Alert
|
Default Severity
|
Dismissible
|
Description
|
A computer reboot is required to enable Deep Security Agent protection
|
Critical
|
Yes
|
The agent software upgrade was successful, but a computer reboot is required to disable
Windows Defender and enable agent protection.
|
A Deep Security Relay cannot download security components
|
Critical
|
No
|
A relay cannot successfully download security components. This might be due to network
connectivity issues or misconfiguration in Server & Workload Protection under . Check your network configurations (for example, the proxy settings of the relay
group) and System Settings, then manually initiate an update on the relay using the Download Security Update option on the page.
|
Abnormal Restart Detected
|
Warning
|
Yes
|
An abnormal restart was detected on the computer. This condition may be caused by
a variety of conditions. If the agent is suspected as the root cause, then the diagnostics
package (in the Support section of the Computer Details dialog) should be invoked.
This alert indicates that the agent service was restarted abnormally. You can safely
dismiss this alert, or, if the alert reoccurs, create a diagnostics package and open
a case with Technical Support.
|
Account Balance Depleted
|
Critical
|
No
|
Your prepaid account balance has been depleted. You can no longer receive updates,
including security updates, until your account is replenished. To ensure your security
is maintained, contact your sales representative to add credit to your account.
|
Account Balance Low
|
Warning
|
No
|
Your prepaid account balance is running low. To ensure uninterrupted service, please
contact your sales representative to add more credit to your account.
|
Activation Failed
|
Critical
|
No
|
This may indicate a problem with the agent, but it can also occur if agent self-protection
is enabled. In the Workload Security console, go to
. In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.
|
Agent configuration package too large
|
Warning
|
Yes
|
This is usually caused by too many firewall and intrusion prevention rules being assigned.
Run a recommendation scan on the computer to determine if any rules can be safely
unassigned.
|
Agent Installation Failed
|
Critical
|
Yes
|
The agent failed to install successfully on one or more computers. Those computers
are currently unprotected. You must reboot the computers, which will automatically
restart the agent install program.
This may indicate a problem with the agent, but it can also occur if agent self-protection
is enabled. In the Server & Workload Protection console, go to Computer editor > Settings > General. In Agent Self Protection, either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.
|
Agent/Appliance Upgrade Recommended
|
Warning
|
No
|
Server & Workload Protection has detected an older agent version on the computer that does not support all available
features. An upgrade of the agent software is recommended. (Deprecated in 9.5)
|
Agent/Appliance Upgrade Recommended (Incompatible Component Update(s))
|
Warning
|
No
|
Server & Workload Protection has detected a computer with a version of the agent that is not compatible with one
or more component updates assigned to it. An upgrade of the agent software is recommended.
|
Agent/Appliance Upgrade Recommended (New Version Available)
|
Warning
|
No
|
Server & Workload Protection has detected one or more computers with a version of the agent that is older than
the latest version in Server & Workload Protection. An upgrade of the agent software is recommended.
|
Agent/Appliance Upgrade Required
|
Warning
|
No
|
Server & Workload Protection has detected a computer with a version of the agent that is not compatible with Server & Workload Protection. An upgrade of the agent software is required.
|
An update to the Rules is available
|
Warning
|
No
|
Updated rules have been downloaded but not applied to your policies. To apply the
rules, go to Administration > Updates > Component and in the Rule Updates column, click Apply Rules to Policies.
|
Anti-Malware Alert
|
Warning
|
Yes
|
A malware scan configuration that is configured for alerting has raised an event on
one or more computers.
|
Anti-Malware Component Failure
|
Critical
|
Yes
|
An anti-malware component failed on one or more computers. See the event descriptions
on the individual computers for specific details.
|
Anti-Malware Component Update Failed
|
Warning
|
No
|
One or more agents or relays failed to update anti-malware components. See the affected
computers for more information.
|
Anti-Malware Engine Offline
|
Critical
|
No
|
The agent has reported that the anti-malware engine is not responding. Please check
the system events for the computer to determine the cause of the failure.
