Command-line basics

You can use the local command-line interface (CLI) to command both Deep Security Agents and the Deep Security Manager to perform many actions. The CLI can also configure some settings, and to display system resource usage.

You can also automate many of the CLI commands below using the Deep Security API. To get started with the API, see the First Steps Toward Deep Security Automation guide in the Deep Security Automation Center.

Below are command syntax and examples.

Deep Security Agent

On Windows, when self-protection is enabled, local users cannot uninstall, update, stop, or otherwise control the agent. They must also supply the authentication password when running CLI commands.

dsa_control

You can use dsa_control to configure some agent settings, and to manually trigger it to perform some actions such as activation, an anti-malware scan, or baseline rebuild.

In Windows:

  • Open a Command Prompt as Administrator
  • cd C:\Program Files\Trend Micro\Deep Security Agent\
  • dsa_control -m "AntiMalwareManualScan:true"

In Linux:

  • sudo /opt/ds_agent/dsa_control -m "AntiMalwareManualScan:true"

Usage

dsa_control [-a <str>] [-b] [-c <str>] [-d] [-g <str>] [-s <num>] [-m] [-p <str>] [-r] [-R <str>] [-t <num>] [-u <str>:<str>] [-w <str>:<str>] [-x dsm_proxy://<str>] [-y relay_proxy://<str>] [--buildBaseline] [--scanForChanges] [Additional keyword:value data to send to manager during activation or heartbeat...]

Parameter Description
-a <str>, --activate=<str>

Activate agent with manager at the specified URL in this format:

dsm://<host>:<port>/

where:

  • <host> could be either the manager's fully qualified domain name (FQDN), IPv4 address, or IPv6 address
  • <port> is the manager's listening port number

Optionally, after the argument, you can also specify some settings such as the description to send during activation. See Agent-initiated heartbeat command ("dsa_control -m"). They must be entered as key:value pairs (with a colon as a separator). There is no limit to the number of key:value pairs that you can enter, but the key:value pairs must be separated from each other by a space. Quotation marks around the key:value pair are required if it includes spaces or special characters.

-b, --bundle Create an update bundle.
-c <str>, --cert=<str> Identify the certificate file.
-d, --diag Generate an agent package. For more detailed instructions, see Create an agent diagnostic package via CLI on a protected computer.
-g <str>, --agent=<str>

Agent URL. Defaults to:

https://localhost:<port>/

where <port> is the manager's listening port number.

-m, --heartbeat Force the agent to contact the manager now.
-p <str> or --passwd=<str>

Authentication password that you might have configured in Deep Security Manager previously. See Configure self-protection through Deep Security Manager for details. If configured, the password must be included with all dsa_control commands except dsa_control -a, dsa_control -x, and dsa_control -y.

Example: dsa_control -m -p MyPa$$w0rd

If you type the password directly into the command line, it is displayed on the screen. To hide the password with asterisks (*) while you type, enter the interactive form of the command, -p *, which prompts you for the password.

Example:

dsa_control -m -p *

-r, --reset Reset the agent's configuration. This will remove the activation information from the agent and deactivate it.
-R <str>, --restore=<str> Restore a quarantined file. On Windows, you can also restore cleaned and deleted files.
-s <num>, --selfprotect=<num>

Enable agent self-protection (1: enable, 0: disable). Self-protection prevents local end-users from uninstalling, stopping, or otherwise controlling the agent. For details, see Enable or disable agent self-protection. This is a Windows-only feature.

Although dsa_control lets you enable self-protection, it does not let you configure an associated authentication password. You'll need Deep Security Manager for that. See Configure self-protection through Deep Security Manager for details. Once configured, the password will need to be entered at the command line using the -p or --passwd= option.

