Computer

Communication Direction

Bidirectional: By default, communications are bidirectional. This means that the Agent/Appliance normally initiates the heartbeat but still listens on the Agent port for Manager connections. The Manager is still free to contact the Agent/Appliance in order to perform operations as required. This allows the Manager to apply changes to the security configuration to the Agent/Appliance as they occur.
The Deep Security Virtual Appliance can only operate in bidirectional mode. Changing this setting to any other mode for a Virtual Appliance will disrupt functionality.
Manager Initiated: With this option selected, all Manager to Agent/Appliance communications are initiated by the Manager. This includes security configuration updates, heartbeat operations, and requests for Event logs.
Agent/Appliance Initiated: With this option selected, the Agent/Appliance does not listen on port 4118. Instead it contacts the Manager on the heartbeat port (4120 by default) as dictated by the heartbeat settings. Once the Agent/Appliance has established a TCP connection with the Manager all normal communication takes place: the Manager first asks the Agent/Appliance for its status and for any events. (This is the heartbeat operation). If there are outstanding operations that need to be performed on the computer (e.g., the Policy needs to be updated), these operations are performed before the connection is closed. In this mode, communications between the Manager and the Agent/Appliance only occur on every heartbeat. If an Agent/Appliance's security configuration has changed, it will not be updated until the next heartbeat.
Before configuring an Agent/Appliance for Agent/Appliance initiated communication, ensure that the Manager URL and heartbeat port can be reached by the Agent/Appliance. If the Agent/Appliance is unable to resolve the Manager URL or is unable to reach the IP and port, Agent/Appliance initiated communications will fail for this Agent/Appliance. The Manager URL and the heartbeat port are listed in the System Details area in the Administration > System Information page.

Agents/Appliances look for the Vulnerability ProtectionDeep Security Manager on the network by the Manager's hostname. Therefore the Manager's hostname must be in your local DNS for Agent/Appliance initiated or bidirectional communication to work.

To enable communications between the Manager and the Agents/Appliances, the Manager automatically implements a (hidden) Firewall Rule (priority four, Bypass) which opens port 4118 on the Agents/Appliances to incoming TCP/IP traffic. The default settings open the port to any IP address and any MAC address. You can restrict incoming traffic on this port by creating a new priority 4, Force Allow or Bypass Firewall Rule, which only allows incoming TCP/IP traffic from specific IP and/or MAC addresses. This new Firewall Rule will replace the hidden Firewall Rule if the settings match the following:

action: force allow or bypass
priority: 4 - highest
packet's direction: incoming
frame type: IP
protocol: TCP
packet's destination port: 4118 (or a list or range that includes 4118)

As long as these settings are in effect, the new rule will replace the hidden rule. You can then type Packet Source information for IP and/or MAC addresses to restrict traffic to the computer.

Heartbeat

Heartbeat Interval (in minutes): How much time passes between heartbeats.
Number of Heartbeats that can be missed before an Alert is raised: This setting determines how many missed heartbeats are allowed to go by before the Manager triggers an Alert. (For example, entering three will cause the Manager to trigger an Alert on the fourth missed heartbeat.)
If the computer is a server, too many missed heartbeats in a row may indicate a problem with the Agent/Appliance or the computer itself. However if the computer is a laptop or any other system that is likely to experience a sustained loss of connectivity, this setting should be set to "unlimited".
Maximum change (in minutes) of the local system time on the computer between heartbeats before an Alert is raised: For Agents that are capable of detecting changes to the system clock (Windows Agents) these events are reported to the Manager as Agent Event 5004. If the change exceeds the clock change listed here then an Alert is triggered. For Agents that do not support this capability (non-Windows Agents), the Manager monitors the system time reported by the Agent at each heartbeat operation and will trigger an Alert if it detects a change greater than the permissible change specified in this setting. Changes to the system clock are reported to the Manager as Agent Event 5004. If the change exceeds the clock change listed here, an Alert is triggered.
Once a Computer-Clock-Changed Alert is triggered, it must be dismissed manually.
Raise Offline Errors For Inactive Virtual Machines: Sets whether an Offline error is raised if the virtual machine is stopped or paused.

