Views:

Trend Micro Deep Security Agent Support Tool GUI Version

 
Please run the Trend Micro Deep Security Agent Support Tool for GUI Version with administrator permission.
 

Module state

  • It is recommended to use the current tool version which has the latest build.
  • Please note the validity of the version, which will be updated regularly in Solution Center. If it has expired, the UI will display:

    "This version of the program is Expired. Please request for newer version."

    Module state

In this tab, you can view the current DSA status by checking on the UI.

Module state

  • Software: Indicates whether DSA is installed on this computer
  • Version: Indicates current DSA version number
  • Services Status: If DSA is installed, this indicates whether the DSA service status is on or off.
  • Debug Mode: Indicates whether log debug level is enabled
  • Self-Protection: Indicates whether self-protection is disabled (Some module debug cannot be enabled provided that self-protection is enabled.)
  • You may also press Other Item button to check the specific module feature status.

    Module state

  • For "Debug Items", to enable AMSP debug level is by default. You can also choose more options if necessary.

    Module state

    Debug Items

  • Then, Enable Debug logging"/"disable Debug logging can be used to control the debug status.

    Module state

  • Press button Collect Data to generate a diagnostic package.

    Module state

After the collection, there will be 3 files/folder under the same path as this tool:

  • A ZIP file named like "DSTool-PRODUCT-20211014-112342-[WIN-K2EK8NG8KJF].zip". This is the collection package, including diagnostic package and other necessary information.
  • A TXT file named like "DSTool-PRODUCT-20211014-112342-[WIN-K2EK8NG8KJF].txt". It contains a SHA256 value, which should match above ZIP file.
  • A "logs" folder. A folder that stores temp files and tool log(temp files will be removed when finishing the collection).

As best practice, the steps of log collection are:

  1. Enable Debug log.
  2. Reproduce the issue.
  3. Disable Debug log.
  4. Collect Data.

There are two parts for DSA performance collection. On the left side of this UI is Process Monitor log collection. On the right side of this UI is Windows Performance Recorder log collection.

You may choose automatic collection with a timer(suggested) or manually start/stop the collection.

Module state

  • Process Monitor

    For the reason that Microsoft does not allow third-party software to integrate Process Monitor directly, you need to download or select existing Process Monitor manually.

    • Use "Download Process Monitor" button to download.

      If the environment can connect to Internet, press Download Process Monitor to download the software. The default downloaded path is the same as the tool path.

      After downloading, the tool points to this "Process Monitor" path by default. You can start "Process Monitor" logs collection.

      Module state

    • Select an existing "Process Monitor".

      You can also select an existing "Process Monitor" via "Change Path" option. Then import "Process Monitor" from the specified path.

      Module state

      Whichever method, the tool will judge the signature of the specified "Process Monitor" software. Once passing the verification, tool will run "Process Monitor" in backend according to user's options.

    • Change altitude of Process Monitor

      In cases where Process Monitor needs to have higher altitude to collect logs, you may check this option. Please refer to the Microsoft Tech Community article: Change Altitude of Process Monitor (ProcMon).

    You may encounter the following error:

    "Unable to load Process Monitor device driver."

    This error may be the result of an older Windows version not being able to support SHA256.

    Module state

    It is recommended to update Windows as the new version of Process Monitor only supports SHA256.

    For further information, refer to this Microsoft article, 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

    To lessen the events that Process Monitor collects, a local process monitor configuration will be loaded if the file exists in the same path as the tool. The size of the log file will be smaller. To use the Process Monitor:

    1. Create a filter for events that are only needed to be monitored.
    2. Enable the option “Drop Filtered Events”.
    3. In the File menu, choose “Export Configuration..”, and save the file as “ProcmonConfiguration.pmc”.
    4. Copy the configuration file to the same folder of the tool and start the process monitoring.

    This setting is useful for issues where "file access violation" is not always reproducible and occurs in random.

  • Windows Performance Recorder

    You can check/uncheck corresponding checkbox to choose the option. The tool will run according to the checked option at backend to collect WPR logs.

    Module state

    If there is no WPR being detected as installed in environment, the tool will alert and give a link to guide user to install WPR software.

    Module state

  • Automatically compress performance logs

    After performance log collection, there will be a performance folder under the same path as tool, which stores original performance logs. At this moment, when user wants to quit the tool, it will pop up (as shown below). You may choose to compress or not compress the original performance log files.
    Finally, the tool will help generate a ZIP file and delete original "performance" folder.

    Module state

    Module state

    Module state

This tab lists the top-10 scanned files and top-10 busy processes, which are scanned the most times by AMSP module (only supported by newly released Deep Security 20 version). You may have a quick check to decide whether specific files/processes need to be excluded provided that these are trusted but have affected device performance.

The data on this tab resets when AMSP service restarts.

Module state

There are two main features under Network Analysis: Network Packet Capture and Network Check. These features help users collect and check network related problems.

Module state

  • Background

    The tool needs to use a driver to catch network packets. There are two options: WinPCAP and NPCAP. Both cannot coexist.

