
fool TrendMicro Deep Security to look for a folder rather than entire server for On-Demand scan

2,561 Views
Last Modified: 2014-09-16
Our environment's Trend Deep Security (early version 9) on-demand scan for Linux
can only scan the entire server, not selected folders/files only: this is what Trend
Micro support confirms to us by email & phone.

So if we trigger
    /opt/ds-agent/dsa_control -m "AntiMalwareManualScan:true"
it will scan the entire server, but this will take a while & chew quite some resources.
The DeepSecurity console is not accessible to our tenants, & our tenants have applications
which they use to call the above dsa_control command to scan, on demand, files that were
uploaded/exported.

Q1:
Is there any way that I could create a Linux soft link (say create a temporary soft link
/ root which points to only a folder, say /var/tmp/avscan) combined with spawning a
shell so that it scans only a specific folder?  Just a guess, I don't have any idea how this
can be achieved.

Q2:
Or does anyone know if DS 9 (not the beta 9.5) could do a selective folder or file
on-demand scan?  How is this done?  From the DS manager console, I could specify
a specific folder/files, but my cloud tenants can't access the DSM console to manually
activate the scan (i.e. on-demand scan).

The apps team wants that after users use an application to upload/publish files, the
application will then call a DS command to do a scan immediately after the upload
/publishing.

Author

Commented:
Sounds unbelievable: even the freeware ClamAV could do on-demand
scan of selected folder / files in Linux but not Trend's Deep Security
CERTIFIED EXPERT

Commented:
Can you select the desired folder and scan with?
Top Expert 2015

Commented:
Deep security is a firewall, so no wonder it does not scan files.
David Johnson, CD (Simple Geek from the '70s)
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Top Expert 2015
Commented:
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
>Can you select the desired folder and scan with?
There's no parameters/options to indicate the desired folder.
TrendMicro confirms this too.

The closest command that TrendMicro's support could give us is
    # cd /opt/ds_agent
    # ./dsa_control -m "AntiMalwareManualScan:true"
& this scans the entire server (which will take very long).

Btw, dsa=deep security agent & it's not firewall only, it has
anti-malware & IPS amongst other things.

Ver 9.5 has realtime scan, i.e. if a new infected file is introduced
into the server, it will flag out & quarantine it, but this is not
what the apps team wants.
David Johnson, CD (Simple Geek from the '70s)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
then the apps team needs you to use another product..
Realtime scanning should be sufficient.. A Deep Scan as you mentioned is a full server scan which can take hours if not days.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
> then the apps team needs you to use another product..
The above is not something that could be decided easily as it involves
design change & replacing existing product (ie Trend's DS) with a new
product which will require extensive evaluation/assessment.

> Realtime scanning should be sufficient
We just rolled out Ver 9.0 of DS & were told by TrendM that only Ver 9.5
onwards supports realtime scan in Linux.  Ver 9.0 doesn't.  What our tenants
& the governing authority question now is: how do we know the realtime
scan is working?  We can do a test, but the tenant/authority wants to see
a scan log: in the latest TM DS, the scan log is not available in Linux.

Btan's suggestion of exclusion stands a chance, but is it only for Windows
or Linux?  I'll check it out with Trend support.  But one more thing is
missing: the tenants/authority want to see a scan log of files that were
just published/uploaded/exported: having nothing to verify makes
them uncomfortable.

For gmail: if I upload an infected file, it will flag out & block the
upload, & if multiple files are being uploaded, I think it will flag
out which ones are the infected files.  I was being questioned
that even free tools (like ClamAV / gmail) can do better.
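Since DS 9.0 on Linux only offers the whole-server manual scan quoted above and exposes no scan log, one way for the upload application to still produce a per-upload record is to snapshot the uploaded files before the scan, trigger the scan, and compare afterwards. The wrapper below is an added example, not code from this thread or from Trend Micro; it assumes the dsa_control path quoted in the thread, that infected files are removed from their location when quarantined, and that the agent may return before the scan has finished (hence the configurable SCAN_WAIT). The log it writes is the application's own evidence, not an agent scan log.

```shell
#!/bin/sh
# Hypothetical wrapper around the Deep Security agent's manual scan (added example).
# Assumptions: the agent binary lives at the path Trend support quoted in the thread;
# a quarantined file disappears from the upload directory; dsa_control may return
# before the scan is done, so SCAN_WAIT seconds are slept after triggering it.
DSA_CONTROL="${DSA_CONTROL:-/opt/ds_agent/dsa_control}"
SCAN_WAIT="${SCAN_WAIT:-0}"

# Print "sha256  path" for every regular file under $1, sorted so two manifests
# can be compared line by line.
manifest() {
    find "$1" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum
}

# Trigger the agent's on-demand scan. DS 9.0 takes no folder argument, so this is
# always the entire server, exactly as the thread describes.
trigger_scan() {
    "$DSA_CONTROL" -m "AntiMalwareManualScan:true"
    sleep "$SCAN_WAIT"
}

# Scan the upload directory $1 and append one line per file to the log $2:
#   CLEAN        file still present with the same hash after the scan
#   QUARANTINED  file gone after the scan (assumed quarantine behaviour)
#   MODIFIED     file present but its hash changed (e.g. cleaned in place)
scan_upload() {
    dir=$1
    log=$2
    before=$(mktemp)
    after=$(mktemp)
    manifest "$dir" > "$before"
    trigger_scan
    manifest "$dir" > "$after"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # sha256sum separates hash and path with two spaces; read keeps the path intact.
    while read -r hash path; do
        if grep -qxF -- "$hash  $path" "$after"; then
            verdict=CLEAN
        elif [ -e "$path" ]; then
            verdict=MODIFIED
        else
            verdict=QUARANTINED
        fi
        printf '%s %s %s %s\n' "$ts" "$verdict" "$hash" "$path" >> "$log"
    done < "$before"
    rm -f "$before" "$after"
}

# Usage from the upload application, e.g.:
#   scan_upload /var/tmp/avscan /var/log/upload-scan.log
```

The hash in each log line lets the tenant tie the verdict to the exact bytes they uploaded, which is the part the thread says is missing; the MODIFIED verdict exists because some products clean a file in place rather than quarantine it, and without a vendor log the wrapper cannot tell which happened.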
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
Thanks BTan, what you've last posted is useful.

Just learnt that a few months back, Trend gave us a 'fix'/'enhancement'
for Solaris x86 which enables on-demand scan of a specified file/folder with
the scan log accessible/viewable by the tenant.

Now pushing for Trend to release a similar fix for Linux, as more tenants
are requesting it.

Currently we do not permit DSM console access to tenants: quite a
considerable change needed.

Author

Commented:
One of my colleagues escalated that case a few months back via HQ
to Trend & got the fix.  I was not aware of that till I asked around.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Thanks for sharing - Support will be in the best position, since they can feed back to their internal R&D on the demand and needs. Good to hear from them instead.