 18:34:10 1636 10712 [LOLD]Serverini Analyzer Init: C:\Program Files\Trend
Micro\Deep Security Manager\au\content\server.ini
Inf 20100810 18:34:10 1636 10712 [LNEW]Serverini Analyzer Init: C:\Program Files\Trend
Micro\Deep Security Manager\au\bin\win32\AU_Data\AU_Temp\1636_10712\server.ini.tmp
Since the need for the update had already been ascertained in Part One of the update process,
the result of version of analysis will always show that an update is required. Analysis results are
written to the log as shown below.
Inf 20100810 18:34:10 1636 10712 Duplicate Processing: item[3][0x48020000][L0][P0]
Inf 20100810 18:34:11 1636 10712 [LOLD]find item[3][0x48020000][L0][P0] info (for
dup)version: 737100 version is 737100(description is not available)
Inf 20100810 18:34:11 1636 10712 local version is lower than server. Dup it.
Inf 20101029 13:51:12 2412 2236 ActiveUpdate start download patch files...
440 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Inf 20101029 13:51:12 2412 2236 Downloading [http://tmds75‐
p.activeupdate.trendmicro.com/activeupdate/
pattern/icrc/ioth757900.zip] to [C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win64\AU_Data\AU_Temp\2412_2236\AU_Down\pattern\icrc\
ioth757900.zip]...
Inf 20101029 13:51:12 2412 2236 Connecting ... 10.x.xx.35:8080
Inf 20101029 13:51:12 2412 2236 Use nonblocking connect with timeout(120 s).
Inf 20101029 13:51:12 2412 2236 Connected!
Inf 20101029 13:51:12 2412 2236 GET http://tmds75‐
p.activeupdate.trendmicro.com:80/activeupdate/pattern/
icrc/ioth757900.zip HTTP/1.1
Host: tmds75‐p.activeupdate.trendmicro.com:80
User‐Agent: Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)
Accept: */*
Pragma: No‐Cache
Cache‐Control: no‐store, no‐cache
Proxy‐Connection: Keep‐Alive
Connection: Close
X‐Trend‐ActiveUpdate: 2.82.0.1099
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 441
Trend Micro Deep Security Support Track
Inf 20100810 18:34:26 1636 10712 Downloading
[http://beta.external.trendmicro.com/activeupdate/tmds75/
pattern/ioth_737100.737300] to [C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win32\AU_Data\AU_Temp\1636_10712\AU_Down\pattern\ioth_737100.
737300]...
In the log extract above, the DSM is downloading an incremental pattern that can update Smart
Scan pattern version 371 to version 373.
Inf 20101029 13:51:15 2412 2236 HttpConnection: Connect to source success
Inf 20101029 13:51:15 2412 2236 Start to get the file...
. . .
Inf 20101029 13:53:17 2412 2236 TmDownloader: Succeeded getting the file
Inf 20101029 13:53:17 2412 2236 Downloading [http://tmds75‐
p.activeupdate.trendmicro.com/activeupdate/pattern/icrc/ioth_757700.757900] to [C:\Program
Files\Trend Micro\Deep Security
Manager\au\bin\win64\AU_Data\AU_Temp\2412_2236\AU_Down\pattern\icrc\ioth_757700.757900]...
. . .
Inf 20101029 13:53:40 2412 2236 HttpConnection: Connect to source success
Inf 20101029 13:53:40 2412 2236 Start to get the file...
. . .
Inf 20101029 13:53:40 2412 2236 TmDownloader: Succeeded getting the file
Inf 20101029 13:53:40 2412 2236 Downloading [http://tmds75‐
p.activeupdate.trendmicro.com/activeupdate/pattern/icrc/ioth_755100.757900] to [C:\Program
Files\Trend Micro\Deep Security
Manager\au\bin\win64\AU_Data\AU_Temp\2412_2236\AU_Down\pattern\icrc\ioth_755100.757900]...
As in the previous steps, this ActiveUpdate log extract comes from a fresh DSM installation. It
shows the DSM downloading 14 incremental updates, that update versions 551 to 577 to version
579.
Inf 20101029 13:53:41 2412 2236 Download all patch files success, checking ...
Inf 20101029 13:53:41 2412 2236 Check [C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win64\AU_Data\AU_Temp\2412_2236\AU_Down\pattern\icrc\ioth757900.zip], size
[15048223] B
. . .
442 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Inf 20101029 13:53:41 2412 2236 Check [C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win64\AU_Data\AU_Temp\2412_2236\AU_Down\pattern\icrc\ioth_755100.757900],
size [84948] B
Inf 20101029 13:53:41 2412 2236 Check over, All files are OK.
Inf 20100810 18:40:16 1636 10712 RTPatchApply32: cmd: ‐NoPathSearch ‐NOALLOWSPLIT
"C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win32\AU_Data\AU_Temp\1636_10712\DupMerge\3\1208090624" "C:\Program
Files\Trend Micro\Deep Security
Manager\au\bin\win32\AU_Data\AU_Temp\1636_10712\AU_Down\pattern\ioth_737100.737300"
Inf 20100810 18:40:16 1636 10712 Code page before calling RTPatch APIs: ANSI
Inf 20100810 18:40:49 1636 10712 RTPatchApply32: ret: 0
Inf 20100810 18:40:49 1636 10712 Compress [C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win32\AU_Data\AU_Temp\1636_10712\DupMerge\3\1208090624] to [C:\Program
Files\Trend Micro\Deep Security
Manager\au\bin\win32\AU_Data\AU_Temp\1636_10712\AU_Down\pattern\ioth737300.zip]...
Inf 20100810 18:40:59 1636 10712 Compression finished!
In the sample above, the incremental update was used to update Smart scan agent pattern
version 371 was updated to version 373. The merged pattern is initially stored in a sub-folder
under AU_Temp.
Inf 20101029 13:53:41 2412 2236 ready to copy C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win64\AU_Data\AU_Temp\2412_2236\server.ini.tmp ‐> C:\Program Files\Trend
Micro\Deep Security Manager\au\content\server.ini
Inf 20101029 13:53:41 2412 2236 deleting out of date files...
Inf 20101029 13:53:41 2412 2236 copying [C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win64\AU_Data\AU_Temp\2412_2236\AU_Down\pattern\icrc\ioth757900.zip] ‐>
[C:\ Program Files\Trend Micro\Deep Security
Manager\au\content\pattern\icrc\ioth757900.zip]
Inf 20101029 13:53:42 2412 2236 there is no dsc file[C:\Program Files\Trend Micro\Deep
Security
Manager\au\bin\win64\AU_Data\AU_Temp\2412_2236\AU_Down\pattern\icrc\ioth757900.dsc],
ignore it.
