Table of contents

Frequently asked questions

Architecture

What cloud providers are supported by File Storage Security?

Currently we support Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP).

Which regions are supported?

A full list of supported regions is available:

What permissions do File Storage Security management roles have?

These are the permissions that File Storage Security management roles StorageStackManagementRoleARN and ScannerStackManagementRoleARN will have after File Storage Security has been deployed and configured:

Performance

What kind of performance can I expect?

For details on performance, see Performance and scaling.

How many files can be scanned concurrently?

For information, see Performance and scaling.

Deployment

Can I deploy multiple all-in-one stacks across multiple AWS accounts?

Yes. We support multiple stacks which can all be connected to the File Storage Security console. To deploy stacks, see Add stacks.

Why do I see "The license cannot be updated to the scanner stack" when deploying Azure stacks?

During stack deployment, the File Storage Security backend service configures the license to your scanner stack. This requires Azure permissions that can take up to 30 minutes to take effect according to Azure documentation. If you get this error message, try deploying the stack in the File Storage Security console a few minutes later.

How to deploy if a s3:objectCreated:* event is already in use?

For deployment information, see s3:ObjectCreated:* event in use

How to deploy if I only want to scan a folder/prefix in the bucket?

For more information, see Deploy the all-in-one stack on AWS

Can I deploy a scanner to each of the folder/prefix in the bucket?

Yes, you can.

Can I modify the deployment template and register?

When you deploy from the template, you will need to get the corresponding External ID. If you modify it, the next update will rewrite the old one.

Why is the "KMSKeyARNForQueueSSE" option displayed in the Storage Stack configuration page?

The bucketListener of Storage stacks is the producer of the queue. The producer needs to have the permission of the key to generate the encrypted message for the consumer (Scanner stacks). That is why both the Scanner Stack and the Storage Stack need KMSKeyARNForQueueSSE to make the encrypted process work as expected.

Here are the references to explain the KMS permissions for producers and consumers:

Configure KMS permissions for producers

Configure KMS permissions for consumers

The KMSKeyARNForQueueSSE field has to be filled with the same value for both Scanner and Storage stacks if you want to encrypt the queue message.

It will not work if the KMSKeyARNForQueueSSE field is filled for only one of the Scanner stack or the Storage stack.

Can you provide a list of policies necessary for FSS deployment and operation?

Please use the following link to see the minimum policy required of FSS deployment:

https://dsgithub.trendmicro.com/file-storage-security/cloudformation-templates/blob/integration/recommended-deploy-policy.json

Is it possible to deploy and operate CloudFormation using the service role?

Yes, you can download the template and deploy with a service role. However, you must ensure that you are using the correct external-ID.

What do I do when I get an error tag on the file which says invalid license status.

Please check whether the External ID of the stack's deployment parameter is the same as your Cloud One account. To obtain an external ID. Update the stack if they're not matched.

If you tend to deploy stacks using APIs, we encourage you to refer to our documentation site for detailed steps to use APIs to deploy your stacks.

If you're not deploying stacks by CLI, please deploy the stack on FSS console to ensure the process and parameters are correct. For more information, see Deploy the all-in-one stack.

Sometimes the CloudFormation doesn't create the role properly. This can be due to an AWS service issue: https://github.com/aws/serverless-application-model/issues/213

We have several suggested actions:

Try deploying the stack using another stack name. If the issue persists, export the stack events for the failed "Scanner Stack". (You need to click the "Scanner Stack" resource for getting the events of the Scanner Stack.)

Why did I get a "invalid license status" error?

One common root cause of the error "invalid license status" is, the stacks are deployed on AWS but did not submit to FSS backend to get valid license status for the stacks.

If you have more than one storage stack, every stack's StorageStackManagementRoleARN should be added to FSS backend. For more information, see Add stacks.

Are queues publicly accessible

No, they aren't publicly accessible. You can review ScannerQueuePolicy defined in the scanner stack's template.

To see what AWS recommends, see https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html

Should I enable SSE for queues?

Enabling SSE for queues can be configured through the KMSKeyARNForQueueSSE parameter when deploying the scanner stack's template.

To see what AWS recommends, see https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html

Are there any problems when I change the timeout value by the below procedure? (e.g. Timeout value returns to default value when the stack updated)

If ScannerLambda property needs to be modified in the stack update, the customized memory size will be overwritten. You need to specify the customized memory size in the CFN template when performing the stack update.

