Views:

Trend Micro Deep Security Agent Support Tool GUI Version

Please run the Trend Micro Deep Security Agent Support Tool for GUI Version with administrator permission.

It is recommended to use the current tool version which has the latest build.
Please note the validity of the version, which will be updated regularly in Solution Center. If it has expired, the UI will display:
"This version of the program is Expired. Please request for newer version."

EXPAND ALL

Data Collection for DSA tab

In this tab, you can view the current DSA status by checking on the UI.

Software: Indicates whether DSA is installed on this computer
Version: Indicates current DSA version number
Services Status: If DSA is installed, this indicates whether the DSA service status is on or off.
Debug Mode: Indicates whether log debug level is enabled
Self-Protection: Indicates whether self-protection is disabled (Some module debug cannot be enabled provided that self-protection is enabled.)
You may also press Other Item button to check the specific module feature status.
For "Debug Items", to enable AMSP debug level is by default. You can also choose more options if necessary.
Then, Enable Debug logging"/"disable Debug logging can be used to control the debug status.
Press button Collect Data to generate a diagnostic package.

After the collection, there will be 3 files/folder under the same path as this tool:

A ZIP file named like "DSTool-PRODUCT-20211014-112342-[WIN-K2EK8NG8KJF].zip". This is the collection package, including diagnostic package and other necessary information.
A TXT file named like "DSTool-PRODUCT-20211014-112342-[WIN-K2EK8NG8KJF].txt". It contains a SHA256 value, which should match above ZIP file.
A "logs" folder. A folder that stores temp files and tool log(temp files will be removed when finishing the collection).

As best practice, the steps of log collection are:

Enable Debug log.
Reproduce the issue.
Disable Debug log.
Collect Data.

Performance Collection For DSA tab

There are two parts for DSA performance collection. On the left side of this UI is Process Monitor log collection. On the right side of this UI is Windows Performance Recorder log collection.

You may choose automatic collection with a timer(suggested) or manually start/stop the collection.

Process Monitor
For the reason that Microsoft does not allow third-party software to integrate Process Monitor directly, you need to download or select existing Process Monitor manually.
- Use "Download Process Monitor" button to download.
  If the environment can connect to Internet, press Download Process Monitor to download the software. The default downloaded path is the same as the tool path.
  
  After downloading, the tool points to this "Process Monitor" path by default. You can start "Process Monitor" logs collection.
- Select an existing "Process Monitor".
  You can also select an existing "Process Monitor" via "Change Path" option. Then import "Process Monitor" from the specified path.
  
  Whichever method, the tool will judge the signature of the specified "Process Monitor" software. Once passing the verification, tool will run "Process Monitor" in backend according to user's options.
- Change altitude of Process Monitor
  In cases where Process Monitor needs to have higher altitude to collect logs, you may check this option. Please refer to the Microsoft Tech Community article: Change Altitude of Process Monitor (ProcMon).
You may encounter the following error:

"Unable to load Process Monitor device driver."

This error may be the result of an older Windows version not being able to support SHA256.

It is recommended to update Windows as the new version of Process Monitor only supports SHA256.

For further information, refer to this Microsoft article, 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

To lessen the events that Process Monitor collects, a local process monitor configuration will be loaded if the file exists in the same path as the tool. The size of the log file will be smaller. To use the Process Monitor:
1. Create a filter for events that are only needed to be monitored.
2. Enable the option “Drop Filtered Events”.
3. In the File menu, choose “Export Configuration..”, and save the file as “ProcmonConfiguration.pmc”.
4. Copy the configuration file to the same folder of the tool and start the process monitoring.
This setting is useful for issues where "file access violation" is not always reproducible and occurs in random.
Windows Performance Recorder
You can check/uncheck corresponding checkbox to choose the option. The tool will run according to the checked option at backend to collect WPR logs.

If there is no WPR being detected as installed in environment, the tool will alert and give a link to guide user to install WPR software.
Automatically compress performance logs
After performance log collection, there will be a performance folder under the same path as tool, which stores original performance logs. At this moment, when user wants to quit the tool, it will pop up (as shown below). You may choose to compress or not compress the original performance log files.
Finally, the tool will help generate a ZIP file and delete original "performance" folder.

This tab lists the top-10 scanned files and top-10 busy processes, which are scanned the most times by AMSP module (only supported by newly released Deep Security 20 version). You may have a quick check to decide whether specific files/processes need to be excluded provided that these are trusted but have affected device performance.

The data on this tab resets when AMSP service restarts.

Network Analysis

There are two main features under Network Analysis: Network Packet Capture and Network Check. These features help users collect and check network related problems.

Background
The tool needs to use a driver to catch network packets. There are two options: WinPCAP and NPCAP. Both cannot coexist.

WinPCAP's advantage is that the tool can help install/uninstall WinPCAP automatically during the collection running time. Although its disadvantage is its poor compatibility as the version is old and not have been updated.

on the other hand, NPCAP has better compatibility, and is updated on a regular basis. Its disadvantage is that it has to be installed manually first, then use tool to catch network packets.

Mechanism

As NPCAP and WinPCAP are enforced to not coexist.
- If tool detects that NPCAP or WinPCAP driver has been installed in environment, tool will call corresponding driver directly.
- If tool detects that neither NPCAP nor WinPCAP driver has been installed in environment, tool will help install and uninstall WinPCAP automatically itself.
Below is an example:
- If you have already installed Wireshark software in your environment (We have known that new version of Wireshark uses NPCAP while the old version uses WinPCAP), our tool will use the existing NPCAP/WinPCAP driver.
- If it is a clear environment, the tool will help install/uninstall the driver. (An alert will be given, as installing a driver is a sensitive procedure.)
Network Packet Capture
You may use a timer or manually start/stop to catch network packets for all computer NICs in "Network Packet Capture" section. The collection logs are printed to indicate the collection status.
Network Check
You can specify the URL or leave it as blank (DSM/C1WS URL by default). After clicking Check, the tool will try to verify the network connection status between DSA client and target URL(DSM/C1WS). Verification results can be checked from the UI.
Automatic compression of network logs
This feature is the same as in Chapter 1.2.3, when collecting network packets and do the check, the original network related logs in folder "Network", tool can help compress the collected network related logs into ZIP file.

Environment Check

Check and Fix

Server & Workload Protection (Trend Vision One Endpoint Security) Pre-check

This feature can help users perform a pre-check on their endpoints, and see if the endpoint can meet Server & Workload Protection environment requirements.

Navigate to Environment Check > Check and Fix > Server & Workload Protection (V1ES) -PreCheck, then press Start.

Fill in the information.
- Proxy information
  If your endpoint does not need a service gateway nor a customized proxy server to connect to the Internet (Trend Vision One backend server), do not check and fill in any proxy information.
  If your endpoint needs a service gateway to connect to Internet (Trend Vision One backend server), fill in the service gateway FQDN or IP (default port is 8080). Also fill in the service gateway API value.
  Tip 1: You can get SG API key from the Trend Vision One portal under Workflow and Automation > Service Gateway Management > Manage API Key.
  
  Tip 2: If your XBC agent has reported to Trend Vision One, you can identify from the check result (basic information) the registered Service Gateway (FPS enabled) for XBC.
  
  If your endpoint needs a customized proxy server to connect to Internet (Trend Vision One backend server), input the proxy FQDN/IP and port. Username and password are optional.
- Region
  Some users' Trend Vision One endpoints and Server & Workload Protection agents do not belong to the same region. For this, user needs to choose correct region information separately.
After setting the correct information, press Start. After a few minutes, you can check the returned results.

If some check points failed to pass the test, you will get alert from the UI.

Refer to the appendix for more check points details.

Server & Workload Protection (Trend Vision One Endpoint Security) Post-check

This feature can help users perform post-check on their endpoints to verify the current module status of the endpoint.

Navigate to Environment Check > Check and Fix >Server & Workload Protection (V1ES) - PostCheck, and press Start.

This feature can help users determine current local status of Trend Vision One agent and Deep Security Agent (DSA) modules. It will be very helpful to provide necessary information when troubleshooting endpoint side issues.

Refer to the appendix for more check points details.

Troubleshooting UMH

When troubleshooting UMH driver related issues, UMH usually needs to be disabled. Make sure to isolate the root cause if there are issues. However, the enable/disable UMH action is difficult for most customers. This feature is introduced to help perform the enable/disable action faster.
Navigate to Environment Check > Check and Fix > Troubleshoot UMH, then press Start.

When current UMH is enabled, the green part can be seen with "Running" status. You may choose the option to disable UMH, as seen below.

When the action is done, you can see the UMH service has been disabled, while AMSP is still running.
When current UMH is disabled, the red part will show "Stopped" status. You may choose to enable UMH.

When the action is done, user can see the UMH service has been enabled, and both AMSP and UMH are running.
For security concerns, if you exit the tool and leave UMH disabled status, it will give an alert.

If you prefer to use the CMD version tool, use following parameters.

