TRENDsCampus - ADVANCED - Hybrid Cloud Security - Lab Guidev2
The classroom lab environment is delivered as a virtual application through the Trend Micro
Product Cloud and will be accessed from a Web browser on your computer. Google Chrome is
the preferred browser for this environment, though other browsers may work if the appropriate
plug-ins are enabled and working properly.
Network Settings
The details and login credentials for each virtual machine in the classroom environment are listed
here. Always log into Windows as the local administrator. Logging in as a domain administrator
will display a different desktop and certain exercise files may not be available.
Username: ………………………………….
Password: ………………………………….
On the Product Cloud 2.0 page, the list of all scheduled trainings is displayed. You can test your
network and enter the training by clicking the corresponding icon.
Import the Deep Security Agent software into Deep Security Manager
1. In this exercise, a Deep Security Agent software package will be imported into Deep Security
Manager.
2. Click the VM-SERVER-02 virtual machine in the virtual application, and if prompted, log in
to Windows Server 2016 using the credentials as listed in the network settings page.
NOTE: If an Enable Network Discovery message is displayed when logging into ANY virtual
machine, click Yes.
3. Double-click the Deep Security Manager shortcut on the Windows Server 2016 desktop and
log into the Deep Security Manager Web console with the credentials:
Username: MasterAdmin
Password: trendmicro
4. Click the Administration menu. In the left-hand pane, expand Updates > Software >
Download Center.
Scroll through the list and locate the latest version of the Deep Security Agent for 64-bit
Windows: Agent-Windows-12.0.___.x86_64.zip
NOTE: To limit scrolling in this window, you can type the name of the Agent in the Search field.
For example, type windows to display the Windows Agents at the top of the list.
6. Click to select the file and click the icon in the Import Now column. Alternately, you can right-
click the file and click Import from the pop-up menu, or click Import from the menu above
the software list.
8. Under Updates > Software > Local, verify that the Agent software package is listed as having
been imported. A green check mark is displayed in the Is Latest column to indicate that the
latest version has been imported.
In Windows Explorer, locate the following folder to view the Agent package stored on the Deep
Security Manager computer:
2. Still on the Local Software page, right-click the 64-bit Windows software package (Agent-
Windows-12.0.___x64.zip) in the list and click Export Installer.
3. Save the *.msi file for the installer to the Lab Files folder located on the Windows Desktop.
This folder can be accessed from different virtual machines in the environment to simplify
installation.
In this exercise, a Deep Security Agent will be manually installed on the Windows Server 2016
server hosted on the VM-SERVER-01 virtual machine.
1. In the virtual application, click the VM-SERVER-01 virtual machine. If prompted, log in to
Windows Server 2016 using the credentials as listed in the network settings page.
2. In the previous exercise, the Deep Security Agent installer was exported to the Lab Files
folder. A shortcut to this folder has been placed on the desktop of the VM-SERVER-01 image.
Double-click the shortcut and locate the installer called Agent-Core-Windows
12.0.____.x64.msi. Double-click to start the installation.
5. If the terms of the license agreement are acceptable, click I accept the terms in the License
Agreement and click Next.
7. Click Install. A Deep Security Notifier message should be displayed above the system tray.
In this exercise, a Deep Security Agent will be installed on the Windows Server 2019 computer
on the VM-SERVER-04 virtual machine using a deployment script. Agent-Initiated Activation must
be enabled before the script can be run to ensure that the Agent activates properly. In this
example, the resulting script will be executed in Windows PowerShell.
1. Return to the Deep Security Manager Web console and click the Administration menu. In
the left-hand pane, click System Settings and click the Agents tab.
2. Click to enable Allow Agent-Initiated Activation and Allow Agent to specify hostname. In the
Agent activation token field, type a token for Agent activation, for example, secret and click
Save.
NOTE: The Agent activation token ensures that only scripts created on this installation of Deep
Security Manager are accepted for activation on this installation.
NOTE: The password required for Agent-initiated activation is automatically added to the
script. Note the entry “token:secret” near the end of the script.
4. Click Save to File and save the resulting AgentDeploymentScript.ps1 file to the Lab Files
folder on the desktop.
7. Open the Lab Files shortcut on the desktop and locate the script file you saved in the previous
step. Right-click the file and click Run with PowerShell.
8. Click Open. Since the permissions to allow PowerShell scripts to run automatically are not set
by default, click Y to execute the script.
The script will execute and the Deep Security Agent will be installed and activated.
It may take a couple of minutes for the script to complete, since the sleep value in the script
pauses the process to allow the Deep Security Agent setup to complete before activating the
Agent. Wait for the DSA Deployment Finished message to be displayed in the PowerShell window
before continuing.
In this exercise, participants will install a Deep Security Agent on the VM-SERVER-02 virtual machine. In
the exercise, the Deep Security Agent will be installed using a Microsoft Installer command.
2. Open the Lab Files folder on the desktop and copy the Agent-Core-Windows-12.____.x86.msi file
to the root of C:\.
3. Open the Windows Command Prompt from the taskbar and change folders to C:\.
4. Type the following command and note the name of the Deep Security Agent *.msi file: dir
Since the /q switch runs a quiet install, no dialog boxes will be displayed during the installation of the
Deep Security Agent, but the Deep Security Notifier icon will appear in the system tray after a few
moments.
Wait until the Notifier icon is displayed in the system tray in the lower right-hand corner of the Windows
screen before closing the Command Prompt and proceeding to the next exercise.
1. In the Deep Security Manager Web console, click the Computers menu.
2. Just above the list of computers, click Columns.
3. In the list of available columns, click to display Tasks and click OK.
4. The new column is displayed. This column will display the tasks in progress, such as when a
policy is being updated, or Recommendation Scans are being performed. Click and drag the
column header to reposition the column in the list, if required.
7. In the right-hand pane, click Add > Add Computer. The New Computer Wizard is launched.
9. The New Computer Wizard displays a notification indicating that it will automatically activate
the Deep Security Agent found on the newly added computer. Click Finish, then click Close.
11. Repeat the Add Computer process for the SERVER-03 computer.
12. The Windows 2016 Server hosted on the VM-SERVER-02 image will also be added to
Computers list using the Discover operation. Click Add > Discover.
In the Discover Computers window, enter the following IP address range:
Range From: 192.168.4.2
Range To: 192.168.4.2
13. The discovery processing is visible in the bottom-left corner of the Deep Security Manager
Web console task bar. The process may take a moment.
14. After the Discovery task completes, the Computers list will refresh and computers with IP
addresses within the identified range will be displayed. Since our range only included one
address, only one computer (SERVER-02.trend.local) will be added to the list.
15. Right-click the discovered computer and click Actions > Activate/Reactivate. Note that the
Task column displays Activating.
At this point, the Computers list in Deep Security Manager Web console should appear similar
to this:
The SERVER-04 computer was added and activated automatically through the
deployment script.
Deep Security Agents were installed manually on the SERVER-01 and SERVER-03
computers. The Deep Security Agents on these computers were activated automatically
when the computers were added by hostname.
The Deep Security Agent on SERVER-02 was installed through the command line using
Microsoft Installer and activated manually by clicking Activate/Reactivate.
2. Enter the name for the policy as Classroom. If you want the new policy to inherit its settings
from an existing policy, select a policy from the Inherit from list. Click Next.
3. Select whether you want to base this policy on an existing computer's configuration and then
click Next.
Select a computer to use as the basis for the new policy and click Next.
Specify which protection modules will be enabled for the new policy. If this policy is inheriting
its settings from an existing policy, those settings will be reflected here. Click Next.
On the next screen, select the properties that you want to carry into the new policy and
click Next. Review the configuration and click Finish.
5. If you selected No in step 3, specify which protection modules will be enabled for the new
policy. If this policy is inheriting its settings from an existing policy, those settings will be
reflected here. Click Finish.
6. Click Close.
The other ways of creating policies, such as duplicating them, will be performed in the upcoming
sessions.
The Deep Security Agent on the VM-SERVER-01 virtual machine is already activated. In this
exercise, this Deep Security Agent will be promoted to become a Relay within the Default Relay
Group.
1. Still in the Deep Security Manager Web console, click the Administration menu.
2. In the left-hand pane, expand Updates and click Relay Management.
4. A list of all of the 64-bit Deep Security Agents activated in Deep Security will be displayed.
Click to select the SERVER-01 Deep Security Agent computer in the list and click Enable Relay
and Add to Group.
5. Once the Agent Status is listed as Online, return to the Computers list.
6. The Status column for SERVER-01 will display a message indicating that a security update is
in progress.
This is the Relay retrieving the distributable update components from the Trend Micro
ActiveUpdate Server on the Smart Protection Network. Wait for the message to clear before
continuing.
A Sending Policy status may also be displayed for other computers in the list as they are advised
of the new Relay in their assigned Relay Group.
NOTE: A small red icon will be displayed over the computer icon in the Computers list for any
Agents promoted to Relays.
1. Click the VM-SERVER-02 virtual machine and log into the Deep Security Manager Web
console as MasterAdmin.
2. Click Administration > User Management > API Keys and click New.
3. Create a new API key with the following details and click Next:
Name: Exercise key
Description: Type a description for the key
Role: Full Access
Expires on: Select the date a year from today
This is the only time you will have access to this key.
5. Click Copy to clipboard and paste the key into the API Keys.txt file on the Windows desktop.
Save the file.
6. Close the key creation wizard.
1. Still on the VM-SERVER-02 virtual machine, access the Deep Security Automation Center by
clicking the bookmark in the Chrome browser, or enter the following URL in Chrome:
https://automation.deepsecurity.trendmicro.com
The Deep Security Automation Center Web site is displayed.
3. Click the API Reference menu. The Deep Security API-accessible functions are displayed in
the frame on the left-hand side of the Web page.
4. Scroll down and expand Computers. The operations related to the Computers list available
through the API are displayed. Click List Computers.
The parameters related to displaying the Computers list are displayed in the middle frame. Code
samples for Python, JavaScript and Java are displayed in the right-hand frame.
3. The API key and API version must be included in the request for the Computers list through
Postman. In Postman, click the Headers tab.
Click in the first row under Key and type the key name of api-secret-key.
Click under Value and paste the value of the secret API key from the API Keys.txt file.
Click in the second row of the list under Key and type the key name of api-version.
Click under Value and type v1.
4. Click Send. Postman will pass the request for the Computers list to Deep Security through an
HTTP request.
1. Return to the API Reference and expand Computer Groups. The operations related to Groups
in Deep Security that are available through the API are displayed. Click Create A Computer
Group.
5. On the Headers tab, add the API key and API version headers as in the previous exercise.
For the API key:
Click in the first row of the list under Key and type the key name of api-secret-key.
Click under Value and paste the value of the secret API key from the API Keys.txt file.
Click in the third row of the list under Key and type the key name Content-Type.
Click under Value and type application/json.
7. When using a POST operation, parameters must be submitted along with the headers to
provide details to Deep Security, for example, the name and description of the group to be
created.
In the Request Sample section of the API Reference, click Payload. Click Copy to copy the
JSON formatted template data.
9. Modify the pasted template data in the Body to include the name and description for a new
computer group. Replace the string values with the group details, for example:
name: Classroom
description: Demonstration Group for API Lesson
parentGroupID: 0
11. Return to the Deep Security Manager Web console and note that the new group has been
created.
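The two Postman calls from this exercise and the previous one (List Computers with the api-secret-key and api-version headers, then Create A Computer Group with a JSON body) can be scripted in Python, one of the languages the API Reference shows samples for. This is an added example, not code from the lab guide or from Trend Micro; the manager hostname and port (server-02.trend.local:4119, the default manager port) and the Computer response field names used in summarize_computers are assumptions.

```python
"""Deep Security Manager REST API calls matching the Postman exercises.

Added example; not part of the lab guide. Assumed: the manager is reachable at
https://server-02.trend.local:4119 and the API key was saved to API Keys.txt.
"""
import json
import os
import ssl
import urllib.error
import urllib.request

API_VERSION = "v1"                       # the api-version header value used in the lab
BASE_URL = "https://server-02.trend.local:4119"   # assumed manager address


def build_headers(api_key, with_body=False):
    """Headers every Deep Security API call needs: the secret key and the API
    version. Calls that carry a JSON body (POST) also declare Content-Type."""
    headers = {"api-secret-key": api_key, "api-version": API_VERSION}
    if with_body:
        headers["Content-Type"] = "application/json"
    return headers


def build_list_computers_request(base_url, api_key):
    """GET /api/computers, the 'List Computers' operation in the API Reference."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/computers",
        headers=build_headers(api_key),
        method="GET",
    )


def build_create_group_request(base_url, api_key, name, description, parent_group_id=0):
    """POST /api/computergroups, the 'Create A Computer Group' operation.
    The payload mirrors the template copied from the Request Sample section."""
    payload = {"name": name, "description": description, "parentGroupID": parent_group_id}
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/computergroups",
        data=json.dumps(payload).encode("utf-8"),
        headers=build_headers(api_key, with_body=True),
        method="POST",
    )


def decode_payload(request):
    """Return the JSON body of a prepared request as a dict (for inspection)."""
    return json.loads(request.data.decode("utf-8"))


def send(request, ca_file=None):
    """Send a prepared request and return (HTTP status, parsed JSON body).
    Pass the manager's CA certificate as ca_file rather than disabling TLS checks."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(request, context=ctx, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def summarize_computers(body):
    """Reduce a List Computers response to (ID, hostName, agentStatus) tuples.
    Field names assumed from the API's Computer object."""
    rows = []
    for comp in body.get("computers", []):
        status = comp.get("computerStatus", {}).get("agentStatus", "unknown")
        rows.append((comp.get("ID"), comp.get("hostName"), status))
    return rows


def read_api_key(path):
    """Read the key saved from the key creation wizard (whitespace stripped)."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    key_file = os.path.join(os.path.expanduser("~"), "Desktop", "API Keys.txt")
    if not os.path.exists(key_file):
        raise SystemExit("save the API key to " + key_file + " first")
    key = read_api_key(key_file)
    status, body = send(build_list_computers_request(BASE_URL, key))
    print("List Computers ->", status)
    for row in summarize_computers(body):
        print("  ", row)
    status, body = send(build_create_group_request(
        BASE_URL, key, "Classroom", "Demonstration Group for API Lesson"))
    print("Create A Computer Group ->", status, body.get("ID"))
```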
1. In the virtual application, return to the VM-SERVER-02 virtual machine, and log into the Deep
Security Manager Web console as MasterAdmin.
2. In the Deep Security Manager Web console, click the Policies menu. In the left-hand pane,
expand Common Objects > Other and click Malware Scan Configurations. The default
Malware Scan Configurations are displayed in the right-hand pane.
Name: Type a name for this scan configuration, for example Classroom Scan Configuration
Document Exploit Protection: Click to enable Scan documents for exploits and Scan for
exploits against known vulnerabilities only
Spyware/Grayware: Click to Enable spyware/grayware protection
Alerts: Enable to send Alerts when this Malware Scan Configuration logs an event.
Click OK.
5. The Malware Scan Configuration is created and added to Common Objects, but has not
been applied to any policies or computers yet.
1. Still in the Deep Security Manager Web Console, click the Policies menu and in the left-hand
pane, click Policies.
2. Instead of creating a new policy from scratch, we will copy an existing policy and modify
some of its attributes. In the right-hand pane, expand Base Policy and click to select the
Windows policy. From the menu at the top of the list, click Duplicate.
3. Double-click the Windows_2 policy to display the Details Windows. Rename this policy to
Classroom and click Save.
Anti-Malware State: On
Real-Time Scan: De-select Inherited
Malware Scan Configuration: Select the newly created configuration called Classroom
Scan Configuration
Schedule: Select Every Day All Day
Click Save.
1. Still in the console, click the Computers menu to display the computers currently added to
Deep Security Manager.
Since this module was not previously enabled, Deep Security Manager executes the installation
of the Anti-Malware Protection Module and other required components on this Deep Security
Agent.
5. Security updates will also be applied for the Anti-Malware components. Another progress
prompt may be displayed after a moment and the Task column for the computer will change
to Security Update in Progress. The updates may take a moment to download.
NOTE: If the Relay was not properly enabled in the previous lab, the Anti-Malware
component installation will fail.
2. Double-click the Deep Security Notifier in the Windows System Tray. In the Status pane,
confirm that Real Time scanning is enabled for Anti-Malware.
4. In the Download section, click the eicar.com link to attempt to download the test file.
5. A Malware Detected message should be displayed notifying that the Eicar test virus file was
detected.
6. In a Web browser, click the bookmark to access the Detections Web site, or enter the
following URL: http://detection.trend.local
7. Click l1-1.doc in the Deep Discovery Analyzer Sample Submission section to download the
malware sample.
8. The Notifier should display a message indicating that new malware has been encountered.
Cancel the Save operation.
10. To verify the corresponding events, return to the Deep Security Manager Web console in the
VM-SERVER-02 virtual machine. Locate SERVER-03 in the Computers list and double-click to
open Details.
11. Click the Anti-Malware Protection Module in the left-hand frame and click the Anti-Malware
Events tab. Confirm the events were logged. You may need to click Get Events to refresh
the events list.
6. Double-click the Deep Security Notifier in the Windows System Tray, and click View Events.
Click the Anti-Malware Events tab to view the events.
7. To verify the corresponding events, return to the Deep Security Manager Web console in the
VM-SERVER-02 virtual machine. Locate SERVER-03 in the Computers list and double-click to
open Details.
8. Click the Anti-Malware Protection Module in the left-hand frame and click the Anti-Malware
Events tab. Confirm the event was logged. You may need to click Get Events to refresh
the events list.
1. Still in the Deep Security Manager Web console on the VM-SERVER-02 virtual machine, click
the Policies menu and in the left-hand frame, click Policies.
3. Click the Anti-Malware Protection Module in the left-hand frame. Click Edit for the Malware
Scan Configuration called Classroom Scan Configuration.
5. Click Enable Predictive Machine Learning and click OK. The Classroom policy is updated with
the new Malware Scan Configuration settings and computers using this policy will inherit
these new settings.
7. In a Web browser, click the bookmark to access the Detections Web site, or enter the
following URL: http://detection.trend.local
8. Click malware sample in the Predictive Machine Learning Detection section to download the
malware sample.
10. To verify the corresponding events, return to the Deep Security Manager Web console in the
VM-SERVER-02 virtual machine. Locate SERVER-03 in the Computers list and double-click to
open Details.
12. To view malware events for the entire system, click Events & Reports. In the left-hand frame,
expand Events, then click Anti-Malware Events. All the malware-related events for all
computers will be displayed. At this point in our exercises, the only malware events that have
occurred have been on the SERVER-03 computer.
1. In the virtual application, click the VM-SERVER-02 virtual machine, and sign in to the Deep
Security Manager Web console as the Master Admin.
2. In the Deep Security Manager Web console, click the Policies menu. Locate and double-click
the Classroom policy to open the Details windows.
3. Click the Web Reputation Protection Module in the left-hand frame and set the following:
General tab:
Advanced tab:
• Alert: Yes
5. Deep Security Manager will now deploy the Web Reputation Protection Module to Deep
Security Agents using this policy. This may take a few moments. While the installation is in
progress, the Task column for SERVER-03 (a computer using the Classroom policy) will display
Sending Policy. Once the Task column clears, proceed to the next step.
6. Click the Events & Reports menu. Expand Events and click System Events in the left-hand
pane and note the entries for the update of the Deep Security Agent on SERVER-03. Double-
click the entry to view the Details.
2. Open Internet Explorer (do not use Google Chrome) on the SERVER-03 computer, and
attempt to access the following links:
wrs91.winshipway.com (should be allowed)
4. Still on the VM-SERVER-03 computer, double-click the Deep Security Notifier and open the
console. Click View Events. Click the Web Reputation Events tab to display the web
reputation events for the web sites you accessed earlier.
5. Back in the Deep Security Manager Web console, click the Computers tab, and locate and
double-click the SERVER-03 computer.
1. In the virtual application, click the VM-SERVER-02 virtual machine, and log in to the Deep
Security Manager Web console.
2. Click the Computers menu. Locate and double-click the SERVER-01 computer to open the
Details window.
3. Click the Firewall Protection Module from left-hand pane and click the General tab. Click Scan
For Open Ports.
4. Once the task is complete, open the computer Details to view the results.
Take note of the open ports that are found. Port 4118 is identified as open. This port is used
by Deep Security Manager to communicate with Deep Security Agents and is enabled by
default during setup.
1. Still on the Details page for the SERVER-01 computer in the Deep Security Manager Web
Console, click the Firewall Protection Module and set the Configuration to On. Click Save
and Close.
2. Since this module was not already enabled, Deep Security Manager installs the Firewall
module for this Deep Security Agent. The Task column for the computer will display Sending
Policy.
Wait for the Firewall module installation to complete and the Task column to clear.
3. On the SERVER-02 computer, open the Command Prompt and type the following telnet
command to connect to port 80 on the SERVER-01 computer: telnet 192.168.4.1 80
The connection should be accepted and a blinking cursor will be displayed as no rules are
blocking the connection at this point.
1. Back in the Deep Security Manager Web console, click the Computers menu. Locate and
double-click the SERVER-01 computer to display the Details page.
2. Click the Firewall Protection Module. On the General tab, click Assign/Unassign in the
Assigned Firewall Rules section.
Click OK.
7. From the SERVER-02 computer, attempt the telnet command once again to the SERVER-01
on port 80. The connection should fail as the Firewall rule is blocking the connection.
1. On the Details page for the SERVER-01 computer in the Deep Security Manager Web
console, click the Firewall Protection Module. On the General tab, click Assign/Unassign.
4. Wait for the Task column to clear then attempt to telnet to port 80 on the SERVER-01
computer once again. The connection should be allowed once again.
5. Before proceeding to the next lab, disable the Firewall Protection Module on SERVER-01.
6. Once the Task column clears, click Preview for the SERVER-01 computer and confirm that
Firewall protection is off.
1. In the virtual application, click the VM-SERVER-02 virtual machine, and log into the Deep
Security Manager Web console as the Master Administrator.
2. Click the Computers menu. Locate and double-click the SERVER-04 computer.
3. In the left-hand frame, click the Intrusion Prevention Protection Module. On the General tab
in the Recommendations section, set Automatically implement Intrusion Prevention
Recommendations (when possible) to Yes and Save. Click Scan For Recommendations.
5. While the scan is running, click Settings in the left-hand frame of the Details window. On the
General tab, set Perform Ongoing Recommendation Scans to Yes and the Ongoing Scan
Interval to 3 Days and click Save.
This list will be refreshed based on the assigned Ongoing Scan Interval setting. Any new rules
released by Trend Micro will be applied to the machine when the scan is run again and any
rules no longer needed (for example, if the vendor patches the vulnerable operating system
or application) will be flagged for removal. You can view these by selecting the
Recommended for Un-assignment list and deselecting the items displayed.
Note that the recommended rules are not yet being enforced since the Protection Module
Configuration is not yet enabled.
1. Still on the General tab for the Intrusion Prevention Protection Module, click Assign/Unassign
and locate rule 1005924 - Restrict Download of EICAR Test File Over HTTP.
3. On the General tab, set the Configuration to On and the Intrusion Prevention Behavior to
Prevent. Click Save, and Close.
The Protection Module is installed on the SERVER-04 computer.
1. Still logged into the Deep Security Manager Web console, click Computers and hover your
mouse over the SERVER-04 computer. Click Preview and confirm that the Intrusion Prevention
Protection Module is On and enforcing the rules.
3. In a Web browser on the Windows Server 2019 computer, type the following URL to access
the EICAR web site: https://www.eicar.org/?page_id=3950
4. In the Download section, click the eicar.com link to attempt to download the test file.
5. Return to the VM-SERVER-02 virtual machine. In the Deep Security Manager Web Console,
return to the Computers list and double-click the SERVER-04 computer to display its Details.
6. Click the Intrusion Prevention Protection Module in the left-hand frame and click the Intrusion
Prevention Events tab.
7. Events related to the EICAR test file download being blocked should be displayed. You may
need to click Get Events.
1. Open to the VM-SERVER-02 virtual machine, and log into the Deep Security Manager Web
console.
2. Click the Policies menu and locate and double-click the Classroom policy to open Details.
3. Click the Intrusion Prevention Protection Module. On the General tab, set the Intrusion
Prevention State to On and click Save.
4. Click Assign/Unassign in the Assigned Intrusion Prevention Rules section. In the IPS Rules list,
click Application Traffic from the first drop-down list to filter the list.
Click Close.
NOTE: By default, the mode for this rule is set to Detect Only. Initially, traffic will not be
blocked, just logged.
7. The Task column for the SERVER-03 computer (which uses the Classroom policy) displays
Sending Policy.
8. Once the Task column clears, switch to the VM-SERVER-03 virtual machine.
9. Open Internet Explorer on SERVER-03 and attempt to visit the following Web site:
wrs71.winshipway.com
What is the result? _________________________________________________________
11. Return to the VM-SERVER-02 virtual machine. Back in the Policy details for Classroom and
click the Intrusion Prevention Protection Module in the left-hand frame. Right-click the
Internet Explorer rule and select Properties. This will modify the properties for this instance
of the rule.
13. Once the security update is complete and the Task column for the computer clears, return
to the VM-SERVER-03 virtual machine.
Open Internet Explorer and attempt to visit the same Web site as in the previous step. What
is the behavior this time? ______________________________________________
Open a different browser and attempt to access the Web site. What is the behavior this time?
_________________________________________________________
15. As you may want to use Internet Explorer on this Windows 2012 Server later in the course,
disable the Internet Explorer rule from the Classroom policy.
NOTE: By prefixing the rule name with a numerical value such as 1000000, it will appear at the
top of the Integrity Monitoring Rules list.
7. Click OK again to close the rules window. Ensure that the 1000000 - IM file test rule is enabled
and close Details.
9. Click Preview for SERVER-03 and ensure that Integrity Monitoring is on and one rule is in
place.
1. Return to the VM-SERVER-03 virtual machine and locate the file created earlier: C:\IM
Test.txt
2. Open the file and make a change to the content. Save and close the file.
3. Return to the Deep Security Manager Web console on the VM-SERVER-02 virtual machine
and click the Computers menu.
4. Locate and double-click the SERVER-03 computer to open the Details screen. Click Integrity
Monitoring from the left-hand pane.
5. Click the Integrity Monitoring Events tab and click Get Events to refresh the list. Deep Security
Manager will contact the Deep Security Agent on this computer to retrieve Events. Events
related to the changes to the monitored file should be displayed.
1. Still in the Deep Security Manager Web console, return to the Details for the SERVER-03
computer.
4. The Task column for SERVER-03 displays Sending Policy and Baseline Rebuild In Progress.
2. Click Start > Administrative Tools > Services. In Windows Services, stop the Print Spooler
service.
3. Return to the VM-SERVER-02 virtual machine and in Deep Security Manager Web console
click the Computers menu. Locate and double-click the SERVER-03 computer to open its
Details.
1. In the virtual application, click the VM-SERVER-02 virtual machine, and log into the Deep
Security Manager Web console as MasterAdmin.
2. Click the Computers menu and double-click the SERVER-04 computer to open its Details.
Click Application Control in the left-hand frame and set the following:
5. Hover the mouse over the SERVER-04 computer in the list and click Preview to confirm that
Application Control is being applied.
2. Open the Lab Files folder on the Windows Server 2019 desktop and locate the file called
WinMD5.exe. Drag the file to the Windows Server 2019 desktop.
Click OK if prompted with a warning message.
NOTE: The WinMD5.exe file must be dragged from the Shared folder to the Windows Server
2019 desktop. Application Control will not block files that are executed from a remote folder
or other removable media like a USB stick.
5. Return to the VM-SERVER-02 virtual machine and in the Deep Security Manager Web console,
click the Computers menu. Locate and double-click the SERVER-04 computer to open its
Details.
6. Click Application Control in the left-hand frame and click the Application Control Events tab.
Click Get Events.
7. An Execution of Unrecognized Software Blocked entry should be displayed in the list. Double
click to view the details of the event, then close the viewer window.
8. In the list of Application Control Events, click Change rules in the Rules column.
10. The ruleset for this computer is updated and the Tasks column displays Application Control
Ruleset Update in Progress. Wait until this message clears before proceeding.
11. Return to the VM-SERVER-04 virtual machine and attempt to launch the WinMD5.exe
application once again. Since the ruleset was changed to allow the new application, it should
start. Click Exit to close the application.
1. In the virtual application, click the VM-SERVER-02 virtual machine, and log into the Deep
Security Manager Web console as MasterAdmin.
2. Click the Policies menu. Locate and double-click the Classroom policy to open its Details.
3. In left-hand menu, click Log Inspection. On the General tab, set the Log Inspection State to
On and click Save.
4. Click Assign/Unassign and use the search to locate the Log Inspection rule called 1002795 -
Microsoft Windows Events. Click to enable the rule then click OK.
7. The Task column for the computers using the Classroom policy will display Sending Policy.
5. The Security log is cleared and will display a single log entry containing details of the log
being cleared.
7. Return to the Deep Security Manager Web console on the VM-SERVER-02 virtual machine.
Locate and double-click the SERVER-03 computer to open its Details.
8. From the left-hand pane, click Log Inspection Protection Module and click the Log Inspection
Events tab. An event related to the Security log being cleared is displayed.
If the events are not displayed, click Get Events and wait for the Deep Security Manager to
contact the Agent to retrieve events.
1. Return to the Computers menu and double-click the SERVER-03 computer to open its Details
once again.
3. The scan will be initiated on the SERVER-03 computer. The Task column for the computer
will display Scanning for Recommendations. This process may take a few minutes to
complete.
To apply any of the recommended rules, click to enable the rules from the list. Click Cancel
without applying any of the recommendations, and close Details.
1. Open the VM-SERVER-02 virtual machine and open the Apex Central Web Management
console by typing the following URL, or by clicking the bookmark on the browser toolbar:
https://server-03.trend.local:4343/WebApp/Login.html
4. Select Deep Security from the Server Type list and click Add a product.
1. Still in the Apex Central Web Management console, click Administration > Managed Servers
> Server Registration.
2. Select Deep Discovery Analyzer from the Server Type list and click Add a product.
3. Type the details of the Deep Discovery Analyzer device as follows and click Save.
Server: https://192.168.4.5
Display name: Analyzer
User name: Admin
Password: Admin1234!
1. In the Apex Central Web Management console, click Directories > Products and click
Directory Management.
4. Expand the New Entity folder. Drag Analyzer from the New Entity folder to the newly created
Trend Micro Servers folder.
6. Drag the Deep Security device from New Entity folder to the Trend Micro Servers folder.
When prompted, click OK to acknowledge the move.
Deep Discovery Analyzer and Deep Security should be displayed in the Trend Micro Servers
folder.
1. Return to the Deep Security Manager Web console and click the Administration menu. In the left-
hand pane, expand System Settings and click the Connected Threat Defense tab. In the
Connected Threat Defense section, click Enable submission of suspicious file to Deep
Discovery Analyzer.
NOTE: Automatic Submission to Deep Discovery Analyzer occurs every 15 minutes and will
submit a maximum of 100 files per submission.
Click Use the Deep Discovery Analyzer associated with the Apex Central that Deep Security is
registered with.
2. Click Add/Update Certificate to update to the correct Deep Discovery Analyzer certificate.
Click Close.
5. Click Add/Update Certificate to update to the correct Apex Central certificate. Click Close.
7. Click Save.
Create a Malware Scan Configuration & submit a file to Deep Discovery for Analysis
In this exercise, a malware scan configuration will be modified to allow Deep Security to submit
suspicious objects to Deep Discovery Analyzer for further analysis.
1. In Deep Security Manager, click the Policies menu. In the left-hand pane, expand Other >
Common Objects > Malware Scan Configurations.
3. Still in the Deep Security Manager Web console, click the Policies menu and double-click the
Classroom policy.
4. Click the Anti-Malware protection module and click the Connected Threat Defense tab.
Ensure that Submit files identified as suspicious... and Use Apex Central’s Suspicious Object
List are both set to Yes.
6. Click the Anti-Malware protection module in the left-hand pane, then click the Identified Files
tab.
7. Locate l1-1.doc file that was captured as malware in a previous lesson. Click the entry to
highlight and click Analyze.
8. Follow the steps in the wizard by clicking Next. Submission of the file will be confirmed.
9. Log into the Deep Discovery Analyzer Web Management console by entering the following
URL in a web browser, or by clicking the bookmark in the browser: https://192.168.4.5
11. Verify that the file has been submitted by Deep Security by clicking Virtual Analyzer
> Submitters. Deep Security should be displayed as the submitter of the object.
12. Click Virtual Analyzer > Submissions. On the Processing tab, verify that the l1-1 [1].doc file is
being processed by the Analyzer under today's date. There will be some delay before the
file is forwarded from Deep Security Manager and processing of the file by Deep Discovery
Analyzer begins.
14. Click Virtual Analyzer > Suspicious Objects and verify that the object is now visible in the list. To
uniquely identify the object, the hash will be displayed instead of the file name.
16. Click to select the object in the list and click Configure Scan Action.
18. When prompted, confirm the application of the scan action. Click Apply Scan Action.
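Steps 14 to 18 rest on two ideas: a suspicious object is identified by its file hash, not its name, and each object carries the scan action configured for it. The added example below models that lookup (it is not Trend Micro code; SHA-1 as the hash, the action names and the sample file contents are assumptions).

```python
"""Models how a Suspicious Object List entry is matched and acted on: objects
are keyed by file hash rather than file name, and each carries its configured
scan action. Added example; entries and file contents are constructed."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

class ScanAction(Enum):      # action names are an assumption for this example
    LOG = "log"
    BLOCK = "block"
    QUARANTINE = "quarantine"

@dataclass(frozen=True)
class SuspiciousObject:
    sha1: str                # the hash identifies the object, not its name
    action: ScanAction
    source: str              # where the verdict came from, e.g. the Analyzer

def file_hash(content: bytes) -> str:
    return hashlib.sha1(content).hexdigest()   # SHA-1 is an assumption here

class SuspiciousObjectList:
    def __init__(self) -> None:
        self._by_hash: Dict[str, SuspiciousObject] = {}

    def add(self, obj: SuspiciousObject) -> None:
        self._by_hash[obj.sha1.lower()] = obj

    def configure_scan_action(self, sha1: str, action: ScanAction) -> None:
        """Counterpart of 'Configure Scan Action' for an object already listed."""
        old = self._by_hash[sha1.lower()]
        self._by_hash[sha1.lower()] = SuspiciousObject(old.sha1, action, old.source)

    def scan(self, content: bytes) -> Optional[ScanAction]:
        """Hash the file and return its configured action, or None if unknown."""
        match = self._by_hash.get(file_hash(content))
        return match.action if match else None

# Constructed sample standing in for the l1-1.doc object from the lab.
MALICIOUS_DOC = b"constructed sample content standing in for l1-1.doc"
BENIGN_DOC = b"quarterly report, nothing suspicious"

def build_lab_list() -> SuspiciousObjectList:
    sol = SuspiciousObjectList()
    sol.add(SuspiciousObject(file_hash(MALICIOUS_DOC), ScanAction.LOG, "Analyzer"))
    sol.configure_scan_action(file_hash(MALICIOUS_DOC), ScanAction.QUARANTINE)
    return sol
```

A renamed copy of the sample hashes identically, so it receives the same action, while any change to the content produces a hash the list does not know.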