Get and distribute security updates

You must keep your Deep Security deployment up to date with the security updates that Deep Security uses to identify potential threats. Security updates for Deep Security Agent 12.0 and later are digitally signed to prove that they came from Trend Micro and to ensure that they were not tampered with in transit to the agent.

There are two types of security updates:

  • Pattern Updates are used by the anti-malware module.
  • Rule Updates are used by these modules:
    • Firewall
    • Intrusion Prevention
    • Integrity Monitoring
    • Log Inspection

Before configuring security updates, you must have installed and activated your agents, appliances, and relays. See Manually install the Deep Security Agent.

Trend Micro releases new rule updates every Tuesday, with additional updates as new threats are discovered. You can get information about the latest updates from the Trend Micro Threat Encyclopedia.

To configure security updates, you will need to:

  1. Configure a security update source and settings
  2. Configure Anti-Malware Engine Update
  3. Organize your relay-enabled agents into relay groups, assign relay groups to your agents and appliances, and configure relay settings for security and software updates. (See Distribute security and software updates with relays.)
  4. Perform security updates
  5. Special case: configure updates on a relay-enabled agent in an air-gapped environment

At any time, you can Check your security update status.


Alerts are raised if a rule update has been downloaded from Trend Micro and has been available for more than thirty minutes but computers have yet to be updated.
Alerts are raised if a pattern update has been downloaded from Trend Micro and has been available for more than an hour but computers have yet to be updated.

Configure a security update source and settings

  1. Go to Administration > System Settings > Updates.
  2. Set your Primary Security Update Source. By default this will be the Trend Micro Update Server accessed over the internet. Unless your support provider has told you to do otherwise, leave the setting as is. If you were given an alternative source for updates, enter the URL, including "http://" or "https://" in the Other update source box.
  3. Set your pattern updates under Secondary Source. Normally, agents connect to a relay-enabled agent to get security updates. But if you have agents installed on roaming computers that are not always in contact with a Deep Security Manager or relay, you can select Allow Agents/Appliances to download security updates directly from Primary Security Update Source if Relays are not accessible to allow agents to use the update source specified in the previous step when their relay group is not available.
  4. Normally, the Deep Security Manager instructs agents or appliances to download pattern updates. When Allow Agents/Appliances to download security updates when Deep Security Manager is not accessible is selected, even though an agent cannot communicate with the Deep Security Manager, it will continue to download updates from its configured source.

    You may want to deselect this option on computers where you do not want to risk a potentially problematic security update when the computer is not in contact with a manager and therefore possibly far away from any support services.

  5. Trend Micro will occasionally issue an update to an existing Deep Security rule. The Automatically apply Rule Updates to Policies setting determines whether updated rules will automatically be applied to Deep Security policies. If this option is not selected, you will have to manually apply downloaded rule updates to policies from the Administration > Updates > Security page by clicking on the Apply Rules to Policies button.
    Updates to existing rules are either improvements to the efficiency of the rule or bug fixes. So although it's a good idea to test new rules (either in detect-only mode or in a test environment) before deploying them to a production environment, automatically applying updates to existing rules is usually a safe option.
  6. You can configure the amount of time that can pass between an instruction to perform a security update being sent and the instruction being carried out before an alert is raised. Click Administration > System Settings > Alerts and change the value for Length of time an Update can be pending before raising an Alert.

Configure Anti-Malware Engine Update

You can choose to automatically update the Anti-Malware engine separately from the Deep Security Agent for more secure protection. By default, this setting is turned off and appears as N/A in the Is Latest section on Computer Details > Updates > Advanced Threat Scan Engine.

To turn the Anti-Malware engine update on:

  1. Go to Computers or Policies and double-click the computer or policy you want to update.
  2. Go to Settings > Engine Update. Next to Automatically update anti-malware engine, select Yes from the drop-down menu.

Relays always receive the latest Anti-Malware engine updates in order to keep the relay's local protection and engine update source for the same relay group up-to-date. Therefore, you cannot enable or disable engine updates directly on a relay.

Perform security updates

The recommended way to check for security updates is to set up a "Check for Security Updates" scheduled task that performs a check on a regular basis. For details, see Schedule Deep Security to perform tasks.

You can also manually initiate security updates:

  • For a system-wide update, go to Administration > Updates > Security, and click the Check For Updates and Download button.
  • To perform security updates on specific agents and appliances, go to Computers, select the agent or appliance, then right-click and select Actions > Download Security Update.

Special case: configure updates on a relay-enabled agent in an air-gapped environment

In a typical environment, at least one relay-enabled agent is configured and able to download updates from the Trend Micro Update Server, and the rest of the agents and appliances connect to that relay-enabled agent for update distribution. However, if your relay-enabled agent cannot connect to the Update Server over the Internet, you'll need to set up a relay in your demilitarized zone (DMZ) that can obtain the security updates, which you can then copy to your air-gapped relays. For details, see Configure agents that have no internet access.

Check your security update status

The Security Updates Overview page (Administration > Updates > Security) displays the state of your security updates:

  • Trend Micro Update Server: Indicates whether relays can connect to the Trend Micro Update Server to check for the latest security updates.
  • Deep Security: Indicates when the last successful check and download were performed, and when the next scheduled check will be performed.

    All Relays are in sync indicates that all relays are distributing the latest successfully downloaded pattern updates. Relays that are out of sync are usually in that state because they cannot communicate with the Trend Micro Update Servers. This could be because they are intentionally "air-gapped" and need to be manually updated, or because of network connectivity problems. If any relays are out of sync, a link to those relays will be provided.

  • Computers: Indicates whether any computers are out of date with respect to the Pattern Updates being stored in the Relays. You can click Send Patterns to Computers to instruct all computers to retrieve the latest pattern updates from their assigned relays.
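The following is an added example, not part of the Trend Micro documentation and not Deep Security's own code or API: it models the status logic described above (relays "out of sync" when they are not distributing the latest downloaded version, computers "out of date" relative to that version) together with the alert thresholds stated earlier on this page (rule updates pending more than 30 minutes, pattern updates more than 60 minutes). Host names, version strings and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Documented defaults: rule updates alert after 30 minutes, pattern updates after
# 60 minutes. The delay is configurable under Administration > System Settings > Alerts.
PENDING_ALERT_DELAY = {"rule": timedelta(minutes=30), "pattern": timedelta(minutes=60)}


@dataclass
class Update:
    kind: str               # "rule" or "pattern"
    version: str            # version most recently downloaded from Trend Micro
    downloaded_at: datetime


@dataclass
class Host:
    name: str
    is_relay: bool
    versions: dict          # kind -> version currently in effect on this host


def relays_out_of_sync(latest, hosts):
    """Relays that are not distributing the latest downloaded version of every update type."""
    return sorted(h.name for h in hosts if h.is_relay
                  and any(h.versions.get(u.kind) != u.version for u in latest.values()))


def pending_alerts(latest, hosts, now):
    """(host, kind, version) triples for which an alert should be raised: the update has
    been available longer than the delay for its type and the host is still behind."""
    alerts = []
    for u in latest.values():
        if now - u.downloaded_at < PENDING_ALERT_DELAY[u.kind]:
            continue                      # still inside the grace period
        alerts += [(h.name, u.kind, u.version) for h in hosts
                   if h.versions.get(u.kind) != u.version]
    return sorted(alerts)


# Constructed sample data (hypothetical hosts and version labels).
SAMPLE_NOW = datetime(2024, 1, 9, 12, 0)
SAMPLE_LATEST = {
    "rule": Update("rule", "R-0002", datetime(2024, 1, 9, 11, 0)),      # 60 min ago
    "pattern": Update("pattern", "P-0010", datetime(2024, 1, 9, 11, 20)),  # 40 min ago
}
SAMPLE_HOSTS = [
    Host("relay-1", True, {"rule": "R-0002", "pattern": "P-0010"}),   # in sync
    Host("relay-2", True, {"rule": "R-0001", "pattern": "P-0009"}),   # air-gapped, stale
    Host("web-01", False, {"rule": "R-0002", "pattern": "P-0009"}),   # pattern inside grace
    Host("db-01", False, {"rule": "R-0001", "pattern": "P-0010"}),    # rule overdue
]
```

Running `pending_alerts(SAMPLE_LATEST, SAMPLE_HOSTS, SAMPLE_NOW)` flags only the hosts whose rule update is still missing an hour after download; the 40-minute-old pattern update has not yet crossed its one-hour threshold.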

See details about pattern updates

The Administration > Updates > Security > Patterns page displays a list of the components that make up a pattern update. This page is displayed only when Deep Security has an active relay.

  • Component: The type of update component.
  • Product Name: The Deep Security product this component is intended for.
  • Platform: The operating system for which the update is intended.
  • Current Version: The version of the component within the Update currently downloaded from Trend Micro to Deep Security and being distributed by the relays and the Deep Security Manager.
  • Last Updated: When the currently downloaded security update was retrieved from Trend Micro.

You can find the version numbers of the security update components in effect on a specific computer on Computer Editor > Updates.

See details about rule updates

The Administration > Updates > Security > Rules page displays a list of the most recent Intrusion Prevention, Integrity Monitoring, and Log Inspection Rules that have been downloaded to the Deep Security Manager database.

From this page, you can:

  • View details about a rule update: Select a rule update and click View to see details, including a list of the specific rules included in the update.
  • Roll back a rule update: If a recent rule update has caused problems in your environment, you may want to roll back to a previous rule update. If you roll back to a previous update, all policies affected by the rollback will be immediately updated on all computers using those policies. Select the rule update that you want to roll back to and click Rollback. Deep Security Manager generates a summary of changes that will take place so that you can confirm the changes before finalizing the rollback.
  • Reapply the current rule set: The rule update marked as current is the one that has been applied. To reapply that rule update to computers being protected by Deep Security, right-click the rule update and click Reapply.
  • Import a rule update: Rule updates are automatically imported into Deep Security during the "Check for Security Updates" scheduled task, or when you click Check for Updates and Download on the Administration > Updates > Security page. The only time you might have to manually import a rule update is if your installation has no connectivity to the Trend Micro Update Servers or if you are asked to do so by your support provider.
  • Export a rule update: Under normal circumstances you should not have to export a rule update unless asked to do so by your support provider.
  • Delete a rule update: Click Delete to remove the selected rule update from the Deep Security Manager database.

You can configure the number of rule updates that are kept in the Deep Security Manager database by going to the Administration > System Settings > Storage tab.

If the relay functionality is enabled for a computer, the Computer editor > Security Updates page displays the components that the relay is currently distributing to the agents and appliances that rely on it for security updates. If the anti-malware module is enabled for a computer, the security updates page also displays the set of patterns that are in effect locally on this computer. From this page, you can also download or roll back security updates.