Deep Security 11.1
Below are the major changes in Deep Security 11.1, which is a feature release (see Feature releases for details about feature release support).
- New RESTful API: Deep Security 11.1 provides a new RESTful API that enables you to automate the provisioning and maintenance of security via Deep Security. Go to the Deep Security Automation Center to download the SDKs in the language of your choice and learn how to use the API.
The focus of the new API, which is continuously updated with new features and improvements, is on improving the functionality that exists in the SOAP API. When you start new automation projects, you should use the new API to benefit from continued support and maintenance in the long term.
The REST and SOAP APIs that were provided before Deep Security 11.1 have not changed. They are still provided and function as usual. Support also has not changed for the older APIs. For details, see Use the Deep Security API to automate tasks.
- Application control hash-based rules: With Deep Security Agent 11.1, application control rules are based on a software file's SHA-256 has value, and not by file name and/or path. This enhancement greatly improves the coverage of each rule and reduces the operational overhead of creating and managing multiple rules for files with the same hash value. For example, if a file with a particular hash executes repeatedly on a machine but with a different file name each time, a single hash-based allow or block rule controls its execution. Previously, rules also evaluated the file name and file path, so a new rule would be needed each time the software was executed. For details, see What does application control detect as a software change? Or, if you are using the Deep Security API to create shared rulesets, see Use the API to create shared and global rulesets .
- Application control simplification: The application control user interface has been simplified by removing the redundant decision log view. For information on how to reverse an application control decision, see View and change application control rulesets.
- Alert improvement: The ‘Relay Update Service Unavailable’ alert has been renamed to ‘A Deep Security Relay cannot download security components’ and now includes a more accurate description and solution.
- Command improvement: The dsa_query, and dsa_control commands now show the agent version and Deep Security protection module information. See Command-line basics for details.
- Smart Protection Server security improvement: The Smart Protection Server CloudFormation Template in AWS now includes an HTTPS URL for the web reputation service. For details, see Deploy a Smart Protection Server in AWS.
- TLS 1.2 change: TLS 1.2 is now the default for all new Deep Security 11.1 deployments. If third-party applications or agents that do not support TLS 1.2 are used you'll need to re-enable TLS 1.0 to allow those applications to connect to Deep Security Manager. For backward compatibility, use of TLS 1.0 will be preserved on upgrades to Deep Security 11.1. See Use TLS 1.2 with Deep Security for details.
- TLS 1.2 command addition: The dsm_c command includes a new -action parameter called settlsprotocol. This parameter allows you to set and view the minimum TLS version accepted by Deep Security Manager. See Command-line basics for details.
- Trend Micro licensing and registration server security improvement: As of Deep Security 11.1, all communication with the Trend Micro licensing and registration server must be secured using HTTPS. This will be the only supported configuration from this release forward. If you currently use HTTP, you must move to HTTPS as soon as possible.
The Deep Security Agent for AIX and Solaris have not been tested for use with this feature release. The AIX and Solaris platforms continue to be fully supported using Deep Security Manager 11.0 and will continue to be supported in the next major release (Deep Security 12.0). If you have AIX and/or Solaris platforms in your deployment, please continue to use Deep Security Manager 11.0.