Inf 20101029 13:53:42 2412 2236 copying [C:\Program Files\Trend Micro\Deep Security
Manager\au\bin\win64\AU_Data\AU_Temp\2412_2236\AU_Down\pattern\icrc\ioth_757700.757900] ‐>
[C:\ Program Files\Trend Micro\Deep Security
Manager\au\content\pattern\icrc\ioth_757700.757900]
. . .
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 443
Trend Micro Deep Security Support Track
● The server.ini that DSM downloads from the update site is used as a replacement for its
existing definition file that DSVAs access when performing their own updates
● The full Smart scan pattern version 579 is transferred to the pattern\icrc folder. Regardless
of whether or not the full pattern is the product of an incremental update, or is downloaded
as a full pattern from the update site, its initial storage location will always be AU_Temp. So
the file-copy action shown above will occur in both situations.
● Incremental updates, in this case the update for Smart scan pattern version 577 to 579, is
copied to the \pattern\icrc folder
Inf 20101029 13:53:42 2412 2236 Flag "keep_cache_file_on_success" in configuration file is
off.
Inf 20101029 13:53:42 2412 2236 Cache Cleaner Action: Remove cached files.
Inf 20101029 13:53:42 2412 2236 Remove cached file[ioth757900.zip] in folder [tmds75‐
p.activeupdate.trendmicro.com\]
Inf 20101029 13:53:42 2412 2236 Remove etag file[ioth757900.zip.etag] in folder [tmds75‐
p.activeupdate.trendmicro.com\]
Inf 20101029 13:53:42 2412 2236 Remove cached file[ioth_757700.757900] in folder [tmds75‐
p.activeupdate.trendmicro.com\]
Inf 20101029 13:53:42 2412 2236 Remove etag file[ioth_757700.757900.etag] in folder [tmds75‐
p.activeupdate.trendmicro.com\]
. . .
Inf 20101029 13:53:42 2412 2236 Remove cached file[ioth_755100.757900] in folder [tmds75‐
p.activeupdate.trendmicro.com\]
Inf 20101029 13:53:42 2412 2236 Remove etag file[ioth_755100.757900.etag] in folder [tmds75‐
p.activeupdate.trendmicro.com\]
Inf 20101029 13:53:42 2412 2236 Cache Cleaner Action: Remove cached files end.
Inf 20101029 13:53:42 2412 2236 Cleanning Temp dir [C:\Program Files\Trend Micro\Deep
Security Manager\au\bin\win64\AU_Data\AU_Temp\2412_2236]
Aug 13, 2010 3:31:05 PM com.thirdbrigade.manager.core.au.ActiveUpdateUtilities
duplicateComponentsFromAU
FINE: AU Components have changed, will update internals and notify other managers.
. . .
Aug 13, 2010 3:31:05 PM com.thirdbrigade.manager.core.au.ActiveUpdateUtilities
setAUSequenceNumber
FINE: Setting AU sequence number to: 15
. . .
444 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 445
Trend Micro Deep Security Support Track
Fragmentation is a normal consequence of data traversing the Network and Data Link OSI
layers of the network stack. The protocols at these two layers have prescribed sizes for the
protocol data units/datagrams/packets that they handle. So if the data unit from the higher-level
layer is larger than what the lower layer supports, which is typically the case, then fragmentation
is the inevitable result.
Consider the following representation of a packet that contains a malicious instruction designed
to exploit a particular vulnerability in an application:
Do_Something_Bad
446 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
NOTE In real-life, this could take the form of malicious shellcode or scripts designed to
exploit a buffer overflow or cross-site scripting vulnerability.
The instruction issued from an “attack” machine, to a “victim” machine as shown below. Once
the packet reaches Computer 2, normal protocol stack processes will direct the message it
contains, to the vulnerable application which then executes the harmful instruction.
Application
Malicious instruction:
Vulnerability
Do_Something_Bad
Protocol Protocol
stack stack
For purposes of this analogy, we shall assume that the Transport and Network layers of the
protocol stack use a fictitious protocol that behaves somewhat like TCP/IP, and another
fictitious protocol that works at the Data Link layer.
Protocols in a protocol stack “know” the requirements of the protocols of the layers below
them. In this fictitious stack, the Data Link layer protocol prescribes that its protocol data unit
will only accept one letter at a time. As a consequence, the Network layer protocol fragments the
packet, and assigns sequence numbers to each letter of the message, as shown below.
Do _ S o m e t h i n g _ B a d
Where once there was a single TCP-like protocol packet, now there are sixteen individual
fragments, each of which will be encapsulated in the Data Link layer protocol’s protocol data
unit (PDU), and then sent individually to Computer 2.
Since the PDUs are sent individually, transient network conditions can result in each PDU
arriving at Computer 2 in a completely different order from when they were sent. For this
analogy, let’s assume they arrive in the following order:
m i n t _ a Do B e _ g oSh d
Protocols at the Data Link layer normally treat the packets as individual entities -- with no regard
to their sequence or relationships. However at the Transport layer, the fragments are collected,
re-arranged according to their sequence number, and then the original packet is reassembled.
Once a malicious packet is re-assembled, the application is then able to read the malicious
instruction.
NOTE Although this analogy focuses on a vulnerability exploit, there are a multitude of
other threats that Deep Security can address.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 447
Trend Micro Deep Security Support Track
Client state
Client Server Server state
CLOSED CLOSED
Passive open
LISTEN
Receive
acknowledgement
ESTABLISHED
The diagram above shows how two important message flags are used:
SYN – hosts exchange this type of message to initiate a connection with each other.
ACK – after receiving each other’s SYN messages, they each respond with an ACK message
as an acknowledgement. Upon receipt of the ACK message, the host switches to an
“Establish” state, indicating that it is open for messages from the other host.
“SYN” is short for “synchronize”. This initial message results in the exchange of information
required for the TCP connection to work reliably. Included in this information exchange are
sequence numbers that both hosts expect the other host to use in their messages. For example,
the first SYN message has a sequence number N. The client host, therefore, would expect that
its ACK message to have the sequence number “N+1”.
448 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Host 1 state
Host 1 Host 2 Host 2 state
ESTABLISHED ESTABLISHED
Awaiting message Awaiting message
To completely terminate a connection, the TCP protocol requires both hosts transition to a
“Closed” state, and to notify the other host about this transition by exchanging FIN messages.
The transition process, and the different TCP states the connection goes through, is shown
below.
