Update Deep Security software

To ensure maximum protection, keep your Deep Security Agent up to date.

Topics in this article:

How updates are performed

Updates are performed as follows:

  1. Deep Security Manager periodically connects to Trend Micro update servers to check for available updates for the Deep Security Agent, and Deep Security Manager.

    The "Deep Security" section of the Administration > Updates > Software page indicates when the last check was performed, whether it was successful, and enables you to initiate a check for updates. If you have configured a scheduled task to check for updates, the date and time of the next scheduled check is also listed here. (See Schedule Deep Security to perform tasks.)

  2. The "Trend Micro Download Center" section of the Administration > Updates > Software page indicates whether there are updates available for any of the software you have already imported into Deep Security Manager. Those are the updates that you're most likely to care about. Deep Security Manager will also generate an alert to let you know that software updates are available.
    Deep Security will only inform you of updates to the minor versions of your imported software. For example, if you have agent version 9.5.100, and Trend Micro releases agent version 9.5.200, Deep Security will tell you that updates to your software are available. However, if Trend Micro then releases agent version 9.6.xxx and you don't have any earlier 9.6 agents in your database inventory, you will not receive a notification that updates are available (even though you have a 9.5.100 agent).

    You can also check the Administration > Updates > Software > Download Center page to see all software packages that are available.

  3. You import the software updates that you require into Deep Security Manager. This can be done manually or automatically. (See Import software updates into Deep Security Manager .)
  4. The software updates are replicated to your relays or web server.
  5. You upgrade your agents. (See Initiate an upgrade or Upgrade agents following an alert. )

Determine how to distribute the software updates

Deep Security software updates are normally hosted and distributed by relay-enabled agents. Relays update your agents more quickly, reduce manager load, and save internet connection or WAN bandwidth. For information on how to set up relays, see Configure relays.

Alternatively, if you already have a web server, you can provide software updates via the web server instead of a relay-enabled agent. To do this, you must mirror the software repository of the relay-enabled agent on your web server. For more information on configuring your own software distribution web servers, see Use a web server to distribute software updates.

Import software updates into Deep Security Manager

The Local Software page (Administration > Updates > Software > Local) lists the software that has been imported into Deep Security.

Software must be imported from the Trend Micro Download Center into Deep Security to make it available to the computers on your network. An alert indicates that the software on a computer is out of date when a more recent version of the agent or appliance software has been imported into Deep Security. The check is made against the local inventory, not against what is available on the Download Center. There is a separate alert for new software on the Download Center.

When imported, software is stored in the Deep Security database. Imported software is periodically replicated to relay-enabled agents.

Manually import software updates

Manually import software updates as they become available on the Download Center.

  1. Go to Administration > Updates > Software.
  2. Check the Trend Micro Download Center section of the page to see whether there are any new software updates available. If no new updates are available, the section will say "All imported software is up to date".
  3. If updates are available, go to Administration > Updates > Software > Download Center, select the packages that you want, and then click Import. You can select multiple packages by pressing Shift+click or Ctrl+click.
    When a green check mark appears in the Imported column, the package has been downloaded into Deep Security Manager. The package will also appear on the Local Software page.
    A popup note indicates when a package cannot be imported directly. For these packages, you must download them from the Trend Micro Download Center website to a local folder, then manually import them on the Administration > Updates > Software > Local page.

Automatically import software updates

You can configure Deep Security Manager to automatically download any updates to software that you've already imported into Deep Security. To enable this feature, go to Administration > System Settings > Updates and select Automatically download updates to imported software.

This setting will download the software to the Deep Security but will not automatically update your agent software.

Delete a software package from the Deep Security database

The Deep Security database must contain a copy of all software currently installed on managed computers. When a Deep Security Agent is first activated, only those protection modules that are "On" in the security policy being applied are installed on the computer. If you turn on a protection module at a later time, Deep Security will retrieve the plug-in for the new security module from the agent software package in the database to install it on the computer. If that software is missing, the security module plug-in cannot be installed.

To save space, Deep Security will periodically remove unused packages from the Deep Security database. There are two types of packages that can be deleted: agent packages and Kernel support packages.

The Deep Security Virtual Appliance relies on the protection module plug-ins found in the 64-bit Red Hat Enterprise Linux Agent software package. If you have an activated Deep Security Virtual Appliance and try to delete a 64-bit Red Hat Enterprise Linux Agent, you will get an error message telling you the software is in use.

Deleting agent packages in single-tenancy mode

In single tenancy mode, Deep Security automatically deletes agent packages (Agent-platform-version.zip) that are not currently being used by agents. The number of old software packages kept in the database is configured on the System Settings > Storage tab. You can also manually delete unused agent packages. If you try to delete software that is being used on one of your managed computers, you will get a warning and be unable to delete the software.

For the Windows and Linux Agent packages, only the in-use package (whose version is the same as the Agent Installer) cannot be deleted.

Deleting agent packages in multi-tenancy mode

In multi-tenancy mode, unused agent packages (Agent-platform-version.zip) are not deleted automatically. For privacy reasons, Deep Security cannot determine whether software is currently in use by your tenants, even though you and your tenants share the same software repository in the Deep Security database. As the primary tenant, Deep Security does not prevent you from deleting software that is not currently running on any of your own account's computers, but before deleting a software package, be very sure that no other tenants are using it.

Deleting Kernel support packages

In both single and multi-tenancy mode, Deep Security automatically deletes unused Kernel support packages (KernelSupport-platform-version.zip). The number of old packages kept in the database is configured on the System Settings > Storage tab. A Kernel support package can be deleted if both of these conditions are true:

  • There is no agent package with the same group identifier.
  • There is another Kernel support package with the same group identifier and a later build number.

You can also manually delete unused Kernel support packages.

For Linux Kernel Support packages, only the latest one cannot be deleted.

Upgrade agents following an alert

When a new agent is available, the following alert appears on the Alerts page:

  1. In the alert, click Show Details and click the link, View all out-of-date computers.
    The Computers page opens with all computers showing a Software Update Status of Out-of-Date.
  2. Follow the instructions for initiating an agent upgrade, below.

Initiate an upgrade

We recommend that you upgrade at time when server demand is low.

The "Computers" section of the Administration > Updates > Software page indicates whether any computers are running agents for which updates are available. The check is only performed against software that has been imported into Deep Security, not against software available from the Download Center. If any computers are out of date, use one of the following methods to upgrade them:

  • To upgrade all out-of-date computers, click the Upgrade Agent / Appliance Software button.
  • To upgrade a specific agent computer or appliance image, go to the Computers page, select the computers that you want to upgrade, and click Actions > Upgrade Agent Software. You will be prompted to select the Agent Version. We recommend that you select the default Use the latest version for platform (X.Y.Z.NNNN). Depending on your preference, select to Upgrade Now or Use a Schedule for Upgrade and specify the time window when the upgrade will be performed. If you choose to use a schedule, the manager will upgrade the agent to the specified version once; it does not continue to upgrade the agent to future versions.
In rare circumstances, the computer may require a reboot to complete the upgrade. If this is the case, an alert will be triggered. To find out right away whether a reboot is required, check the text of the Agent Software Upgraded event to see if the platform installer indicated that a reboot is required. The Reboot Required alert must be dismissed manually, it will not be dismissed automatically.