Table of Contents
Log4j Vulnerability Coverage
About Workload Security
About the Workload Security components
Endpoint Security and Workload Security protection modules
About billing and pricing
Workload Security release strategy and lifecycle policy
Compatibility
System requirements
Agent requirements
Agent platform compatibility
Linux kernel compatibility
Disable optional Linux kernel support package updates
Disable updates on a single computer
Disable updates on multiple computers
Linux file system compatibility
Linux systemd support
Linux Secure Boot support
SELinux support
Supported features by platform
Sizing
Port numbers, URLs, and IP addresses
Agent to Workload Security FQDNs for accounts created before 2020-11-23
Relays to Update Server FQDNs for accounts created before 2020-11-23
Relays to Download Center FQDNs for accounts created before 2020-11-23
Required Workload Security URLs for firewalls without wildcard support
Get started
Try the Workload Security demo
Transitioning from Deep Security as a Service
Migrate from an on-premises Deep Security Manager
Trend Cloud One - Endpoint & Workload Security
Configure Endpoint Security
Check digital signatures on software packages
Check the signature on software ZIP packages
By exporting the ZIP from the manager
By viewing the ZIP's properties file
By using jarsigner
Check the signature on installer files (EXE, MSI, RPM, DEB files)
Check the signature on an EXE or MSI file
Check the signature on an RPM file
First, install GnuPG
Next, import the signing key
Finally, verify the signature on the RPM file
Check the signature on a DEB file
First, install the dpkg-sig utility
Next, import the signing key
Finally, verify the signature on the DEB file
Check relay connectivity
Deploy the agent
Get agent software
Configure Linux Secure Boot for agents
Configure Mobile Device Management on Workload Security for the macOS agent
Install the agent
Manual installation
Install the agent on Windows
Installation on Amazon WorkSpaces
Installation on Windows 2012 Server Core
Install the agent on Red Hat, Amazon, SUSE, Oracle, Alma, Rocky, Miracle, or Cloud Linux
Install the agent on Ubuntu or Debian
Install the agent on Solaris
Install the agent on AIX
Install the agent on macOS
Install the agent on Red Hat OpenShift:
Before you begin
Installing the agent
Install the agent using other methods
Post-installation tasks
Install the agent on Amazon EC2 and WorkSpaces
Add your AWS accounts to Workload Security
Configure the activation type
Open ports
Which ports should be opened?
Deploy agents to your Amazon EC2 instances and WorkSpaces
Verify that the agent was installed and activated
Assign a policy
Install the agent on an AMI or WorkSpace bundle
Add your AWS account to Workload Security
Configure the activation type
Launch a master Amazon EC2 instance or Amazon WorkSpace
Deploy an agent on the master
Verify that the agent was installed and activated properly
Set up policy auto-assignment
Create an AMI or custom WorkSpace bundle based on the master
Use the AMI
Install the agent on Azure VMs
Install the agent on Google Cloud Platform VMs
Activate the agent
Deactivate the agent
Start or stop the agent
Automate
Automate using the API and SDK
API reference
API and SDK - DevOps tools for automation
Send request using the API
About resource property values
About the overrides parameter
Search for resources
API rate limits
Performance tips
Troubleshooting
API cookbook
About the API Cookbook
Set up to use Bash or PowerShell
Bash or PowerShell?
Check your environment
Check your connection to Workload Security
Check your cURL software
Check your PowerShell software
Create an API key
Test your setup
Bash
PowerShell
Final comments
Related resources
Get a List of Computers (Bash and PowerShell)
Search for a policy (Bash and PowerShell)
Before you begin
Bash
PowerShell
Notes
Related resources
Assign a policy to a computer using Bash and PowerShell
Before you begin
Bash
PowerShell
Notes
Related resources
Assign a policy to many computers (Bash and PowerShell)
Before you begin
jq for Bash
Required information
Bash
Bash script details
PowerShell
PowerShell script details
Notes
Related Resources
SDK guides
Python SDK
Prepare to use the Python SDK
Prerequisites
Download and install the Python SDK
Install a Python IDE
Windows
Linux
Add the SDK to a project in PyCharm
Next Steps
SDK version compatibility
Run the code examples
Index of code examples
Deploy Workload Security
Use the API to generate an agent deployment script
General steps
Example
Integrate Workload Security with AWS Services
Workflow pattern
Amazon GuardDuty
Amazon Macie
Amazon Inspector
AWS WAF
AWS Config
Add Computers
Add a Google Cloud Platform Connector
Submit a Synchronization Action for a GCP Connector
Control Access Using Roles
General steps
Example: Create a role
Create and manage API keys
About API Keys
Create an API Key Using Code
Obtain a role ID
Create an API key using an SDK
Create an API key using a username and password
Obtain a session cookie and a request ID
Create an API key using the session cookie and the request ID
Create an API Key using the Workload Security console
Lock out an existing API key
Manage API keys after their creation
Configure Workload Security system settings
Retrieve, modify, or reset a single system setting
Example: Modify a single system setting
List or modify multiple system settings
Example: Modify multiple system settings
Monitor Workload Security events
Configure protection
Create and configure a policy
Create a policy
Assign a policy to a computer
Configure policy and default policy settings
Default setting values and overrides
Policy setting and default policy setting classes
Retrieve the value of a policy setting or default policy setting
List all policy or default policy settings
Configure a single policy or default policy setting
Configure multiple policy and default policy settings
Reset policy overrides
Reset an ID reference
Reset a setting
Reset the status of a security module
Reset a rule
Reset all overrides of a rule
Selectively reset overrides of a rule
Configure Firewall
General steps
Example
Create a firewall rule
Limitations to modifying stateful configurations
Configure Intrusion Prevention
General steps
Example
Create an Intrusion Prevention rule
Configure Anti-Malware
General steps
