Trend Micro Deep Security 8 \ vShield Endpoint EPSEC and UNC\SMB Scanning

‘Another day another dollar’…. no no that’s not quite right…

‘Another day another Deep Security issue.’

Next up is Deep Security and UNC\SMB Scanning. This isn’t exactly Deep Security’s fault as this is another limitation of the vShield EPSEC driver.

Executables that are accessed via a SMB share will loop and need to be manually killed. This is a known limitation of the EPSEC driver as disccused in Trend Micro KB1059280.

In our case one of our applications was launching an executable from a UNC path which was crashing. We couldn’t figure out why but unmanaging the virtual machine fixed the problem.

It is relatively easy to fix this problem, but it does leave you exposed.

The EPSEC driver does not support exclusions of a particular server name, i.e. \\servername, nor can you exclude a directory on the server nor can you exclude a specific file even if you know the name. The only way to fix this problem is to exclude all UNC paths\SMB scanning, by updating your security policy and adding the exclusion ‘\\’ to your Directory exclusion list.

Even unticking ‘Scan Network Drives’ from within Trend has no effect. This has been raised as an incident and I am yet to hear back from Trend Micro.

I have been assured by VMware this will be resolved in vShield 5.1 released in Q4 2012.

2 responses to “Trend Micro Deep Security 8 \ vShield Endpoint EPSEC and UNC\SMB Scanning

  1. Yes and this is a real rub for us as we are using Vmware Persona Management which must rely on SMB shares for the docs, temp internet files, desktop, etc. where viruses can often be placed. I will say that with the help of Trend support I did update a Deep Security component and re-enabled smb scanning, which was turned off because it broke everything, and things have been working for the last week. It did successfully pick up eicar on the desktop (albeit after a few days), which actually resides on the smb share. Also, I was able to run executables from the SMB share without any issues. I have a lot to learn about this product and am in the renewal period considering if it is worth it.

  2. I am having the same issue even now with vShield 5.1 and DS version 9 with SP1. Your fix is not working for me, because I am not able to add ‘\\’ exclusion to my Directory exclusion list.
    We are doing PoC and this is definitely a “no go” for me!
    Is there any other workaround?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s