Deep Security 11.3 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.
Configure agents that have no Internet access
If your agents or relays don't have access to the Internet (also called "air-gapped agents"), then they won't be able to access several of the security services provided by the Trend Micro Smart Protection Network. These security services are necessary for the full and successful operation of the Deep Security anti-malware and web reputation features.
These Trend Micro security services are:
| Service name | Required for these features |
| --- | --- |
| Smart Scan Service | Smart Scan |
| Web Reputation Service | web reputation |
| Global Census Service | behavior monitoring, predictive machine learning |
| Good File Reputation Service | behavior monitoring, predictive machine learning, process memory scans |
| Predictive Machine Learning Service (Trend X) | predictive machine learning |
If the above services can't be reached by the agent or relay-enabled agent, you have several solutions, described below.
Solutions
- Solution 1: Use a proxy
- Solution 2: Install a Smart Protection Server locally
- Solution 3: Install a relay and supporting components in your DMZ or Internet-ready area
- Solution 4: Disable the features that use Trend Micro security services
Use a proxy
If your agents or relay-enabled agents can't connect to the Internet, you can install a proxy that can. Your Deep Security Agents and relays connect to the proxy, and the proxy then connects outbound to the Trend Micro security services in the Smart Protection Network.
With a proxy, each Smart Scan or web reputation request goes out over the Internet to the Smart Protection Network. Consider instead using a Smart Protection Server inside your LAN to keep these requests within your network and reduce extranet bandwidth usage.
To use a proxy, see Connect agents behind a proxy.
Install a Smart Protection Server locally
If your agents and relay-enabled agents can't connect to the Internet, you can install a Smart Protection Server in your local area network (LAN) to which they can connect. The local Smart Protection Server periodically connects outbound over the Internet to the Smart Protection Network to retrieve the latest Smart Scan anti-malware patterns and web reputation information. This information is cached on the Smart Protection Server and disseminated to your agents and relay-enabled agents.
If you decide to use this solution, remember that:
- Only the Smart Scan and web reputation features are supported with a local Smart Protection Server.
- Use the proxy solution if you need the behavior monitoring, predictive machine learning, and process memory scanning features. See Use a proxy above for details. If you decide not to use these features, you must disable them to prevent query failures and to improve performance. For instructions on disabling these features, see Disable the features that use Trend Micro security services.
To deploy a Smart Protection Server:
- Install it manually. See the Smart Protection Server documentation for details.
- Or, if your agents or relay-enabled agents are inside AWS, install it using an AWS CloudFormation template created by Trend Micro. See Deploy a Smart Protection Server in AWS for details.
Install a relay and supporting components in your DMZ or Internet-ready area
If your agents or relay-enabled agents can't connect to the Internet, you can install a relay-enabled Deep Security Agent, Deep Security Manager, and Deep Security Manager's database in your demilitarized zone (DMZ) or another area of your network where Internet access is available. These Deep Security components must be installed in addition to your existing air-gapped components.
Once all the components are installed, the relay-enabled agent automatically obtains the latest malware scan updates from the Update Server in the Smart Protection Network. These updates must be extracted to a .zip file, and then manually copied to your air-gapped relay or directly to your air-gapped agents, if you do not have an air-gapped relay. (Detailed instructions follow.)
If you decide to use this solution, remember that:
- The .zip file contains traditional (large) malware patterns, which give you basic anti-malware capabilities.
- The following advanced anti-malware features are not available: Smart Scan, behavior monitoring, predictive machine learning, process memory scans, and web reputation. These features all require access to Trend Micro security services.
- You should disable the advanced anti-malware features (Solution 4) since they cannot be used.
- You should have a plan in place to periodically update the .zip file on your air-gapped relay to ensure you always have the latest malware patterns.
To deploy this solution, follow these steps:
- Install a Deep Security Manager and its associated database in your DMZ. We'll call these Internet-facing components the 'DMZ manager' and 'DMZ database'.
- Install a Deep Security Agent in your DMZ and configure it as a relay. We'll call this agent the 'DMZ relay'. For information on setting up relays, see Distribute security and software updates with relays.
The following items are now installed:
- a DMZ manager
- a DMZ database
- a DMZ relay
- an air-gapped manager
- an air-gapped database
- an air-gapped relay
- multiple air-gapped agents
- On the DMZ relay, create a .zip file containing the latest malware patterns by running this command:
dsa_control -b
The command line output shows the name and location of the .zip file that was generated.
- Copy the .zip file to the air-gapped relay, or, if you are not using an air-gapped relay, copy the .zip file directly to each of your air-gapped agents. Place the file in the relay's or agent's installation directory.
- On Windows the default directory is C:\Program Files\Trend Micro\Deep Security Agent.
- On Linux the default directory is /opt/ds_agent.
- Do not rename the .zip file.
- On the air-gapped manager, initiate a security update download:
- Click Computers at the top.
- In the list of computers, find the air-gapped relay or agent to which you copied the .zip file, right-click it and select Download Security Update.
The air-gapped relay or agent checks its configured update source (typically the Update Server in the Trend Micro Smart Protection Network on the Internet). Because it can't connect to this server, it checks for the .zip file in its installation directory. When it finds the .zip file, it extracts it and imports the updates. If an air-gapped relay is used, the updates are then disseminated to the air-gapped agents that are configured to connect to the relay.
- Delete the .zip file after the updates are imported to the air-gapped agent or relay.
- Configure the air-gapped relay to connect to itself instead of the Trend Micro Update Server (to prevent connection error alerts):
- Log in to the air-gapped manager.
- Click Administration at the top.
- On the left, click System Settings.
- In the main pane, click the Updates tab.
- Under Primary Security Update Source, select Other update source and enter https://localhost:[port], where [port] is the configured port number for security updates (4122 by default).
- Click OK.
The air-gapped relay no longer tries to connect to the Update Server in the Trend Micro Smart Protection Network.
- (Optional but recommended.) To improve performance, disable the features that use Trend Micro security services. See Disable the features that use Trend Micro security services below.
- On a periodic basis, download the latest updates to your DMZ relay, create a new .zip file with dsa_control -b, copy it to your air-gapped relay or agents, and initiate a security update download for the relay (if you're using one) or for each agent.
You have now deployed a Deep Security Manager, associated database and relay in your DMZ from which to obtain malware scan updates.
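The transfer step above moves a pattern bundle across an air gap by hand, so it is worth checking that what arrives is the bundle that left. The following POSIX shell helper is an added example, not Deep Security's own tooling: on the DMZ side it records a SHA-256 digest in a sidecar file next to the bundle produced by dsa_control -b; on the air-gapped side it checks the zip header and the digest, refuses to stage if a previous bundle has not yet been deleted, and copies the file into the installation directory under its original name. The sidecar naming and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of Deep Security: integrity-checked staging of the pattern
# bundle that "dsa_control -b" produces on the DMZ relay. Assumption: a sidecar file
# "<bundle>.sha256" is written on the DMZ side and travels with the bundle.

sha256_of() {
  # Portable digest: GNU coreutils sha256sum, or shasum on BSD/macOS.
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# DMZ side: record the digest before the bundle crosses the air gap.
write_sidecar() { sha256_of "$1" > "$1.sha256"; }

# Air-gapped side: verify and place the bundle in the agent/relay install directory.
# Usage: stage_bundle /path/to/bundle.zip [install_dir]   (default /opt/ds_agent)
stage_bundle() {
  bundle="$1"; dest="${2:-/opt/ds_agent}"; name=$(basename "$bundle")
  case "$name" in *.zip) ;; *) echo "refusing $name: not a .zip" >&2; return 1;; esac
  [ -f "$bundle.sha256" ] || { echo "missing sidecar $bundle.sha256" >&2; return 1; }
  # A truncated or corrupted transfer is caught by the zip local-header magic PK\003\004.
  magic=$(head -c 4 "$bundle" | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "504b0304" ] || { echo "refusing $name: not a zip archive" >&2; return 1; }
  expected=$(cut -d' ' -f1 "$bundle.sha256"); actual=$(sha256_of "$bundle")
  [ "$expected" = "$actual" ] || { echo "refusing $name: SHA-256 mismatch" >&2; return 1; }
  # The procedure says to delete the bundle once imported; an existing .zip means the
  # previous import has not been confirmed, so do not add or overwrite a bundle.
  for old in "$dest"/*.zip; do
    if [ -e "$old" ]; then echo "refusing: unprocessed bundle $old present" >&2; return 1; fi
  done
  cp "$bundle" "$dest/$name"   # keep the original file name: the agent looks for it as-is
}
```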
Disable the features that use Trend Micro security services
You can disable the features that use Trend Micro security services. Doing so improves performance because the air-gapped agent no longer tries (and fails) to query the services.
- Without Trend Micro security services, your malware detection is downgraded significantly, ransomware is not detected at all, and process memory scans are also affected. It is therefore strongly recommended that you use one of the other solutions to allow access to Trend Micro security services. If this is impossible, only then should you disable features to realize performance gains.
- To disable Smart Scans:
- Open the Computer or Policy editor. (You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit, or select the policy and click Details. To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details.)
- On the left, click Anti-Malware.
- In the main pane, click Smart Protection.
- Under Smart Scan, deselect Inherited (if it is selected) and then select Off.
- Click Save.
- To disable web reputation:
- Open the Computer or Policy editor. (You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit, or select the policy and click Details. To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details.)
- On the left, click Web Reputation.
- In the main pane, make sure the General tab is selected.
- From the Configuration drop-down list, select Off.
- Click Save.
- To disable Smart Feedback:
- In Deep Security Manager, click Administration at the top.
- Click System Settings on the left.
- In the main pane, click the Smart Feedback tab.
- Deselect Enable Trend Micro Smart Feedback (recommended).
- Click Save.
- To disable process memory scans:
- In Deep Security Manager, click Policies at the top.
- On the left, expand Common Objects > Other and then click Malware Scan Configurations.
- Double-click a malware scan configuration with a SCAN TYPE of Real-Time.
- On the General tab, under Process Memory Scan, deselect Scan process memory for malware.
- Click OK.
- To disable predictive machine learning:
- Make sure you still have a real-time malware scan configuration open.
- On the General tab, under Predictive Machine Learning, deselect Enable Predictive Machine Learning.
- Click OK.
- To disable behavior monitoring:
- Make sure you still have a real-time malware scan configuration open.
- On the General tab, under Behavior Monitoring, deselect both options, namely, Detect suspicious activity and unauthorized changes (incl. ransomware) and Back up and restore ransomware-encrypted files.
- Click OK.
Also disable the census and grid queries if you want performance gains. If you leave them enabled, a lot of unnecessary background processing takes place. To disable these queries:
- Disable the census query:
dsm_c -action changesetting -name settings.configuration.enableCensusQuery -value false
- Disable the grid query:
dsm_c -action changesetting -name settings.configuration.enableGridQuery -value false