Trend Micro Deep Security Agent Support Tool GUI Version

Run the Trend Micro Deep Security Agent Support Tool (GUI version) with administrator permissions.

Module state

  • Use the current tool version, which carries the latest build.
  • Each version has a validity period; updated builds are published regularly in the Solution Center. If the version you are running has expired, the UI displays:

    "This version of the program is Expired. Please request for newer version."

This tab shows the current status of the Deep Security Agent (DSA).

  • Software: Indicates whether DSA is installed on this computer.
  • Version: Indicates the installed DSA version number.
  • Services Status: If DSA is installed, indicates whether the DSA service is running or stopped.
  • Debug Mode: Indicates whether debug-level logging is enabled.
  • Self-Protection: Indicates whether self-protection is enabled or disabled. Debug logging for some modules cannot be enabled while self-protection is on, so disable it first if such a module needs debugging.
  • Press the Other Item button to check the status of specific module features.

  • Under "Debug Items", the AMSP debug level is selected by default. Select additional items if the case requires them.

  • Use "Enable Debug logging" / "Disable Debug logging" to turn debug logging on or off.

  • Press the Collect Data button to generate a diagnostic package.

After the collection, there are three items in the same folder as the tool:

  • A ZIP file named like "DSTool-PRODUCT-20211014-112342-[WIN-K2EK8NG8KJF].zip". This is the collection package, containing the diagnostic package and other necessary information.
  • A TXT file with the same base name, e.g. "DSTool-PRODUCT-20211014-112342-[WIN-K2EK8NG8KJF].txt". It contains the SHA256 value of the ZIP file; compare it with the hash of the ZIP before uploading the package, so that a truncated or altered upload is caught.
  • A "logs" folder that stores temporary files and the tool's own log (temporary files are removed when the collection finishes).
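The check a practitioner should run before sending the package, as an added PowerShell example (not code from the support tool): it reads the SHA256 from the companion TXT and compares it with the hash of the ZIP. The layout of the TXT file is an assumption (the first 64-hex-digit token is taken as the hash), and the script is assumed to be run from the tool's folder with the ZIP name as its argument.

```powershell
# Added example, not the support tool's code: verify the collection ZIP against the SHA256
# recorded in the companion TXT before uploading it to support.
# Assumed: the TXT sits next to the ZIP with the same base name and contains the hash as a
# 64-hex-digit token somewhere in its text.
param(
    [Parameter(Mandatory)][string]$ZipPath   # e.g. .\DSTool-PRODUCT-20211014-112342-[WIN-K2EK8NG8KJF].zip
)

function Test-DsToolPackage {
    param([Parameter(Mandatory)][string]$ZipPath)

    $txtPath = [IO.Path]::ChangeExtension($ZipPath, '.txt')
    foreach ($p in @($ZipPath, $txtPath)) {
        # -LiteralPath: the package names contain [ ] which PowerShell treats as wildcards otherwise.
        if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
    }

    # Pull the first 64-hex-digit token out of the TXT (file layout is an assumption).
    $txt = Get-Content -LiteralPath $txtPath -Raw
    $m   = [regex]::Match($txt, '(?i)\b[0-9a-f]{64}\b')
    if (-not $m.Success) { throw "No SHA256 value found in $txtPath" }
    $expected = $m.Value.ToLowerInvariant()

    $actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash.ToLowerInvariant()

    [pscustomobject]@{
        Zip      = $ZipPath
        Expected = $expected
        Actual   = $actual
        Match    = ($expected -eq $actual)
    }
}

$result = Test-DsToolPackage -ZipPath $ZipPath
$result | Format-List
if (-not $result.Match) {
    Write-Error 'SHA256 mismatch: the package was altered or truncated after collection. Re-run Collect Data.'
    exit 1
}
```

Note the -LiteralPath parameters throughout: the package names contain square brackets, which PowerShell interprets as wildcard characters, so Get-FileHash -Path or Test-Path -Path would report the file as missing.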

As a best practice, collect logs in this order:

  1. Enable Debug log.
  2. Reproduce the issue.
  3. Disable Debug log.
  4. Collect Data.

The performance collection has two parts. The left side of the UI is Process Monitor log collection; the right side is Windows Performance Recorder (WPR) log collection.

You may choose automatic collection with a timer (suggested) or manually start and stop the collection.

  • Process Monitor

    Because Microsoft does not allow third-party software to bundle Process Monitor, you need to download it yourself or point the tool to an existing copy.

    • Use the "Download Process Monitor" button to download it.

      If the environment can connect to the Internet, press Download Process Monitor to download the software. The default download path is the folder the tool runs from.

      After downloading, the tool points to this Process Monitor path by default and you can start Process Monitor log collection.

    • Select an existing Process Monitor.

      You can also select an existing copy of Process Monitor via the "Change Path" option, which imports Process Monitor from the specified path.

      Whichever method you use, the tool verifies the digital signature of the specified Process Monitor executable. Only after the signature passes verification does the tool run Process Monitor in the background according to your options.

    • Change altitude of Process Monitor

      In cases where Process Monitor needs to have higher altitude to collect logs, you may check this option. Please refer to the Microsoft Tech Community article: Change Altitude of Process Monitor (ProcMon).

    You may encounter the following error:

    "Unable to load Process Monitor device driver."

    This error can occur on an older Windows version that does not support SHA-2 (SHA256) code signatures.

    Update Windows: newer Process Monitor releases are signed only with SHA-2, so the driver cannot load on a system without SHA-2 code signing support.

    For further information, refer to the Microsoft article "2019 SHA-2 Code Signing Support requirement for Windows and WSUS".

    To reduce the number of events Process Monitor collects (and the size of the log file), the tool loads a local Process Monitor configuration if one exists in the same folder as the tool. To create it:

    1. In Process Monitor, create a filter that matches only the events you need to monitor.
    2. Enable the option "Drop Filtered Events".
    3. In the File menu, choose "Export Configuration..." and save the file as "ProcmonConfiguration.pmc".
    4. Copy the configuration file to the tool's folder and start the process monitoring.

    This is useful for issues such as "file access violation" that are not always reproducible and occur at random, where a long unfiltered capture would be too large.
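An added PowerShell example (not the support tool's own code) of the signature check described above, followed by a timed background capture that also loads ProcmonConfiguration.pmc when it is present, i.e. the filtered capture set up in the steps above. The signer name pattern, the capture length and the file names are assumptions; Procmon.exe is assumed to be in the script's folder.

```powershell
# Added example, not code from the support tool: verify Process Monitor's Authenticode signature
# and signer before running it, then run a timed background capture, loading the filtered
# configuration file if one sits next to the script.
# Assumed: Procmon.exe is in the script folder, and Microsoft-signed Sysinternals binaries carry
# "CN=Microsoft Corporation" in the signer subject.
param(
    [int]$CaptureSeconds = 60,                          # assumed capture length
    [string]$ExpectedSigner = 'CN=Microsoft Corporation' # assumed signer pattern
)

$base    = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }
$procmon = Join-Path $base 'Procmon.exe'
$config  = Join-Path $base 'ProcmonConfiguration.pmc'
$backing = Join-Path $base ('procmon-{0:yyyyMMdd-HHmmss}.pml' -f (Get-Date))

function Test-ProcmonSignature {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$SignerPattern)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Process Monitor not found: $Path" }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = $signer
        # Both conditions matter: a Valid status alone only proves that *someone* signed the file.
        Ok     = ($sig.Status -eq 'Valid') -and ($signer -like "*$SignerPattern*")
    }
}

$check = Test-ProcmonSignature -Path $procmon -SignerPattern $ExpectedSigner
$check | Format-List
if (-not $check.Ok) {
    throw "Refusing to run $procmon (status '$($check.Status)', signer '$($check.Signer)')."
}

# Signature verified. Build the Process Monitor command line: accept the EULA silently, run
# minimized without UI prompts, and write events to a backing file instead of the page file.
$procmonArgs = @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$backing`"")
if (Test-Path -LiteralPath $config) {
    # Apply the exported filter with "Drop Filtered Events" so only the selected events are recorded.
    $procmonArgs += @('/LoadConfig', "`"$config`"")
}

Start-Process -FilePath $procmon -ArgumentList $procmonArgs | Out-Null
Start-Sleep -Seconds $CaptureSeconds
# A second Procmon instance started with /Terminate stops the running capture and flushes the PML.
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait
Write-Host "Capture written to $backing"
```

On a Windows version without SHA-2 code signing support the signature status itself may still read Valid while the driver fails to load with the "Unable to load Process Monitor device driver" error described above; the signature check guards against a tampered or substituted binary, not against a missing OS prerequisite.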

  • Windows Performance Recorder

    Check or uncheck the corresponding checkboxes to choose the WPR profiles. The tool runs WPR in the background with the checked options to collect WPR logs.

    If no WPR installation is detected in the environment, the tool shows an alert with a link that guides you through installing WPR.

  • Automatically compress performance logs

    After performance log collection, a "performance" folder under the tool's path stores the original performance logs. When you quit the tool, it asks whether to compress these files. If you choose to compress, the tool generates a ZIP file and deletes the original "performance" folder.

This tab lists the top 10 scanned files and the top 10 busy processes, that is, the files and processes scanned the most times by the AMSP module (supported only on Deep Security Agent 20). Use it as a quick check to decide whether specific files or processes should be excluded, provided they are trusted and are affecting device performance.

The data on this tab is reset when the AMSP service restarts.

There are two main features under Network Analysis: Network Packet Capture and Network Check. They help you collect packet captures and check connectivity when diagnosing network-related problems.

  • Background

    The tool needs a driver to capture network packets. There are two options, WinPCAP and NPCAP, and the two cannot coexist.

    WinPCAP's advantage is that the tool can install and uninstall it automatically for the duration of the collection. Its disadvantage is poor compatibility, as the project is old and no longer updated.

    NPCAP, on the other hand, has better compatibility and is updated regularly. Its disadvantage is that it has to be installed manually before the tool can use it to capture packets.

    Mechanism

    Because NPCAP and WinPCAP cannot coexist:

    • If the tool detects that the NPCAP or WinPCAP driver is already installed, it uses that driver directly.
    • If the tool detects that neither driver is installed, it installs WinPCAP itself and uninstalls it afterwards.

    Examples:

    • If Wireshark is already installed (newer Wireshark versions use NPCAP, older ones used WinPCAP), the tool uses the existing NPCAP/WinPCAP driver.

    • In a clean environment, the tool installs and later uninstalls the driver. An alert is shown first, because installing a kernel driver is a sensitive operation.

  • Network Packet Capture

    In the "Network Packet Capture" section, use a timer or manually start and stop the capture of network packets on all NICs of the computer. The collection log shows the capture status.

  • Network Check

    Specify a URL or leave the field blank to use the DSM/C1WS URL by default. After you click Check, the tool verifies the network connection between the DSA client and the target URL (DSM/C1WS). The results are shown in the UI.

  • Automatic compression of network logs

    This works the same way as in Chapter 1.2.3: after packet capture and the network check, the original network-related logs are stored in the "Network" folder, and the tool can compress them into a ZIP file.
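A manual equivalent of the Network Check, as an added PowerShell example (not the tool's own code): it resolves the DSM/C1WS host from the URL, tests the TCP port taken from the URL, and reads the certificate the server presents. The URL is an assumed placeholder; the port is whatever the URL specifies (443 when none is given).

```powershell
# Added example, not the support tool's code: a manual connectivity check from the agent host to
# the DSM/C1WS URL. Assumed placeholder URL; replace it with your manager address.
function Test-DsmConnectivity {
    param([Parameter(Mandatory)][string]$Url)

    $u = [uri]$Url                       # host and port are parsed from the URL (443 if omitted)
    $result = [ordered]@{ Url = $Url; Host = $u.Host; Port = $u.Port }

    # 1. Name resolution: a wrong or missing DNS answer is the most common "agent cannot reach DSM".
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($u.Host) | ForEach-Object { $_.ToString() }
        $result['Addresses'] = $addrs -join ', '
    } catch { $result['Addresses'] = "DNS failed: $($_.Exception.Message)" }

    # 2. TCP reachability to the port in the URL (catches firewalls and proxies that drop the connection).
    $tcp = Test-NetConnection -ComputerName $u.Host -Port $u.Port -WarningAction SilentlyContinue
    $result['TcpOpen'] = $tcp.TcpTestSucceeded

    # 3. TLS handshake: show the certificate the server actually presents. Validation is disabled
    #    here on purpose, so that a self-signed or interception certificate is displayed rather
    #    than hidden behind a generic error.
    if ($tcp.TcpTestSucceeded -and $u.Scheme -eq 'https') {
        $client    = New-Object System.Net.Sockets.TcpClient($u.Host, $u.Port)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl       = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($u.Host)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
            $result['TlsProtocol'] = $ssl.SslProtocol
            $result['CertSubject'] = $cert.Subject
            $result['CertIssuer']  = $cert.Issuer
            $result['CertExpires'] = $cert.NotAfter
        } catch { $result['TlsError'] = $_.Exception.Message }
        finally { $ssl.Dispose(); $client.Dispose() }
    }
    [pscustomobject]$result
}

Test-DsmConnectivity -Url 'https://dsm.example.com' | Format-List
```

If CertIssuer shows a corporate proxy CA rather than the certificate the manager itself presents, the connection is being TLS-intercepted; the agent performs its own certificate validation and will not trust such a path, even though the TCP and DNS checks pass.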

  • Check and Fix

    Server & Workload Protection (Trend Vision One Endpoint Security) Pre-check

    This feature performs a pre-check on an endpoint to see whether it meets the Server & Workload Protection environment requirements.

    Navigate to Environment Check > Check and Fix > Server & Workload Protection (V1ES) -PreCheck, then press Start.

    1. Fill in the information.

      • Proxy information
        If your endpoint needs neither a service gateway nor a customized proxy server to reach the Internet (the Trend Vision One backend), leave the proxy options unchecked and empty.
        If your endpoint needs a service gateway to reach the Internet (the Trend Vision One backend), fill in the service gateway FQDN or IP (the default port is 8080) and the service gateway API key.
        Tip 1: You can get the SG API key from the Trend Vision One portal under Workflow and Automation > Service Gateway Management > Manage API Key.

        Tip 2: If your XBC agent has already reported to Trend Vision One, the check result (basic information) shows the Service Gateway registered for XBC (with FPS enabled).

        If your endpoint needs a customized proxy server to reach the Internet (the Trend Vision One backend), enter the proxy FQDN/IP and port. Username and password are optional.

      • Region
        Some users' Trend Vision One endpoints and Server & Workload Protection agents do not belong to the same region. In that case, choose the correct region for each separately.

    2. After entering the correct information, press Start. After a few minutes, you can check the returned results.

      If any check points fail, the UI shows an alert.

    Refer to the appendix for more check points details.

    Server & Workload Protection (Trend Vision One Endpoint Security) Post-check

    This feature performs a post-check on an endpoint to verify the current status of its modules.

    Navigate to Environment Check > Check and Fix >Server & Workload Protection (V1ES) - PostCheck, and press Start.

    It reports the current local status of the Trend Vision One agent and Deep Security Agent (DSA) modules, which provides the information needed when troubleshooting endpoint-side issues.

    Refer to the appendix for more check points details.

    Troubleshooting UMH

    When troubleshooting UMH driver related issues, UMH usually needs to be disabled to isolate the root cause. However, enabling and disabling UMH is difficult for most customers, so this feature was introduced to perform the action faster.
    Navigate to Environment Check > Check and Fix > Troubleshoot UMH, then press Start.

    1. When UMH is currently enabled, the green area shows the "Running" status. You may choose the option to disable UMH.

      When the action is done, the UMH service shows as disabled while AMSP is still running.

    2. When UMH is currently disabled, the red area shows the "Stopped" status. You may choose to enable UMH.

      When the action is done, the UMH service shows as enabled, and both AMSP and UMH are running.

    3. For security reasons, if you exit the tool while UMH is still disabled, an alert is shown.

    4. If you prefer to use the CMD version of the tool, use the following parameters:

       To enable TMUMH:
         "Check and Fix": {"Troubleshoot UMH": {"enableCheck": 1, "enableFix": 1}}
       To disable TMUMH:
         "Check and Fix": {"Troubleshoot UMH": {"enableCheck": 1, "enableFix": 0}}
       Do not use this feature:
         "Check and Fix": {"Troubleshoot UMH": {"enableCheck": 0, "enableFix": 0}}

      For more details, please refer to Chapter: Trend Micro Deep Security Agent Support Tool for CMD Version.

    MS Azure Code Signing Check

    According to this KB article, from mid-February 2023 machines that do not meet the Microsoft operating system requirements are affected. The tool therefore checks the OS version and installed KBs and shows an alert if the current OS does not meet the requirements.

    • Scenario 1: OS version passed the test

    • Scenario 2: OS version failed to pass the test

    Anti-Malware Test - Eicar

    This is a built-in check script that verifies whether the anti-malware real-time scan is working on the agent side.

    When you start this feature, choose a local path that is covered by the DSA real-time scan policy (the CMD version uses "C:\temp\" by default).

    The tool extracts the eicar.com test file to that path and operates on it.

    Because the support tool is signed by Trend Micro, the scanner would skip file operations on eicar.com performed by the tool itself. The write and read of eicar.com are therefore carried out by a Windows scheduled task that the tool creates.

    After waiting a few seconds, the tool checks whether the "eicar.com" file still exists. If it does not, real-time scan has taken effect and removed "eicar.com", and you can check the anti-malware events on the console. If the file still exists, real-time scan might not be working normally.

    Make sure that the chosen path is not in the exclusion list and that anti-malware real-time scan is enabled with an action that removes the file, since the check relies on the file disappearing.
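The same write/read procedure reproduced as a stand-alone PowerShell script, as an added example that is not the support tool's own code. It runs each file operation from a scheduled task rather than from the calling process, exactly so that the operation is not attributed to a trusted signed parent. Assumptions: the target directory is covered by the real-time scan policy, the session is elevated, the task runs as SYSTEM, and the task name is arbitrary.

```powershell
# Added example, not the support tool's code: write and then read an EICAR test file through
# Task Scheduler and check whether the real-time scanner removed it.
# Assumed: $TargetDir is covered by the real-time scan policy, the script runs elevated,
# the scheduled task runs as SYSTEM, and the task name is an arbitrary choice.
param(
    [string]$TargetDir   = 'C:\temp',
    [int]   $WaitSeconds = 10
)

$TaskName = 'EicarTestDSA-Manual'          # assumed name; any unique name works
$FilePath = Join-Path $TargetDir 'eicar.com'

# Standard EICAR test string, split in two so that this script file is not itself detected on disk.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Invoke-ViaScheduledTask {
    # Runs a one-line PowerShell command from Task Scheduler instead of from this process.
    # -EncodedCommand avoids cmd.exe quoting problems with the %, ^, ! and $ characters in the string.
    param([Parameter(Mandatory)][string]$Command)

    $encoded   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand $encoded"
    # Same tweak the tool's log shows: allow the task to run on battery power.
    $settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

    Register-ScheduledTask -TaskName $TaskName -Action $action -Settings $settings `
                           -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName $TaskName
    # Give the task time to run and the real-time scanner time to react before inspecting the file.
    Start-Sleep -Seconds $WaitSeconds
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
}

function Test-EicarStillPresent {
    param([Parameter(Mandatory)][string]$Stage)
    if (Test-Path -LiteralPath $FilePath) {
        Write-Host "[$Stage] $FilePath still exists: real-time scan did not act on the $Stage operation."
        return $true
    }
    Write-Host "[$Stage] $FilePath was removed: real-time scan acted on the $Stage operation."
    return $false
}

New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null

# Steps 1 and 2: write the test file from the scheduled task, then see whether it survived.
Invoke-ViaScheduledTask -Command "[IO.File]::WriteAllText('$FilePath', '$Eicar')"
$presentAfterWrite = Test-EicarStillPresent -Stage 'write'

# Steps 3 and 4: if it survived the write, read it from a scheduled task (scan-on-read policies).
if ($presentAfterWrite) {
    Invoke-ViaScheduledTask -Command "[IO.File]::ReadAllText('$FilePath') | Out-Null"
    $presentAfterRead = Test-EicarStillPresent -Stage 'read'
    # Cleanup: remove the file ourselves if the scanner never did.
    if ($presentAfterRead) { Remove-Item -LiteralPath $FilePath -Force -ErrorAction SilentlyContinue }
}
```

A file that survives both stages means one of three things, in the order worth checking: the path is excluded, real-time scan is off or set to an action that leaves the file in place, or the scanner trusts the writing process. The last case is exactly why the operation is routed through Task Scheduler instead of being done from a signed tool.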

    Example of the tool's output:

    2022-09-26 13:52:01 Starts Executing [AntiMalware Test - Eicar].
    2022-09-26 13:52:01 Detail: Performing Anti Malware test using Eicar test file by writing/reading EICAR.COM at local path.
    2022-09-26 13:52:01 Waiting for input value of path to write/read EICAR.com . . .
    [Step 1] Writing EICAR.com at path [C:\Users\Administrator\Desktop] through scheduled task.
    2022-09-26 13:52:11 Creating scheduled task . . .
    2022-09-26 13:52:11 Successfully created a scheduled task named [EicarTestDSA]
    2022-09-26 13:52:11 Modifying the scheduled task to run even in battery power mode . . .
    2022-09-26 13:52:12 Successfully modify the scheduled task [EicarTestDSA]
    2022-09-26 13:52:12 Running the scheduled task . . .
    2022-09-26 13:52:12 Successfully run the scheduled task [EicarTestDSA]
    2022-09-26 13:52:12 Delete the scheduled task.
    
    [Step 2] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the write operation.
    2022-09-26 13:52:22 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. The AntiMalware module might not be configured to take action during write operation.
    
    [Step 3] Reading the content of C:\Users\Administrator\Desktop\EICAR.com through scheduled task.
    2022-09-26 13:52:27 Creating scheduled task . . .
    2022-09-26 13:52:28 Successfully created a scheduled task named [EicarTestDSA]
    2022-09-26 13:52:28 Modifying the scheduled task to run even in battery power mode . . .
    2022-09-26 13:52:28 Successfully modify the scheduled task [EicarTestDSA]
    2022-09-26 13:52:28 Running the scheduled task . . .
    2022-09-26 13:52:29 Successfully run the scheduled task [EicarTestDSA]
    2022-09-26 13:52:29 Delete the scheduled task.
    
    [Step 4] Checking if C:\Users\Administrator\Desktop\EICAR.com still exists after the read operation.
    2022-09-26 13:52:34 ---> C:\Users\Administrator\Desktop\EICAR.com still exists. The AntiMalware module might not be configured to take action during read operation.
    
    [Cleanup] Remove the test