Update Deep Security software

References to Deep Security Virtual Appliance and the Filter Driver apply only to Deep Security software ("on-premises") installations.

To ensure maximum protection, keep your Deep Security Agent and Deep Security Virtual Appliance up to date. You can update the agent software that is installed on computers and virtual appliances, and you can update the virtual appliance software.

All Deep Security Relays must be upgraded before upgrading the Deep Security Agent. Failure to do so may cause the relay upgrade to fail.

Before upgrading the Deep Security Agent on a Linux platform, confirm the OS kernel is supported by the latest version of the agent. See Deep Security Agent Linux kernel support

Before updating software, you need to configure a distribution method for the updates. See Determine how to distribute the software updates .

This is how updates are performed:

  1. Deep Security Manager periodically connects to Trend Micro update servers to check for available updates for the Deep Security Agent, Deep Security Virtual Appliance, Filter Driver, and Deep Security Manager.
  2. The "Trend Micro Download Center" section of the Administration > Updates > Software page indicates whether there are updates available for any of the software you have already imported into Deep Security Manager. Those are the updates that you're most likely to care about. Deep Security Manager will also generate an alert to let you know that software updates are available.

    Deep Security will only inform you of updates to the minor versions of your imported software. For example, if you have agent version 9.5.100, and Trend Micro releases agent version 9.5.200, Deep Security will tell you that updates to your software are available. However, if Trend Micro then releases agent version 9.6.xxx and you don't have any earlier 9.6 agents in your database inventory, you will not receive a notification that updates are available (even though you have a 9.5.100 agent).

    You can also check the Administration > Updates > Software > Download Center page to see all software packages that are available

  3. You import the software updates that you require into Deep Security Manager. This can be done manually or automatically. (See Import software updates into Deep Security Manager .)
  4. The software updates are replicated to your relays or web server.
  5. You upgrade your agents. (See Initiate an upgrade or Upgrade agents following an alert. In rare circumstances, you may need to perform manual upgrades. See Manually upgrade the agent.)
  6. You update your virtual appliances. (See Update the Deep Security Virtual Appliance.)

Determine how to distribute the software updates

Deep Security software updates are normally hosted and distributed by relay-enabled agents. Relays update your agents more quickly, reduce manager load, and save internet connection or WAN bandwidth. For information on how to set up relays, see Configure relays.

Alternatively, if you already have a web server, you can provide software updates via the web server instead of a relay-enabled agent. To do this, you must mirror the software repository of the relay-enabled agent on your web server. For more information on configuring your own software distribution web servers, see Configure a web server to provide software updates.

Import software updates into Deep Security Manager

The Local Software page (Administration > Updates > Software > Local) lists the software that has been imported into Deep Security.

Software must be imported from the Trend Micro Download Center into Deep Security to make it available to the computers on your network. An alert indicates that the software on a computer is out of date when a more recent version of the agent or appliance software has been imported into Deep Security. The check is made against the local inventory, not against what is available on the Download Center. There is a separate alert for new software on the Download Center.

When imported, software is stored in the Deep Security database. Imported software is periodically replicated to relay-enabled agents.

Manually import software updates

Manually import software updates as they become available on the Download Center.

The Deep Security Virtual Appliance uses a Red Hat Enterprise Linux (64 bit) Agent package. For information about which updates are compatible with your appliances, see Update the Deep Security Virtual Appliance.

  1. Go to Administration > Updates > Software.
  2. Check the Trend Micro Download Center section of the page to see whether there are any new software updates available. If no new updates are available, the section will say "All imported software is up to date".
  3. If updates are available, go to Administration > Updates > Software > Download Center, select the packages that you want, and then click Import. You can select multiple packages by pressing Shift+click or Ctrl+click.
    When a green check mark appears in the Imported column, the package has been downloaded into Deep Security Manager. The package will also appear on the Local Software page.
    A popup note indicates when a package cannot be imported directly. For these packages, you must download them from the Trend Micro Download Center website to a local folder, then manually import them on the Administration > Updates > Software > Local page.

Automatically import software updates

You can configure Deep Security Manager to automatically download any updates to software that you've already imported into Deep Security. To enable this feature, go to Administration > System Settings > Updates and select Automatically download updates to imported software.

This setting will download the software to the Deep Security but will not automatically update your agent or appliance software.

Delete a software package from the Deep Security database

The Deep Security database must contain a copy of all software currently installed on managed computers. When a Deep Security Agent is first activated, only those protection modules that are "On" in the security policy being applied are installed on the computer. If you turn on a protection module at a later time, Deep Security will retrieve the plug-in for the new security module from the agent software package in the database to install it on the computer. If that software is missing, the security module plug-in cannot be installed.

To save space, Deep Security will periodically remove unused packages from the Deep Security database. There are two types of packages that can be deleted: agent packages and Kernel support packages.

The Deep Security Virtual Appliance relies on the protection module plug-ins found in the 64-bit Red Hat Enterprise Linux Agent software package. If you have an activated Deep Security Virtual Appliance and try to delete a 64-bit Red Hat Enterprise Linux Agent, you will get an error message telling you the software is in use.

Deleting agent packages in single-tenancy mode

In single tenancy mode, Deep Security automatically deletes agent packages (Agent-platform-version.zip) that are not currently being used by agents. The number of old software packages kept in the database is configured on the System Settings > Storage tab. You can also manually delete unused agent packages. If you try to delete software that is being used on one of your managed computers, you will get a warning and be unable to delete the software.

