RobBuxton
Enthusiast

Endpoint and Deep Security Alerts

Hi All,

Anyone out there using Trend Micro's Deep Security and want to compare notes?

I know I should post on the TM site, but it doesn't seem to get much traffic.

On a related note we have installed Deep Security and I've enabled Alerts.

The problem I'm getting is that whenever a VM gets vMotioned I get an alert that it's "cannot be updated" followed by a later alert that it's okay again.

I do have the DSVAs deployed to each host in the cluster and they're all okay.

I've activated the VMs and applied the Anti-Malware policy only at this point.

It just seems that when a VM moves there's enough of an interruption to trigger the alerts.

It's a pain on one of our clusters as vMotion activity is quite high.

Anyone seeing similar behaviour?

TIA, Rob.

0 Kudos
10 Replies
JonathanG
Enthusiast

Rob

Reduce the heartbeat setting

Default is 10 minutes

See attached screenshot

Jonathan

RobBuxton
Enthusiast

Jonathan,

I'm intrigued, I looked at that and thought 10 minutes would be ample time for a vMotion to be completed.

But you've said to reduce it.

I would have thought that reducing it would make it more sensitive to that kind of thing and not less.

I'm obviously missing something.

Happy to try it, any suggested value?

cheers,

Rob.

0 Kudos
JonathanG
Enthusiast

Rob

Number of minutes is how often the manager will check the virtual agent for information.

vMotion may well complete in less than 10 minutes, but the manager won't be updated until 10 minutes have passed, which is what you are seeing.

Jonathan

0 Kudos
JonathanG
Enthusiast

Also, do you have "event based" tasks in place for vMotion ...

"computer moved" - It allows you to ensure that a VM that is moved is assigned a profile

"computer created" - for a VM that is created perhaps from a template

See attached screenshot

RobBuxton
Enthusiast

No, I've not set those up as yet.

I've only rolled this into one of the smaller ESXi Clusters and so it was fairly easy to just manually configure things.

But I will certainly set those up soon so that they can be applied as we move forward.

Have you seen any issues where CPU usage increases when the Endpoint Drivers are installed?

They don't even need to be activated in DS for the increase to appear.

0 Kudos
JonathanG
Enthusiast

No, I have not seen CPU usage spike; perhaps someone from the endpoint team can answer.

0 Kudos
RobBuxton
Enthusiast

I've dropped the heartbeat from 10 to 2 minutes, but I still get TM DS alerts corresponding to the majority of the vMotion events.

It's not just one: you get critical alerts when it loses them and again when it finds them, and there seem to be two for each.

I'm getting Protection failed and Update Failed alerts.

I'm not sure the alerts are heartbeat driven, I've a feeling they could be derived from events.

I might try increasing the heartbeat interval to see if that has an impact.

0 Kudos
JonathanG
Enthusiast

What version are you running? Any hotfixes provided by Trend support?

Watch for Service Pack 3 coming end of June, which has vMotion fixes incorporated in hotfixes.

0 Kudos
RobBuxton
Enthusiast

We're running 7.5 SP2.

No Hotfixes have been proposed by TM Support as yet.

I'll keep an eye out for SP3 as that seems to be the main area that we're having issues with.

Many thanks,

Rob.

0 Kudos
marclainez
Contributor

Has this been resolved already? If still occurring, can you post a screenshot?

MacLab Online
0 Kudos