The following table provides details on the predefined alerts.
| Alert | Default Severity | Dismissible | Description |
|---|---|---|---|
| A computer reboot is required to enable Deep Security Agent protection | Critical | Yes | The agent software upgrade was successful, but a computer reboot is required to disable Windows Defender and enable agent protection. |
| A Deep Security Relay cannot download security components | Critical | No | A relay cannot successfully download security components. This might be due to network connectivity issues or misconfiguration in Workload Security under . Check your network configurations (for example, the proxy settings of the relay group) and System Settings, then manually initiate an update on the relay using the Download Security Update option on the page. |
| Abnormal Restart Detected | Warning | Yes | An abnormal restart has been detected on the computer. This may have a variety of causes. If the agent is suspected as the root cause, then the diagnostics package (in the Support section of the Computer Details dialog) should be invoked. This alert indicates that the agent service was restarted abnormally. You can safely dismiss this alert, or, if the alert reoccurs, create a diagnostics package and open a case with Technical Support. |
| Account Balance Depleted | Critical | No | Your prepaid account balance has been depleted. You can no longer receive updates, including security updates, until your account is replenished. To ensure your security is maintained, contact your sales representative to add credit to your account. |
| Account Balance Low | Warning | No | Your prepaid account balance is running low. To ensure uninterrupted service, contact your sales representative to add more credit to your account. |
| Activation Failed | Critical | No | This may indicate a problem with the agent, but it also can occur if agent self-protection is enabled. In the Workload Security console, go to . In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override. |
| Agent configuration package too large | Warning | Yes | This is usually caused by too many firewall and intrusion prevention rules being assigned. Run a recommendation scan on the computer to determine if any rules can be safely unassigned. |
| Agent Installation Failed | Critical | Yes | The agent failed to install on one or more computers. Those computers are currently unprotected. You must reboot the computers, which will automatically restart the agent install program. This may indicate a problem with the agent, but it also can occur if agent self-protection is enabled. In the Workload Security console, go to Computer editor > Settings > General. In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override. |
| Agent/Appliance Upgrade Recommended | Warning | No | Workload Security has detected an older agent version on the computer that does not support all available features. An upgrade of the agent software is recommended. (Deprecated in DSA version 9.5) |
| Agent/Appliance Upgrade Recommended (Incompatible Security Updates) | Warning | No | Workload Security has detected a computer with a version of the agent that is not compatible with one or more security updates assigned to it. An upgrade of the agent software is recommended. |
| Agent/Appliance Upgrade Recommended (New Version Available) | Warning | No | Workload Security has detected one or more computers with a version of the agent that is older than the latest version in Workload Security. An upgrade of the agent software is recommended. |
| Agent/Appliance Upgrade Required | Warning | No | Workload Security has detected a computer with a version of the agent that is not compatible with Workload Security. An upgrade of the agent software is required. |
| An update to the Rules is available | Warning | No | Updated rules have been downloaded but not applied to your policies. To apply the rules, go to Administration > Updates > Security and in the Rule Updates column, click Apply Rules to Policies. |
| Anti-Malware Alert | Warning | Yes | A malware scan configuration that is configured for alerting has raised an event on one or more computers. |
| Anti-Malware Component Failure | Critical | Yes | An anti-malware component failed on one or more computers. See the event descriptions on the individual computers for specific details. |
| Anti-Malware Component Update Failed | Warning | No | One or more agents or relays failed to update anti-malware components. See the affected computers for more information. |
| Anti-Malware Engine Offline | Critical | No | The agent has reported that the anti-malware engine is not responding. Check the system events for the computer to determine the cause of the failure. |
| Anti-Malware module maximum disk space used to store identified files exceeded | Warning | Yes | The Anti-Malware module was unable to analyze or quarantine a file because the maximum disk space used to store identified files was reached. To change the maximum disk space for identified files setting, open the Computer or Policy editor and select the Anti-malware > Advanced tab. |
