Predefined alerts

Alert Default Severity Dismissible Description
Abnormal Restart Detected Warning Yes

An abnormal restart has been detected on the computer. This may have a variety of causes. If the agent/appliance is suspected as the root cause, then the diagnostics package (located in the Support section of the Computer Details dialog) should be invoked.

This alert indicates that the Deep Security Agent service was restarted abnormally. You can safely dismiss this alert, or, if the alert reoccurs, create a diagnostics package and open a case with Technical Support.

Activation Failed Critical No This may indicate a problem with the agent/appliance, but it also can occur if agent self-protection is enabled. On the Deep Security Manager, go to Computer editor > Settings > General (to open the Computer editor, go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details). In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.
A Deep Security Relay cannot download security components Critical No A Deep Security Relay can't successfully download security components. This might be due to network connectivity issues or misconfigurations in Deep Security Manager under Administration > System Settings > Updates. Check your network configurations (for example, the proxy settings of the relay group) and System Settings, and then manually initiate an update on the relay using the Download Security Update option on the Administration > Updates > Software page.
Agent configuration package too large Warning Yes This is usually caused by too many firewall and intrusion prevention rules being assigned. Run a recommendation scan on the computer to determine if any rules can be safely unassigned.
Agent Installation Failed Critical Yes

The agent failed to install successfully on one or more computers. Those computers are currently unprotected. You must reboot the computers, which will automatically restart the agent install program.

This may indicate a problem with the agent/appliance, but it also can occur if agent self-protection is enabled. On the Deep Security Manager, go to Computer editor > Settings > General (to open the Computer editor, go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details). In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.

Agent Upgrade Recommended (Incompatible with Appliance) Warning No Deep Security Manager has detected a computer with a version of the agent that is not compatible with the appliance. The appliance will always filter network traffic in this configuration, resulting in redundant protection. (Deprecated in 9.5)
Agent/Appliance Upgrade Recommended Warning No The Deep Security Manager has detected an older agent/appliance version on the computer that does not support all available features. An upgrade of the agent/appliance software is recommended. (Deprecated in 9.5)
Agent/Appliance Upgrade Recommended (Incompatible Security Update(s)) Warning No Deep Security Manager has detected a computer with a version of the agent/appliance that is not compatible with one or more security updates assigned to it. An upgrade of the agent/appliance software is recommended.
Agent/Appliance Upgrade Recommended (New Version Available) Warning No Deep Security Manager has detected one or more computers with a version of the agent/appliance that is older than the latest version imported into the manager. An upgrade of the agent/appliance software is recommended.
Agent/Appliance Upgrade Required Warning No Deep Security Manager has detected a computer with a version of the agent/appliance that is not compatible with this version of the manager. An upgrade of the agent/appliance software is required.
An update to the Rules is available Warning No Updated rules have been downloaded but not applied to your policies. To apply the rules, go to Administration > Updates > Security and in the Rule Updates column, click Apply Rules to Policies.
Anti-Malware Alert Warning Yes A malware scan configuration that is configured for alerting has raised an event on one or more computers.
Anti-Malware Component Failure Critical Yes An anti-malware component failed on one or more computers. See the event descriptions on the individual computers for specific details.
