• Status: Solved
  • Priority: Medium
  • Security: Public

Fool TrendMicro Deep Security into scanning a folder rather than the entire server for an on-demand scan

Our environment's Deep Security (an early version 9) on-demand scan for Linux
can only scan the entire server, not selected folders/files: this is what Trend
Micro support confirmed to us by email and phone.

So if we trigger
    /opt/ds-agent/dsa_control -m "AntiMalwareManualScan:true"
it will scan the entire server, but this will take a while and consume quite a
lot of resources. The Deep Security console is not accessible to our tenants,
and our tenants have applications which call the above dsa_control command to
scan uploaded/exported files on demand.

Q1:
Is there any way I could create a Linux soft link (say a temporary soft link at
the / root which points only to a folder, say /var/tmp/avscan), combined with
spawning a shell, so that it scans only a specific folder? Just a guess; I
don't have any idea how this could be achieved.

Q2:
Or does anyone know whether DS 9 (not the beta 9.5) can do selective folder or
file on-demand scans? How is this done? From the DS Manager console I can
specify a specific folder/files, but my cloud tenants can't access the DSM
console to manually activate the scan (i.e. an on-demand scan).

The apps team wants that after users use an application to upload/publish
files, the application then calls a DS command to do a scan immediately after
the upload/publishing.
Asked by: sunhux
5 Solutions
 
sunhux (Author) commented:
Sounds unbelievable: even the freeware ClamAV can do on-demand scans of
selected folders/files in Linux, but Trend's Deep Security cannot.
 
Merete commented:
Can you select the desired folder and scan with that?
 
gheist commented:
Deep Security is a firewall, so no wonder it does not scan files.
 
David Johnson, CD, MVP (Owner) commented:
> can only scan the entire server and not selected folder/files only
Doesn't it already scan new files as they are written to disk?
 
gheist commented:
It hooks the disk driver and scans the content of disk writes; it does not intercept file accesses and knows nothing about files beyond its log file.
 
btan (Exec Consultant) commented:
Probably the approach is to include exceptions instead on the necessary parent paths (but not the one you are interested in, or the mounted path): exclude directories, files, and file extensions from Anti-Malware scans, either by listing them specifically or through the use of wildcards (since DS 8 SP1), or exclude a UNC path from scanning even if "\\" is not a valid entry for a network share or UNC path in DS 9.
http://esupport.trendmicro.com/solution/en-us/1096634.aspx

For the optimisation aspects, check the Scan Cache settings (introduced in Deep Security 9.0): http://esupport.trendmicro.com/solution/en-us/1098155.aspx

For Linux, only the Anti-Malware feature (not other features like DPI, FW etc.) supports on-demand scans. Maybe support can advise more if you share with them the diagnostics (under "Create Diagnostics Package") from the impacted servers, so that they can better advise on the issue and not simply clarify feature coverage...
http://esupport.trendmicro.com/solution/en-us/1097444.aspx

Also, if DS is in virtual appliance mode, I doubt it can go granular, as it is not even an agent in the guest VM OS, and I understand the DS agent is not anti-malware covered, as I see in the v9 manual (p. 8). It would be good if support really advised how to move ahead, as the user is trying to find a workaround for a product limitation.
http://docs.trendmicro.com/all/ent/dsa/v9.0/en-us/dsa_9.0_ig.pdf
 
sunhux (Author) commented:
> Can you select the desired folder and scan with?
There are no parameters/options to indicate the desired folder.
TrendMicro confirms this too.

The closest command that TrendMicro's support could give us is
# cd /opt/ds_agent
# ./dsa_control -m "AntiMalwareManualScan:true"
and this scans the entire server (which will take very long).

Btw, dsa = Deep Security Agent, and it's not firewall only; it has
anti-malware and IPS amongst other things.

Ver 9.5 has real-time scan, i.e. if a new infected file is introduced
into the server, it will flag and quarantine it, but this is not
what the apps team wants.
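As an added example that is not part of the thread and not Trend Micro's code: the only on-demand trigger the thread has is the whole-server `dsa_control -m "AntiMalwareManualScan:true"` call, with no folder argument, and the tenants' complaint is that nothing ties a scan request to the files they just uploaded. A small POSIX shell wrapper the upload application could call instead of running dsa_control directly covers the second gap: it writes a SHA-256 manifest of the uploaded files, requests the scan with the exact command quoted above, and appends one audit line per request. The dsa_control path and argument are the ones quoted in the thread; the manifest directory, log file and exit-code convention are assumptions.

```shell
#!/bin/sh
# Added example; not from the thread, and not Trend Micro's code. A wrapper an
# upload application could call instead of running dsa_control directly. It
# writes a SHA-256 manifest of the files just uploaded, so the tenant has a
# record to correlate against whatever the agent reports, then fires the
# whole-server on-demand scan with the exact command quoted in the thread.
# Everything except /opt/ds_agent/dsa_control and its -m argument is assumed.

DSA_CONTROL="${DSA_CONTROL:-/opt/ds_agent/dsa_control}"
MANIFEST_DIR="${MANIFEST_DIR:-/var/tmp/avscan-manifests}"

# write_manifest UPLOAD_DIR OUT_FILE
# Hashes every regular file under UPLOAD_DIR into OUT_FILE (one line per
# file, sha256sum format) and prints how many files were hashed.
# Returns 1 if UPLOAD_DIR is not a directory.
write_manifest() {
    upload_dir="$1"
    out_file="$2"
    [ -d "$upload_dir" ] || return 1
    # -exec ... {} + is POSIX and copes with spaces in file names
    find "$upload_dir" -type f -exec sha256sum {} + > "$out_file"
    wc -l < "$out_file" | tr -d ' '
}

# trigger_scan
# Requests the on-demand scan exactly as quoted in the thread. There is no
# folder argument: on Deep Security 9 for Linux this scans the whole server.
# Returns 2 when the agent binary is missing, so the caller can tell
# "agent not installed" from "scan request refused" (assumed convention).
trigger_scan() {
    [ -x "$DSA_CONTROL" ] || return 2
    "$DSA_CONTROL" -m "AntiMalwareManualScan:true"
}

# scan_after_upload UPLOAD_DIR
# Manifest first, then the scan request; appends one audit line per call to
# $MANIFEST_DIR/scan-requests.log and returns trigger_scan's exit status.
scan_after_upload() {
    upload_dir="$1"
    mkdir -p "$MANIFEST_DIR"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    manifest="$MANIFEST_DIR/$stamp.sha256"
    n=$(write_manifest "$upload_dir" "$manifest") || return 1
    rc=0
    trigger_scan || rc=$?
    printf '%s files=%s manifest=%s dsa_control_rc=%s\n' \
        "$stamp" "$n" "$manifest" "$rc" >> "$MANIFEST_DIR/scan-requests.log"
    return "$rc"
}

# Usage: scan_after_upload.sh /path/to/just-uploaded-files
if [ -n "${1:-}" ]; then
    scan_after_upload "$1"
fi
```

The manifest only proves which files were present when the scan was requested; whether the agent actually examined them still has to come from the agent's own events, which is the gap the thread is discussing.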
 
David Johnson, CD, MVP (Owner) commented:
Then the apps team needs you to use another product.
Real-time scanning should be sufficient. A deep scan, as you mentioned, is a full server scan, which can take hours if not days.
 
btan (Exec Consultant) commented:
Probably go for an exception rule instead, if support can confirm it is viable for the DSA. In TM's best practice guide for the DSA, you can check out "5.2.1 Anti-Malware" in the PDF below for possible options to configure, as well as the following pages, which also cover quick/full scans and Scan Exclusions.

http://files.trendmicro.com/documentation/guides/deep_security/DS%209.0%20Best%20Practice%20Guide.pdf

6.3.1 Exclude Database files from Anti-Malware scans
To optimize and establish a stable DB performance, make sure to exclude database related files (Example: dsm.mdf and dsm.ldf) from any type of anti-malware scanning.

5. For issues involving Anti-Malware:
Performance Related:

- If there are performance or access issues experienced when the AM module is turned on, consider adding the directory/file being scanned to the exclusion list first. To do so, go to the Scan Configuration used by the Computer/Policy. Do so under Policy/Computer> Anti-Malware > General > Select scan type > Configuration > Edit > Exclusions. Verify if the issue still persists.

- If adding the file/directory to the exclusion does not work, remove the policy assigned to the affected machine.

- If the issue persists, try to turn off Anti-Malware protection. Go to Policy/Computer> Anti-Malware > General > Anti-Malware State.

- If the issue continues, de-activate the agent.

- Should the issue still persist, check other features that are enabled.
 
sunhux (Author) commented:
> then the apps team needs you to use another product..
The above is not something that can be decided easily, as it involves a
design change and replacing an existing product (i.e. Trend's DS) with a new
product, which will require extensive evaluation/assessment.

> Realtime scanning should be sufficient
We just rolled out Ver 9.0 of DS and were told by TrendM that only Ver 9.5
onwards supports real-time scan in Linux. Ver 9.0 doesn't. What our tenants
and the governing authority question now is: how do we know the real-time
scan is working? We can do a test, but the tenant/authority wants to see
a scan log: in the latest TM DS, the scan log is not available in Linux.

Btan's suggestion of exclusions stands a chance, but is it only for Windows
or also for Linux? I'll check it out with Trend support. But one more thing is
missing: the tenants/authority want to see a scan log of the files that were
just published/uploaded/exported; having nothing to verify makes
them uncomfortable.

For Gmail: if I upload an infected file, it will flag and block the
upload, and if multiple files are being uploaded, I think it will flag
which ones are the infected files. I was being questioned
that even free tools (like ClamAV / Gmail) can do better.
 
btan (Exec Consultant) commented:
I believe it may be mainly Windows, but I do not see why they wouldn't support Linux too; better to get Support to advise and confirm this understanding.
http://esupport.trendmicro.com/solution/en-US/1096634.aspx

From the different platforms and Linux kernels supported by Deep Security 9.0 (below), it seems that the DSVA (though it exists for the agent) does not support anti-malware in Linux.
http://esupport.trendmicro.com/solution/en-US/1096380.aspx

For the log, Deep Security Manager collects Log Inspection Events from the Deep Security Agents at every heartbeat. The data from the logs is used to populate the various reports, graphs, and charts in the Deep Security Manager. Once collected by the Deep Security Manager, event logs are kept for a period of time which can be set from the System tab in the System > System Settings screen. The default setting is one week.

Probably a log inspection rule can also be written to trigger an alert upon a certain keyword or event, e.g. OSSEC defines 100000 - 109999 as the space for user-defined rules (Deep Security Manager will pre-populate the field with a new unique Rule ID). There is pattern matching that supports regular expressions or simpler string patterns. TM did state in their guide that the Log Inspection Rules included with Deep Security Manager require "1002791 - Default Decoders" to function; users should not have to write their own decoders. And there is also the System Event log, but those are records of system-related events (as opposed to security-related events).

Better to get Support to advise...

But also note below:

"Known issues in Deep Security 9"
http://esupport.trendmicro.com/solution/en-us/1096120.aspx
The control of CPU usage made available through a Deep Security 8.0 SP1 hot fix was not included in Deep Security 9.0.

"Known issues in Deep Security 9.5"
http://esupport.trendmicro.com/solution/en-us/1104745.aspx
Process Image File exclusion is only supported in Deep Security Agent protection for Windows.

In Linux platforms, some malware may not be detected if the DNS responds slowly to queries.

During an anti-malware real-time scan, Deep Security Agent may produce multiple Delete Failed events even when the deletion is successful. This rarely occurs, but it happens when the file is being temporarily locked by other processes.
 
sunhux (Author) commented:
Thanks BTan, what you've last posted is useful.

Just learnt that a few months back, Trend gave us a 'fix'/'enhancement'
for Solaris x86 which enables on-demand scans of a specified file/folder, with
the scan log accessible/viewable by the tenant.

Now pushing for Trend to release a similar fix for Linux, as more tenants
are requesting it.

Currently we do not permit DSM console access to tenants: quite a
considerable change would be needed.
 
sunhux (Author) commented:
One of my colleagues escalated that case a few months back via HQ
to Trend and got the fix. I was not aware of that till I asked around.
 
btan (Exec Consultant) commented:
Thanks for sharing. Support will be in the best position, since they can feed back to their internal R&D on the demand and needs. Good to hear from them instead.