| Anti-Malware protection is absent or out of date | Warning | No | The agent on this computer has not received its initial anti-malware protection package, or its anti-malware protection is out of date. Make sure a relay is available and that the agent has been properly configured to communicate with it. To configure relays and other update options, go to Administration > System Settings > Updates. |
| APIKey Locked Out | Warning | No | API Keys can be locked out manually or by repeated failed validation attempts. |
| Application Control Engine Offline | Critical | No | The agent has reported that the Application Control engine failed to initialize. Check the system events for the computer to determine the cause of the failure. |
| Application Control Ruleset is incompatible with agent version | Critical | No | An application control ruleset could not be assigned to one or more computers because the ruleset is not supported by the installed version of the agent. Typically, the problem is that a hash-based ruleset (which is compatible only with agent version 11.0 or later) has been assigned to an earlier version agent. Agent version 10.x supports only file-based rulesets. To fix this issue, upgrade the agent to version 11.0 or later. Alternatively, if you are using local rulesets, reset application control for the agent. |
| Application Type Misconfiguration | Warning | No | Misconfiguration of application types may prevent proper security coverage. |
| Application Type Recommendation | Warning | Yes | Workload Security has determined that a computer should be assigned an application type. This could be because an agent was installed on a new computer and vulnerable applications were detected, or because a new vulnerability has been discovered in an installed application that was previously thought to be safe. To assign the application type to the computer, open the Computer Details dialog, click Intrusion Prevention Rules, and assign the application type. |
| AWS Contract License Exceeded | Critical | No | AWS Contract License expired or AWS Contract entitlements have been exceeded. |
| Azure Account Not Authorized to Read Resources Information | Critical | No | Azure Cloud Account cannot retrieve resources information from Azure API because the Azure Application is not authorized to read resources. Verify that the Reader role has been assigned to the application. |
| Azure Account Password Invalid | Critical | No | Azure Cloud Account cannot retrieve resources information from Azure API because the Azure Application password is invalid. |
| Azure Account Secret Expired | Critical | No | Azure Cloud Account cannot retrieve resources information from Azure API because the Azure Application secret key has expired. |
| Microsoft Entra ID Application Not Found | Critical | No | Azure Cloud Account cannot retrieve resources information from Azure API because the Azure Application is not found. The application possibly has been removed from Microsoft Entra ID. |
| Microsoft Entra ID Application Need Renew | Critical | No | The Microsoft Entra ID application cannot synchronize the cloud data now. It is possible that the application password has expired or the application has been deleted. Renew the application via Computers > Properties (right click on the target group) > Renew Application Now. |
| Azure Key Pair Expired | Critical | No | The key pair for Azure services has expired. You can remove this alert by updating your key pair on the Azure service's property page. |
| Azure Key Pair Expires Soon | Warning | No | The key pair for Azure services will expire soon. You can remove this alert by updating your key pair on the Azure service's property page. |
| Azure Subscription Not Found | Critical | No | Azure Cloud Account cannot retrieve resources information from Azure API because the Azure Subscription cannot be found. |
| Census, Good File Reputation, and Predictive Machine Learning Service Disconnected | Warning | Yes | Disconnected from Census, Good File Reputation, and Predictive Machine Learning Service. See the event details for possible solutions. Refer to Warning: Census, Good File Reputation, and Predictive Machine Learning Service Disconnected for troubleshooting tips. |
| Clock Change Detected | Warning | Yes | A clock change has been detected on the computer. Unexpected clock changes may indicate a problem on the computer and should be investigated before the alert is dismissed. |
| Cloud Computer Not Managed as Part of Cloud Account | Warning | Yes | An agent was activated on one or more computers belonging to a cloud account that is not synchronized with Workload Security. Click the Action to add the cloud account to Workload Security. The computers will be moved into the account and may be billed at a lower hourly rate. |
| Communications Problem Detected | Warning | Yes | A communications problem has been detected on the computer. Communications problems indicate that the computer cannot initiate communication with Workload Security because of network configuration or load reasons. Check the system events in addition to verifying communications can be established to Workload Security from the computer. The cause of the issue should be investigated before the alert is dismissed. |
| Computer Not Receiving Updates | Warning | No | These computers have stopped receiving updates. Manual intervention may be required. |
