What's new?

Below are the major changes in Deep Security 12.0.

Deep Security 12.0 also includes features that were previously delivered in Deep Security 11.3, 11.2 and 11.1.

If you'd prefer, you can watch Deep Security 12 - What's New on YouTube.

Enhanced platform support

Features released in Deep Security 12.0:

Deep Security Agent:

  • Red Hat Enterprise Linux 8 (64-bit)
  • SUSE Linux Enterprise Server 15 (64-bit)
  • Windows 10 version 1903 (64-bit)

Deep Security Manager:

  • Amazon Aurora (PostgreSQL) database support
  • Azure Marketplace (BYOL) for GovCloud

Deep Security Virtual Appliance:

  • Agentless Anti-Malware for NSX-T: Deep Security can perform Anti-Malware protection on VMware virtual machines at the hypervisor level VMware NSX-T. For more information, visit Deploy the appliance (NSX-T).
  • NSX-T Anti-Malware tagging: Deep Security can apply NSX security tags based on Anti-Malware Events on NSX-T. For more information, visit Configure Anti-Malware to apply NSX security tags.
  • New Appliance for UEFI Boot, NSX-T, and NSX-V: The same appliance can be used to deploy an SVM on both NSX-T and NSX-V infrastructures. This appliance can also be deployed in a vSphere which has virtual UEFI or BIOS support. For more information, visit Upgrade the Deep Security Virtual Appliance.

Features originally released in Deep Security 11.3, 11.2 and 11.1:

Deep Security Agent:

  • Windows 10 Embedded (64-bit)
  • Windows 8.1 Embedded (32-bit)
  • Windows 7 Embedded (32-bit).

For important details about Windows Embedded support, see Supported features by platform.

Deep Security Manager:

  • SQL Server 2017 database support
  • PostgreSQL 10.x database support

Improved security

Features released in Deep Security 12.0:

  • TLS 1.2 enhancements:
    • Deep Security has the ability to enforce TLS 1.2 and the use of strong ciphers (ciphers have an Advanced+ (A+) rating, and are listed in this table). For more information, see Enable TLS 1.2 strong cipher suites
    • TLS 1.2 is the default for all new Deep Security deployments. See Use TLS 1.2 with Deep Security for details.
    • The dsm_c command includes a new -action parameter called settlsprotocol. This parameter allows you to set and view the minimum TLS version accepted by Deep Security Manager. See Command-line basics for details.
  • Ensure Anti-Malware stays online with protection in place during an agent upgrade: This feature removes the requirement for a forced restart of Windows servers when agents are upgraded. After an agent upgrade, Anti-Malware protection remains in place (using the Anti-Malware from the existing agent) until such a time that the computer can be rebooted. A reboot is still required to complete the upgrade to the new agent, and this improvement ensures that customers are free to plan this reboot at a future date, or as with common with many Windows servers, simply wait until the next scheduled reboot to complete the upgrade at which point the new anti-malware module will be installed.
  • Signed installer packages: Deep Security Manager blocks the import of Deep Security software if it isn’t digitally signed, or includes a signature that cannot be verified successfully.

If you require Deep Security Agent 9.0 for AIX on Solaris, signed versions are available from the 12.0 tab on the Deep Security Software page.

Features originally released in Deep Security 11.3, 11.2 and 11.1:

  • Improved container traffic scanning: With Deep Security Agent 11.1 and earlier, the Firewall and Intrusion Prevention modules inspect traffic that passes through the host computer's network interface to containers. With Deep Security Agent 11.2 or later, those modules can also inspect traffic between containers. For information on how to enable this feature, see Set up Intrusion Prevention and Set up the Deep Security firewall.
  • Integrity Monitoring - improvements to real-time scans: Real-time file Integrity Monitoring on Linux and Windows server platforms captures information about who made changes to a monitored file. This feature is supported with Deep Security Agent 11.1 or later on Linux and with Deep Security Agent 11.2 or later on Windows server platforms. For details about which platforms support this feature, see Supported features by platform.
  • Inactive agent cleanup: The new inactive agent cleanup feature can automatically remove computers that have been inactive for a specified period of time. For details, see Automate offline computer removal with inactive agent cleanup.
  • Signed installer packages: The installers for the Deep Security Manager, Deep Security Agent, and Deep Security Notifier are digitally signed. See Check digital signatures on software packages.
  • Trend Micro licensing and registration server security improvement: As of Deep Security 11.1, all communication with the Trend Micro licensing and registration server is secured using HTTPS.
  • Smart Protection Server security improvement: The Smart Protection Server CloudFormation Template in AWS now includes an HTTPS URL for the Web Reputation service. For details, see Deploy a Smart Protection Server in AWS.

