Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Deep Security Smart Check Vulnerability Scan failed

    • Updated:
    • 11 Feb 2020
    • Product/Version:
    • Deep Security Smart Check
    • Platform:
Summary

Deep Security Smart Check (DSSC) registry scan might fail when Deep Security Agent (DSA) is installed on Kubernetes nodes. It displays the following error message:

"Status: scan failed - Vulnerability scan failed"

This happens only if the image from registry has malware, and DSA detects it during DSSC registry scanning.

DSSC pulls the image from the registry to scan it for contents, vulnerabilities and malwares. During this time, DSA detects real-time scan detects malicious files from the image as it operates on kernel level of the container host.

Also, AM events on Deep Security web console is generated.

On the logs, it shows that image layer download fail. (image-scan-*.log)

{"image":"a33e891b-93d5-46fd-a656-3cbde4ed9af2","insecureSkipVerify":false,"layer":"http://scan-internal:8081/api/scans/a33e891b-93d5-46fd-a656-3cbde4ed9af2/jobs/image/layers/sha256:0fa025a8e643b99f25e2f8078d41ab85691bf810fc61bb64c076f76f7a18808f","message":"Received HTTP response","method":"GET","response":"HTTP/1.1 500 Internal Server Error\r\nConnection: close\r\nContent-Length: 559\r\nCache-Control: no-cache\r\nCache-Control: no-cache,no-store,must-revalidate\r\nContent-Security-Policy: default-src: 'none';block-all-mixed-content;disown-opener;reflected-xss filter\r\nContent-Type: application/json\r\nDate: Thu, 06 Feb 2020 19:53:52 GMT\r\nExpires: 0\r\nPragma: no-cache\r\nReferrer-Policy: no-referrer\r\nStrict-Transport-Security: max-age=31622400\r\nX-Api-Version: 2018-05-01\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\nX-Request-Id: 511f9321-13e1-45ad-bb83-49d68d800127\r\nX-Xss-Protection: 1;mode=block\r\n\r\n","severity":"debug","timestamp":"2020-02-06T19:53:52Z","url":"http://scan-internal:8081/api/scans/a33e891b-93d5-46fd-a656-3cbde4ed9af2/jobs/image/layers/sha256:0fa025a8e643b99f25e2f8078d41ab85691bf810fc61bb64c076f76f7a18808f"}
{"error":"unable to download layer: response code 500","image":"a33e891b-93d5-46fd-a656-3cbde4ed9af2","layer":"http://scan-internal:8081/api/scans/a33e891b-93d5-46fd-a656-3cbde4ed9af2/jobs/image/layers/sha256:0fa025a8e643b99f25e2f8078d41ab85691bf810fc61bb64c076f76f7a18808f","message":"Unable to download layer","severity":"warning","timestamp":"2020-02-06T19:53:52Z"}
{"api":"internal","component":"image-scan","error":"Unable to download layer: unable to download layer: response code 500","message":"Failed to extract image","root":"work/images/4a555442-5cb4-4757-9e4e-e743f586bcee","scan":"4a555442-5cb4-4757-9e4e-e743f586bcee","severity":"error","timestamp":"2020-02-06T19:53:52Z"}
Details
Public

To resolve this, create real-time scan anti-malware exclusions with the following entry:

File Exclusion:

/tmp/vs*

Directory Exclusion:

/work/layers/
/work/images/

Premium
Internal
Partner
Rating:
Category:
Configure; Troubleshoot
Solution Id:
000240745
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.