|
Anti-Malware module maximum disk space used to store identified files exceeded
|
Warning
|
Yes
|
The Anti-Malware module was unable to analyze or quarantine a file because the maximum
disk space used to store identified files was reached. To change the maximum disk
space for identified files setting, open the computer or policy editor and go to the
Anti-malware > Advanced tab.
|
Anti-Malware protection is absent or out of date
|
Warning
|
No
|
The agent on this computer has not received its initial anti-malware protection package,
or its anti-malware protection is out of date. Make sure a relay is available and
that the agent has been properly configured to communicate with it. To configure relays
and other update options, go to Administration > System Settings > Updates.
|
APIKey Locked Out
|
Warning
|
No
|
API Keys can be locked out manually, or by repeated failed validation attempts.
|
Application Control Engine Offline
|
Critical
|
No
|
The agent has reported that the Application Control engine failed to initialize. Please
check the system events for the computer to determine the cause of the failure.
|
Application Control Ruleset is incompatible with agent version
|
Critical
|
No
|
An application control ruleset could not be assigned to one or more computers because
the ruleset is not supported by the installed version of the agent. Typically, the
problem is that a hash-based ruleset (which is compatible only with agent version
11.0 or newer) has been assigned to an older agent. Agent version 10.x supports only
file-based rulesets. (For details, see Differences in how 10.x and 11.x agents compare files.) To fix this issue, upgrade the agent to version 11.0 or newer. Alternatively, if
you are using local rulesets, reset application control for the agent.
|
Application Type Misconfiguration
|
Warning
|
No
|
Misconfiguration of application types may prevent proper security coverage.
|
Application Type Recommendation
|
Warning
|
Yes
|
Server & Workload Protection has determined that a computer should be assigned an application type. This could
be because an agent was installed on a new computer and vulnerable applications were
detected, or because a new vulnerability has been discovered in an installed application
that was previously thought to be safe. To assign the application type to the computer,
open the 'Computer Details' dialog box, click on 'Intrusion Prevention Rules', and
assign the application type.
|
AWS Contract License Exceeded
|
Critical
|
No
|
AWS Contract License expired or AWS Contract entitlements have been exceeded.
|
Azure Account Not Authorized to Read Resources Information
|
Critical
|
No
|
Azure Cloud Account can't retrieve resources information from Azure API because the
Azure Application is not authorized to read resources. Please verify that the Reader
role has been assigned to the application.
|
Azure Account Password Invalid
|
Critical
|
No
|
Azure Cloud Account can't retrieve resources information from Azure API because the
Azure Application password is invalid.
|
Azure Account Secret Expired
|
Critical
|
No
|
Azure Cloud Account can't retrieve resources information from Azure API because the
Azure Application secret key has expired.
|
Microsoft Entra ID Application Not Found
|
Critical
|
No
|
Azure Cloud Account can't retrieve resources information from Azure API because the
Azure Application is not found. The application possibly has been removed from Microsoft Entra ID.
|
Microsoft Entra ID Application Need Renew
|
Critical
|
No
|
The Microsoft Entra ID application cannot sync the cloud data. The application password may have expired
or the application may have been deleted. Renew the application via Computers > Properties (right-click the target group) > Renew Application Now.
|
Azure Key Pair Expired
|
Critical
|
No
|
The key pair for Azure service(s) has expired. You can remove this alert by updating
your key pair on the Azure service's property page.
|
Azure Key Pair Expires Soon
|
Warning
|
No
|
The key pair for Azure service(s) will expire soon. You can remove this alert by updating
your key pair on the Azure service's property page.
|
Azure Subscription Not Found
|
Critical
|
No
|
Azure Cloud Account cannot retrieve resources information from Azure API because the
Azure Subscription cannot be found.
|
Census, Good File Reputation, and Predictive Machine Learning Service Disconnected
|
Warning
|
Yes
|
Disconnected from Census, Good File Reputation, and Predictive Machine Learning Service.
See the event details for possible solutions.
