Alert
Default Severity
Dismissible
Description
A computer reboot is required to enable Deep Security Agent protection
Critical
Yes
The agent software upgrade was successful, but a computer reboot is required to disable Windows Defender and enable agent protection.
A Deep Security Relay cannot download security components
Critical
No
A relay can't successfully download security components. This might be due to network connectivity issues or misconfigurations in Server & Workload Protection under Administration > System Settings > Updates. Check your network configurations (for example, the proxy settings of the relay group) and System Settings, and then manually initiate an update on the relay using the Download Security Update option on the Administration > Updates > Software page.
Abnormal Restart Detected
Warning
Yes
An abnormal restart has been detected on the computer. This may have a variety of causes. If the agent is suspected as the root cause, create a diagnostics package (located in the Support section of the Computer Details dialog).
This alert indicates that the agent service was restarted abnormally. You can safely dismiss this alert, or, if the alert recurs, create a diagnostics package and open a case with Technical Support.
Account Balance Depleted
Critical
No
Your pre-paid account balance has been depleted. You will no longer receive updates, including security updates, until your account is replenished. To ensure your security is maintained, please contact your sales representative to add credit to your account.
Account Balance Low
Warning
No
Your pre-paid account balance is running low. To ensure uninterrupted service, please contact your sales representative to add more credit to your account.
Activation Failed
Critical
No
This may indicate a problem with the agent, but it can also occur if agent self-protection is enabled. In the Server & Workload Protection console, go to Computer editor > Settings > General. In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.
Agent configuration package too large
Warning
Yes
This is usually caused by too many firewall and intrusion prevention rules being assigned. Run a recommendation scan on the computer to determine if any rules can be safely unassigned.
Agent Installation Failed
Critical
Yes
The agent failed to install successfully on one or more computers. Those computers are currently unprotected. You must reboot the computers, which will automatically restart the agent install program.
This may indicate a problem with the agent, but it can also occur if agent self-protection is enabled. In the Server & Workload Protection console, go to Computer editor > Settings > General. In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.
Agent/Appliance Upgrade Recommended
Warning
No
Server & Workload Protection has detected an older agent version on the computer that does not support all available features. An upgrade of the agent software is recommended. (Deprecated in 9.5)
Agent/Appliance Upgrade Recommended (Incompatible Security Update(s))
Warning
No
Server & Workload Protection has detected a computer with a version of the agent that is not compatible with one or more security updates assigned to it. An upgrade of the agent software is recommended.
Agent/Appliance Upgrade Recommended (New Version Available)
Warning
No
Server & Workload Protection has detected one or more computers with a version of the agent that is older than the latest version in Server & Workload Protection. An upgrade of the agent software is recommended.
Agent/Appliance Upgrade Required
Warning
No
Server & Workload Protection has detected a computer with a version of the agent that is not compatible with Server & Workload Protection. An upgrade of the agent software is required.
An update to the Rules is available
Warning
No
Updated rules have been downloaded but not applied to your policies. To apply the rules, go to Administration > Updates > Security and in the Rule Updates column, click Apply Rules to Policies.
Anti-Malware Alert
Warning
Yes
A malware scan configuration that is configured for alerting has raised an event on one or more computers.
Anti-Malware Component Failure
Critical
Yes
An anti-malware component failed on one or more computers. See the event descriptions on the individual computers for specific details.
Anti-Malware Component Update Failed
Warning
No
One or more agents or relays failed to update anti-malware components. See the affected computers for more information.
Anti-Malware Engine Offline
Critical
No
The agent has reported that the anti-malware engine is not responding. Please check the system events for the computer to determine the cause of the failure.
Anti-Malware module maximum disk space used to store identified files exceeded
Warning
Yes
The Anti-Malware module was unable to analyze or quarantine a file because the maximum disk space used to store identified files was reached. To change the maximum disk space for identified files setting, open the computer or policy editor and go to the Anti-malware > Advanced tab.
Anti-Malware protection is absent or out of date
Warning
No
The agent on this computer has not received its initial anti-malware protection package, or its anti-malware protection is out of date. Make sure a relay is available and that the agent has been properly configured to communicate with it. To configure relays and other update options, go to Administration > System Settings > Updates.