Scenario	Parameters
To enable TMUMH	"Check and Fix": {"Troubleshoot UMH": {"enableCheck":1, "enableFix": 1}}
To disable TMUMH	"Check and Fix": {"Troubleshoot UMH": {"enableCheck":1, "enableFix": 0}}
Not use this feature	"Check and Fix": {"Troubleshoot UMH": {"enableCheck":0, "enableFix": 0}}

For more details, please refer to Chapter: Trend Micro Deep Security Agent Support Tool for CMD Version.

MS Azure Code Signing Check

According to this KB article, after mid-February 2023 there will be an impact on machines that do not meet the MS operation system requirements. Based on this, the tool has a feature to detect OS version/KB and give alert if the current OS did not meet the MS requirements.

Scenario 1: OS version passed the test
Scenario 2: OS version failed to pass the test

Anti-Malware Test - Eicar

This is a built-in check script. The user can verify if the anti-malware realtime-scan feature has worked normally on the agent side.

When starting this feature, the user needs to choose a specific local path. This is supposed to be monitored by DSA realtime-scan policy(CMD version uses "C:\temp\" by default).

Tool will extract eicar.com file to the path and take action.

Due to support tool being signed by Trend Micro, the behavior of operating eicar.com file will be bypassed. Therefore, the action of eicar.com file is taken by windows scheduled task, which is initialized by the tool.

After waiting for a few seconds, the tool will judge whether "eicar.com" file still exists. If it does not, it means realtime-scan has taken effect and removed "eicar.com" file. User can check the anti-malware events on console. Otherwise, realtime-scan might not work normally.

Please make sure that the chosen path is not in the exclusion list and that the anti-malware realtime-scan is enabled for the correct action.

Refer to the following text examples:

> Scenario 1: No Detection

2022-09-26 13:52:01 Starts Executing [AntiMalware Test - Eicar].
2022-09-26 13:52:01 Detail: Performing Anti Malware test using Eicar test file by writing/reading EICAR.COM at local path.
2022-09-26 13:52:01 Waiting for input value of path to write/read EICAR.com . . .
[Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task.
2022-09-26 13:52:11 Creating scheduled task . . .
2022-09-26 13:52:11 Successfully created a scheduled task named [EicarTestDSA]
2022-09-26 13:52:11 Modifying the scheduled task to run even in battery power mode . . .
2022-09-26 13:52:12 Successfully modify the scheduled task [EicarTestDSA]
2022-09-26 13:52:12 Running the scheduled task . . .
2022-09-26 13:52:12 Successfully run the scheduled task [EicarTestDSA]
2022-09-26 13:52:12 Delete the scheduled task.

[Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation.
2022-09-26 13:52:22 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. The AntiMalware module might not be configured to take action during write operation.

[Step 3] Reading the content of C:\Users\Administrator\Desktop\EICAR.com through scheduled task.
2022-09-26 13:52:27 Creating scheduled task . . .
2022-09-26 13:52:28 Successfully created a scheduled task named [EicarTestDSA]
2022-09-26 13:52:28 Modifying the scheduled task to run even in battery power mode . . .
2022-09-26 13:52:28 Successfully modify the scheduled task [EicarTestDSA]
2022-09-26 13:52:28 Running the scheduled task . . .
2022-09-26 13:52:29 Successfully run the scheduled task [EicarTestDSA]
2022-09-26 13:52:29 Delete the scheduled task.

[Step 4] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the read operation.
2022-09-26 13:52:34 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. The AntiMalware module might not be configured to take action during read operation.

[Cleanup] Remove the test file C:\Users\Administrator\Desktop\EICAR.com.

2022-09-26 13:52:37 Done executing [AntiMalware Test - Eicar].
2022-09-26 13:52:37 Finish Executing all the chosen function(s).

> Scenario 2: Set detection on WRITE

2022-09-26 14:02:19 Starts Executing [AntiMalware Test - Eicar].
2022-09-26 14:02:19 Detail: Performing Anti Malware test using Eicar test file by writing/reading EICAR.COM at local path.
2022-09-26 14:02:19 Waiting for input value of path to write/read EICAR.com . . .
[Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task.
2022-09-26 14:02:22 Creating scheduled task . . .
2022-09-26 14:02:22 Successfully created a scheduled task named [EicarTestDSA]
2022-09-26 14:02:22 Modifying the scheduled task to run even in battery power mode . . .
2022-09-26 14:02:22 Successfully modify the scheduled task [EicarTestDSA]
2022-09-26 14:02:22 Running the scheduled task . . .
2022-09-26 14:02:23 Successfully run the scheduled task [EicarTestDSA]
2022-09-26 14:02:23 Delete the scheduled task.

[Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation.
2022-09-26 14:02:33 ---> Cannot find C:\Users\Administrator\Desktop\EICAR.com, the AntiMalware might have removed it. Please check the AntiMalware log.

2022-09-26 14:02:33 Done executing [AntiMalware Test - Eicar].
2022-09-26 14:02:33 Finish Executing all the chosen function(s).

> Scenario 3: Set detection on READ

2022-09-26 14:10:47 Starts Executing [AntiMalware Test - Eicar].
2022-09-26 14:10:47 Detail: Performing Anti Malware test using Eicar test file by writing/reading EICAR.COM at local path.
2022-09-26 14:10:47 Waiting for input value of path to write/read EICAR.com . . .
[Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task.
2022-09-26 14:10:49 Creating scheduled task . . .
2022-09-26 14:10:51 Successfully created a scheduled task named [EicarTestDSA]
2022-09-26 14:10:51 Modifying the scheduled task to run even in battery power mode . . .
2022-09-26 14:10:52 Successfully modify the scheduled task [EicarTestDSA]
2022-09-26 14:10:52 Running the scheduled task . . .
2022-09-26 14:10:52 Successfully run the scheduled task [EicarTestDSA]
2022-09-26 14:10:52 Delete the scheduled task.

[Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation.
2022-09-26 14:11:02 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. The AntiMalware module might not be configured to take action during write operation.

[Step 3] Reading the content of C:\Users\Administrator\Desktop\EICAR.com through scheduled task.
2022-09-26 14:11:07 Creating scheduled task . . .
2022-09-26 14:11:08 Successfully created a scheduled task named [EicarTestDSA]
2022-09-26 14:11:08 Modifying the scheduled task to run even in battery power mode . . .
2022-09-26 14:11:08 Successfully modify the scheduled task [EicarTestDSA]
2022-09-26 14:11:08 Running the scheduled task . . .
2022-09-26 14:11:08 Successfully run the scheduled task [EicarTestDSA]
2022-09-26 14:11:08 Delete the scheduled task.

[Step 4] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the read operation.
2022-09-26 14:11:14 ----> Cannot find C:\Users\Administrator\Desktop\EICAR.com, the AntiMalware might have removed it. Please check the AntiMalware log.

2022-09-26 14:11:14 Done executing [AntiMalware Test - Eicar].
2022-09-26 14:11:14 Finish Executing all the chosen function(s).

Inspect CA Certificates

This is a built-in check script. A user may prefer this method to verify whether certificates used by Deep Security components have been installed in system. You may refer to the Appendix section - The certificate list that the tool checks. A big part of engine offline issues are due to lack of CA certificates in the OS that Deep Security components cannot be loaded normally.

Please note that DSA may still be able to work normally even when missing some certificates or if certificates expire. However, we still recommend checking and importing all the certificates to avoid some potential issues.

How to Import Certificates in Batches

It is recommended to use the CMD version tool if you prefer to certificates in batches. To do this, enable the feature in configuration file (disable other features). Administrators can deliver CMD version and configuration file to the endpoints then run the tool directly. The CMD version tool will check and import the missing certificates in the background.

Refer to the following "DSTool.json" example:

{
"Log Collection": {
    "enableAMSP": 0,
    "enableUMH": 0,
    "enableEYES": 0,
    "enableAEGIS": 0,
    "timerInSecondDebug": 30,
    "disableDebugAfterTimer": 1,
    "enableLogCollection": 0
},
............

"Check and Fix": {
    "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0},
    "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0}
},

............

"Tool": {
    "PressKeyToEnd": 0
}
}

Please refer to the chapter, Trend Micro Deep Security Agent Support Tool for CMD Version, for more configuration details.

Anti-Malware Status Analysis

This is a built-in check script. When there are errors occurring on DSA that are related to Anti-Malware feature offline, this can help analyze the possible root cause quickly.

Customized script for checking issues

This is a hidden feature for back-end team. When support/RD engineer wants to do some special checks and operations in user's environment, they create a simple Python script and let the customer to put the script in the path such as the sample script. The customer's computer does not require a Python environment.