Example
Create and modify malware scan configurations
General steps for creating malware scan configurations
Example malware scan configuration
Configure Web Reputation
General steps
Example
Configure Device Control
General steps
Example
Create a USB Device Exception
Configure Application Control
Configure Application Control for a policy
Allow or block unrecognized software
Create a shared ruleset
Add global rules
Configure maintenance mode during upgrades
Configure Integrity Monitoring
General steps
Example
Create an Integrity Monitoring rule
Configure Log Inspection
General steps
Example
Create a Log Inspection rule
Create a basic Log Inspection rule
Create a log inspection rule using XML
Create and modify lists
Create and configure schedules
Override policies on a computer
Discover overrides
Configure computer overrides
Configure a single computer setting
Configure settings and protection modules
Rule overrides
Maintain protection
Report on computer status
Discover unprotected computers
Find computers based on agent status
Find computers based on module status
See the state of a virtual machine
Get computer configurations
Discover the Anti-Malware configuration of a computer
Get applied intrusion prevention rules
Patch unprotected computers
Example: Find the Intrusion Prevention rule for a CVE
Example: Find computers that are not protected against a CVE
Example: Add intrusion prevention rules to computers' policies
Assign rules with recommendation scans
Determine when a recommendation scan last ran
Example: Get the date of the last recommendation scan for all computers
Apply recommendations
Maintain protection using scheduled tasks
Related classes
Create a scheduled task
Configure general properties
Create the schedule
Example: Daily schedule
Example: Monthly schedule
Configure the task
Example: Create a scheduled task
Create, run, and delete a scheduled task
Run an existing scheduled task
Settings reference
Use the legacy APIs
Provide access for legacy APIs
Transition from the SOAP API
Use the legacy REST API
Automate using the console
Schedule Workload Security to perform tasks
Automatically perform tasks when a computer is added or changed
AWS Auto Scaling and Workload Security
Preinstall the agent
Install the agent with a deployment script
Delete instances from Workload Security as a result of Auto Scaling
Azure virtual machine scale sets and Workload Security
GCP auto scaling and Workload Security
Preinstall the agent
Install the agent with a deployment script
Delete instances from Workload Security as a result of GCP MIGs
Use deployment scripts to add and protect computers
Generate a deployment script
Troubleshooting and tips
URL format for the agent download
Automatically assign policies using cloud provider tags and labels
Command-line basics
dsa_control
dsa_control options
Agent-initiated activation (dsa_control -a)
Agent-initiated heartbeat command (dsa_control -m)
Activate an agent
Windows
Linux
macOS
Force the agent to contact the manager
Windows
Linux
macOS
Initiate a manual anti-malware scan
Windows
Linux
macOS
Create a diagnostic package
Reset the agent
Windows
Linux
macOS
dsa_query
dsa_query options
Check CPU usage and RAM usage
Windows
Linux
Check that ds_agent processes or services are running
Windows
Linux
Restart an agent on Linux
dsa_scan
dsa_scan options
dsa_scan output
Scan exit codes
Success exit codes
Fatal exit codes
User Guide
Add computers
About adding computers
Add local network computers
Manually add a computer
Set up a data center gateway
Add Active Directory computers
Add a data center gateway
Add an Active Directory
Additional Active Directory options
Remove directory
Synchronize now
Server certificate usage
Keep Active Directory objects synchronized
Disable Active Directory synchronization
Remove computer groups from Active Directory synchronization
Add VMware VMs
Add a VMware vCenter to Workload Security
Add a data center gateway
Add a VMware vCenter
Protect workloads in VMware
Add virtual machines hosted on VMware vCloud
Benefits of adding a vCloud account
Proxy setting for cloud accounts
Create a VMware vCloud Organization account for Workload Security
Import computers from a VMware vCloud Organization Account
Import computers from a VMware vCloud Air data center
Remove a cloud account
Add AWS instances
About adding AWS accounts
What happens when you add an AWS account?
Benefits of adding an AWS account
Supported AWS regions
Modify your AWS security group to allow outbound traffic over port 443
Add an AWS account using the quick setup
Add an AWS account using a cross-account role
First, note the Workload Security account ID
Next, configure the manager instance role
Next, retrieve the external ID
Next, configure an IAM policy for AWS Account A
Next, create a cross-account role for AWS Account A
Next, add AWS Account A to Workload Security
Add the account through the API
Add Amazon WorkSpaces
Protect Amazon WorkSpaces if you already added your AWS account
Protect Amazon WorkSpaces if you have not yet added your AWS account
Manage an AWS account
Edit an AWS account
Remove an AWS account
Synchronize an AWS account
Manage an AWS account external ID
About the external ID
Configure the external ID
Update the external ID
Determine whether you're using a user- or manager-defined external ID
Update the external ID through the Workload Security console
Update the external ID through the Workload Security API
Retrieve the external ID
Through the 'add account' wizard
Through the Workload Security API
Disable retrieval of the external ID
Protect an account running in AWS Outposts
What does the Cloud Formation template do when I add an AWS account?
Add Azure instances
Create an Azure application for Workload Security
Assign the correct roles
Create the Azure application
Record the Azure application ID, Microsoft Entra ID, and password
Record the Subscription IDs
Assign the Azure application a role and connector
Add a Microsoft Azure account to Workload Security
Benefits of adding an Azure account
Supported Azure regions
Add virtual machines from a Microsoft Azure account to Workload Security
Manage Azure classic virtual machines with the Azure Resource Manager connector
Remove an Azure account
Synchronize an Azure account
Why should I upgrade to the new Azure Resource Manager connection?
