When a new Linux kernel version is released, Trend Micro releases a new kernel support package for the agent. If a computer's kernel version is not currently supported, then the Activity Monitoring engine can provide only basic protection. Normal protection resumes when the agent receives the update to support the new kernel version. To prevent this problem, verify that the new kernel version is supported before you upgrade it.
Basic functions

| Module | Category | Feature name | Supported | Comment |
|---|---|---|---|---|
| Activity Monitoring | Telemetry | File Create Event | No | No support in container |
| Activity Monitoring | Telemetry | File Open Event | No | No support in container |
| Activity Monitoring | Telemetry | Process Create Event | Yes | |
| Activity Monitoring | Telemetry | Process Terminate Event | Yes | |
| Activity Monitoring | Telemetry | DNS Query Event | No | |
| Activity Monitoring | Telemetry | Network Inbound Connection Event | Yes | |
| Activity Monitoring | Telemetry | Network Outbound Event | Yes | |
| Activity Monitoring | UDSO | Logging action for IP address, domain, file SHA-1, and file SHA-256 | No | Cannot log all DNS query events. For more information, see Suspicious Object Management. |
| Activity Monitoring | UDSO | Quarantine or block action for file SHA-1 and file SHA-256 | Yes | For more information, see Suspicious Object Management. |
| Activity Monitoring | Response | Remote Shell | Yes | |
| Activity Monitoring | Response | File Collection | Yes | |
| Activity Monitoring | Response | Custom Script | Yes | |
| Activity Monitoring | Response | Network Isolation | Yes | |
| Activity Monitoring | Response | Memory Dump | Yes | |
Reason IDs

To restore full functionality when the agent is providing only basic protection, you must resolve the cause of the warning based on the reason ID:

- Reason ID 7:
  - Find out if the latest Kernel Support Package (KSP) for that particular kernel is available.
  - File a case to request KSP support.
- Other reason ID:
  - Contact your support provider.
The reason ID is included in events forwarded to an external Syslog, SIEM server, or Amazon SNS. The event description of the Anti-Malware Engine Offline and Anti-Malware Engine with Basic Functions agent events also displays the reason ID.
| Reason ID | Event reason | Description |
|---|---|---|
| 7 | Unavailable kernel version | No driver is available for the Linux kernel version. This causes a driver offline error. |
| 8 | Failed driver loading | Loading the driver (tmhook/bmhook) into the kernel failed. This causes a driver offline error. |
| 9 | Failed driver unloading | Unloading a driver from the kernel failed. This causes a driver offline error. |
| 14 | Configuration file disable driver | The agent is set not to load the driver by the configuration INI file. This causes a driver offline state. |
| 15 | Policy disable driver | The agent is set not to load the driver by Deep Security Manager or Workload Security policy. This causes a driver offline state. |
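Because the reason ID travels with the forwarded Syslog/SIEM event, a defender can triage a fleet automatically: group hosts by the documented reason ID, keep only each host's latest engine state (so a host that later reports the engine back online is no longer flagged), and attach the remediation the list above gives (reason ID 7: check for a KSP; anything else: contact support). The script below is an added example and is not Trend Micro code. The syslog line layout, the `reason_id=` and `kernel=` fields, and the sample events are all constructed for this example; the reason IDs, event names and descriptions come from the table above. Adapt the regular expression to the fields your SIEM actually receives.

```python
"""Triage agent 'basic functions' / engine offline events by reason ID.

Added example, not Trend Micro code. The line format parsed here is an
assumption constructed for this example; real forwarded events differ.
"""
import re

# Reason IDs as documented on the page: ID -> (event reason, triage category)
REASON_IDS = {
    7: ("Unavailable kernel version", "kernel-support"),
    8: ("Failed driver loading", "driver-failure"),
    9: ("Failed driver unloading", "driver-failure"),
    14: ("Configuration file disable driver", "disabled-by-config"),
    15: ("Policy disable driver", "disabled-by-policy"),
}

# Constructed sample events; the layout is an assumption for this example.
SAMPLE_EVENTS = [
    "Jan 10 08:01:02 host-a agent: Anti-Malware Engine with Basic Functions reason_id=7 kernel=5.15.0-91-generic",
    "Jan 10 08:02:11 host-b agent: Anti-Malware Engine Offline reason_id=8 kernel=5.4.0-170-generic",
    "Jan 10 08:03:40 host-c agent: Anti-Malware Engine with Basic Functions reason_id=15 kernel=5.15.0-91-generic",
    "Jan 10 08:04:00 host-d agent: Anti-Malware Engine with Basic Functions reason_id=42 kernel=6.1.0-17-amd64",
    "Jan 10 08:05:00 host-a agent: Anti-Malware Engine Online kernel=5.15.0-91-generic",
    "Jan 10 08:06:00 host-e sshd: Accepted publickey for ops",  # unrelated line, ignored
]

# Hypothetical layout: "<ts> <host> agent: <engine event> [reason_id=N] [kernel=V]"
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) agent: "
    r"(?P<event>Anti-Malware Engine (?:Offline|with Basic Functions|Online))"
    r"(?: reason_id=(?P<reason>\d+))?(?: kernel=(?P<kernel>\S+))?$"
)


def parse_event(line):
    """Return a dict of fields for an engine state event, or None for other lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["reason"] = int(fields["reason"]) if fields["reason"] else None
    return fields


def recommended_action(reason_id):
    """Remediation per the page's reason ID list."""
    if reason_id == 7:
        return "check whether the latest KSP for this kernel is available; file a case to request KSP support"
    return "contact your support provider"


def triage(lines):
    """Return {host: latest engine state}, flagging hosts still in a degraded state."""
    state = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # not an engine state event
        host = ev["host"]
        if ev["event"].endswith("Online"):
            # Normal protection resumed; drop any earlier degraded state for this host.
            state[host] = {"degraded": False, "kernel": ev["kernel"]}
            continue
        reason = ev["reason"]
        name, category = REASON_IDS.get(reason, ("Undocumented reason ID", "unknown"))
        state[host] = {
            "degraded": True,
            "event": ev["event"],
            "reason_id": reason,
            "reason": name,
            "category": category,
            "kernel": ev["kernel"],
            "action": recommended_action(reason),
        }
    return state


def kernels_needing_ksp(state):
    """Kernel versions on degraded hosts with reason ID 7, i.e. candidates for a KSP check."""
    return sorted({s["kernel"] for s in state.values()
                   if s["degraded"] and s["category"] == "kernel-support"})


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, s in sorted(result.items()):
        if s["degraded"]:
            print(f"{host}: {s['event']} (reason {s['reason_id']}: {s['reason']}) -> {s['action']}")
        else:
            print(f"{host}: engine online on kernel {s['kernel']}")
    print("kernels to check for KSP:", kernels_needing_ksp(result))
```

Hosts whose driver is disabled by configuration (14) or policy (15) are reported in their own categories so an operator can separate deliberate settings from a kernel-support gap, while still following the page's instruction to contact support for any reason ID other than 7.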