API Key Locked Out
Warning
No
API Keys can be locked out manually, or by repeated failed validation attempts.
Application Control Engine Offline
Critical
No
The agent has reported that the Application Control engine failed to initialize. Please check the system events for the computer to determine the cause of the failure.
Application Control Ruleset is incompatible with agent version
Critical
No
An application control ruleset could not be assigned to one or more computers because the ruleset is not supported by the installed version of the agent. Typically, the problem is that a hash-based ruleset (which is compatible only with agent version 11.0 or newer) has been assigned to an older agent. Agent version 10.x supports only file-based rulesets. (For details, see Differences in how 10.x and 11.x agents compare files.) To fix this issue, upgrade the agent to version 11.0 or newer. Alternatively, if you are using local rulesets, reset application control for the agent.
Application Type Misconfiguration
Warning
No
Misconfiguration of application types may prevent proper security coverage.
Application Type Recommendation
Warning
Yes
Server & Workload Protection has determined that a computer should be assigned an application type. This could be because an agent was installed on a new computer and vulnerable applications were detected, or because a new vulnerability has been discovered in an installed application that was previously thought to be safe. To assign the application type to the computer, open the 'Computer Details' dialog box, click on 'Intrusion Prevention Rules', and assign the application type.
AWS Contract License Exceeded
Critical
No
AWS Contract License expired or AWS Contract entitlements have been exceeded.
Azure Account Not Authorized to Read Resources Information
Critical
No
Azure Cloud Account can't retrieve resources information from Azure API because the Azure Application is not authorized to read resources. Please verify that the Reader role has been assigned to the application.
Azure Account Password Invalid
Critical
No
Azure Cloud Account can't retrieve resources information from Azure API because the Azure Application password is invalid.
Azure Account Secret Expired
Critical
No
Azure Cloud Account can't retrieve resources information from Azure API because the Azure Application secret key has expired.
Microsoft Entra ID Application Not Found
Critical
No
Azure Cloud Account can't retrieve resources information from Azure API because the Azure Application is not found. The application may have been removed from Microsoft Entra ID.
Microsoft Entra ID Application Need Renew
Critical
No
The Microsoft Entra ID application cannot currently sync the cloud data. The application password may have expired, or the application may have been deleted. Renew the application via Computers > Properties (right-click the target group) > Renew Application Now.
Azure Key Pair Expired
Critical
No
The key pair for Azure service(s) has expired. You can remove this alert by updating your key pair on the Azure service's property page.
Azure Key Pair Expires Soon
Warning
No
The key pair for Azure service(s) will expire soon. You can remove this alert by updating your key pair on the Azure service's property page.
Azure Subscription Not Found
Critical
No
Azure Cloud Account can't retrieve resources information from Azure API because the Azure Subscription cannot be found.
Census, Good File Reputation, and Predictive Machine Learning Service Disconnected
Warning
Yes
Disconnected from Census, Good File Reputation, and Predictive Machine Learning Service. Please see the event details below for possible solutions.
Clock Change Detected
Warning
Yes
A clock change has been detected on the computer. Unexpected clock changes may indicate a problem on the computer and should be investigated before the alert is dismissed.
Cloud Computer Not Managed as Part of Cloud Account
Warning
Yes
An agent was activated on one or more computers belonging to a cloud account that is not synchronized with Server & Workload Protection. Click the link in the 'Action' field above to add the cloud account to Server & Workload Protection. The computer(s) will be moved into the account, and may be billed at a lower hourly rate.
Communications Problem Detected
Warning
Yes
A communications problem has been detected on the computer. Communications problems indicate that the computer cannot initiate communication with Server & Workload Protection because of network configuration or load reasons. Please check the system events in addition to verifying communications can be established to Server & Workload Protection from the computer. The cause of the issue should be investigated before the alert is dismissed.
Computer Not Receiving Updates
Warning
No
These computer(s) have stopped receiving updates. Manual intervention may be required.
Computer Reboot Required
Critical
Yes
The agent software upgrade was successful, but the computer must be rebooted for the install to be completed. The computer(s) should be manually updated before the alert is dismissed.
Computer Reboot Required for Activity Monitoring
Critical
No
Activity Monitoring on the agent has reported that the computer needs to be rebooted. Please check the system events for the computer to determine the reason for the reboot.
