Manually install the Deep Security Agent

For easier agent installation and activation, use a deployment script instead. For more information, see Use deployment scripts to add and protect computers.

Before installing the Deep Security Agent, you must:

After installation, the agent must be activated before it can protect its computer or be converted into a relay. See Activate the agent.

In this topic:

Install a Windows agent

  1. Copy the installer file to the computer.
  2. Double-click the installation file (.MSI file) to run the installer package.

    On Windows Server 2012 R2 Server Core, launch the installer using this command instead: msiexec /i Agent-Core-Windows-11.0.x-xxxx.x86_64.msi
  3. At the Welcome screen, click Next to begin the installation.
  4. End-User License Agreement: If you agree to the terms of the license agreement, select I accept the terms of the license agreement and click Next.
  5. Destination Folder: Select the location where you would like Deep Security Agent to be installed and click Next.
  6. Ready to install Trend Micro Deep Security Agent: Click Install to proceed with the installation.
  7. Completed: when the installation has completed successfully, click Finish.

The Deep Security Agent is now installed and running on this computer, and will start every time the machine boots.

When installing the agent on Windows 2012 Server Core, the notifier will not be included.
During an install, network interfaces will be suspended for a few seconds before being restored. If you are using DHCP, a new request will be generated, potentially resulting in a new IP address for the restored connection.

Installation on Amazon WorkSpaces

  • If you are unable to install Deep Security Agent .msi file due to error code ‘2503’ then you must do one of the following:
    • Edit your C:\Windows\Temp folder and allow the write permission for your user
    • Open the command prompt as an administrator and run the .msi file

Amazon has fixed this issue for newly-deployed Amazon WorkSpaces.

Installation on Windows 2012 Server Core

  • Deep Security does not support switching the Windows 2012 server mode between Server Core and Full (GUI) modes after the Deep Security Agent is installed.
  • If you are using Server Core mode in a Hyper-V environment, you will need to use Hyper-V Manager to remotely manage the Server Core computer from another computer. When the Server Core computer has the Deep Security Agent installed and Firewall enabled, the Firewall will block the remote management connection. To manage the Server Core computer remotely, turn off the Firewall module.
  • Hyper-V provides a migration function used to move a guest VM from one Hyper-V server to another. The Deep Security Firewall module will block the connection between Hyper-V servers, so you will need to turn off the Firewall module to use the migration function.

Install a Red Hat, SUSE, Oracle Linux, or Cloud Linux agent

  1. Copy the installer file to the computer.
  2. Install the agent.

    # sudo rpm -i <package name>

    Preparing... ########################################## [100%]

    1:ds_agent ########################################## [100%]

    Loading ds_filter_im module version ELx.x [ OK ]

    Starting ds_agent: [ OK ]

    To upgrade from a previous install, use "rpm -U" instead. This will preserve your profile settings.

    The Deep Security Agent will start automatically upon installation.

Install an Ubuntu or Debian agent

  1. Go to Administration > Updates > Software > Download Center.
  2. Import the agent package into Deep Security Manager.
  3. , and then export the installer (.deb file).
  4. Copy the installer file to the computer.
  5. Install the agent.

    sudo dpkg -i <installer file>

To start, stop, or reset the agent:

Using SysV init scripts:

  • Start: : /etc/init.d/ds_agent start
  • Stop: /etc/init.d/ds_agent stop
  • Reset: /etc/init.d/ds_agent reset
  • Restart: /etc/init.d/ds_agent restart
  • Display status: svcs -a | grep ds_agent

Using systemd commands:

  • Start: systemctl start ds_agent
  • Stop: systemctl stop ds_agent
  • Restart: systemctl restart ds_agent
  • Display status: systemctl status ds_agent

Install a Solaris agent

The Deep Security Agent installation is only supported in the global zone and the kernel zone. Installation in non-global zones is not supported. See How does agent protection work for Solaris zones? for more information on how Deep Security features work between zones.

For easier agent installation and activation, use a deployment script instead. For more information, see Use deployment scripts to add and protect computers.

Solaris requires the following libraries to be installed to support Deep Security Agent:

  • Solaris 10: SUNWgccruntime
  • Solaris 11.0 - 11.3: gcc-45-runtime
  • Solaris 11.4: none; gcc-c-runtime version 7.3 is installed by default
  1. Import the agent installer package to the manager and then export it. If multiple agents are available for your platform, choose the latest one. If you're not sure which agent package to pick, review the mapping table below.
  2. Unzip the ZIP file.
  3. Unzip the GZ file:

    gunzip <agent_GZ_file>

    The agent installer file (P5P or PKG) is now available.