The setting won't change if there is no specific change on Lambda's setting in our template, otherwise, the setting will be overwritten.

We recommend setting the customized settings like memory, or timeout, in the template before doing the stack update.

Why did I get a "delivery failed" event when objects are dropped in the Monitored blob storage container after successfully deploying an All-in-Stack?

The Azure resources sometimes take time to update. For example, the role assignment sometimes may take at most 30 minutes to take effect. During that period, the blob listener cannot send scanning messages and will return an error. If this is the scenario that you encountered, please wait for a while and try uploading the files again.

Scanner

Can I configure scan exclusions or inclusions?

No. Our current design does not allow you to configure files to be excluded from (or included in) scans.

How should I monitor performance and results?

AWS provides some default metrics that should be enough for monitoring the performance. Please try following the AWS documents to monitor SQS and Lambda used by FSS:

Monitoring Amazon SQS queues using CloudWatch

Working with AWS Lambda function metrics

Create a CloudWatch alarm based on a static threshold

Can I set DLQ on BucketListenerLambda?

Lambda DLQ is not related to a scanning timeout issue. It is used for storing the messages that have failed to process due to a function code error or service error (like Lambda throttling). However, this type of error can already be monitored by CloudWatch metrics. 

How do I find the cause of a timeout and how do I respond?

First, you can check the ScannerQueue's metrics in SQS page.

"Approximate Age Of Oldest Message" and "Approximate Number Of Messages Not Visible" indicate whether the messages are processed smoothly. If the numbers keep in high volume, it may be related to throttles on ScannerLambda.

If message volume continues to be high, continue to check the ScannerLambda's metrics

If any throttles are observed, try following [Best practices for working with AWS Lambda functions] (https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html) to make sure ScannerLambda has enough concurrency to process messages.

You can also check the log groups of ScannerLambda and ScannerDeadLetterLambda to see if there is any error log.

What anti-malware patterns are used to scan files? Are the patterns updated?

File Storage Security uses Smart Scan Agent Pattern, IntelliTrap Exception Pattern and IntelliTrap Pattern.

Smart Scan Agent Pattern (icrc$oth.XXX) is used for Heuristic/Generic detection, too. It can also detect known ransomware such like RANSOM_HPLOCKY.SM4.

What is being passed to the scanner stack? Is it the whole file?

Only a partial download is done on the file when scanning.

what kind of information would be sent to iCRC backend during the scanning of files?

The Smart Scan (iCRC) only uses and encrypts the input hash value that is received from the scan engine. This value is not calculated from the whole file content.

Why are there no tags set to the uploaded blobs on Azure?

The functions in the deployed stacks require certain permissions to retrieve scanning events and publish scan results. These permissions can take up to 30 minutes to take effect according to Azure documentation. To mitigate the issue, try uploading the files and monitoring the scan results a few minutes later.

Are file contents sent to the Trend Micro Global Smart Protection Server?

No. Only identification information is sent to the Trend Micro Global Smart Protection Server.

Can File Storage Security scan encrypted files?

File Storage Security can scan SSE-KMS but cannot scan client-side encrypted files.

Can an encrypted PDF file be scanned successfully or is the scan actually skipped?

ATSE can scan password protected PDF files. Successful scan results for those files are returned.

Can File Storage Security detect ransomware?

Yes.

When does a network module related error occur?

Every networking error regarding to retrieving the file via a presigned URL results in a network module related error.

What causes the scanner to get a 403 error?

In the scanner's logs, we can detected scan messages that in the scanner queue for more than 1 hour:

The SAS tokens for the scanner to retrieve files are available for 1 hour only. The scanner got a 403 error when attempting to get the file because the SAS token had expired.

The default instance count for the scanner function app is 1. When large amounts of messages are uploaded to the scanner in a short time period, delays in processing the messages may occur. To mitigate the issue, go to the Scale out (App Service plan) page in the function app, and follow the Azure Functions Premium plan to increase Maximum Burst of Plan Scale out setting. The maximum is 20. It can reduce the time that the messages stay in the queue.

It may help to examine our basic performance test regarding of the setting: Azure performance and scaling

In some rare cases, there might be networking issue in the cloud environment that causes the scan to fail. We suggest that you retry such failed scans by subscribing to the scan result topic with a post scan action function. The function can filter all successful scans and send scan messages for all scan failed files to the scanner queue to trigger the scan.

To parse the scan result, please refer to Scan result format. The BlobListener function in the storage stack can be used to send scan messages to the scanner queue.