    WinPCAP's advantage is that the tool can help install/uninstall WinPCAP automatically during the collection running time. Although its disadvantage is its poor compatibility as the version is old and not have been updated.

    on the other hand, NPCAP has better compatibility, and is updated on a regular basis. Its disadvantage is that it has to be installed manually first, then use tool to catch network packets.

    Mechanism

    As NPCAP and WinPCAP are enforced to not coexist.

    • If tool detects that NPCAP or WinPCAP driver has been installed in environment, tool will call corresponding driver directly.
    • If tool detects that neither NPCAP nor WinPCAP driver has been installed in environment, tool will help install and uninstall WinPCAP automatically itself.

    Below is an example:

    • If you have already installed Wireshark software in your environment (We have known that new version of Wireshark uses NPCAP while the old version uses WinPCAP), our tool will use the existing NPCAP/WinPCAP driver.

      Module state

    • If it is a clear environment, the tool will help install/uninstall the driver. (An alert will be given, as installing a driver is a sensitive procedure.)

      Module state

      Module state

      Module state

  • Network Packet Capture

    You may use a timer or manually start/stop to catch network packets for all computer NICs in "Network Packet Capture" section. The collection logs are printed to indicate the collection status.

    Module state

  • Network Check

    You can specify the URL or leave it as blank (DSM/C1WS URL by default). After clicking Check, the tool will try to verify the network connection status between DSA client and target URL(DSM/C1WS). Verification results can be checked from the UI.

    Module state

  • Automatic compression of network logs

    This feature is the same as in Chapter 1.2.3, when collecting network packets and do the check, the original network related logs in folder "Network", tool can help compress the collected network related logs into ZIP file.

    Module state

    Module state

  • Check and Fix

    Server & Workload Protection (Trend Vision One Endpoint Security) Pre-check

    This feature can help users perform a pre-check on their endpoints, and see if the endpoint can meet Server & Workload Protection environment requirements.

    Navigate to Environment Check > Check and Fix > Server & Workload Protection (V1ES) -PreCheck, then press Start.

    Module state

    1. Fill in the information.

      Module state

      • Proxy information
        If your endpoint does not need a service gateway nor a customized proxy server to connect to the Internet (Trend Vision One backend server), do not check and fill in any proxy information.
        If your endpoint needs a service gateway to connect to Internet (Trend Vision One backend server), fill in the service gateway FQDN or IP (default port is 8080). Also fill in the service gateway API value.
        Tip 1: You can get SG API key from the Trend Vision One portal under Workflow and Automation > Service Gateway Management > Manage API Key.

        Module state

        Tip 2: If your XBC agent has reported to Trend Vision One, you can identify from the check result (basic information) the registered Service Gateway (FPS enabled) for XBC.

        Module state

        If your endpoint needs a customized proxy server to connect to Internet (Trend Vision One backend server), input the proxy FQDN/IP and port. Username and password are optional.

      • Region
        Some users' Trend Vision One endpoints and Server & Workload Protection agents do not belong to the same region. For this, user needs to choose correct region information separately.

        Module state

    2. After setting the correct information, press Start. After a few minutes, you can check the returned results.

      Module state

      If some check points failed to pass the test, you will get alert from the UI.

      Module state

    Refer to the appendix for more check points details.

    Server & Workload Protection (Trend Vision One Endpoint Security) Post-check

    This feature can help users perform post-check on their endpoints to verify the current module status of the endpoint.

    Navigate to Environment Check > Check and Fix >Server & Workload Protection (V1ES) - PostCheck, and press Start.

    Module state

    This feature can help users determine current local status of Trend Vision One agent and Deep Security Agent (DSA) modules. It will be very helpful to provide necessary information when troubleshooting endpoint side issues.

    Module state

    Refer to the appendix for more check points details.

    Troubleshooting UMH

    When troubleshooting UMH driver related issues, UMH usually needs to be disabled. Make sure to isolate the root cause if there are issues. However, the enable/disable UMH action is difficult for most customers. This feature is introduced to help perform the enable/disable action faster.
    Navigate to Environment Check > Check and Fix > Troubleshoot UMH, then press Start.

    1. When current UMH is enabled, the green part can be seen with "Running" status. You may choose the option to disable UMH, as seen below.

      Module state

      When the action is done, you can see the UMH service has been disabled, while AMSP is still running.

      Module state

    2. When current UMH is disabled, the red part will show "Stopped" status. You may choose to enable UMH.

      Module state

      When the action is done, user can see the UMH service has been enabled, and both AMSP and UMH are running.

      Module state

    3. For security concerns, if you exit the tool and leave UMH disabled status, it will give an alert.

      Module state

    4. If you prefer to use the CMD version tool, use following parameters.
      ScenarioParameters
      To enable TMUMH"Check and Fix": {"Troubleshoot UMH": {"enableCheck":1, "enableFix": 1}}
      To disable TMUMH"Check and Fix": {"Troubleshoot UMH": {"enableCheck":1, "enableFix": 0}}
      Not use this feature"Check and Fix": {"Troubleshoot UMH": {"enableCheck":0, "enableFix": 0}}

      For more details, please refer to Chapter: Trend Micro Deep Security Agent Support Tool for CMD Version.

