Trend Micro Deep Security Agent Support Tool GUI Version
- It is recommended to use the current tool version which has the latest build.
- Please note the validity of the version, which will be updated regularly in Solution Center. If it has expired, the UI will display:
"This version of the program is Expired. Please request for newer version."
In this tab, you can view the current DSA status on the UI.
- Software: Indicates whether DSA is installed on this computer
- Version: Indicates current DSA version number
- Services Status: If DSA is installed, this indicates whether the DSA service status is on or off.
- Debug Mode: Indicates whether log debug level is enabled
- Self-Protection: Indicates whether self-protection is disabled. (Debug logging for some modules cannot be enabled while self-protection is enabled.)
You may also press Other Item button to check the specific module feature status.
For "Debug Items", the AMSP debug level is enabled by default. You can also choose more options if necessary.
- Then, "Enable Debug logging"/"Disable Debug logging" can be used to control the debug status.
- Press button Collect Data to generate a diagnostic package.
After the collection, there will be three files/folders under the same path as this tool:
- A ZIP file named like "DSTool-PRODUCT-20211014-112342-[WIN-K2EK8NG8KJF].zip". This is the collection package, including the diagnostic package and other necessary information.
- A TXT file named like "DSTool-PRODUCT-20211014-112342-[WIN-K2EK8NG8KJF].txt". It contains a SHA256 value, which should match the above ZIP file.
- A "logs" folder, which stores temp files and the tool log (temp files are removed when the collection finishes).
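As an added example (not the tool's own code), a Python check that confirms the ZIP was not altered in transit by comparing it with the SHA256 value in the TXT; it assumes the TXT contains the digest as a 64-character hex string, which the page does not spell out, and uses the package name format shown above.

```python
import hashlib
import re
from pathlib import Path

# Package name format from this page: DSTool-PRODUCT-YYYYMMDD-HHMMSS-[HOSTNAME].zip
PACKAGE_RE = re.compile(
    r"^DSTool-(?P<product>[^-]+)-(?P<date>\d{8})-(?P<time>\d{6})-\[(?P<host>[^\]]+)\]\.zip$"
)
# Assumption: the TXT carries the digest as a 64-character hex string (possibly with a label).
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def parse_package_name(name):
    """Return the product, date, time and host encoded in a package name, or None."""
    m = PACKAGE_RE.match(name)
    return m.groupdict() if m else None


def extract_digest(txt_text):
    """Pull the SHA256 hex digest out of the TXT's text, normalised to lowercase."""
    m = SHA256_RE.search(txt_text)
    if not m:
        raise ValueError("no SHA256 value found in the TXT file")
    return m.group(0).lower()


def check_digest(txt_text, zip_bytes):
    """Compare the digest in the TXT with the hash of the ZIP's bytes.

    Returns (ok, actual, expected) so a mismatch can be reported, not just detected."""
    expected = extract_digest(txt_text)
    actual = hashlib.sha256(zip_bytes).hexdigest()
    return actual == expected, actual, expected


def verify_package(zip_path):
    """Verify an on-disk package against its sibling TXT; returns (ok, actual, expected)."""
    zip_path = Path(zip_path)
    if parse_package_name(zip_path.name) is None:
        raise ValueError("not a DSTool collection package name: %s" % zip_path.name)
    txt_text = zip_path.with_suffix(".txt").read_text(encoding="utf-8", errors="replace")
    return check_digest(txt_text, zip_path.read_bytes())


if __name__ == "__main__":
    import sys
    ok, actual, expected = verify_package(sys.argv[1])
    print("OK" if ok else "MISMATCH", "actual=%s expected=%s" % (actual, expected))
```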
As a best practice, the steps of log collection are:
- Enable Debug log.
- Reproduce the issue.
- Disable Debug log.
- Collect Data.
There are two parts for DSA performance collection. On the left side of this UI is Process Monitor log collection. On the right side of this UI is Windows Performance Recorder log collection.
You may choose automatic collection with a timer (suggested) or manually start/stop the collection.
- Process Monitor
Because Microsoft does not allow third-party software to integrate Process Monitor directly, you need to download Process Monitor or select an existing copy manually.
- Use "Download Process Monitor" button to download.
If the environment can connect to Internet, press Download Process Monitor to download the software. The default downloaded path is the same as the tool path.
After downloading, the tool points to this "Process Monitor" path by default. You can start "Process Monitor" logs collection.
- Select an existing "Process Monitor".
You can also select an existing "Process Monitor" via "Change Path" option. Then import "Process Monitor" from the specified path.
Whichever method you use, the tool verifies the digital signature of the specified "Process Monitor" executable. Once it passes the verification, the tool runs "Process Monitor" in the background according to the user's options.
- Change altitude of Process Monitor
In cases where Process Monitor needs to have higher altitude to collect logs, you may check this option. Please refer to the Microsoft Tech Community article: Change Altitude of Process Monitor (ProcMon).
You may encounter the following error:
"Unable to load Process Monitor device driver."
This error may occur because an older Windows version does not support SHA256 signatures.
It is recommended to update Windows, as the new version of Process Monitor only supports SHA256.
For further information, refer to this Microsoft article, 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
To reduce the events that Process Monitor collects, a local Process Monitor configuration is loaded if the file exists in the same path as the tool, which makes the log file smaller. To create the configuration in Process Monitor:
- Create a filter for only the events that need to be monitored.
- Enable the option "Drop Filtered Events".
- In the File menu, choose "Export Configuration..." and save the file as "ProcmonConfiguration.pmc".
- Copy the configuration file to the same folder as the tool and start the process monitoring.
This setting is useful for issues such as "file access violation" that are not always reproducible and occur at random.
- Windows Performance Recorder
Check/uncheck the corresponding checkboxes to choose the options. The tool runs WPR in the background according to the checked options to collect WPR logs.
If no WPR installation is detected in the environment, the tool alerts the user and gives a link that guides the user to install the WPR software.
- Automatically compress performance logs
After performance log collection, there is a "performance" folder under the same path as the tool, which stores the original performance logs. When the user wants to quit the tool, a prompt pops up (as shown below) asking whether to compress the original performance log files.
If you choose to compress, the tool generates a ZIP file and deletes the original "performance" folder.
This tab lists the top-10 scanned files and top-10 busy processes, that is, those scanned the most times by the AMSP module (only supported by the newly released Deep Security 20 version). You can quickly check whether specific files/processes that are trusted but affect device performance should be excluded.
The data on this tab resets when AMSP service restarts.
There are two main features under Network Analysis: Network Packet Capture and Network Check. These features help users collect and check network related problems.
- Background
The tool needs a driver to capture network packets. There are two options: WinPCAP and NPCAP. The two cannot coexist.
WinPCAP's advantage is that the tool can install/uninstall WinPCAP automatically while the collection runs. Its disadvantage is poor compatibility, as the version is old and is no longer updated.
On the other hand, NPCAP has better compatibility and is updated on a regular basis. Its disadvantage is that it has to be installed manually first; the tool then uses it to capture network packets.
- Mechanism
As NPCAP and WinPCAP are enforced not to coexist:
- If the tool detects that the NPCAP or WinPCAP driver is installed in the environment, it calls the corresponding driver directly.
- If the tool detects that neither the NPCAP nor the WinPCAP driver is installed in the environment, it installs and uninstalls WinPCAP automatically itself.
Below is an example:
- If you have already installed Wireshark in your environment (newer versions of Wireshark use NPCAP while older versions use WinPCAP), the tool uses the existing NPCAP/WinPCAP driver.
- If it is a clean environment, the tool installs/uninstalls the driver itself. (An alert is given, as installing a driver is a sensitive procedure.)
- Network Packet Capture
You may use a timer or manually start/stop to catch network packets for all computer NICs in "Network Packet Capture" section. The collection logs are printed to indicate the collection status.
- Network Check
You can specify the URL or leave it blank (DSM/C1WS URL by default). After clicking Check, the tool tries to verify the network connection status between the DSA client and the target URL (DSM/C1WS). Verification results can be checked from the UI.
- Automatic compression of network logs
This feature works the same way as the one in Chapter 1.2.3: when collecting network packets and running the check, the original network-related logs are stored in the "Network" folder, and the tool can compress them into a ZIP file.
- Check and Fix
Server & Workload Protection (Trend Vision One Endpoint Security) Pre-check
This feature can help users perform a pre-check on their endpoints, and see if the endpoint can meet Server & Workload Protection environment requirements.
Navigate to Environment Check > Check and Fix > Server & Workload Protection (V1ES) -PreCheck, then press Start.
- Fill in the information.
- Proxy information
If your endpoint does not need a service gateway nor a customized proxy server to connect to the Internet (Trend Vision One backend server), do not check and fill in any proxy information.
If your endpoint needs a service gateway to connect to the Internet (Trend Vision One backend server), fill in the service gateway FQDN or IP (default port is 8080). Also fill in the service gateway API key value.
Tip 1: You can get the SG API key from the Trend Vision One portal under Workflow and Automation > Service Gateway Management > Manage API Key.
Tip 2: If your XBC agent has reported to Trend Vision One, you can identify the registered Service Gateway (FPS enabled) for XBC from the check result (basic information).
If your endpoint needs a customized proxy server to connect to Internet (Trend Vision One backend server), input the proxy FQDN/IP and port. Username and password are optional.
- Region
Some users' Trend Vision One endpoints and Server & Workload Protection agents do not belong to the same region. In that case, the user needs to choose the correct region for each separately.
- After entering the correct information, press Start. After a few minutes, you can check the returned results.
If some check points fail the test, you will get an alert from the UI.
Refer to the appendix for more check points details.
Server & Workload Protection (Trend Vision One Endpoint Security) Post-check
This feature can help users perform post-check on their endpoints to verify the current module status of the endpoint.
Navigate to Environment Check > Check and Fix >Server & Workload Protection (V1ES) - PostCheck, and press Start.
This feature can help users determine current local status of Trend Vision One agent and Deep Security Agent (DSA) modules. It will be very helpful to provide necessary information when troubleshooting endpoint side issues.
Refer to the appendix for more check points details.
Troubleshooting UMH
When troubleshooting UMH driver related issues, UMH usually needs to be disabled in order to isolate the root cause. However, the enable/disable UMH action is difficult for most customers. This feature is introduced to help perform the enable/disable action faster.
Navigate to Environment Check > Check and Fix > Troubleshoot UMH, then press Start.
- When UMH is currently enabled, the green part is shown with "Running" status. You may choose the option to disable UMH, as seen below.
When the action is done, you can see the UMH service has been disabled, while AMSP is still running.
- When current UMH is disabled, the red part will show "Stopped" status. You may choose to enable UMH.
When the action is done, the user can see that the UMH service has been enabled, and both AMSP and UMH are running.
- For security reasons, if you exit the tool and leave UMH disabled, it will give an alert.
- If you prefer to use the CMD version of the tool, use the following parameters.
Scenario and parameters:
- To enable TMUMH: "Check and Fix": {"Troubleshoot UMH": {"enableCheck":1, "enableFix": 1}}
- To disable TMUMH: "Check and Fix": {"Troubleshoot UMH": {"enableCheck":1, "enableFix": 0}}
- Not using this feature: "Check and Fix": {"Troubleshoot UMH": {"enableCheck":0, "enableFix": 0}}
For more details, please refer to Chapter: Trend Micro Deep Security Agent Support Tool for CMD Version.
MS Azure Code Signing Check
According to this KB article, after mid-February 2023 there is an impact on machines that do not meet the MS operating system requirements. Based on this, the tool has a feature to detect the OS version/KB and give an alert if the current OS does not meet the MS requirements.
Anti-Malware Test - Eicar
This is a built-in check script. The user can verify whether the anti-malware realtime-scan feature is working normally on the agent side.
When starting this feature, the user needs to choose a specific local path. This path is supposed to be monitored by the DSA realtime-scan policy (the CMD version uses "C:\temp\" by default).
The tool extracts the eicar.com file to the path and takes action.
Because the support tool is signed by Trend Micro, file operations on eicar.com performed by the tool itself would be bypassed. Therefore, the action on the eicar.com file is taken by a Windows scheduled task, which the tool initializes. After waiting a few seconds, the tool judges whether the "eicar.com" file still exists. If it does not, it means realtime-scan has taken effect and removed the "eicar.com" file; the user can check the anti-malware events on the console. Otherwise, realtime-scan might not be working normally.
Please make sure that the chosen path is not in the exclusion list and that the anti-malware realtime-scan is enabled with the correct action.
Refer to the following text examples:
Example 1 (realtime-scan took no action on write or read):
2022-09-26 13:52:01 Starts Executing [AntiMalware Test - Eicar].
2022-09-26 13:52:01 Detail: Performing Anti Malware test using Eicar test file by writing/reading EICAR.COM at local path.
2022-09-26 13:52:01 Waiting for input value of path to write/read EICAR.com . . .
[Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task.
2022-09-26 13:52:11 Creating scheduled task . . .
2022-09-26 13:52:11 Successfully created a scheduled task named [EicarTestDSA]
2022-09-26 13:52:11 Modifying the scheduled task to run even in battery power mode . . .
2022-09-26 13:52:12 Successfully modify the scheduled task [EicarTestDSA]
2022-09-26 13:52:12 Running the scheduled task . . .
2022-09-26 13:52:12 Successfully run the scheduled task [EicarTestDSA]
2022-09-26 13:52:12 Delete the scheduled task.
[Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation.
2022-09-26 13:52:22 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. The AntiMalware module might not be configured to take action during write operation.
[Step 3] Reading the content of C:\Users\Administrator\Desktop\EICAR.com through scheduled task.
2022-09-26 13:52:27 Creating scheduled task . . .
2022-09-26 13:52:28 Successfully created a scheduled task named [EicarTestDSA]
2022-09-26 13:52:28 Modifying the scheduled task to run even in battery power mode . . .
2022-09-26 13:52:28 Successfully modify the scheduled task [EicarTestDSA]
2022-09-26 13:52:28 Running the scheduled task . . .
2022-09-26 13:52:29 Successfully run the scheduled task [EicarTestDSA]
2022-09-26 13:52:29 Delete the scheduled task.
[Step 4] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the read operation.
2022-09-26 13:52:34 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. The AntiMalware module might not be configured to take action during read operation.
[Cleanup] Remove the test file C:\Users\Administrator\Desktop\EICAR.com.
2022-09-26 13:52:37 Done executing [AntiMalware Test - Eicar].
2022-09-26 13:52:37 Finish Executing all the chosen function(s).

Example 2 (realtime-scan removed the file on write):
2022-09-26 14:02:19 Starts Executing [AntiMalware Test - Eicar].
2022-09-26 14:02:19 Detail: Performing Anti Malware test using Eicar test file by writing/reading EICAR.COM at local path.
2022-09-26 14:02:19 Waiting for input value of path to write/read EICAR.com . . .
[Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task.
2022-09-26 14:02:22 Creating scheduled task . . .
2022-09-26 14:02:22 Successfully created a scheduled task named [EicarTestDSA]
2022-09-26 14:02:22 Modifying the scheduled task to run even in battery power mode . . .
2022-09-26 14:02:22 Successfully modify the scheduled task [EicarTestDSA]
2022-09-26 14:02:22 Running the scheduled task . . .
2022-09-26 14:02:23 Successfully run the scheduled task [EicarTestDSA]
2022-09-26 14:02:23 Delete the scheduled task.
[Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation.
2022-09-26 14:02:33 ---> Cannot find C:\Users\Administrator\Desktop\EICAR.com, the AntiMalware might have removed it. Please check the AntiMalware log.
2022-09-26 14:02:33 Done executing [AntiMalware Test - Eicar].
2022-09-26 14:02:33 Finish Executing all the chosen function(s).

Example 3 (realtime-scan removed the file on read):
2022-09-26 14:10:47 Starts Executing [AntiMalware Test - Eicar].
2022-09-26 14:10:47 Detail: Performing Anti Malware test using Eicar test file by writing/reading EICAR.COM at local path.
2022-09-26 14:10:47 Waiting for input value of path to write/read EICAR.com . . .
[Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task.
2022-09-26 14:10:49 Creating scheduled task . . .
2022-09-26 14:10:51 Successfully created a scheduled task named [EicarTestDSA]
2022-09-26 14:10:51 Modifying the scheduled task to run even in battery power mode . . .
2022-09-26 14:10:52 Successfully modify the scheduled task [EicarTestDSA]
2022-09-26 14:10:52 Running the scheduled task . . .
2022-09-26 14:10:52 Successfully run the scheduled task [EicarTestDSA]
2022-09-26 14:10:52 Delete the scheduled task.
[Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation.
2022-09-26 14:11:02 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. The AntiMalware module might not be configured to take action during write operation.
[Step 3] Reading the content of C:\Users\Administrator\Desktop\EICAR.com through scheduled task.
2022-09-26 14:11:07 Creating scheduled task . . .
2022-09-26 14:11:08 Successfully created a scheduled task named [EicarTestDSA]
2022-09-26 14:11:08 Modifying the scheduled task to run even in battery power mode . . .
2022-09-26 14:11:08 Successfully modify the scheduled task [EicarTestDSA]
2022-09-26 14:11:08 Running the scheduled task . . .
2022-09-26 14:11:08 Successfully run the scheduled task [EicarTestDSA]
2022-09-26 14:11:08 Delete the scheduled task.
[Step 4] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the read operation.
2022-09-26 14:11:14 ----> Cannot find C:\Users\Administrator\Desktop\EICAR.com, the AntiMalware might have removed it. Please check the AntiMalware log.
2022-09-26 14:11:14 Done executing [AntiMalware Test - Eicar].
2022-09-26 14:11:14 Finish Executing all the chosen function(s).
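As an added example (not part of the tool), a small Python analyzer that re-breaks the output above into records and reads the Step 2 and Step 4 messages to decide whether realtime-scan acted on write, on read only, or not at all; the message patterns are taken from the examples above, and the sample text at the bottom is constructed to mirror Example 3.

```python
import re

# Every record of the tool's output starts with a timestamp or a [Step N]/[Cleanup] marker.
TS_RE = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
RECORD_START_RE = re.compile(r"(?=%s)|(?=\[(?:Step \d|Cleanup)\])" % TS_RE)
STEP_RE = re.compile(r"^\[Step (\d)\]")
# Messages the tool prints in Step 2 (write) and Step 4 (read), as in the examples above.
REMOVED_RE = re.compile(r"Cannot find .*EICAR\.com, the AntiMalware might have removed it")
STILL_THERE_RE = re.compile(r"EICAR\.com still exists\. The AntiMalware module might not be configured")

VERDICT_WRITE = "realtime-scan acted on write"
VERDICT_READ_ONLY = "realtime-scan acted on read only"
VERDICT_NONE = "realtime-scan did not act; check exclusions and the realtime-scan action"
VERDICT_UNKNOWN = "incomplete output"


def split_records(text):
    """Re-break output that was pasted as one long line into one record per entry."""
    return [p.strip() for p in RECORD_START_RE.split(text) if p.strip()]


def analyze_eicar_run(text):
    """Return {'write': bool|None, 'read': bool|None, 'verdict': str} for one test run."""
    result = {"write": None, "read": None, "verdict": VERDICT_UNKNOWN}
    operation = None  # the access that the current step exercises (only steps 2 and 4 count)
    for record in split_records(text):
        m = STEP_RE.match(record)
        if m:
            operation = {"2": "write", "4": "read"}.get(m.group(1))
            continue
        if operation and REMOVED_RE.search(record):
            result[operation] = True
        elif operation and STILL_THERE_RE.search(record):
            result[operation] = False
    if result["write"]:
        result["verdict"] = VERDICT_WRITE
    elif result["read"]:
        result["verdict"] = VERDICT_READ_ONLY
    elif result["write"] is False and result["read"] is False:
        result["verdict"] = VERDICT_NONE
    return result


# Constructed sample mirroring Example 3 above (no action on write, file removed on read).
SAMPLE_RUN = (
    r"2022-09-26 14:10:47 Starts Executing [AntiMalware Test - Eicar]. "
    r"[Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task. "
    r"2022-09-26 14:10:52 Delete the scheduled task. "
    r"[Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation. "
    r"2022-09-26 14:11:02 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. "
    r"The AntiMalware module might not be configured to take action during write operation. "
    r"[Step 3] Reading the content of C:\Users\Administrator\Desktop\EICAR.com through scheduled task. "
    r"[Step 4] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the read operation. "
    r"2022-09-26 14:11:14 ----> Cannot find C:\Users\Administrator\Desktop\EICAR.com, "
    r"the AntiMalware might have removed it. Please check the AntiMalware log. "
    r"2022-09-26 14:11:14 Done executing [AntiMalware Test - Eicar]."
)

if __name__ == "__main__":
    print(analyze_eicar_run(SAMPLE_RUN))
```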
Inspect CA Certificates
This is a built-in check script. A user may prefer this method to verify whether the certificates used by Deep Security components have been installed in the system. You may refer to the Appendix section, The certificate list that the tool checks. A large share of engine offline issues are caused by CA certificates missing from the OS, which prevents Deep Security components from loading normally.
Please note that DSA may still be able to work normally even when missing some certificates or if certificates expire. However, we still recommend checking and importing all the certificates to avoid some potential issues.
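As an added check (not the tool's own code), the following Python looks for the root CAs listed in the appendix section The certificate list that the tool checks in the Windows ROOT and CA stores and reports the missing ones; it assumes ssl.enum_certificates (Windows-only, Python standard library) and that a thumbprint is the SHA-1 of the DER-encoded certificate, which is how Windows shows it.

```python
import hashlib
import ssl

# Subject CN / thumbprint pairs copied from the appendix table on this page.
EXPECTED_ROOTS = {
    "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43": "DigiCert Assured ID Root CA",
    "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436": "DigiCert Global Root CA",
    "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4": "DigiCert Global Root G2",
    "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25": "DigiCert High Assurance EV Root CA",
    "DDFB16CD4931C973A2037D3FC83A4D7D775D05E4": "DigiCert Trusted Root G4",
    "3B1EFD3A66EA28B16697394703A72CA340A05BD5": "Microsoft Root Certificate Authority 2010",
    "8F43288AD272F3103B6FB1428485EA3014C0BCFE": "Microsoft Root Certificate Authority 2011",
    "CDD4EEAE6000AC7F40C3802C171E30148030C072": "Microsoft Root Certificate Authority",
    "BE36A4562FB2EE05DBB3D32323ADF445084ED656": "Thawte Timestamping CA",
    "2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E": "USERTrust RSA Certification Authority",
    "4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5": "VeriSign Class 3 Public Primary Certification Authority - G5",
    "3679CA35668772304D30A5FB873B0FA77BB70D54": "VeriSign Universal Root Certification Authority",
    "F40042E2E5F7E8EF8189FED15519AECE42C3BFA2": "Microsoft Identity Verification Root Certificate Authority 2020",
}


def thumbprint(der_bytes):
    """Windows-style thumbprint: uppercase hex SHA-1 of the DER-encoded certificate."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def installed_thumbprints(store):
    """Thumbprints of the X.509 certificates in a Windows system store (Windows only)."""
    return {thumbprint(cert) for cert, encoding, _trust in ssl.enum_certificates(store)
            if encoding == "x509_asn"}


def missing_roots(present, expected=EXPECTED_ROOTS):
    """Map thumbprint -> subject for every expected root that is absent from `present`."""
    present = {t.upper() for t in present}
    return {t: cn for t, cn in expected.items() if t not in present}


def format_report(missing):
    """One line per missing root, or a single 'all present' line."""
    if not missing:
        return "All %d expected root certificates are installed." % len(EXPECTED_ROOTS)
    return "\n".join("MISSING %s  %s" % (t, cn)
                     for t, cn in sorted(missing.items(), key=lambda kv: kv[1]))


def check_local_stores(stores=("ROOT", "CA")):
    """Run the check against this machine's certificate stores (requires Windows)."""
    present = set()
    for store in stores:
        present |= installed_thumbprints(store)
    return missing_roots(present)


if __name__ == "__main__":
    print(format_report(check_local_stores()))
```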
How to Import Certificates in Batches
It is recommended to use the CMD version of the tool if you prefer to import certificates in batches. To do this, enable the feature in the configuration file (and disable the other features). Administrators can deliver the CMD version and the configuration file to the endpoints and then run the tool directly. The CMD version tool checks and imports the missing certificates in the background.
Refer to the following "DSTool.json" example:
{
  "Log Collection": {
    "enableAMSP": 0,
    "enableUMH": 0,
    "enableEYES": 0,
    "enableAEGIS": 0,
    "timerInSecondDebug": 30,
    "disableDebugAfterTimer": 1,
    "enableLogCollection": 0
  },
  ............
  "Check and Fix": {
    "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0},
    "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0}
  },
  ............
  "Tool": {
    "PressKeyToEnd": 0
  }
}
Please refer to the chapter, Trend Micro Deep Security Agent Support Tool for CMD Version, for more configuration details.
Anti-Malware Status Analysis
This is a built-in check script. When there are errors occurring on DSA that are related to Anti-Malware feature offline, this can help analyze the possible root cause quickly.
Customized script for checking issues
This is a hidden feature for the back-end team. When a support/RD engineer wants to perform special checks and operations in the user's environment, they create a simple Python script and have the customer put the script in the path, like the sample script. The customer's computer does not require a Python environment.
- Write a customized python script.
Write a Python script according to the specific scenario. For detailed instructions on how to write a script, please refer to the Appendix: How to write a Support Cases Script. Trend Micro welcomes anyone to provide more useful scripts for common issues.
- Choose whether to enable script integrity check and sign the script.
For safety reasons, by default the tool performs an integrity check of the script before running it: the tool only loads a script that comes from a signed ZIP file. The integrity check prevents scripts from being maliciously tampered with or exploited. Users can contact allofcncorerd@dl.trendmicro.com to sign the script; Trend Micro signs SampleCase.py into SignedSampleCase.zip, after which SignedSampleCase.zip can be used with the tool. Users can also disable the integrity check by registry key to use the original Python script file without the integrity check.
To disable it, create the key "SOFTWARE\TrendMicro\DSASupportTool" with a "DWORD" value named "disableMaliciousScriptCheck".
- Data of "1" means the integrity check is disabled.
- Data of "0", or the registry key not existing, means the integrity check is enabled when running the tool.
- Put the Python file or signed ZIP file in the environment.
If the tool is located at C:\Users\Administrator\Desktop\DSASupportTool_GUI.exe, the Python file should be at C:\Users\Administrator\Desktop\SupportCases\DSA\SampleCase.py.
The signed ZIP file should be at C:\Users\Administrator\Desktop\SupportCases\SignedSampleCase.zip or C:\Users\Administrator\Desktop\SupportCases\DSA\SignedSampleCase.zip. Either of the two can be used.
- Run the script
After restarting the tool, there will be a new option for the user to choose.
You may press the button on UI to run the script.
- Deep Security Agent Modules CPU Utilization
Agent Modules CPU Utilization allows the user to monitor the CPU utilization of DSA modules (only supports DSA later than 20.0.0-3445). When there are performance issues, the problem can be located faster by identifying the responsible DS module, which allows the back-end team to narrow down the issue accurately.
This tool uses "sendCommand.cmd --get Metrics" to get original data and filters "ThreadInfo" field in backend and displays the real time data with bar chart.
In the future, more metrics will be added to help users monitor the performance usage of DSA components.
Monitoring for too long may increase and accumulate memory usage. It is recommended not to monitor for more than 5 hours. This is a limitation, as the tool must constantly refresh data in the background.
DSA Metrics is data that provides details on how DSA works. The data is stored in a local path as a file in JSON format.
DSA Metrics can be generated by DSA. A more precise interval can be used to manually generate and collect data, which is helpful for troubleshooting an issue with detailed metrics data.
This feature is introduced here:
Importing metrics
For importing metrics, the data source should be the file:
- C:\ProgramData\Trend Micro\Deep Security Agent\metrics\537bc5e5-4e35-9d89-b209-402a17b0583c.json (generated by DSA)
- C:\Users\Administrator\Desktop\DSA_Metrics\20220517-195214\195619_jsonRecords.json (generated by tool)
Select the matched time zone on UI then import the correct metrics file. The tool will display the data on a chart.
This feature can be used to display the below data from the collected metrics:
- Count of real-time-scan newly scanned file(s) every iteration
- Virtual Memory Reserved (MB) of the anti-malware module
- CPU utilization (%) of the anti-malware module
Metrics collection
Metrics data is usually generated every 10 minutes by DSA under "C:\ProgramData\Trend Micro\Deep Security Agent\metrics\". However, that is often not enough for further research in some cases; more accurate data is sometimes necessary for the backend team.
A user can use the tool to do the collection with a shorter interval, set the timer to start the metrics collection, and also stop it manually during the collection.
Once the collection finishes, the user can press Import Metrics and Display As a Chart to get a quick view of the metrics just collected as charts (the same type of chart as in the Import Metrics part). After the collection, the tool can compress the data files into a ZIP. If there is a support case, it is recommended to provide the collected metrics data ZIP file to the support team for further investigation.
The default password of ZIP file is trend.
Trend Micro Deep Security Agent Support Tool CMD Version
Run the program via the command line. The process lasts several minutes, after which you should be able to get the diagnostic package.
The user needs to configure "DSTool.json" first according to requirements. Without "DSTool.json", the tool only takes the log collection action by default.
Example of "DSTool.json"
{
  "Log Collection": {
    "enableAMSP": 1,
    "enableUMH": 0,
    "enableEYES": 0,
    "enableAEGIS": 0,
    "timerInSecondDebug": 30,
    "disableDebugAfterTimer": 1,
    "enableLogCollection": 1
  },
  "Process Monitor": {
    "enableProcMon": 0,
    "enableChangeAltitude": 0,
    "timerInSecondProcMon": 10
  },
  "WPR": {
    "enableWPR": 0,
    "timerInSecondWPR": 10,
    "optionsWPR": "-start CPU -start DiskIO -start FileIO -start Registry -start Network -start Heap -start Pool -start VirtualAllocation -start Handle -start Minifilter"
  },
  "Network Packet Capture": {
    "enableNetPCap": 0,
    "timerInSecondNetPCap": 10
  },
  "Network Check": {
    "enableNetCheck": 0,
    "URL2NetCheck": ""
  },
  "Check and Fix": {
    "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0},
    "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0},
    "AntiMalware Test - Eicar": {"enableCheck": 0, "enableFix": 0},
    "MS Azure Code Signing Check": {"enableCheck": 0, "enableFix": 0}
  },
  "Metrics": {
    "collectMetrics": 0,
    "MetricsIntervalInSecond": 5,
    "MetricsDurationInSecond": 300
  },
  "Tool": {
    "PressKeyToEnd": 1,
    "enableFeedback": 1
  }
}
Explanation (1: Yes ; 0: No):
"enableAMSP": 1
    Whether to enable AMSP debug
"enableUMH": 0
    Whether to enable UMH debug
"enableEYES": 0
    Whether to enable EYES debug
"enableAEGIS": 0
    Whether to enable AEGIS debug
"timerInSecondDebug": 30
    The duration of enabling debug, in seconds
"disableDebugAfterTimer": 1
    Whether to disable debug after enabling debug (not recommended to modify)
"enableLogCollection": 1
    Whether to collect logs after enabling/disabling debug (not recommended to modify)
## Due to Microsoft policy limitations, the tool cannot integrate with Process Monitor directly. The user must put the Process Monitor software in the same path as this tool manually. Otherwise, this collection will be skipped.
## Process Monitor download link: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
"enableProcMon": 0
    Whether to use Process Monitor to collect performance logs
"enableChangeAltitude": 0
    Whether to enable high priority (altitude) of Process Monitor
"timerInSecondProcMon": 10
    The duration of running Process Monitor, in seconds
"enableWPR": 0
    Whether to use WPR to collect performance logs
"timerInSecondWPR": 10
    The duration of running WPR, in seconds
"optionsWPR": "-start CPU -start DiskIO -start FileIO -start Registry -start Network -start Heap -start Pool -start VirtualAllocation -start Handle -start Minifilter"
    The backend command used to run WPR (not recommended to modify if not familiar with the WPR command)
"enableNetPCap": 0
    Whether to enable Network Packet Capture
"timerInSecondNetPCap": 10
    The duration of Network Packet Capture, in seconds
"enableNetCheck": 0
    Whether to enable Network Check
"URL2NetCheck": ""
    The target URL that needs to be checked (empty double quotes means detect the DSM URL)
"Inspect CA certificates": {"enableCheck": 0, "enableFix": 0}
    Whether to run the "Inspect CA certificates" feature to check the environment, and whether to take action if CA certificates are found missing.
The following two configurations are based on the specific customized scripts:
"AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0}
    Whether to run the "AntiMalware Status Analysis" feature to return the checking result. Currently, "enableFix" is an invalid parameter as this feature has no action to be done.
"AntiMalware Test - Eicar": {"enableCheck": 0, "enableFix": 0}
    Whether to run the "AntiMalware Test - Eicar" feature to return the checking result. Currently, "enableFix" is an invalid parameter as this feature has no action to be done.
"MS Azure Code Signing Check": {"enableCheck": 0, "enableFix": 0}
    Whether to run the "MS Azure Code Signing Check" feature (see the MS Azure Code Signing Check section).
"collectMetrics": 0
    Whether to collect Metrics data
"MetricsIntervalInSecond": 5
    The interval of collecting Metrics data, in seconds
"MetricsDurationInSecond": 300
    The duration of collecting Metrics data, in seconds
"PressKeyToEnd": 1
    Whether to ask for a "key press" to end the program in the command console
"enableFeedback": 1
    Whether to allow the tool to collect and transfer usage feedback data
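As an added example (not the tool's own code), a Python helper that builds a DSTool.json from the defaults above and validates it before it is distributed to endpoints; it also produces the configuration described under How to Import Certificates in Batches and the Troubleshoot UMH scenarios. The validation rules are this example's own reading of the explanation table, not a schema published by Trend Micro.

```python
import copy
import json

# Defaults copied from the DSTool.json example on this page; "Troubleshoot UMH" is
# taken from the Troubleshooting UMH section of the same page.
DEFAULT_DSTOOL = {
    "Log Collection": {
        "enableAMSP": 1, "enableUMH": 0, "enableEYES": 0, "enableAEGIS": 0,
        "timerInSecondDebug": 30, "disableDebugAfterTimer": 1, "enableLogCollection": 1,
    },
    "Process Monitor": {"enableProcMon": 0, "enableChangeAltitude": 0, "timerInSecondProcMon": 10},
    "WPR": {
        "enableWPR": 0, "timerInSecondWPR": 10,
        "optionsWPR": "-start CPU -start DiskIO -start FileIO -start Registry -start Network "
                      "-start Heap -start Pool -start VirtualAllocation -start Handle -start Minifilter",
    },
    "Network Packet Capture": {"enableNetPCap": 0, "timerInSecondNetPCap": 10},
    "Network Check": {"enableNetCheck": 0, "URL2NetCheck": ""},
    "Check and Fix": {
        "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0},
        "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0},
        "AntiMalware Test - Eicar": {"enableCheck": 0, "enableFix": 0},
        "MS Azure Code Signing Check": {"enableCheck": 0, "enableFix": 0},
        "Troubleshoot UMH": {"enableCheck": 0, "enableFix": 0},
    },
    "Metrics": {"collectMetrics": 0, "MetricsIntervalInSecond": 5, "MetricsDurationInSecond": 300},
    "Tool": {"PressKeyToEnd": 1, "enableFeedback": 1},
}


def _is_flag(key):
    return key.startswith("enable") or key in ("disableDebugAfterTimer", "collectMetrics", "PressKeyToEnd")


def _is_seconds(key):
    return key.startswith("timerInSecond") or key in ("MetricsIntervalInSecond", "MetricsDurationInSecond")


def validate(cfg, template=DEFAULT_DSTOOL, path=""):
    """Return a list of problems (empty = acceptable). Rules are this example's own:
    1/0 flags, positive second counts, '-start <provider>' WPR switches, known keys only."""
    problems = []
    for key, value in cfg.items():
        here = "%s/%s" % (path, key) if path else key
        if key not in template:
            problems.append("unknown key %s" % here)
        elif isinstance(template[key], dict):
            if isinstance(value, dict):
                problems.extend(validate(value, template[key], here))
            else:
                problems.append("%s must be an object" % here)
        elif _is_flag(key):
            if isinstance(value, bool) or value not in (0, 1):
                problems.append("%s must be 0 or 1" % here)
        elif _is_seconds(key):
            if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
                problems.append("%s must be a positive number of seconds" % here)
        elif key == "optionsWPR":
            tokens = value.split() if isinstance(value, str) else []
            if not tokens or len(tokens) % 2 or any(t != "-start" for t in tokens[0::2]):
                problems.append("%s must be a sequence of '-start <provider>' switches" % here)
        elif not isinstance(value, str):
            problems.append("%s must be a string" % here)
    if not path:
        m = cfg.get("Metrics")
        if isinstance(m, dict):
            interval, duration = m.get("MetricsIntervalInSecond"), m.get("MetricsDurationInSecond")
            if isinstance(interval, int) and isinstance(duration, int) and interval > duration:
                problems.append("Metrics/MetricsIntervalInSecond exceeds MetricsDurationInSecond")
    return problems


def build(overrides):
    """Deep-merge overrides into a copy of the defaults and return the result."""
    def merge(dst, src):
        for k, v in src.items():
            if isinstance(v, dict) and isinstance(dst.get(k), dict):
                merge(dst[k], v)
            else:
                dst[k] = v
    cfg = copy.deepcopy(DEFAULT_DSTOOL)
    merge(cfg, overrides)
    return cfg


def batch_certificate_import():
    """How to Import Certificates in Batches: only the certificate check and fix run,
    log collection and the other checks are off, and the console does not wait for a key."""
    return build({
        "Log Collection": {"enableAMSP": 0, "enableLogCollection": 0},
        "Check and Fix": {"Inspect CA certificates": {"enableCheck": 1, "enableFix": 1},
                          "AntiMalware Status Analysis": {"enableCheck": 0, "enableFix": 0}},
        "Tool": {"PressKeyToEnd": 0},
    })


def troubleshoot_umh(enable_umh):
    """Troubleshoot UMH scenarios: enableFix 1 enables TMUMH, 0 disables it."""
    return build({"Check and Fix": {"Troubleshoot UMH": {"enableCheck": 1, "enableFix": 1 if enable_umh else 0}}})


def dump(cfg):
    """Serialise only after validation so a bad file never reaches the endpoints."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(cfg, indent=2)
```

Write `dump(batch_certificate_import())` to DSTool.json next to the CMD tool to reproduce the batch import setup.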
Appendix
- About collecting usage feedback data
Starting from DSSupportTool_GUI/CMD Build-1.0.0.1160, the tool enables collecting usage feedback data by default. Enabling this feature helps Trend Micro learn more about tool usage and operation behavior, and then further improve the features.
For the GUI version, the user can uncheck the option on the UI to disable this feature. For the CMD version, you can change the parameter ["enableFeedback": 1] from 1 to 0 in the "DSTool.json" file to disable this feature. Then no data will be collected.
When this feature is enabled, the following data is collected and transferred to the backend through Google Analytics (www.google-analytics.com):
Data Collected / Description / Example:
- AgentGuid: Identification number. Example: "AgentGuid:": "42001A42-0C16-67BC-7B0E-FA099177EB00"
- ToolVersion: The version of the tool being used. Example: "ToolVersion": "GUI-1.0.0.1155" or "ToolVersion": "CMD-1.0.0.1155"
- DSAversion: The version of the DSA being used. Example: "DSAversion": "20.0.1123"
- OS version: The version of the OS being used. Example: "OS": "Windows 10.567 AMD64"
Console Location / Data Collected / Example:
- Data Collection for DSA > Enable Debug Logging
  Data Collected: When clicking the "Enable Debug Logging" button, the customized debug status will be collected.
  Example: {"DebugItems":{"Anti Malware Features":1,"AMSP":1,"EYES":0,"UMH":0,"AEGIS":0}}
- Data Collection for DSA > Collect Data Start
  Data Collected: When clicking the "Collect Data" button, the action data will be collected.
  Example: {"CollectData": {"CollectData": "True"}}
- Data Collection for DSA > Collect Data Cancel
  Data Collected: When clicking the "Cancel" button, the action data will be collected.
  Example: {"CollectData": {"CollectData": "False"}}
- Data Collection for DSA > Other Items
  Data Collected: When clicking the "Other Items" button, DSA module status will be collected.
  Example: {"OtherItems":{"Relay":0,"AM":1,"WRS":1,"Sensor":0,"AC":0,"IM":1,"LI":0,"FW":0,"IP":0,"CCTRL":0,"SAP":0,"iCAP":0,"DC":0}}
- Data Collection for DSA > Module Debug Status
  Data Collected: When clicking the "Module Debug Status" button, debug status will be collected.
  Example: {"ModuleDebugStatus":{"AMSP":"ON", "EYES":"OFF", "UMH":"OFF", "AEGIS":"OFF"}}
- Performance Collection for DSA > Process Monitor > Process Monitor Altitude
  Data Collected: When checking/unchecking the "change altitude of process monitor" checkbox, this behavior will be collected.
  Example: {"ProcessMonitor": {"ProcessMonitorEnableHighAltitude": "False"}}
- Performance Collection for DSA > Windows Performance Recorder > WPR Option/start
  Data Collected: When clicking the "start" button in the "windows performance recorder" section, the WPR parameters being used will be collected.
  Example: {"WPR": {"Option": "-start CPU -start DiskIO -start FileIO -start Registry -start Network"}}
- Network Analysis > Network packet Capture > start
  Data Collected: When clicking the "start" button in the "network packet capture" section, whether WinPcap is used is collected.
  Example: {"NetworkCapture": {"WinPcap": "True"}}
- Network Analysis > Network Check > check
  Data Collected: When clicking the "check" button in the "network check" section, whether WinPcap is used and the target URL are collected.
  Example: {"NetworkCheck": {"WinPcap": "True", "URL":"https://192.168.38.116:4120"}}
- Environment Check > Check and Fix > start
  Data Collected: When clicking the "start" button in the "Check and Fix" section, which checking script is used is collected.
  Example: {"CheckAndFix": {"Inspect CA certificates": "True", "Sample case": "False", "Antimalware Status analysis": "False", "Eicar Test": "False"}}
- Environment Check > CPU Utilization > start monitoring
  Data Collected: When clicking the "start monitoring" button in the CPU Utilization section, whether CPU Utilization is used is collected.
  Example: {"CPUUtilization": {"Start Monitoring": "True"}}
- Top N list > start monitoring
  Data Collected: When clicking the "start monitoring" button in the Top N list tab, whether Top N list is used is collected.
  Example: {"TopN": {"Start Monitoring": "True"}}
- DSA Metrics > Import Metrics > Import Metrics and Display to a Chart
  Data Collected: When clicking the "Import Metrics and Display to a Chart" button in the DSA Metrics tab, the time zone will be collected.
  Example: {"ImportMetrics": {"Timezone": "+0800"}}
- DSA Metrics > Metrics Collection > start
  Data Collected: When clicking the "start" button in the DSA Metrics tab, the duration and interval of the collection will be collected.
  Example: {"MetricsCollection": {"Duration": "5", "Interval": "3"}}
- DSA Metrics > Metrics Collection > Display Collected Metrics to a Chart
  Data Collected: When clicking the "Display Collected Metrics to a Chart" button in the DSA Metrics tab, whether Display Collected Metrics to a Chart is used will be collected.
  Example: {"DisplayCollectedMetricsToAChart": {"DisplayCollectedMetricsToAChart": "True"}}
- The certificate list that the tool checks:
| Subject CN | Thumbprint |
| --- | --- |
| DigiCert Assured ID Root CA | 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 |
| DigiCert Global Root CA | A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 |
| DigiCert Global Root G2 | DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 |
| DigiCert High Assurance EV Root CA | 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 |
| DigiCert Trusted Root G4 | DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 |
| Microsoft Root Certificate Authority 2010 | 3B1EFD3A66EA28B16697394703A72CA340A05BD5 |
| Microsoft Root Certificate Authority 2011 | 8F43288AD272F3103B6FB1428485EA3014C0BCFE |
| Microsoft Root Certificate Authority | CDD4EEAE6000AC7F40C3802C171E30148030C072 |
| Thawte Timestamping CA | BE36A4562FB2EE05DBB3D32323ADF445084ED656 |
| USERTrust RSA Certification Authority | 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E |
| VeriSign Class 3 Public Primary Certification Authority - G5 | 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 |
| VeriSign Universal Root Certification Authority | 3679CA35668772304D30A5FB873B0FA77BB70D54 |
| Microsoft Identity Verification Root Certificate Authority 2020 | F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 |

- How to write a Support Case Script
Below is a sample UI.
Below is sample code. (The lines that were italicized in the original, essentially the case name, the detail string and the body of `run()`, can be replaced with your own customized code.)
```python
import sys
import os
from basecase import BaseCase
from Utils.tmlog import TmLog

logger = TmLog.getLogger("DSA_SupportTool")


class SampleCase(BaseCase):
    def __init__(self):
        try:
            super().__init__()
            # Name and detail shown in the tool's case list
            self.name = "Sample Case"
            self.detail = "Detail: This sample case will pop a question box."
        except Exception as err:
            logger.exception(str(err))

    def __del__(self):
        try:
            pass
        except Exception as err:
            logger.exception(str(err))

    def run(self):
        try:
            # Pop up a question box. Return value is True or False
            respond = self.askConfirmation("This is a sample message.\n"
                                           + "Do you want to continue?")
            # Display a message on the tool's UI
            self.displayMessage("You say %s" % (str(respond)))
            # Display a message on the tool's UI with a clickable link
            # (the anchor markup around the two %s placeholders is assumed;
            # the tag itself was lost when this page was extracted)
            self.displayMessage('<a href="%s">%s</a>' % (
                "https://developer.microsoft.com/en-us/windows/downloads/sdk-archive",
                "Click here to download Windows 8.1 SDK."))
            # Write a line to the DSA_SupportTool.log log file
            logger.info("Done running")
            return
        except Exception as err:
            logger.error(str(err))
            return
```
Below is the list of libraries bundled with the tool; you can import any of them in your customized script.
- import cchardet
- import codecs
- import configparser
- import copy
- import ctypes
- import datetime
- import hashlib
- import importlib
- import inspect
- import json
- import logging
- import mmap
- import multiprocessing
- import os
- import pefile
- import platform
- import psutil
- import pythoncom
- import re
- import requests
- import shutil
- import socket
- import subprocess
- import sys
- import telnetlib
- import tempfile
- import threading
- import time
- import urllib
- import webbrowser
- import win32con
- import win32event
- import win32evtlog
- import win32evtlogutil
- import winerror
- import winreg
- import wmi
- import xml.etree.ElementTree
- import zipfile
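As an added example (not code from the Support Tool or from Trend Micro), here is a standalone version of the tool's "Inspect CA certificates" check, written against the certificate table above. It compares certificates by SHA-1 thumbprint rather than by Subject CN, because a CN is just a string anyone can put in a certificate, while the thumbprint pins the exact DER encoding that Windows displays. It uses only the standard library (`hashlib` from the bundled list plus `ssl` and `sys`); on Windows it can read the machine ROOT store through `ssl.enum_certificates`, and on any platform it can read a PEM bundle from disk. The sample bundle embedded below is constructed from placeholder bytes and is not a real certificate, so it will be reported as missing everything.

```python
from __future__ import annotations

import hashlib
import ssl
import sys

# Subject CN -> SHA-1 thumbprint, copied from the certificate list above.
REQUIRED_ROOTS = {
    "DigiCert Assured ID Root CA": "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43",
    "DigiCert Global Root CA": "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436",
    "DigiCert Global Root G2": "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4",
    "DigiCert High Assurance EV Root CA": "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25",
    "DigiCert Trusted Root G4": "DDFB16CD4931C973A2037D3FC83A4D7D775D05E4",
    "Microsoft Root Certificate Authority 2010": "3B1EFD3A66EA28B16697394703A72CA340A05BD5",
    "Microsoft Root Certificate Authority 2011": "8F43288AD272F3103B6FB1428485EA3014C0BCFE",
    "Microsoft Root Certificate Authority": "CDD4EEAE6000AC7F40C3802C171E30148030C072",
    "Thawte Timestamping CA": "BE36A4562FB2EE05DBB3D32323ADF445084ED656",
    "USERTrust RSA Certification Authority": "2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E",
    "VeriSign Class 3 Public Primary Certification Authority - G5": "4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5",
    "VeriSign Universal Root Certification Authority": "3679CA35668772304D30A5FB873B0FA77BB70D54",
    "Microsoft Identity Verification Root Certificate Authority 2020": "F40042E2E5F7E8EF8189FED15519AECE42C3BFA2",
}

# Constructed placeholder bundle (NOT a real certificate): arbitrary bytes
# wrapped in PEM armour so the parser below has something to read offline.
SAMPLE_BUNDLE = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a certificate")


def normalize_thumbprint(value: str) -> str:
    """Accept 'ab:cd', 'ab cd' or 'ABCD' and return bare upper-case hex."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def der_thumbprint(der: bytes) -> str:
    """The thumbprint Windows shows is SHA-1 over the DER encoding."""
    return hashlib.sha1(der).hexdigest().upper()


def pem_bundle_to_der(pem_text: str) -> list[bytes]:
    """Split a PEM bundle into DER blobs; ssl does the base64 decoding."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    ders, start = [], 0
    while True:
        b = pem_text.find(begin, start)
        if b < 0:
            break
        e = pem_text.find(end, b)
        if e < 0:
            break
        e += len(end)
        ders.append(ssl.PEM_cert_to_DER_cert(pem_text[b:e]))
        start = e
    return ders


def installed_root_ders() -> list[bytes]:
    """DER of every X.509 cert in the machine ROOT store (Windows only)."""
    if sys.platform != "win32":
        return []
    return [der for der, enc, _trust in ssl.enum_certificates("ROOT") if enc == "x509_asn"]


def check_roots(ders: list[bytes], required: dict[str, str] = REQUIRED_ROOTS):
    """Return (present, missing) Subject CN lists, matched by thumbprint only."""
    have = {der_thumbprint(d) for d in ders}
    present = sorted(cn for cn, tp in required.items() if normalize_thumbprint(tp) in have)
    missing = sorted(cn for cn, tp in required.items() if normalize_thumbprint(tp) not in have)
    return present, missing


def main(argv: list[str]) -> int:
    # Usage: python check_roots.py [bundle.pem]; without an argument the
    # Windows ROOT store is read (empty on other platforms).
    if len(argv) > 1:
        with open(argv[1], encoding="ascii") as fh:
            ders = pem_bundle_to_der(fh.read())
    else:
        ders = installed_root_ders()
    present, missing = check_roots(ders)
    for cn in present:
        print("OK      ", cn)
    for cn in missing:
        print("MISSING ", cn)
    return 0 if not missing else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code makes the check usable from a scheduled job or a deployment gate: a non-zero result means at least one of the listed roots is absent, which is exactly the condition that later shows up as TLS handshake failures against the manager or the Cloud One backend.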
- Checkpoint list of Server & Workload Protection (Trend Vision One Endpoint Security) - PreCheck

| Category | Name | Description |
| --- | --- | --- |
| Basic Information | Operating system | Displays the OS version of the machine. |
| | Hardware | Displays the CPU, memory and free disk size of the machine. |
| | Trend Micro Endpoint Protection | Detects whether a DSA/XBC/Apex One agent already exists. |
| | Proxy server | Checks if a system proxy has been enabled on the machine. |
| | Detected Vision One Service Gateway (with Forward Proxy feature enabled) | Detects if the local registry has a record for Trend Vision One Service Gateway (with Forward Proxy feature enabled). |
| Trend Vision One agent Precheck | Operating system | Checks if the OS version of the machine is supported (2 CPU / 512 MB memory / 3 GB disk). |
| | SHA-2 code signing support | Checks if the required Microsoft KBs are applied on the current machine. Windows 7 and Windows 2008 R2 must have the SHA-2 KB installed (Microsoft KB 4474419 and KB 4490628). |
| | Hardware | Checks if the CPU and memory on this machine meet the requirements to enable Endpoint Sensor. |
| | TLS protocol | Checks if the required protocols meet the requirements to enable Endpoint Sensor. |
| | System certificates | Checks if the required certificates meet the requirements to enable Endpoint Sensor. Root certificates: Entrust Root Certification Authority - G2; DigiCert Assured ID Root CA; DigiCert Trusted Root G4; USERTrust RSA Certification Authority. Intermediate certificate: Entrust Certification Authority - L1K. |
| | Device time | Checks if the date/time on the machine meets the requirements to enable Endpoint Sensor. |
| | Endpoint Basecamp Service Connectivity | Tests if the network connection from the machine to the XBC backend server is available. |
| | Log Receiver Service Connectivity | Tests if the network connection from the machine to the XLog Receiver server is available. |
| | Endpoint Inventory Service Connectivity | Tests if the network connection from the machine to the XDR Endpoint Inventory backend server is available. |
| | Endpoint Basecamp Support Connector Service Connectivity | Tests if the network connection from the machine to the Support Connector backend server is available. |
| Cloud One Agent Precheck | Operating system | Checks if the OS version of the machine is supported. |
| | Hardware | Checks if the CPU and memory on the machine meet the requirements to install DSA: 2 GB RAM, 1 GB disk and 2 CPUs are required. |
| | ACS support | Checks if the OS meets the Azure Code Signing requirement. |
| | Cloud One Server Connectivity | Tests if the network connection from the machine to the Cloud One server is available. |
| | System certificates | Checks if the required certificates meet the requirements (refer to the KB article "Updating the VeriSign, DigiCert, USERTrust RSA certificate on Deep Security and Cloud One - Workload Security"). |

- Checkpoint list of Server & Workload Protection (Trend Vision One Endpoint Security) - PostCheck
| Category | Name | Description |
| --- | --- | --- |
| Endpoint Basecamp Postcheck | XBC: XBC is (not) detected | Detects if any XBC components exist on the endpoint. |
| | Registry: xdr_device_id | Checks the xdr_device_id registry record. |
| | Detected Trend Vision One Service Gateway (with Forward Proxy feature enabled) | Detects if the local registry has a record for Trend Vision One Service Gateway (with Forward Proxy feature enabled). |
| | Service: Trend Micro Endpoint Basecamp | Checks if the XBC service is installed. |
| | Service: Trend Micro Cloud Endpoint Telemetry Service | Checks if the XBC service is installed. |
| | Process: endpointbasecamp.exe (Trend Micro Endpoint Basecamp) | Checks if the XBC process is running. |
| | Process: CETASvc.exe (Trend Micro Cloud Endpoint Telemetry Service) | Checks if the XBC process is running. |
| | File: EndpointBasecamp.exe | Checks if the XBC executable file exists; if so, shows its file version, which indicates the XBC build version. |
| | File: CETASvc.exe | Checks if the XBC executable file exists; if so, shows its file version. |
| | File: WSCommunicator.exe | Checks if the XBC executable file exists; if so, shows its file version. |
| | Scheduled Task: Trend Micro Endpoint Basecamp | Checks if the XBC scheduled task exists and whether the status of the task is normal. |
| Endpoint Sensor Postcheck | XES: XES is (not) detected | Detects if any XES components exist on the endpoint. |
| Cloud Endpoint Service | Service: Cloud Endpoint Service | Checks if the XES service is installed. |
| | Process: CloudEndpointService.exe | Checks if the XES cloud endpoint process is running. |
| | File: CloudEndpointService.exe | Checks if the XES cloud endpoint executable file exists; if so, shows its file version, which indicates the XES build version. |
| Cloud Endpoint Service | Service: Trend Micro Response Service | Checks if the XES response service is installed. |
| | Process: ResponseService.exe | Checks if the XES response service process is running. |
| | File: ResponseService.exe | Checks if the XES response service executable file exists; if so, shows its file version. |
| XDR Endpoint Sensor | Driver: Trend Micro LWE Driver | Checks if the LWE driver is running. |
| Vulnerability Detection | Vulnerability Detection | Checks if DVASSTool is installed. |
| Server & Workload Protection Agent Postcheck | DSA: DSA is (not) detected | Checks if the DSA software is installed. |
| | DSA version | Detects the currently installed DSA version. |
| | DSA service status: DSA service is (not) running | Checks if the DSA service is running. |
| Module status | AMSP (Windows anti-malware) feature status: ON/OFF | Checks whether AMSP is ON or OFF (only supported on DSA 20.0.3445+). |
| | ACM (Activity Monitoring) feature status: ON/OFF | Checks whether ACM is ON or OFF (only supported on DSA 20.0.3445+). |
| | Self-Protection status: ON/OFF | Checks if Self-Protection is enabled or disabled. |
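As an added example (not code from the Support Tool or from Trend Micro), the block below turns the hardware rows of the PreCheck table above into a standalone evaluator: the Trend Vision One agent thresholds (2 CPU / 512 MB / 3 GB) and the Cloud One DSA thresholds (2 CPU / 2 GB RAM / 1 GB disk) are encoded as data, a snapshot of the local machine is collected with `os` and `shutil` (and `psutil`, from the bundled list, when it is importable), and each unmet threshold is reported as its own line so a failed precheck says exactly what is short. It also carries a connectivity probe in the spirit of the "Service Connectivity" rows: a TCP connect followed by a TLS 1.2+ handshake that keeps certificate verification on, so a missing root CA from the "System certificates" row surfaces here as well. The host, port and snapshot values in the test are constructed, not taken from the page.

```python
from __future__ import annotations

import os
import shutil
import socket
import ssl
from dataclasses import dataclass

MIB = 1024 ** 2
GIB = 1024 ** 3


@dataclass(frozen=True)
class Requirement:
    name: str
    min_cpus: int
    min_mem_bytes: int
    min_disk_bytes: int


# Thresholds exactly as stated in the PreCheck table above.
VISION_ONE_AGENT = Requirement("Trend Vision One agent", 2, 512 * MIB, 3 * GIB)
CLOUD_ONE_DSA = Requirement("Cloud One agent (DSA)", 2, 2 * GIB, 1 * GIB)


@dataclass(frozen=True)
class Snapshot:
    cpus: int
    mem_bytes: int
    free_disk_bytes: int


def _mem_from_proc() -> int:
    """Linux fallback when psutil is absent: MemTotal (kB) from /proc/meminfo."""
    try:
        with open("/proc/meminfo", encoding="ascii") as fh:
            for line in fh:
                if line.startswith("MemTotal:"):
                    return int(line.split()[1]) * 1024
    except OSError:
        pass
    return 0  # unknown; evaluate() will then report memory as insufficient


def collect_snapshot(path: str = os.sep) -> Snapshot:
    """Gather the same three figures the tool's Hardware row displays."""
    cpus = os.cpu_count() or 0
    try:
        import psutil  # bundled with the Support Tool; optional here
        mem = psutil.virtual_memory().total
    except ImportError:
        mem = _mem_from_proc()
    return Snapshot(cpus, mem, shutil.disk_usage(path).free)


def evaluate(snapshot: Snapshot, req: Requirement) -> list[str]:
    """Return one failure line per unmet threshold; an empty list means PASS."""
    failures = []
    if snapshot.cpus < req.min_cpus:
        failures.append(f"CPU: {snapshot.cpus} < {req.min_cpus} required")
    if snapshot.mem_bytes < req.min_mem_bytes:
        failures.append(f"Memory: {snapshot.mem_bytes // MIB} MB "
                        f"< {req.min_mem_bytes // MIB} MB required")
    if snapshot.free_disk_bytes < req.min_disk_bytes:
        failures.append(f"Disk: {snapshot.free_disk_bytes // MIB} MB free "
                        f"< {req.min_disk_bytes // MIB} MB required")
    return failures


def tls_connectivity(host: str, port: int, timeout: float = 5.0) -> tuple[bool, str]:
    """TCP connect plus a verified TLS 1.2+ handshake; no application data is sent.
    Verification stays on deliberately: a handshake that fails on an unknown
    issuer points at the certificate precheck, not at the network."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} handshake OK"
    except (OSError, ssl.SSLError) as err:
        return False, str(err)


if __name__ == "__main__":
    snap = collect_snapshot()
    for req in (VISION_ONE_AGENT, CLOUD_ONE_DSA):
        problems = evaluate(snap, req)
        print(req.name, "PASS" if not problems else "FAIL")
        for line in problems:
            print("   ", line)
```

Keeping the thresholds in `Requirement` objects rather than in the comparison code means a changed requirement in a future agent release is a one-line data edit, and the same `evaluate()` can be unit-tested against constructed snapshots without touching the machine it runs on.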