NOTE The Deep Security Agent is able to monitor how long a TCP connection stays in
a particular TCP state during termination. To fully appreciate this capability, these states
are discussed here.
Host 1 state
Host 1 Host 2 Host 2 state
ESTABLISHED ESTABLISHED
Initiate termination
FIN
Receive FIN
Wait for
FIN-WAIT-1
acknowledgement CLOSE WAIT
Close application
using connection
ACK
FIN
ACK
CLOSED
Neither side of the communication considers the communication completely closed until it
receives an ACK message that acknowledges receipt of the FIN message.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 449
Trend Micro Deep Security Support Track
Tip For information about the product-based solutions above, refer to Support Track
documentation for Trend Micro OfficeScan 8.x or later, the ScanMail and IM Security
family or products, and the InterScan family of products.
450 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The nature of each step will be explained in the following sub-sections. The security features that
are available to a Deep Security administrator will be discussed in the next section.
The full spectrum of techniques for determining points of entry is beyond the scope of this
document. These techniques can range from social engineering methods for collecting
information, to using search engines to look for vulnerable sites with specific un-patched
versions of blog software.
Among these techniques are a set of activities collectively called Reconnaissance scans. For purposes
of this document, this is the technique upon which we will focus.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 451
Trend Micro Deep Security Support Track
Response
These scans typically involve two messages: the scanning packet, and the response -- or even the
absence of a response. When the Deep Security Manager performs a port scan, it sends a SYN
packet to the target host, at a particular port. If a connection is established, then the port is
declared open. Other techniques focus on the absence of a reset (RST) response to detect open
ports.
Whereas network administrators use this capability to protect their networks, crackers/hackers
can leverage the same reconnaissance scanning tools (e.g., NMAP) to look for security gaps.
Reconnaissance scanning can consist of any or a combination of the following activities:
Network mapping/scanning – this refers to the process of collecting a list of computers
on a network that could then be attacked.
Port scanning – this is the process of looking for open ports, betraying the presence of
specific applications and or vulnerabilities. This is the type of scan discussed in the
paragraph above. A successful port scan is essential to a variety of other reconnaissance
scans.
OS fingerprinting – this process discovers the operating system of potential target
machines. Different tools use different ways of creating fingerprints. NMAP, for
example, uses the results of seven different tests and matches the responses to a
database of known responses for each OS. Other tools use their own techniques.
Enumeration – this scan causes the target to list, or enumerate, the resources that are
available on it, or its host network. Such resources include user accounts, services,
network shares, and other information that may be of use to an attacker.
Once general information is collected, the attacker proceeds to Vulnerability scanning to look for
specific exploitable vulnerabilities.
NOTE Depending on the tool used, reconnaissance and vulnerability scanning can be
performed together. These are not necessarily separate steps.
The vulnerabilities detected – as well as the objectives of the attacker -- define the attack options
open to the attacker. The options are very broad, however, they can still be divided into the
following considerations.
452 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Yes
Gain access
to target
Does the
Evaluate
Vulnerability attack option require
attack
scan access to the
options
target?
Perform
attack
No
If the nature of the attack requires gaining access to the target, then the process described here
proceeds to the next section. Otherwise, it proceeds directly to the attack itself.
Important: The caveat “as of writing” is important because this malware has been known to
obtain upgrades that expand its capabilities.
Vulnerability exploit
Most variants of the malware Conficker/WORM_DOWNAD gain access to affected systems
through the following end-user reported vulnerability: Server Service Vulnerability (MS08-067). This
issue affected Windows operating systems from version 2000 to 2008/Vista, and involves the
Server Service, which is responsible for the following functionalities that are essential to network
operations:
● RPC support
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 453
Trend Micro Deep Security Support Track
Named-pipes
Later versions of the worm gained the ability to use named pipe connections to receive
components from remote systems.
The HTTP server can be another compromised computer where the worm creates an HTTP
server with a random port, or a Website that is accessible via the Internet.
NOTE An example of update to the worm is one that increased the number of Internet
domains from which it could download updates and payload, from 250 to 50,000
domains. This update changed the worm from WORM_DOWNAD.A to WORM_DOWNAD.KK.
Autorun.inf
This a passive access method that requires the victim to connect to an infected network or
removable drive with a malicious autorun.inf file.
Autorun functionality was originally intended to automate the device “mounting” process,
thereby facilitating the use of external data storage devices. A popup window like the one shown
below typically appears when a USB device is connected.
454 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
At this point, Windows automatically looks for a file called autorun.inf. This file contains
instructions that the OS executes to facilitate use of the device. If the USB drive contains
malware, such as Conficker/WORM_DOWNAD, a maliciously modified autorun.inf could be
used to initiate an attack on the desktop from the USB drive.
Denial of Service
A Denial of Service (DoS) is a type of attack that renders a particular service unavailable to its
intended users. For example, visitors to a Website that is subject to a DoS would receive
messages like “Host not found” because the site would no longer be able to respond to the
visitor’s browser request.
Request
DoS
Host not found attacker
NOTE DoS attacks can be directed a computer’s IP address or its domain name.
A DoS can also be used to facilitate other types of attacks. For example, an attacker seeking to
hijack a TCP session as part of a Man-in-the-Middle attack can initiate the attack by launching a
DoS on one of the machines in the session to temporarily disrupt communication, thereby
allowing the attacker to insert himself into future communication.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 455
Trend Micro Deep Security Support Track
There are a wide variety of DoS attacks, only a selection of which is discussed below:
● ACK Storm
● Smurf
● PING-of-death
● Teardrop
● Botnets
ACK STORM
The ACK storm is the uncontrolled exchange of ACK messages between two hosts that
eventually results in network congestion. This is typically the result of vulnerability in an
operating system’s implementation of TCP because this attack requires the attacker to know the
TCP sequence number that a particular host expects to elicit an ACK message from that host.
Consider the following diagram.
Host 1 Host 2
Message using spoofed
Host 2 identity and a
sequence# N that Host 1
accepts
Acknowledge receipt of
message from Host 2
ACK (Seq# N+1)
ACK (Seq# Y)
Incorrect sequence
number. Expected
number: Y+1
The initial attack causes Host 1 to send an ACK message to Host 2. The sequence number used
in this message comes from the attacker’s message, and will not be expected by Host 2. This will
prompt Host 2 to send an ACK message to Host 1 with the sequence number that it expects to
resynchronize the communication. Since Host 1 will receive an ACK message whose sequence
number is also not what it expects, it too will try to resynchronize the communication by sending
its own ACK message.