In Deep Security 9.0 and earlier, this option was -H <num>, --harden=<num>
-t <num>, --retries=<num> If dsa_control cannot contact the agent service to carry out accompanying instructions, this parameter instructs dsa_control to retry <num> number of times. There is a 1 second pause between retries.
-u <user>:<password> If the agent connects through a proxy to the manager, provide the proxy user name and password, separated by a colon (:). To remove the username and password, type an empty string (""). Basic authentication only. Digest and NTLM are not supported.
-w <user>:<password> If the agent connects through a proxy to a relay for security updates and software, provide the proxy user name and password, separated by a colon (:).
-x dsm_proxy://<str>:<num> If the agent connects through a proxy to the manager, provide the proxy's IPv4/IPv6 address or FQDN and port number, separated by a colon (:). To remove the address, instead of a URL, type an empty string (""). Square brackets must surround IPv6 addresses. For example: dsa_control -x "dsm_proxy://[fe80::340a:7671:64e7:14cc]:808/"
-y relay_proxy://<str>:<num> If the agent connects through a proxy to a relay for security updates and software, provide the proxy's IP address or FQDN and port number, separated by a colon (:).
--buildBaseline Build the baseline for integrity monitoring.
--scanForChanges Scan for changes for integrity monitoring.
--max-dsm-retries Number of times to retry an activation. Valid values are 0 to 100, inclusive. The default value is 30.
--dsm-retry-interval Approximate delay in seconds between retrying activations. Valid values are 1 to 3600, inclusive. The default value is 300.

 

Agent-initiated activation ("dsa_control -a")

The agent installed on a computer must be activated before the manager can assign rules and policies to protect the computer. Activation includes the exchange of unique fingerprints between the agent and the manager to authenticate each other for encrypted channels. This ensures that only one manager (or one of the other Deep Security Manager nodes that are connected to the same database) can send instructions to and communicate with the agent.

Activation can be either manager-initiated or agent-initiated (AIA), if enabled. AIA is useful if either a firewall/NAT prevents the manager from initiating the connection to agents, or if you deploy many agents at once, and you want to write a script to automate activation.

  1. On Deep Security Manager, go to Administration > System Settings > Agents.
  2. Select Allow Agent-Initiated Activation.
  3. In your deployment script, after you install Deep Security Agent on the computer, run the activation command, such as:

    dsa_control -a dsm://<host>:<port>/

    where:

    • <host> could be either the manager's fully qualified domain name (FQDN), IPv4 address, or IPv6 address
    • <port> is the agent-to-manager communication port number.)

    For example:

    dsa_control -a dsm://dsm.example.com:4120/ hostname:www12 "description:Long Description With Spaces"

    dsa_control -a dsm://fe80::ad4a:af37:17cf:8937:4120

Optionally, you can also specify some settings such as the description to send during activation. See Agent-initiated heartbeat command ("dsa_control -m").

Agent-initiated activation via proxy

If agents must connect through a proxy to the manager, you can configure agent-initiated communication via a proxy.

  1. On Deep Security Manager, go to Administration > System Settings > Agents.
  2. In the Agent-Initiated Activation area:
    • Select Allow Agent-Initiated Activation.
    • Select Allow Agent to specify hostname.
    • From the If a computer with the same name exists list, select Activate a new Computer with the same name.
  3. Click Save.
  4. In your deployment script, after you install Deep Security Agent on the computer but before you activate it, run the proxy configuration commands, such as:

    dsa_control -x "dsm_proxy://proxy.example.com:808/"
    dsa_control -u "root:Passw0rd!"
    dsa_control -a "dsm://dsm.example.com:4120/"

Agent-initiated heartbeat command ("dsa_control -m")

You can force the agent to immediately send a heartbeat to the manager.

Like activation, the heartbeat command can also send settings to the manager during the connection.

Parameter Description Example Use during Activation Use during Heartbeat
AntiMalwareCancelManualScan

Boolean.

Cancels an on-demand ("manual") scan that is currently occurring on the computer.

"AntiMalwareCancelManualScan:true" no yes
AntiMalwareManualScan

Boolean.

