Functionality: Intrusion Prevention System (IPS)

Best Practices

  • How do I customize an IPS rule?

    Perform the following tasks to configure and work with intrusion prevention rules:

    1. Navigate to Policies > Common Objects > Rules > Intrusion Prevention Rules. Click New Intrusion Prevention Rule.
    2. On the General page, edit the options under General Information, Details and Events.
    3. On the Rules page, choose a rule template as described in the article Types of custom Intrusion Prevention rules in Deep Security.
    4. On the Options page, decide whether this rule triggers an event, and set the Context and Schedule (active times) for this rule as well.
    5. Confirm all settings and click OK.
    6. Assign the new customized rule to the machine to be protected.

    For more details, please refer to the Deep Security Help Center: Configure intrusion prevention rules.

  • How do I tune IPS rules?
    1. Recommendation scan

      You can use recommendation scans to discover the Intrusion Prevention rules that you should assign to your policies and computers. To automatically and periodically fine-tune your assigned Intrusion Prevention rules, you can schedule recommendation scans.

      See more at Deep Security Help Center: Manage and run recommendation scan.

    2. Monitor your system

      Monitor Intrusion Prevention events to ensure that rules are not matching legitimate network traffic. Monitor CPU, RAM, and network usage to verify that system performance is still acceptable.

      See more at Deep Security Help Center: Set up Intrusion Prevention.

    3. If rules are manually assigned, do not assign more than 300 rules, as this affects system performance. See page 30 of the Best Practice Guide.

  • How do I optimize performance-related settings and avoid IPS performance issues?

    To maximize performance, it is recommended to have fewer than 300 intrusion prevention rules assigned to a computer. When an agent is assigned too many intrusion prevention rules, the status of the agent could change to "Agent configuration package too large" and the event message "Configuration package too large" appears.

    Visit this article on Performance tips for intrusion prevention.

  • Where can I check the IPS audit logs?

    Follow these steps:

    1. To see what changes were made on an agent during an update, including IPS rule assignment and unassignment, look for the "Computer Updated" event in the system events.
    2. To query this event, log on to the DSM console, go to Computers, and find the agent that needs to be checked.
    3. Double-click the agent and open its properties > Overview > System Events.
    4. Change the Period to the proper date range, and click Refresh on the right.
    5. In the Event column, find the "Computer Updated" event. Note that you can add a tag to an event so that you can query such events faster in the future.
    6. For a place that records changes across all agents, search for the specific computer events under "Events & Reports".

IPS events

  • Why does my application get blocked by an IPS rule?

    To ensure your computers are protected until patches that fix the vulnerability are released, tested, and deployed, IPS blocks an application that matches the condition below:

    When patches are not available for known vulnerabilities in applications or operating systems, Intrusion Prevention rules can intercept traffic that is trying to exploit the vulnerability. It identifies malicious software that is accessing the network and increases visibility into, or control over, applications that are accessing the network.

  • How do I know why a specific IPS rule is detected and what I should do to mitigate the issue accordingly?

    Follow these steps:

    1. Open the event details page by double-clicking the event.
    2. Click the link in the Reason section to open the rule details page.
    3. Read the Description to understand the detection.
    4. Switch to the Vulnerability tab and open the external link under External References. Usually, the links point to a MITRE CVE page or the vulnerable application's official website.
    5. Find the mitigation method on the MITRE CVE page or the vulnerable application's official website. Usually, the methods are upgrading or patching the OS/application, or changing certain OS/application configuration.

    Visit this KB article for more detailed instructions.

Rule Assignment

  • How do I assign/unassign an IPS rule?

    Intrusion Prevention rules can be assigned or unassigned on either Computer or Policy level. See Assign and unassign rules for the detailed steps.

  • How do I check the details of an IPS rule?

    To check the details of an IPS rule, log in to the Cloud One - Workload Security console, then go to Policies > Common Objects > Rules > Intrusion Prevention Rules. Search for the rule by rule ID or keywords.

    You can read the Description to understand the rule under the General tab. Find other information about the vulnerability, configuration and other options by switching tabs.

  • Why is the Intrusion Prevention's status "State: On, Prevent, no rules"?

    This state means that no Intrusion Prevention rules are assigned at either the Policy level or the Computer level.

    Please assign rules by referring to Deep Security Help Center: Assign and unassign rules.

Rule Configuration

  • The IPS rule is not working. What should I do?

    When an IPS rule doesn't seem to be working as expected, perform the following basic checks to ensure that everything is in order:

    1. Make sure the Intrusion Prevention module has been enabled on the affected system.
    2. Test that the Intrusion Prevention module is functioning properly by following either Test Intrusion Prevention on the Deep Security Help Center or this KB article on Testing the Deep Security modules.
    3. Make sure you have configured the appropriate settings at the policy or specific computer level, including the detection/prevention action of this rule. Refer to Policies, inheritance, and overrides, and Configure intrusion prevention rules in the Deep Security Help Center.
    4. Implement best practices for specific rules.

  • What is the difference between Prevent mode and Detect mode?

    Detect: Intrusion prevention uses rules to detect matching traffic and generate events, but does not block traffic. Detect mode is useful to test that intrusion prevention rules do not interfere with legitimate traffic.

    Prevent: Intrusion Prevention uses rules to detect matching traffic, generate events, and block traffic to prevent attacks.

  • How do I use Prevent/Detect mode?

    When you first apply new intrusion prevention rules, use Detect mode to verify that they don't accidentally block normal traffic (false positives). When you are satisfied that no false positives occur, you can use Prevent mode to enforce the rules and block attacks.

Functionality: Communication

Agent Status

  • How does Cloud One Workload Security Manager check if the DSA is online?

    By default, the DSA initiates the heartbeat to communicate with the Manager. Once the Manager receives a heartbeat from the DSA, it shows the computer as "Online".

  • How do I resolve an agent offline issue?

    A computer status of "Offline" or "Managed (Offline)" means that the Deep Security Manager has not received heartbeats from the Deep Security Agent for some time and the number of consecutive missed heartbeats has exceeded the threshold.

    When you're experiencing an 'Offline' problem, it is recommended to first update the agent status of the problematic machine with the following steps:

    1. Reactivate the agent.
    2. Restart the agent service.
    3. Reinstall the agent.

    If none of the above steps resolves the offline issue, it is probably due to a heartbeat connection failure caused by network communication, and the agent is presumed to be offline.

    Refer to the online help topic Offline Agent to fix the network communication problem.

    Visit this KB article for detailed instructions.

  • What are the URLs, IP addresses and ports used by Cloud One Workload Security components?

    Cloud One Workload Security default port numbers, URLs, IP addresses, and protocols are listed in Deep Security Help Center: Port numbers, URLs, and IP addresses.

     
    • Cloud One Workload Security port numbers: all 'Mandatory ports' must be enabled, while 'Optional ports' depend on the features or components that need to be deployed.
    • Cloud One Workload Security URLs: make sure the firewall allows traffic from the listed 'Source' to the listed 'Destinations', and that access to the associated HTTP and HTTPS URLs is allowed.
    • Cloud One Workload Security IP addresses: restrict the inbound/outbound IP addresses that are allowed in the environment to be protected.
     

Communication

  • What is the default communication direction?

    For Cloud One Workload Security, Agent-initiated communication (AIA) is enabled by default. This means that the Deep Security Agent initiates all interactions with the manager and establishes an encrypted TCP connection over the manager heartbeat port (443).

    Visit this KB article for more detailed information.

  • Which communication direction option shall I choose for a policy or a computer?
     
    For Cloud One Workload Security, agent-initiated communication is enabled by default and it is strongly recommended not to change this setting. You may change to one of the below communication directions if the default communication direction won't work in your network environment.
     

    Bidirectional: The agent normally initiates the heartbeat and also listens on the agent's listening port number for connections from the Deep Security Manager. The manager can contact the agent to perform the required operations. The manager can apply changes to the security configuration of the agent. The DSM and the agent must be able to reach each other over the network.

    Manager Initiated: The manager initiates all communication with the agent. These communications include security configuration updates, heartbeat operations, and requests for event logs. The DSA must be reachable from the DSM over the network.

    Agent Initiated: This is the default communication direction of Cloud One Workload Security. The agent does not listen for connections from the manager. Instead, it contacts the manager on the port number where the manager listens for agent heartbeats. Once the agent has established a TCP connection with the manager, all normal communication takes place: the manager first asks the agent for its status and for any events. (This is the heartbeat operation.) If there are outstanding operations that need to be performed on the computer (for example, the policy needs to be updated), these operations are performed before the connection is closed. Communications between the manager and the agent only occur on every heartbeat. If an agent's security configuration has changed, it is not updated until the next heartbeat.

    For more detailed information, please refer to the Deep Security Help Center: Agent-manager communication.

Proxy Configuration

  • What Cloud One Workload Security traffic should I allow on the proxy or firewall in my environment?

    You can find the Cloud One Workload Security default port numbers, URLs, IP addresses, and protocols that need to be allowed on your proxy or firewall on Deep Security Help Center: Port numbers, URLs, and IP addresses.

  • How do I configure a proxy in Cloud One Workload Security for different purposes?

    Configure proxies for the following purposes in Cloud One Workload Security:

    • Agents/Relays connect to 'primary security update source' via a proxy.
    • Agents connect to Workload Security via proxy.
    • Agents connect to Relays via proxy.
    • Agents connect to the Smart Protection Network via proxy.

    For more information about detailed configuration steps, please refer to Deep Security Help Center: Configure proxies.

Activation

  • How do I resolve DSA activation failure for Windows DSA?

    Follow these steps:

    1. Check the error description to see why the activation failed. Most of the time, the problem is self-explanatory.
    2. Check for network issues by running telnet against the Workload Security URL on the Agent machine: telnet app.deepsecurity.trendmicro.com 443.
    3. Check the DSA and make sure that it is not activated or registered to another Deep Security Manager.
    4. You may activate the Agent from the Workload Security web console or via command line.
    5. Refer to Error: Activation Failed for more activation-failed error types.
    6. If the above steps do not resolve the issue, please contact Trend Micro support.

    Visit this KB article for detailed instructions.

  • How do I resolve DSA activation failure for Linux DSA?

    Follow these steps:

    1. Check the network communication between the Agent machine and the Workload Security URLs, using the telnet command on the Agent machine.
    2. Try an agent-initiated activation and check if this helps resolve the issue.
      1. On the Workload Security console, navigate to Administration > System Settings > Agents. Make sure both "Allow Agent-Initiated Activation" and "re-activate the existing computer" are ticked.
      2. On the Agent machine, change directory to the DSA folder using the command "cd /opt/ds_agent".
      3. Type the command "./dsa_control -r".
      4. Type the command: ./dsa_control -a dsm://:/ "tenantID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" "token:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

    To find the appropriate values for the tenant ID and token, in the Workload Security console, go to Support > Deployment Scripts, scroll to the end of the script that is generated, and copy the tenantID and token values.
     

    For more activation-failed error types, please refer to Deep Security Help Center: Error: Activation Failed.

    Visit this KB article for more detailed instructions.

Backend

  • Where can I check the Cloud One Workload Security incident history?

    At the moment, the Cloud One Workload Security incident history is not public. If you want to check Cloud One Workload Security incidents for a specific time range, please contact the support team for help.

 

Functionality: Activation

Agent Activation Error

  • How do I fix "HTTPS Status: 400 Failure" when activating agent?

    Below are some recommendations for troubleshooting this issue:

    • Check the agent activation syntax for any typographical error.
    • Double-check the Agent-Initiated Activation settings.
    • Check the communication between agent and manager.
    • Verify agent service status.

    Visit this KB article for more detailed instructions.
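
    The first check above can be scripted. The following is an added example, not Trend Micro code and not part of the original FAQ: a POSIX shell function that lints a dsa_control activation command line for typographical errors such as typographic dashes or curly quotes pasted from formatted text, unreplaced placeholders, and a malformed dsm:// URL. The function name lint_activation, the sample UUIDs, and the assumption that the tenant ID and token are UUID-shaped are illustrative.

```shell
#!/bin/sh
# Added example (not Trend Micro code): lint a dsa_control activation command
# line for typographical errors before running it.
# Assumption: tenant ID and token are UUID-shaped (8-4-4-4-12 hex digits),
# following the placeholder shape shown on this page.

UUID_RE='[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'

# Typographic characters that formatted text substitutes for ASCII '-' and '"'.
# Built from octal bytes (UTF-8) so the script itself stays pure ASCII.
EN_DASH=$(printf '\342\200\223')
EM_DASH=$(printf '\342\200\224')
LDQUO=$(printf '\342\200\234')
RDQUO=$(printf '\342\200\235')

# matches REGEX STRING: true when STRING matches the extended regex.
matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# lint_activation CMDLINE
# Prints one finding per line; returns 1 if there is any finding, else 0.
# The command line is never echoed, so the token does not leak into logs.
lint_activation() {
    cmd=$1
    rc=0

    case $cmd in
        *"$EN_DASH"*|*"$EM_DASH"*)
            echo "dash: typographic dash found; options need ASCII '-'"; rc=1 ;;
    esac
    case $cmd in
        *"$LDQUO"*|*"$RDQUO"*)
            echo "quote: curly quote found; use ASCII double quotes"; rc=1 ;;
    esac
    case $cmd in
        *'<'*'>'*)
            echo "placeholder: a <...> placeholder was not replaced"; rc=1 ;;
    esac
    if ! matches '(^|[[:space:]])-a[[:space:]]+dsm://[A-Za-z0-9.-]+:[0-9]+/([[:space:]]|$)' "$cmd"; then
        echo "url: expected -a dsm://host:port/ including the trailing slash"; rc=1
    fi
    if ! matches "(^|[[:space:]\"])tenantID:${UUID_RE}([[:space:]\"]|\$)" "$cmd"; then
        echo "tenantID: argument missing, misspelled, or not UUID-shaped"; rc=1
    fi
    if ! matches "(^|[[:space:]\"])token:${UUID_RE}([[:space:]\"]|\$)" "$cmd"; then
        echo "token: argument missing, misspelled, or not UUID-shaped"; rc=1
    fi
    return $rc
}

# Constructed samples: the UUID values are made up for this demonstration.
SAMPLE_OK='dsa_control -a dsm://agents.deepsecurity.trendmicro.com:443/ "tenantID:0A1B2C3D-1111-2222-3333-444455556666" "token:9F8E7D6C-aaaa-bbbb-cccc-ddddeeeeffff"'
SAMPLE_BAD="dsa_control ${EN_DASH}a dsm://agents.deepsecurity.trendmicro.com:443 \"tenantID:<tenant ID>\" \"token:<token>\""

for sample in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if lint_activation "$sample"; then
        echo "=> clean, OK to run"
    else
        echo "=> fix the findings above before running"
    fi
done
```

    In a deployment wrapper, call dsa_control only when lint_activation returns 0.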

  • How do I activate the agent?

    To activate an agent, generate a Windows deployment script on the manager console, then run the PowerShell script on the server.

    Visit this article for more detailed instructions.

  • Why does a mass deployment procedure cause activation issues on random machines?

    Check how the deployment process works. Make sure your procedure follows the same process as the deployment script, including the sleep time: the script waits (sleep 15) after the installation before running the activation of the agent.

Agent Inquiry

  • Does upgrading the DSA version require a reboot?

    On Windows, when the DSA is upgraded, a reboot is needed for its AMSP driver to be updated/installed and hooked at the kernel level of the OS so that the driver can function. This happens with AMSP 6.1.6025.
    As an enhancement, on DSA 20, AMSP driver version 6.6 no longer requires a reboot. When you upgrade the Agent, there are no warnings requesting a reboot while Anti-Malware is installing, so you do not need to reboot.

  • The computer status is "Unmanaged (unknown)". What does this mean?

    Unmanaged (unknown) status appears on instances that are part of a cloud connector. This status means the agent is not yet activated. Run the deployment script to install and activate the agent.

    Visit this Help Center article for more details.

  • How do I activate the agent and fix an agent that was accidentally deactivated?

    Use the reactivation part from the deployment script:

    • Activate the agent through a deployment script. See Use deployment scripts to add and protect computers for details.
    • Activate the agent from the computer where the agent is installed. Run this command:

      dsa_control -a dsm://agents.deepsecurity.trendmicro.com:443/ "tenantID:<tenant ID>" "token:<token>"

      To find the appropriate values for <tenant ID> and <token>, in the Workload Security console, go to Support > Deployment Scripts, scroll to the end of the script that is generated, and copy the tenant ID and token values.

      For details on this command including additional parameters, see Command-line basics.

  • Why is the deployment script not working for Windows agent installation/activation?

    Make sure to run Windows PowerShell and not Windows PowerShell (x86). The latter is different and will not execute the deployment script successfully.

  • How do I uninstall an agent?

    To uninstall an agent:

    1. Deactivate the agent using the DSM. Go to the Computers page, right-click the computer and select Actions > Deactivate.
    2. If you are unable to deactivate the agent because the DSM is unable to communicate with it, run the following command before continuing:

      C:\Program Files\Trend Micro\Deep Security Agent>dsa_control --selfprotect 0

    3. In the Control Panel, look for "Trend Micro Deep Security Agent" and then select Uninstall.

    You may find more information about uninstalling the agent in this article.

  • How do I reinstall and reactivate an agent?

    To reinstall and reactivate an agent:

    1. Generate a deployment script on the manager console:
      1. Open the manager console > Support > Deployment Scripts, and select the platform (Windows/Linux).
      2. Select Activate agent automatically after installation. Save the script or copy it to the clipboard.
    2. Run the generated deployment script on the computer. (The script format is .ps for Windows and .sh for Linux.)
    3. Verify on the console that the computer has been added; it should appear as Managed (Online).

    You may find more information about activating the agent in this article.

  • What should I do if "Integrity Monitoring Compile Issue" appears after activation?

    The agent will generate an "Integrity Monitoring Rule Compile Issue" if the path supplied in an include or exclude rule is syntactically invalid. An example of an invalid path would be C:\test1\D:\test2, since a file name may not contain two volume identifiers.

    Please refer to "Syntax and concepts" in this article on the Integrity Monitoring rules language.

    You may also rebuild the Integrity Monitoring baseline for the affected system(s). This should solve the issue, because the baseline is the original secure state that an Integrity Scan's results will be compared against.

    To rebuild the baseline of the system, please refer to this article, Set up Integrity Monitoring: Build a baseline for the computer.

  • How do we move a current agent to a new tenant?

    Follow these steps:

    1. Log in to the machine hosting the DSA.
    2. Open the command line, and navigate to the Deep Security Agent folder.

      For Windows: C:\Program Files\Trend Micro\Deep Security Agent
      For Linux: /opt/ds_agent

    3. Turn off the agent self-protect:

      dsa_control -s 0

      If you have a password configured, add "-p <password>".

    4. Run the deactivation command:

      dsa_control -d

    5. Refer to this article to activate the agent.

Agent Unable to Reach Manager

  • What should I allow for the agent to be able to communicate with the Cloud One Workload Security?

    Allow Cloud One Workload Security Ports on the Firewall/Security Group.

    To learn more, visit this article.

  • How do I check Agent communication to Cloud One - Workload Security?

    Follow these steps:

    1. Allow all outbound traffic to the IP addresses, ports, and URLs used by Cloud One - Workload Security. Visit this article for details.
    2. Perform a network connectivity test:

      telnet app.deepsecurity.trendmicro.com 443
      telnet agents.deepsecurity.trendmicro.com 443
      telnet dsmim.deepsecurity.trendmicro.com 443
      telnet relay.deepsecurity.trendmicro.com 443

    3. After the traffic is allowed and the connection test is successful, you can activate the agent.

 

Functionality: SIEM

Forward Configuration

  • Is there an option available in the DSM console to forward customized events to an external Syslog collector?

    Currently, there is no way to customize the security logs that are being sent by the DSM.

  • How do I forward Cloud One Workload Security events to a SIEM/Syslog Server?

    You can send events to an external Syslog or SIEM server. Follow these steps:

    1. Allow event forwarding network traffic.
    2. Request a client certificate.
    3. Define a Syslog configuration.
    4. Forward system events and/or security events.

    For detailed information, you can refer to this article on Forwarding Deep Security events to a Syslog or SIEM server.

  • Can we forward events to Splunk Cloud?

    Yes, forwarding Cloud One - Workload Security events to Splunk Cloud is supported. Deep Security has been tested with the enterprise version of Splunk 6.5.1.

    For detailed information about how to forward events, you can refer to this article on Forwarding Deep Security events to a Syslog or SIEM server.

  • How do I forward Cloud One Workload Security events to Amazon SNS?

    If you have an AWS account, you can take advantage of the Amazon Simple Notification Service (SNS) to publish notifications about Workload Security events and deliver them to subscribers. See details about Amazon SNS.

    To set up Amazon SNS:

    1. Create an AWS user.
    2. Create an Amazon SNS topic.
    3. Enable SNS in Workload Security.
    4. Create subscriptions.

    For details, please refer to this article on Setting up Amazon SNS.

Best Practices

  • How long are events stored/retained on Cloud One Workload Security?

    Workload Security retains security events for 32-39 days and system events for 13-17 weeks (depending on when database maintenance is scheduled). Customers requiring a longer event retention period should consider the following as best practice:

    1. Forward events to an external SIEM. For more information, see Forward Workload Security events to an external Syslog or SIEM server.
    2. Set thresholds in the log inspection module for event storage or event forwarding. Severity clipping allows you to send events to a Syslog server (if enabled) or to store events based on the severity level of the log inspection rule. See Thresholds for Event Storage or Event Forwarding.

    Event history is retained for:

    • Anti-Malware events
    • Application Control events
    • Firewall events
    • Integrity Monitoring events
    • Intrusion Prevention events
    • Log Inspection events
    • Web Reputation events
    • System events

  • Can I forward Cloud One Workload Security events to a SIEM/Syslog Server using UDP?

    Yes. You can forward the events to the SIEM/Syslog server using either TLS or UDP.

    With UDP, Syslog messages are limited to 64 KB. If the message is longer, data may be truncated.

    With TLS, the manager and Syslog server must trust each other's certificates. The connection from the manager to the Syslog server is encrypted with TLS 1.2, 1.1, or 1.0.

    Check this article on Forwarding Deep Security events to a Syslog or SIEM server for more information about Event forwarding with a transport protocol.

  • Can Cloud One Workload Security forward Syslog events directly to either Amazon CloudWatch or Amazon S3?

    Currently, this is not supported. Cloud One Workload Security has no ability to forward Syslog events directly to Amazon S3 and CloudWatch.

    Nevertheless, Cloud One Workload Security supports forwarding events to Amazon SNS. Please refer to Online Help for more details.

 

Deployment

Upgrade

  • Why does the upgrade banner disappear?

    To receive the upgrade banner, follow these steps:

    1. Log on to your Management Console.
    2. Go to Administration > Software.
    3. In the "Update Check" section, click Check for updates.

    The banner should show up after checking the updates or by refreshing the page.

    Please note that there is no upgrade banner if the DSM version is earlier than 11.0. Please upgrade the DSM manually (AWS Marketplace / Azure Marketplace).

  • How do I perform system hardening for Deep Security Manager AMI?

    There's no need to perform manual security patching of the OS, as Trend Micro already follows a recommended hardening standard for DSM. For more information, please check the Deep Security Help Center articles "About Deep Security hardening" (AWS Marketplace / Azure Marketplace).

Activation Failure

  • Why can't DSA be activated?

    The possible reasons are as follows:

    • Protocol Error
    • Unable to resolve hostname
    • No Agent/Appliance
    • Blocked port
    • Maximum five protected computers

    Please refer to Online Help for more details.

  • How do I manually activate the DSA?

    Activate the agent from the computer where the agent is installed. Run the following command:

    • For Linux:

      /opt/ds_agent/dsa_control -a dsm://agents.deepsecurity.trendmicro.com:443/ "tenantID:<tenant ID>" "token:<token>"

    • For Windows:

      C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd -a dsm://agents.deepsecurity.trendmicro.com:443/ "tenantID:<tenant ID>" "token:<token>"

    To find the appropriate values for <tenant ID> and <token>, in the Workload Security console, go to Support > Deployment Scripts, scroll to the end of the script that is generated, and copy the tenantID and token values.
    Please refer to the Online Help for more details.

  • Why are the agents showing "Unable to communicate"?

    "Unable to communicate" means that Workload Security hasn't communicated with the DSA's instance for some time and the missed heartbeat threshold has been exceeded. This also causes the status to change to "Offline".

    Please refer to Online Help to troubleshoot this issue.

 

Administration: Billing

Billing Information

  • Are servers with status "Unmanaged (Unknown)" billed?

    No. Servers with status "Unmanaged (Unknown)" are detected as having no Deep Security Agent installed.

  • How much is the cost per hour per instance when using Pay-as-you-Go billing?

    The pricing for Pay-as-you-Go billing is shown in the table below. The rates below only apply to computers activated/managed under a cloud connector (AWS, Azure, Google Cloud). If a machine was activated outside the cloud connector, the protection-hours are billed at the highest rate (Data Center) regardless of the computer's size.

    For more information, refer to Pay-as-you-go billing for Trend Cloud One.

  • Our bill is much higher than normal. What does the 'NotCloud' column in the Metered Billing report mean?

    The 'NotCloud' column is for computers that were added or activated outside a cloud connector.

  • How do I check my current costs and usage for my AWS subscription?

    If you are using AWS subscription billing, you can check your current costs and usage from the AWS Billing and Cost Management console. For instructions on viewing or downloading your bills, see the AWS documentation on Viewing Your Monthly Charges. If you are new to using the AWS Billing and Cost Management console, see the AWS Getting Started documentation. To use this feature you must first activate the AWS-generated cost allocation tags.

    If you want a more detailed look at your costs and usage, you can enable the AWS Billing Cost Explorer feature. Cost Explorer can show you a daily breakdown of your costs and usage and forecast what your costs might be over the coming months.

    Using cost allocation tags to check usage by cloud account

     
    Currently, cost allocation tagging is only available for customers signed up for Trend Micro Cloud One through the AWS Marketplace. All services except Open Source Security by Snyk support cost allocation tagging.
     

    Cost allocation tagging provides more detailed information about the usage and costs in your environment, such as tracking how much usage was consumed by different departments and teams in your organization. Trend Micro Cloud One leverages the vendor-metered tags functionality to tag your costs and usage with the cloud account where you deployed your protection.

  • How can I break down my billing per AWS account on Cloud One Workload Security?

    Generate a Security module usage report, then use the Cloud Account column to compensate with the Metered Billing report.

    Another way would be to use the cost allocation tags to check usage by cloud account.

Usage

  • How do I check current license seat usage and expiration date?

    Check currently protected machines and license expiration on the Account Details page.

  • How do I fix incorrect number of license seats?

    Check if the activation code is correct on the Account Details page. If yes, contact Sales.

  • Can I use my Cloud One - Workload Security license with AWS Marketplace BYOL?

    No, the license for Cloud One - Workload Security is not compatible with the AWS Marketplace BYOL version. Likewise, an AWS Marketplace BYOL version license is incompatible with Cloud One - Workload Security.

  • Where can I check my license key?

    On the manager console, click the Account Name > Account Details.

  • Is there a license key for AWS Marketplace subscription?

    There isn't. No license key is given for the AWS billing subscription. The license key is only provided for BYOL subscriptions.

  • Why am I getting an 'Invalid Activation Code' error when entering a license in the Cloud One Workload Security console?

    The Activation Code might be for on-premises Deep Security. Contact Sales or the Technical Support Team.

  • Why is my AWS Marketplace subscription failing?

    Contact AWS Support. There are a few reasons why the subscription fails but the most common is an issue with your AWS account payment method. You need to ensure that you have a good account standing and a valid payment method.

  • Can I transfer my Cloud One Workload Security license to another tenant?

    Your Cloud One Workload Security BYOL license cannot be directly transferred to another tenant. It is recommended to contact your Trend Micro Sales Representative or Cloud One Technical Support Team for assistance.

Renewal

  • How do I request a trial extension?

    Contact Sales.

  • How do I renew my Cloud One Workload Security subscription?

    Contact Sales or Reseller.

  • What happens after my 30-day trial?

    After your 30-day trial, you will no longer have the ability to activate new agents and reconfigure existing agents as well as update functions. If you wish to learn more about this, you can click here.

Administration: Account

  • How do I get started with Cloud One - Workload Security?

    Refer to this KB article for basics such as account registration, agent deployment and policies.

  • I did not receive any confirmation email after registration. What should I do?

    For accounts that are created before August 4, 2021, proceed on filing a technical support ticket and provide the following:

    • Tenant/Account Name
    • Email Address used to register

    A customer support will assist you in sending out the confirmation link that you need to click on and activate your account. Once done, you should be able to log in to Cloud One.

    For accounts that are created before August 4, 2021

    1. Log in to Cloud One using the credentials you used at registration.
    2. Resend the Confirmation Email.

    If you are still not receiving the Confirmation Email after resending, file a technical support ticket and provide the email address you used to register.

  • I am unable to log in. What should I do?

    If you have previously enabled MFA, try to log in with "Use Multi-Factor Authentication" enabled. Enter the MFA Code during login. Reset your password by clicking the Forgot your password? option.

    If there are other users that can log in to the account, ask them to reset your user password in the web console under Administration > User Management > Users.

    If none of the above is possible, contact Trend Micro Technical Support by clicking Help > Support on the Cloud One (DSaaS) login portal.

  • I forgot my username, what should I do?
     
    This is for accounts that are created before August 4, 2021.
     

    If you know another administrator also exists in the account, ask that administrator to locate your username and have it reset. File a technical support ticket to assist you with your concerns and provide the following:

    • Tenant/Account name
    • Email address of the reporter as registered in the tenant
    • Last remembered username that was used to log in
    • If another administrator exists, add that user's email address to the ticket so that they will be added to all correspondence.
  • I forgot our account name, what should I do?
     
    This is for accounts that are created before August 4, 2021.
     

    In the event that you forgot your account name, please contact the Support team and provide the following details:

    • Email address of a user on the account. If possible, provide the primary contact.
    • If previous cases were filed for that account, provide at least 1 case number.

    Please note that additional information might be requested of you and there is no 100% guarantee that the Support Team will be able to find the account for you.

  • Is it possible to change the account name for Cloud One - Workload Security?

    For Cloud One accounts created before August 4, 2021, it is not possible to change the account name for Cloud One - Workload Security. If you want to change your account name, you will need to create a new account with the correct name. If you have a license, make sure you have the correct account name for your Cloud One - Workload Security account, since licenses cannot be transferred to another account.

    For Cloud One accounts created after August 4, 2021, you can change your account name alias. Log in to your Cloud One account, go to User Management > Account Settings, and change the Account Alias.

  • How do I cancel my Cloud One - Workload Security account?

    To cancel your Cloud One Workload Security Account you can follow this article.

  • How do we remove unmanaged instances from our console?

    You can delete the unmanaged instances by navigating to the Computers tab of the manager console:

    1. Right-click on the computer and select Delete
    2. Select the computer and click the Delete button beside the +Add button.

    Note that you cannot delete instances that are under an AWS Connector.

    You may also remove instances automatically after a set period of time using the Inactive Agent Clean-up setting.

    1. On the manager console, go to Administration > System Settings > Inactive Agent Cleanup.
    2. Tick the box and set a time period (e.g., 1 week).

    You may find more information on this link regarding managing your instances.

  • How do I customize the dashboard?

    The dashboard is the first page that appears after you log in to the Workload Security console.

    To select which dashboard widget to display, you need to click Add/Remove Widgets to display the widget selection window and choose which widgets to display.

    For more information on dashboard customization, check our documentation here.