What's new in Deep Security Agent?
Deep Security Agent - 20.0.1-25771 (20 LTS Update 2024-12-10)
Release date: December 10, 2024
Build number: 20.0.1-25771
New features
Version Control Policy: Deep Security Agent now supports Version Control Policy, which allows Trend Vision One version control policies to manage agent and component updates for any endpoint with the Trend Micro Endpoint Basecamp (XBC) agent installed. For more information, see Version Control Policies. This is currently in pre-release, and is only supported for Trend Vision One - Server & Workload Protection.
Quarantine auto-cleanup: Deep Security Agent will now automatically purge parts of files in the quarantine folder if its disk space usage exceeds the maximum amount. Max disk space usage (1024 MB by default) is configurable from Computer (or Policy) > Anti-Malware > Advanced > Identified Files. This feature is only available for Cloud One Workload Security at this time.
Enhancements
- Deep Security Agent 20.0.1.25771 or later supports FIPS mode for Ubuntu 22.04. DSA-7699
- Deep Security Agent now supports Advanced TLS Traffic Inspection for Intrusion Prevention on Apache Tomcat servers running OpenJDK 8 on 64-bit Linux operating systems. DSA-8244
- Deep Security SAP Scanner can now report results to SAP applications when it identifies password-protected compressed files attached to an email in Microsoft Outlook Item (MSG) format. SF07873657/PCT-23367/DSA-7716
- Deep Security Agent can now trigger the installation of Endpoint Basecamp from Trend Cloud One - Endpoint & Workload Security. DSA-7532
- Anti-Malware's Behavior Monitoring detection level and prevention level can now be configured. DSA-6796
- Deep Security Agent now detects if its relay proxy is Trend Vision One Service Gateway Forward Proxy Service, and uses the Service Gateway domain allow list to decide whether the connection should use the relay proxy or not. SF07267852/PCT-29311/DSA-6274
- Deep Security Agent now supports additional options to fine tune detection sensitivity for Anti-Malware, Behavior Monitoring, Predictive Machine Learning, Process Memory Scan, and the Windows Antimalware Scan Interface (for real-time scan only). DSA-6062
- Improved detection and protection against malicious processes that can be launched through a memory file descriptor (memfd). DSA-6009
Resolved issues
- Events including packet data were being logged with an incorrect packet size. PCT-45556/DSA-8074
- Some systems with Anti-Malware enabled encountered a memory leak. DSA-8243
- Some systems encountered a memory issue that caused Anti-Malware to stop working. PCT-46330/DSA-8156
- Deep Security SAP Scanner would incorrectly report scan failures when two or more files with the same content were included in a compressed file. PCT-38781/DSA-7324
- Deep Security Agent had higher than usual CPU usage if Integrity Monitoring was disabled following an Integrity Monitoring scan. SF07991055/PCT-31459/DSA-6195
- Rebooting caused some systems to hang if agent self-protection was enabled. PCT-27574/PCT-29800/DSA-6007
- When SAP was enabled, duplicate exclude paths were sometimes created and would remain even after SAP was disabled. DSA-7595
Security updates
This release contains updates to third-party libraries. DSA-7124
Deep Security Agent - 20.0.1-23340 (20 LTS Update 2024-11-13)
Release date: November 13, 2024
Build number: 20.0.1-23340
Enhancements
- Deep Security Agent 20.0.1-23340 or later adds additional support for Red Hat Enterprise Linux 9 (PowerPC little-endian). For details, see supported features by platform for Deep Security 20 LTS or Trend Cloud One - Endpoint & Workload Security. DSA-7234
- Web Reputation Service can now use Server Name Indication (SNI) queries when determining the risk level of a website. DSA-7314
- Connection timeout for the Predictive Machine Learning service was extended to nine seconds to reduce the number of "Census, Good File Reputation, and Predictive Machine Learning Service Disconnected" events (Event ID 945). DSA-5321
Resolved issues
- When Deep Security Agent had Advanced TLS Traffic Inspection enabled using Transport Layer Security (TLS) 1.3, some systems encountered a kernel panic crash. PCT-43009/DSA-7787
- Some systems running Deep Security Agent encountered an operating system crash caused by retrieving an invalid memory address. PCT-33865/DSA-6335
Deep Security Agent - 20.0.1-21510 (20 LTS Update 2024-10-16)
Release date: October 16, 2024
Build number: 20.0.1-21510
New features
Red Hat Enterprise Linux 9 (PowerPC little-endian) support: Deep Security Agent 20.0.1-21510 or later supports Anti-Malware, Activity Monitoring, and SAP Scanner for Red Hat Enterprise Linux 9 (PowerPC little-endian). This requires Deep Security Manager 20.0.979 or later.