Write a customized python script.
Write a python script according to the specific scenario. For instructions on how to write a script in detail, please refer to the Appendix: How to write a Support Cases Script. Trend Micro welcomes anyone to provide more useful scripts for common issues.
Choose whether to enable script integrity check and sign the script.
For safety reasons, by default, the tool has an integrity check of the script before running it. Tool only loads script that is from a signed ZIP file. The integrity check can prevent scripts from being maliciously tampered with or exploited. User can contact allofcncorerd@dl.trendmicro.com to sign the script. Trend Micro will sign from SampleCase.py to SignedSampleCase.zip. Afterwards, SignedSampleCase.zip can be used with our tool. User can also disable the integrity check by registry key to use original python file script without integrity check.
To disable, create a key "SOFTWARE\TrendMicro\DSASupportTool" with value "disableMaliciousScriptCheck" as "DWORD" data.
- Data of "1", means disable integrity check.
- Data of "0" or registry key doesn't exist, means integrity check will be enabled upon running the tool.
Put python file or signed ZIP file in the environment.
If tool is located at C:\Users\Administrator\Desktop\DSASupportTool_GUI.exe, the python file should be at C:\Users\Administrator\Desktop\SupportCases\DSA\SampleCase.py
The signed ZIP file should be at C:\Users\Administrator\Desktop\SupportCases\SignedSampleCase.zip or C:\Users\Administrator\Desktop\SupportCases\DSA\SignedSampleCase.zip. Either of the two can be used.
Run the script
After restarting tool, there will be a new option for user to choose.
You may press the button on UI to run the script.

Deep Security Agent Modules CPU Utilization
Agent Modules CPU Utilization allows user to monitor the CPU utilization of DSA modules (only supports DSA later than 20.0.0-3445). When there are performance issues, the problem can be located faster, which is the targeted DS modules. This allows back-end team to narrow down the issue accurately.

This tool uses "sendCommand.cmd --get Metrics" to get original data and filters "ThreadInfo" field in backend and displays the real time data with bar chart.

In the future, more metrics will be added to help users monitor the performance usage of DSA components.

Monitoring for too long may increase and accumulate memory usage. It is recommended to perform monitoring not more than 5 hours. This is a limitation as the tool must constantly refresh data in the background

DSA Metrics

DSA Metrics is a type of data that provides details on how DSA works. The data is stored in local path as a file with json format.

DSA Metrics can be generated by DSA. More precise interval can be used to manually generate and collect data. I will be helpful to troubleshot an issue with detailed metrics data.

This feature is introduced here:

Importing metrics

For importing metrics, the data source should be the file:

C:\ProgramData\Trend Micro\Deep Security Agent\metrics\537bc5e5-4e35-9d89-b209-402a17b0583c.json (generated by DSA)
C:\Users\Administrator\Desktop\DSA_Metrics\20220517-195214\195619_jsonRecords.json (generated by tool)
Select the matched time zone on UI then import the correct metrics file. The tool will display the data on a chart.

This feature can be used to display the below data from the collected metrics:

Count of real-time-scan newly scanned file(s) every iteration
Virtual Memory Reserved (MB) of the anti-malware module
CPU utilization (%) of the anti-malware module

Metrics collection

Metrics data is usually generated every 10 minutes by DSA under "C:\ProgramData\Trend Micro\Deep Security Agent\metrics\". However, it is often not enough to do further research in some cases. More accurate data is necessary for backend team sometimes.

A user can use the tool to do the collection with shorter interval, set the timer to start the metrics collection, and also stop manually during the collection.

Once finishing the collection, user can press Import Metrics and Display As a Chart to make a fast view of the metrics just collected as the charts(The same type of chart as Import Metrics part). After the collection, the tool can help compress the data files into ZIP. If there is a case, it is recommended to provide the collected metrics data ZIP file to support team to make further investigation.

The default password of ZIP file is trend.

Trend Micro Deep Security Agent Support Tool CMD Version

Please run the Trend Micro Deep Security Agent Support Tool for CMD Version with administrator permission.

Administrator: Command Prompt

Run the program via command line. The progress will last several minutes, and you should be able to get the diagnostic package

User needs to configure "DSTool.json" first according to requirements. Without "DSTool.json", the tool will only take log collection action by default.

Example of "DSTool.json"

{
    "Log Collection": {
        "enableAMSP": 1,
        "enableUMH": 0,
        "enableEYES": 0,
        "enableAEGIS": 0,
        "timerInSecondDebug": 30,
        "disableDebugAfterTimer": 1,
        "enableLogCollection": 1
    },
    "Process Monitor": {
        "enableProcMon": 0,
        "enableChangeAltitude": 0,
        "timerInSecondProcMon": 10
    },
    "WPR": {
        "enableWPR": 0,
        "timerInSecondWPR":10,
        "optionsWPR": "-start CPU -start DiskIO  -start FileIO -start Registry -start Network  -start Heap -start Pool -start VirtualAllocation -start Handle -start Minifilter"
    },
    "Network Packet Capture": {
        "enableNetPCap": 0,
        "timerInSecondNetPCap": 10
    },
    "Network Check": {
        "enableNetCheck": 0,
        "URL2NetCheck": ""
    },

    "Check and Fix": {
        "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0},
        "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0},
 "AntiMalware Test - Eicar": {"enableCheck": 0, "enableFix": 0}
"MS Azure Code Signing Check": {"enableCheck": 0, "enableFix": 0}  content
    },

    "Metrics": {
        "collectMetrics": 0,
        "MetricsIntervalInSecond": 5,
        "MetricsDurationInSecond": 300
    },

    "Tool": {
        "PressKeyToEnd": 1,

        "enableFeedback": 1
    }
}

Explanation (1: Yes ; 0: No):

"enableAMSP": 1        Whether enable AMSP debug
"enableUMH": 0        Whether enable UMH debug
"enableEYES": 0        Whether enable EYES debug
"enableAEGIS": 0        Whether enable AEGIS debug
"timerInSecondDebug": 30        The duration of enabling debug, units as seconds
"disableDebugAfterTimer": 1        Whether disable debug after enabling debug (not recommend to modify it)
"enableLogCollection": 1        Whether collect logs after enable/disable debug (not recommend to modify it)



## Due to Microsoft policy limitation, tool cannot integrate with Process Monitor, directly. User must put Process Monitor software to the same path as this tool, manually. Otherwise, this collection will be skipped.

## Process Monitor downloaded link: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

"enableProcMon": 0        Whether enable using Process Monitor to collect performance logs
"enableChangeAltitude": 0        Whether enable high priority of Process Monitor
"timerInSecondProcMon": 10        The duration of enabling Process Monitor, units as seconds



"enableWPR": 0        Whether enable using WPR to collect performance logs
"timerInSecondWPR":10        The duration of enabling WPR, units as seconds
"optionsWPR": "-start CPU -start DiskIO -start FileIO -start Registry -start Network -start Heap -start Pool -start VirtualAllocation -start Handle -start Minifilter"

The backend command that is used to run WPR (not recommend to modify if not familiar with the WPR command)



"enableNetPCap": 0         Whether enable Network Packets Capture
"timerInSecondNetPCap": 10        The duration of enabling Network Packets Capture, units as seconds

"enableNetCheck": 0        Whether enable Network Check
"URL2NetCheck":""        The target URL that need to be checked(empty double quotes means detect the DSM URL)



 "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0}    Whether run "Inspect CA certificates" feature to check environment and whether take action  if finding lacking of CA certificates. The two configurations are based on the specific customized scripts
 "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0}     Whether run "AntiMalware Status Analysis" feature to return checking result.  Currently, "enableFix" is an invalid parameter as this feature has no action to be done.
"AntiMalware Test - Eicar": {"enableCheck": 0, "enableFix": 0}    Whether run "AntiMalware Test - Eicar" feature to return checking result.  Currently, "enableFix" is an invalid parameter as this feature has no action to be done.
"MS Azure Code Signing Check": {"enableCheck": 0, "enableFix": 0}  content


"collectMetrics": 0         Whether enable to collect Metrics data
"MetricsIntervalInSecond": 5        The interval of collecting Metrics data, units as seconds
"MetricsDurationInSecond": 300       The duration of collecting Metrics data, units as seconds



"PressKeyToEnd": 1        Whether ask "key press" to end the program in command console

"enableFeedback": 1        Whether allow tool collects and transfers usage feedback data

Appendix

About collecting usage feedback data

Starting DSSupportTool_GUI/CMD Build-1.0.0.1160, the tool has enabled collecting usage feedback data by default. Enabling this feature can help Trend Micro know more about tool usage and operation behavior, then further improve the features.

For GUI version, user can uncheck the option on UI to disable this feature. For CMD version, you can set the parameter ["enableFeedback": 1] from 1 to 0 in "DSTool.json" file to disable this feature. Then no data will be collected.