    MS Azure Code Signing Check

    According to this KB article, after mid-February 2023 there will be an impact on machines that do not meet the MS operation system requirements. Based on this, the tool has a feature to detect OS version/KB and give alert if the current OS did not meet the MS requirements.

    • Scenario 1: OS version passed the test

      Module state

    • Scenario 2: OS version failed to pass the test

      Module state

    Anti-Malware Test - Eicar

    This is a built-in check script. The user can verify if the anti-malware realtime-scan feature has worked normally on the agent side.

    When starting this feature, the user needs to choose a specific local path. This is supposed to be monitored by DSA realtime-scan policy(CMD version uses "C:\temp\" by default).

    Tool will extract eicar.com file to the path and take action.

     
    Due to support tool being signed by Trend Micro, the behavior of operating eicar.com file will be bypassed. Therefore, the action of eicar.com file is taken by windows scheduled task, which is initialized by the tool.
     

    After waiting for a few seconds, the tool will judge whether "eicar.com" file still exists. If it does not, it means realtime-scan has taken effect and removed "eicar.com" file. User can check the anti-malware events on console. Otherwise, realtime-scan might not work normally.

    TMDSSupportTool

    Please make sure that the chosen path is not in the exclusion list and that the anti-malware realtime-scan is enabled for the correct action.

    ExclusionList

    Refer to the following text examples:

    2022-09-26 13:52:01 Starts Executing [AntiMalware Test - Eicar].
    2022-09-26 13:52:01 Detail: Performing Anti Malware test using Eicar test file by writing/reading EICAR.COM at local path.
    2022-09-26 13:52:01 Waiting for input value of path to write/read EICAR.com . . .
    [Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task.
    2022-09-26 13:52:11 Creating scheduled task . . .
    2022-09-26 13:52:11 Successfully created a scheduled task named [EicarTestDSA]
    2022-09-26 13:52:11 Modifying the scheduled task to run even in battery power mode . . .
    2022-09-26 13:52:12 Successfully modify the scheduled task [EicarTestDSA]
    2022-09-26 13:52:12 Running the scheduled task . . .
    2022-09-26 13:52:12 Successfully run the scheduled task [EicarTestDSA]
    2022-09-26 13:52:12 Delete the scheduled task.
    
    [Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation.
    2022-09-26 13:52:22 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. The AntiMalware module might not be configured to take action during write operation.
    
    [Step 3] Reading the content of C:\Users\Administrator\Desktop\EICAR.com through scheduled task.
    2022-09-26 13:52:27 Creating scheduled task . . .
    2022-09-26 13:52:28 Successfully created a scheduled task named [EicarTestDSA]
    2022-09-26 13:52:28 Modifying the scheduled task to run even in battery power mode . . .
    2022-09-26 13:52:28 Successfully modify the scheduled task [EicarTestDSA]
    2022-09-26 13:52:28 Running the scheduled task . . .
    2022-09-26 13:52:29 Successfully run the scheduled task [EicarTestDSA]
    2022-09-26 13:52:29 Delete the scheduled task.
    
    [Step 4] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the read operation.
    2022-09-26 13:52:34 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. The AntiMalware module might not be configured to take action during read operation.
    
    [Cleanup] Remove the test file C:\Users\Administrator\Desktop\EICAR.com.
    
    2022-09-26 13:52:37 Done executing [AntiMalware Test - Eicar].
    2022-09-26 13:52:37 Finish Executing all the chosen function(s).
    
                                            
    2022-09-26 14:02:19 Starts Executing [AntiMalware Test - Eicar].
    2022-09-26 14:02:19 Detail: Performing Anti Malware test using Eicar test file by writing/reading EICAR.COM at local path.
    2022-09-26 14:02:19 Waiting for input value of path to write/read EICAR.com . . .
    [Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task.
    2022-09-26 14:02:22 Creating scheduled task . . .
    2022-09-26 14:02:22 Successfully created a scheduled task named [EicarTestDSA]
    2022-09-26 14:02:22 Modifying the scheduled task to run even in battery power mode . . .
    2022-09-26 14:02:22 Successfully modify the scheduled task [EicarTestDSA]
    2022-09-26 14:02:22 Running the scheduled task . . .
    2022-09-26 14:02:23 Successfully run the scheduled task [EicarTestDSA]
    2022-09-26 14:02:23 Delete the scheduled task.
    
    [Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation.
    2022-09-26 14:02:33 ---> Cannot find C:\Users\Administrator\Desktop\EICAR.com, the AntiMalware might have removed it. Please check the AntiMalware log.
    
    2022-09-26 14:02:33 Done executing [AntiMalware Test - Eicar].
    2022-09-26 14:02:33 Finish Executing all the chosen function(s).
    