Anti-Malware Component Update Failed Warning No One or more agents or relays failed to update anti-malware components. See the affected computers for more information.
Anti-Malware Engine Offline Critical No The agent or appliance has reported that the anti-malware engine is not responding. Please check the system events for the computer to determine the cause of the failure.
Anti-Malware protection is absent or out of date Warning No The agent on this computer has not received its initial anti-malware protection package, or its anti-malware protection is out of date. Make sure a relay is available and that the agent has been properly configured to communicate with it. To configure relays and other update options, go to Administration > System Settings > Updates.
Anti-malware module maximum disk space used to store identified files exceeded Warning Yes The Anti-Malware module was unable to analyze or quarantine a file because the maximum disk space used to store identified files was reached. To change the maximum disk space for identified files setting, open the computer or policy editor and go to the Anti-malware > Advanced tab.
API Key Locked Out Warning No API Keys can be locked out manually, or by repeated failed validation attempts.
Application Control Engine Offline Critical No The agent has reported that the Application Control engine failed to initialize. Please check the system events for the computer to determine the cause of the failure.
Application Control Ruleset is incompatible with agent version Critical No An application control ruleset could not be assigned to one or more computers because the ruleset is not supported by the installed version of the agent. Typically, the problem is that a hash-based ruleset (which is compatible only with Deep Security Agent 11.0 or newer) has been assigned to an older Deep Security Agent. Deep Security Agent 10.x supports only file-based rulesets. (For details, see Differences in how Deep Security Agent 10 and 11 compare files.) To fix this issue, upgrade the Deep Security Agent to version 11.0 or newer. Alternatively, if you are using local rulesets, reset application control for the agent. Or if you are using a shared ruleset, use a shared ruleset that was created with Deep Security 10.x until all agents using the shared ruleset are upgraded to Deep Security Agent 11.0 or newer.
Application Type Misconfiguration Warning No Misconfiguration of application types may prevent proper security coverage.
Application Type Recommendation Warning Yes Deep Security Manager has determined that a computer should be assigned an application type. This could be because an agent was installed on a new computer and vulnerable applications were detected, or because a new vulnerability has been discovered in an installed application that was previously thought to be safe. To assign the application type to the computer, open the 'Computer Details' dialog box, click on 'Intrusion Prevention Rules', and assign the application type.
AWS Contract License Exceeded Critical No AWS Contract License expired or AWS Contract entitlements have been exceeded.
Azure AD Application Needs Renew Critical No The Azure AD application cannot sync the cloud data. The application password may have expired, or the application may have been deleted. Please renew the application via Computers > Properties (right click on the target group) > Renew Application Now.
Azure AD Application Expires Soon Warning No The Azure AD application password will expire soon. You can remove this alert by renewing the application via Computers > Properties (right click on the target group) > Renew Application Now.
Azure Key Pair Expired Critical No The key pair for Azure service(s) has expired. You can remove this alert by updating your key pair on the Azure service's property page.
Azure Key Pair Expires Soon Warning No The key pair for Azure service(s) will expire soon. You can remove this alert by updating your key pair on the Azure service's property page.
Census, Good File Reputation, and Predictive Machine Learning Service Disconnected Warning Yes

