Protect Deep Security Agent

If you have enabled manager-initiated communication (see Agent-manager communication for details), and by extension, manager-initiated activation, it is highly recommended that you bind the agent to a specific manager during this activation. For details, see the section below.

Bind Deep Security Agent to a specific Deep Security Manager

If manager-initiated activation is enabled between Deep Security Agent and Deep Security Manager, Trend Micro strongly recommends that you protect the agent by allowing it to only be contacted by a known and specific manager during the activation. This configuration should be used if you are in an environment that might include malicious Deep Security Managers.

To bind the agent to a manager, you'll need to export the SSL certificate that is used for securing agent-manager communication, and then add it to the agent computer. Follow these instructions:

  1. On the Deep Security Manager, export the Deep Security Manager SSL certificate by running this command:

dsm_c -action exportdsmcert -output ds_agent_dsm.crt

where:

  • ds_agent_dsm.crt must be specified exactly as shown (you cannot use another name). It is the name of the Deep Security Manager SSL certificate that is used to secure the communication between the agent and manager.

  2. On the computer where the agent that you want to activate is installed, put the ds_agent_dsm.crt file in one of these locations:
  • Windows: %ProgramData%\Trend Micro\Deep Security Agent\dsa_core
  • Linux: /var/opt/ds_agent/dsa_core

You have now added the Deep Security Manager certificate to the agent. The agent now only accepts activations from the Deep Security Manager that owns the certificate.
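Before activating, it is worth confirming that the ds_agent_dsm.crt on the agent host is byte-for-byte the certificate you exported and not a file planted by someone else. The following helper, an added example and not Trend Micro's own code, locates the file at the paths listed above and compares its SHA-256 fingerprint with one you recorded on the manager; it assumes dsm_c writes a PEM- or DER-encoded X.509 certificate and that the expected fingerprint is supplied by you.

```python
import base64
import hashlib
import os
import platform
import re

# Constructed example, not Trend Micro code. Assumes the exported file is a
# PEM or DER X.509 certificate; if dsm_c emits another format, adjust parsing.
CERT_NAME = "ds_agent_dsm.crt"
CERT_DIRS = {
    "Windows": os.path.join(os.environ.get("ProgramData", r"C:\ProgramData"),
                            "Trend Micro", "Deep Security Agent", "dsa_core"),
    "Linux": "/var/opt/ds_agent/dsa_core",
}
_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def agent_cert_path(system=None):
    """Full path of the pinned manager certificate for this platform."""
    system = system or platform.system()
    if system not in CERT_DIRS:
        raise ValueError(f"unsupported platform: {system}")
    return os.path.join(CERT_DIRS[system], CERT_NAME)


def cert_fingerprint(data):
    """SHA-256 fingerprint (colon-separated hex) of a PEM or DER certificate."""
    m = _PEM_RE.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    if not der.startswith(b"\x30"):  # X.509 Certificate is an ASN.1 SEQUENCE
        raise ValueError("not a DER-encoded X.509 certificate")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(data, expected):
    """True if the certificate bytes match the fingerprint recorded on the manager."""
    return cert_fingerprint(data) == expected.strip().upper()


def verify_pinned_cert(expected, path=None):
    """Read the pinned certificate from the agent host and check its fingerprint."""
    with open(path or agent_cert_path(), "rb") as f:
        return fingerprint_matches(f.read(), expected)
```

Record the expected fingerprint on the manager immediately after running dsm_c, and treat a mismatch on the agent host as a reason to stop and re-export rather than proceed with activation.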

After completing these steps, the agent enters a 'pre-activated' state. While in this state, operations initiated by other Deep Security Managers or by the agent's local dsa_control utility do not work properly, by design. After the agent is fully activated, all normal operation resumes.

After resetting or deactivating an agent, the Deep Security Manager certificate is cleared, so the above steps must be re-applied.