                                            
    2022-09-26 14:10:47 Starts Executing [AntiMalware Test - Eicar].
    2022-09-26 14:10:47 Detail: Performing Anti Malware test using Eicar test file by writing/reading EICAR.COM at local path.
    2022-09-26 14:10:47 Waiting for input value of path to write/read EICAR.com . . .
    [Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task.
    2022-09-26 14:10:49 Creating scheduled task . . .
    2022-09-26 14:10:51 Successfully created a scheduled task named [EicarTestDSA]
    2022-09-26 14:10:51 Modifying the scheduled task to run even in battery power mode . . .
    2022-09-26 14:10:52 Successfully modify the scheduled task [EicarTestDSA]
    2022-09-26 14:10:52 Running the scheduled task . . .
    2022-09-26 14:10:52 Successfully run the scheduled task [EicarTestDSA]
    2022-09-26 14:10:52 Delete the scheduled task.
    
    [Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation.
    2022-09-26 14:11:02 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. The AntiMalware module might not be configured to take action during write operation.
    
    [Step 3] Reading the content of C:\Users\Administrator\Desktop\EICAR.com through scheduled task.
    2022-09-26 14:11:07 Creating scheduled task . . .
    2022-09-26 14:11:08 Successfully created a scheduled task named [EicarTestDSA]
    2022-09-26 14:11:08 Modifying the scheduled task to run even in battery power mode . . .
    2022-09-26 14:11:08 Successfully modify the scheduled task [EicarTestDSA]
    2022-09-26 14:11:08 Running the scheduled task . . .
    2022-09-26 14:11:08 Successfully run the scheduled task [EicarTestDSA]
    2022-09-26 14:11:08 Delete the scheduled task.
    
    [Step 4] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the read operation.
    2022-09-26 14:11:14 ----> Cannot find C:\Users\Administrator\Desktop\EICAR.com, the AntiMalware might have removed it. Please check the AntiMalware log.
    
    2022-09-26 14:11:14 Done executing [AntiMalware Test - Eicar].
    2022-09-26 14:11:14 Finish Executing all the chosen function(s).
    
                                            

    Inspect CA Certificates

    This is a built-in check script. A user may prefer this method to verify whether certificates used by Deep Security components have been installed in system. You may refer to the Appendix section - The certificate list that the tool checks. A big part of engine offline issues are due to lack of CA certificates in the OS that Deep Security components cannot be loaded normally.

    Please note that DSA may still be able to work normally even when missing some certificates or if certificates expire. However, we still recommend checking and importing all the certificates to avoid some potential issues.

    Module state

    How to Import Certificates in Batches

    It is recommended to use the CMD version tool if you prefer to certificates in batches. To do this, enable the feature in configuration file (disable other features). Administrators can deliver CMD version and configuration file to the endpoints then run the tool directly. The CMD version tool will check and import the missing certificates in the background.

    Refer to the following "DSTool.json" example:

    {
    "Log Collection": {
        "enableAMSP": 0,
        "enableUMH": 0,
        "enableEYES": 0,
        "enableAEGIS": 0,
        "timerInSecondDebug": 30,
        "disableDebugAfterTimer": 1,
        "enableLogCollection": 0
    },
    ............
    
    "Check and Fix": {
        "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0},
        "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0}
    },
    
    ............
    
    "Tool": {
        "PressKeyToEnd": 0
    }
    }
    
                        

    Please refer to the chapter, Trend Micro Deep Security Agent Support Tool for CMD Version, for more configuration details.

    Anti-Malware Status Analysis

    This is a built-in check script. When there are errors occurring on DSA that are related to Anti-Malware feature offline, this can help analyze the possible root cause quickly.

    Module state

    Customized script for checking issues

    This is a hidden feature for back-end team. When support/RD engineer wants to do some special checks and operations in user's environment, they create a simple Python script and let the customer to put the script in the path such as the sample script. The customer's computer does not require a Python environment.

    1. Write a customized python script.

      Write a python script according to the specific scenario. For instructions on how to write a script in detail, please refer to the Appendix: How to write a Support Cases Script. Trend Micro welcomes anyone to provide more useful scripts for common issues.

    2. Choose whether to enable script integrity check and sign the script.

      For safety reasons, by default, the tool has an integrity check of the script before running it. Tool only loads script that is from a signed ZIP file. The integrity check can prevent scripts from being maliciously tampered with or exploited. User can contact allofcncorerd@dl.trendmicro.com to sign the script. Trend Micro will sign from SampleCase.py to SignedSampleCase.zip. Afterwards, SignedSampleCase.zip can be used with our tool. User can also disable the integrity check by registry key to use original python file script without integrity check.
      To disable, create a key "SOFTWARE\TrendMicro\DSASupportTool" with value "disableMaliciousScriptCheck" as "DWORD" data.
      - Data of "1", means disable integrity check.
      - Data of "0" or registry key doesn't exist, means integrity check will be enabled upon running the tool.

      Module state

    3. Put python file or signed ZIP file in the environment.

      If tool is located at C:\Users\Administrator\Desktop\DSASupportTool_GUI.exe, the python file should be at C:\Users\Administrator\Desktop\SupportCases\DSA\SampleCase.py
      The signed ZIP file should be at C:\Users\Administrator\Desktop\SupportCases\SignedSampleCase.zip or C:\Users\Administrator\Desktop\SupportCases\DSA\SignedSampleCase.zip. Either of the two can be used.