Send Policy Changes Immediately

By default, the value for the Automatically send Policy changes to computers setting is "Yes". This means that any changes to a security policy are automatically applied to the computers that use the policy. If you change this setting to "No", you will need find affected computers on the Computers page, right-click them, and choose "Send Policy" from the context menu.

Troubleshooting

You can increase the granularity of the logging level and record more events for troubleshooting purposes, however you should exercise caution when using this option since this can significantly increase the total size of your Event logs.

Choose whether to inherit the logging override settings from the policy assigned to this computer ("Inherited"), to not override logging settings ("Do Not Override"), to log all triggered Firewall Rules ("Full Firewall Event Logging"), to log all triggered Intrusion Prevention Rules ("Full Intrusion Prevention Event Logging"), or to log all triggered rules ("Full Logging").

Agent Self-Protection

The Agent Self-Protection feature is available only with Windows Agents.

Use these settings to prevent local users from interfering with Agent functionality.

Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent: This will prevent local users from uninstalling the Agent, stopping the Agent service, modifying Agent-related Windows Registry entries, or modifying Agent-related files. These restrictions can be overridden by issuing local instructions from the command line. (See Command-Line Utilities.) When Agent Self-Protection is enabled, attempts to make modfications to the Agent via the local operating system graphical user interface will be met with a message similar to "Removal or modification of this application is prohibited by its security settings".
- Local override requires password: It is possible that a Vulnerability ProtectionDeep Security Manager loses the ability to communicate with an Agent. In such cases you will have to interact with the Agent locally using the Agent's command-line interface. Enter a password here to password-protect the local command-line functionality. (Recommended.)
  Store this password in a safe location. If you lose or forget the password you will have to contact your support provider for assistance in overriding this protection.

Anti-Malware protection must be "On" to prevent the following:

Stopping the Agent service
Modifying Agent-related Windows Registry entries
Modifying Agent related files

Anti-Malware protection is not required to prevent local users from uninstalling the Agent.

To turn Agent Self-Protection off or on from the command line:

Log in to the local computer as an Administrator
Run a command prompt from the Agent's (or Relay's) installation directory
Enter the following command (where "password" is the password set using the Local override requires password setting):
- to turn Self-Protection off:
  dsa_control --selfprotect=0 --passwd=password
- to turn Self-Protection on
  dsa_control --selfprotect=1 --passwd=password
If no password was set, omit the "--passwd" parameter.

In Deep Security 9.0 and earlier, this option was --harden=<num>

Alternatively, you can use the reset parameter which will reset the Agent and disable Agent Self-Protection:

dsa_control --reset

Environment Variable Overrides

Environment variables are used by the Integrity Monitoring module to represent some standard locations in the directory system of the Windows operating system. For example, the Microsoft Windows - 'Hosts' file modified Integrity Monitoring rule, which monitors changes to the Windows hosts file, looks for that file in the C:\WINDOWS\system32\drivers\etc folder. However not all Windows installations use the C:\WINDOWS\ directory, so the Integrity Monitoring rule uses the WINDIR environment variable and represents the directory this way as %WINDIR%\system32\drivers\etc.

Environment variables are used primarily by the Virtual Appliance when performing Agentless Integrity Monitoring on a virtual machine. This is because the Virtual Appliance has no way of knowing if the operating system on a particular virtual machine is using standard directory locations.

The following are the default environment variables used by the Integrity Monitoring module:

Name	Value
ALLUSERSPROFILE	C:\ProgramData
COMMONPROGRAMFILES	C:\Program Files\Common Files
PROGRAMFILES	C:\Program Files
SYSTEMDRIVE	C:
SYSTEMROOT	C:\Windows
WINDIR	C:\Windows

To override any of these environment variables:

Click the View Environment Variables... button to display the Environment Variable Overrides page.
Click New in the menu bar and enter a new name/value pair (for example, WINDIR and D:\Windows) and click OK.