456 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
SMURF
A Smurf attack leverages the broadcast address of incorrectly configured routers to flood the
network with ICMP messages. By design, each router maintains a broadcast address that
automatically sends messages to all computers on the network.
In a Smurf attack, the attacker sends a PING message to the broadcast address of a router, or
similar intermediary, causing device to forward the PING to all machines on the network.
PING
255.255.255.255
When these machines make their ICMP Echo replies, they will send them back to the broadcast
address, thereby triggering additional broadcasts. This creates a kind of broadcast storm, and results
in network congestion.
PING-OF-DEATH
A PING-of-Death (POD) involves a PING message that exceeds protocol specifications, thus
causing buffer overflow problems in certain TCP/IP implementations.
Buffer
Transport Re-assembled packet
overflow
Data link #1 #4 #3 #5 #2
TEARDROP
A teardrop attack uses a malformed IP fragment with overlapping, oversized, payloads that can
cause errors at the Transport layer of a computer’s protocol stack when it tries to reassemble the
fragments.
Fragmentation attacks
Attackers can use packet fragments to infiltrate networks and cause Denial of Service. Since DoS
has already been discussed in the previous section, including the POD and Teardrop
fragmentation attacks, this section focuses attacks designed for infiltration, namely:
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 457
Trend Micro Deep Security Support Track
http://www.sans.org/security-resources/glossary-of-terms/t
With many IP implementations it is possible to impose an unusually small fragment size on outgoing packets. If
the fragment size is made small enough to force some of a TCP packet's TCP header fields into the second
fragment, filter rules that specify patterns for those fields will not match. If the filtering implementation does not
enforce a minimum fragment size, a disallowed packet might be passed because it didn't hit a match in the filter.
The fragmentation, therefore, is used as a means to circumvent HIPS solutions.
http://www.ouah.org/fragma.html
This attack can be used to overwrite part of the TCP header information of the first fragment, which contained
data that was allowed to pass through the firewall, with malicious data in subsequent fragments. A common
example of this is to overwrite the destination port number to change the type of service i.e. change from port 80
(HTTP) to port 23 (Telnet) which would not be allowed to pass the router in normal circumstances.
Man-in-the-middle attack
A man-in-the-middle (MITM) attack allows the attacker to divert the victim’s outgoing traffic
from its intended destination to a malicious alternative. This can be used to insert the attacker in
communication between two ends of a session. For example, if an attacker uses ARP poisoning
to trick the network router into believing the attacker machine is the victim’s machine, then
tricks the victim’s machine into believing the attacker’s machine is the router, and then the
attacker uses IP forwarding to send traffic to the appropriate destinations, then the all traffic to
and from the victim will always go through the attacker’s machine – without the victim knowing
about it.
Server
IP forwarding
Attacker
There are a number of techniques available for accomplishing this attack. These include DNS
poisoning, where domain name information is maliciously associated with the attacker’s preferred
458 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
alternative. This information can be entered at the network DNS server itself, or in the hosts file
on computers on the network.
Important: This is an example of an attack where the attacker does not even need to gain
access to the target machine before launching the attack. So for this attack, the attacker
would proceed from Step 1 to Step 3 in this attack process discussed here.
These applications typically reside in what is called the “DMZ”, a section of the network that is
accessible to both the “Trusted” network, and the “Untrusted” outside world (e.g., the Internet,
public WiFi access, etc.).
Console
Web
Management application
console Database
In the diagram above, anyone should be able to access the Web application in the DMZ, but
should not be able to directly access the backend resources in the trusted zone. In this example,
that resource is a database server. Only the Web application should be able to access this
database.
To preserve the integrity of the zones, the Web application must be able to resist attempts to
misuse it to gain access to the trusted zone. Not all Web applications, however, achieve this goal.
Among the methods attackers use to attack Web applications are the following:
Cross-Site Scripting (XSS) – the attacker introduces malicious script to a dynamic form
(e.g., an input field on a Web application) that does not perform sufficient validation.
SQL injection – the attacker includes malicious instruction into strings that are eventually
passed on to the database associated with a Web application. The malicious code can be
designed to be executed as soon as they are accepted, or to be stored in the database and
then executed when they are retrieved.
Botnets
A “bot” is an application that is installed on a machine, either surreptitiously via a Trojan or by
social engineering, that grants an attacker remote access to that machine’s system resources for
use in acts of malfeasance. For example, that machine could be used to establish malicious
connections to a web application as part of a Distributed Denial of Service (DDoS) attack.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 459
Trend Micro Deep Security Support Track
Once a bot is installed on a machine, that machine is thereinafter referred to as a “zombie”, and
becomes part of a network work of zombie machines collectively called a “botnet”.
VM VM VM
OFF ON ON
X seconds Y seconds
Window of vulnerability
This gap can last anywhere from minutes to even days, depending on the skill and availability of
personnel to administer the virtual infrastructure. The vulnerabilities mentioned here can include:
● Operating system vulnerabilities
● Application vulnerabilities
● Un-updated security software on the VMs
460 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
If an attacker initiates the attack process during this window, then they elevate their chances for
success.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 461
Trend Micro Deep Security Support Track
Once a reconnaissance scan is detected, the DSM generates an alert like the one below
Information about the reconnaissance scan also appears on the target machines details screen
and preview. The latter appears below.
462 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Action: Prevent
Brute force attack on Feature: Deep Packet Inspection > DPI rules
network shares
Action: Prevent
Action: Prevent
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 463
Trend Micro Deep Security Support Track
Malicious HTTP servers Feature: Deep Packet Inspection > Application control
Action: Prevent
This is a heuristics filter that detects HTTP traffic that does not
occur on ports 80, 8080, or some other administrator-authorized
port.
The following threats discussed in the Anatomy of the attack section are beyond the current
scope of Deep Security’s protection capabilities
Relevant product:
464 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
DENIAL OF SERVICE
Attack description Deep Security solution
ACK Storm Feature: Stateful configuration > TCP Packet Inspection
Generic, non-distributed Denial Feature: Stateful configuration > TCP Packet Inspection
of Service
Action: Prevent
Attacker either causes other
machines on a network to flood the
DSA host with connections, or uses
the DSA host to launch a similar
attack on other hosts
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 465
Trend Micro Deep Security Support Track
FRAGMENTATION ATTACK
Attack description Deep Security solution
Tiny fragment attack Feature: Firewall
466 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 467
Trend Micro Deep Security Support Track
Action: Prevent
Action: Prevent
BOTNETS
As illustrated in the threat section, botnets generally have the following common elements:
● A zombie with a bot
● A command center that controls the bots
● Communication between the bots and the command center
The third element is one of the principal ways that botnets are discovered, and eventually
eliminated.
