sunhux

asked on

fool TrendMicro Deep Security to look for a folder rather than entire server for On-Demand scan

Our environment's Trend Deep Security (early version 9) on-demand scan for Linux
can only scan the entire server, not selected folders/files only: this is what Trend
Micro support confirmed to us by email and phone.

So if we trigger
    /opt/ds-agent/dsa_control -m "AntiMalwareManualScan:true"
it will scan the entire server, but this will take a while and chew up quite some resources.
The Deep Security console is not accessible to our tenants, and our tenants have applications
which they use to call the above dsa_control command to scan uploaded/exported files
on demand.

Q1:
Is there any way that I could create a Linux soft link (say, create a temporary soft link
/ root which points to only a folder, say /var/tmp/avscan) combined with spawning a
shell so that it scans only a specific folder? Just a guess; I don't have any idea how this
can be achieved.

Q2:
Or does anyone know if DS 9 (not the beta 9.5) can do a selective folder or file
on-demand scan? How is this done? From the DS manager console, I can specify
a specific folder/files, but my cloud tenants can't access the DSM console to manually
activate the scan (ie on-demand scan).

The apps team wants that, after users use an application to upload/publish files, the
application will call a DS command to do a scan immediately after the upload
/publishing.

sunhux (ASKER):

Sounds unbelievable: even the freeware ClamAV can do an on-demand
scan of selected folders/files in Linux, but not Trend's Deep Security.

Merete:

Can you select the desired folder and scan with that?
Deep Security is a firewall, so no wonder it does not scan files.

SOLUTION (David Johnson, CD, Canada): members-only content not shown here.

SOLUTION: members-only content not shown here.

SOLUTION: members-only content not shown here.

sunhux (ASKER):


> Can you select the desired folder and scan with?
There are no parameters/options to indicate the desired folder.
Trend Micro confirms this too.

The closest command that Trend Micro's support could give us is
# cd /opt/ds_agent
# ./dsa_control -m "AntiMalwareManualScan:true"
and this scans the entire server (which will take very long).

Btw, dsa = Deep Security agent, and it's not firewall only; it has
anti-malware and IPS amongst other things.

Ver 9.5 has realtime scan, ie if a new infected file is introduced
into the server, it will flag it and quarantine it, but this is not
what the apps team want.

Then the apps team needs you to use another product.
Realtime scanning should be sufficient. A Deep Scan as you mentioned is a full server scan which can take hours if not days.

SOLUTION: members-only content not shown here.

sunhux (ASKER):


> then the apps team needs you to use another product..
The above is not something that can be decided easily, as it involves a
design change and replacing an existing product (ie Trend's DS) with a new
product, which will require extensive evaluation/assessment.

> Realtime scanning should be sufficient
We just rolled out Ver 9.0 of DS and were told by TrendM that only Ver 9.5
onwards supports realtime scan in Linux. Ver 9.0 doesn't. What our tenants
and the governing authority question now is: how do we know the realtime
scan is working? We can do a test, but the tenant/authority wants to see
a scan log; in the latest TM's DS, the scan log is not available in Linux.

Btan's suggestion of exclusion stands a chance, but is it only for Windows
or Linux? I'll check it out with Trend support. But one more thing is
missing: the tenants/authority want to see a scan log of the files that were
just published/uploaded/exported; having nothing to verify makes
them uncomfortable.

For gmail: if I upload an infected file, it will flag it and block the
upload, and if multiple files are being uploaded, I think it will flag
which ones are the infected files. I was questioned that
even free tools (like ClamAV / gmail) can do better.
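Since the thread establishes that DS 9 on Linux has no per-folder on-demand scan, the following is an added example (not from this thread and not Trend Micro code) of what the apps team's post-upload hook looks like against a scanner that does take a path, such as the ClamAV clamscan the thread mentions. It scans only the upload folder, maps the scanner's exit status to a verdict, appends a timestamped record plus the scanner's own output to a per-tenant log file (the evidence the tenants and the governing authority asked for), and can drop the standard EICAR test file into the folder so that "is the scanner really running?" has a checkable answer. The folder /var/tmp/avscan comes from the question; SCAN_CMD, scan_upload, write_eicar, the log path and the clamscan options are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-upload scan hook for a single folder. Not Deep Security
# code: the thread states DS 9 on Linux offers no per-folder on-demand scan.
# Assumes a scanner that accepts a path (default: clamscan), set via SCAN_CMD.

# scan_upload DIR LOG
#   Scans DIR only, appends a timestamped record and the scanner output to LOG,
#   prints the verdict on stdout and returns the scanner's exit status using
#   clamscan's convention: 0 = clean, 1 = infected file(s) found, 2 = error.
scan_upload() {
    dir="$1"
    log="$2"
    cmd="${SCAN_CMD:-clamscan --recursive --infected --no-summary}"  # assumption
    if [ ! -d "$dir" ]; then
        echo "ERROR"
        echo "scan_upload: no such directory: $dir" >&2
        return 2
    fi
    rc=0
    out=$($cmd "$dir" 2>&1) || rc=$?   # $cmd is unquoted on purpose: it carries options
    case "$rc" in
        0) verdict=CLEAN ;;
        1) verdict=INFECTED ;;
        *) verdict=ERROR ;;
    esac
    # One record per upload, so a tenant can match a log line to what they uploaded.
    printf '%s %s dir=%s rc=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$verdict" "$dir" "$rc" >> "$log"
    [ -n "$out" ] && printf '%s\n' "$out" >> "$log"
    echo "$verdict"
    return "$rc"
}

# write_eicar DIR
#   Drops the standard 68-byte EICAR test file into DIR. It is inert, but every
#   mainstream scanner flags it, so a scan of DIR must log INFECTED if the
#   scanner is really running. The string is split in two so that this script
#   itself is not quarantined by a real-time scanner.
write_eicar() {
    part1='X5O!P%@AP[4\PZX54(P^)7CC)7}$'
    part2='EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    printf '%s%s' "$part1" "$part2" > "$1/eicar.com"
}

# Stand-alone demo (needs clamscan installed):
#   sh scan_hook.sh --demo /var/tmp/avscan /var/log/avscan/tenant.log
if [ "${1:-}" = "--demo" ]; then
    write_eicar "$2"
    scan_upload "$2" "$3"
    echo "scan returned $?; log follows:"
    cat "$3"
fi
```

The exit-code mapping is clamscan's; another scanner needs its own mapping. The thread's dsa_control -m command is not a drop-in for SCAN_CMD, because it triggers a whole-server scan rather than returning a verdict for one folder, and the application would get no per-upload evidence from it.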

ASKER CERTIFIED SOLUTION: members-only content not shown here.

sunhux (ASKER):


Thanks BTan, what you last posted is useful.

I just learnt that a few months back, Trend gave us a 'fix'/'enhancement'
for Solaris x86 which enables on-demand scan of a specified file/folder, with
the scan log accessible/viewable by the tenant.

Now pushing for Trend to release a similar fix for Linux, as more tenants
are requesting it.

Currently we do not permit DSM console access to tenants: quite a
considerable change is needed.

sunhux (ASKER):


One of my colleagues escalated that case a few months back via HQ
to Trend and got the fix. I was not aware of that till I asked around.

Thanks for sharing. Support will be in the best position since they can feed back to their internal R&D on the demand and needs. Good to hear from them instead.