    4. Run the script

      After restarting tool, there will be a new option for user to choose.
      You may press the button on UI to run the script.

      Module state

  • Deep Security Agent Modules CPU Utilization

    Agent Modules CPU Utilization allows user to monitor the CPU utilization of DSA modules (only supports DSA later than 20.0.0-3445). When there are performance issues, the problem can be located faster, which is the targeted DS modules. This allows back-end team to narrow down the issue accurately.

    Module state

    This tool uses "sendCommand.cmd --get Metrics" to get original data and filters "ThreadInfo" field in backend and displays the real time data with bar chart.

    In the future, more metrics will be added to help users monitor the performance usage of DSA components.

     
    Monitoring for too long may increase and accumulate memory usage. It is recommended to perform monitoring not more than 5 hours. This is a limitation as the tool must constantly refresh data in the background
     

DSA Metrics is a type of data that provides details on how DSA works. The data is stored in local path as a file with json format.

DSA Metrics can be generated by DSA. More precise interval can be used to manually generate and collect data. I will be helpful to troubleshot an issue with detailed metrics data.

This feature is introduced here:

Module state

Importing metrics

For importing metrics, the data source should be the file:

  • C:\ProgramData\Trend Micro\Deep Security Agent\metrics\537bc5e5-4e35-9d89-b209-402a17b0583c.json (generated by DSA)
  • C:\Users\Administrator\Desktop\DSA_Metrics\20220517-195214\195619_jsonRecords.json (generated by tool)
    Select the matched time zone on UI then import the correct metrics file. The tool will display the data on a chart.

    Module state

This feature can be used to display the below data from the collected metrics:

  • Count of real-time-scan newly scanned file(s) every iteration
  • Virtual Memory Reserved (MB) of the anti-malware module
  • CPU utilization (%) of the anti-malware module

Module state

Module state

Module state

Metrics collection

Metrics data is usually generated every 10 minutes by DSA under "C:\ProgramData\Trend Micro\Deep Security Agent\metrics\". However, it is often not enough to do further research in some cases. More accurate data is necessary for backend team sometimes.

A user can use the tool to do the collection with shorter interval, set the timer to start the metrics collection, and also stop manually during the collection.

Module state

Once finishing the collection, user can press Import Metrics and Display As a Chart to make a fast view of the metrics just collected as the charts(The same type of chart as Import Metrics part). After the collection, the tool can help compress the data files into ZIP. If there is a case, it is recommended to provide the collected metrics data ZIP file to support team to make further investigation.

Module state

Module state

The default password of ZIP file is trend.



Trend Micro Deep Security Agent Support Tool CMD Version

 
Please run the Trend Micro Deep Security Agent Support Tool for CMD Version with administrator permission.
 

Run the program via command line. The progress will last several minutes, and you should be able to get the diagnostic package

User needs to configure "DSTool.json" first according to requirements. Without "DSTool.json", the tool will only take log collection action by default.

Module state

Example of "DSTool.json"

{
    "Log Collection": {
        "enableAMSP": 1,
        "enableUMH": 0,
        "enableEYES": 0,
        "enableAEGIS": 0,
        "timerInSecondDebug": 30,
        "disableDebugAfterTimer": 1,
        "enableLogCollection": 1
    },
    "Process Monitor": {
        "enableProcMon": 0,
        "enableChangeAltitude": 0,
        "timerInSecondProcMon": 10
    },
    "WPR": {
        "enableWPR": 0,
        "timerInSecondWPR":10,
        "optionsWPR": "-start CPU -start DiskIO  -start FileIO -start Registry -start Network  -start Heap -start Pool -start VirtualAllocation -start Handle -start Minifilter"
    },
    "Network Packet Capture": {
        "enableNetPCap": 0,
        "timerInSecondNetPCap": 10
    },
    "Network Check": {
        "enableNetCheck": 0,
        "URL2NetCheck": ""
    },

    "Check and Fix": {
        "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0},
        "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0},
 "AntiMalware Test - Eicar": {"enableCheck": 0, "enableFix": 0}
"MS Azure Code Signing Check": {"enableCheck": 0, "enableFix": 0}  content
    },

    "Metrics": {
        "collectMetrics": 0,
        "MetricsIntervalInSecond": 5,
        "MetricsDurationInSecond": 300
    },

    "Tool": {
        "PressKeyToEnd": 1,

        "enableFeedback": 1
    }
}

Explanation (1: Yes ; 0: No):

"enableAMSP": 1        Whether enable AMSP debug
"enableUMH": 0        Whether enable UMH debug
"enableEYES": 0        Whether enable EYES debug
"enableAEGIS": 0        Whether enable AEGIS debug
"timerInSecondDebug": 30        The duration of enabling debug, units as seconds
"disableDebugAfterTimer": 1        Whether disable debug after enabling debug (not recommend to modify it)
"enableLogCollection": 1        Whether collect logs after enable/disable debug (not recommend to modify it)



## Due to Microsoft policy limitation, tool cannot integrate with Process Monitor, directly. User must put Process Monitor software to the same path as this tool, manually. Otherwise, this collection will be skipped.

