Upgrade the Deep Security Virtual Appliance

Trend Micro provides updates for the Deep Security Virtual Appliance to protect against new vulnerabilities in its operating system.

You have two upgrade options:

See also Upgrade the NSX license to Advanced or Enterprise.

Replace an existing virtual appliance

If you have an older version of the Deep Security Virtual Appliance, Trend Micro recommends that you replace it with the newest version to take advantage of the latest security patches, updates and ongoing support. To replace the Deep Security Virtual Appliance, follow these steps:

Step 1: Import the new virtual appliance packages into the manager

  1. On your Deep Security Manager computer, go to the software page at https://help.deepsecurity.trendmicro.com/software.html.
  2. Download the latest Deep Security Virtual Appliance package to your computer.
  3. On Deep Security Manager, go to Administration > Updates > Software > Local.
  4. Click Import and upload the package to Deep Security Manager.

    When you import the appliance, Deep Security Manager automatically downloads Deep Security Agent software that is compatible with the operating system of the appliance's virtual machine. This agent software appears under Administration > Updates > Software > Local. When you deploy the appliance, the agent software is also deployed.

    It is acceptable to have multiple versions of the Deep Security Virtual Appliance appear under Local Software. The newest version is always selected when you deploy a new Deep Security Virtual Appliance.

  5. Optionally, for guest VMs that run Microsoft Windows, you can also download the Deep Security Notifier. The notifier is a component that displays messages for Deep Security system events in the system tray. For details, see Install the Deep Security Notifier.

Step 2: Review or restore identified files

  1. Review or restore identified files as necessary because quarantined files will be lost when you move your VMs or delete the Deep Security Virtual Appliance.
  2. There is no need to shut down the guest VMs while replacing the virtual appliance.

Step 3: Migrate guest VMs to another ESXi host

If you only have one ESXi host, we assume you will leave your guest VMs in place under the same ESXi server (no migration), and skip directly to Step 4: Replace your old virtual appliance. Note that the unmigrated guest VMs lose protection in the span of time between deleting the old Deep Security Virtual Appliance (described in detail below) and redeploying the new one.

For brevity, this procedure uses these terms:

  • ESXi_A is the ESXi server with the virtual appliance that you want to replace.
  • ESXi_B is the ESXi server where guest VMs are migrated to while the virtual appliance replacement occurs. We assume it is under the same cluster as ESXi_A.

  1. Enable DRS for the cluster and make sure it has an automation level of Fully Automated. See this VMware article for details.
  2. Find ESXi_A and place this ESXi server in maintenance mode.

    When you enter maintenance mode:

    • ESXi_A's guest VMs are migrated automatically (using vMotion) to ESXi_B in your cluster.
    • The Deep Security Virtual Appliance that is protecting ESXi_A is shut down automatically.
    • Your guest VM's can no longer be powered on until the ESXi is out of maintenance mode.

Step 4: Replace your old virtual appliance

  1. Go to VMware vSphere Web Client > Hosts and Clusters.
  2. Find the Deep Security Virtual Appliance that is powered off. It's the one without a green arrow (shown in the following image). The virtual appliance was automatically powered off when you put the corresponding ESXi server into maintenance mode
  3. Right-click the Deep Security Virtual Appliance that is powered off and select Delete from Disk.

  4. If you see a Confirm Delete message, click Yes.

  5. If the deletion fails with this message...

    This operation not allowed in the current state

    Do this:

    1. Right-click the Deep Security Virtual Appliance again, and this time select Remove from Inventory (which appears just above Delete from Disk). This removes the virtual appliance from vCenter but preserves it in the datastore.
    2. In the navigation pane, select the datastore tab and select the datastore where the old virtual appliance resides.
    3. In the main pane, select the Files tab.
    4. Right-click the old virtual appliance folder and select Delete File.

  6. In VMware vSphere Web Client, go to Home > Networking and Security > Installation > Service Deployments.

    You see the following:

    • The deleted Deep Security Virtual Appliance Installation Status column shows Failed.
    • If you are in maintenance mode, the Guest Introspection service also shows as Failed.

  7. Click the Resolve button on the Guest Introspection service if its Installation Status is Failed.

    The Guest Introspection service is powered on and maintenance mode is exited.

    Check that the Failed status changes to Enabling and then to Succeeded.

  8. Click the Resolve button on the Trend Micro Deep Security virtual appliance that is Failed.

    The following occurs:

    • The Deep Security Virtual Appliance is redeployed with the latest software that you loaded into Deep Security Manager.
    • The compatible Deep Security Agent is also installed on the Deep Security Virtual Appliance.
    • The Deep Security Virtual Appliance is activated.