Refer to Warning: Census, Good File Reputation, and Predictive Machine Learning Service Disconnected for troubleshooting tips.
|
Clock Change Detected
|
Warning
|
Yes
|
A clock change was detected on the computer. Unexpected clock changes may indicate
a problem on the computer and should be investigated before dismissing the alert.
|
Cloud Computer Not Managed as Part of Cloud Account
|
Warning
|
Yes
|
An agent was activated on one or more computers belonging to a cloud account that
is not synchronized with Server & Workload Protection. Click the Action to add the cloud account. The computers will be moved into the account, and may be
billed at a lower hourly rate.
|
Communications Problem Detected
|
Warning
|
Yes
|
A communications problem was detected on the computer. The computer cannot initiate
communication with Server & Workload Protection because of network configuration or load reasons. Check the system events in addition
to verifying communications can be established from the computer to Server & Workload Protection. The cause of the issue should be investigated before dismissing the alert.
|
Computer Not Receiving Updates
|
Warning
|
No
|
These computer(s) have stopped receiving updates. Manual intervention may be required.
|
Computer Reboot Required
|
Critical
|
Yes
|
The agent software upgrade was successful, but you must reboot the computer to complete
the install. Manually update the computer(s) before dismissing the alert.
|
Computer Reboot Required for Activity Monitoring
|
Critical
|
No
|
The Activity Monitoring on the agent reported that the computer needs to be rebooted.
Check the system events for the computer to determine the reason for the reboot.
|
Computer Reboot Required for Anti-Malware Protection
|
Critical
|
No
|
The anti-malware protection on the agent reported that the computer needs to be rebooted.
Check the system events for the computer to determine the reason for the reboot.
|
Computer Reboot Required for Application Control Protection
|
Critical
|
No
|
The Application Control protection on the agent reported that the computer needs to
be rebooted. Check the system events for the computer to determine the reason for
the reboot.
|
Computer Reboot Required for Integrity Monitoring Protection
|
Critical
|
No
|
The Integrity Monitoring protection on the agent reported that the computer needs
to be rebooted. Check the system events for the computer to determine the reason for
the reboot.
|
Configuration Required
|
Warning
|
No
|
One or more computers are using a policy that defines multiple interface types where
not all interfaces have been mapped.
|
Duplicate Computer Detected
|
Warning
|
Yes
|
A duplicate computer was activated or imported. Remove the duplicate computer and
reactivate the original computer if necessary.
|
Empty Relay Group Assigned
|
Critical
|
No
|
These computers were assigned an empty relay group. Assign a different relay group
to the computers or add relays to the empty relay group(s).
|
Events Suppressed
|
Warning
|
Yes
|
The agent encountered an unexpectedly high volume of events. As a result, one or more
events were not recorded (suppressed) to prevent a potential denial of service. Check
the firewall events to determine the cause of the suppression.
|
Events Truncated
|
Warning
|
Yes
|
Some events were lost because the data file grew too large for the agent to store.
This may have been caused by an unexpected increase in the number of events generated,
or the inability of the agent to send the data to Server & Workload Protection. For more information, see the properties of the Events Truncated system event on the computer.
|
Execution of Software Blocked
|
Warning
|
Yes
|
Execution of software was blocked on one or more computers. See the Application Control
Events on the following computers for more information.
|
Failed to Send SNSMessage
|
Critical
|
No
|
Server & Workload Protection was unable to forward messages to Amazon Simple Notification Service (SNS).
|
Failed to Send Syslog Message
|
Warning
|
No
|
Server & Workload Protection was unable to forward messages to one or more syslog servers.
|
Files could not be scanned for malware
|
Warning
|
No
|
Files could not be scanned for malware because the file path exceeded the maximum
file path length limit or the directory depth exceeded the maximum directory depth
limit. Check the system events for the computer to determine the reason.
|
Firewall Engine Offline
|
Critical
|
No
|
The agent reported that the firewall engine is offline. Check the status of the engine
on the agent.
|
Firewall Rule Alert
|
Warning
|
Yes
|
A firewall rule that is selected for alerting was encountered on one or more computers.
|
Firewall Rule Recommendation
|
Warning
|
Yes
|
Server & Workload Protection determined that a computer on your network should be assigned a firewall rule. This
could be because an agent was installed on a new computer and vulnerable applications
were detected, or because a new vulnerability was discovered in an installed application
that was previously thought to be safe. To assign the firewall rule to the computer,
open Computer Details and click Firewall Rules.
