Alert
|
Default Severity
|
Dismissible
|
Description
|
A computer reboot is required to enable Deep Security Agent
protection
|
Critical
|
Yes
|
The agent software upgrade was successful, but a computer
reboot is required to disable Windows Defender and enable agent
protection.
|
A Deep Security Relay cannot download security
components
|
Critical
|
No
|
A relay can't successfully download security components. This
might be due to network connectivity issues or misconfigurations
in Server & Workload Protection under . Check your network configurations (for example,
the proxy settings of the relay group) and System
Settings, and then manually initiate an update on the
relay using the Download Security Update option on
the page.
|
Abnormal Restart Detected
|
Warning
|
Yes
|
An abnormal restart has been detected on the computer. This
can have a variety of causes. If the agent is suspected as the
root cause, create the diagnostics package (located in the
Support section of the Computer Details dialog).
This alert indicates that the agent service was restarted
abnormally. You can safely dismiss this alert, or, if the alert
reoccurs, create a diagnostics package and open a case with
Technical Support.
|
Account Balance Depleted
|
Critical
|
No
|
Your pre-paid account balance has been depleted. You will no
longer receive updates, including security updates, until your
account is replenished. To ensure your security is maintained,
please contact your sales representative to add credit to your
account.
|
Account Balance Low
|
Warning
|
No
|
Your pre-paid account balance is running low. To ensure
uninterrupted service, please contact your sales representative
to add more credit to your account.
|
Activation Failed
|
Critical
|
No
|
This may indicate a problem with the agent, but it can also
occur if agent self-protection is enabled. In the Server & Workload Protection console, go to
Computer editor > Settings > General. In
Agent Self Protection, either deselect
Prevent local end-users from uninstalling, stopping,
or otherwise modifying the Agent or enter a password
for local override.
|
Agent configuration package too large
|
Warning
|
Yes
|
This is usually caused by too many firewall and intrusion
prevention rules being assigned. Run a recommendation scan on
the computer to determine if any rules can be safely
unassigned.
|
Agent Installation Failed
|
Critical
|
Yes
|
The agent failed to install successfully on one or more
computers. Those computers are currently unprotected. You must
reboot the computers which will automatically restart the agent
install program.
This may indicate a problem with the agent, but it can also occur
if agent self-protection is enabled. In the Server & Workload Protection console, go to
Computer editor > Settings > General. In
Agent Self Protection, either deselect
Prevent local end-users from uninstalling, stopping,
or otherwise modifying the Agent or enter a password
for local override.
|
Agent/Appliance Upgrade Recommended
|
Warning
|
No
|
Server & Workload Protection has detected an
older agent version on the computer that does not support all
available features. An upgrade of the agent software is
recommended. (Deprecated in 9.5)
|
Agent/Appliance Upgrade Recommended (Incompatible Security
Update(s))
|
Warning
|
No
|
Server & Workload Protection has detected a
computer with a version of the agent that is not compatible with
one or more security updates assigned to it. An upgrade of the
agent software is recommended.
|
Agent/Appliance Upgrade Recommended (New Version
Available)
|
Warning
|
No
|
Server & Workload Protection has detected one
or more computers with a version of the agent that is older than
the latest version in Server & Workload Protection. An upgrade of the agent software is recommended.
|
Agent/Appliance Upgrade Required
|
Warning
|
No
|
Server & Workload Protection has detected a
computer with a version of the agent that is not compatible with
Server & Workload Protection. An upgrade of
the agent software is required.
|
An update to the Rules is available
|
Warning
|
No
|
Updated rules have been downloaded but not applied to your
policies. To apply the rules, go to Administration
> Updates > Security and in the
Rule Updates column, click Apply Rules to
Policies.
|
Anti-Malware Alert
|
Warning
|
Yes
|
A malware scan configuration that is configured for alerting
has raised an event on one or more computers.
|
Anti-Malware Component Failure
|
Critical
|
Yes
|
An anti-malware component failed on one or more computers. See
the event descriptions on the individual computers for specific
details.
|
Anti-Malware Component Update Failed
|
Warning
|
No
|
One or more agents or relays failed to update anti-malware
components. See the affected computers for more
information.
