Update Deep Security software

To ensure maximum protection, keep your Deep Security Agent and Deep Security Virtual Appliance up to date. You can update the agent software that is installed on computers and virtual appliances, and you can update the virtual appliance itself.

Topics in this article:

• How updates are performed
• Determine how to distribute the software updates
• Import software updates into Deep Security Manager
• Upgrade agents following an alert
• Initiate an upgrade
• Select the agent for newly-activated virtual appliances
• Manually upgrade the agent
• Update the Deep Security Virtual Appliance
• Determine the installed appliance version

How updates are performed

Updates are performed as follows:

1. Deep Security Manager periodically connects to Trend Micro update servers to check for available updates for the Deep Security Agent, Deep Security Virtual Appliance,and Deep Security Manager.

   The "Deep Security" section of the Administration > Updates > Software page indicates when the last check was performed, whether it was successful, and enables you to initiate a check for updates. If you have configured a scheduled task to check for updates, the date and time of the next scheduled check is also listed here. (See Schedule Deep Security to perform tasks.)

2. The "Trend Micro Download Center" section of the Administration > Updates > Software page indicates whether there are updates available for any of the software you have already imported into Deep Security Manager. Those are the updates that you're most likely to care about. Deep Security Manager will also generate an alert to let you know that software updates are available.
   Deep Security will only inform you of updates to the minor versions of your imported software. For example, if you have agent version 9.5.100, and Trend Micro releases agent version 9.5.200, Deep Security will tell you that updates to your software are available. However, if Trend Micro then releases agent version 9.6.xxx and you don't have any earlier 9.6 agents in your database inventory, you will not receive a notification that updates are available (even though you have a 9.5.100 agent).

   You can also check the Administration > Updates > Software > Download Center page to see all software packages that are available.

3. You import the software updates that you require into Deep Security Manager. This can be done manually or automatically. (See Import software updates into Deep Security Manager .)
4. The software updates are replicated to your relays or web server.
5. You upgrade your agents. (See Initiate an upgrade or Upgrade agents following an alert. In rare circumstances, you may need to perform manual upgrades. See Manually upgrade the agent.)
6. You update your virtual appliances. (See Update the Deep Security Virtual Appliance.)

Determine how to distribute the software updates

Deep Security software updates are normally hosted and distributed by relay-enabled agents. Relays update your agents more quickly, reduce manager load, and save internet connection or WAN bandwidth. For information on how to set up relays, see Configure relays.

Alternatively, if you already have a web server, you can provide software updates via the web server instead of a relay-enabled agent. To do this, you must mirror the software repository of the relay-enabled agent on your web server. For more information on configuring your own software distribution web servers, see Use a web server to distribute software updates.

Import software updates into Deep Security Manager

The Local Software page (Administration > Updates > Software > Local) lists the software that has been imported into Deep Security.

Software must be imported from the Trend Micro Download Center into Deep Security to make it available to the computers on your network. An alert indicates that the software on a computer is out of date when a more recent version of the agent or appliance software has been imported into Deep Security. The check is made against the local inventory, not against what is available on the Download Center. There is a separate alert for new software on the Download Center.

When imported, software is stored in the Deep Security database. Imported software is periodically replicated to relay-enabled agents.

Manually import software updates

Manually import software updates as they become available on the Download Center.

The Deep Security Virtual Appliance uses a Red Hat Enterprise Linux (64 bit) Agent package. For information about which updates are compatible with your appliances, see Update the Deep Security Virtual Appliance.

1. Go to Administration > Updates > Software.
2. Check the Trend Micro Download Center section of the page to see whether there are any new software updates available. If no new updates are available, the section will say "All imported software is up to date".
3. If updates are available, go to Administration > Updates > Software > Download Center, select the packages that you want, and then click Import. You can select multiple packages by pressing Shift+click or Ctrl+click.
   When a green check mark appears in the Imported column, the package has been downloaded into Deep Security Manager. The package will also appear on the Local Software page.
   A popup note indicates when a package cannot be imported directly. For these packages, you must download them from the Trend Micro Download Center website to a local folder, then manually import them on the Administration > Updates > Software > Local page.

Automatically import software updates

You can configure Deep Security Manager to automatically download any updates to software that you've already imported into Deep Security. To enable this feature, go to Administration > System Settings > Updates and select Automatically download updates to imported software.

This setting will download the software to the Deep Security but will not automatically update your agent or appliance software.

Delete a software package from the Deep Security database

The Deep Security database must contain a copy of all software currently installed on managed computers. When a Deep Security Agent is first activated, only those protection modules that are "On" in the security policy being applied are installed on the computer. If you turn on a protection module at a later time, Deep Security will retrieve the plug-in for the new security module from the agent software package in the database to install it on the computer. If that software is missing, the security module plug-in cannot be installed.

