Test requirements

Before testing this module, make sure you have the following:

• Installed Deep Security Manager (DSM) and Virtual Appliance (DSVA)
• One or more virtual machines (VMs) protected by Deep Security
• Physical or virtual machines with Deep Security antivirus agent (optional)

Test procedure for anti-malware

1. Activate a physical or virtual machine with anti-malware module enabled.
2. Download the EICAR test file on the virtual machine. The file should be quarantined.
3. On the DSM console, go to Events & Reports > Anti-Malware Events to verify the record of the malware detection.
4. Set up scheduled scans.
   1. On the DSM console, go to Administration tab.
   2. Click Scheduled task > New.
   3. Select Scan for Malware.
5. Demonstrate file exclusions.
   1. On the DSM console, go to the assigned policy or security profile.
   2. Click Anti-malware.
   3. On the Default Real-Time Scan configuration, click Edit.
   4. Go to Exclusions tab, and then expand the Directory List.
   5. Click Create New.
   6. Provide a name for this directory list.
   7. On the Directory section, specify the path of the directory you want to exclude from the scan. For example, C:\Test Folder.
   8. Download the EICAR test file and save it in the folder specified on the previous step. The file should be saved and uncaught by the anti-malware.
6. Perform virus pattern updates on DSM and set up automatic updates.
   By default, Deep Security 9.0 has a pre-created scheduled task for Daily Download Security Update and Daily Component Update. To immediately run the task, go to Administration > Scheduled Tasks, and then click Run Task Now.
7. As an option, you may get a sample virus quarantined by saving to another path and test the Real-time and Scheduled scans.

Test requirements

Before testing this module, make sure you have:

• Selected a network protocol, such as TCP/UDP, to test
• VMs protected by DSVA
• Disabled host-based firewall such as Windows firewall or Linux iptables (optional)
• Deep Security Agents (DSA) on VMs to demonstrate port or protocol scanning or to evaluate Linux/Unix VMs
• Rule sets in Deep Security console:
  • IP address
  • MAC Address
  • TCP/UDP port
  • Groups of rules (by profile)

  To check, you can go to the DSM console, select a computer or policy, then click Firewall > Firewall rule > Assign/Unassign.

Test procedure for firewall

1. Evaluate the Secure Shell (SSH) and Remote Desktop Protocol (RDP) rules.

   To test the SSH rule (port 22):

   1. Activate a Windows or Linux virtual machine with the SSH rule.
   2. Using another machine, try to establish SSH connection to the virtual machine.
   3. On the DSM console, go to Events & Reports > Firewall events to view the denied event.

   To test the RDP rule (port 3389):

   1. Activate a Windows or Linux virtual or physical machine.
   2. Try to connect to the virtual machine using RDP.
   3. On the DSM console, select the computer or policy.
   4. Click Firewall and go to Firewall Events to view the denied event.
2. Test the stateful configuration feature.
   1. On the DSM console, select a computer and add the SSH rule to the current firewall rules.
       

      • You can also add the rule via Policy/Security Profile to apply it on multiple machines.
      • Use the pre-created SSH rule that allows incoming SSH traffic.
      • There should be no firewall rule on outgoing SSH.

       
   2. From another computer, try to connect to the target computer using an SSH application such as Putty.
   3. Check the firewall events. This should appear as "Out of allowed Policy".
   4. Go back to the Computer/Policy view, and then go to Firewall.
   5. Under Firewall Stateful Configuration, select Enable Stateful Inspection.
   6. Click Save.
3. Test the port scanning to show running ports and services on a VM.
   1. On the DSM console, go to Computers tab.
   2. Right-click the computer to be scanned and click Scan for Open ports.
   3. From the Computer view, go to the Firewall section to view the result.
      Close unused open ports to prevent exposure to malicious attacks, worms, or Trojans.
4. Test Event Tagging in the DSM console.
   1. On the DSM console, go to Events.
   2. Right-click an event for tagging and click Add tags.
   3. Enter a Name for the tag.
   4. Tick To Selected events check box. The tags will be added to the Tag(s) column.
   5. If you want to auto-tag similar events in the future:
      1. On the DSM console, go to the Events tab.
      2. Right-click an event and click Add tags.
      3. Select Apply to Selected and Similar System Events.
      4. Filter the Similar System Events criteria, and then click Next.
      5. Tick the Future System Events check box.

Before testing this module, make sure you have Windows VMs with DSA.

To test File Integrity Monitoring:

1. On the DSM console, enable Integrity Monitoring.
   1. Click Integrity Monitoring on the left pane.
   2. Under Integrity Monitoring State, select On and click Save.
2. Add the Microsoft Windows-'Hosts' file modified rule to a computer, policy, or security profile.
   This protects the Windows host file C:\windows\system32\drivers\etc\hosts.
3. After the Rebuild Baseline process is completed, modify the C:\windows\system32\drivers\etc\hosts file of the computer.
4. Verify the events in the Deep Security console. You should see an alert that the file has been modified.