Initiates an on-demand ("manual") anti-malware scan on the computer.

"AntiMalwareManualScan:true" no yes
description

String.

Sets the computer's description. Maximum length 2000 characters.

"description:Extra information about the host" yes yes
displayname

String.

Sets the display name shown in parentheses next to the hostname on Computers. Maximum length 2000 characters.

"displayname:the_name" yes yes
externalid

Integer.

Sets the externalid value. This value can be used to uniquely identify an agent. The value can be accessed using the legacy SOAP web service API.

"externalid:123" yes yes
group

String.

Sets which group the computer belongs to on Computers. Maximum length 254 characters per group name per hierarchy level.

The forward slash ("/") indicates a group hierarchy. The group parameter can read or create a hierarchy of groups.
This parameter can only be used to add computers to standard groups under the main "Computers" root branch. It cannot be used to add computers to groups belonging to directories (Microsoft Active Directory), VMware vCenters, or cloud provider accounts.

"group:Zone A web servers" yes yes
groupid

Integer.

"groupid:33" yes yes
hostname

String.

Maximum length 254 characters.

The hostname can specify an IP address, hostname or FQDN that the manager can use to connect to the agent.

"hostname:www1" yes no
IntegrityScan

Boolean.

Initiates an integrity scan on the computer.

"IntegrityScan:true" no yes
policy

String.

Maximum length 254 characters.

The policy name is a case-insensitive match to the policy list. If the policy is not found, no policy will be assigned.

A policy assigned by an event-based task will override a policy assigned during agent-initiated activation.

"policy:Policy Name"
yes yes
policyid

Integer.

"policyid:12" yes yes
relaygroup

String.

Links the computer to a specific relay group. Maximum length 254 characters.

The relay group name is a case-insensitive match to existing relay group names. If the relay group is not found, the default relay group will be used.

This does not affect relay groups assigned during event-based tasks. Use either this option or event-based tasks, not both.

"relaygroup:Custom Relay Group"
yes yes
relaygroupid

Integer.

"relaygroupid:123" yes yes
relayid

Integer.

"relayid:123" yes yes
tenantIDand token

String.

If using agent-initiated activation as a tenant, both tenantID and token are required. The tenantID and token can be obtained from the deployment script generation tool.

"tenantID:12651ADC-D4D5"

and

"token:8601626D-56EE"
yes yes
RecommendationScan

Boolean.

Initiate a recommendation scan on the computer.

"RecommendationScan:true" no yes
UpdateComponent

Boolean.

Instructs Deep Security Manager to perform a security update.

"UpdateComponent:true" no yes
RebuildBaseline

Boolean.

Rebuilds the integrity monitoring baseline on the computer.

"RebuildBaseline:true" no yes
UpdateConfiguration

Boolean.

Instructs Deep Security Manager to perform a "Send Policy" operation.

"UpdateConfiguration:true" no yes

Activate an agent

To activate an agent from the command line, you need to know the tenant ID and password. You can get them from the deployment script.

  1. In the top right corner of Deep Security Manager, click Support > Deployment Scripts.
  2. Select your platform.
  3. Select Activate Agent automatically after installation.
  4. In the deployment script, locate the strings for tenantID and token.

Windows

In PowerShell:

& $Env:ProgramFiles"\Trend Micro\Deep Security Agent\dsa_control" -a <manager URL> <tenant ID> <token>

In cmd.exe:

C:\Windows\system32>"\Program Files\Trend Micro\Deep Security Agent\dsa_control" -a <manager URL> <tenant ID> <token>

Linux

/opt/ds_agent/dsa_control -a <manager URL> <tenant ID> <token>

Configure a proxy for anti-malware and rule updates

If the agent must connect to its relay through a proxy, you must configure the proxy connection.