|
Anti-Malware Engine Offline
|
Critical
|
No
|
The agent has reported that the anti-malware engine is not
responding. Please check the system events for the computer to
determine the cause of the failure.
|
Anti-Malware module maximum disk space used to store
identified files exceeded
|
Warning
|
Yes
|
The Anti-Malware module was unable to analyze or quarantine a
file because the maximum disk space used to store identified
files was reached. To change the maximum disk space for
identified files setting, open the computer or policy editor and
go to the Anti-malware > Advanced tab.
|
Anti-Malware protection is absent or out of date
|
Warning
|
No
|
The agent on this computer has not received its initial
anti-malware protection package, or its anti-malware protection
is out of date. Make sure a relay is available and that the
agent has been properly configured to communicate with it. To
configure relays and other update options, go to Administration
> System Settings > Updates.
|
API Key Locked Out
|
Warning
|
No
|
API Keys can be locked out manually, or by repeated failed
validation attempts.
|
Application Control Engine Offline
|
Critical
|
No
|
The agent has reported that the Application Control engine
failed to initialize. Please check the system events for the
computer to determine the cause of the failure.
|
Application Control Ruleset is incompatible with agent
version
|
Critical
|
No
|
An application control ruleset could not be assigned to one or
more computers because the ruleset is not supported by the
installed version of the agent.
Typically, the problem is that a hash-based ruleset (which is
compatible only with agent version 11.0 or newer) has been
assigned to an older agent. Agent version 10.x supports only
file-based rulesets. (For details, see Differences in how 10.x and 11.x agents compare
files.) To fix this issue, upgrade the agent to
version 11.0 or newer. Alternatively, if you are using local
rulesets, reset application control for the agent.
|
Application Type Misconfiguration
|
Warning
|
No
|
Misconfiguration of application types may prevent proper
security coverage.
|
Application Type Recommendation
|
Warning
|
Yes
|
Server & Workload Protection has determined
that a computer should be assigned an application type. This
could be because an agent was installed on a new computer and
vulnerable applications were detected, or because a new
vulnerability has been discovered in an installed application
that was previously thought to be safe. To assign the
application type to the computer, open the 'Computer Details'
dialog box, click on 'Intrusion Prevention Rules', and assign
the application type.
|
AWS Contract License Exceeded
|
Critical
|
No
|
AWS Contract License expired or AWS Contract entitlements have
been exceeded.
|
Azure Account Not Authorized to Read Resources
Information
|
Critical
|
No
|
Azure Cloud Account can't retrieve resources information from
Azure API because the Azure Application is not authorized to
read resources. Please verify that the Reader role has been
assigned to the application.
|
Azure Account Password Invalid
|
Critical
|
No
|
Azure Cloud Account can't retrieve resources information from
Azure API because the Azure Application password is
invalid.
|
Azure Account Secret Expired
|
Critical
|
No
|
Azure Cloud Account can't retrieve resources information from
Azure API because the Azure Application secret key has
expired.
|
Microsoft Entra ID Application Not Found
|
Critical
|
No
|
Azure Cloud Account can't retrieve resources information from
Azure API because the Azure Application is not found. The
application possibly has been removed from Microsoft Entra ID.
|
Microsoft Entra ID Application Need Renew
|
Critical
|
No
|
The Microsoft Entra ID application cannot currently sync the
cloud data. The application password may have expired or the
application may have been deleted. Please renew the application
via Computers > Properties (right-click the target group) > Renew
Application Now.
|
Azure Key Pair Expired
|
Critical
|
No
|
The key pair for Azure service(s) has expired. You can remove
this alert by updating your key pair on the Azure service's
property page.
|
Azure Key Pair Expires Soon
|
Warning
|
No
|
The key pair for Azure service(s) will expire soon. You can
remove this alert by updating your key pair on the Azure
service's property page.
|
Azure Subscription Not Found
|
Critical
|
No
|
Azure Cloud Account can't retrieve resources information from
Azure API because the Azure Subscription cannot be
found.
|
Census, Good File Reputation, and Predictive Machine Learning
Service Disconnected
|
Warning
|
Yes
|
Disconnected from Census, Good File Reputation, and Predictive
Machine Learning Service. Please see the event details below for
possible solutions.