Test requirements

Before testing this module, make sure you have:

• VMs with installed DSA and log files such as Microsoft Windows Events, Microsoft Windows Registry, and Linux syslog files
• Activated the machine

Test procedure for Log Inspection

1. On the DSM console, select a computer or policy.
2. Enable Log Inspection on the selected computer or policy.
   1. Click Log Inspection on the left pane.
   2. Under Log Inspection State, select On and click Save.
3. Go to Advanced tab, change the "Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level" to "Low (3)" and click Save.
4. Configure the DSM to read log files and Microsoft Windows registries on the VMs by clicking Assign/Unassign and then selecting the following rules:
   • 1002792 - Default Rules Configuration – This is required for all other Log Inspection rules to work.
   • 1002795 - Microsoft Windows Events – This logs events every time the Windows auditing functionality registers an event.
5. Click OK, and then click Save to apply the rules to the policy.
6. Generate log and event entries on the VMs, for example changing the Windows Audio Service from "Automatic" to "Manual".
7. Verify the generated events.
   1. On the DSM console, select the computer or policy.
   2. Click Log Inspection > Log Inspection events.

Testing this module requires VMware virtual or physical machine protected by Deep Security.

To test this module:

1. On the DSM console, select a computer or policy.
2. Enable Web Reputation.
   1. Click Web Reputation on the left pane.
   2. Under the Web Reputation State, select On and click Save.
3. Navigate to Exception tab.
4. Under Blocked URL, add a web URL which does not start with HTTPS and click Save. Note that the module does not block HTTPS traffic.
5. From a protected computer, open a browser and access the web URL you specified on the previous step. A message denying the access should appear on the client machine.
6. On the DSM console, go to Web Reputation and click Events to verify if the website blocking is recorded.

To test the Deep Security Administration:

1. Evaluate the Role Based Access Control (RBAC).
   1. Create a user in Deep Security and add roles with limited functionality such as View Only.
   2. Log on as the newly created user and verify the limited functionality. An account with View Only role is allowed to read or view settings but is unable to modify them or perform any administrative task.
2. Evaluate integration with Active Directory (AD) Users.
    

   This requires a published AD certificate

    
   1. On the DSM console, go to Administration tab.
   2. Click Synchronize with Directory.
   3. Select the appropriate options and click Next.
   4. After the synchronization is completed, click Finish.
   5. Use the newly created Active Directory account to login.
3. As an option, you may also add SMTP, SNMP, and SYSLOG servers to Deep Security.
   • To add SMTP account, go to Administration > System Settings > SMTP and provide the necessary information.
   • To add SNMP account, go to Administration > System Settings > SNMP and provide the necessary information.
   • To add Remote Syslog Server, go to Administration > System Settings > SIEM and provide the necessary information.
4. Generate reports.
   1. On the DSM console, go to Events & Reports > Generate Reports.
   2. Select a report to generate, such as Firewall Report.
   3. Select a format, such as PDF.
   4. Click Generate, and then click Save.
   5. Open the report.

Test requirements

Testing the integration with VMware requires the following:

• Two VMware ESXi hosts that are both prepared and deployed with DSVA
• VMs protected by DSVA
• VMware vSphere with enabled and licensed DRS
• Shared storage for vMotion

Test procedure for the integration with VMware

1. Check Deep Security synchronization with states of VM on vCenter.
   1. Add, remove, shut down, or start VMs in vSphere client.
   2. Verify if the change reflected in the Deep Security console.
2. Test the Deep Security tasks for moved or new VM created prior to the tests.
   1. On the DSM console, go to Administration > Event-based task > Computer Created.
   2. Indicate the action to perform, then click Activate a computer & Assign a Policy.
   3. Select an appropriate condition.
   4. Provide a name for this task and click Finish.
   5. On the DSM console, go to Administration > Event-based task > Computer Moved.
   6. Indicate the action to perform, then click Activate a computer & Assign a Policy.
   7. Select an appropriate condition.
   8. Provide a name for this task and click Finish.
   9. Create a new computer on Vcenter, or Vmotion a computer to another protected ESXi host.
   10. Verify if the VM is automatically activated and assigned the selected policies.
   11. You may opt to resume a suspended VM. A resumed VM is instantly protected with the latest antivirus patterns and DPI rules.

Test requirements

Testing this requires:

• Two instances of a DSM using a shared database
• VMs protected by Deep Security

Test procedure for the High Availability or Failover

1. Check both Deep Security consoles if they display same data from the protected environment.
2. Shut down or disable the network interface on the operating system of one DSM. The second Deep Security console should still function and display data.
3. Start or enable the first DSM again.
4. Shut down or disable the network interface on the operating system of the second DSM. The first Deep Security console should still function and display data.