This alert is not supported for enhanced recommendation scan.
|
Incompatible Agent/Appliance Version
|
Error
|
No
|
Server & Workload Protection detected a more recent agent version on the computer that is not compatible with
Server & Workload Protection.
|
Insufficient Disk Space
|
Warning
|
Yes
|
The agent reported that it was forced to delete an old log file to free up disk space
for a new log file. Immediately free up disk space to prevent loss of intrusion prevention,
firewall and agent events. See Warning: Insufficient disk space.
|
Integrity Monitoring Engine Offline
|
Critical
|
No
|
The agent reported that the integrity monitoring engine is not responding. Check the
system events for the computer to determine the cause of the failure.
|
Integrity Monitoring Rule Alert
|
Warning
|
Yes
|
An integrity monitoring rule that is selected for alerting was encountered on one
or more computers.
|
Integrity Monitoring Rule Compilation Error
|
Critical
|
No
|
An error was encountered compiling an integrity monitoring rule on a computer. This
may result in the integrity monitoring rule not operating as expected.
|
Integrity Monitoring Rule Recommendation
|
Warning
|
Yes
|
Server & Workload Protection determined that a computer on your network should be assigned an integrity monitoring
rule. To assign the integrity monitoring rule to the computer, open Computer Details and select .
This alert is not supported for enhanced recommendation scan.
|
Integrity Monitoring Rule Requires Configuration
|
Warning
|
No
|
An integrity monitoring rule that requires configuration before use was assigned to
one or more computers. This rule will not be sent to the computer(s). Open the integrity
monitoring rule properties and select the Configuration tab for more information.
|
Integrity Monitoring Trusted Platform Module Not Enabled
|
Warning
|
Yes
|
Trusted platform module not enabled. Ensure the hardware is installed and the BIOS
setting is correct.
|
Integrity Monitoring Trusted Platform Module Register Value Changed
|
Warning
|
Yes
|
Trusted platform module register value changed. If you have not modified the ESXi
hypervisor configuration, this may represent an attack.
|
Intrusion Prevention Engine Offline
|
Critical
|
No
|
The agent reported that the intrusion prevention engine is offline. Check the status
of the engine on the agent.
|
Intrusion Prevention Rule Alert
|
Warning
|
Yes
|
An intrusion prevention rule that is selected for alerting was encountered on one
or more computers.
|
Intrusion Prevention Rule Compilation Failed
|
Critical
|
Yes
|
This is usually caused by a misconfigured IPS Rule. The Rule name can be found in
the Event's Properties window. To resolve this issue, identify the Rule and unassign
it or contact Trend Micro Support for assistance.
|
Intrusion Prevention Rule Requires Configuration
|
Warning
|
No
|
An intrusion prevention rule that requires configuration before use was assigned to
one or more computers. This rule will not be sent to the computer(s). Open the intrusion
prevention rule properties and select the Configuration tab for more information.
|
Invalid System Settings Detected
|
Critical
|
No
|
Server & Workload Protection detected invalid values for one or more system settings.
|
License Expired
|
Critical
|
No
|
Your Server & Workload Protection license has expired. You will no longer receive updates, including security updates,
until your license is renewed. To ensure your security is maintained, contact your
sales representative to renew your license.
|
License Expiring Soon
|
Warning
|
No
|
Your Server & Workload Protection license will expire soon. Contact your sales representative to renew your license.
|
Log Inspection Engine Offline
|
Critical
|
No
|
The agent reported that the log inspection engine has failed to initialize. Check
the system events for the computer to determine the cause of the failure.
|
Log Inspection Rule Alert
|
Warning
|
Yes
|
A log inspection rule that is selected for alerting was encountered on one or more
computers.
|
Log Inspection Rule Recommendation
|
Warning
|
Yes
|
Server & Workload Protection determined that a computer on your network should be assigned a log inspection rule.