Windows
  1. Open a command prompt (cmd.exe) as Administrator.
  2. Enter these commands:

    cd C:\Program Files\Trend Micro\Deep Security Agent\

    dsa_control -w myUserName:MTPassw0rd

    dsa_control -y relay_proxy://squid.example.com:443

Linux

/opt/ds_agent/dsa_control -w myUserName:MTPassw0rd

/opt/ds_agent/dsa_control -y relay_proxy://squid.example.com:443

Configure a proxy for connections to the manager

If the agent must connect to its manager through a proxy, you must configure the proxy connection.

Windows
  1. Open a command prompt (cmd.exe) as Administrator.
  2. Enter these commands:

    cd C:\Program Files\Trend Micro\Deep Security Agent\

    dsa_control -u myUserName:MTPassw0rd

    dsa_control -x dsm_proxy://squid.example.com:443

Linux

/opt/ds_agent/dsa_control -u myUserName:MTPassw0rd

/opt/ds_agent/dsa_control -x dsm_proxy://squid.example.com:443

Force the agent to contact the manager

Windows

In PowerShell:

& "\Program Files\Trend Micro\Deep Security Agent\dsa_control" -m

In cmd.exe:

C:\Windows\system32>"\Program Files\Trend Micro\Deep Security Agent\dsa_control" -m

Linux

/opt/ds_agent/dsa_control -m

Initiate a manual anti-malware scan

Windows
  1. Open a command prompt (cmd.exe) as Administrator.
  2. Enter these commands:

    cd C:\Program Files\Trend Micro\Deep Security Agent\

    dsa_control -m "AntiMalwareManualScan:true"

Linux

/opt/ds_agent/dsa_control -m "AntiMalwareManualScan:true"

Create a diagnostic package

If you need to troubleshoot a Deep Security Agent issue, your support provider might ask you to create and send a diagnostic package from the computer. For more detailed instructions, see Create an agent diagnostic package via CLI on a protected computer.

You can produce a diagnostic package for a Deep Security Agent computer through the Deep Security Manager but if the agent computer is configured to use Agent/Appliance Initiated communication, then the manager cannot collect all the required logs. So when Technical Support asks for a diagnostic package, you need to run the command directly on the agent computer.

Reset the agent

This command will remove the activation information from the target agent and deactivate it.

Windows

In PowerShell:

& "\Program Files\Trend Micro\Deep Security Agent\dsa_control" -r

In cmd.exe:

C:\Windows\system32>"\Program Files\Trend Micro\Deep Security Agent\dsa_control" -r

Linux

/opt/ds_agent/dsa_control -r

dsa_query

You can use the dsa_query command to display agent information:

  • License-status of each component
  • Scan progress
  • Version information of security update components

Usage

dsa_query [-c <str>] [-p <str>] [-r <str]

Parameter Description
-p,--passwd <string>

Authentication password used with the optional agent self-protection feature. Required if you specified a password when enabling self-protection.

For some query-commands, authentication can be bypassed directly, in such case, password is not required.

-c,--cmd <string>

Execute query-command against the agent. The following commands are supported:

  • "GetHostInfo": to query which identity is returned to the manager during a heartbeat
  • "GetAgentStatus": to query which protection modules are enabled and other miscellaneous information
  • "GetComponentInfo": to query version information of anti-malware patterns and engines
  • "GetPluginVersion": to query version information of the agent and protection modules

-r,--raw <string> Returns the same query-command information as "-c" but in raw data format for third party software interpretation.
pattern

Wild card pattern to filter result. Optional.

Example:
dsa_query -c "GetComponentInfo" -r "au" "AM*"

 

Check CPU usage and RAM usage

Windows

Use the Task Manager or procmon.

Linux

top

Check that ds_agent processes or services are running

Windows

Use the Task Manager or procmon.

Linux

ps -ef|grep ds_agent

Restart an agent on Linux

service ds_agent restart

or

/etc/init.d/ds_agent restart

Some actions require either a -tenantname parameter or a -tenantid parameter. If execution problems occur when you use the tenant name, try the command using the associated tenant ID.