Computer Reboot Required for Anti-Malware Protection
Critical
No
The anti-malware protection on the agent has reported that the computer needs to be rebooted. Please check the system events for the computer to determine the reason for the reboot.
Computer Reboot Required for Application Control Protection
Critical
No
The Application Control protection on the agent has reported that the computer needs to be rebooted. Please check the system events for the computer to determine the reason for the reboot.
Computer Reboot Required for Integrity Monitoring Protection
Critical
No
The Integrity Monitoring protection on the agent has reported that the computer needs to be rebooted. Please check the system events for the computer to determine the reason for the reboot.
Configuration Required
Warning
No
One or more computers are using a policy that defines multiple interface types where not all interfaces have been mapped.
Duplicate Computer Detected
Warning
Yes
A duplicate computer has been activated or imported. Please remove the duplicate computer and reactivate the original computer if necessary.
Empty Relay Group Assigned
Critical
No
These computers have been assigned an empty relay group. Assign a different relay group to the computers or add relays to the empty relay group(s).
Events Suppressed
Warning
Yes
The agent encountered an unexpectedly high volume of events. As a result, one or more events were not recorded (suppressed) to prevent a potential denial of service. Check the firewall events to determine the cause of the suppression.
Events Truncated
Warning
Yes
Some events were lost because the data file grew too large for the agent to store. This may have been caused by an unexpected increase in the number of events being generated, or the inability of the agent to send the data to Server & Workload Protection. For more information, see the properties of the "Events Truncated" system event on the computer.
Execution of Software Blocked
Warning
Yes
Execution of software was blocked on one or more computers. See the Application Control Events on the following computers for more information.
Failed to Send SNS Message
Critical
No
Server & Workload Protection was unable to forward messages to Amazon SNS.
Failed to Send Syslog Message
Warning
No
Server & Workload Protection was unable to forward messages to one or more Syslog Servers.
Files could not be scanned for malware
Warning
No
Files could not be scanned for malware because the file path exceeded the maximum file path length limit or the directory depth exceeded the maximum directory depth limit. Please check the system events for the computer to determine the reason.
Firewall Engine Offline
Critical
No
The agent has reported that the firewall engine is offline. Please check the status of the engine on the agent.
Firewall Rule Alert
Warning
Yes
A firewall rule that is selected for alerting has been encountered on one or more computers.
Firewall Rule Recommendation
Warning
Yes
Server & Workload Protection has determined that a computer on your network should be assigned a firewall rule. This could be because an agent was installed on a new computer and vulnerable applications were detected, or because a new vulnerability has been discovered in an installed application that was previously thought to be safe. To assign the firewall rule to the computer, open the 'Computer Details' dialog box, click on the 'Firewall Rules' node, and assign the firewall rule.
Incompatible Agent/Appliance Version
Error
No
Server & Workload Protection has detected a more recent agent version on the computer that is not compatible with Server & Workload Protection.
Insufficient Disk Space
Warning
Yes
The agent has reported that it was forced to delete an old log file to free up disk space for a new log file. Please immediately free up disk space to prevent loss of intrusion prevention, firewall and agent events. See Warning: Insufficient disk space.
Integrity Monitoring Engine Offline
Critical
No
The agent has reported that the integrity monitoring engine is not responding. Please check the system events for the computer to determine the cause of the failure.
Integrity Monitoring Rule Alert
Warning
Yes
An integrity monitoring rule that is selected for alerting has been encountered on one or more computers.
Integrity Monitoring Rule Compilation Error
Critical
No
An error was encountered compiling an integrity monitoring rule on a computer. This may result in the integrity monitoring rule not operating as expected.
Integrity Monitoring Rule Recommendation
Warning
Yes
Server & Workload Protection has determined that a computer on your network should be assigned an integrity monitoring rule. To assign the integrity monitoring rule to the computer, open the 'Computer Details' dialog box, click on the 'Integrity Monitoring > Integrity Monitoring Rules' node, and assign the integrity monitoring rule.
Integrity Monitoring Rule Requires Configuration
Warning
No
An integrity monitoring rule that requires configuration before use has been assigned to one or more computers. This rule will not be sent to the computer(s). Open the integrity monitoring rule properties and select the Configuration tab for more information.
