Choose agentless vs. combined mode protection
If you are protecting virtual machines (VMs), you can install Deep Security Agent, just as you would for other types of computers. But in Deep Security 9.6 or later, there are two other ways to protect VMs:
- Agentlessly (via virtual appliance), or
- Mixture of agent-based and agentless ("combined mode")
Agentless protection
Anti-malware and Integrity Monitoring protection can be provided without installing Deep Security Agent. Instead, the VMware Tools driver installed on the VM can offload security processing to a Deep Security Virtual Appliance.
On Linux VMs, Deep Security Agent provides anti-malware protection, not the Deep Security Virtual Appliance.
Because agentless protection requires fast connectivity between the appliance and the computer you want to protect, don't use agentless protection if the computer is far from the appliance, such as on a remote ESXi server or in another data center.
Combined mode
You can watch Deep Security 12 - Agentless to Agent Based Migration on YouTube to review some of the steps needed to migrate from an agentless protected environment to agent-based protection.
If you require other protection features that Deep Security Virtual Appliance doesn't support, you must install the Deep Security Agent on each of your VMs, but you can still use the Deep Security Virtual Appliance to provide some of the protection, which can improve performance. Using the appliance and agent together is known as "combined mode".
With combined mode, the appliance provides the anti-malware and integrity monitoring. The Deep Security Agent provides other features.
Conversion of coordinated approach to combined mode
- Coordinated approach — In Deep Security 9.5, if the agent on a VM was offline, protection features would be provided by the Deep Security Virtual Appliance instead as an alternative. However, it could not be configured separately for each feature.
- Combined mode — In Deep Security 9.6, each protection feature was configurable to use either the agent or appliance. However, if the preferred protection source was offline, the computer didn't use the other alternative.
In Deep Security 10.0 and later, the "protection source" settings provide both behaviors:
- whether each feature is provided by the agent or appliance
- whether to use the agent or appliance alternative if the preferred protection is not available
So if you need behavior like the old coordinated approach, you might want to avoid upgrading to Deep Security 9.6, and instead upgrade from Deep Security 9.5 to Deep Security 10.0 and then to 12.0.
Choose an agent or appliance for each protection feature
If a computer could be protected by either an appliance or agent, you can select which will provide each protection feature.
To configure the protection source, import a VMware vCenter into Deep Security Manager, then in the Computer or Policy editor, go to Settings > General.
You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details).
For each protection module or group of protection modules, select either:
- Appliance Only: Only the Deep Security Virtual Appliance will provide protection, even if there is an agent on the VM and the appliance is deactivated or removed.
  Don't use the appliance if you require the scanner (SAP). It requires Deep Security Agent anti-malware.
  When anti-malware is enabled on the agent, the agent downloads the Anti-malware Solution Platform (AMSP) and starts it as a service. If you do not want this, then from Anti-Malware, select Appliance Only. That way, even if the appliance is deactivated, the agent won't start the AMSP service.
- Appliance Preferred: If there is an activated appliance on the ESXi server, it will provide the protection. But if the appliance is deactivated or removed, then the agent will provide protection instead.
- Agent Only: Only the agent will provide protection, even if there is an activated appliance available.
- Agent Preferred: If there is an activated agent on the VM, it will provide the protection. But if there is no activated agent, then the appliance will provide protection instead.
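The following added example (not Trend Micro code, and not a Deep Security API) models the four protection-source settings above and audits an inventory for modules that end up unprotected or running on their fallback source. The inventory rows and field names are constructed for illustration, and the Linux anti-malware statement from this page is modelled, as an assumption, as the appliance being unavailable for that module.

```python
# Added example: models the four protection-source settings described above.
# Field names and inventory rows are constructed; no Deep Security API is used.

def provider(setting, agent_active, appliance_active):
    """Return 'agent', 'appliance' or None for one protection module."""
    order = {
        "Appliance Only": ["appliance"],
        "Appliance Preferred": ["appliance", "agent"],
        "Agent Only": ["agent"],
        "Agent Preferred": ["agent", "appliance"],
    }[setting]
    active = {"agent": agent_active, "appliance": appliance_active}
    for source in order:
        if active[source]:
            return source
    return None  # "Only" setting with its source down, or nothing activated


def audit(inventory):
    """Return (vm, module, finding) for unprotected or fallback modules."""
    findings = []
    for vm in inventory:
        for module, setting in vm["sources"].items():
            appliance_ok = vm["appliance_active"]
            # Per the page: on Linux VMs anti-malware comes from the agent,
            # not the appliance. Assumption: modelled as appliance unavailable.
            if vm["os"] == "linux" and module == "anti-malware":
                appliance_ok = False
            got = provider(setting, vm["agent_active"], appliance_ok)
            preferred = "appliance" if setting.startswith("Appliance") else "agent"
            if got is None:
                findings.append((vm["name"], module, "UNPROTECTED"))
            elif got != preferred:
                findings.append((vm["name"], module, f"fallback to {got}"))
    return findings


# Constructed sample inventory.
INVENTORY = [
    {"name": "win-app01", "os": "windows", "agent_active": True, "appliance_active": False,
     "sources": {"anti-malware": "Appliance Only", "integrity-monitoring": "Appliance Preferred"}},
    {"name": "lnx-db01", "os": "linux", "agent_active": True, "appliance_active": True,
     "sources": {"anti-malware": "Appliance Preferred", "integrity-monitoring": "Appliance Only"}},
    {"name": "win-web02", "os": "windows", "agent_active": False, "appliance_active": True,
     "sources": {"anti-malware": "Agent Preferred", "integrity-monitoring": "Agent Only"}},
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row, sep="\t")
```

The "Only" settings are the ones that can leave a module with no provider: an activated agent on win-app01 does not take over anti-malware when the appliance is deactivated.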
Enable combined mode in a vCloud Director environment with agent-initiated activation
When the hostname of a vCloud Director virtual machine is not resolvable from Deep Security Manager, use agent-initiated activation to enable combined mode. To enable combined mode on a vCloud Director virtual machine:
- Go to Computers, right-click on the target vCloud Director computer, and select Activate.
- Double-click the target vCloud Director computer, and select Settings > General in the pop-up window. Change the Communication Direction to Agent/Appliance Initiated.
- Install Deep Security Agent on the target vCloud Director computer, and activate the agent.