Manage and run recommendation scans

Deep Security can run recommendation scans on computers to identify known vulnerabilities. The operation scans the operating system but also installed applications. Based on what is detected, Deep Security will recommend security rules that should be applied.

During a recommendation scan, Deep Security Agents scan:

  • the operating system
  • installed applications
  • the Windows registry
  • open ports
  • the directory listing
  • the file system
  • running processes and services
  • users
For large deployments, Trend Micro recommends managing recommendations at the policy level. That is, all computers that are to be scanned should already have a policy assigned to them. This way, you can make all your rule assignments from a single source (the policy) rather than having to manage individual rules on individual computers.

Recommendation scans can be initiated manually or you can create a scheduled task to periodically run scans on specified computers.

In this topic:

Recommendation scan limitations

On Linux, the recommendation scan engine might have trouble detecting applications that have been installed with kernel or software libraries not supported by the application being installed. Applications installed using standard package managers will not be a problem.

The Deep Security Virtual Appliance (not available for Deep Security as a Service) can perform agentless recommendation scans on virtual machines but only on Windows platforms and is limited to scanning:

  • the operating system
  • installed applications
  • the Windows registry
  • the file system

Manually run a recommendation scan

  1. In the Deep Security Manager, go to the Computers page.
  2. Select the computer or computers you want to scan.
  3. Right-click the selection and choose Actions > Scan for Recommendations.

Create a schedule to run a recommendation scan on a regular basis

  1. In the Deep Security Manager, go to the Administration > Scheduled Tasks page.
  2. Click New on the toolbar and select New Scheduled Task to display the New Scheduled Task wizard.
  3. Select Scan Computers for Recommendations from the Type menu and select how often you want the scan to occur. Click Next.
  4. The next page will let you be more specific about the scan frequency, depending on your choice in step 3. Make your selection and click Next.
  5. Now select which computer(s) will be scanned and click Next.
    For large deployments it's best to perform all actions through policies.
  6. Give a name to your new scheduled task, select whether or not to Run Task on 'Finish', click Finish.

Cancel a recommendation scan

You can cancel a recommendation scan before it starts running.

  1. In the Deep Security Manager, go to the Computers page.
  2. Select the computer or computers where you want to cancel the scans.
  3. Click Actions > Cancel Recommendation Scan.

Manage the recommendation scan results

Deep Security can be configured to automatically implement recommendation scan results when it is appropriate to do so. Not all recommendations can be implemented automatically. The exceptions are:

  • Rules that require configuration before they can be applied.
  • Rules that have been automatically assigned or unassigned based on a previous recommendation scan but which a user has overridden. For example, if Deep Security automatically assigns a rule and you subsequently unassign it, the rule will not get reassigned after the next recommendation scan.
  • Rules that have been assigned at a higher level in the policy hierarchy cannot be unassigned at a lower level. A rule assigned to a computer at the policy level must be unassigned at the policy level.
  • Rules that Trend Micro has issued but which may pose a risk of producing false positives. (This will be addressed in the rule description.)

The results of the latest recommendation scan are displayed on the General tab of the protection module in the Computer or Policy editorClosedYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details)..

Once a recommendation scan is complete, open the policy that is assigned to the computers you have just scanned. Navigate to Intrusion Prevention > General. Click Assign/Unassign to open the rule assignment window. Sort the rules By Application Type and select Show Recommended for Assignment from the display filter menu:

All the recommendations made for all the computers included in the policy will be listed.

There are two kinds of green flags. Full flags () and partial flags (). Recommended rules always have a full flag. Application types may have a full or partial flag. If the flag is full, it signifies that all the rules that are part of this application type have been recommended for assignment. If the flag is partial, it signifies that only some of the rules that are part of this application type have been recommended.

Trend Micro recommends assigning all the recommended rules to all the computers covered by the policy. This can mean that some rules are assigned to computers on which they are not required. However, the minimal effect on performance is outweighed by the ease of management that results from working through policies.

Remember that a recommendation scan will make recommendations for intrusion prevention rules, log inspection rules, and integrity monitoring rules.

Once a recommendation scan has run, alerts will be raised on the all computers for which recommendations have been made.

The results of a recommendation scan can also include recommendations to unassign rules. This can occur if applications are uninstalled, if security patches from a manufacturer are applied, or if unnecessary rules have been applied manually. To view rules that are recommended for unassignment, select "Show Recommended for Unassignment" from the display filter menu.

Configure recommended rules

Some rules require configuration before they can be applied. For example, some log inspection rules require that you specify the location of the log files to be inspected for change. If this is the case, an alert will be raised on the computer on which the recommendation has been made. The text of the alert will contain the information required to configure the rule.

Troubleshooting: Recommendation Scan Failure

If you are receiving a Recommendation Scan Failure on your server, follow the steps below to resolve the issue. If the issue continues to persist after troubleshooting, create a diagnostic package from the agent and contact support.

Communication

Typically for communication issues "protocol error" will appear in the body of the error message.

If you don't have open inbound firewall ports from the Deep Security Manger to the agent, open the ports or switch to agent-initiated communication. For more information, see Use agent-initiated communication with cloud accounts.

Server resources

Monitor the CPU and memory resources on the server. If the memory or CPU is becoming exhausted during the scan, increase the resources.

Timeout values

Increase the timeout values for the recommendation scan.

  1. Open the command prompt and navigate to the Deep Security manager installation folder.
  2. Type the command below:
  3. dsm_c -action changesetting -name settings.configuration.agentSocketTimeoutOverride -value 1200

    dsm_c -action changesetting -name settings.configuration.defaultSocketChannelTimeout -value 1200000

    dsm_c -action changesetting -name settings.configuration.recoScanKeepAliveTimeInterval -value 180000

  1. If there is a multi-tenant environment, add the tenant name as well.