Deep Security Manager 10 has reached end of support.
Archived Deep Security Agent release notes
For release notes from this year, see "What's new in Deep Security Agent?".
For release notes from the long-term support (LTS) release, see the Deep Security Agent - Linux 10.0 readme.
Update 1
Issue 1: [DSSEG-952] Network connectivity issues were observed in Amazon Linux (x86_64) machines running Intrusion Prevention System in in-line network engine mode. Solution 1: The logic to handle skb_linearize failure has been fixed and made more robust to avoid such types of network connectivity issues.
Issue 2: [DSSEG-943/SEG-4381] After the Deep Security Agent had been running on a web server for a long time, it would interrupt HTTPS traffic. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-937/377091] When firewall was enabled, the agent logged many 'invalid tcp timestamp' events in some circumstances. Solution 3: The default behavior has been changed to not log those events. It can still be enabled in the Anti-Evasion settings.
Issue 4: [DSSEG-919] Application Control did not support Linux kernel versions 4.6 or higher. Solution 4: With this update, Application Control supports kernel versions 4.6 or higher.
Issue 5: [DSSEG-916/SEG-3395/SEG-4060] When Deep Security Agent anti-malware was enabled in a Red Hat Enterprise Linux 7 environment, the system would reboot due to a kernel panic. Solution 5: This issue is fixed in this release.
Issue 6: [DSSEG-910/SEG-2762] The Deep Security Agent would crash when the integrity monitoring module scanned a file path containing a "%" character. Solution 6: The issue is fixed in this release.
Issue 7: [DSSEG-908] When a file was sent to an SAP server via SMTP attachment and the SAP process stripped the extension from the file (for example, filename.pdf became filename), the file would be blocked with a "BLOCKED_BY_POLICY" error. Solution 7: This issue is fixed in this release.
Issue 8: [DSSEG-891] The Deep Security Agent created temporary files in the temp directory but these files were not removed after use, which resulted in inodes filling up. Solution 8: This issue is fixed in this release.
Issue 9: [DSSEG-855] A custom Log Inspection rule would not work and produced the error: "OSSEC id does not map to DSM id". Solution 9: This issue is fixed in this release.
Issue 10: [DSSEG-847] Application Control failed to download a ruleset when the Deep Security Agent was behind a proxy and the rulesets were hosted on Deep Security Manager. Solution 10: Application Control can now download the ruleset from the manager when the agent is behind a proxy.
Issue 11: [DSSEG-844] Application Control failed to download a ruleset when the Deep Security Agent thread was stuck downloading a ruleset from an older configuration. Solution 11: With this release, application control will download the ruleset.
Issue 12: [DSSEG-839] On a 'Large Send Offload' (LSO) network, a number of firewall events with a reason of "Invalid IP Datagram Length" sometimes occurred. This happened because the firewall driver incorrectly calculated the IP datagram length in an LSO environment. Solution 12: This issue is fixed in this release.
Update 2
Issue 1: [DSSEG-1109] Deep Security file reputation querying to Smart Protection Server was not counted correctly in the Summary of Smart Protection Server. For example, the "Active Users for File Reputation" widget displayed an incorrect number of users. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-1090] In some circumstances, the kernel module for a Linux version of the Deep Security Agent could be replaced by an earlier version of the kernel support package. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1081] When connections were reset, they were not removed in the kernel module until the connection timed out. This resulted in the maximum number of TCP connections being reached. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-1041/SEG-370] The Deep Security Firewall/Intrusion Prevention driver sometimes did not bind to a specific Network Interface Controller (NIC). When the Deep Security Agent took it as StandbyAdapter, it would cause a Deep Security Agent exception during initialization and fail to generate the firewall/intrusion prevention driver configuration file. Solution 4: The issue is fixed in this release.
Issue 5: [DSSEG-1040/SBM 352560] When the Intrusion Prevention rule "1000128 - HTTP Protocol Decoding" is enabled and "Specify raw characters that are not allowed in the URI:" is used, when the Deep Security Agent detects an illegal character, the Deep Security Manager will show the illegal character in an Intrusion Prevention event. However, the Deep Security Agent sometimes did not report the correct location of the illegal character, so it was not displayed correctly in the Deep Security Manager. Solution 5: This issue is fixed in this release.
Issue 6: [DSSEG-1012] If the Deep Security Agent failed to download the Kernel Support Package, the agent would not retry the download. Solution 6: This issue is fixed in this release.
Issue 7: [DSSEG-1138/SEG-5409/00388364] Due to a race condition, a kernel panic would occur when dsa_filter was handling duplicate UDP packets. Solution 7: The issue is fixed in this release.
Issue 8: [DSSEG-1017/SEG-6293/SEG-8827] The Deep Security Virtual Appliance's security update failed or VMs were offline because the Scheduler thread exited abnormally. Solution 8: This issue is fixed in this release.
Update 3
Issue 1: [DSSEG-1242/internal case] A race condition caused an error displayed on a blue screen when the intrusion prevention module handled duplicate UDP packets. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-1210/SEG-6284] AWS OpsWorks invokes an ssh that cannot be looked up from AWS Linux kernel. The default action of Deep Security Agent was to block such execution. This caused users to receive an "Operation Not Permitted" error on their OpsWorks deployment. Solution 2: The issue is fixed in this release.
Issue 3: [DSSEG-1198/351879] The Deep Security Agent did not securely generate the SSL Master Secret when the "Client key exchange" and "Certificate verify" handshake records were both in one packet. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-1211] On some Linux platforms, if iptables or ip6tables was disabled and a customer installed or restarted the Deep Security Agent, the ds_agent process would start iptables and add a rule to open port 4118. Solution 4: With this release, the ds_agent process will check the iptables/ip6tables status. If it is disabled, it will not be changed. If it is enabled, one rule to allow port 4118 for communication will be added.
Update 4
Enhancement 1: [DSSEG-1360] To support Windows 2016, EPSecLib has been upgraded to version 6.3.3.
Enhancement 2: [DSSEG-1310] This release adds support for kernel 4.11.0-13-generic.
Enhancement 3: [DSSEG-1344] This release of Deep Security Agent supports Linux 4.12 Kernels.
Issue 1: [DSSEG-1407] Kernel panic occurred while adding VMware hotplug cpu or memory resource. Solution 1: RTScan now skips hooking debugfs to avoid kernel crash.
Issue 2: [DSSEG-1367/SF00472245/SEG-10539] When log inspection was enabled, the Deep Security Agent sometimes used more than 50% (and up to 98%) of the CPU for long periods of time. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1364/493112] In previous releases, the "Smart Protection Server Disconnected for Web Reputation" alert could only be cleared manually by a user. Solution 3: In this release, Deep Security Manager will clear the alert automatically when it receives a "Smart Protection Server Connected for Web Reputation" event.
Issue 4: [DSSEG-1363/VRTS-1121/VRTS-742] Deep Security Virtual Appliance was affected by a vulnerability in the OS layer. Solution 4: This issue is resolved in this release.
Issue 5: [DSSEG-1301] After enabling application control, the system would sometimes enter a disconnected state and could not be accessed via ssh. Solution 5: This issue is fixed in this release.
Issue 6: [DSSEG-1225/SEG-9966/00415118/SEG-9503] Filesystem in Userspace (FUSE) conflicts with redirects led to performance issues when the anti-malware module was enabled. Solution 6: This issue is fixed in this release.
Issue 7: [DSSEG-1203/SEG-8048/SF00453864] Smart Scan Agent Pattern updates sometimes failed. Solution 7: This issue is fixed in this release. The iAU module has been upgraded to 1062.
Issue 8: [DSSEG-1305/475444/SEG-9521] In the anti-malware configuration file for Linux (ds_am.ini), the vmpd_log_file_count key and the vmpd_log_file_MB key did not work as expected. Solution 8: With this release, the vmpd_log_file_count can be set with a size of 2 to 1000 files, and vmpd_log_file_MB can be set with a size of 1 to 100 MB.
Update 5
Enhancement 1: [DSSEG-1494] In this release, Deep Security Virtual Appliance has been improved to gracefully handle local vMotion in VMware's environment.
Enhancement 2: [DSSEG-1462] Real-time anti-malware scans are now supported on Oracle Linux 6 x64 agents and Oracle Linux 7 x64 agents.
Issue 1: [DSSEG-1370] The Deep Security Agent sometimes failed to complete an SSL handshake when the agent was using a proxy to connect to Deep Security Manager. Solution 1: The issue is fixed in this release.
Issue 2: [DSSEG-1247] A race condition when the ds_agent kernel module was handling TCP connections caused an error displayed on a blue screen. Solution 2: The issue is fixed in this release.
Update 5 Critical Patch
Issue 1: [DSSEG-1551] A change made on October 14 to version 2.7 of smBIOS for AWS EC2 instances introduced an incompatibility issue with Deep Security Agents on Linux and Windows. We have seen this issue affecting new instances created in the US-Virginia, Japan, and Singapore regions since October 14, but additional regions will be affected. This issue affects agent activation on any instance with the 2.7 bios and is likely to result in agents entering an unprotected state. Currently running activated agents are not affected. For details, please refer to: https://success.trendmicro.com/solution/1118601 Solution 1: The incompatibility is fixed with this release.
Update 6
Enhancement 1: [DSSEG-1652] The Deep Security Virtual Appliance ds_agent startup script has been enhanced to ensure the necessary kernel module is placed in the correct path and to wake up the vmtoolsd service if it doesn't run.
Enhancement 2: [DSSEG-1568] The Advanced Threat Scan Engine used in Deep Security Agent has been updated to version 10.000.1004.
Issue 1: [DSSEG-1744] Sometimes, after a Deep Security Agent upgrade, anti-malware protection would be absent or out of date. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-1714] An EICAR sample was not detected and blocked in a NIC teaming environment. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1602/00598122/SEG-15655] When an Oracle WebLogic Server created cached directories ending with .jar or .war, the application control feature would enter a loop when reading those directories, resulting in high CPU usage. Solution 3: The issue is fixed in this release.
Issue 4: [DSSEG-1493] When the Deep Security Agent lightweight filter driver (tbimdsa.sys) was installed in a Windows environment where NIC teaming was configured as LACP mode, the "Microsoft Network Adapter Multiplexor Driver" device would enter a "Network cable unplugged" state. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-1148/SEG-1206] The default ICRC log level for a Deep Security Agent on Linux is "debug", which causes the ds_am-icrc.log file to grow quickly. Solution 5: Change the default ICRC log level to "warn". For a fresh agent installation, the default ICRC log level will be set to "warn" by default.
Update 7
Enhancement 1: [DSSEG-1754/SEG-17076] The Advanced Threat Scan Engine used in Deep Security Agent has been updated to version 10.200.1006.
Issue 1: [DSSEG-1885/SEG-11876] When SSL inspection was enabled on an SSL server, clients sometimes failed to establish an SSL session and a "Record Layer Message (not ready)" intrusion prevention event would occur. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-1837] A spin_lock in dsa_filter caused network performance issues on Linux platforms. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1825/3-1-1493237865/SEG-18925] Anti-Malware scan inclusions and exclusions did not work when the path contained multi-byte characters. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-1411] Agentless vMotion sometimes failed when there were more than two vNICs. Solution 4: This issue is fixed in this release.
Update 8
Enhancement 1: [DSSEG-1980] This release adds support for Amazon Linux 2. In order to use this platform, you need Deep Security Manager 10.0 Update 8 or above.
Issue 1: [DSSEG-2017] The Linux syslog received many filp_open failure logs when the ds_agent anti-malware kernel module failed to open files. Solution 1: The issue is fixed in this release.
Issue 2: [DSSEG-1992/SEG-22602] Deep Security Agent incompatibilities with c5 and m5 instance types in AWS Elastic Compute Cloud (EC2) running Linux operating systems caused an issue where computers that failed to be correctly identified were activated outside of an AWS cloud connector, were not assigned EC2 metadata, and may not have been assigned the expected security policy. In these cases, assigning a security policy or relay groups based on EC2 metadata (using Event Based Tasks (EBTs), for example) was incorrect. In addition, consumption-based billing for large instances was incorrect. Existing EC2 instance types that have Deep Security Agents already installed or newly deployed are unaffected. For details, please refer to: https://success.trendmicro.com/solution/1119433 Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1974/SEG-23241/SEG-6472/SEG-6201/SEG-19649] When the kernel module (gsch) in the Deep Security Agent Anti-Malware feature on Linux was loaded and hooked a system call, and then the gsch module was unloaded or the anti-malware feature was disabled, this caused a system crash if another vendor's kernel module was hooking the system call later than the gsch driver. Solution 3: The issue is fixed in this release.
Update 9
Issue 1: [DSSEG-2103/SEG-21286/00684294] Real-time Anti-Malware scans sometimes caused a kernel panic on some specific file systems. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-2076/SEG-23938/SEG-23938] SSL/TLS compression was not disabled while initiating SSL context for DSA listening port (4118). Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1958/SEG-20477] A Deep Security Agent's Anti-Malware status sometimes displayed as "offline" after the agent was stopped ungracefully during an OS shutdown. This issue was caused by the shutdown leaving a ds_am pid file in place that pointed to a process that was no longer running. Solution 3: This issue is fixed in this release.
Update 10
Enhancement 1: [DSSEG-2148] With this release of Deep Security Agent, all pattern updates from the Deep Security Relay or Trend Micro Update Server will require the use of the TLS 1.2 protocol.
Issue 1: [DSSEG-2173/SEG-23387] The Deep Security Agent query script, dsa_query.cmd or dsa_query.sh, would sometimes fail. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-2068] When Deep Security Agent failed to download new kernel modules for both Anti-Malware and Firewall, it was expected to try downloading those modules again. However, if only the Anti-Malware kernel module was successfully downloaded, Deep Security Agent sometimes did not retry downloading the Firewall kernel module. As a result, the new kernel module was not loaded, which could trigger a Firewall engine offline issue on Amazon Linux. Solution 2: The issue is fixed in this release.
Update 11
Enhancement 1: [DSSEG-2161] With this release of Deep Security Agent, all software updates from the Deep Security Relay or Deep Security Manager will require the use of the TLS 1.2 protocol.
Update 12
Enhancement 1: [DSSEG-2201/SEG-21673] When agentless real-time anti-malware scanning is enabled with the "Enable network directory scan" option set to "Off", the Deep Security Virtual Appliance does not request any network file access events from guest machines.
Issue 1: [DSSEG-2333/SEG-26904] When a security event syslog was forwarded directly from the Deep Security Agent to a syslog server, it contained an incorrect IPv6 address in the dvchost field. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-2304/00853021/SEG-28060] After upgrading Deep Security Agent from version 9.6 to 10.0 on a Linux platform, the Component Set version was not updated, which caused the Security Update Status to display "Out-of-Date". Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-2248/00822625/SEG-27661] When a user configured a firewall bypass rule with a port range containing port 65535, the Deep Security Agent configuration would fail to compile. Solution 3: This issue is fixed in this release.
Update 13
Issue 1: [DSSEG-2518] In previous releases, the Deep Security Agent for Linux dropped ARP packets. This sometimes led to configuration issues. Solution 1: On Linux, the Deep Security Agent logs ARP packets instead of dropping them.
Issue 2: [DSSEG-2382/SEG-29766/SF00875293] When Anti-Malware was enabled, a kernel panic sometimes occurred due to a memory allocation failure. Solution 2: The issue is fixed in this release.
Issue 3: [DSSEG-1687] When Deep Security Agent scanned a SAR file that contained relative paths, those relative paths were not extracted to a temporary directory for scanning. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-1686] When messages coming from Deep Security Virus Scan Adapter were too long, it caused a buffer overflow, and the Deep Security Agent would access an invalid memory address. Solution 4: This issue is fixed in this release.
Update 14
Enhancement 1: [DSSEG-2788] The Linux Deep Security Agent fresh install will not download the older version engine from iAU if the Deep Security Agent Anti-Malware module already includes the new engine.
Enhancement 2: [DSSEG-2563] Deep Security Agent now supports Debian 9. This new agent is compatible with Deep Security Manager 10.0 Update 12 or later.
Enhancement 3: [DSSEG-2489] Anti-Malware Scan Engine can be displayed and has the option to enable or disable an Anti-Malware update.
Issue 1: [DSSEG-2736/SEG-34502] When a TCP connection was established with the same tuples as a previously tracked one, the network engine could set the connection track to an incorrect status. This sometimes happened on a busy server where rapid connections reused a recycled connection. The network engine treated it as an "Out of connection" error and dropped the packet. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-2542/SEG-31883/SF00958979] An invalid dentry object sometimes caused a kernel panic. Solution 2: The issue is fixed in this release.
Issue 3: [DSSEG-2387/SEG-22509/00695358] In a Red Hat Enterprise Linux 5 or 6 or a CentOS 5 or 6 environment, Integrity Monitoring events related to the following rule were displayed even if users or groups were not created or deleted: 1008720 - Users and Groups - Create and Delete Activity. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-2329/SEG-29194/SF00866327] Some of the files installed by Deep Security Agent had incorrect permissions. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-2313/SEG-26394/815500] When both Application Control and real-time Anti-Malware scanning were enabled and either one became disabled, a system crash would sometimes occur. This could occur when explicitly disabling either feature or when:
- stopping the Deep Security Agent service,
- upgrading the Deep Security Agent, or
- restarting a Deep Security Agent computer.
Solution 5: This issue is fixed in this release.
Update 15
Enhancement 1: [DSSEG-2827/SEG-34684] Previously, the network engine would sometimes fill the MAC field in event logs with zeros for outgoing packets, to make the logs easier to read. This release removes this behavior to avoid issues in an overlay network environment. In the event logs, the MAC address for outgoing packets may be empty or contain a random number.
Enhancement 2: [DSSEG-2489] Anti-Malware Scan Engine can be displayed and has the option to enable or disable an Anti-Malware update.
Enhancement 3: [DSSEG-2257] The Anti-Malware engine offline error is not reported when the computer is preparing to shut down.
Enhancement 4: [DSSEG-2746/SF00374619/SF00340345/00425845/00389528/SF179909/00368352/SF159145/SF318628/00513686/00528775/538145/441559/00611107] In this release, the Deep Security Agent installer checks the installation platform to prevent installation of an agent that does not match the platform. This feature is supported on:
- Amazon Linux and Amazon Linux 2
- Red Hat Enterprise Linux 5, 6 and 7
- CentOS 5, 6 and 7
- Cloud Linux 6 and 7
- Oracle Linux 5, 6 and 7
- SUSE Linux Enterprise Server 11 and 12
Enhancement 5: [DSSEG-2308] The version of OpenSSL used by the Deep Security Agent and Deep Security Relay has been updated to openssl-1.0.2o.
Issue 1: [DSSEG-2857/SEG-33085] An unactivated Deep Security Agent could reach 100% CPU usage when handling a long HTTPS request. Solution 1: The issue is fixed in this release.
Issue 2: [DSSEG-2799/SEG-34463] The Agent operating system could crash when Anti-Malware was enabled or the Agent was stopped. Solution 2: This issue is fixed in this release.
Update 16
Enhancement 1: [DSSEG-3022] The version of zlib used by the Deep Security Agent has been updated to zlib-1.2.11.
Enhancement 2: [DSSEG-2970] The version of curl used by the Deep Security Agent has been updated to curl-7.61.1.
Enhancement 3: [DSSEG-2966] Deep Security Agent has been updated to support PFS cipher suites.
Enhancement 4: [DSSEG-3025/SEG-37605] This release updates the Anti-Malware scan engine to the latest version.
Issue 1: [DSSEG-3105/SF01248774/SEG-37651] When real-time Anti-Malware scans were enabled on Linux, a lot of Linux Security Module logs were generated. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-3076] Packets were dropped due to an out of memory error when skb_linearize was called to handle fragments. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-3004/SF01061186/SEG-33124] The Anti-malware driver has a compatibility issue with a GFS2/GFS cluster environment. Solution 3: GFS2/GFS has been added to the Anti-malware hook exclude list.
Issue 4: [DSSEG-2953/SEG-33407] When Anti-malware real-time driver initialization failed, the operating system sometimes crashed. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-2878/00461478/573707/00386295/SEG-5825/00487753] Users who are not using a local Smart Protection Server (SPS) reported many Dropped Retransmit "rxjammed" events in the Firewall when using Web Reputation Service, which caused the Firewall logs to fill up. Solution 5: Dropped Retransmit "rxjammed" events are no longer recorded in the Firewall log.
Update 17
Issue 1: [DSSEG-3386/SEG-40130] Deep Security Scanner encountered problems when an SAP client program created a large number of scan tasks. Solution 1: Scanner has been improved and can now handle a larger number of scan tasks.
Issue 2: [DSSEG-3336] The Network Filter Driver lacked error handling for some cases when memory allocation failed. This sometimes resulted in a system crash, especially when the system memory was exhausted. Solution 2: This issue has been resolved in this release.
Issue 3: [DSSEG-3309] Deep Security Agent real-time Anti-Malware scans and Application Control didn't work correctly with a Linux 4.18 kernel. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-3262] Deep Security Agent real-time Anti-Malware scans didn't work correctly with a Linux 4.12 kernel. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-3216] When both Anti-Malware real-time scans and SAP scanner were enabled on a Windows computer that had SAP NetWeaver 7.5+ installed, a virus could be detected and quarantined, but the error code returned to SAP NetWeaver was not correct. Solution 5: This issue is fixed in this release.
Issue 6: [DSSEG-3109] A native firewall could not be turned on/off automatically after the Deep Security Firewall module was enabled or its configuration was changed. Solution 6: This issue is fixed in this release.
Issue 7: [DSSEG-3103] In certain configurations, the Deep Security Agent kernel driver loaded an incorrect configuration, causing an OS crash. Solution 7: This issue is fixed in this release.
Issue 8: [DSSEG-3081/SF01339187/SEG-38497/SEG-33163] An SAP system with Java running in a Linux environment failed to start when Deep Security Scanner returned an error code without an error message. Solution 8: This issue is fixed in this release.
Issue 9: [DSSEG-3039/SEG-39670] An Integrity Monitoring rule could be triggered unintentionally when the prefix of its base directory path matched that of another rule. For example, if you had rules that monitored "c:\lab\" and "c:\lab1\", and added a file "c:\lab1\sample.txt", both rules would be triggered. Solution 9: This issue is fixed in this release.
Update 18
Issue 1: [DSSEG-3556/SF01800170/SEG-46936] When Web Reputation was enabled, the tbimdsa engine caused a system crash due to an unexpected system memory allocation failure. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-3551/SEG-46918/01770086] Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app. " error message in ds_agent.log. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-3505/SEG-45832/01745654] Deep Security Agent sometimes crashed when detailed SSL message logging was enabled and executed. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-3475/SEG-44111] Scan Engine sometimes failed while re-compressing extracted files into archive files. Therefore, Deep Security Manager incorrectly reported archive files as cleaned. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-3430] Deep Security Agent real-time Anti-Malware scans didn't work correctly with a Linux 4.19 kernel. Solution 5: This issue is fixed in this release.
Issue 6: [DSSEG-3158] Deep Security Agent sometimes crashed due to defects in Lua 5.2.1. Solution 6: Lua has been upgraded to version 5.2.4.
Update 19
Issue 1: [DSSEG-3831/SEG-34751/SF01137463] Kernel panic occurred because of redirfs. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-3718/SEG-43481/SF01423970] Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-3715] Using a default system language to set the locale on a Linux computer sometimes caused Anti-Malware to not function correctly. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-3706/SEG-48947/01929085] The ds_agent process in Deep Security Virtual Appliance sometimes crashed during vMotion due to a race condition. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-3654/SEG-46912/01746052] Anti-Malware events displayed a blank file path with invalid Unicode encoding. Solution 5: This issue is fixed in this release.
Issue 6: [DSSEG-3620] An invalid printf() format when printing logs indicated that a hash calculation was skipped due to the file size being over the maximum hash calculation size. Solution 6: The printf() format has been updated.
Issue 7: [DSSEG-3594/SEG-47425/SF01804378] Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. Solution 7: This issue is fixed in this release.
Update 20
Issue 1: [DSSEG-4026/SEG-52195/SF01954511] The heartbeat thread crashed due to a SQLite exception when getting Log Inspection events. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-3926/02023336/SEG-51309] The files under system paths (e.g., "/sys" or "/dev") were caught by Anti-Malware real-time scans for file scanning. However, by design, those files should not be scanned because they are basically system files, and most of them are unchangeable and unreadable. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-3898/01903269/SEG-48538] The logs under /var/opt/ds_agent/diag/dsva/ on Deep Security Virtual Appliance were not rotated. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-3738/SF01775560/SEG-49866] The agent operating system would sometimes crash when bypassing the cluster network interface on ds_filter. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-3520/SEG-42919/SF01415702] When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. Solution 5: The issue is fixed in this release.
Issue 6: [DSSEG-3886] A security update was triggered every time a policy was sent to Deep Security Virtual Appliance. Solution 6: This issue is fixed in this release.
Update 21
Issue 1: [DSSEG-4221] When Anti-Malware real-time scans were enabled on Linux, the ds_am process caused CPU soft lockup. Solution 1: This issue is fixed in this release.
Update 23
Issue 1: [DSSEG-4647/SEG-60379/SEG-32679/1033963/SEG-61158] Deep Security Agent logged "Error on SIOCETHTOOL: (error 95: Operation not supported)" every minute. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-4312/SEG-49232/01830825] VMs went offline after a vMotion because the database was locked. Solution 2: This issue is fixed in this release.
Update 24
Enhancement 1: [DSSEG-4886/SEG-50838] Enhanced the Anti-Malware kernel level exclusion on Linux. File events coming from remote file systems won't be handled by Deep Security Agent anymore when Network Directory Scan is disabled.
Enhancement 2: [DSSEG-4807/SEG-61584] Increased the maximum size of the Log Inspection database.
Enhancement 3: [SF02650803/DSSEG-4959/SEG-65127] Excluded AWS Lustre from file system kernel hooking to prevent kernel panic.
Issue 1: [DSSEG-4765/SEG-62073/02479683] The "mq_getattr: Bad file descriptor" error occurred while accessing the message queue when Deep Security real-time Anti-Malware was enabled. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-4642/SEG-57527] Anti-Malware did not quarantine some files as expected. Solution 2: This issue is fixed in this release.
Issue 3: [SF02689631/DSSEG-4981/SEG-65408] When the Anti-Malware real-time scans configuration was re-deployed, it sometimes caused kernel-mode stack overflow if there was a third-party kernel hooking module. Solution 3: The issue is fixed in this release.
For release notes from the long-term support (LTS) release, see the Deep Security Agent - Unix 10.0 readme.
Update 1
Issue 1: [DSSEG-943/SEG-4381] After the Deep Security Agent had been running on a web server for a long time, it would interrupt HTTPS traffic. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-910/SEG-2762] The Deep Security Agent would crash when the integrity monitoring module scanned a file path containing a "%" character. Solution 2: The issue is fixed in this release.
Issue 3: [DSSEG-891] The Deep Security Agent created temporary files in the temp directory but these files were not removed after use, which resulted in inodes filling up. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-855] A custom Log Inspection rule would not work and produced the error: "OSSEC id does not map to DSM id". Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-839] On a 'Large Send Offload' (LSO) network, a number of firewall events with a reason of "Invalid IP Datagram Length" sometimes occurred. This happened because the firewall driver incorrectly calculated the IP datagram length in an LSO environment. Solution 5: This issue is fixed in this release.
Update 2
Issue 1: [DSSEG-1109] Deep Security file reputation querying to Smart Protection Server was not counted correctly in the Summary of Smart Protection Server. For example, the "Active Users for File Reputation" widget displayed an incorrect number of users. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-1090] In some circumstances, the kernel module for a Linux version of the Deep Security Agent could be replaced by an earlier version of the kernel support package. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1081] When connections were reset, they were not removed in the kernel module until the connection timed out. This resulted in the maximum number of TCP connections being reached. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-1041/SEG-370] The Deep Security firewall/intrusion prevention driver sometimes did not bind to a specific Network Interface Controller (NIC). When the Deep Security Agent took it as StandbyAdapter, it would cause a Deep Security Agent exception during initialization and fail to generate the firewall/intrusion prevention driver configuration file. Solution 4: The issue is fixed in this release.
Issue 5: [DSSEG-1040/SBM 352560] When the Intrusion Prevention rule "1000128 - HTTP Protocol Decoding" is enabled and "Specify raw characters that are not allowed in the URI:" is used, when the Deep Security Agent detects an illegal character, the Deep Security Manager will show the illegal character in an Intrusion Prevention event. However, the Deep Security Agent sometimes did not report the correct location of the illegal character, so it was not displayed correctly in the Deep Security Manager. Solution 5: This issue is fixed in this release.
Issue 6: [DSSEG-1012] If the Deep Security Agent failed to download the Kernel Support Package, the agent would not retry the download. Solution 6: This issue is fixed in this release.
Issue 7: [DSSEG-1138/SEG-5409/00388364] Due to a race condition, a kernel panic would occur when dsa_filter was handling duplicate UDP packets. Solution 7: The issue is fixed in this release.
Update 3
Issue 1: [DSSEG-1242/internal case] A race condition caused an error displayed on a blue screen when the intrusion prevention module handled duplicate UDP packets. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-1198/351879] The Deep Security Agent did not securely generate the SSL Master Secret when the "Client key exchange" and "Certificate verify" handshake records were both in one packet. Solution 2: This issue is fixed in this release.
Update 4
Issue 1: [DSSEG-1367/SF00472245/SEG-10539] When log inspection was enabled, the Deep Security Agent sometimes used more than 50% (and up to 98%) of the CPU for long periods of time. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-1364/493112] In previous releases, the "Smart Protection Server Disconnected for Web Reputation" alert could only be cleared manually by a user. Solution 2: In this release, Deep Security Manager will clear the alert automatically when it receives a "Smart Protection Server Connected for Web Reputation" event.
Issue 3: [DSSEG-1203/SEG-8048/SF00453864] Smart scan pattern updates sometimes failed. Solution 3: This issue is fixed in this release. The iAU module has been upgraded to 1062.
Update 5
Issue 1: [DSSEG-1370] The Deep Security Agent sometimes failed to complete an SSL handshake when the agent was using a proxy to connect to Deep Security Manager. Solution 1: The issue is fixed in this release.
Issue 2: [DSSEG-1247] A race condition when the ds_agent kernel module was handling TCP connections caused an error displayed on a blue screen. Solution 2: The issue is fixed in this release.
Update 6
Issue 1: [DSSEG-1744] Sometimes, after a Deep Security Agent upgrade, anti-malware protection would be absent or out of date. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-1714] An EICAR sample was not detected and blocked in a NIC teaming environment. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1602/00598122/SEG-15655] When an Oracle WebLogic Server created cached directories ending with .jar or .war, the application control feature would enter a loop when reading those directories, resulting in high CPU usage. Solution 3: The issue is fixed in this release.
Issue 4: [DSSEG-1493] When the Deep Security Agent lightweight filter driver (tbimdsa.sys) was installed in a Windows environment where NIC teaming was configured as LACP mode, the "Microsoft Network Adapter Multiplexor Driver" device would enter a "Network cable unplugged" state. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-1148/SEG-1206] The default ICRC log level for a Deep Security Agent on Linux is "debug", which causes the ds_am-icrc.log file to grow quickly. Solution 5: Change the default ICRC log level to "warn". For a fresh agent installation, the default ICRC log level will be set to "warn" by default.
Update 7
Enhancement 1: [DSSEG-1754/SEG-17076] The Advanced Threat Scan Engine used in Deep Security Agent has been updated to version 10.200.1006.
Issue 1: [DSSEG-1885/SEG-11876] When SSL inspection was enabled on an SSL server, clients sometimes failed to establish an SSL session and a "Record Layer Message (not ready)" intrusion prevention event would occur. Solution 1: This issue is fixed in this release.
Update 9
Issue 1: [DSSEG-2076/SEG-23938/SEG-23938] SSL/TLS compression was not disabled while initiating the SSL context for the DSA listening port (4118). Solution 1: This issue is fixed in this release.
Update 10
Enhancement 1: [DSSEG-2148] With this release of Deep Security Agent, all pattern updates from the Deep Security Relay or Trend Micro Update Server will require the use of the TLS 1.2 protocol.
Issue 1: [DSSEG-2173/SEG-23387] The Deep Security Agent query script, dsa_query.cmd or dsa_query.sh, would sometimes fail. Solution 1: This issue is fixed in this release.
Update 11
Enhancement 1: [DSSEG-2161] With this release of Deep Security Agent, all software updates from the Deep Security Relay or Deep Security Manager will require the use of the TLS 1.2 protocol.
Update 12
Issue 1: [DSSEG-2333/SEG-26904] When a security event syslog was forwarded directly from the Deep Security Agent to a syslog server, it contained an incorrect IPv6 address in the dvchost field. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-2248/00822625/SEG-27661] When a user configured a firewall bypass rule with a port range containing port 65535, the Deep Security Agent configuration would fail to compile. Solution 2: This issue is fixed in this release.
Update 13
Issue 1: [DSSEG-2502/SEG-30378] Deep Security Agent crashed when it received a SIGPIPE signal in a Solaris environment. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-2094/SEG-21449] When the Deep Security Agent was deployed on a computer running Solaris, memory usage increased, sometimes using more than 8 GB of RAM. Solution 2: This issue is fixed in this release.
Update 14
Enhancement 1: [DSSEG-2489] Anti-Malware Scan Engine can be displayed and has the option to enable or disable an Anti-Malware update.
Issue 1: [DSSEG-2736/SEG-34502] When a TCP connection was established with the same tuples as a previously tracked one, the network engine could set the connection track to an incorrect status. This sometimes happened on a busy server where rapid connections reused a recycled connection. The network engine treated it as an "Out of connection" error and dropped the packet. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-2640/SEG-27659/SF00754510] After successfully installing Deep Security Agent on a Solaris 10 Sparc machine, the ds_agent process was not running. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-2329/SEG-29194/SF00866327] Some of the files installed by Deep Security Agent had incorrect permissions. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-2313/SEG-26394/815500] When both Application Control and real-time Anti-Malware scanning were enabled and either one became disabled, a system crash would sometimes occur. This could occur when explicitly disabling either feature or when:
- stopping the Deep Security Agent service,
- upgrading the Deep Security Agent, or
- restarting a Deep Security Agent computer.
Solution 4: This issue is fixed in this release.
Update 15
Enhancement 1: [DSSEG-2257] The Anti-Malware engine offline error is not reported when the computer is preparing to shut down.
Enhancement 2: [DSSEG-2308] The version of OpenSSL used by the Deep Security Agent and Deep Security Relay has been updated to openssl-1.0.2o.
Issue 1: [DSSEG-2857/SEG-33085] An unactivated Deep Security Agent could reach 100% CPU usage when handling a long HTTPS request. Solution 1: The issue is fixed in this release.
Update 16
Enhancement 1: [DSSEG-3022] The version of zlib used by the Deep Security Agent has been updated to zlib-1.2.11.
Enhancement 2: [DSSEG-2970] The version of curl used by the Deep Security Agent has been updated to curl-7.61.1.
Enhancement 3: [DSSEG-2966] Deep Security Agent has been updated to support PFS cipher suites.
Enhancement 4: [DSSEG-3025/SEG-37605] This release updates the Anti-Malware scan engine to the latest version.
Issue 1: [DSSEG-2878/00461478/573707/00386295/SEG-5825/00487753] Users who are not using a local Smart Protection Server (SPS) reported many Dropped Retransmit "rxjammed" events in the Firewall when using Web Reputation Service, which caused the Firewall logs to fill up. Solution 1: Dropped Retransmit "rxjammed" events are no longer recorded in the Firewall log.
Update 17
Issue 1: [DSSEG-3336] The Network Filter Driver lacked error handling for some cases when memory allocation failed. This sometimes resulted in a system crash, especially when the system memory was exhausted. Solution 1: This issue has been resolved in this release.
Issue 2: [DSSEG-3178/SEG-32973/01021938] Deep Security Agent on Solaris had a memory leak when writing the debug log. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-3109] A native firewall could not be turned on/off automatically after the Deep Security Firewall module was enabled or its configuration was changed. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-3039/SEG-39670] An Integrity Monitoring rule could be triggered unintentionally when the prefix of its base directory path matched that of another rule. For example, if you had rules that monitored "c:\lab\" and "c:\lab1\", and added a file "c:\lab1\sample.txt", both rules would be triggered. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-2898/01190643/SEG-35814] Solaris InfiniBand interfaces are not supported in any version of Deep Security Agent. If such interfaces are present, Deep Security Manager displays a 'Get Interface Failed' status for the relevant computer(s), and also generates many unwanted firewall events from these interfaces. Solution 5: Deep Security Agent ignores all the traffic on InfiniBand interfaces, and these interfaces no longer appear in Deep Security Manager > agent's Computer details > Interfaces page.
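The prefix collision described in Issue 4 of this update [DSSEG-3039], shown as an added illustration in Python; this is not Trend Micro's code. It assumes the flaw was a raw string-prefix comparison against the rule's base directory, and the function and rule names are hypothetical.

```python
import ntpath
from pathlib import PureWindowsPath


def naive_prefix_match(base_dir: str, changed_file: str) -> bool:
    """Flawed check (assumed form of the bug): raw string prefix comparison.

    Once the trailing separator is dropped, "c:\\lab" is a string prefix of
    "c:\\lab1\\sample.txt", so a rule for c:\\lab\\ fires on files in c:\\lab1\\.
    """
    base = base_dir.rstrip("\\/").lower()
    return changed_file.lower().startswith(base)


def boundary_aware_match(base_dir: str, changed_file: str) -> bool:
    """Match on whole path components, after collapsing "." and ".." segments.

    PureWindowsPath compares case-insensitively and component by component,
    so "lab" never matches "lab1". ntpath.normpath is purely lexical and works
    on any OS; it does not resolve symlinks or junctions.
    """
    base = PureWindowsPath(ntpath.normpath(base_dir))
    target = PureWindowsPath(ntpath.normpath(changed_file))
    return base == target or base in target.parents


def triggered_rules(rules: dict, changed_file: str, matcher) -> list:
    """Return the names of the rules whose base directory covers changed_file."""
    return [name for name, base in rules.items() if matcher(base, changed_file)]


# Constructed sample rules, mirroring the directories named in the release note.
RULES = {"rule_lab": "c:\\lab\\", "rule_lab1": "c:\\lab1\\"}

if __name__ == "__main__":
    changed = "c:\\lab1\\sample.txt"
    print("naive:         ", triggered_rules(RULES, changed, naive_prefix_match))
    print("boundary-aware:", triggered_rules(RULES, changed, boundary_aware_match))
```

The same component-wise comparison applies to exclusion lists and allow lists keyed on directories, where a prefix collision silently widens the scope of a rule.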
Update 18
Issue 1: [DSSEG-3556/SF01800170/SEG-46936] When Web Reputation was enabled, the tbimdsa engine caused a system crash due to an unexpected system memory allocation failure. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-3551/SEG-46918/01770086] Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app. " error message in ds_agent.log. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-3505/SEG-45832/01745654] Deep Security Agent sometimes crashed when detailed SSL message logging was enabled and executed. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-3379/01556670/SEG-43289] Solaris Deep Security Agent service fails to start after an OS reboot. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-3158] Deep Security Agent sometimes crashed due to defects in Lua 5.2.1. Solution 5: Lua has been upgraded to version 5.2.4.
Update 19
Issue 1: [DSSEG-3718/SEG-43481/SF01423970] Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash. Solution 1: The code has been modified to address the premature data structure clean up.
Issue 2: [DSSEG-3706/SEG-48947/01929085] The ds_agent process in Deep Security Virtual Appliance sometimes crashed during vMotion due to a race condition. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-3594/SEG-47425/SF01804378] Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. Solution 3: This issue is fixed in this release.
Update 20
Issue 1: [DSSEG-3892/SEG-50228/01967095] Deep Security Agent failed to cleanly terminate some threads when it exits. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-3520/SEG-42919/SF01415702] When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. Solution 2: The issue is fixed in this release.
For release notes from the long-term support (LTS) release, see Deep Security Agent - Windows 10.0 readme.
Update 1
Enhancement 1: [DSSEG-934] When a user had privileges to add specific keys to the Windows registry, the user was able to inject code to control the Deep Security Agent.
Enhancement 2: [DSSEG-960] This release of Deep Security Agent adds support for Windows 10 RS2.
Issue 1: [DSSEG-970] When documents with long file path names were encrypted by ransomware, they sometimes could not be restored. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-943/SEG-4381] After the Deep Security Agent had been running on a web server for a long time, it would interrupt HTTPS traffic. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-937/377091] When firewall was enabled, the agent logged many 'invalid tcp timestamp' events in some circumstances. Solution 3: The default behavior has been changed to not log those events. It can still be enabled in the Anti-Evasion settings.
Issue 4: [DSSEG-910/SEG-2762] The Deep Security Agent would crash when the integrity monitoring module scanned a file path containing a "%" character. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-891] The Deep Security Agent created temporary files in the temp directory but these files were not removed after use, which resulted in inodes filling up. Solution 5: This issue is fixed in this release.
Issue 6: [DSSEG-855] A custom Log Inspection rule would not work and produced the error: "OSSEC id does not map to DSM id". Solution 6: This issue is fixed in this release.
Issue 7: [DSSEG-844] Application control failed to download a ruleset when the Deep Security Agent thread was stuck downloading a ruleset from an older configuration. Solution 7: With this release, application control will download the ruleset.
Issue 8: [DSSEG-839] On a 'Large Send Offload' (LSO) network, a number of firewall events with a reason of "Invalid IP Datagram Length" sometimes occurred. This happened because the firewall driver incorrectly calculated the IP datagram length in an LSO environment. Solution 8: This issue is fixed in this release.
Update 2
Issue 1: [DSSEG-1138/SEG-5409/00388364] Due to a race condition, a kernel panic would occur when dsa_filter was handling duplicate UDP packets. Solution 1: The issue is fixed in this release.
Issue 2: [DSSEG-1109] Deep Security file reputation querying to Smart Protection Server was not counted correctly in the Summary of Smart Protection Server. For example, the "Active Users for File Reputation" widget displayed an incorrect number of users. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1090] In some circumstances, the kernel module for a Linux version of the Deep Security Agent could be replaced by an earlier version of the kernel support package. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-1081] When connections were reset, they were not removed in the kernel module until the connection timed out. This resulted in the maximum number of TCP connections being reached. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-1041/SEG-370] The Deep Security firewall/intrusion prevention driver sometimes did not bind to a specific Network Interface Controller (NIC). When the Deep Security Agent took it as StandbyAdapter, it would cause a Deep Security Agent exception during initialization and fail to generate the firewall/intrusion prevention driver configuration file. Solution 5: The issue is fixed in this release.
Issue 6: [DSSEG-1040/SBM 352560] When the Intrusion Prevention rule "1000128 - HTTP Protocol Decoding" is enabled and "Specify raw characters that are not allowed in the URI:" is used, when the Deep Security Agent detects an illegal character, the Deep Security Manager will show the illegal character in an Intrusion Prevention event. However, the Deep Security Agent sometimes did not report the correct location of the illegal character, so it was not displayed correctly in the Deep Security Manager. Solution 6: This issue is fixed in this release.
Issue 7: [DSSEG-1012] If the Deep Security Agent failed to download the Kernel Support Package, the agent would not retry the download. Solution 7: This issue is fixed in this release.
Issue 8: [DSSEG-975] The Threat Tracing pattern number in Deep Security Agent on Windows was incorrectly set to a large number and could not be updated because the latest ActiveUpdate pattern number was smaller. Solution 8: This release resets the pattern number to 0 during Agent upgrade. The pattern number will then be set to the latest number when the next security update is performed (either manually or using a scheduled task).
Issue 9: [DSSEG-947] When the anti-malware engine encountered a problem during update, it displayed an error code in the endpoint event. Solution 9: An error message is now displayed instead of a code.
Issue 10: [DSSEG-1089/SEG-875] In some environments, the Anti-Malware Solution Platform (AMSP) could cause high disk input/output when the common scan cache was on. Solution 10: By default, the AMSP common scan cache is on. To disable it, open a Windows command prompt on the Deep Security Manager computer, go to the Deep Security Manager root folder, and run this command: dsm_c -action changesetting -name settings.configuration.disableAmspCommonScanCache -value true
Issue 11: [DS-13501] AMSP CoreServiceShell.exe could cause large memory usage. In Task Manager, the CoreServiceShell.exe process showed a large commit size. Solution 11: This issue is fixed in this release.
Update 3
Issue 1: [DSSEG-1279/00474128/SEG-9606] A heap corruption in li.dll caused Deep Security Agent to crash. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-1242/internal case] A race condition caused an error displayed on a blue screen when the intrusion prevention module handled duplicate UDP packets. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1198/351879] The Deep Security Agent did not securely generate the SSL Master Secret when the "Client key exchange" and "Certificate verify" handshake records were both in one packet. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-1234/SEG-9610/483717] In some environments, the query engine used by Deep Security received different error responses. Certain errors were not handled properly, which caused system slow down. Solution 4: This issue is fixed in this release.
Update 4
Enhancement 1: [DSSEG-1264/511146/SEG-11066] Deep Security Agent 10.0 Update 4 or later no longer needs the Microsoft Visual C++ 2005 Redistributable Package. It will not be installed unless you are upgrading from a Deep Security 9.x Agent. If you are upgrading from an earlier Deep Security 10.x Agent, you may be required to reboot.
Issue 1: [DSSEG-1367/SF00472245/SEG-10539] When log inspection was enabled, the Deep Security Agent sometimes used more than 50% (and up to 98%) of the CPU for long periods of time. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-1364/493112] In previous releases, the "Smart Protection Server Disconnected for Web Reputation" alert could only be cleared manually by a user. Solution 2: In this release, Deep Security Manager will clear the alert automatically when it receives a "Smart Protection Server Connected for Web Reputation" event.
Issue 3: [DSSEG-1361/SEG-12002] A copy or rename operation to a large file (over 3MB) from client computer was sometimes delayed if the file was put on a shared folder on a remote server and SMB v3.0 was used. This issue occurred when the Deep Security Agent was installed on the remote file server and anti-malware real-time scanning was enabled. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-1313] A security update occurred every time the Deep Security Agent received an updated policy. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-1239] Deep Security Notifier did not display any information because the ds_agent service's relevant thread exited abnormally. Solution 5: This issue is fixed in this release.
Issue 6: [DSSEG-1203/SEG-8048/SF00453864] Smart scan pattern updates sometimes failed. Solution 6: This issue is fixed in this release. The iAU module has been upgraded to 1062.
Update 5
Enhancement 1: [DSSEG-1404/TT 353335] A new policy setting (Computer/Policy editor > Settings > General > Suppress all pop-up notifications on host) enables you to hide all pop-up windows on hosts.
Issue 1: [DSSEG-1497] A brief network disconnection occurred during the installation of the Trend Micro Lightweight Filter Driver. This network disconnection would result in the following issues: 1) DNS record disappears in the dual-AD server environment 2) Windows Fail-Over Cluster out-of-sync 3) Windows Network Load Balancing servers out-of-sync. Solution 1: On Windows 2012 R2 or later, network will remain connected even when doing a filter hook/unhook and during installation. During upgrade, a reboot is needed for the Filter Driver's FilterRunType transition. For Windows Network Load Balancing, a few firewall rules are needed in addition to this fix. For details, please see: [https://success.trendmicro.com/solution/1118512]
Issue 2: [DSSEG-1370] The Deep Security Agent sometimes failed to complete an SSL handshake when the agent was using a proxy to connect to Deep Security Manager. Solution 2: The issue is fixed in this release.
Issue 3: [DSSEG-1271/SEG-10957] A stop error was reported on Windows Servers in an IPv6 environment with vLAN tagging. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-1247] A race condition when the ds_agent kernel module was handling TCP connections caused an error displayed on a blue screen. Solution 4: The issue is fixed in this release.
Issue 5: [DSSEG-1508/SEG-8557/464768] A driver used by AMSP caused increased kernel memory usage due to a token leak. Solution 5: The issue is fixed in this release.
Issue 6: [DSSEG-1509/SEG-12733/00474128] The TMUFE engine caused the Deep Security Agent process to crash, due to malformed DNS responses. Solution 6: The issue is fixed in this release.
Issue 7: [DSSEG-1528/00425793/SEG-7652] The anti-malware engine went offline on a Windows 2012 server. Solution 7: This issue is fixed in this release.
Update 5 Critical Patch
Issue 1: [DSSEG-1551] A change made on October 14 to version 2.7 of smBIOS for AWS EC2 instances introduced an incompatibility issue with Deep Security Agents on Linux and Windows. We have seen this issue affecting new instances created in the US-Virginia, Japan, and Singapore regions since October 14, but additional regions will be affected. This issue affects agent activation on any instance with the 2.7 bios and is likely to result in agents entering an unprotected state. Currently running activated agents are not affected. For details, please refer to: https://success.trendmicro.com/solution/1118601 Solution 1: The incompatibility is fixed with this release.
Update 6
Enhancement 1: [DSSEG-1566] The Trend Micro Solution Platform used in the Deep Security Agent has been updated to version 3.9.1198.
Issue 1: [DSSEG-1744] Sometimes, after a Deep Security Agent upgrade, anti-malware protection would be absent or out of date. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-1714] An EICAR sample was not detected and blocked in a NIC teaming environment. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1692] When event logs were aggregated, the MAC address for an aggregated firewall or intrusion prevention event could be incorrect. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-1602/00598122/SEG-15655] When an Oracle WebLogic Server created cached directories ending with .jar or .war, the application control feature would enter a loop when reading those directories, resulting in high CPU usage. Solution 4: The issue is fixed in this release.
Issue 5: [DSSEG-1493] When the Deep Security Agent lightweight filter driver (tbimdsa.sys) was installed in a Windows environment where NIC teaming was configured as LACP mode, the "Microsoft Network Adapter Multiplexor Driver" device would enter a "Network cable unplugged" state. Solution 5: This issue is fixed in this release.
Update 6 Critical Patch
Enhancement 1: [DSSEG-1873] Microsoft requested that anti-virus vendors set a registry key that will allow a critical system patch for Microsoft Windows. The Deep Security Agent now sets the required registry key upon installation. For details, see https://success.trendmicro.com/solution/1119183
Update 7
Issue 1: [DSSEG-1885/SEG-11876] When SSL inspection was enabled on an SSL server, clients sometimes failed to establish an SSL session and a "Record Layer Message (not ready)" intrusion prevention event would occur. Solution 1: This issue is fixed in this release.
Update 8
Enhancement 1: [DSSEG-1710/SEG-17076/SEG-20229/SEG-13878/SEG-17217/SEG-20808/DSSEG-1950] The Anti-Malware Solution Platform (AMSP) module has been upgraded to version 3.9.1209, which includes these fixes:
- The ATSE engine detected some normal files as malicious files. This issue has been fixed.
- The AEGIS engine has been enhanced to catch more high profile malware. It also fixes a problem where AEGIS would sometimes crash when filling the feedback event tuple for a registry event.
- When anti-malware real-time scanning was enabled, it sometimes took a few minutes for the client computer to extract an archive file. This happened when the AMSP module received a file event containing a file name with a short file path to a Windows shared folder on a network-attached storage server. This issue has been fixed.
- The eye driver "path normalization function" sometimes had performance issues on certain machines. The symptoms varied depending on the environment, but could include high CPU usage, high memory usage, or a system hang. The eye driver has implemented "BypassReparsePointMapping" to prevent these issues. If you are experiencing this issue, follow these steps to enable "BypassReparsePointMapping" on your Deep Security Agent computers:
1. Disable Deep Security Agent self-protection if it is enabled. For instructions, see https://success.trendmicro.com/solution/1060690
2. Stop the AMSP service and the Deep Security Agent service.
3. Add this registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmevtmgr\Parameters] DWORD BypassReparsePointMapping = 1
4. With administrator permission, run the following commands to stop and restart the Trend eye drivers:
sc stop tmactmon
sc stop tmevtmgr
sc stop tmcomm
sc start tmcomm
sc start tmevtmgr
sc start tmactmon
5. Start the AMSP service and the Deep Security Agent service.
Update 9
Issue 1: [DSSEG-2076/SEG-23938/SEG-23938] SSL/TLS compression was not disabled while initiating the SSL context for the DSA listening port (4118). Solution 1: This issue is fixed in this release.
Update 10
Enhancement 1: [DSSEG-2148] With this release of Deep Security Agent, all pattern updates from the Deep Security Relay or Trend Micro Update Server will require the use of the TLS 1.2 protocol.
Issue 1: [DSSEG-2173/SEG-23387] The Deep Security Agent query script, dsa_query.cmd or dsa_query.sh, would sometimes fail. Solution 1: This issue is fixed in this release.
Update 11
Enhancement 1: [DSSEG-2161] With this release of Deep Security Agent, all software updates from the Deep Security Relay or Deep Security Manager will require the use of the TLS 1.2 protocol.
Issue 1: [DSSEG-2228/SEG-23148/SF00700687] The anti-malware module validates each process by querying the file's signature information, but the query may take a long time in certain environments, causing the computer to slow down. Solution 1: This issue is fixed in this release. To prevent the computer from slowing down, there is a new timeout value for the signature query.
Issue 2: [DSSEG-2184/SEG-24555/SF00745590/SEG-24082] When the anti-malware module attempts to remove files or folders but encounters an error, it adds a registry entry indicating that the files should be removed the next time the computer reboots. However, the anti-malware module sometimes created a registry entry when attempting to remove temp files, which might no longer exist. This caused third-party applications to sometimes prompt users to reboot unnecessarily. Solution 2: This issue is fixed in this release.
Update 12
Enhancement 1: [DSSEG-2242/VRTS-2470/VRTS-2473/VRTS-2469] This release improves protection by adding checks when agent self-protection is enabled.
Issue 1: [DSSEG-2333/SEG-26904] When a security event syslog was forwarded directly from the Deep Security Agent to a syslog server, it contained an incorrect IPv6 address in the dvchost field. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-2248/00822625/SEG-27661] When a user configured a firewall bypass rule with a port range containing port 65535, the Deep Security Agent configuration would fail to compile. Solution 2: This issue is fixed in this release.
Update 13
Enhancement 1: [DSSEG-2594] Diagnostic package can collect AMSP logs during uninstall.
Enhancement 2: [DSSEG-2510/SF00908235/SEG-30932] When a cookie is detected as spyware, the related anti-malware event now contains the file path of the cookie. To see this information, double-click the event on the "Anti-Malware Events" page and go to "Spyware Items". The path of the cookie is displayed in the "Object" field.
Issue 1: [DSSEG-2484/SF00600663/SEG-16112] When a malware scan configuration included a "Process Image File List" scan exclusion, and that list included an item on a network drive, all entries in the list were not applied correctly. Solution 1: The anti-malware module has been improved. When a "Process Image File List" contains an item on a network drive, that entry is ignored, but other valid entries are applied successfully.
Issue 2: [DSSEG-2414/SEG-27607/SF00811737] During a component update, the Anti-malware service sometimes got stuck while purging the cache, so the Deep Security Agent status shown in Deep Security Manager would remain as "Security Update in Progress" for a long time. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-1687] When Deep Security Agent scanned a SAR file that contained relative paths, those relative paths were not extracted to a temporary directory for scanning. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-1686] When messages coming from Deep Security Virus Scan Adapter were too long, it caused a buffer overflow, and the Deep Security Agent would access an invalid memory address. Solution 4: This issue is fixed in this release.
Update 14
Enhancement 1: [DSSEG-2489] Anti-Malware scan engine can be displayed and has the option to enable or disable an Anti-Malware update.
Enhancement 2: [DSSEG-2321] The Deep Security Agent installer no longer installs all feature modules when the module plug-in files are located in the same folder as the installer. The required plug-in files are downloaded from a Deep Security Relay when a policy is applied to a protected computer.
Enhancement 3: [DSSEG-2256/SEG-27831] The installation and upgrade status of Windows Anti-Malware is now set correctly.
Issue 1: [DSSEG-2736/SEG-34502] When a TCP connection was established with the same tuples as a previously tracked one, the network engine could set the connection track to an incorrect status. This sometimes happened on a busy server where rapid connections reused a recycled connection. The network engine treated it as an "Out of connection" error and dropped the packet. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-2588] When the Anti-Malware or Firewall features were enabled, Deep Security Agent was not registered to the Windows Security Center on Windows 10 version 1803 (April 2018 Update). This caused the status of anti-malware and firewall to be incorrect in the Windows Security Center and Windows Defender Security Center. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-2407/SEG-29750/SF00874980] When Deep Security Agent was installed on a virtual machine (VM) and the VM was reverted to an earlier state, Log Inspection event data was not synchronized properly between the Deep Security Agent and Deep Security Manager. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-2313/SEG-26394/815500] When both Application Control and real-time Anti-Malware scanning were enabled and either one became disabled, a system crash would sometimes occur. This could occur when explicitly disabling either feature or when:
- stopping the Deep Security Agent service,
- upgrading the Deep Security Agent, or
- restarting a Deep Security Agent computer.
Solution 4: This issue is fixed in this release.
Update 15
Enhancement 1: [DSSEG-2489] Anti-Malware Scan Engine can be displayed and has the option to enable or disable an Anti-Malware update.
Enhancement 2: [DSSEG-2257] The Anti-Malware engine offline error is not reported when the computer is preparing to shut down.
Enhancement 3: [DSSEG-2308] The version of OpenSSL used by the Deep Security Agent and Deep Security Relay has been updated to openssl-1.0.2o.
Issue 1: [DSSEG-2867/SEG-36902/SF01197096] The Deep Security Agent could not be installed properly on Windows XP and Windows 2003. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-2857/SEG-33085] An unactivated Deep Security Agent could reach 100% CPU usage when handling a long HTTPS request. Solution 2: The issue is fixed in this release.
Update 16
Enhancement 1: [DSSEG-3022] The version of zlib used by the Deep Security Agent has been updated to zlib-1.2.11.
Enhancement 2: [DSSEG-2970] The version of curl used by the Deep Security Agent has been updated to curl-7.61.1.
Enhancement 3: [DSSEG-2966] Deep Security Agent has been updated to support PFS cipher suites.
Enhancement 4: [DSSEG-2677] The URL for the Trend Micro corporate site has changed from http://www.trendmicro.co.jp/ to https://www.trendmicro.com/. Deep Security has been updated to point to the new URL where necessary.
Enhancement 5: [DSSEG-3005/SEG-37605] This release updates the Anti-Malware scan engine to the latest version.
Issue 1: [DSSEG-2878/00461478/573707/00386295/SEG-5825/00487753] Users who are not using a local Smart Protection Server (SPS) reported many Dropped Retransmit "rxjammed" events in the Firewall when using Web Reputation Service, which caused the Firewall logs to fill up. Solution 1: Dropped Retransmit "rxjammed" events are no longer recorded in the Firewall log.
Update 18
Issue 1: [DSSEG-3556/SF01800170/SEG-46936] When Web Reputation was enabled, the tbimdsa engine caused a system crash due to an unexpected system memory allocation failure. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-3551/SEG-46918/01770086] Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app. " error message in ds_agent.log. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-3505/SEG-45832/01745654] Deep Security Agent sometimes crashed when detailed SSL message logging was enabled and executed. Solution 3: This issue is fixed in this release.
Issue 4: [DSSEG-3502/SF01709187/SEG-45192/SEG-45025/SEG-45779] The Blue Screen of Death occurred on Windows 2003 when Deep Security Firewall or Intrusion Prevention were enabled. Solution 4: This issue is fixed in this release.
Issue 5: [DSSEG-3158] Deep Security Agent sometimes crashed due to defects in Lua 5.2.1. Solution 5: Lua has been upgraded to version 5.2.4.
Update 19
Issue 1: [DSSEG-3718/SEG-43481/SF01423970] Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-3706/SEG-48947/01929085] The ds_agent process in Deep Security Virtual Appliance sometimes crashed during vMotion due to a race condition. Solution 2: This issue is fixed in this release.
Issue 3: [DSSEG-3594/SEG-47425/SF01804378] Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. Solution 3: This issue is fixed in this release.
Update 20
Issue 1: [DSSEG-3946/SEG-50709/SF01990859] In some cases, the Deep Security Agent network driver (Tbimdsa) did not correctly release a spinlock, causing the system to hang. Solution 1: This issue is fixed in this release.
Issue 2: [DSSEG-3520/SEG-42919/SF01415702] When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. Solution 2: The issue is fixed in this release.
Update 21
Enhancement 1: [DSSEG-2704] A report is created when Windows Anti-Malware encounters an install/upgrade failure or error because of an interop or timing issue.
Update 24
Enhancement 1: [DSSEG-4807/SEG-61584] Increased the maximum size of the Log Inspection database.
Issue 1: [DSSEG-4509] An incorrect reboot request event sometimes occurred. Solution 1: This issue is fixed in this release.