For the Windows and Linux Agent packages, only the in-use package (whose version is the same as the Agent Installer) cannot be deleted.

Deleting agent packages in multi-tenancy mode

In multi-tenancy mode, unused agent packages (Agent-platform-version.zip) are not deleted automatically. For privacy reasons, Deep Security cannot determine whether software is currently in use by your tenants, even though you and your tenants share the same software repository in the Deep Security database. As the primary tenant, Deep Security does not prevent you from deleting software that is not currently running on any of your own account's computers, but before deleting a software package, be very sure that no other tenants are using it.

Deleting Kernel support packages

In both single and multi-tenancy mode, Deep Security automatically deletes unused Kernel support packages (KernelSupport-platform-version.zip). The number of old packages kept in the database is configured on the System Settings > Storage tab. A Kernel support package can be deleted if both of these conditions are true:

  • There is no agent package with the same group identifier.
  • There is another Kernel support package with the same group identifier and a later build number.

You can also manually delete unused Kernel support packages.

For Linux Kernel Support packages, only the latest one cannot be deleted.

Upgrade agents following an alert

When a new agent is available, the following alert appears on the Alerts page:

  1. In the alert, click Show Details and click the link, View all out-of-date computers.
    The Computers page opens with all computers showing a Software Update Status of Out-of-Date.
  2. Follow the instructions for initiating an agent upgrade, below.

Initiate an upgrade

We recommend that you upgrade at time when server demand is low.

The "Computers" section of the Administration > Updates > Software page indicates whether any computers or virtual appliances are running agents for which updates are available. The check is only performed against software that has been imported into Deep Security, not against software available from the Download Center. If any computers are out of date, use one of the following methods to upgrade them:

  • To upgrade all out-of-date computers, click the Upgrade agent/appliance software button.
  • To upgrade a specific agent computer or appliance image, go to the Computers page, select the computers that you want to upgrade, and click Actions > Upgrade Agent Software. You will be prompted to select the Agent Version. We recommend that you select the default Use the latest version for platform (X.Y.Z.NNNN). Depending on your preference, select to Upgrade Now or Use a Schedule for Upgrade and specify the time window when the upgrade will be performed. If you choose to use a schedule, the manager will upgrade the agent to the specified version once; it does not continue to upgrade the agent to future versions.
If you are using anti-malware on a Windows platform, the computer might require a reboot to complete the upgrade. If this is the case, a Reboot Required alert will be triggered, which you must dismiss manually after completing the reboot. You can also check the Agent Software Upgraded event or Virtual Appliance Upgraded event to see if a reboot is necessary. If you are using anti-malware, plan your upgrades during maintenance windows when reboots are possible.
When you activate a virtual appliance on a computer, Deep Security upgrades the Red Hat Agent to the version specified for the Virtual Appliance Deployment option. (See Select the agent for newly-activated virtual appliances.) You cannot delete the latest Red Hat Agent unless you first remove all virtual appliance software packages. You can delete older versions of the Red Hat Agent only if they are not in use.

Select the agent for newly-activated virtual appliances

The Deep Security Virtual Appliance uses the protection module plug-in software packages from an agent for 64-bit Red Hat Enterprise Linux. Use the Virtual Appliance Deployment option to select the version of the Red Hat Enterprise Linux Agent software that is deployed to any newly activated virtual appliances.

When the default item of Latest Available (Recommended) is selected, the software used is the latest version of imported agent software that is compatible with the latest version of the appliance software that is imported.

Versions of the agent software that pre-date the imported appliance do not appear in the list.

Manually upgrade the agent

Applies to on-premise Deep Security software installations only

The occasion may arise where you are not able to upgrade the agent software from the Deep Security Manager because of connectivity restrictions between the manager computer and the agent computer. In such cases, upgrading the agent software on a computer has to be performed manually.

First, you will need to obtain the new agent software. You can go to the Trend Micro Download Center and download the agent software package, or you can download it through the Deep Security Manager and then export it, as described in this procedure:

  1. In the Deep Security Manager, go to Administration > Updates > Software Updates.
  2. Make sure the most recent Deep Security agents have been downloaded to the Deep Security Manager from Trend Micro Download Center.
  3. On the Software Updates tab, click View Imported Software.
  4. Select the required agent software and click Export in the menu bar.
  5. Specify the location to which you want to export the agent software.

Next, you will need run the installer. The way you do this varies by operating system:

Windows

  1. Disable agent self-protection. To do this, on the Deep Security Manager, go to Computer editorClosedTo open the Computer editor, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Settings > General. In Agent Self Protection, and then either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.
  2. Copy the agent installer to the computer.
  3. Run the agent installer. It will detect the previous agent and perform the upgrade.

Linux

  1. Copy the agent installer to the computer.
  2. Run the following command:

    rpm -U <new agent installer rpm>

(The "-U" argument instructs the installer to perform an upgrade.)

Solaris

  1. Copy the agent installer to the computer.
  2. Unzip the package using gunzip.
  3. Run the following command:
    pkgadd -v -a /opt/ds_agent/ds_agent.admin -d <new agent package>

Update the Deep Security Virtual Appliance

Applies to on-premise Deep Security software installations only

Trend Micro provides updates for the Deep Security Virtual Appliance to protect against new vulnerabilities in the operating system of the appliance's virtual machine.

If you need information about installing appliances, see Deploy the Deep Security Virtual Appliance with NSX Advanced or Enterprise.

To update your appliances, see Upgrade the Deep Security Virtual Appliance.