Disconnected from Census, Good File Reputation, and Predictive Machine Learning Service. Please see the event details below for possible solutions.

Refer to Warning: Census, Good File Reputation, and Predictive Machine Learning Service Disconnected for troubleshooting tips.

Certified Safe Software Service Offline Warning No A Deep Security Manager node cannot connect to the Trend Micro Certified Safe Software Service to perform file signature comparisons for the integrity monitoring module. A locally cached database will be used until connectivity is restored. Make sure the manager node has internet connectivity and that proxy settings (if any) are correct.
Clock Change Detected Warning Yes A clock change has been detected on the computer. Unexpected clock changes may indicate a problem on the computer and should be investigated before the alert is dismissed.
Cloud Computer Not Managed as Part of Cloud Account Warning Yes An agent was activated on one or more Amazon WorkSpaces but WorkSpaces are not enabled for your AWS account. To enable WorkSpaces, click 'Edit AWS Account' above, and select the 'Include Amazon WorkSpaces' check box. Your WorkSpace(s) are moved into the WorkSpaces folder of the AWS Account.
Communications Problem Detected Warning Yes A communications problem has been detected on the computer. Communications problems indicate that the computer cannot initiate communication with the Deep Security Manager(s) because of network configuration or load reasons. Please check the system events in addition to verifying communications can be established to the Deep Security Manager(s) from the computer. The cause of the issue should be investigated before the alert is dismissed.
Computer Not Receiving Updates Warning No These computer(s) have stopped receiving updates. Manual intervention may be required.
Computer Reboot Required Critical Yes The agent software upgrade was successful, but the computer must be rebooted for the install to be completed. The computer(s) should be manually updated before the alert is dismissed.
Computer Reboot Required for Anti-Malware Protection Critical No The anti-malware protection on the agent has reported that the computer needs to be rebooted. Please check the system events for the computer to determine the reason for the reboot.
Computer Reboot Required for Application Control Protection Critical No The Application Control protection on the agent has reported that the computer needs to be rebooted. Please check the system events for the computer to determine the reason for the reboot.
Computer Reboot Required for Integrity Monitoring Protection Critical No The Integrity Monitoring protection on the agent has reported that the computer needs to be rebooted. Please check the system events for the computer to determine the reason for the reboot.
Configuration Required Warning No One or more computers are using a policy that defines multiple interface types where not all interfaces have been mapped.
Connection to Filter Driver Failure Critical No An appliance has reported a failure connecting to the filter driver. This may indicate a configuration issue with the filter driver running on the ESXi or with the appliance. The appliance must be able to connect to the filter driver in order to protect guests. The cause of the issue should be investigated and resolved.
CPU Critical Threshold Exceeded Critical No The CPU critical threshold has been exceeded.
CPU Warning Threshold Exceeded Warning No The CPU warning threshold has been exceeded.
Duplicate Computer Detected Warning Yes A duplicate computer has been activated or imported. Please remove the duplicate computer and reactivate the original computer if necessary.
Duplicate Unique Identifiers Detected Warning No Duplicate UUIDs have been detected. Please remove the duplicate UUID.
Empty Relay Group Assigned Critical No These computers have been assigned an empty relay group. Assign a different relay group to the computers or add relays to the empty relay group(s).
Events Suppressed Warning Yes The agent/appliance encountered an unexpectedly high volume of events. As a result, one or more events were not recorded (suppressed) to prevent a potential denial of service. Check the firewall events to determine the cause of the suppression.
Events Truncated Warning Yes Some events were lost because the data file grew too large for the agent/appliance to store. This may have been caused by an unexpected increase in the number of events being generated, or the inability of the agent/appliance to send the data to the Deep Security Manager. For more information, see the properties of the "Events Truncated" system event on the computer.
Execution of Software Blocked Warning Yes Execution of software was blocked on one or more computers. See the Application Control Events on the following computers for more information.
Failed to Send SNS Message Critical No The Deep Security Manager was unable to forward messages to Amazon SNS.
Failed to Send Syslog Message Warning No The Deep Security Manager was unable to forward messages to one or more Syslog Servers.
