Fool TrendMicro Deep Security to look for a folder rather than the entire server for an On-Demand scan

Posted on 2014-08-26
Last Modified: 2014-09-16
Our environment's Trend Deep Security (early version 9) on-demand scan for Linux
can only scan the entire server and not selected folders/files only: this is what Trend
Micro support confirms to us by email and phone.

So if we trigger
    /opt/ds-agent/dsa_control -m "AntiMalwareManualScan:true"
it will scan the entire server, but this will take a while and chew up quite some resources.
The DeepSecurity console is not accessible to our tenants, and our tenants have applications
which they use to call the above dsa_control command to scan files on demand.

Is there any way that I could create a Linux soft link (say, create a temporary soft link
at the / root which points to only a folder, say /var/tmp/avscan) combined with spawning a
shell so that it scans only a specific folder?  Just a guess; I don't have any idea how this
can be achieved.

Or does anyone know if DS 9 (not the beta 9.5) could do selective folder or file
on-demand scans?  How is this done?  From the DS manager console I could specify
a specific folder/files, but my cloud tenants can't access the DSM console to manually
activate the scan (i.e. an on-demand scan).

The apps team wants that after users use an application to upload/publish files, the
application will then call a DS command to do a scan immediately after the upload.
Question by: sunhux
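The post-upload hook the apps team describes, written out as an added example that is not part of the original question and is not Trend Micro's code: a POSIX shell wrapper around the single dsa_control invocation the thread shows. Because the thread says that invocation can only start a whole-server scan, the wrapper issues it at most once per MIN_INTERVAL seconds, coalesces requests that arrive inside the interval into one follow-up scan (flushed later, e.g. from cron), and keeps its own audit log of who requested a scan and whether the agent accepted the request, which gives tenants something to check even where the agent's own Linux scan log is not available. The file paths, the interval, the `--request`/`--flush` interface and the audit-log line format are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Trend Micro: a rate-limited,
# audited wrapper for the whole-server on-demand scan the thread describes.
# All paths and the interval are hypothetical defaults; override via environment.

DSA_CONTROL="${DSA_CONTROL:-/opt/ds_agent/dsa_control}"
MIN_INTERVAL="${MIN_INTERVAL:-900}"                      # seconds between full scans
SCAN_STAMP="${SCAN_STAMP:-/var/tmp/dsa_scan.last}"       # epoch time of last issued scan
SCAN_PENDING="${SCAN_PENDING:-/var/tmp/dsa_scan.pending}" # requesters waiting for a scan
SCAN_AUDIT_LOG="${SCAN_AUDIT_LOG:-/var/tmp/dsa_scan_audit.log}"

# audit_log REQUESTER STATUS: append one line to the wrapper's own audit trail.
audit_log() {
    printf '%s requester=%s status=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$SCAN_AUDIT_LOG"
}

# run_scan: the command the thread reports as the only way to start a scan.
run_scan() {
    "$DSA_CONTROL" -m "AntiMalwareManualScan:true"
}

# seconds_since_last_scan: a large number when no scan has been issued yet.
seconds_since_last_scan() {
    last=$(cat "$SCAN_STAMP" 2>/dev/null || echo 0)
    echo $(( $(date +%s) - last ))
}

# issue_scan REQUESTER: clear the pending list, stamp the time, run the scan.
issue_scan() {
    rm -f "$SCAN_PENDING"
    date +%s > "$SCAN_STAMP"
    if run_scan; then
        audit_log "$1" accepted
    else
        audit_log "$1" failed
        return 1
    fi
}

# request_scan REQUESTER: called by the application right after an upload.
# Inside the interval the request is recorded instead of starting another scan.
request_scan() {
    requester="${1:-unknown}"
    if [ "$(seconds_since_last_scan)" -ge "$MIN_INTERVAL" ]; then
        issue_scan "$requester"
    else
        printf '%s\n' "$requester" >> "$SCAN_PENDING"
        audit_log "$requester" queued
    fi
}

# flush_pending: run from cron; issues one scan covering all queued requesters
# once the interval has elapsed. Returns 0 whether or not a scan was needed.
flush_pending() {
    [ -s "$SCAN_PENDING" ] || return 0
    [ "$(seconds_since_last_scan)" -ge "$MIN_INTERVAL" ] || return 0
    issue_scan "pending:$(tr '\n' ',' < "$SCAN_PENDING")"
}

# count_audit STATUS: number of audit lines with that status (for reports/tests).
count_audit() {
    [ -f "$SCAN_AUDIT_LOG" ] || { echo 0; return 0; }
    grep -c "status=$1" "$SCAN_AUDIT_LOG" || true
}

# Stand-alone use: scan_wrapper.sh --request <tenant-id>   or   scan_wrapper.sh --flush
case "${1:-}" in
    --request) request_scan "${2:-unknown}" ;;
    --flush)   flush_pending ;;
esac
```

The application calls `scan_wrapper.sh --request <tenant-id>` after each upload, and a cron entry runs `scan_wrapper.sh --flush` every few minutes. The audit log records only that a scan was requested and that dsa_control returned success; it is not evidence that the scan inspected or cleaned a particular file, since the thread says no per-file scan log is exposed on Linux with DS 9.0.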

    Author Comment

    Sounds unbelievable: even the freeware ClamAV can do an on-demand
    scan of selected folders/files in Linux, but not Trend's Deep Security.
    LVL 69

    Expert Comment

    Can you select the desired folder and scan with?
    LVL 61

    Expert Comment

    Deep Security is a firewall, so no wonder it does not scan files.
    LVL 77

    Assisted Solution

    by:David Johnson, CD, MVP
    > can only scan the entire server and not selected folder/files only
    Doesn't it already scan new files as they are written to disk?
    LVL 61

    Assisted Solution

    It hooks onto the disk driver and scans the content of disk writes; it does not intercept file accesses and knows nothing about files beyond its log file.
    LVL 60

    Assisted Solution

    Probably the way is to include an exception instead on the necessary parent path (but not the one you are interested in or the mounted path): exclude directories, files, and file extensions from Anti-Malware scans, either by listing them specifically or through the use of wildcards (since DS8 SP1), OR exclude a UNC path from scanning even if "\\" is not a valid entry for a network share or UNC path in DS9.

    For optimisation aspects, check the Scan Cache settings (introduced in Deep Security 9.0).

    For Linux, the Anti-Malware feature (not other features like DPI, FW etc.) supports on-demand scan only. Maybe support can advise more if you share with them the diagnostics (under "Create Diagnostics Package") from the impacted servers, so that they can better advise on the issue and not simply clarify feature coverage...

    Also, if DS is in virtual appliance mode, I doubt it can go granular, as it is not even an agent in the guest VM OS, and I understand the DS agent is not anti-malware covered, as I see in the v9 manual (pg 8). Good if support really advises how to move ahead, as the user is trying to find a workaround for a product limitation.

    Author Comment

    >Can you select the desired folder and scan with?
    There are no parameters/options to indicate the desired folder.
    TrendMicro confirms this too.

    The closest command that TrendMicro's support could give us is
    # cd /opt/ds_agent
    # ./dsa_control -m "AntiMalwareManualScan:true"
    and this scans the entire server (which will take very long).

    Btw, dsa = Deep Security Agent, and it's not firewall only; it has
    anti-malware and IPS amongst other things.

    Ver 9.5 has realtime scan, i.e. if a new infected file is introduced
    into the server it will flag and quarantine it, but this is not
    what the apps team wants.
    LVL 77

    Expert Comment

    by:David Johnson, CD, MVP
    Then the apps team needs you to use another product.
    Realtime scanning should be sufficient. A Deep Scan, as you mentioned, is a full server scan which can take hours if not days.
    LVL 60

    Assisted Solution

    Probably go for an exception rule instead, if support can confirm it is viable for DSA. In the TM best practice guide for DSA, you can check out "5.2.1 Anti-Malware" in the PDF below for possible options to configure, as well as the following pages, which also state the quick/full scan and Scan Exclusions.

    6.3.1 Exclude Database files from Anti-Malware scans
    To optimize and establish a stable DB performance, make sure to exclude database related files (Example: dsm.mdf and dsm.ldf) from any type of anti-malware scanning.

    5. For issues involving Anti-Malware:
    Performance Related:

    - If there are performance or access issues experienced when the AM module is turned on, consider adding the directory/file being scanned to the exclusion list first. To do so, go to the Scan Configuration used by the Computer/Policy. Do so under Policy/Computer> Anti-Malware > General > Select scan type > Configuration > Edit > Exclusions. Verify if the issue still persists.

    - If adding the file/directory to the exclusion does not work, remove the policy assigned to the affected machine.

    - If the issue persists, try to turn off Anti-Malware protection. Go to Policy/Computer> Anti-Malware > General > Anti-Malware State.

    - If the issue continues, de-activate the agent.

    - Should the issue still persist, check other features that are enabled.

    Author Comment

    > then the apps team needs you to use another product..
    The above is not something that could be decided easily, as it involves
    a design change and replacing the existing product (i.e. Trend's DS) with a new
    product, which will require extensive evaluation/assessment.

    > Realtime scanning should be sufficient
    We just rolled out Ver 9.0 of DS and were told by Trend Micro that only Ver 9.5
    onwards supports realtime scan in Linux.  Ver 9.0 doesn't.  What our tenants
    and the governing authority question now is: how do we know the realtime
    scan is working?  We can do a test, but the tenant/authority wants to see
    a scan log; in the latest TM DS, the scan log is not available in Linux.

    Btan's suggestion of exclusion stands a chance, but is it only for Windows
    or Linux too?  I'll check it out with Trend support.  But one more thing is
    missing: the tenants/authority want to see a scan log of files that were
    just published/uploaded/exported; having nothing to verify makes
    them uncomfortable.

    For Gmail: if I upload an infected file, it will flag and block the
    upload, and if multiple files are being uploaded, I think it will flag
    which ones are the infected files.  I was questioned
    that even free tools (like ClamAV / Gmail) can do better.
    LVL 60

    Accepted Solution

    I believe it may be mainly Windows, but I do not see why they don't support Linux too; better to get Support to advise and confirm this understanding.

    From the different platforms and Linux kernels supported by Deep Security 9.0, shown below, it seems that DSVA does not support anti-malware in Linux (though it does exist for the agent).

    For the log, Deep Security Manager collects Log Inspection Events from the Deep Security Agents at every heartbeat. The data from the logs is used to populate the various reports, graphs, and charts in the Deep Security Manager. Once collected by the Deep Security Manager, Event logs are kept for a period of time which can be set from System tab in the System > System Settings screen. The default setting is one week.

    Probably a log inspection rule can also be written to trigger an alert upon a certain keyword or event, e.g. OSSEC defines 100000 - 109999 as the space for user-defined rules (Deep Security Manager will pre-populate the field with a new unique Rule ID). There is pattern matching that supports Regular Expressions or simpler String Patterns. TM did state in their guide that the Log Inspection Rules included with Deep Security Manager require "1002791 - Default Decoders" to function; users should not have to write their own decoders. And there is also the System Event log, but these are records of system-related events (as opposed to security-related events).

    Better to get Support to advise ...

    But also note below

    "Known issues in Deep Security 9"
    The control CPU usage made available through a Deep Security 8.0 SP1 hot fix was not included in Deep Security 9.0.
    "Known issues in Deep Security 9.5"
    Process Image File exclusion is only supported in Deep Security Agent protection for Windows.

    In Linux platforms, some malware may not be detected if the DNS responds slowly to queries.

    During anti-malware Real-time scan, Deep Security Agent may produce multiple Delete Failed events even when the deletion is successful. This rarely occurs but it happens when the file is being temporarily locked by other processes.

    Author Comment

    Thanks BTan, what you've last posted is useful.

    Just learnt that a few months back Trend gave us a 'fix'/'enhancement'
    for Solaris x86 which enables on-demand scans of a specified file/folder, with
    the scan log accessible/viewable by the tenant.

    Now pushing for Trend to release a similar fix for Linux, as more tenants
    are requesting it.

    Currently we do not permit DSM console access to tenants: quite a
    considerable change is needed.

    Author Comment

    One of my colleagues escalated the case a few months back via HQ
    to Trend and got the fix.  I was not aware of that till I asked around.
    LVL 60

    Expert Comment

    Thanks for sharing. Support will be in the best position, since they can feed back to their internal R&D on the demand and needs. Good to hear from them instead.