To save space, Deep Security will periodically remove unused packages from the Deep Security database. There are two types of packages that can be deleted: agent packages and Kernel support packages.

Deleting agent packages in single-tenancy mode

In single tenancy mode, Deep Security automatically deletes agent packages (Agent-platform-version.zip) that are not currently being used by agents. The number of old software packages kept in the database is configured on the System Settings > Storage tab. You can also manually delete unused agent packages. If you try to delete software that is being used on one of your managed computers, you will get a warning and be unable to delete the software.

Deleting agent packages in multi-tenancy mode

In multi-tenancy mode, unused agent packages (Agent-platform-version.zip) are not deleted automatically. For privacy reasons, Deep Security cannot determine whether software is currently in use by your tenants, even though you and your tenants share the same software repository in the Deep Security database. As the primary tenant, Deep Security does not prevent you from deleting software that is not currently running on any of your own account's computers, but before deleting a software package, be very sure that no other tenants are using it.

Deleting Kernel support packages

In both single and multi-tenancy mode, Deep Security automatically deletes unused Kernel support packages (KernelSupport-platform-version.zip). The number of old packages kept in the database is configured on the System Settings > Storage tab. A Kernel support package can be deleted if both of these conditions are true:

• There is no agent package with the same group identifier.
• There is another Kernel support package with the same group identifier and a later build number.

You can also manually delete unused Kernel support packages.

Upgrade agents following an alert

When a new agent is available, the following alert appears on the Alerts page:

1. In the alert, click Show Details and click the link, View all out-of-date computers.
   The Computers page opens with all computers showing a Software Update Status of Out-of-Date.
2. Follow the instructions for initiating an agent upgrade, below.

Initiate an upgrade

We recommend that you upgrade at time when server demand is low.

The "Computers" section of the Administration > Updates > Software page indicates whether any computers or virtual appliances are running agents for which updates are available. The check is only performed against software that has been imported into Deep Security, not against software available from the Download Center. If any computers are out of date, use one of the following methods to upgrade them:

• To upgrade all out-of-date computers, click the Upgrade Agent / Appliance Software button.
• To upgrade a specific agent computer or appliance image, go to the Computers page, select the computers that you want to upgrade, and click Actions > Upgrade Agent Software. You will be prompted to select the Agent Version. We recommend that you select the default Use the latest version for platform (X.Y.Z.NNNN). Depending on your preference, select to Upgrade Now or Use a Schedule for Upgrade and specify the time window when the upgrade will be performed. If you choose to use a schedule, the manager will upgrade the agent to the specified version once; it does not continue to upgrade the agent to future versions.

Select the agent for newly-activated virtual appliances

The Deep Security Virtual Appliance uses the protection module plug-in software packages from an agent for 64-bit Red Hat Enterprise Linux. Use the Virtual Appliance Deployment option to select the version of the Red Hat Enterprise Linux Agent software that is deployed to any newly activated virtual appliances.

Different versions of the virtual appliance software are compatible with different versions of RedHat. Therefore, the virtual appliance software that has been imported into Deep Security Manager determines which versions of the agent software appear in the list:

• Appliance-ESX-10.2.0.340.x86_64.zip: Only the versions of agent for RedHat 7 appear.
• Appliance-ESX-9.5.2-2022.x86_64.zip: Only the versions of agent for RedHat 6 appear.
• Both appliance versions: Only the versions of agent for RedHat 7 appear.

When the default item of Latest Available (Recommended) is selected, the software used is the latest version of imported agent software that is compatible with the latest version of the appliance software that is imported.

Versions of the agent software that pre-date the imported appliance do not appear in the list.

Manually upgrade the agent

The occasion may arise where you are not able to upgrade the agent software from the Deep Security Manager because of connectivity restrictions between the manager computer and the agent computer. In such cases, upgrading the agent software on a computer has to be performed manually.

First, you will need to obtain the new agent software. You can go to the Trend Micro Download Center and download the agent software package, or you can download it through the Deep Security Manager and then export it, as described in this procedure:

1. In the Deep Security Manager, go to Administration > Updates > Software Updates.
2. Make sure the most recent Deep Security agents have been downloaded to the Deep Security Manager from Trend Micro Download Center.
3. On the Software Updates tab, click View Imported Software.
4. Select the required agent software and click Export in the menu bar.
5. Specify the location to which you want to export the agent software.

Next, you will need run the installer. The way you do this varies by operating system:

Windows

1. Disable agent self-protection. To do this, on the Deep Security Manager, go to Computer editorTo open the Computer editor, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Settings > General. In Agent Self Protection, and then either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.
2. Copy the agent installer to the computer.
3. Run the agent installer. It will detect the previous agent and perform the upgrade.

