RobBuxton
Enthusiast
Enthusiast

Endpoint Anti-Malware not working

Hi All,

We're impementing Trend Micro's Deep Security.

The problem I'm having (and I've logged a call with TM) is that I cannot get the Anti_malware component to work.

So, if anyone has already been down this path I'm just trying to determine if what I see at the VMWare vShield EndPoint level matches what they see. Plus a query on one of the vShield docs.

The vShield 410U1 QuickStart has an "Important" note on pg 27 that states that by default when creating a VM that a SCSI Controller is not created. Now either I'm missing something here or that's wrong. I just created a test server accepting all defaults (except OS changes to W2K3) and it created a server with a SCSI Controller showing as an LSI Logic Parallel controller. So that leads to the first question, is there something that needs to be done to a standard server?

What I'm seeing is that from the vShield manager perspective the Endpoint has been deployed to the ESXi host.

So after drilling down to the server, under Summary it shows Endpoint 3.0.8-308978 has been installed. When you then go to the Endpoint Tab it shows "0" for all entries. Is that what others see?

I've installed the TM Deep Security Manager and deployed the TM Deep Security Appliance to an ESXi host. The TM deep Security Manager shows the ESXi host as "Prepared" , but Anti-Malware Ready as "No".

I've migrated guests to this prepared host, installed the VMWare ThinAgent, and the drivers seem to be there (using cmd driverquery), rebooted etc. but I cannot get the Anti-Malware to be recognised. The VMs show as Anti-Malware Not Capable.

Anyone been here, done that and done anything that triggered anything?

All SW the very latest except for vCenter - doesn't have U1 installed yet.

vCenter - 4.1.0

VMWare Thin Agents - 1.0.0-402356 - checked that the 64bit version was installed on the 64 bit server etc.

VMware vShield Manager - 4.1.0-310451

TM DS Mgr - 7.5.6323 x64

TM Filter Driver - 7.5.0-5435

TM Appliance - 7.5.0-5534 (7.5 SP2 versions)

ESXi - 4.1.0 Build 348481

Many Thanks,

Rob.

0 Kudos
8 Replies
JonathanG
Enthusiast
Enthusiast

Rob,

A few items to check:

1. Ensure DNS resolution between all components: ESX, Trendmicro Deep Security Manager, vshield manager; no firewalls blocking ports 4118/4119/4120.

2. SCSI controller is required, note Buslogic is not supported. See VMware Endpoint docs for more info

3. Login to vshield manager and endpoint status should show 100% green. Each VM with the thin agent installed should show up under endpoint status as "normal"

4. Use a SQLServer or Oracle database

5. Installation guide http://support.trendmicro.com.cn/TM-Product/Product/Deep%20Security/7.5_SP2/7.5_SP2_Documents/Deep%2...

0 Kudos
RobBuxton
Enthusiast
Enthusiast

Thanks for the response.

1 The host is ESXi, not ESX. There doesn't seem to be any options to enable ports 4118, 4119 or 4120 on the ESXi host, but I've not seen anything that suggests that. Otherwise no firewalls are involved. Not sure what firewall ports are on the vShield Manager as it's just an appliance and I can't see any commands to check that.

2 I understand a SCSI Controller is required, what confused me is the statement that they're not created by default, which I think they are. That's what's leading me to think I need something. There is a SCSI Controller on the servers that have the ThinAgent installed. It's an LSI not BusLogic.

3 That's the main thing I'm not seeing, there are no Hosts or VMs listed under the Endpoint Tab, all categories show zero.

Did you install vShield Zones? I was told that was not required for EndPoint, but it's placement in the Installation guide almost suggests it is a pre-requisite.

4. Yep - we have an external SQL Database.

5. Thanks, I've got the TM Guide.

0 Kudos
JonathanG
Enthusiast
Enthusiast

Zones is not required for Endpoint

Looks like the thin agent driver on the VM is not communicating with the Endpoint installed on ESx nor the DeepSecurity Virtual Appliance (DSVA).... Check all networking, do ping and telnet tests

From VM with thin agent

ping esx, vshield manager; telnet deep security manager on port 4120

from DeepSecurity Manager:

ping VM, vshield manager, telnet dsva on port 4118

Try the TM forums: http://community.trendmicro.com/t5/Business-Security-Forum/bd-p/businessprod

RobBuxton
Enthusiast
Enthusiast

Again, Thanks,

I can do most of the tests above, just not sure what kind of response I should see from the telnet commands.

Telnet to the DSM produces some unreadable text, Telnet to the DSVA seems to connect and then get dropped.

In both cases there seems to be a connection rather than getting denied.

I've been asked by support if I can ping the DSVA. I can't, from anywhere.

Thanks for the link to the TM Forum, I've joined that and found someone with the same issue.

But no solution was listed on the thread.

0 Kudos
JonathanG
Enthusiast
Enthusiast

dsva should not respond to ping, but to telnet on 4118; should show connected (usually cursor flashes in top left corner) and remain that way not drop.

0 Kudos
RobBuxton
Enthusiast
Enthusiast

Jonathan,

Thanks, just confirmed, that is the behaviour, I was being a bit quick on hitting a key to generate a response.

If I just telnet and leave it, it behaves as you've described.

Thanks for the feedback on ping. It does look as though the dsva is very restricted on what it will reply to.

That's not a criticism, just an observation, and it's probably a good thing.

cheers,

Rob.

0 Kudos
JonathanG
Enthusiast
Enthusiast

Rob

To investigate further via this forum is not really practical, I have provided several general troubleshooting guidelines which I hope have helped.

I suggest your local sales support or the general Trend support team

(4 months to the rugby world cup Smiley Happy !)

RobBuxton
Enthusiast
Enthusiast

Jonathan,

Finally resolved it, user error!

I was pointing the TM DS Manager back at itself and not to the Vmware vShield Manager.

I did a complete reinstall and then realised the earlier mistake.

All working now, just need to plan the roll out to live.

Thanks for you advice.

Rob.

0 Kudos