Upgrade the Deep Security Agent

Software upgrades can be initiated through Deep Security Manager, manually, or a third-party deployment system.

If your environment includes Deep Security Agents installed on Linux computers, you can choose to automatically upgrade those agents to the latest software version that's compatible with your Deep Security Manager when the agent is activated or reactivated. For details, see Automatically upgrade agents on activation.

All Deep Security Relays must be upgraded before upgrading the Deep Security Agent. If you do not upgrade your relays first, security component upgrades and software upgrades may fail. See Upgrade the Deep Security Relay for details.

Before upgrading the Deep Security Agent on a Linux platform, confirm the OS kernel is supported by the latest version of the agent. See Deep Security Agent Linux kernel support

In this topic:

Upgrade the agent starting from an alert

When a new agent software version is available, a message appears on Alerts.

  1. In the alert, click Show Details and then click View all out-of-date computers.
    Computers opens with all computers showing a Software Update Status of Out-of-Date.
  2. Continue with Initiate an agent upgrade or Manually upgrade the agent.

Initiate an agent upgrade

Upgrade when the server is less busy.

On Solaris 11 computers, the trendmicro publisher may have been left set as a result of previous upgrades. To avoid the upgrade failing, run the following command before upgrading agents on Solaris 11:
pkg unset-publisher trendmicro
rm -rf /var/opt/ds_agent/ips_repo

On Administration > Updates > Software, the "Computers" section indicates whether any computers or virtual appliances are running agents for which upgrades are available. The check is only performed against software that has been imported into Deep Security, not against software available from the Download Center. If any computers are out of date, either:

  • To upgrade all out-of-date computers, click Upgrade Agent / Appliance Software.
  • To upgrade a specific agent computer or appliance image:
    1. Go to Computers , select the computers that you want to upgrade, and click Actions > Upgrade Agent Software.

      You must upgrade your relays before your agents to prevent failures. Learn more. To identify a relay, look for the relay icon ().

    2. In the dialog box that appears, select the Agent Version. We recommend that you select the default Use the latest version for platform (X.Y.Z.NNNN). Click Next.

When you activate a virtual appliance on a computer, Deep Security upgrades the Red Hat Agent to the version specified for the Virtual Appliance Deployment option. (See Select the agent for newly-activated virtual appliances.) You cannot delete the latest Red Hat Agent unless you first remove all virtual appliance software packages. You can delete older versions of the Red Hat Agent only if they are not in use.

An upgrade on Solaris may take five minutes or longer to complete in some cases.

Select the agent for newly-activated virtual appliances

For more information on upgrading the Deep Security Virtual Appliance, see Upgrade the Deep Security Virtual Appliance.

The Deep Security Virtual Appliance uses the protection module plug-in software packages from an agent for 64-bit Red Hat Enterprise Linux. Use the Virtual Appliance Deployment option to select the version of the Red Hat Enterprise Linux Agent software that is deployed to any newly activated virtual appliances.

When the default item of Latest Available (Recommended) is selected, the software used is the latest version of imported agent software that is compatible with the latest version of the appliance software that is imported.

Versions of the agent software that pre-date the imported appliance do not appear in the list.

Manually upgrade the agent

Sometimes you may not be able to upgrade the agent software from the Deep Security Manager because of connectivity restrictions, or you may prefer to deploy upgrades using a third-party system. If so, you can upgrade the agent software using an installer that you have copied to the computer.

Download the new agent software either from the Download Center, or by exporting it from the Deep Security Manager (see Get Deep Security Agent software). Then run the installer. Method varies by operating system.

You must upgrade your relays before your agents to prevent failures. Learn more. To identify a relay, look for the relay icon ().

Manually upgrade the agent on Windows

  1. Disable agent self-protection. To do this, on the Deep Security Manager, go to Computer editorClosedTo open the Computer editor, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Settings > General. In Agent Self Protection, and then either deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for local override.
  2. Copy the agent installer to the computer.
  3. Run the agent installer. It will detect the previous agent and perform the upgrade.

Manually upgrade the agent on Linux

  1. Copy the agent installer to the computer.
  2. Run the following command:
    rpm -U <new agent installer rpm>

(The "-U" argument instructs the installer to perform an upgrade.)

Manually upgrade the agent on Solaris

On Solaris 11, if you are upgrading from Deep Security Agent 9.0, you must first upgrade to Deep Security Agent 9.0.0-5616 or a later 9.0 agent, and from there, upgrade to Deep Security Agent 11.0. If you upgrade from an earlier build, the agent may fail to start. If this problem occurs, see Fix the upgrade issue on Solaris 11.

Due to the critical nature of workloads running on many Solaris servers, we recommend that you follow these best practices when upgrading:

  • Test the upgrade procedure first in a staging environment before upgrading production servers.
  • When upgrading production servers, upgrade one server at a time for the first few servers. Allow a soak period in between each server upgrade.
  • After individually upgrading a number of production servers for a given Solaris version and Application Role (for example, Reverse Proxy, Web Server, Middleware, and so on), upgrade the remaining servers of that version and Application Role in groups.

To manually upgrade the agent on Solaris:

  • Solaris 11, one zone (run in the global zone):

    x86: pkg update -g file:///mnt/Agent-Solaris_5.11-9.x.x-xxxx.x86_64/Agent-Core-Solaris_5.11-9.x.x-xxxx.x86_64.p5p pkg:/security/ds-agent

    SPARC: pkg update -g file:///mnt/Agent-Solaris_5.11-9.x.x-xxxx.x86_64/Agent-Solaris_5.11-9.x.x-xxxx.sparc.p5p pkg:/security/ds-agent

  • Solaris 11, multiple zones (run in the global zone):

    pkg unset-publisher trendmicro

    rm -rf <path>

    mkdir <path>

    pkgrepo create <path>

    pkgrecv -s file://<dsa core p5p file location> -d <path> '*'

    pkg set-publisher -g <path> trendmicro

    pkg update pkg://trendmicro/security/ds-agent

    pkg unset-publisher trendmicro

    rm -rf <path>

  • Solaris 10: Create an installation configuration file named ds_adm.file with the following content, and then save it in the root directory. Next, run this command to install the package:

    pkgadd -G -v -a /root/ds_adm.file -d Agent-Core-Solaris_5.10_U7-10.0.0-1783.x86_64.pkg

Content of ds_adm.file

mail=

instance=overwrite

partial=nocheck

runlevel=quit

idepend=nocheck

rdepend=quit

space=quit

setuid=nocheck

conflict=quit

action=nocheck

proxy=

basedir=default

Manually upgrade the agent on AIX

Due to the critical nature of workloads running on many AIX servers, we recommend that you follow these best practices when upgrading:

  • Test the upgrade procedure first in a staging environment before upgrading production servers.
  • When upgrading production servers, upgrade one server at a time for the first few servers. Allow a soak period in between each server upgrade.
  • After individually upgrading a number of production servers for a given AIX version and Application Role (for example, Reverse Proxy, Web Server, Middleware, and so on), upgrade the remaining servers of that version and Application Role in groups.

To manually upgrade the agent on AIX:

  1. Copy the latest AIX agent installer file (BFF file) to a temporary folder such as /tmp on the AIX computer. For detailed instructions, see Install an AIX agent.
  2. Upgrade the agent. Use these commands:

    /tmp> rm -f ./.toc

    /tmp> installp -a -d /tmp/<agent_BFF_file_name> ds_agent

    where <agent_BFF_file_name> is replaced with the name of the BFF installer file you extracted.