| Computer Reboot Required | Critical | Yes | The agent software upgrade was successful, but the computer must be rebooted for the installation to be completed. The computers should be manually updated before the alert is dismissed. |
| Computer Reboot Required for Activity Monitoring | Critical | No | The Activity Monitoring on Agent has reported that the computer needs to be rebooted. Check the system events for the computer to determine the reason for the reboot. |
| Computer Reboot Required for Anti-Malware Protection | Critical | No | The anti-malware protection on the agent has reported that the computer needs to be rebooted. Check the system events for the computer to determine the reason for the reboot. |
| Computer Reboot Required for Application Control Protection | Critical | No | The Application Control protection on Agent has reported that the computer needs to be rebooted. Check the system events for the computer to determine the reason for the reboot. |
| Computer Reboot Required for Integrity Monitoring Protection | Critical | No | The Integrity Monitoring protection on Agent has reported that the computer needs to be rebooted. Check the system events for the computer to determine the reason for the reboot. |
| Configuration Required | Warning | No | One or more computers are using a policy that defines multiple interface types where not all interfaces have been mapped. |
| Duplicate Computer Detected | Warning | Yes | A duplicate computer has been activated or imported. Remove the duplicate computer and reactivate the original computer if necessary. |
| Empty Relay Group Assigned | Critical | No | These computers have been assigned an empty relay group. Assign a different relay group to the computers or add relays to the empty relay groups. |
| Events Suppressed | Warning | Yes | The agent encountered an unexpectedly high volume of events. As a result, one or more events were not recorded (suppressed) to prevent a potential denial of service. Check the firewall events to determine the cause of the suppression. |
| Events Truncated | Warning | Yes | Some events were lost because the data file grew too large for the agent to store. This may have been caused by an unexpected increase in the number of events being generated, or the inability of the agent to send the data to Workload Security. For more information, see the properties of the Events Truncated system event on the computer. |
| Execution of Software Blocked | Warning | Yes | Execution of software was blocked on one or more computers. See the Application Control Events on the computers for more information. |
| Failed to Send SNSMessage | Critical | No | Workload Security was unable to forward messages to Amazon SNS. |
| Failed to Send Syslog Message | Warning | No | Workload Security was unable to forward messages to one or more Syslog Servers. |
| Files could not be scanned for malware | Warning | No | Files could not be scanned for malware because the file path exceeded the maximum file path length limit or the directory depth exceeded the maximum directory depth limit. Check the system events for the computer to determine the reason. |
| Firewall Engine Offline | Critical | No | The agent reported that the firewall engine is offline. Check the status of the engine on the agent. |
| Firewall Rule Alert | Warning | Yes | A firewall rule that is selected for alerting was encountered on one or more computers. |
| Firewall Rule Recommendation | Warning | Yes | Workload Security has determined that a computer on your network should be assigned a firewall rule. This could be because an agent was installed on a new computer and vulnerable applications were detected, or because a new vulnerability has been discovered in an installed application that was previously thought to be safe. To assign the firewall rule to the computer, open the Computer Details dialog, click on the Firewall Rules node, and assign the firewall rule. This alert is not supported for enhanced recommendation scan. |
| Incompatible Agent/Appliance Version | Error | No | Workload Security has detected a more recent agent version on the computer that is not compatible with Workload Security. |
| Insufficient Disk Space | Warning | Yes | The agent reported that it was forced to delete an old log file to free up disk space for a new log file. You need to immediately free up disk space to prevent loss of intrusion prevention, firewall and agent events. See Warning: Insufficient disk space. |
| Integrity Monitoring Engine Offline | Critical | No | The agent reported that the integrity monitoring engine is not responding. Check the system events for the computer to determine the cause of the failure. |
| Integrity Monitoring Rule Alert | Warning | Yes | An integrity monitoring rule that is selected for alerting was encountered on one or more computers. |
| Integrity Monitoring Rule Compilation Error | Critical | No | An error was encountered compiling an integrity monitoring rule on a computer. This may result in the integrity monitoring rule not operating as expected. |
| Integrity Monitoring Rule Recommendation | Warning | Yes | Workload Security has determined that a computer on your network should be assigned an integrity monitoring rule. To assign the integrity monitoring rule to the computer, open Computer Details and select . This alert is not supported for enhanced recommendation scan. |
