Views:

The alerts possibly occur because of the following scenarios:

  • When there is a temporary communication issue, the alert on the Deep Security Manager remains until it is dismissed by the customer. Having the alert could be misinterpreted as an actual issue even if it is not. When the alert "Smart Protection disconnected" is raised in Deep Security Manager, it requires administrator to clear the warnings/errors as this alert will not dismiss itself. Therefore, even after the server has been reconnected, the alert will remain.
  • The option When off domain, connect to global Smart Protection Service (Windows only) is linked closely to the location awareness feature in Deep Security.

    If you have a machine on a domain and you have a local SPS with the abovementioned setting enabled, then Deep Security Agent will check for the domain controller (using an ICMP ping) at a regular interval. If the domain controller is present, Deep Security Agent will assume that you are on the domain and will continue to use the local SPS. However, if connection to the domain controller cannot be established, the agent will assume that you are "Off domain" and will switch to using global SPS instead.

    If you enabled the option on a machine that is not part of a domain or a machine that cannot ping the domain controller (e.g due to a firewall rule), then that machine will always use the global SPS. Therefore, this option should only be selected for machines that are part of a domain and have the potential to go off domain (i.e. laptops). It is not meant as a failover in case the local Smart Protection Server fails.

Deep Security has a complex design to determine connectivity and to report lost connectivity to/from Smart Protection Server.

  • For Anti-Malware, Deep Security is dependent on the AMSP component to determine if the Smart Protection Server can be detected. If a file is being scanned, AMSP may try to connect to the Smart Protection Server. If AMSP is unable to connect to SPS, then it raises an internal event that the Deep Security Agent receives and uses to mark the server as suspect.

    Deep Security tries to connect to each suspect server (as there may be multiple in the case of local Smart Protection Servers) every five minutes and waits for five seconds for the connection to complete. If Deep Security does not get a connection within five seconds, then it will try again for two more times (total of three tries). If it still cannot connect to any of the servers, it marks the server as disconnected and reports to Deep Security Manager that the specific SPS is disconnected from Smart Scan.

    Deep Security will then try again every five minutes and recheck all those servers marked as disconnected. If the server gets reconnected, then DSA will notify the Deep Security Manager and a Smart Protection Server Connected event will be returned.

  • WRS is handled differently because of WRS caching. When a URL is accessed, Deep Security Agent may attempt to connect to the Smart Protection Server if the URL is not yet cached. If Deep Security Agent is unable to connect to the server, it will raise an event and report to the Deep Security Manager that the Smart Protection Server is disconnected from Smart Scan for Web Reputation. This event will be generated every five minutes.

    For WRS, users can only detect whether the server is down. By default, there is no way to detect once the server is up because of the local and web caching effects. Therefore, there is no "Reconnected" event for WRS.

    These details hold true in all situations. However, in the case of local Smart Protection Server, when the When Roaming check box is selected, the reporting and checking behavior is different.

 
SPS Server URL is case sensive. In addition, the inheritance should be correct for policy.
 

The following event may appear in the console:

Level: Warning
Event ID: 9012
Event: Smart Protection Server Disconnected for Smart Scan
Description: Disconnected from Smart Protection Server: https://ds20.icrc.trendmicro.com/tmcss/? : Error message=536870919[0x20000007](ICRC_HTTP_ERROR), 28[0x1c](Timeout was reached)

To resolve the issue:

  1. Open a browser.
  2. On the iCRC disconnected agent, open the following URL:

    https://ds20.icrc.trendmicro.com/tmcss/?LCRC=08000000AC41080092000080C4F01936B21D9104

    There should be a 4-byte file requested to download. If none, it is a network connection problem.

Comments (0)