    Check that the Failed status changes to Enabling and then to Succeeded.

Step 5: Check that maintenance mode was turned off

Step 6: Check that the new virtual appliance is activated

  1. In Deep Security Manager, at the top, click Computers.
  2. Find the Deep Security Virtual Appliance in the list and double-click it.
  3. Check the following:
    1. Check that the status is set to Managed (Online). This indicates that the agent was successfully activated.
    2. Check that the Virtual Appliance Version is set to the version of the embedded Deep Security Agent. This version should match the version of the agent found under Administration > Updates > Software > Local.
    3. Check that the Appliance OS Version is set to the version of the Deep Security Virtual Appliance that you just deployed.

You have now replaced your old virtual appliance with a new one.

Step 7: Final step

  1. Repeat all the steps in this section, starting at Step 2: Review or restore identified files and ending at Step 6: Check that the new virtual appliance is activated for each virtual appliance that needs to be replaced.

Guest VMs are activated according to how you set up activation when you deployed your old Deep Security Virtual Appliance.

Update your existing virtual appliance

Although Trend Micro recommends that you replace your virtual appliance with the latest version, we understand that this might not be possible. In such a case, you can update the virtual appliance's underlying components without redeploying it.

There are two tasks involved in an update, and one or both may be required depending on what you have installed:

  • Update the virtual appliance's OS
  • Update the agent that's embedded on the appliance

Follow these instructions to complete the update.

  1. Determine the installed appliance version. You'll need this information to complete the remaining steps in this procedure.
  2. Import appliance patches, if they exist (failure to do so generates system event 740 to indicate that the patch was not imported):
    1. Log in to Deep Security Manager.
    2. On the left, expand Updates > Software > Download Center.
    3. In the main pane, enter Agent-DSVA in the search bar on the top-right and press Enter.
      One or more patches appear with the name Agent-DSVA-CentOS<version>-<patch-version>-<date>.x86_64.zip.
    4. Select a patch that is compatible with your Deep Security Virtual Appliance. Consult the compatibility table that follows for guidance. If you don't see a compatible patch, it's because it doesn't exist, and no patch needs to be installed.
    5. Click the button in the Import Now column to import the patch into Deep Security Manager.
    6. On the left, click Local Software to verify that the patch was imported successfully.
    7. Repeat for any additional patches.
  3. Import the compatible agent:
    1. Still in Deep Security Manager, on the left, expand Updates > Software > Download Center.
    2. Select the agent software that is compatible with your Deep Security Virtual Appliance. Consult the compatibility table that follows for guidance.
    3. Click the button in the Import Now column to import the agent into Deep Security Manager.
    4. On the left, click Local Software to verify that the agent was imported successfully.

    You have now imported the patches and Deep Security Agent that are compatible with your appliance version. You are ready to upgrade the agent on the appliance and apply the patches.

  4. Upgrade the agent on the appliance and apply the patches:
    1. Click Computers and double-click your appliance computer.
    2. Click Actions > Upgrade Appliance.
    3. Select the agent version to install on the appliance. This is the agent you just imported.
    4. Click OK.
  5. Click Events & Reports and search on 710 to find the report about the installation of the update file.

You have now upgraded the agent on the appliance and installed one or more OS patches (if they existed).

If you upgraded the Deep Security Agent before importing the OS patch for the Deep Security Virtual Appliance, you will see system event 740. To fix this problem, use the following procedure.

  1. Import the appliance patches for the version of the appliance that you are updating. See above in this section for instructions. The appliance patches appear on the Local Software page in Deep Security Manager.
  2. Go to the Computers page.
  3. Right-click the virtual machine where you want to update the appliance and click Send Policy. The appliance downloads and installs the patches.

If the appliance fails to download the patches, it could be that the relay hasn’t received the patch files yet. Wait until the relay receives the files and then click Send Policy. For information on relays, see Distribute security and software updates with relays.

Compatibility table: appliance, agent, and patch

Appliance version Image OS Compatible agent software Compatible appliance patch (if it exists)
Appliance-ESX-10.0 or higher CentOS 7 Agent-RedHat_EL7-<version>.x86_64.zip Agent-DSVA_CENTOS7.0-<patch-version>-<date-stamp>.x86_64.zip

Determine the installed appliance version

See the version of the appliance that is installed to determine whether you need to install the latest update. The computer details provides information about the installed appliance software (click Computers, select the virtual machine and click Details > General):

  • The Virtual Appliance Version property indicates the version of the Deep Security Agent that is deployed on the appliance's OS.
  • The Appliance OS Version property indicates the version of the Deep Security Virtual Appliance that is installed.