Refer to Warning: Census, Good File Reputation, and Predictive
Machine Learning Service Disconnected for
troubleshooting tips.
|
Clock Change Detected
|
Warning
|
Yes
|
A clock change has been detected on the computer. Unexpected
clock changes may indicate a problem on the computer and should
be investigated before the alert is dismissed.
|
Cloud Computer Not Managed as Part of Cloud
Account
|
Warning
|
Yes
|
An agent was activated on one or more computers belonging to a
cloud account that is not synchronized with Server & Workload Protection. Click the link in
the 'Action' field above to add the cloud account to Server & Workload Protection. The computer(s)
will be moved into the account, and may be billed at a lower
hourly rate.
|
Communications Problem Detected
|
Warning
|
Yes
|
A communications problem has been detected on the computer.
Communications problems indicate that the computer cannot
initiate communication with Server & Workload Protection because of network
configuration or load reasons. Please check the system events in
addition to verifying communications can be established to Server & Workload Protection from the computer.
The cause of the issue should be investigated before the alert
is dismissed.
|
Computer Not Receiving Updates
|
Warning
|
No
|
These computer(s) have stopped receiving updates. Manual
intervention may be required.
|
Computer Reboot Required
|
Critical
|
Yes
|
The agent software upgrade was successful, but the computer
must be rebooted for the install to be completed. The
computer(s) should be manually updated before the alert is
dismissed.
|
Computer Reboot Required for Activity Monitoring
|
Critical
|
No
|
The Activity Monitoring on Agent has reported that the
computer needs to be rebooted. Please check the system events
for the computer to determine the reason for the
reboot.
|
Computer Reboot Required for Anti-Malware
Protection
|
Critical
|
No
|
The anti-malware protection on the agent has reported that the
computer needs to be rebooted. Please check the system events
for the computer to determine the reason for the
reboot.
|
Computer Reboot Required for Application Control
Protection
|
Critical
|
No
|
The Application Control protection on Agent has reported that
the computer needs to be rebooted. Please check the system
events for the computer to determine the reason for the
reboot.
|
Computer Reboot Required for Integrity Monitoring
Protection
|
Critical
|
No
|
The Integrity Monitoring protection on Agent has reported that
the computer needs to be rebooted. Please check the system
events for the computer to determine the reason for the
reboot.
|
Configuration Required
|
Warning
|
No
|
One or more computers are using a policy that defines multiple
interface types where not all interfaces have been
mapped.
|
Duplicate Computer Detected
|
Warning
|
Yes
|
A duplicate computer has been activated or imported. Please
remove the duplicate computer and reactivate the original
computer if necessary.
|
Empty Relay Group Assigned
|
Critical
|
No
|
These computers have been assigned an empty relay group.
Assign a different relay group to the computers or add relays to
the empty relay group(s).
|
Events Suppressed
|
Warning
|
Yes
|
The agent encountered an unexpectedly high volume of events.
As a result, one or more events were not recorded (suppressed)
to prevent a potential denial of service. Check the firewall
events to determine the cause of the suppression.
|
Events Truncated
|
Warning
|
Yes
|
Some events were lost because the data file grew too large for
the agent to store. This may have been caused by an unexpected
increase in the number of events being generated, or the
inability of the agent to send the data to Server & Workload Protection. For more
information, see the properties of the "Events Truncated" system
event on the computer.
|
Execution of Software Blocked
|
Warning
|
Yes
|
Execution of software was blocked on one or more computers.
See the Application Control Events on the following computers
for more information.
|
Failed to Send SNS Message
|
Critical
|
No
|
Server & Workload Protection was unable to
forward messages to Amazon SNS.
|
Failed to Send Syslog Message
|
Warning
|
No
|
Server & Workload Protection was unable to
forward messages to one or more Syslog Servers.
|
Files could not be scanned for malware
|
Warning
|
No
|
Files could not be scanned for malware because the file path
exceeded the maximum file path length limit or the directory
depth exceeded the maximum directory depth limit. Please check
the system events for the computer to determine the
reason.
|
Firewall Engine Offline
|
Critical
|
No
|
The agent has reported that the firewall engine is offline.
