Dynamic software updates on a server can cause thousands of drift events (Action page) and security events (Application Control Events page). This presents a challenge in the use of Application Control, as it is difficult to know what to approve after the fact. To mitigate the situation while using Deep Security Agent 20.0.0.5761 or later, you can create trust rules that allow you to see only atypical drift and security events. This also allows you to put your server in lockdown to prevent any unauthorized software from being executed.
Drift events are aggregated based on the process name and target path. Security events are aggregated based on the SHA256 hash and target path. For example, if the same process creates 10,000 drift items at the same path, the drift would be aggregated to a single trust rule with the processName and paths attributes.

When diagnostics are requested for the agent, the aggregated drift events and security events are stored in a trust rule format in a JSON file and included in the diagnostics. The Trust Rule editor can then use the JSON file to add the trust rules for the server.
Drift events
A drift event in the JSON format has the following attributes:
{
"time":1615999592250,
"eventType":"ApplicationControl",
"uid":1063,
"gid":1064,
"operationType":"create",
"user":"ribapp",
"group":"ribapp",
"md5":"57579EF7681147B84774F69F44783A67",
"sha256":"90B0418DCB3B29440EE6F69FEE05BD54265CEE3BCFABDA8ED355E257FECC2939",
"processName":"/opt/IBM/WebSphere/AppServer/java/jre/bin/java",
"type":4,
"rdev":0,
"lastModificationTime":1615999090000,
"mode":33188,
"size":3984617,
"sha1":"B226BDB9DB39AD38C4BEB6FE4F1C1C7151207848",
"nlink":1,
"procUser":"ribapp",
"isAuthorized":1,
"pid":10223,
"fileExtension":"jar",
"operationDate":1615999591534,
"procUid":1063,
"procGroup":"ribapp",
"path":"/opt/IBM/WebSphere/AppServer/profiles/devmiesAppSrv/installedApps/devdmrhx01-cell02/IESHSRIDEVM.ear/",
"fileName":"DC.jar",
"recordTime":1615999592215,
"fileSystemType":"ext4",
"procGid":1063,
"dev":64775,
"source":4,
"ino":3801778
}
- processName is the name of the process that created or updated the target file. In the preceding example, it is set to /opt/IBM/WebSphere/AppServer/java/jre/bin/java.
- path is the location in which the process updated or created the executable file. In the preceding example, it is set to /opt/IBM/WebSphere/AppServer/profiles/devmiesAppSrv/installedApps/devdmrhx01-cell02/IESHSRIDEVM.ear/.
Trust rules for drift events
You can create a trust rule to auto-authorize the drift for an event. A trusted updater can be defined by setting trustType to 1 for this rule; you are then trusting the process to create software in any path listed in paths:
"trustrules": [{
"trustType":"1",
"processName":"/opt/IBM/WebSphere/AppServer/java/jre/bin/java",
"paths":"/opt/IBM/WebSphere/AppServer/profiles/devmiesAppSrv/installedApps/devdmrhx01-cell02/IESHSRIDEVM.ear/"
}]
Processing drift events to create trust rules can be a many-to-one operation. For example, if the process named /opt/IBM/WebSphere/AppServer/java/jre/bin/java creates thousands of JAR files in path /opt/IBM/WebSphere/AppServer/profiles/devmiesAppSrv/installedApps/devdmrhx01-cell02/IESHSRIDEVM.ear/, the preceding trust rule will eliminate drift for all of these JAR files, which makes trust rules efficient at aggregating the drift.

A trust rule consists of an array of rules, with one unique process per rule. Each trust rule can have multiple paths defined in its paths attribute. For example, if a process named process1 has created drift at three distinct locations path1, path2, and path3, one trust rule can capture all drift created by process1 at all of these locations:
"trustrules": [{
"trustType":"1",
"processName":"process1",
"paths":"path1;path2;path3"
}]
There is an additional attribute called hitcount, which is a process hit count. You can use this attribute to determine how many times a specific trust rule has been hit.

There is also an extension hit count: extensions are tracked by incrementing a counter each time the process updates a file with a particular extension:
"trustrules": [{
"trustType":"1",
"processName":"process1",
"paths":"path1;path2;path3",
"hitcount":12342,
".jar":1234,
".py":323,
".":456
}]
The preceding example shows a process that has updated JAR files 1234 times, .py files 323 times, and files with no extension 456 times.
Security events
A security event in the JSON format has the following attributes:
{
"time":1492100772165,
"eventType":"ApplicationControl",
"sha1":"066A02D230F3B16439396B049DC912DB376B96CE",
"fileName":"svchost.exe",
"operationType":"detectOnly",
"blockReason":2,
"size":311544,
"sha256":"62EFB22F6853D73374761A0B8ED2CE40BF09AA401EC7D4AAAA0CE4D5C3380EEA",
"type":1,
"path":"C:\\Windows\\System32\\",
"pid":1832,
"operationDate":1492100772149,
"processName":"\\device\\harddiskvolume2\\windows\\system32\\cmd.exe",
"md5":"5F7B8544F7A20800069107FC93384F0E"
},
{
"time":1492100772165,
"eventType":"ApplicationControl",
"blockReason":2,
"sha256":"62EFB22F6853D73374761A0B8ED2CE40BF09AA401EC7D4AAAA0CE4D5C3380EEA",
"size":311544,
"processName":"\\device\\harddiskvolume2\\windows\\system32\\cmd.exe",
"sha1":"066A02D230F3B16439396B049DC912DB376B96CE",
"operationType":"detectOnly",
"pid":1832,
"md5":"5F7B8544F7A20800069107FC93384F0E",
"path":"C:\\Program Files\\Trend Micro\\Deep Security Agent\\",
"operationDate":149210077
}
In the preceding example, sha256 is set to 62EFB22F6853D73374761A0B8ED2CE40BF09AA401EC7D4AAAA0CE4D5C3380EEA and path is set to C:\Windows\System32\.
Trust rules for security events
You can create a trust rule to auto-authorize the drift for a security event. A trusted target can be defined by setting trustType to 2 for this rule, based on the SHA256 hash, in any path listed in paths:
"trustrules": [{
"trustType":"2",
"sha256":"62EFB22F6853D73374761A0B8ED2CE40BF09AA401EC7D4AAAA0CE4D5C3380EEA",
"paths":"C:\\Windows\\System32\\"
}]
Processing security events to create trust rules is a complex operation. A trust rule consists of an array of rules with one unique SHA256 per rule. Each trust rule can have multiple paths defined in its paths attribute. For example, if a file is executed with a SHA256 content hash AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDD from distinct locations path1, path2, and path3, one trust rule can represent this as follows:
"trustrules": [{
"trustType":"2",
"sha256":"AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDD",
"paths":"path1;path2;path3"
}]
There is an additional attribute called hitcount, which is a SHA256 hit count. You can use this attribute to determine how many times a specific trust rule has been hit.

There is also a file name hit count: files with different names can have the same SHA256 content hash. You can use this attribute to count the number of times a file with a specific name has been used to execute the same SHA256.

Since processes with different names can execute the same target with the same SHA256 content hash, you can also count the number of times that the process name was used to execute the same SHA256.

In the following example, SHA256 AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEE has been executed 12342 times; filename1 has been used 2342 times and filename2 has been used 10000 times (both file names have the same content hash); process name /opt/process1 was used to execute the target 12000 times and /opt/process2 was used to execute the target 342 times:
"trustrules": [{
"trustType":"2",
"sha256":"AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEE",
"paths":"path1;path2;path3",
"hitcount":12342,
"filename1":2342,
"filename2":10000,
"/opt/process1":12000,
"/opt/process2":342
}]
Note that a process is represented with a full path, while the file name is included as a path relative to one of the paths.
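The aggregation that the drift event section and this security event section describe, written out as an added Python example (this is not Deep Security code; the agent's own implementation is not shown on this page). It groups constructed drift events by processName into trust type 1 rules with per-extension counts, and constructed security events by sha256 into trust type 2 rules with per-file-name and per-process-name counts, joining distinct paths with ';' as the examples above do. The sample events, including the hash strings, are constructed; the RESERVED_KEYS guard is an assumption added because the flat format leaves no room for a file literally named hitcount.

```python
import json
import os

# Keys the trust rule format itself uses; a file or process whose name collides
# with one of these cannot be counted in the flat format this page describes.
RESERVED_KEYS = {"trustType", "processName", "sha256", "paths", "hitcount"}

# Constructed sample drift events (same fields as the drift event shown on this
# page, reduced to those the aggregation needs).
EAR_PATH = ("/opt/IBM/WebSphere/AppServer/profiles/devmiesAppSrv/installedApps/"
            "devdmrhx01-cell02/IESHSRIDEVM.ear/")
BIN_PATH = "/opt/IBM/WebSphere/AppServer/profiles/devmiesAppSrv/bin/"
JAVA = "/opt/IBM/WebSphere/AppServer/java/jre/bin/java"
DRIFT_EVENTS = [
    {"processName": JAVA, "path": EAR_PATH, "fileName": "DC.jar", "fileExtension": "jar"},
    {"processName": JAVA, "path": EAR_PATH, "fileName": "Util.jar", "fileExtension": "jar"},
    {"processName": JAVA, "path": BIN_PATH, "fileName": "startServer"},  # no extension
    {"processName": "/usr/bin/python3", "path": "/opt/app/", "fileName": "setup.py"},
]

# Constructed sample security events (placeholder hash values, not real file hashes).
SHA_A = "AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEE"
SHA_B = "EEEEEEEEEDDDDDDDDDCCCCCCCCBBBBBBBBAAAAAAAA"
SECURITY_EVENTS = [
    {"sha256": SHA_A, "path": "path1", "fileName": "filename1", "processName": "/opt/process1"},
    {"sha256": SHA_A, "path": "path2", "fileName": "filename2", "processName": "/opt/process1"},
    {"sha256": SHA_A, "path": "path2", "fileName": "filename2", "processName": "/opt/process2"},
    {"sha256": SHA_B, "path": "path3", "processName": "/opt/process1"},  # fileName absent
]


def _new_rule(trust_type, key_name, key_value):
    return {"trustType": trust_type, key_name: key_value, "paths": [], "hitcount": 0}


def _count(rule, key):
    """Increment a per-name counter (extension, file name or process name) on a rule."""
    if key in RESERVED_KEYS:
        return  # cannot be represented without clobbering a structural attribute
    rule[key] = rule.get(key, 0) + 1


def _finalize(rules):
    """Join the collected paths with ';' as the trust rule format expects."""
    out = []
    for rule in rules.values():
        rule = dict(rule)
        rule["paths"] = ";".join(rule["paths"])
        out.append(rule)
    return out


def aggregate_drift(events):
    """Trust type 1: one rule per process, every path it wrote to, a hit count and
    one counter per file extension ('.' for files without an extension)."""
    rules = {}
    for ev in events:
        rule = rules.setdefault(ev["processName"], _new_rule("1", "processName", ev["processName"]))
        if ev["path"] not in rule["paths"]:
            rule["paths"].append(ev["path"])
        rule["hitcount"] += 1
        ext = ev.get("fileExtension") or os.path.splitext(ev.get("fileName", ""))[1].lstrip(".")
        _count(rule, "." + ext)  # "." + "" gives "." for extension-less files
    return _finalize(rules)


def aggregate_security(events):
    """Trust type 2: one rule per SHA256, every path it ran from, a hit count and
    one counter per file name and per executing process name."""
    rules = {}
    for ev in events:
        rule = rules.setdefault(ev["sha256"], _new_rule("2", "sha256", ev["sha256"]))
        if ev["path"] not in rule["paths"]:
            rule["paths"].append(ev["path"])
        rule["hitcount"] += 1
        for name in (ev.get("fileName"), ev.get("processName")):
            if name:
                _count(rule, name)
    return _finalize(rules)


def to_trustrules_json(drift_events, security_events):
    """Serialise both aggregations into one {"trustrules": [...]} document."""
    rules = aggregate_drift(drift_events) + aggregate_security(security_events)
    return json.dumps({"trustrules": rules}, indent=2)


if __name__ == "__main__":
    print(to_trustrules_json(DRIFT_EVENTS, SECURITY_EVENTS))
```

Running the block prints four rules: the java process with hitcount 3, ".jar" 2 and "." 1 across two paths, the python3 process with ".py" 1, SHA_A with hitcount 3 and separate counts for the two file names and two process names, and SHA_B with no file name counter because the event carried none. Hit counts are the only thing that tells a reviewer whether a rule is suppressing routine updater noise or a single unexpected write, so they are worth keeping next to the rule until it is approved.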
Event analysis output
The Application Control event analysis output is directed to a file called ac_event_analysis.txt. This file has a trust rule format with additional hit count attributes and extension hit count attributes:
"trustrules": [{
"trustType":"1",
"processName":"process1",
"paths":"path11;path12;path13",
"hitcount":12342,
".jar":12342
},
{
"trustType":"1",
"processName":"process2",
"paths":"path21;path22;path23",
"hitcount":23232,
".py":23232
},
{
"trustType":"1",
"processName":"process3",
"paths":"path31;path32;path33",
"hitcount":34332,
".exe":34322
},
{
"trustType":"1",
"processName":"process4",
"paths":"path41;path42;path43",
"hitcount":12312,
".":12312
}]
The file locations are as follows:
- On Windows: C:\ProgramData\Trend Micro\Deep Security Agent\diag\ac_event_analysis.txt
- On Linux: /var/opt/ds_agent/diag/ac_event_analysis.txt
- In the diagnostics: agent/ac/ac_event_analysis.txt
The analysis is loaded from this file on restart so that the state is maintained after an agent restart. The analysis is cleared when Application Control is enabled after having been disabled. To view the ac_event_analysis.txt file, either use jq or an online JSON formatter.
Debug trust rules
You can debug trust rules as follows:
1. Apply the new trust rules to Deep Security Manager.
2. Stop Deep Security Agent.
3. Delete the ac_event_analysis.txt file.
4. Start Deep Security Agent.
5. Wait a few minutes to see whether the ac_event_analysis.txt file reappears:
   - If the file no longer appears, the trust rules are working and suppressing the event generation.
   - If the file still appears, inspect the ac_event_analysis.txt file for the new event information and add new trust rules accordingly. Trust type 1 rules are Allow by source rules for auto-approving drift events, whereas trust type 2 rules are Allow by target rules to allow execution of the target file.
6. To configure new trust rules, repeat the procedure starting from step 1.
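An added Python example, not part of this page or of the Deep Security tooling, for step 5 of the procedure above: it compares the rules that were applied against the entries that came back in ac_event_analysis.txt, lists the entries (and paths) that no rule covers, noisiest first, and drafts rules that would close those gaps. Both rule sets here are constructed samples with placeholder hashes; the assumption that a path is covered when it equals or lies under a listed path is mine, since this page does not state how the agent matches paths; a missing file is treated as an empty analysis because, per step 5, that means the rules suppressed everything.

```python
import json
import os

# Constructed placeholder hash values, not real file hashes.
SHA_A = "AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEE"
SHA_B = "EEEEEEEEEDDDDDDDDDCCCCCCCCBBBBBBBBAAAAAAAA"

# Trust rules as applied in Deep Security Manager (constructed sample).
APPLIED_RULES = {"trustrules": [
    {"trustType": "1", "processName": "/usr/bin/cp", "paths": "/im1"},
    {"trustType": "2", "sha256": SHA_A, "paths": "C:\\Windows\\System32\\"},
]}

# Contents of ac_event_analysis.txt after the agent restart (constructed sample in
# the trust rule format shown on this page, with hitcount and per-name counts).
ANALYSIS_TEXT = json.dumps({"trustrules": [
    {"trustType": "1", "processName": "/usr/bin/cp", "paths": "/im1", "hitcount": 4, ".": 4},
    {"trustType": "1", "processName": "/usr/bin/bash", "paths": "/im1;/im2", "hitcount": 2, ".sh": 2},
    {"trustType": "2", "sha256": SHA_A, "paths": "C:\\Windows\\System32\\;C:\\Temp\\",
     "hitcount": 3, "svchost.exe": 3},
    {"trustType": "2", "sha256": SHA_B, "paths": "C:\\Temp\\", "hitcount": 1},
]})


def parse_analysis(text):
    """Parse the analysis file body; an empty body means nothing was recorded."""
    return json.loads(text) if text.strip() else {"trustrules": []}


def load_analysis(path):
    """Read ac_event_analysis.txt; a missing file means the rules suppressed everything."""
    if not os.path.exists(path):
        return {"trustrules": []}
    with open(path, encoding="utf-8") as fh:
        return parse_analysis(fh.read())


def split_paths(rule):
    return [p for p in rule.get("paths", "").split(";") if p]


def rule_key(rule):
    """Identity of a rule: the process for type 1, the SHA256 for type 2."""
    if rule["trustType"] == "1":
        return ("1", rule["processName"])
    if rule["trustType"] == "2":
        return ("2", rule["sha256"])
    raise ValueError("unknown trustType %r" % rule["trustType"])


def uncovered_entries(applied, analysis):
    """Analysis entries with at least one path no applied rule covers, noisiest first.
    Assumption: a path is covered when it equals, or lies under, a path of a rule with
    the same key; the agent's exact matching semantics are not stated on this page."""
    covered = {}
    for rule in applied["trustrules"]:
        covered.setdefault(rule_key(rule), []).extend(split_paths(rule))
    gaps = []
    for entry in analysis["trustrules"]:
        allowed = covered.get(rule_key(entry), [])
        missing = [p for p in split_paths(entry) if not any(p.startswith(a) for a in allowed)]
        if missing:
            key_name = "processName" if entry["trustType"] == "1" else "sha256"
            gaps.append({"trustType": entry["trustType"], key_name: entry[key_name],
                         "missing_paths": missing, "hitcount": entry.get("hitcount", 0)})
    return sorted(gaps, key=lambda g: g["hitcount"], reverse=True)


def propose_rules(gaps):
    """Draft trust rules (without hit counts) that would close each gap."""
    rules = []
    for gap in gaps:
        key_name = "processName" if gap["trustType"] == "1" else "sha256"
        rules.append({"trustType": gap["trustType"], key_name: gap[key_name],
                      "paths": ";".join(gap["missing_paths"])})
    return rules


if __name__ == "__main__":
    gaps = uncovered_entries(APPLIED_RULES, parse_analysis(ANALYSIS_TEXT))
    for gap in gaps:
        print(gap)
    print(json.dumps({"trustrules": propose_rules(gaps)}, indent=2))
```

On the sample, /usr/bin/cp is fully covered and disappears from the report, while /usr/bin/bash, SHA_A (for the C:\Temp\ path only) and SHA_B come back as gaps. Treat the drafted rules as candidates to review against what that process or hash is expected to do on the host, not as rules to apply unchanged: the second entry, a hash executing from C:\Temp\ that was not expected at all, is exactly the atypical event that trust rules are meant to leave visible.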
To see how often the trust rules are being hit, execute sendCommand on the agent, as follows:
- Linux: /opt/ds_agent/sendCommand --get TrustRules
- Windows: \program files\trend micro\deep security agent\sendCommand --get TrustRules
Consult metrics
The drift analysis and event analysis are added to the Application Control metrics, where the top ten processes with the highest hit counts are included in the drift_analysis object and the top ten SHA256 hashes with the highest counts are stored in the event_analysis object:
"AC": {
"eventReportInQueue":"0",
"evtPreCreateProcessHandled":"17",
"acProcessHashCount":"0",
"acProcessBlockUnrecognized":"0",
"engFlushDbBufferError":"0",
"acFileProcessImgPath":"0",
"evtFilePostClose":"249",
"acFileErrorHash":"0",
"acFileAllowImportingRuleset":"0",
"evtFilePreCreateFromContainer":"0",
"evtFilePostChmodFromContainer":"0",
"engStopError":"0",
"evtFilePreCreateHandled":"0",
"ctrlInterpreterMatched":"0",
"importCount":"0",
"inventoryAdsVisited":"0",
"engGetInventory":"1",
"acFileAllow":"5",
"acFileAllowBuilding":"0",
"engSetConfigError":"0",
"ctrlMsiInstallationMatched":"0",
"ctrlDropProcessEvtReportQueueFull":"0",
"importFail":"0",
"eventReportDropped":"0",
"evtFilePostChmod":"3",
"acFileBlock":"0",
"acFileDrift":"3",
"engGetMetricsError":"0",
"ctrlDropFileEvtReportQueueFull":"0",
"inventoryFolderVisited":"0",
"engStartError":"0",
"evtFileCloudFileIgnore":"0",
"engSetConfig":"1",
"engFlushDbBuffer":"0",
"engPurgeDbError":"0",
"inventoryBytesInventoried":"433695822",
"evtPreCreateProcessWithCmdLine":"0",
"inventoryDriveVisited":"0",
"importSuccess":"0",
"engSetRuleset":"0",
"eventReportSent":"3",
"drift_analysis": [{
"trusttype":"1",
"processName":"/usr/bin/bash",
"paths":"/im1"
},
{
"trusttype":"1",
"processName":"/usr/bin/cp",
"hitcount":1,
"paths":"/im1"
}],
"event_analysis": [{
"trusttype":"2",
"sha256":"AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEE",
"hitcount":2,
"paths":"/im1"
},
{
"trusttype":"2",
"sha256":"EEEEEEEEEDDDDDDDDDCCCCCCCCBBBBBBBBAAAAAAAA",
"hitcount":1,
"paths":"/im1"
}]
}
View signer information
When trust rules are enabled, both the file signer information and the process signer information are included in the trust rules for the drift event analysis. For the security event analysis, the file signer information is included. Trust rules are enabled (the file signer information along with the process signer information is visible in the ac_event_analysis.txt file) when a trust entity ruleset is applied to the host.