## Process Monitor downloaded link: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

"enableProcMon": 0        Whether enable using Process Monitor to collect performance logs
"enableChangeAltitude": 0        Whether enable high priority of Process Monitor
"timerInSecondProcMon": 10        The duration of enabling Process Monitor, units as seconds



"enableWPR": 0        Whether enable using WPR to collect performance logs
"timerInSecondWPR":10        The duration of enabling WPR, units as seconds
"optionsWPR": "-start CPU -start DiskIO -start FileIO -start Registry -start Network -start Heap -start Pool -start VirtualAllocation -start Handle -start Minifilter"

The backend command that is used to run WPR (not recommend to modify if not familiar with the WPR command)



"enableNetPCap": 0         Whether enable Network Packets Capture
"timerInSecondNetPCap": 10        The duration of enabling Network Packets Capture, units as seconds

"enableNetCheck": 0        Whether enable Network Check
"URL2NetCheck":""        The target URL that need to be checked(empty double quotes means detect the DSM URL)



 "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0}    Whether run "Inspect CA certificates" feature to check environment and whether take action  if finding lacking of CA certificates. The two configurations are based on the specific customized scripts
 "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0}     Whether run "AntiMalware Status Analysis" feature to return checking result.  Currently, "enableFix" is an invalid parameter as this feature has no action to be done.
"AntiMalware Test - Eicar": {"enableCheck": 0, "enableFix": 0}    Whether run "AntiMalware Test - Eicar" feature to return checking result.  Currently, "enableFix" is an invalid parameter as this feature has no action to be done.
"MS Azure Code Signing Check": {"enableCheck": 0, "enableFix": 0}  content


"collectMetrics": 0         Whether enable to collect Metrics data
"MetricsIntervalInSecond": 5        The interval of collecting Metrics data, units as seconds
"MetricsDurationInSecond": 300       The duration of collecting Metrics data, units as seconds



"PressKeyToEnd": 1        Whether ask "key press" to end the program in command console

"enableFeedback": 1        Whether allow tool collects and transfers usage feedback data



Appendix

  • About collecting usage feedback data

    Starting DSSupportTool_GUI/CMD Build-1.0.0.1160, the tool has enabled collecting usage feedback data by default. Enabling this feature can help Trend Micro know more about tool usage and operation behavior, then further improve the features.

    Module state

    For GUI version, user can uncheck the option on UI to disable this feature. For CMD version, you can set the parameter ["enableFeedback": 1] from 1 to 0 in "DSTool.json" file to disable this feature. Then no data will be collected.

    When enabling this feature, the following data will be collected and transferred to backed through Google Analytics(www.google-analytics.com):