Please check the status of the engine on the agent.
|
Firewall Rule Alert
|
Warning
|
Yes
|
A firewall rule that is selected for alerting has been
encountered on one or more computers.
|
Firewall Rule Recommendation
|
Warning
|
Yes
|
Server & Workload Protection has determined
that a computer on your network should be assigned a firewall
rule. This could be because an agent was installed on a new
computer and vulnerable applications were detected, or because a
new vulnerability has been discovered in an installed
application that was previously thought to be safe. To assign
the firewall rule to the computer, open the 'Computer Details'
dialog box, click on the 'Firewall Rules' node, and assign the
firewall rule.
|
Incompatible Agent/Appliance Version
|
Error
|
No
|
Server & Workload Protection has detected a
more recent agent version on the computer that is not compatible
with Server & Workload Protection.
|
Insufficient Disk Space
|
Warning
|
Yes
|
The agent has reported that it was forced to delete an old log
file to free up disk space for a new log file. Please
immediately free up disk space to prevent loss of intrusion
prevention, firewall and agent events. See Warning: Insufficient disk space.
|
Integrity Monitoring Engine Offline
|
Critical
|
No
|
The agent has reported that the integrity monitoring engine is
not responding. Please check the system events for the computer
to determine the cause of the failure.
|
Integrity Monitoring Rule Alert
|
Warning
|
Yes
|
An integrity monitoring rule that is selected for alerting has
been encountered on one or more computers.
|
Integrity Monitoring Rule Compilation Error
|
Critical
|
No
|
An error was encountered compiling an integrity monitoring
rule on a computer. This may result in the integrity monitoring
rule not operating as expected.
|
Integrity Monitoring Rule Recommendation
|
Warning
|
Yes
|
Server & Workload Protection has determined
that a computer on your network should be assigned an integrity
monitoring rule. To assign the integrity monitoring rule to the
computer, open the 'Computer Details' dialog box, click on the
'Integrity Monitoring > Integrity Monitoring Rules' node, and
assign the integrity monitoring rule.
|
Integrity Monitoring Rule Requires Configuration
|
Warning
|
No
|
An integrity monitoring rule that requires configuration
before use has been assigned to one or more computers. This rule
will not be sent to the computer(s). Open the integrity
monitoring rule properties and select the Configuration tab for
more information.
|
Integrity Monitoring Trusted Platform Module Not
Enabled
|
Warning
|
Yes
|
Trusted platform module not enabled. Please ensure the
hardware is installed and the BIOS setting is
correct.
|
Integrity Monitoring Trusted Platform Module Register Value
Changed
|
Warning
|
Yes
|
Trusted platform module register value changed. If you have
not modified the ESXi hypervisor configuration this may
represent an attack.
|
Intrusion Prevention Engine Offline
|
Critical
|
No
|
The agent has reported that the intrusion prevention engine is
offline. Please check the status of the engine on the
agent.
|
Intrusion Prevention Rule Alert
|
Warning
|
Yes
|
An intrusion prevention rule that is selected for alerting has
been encountered on one or more computers.
|
Intrusion Prevention Rule Compilation Failed
|
Critical
|
Yes
|
This is usually caused by a misconfigured IPS Rule. The Rule
name can be found in the Event's Properties window. To resolve
this issue, identify the Rule and unassign it or contact Trend
Micro Support for assistance.
|
Intrusion Prevention Rule Requires Configuration
|
Warning
|
No
|
An intrusion prevention rule that requires configuration
before use has been assigned to one or more computers. This rule
will not be sent to the computer(s). Open the intrusion
prevention rule properties and select the Configuration tab for
more information.
|
Invalid System Settings Detected
|
Critical
|
No
|
Server & Workload Protection detected invalid
values for one or more system settings.
|
License Expired
|
Critical
|
No
|
Your Server & Workload Protection license has
expired. You will no longer receive updates, including security
updates, until your license is renewed. To ensure your security
is maintained, please contact your sales representative to renew
your license.
|
License Expiring Soon
|
Warning
|
No
|
Your Server & Workload Protection license will
expire soon. Please contact your sales representative to renew
your license.
|
Log Inspection Engine Offline
|
Critical
|
No
|
The agent has reported that the log inspection engine has
failed to initialize. Please check the system events for the
computer to determine the cause of the failure.
