Hi All,
Anyone out there using Trend Micro's Deep Security and want to compare notes?
I know I should post on the TM site, but it doesn't seem to get much traffic.
On a related note we have installed Deep Security and I've enabled Alerts.
The problem I'm getting is that whenever a VM gets vMotioned I get an alert that it's "cannot be updated" followed by a later alert that it's okay again.
I do have the DSVAs deployed to each host in the cluster and they're all okay.
I've activated the VMs and applied the Anti-Malware policy only at this point.
It just seems that when a VM moves that there's enough of an interruption to trigger the alerts.
It's a pain on one of our clusters as vMotion activity is quite high.
Anyone seeing similar behaviour?
TIA, Rob.
Jonathan,
I'm intrigued, I looked at that and thought 10 minutes would be ample time for a vMotion to be completed.
But you've said to reduce it.
I would have thought that reducing it would make it more sensitive to that kind of thing and not less.
I'm obviously missing something.
Happy to try it, any suggested value?
cheers,
Rob.
Rob
Number of minutes is how often the manager will check the virtual agent for information
vMotion may well complete in less than 10 minutes, but the manager won't be updated until 10 minutes have past which is what you are seeing
Jonathan
No, I've not set those up as yet.
I've only rolled this into one of the smaller ESXi Clusters and so it was fairly easy to just manually configure things.
But I will certainly set those up soon so that they can be applied as we move forward.
Have you seen any issues where CPU usage incrases when the Enpoint Drivers are installed?
They don't even need to be activated in DS for the increase to appear.
no I have not seen cpu usage spike, perhaps someone from the endpoint team can answer..
I've dropped the heartbeat from 10 to 2 minutes, but I still get TM DS alerts corresponding to the majority of the vMotion events
It's not just one, you get critical alerts when it loses them and again when it finds them and there seem to be two for each.
I'm getting Protection failed and Update Failed alerts.
I'm not sure the alerts are heartbeat driven, I've a feeling they could be derived from events.
I might try increasing the heartbeat interval to see if that has an impact.
what version are you running - any hotfixes provided by Trend support ?
watch for Service Pack 3 coming end of June which has vmotion fixes incorporated in hotfixes
We're running 7.5 SP2.
No Hotfixes have been proposed by TM Support as yet.
I'll keep an eye out for SP3 as that seems to be the main area that we're having issues with.
Many thanks,
Rob.
Has this been resolved already? If still occuring can you post a screenshot?