Troubleshooting guidelines for common Deep Security issues

    • Updated: 16 Mar 2016
    • Product/Version: Deep Security 9.0, Deep Security 9.5
    • Platform: N/A
Summary

This article collects the troubleshooting steps and the diagnostic data to gather for common Deep Security issues: ESXi purple diagnostic screens (PSOD), agent-to-manager communication problems, Anti-Malware offline status, high CPU on the Deep Security Virtual Appliance (DSVA), filter driver connection problems, relay update failures, and agent activation failures.

Details

If you encounter a purple diagnostic screen (PSOD) on an ESXi host, collect the following files and submit them to Trend Micro Technical Support so that it can be determined whether the crash originates on the VMware side or on the Trend Micro side.

  1. Capture a screenshot of the purple diagnostic screen via remote KVM, or photograph the physical console, before rebooting the host. The screen contents are lost on reboot.
  2. Get the VMkernel core dump that was sent to the ESXi Dump Collector network service, and export the host's system logs. The Dump Collector only receives the dump if network core dump was configured on the host before the crash; otherwise the dump is in the host's local diagnostic partition and is extracted in step 3.
    1. Log in to the vSphere Client and navigate to the Home page.
    2. Click Hosts and Clusters, and select the host.
    3. Click Export > Export System Logs.
    4. Select all log types and choose where to store the logs to complete the export.
  3. Extract the log from the dump. Follow the procedure in this VMware article: Extracting the log file after an ESX or ESXi host fails with a purple screen error (1006796).
  4. Gather a vm-support log bundle from the host by running "vm-support" from the ESXi command line (ESXi Shell or SSH).

When a Deep Security Agent (DSA) shows as offline or fails to communicate with the Deep Security Manager (DSM), work through the following checkpoints:

  1. Check the service and the listening port to ensure that the DSA is running.
    1. Run services.msc from a command prompt and check the status of the Trend Micro Deep Security Agent service (on Linux, check the ds_agent service).
    2. Use telnet to confirm that the agent's port is open locally and that the manager's heartbeat port is reachable from the agent. Note that a space, not a colon, separates host and port:

      telnet 127.0.0.1 4118
      telnet [manager IP] 4120

      Port 4118 is the port the DSA listens on for manager-initiated connections; port 4120 is the port the DSM listens on for agent heartbeats.
  2. Ping between the DSM and the DSA to ensure that packets can reach each side for the heartbeat.
  3. Test DNS by checking that the DSM and the DSA can resolve each other's host name. If a host name cannot be resolved to an IP address, communication will fail.
  4. Check the firewall status and temporarily disable any host firewall to confirm whether it is blocking the traffic:
    • Linux: iptables or SELinux
    • Windows: the active Windows Firewall profile
    Re-enable the firewall with an exception for ports 4118 and 4120 once the cause is confirmed.
  5. If an Intrusion Prevention or Firewall rule in the assigned policy is blocking the connection between the DSM and the DSA, the policy cannot be unassigned from the manager, because the manager can no longer reach the agent. In this situation, reset the agent locally with "dsa_control -r" (this deactivates the agent and clears its configuration) and then reactivate it from the DSM.

When Anti-Malware is offline, the DSM shows an "Anti-Malware offline" notification for the affected computer.

Do the following to check and fix the offline status:

  1. Open a command prompt on the guest and run "sc query ds_am" to check whether the ds_am service is running.
  2. Verify that the DSVA is activated and that vShield Manager is registered in the DSM.
  3. Check the VMCI driver and the vShield Endpoint thin agent driver on the guest.
    1. Log in to the machine and open a command prompt.
    2. Run the following commands; both services should report STATE : RUNNING:

      sc query vmci
      sc query vsepflt

  4. Check the VMware drivers. The default VMware Tools installation does not select the vShield Endpoint drivers; select them manually under the VMCI Driver component, or choose the Complete installation.
  5. Check the vShield license.
    1. Open the vSphere Client.
    2. Navigate to Home > Licensing > Product.
    3. Check whether any license has expired.

Issue caused by limited resource

To resolve the issue:

  1. Make sure that CPU and memory reservations for the DSVA are configured in its virtual machine settings, so that the appliance is not starved when the host is under contention.
  2. Ensure that the deployment meets the sizing requirements specified in the Installation Guide.

Issue caused by Anti-Malware

To resolve the issue, temporarily disable Anti-Malware (AM) on the affected computer:

  1. Log in to the DSM console.
  2. Double-click the protected computer.
  3. Go to Anti-Malware and change its state to Off.

If the problem clears, re-enable AM and add the scan exclusions described in the next section rather than leaving AM off.

Issue caused by network traffic

To resolve the issue, add scan exclusions by following this article: Recommended scan exclusion list for Trend Micro Endpoint products.

Note that thin driver exclusions are case-sensitive: an excluded path must match the case of the actual path on disk, or the exclusion will not apply.

Issue caused by policy

To resolve the issue, set the policy assigned to the VM to None and check whether the problem persists.

Issue caused by high CPU

  1. Identify which DSVA has the high CPU issue.
    1. Go to the vCenter console.
    2. Click each DSVA and open the Performance tab to identify the DSVA with high CPU usage.
  2. Log in to that DSVA and run top to determine which process is consuming most of the CPU.
  3. Check the memory consumption of the high-CPU process.
    1. Run the following to check the process memory status, replacing "$PID" with the PID reported by top (for example, "cat /proc/4615/status"):

      # cat /proc/$PID/status

    2. Check whether the VmSize value is reasonable for that process.
    3. Export the process status and its open files to log files:

      # cat /proc/$PID/status > /tmp/HighCPUProcessMemory.txt
      # sudo lsof -p $PID > /tmp/HighCPUProcessOpenedFile.txt

  4. Check whether the DSVA has enough free memory.
    1. Run "cat /proc/meminfo" to see the DSVA's free memory (MemFree and, on newer kernels, MemAvailable).
    2. Run "cat /proc/meminfo > /tmp/DSVAMemory.txt" to export the content to a log file.
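The high-CPU triage above, collected into a script that runs on the DSVA (or any Linux host with /proc and procps ps). This is an added example and not code from the Trend Micro article; the function names, the Summary.txt and TopProcesses.txt files are this example's own additions, and VmRSS is reported next to VmSize because resident memory is what actually competes with the appliance's free memory.

```bash
#!/usr/bin/env bash
# Added example, not from the Trend Micro article: the high-CPU triage above
# as functions, run on the DSVA (or any Linux host with /proc and procps ps).
# Function names and the extra Summary/TopProcesses files are this example's own.
set -u

# PID of the process using the most CPU right now, what `top` shows first.
top_cpu_pid() {
    ps -eo pid=,pcpu= --sort=-pcpu | awk 'NR == 1 { print $1; exit }'
}

# Virtual size (VmSize, kB) of a process from /proc/<pid>/status. The article
# asks whether this is "reasonable"; compare it with the RSS below.
proc_vmsize_kb() {
    awk '/^VmSize:/ { print $2; exit }' "/proc/$1/status"
}

# Resident set size (VmRSS, kB): memory the process really holds, which is the
# number that competes with the appliance's free memory.
proc_vmrss_kb() {
    awk '/^VmRSS:/ { print $2; exit }' "/proc/$1/status"
}

# Free memory in kB from /proc/meminfo. MemAvailable (kernel 3.14+) counts
# reclaimable cache; older kernels only have MemFree, so fall back to it.
mem_available_kb() {
    awk '/^MemAvailable:/ { print $2; found = 1; exit }
         /^MemFree:/      { free = $2 }
         END              { if (!found) print free }' /proc/meminfo
}

# Write the files the article asks for into <outdir>, plus a process snapshot
# and a one-line summary. Returns 0 only when both /proc captures were written.
collect_high_cpu_bundle() {
    local pid="$1" outdir="$2"
    mkdir -p "$outdir" || return 1
    cat "/proc/$pid/status" > "$outdir/HighCPUProcessMemory.txt" || return 1
    # lsof may be missing on a minimal appliance; /proc/<pid>/fd is the fallback.
    if command -v lsof >/dev/null 2>&1; then
        lsof -p "$pid" > "$outdir/HighCPUProcessOpenedFile.txt" 2>/dev/null || true
    else
        ls -l "/proc/$pid/fd" > "$outdir/HighCPUProcessOpenedFile.txt" 2>/dev/null || true
    fi
    cat /proc/meminfo > "$outdir/DSVAMemory.txt" || return 1
    ps -eo pid,ppid,pcpu,pmem,rss,etime,cmd --sort=-pcpu 2>/dev/null | head -n 20 \
        > "$outdir/TopProcesses.txt"
    echo "pid $pid: VmSize $(proc_vmsize_kb "$pid") kB, VmRSS $(proc_vmrss_kb "$pid") kB," \
         "MemAvailable $(mem_available_kb) kB" > "$outdir/Summary.txt"
    [ -s "$outdir/HighCPUProcessMemory.txt" ] && [ -s "$outdir/DSVAMemory.txt" ]
}

# Stand-alone use: DSVA_TRIAGE_RUN=1 bash dsva_highcpu.sh [pid] [outdir]
if [ "${DSVA_TRIAGE_RUN:-0}" = 1 ]; then
    pid="${1:-$(top_cpu_pid)}"
    out="${2:-/tmp/dsva-highcpu-$(date +%Y%m%d-%H%M%S)}"
    collect_high_cpu_bundle "$pid" "$out" && cat "$out/Summary.txt"
fi
```

Run it as root so that lsof can see every file descriptor of the ds_filter or slowpath process; the resulting directory under /tmp is what you attach to the support case together with the vCenter performance graph.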

To resolve a problem with the connection between the DSVA and the filter driver on the ESXi host:

  1. Make sure the filter driver has been successfully installed and is running on the ESXi host.
  2. Check the DSVA side.
    1. Run the following command to check whether the slowpath process is running on the DSVA:

      # ps -edf | grep slowpath

      If the process is not running, restart the ds_filter service to start slowpath. If it still does not run, enable the slowpath debug log as described in the checklist guide.

    2. Check whether the connection between the DSVA and the ESXi host has been established. The filter driver connection uses TCP port 2222:

      # netstat -nap | grep 2222

      If the connection is missing, ping each side from the other first to confirm basic reachability.
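The DSVA-side checks above as reusable shell functions, added here as an example that is not the article's own code. The process name slowpath, the ds_filter service and port 2222 are taken from the article; the connection table embedded in the script is a constructed sample, not a real capture, and the restart-then-recheck flow in check_dsva_filter_link is this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the Trend Micro article: the DSVA-side checks above
# as reusable functions. The process name slowpath, the ds_filter service and
# port 2222 come from the article; the sample connection table below is
# constructed for demonstration, and check_dsva_filter_link's restart-then-
# recheck flow is this example's own.
set -u

# Is a process whose command name contains <name> running? Matching on
# `ps -eo comm=` instead of "ps -edf | grep slowpath" avoids the classic
# false positive where grep finds its own command line.
process_running() {
    ps -eo comm= | awk -v n="$1" 'index($1, n) { found = 1 } END { exit !found }'
}

# Does a connection table (netstat -nat or ss -tan format) on stdin contain an
# ESTABLISHED TCP session whose local or remote address ends in :<port>?
has_established_on_port() {
    awk -v p="$1" '
        toupper($0) ~ /ESTAB/ {
            for (i = 1; i <= NF; i++) if ($i ~ ("[:.]" p "$")) found = 1
        }
        END { exit !found }'
}

# Live connection table: netstat is what the article uses; ss replaces it on
# newer systems, and its state column reads ESTAB rather than ESTABLISHED.
connection_table() {
    if command -v netstat >/dev/null 2>&1; then netstat -nat 2>/dev/null
    else ss -tan 2>/dev/null; fi
}

# Constructed sample (not a real capture): one filter-driver session on 2222.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 169.254.50.39:2222      169.254.50.38:49152     ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Full check: 0 when slowpath is up and the port-2222 session exists. When
# slowpath is missing, restart ds_filter once, as the article advises, and
# re-check before giving up.
check_dsva_filter_link() {
    local port="${1:-2222}" rc=0
    if process_running slowpath; then
        echo "slowpath: running"
    else
        echo "slowpath: not running, restarting ds_filter"
        service ds_filter restart
        sleep 5
        if ! process_running slowpath; then
            echo "slowpath still down: enable slowpath debug logging and collect it"
            rc=1
        fi
    fi
    if connection_table | has_established_on_port "$port"; then
        echo "filter driver session on port $port: ESTABLISHED"
    else
        echo "filter driver session on port $port: missing, ping the ESXi host first"
        rc=1
    fi
    return "$rc"
}

# Stand-alone use: DSVA_LINK_CHECK_RUN=1 bash dsva_filter_link.sh
if [ "${DSVA_LINK_CHECK_RUN:-0}" = 1 ]; then
    check_dsva_filter_link 2222
fi
```

has_established_on_port reads from stdin on purpose: you can feed it a netstat output saved from the appliance at the time of the incident, not just the live table, which makes it useful when reviewing a collected log bundle.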

To resolve update failures where the agent cannot reach its relay (Deep Security Relay, DSR), or the relay cannot reach its update source:

  1. Check the relay's connection to its update source or proxy server.
    1. Check with IT whether a proxy is required for outbound access.
    2. Log in to the DSM console.
    3. Navigate to Administration > System Settings > Proxy.
    4. Check that the configuration settings (IP address, port, user name, and password) are typed correctly.
  2. Ping between the DSA and the DSR.
  3. Make sure that the relay port is open from the agent using "telnet x.x.x.x 4122", where x.x.x.x is the relay's address.
  4. Test DNS and check that the relay's host name can be resolved from the agent.
  5. Check whether a host firewall is blocking the communication and temporarily disable it to test:
    • Linux: iptables or SELinux
    • Windows: the active Windows Firewall profile
    Re-enable it with an exception for port 4122 once the cause is confirmed.
  6. Unassign the current policy and check whether the issue persists.
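The DSM, DSA and relay checkpoints above (agent port 4118, manager heartbeat port 4120, relay port 4122, DNS and the host firewall) as a shell script for a Linux agent, added here as an example that is not part of the article; Windows agents keep using the services.msc, sc and telnet commands shown in the text. The function names, the PASS/FAIL report, the optional proxy argument and the example host names are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the Trend Micro article: Linux-side version of the
# DSA <-> DSM and DSA <-> relay checkpoints. Ports are the ones the article
# names (4118 agent, 4120 manager heartbeat, 4122 relay); helper names, the
# PASS/FAIL report and the optional proxy argument are this example's own.
set -u

# Open a TCP connection to host:port within <timeout> seconds (default 3).
# Uses bash's /dev/tcp, so it works where telnet and nc are not installed.
port_open() {
    local host="$1" port="$2" t="${3:-3}"
    timeout "$t" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
}

# DNS checkpoint: can the local resolver turn this name into an address?
# IP literals need no lookup, so they pass without touching the resolver.
resolve_name() {
    case "$1" in
        *:*) return 0 ;;                                   # IPv6 literal
        *[!0-9.]*) getent hosts "$1" >/dev/null 2>&1 ;;   # a host name
        *) return 0 ;;                                     # IPv4 literal
    esac
}

# Firewall checkpoint: report the state; disabling it is a test, not a fix.
firewall_state() {
    local rules
    if command -v iptables >/dev/null 2>&1; then
        rules="$(iptables -S 2>/dev/null | grep -vc '^-P')" || rules=0
        echo "INFO  iptables non-policy rules: $rules (run as root for a full view)"
    fi
    if command -v getenforce >/dev/null 2>&1; then
        echo "INFO  selinux: $(getenforce 2>/dev/null)"
    fi
}

# Print PASS/FAIL for one check; the check is the remaining arguments.
report() {
    local label="$1"; shift
    if "$@"; then echo "PASS  $label"; return 0; fi
    echo "FAIL  $label"; return 1
}

# Run every checkpoint for one agent. Returns the number of failed checks.
#   dsa_checkpoints <manager host> <relay host> [proxy host:port]
dsa_checkpoints() {
    local dsm="$1" relay="$2" proxy="${3:-}" fails=0
    report "agent listening locally on 4118"       port_open 127.0.0.1 4118 || fails=$((fails + 1))
    report "manager name resolves ($dsm)"          resolve_name "$dsm"      || fails=$((fails + 1))
    report "manager heartbeat port 4120 reachable" port_open "$dsm" 4120    || fails=$((fails + 1))
    report "relay name resolves ($relay)"          resolve_name "$relay"    || fails=$((fails + 1))
    report "relay port 4122 reachable"             port_open "$relay" 4122  || fails=$((fails + 1))
    if [ -n "$proxy" ]; then
        # The relay reaches its update source through the proxy configured under
        # Administration > System Settings > Proxy; check it is at least reachable.
        report "proxy reachable ($proxy)" port_open "${proxy%:*}" "${proxy##*:}" || fails=$((fails + 1))
    fi
    firewall_state
    return "$fails"
}

# Stand-alone use: DSA_CHECK_RUN=1 bash dsa_checkpoints.sh dsm.example.com relay.example.com
if [ "${DSA_CHECK_RUN:-0}" = 1 ]; then
    dsa_checkpoints "${1:?manager host}" "${2:?relay host}" "${3:-}"
fi
```

The exit status is the number of failed checks, so the script can gate an automated remediation (for example, only run dsa_control -r when the heartbeat port is reachable but the agent still shows offline). The checks are deliberately read-only: the firewall is reported, not switched off, because turning it off is a diagnostic step that must be reversed afterwards.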

If the failed activation shows "Duplicate Computer" error message, follow the procedure in this article: Deep Security Manager (DSM) imported via vCenter shows "Activation Failed (Duplicate Computer)".

For other issues regarding DSA activation, refer to this article: Event ID 705: Activation Failed appears when activating the Deep Security Agent (DSA).

Category: Troubleshoot
Solution Id: 1111440