Integrity Monitoring Trusted Platform Module Not Enabled
Warning
Yes
Trusted platform module not enabled. Please ensure the hardware is installed and the BIOS setting is correct.
Integrity Monitoring Trusted Platform Module Register Value Changed
Warning
Yes
Trusted platform module register value changed. If you have not modified the ESXi hypervisor configuration, this may represent an attack.
Intrusion Prevention Engine Offline
Critical
No
The agent has reported that the intrusion prevention engine is offline. Please check the status of the engine on the agent.
Intrusion Prevention Rule Alert
Warning
Yes
An intrusion prevention rule that is selected for alerting has been encountered on one or more computers.
Intrusion Prevention Rule Compilation Failed
Critical
Yes
This is usually caused by a misconfigured IPS Rule. The Rule name can be found in the Event's Properties window. To resolve this issue, identify the Rule and unassign it or contact Trend Micro Support for assistance.
Intrusion Prevention Rule Requires Configuration
Warning
No
An intrusion prevention rule that requires configuration before use has been assigned to one or more computers. This rule will not be sent to the computer(s). Open the intrusion prevention rule properties and select the Configuration tab for more information.
Invalid System Settings Detected
Critical
No
Server & Workload Protection detected invalid values for one or more system settings.
License Expired
Critical
No
Your Server & Workload Protection license has expired. You will no longer receive updates, including security updates, until your license is renewed. To ensure your security is maintained, please contact your sales representative to renew your license.
License Expiring Soon
Warning
No
Your Server & Workload Protection license will expire soon. Please contact your sales representative to renew your license.
Log Inspection Engine Offline
Critical
No
The agent has reported that the log inspection engine has failed to initialize. Please check the system events for the computer to determine the cause of the failure.
Log Inspection Rule Alert
Warning
Yes
A log inspection rule that is selected for alerting has been encountered on one or more computers.
Log Inspection Rule Recommendation
Warning
Yes
Server & Workload Protection has determined that a computer on your network should be assigned a log inspection rule. To assign the log inspection rule to the computer, open the 'Computer Details' dialog box, click on the 'Log Inspection > Log Inspection Rules' node, and assign the log inspection rule.
Log Inspection Rule Requires Configuration
Warning
No
A log inspection rule that requires configuration before use has been assigned to one or more computers. This rule will not be sent to the computer(s). Open the Log Inspection Rule properties and select the Configuration tab for more information.
Maintenance Mode On
Warning
No
Maintenance mode is currently active for application control on one or more computers. While this mode is active, application control continues to enforce block rules (if you selected Block unrecognized software until it is explicitly allowed), but will allow software updates, and automatically add them to the inventory part of the ruleset. When the software update is finished for each computer, disable maintenance mode so that unauthorized software is not accidentally added to the ruleset.
MQTT Connection Configuration Failed
Warning
No
Failed to configure agent for MQTT connection.
MQTT Connection Offline
Warning
No
The agent is unable to connect to the MQTT endpoint.
Network Engine Mode Incompatibility
Warning
No
Setting "Network Engine Mode" to "Tap" is only available on agent versions 5.2 or higher. Review and update the agent's configuration or upgrade the agent to resolve the incompatibility.
New Pattern Update is Downloaded and Available
Warning
No
New patterns are available as part of a security update. The patterns have been downloaded to Server & Workload Protection but have not yet been applied to your computers. To apply the update to your computers, go to the Administration > Updates > Security page.
New Rule Update is Downloaded and Available
Warning
No
New rules are available as part of a security update. The rules have been downloaded to Server & Workload Protection but have not yet been applied to policies and sent to your computers. To apply the update and send the updated policies to your computers, go to the Administration > Updates > Security page.
Newer Versions of Software Available
Warning
No
New software is available. Software can be downloaded from the Download Center.
Recommendation
Warning
Yes
Server & Workload Protection has determined that the security configuration of one of your computers should be updated. To see what changes are recommended, open the Computer editor and look through the module pages for warnings of unresolved recommendations. In the Assigned Rules area, click Assign/Unassign to display the list of available rules and then filter them using the "Show Recommended for Assignment" viewing filter option. (Select "Show Recommended for Unassignment" to display rules that can safely be unassigned.)