| Integrity Monitoring Rule Requires Configuration | Warning | No | An integrity monitoring rule that requires configuration before use has been assigned to one or more computers. This rule will not be sent to the computers. Open the integrity monitoring rule properties and select the Configuration tab for more information. |
| Intrusion Prevention Engine Offline | Critical | No | The agent has reported that the intrusion prevention engine is offline. Check the status of the engine on the agent. |
| Intrusion Prevention Rule Alert | Warning | Yes | An intrusion prevention rule that is selected for alerting has been encountered on one or more computers. |
| Intrusion Prevention Rule Compilation Failed | Critical | Yes | This is usually caused by a misconfigured IPS Rule. The Rule name can be found in the Event's Properties window. To resolve this issue, identify the Rule and unassign it or contact Trend Micro Support for assistance. |
| Intrusion Prevention Rule Requires Configuration | Warning | No | An intrusion prevention rule that requires configuration before use has been assigned to one or more computers. This rule will not be sent to the computers. Open the intrusion prevention rule properties and select the Configuration tab for more information. |
| Invalid System Settings Detected | Critical | No | Workload Security detected invalid values for one or more system settings. |
| License Expired | Critical | No | Your Workload Security license has expired. You can no longer receive updates, including security updates, until your license is renewed. To ensure your security is maintained, contact your sales representative to renew your license. |
| License Expiring Soon | Warning | No | Your Workload Security license will expire soon. Contact your sales representative to renew your license. |
| Log Inspection Engine Offline | Critical | No | The agent has reported that the log inspection engine has failed to initialize. Check the system events for the computer to determine the cause of the failure. |
| Log Inspection Rule Alert | Warning | Yes | A log inspection rule that is selected for alerting has been encountered on one or more computers. |
| Log Inspection Rule Recommendation | Warning | Yes | Workload Security has determined that a computer on your network should be assigned a log inspection rule. To assign the log inspection rule to the computer, open the Computer Details dialog, click the Log Inspection > Log Inspection Rules node, and assign the log inspection rule. |
| Log Inspection Rule Requires Configuration | Warning | No | A log inspection rule that requires configuration before use has been assigned to one or more computers. This rule will not be sent to the computers. Open the Log Inspection Rule properties and select the Configuration tab for more information. This alert is not supported for enhanced recommendation scan. |
| Maintenance Mode On | Warning | No | Maintenance mode is currently active for application control on one or more computers. While this mode is active, application control continues to enforce block rules (if you selected Block unrecognized software until it is explicitly allowed), but will allow software updates, and automatically add them to the inventory part of the ruleset. When the software update is finished for each computer, disable maintenance mode so that unauthorized software is not accidentally added to the ruleset. |
| MQTT Connection Configuration Failed | Warning | No | Failed to configure agent for MQTT connection. This alert is not supported for enhanced recommendation scan. |
| MQTT Connection Offline | Warning | No | The agent is unable to connect to the MQTT endpoint. |
| Network Engine Mode Incompatibility | Warning | No | Setting Network Engine Mode to Tap is only available on agent versions 5.2 or later. Review and update the agent's configuration or upgrade the agent to resolve the incompatibility. |
| New Pattern Update is Downloaded and Available | Warning | No | New patterns are available as part of a security update. The patterns have been downloaded to Workload Security but have not yet been applied to your computers. To apply the update to your computers, go to the Administration > Updates > Security page. |
| New Rule Update is Downloaded and Available | Warning | No | New rules are available as part of a security update. The rules have been downloaded to Workload Security, but have not yet been applied to policies and sent to your computers. To apply the update and send the updated policies to your computers, go to the Administration > Updates > Security page. |
| Newer Versions of Software Available | Warning | No | New software is available. It can be downloaded from the Download Center. |
| Recommendation | Warning | Yes | Workload Security has determined that the security configuration of one of your computers should be updated. To see what changes are recommended, open the Computer editor and look through the module pages for warnings of unresolved recommendations. In the Assigned Rules area, click >Assign/Unassign to display the list of available rules and then filter them using the Show Recommended for Assignment viewing filter option. That is, select Show Recommended for Unassignment to display rules that can safely be unassigned. |