|
Log Inspection Rule Alert
|
Warning
|
Yes
|
A log inspection rule that is selected for alerting has been
encountered on one or more computers.
|
Log Inspection Rule Recommendation
|
Warning
|
Yes
|
Server & Workload Protection has determined
that a computer on your network should be assigned a log
inspection rule. To assign the log inspection rule to the
computer, open the 'Computer Details' dialog box, click on the
'Log Inspection > Log Inspection Rules' node, and assign the
log inspection rule.
|
Log Inspection Rule Requires Configuration
|
Warning
|
No
|
A log inspection rule that requires configuration before use
has been assigned to one or more computers. This rule will not
be sent to the computer(s). Open the Log Inspection Rule
properties and select the Configuration tab for more
information.
|
Maintenance Mode On
|
Warning
|
No
|
Maintenance mode is currently active for application
control on one or more computers. While this mode is active,
application control continues to enforce block rules (if you
selected Block unrecognized software until it is
explicitly allowed), but will allow software updates,
and automatically add them to the inventory part of the ruleset.
When the software update is finished for each computer, disable
maintenance mode so that unauthorized software is not
accidentally added to the ruleset.
|
MQTT Connection Configuration Failed
|
Warning
|
No
|
Failed to configure agent for MQTT connection.
|
MQTT Connection Offline
|
Warning
|
No
|
The agent is unable to connect to the MQTT endpoint.
|
Network Engine Mode Incompatibility
|
Warning
|
No
|
Setting "Network Engine Mode" to "Tap" is only available on
agent versions 5.2 or higher. Review and update the agent's
configuration or upgrade the agent to resolve the
incompatibility.
|
New Pattern Update is Downloaded and Available
|
Warning
|
No
|
New patterns are available as part of a security update. The
patterns have been downloaded to Server & Workload Protection but have not yet
been applied to your computers. To apply the update to your
computers, go to the Administration > Updates > Security
page.
|
New Rule Update is Downloaded and Available
|
Warning
|
No
|
New rules are available as part of a security update. The
rules have been downloaded to Server & Workload Protection but have not yet
been applied to policies and sent to your computers. To apply
the update and send the updated policies to your computers, go
to the Administration > Updates > Security
page.
|
Newer Versions of Software Available
|
Warning
|
No
|
New software is available. Software can be downloaded from the
Download Center.
|
Recommendation
|
Warning
|
Yes
|
Server & Workload Protection has determined
that the security configuration of one of your computers should
be updated. To see what changes are recommended, open the
Computer editor and look through the module pages for warnings
of unresolved recommendations. In the Assigned Rules area, click
Assign/Unassign to display the list of
available rules and then filter them using the "Show Recommended
for Assignment" viewing filter option. (Select "Show Recommended
for Unassignment" to display rules that can safely be
unassigned.)
|
Reconnaissance Detected: Computer OS Fingerprint
Probe
|
Warning
|
Yes
|
The agent detected an attempt to identify the computer
operating system via a "fingerprint" probe. Such activity is
often a precursor to an attack that targets specific
vulnerabilities. Check the computer's events to see the details
of the probe and see Warning: Reconnaissance Detected.
|
Reconnaissance Detected: Network or Port Scan
|
Warning
|
Yes
|
The agent detected network activity typical of a network or
port scan. Such activity is often a precursor to an attack that
targets specific vulnerabilities. Check the computer's events to
see the details of the probe and see Warning: Reconnaissance Detected.
|
Reconnaissance Detected: TCP Null Scan
|
Warning
|
Yes
|
The agent detected a TCP "Null" scan. Such activity is often a
precursor to an attack that targets specific vulnerabilities.
Check the computer's events to see the details of the probe and
see Warning: Reconnaissance Detected.
|
Reconnaissance Detected: TCP SYNFIN Scan
|
Warning
|
Yes
|
The agent detected a TCP "SYNFIN" scan. Such activity is often
a precursor to an attack that targets specific vulnerabilities.
Check the computer's events to see the details of the probe and
see Warning: Reconnaissance Detected.
|
Reconnaissance Detected: TCP Xmas Scan
|
Warning
|
Yes
|
The agent detected a TCP "Xmas" scan. Such activity is often a
precursor to an attack that targets specific vulnerabilities.
