Manually install the Deep Security Agent

For easier agent installation and activation, use a deployment script instead. For more information, see Use deployment scripts to add and protect computers.

Before installing the Deep Security Agent, you must:

After installation, the agent must be activated before it can protect its computer or be converted into a relay. See Activate the agent.

In this topic:

Install a Windows agent

  1. Copy the installer file to the computer.
  2. Double-click the installation file (.MSI file) to run the installer package.

    On Windows Server 2012 R2 Server Core, launch the installer using this command instead: msiexec /i Agent-Core-Windows-12.0.x-xxxx.x86_64.msi
  3. At the Welcome screen, click Next to begin the installation.
  4. End-User License Agreement: If you agree to the terms of the license agreement, select I accept the terms of the license agreement and click Next.
  5. Destination Folder: Select the location where you would like Deep Security Agent to be installed and click Next.
  6. Ready to install Trend Micro Deep Security Agent: Click Install to proceed with the installation.
  7. Completed: when the installation has completed successfully, click Finish.

The Deep Security Agent is now installed and running on this computer, and will start every time the machine boots.

When installing the agent on Windows 2012 Server Core, the notifier will not be included.
During an install, network interfaces will be suspended for a few seconds before being restored. If you are using DHCP, a new request will be generated, potentially resulting in a new IP address for the restored connection.

Installation on Amazon WorkSpaces

  • If you are unable to install Deep Security Agent .msi file due to error code ‘2503’ then you must do one of the following:
    • Edit your C:\Windows\Temp folder and allow the write permission for your user
    • Open the command prompt as an administrator and run the .msi file

Amazon has fixed this issue for newly-deployed Amazon WorkSpaces.

Installation on Windows 2012 Server Core

  • Deep Security does not support switching the Windows 2012 server mode between Server Core and Full (GUI) modes after the Deep Security Agent is installed.
  • If you are using Server Core mode in a Hyper-V environment, you will need to use Hyper-V Manager to remotely manage the Server Core computer from another computer. When the Server Core computer has the Deep Security Agent installed and Firewall enabled, the Firewall will block the remote management connection. To manage the Server Core computer remotely, turn off the Firewall module.
  • Hyper-V provides a migration function used to move a guest VM from one Hyper-V server to another. The Deep Security Firewall module will block the connection between Hyper-V servers, so you will need to turn off the Firewall module to use the migration function.

Install a Red Hat, SUSE, Oracle Linux, or Cloud Linux agent

  1. Copy the installer file to the computer.
  2. Install the agent.

    # sudo rpm -i <package name>

    Preparing... ########################################## [100%]

    1:ds_agent ########################################## [100%]

    Loading ds_filter_im module version ELx.x [ OK ]

    Starting ds_agent: [ OK ]

    To upgrade from a previous install, use "rpm -U" instead. This will preserve your profile settings.

    The Deep Security Agent will start automatically upon installation.

Install an Ubuntu or Debian agent

  1. Go to Administration > Updates > Software > Download Center.
  2. Import the agent package into Deep Security Manager.
  3. , and then export the installer (.deb file).
  4. Copy the installer file to the computer.
  5. Install the agent.

    sudo dpkg -i <installer file>

To start, stop, or reset the agent:

Using SysV init scripts:

  • Start: /etc/init.d/ds_agent start
  • Stop: /etc/init.d/ds_agent stop
  • Reset: /etc/init.d/ds_agent reset
  • Restart: /etc/init.d/ds_agent restart
  • Display status: svcs -a | grep ds_agent

Using systemd commands:

  • Start: systemctl start ds_agent
  • Stop: systemctl stop ds_agent
  • Restart: systemctl restart ds_agent
  • Display status: systemctl status ds_agent

Install a Solaris agent

The Deep Security Agent installation is only supported in the global zone. Non-global zones are not supported.

Solaris requires the following libraries to be installed to support Deep Security Agent:

  • Solaris 10: SUNWgccruntime
  • Solaris 11.0 - 11.3: gcc-45-runtime
  • Solaris 11.4: none; gcc-c-runtime version 7.3 is installed by default
  1. Import the agent installer package to the manager and then export it. If multiple agents are available for your platform, choose the latest one. If you're not sure which agent package to pick, review the mapping table below.
  2. Unzip the ZIP file.
  3. Unzip the GZ file:

    gunzip <agent_GZ_file>

    The agent installer file (P5P or PKG) is now available.