468 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
The Trend Micro product that is specifically targeted at addressing botnets is the Trend Micro
Threat Management Service. This is a virtual appliance/hardware-based solution that deploys
sensors at strategic points in the network to detect the tell-tale traffic between bots and their
command center and then correlate this information to facilitate remediation.
Deep Security, on the otherhand, offers botnet traffic detection capability for a limited selection
of botnets through its Deep Packet Inspection functionality. As of writing, for example, a DPI
rule for detecting command center traffic associated with the Night Dragon network is currently
available.
Note that this rule will only detect and log the traffic emanating from the Deep Security host, but
will not actually block it.
Action: Prevent/Detect
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 469
Trend Micro Deep Security Support Track
470 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 471
Trend Micro Deep Security Support Track
Criteria
The following Deep Security versions
have been granted Common Criteria
certification.
Select security-conscious organizations, especially
Version Certification status
government entities, require that the security
software that they use be certified for “Common 7.0 Not certified
Criteria” compliance.
6.0 Not certified
The Common Criteria Website 5.0 Certified 08 April 2008
(http://www.commoncriteriaportal.org/) provides
the following definition for this certification:
● Products can be evaluated by competent and independent licensed laboratories so as to
determine the fulfilment of particular security properties, to a certain extent or assurance;
● Supporting documents, are used within the Common Criteria certification process to define
how the criteria and evaluation methods are applied when certifying specific technologies;
● The certification of the security properties of an evaluated product can be issued by a
number of Certificate Authorizing Schemes, with this certification being based on the result
of their evaluation;
● These certificates are recognized by all the signatories of the CCRA
472 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 473
Trend Micro Deep Security Support Track
474 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Installation – the ability to use an IP address, instead of a hostname, for DSM identification
has been highlighted. The current IP address is now clearly visible on the installation
screen for ease of reference. This is particularly useful when the DNS is not available
during installation.
Management console enhancements – the following changes were introduced to this
feature:
• Misidentification of Windows 7 machines – some Microsoft Windows 7 clients were
misidentified as “servers”
• Advanced search feature – optional fields on the User account details screen were
not included in searches
Syslog enhancements – the following changes were introduced to this feature:
• UTF-8 formatting for CEF – previously, CEF syslogs did not properly support
UTF-8 characters
• Packet data – base64 encoded packet information can be included in the syslog in
the TrendMicroDsPacketData column
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 475
Trend Micro Deep Security Support Track
Report template for Integrity Monitoring – a report for Integrity Monitoring baselines
has been added. The report includes the fingerprint date of the baseline, as well as the
relevant type and key
Default maximum memory usage for DSM – the default maximum amount of RAM
available to a 64-bit Deep Security Manager service has been increased from 1GB to
4GB. This, however, is configurable. The default maximum memory usage for a 32-bit
DSM service remains at 1GB.
UTF-8 support in SMTP notification – notification emails can now be sent to recipients
whose names require UTF-8 encoding.
Expanded character support – this resolved a number issues related to non-English
character sets. This included:
● Graphical user interface issues
● Log inspection would fail when it encountered Japanese characters
476 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Some customized DPI rules would not function correctly. This was caused by incorrect handling
of the rule’s metadata
• Baseline viewer – administrators can view a list of system areas for which Integrity
Monitoring has baselines. This is accessible via the DSA’s details.
Event tagging – administrators can now create custom tags to frequently occurring events
to facilitate tracking
Location awareness – DPI and Firewall rules can now based on a DSA’s location relative
to the network
Agent hardening – desktop users are not longer able to deactivate their DSAs from the
DSA console
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 477
Trend Micro Deep Security Support Track
478 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
5.2 1.1
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 479
Trend Micro Deep Security Support Track
480 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 481
Trend Micro Deep Security Support Track
482 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
D.2.2 Role-based
Most groups presented one variation or another of a role-based widget selection that was
coupled with specific account types.
D.2.3 Graph-centric
In this design, only graphical historical information would be shown on the dashboard, as shown
below.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 483
Trend Micro Deep Security Support Track
484 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 485
Trend Micro Deep Security Support Track
Deep Security Manager tables are listed below, and grouped according to functionality.
Dashboard
saveddashboards
Alerts
alert2administrators
alert2hosts
alert2s
alerttypes
emails
Reports
reporttemplatemetadatas
Counters
counter3s
counter3ips
counter3ports
counterintegritys
counterintegritykeys
counterloginspection
counterloginspectiondescriptions
countermatch2s
counterwatch2s
Host/Agent/Appliance Management
activehosterrors