Add GCP instances
Create a Google Cloud Platform service account
Prerequisite: Enable the Google APIs
Create a GCP service account
Add more projects to the GCP service account
Create multiple GCP service accounts
Add a Google Cloud Platform account
Benefits of adding a GCP account
Configure a proxy setting for the GCP account
Add a GCP account to Workload Security
Remove a GCP account
Synchronize a GCP account
Manually upgrade your AWS account connection
Verify the permissions associated with the AWS role
Migrate to the new cloud connector functionality
Protect Docker containers
Protect Red Hat OpenShift containers
Control CPU usage
Recommendation scans
Enhanced recommendation scan
Classic recommendation scan
Configure policies
Create policies
Create a new policy
Alternative ways to create a policy
Import policies from an XML file
Duplicate an existing policy
Use hypersensitive mode
Create a new policy based on the recommendation scan of a computer
Edit the settings for a policy or individual computer
Assign a policy to a computer
Disable automatic policy updates
Send policy changes manually
Export a policy
Policies, inheritance, and overrides
Detect and configure interfaces available on a computer
Configure a policy for multiple interfaces
Enforce interface isolation
Overview section of the Computer editor
Overview section of the policy editor
Network engine settings
User mode solution
Create a list of User Lists for use in policies
Import and export User Lists
View rules that use a User List
Define rules, lists, and other common objects used by policies
About common objects
Manage role-based access control for common objects
Configure access scope for roles
Roles' access to granted objects
Roles' use of granted objects
Roles with All access scope can import objects
Roles' permission to allow malware exclusions
Create a firewall rule
Configure intrusion prevention rules
The intrusion prevention rules list
Intrusion prevention license types
View information about intrusion prevention rules
General Information
Details
Identification (Trend Micro rules only)
View information about associated vulnerability (Trend Micro rules only)
Assign and unassign rules
Automatically assign core Endpoint & Workload rules
Automatically assign updated required rules
Configure event logging for rules
Generate alerts
Setting configuration options (Trend Micro rules only)
Schedule active times
Exclude from recommendations
Set the context for a rule
Override the behavior mode for a rule
Override rule and application type configurations
Export and import rules
Create an Integrity Monitoring rule
Add a new rule
Enter Integrity Monitoring rule information
Select a rule template and define rule attributes
Registry Value template
File template
Custom template
Configure Trend Micro Integrity Monitoring rules
Configure rule events and alerts
Real-time event monitoring
Alerts
See policies and computers to which a rule is assigned
Export a rule
Delete a rule
Define a Log Inspection rule for use in policies
Create a list of directories for use in policies
Create a list of file extensions for use in policies
Import and export file extension lists
View malware scan configurations that use a file extension list
Create a list of files for use in policies
Create a list of IP addresses for use in policies
Import and export IP lists
View rules that use an IP list
Create a list of ports for use in policies
Import and export port lists
View rules that use a port list
Create a list of MAC addresses for use in policies
Import and export MAC lists
View policies that use a MAC list
Define contexts for use in policies
Configure internet connectivity for the computer
Define a context
Define stateful firewall configurations
Add a stateful configuration
Enter stateful configuration information
Select packet inspection options
IP packet inspection
TCP packet inspection
FTP Options
UDP packet inspection
ICMP packet inspection
Export a stateful configuration
Delete a stateful configuration
View policies and computers with assigned stateful configuration
Define a schedule to apply to rules
Configure protection modules
Configure Intrusion Prevention
About Intrusion Prevention
Set up Intrusion Prevention
Enable Intrusion Prevention in Detect mode
Enable Auto Apply core Endpoint & Workload rules
Test Intrusion Prevention
Apply recommended rules
Check Intrusion Prevention events
Enable fail open for packet or system failures
Switch to Prevent mode
HTTP Protocol Decoding rule
Cross-site scripting and generic SQL injection rules
Configure intrusion prevention rules
The intrusion prevention rules list
Intrusion prevention license types
View information about intrusion prevention rules
General Information
Details
Identification (Trend Micro rules only)
View information about associated vulnerability (Trend Micro rules only)
Assign and unassign rules
Automatically assign core Endpoint & Workload rules
Automatically assign updated required rules
Configure event logging for rules
Generate alerts
Setting configuration options (Trend Micro rules only)
Schedule active times
Exclude from recommendations
Set the context for a rule
Override the behavior mode for a rule
Override rule and application type configurations
Export and import rules
Configure a SQL injection prevention rule
Application types
View a list of application types
General Information
Connection
Configuration
Options
Assigned To
Inspect TLS traffic
TLS inspection support
Manage TLS inspection support package updates
Disable TLS inspection support package updates on a single agent
Disable TLS inspection support package updates by policy
Configure anti-evasion settings
Performance tips for intrusion prevention
Configure Anti-Malware
About Anti-Malware
Set up Anti-Malware
Enable and configure Anti-Malware
Enable the Anti-Malware module
Select the types of scans to perform
Configure scan inclusions
Configure scan exclusions
Configure multiple scan list exclusions or inclusions
Ensure that Workload Security can keep up to date on the latest threats
Configure malware scans
Performance tips for Anti-Malware
Minimize disk usage
Optimize CPU usage
Enable multi-threaded processing
Optimize RAM usage
Configure Deep Security and Microsoft Defender Antivirus for Windows
Detect emerging threats with Predictive Machine Learning
Enable Predictive Machine Learning
Enhanced Anti-Malware and ransomware scanning with behavior monitoring
Enhanced scanning protection
Enable enhanced scanning
What happens when enhanced scanning finds a problem?