  4. Install the agent. Method varies by version and zones. File name varies by SPARC vs. x86.
    • Solaris 11, one zone (run in the global zone):

      x86: pkg install -g file:///mnt/Agent-Solaris_5.11-xx.x.x-xxx.x86_64/Agent-Core-Solaris_5.11-xx.x.x-xxx.x86_64.p5p pkg:/security/ds-agent

      SPARC: pkg install -g file:///mnt/Agent-Solaris_5.11-xx.x.x-xxx.sparc/Agent-Core-Solaris_5.11-xx.x.x-xxx.sparc.p5p pkg:/security/ds-agent

    • Solaris 11, multiple zones (run in the global zone):

      mkdir <path>

      pkgrepo create <path>

      pkgrecv -s file://<path_to_agent_p5p_file> -d <path> '*'

      pkg set-publisher -g <path> trendmicro

      pkg install pkg://trendmicro/security/ds-agent

      pkg unset-publisher trendmicro

      rm -rf <path>

    • Solaris 10:

      x86: pkgadd -G -d Agent-Core-Solaris_5.10_Ux-xx.x.x-xxx.x86_64.pkg

      SPARC: pkgadd -G -d Agent-Core-Solaris_5.10_Ux-xx.x.x-xxx.sparc.pkg

  5. Solaris-version-to-agent-package mapping table

    If you're installing the agent on...Use this agent package... Help Center option
    Solaris 10 Updates 4-6 (64-bit, SPARC or x86)



    Solaris 10 Updates 7-11 (64-bit, SPARC or x86)


    Solaris 11.0 (1111)-11.3 (64-bit, SPARC or x86)


    Solaris 11.4 (64-bit, SPARC or x86)Agent-Solaris_5.11_U4-xx.x.x-xxx.<sparc|.x86_64>.zipSolaris_5.11_U4


    • The Help Center option column shows you which option to select from the Agent drop-down list on the Help Center's 'Deep Security Software' page, if that's how you've chosen to obtain the package.
    • is the build number of the agent. For example: 12.0.0-682
    • <sparc|.x86_64> is one of sparc or .x86_64, depending on the Solaris processor.

To start, stop, or reset the agent:

  • Start: svcadm enable ds_agent
  • Stop: svcadm disable ds_agent
  • Reset: /opt/ds_agent/dsa_control -r
  • Restart: svcadm restart ds_agent
  • Display status: svcs -a | grep ds_agent

To uninstall the agent on Solaris 11:

pkg uninstall pkg:/security/ds-agent

To uninstall the agent on Solaris 10:

pkgrm -v ds-agent

Install an AIX agent

  1. Go to Administration > Updates > Software > Download Center.
  2. Import the Deep Security Agent for AIX package (ZIP file) into Deep Security Manager. The agent package has the following naming format:
    • Deep Security Agent 12 for AIX: Agent-AIX-<agent_release>-<build> Example:
    • Deep Security Agent 9.0 for AIX: Agent-AIX_<AIX_version>-<agent_release>-<build> Example:

    For details on which agent you'll need for the version of AIX you're using, see Deep Security Agent platforms.

  3. Extract the ZIP file. A GZ file becomes available.
  4. Move the GZ file to another location.
  5. Extract the GZ file using gunzip. A BFF file becomes available. This is the installer file.
  6. Copy the BFF file to the AIX computer.
  7. Place the BFF file in a temporary folder such as /tmp.
  8. Install the agent.

    /tmp> installp -a -d /tmp/<agent_BFF_file_name> ds_agent

    where <agent_BFF_file_name> is replaced with the name of the BFF installer file you extracted.

To start, stop, load, or unload the driver for the agent:

  • Start: startsrc -s ds_agent
  • Stop: stopsrc -s ds_agent
  • Load the driver: /opt/ds_agent/ds_fctrl load
  • Unload the driver: /opt/ds_agent/ds_fctrl unload

Install the agent on a Microsoft Azure VM

To install the agent on VM instances running in the Microsoft Azure cloud, you need to deploy Deep Security Agents to them. You can do this in multiple ways:

Generate and run a deployment script

You can generate Deep Security deployment scripts for automatically deploying agents using deployment tools such as RightScale, Chef, Puppet, and SSH.

For more information on how to do so, see Use deployment scripts to add and protect computers.

Add a custom script extension to an existing virtual machine

You can also add a custom script extension to an existing virtual machine to deploy and activate the Deep Security Agent. To do this, navigate to your existing virtual machine in the Azure management portal and follow the steps below to upload and execute the deployment script on your Azure VM.

  1. Log in to the Azure portal.
  2. Switch to the preview portal, and then click the virtual machine that you want to add the custom script to.
  3. In the Settings blade, click Extensions, in the Extensions blade, click Add extension, in the New Resource blade, select Custom Script, and then click Create.
  4. In the Add Extension blade under Script File (required), click upload, select the saved .ps1 deployment script, and then click OK.

Upload custom script to Azure