Abnormal kernel logs and reboot occur in Deep Security Virtual Appliance with Anti-Malware feature

    • Updated: 28 Jul 2020
    • Product/Version: Deep Security 10.0, Deep Security 10.1, Deep Security 10.2, Deep Security 10.3, Deep Security 11.0
    • Platform: CentOS 6 64-bit
Summary

Machines that use the Anti-Malware feature may show abnormal entries in the kernel logs and reboot frequently. The reboots are caused by a failure to process a kernel paging request.

Details

The issue happens because CA ControlMinder and Deep Security RTS (RealTimeScan) both access the same low-level system resource. When the CA software starts first, Deep Security continuously restarts because the low-level system resource is already allocated. When Deep Security starts before the CA software, the CA software causes the kernel panic.

To resolve the issue:

  1. Create the ds_am.ini file under /var/opt/ds_agent/am/.
  2. Add the following line:

    /opt/ds_agent/lib/libvmpd_dsa_rtscan.so=rtscan_hook_enable=1,rtscan_hook_kern_method=2

  3. Restart the ds_agent service.
  4. If the issue persists, change the parameter in Step 2 by modifying its value from "2" to "1" as shown below:

    /opt/ds_agent/lib/libvmpd_dsa_rtscan.so=rtscan_hook_enable=1,rtscan_hook_kern_method=1

    Where:
    1 = use redirfs hook only
    2 = use syscall hook only
    3 = use both; default value

Disabling either the redirfs hook or the syscall hook should avoid the hooking issue while keeping real-time scan detection.
Note a design limitation when using the redirfs hook only: the driver still needs a syscall hook on sys_mount/sys_unmount to dynamically detect newly mounted filesystems, so the DS driver will still print syscall hook/unhook messages in the logs.
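
The steps above as a shell helper (an added example, not Trend Micro code): it writes or replaces the rtscan line in ds_am.ini without touching other entries, and reads the configured method back. The function names, the DS_AM_INI override, the 0644 file mode and the `service ds_agent restart` form are assumptions; the paths and parameter names are the ones given in the steps.

```shell
#!/bin/sh
# Added example. Library path and key names come from the article's steps.
RTSCAN_LIB=/opt/ds_agent/lib/libvmpd_dsa_rtscan.so
DS_AM_INI=${DS_AM_INI:-/var/opt/ds_agent/am/ds_am.ini}  # override is hypothetical, for testing

# set_rtscan_hook_method METHOD [INI]
#   1 = redirfs hook only, 2 = syscall hook only, 3 = both (default)
set_rtscan_hook_method() {
    method=$1
    ini=${2:-$DS_AM_INI}
    case $method in
        1|2|3) ;;
        *) echo "invalid rtscan_hook_kern_method: $method" >&2; return 2 ;;
    esac
    line="$RTSCAN_LIB=rtscan_hook_enable=1,rtscan_hook_kern_method=$method"
    # Build the new file beside the old one so the agent never reads a half-written ini.
    tmp=$(mktemp "$ini.XXXXXX") || return 1
    if [ -f "$ini" ]; then
        # Keep unrelated lines; drop any earlier entry for this library (idempotent).
        awk -v k="$RTSCAN_LIB=" 'index($0, k) != 1' "$ini" > "$tmp"
    fi
    printf '%s\n' "$line" >> "$tmp"
    # Assumed mode: writable by the owner only, since this file changes kernel hooking.
    chmod 644 "$tmp" && mv -f "$tmp" "$ini"
}

# get_rtscan_hook_method [INI]
#   Prints the configured method, or 3 (the documented default) when none is set.
get_rtscan_hook_method() {
    ini=${1:-$DS_AM_INI}
    m=$(awk -v k="$RTSCAN_LIB=" 'index($0, k) == 1 {
            n = split(substr($0, length(k) + 1), kv, ",")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^rtscan_hook_kern_method=/) {
                    sub(/^[^=]*=/, "", kv[i]); v = kv[i]
                }
        } END { print v }' "$ini" 2>/dev/null) || m=""
    echo "${m:-3}"
}

# Typical use on the affected machine, as root (Steps 1-3, then Step 4 if needed):
#   set_rtscan_hook_method 2 && service ds_agent restart
#   set_rtscan_hook_method 1 && service ds_agent restart
```
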
Category: Troubleshoot
Solution Id: 1120298