Smart Protection in Workload Security
Anti-Malware and Smart Protection
Benefits of Smart Scan
Enable Smart Scan
Smart Protection Server for File Reputation Service
Web Reputation and Smart Protection
Smart Feedback
Disable Smart Feedback
Handle malware
View and restore identified malware
See a list of identified files
Working with identified files
Search for an identified file
Restore identified files
Create a scan exclusion for the file
Restore the file
Create Anti-Malware exceptions
Increase debug logging for Anti-Malware in protected Linux instances
Configure Firewall
About Firewall
Set up the Workload Security firewall
Create a firewall rule
Allow trusted traffic to bypass the firewall
Firewall rule actions and priorities
Firewall rule actions
Allow rules
Bypass rules
Default Bypass rule for Workload Security traffic
Force Allow rules
Firewall rule sequence
Logging
Firewall rules working together
Rule action
Rule priority
Putting rule action and priority together
Firewall settings
General
Firewall
Firewall Stateful Configurations
Assigned Firewall Rules
Interface Isolation
Interface Patterns
Reconnaissance
Advanced
Events
Firewall Events
Define stateful firewall configurations
Add a stateful configuration
Enter stateful configuration information
Select packet inspection options
IP packet inspection
TCP packet inspection
FTP Options
UDP packet inspection
ICMP packet inspection
Export a stateful configuration
Delete a stateful configuration
View policies and computers with assigned stateful configuration
Container firewall rules
Manage Container Protection
Apply real-time scan
Apply your firewall settings
Apply your intrusion prevention settings
Configure Web Reputation
Enable the Web Reputation module
Enable the Trend Micro Toolbar
Install the toolbar for macOS
Install the toolbar for Windows
Switch between inline and tap mode
Enforce the security level
Configure the security level
Create exceptions
Create URL exceptions
Configure the Smart Protection Server
Smart Protection Server connection warning
Edit advanced settings
Blocking Page
Alert
Ports
Test Web Reputation
Configure Device Control
Configure Integrity Monitoring
About Integrity Monitoring
Set up Integrity Monitoring
Enable Integrity Monitoring
Turn on Integrity Monitoring
Run a recommendation scan
Disable real-time scanning
Apply the Integrity Monitoring rules
Build a baseline for the computer
Periodically scan for changes
Test Integrity Monitoring
Improve Integrity Monitoring scan performance
Limit resource usage
Change the content hash algorithm
Integrity Monitoring event tagging
Create an Integrity Monitoring rule
Add a new rule
Enter Integrity Monitoring rule information
Select a rule template and define rule attributes
Registry Value template
File template
Custom template
Configure Trend Micro Integrity Monitoring rules
Configure rule events and alerts
Real-time event monitoring
Alerts
See policies and computers to which a rule is assigned
Export a rule
Delete a rule
Integrity Monitoring rules language
About the Integrity Monitoring rules language
DirectorySet
FileSet
GroupSet
InstalledSoftwareSet
PortSet
ProcessSet
RegistryKeySet
RegistryValueSet
ServiceSet
UserSet
WQLSet
Configure Log Inspection
About Log Inspection
Set up Log Inspection
Turn on the log inspection module
Run a recommendation scan
Apply the recommended log inspection rules
Test Log Inspection
Configure log inspection event forwarding and storage
Define a Log Inspection rule for use in policies
Configure Application Control
About Application Control
Key software ruleset concepts
How do Application Control software rulesets work?
The Application Control interface
Application Control: Software Changes (Actions)
Application Control Software Rulesets
Security Events
Application Control Trust Entities
What does Application Control detect as a software change?
Set up Application Control
Turn on Application Control
Monitor new and changed software
Tips for handling changes
Turn on maintenance mode when making planned changes
Application Control tips and considerations
Verify that Application Control is enabled
Monitor Application Control events
Choose which Application Control events to log
View Application Control event logs
Interpret aggregated security events
Monitor Application Control alerts
View and change Application Control software rulesets
View Application Control software rulesets
Security Events
Change the action for an Application Control rule
Delete an individual Application Control rule
Delete an Application Control ruleset
Application Control Trust Entities
Trust rulesets
Create a trust ruleset
Assign or unassign a trust ruleset
To assign a trust ruleset:
To unassign a trust ruleset:
Delete a trust ruleset
Trust rules
Types of trust rules
Create a trust rule
Change trust rule properties
Delete a trust rule
Types of trust rule properties
Process Name
Paths
SHA-256
From Windows PowerShell (for source or target):
From Workload Security (for target only):
Vendor
From File Explorer:
From Workload Security:
Product Name
From file properties:
From File Explorer:
From Workload Security:
Signer Name
Issuer Common Name
Issuer Organizational Unit
Issuer Organization
Issuer Locality
Issuer State or Province
Issuer Country
Application Control event aggregation and analysis
Drift events
Trust rules for drift events
Security events
Trust rules for security events
Event analysis output
Debug trust rules
Consult metrics
View signer information
Trust rule property limitations for Linux
Reset Application Control after too much software change
Use the API to create shared and global rulesets
Create a shared ruleset
Change from shared to computer-specific allow and block rules
Configure events and alerts
Workload Security event logging
Log and event storage
Limit log file sizes
Event logging tips
Anti-Malware scan failures and cancellations
Apply tags to identify and group events
Manual tagging
Auto-tagging
Set the precedence for an auto-tagging rule
Auto-tagging log inspection events
Trusted source tagging
Local trusted computer
How does Workload Security determine whether an event on a target computer matches an event on a trusted source computer?
Tag events based on a local trusted computer
Tag events based on the Trend Micro Certified Safe Software Service
Tag events based on a trusted common baseline
Delete a tag
Reduce the number of logged events
Rank events to quantify their importance
Forward events to a Syslog or SIEM server
Forward Workload Security events to a Syslog or SIEM server
Allow event-forwarding network traffic
Define a Syslog configuration
Forward system events
Forward security events
Troubleshoot event forwarding
Failed to Send Syslog Message alert
Cannot edit Syslog configurations
Syslog not transferred due to an expired certificate
Syslog not delivered due to an expired or changed server certificate
Syslog configuration produced an invalid private key
Compatibility
Syslog message formats
Configure Red Hat Enterprise Linux to receive event logs
Set up a Syslog on Red Hat Enterprise Linux 8
Set up a Syslog on Red Hat Enterprise Linux 6 or 7
Set up a Syslog on Red Hat Enterprise Linux 5
Access events with Amazon SNS
Set up Amazon SNS
Create an AWS user
Create an Amazon SNS topic
Enable SNS
Create subscriptions
SNS configuration in JSON format
Events in JSON format
Configure alerts
View alerts in the Workload Security console
Configure alert settings
Set up email notification for alerts
Turn on or off alert emails
Configure an individual user to receive alert emails
Configure recipients for all alert emails
Generate reports about alerts and other activity
Set up a single report
Set up a scheduled report
Troubleshoot: Scheduled report sending failed
About attack reports
Lists of events and alerts
Predefined alerts
Agent events
System events
Application Control events
Anti-Malware events
Device Control events
Firewall events
Intrusion prevention events
Integrity Monitoring events
Log inspection events
Web Reputation events
Troubleshoot common events, alerts, and errors
Why am I seeing firewall events when the Firewall module is off?