    Data CollectedDescriptionExample
    AgentGuidIdentification number"AgentGuid:": "42001A42-0C16-67BC-7B0E-FA099177EB00"
    ToolVersionThe version of the tool being used"ToolVersion": "GUI-1.0.0.1155" or "ToolVersion": "CMD-1.0.0.1155"
    DSAversionThe version of the DSA being used"DSAversion": "20.0.1123"
    OS versionThe version of the OS being used"OS": "Windows 10.567 AMD64"
    Console LocationData CollectedExample
    Data Collection for DSA > Enable Debug LoggingWhen clicking "Enable Debug Logging" button, the customized debug status will be collected.{"DebugItems":{"Anti Malware Features":1,"AMSP":1,"EYES":0,"UMH":0,"AEGIS":0}}
    Data Collection for DSA > Collect Data StartWhen clicking "Collect Data" button, the action data will be collected.{"CollectData": {"CollectData": "True"}}
    Data Collection for DSA > Collect Data CancelWhen clicking "Cancel" button, the action data will be collected.{"CollectData": {"CollectData": "False"}}
    Data Collection for DSA > Other ItemsWhen clicking "Other Items" button, DSA module status will be collected.{"OtherItems":{"Relay":0,"AM":1,"WRS":1,"Sensor":0,"AC":0,"IM":1,"LI":0,"FW":0,"IP":0,"CCTRL":0,"SAP":0,"iCAP":0,"DC":0}
    Data Collection for DSA > Module Debug StatusWhen clicking "Module Debug Status" button, Debug status will be collected.{"ModuleDebugStatus":{"AMSP":"ON", "EYES":"OFF", "UMH":"OFF", "AEGIS":"OFF}}
    Performance Collection for DSA > Process Monitor> Process Monitor Altitude When checking/unchecking "change altitude of process monitor" checkbox, this behavior will be collected.{"ProcessMonitor": {"ProcessMonitorEnableHighAltitude": "False"}
    Performance Collection for DSA > Windows Performance Recorder > WPR Option/startWhen clicking "start" button in "windows performance recorder" section, the WPR parameters being used will be collected.{"WPR": {"Option": "-start CPU -start DiskIO -start FileIO -start Registry -start Network"}}
    Network Analysis > Network packet Capture > startWhen clicking "start" button in "network packet capture" section, whether using WinPcap is collected.{"NetworkCapture": {"WinPcap": "True"}}
    Network Analysis > Network Check >checkWhen clicking "check" button in "network check" section, whether using WinPcap and target URL are collected.{"NetworkCheck": {"WinPcap": "True", "URL":"https://192.168.38.116:4120"}}
    Environment Check > Check and Fix > startWhen clicking "start" button in "Check and Fix" section, which checking script being used is collected.{"CheckAndFix": {"Inspect CA certificates": "True", "Sample case": "False", "Antimalware Status analysis": "False", "Eicar Test": "False"}}
    Environment Check > CPU Utilization > start monitoringWhen clicking "start monitoring" button in  CPU Utilization section,  whether using CPU Utilization is collected.{"CPUUtilization": {"Start Monitoring": "True"}}
    Top N list > start monitoringWhen clicking "start monitoring" button in Top N list tab, whether using Top N list is collected.{"TopN": {"Start Monitoring": "True"}}
    DSA Metrics > Import Metrics > Import Metrics and Display to a ChartWhen clicking "Import Metrics and Display to a Chart" button in DSA Metrics tab, time zone will be collected.{"ImportMetrics": {"Timezone": "+0800"}}
    DSA Metrics >Metrics Collection > startWhen clicking "start" button in DSA Metrics tab, duration and interval of the collection will be collected.{"MetricsCollection": {"Duration": "5", "Interval": "3"}}
    DSA Metrics >Metrics Collection > Display Collected Metrics to a ChartWhen clicking "Display Collected Metrics to a Chart" button in DSA Metrics tab, whether using Display Collected Metrics to a Chart will be collected.{"DisplayCollectedMetricsToAChart": {"DisplayCollectedMetricsToAChart": "True"}}
  • The certificate list that the tool checks:
    Subject CNThumbprint
    DigiCert Assured ID Root CA 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
    DigiCert Global Root CA A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
    DigiCert Global Root G2DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
    DigiCert High Assurance EV Root CA5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
    DigiCert Trusted Root G4 DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
    Microsoft Root Certificate Authority 2010  3B1EFD3A66EA28B16697394703A72CA340A05BD5
    Microsoft Root Certificate Authority 20118F43288AD272F3103B6FB1428485EA3014C0BCFE
    Microsoft Root Certificate Authority CDD4EEAE6000AC7F40C3802C171E30148030C072
    Thawte Timestamping CABE36A4562FB2EE05DBB3D32323ADF445084ED656
    USERTrust RSA Certification Authority 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
    VeriSign Class 3 Public Primary Certification Authority - G54EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
    VeriSign Universal Root Certification Authority3679CA35668772304D30A5FB873B0FA77BB70D54
    Microsoft Indentity Verification Root Certificate Authority 2020F40042E2E5F7E8EF8189FED15519AECE42C3BFA2
  • How to write a Support Cases Script

    Below is a sample UI.

    Module state

    Below is a sample code. (Italicized lines can be replaced with your own customized codes)

    import sys
    import os
    
    from basecase import BaseCase
    from Utils.tmlog import TmLog
    
    logger = TmLog.getLogger("DSA_SupportTool")
    
    class SampleCase(BaseCase):
    
        def __init__(self):
            try:
                super().__init__()
                self.name = "Sample Case"
                self.detail = "Detail: This sample case will pop a question box."
            except Exception as err:
                logger.exception(str(err))
    
        def __del__(self):
            try:
                pass    
            except Exception as err:
                logger.exception(str(err))
        
        def run(self):
            try:
                #Pop-up a question box. Return value is True or False
                respond = self.askConfirmation("The is sample message.\n" +
                                                   "Do you want to continue?")
                
                #Display a message on the tool's UI
                self.displayMessage("You say %s" %(str(respond)))
    
                #Display a message on the tool's UI with clickable link
                self.displayMessage("%s" % ("https://developer.microsoft.com/en-us/windows/downloads/sdk-archive","Click here to download Windows 8.1 SDK."))
                
                #Write a line to DSA_SupportTool.log log file
                logger.info("Done running")
                return
            except Exception as err:
                logger.error(str(err))
                return
    	

    Below is the list of libs that are included. You can choose to import in your customized script.

    • import cchardet
    • import codecs
    • import configparser
    • import copy
    • import ctypes
    • import datetime
    • import hashlib
    • import importlib
    • import inspect
    • import json
    • import logging
    • import mmap
    • import multiprocessing
    • import os
    • import pefile
    • import platform
    • import psutil
    • import pythoncom
    • import re
    • import requests
    • import shutil
    • import socket
    • import subprocess
    • import sys
    • import telnetlib
    • import tempfile
    • import threading
    • import time
    • import urllib
    • import webbrowser
    • import win32con
    • import win32event
    • import win32evtlog
    • import win32evtlogutil
    • import winerror
    • import winreg
    • import wmi
    • import xml.etree.ElementTree
    • import zipfile
  • Checkpoint list of Server & Workload Protection (Trend Vision One Endpoint Security) -PreCheck
    NameDescription
    Basic InformationOperating systemDisplays OS version of the machine.
    HardwareDisplays the CPU, memory and free disk size of the machine
    Trend Micro Endpoint ProtectionDetects whether DSA/XBC/Apex One agent has existed  
    Proxy serverChecks if system proxy has been enabled on the machine
    Detected Vision One Service Gateway (With Forward Proxy feature enabled) Detects if local registry has record for Trend Vision One Service Gateway (with Forward Proxy feature enabled) 
    Trend Vision One agent PrecheckOperating systemChecks if the OS version of the machine is supported (2 CPU/512MB MEM/ 3GB Disk)
    SHA-2 code signing supportChecks if the required Microsoft KBs are applied on the current machine
    • Windows 7 and Windows 2008 R2 must have the SHA2 KB installed (Microsoft KB 4474419 and KB 4490628).
    HardwareChecks if the CPU and memory on this machine meet the requirements to enable Endpoint Sensor
    TLS protocolChecks if the required protocols meet the requirements to enable Endpoint Sensor
    System certificatesCheck if the required certificates meet the requirements to enable Endpoint Sensor
    Root Certificate:
    • Entrust Root Certification Authority - G2
    • DigiCert Assured ID Root CA
    • DigiCert Trusted Root G4
    • USERTrust RSA Certification Authority