To assign the log inspection rule to the computer, open Computer Details and select .
This alert is not supported for enhanced recommendation scan.
|
Log Inspection Rule Requires Configuration
|
Warning
|
No
|
A log inspection rule that requires configuration before use was assigned to one or
more computers. This rule will not be sent to the computer(s). Open the Log Inspection
Rule properties and select the Configuration tab for more information.
|
Maintenance Mode On
|
Warning
|
No
|
Maintenance mode is currently active for application control on one or more computers. While this
mode is active, application control continues to enforce block rules (if you selected
Block unrecognized software until it is explicitly allowed), but will allow software updates, and automatically add them to the inventory part
of the ruleset. When the software update is finished for each computer, disable maintenance
mode so that unauthorized software is not accidentally added to the ruleset.
|
MQTT Connection Configuration Failed
|
Warning
|
No
|
Failed to configure agent for MQTT connection.
|
MQTT Connection Offline
|
Warning
|
No
|
The agent is unable to connect to the MQTT endpoint.
|
Network Engine Mode Incompatibility
|
Warning
|
No
|
Setting "Network Engine Mode" to "Tap" is only available on agent versions 5.2 or
higher. Review and update the agent's configuration or upgrade the agent to resolve
the incompatibility.
|
New Pattern Update is Downloaded and Available
|
Warning
|
No
|
New patterns are available as part of a security update. The patterns have been downloaded
to Server & Workload Protection but have not yet been applied to your computers. To apply the update to your computers,
go to the Administration > Updates > Security page.
|
New Rule Update is Downloaded and Available
|
Warning
|
No
|
New rules are available as part of a security update. The rules have been downloaded
to Server & Workload Protection but have not yet been applied to policies and sent to your computers. To apply the
update and send the updated policies to your computers, go to the Administration >
Updates > Security page.
|
Newer Versions of Software Available
|
Warning
|
No
|
New software is available. Software can be downloaded from the Download Center.
|
Recommendation
|
Warning
|
Yes
|
Server & Workload Protection determined that the security configuration of one of your computers should be updated.
To see recommended changes, open the Computer editor and look through the module pages for warnings of unresolved recommendations.
Under Assigned Rules, click Assign/Unassign and select Show Recommended for Assignment. For rules that you can safely unassign, select Show Recommended for Unassignment.
|
Reconnaissance Detected: Computer OS Fingerprint Probe
|
Warning
|
Yes
|
The agent detected an attempt to identify the computer operating system via a "fingerprint"
probe. Such activity is often a precursor to an attack that targets specific vulnerabilities.
Check the computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
|
Reconnaissance Detected: Network or Port Scan
|
Warning
|
Yes
|
The agent detected network activity typical of a network or port scan. Such activity
is often a precursor to an attack that targets specific vulnerabilities. Check the
computer's events to see the details of the probe and see Warning: Reconnaissance Detected.
|
Reconnaissance Detected: TCP Null Scan
|
Warning
|
Yes
|
The agent detected a TCP "Null" scan. Such activity is often a precursor to an attack
that targets specific vulnerabilities. Check the computer's events to see the details
of the probe and see Warning: Reconnaissance Detected.
|
Reconnaissance Detected: TCP SYNFIN Scan
|
Warning
|
Yes
|
The agent detected a TCP "SYNFIN" scan. Such activity is often a precursor to an attack
that targets specific vulnerabilities. Check the computer's events to see the details
of the probe and see Warning: Reconnaissance Detected.
|
Reconnaissance Detected: TCP Xmas Scan
|
Warning
|
Yes
|
The agent detected a TCP "Xmas" scan. Such activity is often a precursor to an attack
that targets specific vulnerabilities. Check the computer's events to see the details
of the probe and see Warning: Reconnaissance Detected.