Troubleshoot event ID 771 Contact by Unrecognized Client
Troubleshoot Smart Protection Server Disconnected errors
Error: Activation Failed
Error: Agent version not supported
Error: Anti-Malware Engine Offline
Agent on Windows
Agent on Linux
Warning: Anti-Malware Engine has only Basic Functions
Error: Activity Monitoring Engine Offline
Warning: Activity Monitoring Engine has only Basic Functions
Error: Device Control Engine Offline
If your agent is on Windows
Error: Check Status Failed
Error: Installation of Feature 'dpi' failed: Not available: Filter
Error: Intrusion Prevention Rule Compilation Failed
Apply Intrusion Prevention best practices
Manage rules
Unassign application types from a single port
Error: Log Inspection Rules Require Log Files
If the file location is required
If the files listed do not exist on the protected machine
Error: Module installation failed (Linux)
Error: MQTT Connection Offline
Error: There are one or more application type conflicts on this computer
Resolution
Consolidate ports
Disable the inherit option
Error: Unable to connect to the cloud account
Error: Unable to resolve instance hostname
Alert: Integrity Monitoring information collection has been delayed
Event: Max TCP connections
Warning: Census, Good File Reputation, and Predictive Machine Learning Service Disconnected
Warning: Insufficient disk space
Warning: Reconnaissance Detected
Configure proxies
Configure proxies
Proxy settings
Enable OS proxy
Enable OS proxy on the server console
Enable OS proxy from the endpoint
Configuration on agent side
Troubleshooting
Configure relays
About relays
Deploy more relays
Plan the number and location of relays
Create relay groups
Enable relays
Assign agents to a relay group
Connect agents to a relay's private IP address
Remove relay functionality from agent
Manage agents (protected computers)
Computer and agent statuses
Configure agent version control
Configure teamed NICs
Communication between Workload Security and Deep Security Agent
Heartbeat alerts
Communication directionality
Supported cipher suites for communication
Agent version 9.5 cipher suites
Agent version 9.6 cipher suites
Agent version 10.0 cipher suites
Agent version 11.0 cipher suites
Agent version 12.0 and agent version 20 cipher suites
Configure agents that have no Internet access
Activate and protect agents using agent-initiated activation and communication
Enable agent-initiated activation
Create or modify policies with agent-initiated communication enabled
Enable agent-initiated activation
Assign the policy to agents
Use a deployment script to activate the agents
Automatically upgrade agents on activation
Using the agent with iptables
Enable Managed Detection and Response
Enable or disable agent self-protection
Configure self-protection through the Workload Security console
Configure self-protection using the command line
Known issues for Linux
Troubleshooting the Linux agent
Are Offline agents still protected by Workload Security?
Automate offline computer removal with inactive agent cleanup
Enable inactive agent cleanup
Keep offline computers protected
Prevent computers from being removed
Check the audit trail for removed computers
Search system events
System event details
2953 - Inactive Agent Cleanup Completed Successfully
251 - Computer Deleted
716 - Reactivation Attempted by Unknown Agent
Agent settings
Custom network configuration
Add a custom network configuration
JSON parameter configuration examples
User mode solution
Notifier application
About the notifier
Trigger a manual scan
Windows
macOS
Implement SAML single sign-on (SSO)
About SAML single sign-on (SSO)
Configure SAML single sign-on
Prerequisites
Configure SAML in Workload Security
Import your identity provider's SAML metadata document
Create Workload Security roles for SAML users
Provide information to your identity provider administrator
Download the Workload Security service provider SAML metadata document
Send URNs and the Workload Security SAML metadata document to the identity provider administrator
SAML claims structure
Workload Security username (required)
Workload Security user role (required)
Maximum session duration (optional)
Preferred language (optional)
Test SAML single sign-on
Service and identity provider settings
Configure SAML single sign-on with Microsoft Entra ID
Roles and contacts for accounts
Define roles for users
Add contacts - users who can only receive reports
Add or edit a contact
Delete a contact
Navigate and customize the Workload Security console
Customize the dashboard
Group computers dynamically with smart folders
Customize advanced system settings
Work faster with the Notification Service
Harden Workload Security
About Workload Security hardening
Manage trusted certificates
Import trusted certificates
View trusted certificates
Remove trusted certificates
SSL implementation and credential provisioning
Protect the agent
If I have disabled the connection to the Smart Protection Network, is any other information sent to Trend Micro?