agentevents
directories
hosts
hostassetimportance
hostbridges
hostconnectiontypes
hostconnectiontypeportoverrides
hostgroups
hostintegrityrules
hostinterfaces
hostinterfaceconnectiontypes
hostinterfaceips
hostinterfaceippacketfilters
hostinterfacepacketfilters
hostinterfacepayloadfilter2s
hostinterfacestatefulfilters
hostloginspectionrules
hostmetadatas
hostmetadataattributes
hostmetadatagroups
hostpacketfilters
hostpayloadfilter2s
hostrecommendations
hostscans
hostscanports
hostsystemsettings
virtuals
virtualesx
virtualvm
sslcredentials
sslhostconfigurations
486 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
sslhostconfigurationhostinterfaces
Security Profiles
interfacetypes
securityprofiles
securityprofileconnectiontypes
securityprofileconnectiontypeinterfacetypes
securityprofileconnectiontypeportoverrides
securityprofileintegrityrules
securityprofileloginspectionrules
securityprofilepacketfilters
securityprofilepacketfilterinterfacetypes
securityprofilepayloadfilter2s
securityprofilepayloadfilter2interfacetypes
securityprofilestatefulfilters
securityprofilesystemsettings
Firewall
packeterrors
packetfilters
packetfilteroverrides
packetlogs
packetlogdatas
packetloghistory
statefulfilters
Integrity Monitoring
attributes
entitys
integrityevents
integrityeventhistory
integrityrules
integrityrulemetadatas
integrityrulemetadataoverrides
integrityruleoverrides
supersededentitys
Log Inspection
loginspectiondecoders
loginspectiondecodermetadatas
loginspectionevents
loginspectioneventhistory
loginspectionrules
loginspectionrulemetadatas
loginspectionrulemetadataoverrides
loginspectionruleoverrides
portlists
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 487
Trend Micro Deep Security Support Track
Components
iplists
maclists
rulecontexts
schedules
Other (System)
autodiagnostic
availablesystemversions
checkedoutobjects
detectionexpressions
detectionrules
dsmcredentials
managernodes
pluginsettings
rulegroups
systemevents
systemeventhistory
systemsettings
systemversions
sslcertificates
Tagging/Syslog/SNMP
autotagrules
comments
postprocessor
recentcomments
tags
tagsets
tagsettags
Software
agentinstallers
agentinstallersegments
Job Framework
discoveryjobs
donotdiscoverips
locks
managerjobs
managerhistorys
managermessages
Scheduled Tasks
scheduledtasks
scheduledtaskadministrators
488 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
scheduledtaskcontactss
Help System
helparticles
Vulnerability Database
vulnerabilities
vulnerabilitylinks
vulnerabilitypayloadfilter2s
vulnerabilityshieldupdates
vulnerabilitysoftwares
softwares
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 489
Trend Micro Deep Security Support Track
490 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Appendix F: Intelligent
ActiveUpdate (iAU) IDs
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 491
Trend Micro Deep Security Support Track
OEM = 1
Platform = 5889
Version = 8.0.0
Class = 22
C22t2202v8.0.0l1p5889r1o1
Type = 2202
Language = 1
Region = 1
492 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 493
Trend Micro Deep Security Support Track
494 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Enforce type
Engine type
1 0x00000001 IAU_TYPE_ENGINE_VSAPI_ENGINE
2 0x00000002 IAU_TYPE_ENGINE_DCT_ENGINE
4 0x00000004 IAU_TYPE_ENGINE_VSAPI_ENGINE_X86
16 0x00000010 IAU_TYPE_ENGINE_VSAPI_DRIVER_X86
947 0x000003B3 IAU_TYPE_ENGINE_ENGINE_AMSP_LCS_x32
948 0x000003B4 IAU_TYPE_ENGINE_ENGINE_AMSP_LCS_x64
949 0x000003B5 IAU_TYPE_ENGINE_ENGINE_AMSP_LES_x32
950 0x000003B6 IAU_TYPE_ENGINE_ENGINE_AMSP_LES_x64
4096 0x00001000 IAU_TYPE_ENGINE_VSAPI_DRIVER_X64
33554432 0x02000000 IAU_TYPE_ENGINE_ENGINE_TMASE_ENGINE_32BIT_WIN,
Engine:TMASE Engine 32Bit Win:TM_AU_ENGINE_PIRANA
335544320 0x14000000 IAU_TYPE_ENGINE_ENGINE_TMUFE_X86, Engine:TMUFE
x86:TM_AU_ENGINE_TMUFE_WIN32
536871168 0x20000100 IAU_TYPE_ENGINE_VSAPI_ENGINE_X64
536871936 0x20000400 IAU_TYPE_ENGINE_VSAPI_X64_LINUX
553648132 0x21000004 IAU_TYPE_ENGINE_ENGINE_TMASE_ENGINE_64BIT_WIN, Engine:TMASE
Engine 64Bit Win:TM_AU_ENGINE_TMASE_WIN64
553650176 0x21000800 IAU_TYPE_ENGINE_VST_ENGINE_X86, VST engine x86
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 495
Trend Micro Deep Security Support Track
496 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 497
Trend Micro Deep Security Support Track
x64
1075838976 0x40200000 IAU_TYPE_ENGINE_ENGINE_BM_SYSTEM_EVENT_64, AEGIS3.0 System
Event Component x64
1077936128 0x40400000 IAU_TYPE_ENGINE_ENGINE_BM_USER_EVENT_64, AEGIS3.0 User Mode
Component x64
1082130432 0x40800000 IAU_TYPE_ENGINE_ENGINE_BM_ROOTKIT_SCAN_64, AEGIS3.0 Rootkit
Scan Component x64
1090519040 0x41000000 IAU_TYPE_ENGINE_ENGINE_BM_WHITE_LISTING_64, AEGIS3.0 White
Listing Component x64
1107296256 0x42000000 IAU_TYPE_ENGINE_ENGINE_VSAPI32_LINUX_GCC423, VSAPI 9.0 new
platforms
1140850688 0x44000000 IAU_TYPE_ENGINE_ENGINE_X64_MACOS_X, VSAPI 9.0 new platforms
1207959553 0x48000001 IAU_TYPE_ENGINE_ENGINE_NSC65_x86_BROWSER_PLUGIN_IE
1207959554 0x48000002 IAU_TYPE_ENGINE_ENGINE_NSC65_x64_BROWSER_PLUGIN_IE
1207959556 0x48000004 IAU_TYPE_ENGINE_ENGINE_TMSA_X86, Script Analyzer Lineup engine
for 32 bit
1207959560 0x48000008 IAU_TYPE_ENGINE_ENGINE_TMSA_X64, Script Analyzer Lineup engine
for 64 bit
1207959569 0x48000011 IAU_TYPE_ENGINE_ENGINE_NSC65_x86_FFExt, NSC 65
0x48000012 IAU_TYPE_ENGINE_ENGINE_DRE_X86, Damage Recovery Engine for
x86
0x48000014 IAU_TYPE_ENGINE_ENGINE_DRE_X64, Damage Recovery Engine for
x64
1207959577 0x48000019 IAU_TYPE_ENGINE_CLEANBOOT_ENGINE_X86, CleanBoot program
which loads VSAPI to do the virus clean and file restore in Linux
1207959585 0x48000021 IAU_TYPE_ENGINE_NCIE_x64_DRIVER
1207959586 0x48000022 IAU_TYPE_ENGINE_NCIE_x86_COORDINATOR, Network Content
Inspection Engine Coordinator
1207959587 0x48000023 IAU_TYPE_ENGINE_NCIE_x86_DRIVER, Network Content Inspection
Engine Scanner
1207959588 0x48000024 IAU_TYPE_ENGINE_ENGINE_EAGLEEYE_CONTROLLER_VISTA_X86,
EagleEye Controller on Vista (x86)
1207959592 0x48000028 IAU_TYPE_ENGINE_ENGINE_EAGLEEYE_CONTROLLER_VISTA_X64,
EagleEye Controller on Vista (x64)