When enabling this feature, the following data will be collected and transferred to backed through Google Analytics(www.google-analytics.com):

Data Collected	Description	Example
AgentGuid	Identification number	"AgentGuid:": "42001A42-0C16-67BC-7B0E-FA099177EB00"
ToolVersion	The version of the tool being used	"ToolVersion": "GUI-1.0.0.1155" or "ToolVersion": "CMD-1.0.0.1155"
DSAversion	The version of the DSA being used	"DSAversion": "20.0.1123"
OS version	The version of the OS being used	"OS": "Windows 10.567 AMD64"

Console Location	Data Collected	Example
Data Collection for DSA > Enable Debug Logging	When clicking "Enable Debug Logging" button, the customized debug status will be collected.	{"DebugItems":{"Anti Malware Features":1,"AMSP":1,"EYES":0,"UMH":0,"AEGIS":0}}
Data Collection for DSA > Collect Data Start	When clicking "Collect Data" button, the action data will be collected.	{"CollectData": {"CollectData": "True"}}
Data Collection for DSA > Collect Data Cancel	When clicking "Cancel" button, the action data will be collected.	{"CollectData": {"CollectData": "False"}}
Data Collection for DSA > Other Items	When clicking "Other Items" button, DSA module status will be collected.	{"OtherItems":{"Relay":0,"AM":1,"WRS":1,"Sensor":0,"AC":0,"IM":1,"LI":0,"FW":0,"IP":0,"CCTRL":0,"SAP":0,"iCAP":0,"DC":0}
Data Collection for DSA > Module Debug Status	When clicking "Module Debug Status" button, Debug status will be collected.	{"ModuleDebugStatus":{"AMSP":"ON", "EYES":"OFF", "UMH":"OFF", "AEGIS":"OFF}}
Performance Collection for DSA > Process Monitor> Process Monitor Altitude	When checking/unchecking "change altitude of process monitor" checkbox, this behavior will be collected.	{"ProcessMonitor": {"ProcessMonitorEnableHighAltitude": "False"}
Performance Collection for DSA > Windows Performance Recorder > WPR Option/start	When clicking "start" button in "windows performance recorder" section, the WPR parameters being used will be collected.	{"WPR": {"Option": "-start CPU -start DiskIO -start FileIO -start Registry -start Network"}}
Network Analysis > Network packet Capture > start	When clicking "start" button in "network packet capture" section, whether using WinPcap is collected.	{"NetworkCapture": {"WinPcap": "True"}}
Network Analysis > Network Check >check	When clicking "check" button in "network check" section, whether using WinPcap and target URL are collected.	{"NetworkCheck": {"WinPcap": "True", "URL":"https://192.168.38.116:4120"}}
Environment Check > Check and Fix > start	When clicking "start" button in "Check and Fix" section, which checking script being used is collected.	{"CheckAndFix": {"Inspect CA certificates": "True", "Sample case": "False", "Antimalware Status analysis": "False", "Eicar Test": "False"}}
Environment Check > CPU Utilization > start monitoring	When clicking "start monitoring" button in CPU Utilization section, whether using CPU Utilization is collected.	{"CPUUtilization": {"Start Monitoring": "True"}}
Top N list > start monitoring	When clicking "start monitoring" button in Top N list tab, whether using Top N list is collected.	{"TopN": {"Start Monitoring": "True"}}
DSA Metrics > Import Metrics > Import Metrics and Display to a Chart	When clicking "Import Metrics and Display to a Chart" button in DSA Metrics tab, time zone will be collected.	{"ImportMetrics": {"Timezone": "+0800"}}
DSA Metrics >Metrics Collection > start	When clicking "start" button in DSA Metrics tab, duration and interval of the collection will be collected.	{"MetricsCollection": {"Duration": "5", "Interval": "3"}}
DSA Metrics >Metrics Collection > Display Collected Metrics to a Chart	When clicking "Display Collected Metrics to a Chart" button in DSA Metrics tab, whether using Display Collected Metrics to a Chart will be collected.	{"DisplayCollectedMetricsToAChart": {"DisplayCollectedMetricsToAChart": "True"}}

The certificate list that the tool checks:

Subject CN	Thumbprint
DigiCert Assured ID Root CA	0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
DigiCert Global Root CA	A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
DigiCert Global Root G2	DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
DigiCert High Assurance EV Root CA	5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
DigiCert Trusted Root G4	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
Microsoft Root Certificate Authority 2010	3B1EFD3A66EA28B16697394703A72CA340A05BD5
Microsoft Root Certificate Authority 2011	8F43288AD272F3103B6FB1428485EA3014C0BCFE
Microsoft Root Certificate Authority	CDD4EEAE6000AC7F40C3802C171E30148030C072
Thawte Timestamping CA	BE36A4562FB2EE05DBB3D32323ADF445084ED656
USERTrust RSA Certification Authority	2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
VeriSign Class 3 Public Primary Certification Authority - G5	4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
VeriSign Universal Root Certification Authority	3679CA35668772304D30A5FB873B0FA77BB70D54
Microsoft Indentity Verification Root Certificate Authority 2020	F40042E2E5F7E8EF8189FED15519AECE42C3BFA2

How to write a Support Cases Script

Below is a sample UI.

Below is a sample code. (Italicized lines can be replaced with your own customized codes)

import sys
import os

from basecase import BaseCase
from Utils.tmlog import TmLog

logger = TmLog.getLogger("DSA_SupportTool")

class SampleCase(BaseCase):

    def __init__(self):
        try:
            super().__init__()
            self.name = "Sample Case"
            self.detail = "Detail: This sample case will pop a question box."
        except Exception as err:
            logger.exception(str(err))

    def __del__(self):
        try:
            pass    
        except Exception as err:
            logger.exception(str(err))
    
    def run(self):
        try:
            #Pop-up a question box. Return value is True or False
            respond = self.askConfirmation("The is sample message.\n" +
                                               "Do you want to continue?")
            
            #Display a message on the tool's UI
            self.displayMessage("You say %s" %(str(respond)))

            #Display a message on the tool's UI with clickable link
            self.displayMessage("%s" % ("https://developer.microsoft.com/en-us/windows/downloads/sdk-archive","Click here to download Windows 8.1 SDK."))
            
            #Write a line to DSA_SupportTool.log log file
            logger.info("Done running")
            return
        except Exception as err:
            logger.error(str(err))
            return

Below is the list of libs that are included. You can choose to import in your customized script.

import cchardet
import codecs
import configparser
import copy
import ctypes
import datetime
import hashlib
import importlib
import inspect
import json
import logging
import mmap
import multiprocessing
import os
import pefile
import platform
import psutil
import pythoncom
import re
import requests
import shutil
import socket
import subprocess
import sys
import telnetlib
import tempfile
import threading
import time
import urllib
import webbrowser
import win32con
import win32event
import win32evtlog
import win32evtlogutil
import winerror
import winreg
import wmi
import xml.etree.ElementTree
import zipfile

Checkpoint list of Server & Workload Protection (Trend Vision One Endpoint Security) -PreCheck

Name		Description
Basic Information	Operating system	Displays OS version of the machine.
	Hardware	Displays the CPU, memory and free disk size of the machine
	Trend Micro Endpoint Protection	Detects whether DSA/XBC/Apex One agent has existed
	Proxy server	Checks if system proxy has been enabled on the machine
	Detected Vision One Service Gateway (With Forward Proxy feature enabled)	Detects if local registry has record for Trend Vision One Service Gateway (with Forward Proxy feature enabled)
Trend Vision One agent Precheck	Operating system	Checks if the OS version of the machine is supported (2 CPU/512MB MEM/ 3GB Disk)
	SHA-2 code signing support	Checks if the required Microsoft KBs are applied on the current machine Windows 7 and Windows 2008 R2 must have the SHA2 KB installed (Microsoft KB 4474419 and KB 4490628).
	Hardware	Checks if the CPU and memory on this machine meet the requirements to enable Endpoint Sensor
	TLS protocol	Checks if the required protocols meet the requirements to enable Endpoint Sensor
	System certificates	Check if the required certificates meet the requirements to enable Endpoint Sensor Root Certificate: Entrust Root Certification Authority - G2 DigiCert Assured ID Root CA DigiCert Trusted Root G4 USERTrust RSA Certification Authority Intermediate certificate: Entrust Certification Authority - L1K
	Device time	Checks if the date/time on the machine meets the requirements to enable Endpoint Sensor
	Endpoint Basecamp Service Connectivity	Tests if the network connection from the machine to the XBC backend server is available
	Log Receiver Service Connectivity	Tests if the network connection from the machine to the XLog Receiver server is available
	Endpoint Inventory Service Connectivity	Tests if the network connection from the machine to the XDR Endpoint Inventory backend server is available
	Endpoint Basecamp Support Connector Service Connectivity	Tests if the network connection from the machine to the Support Connector backend server is available
Cloud One Agent Precheck	Operating system	Checks if the OS version of the machine is supported
	Hardware	Checks if the CPU and memory on the machine meet the requirements to install DSA RAM 2GB is required Disk 1GB is required CPU 2 is required
	ACS support	Checks if the OS can meet Azure Code Signing requirement.
	Cloud One Server Connectivity	Tests if the network connection from the machine to the Cloud One server is available
	System certificates	Check if the required certificates meet the requirements (Refer to KB article, Updating the VeriSign, DigiCert, USERTrust RSA certificate on Deep Security and Cloud One - Workload Security)

Checkpoint list of Server & Workload Protection (Trend Vision One Endpoint Security) -PostCheck