Files Could Not Be Scanned for Malware Warning No Files could not be scanned for malware because the file path exceeded the maximum file path length limit or the directory depth exceeded the maximum directory depth limit. Please check the system events for the computer to determine the reason.
Firewall Engine Offline Critical No The agent/appliance has reported that the firewall engine is offline. Please check the status of the engine on the agent/appliance.
Firewall Rule Alert Warning Yes A firewall rule that is selected for alerting has been encountered on one or more computers.
Firewall Rule Recommendation Warning Yes Deep Security Manager has determined that a computer on your network should be assigned a firewall rule. This could be because an agent was installed on a new computer and vulnerable applications were detected, or because a new vulnerability has been discovered in an installed application that was previously thought to be safe. To assign the firewall rule to the computer, open the 'Computer Details' dialog box, click on the 'Firewall Rules' node, and assign the firewall rule.
Heartbeat Server Failed Warning No The heartbeat server failed to start properly. This may be due to a port number conflict. Agents/appliances will not be able to contact the manager until this problem is resolved. To resolve this problem, ensure that another service is not using the port number reserved for use by the heartbeat server and restart the Deep Security Manager service. If you do not wish to use the heartbeat, you can turn this alert off in the Alert Configuration section.
Incompatible Agent/Appliance Version Warning No Deep Security Manager has detected a more recent agent/appliance version on the computer that is not compatible with this version of the manager. An upgrade of the manager software is recommended.
Insufficient Disk Space Warning Yes The agent/appliance has reported that it was forced to delete an old log file to free up disk space for a new log file. Please immediately free up disk space to prevent loss of intrusion prevention, firewall and agent/appliance events. See Warning: Insufficient disk space.
Integrity Monitoring Engine Offline Critical No The agent/appliance has reported that the integrity monitoring engine is not responding. Please check the system events for the computer to determine the cause of the failure.
Integrity Monitoring information collection has been delayed Warning No The rate at which integrity monitoring information is collected has been temporarily delayed due to an increased amount of integrity monitoring data. During this time the baseline and integrity event views may not be current for some computers. This alert will be dismissed automatically once integrity monitoring data is no longer being delayed.
Integrity Monitoring Rule Alert Warning Yes An integrity monitoring rule that is selected for alerting has been encountered on one or more computers.
Integrity Monitoring Rule Compilation Error Critical No An error was encountered compiling an integrity monitoring rule on a computer. This may result in the integrity monitoring rule not operating as expected.
Integrity Monitoring Rule Recommendation Warning Yes Deep Security Manager has determined that a computer on your network should be assigned an integrity monitoring rule. To assign the integrity monitoring rule to the computer, open the 'Computer Details' dialog box, click on the 'Integrity Monitoring > Integrity Monitoring Rules' node, and assign the integrity monitoring rule.
Integrity Monitoring Rule Requires Configuration Warning No An integrity monitoring rule that requires configuration before use has been assigned to one or more computers. This rule will not be sent to the computer(s). Open the integrity monitoring rule properties and select the Configuration tab for more information.
Integrity Monitoring Trusted Platform Module Not Enabled Warning Yes Trusted platform module not enabled. Please ensure the hardware is installed and the BIOS setting is correct.
Integrity Monitoring Trusted Platform Module Register Value Changed Warning Yes Trusted platform module register value changed. If you have not modified the ESXi hypervisor configuration this may represent an attack.
Intrusion Prevention Engine Offline Critical No The agent/appliance has reported that the intrusion prevention engine is offline. Please check the status of the engine on the agent/appliance.
Intrusion Prevention Rule Alert Warning Yes An intrusion prevention rule that is selected for alerting has been encountered on one or more computers.
Intrusion Prevention Rule Compilation Failed Critical Yes This is usually caused by a misconfigured IPS Rule. The Rule name can be found in the Event's Properties window. To resolve this issue, identify the Rule and unassign it or contact Trend Micro Support for assistance.
Intrusion Prevention Rule Requires Configuration Warning No An intrusion prevention rule that requires configuration before use has been assigned to one or more computers. This rule will not be sent to the computer(s). Open the intrusion prevention rule properties and select the Configuration tab for more information.
Invalid System Settings Detected Critical No The Deep Security Manager detected invalid values for one or more system settings.
Legacy Agent Software Detected Warning Yes

