Cloud One - Workload Security Frequently Asked Questions (FAQ)

    • Updated: 19 Nov 2020
Summary

This article answers the most common questions about Cloud One - Workload Security.

Functionality: Intrusion Prevention System (IPS)

Best Practices

IPS events

Rule Assignment

Rule Configuration

Network Engine Status

 

Functionality: Communication

Agent Status

Communication

Proxy Configuration

Activation

Backend

 

Functionality: Activation

Agent Activation Error

Agent Inquiry

Agent Unable to Reach Manager

 

Functionality: SIEM

Forward Configuration

Best Practices

 

Deployment

Upgrade

Activation Failure

 

Administration: Billing

Billing Information

Usage

Renewal


Functionality: Intrusion Prevention System (IPS)

Best Practices

  • What is IPS?

    The Intrusion Prevention module inspects incoming and outgoing traffic to detect and block suspicious activity. This prevents exploitation of known and zero-day vulnerabilities. You can configure Deep Security to automatically receive new rules that shield newly discovered vulnerabilities within hours of their discovery.

    The Intrusion Prevention module also protects your web applications and the data that they process from SQL injection attacks, cross-site scripting attacks, and other web application vulnerabilities until code fixes can be completed.

    To enable and configure Intrusion Prevention, see Set up Intrusion Prevention.

  • How do I enable IPS protection for Deep Security Agent (DSA)?

    Enable the Intrusion Prevention module and monitor network traffic for exploits using Detect mode. When you are satisfied with how your Intrusion Prevention rules are assigned, switch to Prevent mode. The steps are as follows:

    1. Enable Intrusion Prevention in Detect mode.
    2. Test Intrusion Prevention.
    3. Apply recommended rules.
    4. Monitor your system.
    5. Enable 'fail open' for packet or system failures.
    6. Switch to Prevent mode.
    7. Implement best practices for specific rules.

    For detailed information on each step, refer to Deep Security Help Center: Set up Intrusion Prevention.

  • How do I customize an IPS rule?

    Perform the following tasks to configure and work with intrusion prevention rules:

    1. Navigate to Policies > Common Objects > Rules > Intrusion Prevention Rules. Click New Intrusion Prevention Rule.
    2. On the General page, edit the options under General Information, Details and Events.
    3. On the Rules page, choose a rule template according to the article Types of custom Intrusion Prevention rules in Deep Security.
    4. On the Options page, decide whether this rule triggers an event, and set the Context and the Schedule (active times) for this rule as well.
    5. Confirm all settings and click OK.
    6. Assign the new customized rule to the machine to be protected.

    For more details, please refer to the Deep Security Help Center: Configure intrusion prevention rules.

    Visit this KB article for more detailed instructions.

  • How do I test the IPS rule?

    Method 1:

    1. Make sure the IPS function is enabled.
    2. To test IPS, set up rule 1005924 as an example rule for testing: assign rule "1005924 Restrict Download of EICAR Test File Over HTTP" to the machine to be protected.
    3. Download the EICAR file to the machine to be protected.
    4. Check the IPS events to confirm that the EICAR file was blocked.

    For more information about testing IPS, refer to Deep Security Help Center: Set up Intrusion Prevention.

    Method 2:

    1. Make sure the IPS function is enabled.
    2. Create the EICAR test file by typing or copying the following string into a text file, then rename the file to 'eicar.com'.

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    3. Upload 'eicar.com' to any local HTTP server and try downloading it on the machine to be protected.
    4. Check the IPS events to confirm that the EICAR file was blocked.

  • How do I tune IPS rules?
    1. Recommendation scan

      You can use recommendation scans to discover the Intrusion Prevention rules that you should assign to your policies and computers. To automatically and periodically fine tune your assigned Intrusion Prevention rules, you can schedule recommendation scans.

      See more at Deep Security Help Center: Manage and run recommendation scan.

    2. Monitor your system

      Monitor Intrusion Prevention events to ensure that rules are not matching legitimate network traffic. Monitor CPU, RAM, and network usage to verify that system performance is still acceptable.

      See more at Deep Security Help Center: Set up Intrusion Prevention.

    3. If rules are manually assigned, do not assign more than 300 rules, as doing so affects system performance. See more on page 30 of the Best Practice Guide.

  • How do I optimize performance-related settings and avoid IPS performance issues?

    Follow these steps:

    1. Ensure all available patches are applied to the DSA's operating system and any third-party software that is installed.
    2. Unassign rules to ensure fewer than 300 intrusion prevention rules are assigned to a computer.
    3. Apply the solution from this KB article to resolve the error "too many application types apply to port".
    4. Get more performance tips from the Deep Security Help Center: Performance tips for intrusion prevention and Manage and run recommendation scan.

    Visit this KB article for more detailed instructions.

  • Where can I check the IPS audit logs?

    Follow these steps:

    1. To see what changes were made on this agent during an update, including IPS rule assignment/unassignment, look for the "Computer Updated" event under System Events.
    2. To query this event, log on to the DSM console, go to Computers, and find the agent that needs to be checked.
    3. Double-click on the agent and open its properties > Overview > System Events.
    4. Change the Period to the proper date range, and click Refresh on the right.
    5. In the Event column, find the "Computer Updated" event. Note that you can add a tag to an event so that you can query such events faster in the future.
    6. To find a place that records the changes for all agents, search for the specified computer's events under "Events & Reports".

IPS events

  • Why does my application get blocked by an IPS rule?

    To ensure your computers are protected until patches that fix the vulnerability are released, tested, and deployed, IPS blocks an application that matches the condition below:

    When patches are not available for known vulnerabilities in applications or operating systems, Intrusion Prevention rules can intercept traffic that is trying to exploit the vulnerability. It identifies malicious software that is accessing the network and increases visibility into, or control over, applications that are accessing the network.

  • How do I know why a specific IPS rule is detected and what I should do to mitigate the issue accordingly?

    Follow these steps:

    1. Open the event details page by double-clicking the event.
    2. Click the link in Reason section to open the rule details page.
    3. Read the Description to understand the detection.
    4. Switch to the Vulnerability tab and open the external link under External References. Usually, the links point to a Mitre CVE page or the vulnerable application's official website.
    5. Find the mitigation method from the Mitre CVE page or the vulnerable application's official website. Usually, the methods are upgrading/patching the OS/application or changing certain OS/application configuration.

    Visit this KB article for more detailed instructions.

  • How do I handle the event "URI Path Length Too Long"?

    Follow these steps:

    1. Assign the IPS rule "1000763 - URI Length Restriction" if it is not assigned to the computer(s) in question.
    2. In the rule's configuration page, increase "Allowed URI path length" and "Number of directory levels allowed in URI path" as needed. Their default values are 1024 and 100 respectively.

    For more details, please check this KB article.

    Visit this KB article for more detailed instructions.

Rule Assignment

  • How do I assign / unassign an IPS rule?

    Assign / unassign IPS rules on Policy level:

    1. Go to the Policies page, right-click the policy to configure and click Details.
    2. Click Intrusion Prevention > General.
    3. Under Assigned Intrusion Prevention Rules, click Assign/Unassign.
    4. To assign/unassign a rule, select/deselect the check box next to the rule.
    5. Click OK.

      For more information about "Assign and unassign rules", see Deep Security Help Center: Assign and unassign rules.

    Assign/unassign IPS rules on Computer level:

    1. Go to the Computers page, double click on the computer to be protected.
    2. Click Intrusion Prevention > General.
    3. Under Assigned Intrusion Prevention Rules, click Assign/Unassign.
    4. To assign/unassign a rule, select/deselect the check box next to the rule.
    5. Click OK.
  • How do I check the details of an IPS rule?

    Follow these steps:

    1. Open the event details page by double-clicking on an event triggered by the rule.
    2. Click the link in the Reason section to open the rule details page.
    3. If no event has been triggered by the rule, locate the rule under Policies > Common Objects > Rules > Intrusion Prevention Rules and search for it by rule ID or keywords.
    4. Read the Description to understand the detection.
    5. Find other information like vulnerability, configuration, and options by switching to the corresponding tab.

    Visit this KB article for more detailed instructions.

  • Why is the Intrusion Prevention's status "State: On, Prevent, no rules"?

    This state means that no Intrusion Prevention rules are assigned at either the Policy level or the Computer level.

    Please assign rules by referring to Deep Security Help Center: Assign and unassign rules.

Rule Configuration

  • The IPS rule is not working. What should I do?

    When the IPS rule doesn’t seem to be working as expected, below are some basic checks to perform to ensure that everything is in order:

    1. Make sure the Intrusion Prevention module has been enabled on the affected system.
    2. Carry out some testing to ensure the Intrusion Prevention module is functioning properly. You can follow either Test Intrusion Prevention on the Deep Security Help Center or this KB article on Testing the Deep Security modules.
    3. Make sure you have configured the appropriate settings at the policy or specific computer level, including the detection/prevention action of this rule. Refer to Policies, inheritance, and overrides, and Configure intrusion prevention rules in the Deep Security Help Center.
    4. Implement best practices for specific rules.

    Visit this KB article for more detailed instructions.

  • What is the difference between Prevent mode and Detect mode?

    Detect: Intrusion prevention uses rules to detect matching traffic and generate events, but does not block traffic. Detect mode is useful to test that intrusion prevention rules do not interfere with legitimate traffic.

    Prevent: Intrusion Prevention uses rules to detect matching traffic, generate events, and block traffic to prevent attacks.

  • How do I use Prevent/Detect mode?

    When you first apply new intrusion prevention rules, use Detect mode to verify that they don't accidentally block normal traffic (false positives). When you are satisfied that no false positives occur, you can use Prevent mode to enforce the rules and block attacks.

  • Why does "Intrusion Prevention Rules Failed to Compile" error appear?

    This error may occur because the maximum number of Application Types that can be assigned on a port has been reached. By default, the maximum number allowed is eight (8). Once it reaches nine (9) or above, the error is displayed.

    Refer to the solution on this KB article. You may also refer to the Deep Security Help Center: Apply Intrusion Prevention best practices.
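
    An added pre-flight check (not part of the original FAQ or any Trend Micro tool) for the two limits described above: the 300-rule guidance and the eight application types per port beyond which the compile error appears. The CSV layout (rule_id, application_type, ports) and the sample rows are constructed for illustration and are not a Workload Security export format; the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight check of an IPS rule assignment inventory against the two limits
# stated in the FAQ. Input is a CSV that you maintain yourself (assumed layout):
#   rule_id,application_type,ports      (ports separated by ';')

MAX_RULES=300      # FAQ: do not assign more than 300 rules to a computer
MAX_APP_TYPES=8    # FAQ: nine or more application types on one port fails to compile

# ips_budget FILE -> prints findings; returns 0 if within both limits, 1 otherwise
ips_budget() {
  awk -F',' -v max_rules="$MAX_RULES" -v max_types="$MAX_APP_TYPES" '
    NR == 1 { next }                               # skip the header row
    {
      # Count each rule ID once, even if it is listed on several rows.
      if (!($1 in seen_rule)) { seen_rule[$1] = 1; rules++ }
      # Count distinct application types per port.
      n = split($3, ports, ";")
      for (i = 1; i <= n; i++) {
        key = ports[i] SUBSEP $2
        if (!(key in seen_pair)) { seen_pair[key] = 1; types[ports[i]]++ }
      }
    }
    END {
      bad = 0
      printf "assigned rules: %d (limit %d)\n", rules, max_rules
      if (rules > max_rules) { print "OVER: too many rules assigned"; bad = 1 }
      for (p in types)
        if (types[p] > max_types) {
          printf "OVER: port %s has %d application types (limit %d)\n", p, types[p], max_types
          bad = 1
        }
      exit bad
    }' "$1"
}

# sample_assignments -> prints a constructed inventory: nine application types
# on port 80 (one over the limit) and eight on port 443 (exactly at the limit).
sample_assignments() {
  echo "rule_id,application_type,ports"
  i=1
  while [ "$i" -le 9 ]; do
    if [ "$i" -le 8 ]; then ports="80;443"; else ports="80"; fi
    echo "$((9000000 + i)),app-type-$i,$ports"     # constructed rule IDs and type names
    i=$((i + 1))
  done
  # The two rule IDs named in this FAQ, placed on an application type that is
  # already counted (the type name is constructed, not the real one).
  echo "1005924,app-type-1,80"
  echo "1000763,app-type-1,80"
}

# Run against a real inventory with:  sh thisfile.sh --check inventory.csv
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
  ips_budget "$2"
fi
```

    A non-zero exit status means at least one limit is exceeded, so the check can gate a change before rules are assigned.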

Network Engine Status

  • Why is the IPS engine showing offline?

    There are a couple of possible root causes for this issue: IPS feature installation failure, network issue between DSA and DSR/DSM, network driver not working, etc. To find out the specific reason, review the system event:

    1. Log on to the DSM console > Computers, find the agent you want to check.
    2. Double-click on the agent and open its properties > Overview > General > Click Intrusion Prevention Engine Offline to check.
    3. If the reason is still not found, collect the DSA diagnostic package and contact Trend Micro Support.

    Visit this KB article for more detailed instructions.

 

Functionality: Communication

Agent Status

  • How does Cloud One Workload Security Manager check if the DSA is online?

    By default, the DSA initiates the heartbeat to communicate with the Manager. Once the Manager receives a heartbeat from the DSA, it shows the computer as "Online".

    The default heartbeat interval is 10 minutes and it is configurable. Refer to Deep Security Help Center: Agent-manager communication to see how to configure the heartbeat.

  • How do I resolve an agent offline issue?

    A computer status of "Offline" or "Managed (Offline)" means that the Deep Security Manager has not received heartbeats from the Deep Security Agent for some time and the number of consecutive missed heartbeats has exceeded the threshold.

    When you're experiencing an 'Offline' problem, it is recommended to update the agent status of the problematic machine first by doing the following steps:

    1. Reactivate the agent.
    2. Restart the agent service.
    3. Reinstall the agent.

    If none of the above steps resolves the offline issue, the cause is probably a heartbeat connection failure caused by a network communication problem, and the agent is presumed to be offline.

    Refer to the online help topic Offline Agent to fix the network communication problem.

    Visit this KB article for detailed instructions.

  • What are the URLs, IP addresses and ports used by Cloud One Workload Security components?

    Cloud One Workload Security default port numbers, URLs, IP addresses, and protocols are listed in Deep Security Help Center: Port numbers, URLs, and IP addresses.

     
    • Cloud One Workload Security port numbers: all 'Mandatory ports' must be enabled, while 'Optional ports' depend on the features or components that need to be deployed.
    • Cloud One Workload Security URLs: make sure the firewall allows traffic from the listed 'Source' to the listed 'Destinations', and that access to the associated HTTP and HTTPS URLs is allowed.
    • Cloud One Workload Security IP addresses: restrict the inbound/outbound IP addresses that are allowed in the environment to be protected.
     

Communication

  • What is the default communication direction?

    For Cloud One Workload Security, Agent-initiated communication (AIA) is enabled by default. This means that the Deep Security Agent initiates all interactions with the manager and establishes an encrypted TCP connection over the manager heartbeat port (443).

    Visit this KB article for more detailed information.

  • Which communication direction option shall I choose for a policy or a computer?
     
    For Cloud One Workload Security, agent-initiated communication is enabled by default and it is strongly recommended not to change this setting. You may change to one of the below communication directions if the default communication direction won't work in your network environment.
     

    Bidirectional: The agent normally initiates the heartbeat and also listens on the agent's listening port number for connections from the Deep Security Manager. The manager can contact the agent to perform the required operations. The manager can apply changes to the security configuration of the agent. The DSM and the agent must be able to reach each other over the network.

    Manager Initiated: The manager initiates all communication with the agent. These communications include security configuration updates, heartbeat operations, and requests for event logs. The network traffic from the DSM to the DSA should be reachable.

    Agent Initiated: This is the default communication direction of Cloud One Workload Security. The agent does not listen for connections from the manager. Instead, it contacts the manager on the port number where the Manager listens for agent heartbeats. Once the agent has established a TCP connection with the manager, all normal communication takes place: the manager first asks the agent for its status and for any events. (This is the heartbeat operation.) If there are outstanding operations that need to be performed on the computer (for example, the policy needs to be updated), these operations are performed before the connection is closed. Communications between the manager and the agent only occur on every heartbeat. If an agent's security configuration has changed, it is not updated until the next heartbeat.

    For more detailed information, refer to the Deep Security Help Center: Agent-manager communication.

Proxy Configuration

  • What Cloud One Workload Security traffic should I allow on the proxy or firewall in my environment?

    You can find the Cloud One Workload Security default port numbers, URLs, IP addresses, and protocols that need to be allowed on your proxy or firewall on Deep Security Help Center: Port numbers, URLs, and IP addresses.

  • How do I configure a proxy in Cloud One Workload Security for different purposes?

    Configure proxies for the following purposes in Cloud One Workload Security:

    • Agents/Relays connect to 'primary security update source' via a proxy.
    • Agents connect to Workload Security via proxy.
    • Agents connect to Relays via proxy.
    • Agents connect to the Smart Protection Network via proxy.

    For more information about detailed configuration steps, please refer to Deep Security Help Center: Configure proxies.

Activation

  • How do I resolve DSA activation failure for Windows DSA?

    Follow these steps:

    1. Check the description of the error why the activation failed. Most of the time, the problem is self-explanatory.
    2. Check for network issues by running telnet against the Workload Security URL on the Agent machine: telnet app.deepsecurity.trendmicro.com 443.
    3. Check the DSA and make sure that it is not activated or registered to another Deep Security Manager.
    4. You may activate the Agent from the Workload Security web console or via command line.
    5. Refer to Error: Activation Failed for more activation-failed error types.
    6. If the above steps do not resolve the issue, contact Trend Micro support.

    Visit this KB article for detailed instructions.

  • How do I resolve DSA activation failure for Linux DSA?

    Follow these steps:

    1. Check the network communication between the Agent machine and the Workload Security URLs, using the telnet command on the Agent machine.
    2. Try an agent-initiated activation and check if this can help resolve the issue.
      1. On the Workload Security console, navigate to Administration > System Settings > Agents. Make sure both "Allow Agent-Initiated Activation" and "re-activate the existing computer" are ticked.
      2. On the Agent machine, change to the DSA directory using the command "cd /opt/ds_agent".
      3. Type the command "./dsa_control -r".
      4. Type the command: ./dsa_control -a dsm://:/ "tenantID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" "token:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
     
    To find the appropriate values for and , in the Workload Security console, go to Support > Deployment Scripts, scroll to the end of the script that is generated, and copy the tenantID and token values.
     

    For more activation-failed error types, please refer to Deep Security Help Center: Error: Activation Failed.

    Visit this KB article for more detailed instructions.

Backend

  • Where can I check the Cloud One Workload Security incident history?

    At the moment, the Cloud One Workload Security incident history is not public. If you want to check Cloud One Workload Security incidents for a specific time range, contact the support team for help.

 

Functionality: Activation

Agent Activation Error

  • How do I fix "HTTPS Status: 400 Failure" when activating agent?

    Below are some recommendations for troubleshooting this issue:

    • Check the agent activation syntax for any typographical error.
    • Double-check the Agent-Initiated Activation settings.
    • Check the communication between agent and manager.
    • Verify agent service status.

    Visit this KB article for more detailed instructions.

  • How do I activate the agent?

    To activate an agent, generate a Windows deployment script on the manager console, then run the PowerShell script on the server.

    Visit this article for more detailed instructions.

  • Why does a mass deployment procedure cause activation issues on random machines?

    Check how the deployment process works, and make sure your procedure follows the same sequence as the deployment script, including the sleep time: after the installation, the script waits (sleep 15) before it runs the activation of the agent.

Agent Inquiry

  • Does upgrading the DSA version require a reboot?

    On Windows, upgrading the DSA requires a reboot so that its AMSP driver can be updated/installed and hook into the OS at the kernel level, which the driver needs in order to function. This happens with AMSP 6.1.6025.
    As an enhancement, on DSA 20, AMSP driver version 6.6 no longer requires a reboot. Also, when you upgrade the Agent, no warning about a reboot appears while Anti-Malware is installing. This means that you will not need a reboot.

  • Computer status is "Unmanaged (unknown)", what does this mean?

    Unmanaged (unknown) status appears on instances that are part of a cloud connector. This status means the agent is not yet activated. Run the deployment script to install and activate the agent.

    Visit this Help Center article for more details.

  • How do I activate the agent and fix an agent that was accidentally deactivated?

    Use the reactivation part from the deployment script:

    • Activate the agent through a deployment script. See Use deployment scripts to add and protect computers for details.
    • Activate the agent from the computer where the agent is installed. Run this command:

      dsa_control -a dsm://agents.deepsecurity.trendmicro.com:443/ "tenantID:<tenant ID>" "token:<token>"

      To find the appropriate values for <tenant ID> and <token>, in the Workload Security console, go to Support > Deployment Scripts, scroll to the end of the script that is generated, and copy the tenant ID and token values.

      For details on this command including additional parameters, see Command-line basics.

  • Why is the deployment script not working for Windows agent installation/activation?

    Make sure to run Windows PowerShell and not Windows PowerShell (x86). The latter is different and will not execute the deployment script successfully.

  • How do I uninstall an agent?

    To uninstall an agent:

    1. Deactivate the agent using the DSM. Go to the Computers page, right-click the computer and select Actions > Deactivate.
    2. If you are unable to deactivate the agent because the DSM is unable to communicate with it, run the following command before continuing:

      C:\Program Files\Trend Micro\Deep Security Agent>dsa_control --selfprotect 0

    3. In the Control Panel look for "Trend Micro Deep Security Agent" and then select Uninstall.

    You may find more information about uninstalling the agent on this article.

  • How do I reinstall and reactivate an agent?

    To reinstall and reactivate an agent:

    1. Generate a deployment script on the manager console:
      1. Open the manager console > Support > Deployment Scripts, and select the platform (Windows/Linux).
      2. Select Activate agent automatically after installation. Save the script or copy it to the clipboard.
    2. Run the generated deployment script on the computer. (The script format is .ps for Windows and .sh for Linux.)
    3. Verify on the console that the computer has been added. It should appear as Managed (Online).

    You may find more information about activating the agent on this article.

  • What should I do if "Integrity Monitoring Compile Issue" appeared after activation?

    To activate an agent, generate a Windows deployment script on the manager console, and run the PowerShell script on the server.

    You may find more information in this article.

  • How do we move the current agent to a new tenant?

    Follow these steps:

    1. Log in to the machine hosting the DSA.
    2. Open the command line, and navigate to the Deep Security Agent folder.

      For Windows: C:\Program Files\Trend Micro\Deep Security Agent
      For Linux: /opt/ds_agent

    3. Turn off the agent self-protect:

      dsa_control -s 0

      If you have a password configured, add "-p <password>".

    4. Run the deactivation command:

      dsa_control -d

    5. Refer to this article to activate the agent.

Agent Unable to Reach Manager

  • What should I allow for the agent to be able to communicate with Cloud One Workload Security?

    Allow Cloud One Workload Security Ports on the Firewall/Security Group.

    To learn more, visit this article.

  • How do I check Agent communication to Cloud One - Workload Security?

    Follow these steps:

    1. Allow all outbound traffic to IP addresses, ports, URLs used by Cloud One - Workload Security. Visit this article for details.
    2. Perform a network connectivity test:

      telnet app.deepsecurity.trendmicro.com 443
      telnet agents.deepsecurity.trendmicro.com 443
      telnet dsmim.deepsecurity.trendmicro.com 443
      telnet relay.deepsecurity.trendmicro.com 443

    3. After the traffic is allowed and the connection test is successful, you can activate the agent.
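
    The connectivity test above, as an added example (not Trend Micro's script) for Linux agent hosts that have no telnet client. It separates the "Unable to resolve hostname" and "Blocked port" causes listed under Activation Failure, and assumes bash, getent and coreutils timeout are installed; the function names are hypothetical.

```shell
#!/bin/sh
# Checks name resolution and outbound TCP 443 for the four Workload Security
# hosts used in the FAQ's telnet test, and reports which stage fails.

WS_ENDPOINTS="app.deepsecurity.trendmicro.com
agents.deepsecurity.trendmicro.com
dsmim.deepsecurity.trendmicro.com
relay.deepsecurity.trendmicro.com"
WS_PORT=443

# resolve_host HOST -> 0 if the name resolves through the system resolver
resolve_host() {
  getent hosts "$1" >/dev/null 2>&1
}

# probe_tcp HOST PORT -> 0 if a TCP connection completes within 5 seconds.
# Uses the /dev/tcp feature of bash, so no telnet or nc binary is required.
probe_tcp() {
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# classify_endpoint HOST PORT -> prints ok | dns-failure | blocked-port
classify_endpoint() {
  if ! resolve_host "$1"; then
    echo "dns-failure"        # maps to "Unable to resolve hostname"
  elif ! probe_tcp "$1" "$2"; then
    echo "blocked-port"       # maps to "Blocked port"
  else
    echo "ok"
  fi
}

# check_all -> prints one "HOST RESULT" line per endpoint and returns the
# number of endpoints that failed (0 means the agent can be activated).
check_all() {
  failures=0
  for host in $WS_ENDPOINTS; do
    result=$(classify_endpoint "$host" "$WS_PORT")
    printf '%-45s %s\n' "$host" "$result"
    [ "$result" = "ok" ] || failures=$((failures + 1))
  done
  return "$failures"
}

# Run the live check only when asked to:  sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then
  check_all
fi
```

    Where agents reach Workload Security through a proxy, a direct probe like this can fail even though the proxied path works, so test from a host with the same egress path as the agent.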

 

Functionality: SIEM

Forward Configuration

  • Is there an option available in the DSM console to forward customized events to an external Syslog collector?

    Currently, there is no way to customize the security logs that are being sent by the DSM.

  • How do I forward Cloud One Workload Security events to a SIEM/Syslog Server?

    You can send events to an external Syslog or SIEM server. Follow these steps:

    1. Allow event forwarding network traffic.
    2. Request a client certificate.
    3. Define a Syslog configuration.
    4. Forward system events and/or security events.

    For detailed information, you can refer to this article on Forwarding Deep Security events to a Syslog or SIEM server.

  • Can we forward events to Splunk Cloud?

    Yes, forwarding Cloud One - Workload Security events to Splunk Cloud is supported. Deep Security has been tested with the enterprise version of Splunk 6.5.1.

    For detailed information about how to forward events, you can refer to this article on Forwarding Deep Security events to a Syslog or SIEM server.
  • How do I forward Cloud One Workload Security events to Amazon SNS?

    If you have an AWS account, you can take advantage of the Amazon Simple Notification Service (SNS) to publish notifications about Workload Security events and deliver them to subscribers. See details about Amazon SNS.

    To set up Amazon SNS:

    1. Create an AWS user.
    2. Create an Amazon SNS topic.
    3. Enable SNS in Workload Security.
    4. Create subscriptions.

    For details, please refer to this article on Setting up Amazon SNS.

Best Practices

  • How long are events stored/retained on Cloud One Workload Security?

    Workload Security retains security events for 32-39 days and system events for 13-17 weeks (depending on when database maintenance is scheduled). Customers requiring a longer event retention period should consider the following as best practice:

    1. Forward events to an external SIEM. For more information, see Forward Workload Security events to an external Syslog or SIEM server.
    2. Set thresholds in the log inspection module for event storage or event forwarding. Severity clipping allows you to send events to a Syslog server (if enabled) or to store events based on the severity level of the log inspection rule. See Thresholds for Event Storage or Event Forwarding.

    Event history is retained for:

    • Anti-Malware events
    • Application Control events
    • Firewall events
    • Integrity Monitoring events
    • Intrusion Prevention events
    • Log Inspection events
    • Web Reputation events
    • System events
  • Can I forward Cloud One Workload Security events to a SIEM/Syslog Server using UDP?

    Yes. You can forward the events to the SIEM/Syslog server using either TLS or UDP.

    With UDP, Syslog messages are limited to 64 KB. If the message is longer, data may be truncated.

    With TLS, the manager and Syslog server must trust each other's certificates. The connection from the manager to the Syslog server is encrypted with TLS 1.2, 1.1, or 1.0.

    Check this article on Forwarding Deep Security events to a Syslog or SIEM server for more information about Event forwarding with a transport protocol.

  • Can Cloud One Workload Security forward Syslog events directly to either AWS CloudWatch or AWS S3?

    Currently, this is not supported. Cloud One Workload Security has no ability to forward Syslog events directly to Amazon S3 and CloudWatch.

    Nevertheless, Cloud One Workload Security supports forwarding events to Amazon SNS. Refer to Online Help for more details.

 

Deployment

Upgrade

  • Why does the upgrade banner disappear?

    To be able to receive the upgrade banner you can follow these steps:

    1. Log on to your Management Console.
    2. Go to Administration > Software.
    3. In the "Update Check" section, click Check for updates.

    The banner should show up after checking the updates or by refreshing the page.

    Please note that there is no upgrade banner if the DSM version is earlier than 11.0. Please upgrade the DSM manually (AWS Marketplace / Azure Marketplace).

  • How do I perform system hardening for Deep Security Manager AMI?

    There's no need to perform manual security patching of the OS, as Trend Micro already follows a recommended hardening standard for DSM. For more information, check the Deep Security Help Center article "About Deep Security hardening" (AWS Marketplace / Azure Marketplace).

Activation Failure

  • Why can't DSA be activated?

    The possible reasons are as follows:

    • Protocol Error
    • Unable to resolve hostname
    • No Agent/Appliance
    • Blocked port
    • Maximum five protected computers

    Please refer to Online Help for more details.

  • How do I manually activate the DSA?

    Activate the agent from the computer where the agent is installed. Run the following command:

    • For Linux:

      /opt/ds_agent/dsa_control -a dsm://agents.deepsecurity.trendmicro.com:443/ "tenantID:<tenant ID>" "token:<token>"

    • For Windows:

      C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd -a dsm://agents.deepsecurity.trendmicro.com:443/ "tenantID:<tenant ID>" "token:<token>"

    To find the appropriate values for <tenant ID> and <token>, in the Workload Security console, go to Support > Deployment Scripts, scroll to the end of the script that is generated, and copy the tenantID and token values.
    Please refer to the Online Help for more details.

  • Why are the agents showing "Unable to communicate"?

    "Unable to communicate" means that Workload Security hasn't communicated with the DSA's instance for some time and has exceeded the missed heartbeat threshold. It also causes the status to change to "Offline".

    Please refer to Online Help to troubleshoot this issue.
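
    The activation questions above name a missing agent, an unresolvable hostname and a blocked port among the causes of failure. The following added example (not Trend Micro's code) checks those three on a Linux host before `dsa_control -a` is run; the function names and exit codes are assumptions of this example, and it relies on `getent` and `nc` being installed.

```shell
#!/bin/sh
# Pre-flight checks before manual agent activation (added example).
# Exit codes below are this example's own convention, not dsa_control's.

DSM_URL="dsm://agents.deepsecurity.trendmicro.com:443/"   # URL from the article
AGENT_BIN="/opt/ds_agent/dsa_control"                      # Linux path from the article

# Print "host port" for a dsm://host:port/ URL; fail on anything else.
parse_dsm_url() {
    case "$1" in
        dsm://*) rest=${1#dsm://} ;;
        *) return 1 ;;
    esac
    rest=${rest%%/*}                      # drop the trailing path
    host=${rest%%:*}
    port=${rest##*:}
    [ "$host" != "$rest" ] || return 1    # no ":port" part present
    [ -n "$host" ] || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$host" "$port"
}

# Return 0 when the prerequisites look fine, otherwise a code naming the cause.
preflight() {
    url=$1; agent=$2
    hp=$(parse_dsm_url "$url") || { echo "bad manager URL: $url"; return 1; }
    host=${hp% *}; port=${hp#* }
    if [ ! -x "$agent" ]; then
        echo "No Agent/Appliance: $agent missing or not executable"; return 2
    fi
    if ! getent hosts "$host" >/dev/null 2>&1; then
        echo "Unable to resolve hostname: $host"; return 3
    fi
    command -v nc >/dev/null 2>&1 || { echo "nc not installed"; return 5; }
    if ! nc -z -w 5 "$host" "$port" >/dev/null 2>&1; then
        echo "Blocked port: cannot open TCP $port to $host"; return 4
    fi
    echo "ok: agent present, $host:$port reachable"
}

# Usage, with the placeholders from the article left for you to fill in:
#   preflight "$DSM_URL" "$AGENT_BIN" && \
#     "$AGENT_BIN" -a "$DSM_URL" "tenantID:<tenant ID>" "token:<token>"
```

    A pass here only rules out the local causes; protocol errors and the five-computer limit are reported by the activation attempt itself.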

 

Administration: Billing

Billing Information

  • Are servers with status "Unmanaged (Unknown)" billed?

    No. Servers with status "Unmanaged (Unknown)" are detected as having no Deep Security Agent installed.

  • How much is the cost per hour per instance when using pay-as-you-go billing?

    Pay-as-you-go pricing depends on the computer size. The same rates apply to both AWS and Azure subscriptions.

    Please refer to the Cloud One™ Documentation: About billing and pricing.

  • Our bill is much higher than normal. What does the 'NotCloud' column in the Metered Billing report mean?

    The 'NotCloud' column is for computers that were added or activated outside a cloud connector.

  • How can I break down my billing per AWS account on Cloud One Workload Security?

    Generate the Security module usage report, then compare its Cloud Account column against the Metered Billing report.

Usage

  • How do I check current license seat usage and expiration date?

    Check currently protected machines and license expiration on the Account Details page.

  • How do I fix an incorrect number of license seats?

    Check whether the activation code is correct on the Account Details page. If it is, contact Sales.

  • Can I use my Cloud One - Workload Security license with AWS Marketplace BYOL?

    No, the license for Cloud One - Workload Security is not compatible with the AWS Marketplace BYOL version. Likewise, an AWS Marketplace BYOL license is not compatible with Cloud One - Workload Security.

  • Where can I check my license key?

    On the manager console, click the Account Name > Account Details.

  • Is there a license key for AWS Marketplace subscription?

    There isn't. No license key is given for the AWS billing subscription. The license key is only provided for BYOL subscriptions.

  • Why am I getting an 'Invalid Activation Code' error when entering a license in the Cloud One Workload Security console?

    The activation code might be for on-premises Deep Security. Contact Sales or the Technical Support Team.

  • Why is my AWS Marketplace subscription failing?

    Contact AWS Support. There are a few reasons why the subscription fails, but the most common is an issue with your AWS account payment method. Ensure that your account is in good standing and has a valid payment method.

  • Can I transfer my Cloud One Workload Security license to another tenant?

    Your Cloud One Workload Security BYOL license cannot be directly transferred to another tenant. It is recommended to contact your Trend Micro Sales Representative or Cloud One Technical Support Team for assistance.

Renewal

  • How do I request a trial extension?

    Contact Sales.

  • How do I renew my Cloud One Workload Security subscription?

    Contact Sales or your reseller.

  • What happens after my 30-day trial?

    The account will switch to Freemium mode.

Category:
Configure; Troubleshoot; Deploy; Install; Register
Solution Id:
000260809