Name		Description
Endpoint Basecamp Postcheck	XBC: XBC is detected or not.		Detects if any XBC components exist in the endpoint
	Registry: xdr_device_id		Registry: xdr_device_id
	Detected Trend Vision One Service Gateway (with Forward Proxy feature enabled)		Detects if local registry has record for Trend Vision One Service Gateway (w Forward Proxy feature enabled)
	Service: Trend Micro Endpoint Basecamp		Checks if XBC service is installed
	Service: Trend Micro Cloud Endpoint Telemetry Service		Checks if XBC service is installed
	Process: endpointbasecamp.exe (Trend Micro Endpoint Basecamp)		Checks if XBC process is running
	Process: CETASvc.exe (Trend Micro Cloud Endpoint Telemetry Service)		Checks if XBC process is running
	File: EndpointBasecamp.exe		Checks if XBC executable file exists, if yes, show its file version, which indicates the XBC build version
	File: CETASvc.exe		Checks if XBC executable file exists, if yes, show its file version
	File: WSCommunicator.exe		Checks if XBC executable file exists, if yes, show its file version
	Scheduled Task: Trend Micro Endpoint Basecamp		Checks if XBC scheduled task exists and if the status of the task is normal
Endpoint Sensor Postcheck	XES:XES is not detected.		Detects if any XES components exist in the endpoint
	Cloud Endpoint Service	Service: Cloud Endpoint Service	Checks if XES service is installed
		Process: CloudEndpointService.exe	Checks if XES cloud endpoint process is running
		File: CloudEndpointService.exe	Checks if XES cloud endpoint executable file exists, if yes, show its file version, which indicates the XES build version
	Cloud Endpoint Service	Service: Trend Micro Response Service	Checks if XES response service is installed
		Process: ResponseService.exe	Checks if XES response service process is running
		File: ResponseService.exe	Checks if XES response service executable file exists, if yes, show its file version
	XDR Endpoint Sensor	Driver: Trend Micro LWE Driver	Checks if the LWE driver is running
	Vulnerability Detection	Vulnerability Detection	Checks if DVASSTool is installed
Server & Workload Protection Agent Postcheck	DSA: DSA is (not) detected		Checks if DSA software is installed
	DSA version		Detects current installed DSA version
	DSA service status: DSA service is (not) running		Checks if DSA service is running
	Module status	AMSP (Windows anti-malware) feature status: ON/OFF	Checks if AMSP is ON/OFF status (Only support DSA-20.0.3445+)
	Module status	ACM (Activity Monitoring) feature status: ON/OFF	Checks if ACM is ON/OFF status (Only support DSA-20.0.3445+)
	Self-Protection status: ON/OFF		Checks if Self-Protection is enabled or disabled

Keywords: GUI,CMD,2021,new wersion,debug log collection,download tool,user guide,updated tool,log collection tool

Trend Micro Deep Security Agent Support Tool

Product / Version includes:

Deep SecurityAll

Last updated: 2024/10/14

Solution ID: KA-0012444

Category: Configure , Update

Summary

This article will guide you on how to use the Trend Micro Deep Security Agent Support Tool to collect debug logs of the Deep Security Agent (DSA). This is applicable only for Windows OS. For Linux, you may refer to this KB article .

To download the DSA Support Tool, log in to Trend Micro Business Support Portal and navigate to the Diagnostic Tools tab.

Trend Micro Deep Security Agent Support Tool GUI Version

Please run the Trend Micro Deep Security Agent Support Tool for GUI Version with administrator permission.

It is recommended to use the current tool version which has the latest build.
Please note the validity of the version, which will be updated regularly in Solution Center. If it has expired, the UI will display:
"This version of the program is Expired. Please request for newer version."

EXPAND ALL

Data Collection for DSA tab

In this tab, you can view the current DSA status by checking on the UI.

Software: Indicates whether DSA is installed on this computer
Version: Indicates current DSA version number
Services Status: If DSA is installed, this indicates whether the DSA service status is on or off.
Debug Mode: Indicates whether log debug level is enabled
Self-Protection: Indicates whether self-protection is disabled (Some module debug cannot be enabled provided that self-protection is enabled.)
You may also press Other Item button to check the specific module feature status.
For "Debug Items", to enable AMSP debug level is by default. You can also choose more options if necessary.
Then, Enable Debug logging"/"disable Debug logging can be used to control the debug status.
Press button Collect Data to generate a diagnostic package.

After the collection, there will be 3 files/folder under the same path as this tool:

A ZIP file named like "DSTool-PRODUCT-20211014-112342-[WIN-K2EK8NG8KJF].zip". This is the collection package, including diagnostic package and other necessary information.
A TXT file named like "DSTool-PRODUCT-20211014-112342-[WIN-K2EK8NG8KJF].txt". It contains a SHA256 value, which should match above ZIP file.
A "logs" folder. A folder that stores temp files and tool log(temp files will be removed when finishing the collection).

As best practice, the steps of log collection are:

Enable Debug log.
Reproduce the issue.
Disable Debug log.
Collect Data.

Performance Collection For DSA tab

There are two parts for DSA performance collection. On the left side of this UI is Process Monitor log collection. On the right side of this UI is Windows Performance Recorder log collection.

You may choose automatic collection with a timer(suggested) or manually start/stop the collection.

Process Monitor
For the reason that Microsoft does not allow third-party software to integrate Process Monitor directly, you need to download or select existing Process Monitor manually.
- Use "Download Process Monitor" button to download.
  If the environment can connect to Internet, press Download Process Monitor to download the software. The default downloaded path is the same as the tool path.
  
  After downloading, the tool points to this "Process Monitor" path by default. You can start "Process Monitor" logs collection.
- Select an existing "Process Monitor".
  You can also select an existing "Process Monitor" via "Change Path" option. Then import "Process Monitor" from the specified path.
  
  Whichever method, the tool will judge the signature of the specified "Process Monitor" software. Once passing the verification, tool will run "Process Monitor" in backend according to user's options.
- Change altitude of Process Monitor
  In cases where Process Monitor needs to have higher altitude to collect logs, you may check this option. Please refer to the Microsoft Tech Community article: Change Altitude of Process Monitor (ProcMon).
You may encounter the following error:

"Unable to load Process Monitor device driver."

This error may be the result of an older Windows version not being able to support SHA256.

It is recommended to update Windows as the new version of Process Monitor only supports SHA256.

For further information, refer to this Microsoft article, 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

To lessen the events that Process Monitor collects, a local process monitor configuration will be loaded if the file exists in the same path as the tool. The size of the log file will be smaller. To use the Process Monitor:
1. Create a filter for events that are only needed to be monitored.
2. Enable the option “Drop Filtered Events”.
3. In the File menu, choose “Export Configuration..”, and save the file as “ProcmonConfiguration.pmc”.
4. Copy the configuration file to the same folder of the tool and start the process monitoring.
This setting is useful for issues where "file access violation" is not always reproducible and occurs in random.
Windows Performance Recorder
You can check/uncheck corresponding checkbox to choose the option. The tool will run according to the checked option at backend to collect WPR logs.

If there is no WPR being detected as installed in environment, the tool will alert and give a link to guide user to install WPR software.
Automatically compress performance logs
After performance log collection, there will be a performance folder under the same path as tool, which stores original performance logs. At this moment, when user wants to quit the tool, it will pop up (as shown below). You may choose to compress or not compress the original performance log files.
Finally, the tool will help generate a ZIP file and delete original "performance" folder.

Top-N List tab

The data on this tab resets when AMSP service restarts.

Network Analysis

There are two main features under Network Analysis: Network Packet Capture and Network Check. These features help users collect and check network related problems.

Background
The tool needs to use a driver to catch network packets. There are two options: WinPCAP and NPCAP. Both cannot coexist.

WinPCAP's advantage is that the tool can help install/uninstall WinPCAP automatically during the collection running time. Although its disadvantage is its poor compatibility as the version is old and not have been updated.

on the other hand, NPCAP has better compatibility, and is updated on a regular basis. Its disadvantage is that it has to be installed manually first, then use tool to catch network packets.

Mechanism

As NPCAP and WinPCAP are enforced to not coexist.
- If tool detects that NPCAP or WinPCAP driver has been installed in environment, tool will call corresponding driver directly.
- If tool detects that neither NPCAP nor WinPCAP driver has been installed in environment, tool will help install and uninstall WinPCAP automatically itself.
Below is an example:
- If you have already installed Wireshark software in your environment (We have known that new version of Wireshark uses NPCAP while the old version uses WinPCAP), our tool will use the existing NPCAP/WinPCAP driver.
- If it is a clear environment, the tool will help install/uninstall the driver. (An alert will be given, as installing a driver is a sensitive procedure.)
Network Packet Capture
You may use a timer or manually start/stop to catch network packets for all computer NICs in "Network Packet Capture" section. The collection logs are printed to indicate the collection status.
Network Check
You can specify the URL or leave it as blank (DSM/C1WS URL by default). After clicking Check, the tool will try to verify the network connection status between DSA client and target URL(DSM/C1WS). Verification results can be checked from the UI.
Automatic compression of network logs
This feature is the same as in Chapter 1.2.3, when collecting network packets and do the check, the original network related logs in folder "Network", tool can help compress the collected network related logs into ZIP file.