|
Relay Upgrade Required For Agent Integrity Check
|
Warning
|
No
|
To enable Agent Integrity Check, upgrade the relay.
|
SAML Identity Provider Certificate expired
|
Critical
|
No
|
One or more Security Assertion Markup Language (SAML) Identity Provider Certificate(s)
expired.
|
SAML Identity Provider Certificate expires soon
|
Warning
|
No
|
One or more SAML Identity Provider Certificate(s) expire soon.
|
SAP Virus Scan Adapter is not installed
|
Critical
|
No
|
The agent reported that the SAP Virus Scan Adapter is not installed. Check the system
events for the computer to determine the cause of the failure.
|
SAP Virus Scan Adapter is not up to date
|
Critical
|
No
|
The agent reported that the SAP Virus Scan Adapter is not up to date. Check the system
events for the computer to determine the cause of the failure.
|
SAP Virus Scan service is not working correctly
|
Critical
|
No
|
The SAP Virus Scan service is not functioning properly. Check the system events for
the computer to determine the cause of the failure.
|
Scheduled Malware Scan Missed
|
Warning
|
No
|
Scheduled malware scan tasks were initiated on computers that already had pending
scan tasks. This may indicate a scanning frequency that is too high. Consider lowering
the scanning frequency, or selecting fewer computers to scan during each scheduled
scan job.
|
Send Policy Failed
|
Critical
|
No
|
Inability to send policy may indicate a problem with the agent. Check the affected
computers.
|
Smart Protection Server Connection Failed
|
Warning
|
Yes
|
Failed to connect to a Smart Protection Server. This could be due to a configuration
issue or due to network connectivity.
|
Software Changes Detected
|
Warning
|
No
|
During ongoing file system monitoring, application control detected that new software
was installed, which did not match any configured allow or block rule. If your system
administrators did not install the software and no other users have permissions to
install software, this could indicate a security compromise. Depending on your lockdown
configuration, the software may be allowed to execute.
|
Software Package Not Found
|
Critical
|
No
|
An Agent Software Package is required for the proper operation of one or more virtual
appliance(s). Import a Red Hat Enterprise 6 (64-bit) Agent Software Package with the
correct version for each Appliance. If the required version is not available then
import the latest package and upgrade the appliance to match.
|
Unable to communicate
|
Critical
|
No
|
Server & Workload Protection could not query the agent status in the configured period. Check your network configuration
and the connectivity of the affected computer.
|
Unable to Upgrade the Agent Software
|
Warning
|
Yes
|
Server & Workload Protection could not upgrade the agent software on the computer.
This may indicate a problem with the agent, but can also occur if agent self-protection
is enabled. In Server & Workload Protection, select . In Agent Self Protection, deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.
|
Unresolved software change limit reached
|
Critical
|
No
|
Software changes detected on the file system exceeded the maximum amount. Application
control continues to enforce existing rules, but without recording further changes,
and no longer displays that computer's software changes. You must resolve and prevent
excessive software change.
|
User Locked Out
|
Warning
|
No
|
Users can be locked out manually, by repeated incorrect sign-in attempts when their
password expires, or if the accounts have been imported but not yet unlocked.
|
User Password Expires Soon
|
Warning
|
No
|
The password expiry setting is enabled and one or more users have passwords that will
expire within the next seven days.
|
Web Reputation Event Alert
|
Warning
|
Yes
|
A web reputation event was encountered on one or more computers selected for alerting.
|
WorkSpaces Disabled for AWS Account
|
Warning
|
Yes
|
An agent was activated on one or more Amazon WorkSpaces, but WorkSpaces are not enabled
for your AWS account. To enable WorkSpaces, click Edit AWS Account and select Include Amazon WorkSpaces. Your WorkSpaces will be moved into the WorkSpaces folder of the AWS account and
billed at a lower hourly rate, if you are using hourly billing.
|