1207959616 0x48000040 IAU_TYPE_ENGINE_ENGINE_EAGLEEYE_CONTROLLER_XP_X86,
EagleEye Controller on XP (x86)
1207959617 0x48000041 IAU_TYPE_ENGINE_ENGINE_EAGLEEYE_CONTROLLER_XP_X64, EagleEye
Controller on XP (x64)
1207959618 0x48000042 IAU_TYPE_ENGINE_ENGINE_EAGLEEYE_HOOK_DRIVER_WFP_X86,
EagleEye Vista WFP Hook Driver (x86)
1207959620 0x48000044 IAU_TYPE_ENGINE_ENGINE_EAGLEEYE_HOOK_DRIVER_WFP_X64,
EagleEye Vista WFP Hook Driver (x64)
1207959624 0x48000048 IAU_TYPE_ENGINE_ENGINE_EAGLEEYE_HOOK_DRIVER_TDI_X86,
EagleEye XP TDI Hook Driver (x86)
1207959680 0x48000080 IAU_TYPE_ENGINE_ENGINE_EAGLEEYE_HOOK_DRIVER_TDI_X64,
EagleEye XP TDI Hook Driver (x64)
1207959681 0x48000081 IAU_TYPE_ENGINE_NCIE_x64_COORDINATOR, Network Content
Inspection Engine Coordinator x64
1207959682 0x48000082 IAU_TYPE_ENGINE_PEDIF_ENGINE_X86, PeDif engine for 32 bits
1207959683 0x48000083 IAU_TYPE_ENGINE_PEDIF_ENGINE_X64, PeDif engine for 32 bits
1207959685 0x48000085 IAU_TYPE_ENGINE_CLEANBOOT_VSAPI_LINUX_ENGINE_X86, Cleanboot
Vsapi Linux Engine
1207959686 0x48000086 IAU_TYPE_ENGINE_SOFTMICE_V_X86, SoftMice V Engine for Windows
x86
1207959687 0x48000087 IAU_TYPE_ENGINE_SOFTMICE_V_X64, SoftMice V Engine for Windows
x64
1207959688 0x48000088 IAU_TYPE_ENGINE_CLEANBOOT_MBRTOOL_ENGINE_X86, MBR Tool
Engine for Windows x86
1207959689 0x48000089 IAU_TYPE_ENGINE_ENGINE_VSAPI_LINUX_RH6_X86, VSAPI 32-bit
498 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Function type
169 0x000000A9 IAU_TYPE_FUNCTION_FUNCTION_PRO_FEATURES_NAVIGATOR_INTERF
ACE
209 0x000000D1 IAU_TYPE_FUNCTION_FUNCTION_VSAPI_WRAPPER
210 0x000000D2 IAU_TYPE_FUNCTION_FUNCTION_SSAPI_WRAPPER
211 0x000000D3 IAU_TYPE_FUNCTION_FUNCTION_DCE_WRAPPER
212 0x000000D4 IAU_TYPE_FUNCTION_FUNCTION_TMPFW
213 0x000000D5 IAU_TYPE_FUNCTION_FUNCTION_TMPROXY
214 0x000000D6 IAU_TYPE_FUNCTION_FUNCTION_UPDATE
215 0x000000D7 IAU_TYPE_FUNCTION_FUNCTION_IAUUPDATE
216 0x000000D8 IAU_TYPE_FUNCTION_FUNCTION_IM_SCAN
217 0x000000D9 IAU_TYPE_FUNCTION_FUNCTION_LOADHTTP
218 0x000000DA IAU_TYPE_FUNCTION_FUNCTION_SERVER_AGENT
219 0x000000DB IAU_TYPE_FUNCTION_FUNCTION_HOMENETWORK
220 0x000000DC IAU_TYPE_FUNCTION_FUNCTION_HISTORYCLEAN
iAU client type
0 0x00000000 IAU_TYPE_IAUCLIENT_IAU_SDK
18 0x00000012 IAU_TYPE_IAUCLIENT_DETECTOR_PLUGINS, test for selfupdate
112 0x00000070 IAU_TYPE_IAUCLIENT_IAUCORE, iAU 2.0 self-update core component
113 0x00000071 IAU_TYPE_iAURELAY_PRODUCT_iAURELAY
114 0x00000072 IAU_TYPE_iAURELAY_RELAYCORE
Patterns
4 0x00000004 IAU_TYPE_PATTERN_VSAPI
5 0x00000005 IAU_TYPE_PATTERN_SPYWARE_DCT, tmadce.zip
6 0x00000006 IAU_TYPE_PATTERN_DCT, tscptn.zip
8 0x00000008 IAU_TYPE_PATTERN_ENT_LEGACY, lvsapi.zip
512 0x00000200 IAU_TYPE_PATTERN_GSS
2048 0x00000800 IAU_TYPE_PATTERN_TSC
65537 0x00010001 IAU_TYPE_PATTERN_PATTERN_TMAS_NO_HASH_PATTERN
524288 0x00080000 IAU_TYPE_PATTERN_VA_X86
1048576 0x00100000 IAU_TYPE_PATTERN_VA_DATABASE
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 499
Trend Micro Deep Security Support Track
500 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 501
Trend Micro Deep Security Support Track
502 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 503
Trend Micro Deep Security Support Track
504 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 505
Trend Micro Deep Security Support Track
<install path>\Trend Micro\Deep Security Manager\dsm_c.exe.
dsm_c –action <action name>
The following table presents what administrators can do with this tool
Objective Syntax
Change setting dsm_c -action changesetting -name NAME -value VALUE
506 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
<install path>\Trend Micro\Deep Security Agent\dsa_control.exe
dsa_control /<parameter> <string>
The following table presents what administrators can do with this tool
Objective Syntax
Activate agent with a specific Windows: dsa_control /a dsm://<host or IP>:<port>/
DSM
Linux: dsa_control –-activate=dsm://<host or IP>:<port>/
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 507
Trend Micro Deep Security Support Track
Linux: /opt/ds_agent/dsa_control –r
/opt/ds_agent/dsa_control --reset
508 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 509
Trend Micro Deep Security Support Track
Parameter Description
DebugFlag 1 – file
2 – console
4 – debug string
7 – all output options
DebugLogFilePath Absolute path for the debug log folder. By default, this is:
C:\Program Files\Trend Micro\AMSP\debug
DebugLogFilePrefix Prefix used in the AMSP debug log name. By default this is
“Amsp”, so debug logs are named Amsp_*.log
DebugLogFileMaxCount Maximum number of files that can be generated for each AMSP
module log. Acceptable values are from 1 to 10
Plugin <plugin name> Defines debug levels for individual AMSP plug-ins
DebugLevel
2011/10/10 16:11:53.258,[01040:02344],[INFO],[Core Scan Manager], ScanCallBackFunc(): Virus
found!, file path: \\?\c:\Users\Administrator\My
Documents\target\eicar\eicar.com,[.\AMSP_VsapiProcessFileCallback.cpp(186)]
YYYY/MM/DD HH:MM:SS, [Process ID: Thread ID], [Severity], [Module name], Debug message,
[Source file name (Line number)]
Administrators can enable debugging for all or individual modules. To enable individual logging,
each module must have their own section in Amsp_Config.ini like the one below:
510 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
[Plugin VSAPI]
DebugMode=1
DebugLevel=2
DebugFlag=1
DebugLogFilePath=.\debug\
DebugLogFilePrefix=PluginVSAPI
Action Manager Core Action Manager Real-Time Scan Flow Plugin Realtime Scan
Controller Flow
Command Manager Core Command
Manager Report Manager Core Report Manager
DCE Wrapper Plugin DCE Wrapper Scan Manager Core Scan Manager
Event Manager Core Event Manager Service Shell Core Service Shell
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 511
Trend Micro Deep Security Support Track
Each component is assigned an ID number, which is also used as the name of its sub-folder
under the module folder. For example, the AMSP module responsible for updating AMSP
components is called the coreUpdateManager.dll. Its ID is “7”, so it is stored in sub-folder “7”:
The following table provides the ID numbers for other components.