Upgrade Workload Security
About upgrades
Apply security updates
Configure the security update source
Initiate security updates
Check your security update status
View details about pattern updates
Revert, import, or view details about rule updates
Configure security updates
Enable automatic patches for rules
Enable automatic Anti-Malware engine updates
Change the alert threshold for late security updates
Disable emails for New Pattern Update alerts
Use a web server to distribute software updates
Web server requirements
Copy the folder structure
Configure agents to use the new software repository
Upgrade a relay
Upgrade a relay from Workload Security
Upgrade a relay by running the installer manually
Upgrade the agent
Before you begin
Upgrade the agent starting from an alert
Upgrade multiple agents at once
Upgrade the agent from the Computers page
Upgrade the agent on activation
Upgrade the agent from a Scheduled Task
Upgrade the agent manually
Upgrade the agent on Windows
Upgrade the agent on Linux
Upgrade the agent on Solaris
Upgrade the agent on AIX
Best practices for agent upgrade
Install Trend Vision One Endpoint Security Agent via Deep Security Agent
Install Trend Vision One Endpoint Security Agent
Schedule a task
Use Trend Vision One Endpoint Sensor
Uninstall the agent
Uninstall an agent on Windows
Uninstall an agent on Linux
Uninstall an agent on Solaris 10
Uninstall an agent on Solaris 11
Uninstall an agent on AIX
Uninstall an agent on macOS
Uninstall an agent on Red Hat OpenShift
Uninstall the notifier
Evaluate Trend Vision One
Prerequisite: Foundation Services and Endpoint Protection
Export policies and configurations
Import policies and configurations
Configure proxy settings
Deactivate the agent in Trend Cloud One - Endpoint & Workload Security
Reactivate the agent in Trend Vision One
Revert agents to Trend Cloud One - Endpoint & Workload Security
Integrations
Integrate with AWS Control Tower
Integrate with AWS Control Tower
Upgrade AWS Control Tower integration
Remove AWS Control Tower integration
Integrate with AWS Systems Manager Distributor
Create an IAM policy
Create a role and assign the policy
Create parameters
Create association
Protect your computers
Integrate with SAP NetWeaver
Integrate with Apex Central
Integrate with Trend Vision One
Integrate Workload Security with Trend Vision One
Register with Trend Vision One using the Product Instance app XDR
Register with Trend Vision One using the Product Connector app XDR
Forward security events to Trend Vision One XDR
Enable Activity Monitoring
Enable Trend Vision One SSO to Trend Cloud One
Enable single sign-on
Trend Vision One extended detection and response (XDR) file collection
Requirements
Collect objects using file collection
Trigger file collection
Create a File Collection Task
Monitor task status
Download sample file
Troubleshoot common issues
Trend Vision One settings
Security module settings for your computers
Trend Vision One extended detection and response (XDR) network isolation
Requirements
Isolate endpoints using network isolation
Trigger network isolation
Create an Isolate Endpoint Task
Monitor task status
Restore connection to an endpoint
Troubleshoot common issues
Trend Vision One settings
Security module settings for your computers
Trend Vision One extended detection and response (XDR) remote shell
Trend Vision One Threat Intelligence - User Defined Suspicious Object
Trend Vision One extended detection and response (XDR) custom script
Run a remote custom script task
Trigger a custom script using Remote Shell
Integrate with Service Gateway
Integrate Trend Vision One Service Gateway
Integrate the Service Gateway Forward Proxy
Integrate the Service Gateway ActiveUpdate service
Enable the ActiveUpdate services
Get Trend Cloud One - Endpoint & Workload Security ActiveUpdate source URL
Configure the ActiveUpdate service
Configure update source on Trend Cloud One - Endpoint & Workload Security
Integrate the Service Gateway Smart Protection service
Enable Smart Protection services
Configure local File Reputation service on Trend Cloud One - Endpoint & Workload Security Policy
Configure local Web Reputation service on Trend Cloud One - Endpoint & Workload Security Policy
Unregister Trend Cloud One - Endpoint & Workload Security from Trend Vision One
Use the Trend Vision One product connectors
Use Postman and an HTTP API
FAQs
Why does my Windows machine lose network connectivity when I enable protection?
Agent protection for Solaris zones
Can Workload Security protect AWS GovCloud or Azure Government workloads?
How the agent uses Amazon Instance Metadata Service
Why can't I add my Azure server using the Azure cloud connector?
Why can't I view all of the VMs in an Azure subscription in Workload Security?
Troubleshooting
Offline agent
Causes
Verify that the agent is running
Verify DNS
Ensure that the DNS service is reliable
Allow outbound ports (agent-initiated heartbeat)
Allow ICMP on Amazon AWS EC2 instances
Fix the upgrade issue on Solaris 11
High CPU usage
Diagnose problems with agent deployment on Windows
Anti-Malware Windows platform update failed
An incompatible Anti-Malware component from another Trend Micro product
An incompatible Anti-Malware component from a third-party product
Other/unknown Error
Security update connectivity
Network Engine Status (Windows)
Network Engine Status warnings
Verify the driver status in Windows
Disable Network Engine Status warnings
Prevent MTU-related agent communication issues across Amazon Virtual Private Clouds (VPC)
Issues adding your AWS account to Workload Security
AWS is taking longer than expected
Resource is not supported in this region
Template validation issue
Workload Security was unable to add your AWS account
Create a diagnostic package and logs
Agent diagnostics
Create an agent diagnostic package via Workload Security
Create an agent diagnostic package via CLI on a protected computer
Collect debug logs with DebugView (Windows)
Collect debug logs with DebugView (macOS)
Removal of older software versions
Troubleshoot SELinux alerts
SELinux blocks the Deep Security Agent service
Berkeley Packet Filter (BPF) operations blocked
Troubleshoot Azure Code Signing
Trust and compliance information
About compliance
Agent package integrity check
Meet PCI DSS requirements with Workload Security
GDPR
Set up AWS Config Rules
Bypass vulnerability management scan traffic in Workload Security
Create a new IP list from the vulnerability scan provider IP range or addresses
Create firewall rules for incoming and outbound scan traffic
Assign new firewall rules to a policy to bypass vulnerability scans
Use TLS 1.2 with Workload Security
TLS architecture
Enable the TLS 1.2 architecture
Next steps: deploy new agents and relays
Guidelines for using deployment scripts
Privacy and personal data collection disclosure
Release notes and scheduled maintenance
Maintenance
What's new in Workload Security?
