What to do when this event occurs
If you are using a version earlier than DSM 20.0.789 and have already applied DSRU 24-024 or later, please do the following:
- Rollback the rule update.
- Log in to the DSM management console and click Administration > Updates > Security > Rules.
- A list of imported rule updates will be displayed. Right-click the previous rule of 24-024.dsru then select Rollback.
- The Rule Update Rollback window will open and display your changes. Click Finish to perform the rollback.
- Once the rollback is complete, the check in the Applied column changes to the rule you rolled back.
- Cancel the currently running recommendation search.
- Log in to the DSM management console and click [Computer].
- Right-click the Agent you want to stop scanning and select Actions > Cancel Recommendation Scan.
*Multiple selections can be made by holding down the 'Ctrl' key.
- Disable the scan for recommendation from scheduled task.
- Log in to the DSM management console and click Administration > Scheduled Tasks.
- Right-click the task whose "Type" is "Search my computer for recommended settings" and select Disable.
Additionally, if you have enabled to continuously scan computers for recommendations in an assigned policy, you can check the "Recommended settings" option in the "Recommended settings" field under Settings > General tab of the policy or computer's advanced. Disable the option "Perform continuous search for".
For DSM lower than 20.0.789 and DSRU 24-024 or later is not applied:
- If DSRU 24-024 or later is applied in the future, the conditions for this event will be met, so please disable the search for recommended settings above.
Workarounds until DSM version upgrade
The solution to this issue is to upgrade to DSM 20.0.789 or later. If you are unable to upgrade DSM immediately, there is a workaround. In the "What to do when an event occurs," you are asked to "roll back the rule update," but when you perform the security update, the DSRU will also be updated. This issue occurs when you run a recommendation scan in an environment that is lower than DSM 20.0.789 and DSRU 24-024 or later is applied. Please continue to disable the recommendation scan, so the recurrence of the event can be avoided. Until you upgrade to DSM 20.0.789 or later, you can manually apply rules for Intrusion Prevention, Integrity Monitoring, and security log monitoring functions.
Please refer to the following Help Center articles for instructions on how to manually apply rules for each function.
- Deep Security 20
- Deep Security 12
Frequently Asked Questions
Common inquiries
- Will a rule that corrects DSRU 24-024 be issued?
We have considered revising the rules, but this issue is not a problem with the rules. This is caused by the version of DSM that handles the rules, and these rules cannot be revised.
- DSM versions earlier than 20.0.789 are also supported. Will it matter if the system is compatible with rules DSRU 24-024 or later?
Fixes for Deep Security products are provided by releasing new builds. The five-year support policy for Deep Security products means that builds will be released to address issues and allow upgrades to those builds during the support period.
We apologize for the inconvenience, but we strongly recommend update to DSM 20.0.789 or higher.
About this event
To resolve or avoid the event, it is necessary to implement the mentioned counter-measures, as well as the procedures under "What to do when this event occurs" and "Workarounds until DSM version upgrade".
- Will this issue be resolved by rebooting the OS?
Restarting the OS does not resolve the issue nor improve the situation.
- What is the impact on DSM when the event occurs.
This issue results in high CPU usage in DSM and a long time required to search for recommended settings. It does not affect other DSM functions. However as a secondary issue, high CPU usage may cause tasks and processes executed by DSM such as security update tasks to take longer to complete or may fail.
- Will DSA and DSVA protection continue during an event?
This event does not directly affect the protection of DSA and DSVA. However, as a side-effect there is a possibility that security updates may fail on DSM due to a sharp rise in CPU usage, making it impossible to distribute the latest pattern files.
- Is there a way to check this event on the system event or DSM console?
There is no way to check this event on the system event or DSM console. Please check if the CPU usage is increasing when searching for recommended settings is running on versions below DSM 20.0.789, and DSRU24-024 or later.
Regarding countermeasures
- How do I update DSM? Also, are there concerns I need to know regarding DSM version upgrades?
Please refer to the following Help Center articles about upgrading the DSM:
There are no concerns when upgrading DSM, but in order to deal with unforeseen circumstances, please back up your database before proceeding.
- Is it necessary to update the Deep Security Agent (DSA)?
DSA version upgrade is not required to resolve this issue. However for Deep Security products, bugs are fixed and vulnerabilities are addressed by releasing new builds. We recommend using the latest build.
Regarding workarounds
By updating the DSM version as a counter-measure, you will be able to use the latest DSRU and search for recommended settings, so please implement the counter-measure. If it takes time to implement counter-measures, please refer to the "Workarounds until DSM version upgrade" section, use the latest DSRU, and consider applying rules manually.
- What are the security risks of rolling back rule updates?
By performing a DSRU rollback, existing rule updates and newly created rules for the firewall, Intrusion Prevention, Integrity Monitoring, and security log monitoring functions will no longer be available. Therefore, it is not possible to fix bugs in the rules of each function provided by the new DSRU, address vulnerabilities using new rules, or support security monitoring.
Please refer to the counter-measures and "Workarounds until DSM version upgrade" mentioned above. - After rolling back a rule update and a new DSRU is released, will the new DSRU will still be applied?
After a new DSRU is released, the new DSRU will be applied by running a security update. This issue occurs when you run a recommended settings search in an environment that is lower than DSM 20.0.789 and DSRU 24-024 or later is applied. Continue to disable the recommended settings search so the recurrence of the event can be avoided. For details, please refer to the section "Workarounds until DSM version upgrade".
- If you perform a rule update rollback, what features will be affected?
This affects the firewall, Intrusion Prevention, Integrity Monitoring, and security log monitoring functions. The rule rollback will change the DSRU applied to each policy. If new rules or modified rules in DSRU24-024 are applied to DSA after this, the policy will be sent and changes will be made based on the rolled back rules.
- Does this mean that we should not update the rules in the future after implementing steps under "What to do when this event occurs"?
Please update the version of DSM as a counter-measure. If it takes time to implement the counter-measures, please refer to the section "Workarounds until DSM version upgrade".
- I performed a rollback of the rule update, but the rule update is displayed as "24.024" in the Deep Security Notifier (DSN).
The rules displayed in the DSN with Deep Security Relay enabled will display the rules downloaded from iAU, and not the currently applied rules. Rules that are currently applied are those that are checked in the "Applied" column under Management > Update > Security > Rules screen in the DSM console.
- Will canceling a recommendation scan cause any inconsistencies in the rules that are applied?
Canceling a recommendation scan does not result in any inconsistencies in the applied rules.
- What are the security risks of disabling recommended settings scanning?
When a new vulnerability is discovered in the OS or application, or when a change is made to the system, recommended rules for Intrusion Prevention, change monitoring, and security log monitoring functions will no longer be automatically searched and applied. Please refer to the counter-measures and "Workarounds until DSM version upgrade" mentioned above.
- What should I do if rollback procedure fails probably due to high CPU usage?
First, try canceling the search for recommended settings and see if the CPU usage decreases. If you confirm that the CPU usage rate has decreased, please implement the steps described in "What to do when this event occurs".
- After implementing counter-measures, is it better to continue with what was done in "What to do when this event occurs"?
We recommend that you periodically perform a search for recommended settings (once a week) and restore your settings. For rules update rollbacks, after a new DSRU is released, running a security update will apply the new DSRU.