Testing the Deep Security modules

Updated: 18 May 2016
Product/Version: Deep Security 9.0, 9.5, 9.6
Platform: Windows 2008 Enterprise 64-bit
Summary

Learn how to evaluate the following modules of Deep Security:

  • Anti-malware
  • Firewall
  • File Integrity Monitoring
  • Log Inspection
  • Web Reputation Service
  • Deep Security Administration
  • Integration with VMware
  • High Availability or Failover
  • Intrusion Prevention
Details

Test requirements

Before testing this module, make sure you have the following:

  • Deep Security Manager (DSM) and Deep Security Virtual Appliance (DSVA) installed
  • One or more virtual machines (VMs) protected by Deep Security
  • Physical or virtual machines with the Deep Security Agent (DSA) and its anti-malware module (optional)

Test procedure for anti-malware

  1. Activate a physical or virtual machine with anti-malware module enabled.
  2. Download the EICAR test file to the virtual machine. The real-time scan should quarantine the file.
  3. On the DSM console, go to Events & Reports > Anti-Malware Events to verify the record of the malware detection.
  4. Set up scheduled scans.
    1. On the DSM console, go to Administration tab.
    2. Click Scheduled task > New.
    3. Select Scan for Malware.
  5. Demonstrate file exclusions.
    1. On the DSM console, go to the assigned policy or security profile.
    2. Click Anti-malware.
    3. On the Default Real-Time Scan configuration, click Edit.
    4. Go to Exclusions tab, and then expand the Directory List.
    5. Click Create New.
    6. Provide a name for this directory list.
    7. On the Directory section, specify the path of the directory you want to exclude from the scan. For example, C:\Test Folder.
    8. Download the EICAR test file and save it in the folder specified in the previous step. The file should be saved without being detected, because the directory is excluded from scanning.
  6. Perform virus pattern updates on DSM and set up automatic updates.
    By default, Deep Security 9.0 has a pre-created scheduled task for Daily Download Security Update and Daily Component Update. To immediately run the task, go to Administration > Scheduled Tasks, and then click Run Task Now.
  7. Optionally, save the EICAR test file to a path outside the exclusion list to exercise both the real-time scan and a scheduled scan. In both cases the file should be quarantined.
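
The following script is an added example for the anti-malware test and is not code from the original article. It plants the EICAR test string in two folders (the article's exclusion C:\Test Folder and a hypothetical non-excluded folder, C:\EICAR-Scanned) and reports which copy survives the real-time scan. The string is assembled from fragments so the script itself is not detected; the MD5 constant is the published hash of the 68-byte EICAR file.

```python
"""Plant the EICAR test string in a scanned folder and in an excluded folder.

Added example for the anti-malware test; not code from the original KB
article. Folder paths are assumptions for a lab VM: the article's exclusion
C:\\Test Folder and a hypothetical C:\\EICAR-Scanned.
"""
import hashlib
import os
import sys
import tempfile
import time

# Assembled from fragments so that this script is not itself detected.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",
    "$H+H*",
)
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"   # published hash of the 68-byte file


def eicar_bytes():
    """Return the 68-byte EICAR test file content."""
    return "".join(_EICAR_PARTS).encode("ascii")


def eicar_md5():
    """MD5 of the generated content; compare with EICAR_MD5 before trusting a run."""
    return hashlib.md5(eicar_bytes()).hexdigest()


def write_eicar(directory, name="eicar.com"):
    """Write the test file into *directory* and return its path."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(eicar_bytes())
    return path


def survives(path, wait_seconds=10.0):
    """True if the file is still present after the real-time scan has had time to act."""
    deadline = time.monotonic() + wait_seconds
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            return False          # quarantined or deleted by anti-malware
        time.sleep(0.5)
    return True


def check_lab(excluded_dir, scanned_dir):
    """Expected on a protected VM: {'excluded': True, 'scanned': False}."""
    return {
        "excluded": survives(write_eicar(excluded_dir)),
        "scanned": survives(write_eicar(scanned_dir)),
    }


def round_trip():
    """Offline self-check: bytes written to a temp dir read back unchanged."""
    path = write_eicar(tempfile.mkdtemp())
    with open(path, "rb") as fh:
        data = fh.read()
    os.remove(path)
    return data == eicar_bytes()


if __name__ == "__main__":
    excluded = sys.argv[1] if len(sys.argv) > 1 else r"C:\Test Folder"
    scanned = sys.argv[2] if len(sys.argv) > 2 else r"C:\EICAR-Scanned"
    print(check_lab(excluded, scanned))
```

Run it on the protected VM with the two folder paths as arguments; the expected result is that only the copy in the excluded folder survives, and the Anti-Malware Events view in DSM shows one detection for the other copy.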

Test requirements

Before testing this module, make sure you have:

  • Selected a network protocol, such as TCP/UDP, to test
  • VMs protected by DSVA
  • Disabled the host-based firewall, such as Windows Firewall or Linux iptables (optional, but it ensures that a denied connection is attributable to Deep Security and not to the OS firewall)
  • Deep Security Agents (DSA) on VMs to demonstrate port or protocol scanning or to evaluate Linux/Unix VMs
  • Rule sets in Deep Security console:
    • IP address
    • MAC Address
    • TCP/UDP port
    • Groups of rules (by profile)

    To check, you can go to the DSM console, select a computer or policy, then click Firewall > Firewall rule > Assign/Unassign.

Test procedure for firewall

  1. Evaluate the Secure Shell (SSH) and Remote Desktop Protocol (RDP) rules.

    To test the SSH rule (port 22):

    1. Activate a Windows or Linux virtual machine with the SSH rule assigned.
    2. From another machine, try to establish an SSH connection to the virtual machine.
    3. On the DSM console, go to Events & Reports > Firewall Events to view the denied event.

    To test the RDP rule (port 3389):

    1. Activate a Windows or Linux virtual or physical machine with the RDP rule assigned.
    2. From another machine, try to connect to it using RDP.
    3. On the DSM console, select the computer or policy.
    4. Click Firewall and go to Firewall Events to view the denied event.
  2. Test the stateful configuration feature.
    1. On the DSM console, select a computer and add the SSH rule to the current firewall rules.
       
      • You can also add the rule via Policy/Security Profile to apply it on multiple machines.
      • Use the pre-created SSH rule that allows incoming SSH traffic.
      • There should be no firewall rule on outgoing SSH.
       
    2. From another computer, try to connect to the target computer using an SSH client such as PuTTY.
    3. Check the Firewall Events. The attempt should be logged as "Out of Allowed Policy".
    4. Go back to the Computer/Policy view, and then go to Firewall.
    5. Under Firewall Stateful Configuration, select Enable Stateful Inspection.
    6. Click Save, then repeat the SSH connection from the other computer to confirm the change in behavior.
  3. Test the port scanning to show running ports and services on a VM.
    1. On the DSM console, go to Computers tab.
    2. Right-click the computer to be scanned and click Scan for Open Ports.
    3. From the Computer view, go to the Firewall section to view the result.
      Close unused open ports to prevent exposure to malicious attacks, worms, or Trojans.
  4. Test Event Tagging in the DSM console.
    1. On the DSM console, go to Events.
    2. Right-click an event for tagging and click Add tags.
    3. Enter a Name for the tag.
    4. Tick the To Selected Events check box. The tag is added to the Tag(s) column.
    5. If you want to auto-tag similar events in the future:
      1. On the DSM console, go to the Events tab.
      2. Right-click an event and click Add tags.
      3. Select Apply to Selected and Similar System Events.
      4. Filter the Similar System Events criteria, and then click Next.
      5. Tick the Future System Events check box.
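
The script below is an added example for the firewall tests and is not code from the original article. Run it on the second machine to make the SSH and RDP connection attempts that should produce the denied events, and to distinguish a port the firewall dropped (no answer within the timeout, reported as filtered) from one where the packet reached the OS and nothing was listening (a reset, reported as closed). The target address is passed on the command line; the loopback self-test uses an ephemeral port.

```python
"""Probe the SSH and RDP ports of a protected VM from a second machine.

Added example for the firewall test; not code from the original KB article.
Target addresses are passed on the command line; the loopback self-test
uses an ephemeral port.
"""
import socket
import sys
from contextlib import contextmanager

PORTS = {"ssh": 22, "rdp": 3389}          # the two rules the procedure exercises


def probe_tcp(host, port, timeout=3.0):
    """Classify a connect attempt as 'open', 'closed' or 'filtered'.

    'closed' means a RST came back: the packet reached the OS and nothing was
    listening, so the firewall did not stop it. 'filtered' means no answer
    within the timeout, which is what a silently dropped packet looks like;
    that is the result to expect for a denied port, alongside the denied
    event in DSM.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:                 # e.g. no route to host
        return "error:%s" % exc.errno
    finally:
        sock.close()


def scan(host, ports):
    """Probe a list of ports; an external cross-check of 'Scan for Open Ports'."""
    return {p: probe_tcp(host, p) for p in ports}


@contextmanager
def local_listener():
    """Bind an ephemeral loopback port for the self-test."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def self_test():
    """Expect ('open', 'closed'): open while the listener is up, closed once it is gone."""
    with local_listener() as port:
        while_up = probe_tcp("127.0.0.1", port, 2.0)
    return while_up, probe_tcp("127.0.0.1", port, 2.0)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, port in PORTS.items():
        print("%-4s %5d %s" % (name, port, probe_tcp(target, port)))
```

For the stateful inspection test, run the probe against port 22 before and after enabling Stateful Inspection and compare the results with the Firewall Events for the same time window.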

Test requirements

Before testing this module, make sure you have Windows VMs with the DSA installed and activated.

Test procedure for File Integrity Monitoring

  1. On the DSM console, enable Integrity Monitoring.
    1. Click Integrity Monitoring on the left pane.
    2. Under Integrity Monitoring State, select On and click Save.
  2. Add the Microsoft Windows - 'Hosts' file modified rule to a computer, policy, or security profile.
    This rule monitors the Windows hosts file, C:\windows\system32\drivers\etc\hosts.
  3. After the Rebuild Baseline process is completed, modify the C:\windows\system32\drivers\etc\hosts file of the computer.
  4. Verify the events in the Deep Security console. You should see an Integrity Monitoring event reporting that the file has been modified.
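
The following script is an added example for the File Integrity Monitoring test and is not code from the original article. It makes the hosts file change from step 3 in a controlled way: it appends a harmless comment line (the marker text is an assumption), records the file hash before and after so the change can be matched against the event DSM raises, and can remove the line again afterwards, which should produce a second event. It needs administrator (or root) rights to write the file.

```python
"""Make a reversible, hash-logged change to the hosts file for the FIM test.

Added example for the File Integrity Monitoring test; not code from the
original KB article. The marker comment is an assumption, and the
/etc/hosts path is used only when run on a non-Windows agent.
"""
import hashlib
import os
import tempfile

HOSTS_PATH = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
              else "/etc/hosts")
MARKER = b"# deep-security-fim-test-marker"   # harmless comment line (assumed)


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def add_marker(path, marker=MARKER):
    """Append the marker as a new line; return (sha256_before, sha256_after).

    Keep both hashes so the change can be matched against the file
    attributes shown in the Integrity Monitoring event.
    """
    before = sha256_of(path)
    with open(path, "rb") as fh:
        data = fh.read()
    nl = b"\r\n" if b"\r\n" in data else b"\n"   # keep the file's line-ending style
    if data and not data.endswith(b"\n"):
        data += nl                                 # leaves one extra line ending after restore
    with open(path, "wb") as fh:
        fh.write(data + marker + nl)
    return before, sha256_of(path)


def remove_marker(path, marker=MARKER):
    """Strip marker line(s); True if anything changed. This is a second modification."""
    with open(path, "rb") as fh:
        lines = fh.read().splitlines(keepends=True)
    kept = [ln for ln in lines if ln.strip() != marker]
    if len(kept) == len(lines):
        return False
    with open(path, "wb") as fh:
        fh.writelines(kept)
    return True


def exercise(path):
    """Modify-then-restore cycle; for a file ending in a newline all three are True."""
    before, after = add_marker(path)
    removed = remove_marker(path)
    return {"changed": before != after, "removed": removed,
            "restored": sha256_of(path) == before}


def make_sample_hosts():
    """Constructed stand-in for the real hosts file, for an offline dry run."""
    path = os.path.join(tempfile.mkdtemp(), "hosts")
    with open(path, "wb") as fh:
        fh.write(b"127.0.0.1       localhost\r\n::1             localhost\r\n")
    return path


if __name__ == "__main__":
    before, after = add_marker(HOSTS_PATH)      # needs administrator/root rights
    print("before", before)
    print("after ", after)
    input("Check Integrity Monitoring events in DSM, then press Enter to restore...")
    print("restored:", remove_marker(HOSTS_PATH))
```

Wait for the Rebuild Baseline to finish before running it; a change made while the baseline is still being built may not be reported.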

Test requirements

Before testing this module, make sure you have:

  • VMs with the DSA installed and log sources such as Microsoft Windows event logs, the Microsoft Windows registry, and Linux syslog files
  • The machines activated in DSM

Test procedure for Log Inspection

  1. On the DSM console, select a computer or policy.
  2. Enable Log Inspection on the selected computer or policy.
    1. Click Log Inspection on the left pane.
    2. Under Log Inspection State, select On and click Save.
  3. Go to Advanced tab, change the "Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level" to "Low (3)" and click Save.
  4. Configure the DSM to read log files and Microsoft Windows registries on the VMs by clicking Assign/Unassign and then selecting the following rules:
    • 1002792 - Default Rules Configuration – This is required for all other Log Inspection rules to work.
    • 1002795 - Microsoft Windows Events – This logs events every time the Windows auditing functionality registers an event.
  5. Click OK, and then click Save to apply the rules to the policy.
  6. Generate log and event entries on the VMs, for example by changing the start type of the Windows Audio service from "Automatic" to "Manual".
  7. Verify the generated events.
    1. On the DSM console, select the computer or policy.
    2. Click Log Inspection > Log Inspection events.
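
The script below is an added example for step 6 of the Log Inspection test and is not code from the original article. It uses sc.exe, as an administrator would at the command line, to switch the Windows Audio service (Audiosrv) to Manual, reads the new start type back with sc qc, and is run again with "Automatic" to revert. The Service Control Manager logs the start-type change as event 7040, which is what the Microsoft Windows Events rule should pick up. The sc qc output embedded below is constructed for the offline self-test; the subprocess runner is injectable so the flow can be checked off a Windows machine.

```python
"""Change the Windows Audio service start type with sc.exe to generate a Log Inspection event.

Added example for the Log Inspection test; not code from the original KB
article. The 'sc qc' sample output is constructed for the offline self-test;
everything else is the standard sc.exe syntax.
"""
import re
import subprocess
import sys

SERVICE = "Audiosrv"                      # "Windows Audio", as in the procedure
START_TYPES = {"Automatic": "auto", "Manual": "demand", "Disabled": "disabled"}


def sc_config_args(service, start_type):
    """argv for 'sc config <service> start= <value>'.

    sc.exe requires 'start=' and the value as separate tokens (note the space);
    passing 'start=demand' as one token is the classic mistake.
    """
    return ["sc", "config", service, "start=", START_TYPES[start_type]]


def parse_start_type(sc_qc_output):
    """Extract e.g. 'DEMAND_START' from 'sc qc' output; None if not found."""
    m = re.search(r"START_TYPE\s*:\s*\d+\s+([A-Z_]+)", sc_qc_output)
    return m.group(1) if m else None


def set_start_type(service, start_type, run=subprocess.run):
    """Apply the change and return the start type 'sc qc' reports afterwards.

    'run' is injectable so the flow can be exercised off a Windows box.
    """
    run(sc_config_args(service, start_type), check=True)
    qc = run(["sc", "qc", service], check=True, capture_output=True, text=True)
    return parse_start_type(qc.stdout)


SAMPLE_SC_QC = (   # constructed, shaped like real 'sc qc Audiosrv' output
    "[SC] QueryServiceConfig SUCCESS\r\n\r\n"
    "SERVICE_NAME: Audiosrv\r\n"
    "        TYPE               : 20  WIN32_SHARE_PROCESS\r\n"
    "        START_TYPE         : 3   DEMAND_START\r\n"
    "        ERROR_CONTROL      : 1   NORMAL\r\n"
)


def fake_run(argv, **kwargs):
    """Stand-in for subprocess.run used by the offline self-test."""
    out = SAMPLE_SC_QC if argv[:2] == ["sc", "qc"] else ""
    return subprocess.CompletedProcess(argv, 0, stdout=out, stderr="")


if __name__ == "__main__":
    wanted = sys.argv[1] if len(sys.argv) > 1 else "Manual"   # rerun with "Automatic" to revert
    print(SERVICE, "is now", set_start_type(SERVICE, wanted))
```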

Test requirements

Testing this module requires a VMware virtual machine or a physical machine protected by Deep Security.

Test procedure for Web Reputation

  1. On the DSM console, select a computer or policy.
  2. Enable Web Reputation.
    1. Click Web Reputation on the left pane.
    2. Under the Web Reputation State, select On and click Save.
  3. Navigate to Exception tab.
  4. Add “http://www.facebook.com” under Blocked URL and click Save.
  5. From a protected computer, open a browser and access Facebook. A message denying access should appear on the client machine.
  6. On the DSM console, go to Web Reputation and click Events to verify if the website blocking is recorded.

Test procedure for Deep Security Administration

  1. Evaluate the Role Based Access Control (RBAC).
    1. Create a user in Deep Security and assign a role with limited functionality, such as View Only.
    2. Log on as the newly created user and verify the limited functionality. An account with the View Only role can read settings but cannot modify them or perform any administrative task.
  2. Evaluate integration with Active Directory (AD) Users.
     
    This requires a published AD certificate.
    1. On the DSM console, go to Administration tab.
    2. Click Synchronize with Directory.
    3. Select the appropriate options and click Next.
    4. After the synchronization is completed, click Finish.
    5. Log in with one of the synchronized Active Directory accounts.
  3. As an option, you may also add SMTP, SNMP, and SYSLOG servers to Deep Security.
    • To add an SMTP server, go to Administration > System Settings > SMTP and provide the necessary information.
    • To add an SNMP server, go to Administration > System Settings > SNMP and provide the necessary information.
    • To add a remote syslog server, go to Administration > System Settings > SIEM and provide the necessary information.
  4. Generate reports.
    1. On the DSM console, go to Events & Reports > Generate Reports.
    2. Select a report to generate, such as Firewall Report.
    3. Select a format, such as PDF.
    4. Click Generate, and then click Save.
    5. Open the report.
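
The following script is an added example for the remote syslog step under item 3 above and is not code from the original article. It is a throwaway UDP syslog receiver to run on the host you entered as the syslog server in DSM, so you can confirm that DSM actually forwards events and see the facility and severity it sends. The bind address and port are assumptions (514/udp is the conventional syslog port and must match the port configured in DSM); the sample message used by the self-test is constructed and is not Deep Security output.

```python
"""Throwaway UDP syslog receiver to confirm the DSM remote syslog setting works.

Added example for the SIEM/syslog step; not code from the original KB
article. Bind address and port are assumptions (514/udp must match the DSM
setting). The sample message is constructed.
"""
import re
import socket
import sys

PRI_RE = re.compile(r"^<(\d{1,3})>")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
CONSTRUCTED_MESSAGE = "<134>May 18 10:00:00 lab-dsm constructed test message"


def parse_pri(message):
    """Decode the syslog PRI header into (facility, severity name); None if malformed."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, SEVERITIES[pri % 8]


def open_receiver(bind_addr="0.0.0.0", port=514):
    """Bind a UDP socket; port 514 needs root/administrator rights."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock


def collect(sock, max_messages=5, timeout=60.0):
    """Return up to max_messages of (sender_ip, (facility, severity), text)."""
    sock.settimeout(timeout)
    received = []
    try:
        while len(received) < max_messages:
            data, (host, _port) = sock.recvfrom(65535)
            text = data.decode("utf-8", "replace")
            received.append((host, parse_pri(text), text))
    except socket.timeout:
        pass            # nothing arrived in the window; recheck the DSM SIEM settings
    return received


def send_test_message(host, port, text):
    """Client side, so the receiver can be validated before involving DSM."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(text.encode("utf-8"), (host, port))


def loopback_self_test():
    """Send the constructed message to an ephemeral loopback port and collect it."""
    sock = open_receiver("127.0.0.1", 0)
    try:
        port = sock.getsockname()[1]
        send_test_message("127.0.0.1", port, CONSTRUCTED_MESSAGE)
        return collect(sock, max_messages=1, timeout=5.0)
    finally:
        sock.close()


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 514
    with open_receiver("0.0.0.0", port) as sock:
        for host, pri, text in collect(sock):
            print(host, pri, text)
```

Start the receiver, then trigger an event that DSM forwards (for example the EICAR detection from the anti-malware test) and check that the sender address printed is the DSM's; if nothing arrives, check the host firewall on the receiver before revisiting the DSM settings.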

Test requirements

Testing the integration with VMware requires the following:

  • Two VMware ESXi hosts that are both prepared and deployed with DSVA
  • VMs protected by DSVA
  • VMware vSphere with enabled and licensed DRS
  • Shared storage for vMotion

Test procedure for the integration with VMware

  1. Check that Deep Security synchronizes VM state with vCenter.
    1. Add, remove, shut down, or start VMs in the vSphere client.
    2. Verify that the change is reflected in the Deep Security console.
  2. Test the event-based tasks for newly created or moved VMs.
    1. On the DSM console, go to Administration > Event-based task > Computer Created.
    2. Indicate the action to perform, then click Activate a computer & Assign a Policy.
    3. Select an appropriate condition.
    4. Provide a name for this task and click Finish.
    5. On the DSM console, go to Administration > Event-based task > Computer Moved.
    6. Indicate the action to perform, then click Activate a computer & Assign a Policy.
    7. Select an appropriate condition.
    8. Provide a name for this task and click Finish.
    9. Create a new VM in vCenter, or vMotion a VM to the other protected ESXi host.
    10. Verify that the VM is automatically activated and assigned the selected policy.
    11. Optionally, resume a suspended VM. A resumed VM is immediately protected with the latest anti-malware patterns and DPI rules.

Test requirements

Testing this requires:

  • Two DSM instances sharing one database
  • VMs protected by Deep Security

Test procedure for the High Availability or Failover

  1. Check that both Deep Security consoles display the same data from the protected environment.
  2. Shut down the first DSM, or disable the network interface on its operating system. The second Deep Security console should still function and display data.
  3. Start the first DSM again, or re-enable its network interface.
  4. Shut down the second DSM, or disable the network interface on its operating system. The first Deep Security console should still function and display data.

Test procedure for Intrusion Prevention

To check whether the Intrusion Prevention (IPS) module is working:

  1. For Deep Security Agent (DSA) users, make sure that the Trend Micro LightWeight Filter Driver is enabled on the network interface you want to protect.
    For agentless protection, make sure the Deep Security Virtual Appliance (DSVA) is working normally.

    (Screenshot: Trend Micro LightWeight Filter Driver enabled on the network adapter)

  2. Assign the rule that restricts the download of the EICAR file on the Intrusion Prevention Rules Assign/Unassign page.
    1. From the DSM console, double-click the protected machine.
    2. Click Intrusion Prevention > Assign/Unassign.
    3. Enable the Rule ID 1005924 Restrict Download of EICAR Test File Over HTTP.

    (Screenshot: Restrict Download of EICAR Test File Over HTTP rule)

  3. Download the EICAR file to the protected machine.
  4. Check the IPS events to ensure it logs the event for blocking the EICAR file.
    1. From the DSM console, double-click the protected machine.
    2. Go to Intrusion Prevention > Events.
    3. Click Get Events. If you find events showing the EICAR download being blocked, the IPS module is working.
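
The script below is an added example for the Intrusion Prevention check and is not code from the original article. Instead of depending on internet access from the lab, it hosts the EICAR file on a small HTTP server you run on any lab host, and a fetch command you run from the protected machine reports whether the body arrived intact or the transfer was interrupted. The server address and port are assumptions passed on the command line. Rule 1005924 is named for HTTP, so the fetch deliberately uses plain http:// and not https://, which the rule would not see.

```python
"""Host the EICAR file on a lab web server and fetch it through the IPS over plain HTTP.

Added example for the Intrusion Prevention check; not code from the original
KB article. Run 'serve' on a lab host and 'fetch' from the protected machine;
the server address and port are assumptions you pass on the command line.
"""
import http.client
import http.server
import socket
import sys
import threading
import urllib.error
import urllib.request

# Assembled from fragments so the script itself is not flagged.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
         "$H+H*").encode("ascii")


class EicarHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/eicar.com":
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(EICAR)))
        self.end_headers()
        self.wfile.write(EICAR)

    def log_message(self, *args):
        pass                      # keep the lab server quiet


def start_server(bind="0.0.0.0", port=8080):
    srv = http.server.ThreadingHTTPServer((bind, port), EicarHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, timeout=10.0):
    """('delivered', byte_count) if the body arrived intact, otherwise ('blocked', reason).

    An IPS that interrupts the transfer shows up as a reset, a timeout or a
    short read rather than as an HTTP status code.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
        return ("delivered", len(body))
    except urllib.error.HTTPError as exc:
        return ("http_error", exc.code)
    except (urllib.error.URLError, http.client.IncompleteRead,
            ConnectionError, socket.timeout, OSError) as exc:
        return ("blocked", exc.__class__.__name__)


def self_test():
    """Unprotected loopback run: expect ('delivered', 68)."""
    srv = start_server("127.0.0.1", 0)
    try:
        return fetch("http://127.0.0.1:%d/eicar.com" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    if sys.argv[1:2] == ["serve"]:
        srv = start_server(port=int(sys.argv[2]) if len(sys.argv) > 2 else 8080)
        print("serving /eicar.com on", srv.server_address)
        threading.Event().wait()
    elif sys.argv[1:2] == ["fetch"]:
        print(fetch(sys.argv[2]))
    else:
        print(self_test())
```

On a protected machine with rule 1005924 assigned, the fetch should report blocked and the Intrusion Prevention events should show the corresponding entry. If the fetch reports delivered but the saved file then disappears, it was the anti-malware real-time scan that acted, not the IPS, so check the rule assignment and the filter driver again.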