ID File
1 coreFrameworkBuilder.dll
2 coreCommandManager.dll
3 coreEventManager.dll
4 coreTaskManager.dll
5 coreConfigRepository.dll
6 coreReportManager.dll
7 coreUpdateManager.dll
10 coreActionManager.dll
11 coreScanManager.dll
10000 plugEngineVSAPI.dll
10001 plugEngineSSAPI.dll
10002 plugEngineDCE.dll
10007 plugEngineTMFBE.dll
10008 plugEngineICRC.dll
10015 plugEngineWL.dll
10016 plugEngineSMV.dll
20001 plugAdapterSystem.dll
30000 plugRealtimeScanFlow.dll
30001 plugManualScanFlow.dll
30004 plugRealTimeScanCache.dll
30006 plugCommonScanCache.dll
40000 plugUtilRCM.dll
40001 plugUtilEnum.dll
40002 plugUtilSysInfo.dll
40003 plugUtilException.dll
512 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 513
Trend Micro Deep Security Support Track
<debug log name><sequence number>.log
The default log name is “server”, and is defined by the following entry in the logging.properties
file:
# default file output is in user's home directory.
java.util.logging.FileHandler.pattern = DSMROOTPATH/server%g.log
java.util.logging.FileHandler.limit = 10000000
java.util.logging.FileHandler.count = 5
java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.FileHandler.append = true
Administrators can rename the debug log by replacing “server” with the desired name.
<Install path>/Deep Security Manager/jre/lib
com.thirdbrigade.level = ALL
C:/Program Files/Trend Micro/Deep Security Manager/<alternative name>%g
514 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
By default, the Java framework only writes to the log file until it reaches 9,766KB as shown
above. Once a log reaches this limit, the framework changes the sequence number of file and
creates a new sequence-zero file. The sample above shows four renaming events.
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 515
Trend Micro Deep Security Support Track
516 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Appendix J: Answers to
review questions
Chapter 2 answers
1. What is a DSM?
a) Dynamic Security Module
b) Deep Security Manager
c) Deep Security Master
2. What is a DSA?
a) Deep Security Agent
b) Dynamic Security Agent
c) Digital Security Assistant
Chapter 3 answers
1. Which of the following package formats are relevant to DSAs?
a) MSI
b) RPM
c) EXE
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 517
Trend Micro Deep Security Support Track
d) TAR
Chapter 4 answers
1. Which of the following LDAP servers is officially support?
a) Novell eDirectory
b) Apache DS
c) Microsoft Active Directory
d) Open LDAP
2. Which of the following is are supported as a means of adding a host to Computers list?
a) Manually add a host
b) Import host list from Active Directory
c) Discover hosts from an IP range
d) Import host list from WMware Center server
e) All of the above
3. If a computer is deleted from Active Directory, it will ALWAYS be deleted from the DSM Computer list
a) True
b) False
Chapter 5 answers
1. Which of the following security features benefit from Recommendation scanning?
a) Firewall
b) Deep Packet Inspection
c) Integrity Monitoring
d) Log Inspection
e) All of the above
2. Can administrators specify the ports that are scanned as part of a port scan?
a) Yes
b) No
518 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Chapter 6 answers
1. Which features constitute HIPS?
a) Firewall
b) Deep Packet Inspection
c) Integrity Monitoring
d) Log Inspection
Chapter 7 answers
1. How does Integrity Monitoring detect changes?
a) By comparing select system areas with a baseline
b) By referencing a change log
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 519
Trend Micro Deep Security Support Track
Chapter 8 answers
1. What open-source technology is used for Log Inspection functionality?
a) Microsoft .NET
b) OSSEC
c) GNU
Chapter 9 answers
1. Which of the following are valid firewall actions?
a) Allow
b) Deny
c) Bypass
d) Force allow
e) Log only
f) All of the above
2. If a priority 4 Deny rule conflicts with a priority 3 Force allow rule, which rule will prevail?
a) Deny rule
b) Force allow rule
c) None of the above
520 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
a) Allow
b) Deny
c) Bypass
Chapter 10 answers
1. Which of the following are valid uses for Deep Packet Inspection
a) Virtual patching
b) Protocol hygiene
c) Application control (limited)
d) All of the above
3. Which Trend Micro pattern contains information that is comparable to DPI rules?
a) VSAPI pattern
b) SSAPI pattern
c) Generic Stream Scanning rules
d) OfficeScan firewall rules
Chapter 11 answers
1. Which of the following is directly responsible for VM protection functionality
a) Deep Security Virtual Appliance
b) Virtual Agent
c) Master Agent
d) vmKernel
Chapter 12 answers
Which of the following is an advantage of Agent-based protection over Agentless (DSVA-only) protection?
c) Memory scan
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 521
Trend Micro Deep Security Support Track
If the DSA is unable to perform the configured scan action, what will happen to the suspected malware?
a) Pass
b) Delete
c) Quarantine
d) Re-scan
Chapter 13 answers
1. Which of the following concepts dictates the rate at which information is transferred from the DSA to the DSM?
a) Heartbeat
b) Firewall rules
c) Interface changes
d) All of the above
Chapter 14 answers
1. What database does the DSA use for local Log Inspection and Integrity Monitoring event storage?
a) Apache Derby
b) MS SQL
c) SQLLite3
d) MySQL
522 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
Index
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 523
Trend Micro Deep Security Support Track
524 CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL © 2012 Trend Micro Inc.
Support Track Trend Micro Deep Security
© 2012 Trend Micro Inc. CONFIDENTIAL — Release Pursuant to NDA — CONFIDENTIAL 525