Check the computer's events to see the details of the probe and
see Warning: Reconnaissance Detected.
|
Relay Upgrade Required For Agent Integrity Check
|
Warning
|
No
|
To enable Agent Integrity Check, please upgrade
the relay.
|
SAML Identity Provider Certificate expired
|
Critical
|
No
|
One or more SAML Identity Provider Certificate(s)
expired.
|
SAML Identity Provider Certificate expires soon
|
Warning
|
No
|
One or more SAML Identity Provider Certificate(s) expire
soon.
|
SAP Virus Scan Adapter is not installed
|
Critical
|
No
|
The agent has reported that the SAP Virus Scan Adapter is
not installed. Check the system events for the computer to
determine the cause of the failure.
|
SAP Virus Scan Adapter is not up to date
|
Critical
|
No
|
The agent has reported that the SAP Virus Scan Adapter is not
up to date. Check the system events for the computer to
determine the cause of the failure.
|
Scheduled Malware Scan Missed
|
Warning
|
No
|
Scheduled malware scan tasks were initiated on computers that
already had pending scan tasks. This may indicate a scanning
frequency that is too high. Consider lowering the scanning
frequency, or selecting fewer computers to scan during each
scheduled scan job.
|
Send Policy Failed
|
Critical
|
No
|
Inability to send policy may indicate a problem with the
agent. Please check the affected computers.
|
Smart Protection Server Connection Failed
|
Warning
|
Yes
|
Failed to connect to a Smart Protection Server. This could be
due to a configuration issue, or due to network
connectivity.
|
Software Changes Detected
|
Warning
|
No
|
During ongoing file system monitoring, application control
detected that new software had been installed, and it did not
match any configured allow or block rule. If your system
administrators did not install the software, and no other users
have permissions to install software, this could indicate a
security compromise. If the software tries to launch, depending
on your lockdown configuration at that time, it may or may not
be allowed to execute.
|
Software Package Not Found
|
Critical
|
No
|
An Agent Software Package is required for the proper operation
of one or more Virtual Appliance(s). Please import a Red Hat
Enterprise 6 (64-bit) Agent Software Package with the correct
version for each Appliance. If the required version is not
available then please import the latest package and upgrade the
Appliance to match.
|
Unable to communicate
|
Critical
|
No
|
Server & Workload Protection has been unable
to query the agent for its status within the configured period.
Please check your network configuration and the affected
computer's connectivity.
|
Unable to Upgrade the Agent Software
|
Warning
|
Yes
|
Server & Workload Protection was unable to
upgrade the agent software on the computer.
This may indicate a problem with the agent, but it can also occur
if agent self-protection is enabled. In the Server & Workload Protection console, go to
Computer editor > Settings > General. In
Agent Self Protection, either deselect
Prevent local end-users from uninstalling, stopping,
or otherwise modifying the Agent or enter a password
for local override.
|
Unresolved software change limit reached
|
Critical
|
No
|
Software changes detected on the file system exceeded the
maximum amount. Application control will continue to enforce
existing rules, but will not record any more changes, and it
will stop displaying any of that computer's software changes.
You must resolve and prevent excessive software
change.
|
User Locked Out
|
Warning
|
No
|
Users can be locked out manually, by repeated incorrect
sign-in attempts, if their password expires, or if they have
been imported but not yet unlocked.
|
User Password Expires Soon
|
Warning
|
No
|
The password expiry setting is enabled and one or more users
have passwords that will expire within the next 7
days.
|
Web Reputation Event Alert
|
Warning
|
Yes
|
A web reputation event has been encountered on one or more
computers that are selected for alerting.
|
WorkSpaces Disabled for AWS Account
|
Warning
|
Yes
|
An agent was activated on one or more Amazon WorkSpaces but
WorkSpaces are not enabled for your AWS account. To enable
WorkSpaces, click 'Edit AWS Account' above, and select the
'Include Amazon WorkSpaces' check box. Your WorkSpace(s) will be
moved into the WorkSpaces folder of the AWS account, and billed
at a lower hourly rate, if you are using hourly
billing.
|