Reconnaissance Detected: Computer OS Fingerprint Probe
Warning
Yes
The agent detected an attempt to identify the computer operating system via a "fingerprint" probe. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
Reconnaissance Detected: Network or Port Scan
Warning
Yes
The agent detected network activity typical of a network or port scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
Reconnaissance Detected: TCP Null Scan
Warning
Yes
The agent detected a TCP "Null" scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
Reconnaissance Detected: TCP SYNFIN Scan
Warning
Yes
The agent detected a TCP "SYNFIN" scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
Reconnaissance Detected: TCP Xmas Scan
Warning
Yes
The agent detected a TCP "Xmas" scan. Such activity is often a precursor to an attack that targets specific vulnerabilities. Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
Relay Upgrade Required For Agent Integrity Check
Warning
No
To enable Agent Integrity Check, please upgrade relay.
SAML Identity Provider Certificate expired
Critical
No
One or more SAML Identity Provider Certificate(s) expired.
SAML Identity Provider Certificate expires soon
Warning
No
One or more SAML Identity Provider Certificate(s) expire soon.
SAP Virus Scan Adapter is not installed
Critical
No
The agent has reported that the SAP Virus Scan Adapter is not installed. Check the system events for the computer to determine the cause of the failure.
SAP Virus Scan Adapter is not up to date
Critical
No
The agent has reported that the SAP Virus Scan Adapter is not up to date. Check the system events for the computer to determine the cause of the failure.
Scheduled Malware Scan Missed
Warning
No
Scheduled malware scan tasks were initiated on computers that already had pending scan tasks. This may indicate a scanning frequency that is too high. Consider lowering the scanning frequency, or selecting fewer computers to scan during each scheduled scan job.
Send Policy Failed
Critical
No
Inability to send policy may indicate a problem with the agent. Please check the affected computers.
Smart Protection Server Connection Failed
Warning
Yes
Failed to connect to a Smart Protection Server. This could be due to a configuration issue, or due to network connectivity.
Software Changes Detected
Warning
No
During ongoing file system monitoring, application control detected that new software had been installed, and it did not match any configured allow or block rule. If your system administrators did not install the software, and no other users have permissions to install software, this could indicate a security compromise. If the software tries to launch, depending on your lockdown configuration at that time, it may or may not be allowed to execute.
Software Package Not Found
Critical
No
An Agent Software Package is required for the proper operation of one or more Virtual Appliance(s). Please import a Red Hat Enterprise 6 (64-bit) Agent Software Package with the correct version for each Appliance. If the required version is not available then please import the latest package and upgrade the Appliance to match.
Unable to communicate
Critical
No
Server & Workload Protection has been unable to query the agent for its status within the configured period. Please check your network configuration and the affected computer's connectivity.
Unable to Upgrade the Agent Software
Warning
Yes
Server & Workload Protection was unable to upgrade the agent software on the computer.
This may indicate a problem with the agent, but it can also occur if agent self-protection is enabled. In the Server & Workload Protection console, go to Computer editor > Settings > General. In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.
Unresolved software change limit reached
Critical
No
Software changes detected on the file system exceeded the maximum amount. Application control will continue to enforce existing rules, but will not record any more changes, and it will stop displaying any of that computer's software changes. You must resolve and prevent excessive software change.
User Locked Out
Warning
No
Users can be locked out manually, by repeated incorrect sign-in attempts, if their password expires, or if they have been imported but not yet unlocked.
User Password Expires Soon
Warning
No
The password expiry setting is enabled and one or more users have passwords that will expire within the next 7 days.
Web Reputation Event Alert
Warning
Yes
A web reputation event has been encountered on one or more computers that are selected for alerting.
WorkSpaces Disabled for AWS Account
Warning
Yes
An agent was activated on one or more Amazon WorkSpaces but WorkSpaces are not enabled for your AWS account. To enable WorkSpaces, click 'Edit AWS Account' above, and select the 'Include Amazon WorkSpaces' check box. Your WorkSpace(s) will be moved into the WorkSpaces folder of the AWS account, and billed at a lower hourly rate, if you are using hourly billing.