Environment Check

Check and Fix

Server & Workload Protection (Trend Vision One Endpoint Security) Pre-check

This feature can help users perform a pre-check on their endpoints, and see if the endpoint can meet Server & Workload Protection environment requirements.

Navigate to Environment Check > Check and Fix > Server & Workload Protection (V1ES) -PreCheck, then press Start.

Fill in the information.
- Proxy information
  If your endpoint does not need a service gateway nor a customized proxy server to connect to the Internet (Trend Vision One backend server), do not check and fill in any proxy information.
  If your endpoint needs a service gateway to connect to Internet (Trend Vision One backend server), fill in the service gateway FQDN or IP (default port is 8080). Also fill in the service gateway API value.
  Tip 1: You can get SG API key from the Trend Vision One portal under Workflow and Automation > Service Gateway Management > Manage API Key.
  
  Tip 2: If your XBC agent has reported to Trend Vision One, you can identify from the check result (basic information) the registered Service Gateway (FPS enabled) for XBC.
  
  If your endpoint needs a customized proxy server to connect to Internet (Trend Vision One backend server), input the proxy FQDN/IP and port. Username and password are optional.
- Region
  Some users' Trend Vision One endpoints and Server & Workload Protection agents do not belong to the same region. For this, user needs to choose correct region information separately.
After setting the correct information, press Start. After a few minutes, you can check the returned results.

If some check points failed to pass the test, you will get alert from the UI.

Refer to the appendix for more check points details.

Server & Workload Protection (Trend Vision One Endpoint Security) Post-check

This feature can help users perform post-check on their endpoints to verify the current module status of the endpoint.

Navigate to Environment Check > Check and Fix >Server & Workload Protection (V1ES) - PostCheck, and press Start.

Refer to the appendix for more check points details.

Troubleshooting UMH

When current UMH is enabled, the green part can be seen with "Running" status. You may choose the option to disable UMH, as seen below.

When the action is done, you can see the UMH service has been disabled, while AMSP is still running.
When current UMH is disabled, the red part will show "Stopped" status. You may choose to enable UMH.

When the action is done, user can see the UMH service has been enabled, and both AMSP and UMH are running.
For security concerns, if you exit the tool and leave UMH disabled status, it will give an alert.

If you prefer to use the CMD version tool, use following parameters.

Scenario	Parameters
To enable TMUMH	"Check and Fix": {"Troubleshoot UMH": {"enableCheck":1, "enableFix": 1}}
To disable TMUMH	"Check and Fix": {"Troubleshoot UMH": {"enableCheck":1, "enableFix": 0}}
Not use this feature	"Check and Fix": {"Troubleshoot UMH": {"enableCheck":0, "enableFix": 0}}

For more details, please refer to Chapter: Trend Micro Deep Security Agent Support Tool for CMD Version.

MS Azure Code Signing Check

Scenario 1: OS version passed the test
Scenario 2: OS version failed to pass the test

Anti-Malware Test - Eicar

This is a built-in check script. The user can verify if the anti-malware realtime-scan feature has worked normally on the agent side.

When starting this feature, the user needs to choose a specific local path. This is supposed to be monitored by DSA realtime-scan policy(CMD version uses "C:\temp\" by default).

Tool will extract eicar.com file to the path and take action.

Please make sure that the chosen path is not in the exclusion list and that the anti-malware realtime-scan is enabled for the correct action.

Refer to the following text examples:

> Scenario 1: No Detection

[Cleanup] Remove the test file C:\Users\Administrator\Desktop\EICAR.com.

2022-09-26 13:52:37 Done executing [AntiMalware Test - Eicar].
2022-09-26 13:52:37 Finish Executing all the chosen function(s).

> Scenario 2: Set detection on WRITE

2022-09-26 14:02:19 Starts Executing [AntiMalware Test - Eicar].
2022-09-26 14:02:19 Detail: Performing Anti Malware test using Eicar test file by writing/reading EICAR.COM at local path.
2022-09-26 14:02:19 Waiting for input value of path to write/read EICAR.com . . .
[Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task.
2022-09-26 14:02:22 Creating scheduled task . . .
2022-09-26 14:02:22 Successfully created a scheduled task named [EicarTestDSA]
2022-09-26 14:02:22 Modifying the scheduled task to run even in battery power mode . . .
2022-09-26 14:02:22 Successfully modify the scheduled task [EicarTestDSA]
2022-09-26 14:02:22 Running the scheduled task . . .
2022-09-26 14:02:23 Successfully run the scheduled task [EicarTestDSA]
2022-09-26 14:02:23 Delete the scheduled task.

[Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation.
2022-09-26 14:02:33 ---> Cannot find C:\Users\Administrator\Desktop\EICAR.com, the AntiMalware might have removed it. Please check the AntiMalware log.

2022-09-26 14:02:33 Done executing [AntiMalware Test - Eicar].
2022-09-26 14:02:33 Finish Executing all the chosen function(s).

> Scenario 3: Set detection on READ

2022-09-26 14:11:14 Done executing [AntiMalware Test - Eicar].
2022-09-26 14:11:14 Finish Executing all the chosen function(s).

Inspect CA Certificates

How to Import Certificates in Batches

Refer to the following "DSTool.json" example:

{
"Log Collection": {
    "enableAMSP": 0,
    "enableUMH": 0,
    "enableEYES": 0,
    "enableAEGIS": 0,
    "timerInSecondDebug": 30,
    "disableDebugAfterTimer": 1,
    "enableLogCollection": 0
},
............

"Check and Fix": {
    "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0},
    "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0}
},

............

"Tool": {
    "PressKeyToEnd": 0
}
}

Please refer to the chapter, Trend Micro Deep Security Agent Support Tool for CMD Version, for more configuration details.

Anti-Malware Status Analysis

This is a built-in check script. When there are errors occurring on DSA that are related to Anti-Malware feature offline, this can help analyze the possible root cause quickly.

Customized script for checking issues

Write a customized python script.
Write a python script according to the specific scenario. For instructions on how to write a script in detail, please refer to the Appendix: How to write a Support Cases Script. Trend Micro welcomes anyone to provide more useful scripts for common issues.
Choose whether to enable script integrity check and sign the script.
For safety reasons, by default, the tool has an integrity check of the script before running it. Tool only loads script that is from a signed ZIP file. The integrity check can prevent scripts from being maliciously tampered with or exploited. User can contact allofcncorerd@dl.trendmicro.com to sign the script. Trend Micro will sign from SampleCase.py to SignedSampleCase.zip. Afterwards, SignedSampleCase.zip can be used with our tool. User can also disable the integrity check by registry key to use original python file script without integrity check.
To disable, create a key "SOFTWARE\TrendMicro\DSASupportTool" with value "disableMaliciousScriptCheck" as "DWORD" data.
- Data of "1", means disable integrity check.
- Data of "0" or registry key doesn't exist, means integrity check will be enabled upon running the tool.
Put python file or signed ZIP file in the environment.
If tool is located at C:\Users\Administrator\Desktop\DSASupportTool_GUI.exe, the python file should be at C:\Users\Administrator\Desktop\SupportCases\DSA\SampleCase.py
The signed ZIP file should be at C:\Users\Administrator\Desktop\SupportCases\SignedSampleCase.zip or C:\Users\Administrator\Desktop\SupportCases\DSA\SignedSampleCase.zip. Either of the two can be used.
Run the script
After restarting tool, there will be a new option for user to choose.
You may press the button on UI to run the script.

Deep Security Agent Modules CPU Utilization
Agent Modules CPU Utilization allows user to monitor the CPU utilization of DSA modules (only supports DSA later than 20.0.0-3445). When there are performance issues, the problem can be located faster, which is the targeted DS modules. This allows back-end team to narrow down the issue accurately.

This tool uses "sendCommand.cmd --get Metrics" to get original data and filters "ThreadInfo" field in backend and displays the real time data with bar chart.

In the future, more metrics will be added to help users monitor the performance usage of DSA components.

Monitoring for too long may increase and accumulate memory usage. It is recommended to perform monitoring not more than 5 hours. This is a limitation as the tool must constantly refresh data in the background

DSA Metrics

DSA Metrics is a type of data that provides details on how DSA works. The data is stored in local path as a file with json format.

DSA Metrics can be generated by DSA. More precise interval can be used to manually generate and collect data. I will be helpful to troubleshot an issue with detailed metrics data.

This feature is introduced here:

Importing metrics

For importing metrics, the data source should be the file:

C:\ProgramData\Trend Micro\Deep Security Agent\metrics\537bc5e5-4e35-9d89-b209-402a17b0583c.json (generated by DSA)
C:\Users\Administrator\Desktop\DSA_Metrics\20220517-195214\195619_jsonRecords.json (generated by tool)
Select the matched time zone on UI then import the correct metrics file. The tool will display the data on a chart.

