Web Reputation Service (WRS) not working and Intrusion Prevention System (IPS) rules compilation failure in Trend Micro™ Deep Security™

Product / Version includes:

Deep SecurityAll

Last updated: 2025/03/26

Solution ID: KA-0019366

Category:

Summary

An issue is being caused by the new KSP ring feature, which updates the KSP files in /opt/ds_agent/$(uname -r). This leads to IPS compilation failures due to the new versions of WRS settings and DSC.

Refer to the following event description:

Description
This error may be caused by system memory issues. Please check the DS_Agent.Log file and search for the error messages related to Compile, or check the diagnostic package for details.

Agent/Appliance Event(s):

Time: March 20, 2025 09:19:35
Repeated: 2 times through March 20, 2025 09:19:36
Level: Error
Event ID: 2090
Event: Security Configuration Error
Description: Error compiling configuration:

Error(s) error: no ctype specified error: apptype="Mail Server Common": not all conType with same ctype are in the same direction revision missmatch info=12.6.0.5474:rev-5061 expecting-12.6.0.5443:rev-5060 8 errors during parsing

This issue affects Deep Security Agent (DSA) 20.0.2-4961 and all KSP released after this version.

Refer to the following scenarios where the problem is encountered:

Scenario 1 - Incomplete Agent Reload
The issue arises because the dsa_filter was not successfully unloaded during an agent restart. Additionally, the KSP ring feature, which downloads the latest KSP to /opt/ds_agent during each configuration update, causes our function for determining the loaded driver version to make incorrect judgments.

Due to this misjudgment, the system erroneously calls the InitScript, which resets the DSC. As a result, the new DSC version leads to compilation failures of IPS rules due to a version mismatch.
Scenario 2 - IPS Rule Changed While WRS Is On
While the rule settings change, the WRS attempts to copy the latest version of wrs.tbf, which causes DSC to fail to compile the IPS rule (due to a version mismatch). Consequently, the original settings are retained, and an alert is displayed on the UI indicating that the IPS rule compilation failed.
Scenario 3 - Only WRS Is On and Re-enabled WRS
While WRS is enabled (due to re-enablement), it attempts to copy the latest version of wrs.tbf, which causes DSC to fail to compile the IPS rule due to a version mismatch. This prevents the WRS feature from working. An alert indicating that the IPS rule compilation failed should be displayed on the UI, but the WRS status on the UI still remain On.

This problem is likely to recur if a new KSP is released for the OS. The solution is to reload the ds_agent to ensure proper synchronization. Please refer to the following steps to mitigate the issue:

Stop the ds_agent.
systemctl stop ds_agent
Ensure that no dsa_filter is loaded.
lsmod | grep dsa
Start the ds_agent.
systemctl start ds_agent

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Web Reputation Service (WRS) not working and Intrusion Prevention System (IPS) rules compilation failure in Trend Micro™ Deep Security™

Web Reputation Service (WRS) not working and Intrusion Prevention System (IPS) rules compilation failure in Trend Micro™ Deep Security™

Product / Version includes:

Summary