Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Recommendation Scans are being stuck in Deep Security Manager (DSM) 9.5

    • Updated:
    • 10 Nov 2015
    • Product/Version:
    • Deep Security 9.5
    • Platform:
    • Windows 2003 Server R2
    • Windows 2003 Small Business Server
    • Windows 2003 Small Business Server R2
    • Windows 2008 Server Foundation
    • Windows 2008 Server R2
    • Windows 2008 Server R2 Datacenter
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Standard
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Server Essential R2
    • Windows 2012 Server Foundation R2
    • Windows 2012 Standard R2
Summary

When you are using DSM pre-Manager Windows build 9.5.6511, the Recommendation Scans may become stuck and DSM may take longer time to respond.

Details
Public

To get the best possible interoperability with Recommendation Scans, ensure that the DSM resources are assigned accordingly. This means there should be enough IO assigned to handle large Recommendation Scan tasks.

For example, if you have to scan 300 virtual machines (VMs), it is recommended to have a DSM with 4 CPU and 12 GB of RAM. You need to adjust the JVM heap size to around 8 GB for the DSM server and modify the timeout values for the Recommendation Scans as well.

To resolve the issue, do the following:

  1. Download DSM 9.5.6511.exe and execute it to upgrade the DSM. For more information, refer to this article: Manually updating the Deep Security Manager (DSM) database schema.
  2. When the DSM has completed the upgrade and it didn't purge out the tasks within 2-3 hours, modify the timeout values.
    Scan recommendation is actually done by the DSM even in agentless protection. In agentless mode, DSVA collects meta data from the protected VM and send it to DSM to perform scan recommendation.

    Adjust the same agent socket timeout settings below to avoid timeout in agentless mode:

    // Default socket channel timeout (in milliseconds)
    defaultSocketChannelTimeout

    // Default agent socket timeout override (in seconds)
    agentSocketTimeoutOverride

    1. Run the following command to adjust the hidden settings:

      > cd C:\Program Files\Trend Micro\Deep Security Manager\
      > dsm_c.exe -action changesetting -name configuration.defaultSocketChannelTimeout -value 1200000
      > dsm_c.exe -action changesetting -name configuration.agentSocketTimeoutOverride -value 1200

    2. Perform the following SQL command against the DSM database (DB) to make sure that the settings have been modified:
       
      The following command will show the new settings in DSM. By default, the values are 300,000 and 300.

      select *
      from [dsm].[dbo].[systemsettings]
      where UniqueKey like N'%Socket%Timeout%'

  3. Increase the JVM heap size on the DSM to allow larger java memory acquisition for DSM purposes. Follow the steps in this article: “The memory warning threshold…has been exceeded” appears in Deep Security Manager (DSM).
  4. Perform again the Recommendation Scan.

If the issue still persists, do the following:

  1. Enable the DSM logging for detection engine and protocol.

    java.util.logging.FileHandler.limit = 100000000
    java.util.logging.FileHandler.count = 10
    com.thirdbrigade.manager.core.protocol.level = ALL
    com.thirdbrigade.manager.core.detectionengine.level=ALL
    com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.HostUpdaterCommandGetHostMetaData.level=ALL

  2. Make sure that configuration settings are correct.
    • Use at least ESX 5.1, VSM 5.1, and vCenter 5.1.
    • The ESX should be prepared with vShield Installed status.
    • DSVA should be deployed with vShield Registered status.
    • Each Windows VM has VMtools and optional vShield drivers installed.
  3. Run the following command to make sure vShield endpoint is configured correctly:

    $ cd /var/opt/ds_agent/guests/<GUEST_GUID>
    $ export LD_LIBRARY_PATH=/opt/ds_agent/lib
    $ sudo /opt/ds_agent/dsampoke <GUEST_GUID> status

    The output should be similar to the following:

    amStatus <AmStatus driverOffline="true" imScanStatus="4" rcScanStatus="4" scanStatus="4" />

    If the status value is "5", it means the vShield endpoint driver is not configured well or improperly working.

Premium
Internal
Rating:
Category:
Configure
Solution Id:
1112836
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.