Overview section of the computer editor

The computer editor Overview page has the following tabbed sections:

General tab

  • Hostname: Appears in the Name column on the Computers page. The name must be either the IP address or the hostname of the computer. If you use a hostname, it can be either fully qualified or relative. You must specify a hostname that can be resolved or a valid IP address that the Deep Security Manager can access, because communication between the Deep Security Manager and the agent computers is based on the hostname. For relay-enabled agents, all of the computers within the relay group should be able to reach the specified IP address or hostname. If the Deep Security Manager cannot access the target computer, the communication direction should be set to Agent/Appliance Initiated (Settings > Computer).
  • (Last IP Used: <IP_address>): The last IP used by the computer. Last IP Used may not always show the IP address of the Deep Security Agent's host. Instead, it could be the IP address of a proxy, load balancer, elastic load balancer (ELB), etc., that the agent uses to communicate with Deep Security Manager.
  • Display Name: Appears in the Display Name column and in brackets next to the Hostname value.
  • Description: a description of the computer.
  • Platform: Details of the computer's OS will appear here.
  • Group: The computer group to which the computer belongs appears in the list. You can reassign the computer to any other existing computer group.
  • Policy: The policy (if any) that has been assigned to this computer.
    Keep in mind that if you unassign a policy from a computer, rules may still be in effect on the computer if they were assigned independently of the policy.
  • Asset Importance: Deep Security Manager uses a ranking system to quantify the importance of security events. Rules are assigned a severity level (high, medium, low, etc.), and assets (computers) are assigned an "asset importance" level. These levels have numerical values. When a rule is triggered on a computer the asset importance value and the severity level value are multiplied together. This produces a score which is used to sort events by importance. (Event ranking can be seen in the Events pages.) Use this Asset Importance list to assign an asset importance level to this computer. (To edit the numerical values associated with severity and importance levels, go to Administration > System Settings > Ranking.)
  • Download Security Updates From: Use the dropdown list to select which relay group the agent/appliance on this computer will download security updates from. (Not displayed if the agent is acting as a relay.)

Computer status

The Status area displays the latest available information about the computer and the protection modules in effect on it. Whether the computer is protected by an agent or an appliance (or both in the case of combined mode) is displayed in the top row.

  • Status:
    • When the computer is unmanaged the status represents the state of the agent or appliance with respect to activation. The status will display either "Discovered" or "New" followed by the agent or appliance state in brackets ("No Agent/Appliance", "Unknown", "Reactivation Required", "Activation Required", or "Deactivation Required").
    • When the computer is managed and no computer errors are present, the status will display "Managed" followed by the state of the agent or appliance in brackets ("Online" or "Offline").
    • When the computer is managed and the agent or appliance is in the process of performing an action (e.g. "Integrity Scan in Progress", "Upgrading Agent (Install Program Sent)", etc.) the task status will be displayed.
    • When there are errors on the computer (e.g., "Offline", "Update Failed", etc.) the status will display the error. When more than one error is present, the status will display "Multiple Errors" and each error will be listed beneath.

Protection module status

With Deep Security 9.5 and later, protection modules are deployed to agents on an as-needed basis. Only core functionality is included when an agent is first installed.

The Status area provides information about the state of the Deep Security modules. The status reflects the state of a module on the agent as well as its configuration in Deep Security Manager. A status of "On" indicates that the module is configured in Deep Security Manager and is installed and operating on the Deep Security Agent.

A green status light is displayed for a module when it is "On" and working. In addition, modules that allow individual rule assignment must have at least one rule assigned before they will display a green light.

  • Anti-Malware: Whether Anti-Malware protection is on or off and whether it is configured for real-time or on-demand scans.
  • Web Reputation: Whether Web Reputation is on or off.
  • Device Control: Whether Device Control is on or off.
  • Firewall: Whether the Firewall is on or off and how many rules are in effect.
  • Intrusion Prevention: Whether Intrusion Prevention is on or off and how many rules are in effect.
  • Integrity Monitoring: Whether Integrity Monitoring is on or off and how many rules are in effect.
  • Log Inspection: Whether Log Inspection is on or off and how many rules are in effect.
  • Application Control: Whether Application Control is on or off.
  • Scanner (SAP): Status of the Deep Security Scanner SAP feature.
  • Online: Indicates whether the manager can currently communicate with the agent or appliance.
  • Last Communication: The last time the manager successfully communicated with the agent or appliance on this computer.
  • Check Status: This button allows you to force the manager to perform an immediate heartbeat operation to check the status of the agent or appliance. Check Status will not perform a security update of the agent or appliance. When manager to agent or appliance communication is set to "Agent/Appliance Initiated", the Check Status button is disabled. Checking status will not update the logs for this computer. To update the logs for this computer, go to the Actions tab.
  • Clear Warnings/Errors: Dismisses any alerts or errors on this computer.
  • ESXi server: If the computer is a virtual machine protected by a virtual appliance, the ESXi server that hosts them is displayed.
  • Appliance: If the computer is a virtual machine protected by a virtual appliance, the protecting appliance is displayed.
  • ESXi Version: If the computer is an ESXi server, the ESXi version number is displayed.
  • Filter Driver version: If the computer is an ESXi server, the filter driver version number is displayed. If you are using Deep Security Virtual Appliance 10.0 or later with ESXi 6.0 or later, "N/A" will be displayed because no filter driver is in use.
  • Guests: If the computer is an ESXi server, the virtual appliance and guests are displayed.
  • Appliance Version: If the computer is a virtual appliance, the appliance version number is displayed.
  • Protected Guests On: If the computer is a virtual appliance, the IP of the ESXi server and the protected guest are displayed.

VMware virtual machine summary

This section displays a summary of hardware and software configuration information about the virtual machine on which the agent or appliance is running (VMware virtual machines only).

Actions tab

Activation

A newly installed Deep Security agent or appliance needs to be "activated" by the Deep Security Manager before policies, rules, requests for event logs, etc. can be sent to it. The activation procedure includes the exchange of SSL keys which uniquely identify a manager (or one of its nodes) and an agent/appliance to each other. Once activated by a Deep Security Manager, an agent/appliance will only accept instructions or communicate with the Deep Security Manager which activated it (or one of its nodes).

An unactivated agent or appliance can be activated by any Deep Security Manager.

Agents and appliances can only be deactivated locally on the computer or from the Deep Security Manager which activated them. If an agent or appliance is already activated, the button in this area will read Reactivate rather than Activate. Reactivation has the same effect as activation. A reactivation will reset the agent or appliance to the state it was in after first being installed and initiate the exchange of a new set of SSL keys.

Policy

When you change the configuration of an agent or appliance on a computer using the Deep Security Manager (apply a new Intrusion Prevention rule, change logging settings, etc.) the Deep Security Manager has to send the new information to the agent or appliance. This is a "Send Policy" instruction. Policy updates usually happen immediately but you can force an update by clicking the Send Policy button.

Agent Software

This displays the version of the agent or appliance currently running on the computer. If a newer version of the agent or appliance is available for the computer's platform, you can click the Upgrade Agent or Upgrade Appliance button to remotely upgrade the agent or appliance from the Deep Security Manager. You can configure the Deep Security Manager to trigger an alert if new versions of the agent or appliance software running on any of your computers are available by going to the Administration > System Settings > Updates tab.

Before updating or uninstalling a Deep Security Agent or Relay on Windows, you must disable agent self-protection. To do this, on the Deep Security Manager, go to Computer editor > Settings > General. (To open the Computer editor, go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details.) In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.

Support

The Create Diagnostic Package button creates a snapshot of the state of the agent or appliance on the computer. Your support provider may request this for troubleshooting purposes.

If you have lost communication with the computer, a diagnostics package can be created locally. For more information, see Create a diagnostic package and logs.

TPM tab

The TPM tab will appear in place of the Actions tab for ESXi servers.

A Trusted Platform Module (TPM) is a type of chip that is used for hardware authentication. VMware uses the TPM with its ESXi hypervisors. During the boot sequence, an ESXi writes a SHA-1 hash of each hypervisor component to a set of registers as it loads. An unexpected change in these values from one boot sequence to the next can indicate a possible security issue worth investigating. Deep Security can monitor the TPM on an ESXi after every boot and raise an Alert if it detects any changes. If you select the option to enable TPM monitoring on an ESXi that doesn't support it, the option will be automatically disabled.

Enable TPM Monitoring: Select to enable Trusted Platform Module monitoring.

Raise an alert when TPM Monitoring fails to obtain valid register values: Select to have Deep Security raise an alert if the Trusted Platform Module fails to obtain valid register values for the hypervisor components during the ESXi boot sequence.

TPM Register Data Imported: Indicates whether the Trusted Platform Module data has been imported.

TPM Last Checked: Indicates when the Trusted Platform Module was last checked. You can click Check Now to start a check of the Trusted Platform Module.

The minimum requirements for TPM monitoring are:
  • TPM/TXT installed and enabled on the ESXi (consult your VMware documentation for details)
  • The Deep Security Integrity Monitoring and Application Control modules must be properly licensed.
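
The boot-to-boot comparison described on this tab can be sketched as follows. This is an added example, not Deep Security or VMware code: it goes slightly beyond the text by modelling the TPM 1.2 extend operation (each register becomes SHA-1 of its old value plus the component's SHA-1 digest), and the register numbers, component bytes and function names are constructed for illustration.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 digest length in bytes
HEX_CHARS = set("0123456789abcdefABCDEF")


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2-style extend: new = SHA1(old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components_by_register):
    """Replay one boot: fold each loaded component into its register, in load order."""
    registers = {}
    for index, components in components_by_register.items():
        value = bytes(PCR_SIZE)  # a register starts as all zeros after reset
        for blob in components:
            value = extend(value, blob)
        registers[index] = value.hex()
    return registers


def is_valid(value):
    """A usable register reading is exactly 40 hexadecimal characters."""
    return (isinstance(value, str) and len(value) == 2 * PCR_SIZE
            and set(value) <= HEX_CHARS)


def compare_boots(baseline, current):
    """Return (changed, invalid) register indexes relative to the baseline boot."""
    changed, invalid = [], []
    for index in sorted(baseline):
        value = current.get(index)
        if not is_valid(value):
            invalid.append(index)   # maps to the "fails to obtain valid register values" alert
        elif value.lower() != baseline[index].lower():
            changed.append(index)   # maps to the "values changed since last boot" alert
    return changed, invalid


# Constructed sample data: two boots that differ in one component of register 20.
BOOT_1 = {0: [b"firmware-v1"], 17: [b"loader-v1"], 20: [b"kernel-v1", b"driver-a"]}
BOOT_2 = {0: [b"firmware-v1"], 17: [b"loader-v1"], 20: [b"kernel-v1", b"driver-b"]}

if __name__ == "__main__":
    baseline = measure_boot(BOOT_1)
    current = measure_boot(BOOT_2)
    current[17] = ""  # simulate a register that could not be read
    changed, invalid = compare_boots(baseline, current)
    print("changed registers:", changed)
    print("invalid registers:", invalid)
```

Because extend chains each digest onto the previous register value, a change in any single component, or in the order components load, changes the final register value.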

System Events tab

For information about events, see System events.

Exceptions tab

USB Device Exception rule count limitation

The current supported USB device exception rule count for each computer is 1000.