What's new in Deep Security Agent for macOS
API changelog
Use the legacy APIs
Related information
Provide access for legacy APIs
Transition from the SOAP API
Use the legacy REST API
Tag events based on a trusted common baseline
Delete a tag
Reduce the number of logged events
Rank events to quantify their importance
Forward events to a Syslog or SIEM server
Forward Workload Security events to a Syslog or SIEM server
Allow event-forwarding network traffic
Define a Syslog configuration
Forward system events
Forward security events
Troubleshoot event forwarding
Failed to Send Syslog Message alert
Cannot edit Syslog configurations
Syslog not transferred due to an expired certificate
Syslog not delivered due to an expired or changed server certificate
Syslog configuration produced an invalid private key
Compatibility
Syslog message formats
Configure Red Hat Enterprise Linux to receive event logs
Set up a Syslog on Red Hat Enterprise Linux 8
Set up a Syslog on Red Hat Enterprise Linux 6 or 7
Set up a Syslog on Red Hat Enterprise Linux 5
Access events with Amazon SNS
Set up Amazon SNS
Create an AWS user
Create an Amazon SNS topic
Enable SNS
Create subscriptions
SNS configuration in JSON format
Events in JSON format
Configure alerts
View alerts in the Workload Security console
Configure alert settings
Set up email notification for alerts
Turn on or off alert emails
Configure an individual user to receive alert emails
Configure recipients for all alert emails
Generate reports about alerts and other activity
Set up a single report
Set up a scheduled report
Troubleshoot: Scheduled report sending failed
About attack reports
Lists of events and alerts
Predefined alerts
Agent events
System events
Application Control events
Anti-Malware events
Device Control events
Firewall events
Intrusion prevention events
Integrity Monitoring events
Log inspection events
Web Reputation events
Troubleshoot common events, alerts, and errors
Why am I seeing firewall events when the Firewall module is off?
Troubleshoot event ID 771 Contact by Unrecognized Client
Troubleshoot Smart Protection Server Disconnected errors
Error: Activation Failed
Error: Agent version not supported
Error: Anti-Malware Engine Offline
Agent on Windows
Agent on Linux
Warning: Anti-Malware Engine has only Basic Functions
Error: Activity Monitoring Engine Offline
Warning: Activity Monitoring Engine has only Basic Functions
Error: Device Control Engine Offline
If your agent is on Windows
Error: Check Status Failed
Error: Installation of Feature 'dpi' failed: Not available: Filter
Error: Intrusion Prevention Rule Compilation Failed
Apply Intrusion Prevention best practices
Manage rules
Unassign application types from a single port
Error: Log Inspection Rules Require Log Files
If the file location is required
If the files listed do not exist on the protected machine
Error: Module installation failed (Linux)
Error: MQTT Connection Offline
Error: There are one or more application type conflicts on this computer
Resolution
Consolidate ports
Disable the inherit option
Error: Unable to connect to the cloud account
Error: Unable to resolve instance hostname
Alert: Integrity Monitoring information collection has been delayed
Event: Max TCP connections
Warning: Census, Good File Reputation, and Predictive Machine Learning Service Disconnected
Warning: Insufficient disk space
Warning: Reconnaissance Detected
Configure proxies
Configure proxies
Proxy settings
Enable OS proxy
Enable OS proxy on the server console
Enable OS proxy from the endpoint
Configuration on agent side
Troubleshooting
Configure relays
About relays
Deploy more relays
Plan the number and location of relays
Create relay groups
Enable relays
Assign agents to a relay group
Connect agents to a relay's private IP address
Remove relay functionality from agent
Manage agents (protected computers)
Computer and agent statuses
Configure agent version control
Configure teamed NICs
Communication between Workload Security and Deep Security Agent
Heartbeat alerts
Communication directionality
Supported cipher suites for communication
Agent version 9.5 cipher suites
Agent version 9.6 cipher suites
Agent version 10.0 cipher suites
Agent version 11.0 cipher suites
Agent version 12.0 and agent version 20 cipher suites
Configure agents that have no Internet access
Activate and protect agents using agent-initiated activation and communication
Enable agent-initiated activation
Create or modify policies with agent-initiated communication enabled
Enable agent-initiated activation
Assign the policy to agents
Use a deployment script to activate the agents
Automatically upgrade agents on activation
Using the agent with iptables
Enable Managed Detection and Response
Enable or disable agent self-protection
Configure self-protection through the Workload Security console
Configure self-protection using the command line
Known issues for Linux
Troubleshooting the Linux agent
Are Offline agents still protected by Workload Security?
Automate offline computer removal with inactive agent cleanup
Enable inactive agent cleanup
Keep offline computers protected
Prevent computers from being removed
Check the audit trail for removed computers
Search system events
System event details
2953 - Inactive Agent Cleanup Completed Successfully
251 - Computer Deleted
716 - Reactivation Attempted by Unknown Agent
Agent settings
Custom network configuration
Add a custom network configuration
JSON parameter configuration examples
User mode solution
Notifier application
About the notifier
Trigger a manual scan
Windows
macOS
Implement SAML single sign-on (SSO)
About SAML single sign-on (SSO)
Configure SAML single sign-on
Prerequisites
Configure SAML in Workload Security
Import your identity provider's SAML metadata document
Create Workload Security roles for SAML users
Provide information to your identity provider administrator
Download the Workload Security service provider SAML metadata document
Send URNs and the Workload Security SAML metadata document to the identity provider administrator
SAML claims structure
Workload Security username (required)
Workload Security user role (required)
Maximum session duration (optional)
Preferred language (optional)
Test SAML single sign-on
Service and identity provider settings
Configure SAML single sign-on with Microsoft Entra ID
Roles and contacts for accounts
Define roles for users
Add contacts - users who can only receive reports
Add or edit a contact
Delete a contact
Navigate and customize the Workload Security console
Customize the dashboard
Group computers dynamically with smart folders
Customize advanced system settings
Work faster with the Notification Service
Harden Workload Security
About Workload Security hardening
Manage trusted certificates
Import trusted certificates
View trusted certificates
Remove trusted certificates
SSL implementation and credential provisioning
Protect the agent
If I have disabled the connection to the Smart Protection Network, is any other information sent to Trend Micro?