| Reconnaissance Detected: Computer OS Fingerprint Probe | Warning | Yes | The agent detected an attempt to identify the computer operating system via a fingerprint probe. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected. |
| Reconnaissance Detected: Network or Port Scan | Warning | Yes | The agent detected network activity typical of a network or port scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected. |
| Reconnaissance Detected: TCP Null Scan | Warning | Yes | The agent detected a TCP Null scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected. |
| Reconnaissance Detected: TCP SYNFIN Scan | Warning | Yes | The agent detected a TCP SYNFIN scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected. |
| Reconnaissance Detected: TCP Xmas Scan | Warning | Yes | The agent detected a TCP Xmas scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected. |
| Relay Upgrade Required For Agent Integrity Check | Warning | No | To enable Agent Integrity Check, upgrade relay. |
| SAML Identity Provider Certificate expired | Critical | No | One or more SAML Identity Provider Certificates expired. |
| SAML Identity Provider Certificate expires soon | Warning | No | One or more SAML Identity Provider Certificates expire soon. |
| SAP Virus Scan Adapter is not installed | Critical | No | The agent has reported that the SAP Virus Scan Adapter is not installed. Check the system events for the computer to determine the cause of the failure. |
| SAP Virus Scan Adapter is not up to date | Critical | No | The agent has reported that the SAP Virus Scan Adapter is not up to date. Check the system events for the computer to determine the cause of the failure. |
| SAP Virus Scan service is not working correctly | Critical | No | The SAP Virus Scan service is not functioning properly. Check the system events for the computer to determine the cause of the failure. |
| Scheduled Malware Scan Missed | Warning | No | Scheduled malware scan tasks were initiated on computers that already had pending scan tasks. This may indicate a scanning frequency that is too high. Consider reducing the scanning frequency or selecting fewer computers to scan during each scheduled scan job. |
| Send Policy Failed | Critical | No | Inability to send policy may indicate a problem with the agent. Check the affected computers. |
| Smart Protection Server Connection Failed | Warning | Yes | Failed to connect to a Smart Protection Server. This could be due to a configuration issue or due to network connectivity. |
| Software Changes Detected | Warning | No | During ongoing file system monitoring, application control detected that new software had been installed, and it did not match any configured allow or block rule. If your system administrators did not install the software, and no other users have permissions to install software, this could indicate a security compromise. If the software tries to launch, depending on your lockdown configuration at that time, it may or may not be allowed to execute. |
| Software Package Not Found | Critical | No | An Agent Software Package is required for the proper operation of one or more virtual appliance(s). Import a Red Hat Enterprise 6 (64-bit) Agent Software Package with the correct version for each Appliance. If the required version is not available then import the latest package and upgrade the appliance to match. |
| Unable to communicate | Critical | No | Workload Security has been unable to query the agent for its status within the configured period. Check your network configuration and the affected computer's connectivity. |
| Unable to Upgrade the Agent Software | Warning | Yes | Workload Security was unable to upgrade the agent software on the computer. This may indicate a problem with the agent, but it also can occur if agent self-protection is enabled. In the Workload Security console, go to Computer editor > Settings > General. In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override. |
| Unresolved software change limit reached | Critical | No | Software changes detected on the file system exceeded the maximum amount. Application control will continue to enforce existing rules, but will not record any more changes, and it will stop displaying any of that computer's software changes. You must resolve and prevent excessive software change. |
| User Locked Out | Warning | No | Users can be locked out manually, by repeated incorrect sign-in attempts, if their password expires, or if they have been imported but not yet unlocked. |
| User Password Expires Soon | Warning | No | The password expiry setting is enabled and one or more users have passwords that will expire within the next 7 days. This alert is only applicable to legacy Trend Cloud One - Endpoint & Workload Security accounts. |
| Web Reputation Event Alert | Warning | Yes | A web reputation event has been encountered on one or more computers that are selected for alerting. |
| WorkSpaces Disabled for AWS Account | Warning | Yes | An agent was activated on one or more Amazon WorkSpaces, but WorkSpaces are not enabled for your AWS account. To enable WorkSpaces, click Edit AWS Account and select Include Amazon WorkSpaces. Your WorkSpaces will be moved into the WorkSpaces folder of the AWS account and billed at a lower hourly rate, if you are using hourly billing. |