    Intermediate certificate:
    • Entrust Certification Authority - L1K
    Device timeChecks if the date/time on the machine meets the requirements to enable Endpoint Sensor
    Endpoint Basecamp Service ConnectivityTests if the network connection from the machine to the XBC backend server is available    
    Log Receiver Service ConnectivityTests if the network connection from the machine to the XLog Receiver server is available 
    Endpoint Inventory Service ConnectivityTests if the network connection from the machine to the XDR Endpoint Inventory backend server is available  
    Endpoint Basecamp Support Connector Service ConnectivityTests if the network connection from the machine to the Support Connector backend server is available 
    Cloud One Agent PrecheckOperating system          Checks if the OS version of the machine is supported                                            
    HardwareChecks if the CPU and memory on the machine meet the requirements to install DSA
    • RAM 2GB is required
    • Disk 1GB is required
    • CPU 2 is required
    ACS supportChecks if the OS can meet Azure Code Signing requirement.
    Cloud One Server ConnectivityTests if the network connection from the machine to the Cloud One server is available 
    System certificatesCheck if the required certificates meet the requirements (Refer to KB article, Updating the VeriSign, DigiCert, USERTrust RSA certificate on Deep Security and Cloud One - Workload Security)
  • Checkpoint list of Server & Workload Protection (Trend Vision One Endpoint Security) -PostCheck
    NameDescription
    Endpoint Basecamp PostcheckXBC: XBC is detected or not.Detects if any XBC components exist in the endpoint
    Registry: xdr_device_id   Registry: xdr_device_id   
    Detected Trend Vision One Service Gateway (with Forward Proxy feature enabled) Detects if local registry has record for Trend Vision One Service Gateway (w Forward Proxy feature enabled) 
    Service: Trend Micro Endpoint BasecampChecks if XBC service is installed
    Service: Trend Micro Cloud Endpoint Telemetry ServiceChecks if XBC service is installed
    Process: endpointbasecamp.exe (Trend Micro Endpoint Basecamp)Checks if XBC process is running
    Process: CETASvc.exe (Trend Micro Cloud Endpoint Telemetry Service)Checks if XBC process is running
    File: EndpointBasecamp.exeChecks if XBC executable file exists, if yes, show its file version, which indicates the XBC build version  
    File: CETASvc.exeChecks if XBC executable file exists, if yes, show its file version
    File: WSCommunicator.exeChecks if XBC executable file exists, if yes, show its file version
    Scheduled Task: Trend Micro Endpoint BasecampChecks if XBC scheduled task exists and if the status of the task is normal
    Endpoint Sensor PostcheckXES:XES is not detected.Detects if any XES components exist in the endpoint
    Cloud Endpoint ServiceService: Cloud Endpoint ServiceChecks if XES service is installed
    Process: CloudEndpointService.exeChecks if XES cloud endpoint process is running
    File: CloudEndpointService.exeChecks if XES cloud endpoint executable file exists, if yes, show its file version, which indicates the XES build version
    Cloud Endpoint ServiceService: Trend Micro Response ServiceChecks if XES response service is installed
    Process: ResponseService.exeChecks if XES response service process is running    
    File: ResponseService.exeChecks if XES response service executable file exists, if yes, show its file version
    XDR Endpoint SensorDriver: Trend Micro LWE DriverChecks if the LWE driver is running
    Vulnerability DetectionVulnerability DetectionChecks if DVASSTool is installed
    Server & Workload Protection Agent PostcheckDSA: DSA is (not) detected     Checks if DSA software is installed                                           
    DSA versionDetects current installed DSA version
    DSA service status: DSA service is (not) running    Checks if DSA service is running      
    Module statusAMSP (Windows anti-malware) feature status: ON/OFFChecks if AMSP is ON/OFF status (Only support DSA-20.0.3445+)
    ACM (Activity Monitoring) feature status: ON/OFFChecks if ACM is ON/OFF status (Only support DSA-20.0.3445+)
    Self-Protection status: ON/OFFChecks if Self-Protection is enabled or disabled
Comments (0)