Upgrade Workload Security
About upgrades
Apply security updates
Configure the security update source
Initiate security updates
Check your security update status
View details about pattern updates
Revert, import, or view details about rule updates
Configure security updates
Enable automatic patches for rules
Enable automatic Anti-Malware engine updates
Change the alert threshold for late security updates
Disable emails for New Pattern Update alerts
Use a web server to distribute software updates
Web server requirements
Copy the folder structure
Configure agents to use the new software repository
Upgrade a relay
Upgrade a relay from Workload Security
Upgrade a relay by running the installer manually
Upgrade the agent
Before you begin
Upgrade the agent starting from an alert
Upgrade multiple agents at once
Upgrade the agent from the Computers page
Upgrade the agent on activation
Upgrade the agent from a Scheduled Task
Upgrade the agent manually
Upgrade the agent on Windows
Upgrade the agent on Linux
Upgrade the agent on Solaris
Upgrade the agent on AIX
Best practices for agent upgrade
Install Trend Vision One Endpoint Security Agent via Deep Security Agent
Install Trend Vision One Endpoint Security Agent
Schedule a task
Use Trend Vision One Endpoint Sensor
Uninstall the agent
Uninstall an agent on Windows
Uninstall an agent on Linux
Uninstall an agent on Solaris 10
Uninstall an agent on Solaris 11
Uninstall an agent on AIX
Uninstall an agent on macOS
Uninstall an agent on Red Hat OpenShift
Uninstall the notifier
Evaluate Trend Vision One
Prerequisite: Foundation Services and Endpoint Protection
Export policies and configurations
Import policies and configurations
Configure proxy settings
Deactivate the agent in Trend Cloud One - Endpoint & Workload Security
Reactivate the agent in Trend Vision One
Revert agents to Trend Cloud One - Endpoint & Workload Security
Integrations
Integrate with AWS Control Tower
Integrate with AWS Control Tower
Upgrade AWS Control Tower integration
Remove AWS Control Tower integration
Integrate with AWS Systems Manager Distributor
Create an IAM policy
Create a role and assign the policy
Create parameters
Create association
Protect your computers
Integrate with SAP NetWeaver
Integrate with Apex Central
Integrate with Trend Vision One
Integrate Workload Security with Trend Vision One
Register with Trend Vision One using the Product Instance app XDR
Register with Trend Vision One using the Product Connector app XDR
Forward security events to Trend Vision One XDR
Enable Activity Monitoring
Enable Trend Vision One SSO to Trend Cloud One
Enable single sign-on
Trend Vision One extended detection and response (XDR) file collection
Requirements
Collect objects using file collection
Trigger file collection
Create a File Collection Task
Monitor task status
Download sample file
Troubleshoot common issues
Trend Vision One settings
Security module settings for your computers
Trend Vision One extended detection and response (XDR) network isolation
Requirements
Isolate endpoints using network isolation
Trigger network isolation
Create an Isolate Endpoint Task
Monitor task status
Restore connection to an endpoint
Troubleshoot common issues
Trend Vision One settings
Security module settings for your computers
Trend Vision One extended detection and response (XDR) remote shell
Trend Vision One Threat Intelligence - User Defined Suspicious Object
Trend Vision One extended detection and response (XDR) custom script
Run a remote custom script task
Trigger a custom script using Remote Shell
Integrate with Service Gateway
Integrate Trend Vision One Service Gateway
Integrate the Service Gateway Forward Proxy
Integrate the Service Gateway ActiveUpdate service
Enable the ActiveUpdate services
Get Trend Cloud One - Endpoint & Workload Security ActiveUpdate source URL
Configure the ActiveUpdate service
Configure update source on Trend Cloud One - Endpoint & Workload Security
Integrate the Service Gateway Smart Protection service
Enable Smart Protection services
Configure local File Reputation service on Trend Cloud One - Endpoint & Workload Security Policy
Configure local Web Reputation service on Trend Cloud One - Endpoint & Workload Security Policy
Unregister Trend Cloud One - Endpoint & Workload Security from Trend Vision One
Use the Trend Vision One product connectors
Use Postman and an HTTP API
FAQs
Why does my Windows machine lose network connectivity when I enable protection?
Agent protection for Solaris zones
Can Workload Security protect AWS GovCloud or Azure Government workloads?
How the agent uses Amazon Instance Metadata Service
Why can't I add my Azure server using the Azure cloud connector?
Why can't I view all of the VMs in an Azure subscription in Workload Security?
Troubleshooting
Offline agent
Causes
Verify that the agent is running
Verify DNS
Ensure that the DNS service is reliable
Allow outbound ports (agent-initiated heartbeat)
Allow ICMP on Amazon AWS EC2 instances
Fix the upgrade issue on Solaris 11
High CPU usage
Diagnose problems with agent deployment on Windows
Anti-Malware Windows platform update failed
An incompatible Anti-Malware component from another Trend Micro product
An incompatible Anti-Malware component from a third-party product
Other/unknown Error
Security update connectivity
Network Engine Status (Windows)
Network Engine Status warnings
Verify the driver status in Windows
Disable Network Engine Status warnings
Prevent MTU-related agent communication issues across Amazon Virtual Private Clouds (VPC)
Issues adding your AWS account to Workload Security
AWS is taking longer than expected
Resource is not supported in this region
Template validation issue
Workload Security was unable to add your AWS account
Create a diagnostic package and logs
Agent diagnostics
Create an agent diagnostic package via Workload Security
Create an agent diagnostic package via CLI on a protected computer
Collect debug logs with DebugView (Windows)
Collect debug logs with DebugView (macOS)
Removal of older software versions
Troubleshoot SELinux alerts
SELinux blocks the Deep Security Agent service
Berkeley Packet Filter (BPF) operations blocked
Troubleshoot Azure Code Signing
Trust and compliance information
About compliance
Agent package integrity check
Meet PCI DSS requirements with Workload Security
GDPR
Set up AWS Config Rules
Bypass vulnerability management scan traffic in Workload Security
Create a new IP list from the vulnerability scan provider IP range or addresses
Create firewall rules for incoming and outbound scan traffic
Assign new firewall rules to a policy to bypass vulnerability scans
Use TLS 1.2 with Workload Security
TLS architecture
Enable the TLS 1.2 architecture
Next steps: deploy new agents and relays
Guidelines for using deployment scripts
Privacy and personal data collection disclosure
Release notes and scheduled maintenance
Maintenance
What's new in Workload Security?
What's new in Deep Security Agent for macOS
API changelog