Why am I getting "Unrecognized Client" events?

You may see System Events in the Deep Security as a Service console indicating "Unrecognized Client". One way this can occur is if you manually create a new computer within Deep Security, activate it, then delete it from the console. The Deep Security agent on the endpoint will continue to try to heartbeat into the console, generating these "Unrecognized Client" events.

There are two ways to resolve this:

  1. We have a feature that attempts to re-activate these instances and bring them into the console. Go to Administration->System Settings->Agent-Initiated Activation and enable "Allow reactivation of unknown VMs". With this enabled, we should add new computer records for these instances as they attempt to contact the console, and from there you can decide to deactivate them from the console if you no longer wish to protect them. Once deactivated, they'll stop calling home to Deep Security. This is the preferred approach.
  2. Manually identify which rogue instances are running, then on each instance run "dsa_control -r" to reset the agent or "rpm -e ds_agent" to uninstall it. The events indicate the IPs of the endpoints, but they're likely the Load Balancer IPs, so they may be of limited use. I mention this solution only for completeness' sake, as there may be times when re-activation is not possible.