We have detected software with a version earlier than 9.5, which is no longer supported. Please import the latest software to replace it.

For details, see Get Deep Security Agent software.

Log Inspection Engine Offline Critical No The agent/appliance has reported that the log inspection engine has failed to initialize. Please check the system events for the computer to determine the cause of the failure.
Log Inspection Rule Alert Warning Yes A log inspection rule that is selected for alerting has been encountered on one or more computers.
Log Inspection Rule Recommendation Warning Yes Deep Security Manager has determined that a computer on your network should be assigned a log inspection rule. To assign the log inspection rule to the computer, open the 'Computer Details' dialog box, click on the 'Log Inspection > Log Inspection Rules' node, and assign the log inspection rule.
Log Inspection Rule Requires Configuration Warning No A log inspection rule that requires configuration before use has been assigned to one or more computers. This rule will not be sent to the computer(s). Open the Log Inspection Rule properties and select the Configuration tab for more information.
Low Disk Space Warning No A Deep Security Manager Node has less than 10% remaining disk space. Please free space by deleting old or unnecessary files, or add more storage capacity.
Maintenance Mode Active Warning No Maintenance mode is currently active for application control on one or more computers. While this mode is active, application control continues to enforce block rules (if you selected Block unrecognized software until it is explicitly allowed), but will allow software updates, and automatically add them to the inventory part of the ruleset. When the software update is finished for each computer, disable maintenance mode so that unauthorized software is not accidentally added to the ruleset.
Manager Offline Warning No A Deep Security Manager node is offline. It is possible the computer has a hardware or software problem, or has simply lost network connectivity. Please check the status of the manager's computer.
Manager Time Out of Sync Critical No The clock on each manager node must be synchronized with the clock on the database. If the clocks are too far out of sync (more than 30 seconds) the manager node will not perform its tasks correctly. Synchronize the clock on your manager node with the clock on the database.
Memory Critical Threshold Exceeded Critical No The memory critical threshold has been exceeded.
Memory Warning Threshold Exceeded Warning No The memory warning threshold has been exceeded.
Multiple Activated Appliances Detected Warning Yes The appliance has reported that multiple connections have been made to the filter driver on the same ESXi. This indicates that there may be multiple activated Appliances running on the same ESXi, which is not supported. The cause of the issue should be investigated before the alert is dismissed.
Network Engine Mode Incompatibility Warning No Setting "Network Engine Mode" to "Tap" is only available on agent versions 5.2 or higher. Review and update the agent's configuration or upgrade the agent to resolve the incompatibility.
New Pattern Update is Downloaded and Available Warning No New patterns are available as part of a security update. The patterns have been downloaded to Deep Security but have not yet been applied to your computers. To apply the update to your computers, go to the Administration > Updates > Security page.
New Rule Update is Downloaded and Available Warning No New rules are available as part of a security update. The rules have been downloaded to Deep Security but have not yet been applied to policies and sent to your computers. To apply the update and send the updated policies to your computers, go to the Administration > Updates > Security page.
Newer Version of Deep Security Manager is Available Warning No A new version of the Deep Security Manager is available. Download the latest version from the Trend Micro Download Center at http://downloadcenter.trendmicro.com/
Newer Versions of Software Available Warning No New software is available. Software can be downloaded from the Download Center.
Number of Computers exceeds database limit Warning No The number of activated computers has exceeded the recommended limit for an embedded database. Performance will degrade rapidly if more computers are added and it is strongly suggested that another database option (Oracle or SQL Server) be considered at this point. Please contact Trend Micro for more information on upgrading your database.
Protection Module Licensing Expired Warning Yes The protection module license has expired.
Protection Module Licensing Expires Soon Warning No The protection module licensing will expire soon. You can remove this alert by changing your license on the Administration > Licenses page.
Recommendation Warning Yes Deep Security Manager has determined that the security configuration of one of your computers should be updated. To see what changes are recommended, open the Computer editor (go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details) and look through the module pages for warnings of unresolved recommendations. In the Assigned Rules area, click Assign/Unassign to display the list of available rules and then filter them using the "Show Recommended for Assignment" viewing filter option. (Select "Show Recommended for Unassignment" to display rules that can safely be unassigned.)
Reconnaissance Detected: Computer OS Fingerprint Probe Warning Yes The agent or appliance detected an attempt to identify the computer operating system via a "fingerprint" probe. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
Reconnaissance Detected: Network or Port Scan Warning Yes The agent or appliance detected network activity typical of a network or port scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
Reconnaissance Detected: TCP Null Scan Warning Yes The agent or appliance detected a TCP "Null" scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
Reconnaissance Detected: TCP SYNFIN Scan Warning Yes The agent or appliance detected a TCP "SYNFIN" scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
Reconnaissance Detected: TCP Xmas Scan Warning Yes The agent or appliance detected a TCP "Xmas" scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
SAML Identity Provider Certificate expired Critical No One or more SAML Identity Provider Certificate(s) expired.
SAML Identity Provider Certificate expires soon Warning No One or more SAML Identity Provider Certificate(s) expire soon.
Scheduled Malware Scan Missed Warning No Scheduled malware scan tasks were initiated on computers that already had pending scan tasks. This may indicate a scanning frequency that is too high. Consider lowering the scanning frequency, or selecting fewer computers to scan during each scheduled scan job.
Send Policy Failed Critical No Inability to send policy may indicate a problem with the agent/appliance. Please check the affected computers.
Smart Protection Server Connection Failed Warning Yes Failed to connect to a Smart Protection Server. This could be due to a configuration issue, or due to network connectivity.
Software Package Not Found Critical No An agent software package is required for the proper operation of one or more virtual appliance(s). Please import a Red Hat Enterprise Linux 6 (64 bit) agent software package with the correct version for each appliance. If the required version is not available then please import the latest package and upgrade the appliance to match.
Software Updates Available for Import Warning No New software is available. To import new software to Deep Security, go to Administration > Updates > Software > Download Center.
Unable to communicate Critical No Deep Security Manager has been unable to query the agent/appliance for its status within the configured period. Please check your network configuration and the affected computer's connectivity.
Unable to Upgrade the Agent Software Warning Yes