Improved management and quality

Features released in Deep Security 12.0:

  • Prevent agent installation on incorrect platform: The Deep Security Agent installer checks the installation platform to prevent installation of an agent that does not match the platform. This feature is supported on:
    • Amazon Linux and Amazon Linux 2
    • Red Hat Enterprise Linux 6 and 7
    • CentOS 6 and 7
    • Cloud Linux 7
    • Oracle Linux 6 and 7
    • SUSE Linux Enterprise Server 11 and 12
  • VMWare reliability and scalability improvements: The scalability and reliability of Deep Security Virtual Appliance has been improved for large VMware Horizon VDI environments using VMware's Instant-Clone technology. Improvements have been made to address the dynamic operations of the VDI guest machines.
  • Azure 'Quick' mode removal: In Deep Security 12.0, the Quick mode for adding an Azure cloud account has been removed because it required giving excessive permissions to Deep Security Manager. If you used Quick mode in prior releases, there is no impact to your deployment. All new Azure Cloud accounts must use the advanced method. For more information, visit Add virtual machines from a Microsoft Azure account to Deep Security.

Features originally released in Deep Security 11.3, 11.2 and 11.1:

  • Application Control Improvements:
    • Application Control hash-based rules: With Deep Security Agent 11.1 and later, Application Control rules are based on a software file's SHA-256 has value, and not by file name and/or path. This enhancement greatly improves the coverage of each rule and reduces the operational overhead of creating and managing multiple rules for files with the same hash value. For details, see What does application control detect as a software change? Or, if you are using the Deep Security API to create shared rulesets, see Use the API to create shared and global rulesets.
    • Application Control simplification: The Application Control user interface has been simplified by removing the redundant decision log view. For information on how to reverse an application control decision, see View and change Application Control rulesets.
  • Deep Security API updates:
    • Deep Security 11.1 introduced the new Deep Security Automation Center with helpful information on how to use the Deep Security API's. For more information, see the Deep Security Automation Center.
    • For information on what's been updated in the automation from release to release see the Automation Changelog.
    • Deep Security 11.1 provides a new RESTful API that enables you to automate the provisioning and maintenance of security via Deep Security. Go to the Deep Security Automation Center to download the SDKs in the language of your choice and learn how to use the API.
    • The Deep Security API now includes a Python SDK and the API reference includes Python examples. For more information, visit the Deep Security Automation Center.
  • Automatic Anti-Malware engine update: Malware is constantly evolving, so the Anti-Malware engine that Deep Security uses must be updated regularly. Previously, to update the Anti-Malware engine, you were required to upgrade the Deep Security Agent, sometimes resulting in a reboot of the computer. With this release, you can update the Anti-Malware engine separately from the Deep Security Agent. You can set this update to happen automatically, which keeps your Anti-Malware engine updated without manual intervention and without rebooting the system. For details, see Get and distribute security updates.
  • Upgrade on activation: Deep Security Manager 11.3 and later provides an option that instructs Deep Security Agents to automatically upgrade to the latest compatible version of the agent software when the agent is activated. For details, see Automatically upgrade agents on activation.

    Upgrade on activation is initially supported for Linux platforms only (Windows and UNIX platforms are skipped when the feature is enabled) and is controlled through a global system setting.

  • Seamless appliance upgrade: The Deep Security Virtual Appliance upgrade process has been simplified. You can now automatically upgrade the selected Deep Security Virtual Appliances. The new upgrade process reduces the complex steps required to upgrade manually. See Upgrade the Deep Security Virtual Appliance.
  • Alert improvement: The ‘Relay Update Service Unavailable’ alert has been renamed to ‘A Deep Security Relay cannot download security components’ and now includes a more accurate description and solution.
  • Command improvement: The dsa_query, and dsa_control commands now show the agent version and Deep Security protection module information. See Command-line basics for details.
  • Logging improvement: To help with troubleshooting and to allow for the correlation of events between the Deep Security Manager and the Deep Security Agent, you can now choose to include the time zone in events. See Forward Deep Security events to an external syslog or SIEM server.

For additional information, see the release notes that accompany each software download.