Get Deep Security Agent software

To install Deep Security Agent, you must download the agent installer and load packages for the agent's protection modules into Deep Security Manager. To view a list of software that has been imported into Deep Security Manager, go to Administration > Updates > Software > Local.

Deep Security is modular. Initially, Deep Security Agent only has core functionality. When you enable a protection module, then the agent downloads that plug-in and installs it. So before you activate any agents, first download the agent software packages into Deep Security Manager's database("import" them) so that they will be available to the agents and relays.

Even if you use a third party deployment system, you must import all installed Deep Security Agent software into the Deep Security Manager's database. When a Deep Security Agent is first activated, it only installs protection modules that are currently enabled in the security policy. If you enable a new protection module later, Deep Security Agent will try to download its plug-in from Deep Security Manager. If that software is missing, the agent may not be able to install the protection module.

Once you import the agent installer package, depending on your preferred deployment method, you can then export and load the installers into a third party deployment system such as Ansible, Chef, or Puppet which will install it on your computers.

Download agent software packages into Deep Security Manager

Even if you don't use Deep Security Manager to deploy agent updates, you should still import the software into the Deep Security Manager's database. You can do this manually or automatically.

Automatically import software updates

You can configure Deep Security Manager to automatically download any updates to software that you've already imported into Deep Security. To enable this feature, go to Administration > System Settings > Updates and select Automatically download updates to imported software.

This setting will download the software to the Deep Security but will not automatically update your agent software. Continue with Update the Deep Security Agent.

Manually import software updates

You can manually import software updates as they become available on the Download Center.

  1. In Deep Security Manager, go to Administration > Updates > Software > Download Center.

    The Trend Micro Download Center displays the latest versions of agent software.

  2. To download your agent software package to the manager's local storage, select the installer from the list, and then click Import .

    Deep Security Manager connects to the internet to download the software from Trend Micro. When the manager has finished, a green check mark will appear in the Imported column for that agent. Software packages will appear on Administration > Updates > Software > Local.

    If a package cannot be imported directly, a popup note will indicate that. For these packages, download them from the Trend Micro Download Center website to a local folder, then go to Administration > Updates > Software > Local and manually import them.

    Alternatively, if your Deep Security Manager is "air-gapped" (not connected to the Internet) and cannot connect directly to the Download Center web site, you can load them indirectly. Download the ZIP packages to your management computer first, and then log into the Deep Security Manager and upload them.

Export the agent installer

You can download the agent installer from Deep Security Manager.

  1. In Deep Security Manager, go to Administration > Updates > Software > Local.
  2. Select your agent from the list.
  3. Click Export > Export Installer.

    If you have older versions, the latest version of the software will have a green check mark in the Is Latest column.

  4. Save the agent installer. If you will install the agent manually, save it on the computer where you want to install Deep Security Agent. Otherwise, if you use a third party deployment system (such as Ansible, Chef, Puppet, PowerShell, or others), load the agent installer into that system.
To install Deep Security Agent, only use the exported agent installer (the .msi or the .rpm file) - not the full agent ZIP package. If you run the agent installer from the same folder that holds the other zipped agent components, all protection modules will be installed, even if you haven't enabled them on the computer. This consumes extra disk space. (For comparison, if you use the .msi or .rpm file, the agent will download and install protection modules only if your configuration requires them.)
Installing an agent, activating it, and applying protection with a security policy can be done using a command line script. For more information, see Use deployment scripts to add and protect computers.

Delete a software package from the Deep Security database

To save disk space, Deep Security Manager will periodically remove unused packages from the Deep Security database. To configure the maximum number of old packages kept, go to System Settings > Storage.

Deep Security Virtual Appliance uses protection module plug-ins in the 64-bit Red Hat Enterprise Linux Agent software package. Therefore if you have an activated Deep Security Virtual Appliance, and try to delete the 64-bit Red Hat Enterprise Linux Agent software package from the database, an error message will tell you that the software is in use.

There are two types of packages that can be deleted:

  • agent
  • kernel support

Deleting agent packages in single-tenancy mode

In single tenancy mode, Deep Security automatically deletes agent packages ( that are not currently being used by agents. Alternatively, you can manually delete unused agent packages. Only unused software packages can be deleted.

For the Windows and Linux agent packages, only the currently used package (whose version is the same as the agent installer) cannot be deleted.

Deleting agent packages in multi-tenancy mode

In multi-tenancy mode, unused agent packages ( are not deleted automatically. For privacy reasons, Deep Security cannot determine whether software is currently in use by your tenants, even though you and your tenants share the same software repository in the Deep Security database. As the primary tenant, Deep Security does not prevent you from deleting software that is not currently running on any of your own account's computers, but before deleting a software package, be very sure that no other tenants are using it.

Deleting kernel support packages

In both single and multi-tenancy mode, Deep Security automatically deletes unused kernel support packages ( A kernel support package can be deleted if both of these conditions are true:

  • No agent package has the same group identifier.
  • Another kernel support package has the same group identifier and a later build number.

You can also manually delete unused kernel support packages. For Linux kernel support packages, only the latest one cannot be deleted.