Troubleshooting tips for Intrusion Prevention of Deep Security

    • Updated: 29 Mar 2019
    • Product/Version: Deep Security 11.0
    • Platform: N/A
Summary

This article explains how to troubleshoot the Intrusion Prevention module of Deep Security.

Details

Trend Micro releases new rule updates every Tuesday, but it is recommended to create a schedule for checking the Security Updates on a daily basis.

Create a daily schedule for checking the Security Updates

  1. Navigate to Administration > System Settings.
  2. Click Updates > Security.
  3. Check the status of pattern updates and rule updates. If the patterns or rules are not up to date, manually run a check by clicking Check for Updates and Download....


  4. Go to Administration > System Settings.
  5. Click Updates > Security > Rules.
  6. Verify that the latest DSRU (Deep Security Rule Update) has been applied.


After you enable Intrusion Prevention and assign rules, it is recommended to start in Detect Mode instead of Prevent Mode.

Enable Detect Mode for Intrusion Prevention

When you are satisfied that Intrusion Prevention is not finding false positives, configure your policy to use Intrusion Prevention in Prevent Mode so that rules are enforced and related events are logged.

If you need to submit a case to Trend Micro Technical Support, collect all of the following logs:

  • Deep Security Manager diagnostic package
  • Deep Security Agent diagnostic package
  • Network packets

    Capture network packets on the affected host, if possible. Use Wireshark on Windows and tcpdump on Linux. Include the date and time when the issue occurred.

  • Export IPS event

    By default, Deep Security records the packet data only for the first instance of an event within a specified period of time. The default period is five (5) minutes.

    You can manually enable Always Include Packet Data to help support analysis.

    Take Rule ID 1001933 as an example. Right-click Rule ID 1001933 and select Properties (Global) > General > Events. Then enable Always Include Packet Data.

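For the network packet item above, a capture helper for Linux that puts the host name and UTC start time into the file name and records the start and end times beside the capture. This is an added example, not Trend Micro code; the `ips-case_` file prefix, the size limits and the interface and directory arguments are assumptions.

```shell
#!/bin/sh
# Added example (not Trend Micro code): tcpdump capture helper for a support case.
# Assumed values: file prefix "ips-case_", 100 MB x 5 file ring, caller-supplied interface.

# File name embeds host name and UTC start time so the time of the issue
# travels with the capture.
capture_name() {
    host="$1"; stamp="$2"
    printf 'ips-case_%s_%s.pcap' "$host" "$stamp"
}

# Print the tcpdump command line so it can be reviewed before it runs.
#   -i     interface            -n  no name lookups during capture
#   -s 0   full packets         -C/-W  ring of files capped in size (MB) and count
build_capture_cmd() {
    iface="$1"; outfile="$2"; max_mb="${3:-100}"; max_files="${4:-5}"
    printf 'tcpdump -i %s -n -s 0 -C %s -W %s -w %s' \
        "$iface" "$max_mb" "$max_files" "$outfile"
}

# Capture until Ctrl+C, then write start/end times and file hashes to a
# sidecar .info file. The output directory must not contain spaces.
run_capture() {
    iface="$1"; outdir="$2"
    start="$(date -u +%Y%m%dT%H%M%SZ)"
    outfile="$outdir/$(capture_name "$(hostname)" "$start")"
    cmd="$(build_capture_cmd "$iface" "$outfile")"
    trap : INT                      # Ctrl+C stops tcpdump, not this script
    echo "Running: $cmd (reproduce the issue, then press Ctrl+C)"
    $cmd
    trap - INT
    end="$(date -u +%Y%m%dT%H%M%SZ)"
    {
        echo "capture_start_utc=$start"
        echo "capture_end_utc=$end"
        sha256sum "$outfile"*       # -C/-W append a counter to the file name
    } > "${outfile%.pcap}.info"
}

# Usage (as root): sh capture.sh run <interface> <output-dir>
if [ "${1:-}" = "run" ]; then
    run_capture "${2:?interface required}" "${3:?output directory required}"
fi
```

Attach the capture files and the `.info` file to the support case together with the exported IPS events.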

Category: Troubleshoot
Solution Id: 1122363