This article explains how to troubleshoot the Intrusion Prevention module of Deep Security.
Trend Micro releases new rule updates every Tuesday, but it is recommended to create a schedule for checking the Security Updates on a daily basis.
- Navigate to Administration > System Settings.
- Click Updates > Security.
- Check the status of pattern updates and rule updates. If the patterns or rules are not up to date, check manually by clicking Check for Updates and Download.
- Go to Administration > System Settings.
- Click Updates > Security > Rules.
- Verify if the latest DSRU has been applied.
After you enable Intrusion Prevention and assign rules, it is recommended to start in Detect Mode rather than Prevent Mode.
When you are satisfied that Intrusion Prevention is not finding false positives, configure your policy to use Intrusion Prevention in Prevent Mode so that rules are enforced and related events are logged.
Recommendation Scans provide a good starting point for establishing a list of rules that you should implement. However, there are some important additional rules that are not identified by Recommendation Scans. You should implement those rules manually.
Also, to maximize performance, minimize the number of Intrusion Prevention rules assigned to your policies and computers: assign only the rules that are required.
If you need to submit a case to Trend Micro Technical Support, collect the following logs and data:
- Deep Security Manager diagnostic package
- Deep Security Agent diagnostic package
- Network packets
Capture network packets on the affected host, if possible. Use Wireshark on Windows and tcpdump on Linux. Include the date and time when the issue occurred.
- Exported IPS events
By default, Deep Security records packet data only for the first occurrence of an event within a specified period of time; the default period is five (5) minutes.
You can manually enable Always Include Packet Data to help support analysis.
Take Rule ID 1001933 as an example: right-click Rule ID 1001933, select Properties (Global) > General > Events, and then enable Always Include Packet Data.
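As an added example for the Linux packet-capture step above (not part of this article or of Trend Micro's tooling), a small POSIX shell helper that bounds the tcpdump run with timeout, embeds the UTC timestamp in the capture file name, and records the start/end time and a checksum next to the pcap so support can correlate it with the IPS events. The interface, duration and optional BPF filter are assumed arguments.

```shell
#!/bin/sh
# Added example: time-bounded tcpdump capture for a Deep Security IPS support case.
# Assumes a Linux host with tcpdump, coreutils (timeout, date, sha256sum) and hostname.

# Build the capture file name from a UTC timestamp so the time of the issue is
# embedded in the evidence itself, e.g. ips_eth0_20240101T120000Z.pcap
capture_name() {
    # $1 = interface, $2 = UTC timestamp (YYYYMMDDTHHMMSSZ)
    printf 'ips_%s_%s.pcap\n' "$1" "$2"
}

# The duration must be a positive integer; this prevents an unbounded capture
# that quietly fills the disk on the affected host.
valid_seconds() {
    case "$1" in
        ''|*[!0-9]*|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Run the capture: -nn disables name resolution, -s 0 keeps whole packets so the
# payload an IPS rule matched on is preserved; timeout ends the capture.
start_capture() {
    iface="$1"; seconds="$2"; filter="${3:-}"
    valid_seconds "$seconds" || { echo "seconds must be a positive integer" >&2; return 2; }
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    out="$(capture_name "$iface" "$stamp")"
    # Note file: start time, host and local timezone, so event timestamps in the
    # Deep Security console can be lined up with the capture.
    echo "capture start (UTC): $(date -u) host: $(hostname) local tz: $(date +%Z)" > "$out.txt"
    # tcpdump joins its trailing arguments into one BPF expression, so the
    # optional filter is passed as a single argument only when non-empty.
    timeout "$seconds" tcpdump -nn -i "$iface" -s 0 -w "$out" ${filter:+"$filter"}
    rc=$?
    [ "$rc" -eq 124 ] && rc=0   # 124 = timeout expired: the capture ran its full duration
    echo "capture end   (UTC): $(date -u)" >> "$out.txt"
    sha256sum "$out" >> "$out.txt" 2>/dev/null
    return "$rc"
}

# Usage (run as root on the affected Linux host):
#   start_capture eth0 300 'host 10.0.0.5'   # assumed interface, duration and filter
```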