Follow these steps:

  1. Run the tool with root permission.

  2. The main menu is displayed. Select "1-Deep Security Agent" to use the DSA support features.

  3. You may also choose "3-About the Tool" to see the tool's version number.

Enable/Disable Debug Level Logs

After selecting the Deep Security Agent console, you may choose "Enable Debug Mode" or "Disable Debug Mode". Press 'Enter', and the tool will enable or disable the debug log level.

  • Send the command to enable debug logs in the backend.

  • Send the command to disable debug logs in the backend.

Log Collection

From the main menu, you may choose Deep Security Agent > Collect logs. The tool automatically collects the log package and stores it locally.

*The ZIP password is "trend".

Fast Logs Collection

From the main menu, choose Deep Security Agent > Fast Logs Collection (No DSA Diagnostic Logs). In most cases, the normal log collection feature depends on the DSA service to return the diagnostic package. If the computer has low performance, the user has to wait a long time for the log package.

Fast Logs Collection collects the target paths/files directly with the "copy" command, which means it does not rely on the DSA service. This saves time when collecting the necessary logs. The disadvantage is that fewer logs are collected than in normal mode (but still enough for most troubleshooting cases).

After the collection, the user gets a ZIP package of the logs with the password "trend".

Top N List

From the main menu, you may choose Deep Security Agent > Top N list. There are three options: Top Scanned Files, Top Busy Process, and Top Scanned Directories. The DSA version must be later than DSA 20.0.0.3445.

  • Top Scanned Files

  • Top Busy Process

  • Top Scanned Directories

Network Packet Capture

Network Packet Capture runs the Linux "tcpdump" command in the backend to collect network packets. If the tool detects that "tcpdump" is not installed in the environment, it interrupts the collection and prompts that "tcpdump" must be installed first. From the main menu, choose Deep Security Agent > Network Packet Capture.

On the next page, choose the correct NIC, or "Any" (for all NICs), for the capture, or "Exit" to go back to the previous page.

In the following example, entering "1" for [ens32] and pressing 'Enter' starts collecting the network packets that go through [ens32].

After choosing the NIC, you may choose to either manually stop the capture or use a timer to stop automatically.

Press "Enter" to stop the collection, or just wait for the timer to stop it. The tool stores the captured packets in a ZIP file locally.

Exit the tool, then find the ZIP file with password "trend".

Test Antimalware Through EICAR Test File

The Support Tool (Build 1.0.0.1015 and later) has a feature that verifies whether the anti-malware real-time scan is working normally on the agent side.

From the main menu, choose Deep Security Agent > Test Antimalware Through EICAR Test File.

When this feature starts, the tool extracts the "EICAR.com" file to the local path so that the agent can take action on it. The local path is "/tmp/", which is expected to be monitored by the DSA real-time scan policy.

After waiting a few seconds, the tool checks whether the "EICAR.com" file still exists. If it does not, the real-time scan has taken effect and removed the "EICAR.com" file; the user can check the anti-malware events on the console. Otherwise, the real-time scan may not be working normally.

Scenario 1: No Detection

Scenario 2: Set detection on WRITE

Scenario 3: Set detection on READ

Make sure that the "/tmp/" path is not in the exclusion list and that the anti-malware real-time scan is enabled with the correct action.


Like the Windows version, the Linux tool also has a non-console mode. If you put a configuration file (DSALinuxTool.json) in the same directory as the tool, you can run the tool directly and it will run according to the parameters in "DSALinuxTool.json" without showing the console. The tool may take some time to finish. At the end you get the command echo and the log package.

DSALinuxTool.json example:

    {
        "Top N List": {
            "generateTopNList": 1
        },
        "Debug Setting": {
            "enableDebugMode": 1,
            "timerInSecondDebug": 60,
            "disableDebugAfterTimer": 1
        },
        "Log Collection": {
            "enableLogCollection": 1
        }
    }
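As an added example (not part of the article or of the tool itself), the following Python check validates a DSALinuxTool.json before it is placed beside the tool for a non-console run. It only knows the keys shown in the example above; the accepted value ranges (0/1 flags, a positive timer) are assumptions, and it warns when debug logging would stay enabled after the run.

```python
import json

# Sections and 0/1 flags taken from the DSALinuxTool.json example above; the
# tool's real schema is not documented here, so these ranges are assumptions.
FLAG_KEYS = {
    "Top N List": ["generateTopNList"],
    "Debug Setting": ["enableDebugMode", "disableDebugAfterTimer"],
    "Log Collection": ["enableLogCollection"],
}

# Constructed input: the configuration shown in the article.
EXAMPLE_CONFIG = """{
  "Top N List": {"generateTopNList": 1},
  "Debug Setting": {"enableDebugMode": 1, "timerInSecondDebug": 60, "disableDebugAfterTimer": 1},
  "Log Collection": {"enableLogCollection": 1}
}"""

def _is_int(value):  # bool subclasses int, so reject True/False explicitly
    return isinstance(value, int) and not isinstance(value, bool)

def validate_config(text):
    """Return (errors, warnings) for a DSALinuxTool.json document."""
    errors, warnings = [], []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"], []
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"], []
    for section in cfg:
        if section not in FLAG_KEYS:
            warnings.append(f"unknown section {section!r} will be ignored")
    for section, keys in FLAG_KEYS.items():
        block = cfg.get(section, {})
        if not isinstance(block, dict):
            errors.append(f"{section!r} must be an object")
            continue
        for key in keys:
            if key in block and not (_is_int(block[key]) and block[key] in (0, 1)):
                errors.append(f"{section}.{key} must be 0 or 1")
    dbg = cfg.get("Debug Setting", {})
    if isinstance(dbg, dict) and dbg.get("enableDebugMode") == 1:
        timer = dbg.get("timerInSecondDebug")
        if not (_is_int(timer) and timer > 0):
            errors.append("Debug Setting.timerInSecondDebug must be a positive integer")
        if dbg.get("disableDebugAfterTimer") != 1:
            # debug-level logs are verbose and grow fast; do not leave them on
            warnings.append("debug logging stays enabled after the run; set disableDebugAfterTimer to 1 or disable it manually")
    return errors, warnings
```

Running `validate_config(EXAMPLE_CONFIG)` on the article's configuration returns no errors and no warnings, because the timer is positive and debug mode is disabled again after it expires.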
		

The Trend Micro Deep Security Agent Support Tool integrates the "log collection script" for the Solaris and AIX platforms. It automatically detects which platform it is running on and then calls the corresponding Solaris or AIX script.

The following is an example of running the script on the Solaris platform:

For AIX, make sure of the following before proceeding:
  • you run as the root user,
  • /usr/sbin/tcpdump is installed, and
  • the string "kern.debug /var/log/kern.log rotate size 10240k files 10" is present in the /etc/syslog.conf file

For Solaris, make sure of the following before proceeding:
  • you run as the root user, and
  • /usr/sbin/snoop or /usr/sbin/tcpdump is installed

Send back the following files (diag#1, diag#2 and diag#3). Refer to the following example:

diag#1=/var/opt/ds_agent/diag/1653885553.zip
diag#2=/var/opt/ds_agent/diag_2022-05-30_04-39-13.tar.gz
diag#3=/var/opt/ds_agent/if.pcap