Deep Security Manager was unable to upgrade the agent software on the computer.

This may indicate a problem with the agent/appliance, but it also can occur if agent self-protection is enabled. On the Deep Security Manager, go to Computer editor > Settings > General (to open the Computer editor, go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details). In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.

Software Changes Detected Warning No During ongoing file system monitoring, application control detected that new software had been installed, and it did not match any configured allow or block rule. If your system administrators did not install the software, and no other users have permissions to install software, this could indicate a security compromise. If the software tries to launch, depending on your lockdown configuration at that time, it may or may not be allowed to execute.
Unresolved software change limit reached Critical No Software changes detected on the file system exceeded the maximum amount. Application control will continue to enforce existing rules, but will not record any more changes, and it will stop displaying any of that computer's software changes. You must resolve and prevent excessive software change.
Upgrade of the Deep Security Manager Software Recommended (Incompatible Security Update(s)) Warning No Deep Security Manager has detected a computer that is using security updates that are not compatible with the current version of Deep Security Manager. An upgrade of Deep Security Manager software is recommended.
Upgrade of the Filter Driver Recommended (New Version Available) Warning No Deep Security Manager has detected one or more ESXi Servers with a version of the filter driver that does not match the latest version available. An upgrade of the filter driver is recommended.
User Locked Out Warning No Users can be locked out manually, by repeated incorrect sign-in attempts, if their password expires, or if they have been imported but not yet unlocked.
User Password Expires Soon Warning No The password expiry setting is enabled and one or more users have passwords that will expire within the next 7 days.
Virtual Appliance is Incompatible With Filter Driver Warning No The appliance is incompatible with the filter driver. Please ensure both are upgraded to their latest versions.
Virtual Machine Interfaces Out of Sync Warning No One or more of the virtual machines monitored by a Deep Security Virtual Appliance has reported that its interfaces are out of sync with the filter driver. This means that the appliance may not be properly monitoring the virtual machine's interfaces. The virtual machine may require manual intervention such as a configuration change, or a restart, to correct the issue.
Virtual Machine Moved to Unprotected ESXi Server Warning Yes A virtual machine was moved to an ESXi Server that does not have an activated Deep Security Virtual Appliance.
Virtual Machine Unprotected after move to another ESXi Warning Yes A virtual machine that was appliance-protected has been unprotected during or after it was moved to another ESXi. This may be due to an appliance reboot or power off during the move, or it may indicate a configuration issue. The cause of the issue should be investigated before the alert is dismissed.
VMware Tools Not Installed Critical Yes A protected virtual machine in an NSX environment does not have VMware Tools installed. VMware Tools is required to protect virtual machines in an NSX environment.
Web Reputation Event Alert Warning Yes A web reputation event has been encountered on one or more computers that are selected for alerting.
WorkSpaces Disabled for AWS Account Warning Yes An agent was activated on one or more Amazon WorkSpaces but WorkSpaces are not enabled for your AWS account. To enable WorkSpaces, click 'Edit AWS Account' above, and select the 'Include Amazon WorkSpaces' check box. Your WorkSpace(s) will be moved into the WorkSpaces folder of the AWS account.