This feature can be used to display the below data from the collected metrics:

Count of real-time-scan newly scanned file(s) every iteration
Virtual Memory Reserved (MB) of the anti-malware module
CPU utilization (%) of the anti-malware module

Metrics collection

A user can use the tool to do the collection with shorter interval, set the timer to start the metrics collection, and also stop manually during the collection.

The default password of ZIP file is trend.

Trend Micro Deep Security Agent Support Tool CMD Version

Please run the Trend Micro Deep Security Agent Support Tool for CMD Version with administrator permission.

Administrator: Command Prompt

Run the program via command line. The progress will last several minutes, and you should be able to get the diagnostic package

User needs to configure "DSTool.json" first according to requirements. Without "DSTool.json", the tool will only take log collection action by default.

Example of "DSTool.json"

{
    "Log Collection": {
        "enableAMSP": 1,
        "enableUMH": 0,
        "enableEYES": 0,
        "enableAEGIS": 0,
        "timerInSecondDebug": 30,
        "disableDebugAfterTimer": 1,
        "enableLogCollection": 1
    },
    "Process Monitor": {
        "enableProcMon": 0,
        "enableChangeAltitude": 0,
        "timerInSecondProcMon": 10
    },
    "WPR": {
        "enableWPR": 0,
        "timerInSecondWPR":10,
        "optionsWPR": "-start CPU -start DiskIO  -start FileIO -start Registry -start Network  -start Heap -start Pool -start VirtualAllocation -start Handle -start Minifilter"
    },
    "Network Packet Capture": {
        "enableNetPCap": 0,
        "timerInSecondNetPCap": 10
    },
    "Network Check": {
        "enableNetCheck": 0,
        "URL2NetCheck": ""
    },

    "Check and Fix": {
        "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0},
        "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0},
 "AntiMalware Test - Eicar": {"enableCheck": 0, "enableFix": 0}
"MS Azure Code Signing Check": {"enableCheck": 0, "enableFix": 0}  content
    },

    "Metrics": {
        "collectMetrics": 0,
        "MetricsIntervalInSecond": 5,
        "MetricsDurationInSecond": 300
    },

    "Tool": {
        "PressKeyToEnd": 1,

        "enableFeedback": 1
    }
}

Explanation (1: Yes ; 0: No):

"enableAMSP": 1        Whether enable AMSP debug
"enableUMH": 0        Whether enable UMH debug
"enableEYES": 0        Whether enable EYES debug
"enableAEGIS": 0        Whether enable AEGIS debug
"timerInSecondDebug": 30        The duration of enabling debug, units as seconds
"disableDebugAfterTimer": 1        Whether disable debug after enabling debug (not recommend to modify it)
"enableLogCollection": 1        Whether collect logs after enable/disable debug (not recommend to modify it)



## Due to Microsoft policy limitation, tool cannot integrate with Process Monitor, directly. User must put Process Monitor software to the same path as this tool, manually. Otherwise, this collection will be skipped.

## Process Monitor downloaded link: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

"enableProcMon": 0        Whether enable using Process Monitor to collect performance logs
"enableChangeAltitude": 0        Whether enable high priority of Process Monitor
"timerInSecondProcMon": 10        The duration of enabling Process Monitor, units as seconds



"enableWPR": 0        Whether enable using WPR to collect performance logs
"timerInSecondWPR":10        The duration of enabling WPR, units as seconds
"optionsWPR": "-start CPU -start DiskIO -start FileIO -start Registry -start Network -start Heap -start Pool -start VirtualAllocation -start Handle -start Minifilter"

The backend command that is used to run WPR (not recommend to modify if not familiar with the WPR command)



"enableNetPCap": 0         Whether enable Network Packets Capture
"timerInSecondNetPCap": 10        The duration of enabling Network Packets Capture, units as seconds

"enableNetCheck": 0        Whether enable Network Check
"URL2NetCheck":""        The target URL that need to be checked(empty double quotes means detect the DSM URL)



 "Inspect CA certificates": {"enableCheck": 0, "enableFix": 0}    Whether run "Inspect CA certificates" feature to check environment and whether take action  if finding lacking of CA certificates. The two configurations are based on the specific customized scripts
 "AntiMalware Status Analysis": {"enableCheck": 1, "enableFix": 0}     Whether run "AntiMalware Status Analysis" feature to return checking result.  Currently, "enableFix" is an invalid parameter as this feature has no action to be done.
"AntiMalware Test - Eicar": {"enableCheck": 0, "enableFix": 0}    Whether run "AntiMalware Test - Eicar" feature to return checking result.  Currently, "enableFix" is an invalid parameter as this feature has no action to be done.
"MS Azure Code Signing Check": {"enableCheck": 0, "enableFix": 0}  content


"collectMetrics": 0         Whether enable to collect Metrics data
"MetricsIntervalInSecond": 5        The interval of collecting Metrics data, units as seconds
"MetricsDurationInSecond": 300       The duration of collecting Metrics data, units as seconds



"PressKeyToEnd": 1        Whether ask "key press" to end the program in command console

"enableFeedback": 1        Whether allow tool collects and transfers usage feedback data

Appendix

About collecting usage feedback data

When enabling this feature, the following data will be collected and transferred to backed through Google Analytics(www.google-analytics.com):

Data Collected	Description	Example
AgentGuid	Identification number	"AgentGuid:": "42001A42-0C16-67BC-7B0E-FA099177EB00"
ToolVersion	The version of the tool being used	"ToolVersion": "GUI-1.0.0.1155" or "ToolVersion": "CMD-1.0.0.1155"
DSAversion	The version of the DSA being used	"DSAversion": "20.0.1123"
OS version	The version of the OS being used	"OS": "Windows 10.567 AMD64"

Console Location	Data Collected	Example
Data Collection for DSA > Enable Debug Logging	When clicking "Enable Debug Logging" button, the customized debug status will be collected.	{"DebugItems":{"Anti Malware Features":1,"AMSP":1,"EYES":0,"UMH":0,"AEGIS":0}}
Data Collection for DSA > Collect Data Start	When clicking "Collect Data" button, the action data will be collected.	{"CollectData": {"CollectData": "True"}}
Data Collection for DSA > Collect Data Cancel	When clicking "Cancel" button, the action data will be collected.	{"CollectData": {"CollectData": "False"}}
Data Collection for DSA > Other Items	When clicking "Other Items" button, DSA module status will be collected.	{"OtherItems":{"Relay":0,"AM":1,"WRS":1,"Sensor":0,"AC":0,"IM":1,"LI":0,"FW":0,"IP":0,"CCTRL":0,"SAP":0,"iCAP":0,"DC":0}
Data Collection for DSA > Module Debug Status	When clicking "Module Debug Status" button, Debug status will be collected.	{"ModuleDebugStatus":{"AMSP":"ON", "EYES":"OFF", "UMH":"OFF", "AEGIS":"OFF}}
Performance Collection for DSA > Process Monitor> Process Monitor Altitude	When checking/unchecking "change altitude of process monitor" checkbox, this behavior will be collected.	{"ProcessMonitor": {"ProcessMonitorEnableHighAltitude": "False"}
Performance Collection for DSA > Windows Performance Recorder > WPR Option/start	When clicking "start" button in "windows performance recorder" section, the WPR parameters being used will be collected.	{"WPR": {"Option": "-start CPU -start DiskIO -start FileIO -start Registry -start Network"}}
Network Analysis > Network packet Capture > start	When clicking "start" button in "network packet capture" section, whether using WinPcap is collected.	{"NetworkCapture": {"WinPcap": "True"}}
Network Analysis > Network Check >check	When clicking "check" button in "network check" section, whether using WinPcap and target URL are collected.	{"NetworkCheck": {"WinPcap": "True", "URL":"https://192.168.38.116:4120"}}
Environment Check > Check and Fix > start	When clicking "start" button in "Check and Fix" section, which checking script being used is collected.	{"CheckAndFix": {"Inspect CA certificates": "True", "Sample case": "False", "Antimalware Status analysis": "False", "Eicar Test": "False"}}
Environment Check > CPU Utilization > start monitoring	When clicking "start monitoring" button in CPU Utilization section, whether using CPU Utilization is collected.	{"CPUUtilization": {"Start Monitoring": "True"}}
Top N list > start monitoring	When clicking "start monitoring" button in Top N list tab, whether using Top N list is collected.	{"TopN": {"Start Monitoring": "True"}}
DSA Metrics > Import Metrics > Import Metrics and Display to a Chart	When clicking "Import Metrics and Display to a Chart" button in DSA Metrics tab, time zone will be collected.	{"ImportMetrics": {"Timezone": "+0800"}}
DSA Metrics >Metrics Collection > start	When clicking "start" button in DSA Metrics tab, duration and interval of the collection will be collected.	{"MetricsCollection": {"Duration": "5", "Interval": "3"}}
DSA Metrics >Metrics Collection > Display Collected Metrics to a Chart	When clicking "Display Collected Metrics to a Chart" button in DSA Metrics tab, whether using Display Collected Metrics to a Chart will be collected.	{"DisplayCollectedMetricsToAChart": {"DisplayCollectedMetricsToAChart": "True"}}

The certificate list that the tool checks:

Subject CN	Thumbprint
DigiCert Assured ID Root CA	0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
DigiCert Global Root CA	A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
DigiCert Global Root G2	DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
DigiCert High Assurance EV Root CA	5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
DigiCert Trusted Root G4	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
Microsoft Root Certificate Authority 2010	3B1EFD3A66EA28B16697394703A72CA340A05BD5
Microsoft Root Certificate Authority 2011	8F43288AD272F3103B6FB1428485EA3014C0BCFE
Microsoft Root Certificate Authority	CDD4EEAE6000AC7F40C3802C171E30148030C072
Thawte Timestamping CA	BE36A4562FB2EE05DBB3D32323ADF445084ED656
USERTrust RSA Certification Authority	2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
VeriSign Class 3 Public Primary Certification Authority - G5	4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
VeriSign Universal Root Certification Authority	3679CA35668772304D30A5FB873B0FA77BB70D54
Microsoft Indentity Verification Root Certificate Authority 2020	F40042E2E5F7E8EF8189FED15519AECE42C3BFA2

How to write a Support Cases Script

Below is a sample UI.

