Deep Security 10.2 has reached end of support.
Get and distribute security updates
You must keep your Deep Security deployment up to date with the security updates that Deep Security uses to identify potential threats.
There are two types of security updates:
- Pattern Updates are used by the anti-malware module.
- Rule Updates are used by these modules:
  - Firewall
  - Intrusion Prevention
  - Integrity Monitoring
  - Log Inspection
Trend Micro releases new rule updates every Tuesday, with additional updates as new threats are discovered. You can get information about the latest updates from the Trend Micro Threat Encyclopedia.
To configure security updates, you will need to:
- Configure a security update source and settings
- Organize your relay-enabled agents into relay groups, assign relay groups to your agents and appliances, and configure relay settings for security and software updates. (See Configure relays.)
- Perform security updates
- Special case: configure updates on a relay-enabled agent in an air-gapped environment
At any time, you can Check your security update status
Configure a security update source and settings
- Go to Administration > System Settings > Updates.
- Set your Primary Security Update Source. By default this will be the Trend Micro Update Server accessed over the internet. Unless your support provider has told you to do otherwise, leave the setting as is. If you were given an alternative source for updates, enter the URL, including "http://" or "https://" in the Other update source box.
- Normally, agents connect to a relay-enabled agent to get security updates. If you have agents installed on roaming computers that are not always in contact with a Deep Security Manager or relay, select Allow Agents/Appliances to download Pattern updates directly from Primary Security Update Source if Relays are not accessible so that those agents fall back to the update source configured in the previous step whenever their relay group is unavailable.
- Normally, the Deep Security Manager instructs agents or appliances to download pattern updates. When Allow Agents/Appliances to download Pattern updates when Deep Security Manager is not accessible is selected, even though an agent cannot communicate with the Deep Security Manager, it will continue to download updates from its configured source.
You may want to deselect this option on computers where you do not want to risk a potentially problematic security update when the computer is not in contact with a manager and therefore possibly far away from any support services.
- Trend Micro will occasionally issue an update to an existing Deep Security rule. The Automatically apply Rule Updates to Policies setting determines whether updated rules are automatically applied to Deep Security policies. If this option is not selected, you must manually apply downloaded rule updates to policies from the Administration > Updates > Security page by clicking Apply Rules to Policies.
Updates to existing rules are either improvements to the efficiency of the rule or bug fixes. So although it is a good idea to test new rules (either in detect-only mode or in a test environment) before deploying them to a production environment, automatically applying updates to existing rules is usually a safe option.
By default, changes to policies are automatically applied to computers. You can change this behavior for a policy or for a specific computer: open the Computer or Policy editor (on the Policies page, double-click the policy, or select it and click Details; on the Computers page, double-click the computer, or select it and click Details), go to Settings > General, and change the Automatically send Policy changes to computers setting in the Send Policy Changes Immediately area.
- You can configure the amount of time that may pass between an instruction to perform a security update being sent and the instruction being carried out before an alert is raised. Click Administration > System Settings > Alerts and change the value for Length of time an Update can be pending before raising an Alert.
Perform security updates
The recommended way to check for security updates is to set up a "Check for Security Updates" scheduled task that performs a check on a regular basis. For details, see Schedule Deep Security to perform tasks.
You can also manually initiate security updates:
- To perform security updates on specific agents and appliances, select the agent or appliance from the list of computers on the Computers page, then right-click and select Actions > Download Security Update.
Special case: configure updates on a relay-enabled agent in an air-gapped environment
In a typical environment, at least one relay-enabled agent is configured and able to download updates from the Trend Micro Update Server and the rest of the agents and appliances connect to that relay-enabled agent for update distribution.
However, if your environment requires that the relay-enabled agent cannot connect either to a relay-enabled agent in a higher-level relay group or to an update server over the internet, there is an alternative method: import a package of updates to the relay-enabled agent, which then distributes them to the other Deep Security software components.
You can use a relay-enabled agent that is able to download the latest updates from the Trend Micro Update Server to generate an exportable package of security updates and then import the package to another air-gapped relay-enabled agent.
- To create a security updates package, from the command line on the relay-enabled agent, enter:
dsa_control -b
The command line output will show the name and location of the .zip file that was generated.
- Copy the .zip file generated by the command-line to the installation directory of the relay-enabled agent in the offline environment. (On Windows the default directory is "C:\Program Files\Trend Micro\Deep Security Agent". On Linux the default directory is "/opt/ds_agent".)
When a security update download is initiated from the Deep Security Manager (either scheduled or manual), if any relay-enabled agent is unable to get the update from the configured update source location, it will automatically check for the presence of a relay updates .zip file in its installation directory. If it finds the zipped updates package, the relay-enabled agent will extract and import the updates.
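The hand-off described in the steps above, as an added example that is not part of the Deep Security documentation or product: a small POSIX shell helper that records the bundle's SHA-256 on the connected relay, carries that manifest across with the .zip on the removable media, and refuses to stage the bundle in the offline relay's installation directory unless the hash still matches. It assumes dsa_control is on PATH on the connected relay and that the output of "dsa_control -b" names the generated .zip (the page says it shows the name and location, but not the exact wording, so the extractor only looks for a token ending in ".zip"); the manifest format, the function names and the sample output are this example's own.

```shell
#!/bin/sh
# Added example (not Trend Micro's code): move a relay update bundle across
# an air gap with an integrity check before it is staged for import.
# Assumptions: dsa_control is on PATH on the connected relay; its -b output
# mentions the generated .zip path; sha256sum is available on both sides.

# Extract the last ".zip" token from "dsa_control -b" output read on stdin.
# The real output wording is not documented here, so this is deliberately
# loose: it only needs a whitespace-delimited path ending in .zip.
bundle_path_from_output() {
    grep -o '[^[:space:]]*\.zip' | tail -n 1
}

# Side A (connected relay): generate the bundle and print its path.
# Fails if dsa_control itself fails, rather than silently printing nothing.
export_bundle() {
    out=$(dsa_control -b) || return 1
    printf '%s\n' "$out" | bundle_path_from_output
}

# Side A: write "<sha256>  <basename>" next to the bundle so the expected
# hash travels with it on the removable media. Prints the manifest path.
write_manifest() {
    bundle="$1"
    sum=$(sha256sum "$bundle" | cut -d' ' -f1) || return 1
    printf '%s  %s\n' "$sum" "$(basename "$bundle")" > "$bundle.sha256"
    echo "$bundle.sha256"
}

# Side B (air-gapped relay): verify the bundle against the manifest, then
# copy it into the agent installation directory, where the relay checks
# for it on the next (scheduled or manual) update attempt. Prints the
# staged path; a mismatch leaves the install directory untouched.
stage_bundle() {
    bundle="$1"; manifest="$2"; install_dir="${3:-/opt/ds_agent}"
    expected=$(cut -d' ' -f1 "$manifest") || return 1
    actual=$(sha256sum "$bundle" | cut -d' ' -f1) || return 1
    if [ "$expected" != "$actual" ]; then
        echo "refusing $bundle: sha256 $actual does not match manifest $expected" >&2
        return 1
    fi
    cp "$bundle" "$install_dir/" || return 1
    echo "$install_dir/$(basename "$bundle")"
}

# Typical use:
#   connected relay:  z=$(export_bundle) && write_manifest "$z"
#   offline relay:    stage_bundle /media/usb/updates.zip /media/usb/updates.zip.sha256
```

The hash check matters because the removable media is the one path into the air-gapped network that no relay or manager verifies for you; staging only after the manifest matches keeps a corrupted or substituted archive out of the directory the relay will import from.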
Configure an update source for an air-gapped relay-enabled agent
Relays periodically try to connect to another relay or Trend Micro Active Update server to request new updates. If your relays are usually disconnected from the internet ("air-gapped") and therefore can't connect to Trend Micro Active Update, the update attempt will fail. To avoid alerts about update failures, you can configure the relay to connect to itself.
- In the Deep Security Manager, go to Administration > System Settings > Updates > Primary Security Update Source.
- In the Security Updates area, select Other Update Source and enter "https://localhost:[port]" where [port] is the configured port number for security updates.
- Click OK.
Check your security update status
The Security Updates Overview page (Administration > Updates > Security) displays the state of your security updates:
- Trend Micro Update Server: Indicates whether relays can connect to the Trend Micro Update Server to check for the latest security updates.
- Deep Security: Indicates when the last successful check and download were performed, and when the next scheduled check will be performed.
  - All Relays are in sync indicates that all relays are distributing the latest successfully downloaded pattern updates. Relays that are out of sync are usually in that state because they cannot communicate with the Trend Micro Update Servers, either because they are intentionally "air-gapped" and need to be manually updated or because of network connectivity problems. If any relays are out of sync, a link to those relays is provided.
- Computers: Indicates whether any computers are out of date with respect to the Pattern Updates being stored in the Relays. You can click Send Patterns to Computers to instruct all computers to retrieve the latest pattern updates from their assigned relays.
See details about pattern updates
The Administration > Updates > Security > Patterns page displays a list of the components that make up a pattern update. This page is displayed only when Deep Security has an active relay.
- Component: The type of update component.
- Product Name: The Deep Security product this component is intended for.
- Platform: The operating system for which the update is intended.
- Current Version: The version of the component within the Update currently downloaded from Trend Micro to Deep Security and being distributed by the relays and the Deep Security Manager.
- Last Updated: When the currently downloaded security update was retrieved from Trend Micro.
See details about rule updates
The Administration > Updates > Security > Rules page displays a list of the most recent Intrusion Prevention, Integrity Monitoring, and Log Inspection Rules that have been downloaded to the Deep Security Manager database.
From this page, you can:
- View details about a rule update: Select a rule update and click View to see details, including a list of the specific rules included in the update.
- Roll back a rule update: If a recent rule update has caused problems in your environment, you may want to roll back to a previous rule update. If you roll back to a previous update, all policies affected by the rollback will be immediately updated on all computers using those policies. Select the rule update that you want to roll back to and click Rollback. Deep Security Manager generates a summary of changes that will take place so that you can confirm the changes before finalizing the rollback.
- Reapply the current rule set: The rule update currently in effect is marked as applied in the list. To reapply that rule update to the computers being protected by Deep Security, right-click the rule update and click Reapply.
- Import a rule update: Rule updates are automatically imported into Deep Security during the "Check for Security Updates" scheduled task, or when you click Check for Updates and Download on the Administration > Updates > Security page. The only time you might have to manually import a rule update is if your installation has no connectivity to the Trend Micro Update Servers or if you are asked to do so by your support provider.
- Export a rule update: Under normal circumstances you should not have to export a rule update unless asked to do so by your support provider.
- Delete a rule update: Click Delete to remove the selected rule update from the Deep Security Manager database.
You can configure the number of rule updates that are kept in the Deep Security Manager database by going to the Administration > System Settings > Storage tab.
If the relay functionality is enabled for a computer, the Computer editor > Security Updates page displays the components that the relay is currently distributing to the agents and appliances that rely on it for security updates. If the anti-malware module is enabled for a computer, the security updates page also displays the set of patterns that are in effect locally on this computer. From this page, you can also download or roll back security updates.