Trend Micro Deep Security 8 \ vShield Endpoint EPSEC and UNC\SMB Scanning


‘Another day another dollar’…. no no that’s not quite right…

‘Another day another Deep Security issue.’

Next up is Deep Security and UNC\SMB Scanning. This isn’t exactly Deep Security’s fault as this is another limitation of the vShield EPSEC driver.

Executables that are accessed via a SMB share will loop and need to be manually killed. This is a known limitation of the EPSEC driver as disccused in Trend Micro KB1059280.

In our case one of our applications was launching an executable from a UNC path which was crashing. We couldn’t figure out why but unmanaging the virtual machine fixed the problem.

It is relatively easy to fix this problem, but it does leave you exposed.

The EPSEC driver does not support exclusions of a particular server name, i.e. \\servername, nor can you exclude a directory on the server nor can you exclude a specific file even if you know the name. The only way to fix this problem is to exclude all UNC paths\SMB scanning, by updating your security policy and adding the exclusion ‘\\’ to your Directory exclusion list.

Even unticking ‘Scan Network Drives’ from within Trend has no effect. This has been raised as an incident and I am yet to hear back from Trend Micro.

I have been assured by VMware this will be resolved in vShield 5.1 released in Q4 2012.

vShield Endpoint Driver BSOD issue


The vShield Endpoint driver is back in the bad books this week.

Looks like it is now causing our virtual machines to blue screen. grrrrr

If its not an issue with Trend Micro Deep Security, its an issue with vShield Endpoint!

This affected our Citrix Xenapp Provisioned Services Servers quite severely. They were blue screening every day. This has only affected one of our standard virtual machines – a file server crashed during the day the other week.

This will affect anyone using the latest officially released vShield driver 5.0.0.1 build-652273 and older versions.

This issue is confirmed by VMware to be fixed in a new version of the vShield Endpoint driver 5.0.0.2 build-813867 — another reason to contact VMware  to get your hands on this driver as it has not been officially released yet.