Trend Deep Security Warning Message ‘Machine was unprotected during move from one esx host to another’


I wanted to post some more information on this Trend DS error message – ‘Machine was unprotected during move from one esx host to another’ as it seems to come up regularly.

The description of the error message is, ‘a virtual machine was moved to an ESX that does not have an activated Deep Security Virtual Appliance.’

In essence this warning message is saying that the ESXi host you vMotioned your VM to is not currently protecting the virtual machine.

This can be because there is no virtual appliance on the target ESXi host, or because the Trend Virtual Appliance on that host is not offering Anti Malware protection, is not Activated or is Offline.

This error message will not show for unactivated virtual machines — A virtual machine has to be activated to generate this error message.

There is a known bug with this error message too – even though your VM is being protected by the appliance, the error message is always reported as an Agent error. Apparently Trend are working on this.

Back to the error message: When you receive this error message, what is the next step?

Trend is a complicated beast – an appliance can have issues for a number of reasons, and what you need to figure out is whether the fault lies with the appliance or with one of its dependencies. It could be something as basic as the appliance dropping off the network, losing connectivity back to the DSM or to the vShield Endpoint VMkernel port, or possibly it's no longer activated (not registered as a security appliance in vShield Manager).

If you get this warning message, open the virtual appliance for the host that the VM is currently residing on and first ‘Clear Warnings/Errors’ so you remove any old status/error messages, then run ‘Check Status’ to see if there are any new issues. If there are errors reported on the appliance, try to resolve them by following the patented ‘Trend DS Virtual Appliance Health Check’ below.

My main bugbear with Trend is that it is too complicated and it does not report its current state accurately and concisely. When I run a Check Status I want to know exactly what is going on. It would be most useful to have a health check screen on the appliance where the health check tests I mention below in the article are run sequentially in full view for the benefit of the administrator. Issues could be highlighted immediately and it would give us confidence that the appliance and its dependencies are all configured correctly, rather than having to check all the different components individually.

For example if you check the status of your appliance and it reports back that it is Managed and Online you would expect it to be managed, online and offering anti malware protection. In my testing after I changed the vShield VMkernel IP address on my ESXi host from 169.254.1.1 to 169.254.1.2, so the appliance could not offer anti malware protection, I ran a Check Status and the virtual appliance would still report that it was managed, online and offering anti malware protection.

On the plus side, when I migrated a VM to the ESXi host with the misconfigured VMkernel port, the warning message was still generated that the VM is unprotected. What this shows is that this error message is symptomatic of an underlying issue with your virtual appliance or ESXi host. While the issue may not be immediately noticeable because the DSM reports that all is well, you should dig deeper following the ‘Trend DS Virtual Appliance Health Check’ below.

Bottom line — You cannot fully trust the DSM when you notice this error message. The only way to verify for sure that the appliance is actually working or not would be to drop the EICAR virus on the VM to confirm whether anti malware protection is working.

‘Trend DS Virtual Appliance Health Check’:

  1. Synchronise your Virtual Center(s) in Trend DSM
  2. Confirm your credentials for VVC and vShield are up to date
  3. Confirm filter driver is installed on ESXi host via Trend DSM
  4. Confirm vShield driver is installed on ESXi host via vShield Manager
  5. Confirm Trend Appliance is registered as Security VM with vShield Manager
  6. Confirm the appliance is in the correct VLAN
  7. Confirm the appliance network configuration is correct
  8. Confirm you can ping the Appliance from the DSM.
  9. Confirm the VMkernel IP address for vShield Endpoint is correct on ESXi host – 169.254.1.1

and if nothing works follow my last resort:

10. Deactivate and reactivate the appliance

And if that fails…. Follow the blocksandbytes ‘Triple D’ process:

11. Deactivate, Delete and Deploy the appliance.
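
Step 9 of the health check is the one the DSM did not flag in the test described above, so it is worth checking on the host itself. The script below is an added example, not part of the original post or of any Trend or VMware tooling: it reads the table printed by `esxcli network ip interface ipv4 get` (assumed to be run in the shell of an ESXi 5.x host) and reports whether a VMkernel interface carries 169.254.1.1. The function name and the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the vShield Endpoint VMkernel address (health check step 9).
# Usage on a host:  esxcli network ip interface ipv4 get | check_endpoint_vmk

EXPECTED_IP="169.254.1.1"   # address the post gives for the vShield Endpoint vmk

# check_endpoint_vmk (hypothetical helper): reads the esxcli table on stdin.
# Exit 0 = expected address present, 1 = link-local vmk with a different
# address (the 169.254.1.2 case from the post), 2 = no link-local vmk at all.
check_endpoint_vmk() {
    awk -v want="$EXPECTED_IP" '
        $1 !~ /^vmk/ { next }                  # skip header and separator rows
        $2 == want   { ok = $1 }
        $2 ~ /^169\.254\./ && $2 != want { bad = bad " " $1 "=" $2 }
        END {
            if (ok != "")  { print "OK: " ok " has " want; exit 0 }
            if (bad != "") { print "MISCONFIGURED:" bad " (expected " want ")"; exit 1 }
            print "MISSING: no VMkernel interface in 169.254.0.0/16"; exit 2
        }'
}

# Constructed sample tables (not captured from a real host).
sample_good() { cat <<'EOF'
Name  IPv4 Address  IPv4 Netmask   IPv4 Broadcast  Address Type  DHCP DNS
----  ------------  -------------  --------------  ------------  --------
vmk0  10.0.0.11     255.255.255.0  10.0.0.255      STATIC           false
vmk1  169.254.1.1   255.255.255.0  169.254.1.255   STATIC           false
EOF
}

sample_bad() { cat <<'EOF'
Name  IPv4 Address  IPv4 Netmask   IPv4 Broadcast  Address Type  DHCP DNS
----  ------------  -------------  --------------  ------------  --------
vmk0  10.0.0.12     255.255.255.0  10.0.0.255      STATIC           false
vmk1  169.254.1.2   255.255.255.0  169.254.1.255   STATIC           false
EOF
}

# Demo run against the constructed samples; non-zero results are expected here.
for s in sample_good sample_bad; do
    "$s" | check_endpoint_vmk || true
done
```

A non-zero exit on a host where the DSM still shows the appliance as Managed and Online matches the misreporting described earlier in the post.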

When I’m being lazy and I know the config hasn’t changed I will Deactivate and reactivate the appliance immediately. What I find with Trend is that as long as your environment is static, Trend will continue to stay Green, but if your environment is fairly dynamic and hosts are being rebooted, VMs are being built and vMotioned, you are performing SRM fail overs and fail backs, etc. it struggles to keep up with environment changes.

Every week I have to try and figure out why virtual machines are unhappy and do not have anti-malware protection. Hopefully this will help others stay on top of Trend DS 8.


9 responses to “Trend Deep Security Warning Message ‘Machine was unprotected during move from one esx host to another’”

  1. Thank you for sharing your experiences and resolutions regarding Deep Security. Your posts on Deep Security are much more relevant, clear and helpful than anything I have found in the Trend Communities, Trend website or its documentation.

    • Thanks for the positive feedback Dave. Good to know it makes sense!

      Trend Deep Security makes up such a small part of our environment but consumes a disproportionately large amount of my time! I’ve learnt the hard way through 4x reinstallations, 2x upgrades and countless hours of troubleshooting.

      I think only now I am beginning to get a handle on it. Hopefully with a few more posts others will too.

  2. “changed the vShield VMkernel IP address on my ESXi host from 169.254.1.1 to 169.254.1.2”

    That is not a daily admin operation, so why do that? Certain parameters are required for install and should not be modified.

    Once the Appliance is deployed, operations are quite normal as long as:
    1. Appliance does not vmotion to another host: either with a DRS rule or use local storage.
    2. Set appropriate “VM created” or “VM vmotioned” tasks with Deep Security, to ensure that VMs are protected on the hosts as they move or are created.

    • I changed the IP address to determine what could be causing the deep security warning message, ‘machine was unprotected during move from one esx host to another’. It is not always clear to me why this message has occurred, when I cannot see any obvious health issues with my environment.

      Without knowing all the potential causes of the warning message it would be impossible to try and write a step by step plan to stop the warning message from reoccurring.

      While it is not a ‘daily admin operation’, this warning message could be occurring for other Trend administrators immediately after the installation of Trend and they would now hopefully be able to identify this misconfiguration.

    • ‘Once the Appliance is deployed, operations are quite normal’ – This is far from my experience. I wish this were true.

      I currently have three hosts in maintenance mode because I cannot figure out why the Trend appliances stopped offering anti-malware protection. Migrate VMs off the host, they are protected, migrate onto the hosts they are not protected. I have as a last resort deleted, re-deployed and activated the appliances and virtual machines are still not being given anti-malware protection. So I have given up and put the hosts in maintenance mode.

      You need to understand your client base – the majority of your customers are not Trend DS specialists and neither do we want to be Trend DS specialists. All we want is an AV product that offers robust anti-malware protection with minimum fuss and disruption to our enterprise environment. Trend DS doesn’t offer that yet.

  3. Hello,

    I got the same error in my DS Dashboard:

    “Machine was unprotected during move from one esx host to another”

    Thanks for the tip:

    2. Set appropriate “VM created” or “VM vmotioned” tasks with Deep Security, to ensure that VMs are protected on the hosts as they move or are created.

    Sometimes admins have to read the f… manual to the end (or Page 577) 😉