To check whether the IPS module is working:

1. For Deep Security Agent (DSA) users, make sure that the Trend Micro LightWeight Filter Driver is enabled on the interface you want to protect.
   For agentless protection users, make sure your Deep Security Virtual Appliance (DSVA) is working normally.

   

2. Assign the rule to restrict the download of EICAR file in the IP Rules Assign/Unassign page.
   1. From the DSM console, double-click the protected machine.
   2. Click Intrusion Prevention > Assign/Unassign.
   3. Enable the Rule ID 1005924 Restrict Download of EICAR Test File Over HTTP.

   

3. Download the EICAR file to the protected machine.
4. Check the IPS events to ensure it logs the event for blocking the EICAR file.
   1. From the DSM console, double-click the protected machine.
   2. Go to Intrusion Prevention > Events.
   3. Click Get Events. When you find the detailed events for blocking the EICAR file, it means the IPS module works fine.

Deep Security 10.0 will be a landmark release for the product, and needs to be noticeably different from previous versions. The goal here is to refresh the skin of DS 10.0 with non-risky changes to flow and relative positioning of items in terms of UX (user experience).

1. Set up an agentless protection environment.
2. Install DSA for those protected machine so it runs on combine mode.

   

3. Choose protect setting for AM/WRS/FW/IPS/ IM. The settings are located under Settings > Computer.

   

4. Verify if the module status in Appliance, or whether the agent changed or not.

In Deep Security 10.0, the application control is newly introduced but only supports Linux.

1. Log on to the DSM server and check if application control module is already in the following path:

   C:\Program Files\Trend Micro\Deep Security Manager\plugins (Windows DSM)
   /opt/dsm/plugins (Linux DSM)

   

2. Install the DSA on Linux machine (feature currently not available for Windows) and turn on the application control feature.

   

   

3. Create a test .jar file and execute it. You will find that it is blocked.

       [root@localhost ~]# echo abc > test.jar
       [root@localhost ~]# chmod 777 test.jar
       [root@localhost ~]# ./test.jar
       -bash: ./test.jar: Operation not permitted

4. It will be recorded in application control events.

   

5. Click Allow All and then run the file again. It will turn out successful.

Follow these steps:

1. Install DDA 5.5.  Contact Technical Support and ask for TMCM 6.0 SP1 Hotfix 3310 or above to be installed as well.
2. Register your DDA 5.5 and DS 10 to your TMCM.
3. Go to TMCM Administration > Managed Servers.
4. Select Server Type to Deep Discovery Analyzer and add DDA to TMCM.

   

5. Select Server Type to Deep Security and add DDA to TMCM.
6. After finishing the registration, you should see the following:

   

   

7. Go to DSM Administration > System Settings > Connected Threat Defense and enable the CTD integration settings.

   

   You may get the TMCM API key at the TMCM portal under Administration > Suspicious Objects > Distribution Settings.

   

8. Click Add/Update Certificate first to import the certificate for DDA and TMCM.

   

9. Click Test connection.

   

10. Enable the Advanced Threat Detection and turn on aggressive rule for Real-time scan of your test machine.

    

    

11. Enable document exploit protection and Behavior monitoring.

    

12. In Computer level, go to Anti-Malware > CTD.

    

    Ensure that SandBox Analysis and Suspicious Objects List uses “Inherit (Yes)”.
13. In the Advanced tab, scroll down until you see the Document Exploit Protection Rule Exceptions section. You may add any rules that have raised false alarms, in this section.

    

14. Contact Technical Support for getting test samples.
15. You should see the anti-malware events of the test machine after running samples, as seen below:

    

16. Go to the quarantine files tab, right click and choose Analyze to submit sample to DDA.

    

17. Login DDAN web page and go to Summary > Dashboard Summary > View Suspicious Objects.

    

18. Go to DDA portal “Virtual Analyzer” > Submissions, and you will find that the sample is uploaded to DDA.

    

19. Wait for a minute until the DDA finishes analyzing the sample file. You may see the details once done.

    

20. Wait while DDA uploads the suspicious object to TMCM automatically. Go to TMCM portal under Administrations > Suspicious Objects > Virtual Analyzer Objects.

    

21. You will see a new SO once the object is uploaded to TMCM.

    

22. Click Configure Scan Action and setup “Quarantine” for selected files. Click Apply.

    

23. Double check whether the scan action is set to “Quarantine”.

    

24. Go to the DSM portal under Administration > Updates > Security > Check For Updates and Download....

    

25. Click Send Policies to computers once new updates have been received.

    

26. Go back to the test machine and extract the sample virus again. This time, it should be quarantined as configured if DSM has received the new suspicious objects from TMCM.