We use presigned put URLs to upload files to our AWS S3 buckets. Can we see if the uploaded file is malicious in the result of the file upload request?

No, the design of AWS S3 does not allow you to determine from the result of an upload request whether an uploaded file is malicious.

Is the result of the file upload returned before the scan takes place?

The result is available to you after the scan is finished.

How do we prevent our application storing a file's data for a malicious file?

We recommended that you implement a Post Scan Action to move the malicious file to a quarantine bucket for this case. For more information, see https://github.com/trendmicro/cloudone-filestorage-plugins/tree/master/post-scan-actions/

Will the S3 "fss-scan-result" tag show "failure" if FSS console shows "Scan Error"? In other words, is S3 "fss-scan-result" tag: "failure" the same as FSS console: "Scan Error"?

Yes, you are correct. S3 "fss-scan-result" tag: "failure" = FSS console: "Scan Error". Yes, the S3 "fss-scan-result" tag: "failure" is equivalent to the FSS console: "Scan Error". The "Scan Error" on FSS web console comes from the results of List scan statistics API (the "failed" key in API response). A file that was scanned and has the tag “fss-scan-result” : “failure” will be included in the number of failed scans.

For the failed scans, please refer to "scanner_status and scanner_status_message" section in FSS online docs. 

Post Scan actions

Can I modify the actions taken on malicious files?

Yes. Out-of-box, File Storage Security tags a malicious file with a malicious tag, and no further action is taken. After that you can create actions based on the tag assigned to the file.

See the post-scan action sample code GitHub page for actions that can be taken after the scan.

What happens if a file is found to be malicious?

When a file is scanned and found to be malicious, File Storage Security tags it as malicious and returns it to the S3 bucket to scan. For details on tagging, see View tags.

What do I do if I find a malicious file that is not detected by FSS?

Please help us by submitting a new ticket to AM team by leveraging the Threat Investigation Portal (TIP)

Why is the FSS scan error count higher than my internal scan error count?

The count may not match because ScannerLambda will retry a failed scan once. This means that if the Lambda failed to scan the first time, it will retry the scan the second time.

The Lambda publishes a message about scan failure after both attempts have failed. However, every invocation of ScannerLambda will report the scan result to the FSS backend once.

Updates and Upgrades

How often can I expect updates?

The Trend Micro backend service pushes malware patterns, the license, and Lambda code updates.

  • Malware patterns are updated daily
  • The license is updated weekly
  • Lambda code is updated whenever the code is patched; the Lambda code change is published in What's New
How often are the patterns updated and how large are they?

Patterns can be updated multiple times a day. The patterns, which are updated as Lambda layers, are about 30 to 40MB in size.

How can I tell when a stack template was last updated, and what was changed in its update?

To see the revision history for a template, go to our repository on GitHub.com and click the Blame button to see that view.

If there is a change that requires a stack update, by what date do users need to update it?

Stacks have no expiration date, but we strongly recommend that you use the latest version.

How do I upgrade my stacks to the latest version?

For upgrade instructions, see Update stacks.

The Lambda functions for my File Storage Security stacks were updated recently. What was updated?

Currently, there are three kinds of updates:

  • Lambda code. Currently, there are three Lambda functions in scanner and storage stacks to update. File Storage Security backend updates BucketListenerLambda and PostScanActionTagLambda in storage stacks, and ScannerLambda in scanner stacks as well. The Lambda code change is published in What's New.
  • Malware patterns in Lambda layer. File Storage Security backend pushes the latest malware pattern to your ScannerLambda.
  • Scanner license. File Storage Security backend updates the license residing in ScannerLambda every week. If you remove your scanner stack from the File Storage Security console, the license will expire and fail to scan four weeks later.
Can I continue to use a Stack without updating it?

Using a Stack that has not been updated may result in update failures, data inconsistency occurrences, support expiration, and other problems.

Is there a possibility that scanning will stop during the Stack update?

No, Lambda's memory settings and log retention period are within the scope of Stack Update.

Can I modify the Lambda function code?

If the Lambda is deployed by FSS (for example, PostScanActionTagLambda, or BucketListenerLambda), it will be automatically updated by FSS backend. The update might relate to bug-fixing, or some new features. So it cannot be avoided.

We recommend that you do not modify the code of any Lambda functions in the scanner or storage stacks. For more information, see Customizing AWS stacks.

Once a stack has been updated, can the stack update be rolled back?

No, you cannot roll back a stack update.