Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Smart Protection Server disconnected messages appear in Deep Security

    • Updated:
    • 27 Jun 2019
    • Product/Version:
    • Cloud One - Workload Security All
    • Deep Security 10.0
    • Deep Security 10.1
    • Deep Security 10.2
    • Deep Security 10.3
    • Deep Security 11.0
    • Deep Security 11.1
    • Deep Security 11.2
    • Deep Security 11.3
    • Deep Security 12.0
    • Deep Security 9.6
    • Platform:
    • HPUX 11.x
    • IBM AIX
    • Linux - Red Hat RHEL 4 32-bit
    • Linux - Red Hat RHEL 4 64-bit
    • Linux - Red Hat RHEL 5 32-bit
    • Linux - Red Hat RHEL 5 64-bit
    • Linux - Red Hat RHEL 6 32-bit
    • Linux - Red Hat RHEL 6 64-bit
    • Linux - SuSE 10
    • Linux - SuSE 11
    • Unix - Solaris (Sun) version 10 (SunOS 5.10)
    • Unix - Solaris (Sun) version 9 (SunOS 5.9)
    • Windows 2003 Enterprise
    • Windows 2003 Standard
    • Windows 2008 Enterprise
    • Windows 2008 Standard
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Professional
    • Windows XP Professional 64-bit

Know more about the disconnection issues that happen between Smart Protection Server and Deep Security.

When Web Reputation Services (WRS) is used and the profile/agents are set to connect to a local Smart Protection Server, users get frequent disconnection alerts in the Deep Security Manager (DSM).


The alerts possibly occur because of the following scenarios:

  • When there is a temporary communication issue, the alert on the Deep Security Manager remains until it is dismissed by the customer. Having the alert could be misinterpreted as an actual issue even if it is not. When the alert "Smart Protection disconnected" is raised in Deep Security Manager, it requires administrator to clear the warnings/errors as this alert will not dismiss itself. Therefore, even after the server has been reconnected, the alert will remain.
  • The option When off domain, connect to global Smart Protection Service (Windows only) is linked closely to the location awareness feature in Deep Security.

    If you have a machine on a domain and you have a local SPS with the abovementioned setting enabled, then Deep Security Agent will check for the domain controller (using an ICMP ping) at a regular interval. If the domain controller is present, Deep Security Agent will assume that you are on the domain and will continue to use the local SPS. However, if connection to the domain controller cannot be established, the agent will assume that you are "Off domain" and will switch to using global SPS instead.

    If you enabled the option on a machine that is not part of a domain or a machine that cannot ping the domain controller (e.g due to a firewall rule), then that machine will always use the global SPS. Therefore, this option should only be selected for machines that are part of a domain and have the potential to go off domain (i.e. laptops). It is not meant as a failover in case the local Smart Protection Server fails.

Deep Security has a complex design to determine connectivity and to report lost connectivity to/from Smart Protection Server.

  • For Anti-Malware, Deep Security is dependent on the AMSP component to determine if the Smart Protection Server can be detected. If a file is being scanned, AMSP may try to connect to the Smart Protection Server. If AMSP is unable to connect to SPS, then it raises an internal event that the Deep Security Agent receives and uses to mark the server as suspect.

    Deep Security tries to connect to each suspect server (as there may be multiple in the case of local Smart Protection Servers) every five minutes and waits for five seconds for the connection to complete. If Deep Security does not get a connection within five seconds, then it will try again for two more times (total of three tries). If it still cannot connect to any of the servers, it marks the server as disconnected and reports to Deep Security Manager that the specific SPS is disconnected from Smart Scan.

    Deep Security will then try again every five minutes and recheck all those servers marked as disconnected. If the server gets reconnected, then DSA will notify the Deep Security Manager and a Smart Protection Server Connected event will be returned.

  • WRS is handled differently because of WRS caching. When a URL is accessed, Deep Security Agent may attempt to connect to the Smart Protection Server if the URL is not yet cached. If Deep Security Agent is unable to connect to the server, it will raise an event and report to the Deep Security Manager that the Smart Protection Server is disconnected from Smart Scan for Web Reputation. This event will be generated every five minutes.

    For WRS, users can only detect whether the server is down. By default, there is no way to detect once the server is up because of the local and web caching effects. Therefore, there is no "Reconnected" event for WRS.

    These details hold true in all situations. However, in the case of local Smart Protection Server, when the When Roaming check box is selected, the reporting and checking behavior is different.

SPS Server URL is case sensive. In addition, the inheritance should be correct for policy.
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.