Test/trigger events of Cloud One - Workload Security modules for Linux

    • Updated: 17 Sep 2020
    • Product/Version: Cloud One - Workload Security All
    • Platform:
Summary

This article covers the steps on how to trigger an event for each Cloud One - Workload Security module.

Details
Events are not instantly forwarded to the console. It usually takes 10 minutes for the next heartbeat, or you can manually trigger "Get Events" on the console.
 

Anti-Malware

Download the EICAR test file:

curl -LO https://secure.eicar.org/eicar.com

Web Reputation Service

Access the WRS test website:

curl http://wrs21.winshipway.com

Firewall

Before testing this module, make sure you have the following test requirements:

  • Selected a network protocol, such as TCP/UDP, to test
  • Disabled host-based firewall such as Linux iptables (optional)
  • Rule sets in Cloud One console:
    • IP address
    • MAC address
    • TCP/UDP port

    To check, you can go to the Cloud One console. Select a computer or policy, then click Firewall > Firewall rule > Assign/Unassign.

To test the firewall, evaluate the Secure Shell (SSH) and Remote Desktop Protocol (RDP) rules. To test the SSH rule (port 22):

  1. Make sure a firewall ruleset to Deny SSH access from your test server is applied.
  2. Activate a Windows or Linux virtual machine with the SSH rule.
  3. Using another machine, try to establish an SSH connection to the virtual machine.
  4. On the Cloud One console, go to Events & Reports > Firewall events to view the denied event.

Intrusion Prevention

The EICAR IPS rule no longer applies because eicar.org updated their download format. To test IPS, create a new custom rule blocking (detect only) any website you specify.

  1. Create a custom IPS rule with similar configuration:

  2. Make sure that the rule is applied on the server.
  3. Access the website via cURL:

    curl http://www.example.com

Integrity Monitoring

For Integrity Monitoring (IM), create a custom rule that monitors a test file you create:

  1. To create an IM rule, refer to this Cloud One article.
  2. Make sure that the IM rule is applied on the server and included in Integrity Baseline.
  3. Modify the test file you created.
  4. If IM Real-time is not enabled, trigger "Scan for Integrity Changes".
  5. There should be an IM event.

Log Inspection

For Log Inspection, you can create a custom rule that will inspect a test log file:

  1. Create a Log Inspection rule that will monitor /tmp/test_access.log for a "200" entry. Follow the configuration from the following screenshot:

  2. Apply the rule on the server. Make sure to also apply the LI rule "Default Rules Configuration", as it is a dependency for LI to work properly.

  3. On the server, add the entry "200" to /tmp/test_access.log:

    echo "200" >> /tmp/test_access.log

  4. Back in the web console, go to Computers, open Computer properties > Log Inspection > Log Inspection Events. Wait for 10 minutes or click Get Events to see the test LI rule event.

Application Control

  1. Install the DSA on a Linux machine (feature currently not available for Windows) and turn on the Application Control feature.

  2. Create a test .jar file and execute it. You will find that it is blocked.

    [root@localhost ~]# echo abc > test.jar
    [root@localhost ~]# chmod 777 test.jar
    [root@localhost ~]# ./test.jar
    -bash: ./test.jar: Operation not permitted

  3. It will be recorded in application control events.

  4. Click Allow All and then run the file again. It should turn out successful.
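
The agent-side triggers in this article (Anti-Malware, Web Reputation, Log Inspection, Application Control) can be run in one pass with a UTC timestamp and the locally visible result recorded for each, which makes it easier to match them against the events that reach the console after the next heartbeat. This is an added example, not part of the original article or Trend Micro tooling; the function names, the results file and the `run` argument are assumptions, and it presumes the custom Log Inspection rule described above is already applied.

```shell
#!/usr/bin/env bash
# Added example (not Trend Micro code): run the agent-side triggers from this
# article and log a UTC timestamp plus the locally visible result of each.
# Function names, RESULTS and the "run" argument are assumptions of this example.
RESULTS="${RESULTS:-./trigger_results.log}"

record() {  # record <module> <result>
  printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$RESULTS"
}

# Application Control: the article's blocked run fails with "Operation not permitted".
classify_exec() {  # classify_exec <stderr text of the attempted run>
  case "$1" in
    *"Operation not permitted"*) echo blocked ;;
    *) echo not-blocked ;;
  esac
}

trigger_am() {  # Anti-Malware: download the EICAR file, note whether it stays on disk
  curl -sLO https://secure.eicar.org/eicar.com
  local rc=$?
  if [ -e eicar.com ]; then record anti-malware "curl_rc=$rc file=present"
  else record anti-malware "curl_rc=$rc file=absent"; fi
}

trigger_wrs() {  # Web Reputation: request the WRS test site, note the HTTP status
  local code
  code=$(curl -s -o /dev/null -w '%{http_code}' http://wrs21.winshipway.com)
  record web-reputation "http_code=$code"
}

trigger_li() {  # Log Inspection: append the "200" entry the custom rule watches for
  local log="${1:-/tmp/test_access.log}"
  echo "200" >> "$log" && record log-inspection "appended 200 to $log"
}

trigger_ac() {  # Application Control: create and execute test.jar as in the article
  local dir err
  dir=$(mktemp -d ./actest.XXXXXX) || return 1   # current dir, not /tmp (may be noexec)
  echo abc > "$dir/test.jar"; chmod 700 "$dir/test.jar"  # owner-exec is enough here
  err=$("$dir/test.jar" 2>&1 >/dev/null)
  record application-control "$(classify_exec "$err")"
  rm -rf "$dir"
}

if [ "${1:-}" = "run" ]; then
  trigger_am; trigger_wrs; trigger_li; trigger_ac
  cat "$RESULTS"
fi
```

Run it as `bash trigger_events.sh run` on the protected server (the file name is arbitrary), then compare the recorded timestamps with the per-module events in the console.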

Category: Configure
Solution Id: 000268660