Below is a sample code. (Italicized lines can be replaced with your own customized codes)

import sys
import os

from basecase import BaseCase
from Utils.tmlog import TmLog

logger = TmLog.getLogger("DSA_SupportTool")

class SampleCase(BaseCase):

    def __init__(self):
        try:
            super().__init__()
            self.name = "Sample Case"
            self.detail = "Detail: This sample case will pop a question box."
        except Exception as err:
            logger.exception(str(err))

    def __del__(self):
        try:
            pass    
        except Exception as err:
            logger.exception(str(err))
    
    def run(self):
        try:
            #Pop-up a question box. Return value is True or False
            respond = self.askConfirmation("The is sample message.\n" +
                                               "Do you want to continue?")
            
            #Display a message on the tool's UI
            self.displayMessage("You say %s" %(str(respond)))

            #Display a message on the tool's UI with clickable link
            self.displayMessage("%s" % ("https://developer.microsoft.com/en-us/windows/downloads/sdk-archive","Click here to download Windows 8.1 SDK."))
            
            #Write a line to DSA_SupportTool.log log file
            logger.info("Done running")
            return
        except Exception as err:
            logger.error(str(err))
            return

Below is the list of libs that are included. You can choose to import in your customized script.

import cchardet
import codecs
import configparser
import copy
import ctypes
import datetime
import hashlib
import importlib
import inspect
import json
import logging
import mmap
import multiprocessing
import os
import pefile
import platform
import psutil
import pythoncom
import re
import requests
import shutil
import socket
import subprocess
import sys
import telnetlib
import tempfile
import threading
import time
import urllib
import webbrowser
import win32con
import win32event
import win32evtlog
import win32evtlogutil
import winerror
import winreg
import wmi
import xml.etree.ElementTree
import zipfile

Checkpoint list of Server & Workload Protection (Trend Vision One Endpoint Security) -PreCheck

Name		Description
Basic Information	Operating system	Displays OS version of the machine.
	Hardware	Displays the CPU, memory and free disk size of the machine
	Trend Micro Endpoint Protection	Detects whether DSA/XBC/Apex One agent has existed
	Proxy server	Checks if system proxy has been enabled on the machine
	Detected Vision One Service Gateway (With Forward Proxy feature enabled)	Detects if local registry has record for Trend Vision One Service Gateway (with Forward Proxy feature enabled)
Trend Vision One agent Precheck	Operating system	Checks if the OS version of the machine is supported (2 CPU/512MB MEM/ 3GB Disk)
	SHA-2 code signing support	Checks if the required Microsoft KBs are applied on the current machine Windows 7 and Windows 2008 R2 must have the SHA2 KB installed (Microsoft KB 4474419 and KB 4490628).
	Hardware	Checks if the CPU and memory on this machine meet the requirements to enable Endpoint Sensor
	TLS protocol	Checks if the required protocols meet the requirements to enable Endpoint Sensor
	System certificates	Check if the required certificates meet the requirements to enable Endpoint Sensor Root Certificate: Entrust Root Certification Authority - G2 DigiCert Assured ID Root CA DigiCert Trusted Root G4 USERTrust RSA Certification Authority Intermediate certificate: Entrust Certification Authority - L1K
	Device time	Checks if the date/time on the machine meets the requirements to enable Endpoint Sensor
	Endpoint Basecamp Service Connectivity	Tests if the network connection from the machine to the XBC backend server is available
	Log Receiver Service Connectivity	Tests if the network connection from the machine to the XLog Receiver server is available
	Endpoint Inventory Service Connectivity	Tests if the network connection from the machine to the XDR Endpoint Inventory backend server is available
	Endpoint Basecamp Support Connector Service Connectivity	Tests if the network connection from the machine to the Support Connector backend server is available
Cloud One Agent Precheck	Operating system	Checks if the OS version of the machine is supported
	Hardware	Checks if the CPU and memory on the machine meet the requirements to install DSA RAM 2GB is required Disk 1GB is required CPU 2 is required
	ACS support	Checks if the OS can meet Azure Code Signing requirement.
	Cloud One Server Connectivity	Tests if the network connection from the machine to the Cloud One server is available
	System certificates	Check if the required certificates meet the requirements (Refer to KB article, Updating the VeriSign, DigiCert, USERTrust RSA certificate on Deep Security and Cloud One - Workload Security)

Checkpoint list of Server & Workload Protection (Trend Vision One Endpoint Security) -PostCheck

Name		Description
Endpoint Basecamp Postcheck	XBC: XBC is detected or not.		Detects if any XBC components exist in the endpoint
	Registry: xdr_device_id		Registry: xdr_device_id
	Detected Trend Vision One Service Gateway (with Forward Proxy feature enabled)		Detects if local registry has record for Trend Vision One Service Gateway (w Forward Proxy feature enabled)
	Service: Trend Micro Endpoint Basecamp		Checks if XBC service is installed
	Service: Trend Micro Cloud Endpoint Telemetry Service		Checks if XBC service is installed
	Process: endpointbasecamp.exe (Trend Micro Endpoint Basecamp)		Checks if XBC process is running
	Process: CETASvc.exe (Trend Micro Cloud Endpoint Telemetry Service)		Checks if XBC process is running
	File: EndpointBasecamp.exe		Checks if XBC executable file exists, if yes, show its file version, which indicates the XBC build version
	File: CETASvc.exe		Checks if XBC executable file exists, if yes, show its file version
	File: WSCommunicator.exe		Checks if XBC executable file exists, if yes, show its file version
	Scheduled Task: Trend Micro Endpoint Basecamp		Checks if XBC scheduled task exists and if the status of the task is normal
Endpoint Sensor Postcheck	XES:XES is not detected.		Detects if any XES components exist in the endpoint
	Cloud Endpoint Service	Service: Cloud Endpoint Service	Checks if XES service is installed
		Process: CloudEndpointService.exe	Checks if XES cloud endpoint process is running
		File: CloudEndpointService.exe	Checks if XES cloud endpoint executable file exists, if yes, show its file version, which indicates the XES build version
	Cloud Endpoint Service	Service: Trend Micro Response Service	Checks if XES response service is installed
		Process: ResponseService.exe	Checks if XES response service process is running
		File: ResponseService.exe	Checks if XES response service executable file exists, if yes, show its file version
	XDR Endpoint Sensor	Driver: Trend Micro LWE Driver	Checks if the LWE driver is running
	Vulnerability Detection	Vulnerability Detection	Checks if DVASSTool is installed
Server & Workload Protection Agent Postcheck	DSA: DSA is (not) detected		Checks if DSA software is installed
	DSA version		Detects current installed DSA version
	DSA service status: DSA service is (not) running		Checks if DSA service is running
	Module status	AMSP (Windows anti-malware) feature status: ON/OFF	Checks if AMSP is ON/OFF status (Only support DSA-20.0.3445+)
	Module status	ACM (Activity Monitoring) feature status: ON/OFF	Checks if ACM is ON/OFF status (Only support DSA-20.0.3445+)
	Self-Protection status: ON/OFF		Checks if Self-Protection is enabled or disabled

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Trend Micro Deep Security Agent Support Tool

Data Collection for DSA tab

Performance Collection For DSA tab

Top-N List tab

Network Analysis

Environment Check

> Scenario 1: No Detection

> Scenario 2: Set detection on WRITE

> Scenario 3: Set detection on READ

DSA Metrics

Administrator: Command Prompt

Appendix

Trend Micro Deep Security Agent Support Tool

Product / Version includes:

Summary

Data Collection for DSA tab

Performance Collection For DSA tab

Top-N List tab

Network Analysis

Environment Check

> Scenario 1: No Detection

> Scenario 2: Set detection on WRITE

> Scenario 3: Set detection on READ

DSA Metrics

Administrator: Command Prompt

Appendix