Linux

1. Copy the agent installer to the computer.
2. Run the following command:
   
   rpm -U <new agent installer rpm>

(The "-U" argument instructs the installer to perform an upgrade.)

Solaris

1. Copy the agent installer to the computer.
2. Unzip the package using gunzip.
3. Run the following command:
   pkgadd -v -a /opt/ds_agent/ds_agent.admin -d <new agent package>

Update the Deep Security Virtual Appliance

Trend Micro provides updates for the Deep Security Virtual Appliance to protect against new vulnerabilities in its operating system.

To update the Deep Security Virtual Appliance, you must upgrade the Deep Security Agent that is embedded on the Deep Security Virtual Appliance, and also apply a patch to the appliance, if one is available. The two tasks (upgrading and patching) must be done together.

For example, you can upgrade from...

9.5 Deep Security Virtual Appliance + 9.5 Deep Security Agent

to...

9.5 Deep Security Virtual Appliance + 10.2 Deep Security Agent + 9.5 appliance patch

To upgrade Deep Security Virtual Appliance itself from 9.5 to 10.2 (not just the embedded agent), you must remove the appliance completely and then re-deploy it. For uninstallation instructions, see Uninstall Deep Security from your NSX environment. For deployment instructions, see Deploy the Deep Security Virtual Appliance with NSX Advanced or Enterprise.

To upgrade the agent on the appliance, and apply a patch at the same time:

1. Determine the installed appliance version. You'll need this information to complete the remaining steps in this procedure.
2. Import appliance patches, if they exist (failure to do so generates system event 740 to indicate that the patch was not imported):
   1. Log in to Deep Security Manager.
   2. On the left, expand Updates > Software > Download Center.
   3. In the main pane, enter Agent-DSVA in the search bar on the top-right and press Enter.
      One or more patches appear with the name Agent-DSVA-CentOS<version>-<patch-version>-<date>.x86_64.zip.
   4. Select a patch that is compatible with your Deep Security Virtual Appliance. Consult the compatibility table that follows for guidance. If you don't see a compatible patch, it's because it doesn't exist, and no patch needs to be installed.
   5. Click the button in the Import Now column to import the patch into Deep Security Manager.
   6. On the left, click Local Software to verify that the patch was imported successfully.
   7. Repeat for any additional patches.
3. Import the compatible agent:
   1. Still in Deep Security Manager, on the left, expand Updates > Software > Download Center.
   2. Select the agent software that is compatible with your Deep Security Virtual Appliance. Consult the compatibility table that follows for guidance.
   3. Click the button in the Import Now column to import the agent into Deep Security Manager.
   4. On the left, click Local Software to verify that the agent was imported successfully.

   You have now imported the patches and Deep Security Agent that are compatible with your appliance version. You are ready to upgrade the agent on the appliance and apply the patches.

4. Upgrade the agent on the appliance and apply the patches:
   1. Click Computers and double-click your appliance computer.
   2. Click Actions > Upgrade Appliance.
   3. Select the agent version to install on the appliance. This is the agent you just imported.
   4. Click OK.
5. Click Events & Reports and search on 710 to find the report about the installation of the update file.

You have now upgraded the agent on the appliance and installed one or more patches (if they existed).

If you upgraded the Deep Security Agent before importing the patch for the Deep Security Virtual Appliance, you will see system event 740. To fix this problem, use the following procedure.

1. Import the appliance patches for the version of the appliance that you are updating. See above in this section for instructions. The appliance patches appear on the Local Software page in Deep Security Manager.
2. Go to the Computers page.
3. Right-click the virtual machine where you want to update the appliance and click Send Policy. The appliance downloads and installs the patches.

If the appliance fails to download the patches, it could be that the relay hasn’t received the patch files yet. Wait until the relay receives the files and then click Send Policy. For information on relays, see Configure relays.

Compatibility table: appliance, agent, and patch

Appliance version	Image OS	Compatible agent software	Compatible appliance patch (if it exists)
Appliance-ESX-9.5.2.2022	CentOS 6.4	Agent-RedHat_EL6-<version>.x86_64.zip	Agent-DSVA_CENTOS6.4-<patch-version>-<date-stamp>.x86_64.zip
Appliance-ESX-10.2.0.340	CentOS 7	Agent-RedHat_EL7-<version>.x86_64.zip	Agent-DSVA_CENTOS7.0-<patch-version>-<date-stamp>.x86_64.zip

Determine the installed appliance version

See the version of the appliance that is installed to determine whether you need to install the latest update. The computer details provides information about the installed appliance software (click Computers, select the virtual machine and click Details > General):

• The Virtual Appliance Version property indicates the version of the Deep Security Agent that is deployed on the appliance's OS.
• The Appliance OS Version property indicates the version of the Deep Security Virtual Appliance that is installed.