
Trend Micro - IDF

Security Analyst procedure checks for IDF


After logging in and opening the Intrusion Defense Firewall (IDF) plug-in, the
Dashboard gives an overall view of all endpoints managed by the IDF. Alerts and
Events are the two categories that the security analyst must review daily. Alerts
appear in the Alert Status window in the top left of the dashboard.

Figure 1


Reconnaissance Scan Alerts


This category produces many false positives. When reviewing an alert, pay attention
to which IP launched the scan. An external source IP is almost always background
Internet scanning that can be dismissed, whereas an internal source IP could be an
indicator of a compromised endpoint on the network.

Figure 2

Figure 2 shows an Xmas scan directed at AD-6V7HBP1. Drilling into the alert in the
Alert Status box at the top left of the dashboard shows the IP that launched the
scan.
Key takeaways when reviewing Scan Alerts:

Look at the IP address performing the scan; pay extra attention to internal IPs.
If the scanning IP address is internal, verify it is not a vulnerability scanner or an
InfoSec workstation running port scans.
Dismiss the alert only after verifying it is a false positive.
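The three takeaways above as a triage script. This is an added example, not part of the original IDF procedure: the alert records are constructed sample data shaped like the Figure 2 entry, and the authorised-scanner list is a hypothetical placeholder to be replaced with your own inventory of vulnerability scanners and InfoSec workstations.

```powershell
# Added example, not part of the original IDF procedure: triage of
# reconnaissance-scan alerts by the IP that launched the scan.
# The alerts below are constructed sample data; the authorised-scanner
# list is a hypothetical placeholder to be replaced with your own inventory.

# Hypothetical: internal hosts that are allowed to port-scan
# (vulnerability scanner, InfoSec workstation).
$AuthorizedScanners = @('10.10.5.20', '10.10.5.21')

function Test-PrivateIPv4 {
    # True for RFC 1918 addresses (10/8, 172.16/12, 192.168/16); false for
    # anything else, including unparsable input and IPv6.
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $o = $ip.GetAddressBytes()
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-ScanAlertVerdict {
    # Applies the page's rule: external source -> dismiss as Internet noise;
    # internal source -> dismiss only if it is a known scanner, else investigate.
    param(
        [Parameter(Mandatory)][string]$SourceIP,
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$ScanType
    )
    if (-not (Test-PrivateIPv4 -Address $SourceIP)) {
        $verdict = 'Dismiss'
        $reason  = 'External source: Internet background scanning'
    }
    elseif ($AuthorizedScanners -contains $SourceIP) {
        $verdict = 'Dismiss'
        $reason  = 'Authorised internal scanner'
    }
    else {
        $verdict = 'Investigate'
        $reason  = 'Unexpected internal source: possible compromised endpoint'
    }
    [pscustomobject]@{
        SourceIP = $SourceIP
        Target   = $Target
        ScanType = $ScanType
        Verdict  = $verdict
        Reason   = $reason
    }
}

# Constructed sample alerts shaped like the Figure 2 entry; the IPs and the
# second hostname are made up (203.0.113.0/24 is documentation address space).
$SampleAlerts = @(
    @{ SourceIP = '203.0.113.45'; Target = 'AD-6V7HBP1'; ScanType = 'Xmas Scan' }
    @{ SourceIP = '10.10.5.20';   Target = 'WS-FIN-012'; ScanType = 'SYN Scan'  }
    @{ SourceIP = '10.20.33.7';   Target = 'AD-6V7HBP1'; ScanType = 'Xmas Scan' }
)

$SampleAlerts |
    ForEach-Object { Get-ScanAlertVerdict -SourceIP $_.SourceIP -Target $_.Target -ScanType $_.ScanType } |
    Format-Table -AutoSize
```

On the sample data the external 203.0.113.45 and the listed scanner 10.10.5.20 are dismissed, while 10.20.33.7 is flagged for investigation. The allow-list check is deliberately exact-match: a scanner that has moved to a new address should show up as Investigate until someone updates the inventory, which is the verification step the takeaways call for.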

Firewall Engine Offline / DPI Rule Engine Offline Alerts


The Firewall Engine Offline alert is usually accompanied by a DPI Rule Engine Offline
alert and possibly an Update Failure alert as well. Investigate it as soon as possible:
while both engines are offline the endpoint has neither firewall nor DPI protection.
The alert usually appears when the IDF server attempts to push an update to a
workstation and the update fails.
NOTE: Keep in mind that malware often attempts to disable or corrupt installed AV
products, so an engine that goes offline without a corresponding failed update
should be treated as suspicious rather than as a routine update problem.
Verify that the Trend Micro DSA filter driver exists at
C:\Windows\System32\drivers\tbimdsa.sys. If it does not, copy tbimdsa.sys from
C:\Program Files (x86)\Trend Micro\IDF Client\tbim into the drivers folder.
If the file is already in the drivers folder, verify that the DSA service is running
(sc query tbimdsa from a command prompt). Figure 3 shows what a correctly
configured system displays; Figure 4 shows what an incorrectly configured system
displays.

Figure 3

Figure 4

RDP to the workstation and, under Local Area Connection Properties, click Install >
Service > Have Disk. Browse to C:\Program Files (x86)\Trend Micro\IDF
Client\tbim\nettbimdsa.inf. Check the Network Properties to confirm the driver has
been added to the NIC(s). Open a command prompt and re-run sc query tbimdsa
to verify the service is now running.
If the above steps fail, use the tbclean tool with the c option to clean up after the
failed install.
Key takeaways when reviewing Firewall Engine Offline Alerts:

Check whether the workstation is online or offline.
Investigate why the Firewall Engine or DPI Rule Engine is offline.
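The driver and service checks from this section, as an added example script that is not part of the original procedure. It is meant to be run elevated on the affected workstation (for instance over the RDP session the page describes). The file paths and the tbimdsa service name are taken from the page; the -Repair switch, the Authenticode signature check and the summary object are additions, and the NIC binding step still has to be done through Local Area Connection Properties as described above.

```powershell
# Added example, not part of the original procedure: the tbimdsa.sys checks
# from this section as a script to run elevated on the affected workstation.
# Paths and the service name come from the page; the -Repair switch and the
# signature check are additions.

$DriverService = 'tbimdsa'
$DriverDest    = Join-Path $env:SystemRoot 'System32\drivers\tbimdsa.sys'
$IdfTbimDir    = 'C:\Program Files (x86)\Trend Micro\IDF Client\tbim'
$DriverSrc     = Join-Path $IdfTbimDir 'tbimdsa.sys'
$DriverInf     = Join-Path $IdfTbimDir 'nettbimdsa.inf'

function Get-IdfDriverState {
    # Returns the state of the DSA filter driver and the next manual step, if any.
    # With -Repair, copies (does not move) the installer's tbimdsa.sys into the
    # drivers folder when it is missing.
    param([switch]$Repair)

    $actions = New-Object System.Collections.Generic.List[string]
    $present = Test-Path -LiteralPath $DriverDest

    # Step 1: driver file in System32\drivers.
    if (-not $present) {
        if ($Repair -and (Test-Path -LiteralPath $DriverSrc)) {
            Copy-Item -LiteralPath $DriverSrc -Destination $DriverDest
            $present = Test-Path -LiteralPath $DriverDest
            $actions.Add("copied $DriverSrc to $DriverDest")
        }
        else {
            $actions.Add("driver file missing: copy $DriverSrc to $DriverDest")
        }
    }

    # Malware that tampers with AV components may leave a modified driver behind,
    # so confirm the file on disk still carries a valid Authenticode signature.
    $signature = 'n/a'
    if ($present) {
        $signature = (Get-AuthenticodeSignature -FilePath $DriverDest).Status.ToString()
        if ($signature -ne 'Valid') {
            $actions.Add("driver signature is $signature: treat as tampering until proven otherwise")
        }
    }

    # Step 2: same query as the page, sc query tbimdsa. In PowerShell 'sc' alone
    # is an alias for Set-Content, hence sc.exe. The STATE line reads e.g.
    # "STATE : 4  RUNNING"; if the service does not exist there is no STATE line.
    $state = 'NOT_FOUND'
    $scOut = & sc.exe query $DriverService 2>&1 | Out-String
    if ($scOut -match 'STATE\s+:\s+\d+\s+(\w+)') { $state = $Matches[1] }

    if ($present -and $state -ne 'RUNNING') {
        # sc cannot tell whether the service is bound to the NIC; that is the
        # Local Area Connection Properties > Install > Service > Have Disk step.
        $actions.Add("driver present but service is $state: re-add the service from $DriverInf on each NIC, then re-run sc query $DriverService")
    }

    $next = if ($actions.Count -gt 0) { $actions -join '; ' } else { 'none: engine should report online' }

    [pscustomobject]@{
        DriverFilePresent = $present
        DriverSignature   = $signature
        ServiceState      = $state
        NextAction        = $next
    }
}

Get-IdfDriverState
```

Run it first without -Repair to record the broken state (useful evidence if the cause turns out to be tampering rather than a failed update), then with -Repair. If the workstation accepts remoting, the same function can be pushed from the analyst's machine with Invoke-Command -ComputerName and -FilePath, which also answers the "online or offline" takeaway.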

Deep Packet Inspection Activity Events


Deep Packet Inspection (DPI) rules block traffic that matches known exploits of
known vulnerabilities, so a prevented DPI event is either a blocked attack attempt
or a legitimate application tripping a rule. For this reason, review the Top 5
prevented DPI events, the Top 5 source IPs for prevented DPI events, and the Top 5
computers for prevented DPI events.

Figure 5


Key takeaways when reviewing DPI Events:

Review which applications may be getting blocked and what their source IPs are.
Identify any false positives caused by legitimate applications.
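The Figure 5 views and the two takeaways above, as an added example that is not part of the original page: it rebuilds the three "Top 5" lists from an exported DPI event list and adds a simple heuristic for application-caused false positives. The CSV column names and every row are constructed sample data, and the rule names are placeholders rather than real IDF rule names; adjust the column names to match your own export.

```powershell
# Added example, not from the page: rebuilding the Figure 5 "Top 5" views from an
# exported DPI event list, plus a heuristic for application-caused false positives.
# The CSV columns and every row below are constructed sample data; the rule names
# are placeholders, not real IDF rule names.

$SampleCsv = @'
Timestamp,Computer,SourceIP,Rule,Action
2013-04-02 08:01:10,WS-FIN-012,10.10.7.50,RULE-A,Prevented
2013-04-02 08:03:44,WS-FIN-013,10.10.7.50,RULE-A,Prevented
2013-04-02 08:05:02,WS-HR-004,10.10.7.50,RULE-A,Prevented
2013-04-02 08:09:30,WS-FIN-012,10.10.7.50,RULE-A,Prevented
2013-04-02 09:12:55,AD-6V7HBP1,203.0.113.9,RULE-B,Prevented
2013-04-02 09:13:01,AD-6V7HBP1,203.0.113.9,RULE-C,Prevented
2013-04-02 09:15:20,WS-FIN-012,198.51.100.20,RULE-B,Prevented
2013-04-02 10:40:00,WS-HR-004,10.10.9.3,RULE-D,Detected
'@

$Events = $SampleCsv | ConvertFrom-Csv

function Get-DpiTop5 {
    # The three dashboard widgets: top rules, top source IPs, top computers,
    # counted over prevented events only (Detected-only events are not blocks).
    param([Parameter(Mandatory)][object[]]$DpiEvents)
    $prevented = $DpiEvents | Where-Object Action -eq 'Prevented'
    foreach ($field in 'Rule', 'SourceIP', 'Computer') {
        $prevented | Group-Object $field | Sort-Object Count -Descending | Select-Object -First 5 |
            ForEach-Object { [pscustomobject]@{ View = "Top $field"; Value = $_.Name; Count = $_.Count } }
    }
}

function Find-DpiFalsePositiveCandidates {
    # Heuristic: one internal (RFC 1918) source tripping the same rule on several
    # different computers usually means a legitimate application, not an attacker.
    # Verify the application before excluding the rule for that source.
    param(
        [Parameter(Mandatory)][object[]]$DpiEvents,
        [int]$MinComputers = 3
    )
    $DpiEvents |
        Where-Object { $_.Action -eq 'Prevented' -and $_.SourceIP -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)' } |
        Group-Object Rule, SourceIP |
        ForEach-Object {
            $computers = @($_.Group | Select-Object -ExpandProperty Computer -Unique)
            if ($computers.Count -ge $MinComputers) {
                [pscustomobject]@{
                    Rule      = $_.Group[0].Rule
                    SourceIP  = $_.Group[0].SourceIP
                    Computers = $computers -join ', '
                    Note      = 'same internal source on multiple hosts: likely an application, verify'
                }
            }
        }
}

Get-DpiTop5 -DpiEvents $Events | Format-Table -AutoSize
Find-DpiFalsePositiveCandidates -DpiEvents $Events | Format-Table -AutoSize
```

On the sample data RULE-A from 10.10.7.50 is flagged because it hit three distinct computers, while the two external sources hitting AD-6V7HBP1 are left in the Top 5 views as genuine blocked attempts. The threshold is deliberately a parameter: on a small network three hosts is plenty, on a large one raise it so a single compromised internal host probing a handful of neighbours is not waved through as an application.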