  4. Install the agent. Method varies by version and zones. File name varies by SPARC vs. x86.
    • Solaris 11, one zone (run in the global zone):  

      x86: pkg install -g file:///mnt/Agent-Solaris_5.11-xx.x.x-xxx.x86_64/Agent-Core-Solaris_5.11-xx.x.x-xxx.x86_64.p5p pkg:/security/ds-agent

      SPARC: pkg install -g file:///mnt/Agent-Solaris_5.11-xx.x.x-xxx.sparc/Agent-Core-Solaris_5.11-xx.x.x-xxx.sparc.p5p pkg:/security/ds-agent

    • Solaris 11, multiple zones (run in the global zone):

      mkdir <path>

      pkgrepo create <path>

      pkgrecv -s file://<path_to_agent_p5p_file> -d <path> '*'

      pkg set-publisher -g <path> trendmicro

      pkg install pkg://trendmicro/security/ds-agent

      pkg unset-publisher trendmicro

      rm -rf <path>

    • Solaris 10:

      x86: pkgadd -G -d Agent-Core-Solaris_5.10_Ux-xx.x.x-xxx.x86_64.pkg 

      SPARC: pkgadd -G -d Agent-Core-Solaris_5.10_Ux-xx.x.x-xxx.sparc.pkg

Solaris-version-to-agent-package mapping table

If you're installing the agent on... Use this agent package... Help Center option
Solaris 10 Updates 4-6 (64-bit, SPARC or x86)



Solaris 10 Updates 7-11 (64-bit, SPARC or x86)


Solaris 11.0 (1111)-11.3 (64-bit, SPARC or x86)


Solaris 11.4 (64-bit, SPARC or x86) Agent-Solaris_5.11_U4-xx.x.x-xxx.<sparc|.x86_64>.zip Solaris_5.11_U4


  • The Help Center option column shows you which option to select from the Agent drop-down list on the Help Center's 'Deep Security Software' page, if that's how you've chosen to obtain the package.
  • is the build number of the agent. For example: 11.0.0-1075
  • <sparc|.x86_64> is one of sparc or .x86_64, depending on the Solaris processor.

To start, stop, or reset the agent:

  • Start: svcadm enable ds_agent
  • Stop: svcadm disable ds_agent
  • Reset: /opt/ds_agent/dsa_control -r
  • Restart: svcadm restart ds_agent
  • Display status: svcs -a | grep ds_agent

To uninstall the agent on Solaris 11:

pkg uninstall pkg:/security/ds-agent

To uninstall the agent on Solaris 10:

pkgrm -v ds-agent

Install an AIX agent

  1. Log in as Root.
  2. Copy the installer file to the computer.
  3. Copy the package to a temporary folder such as /tmp.
  4. Unzip the installer package.

    /tmp> gunzip <installer package>

  5. Install the agent.

    /tmp> installp -a -d /tmp/Agent-AIX_x.x-x.x.x-xxxx.powerpc.bff ds_agent

To start, stop, load, or unload the driver for the agent:

  • Start: startsrc -s ds_agent
  • Stop: stopsrc -s ds_agent
  • Load the driver: /opt/ds_agent/ds_fctrl load
  • Unload the driver: /opt/ds_agent/ds_fctrl unload

Install the agent on a Microsoft Azure VM

To start Deep Security protecting your Microsoft Azure virtual machines, you need to deploy Deep Security Agents to them. You can do this in multiple ways:

Generate and run a deployment script

You can generate Deep Security deployment scripts for automatically deploying agents using deployment tools such as RightScale, Chef, Puppet, and SSH.

For more information on how to do so, see Use deployment scripts to add and protect computers.

Add a custom script extension to an existing virtual machine

You can also add a custom script extension to an existing virtual machine to deploy and activate the Deep Security Agent. To do this, navigate to your existing virtual machine in the Azure management portal and follow the steps below to upload and execute the deployment script on your Azure VM.

  1. Log in to the Azure portal.
  2. Switch to the preview portal, and then click the virtual machine that you want to add the custom script to.
  3. In the Settings blade, click Extensions, in the Extensions blade, click Add extension, in the New Resource blade, select Custom Script, and then click Create.
  4. In the Add Extension blade under Script File (required), click upload, select the saved .ps1 deployment script, and then click OK.

Upload custom script to Azure