Enhancements
- Advanced Threat Scan Engine has been updated to version 24.5. DSA-7354
Resolved issues
- High CPU usage would occur when both Application Control and FIPS were enabled. DSA-6842
- When the SAP Scanner library re-established connections to Deep Security Agent, the scan requests sent from the SAP Scanner library would sometimes be rejected. SF08196066/PCT-34824/DSA-7608
- Deep Security SAP Scanner would sometimes crash when scanning for files in certain formats, like CSV. PCT-41353/DSA-7609
Deep Security Agent - 20.0.1-19250 (20 LTS Update 2024-09-18)
Release date: September 18, 2024
Build number: 20.0.1-19250
New features
Ubuntu 24.04 support: Deep Security Agent 20.0.1-19250 or later supports Ubuntu 24.04 including Secure Boot support. This requires Deep Security Manager 20.0.954 or later.
Enhancements
- Updated Deep Security Agent to improve compatibility with older versions of the SAP Scanner. SF08196066/PCT-34824/DSA-6819
- Deep Security Agent now supports the Alibaba Cloud connector type. DSA-6018
Resolved issues
- Deep Security Agent caused high CPU usage on systems with both Application Control and FIPS enabled. DSA-6842
- Anti-Malware engine did not start correctly during Deep Security Agent startup on systems using XDR Endpoint Sensor. DSA-7158
- An issue detecting the operating system information sometimes prevented Deep Security Agent from installing on Rocky Linux 9. PCT-26151/DSA-5630
Security updates
This release contains updates to third-party libraries. DSA-6156/DSA-6942
Deep Security Agent - 20.0.1-17380 (20 LTS Update 2024-08-21)
Release date: August 21, 2024
Build number: 20.0.1-17380
Enhancements
- Web Reputation Service "Smart Protection Server Disconnected" events now include FQDN or IP address information in the description field. DSA-5408
- SAP Scanner now classifies Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages as text files. SF07895338/PCT-24359/DSA-5790
- SAP Scanner now associates JavaScript with compatible file extensions. For details, see Supported MIME types. SF08102626/PCT-31518/DSA-6192
Resolved issues
- Anti-Malware engine sometimes crashed. DSA-5536
- SAP Scanner incorrectly classified valid CSV files if the data was formatted on a single line. SF07967718/PCT-26844/DSA-6102
- SAP Scanner sometimes incorrectly identified image files as ASP scripts. SF07764878/PCT-20406/DSA-6122
- Kernel Support Package (KSP) did not reload automatically after being imported. DSA-6159
- Deep Security Agent could not load the policy if some policy configuration fields contained curly brackets. DSA-6189
- Deep Security Agent failed to activate if the hostname contained non-ASCII characters. PCT-32214/DSA-6268
- Deep Security Agent sometimes failed to shut down completely if integrating with Trend Micro Endpoint Basecamp (XBC) agent. SF08143019/PCT-32915/DSA-6347
- Deep Security Agent incorrectly created a temporary directory named
/opt/ds_agent@tmp
during installation. DSA-6412 - When Intrusion Prevention was enabled for Deep Security Agent, some third-party applications had connectivity issues if they were reusing a source port. SF07685331/PCT-20541/DSA-5596
- When Anti-Malware accessed files on a Cluster Shared Volume, the Hyper-V host crashed. SF05713918/SF05850687/SF07038125/SEG-146660/SEG-148664/SEG-186072/PCT-41910/PCT-5467/DSSEG-7664
Known issues
- Deep Security Agent Application Control causes high CPU usage. PCT-36414
- Anti-Malware engine is not starting correctly during Deep Security Agent startup on systems using XDR Endpoint Sensor. DSA-7158
Deep Security Agent - 20.0.1-14610 (20 LTS Update 2024-07-17)
Release date: July 17, 2024
Build number: 20.0.1-14610
New features
SUSE Linux Enterprise Server 15 (AWS ARM-Based Graviton 2) support: Deep Security Agent 20.0.1-14610 or later supports SUSE Linux Enterprise Server 15 (AWS ARM-Based Graviton 2). This requires Deep Security Manager 20.0.926 or later. DSA-4836
Enhancements
- SAP Scanner now associates the following MIME types with compatible file extensions. For details, see Integrate with SAP NetWeaver.
- TrueType Font (TTF). SF08102626/PCT-31518/DSA-6049
- Java Archive (JAR). SF08102626/PCT-31518/DSA-6044
- Apple QuickTime File Format (QTFF). SF07967718/SF07840151/PCT-22825/PCT-26844/DSA-5887/DSA-5567
- Microsoft Advanced Systems Format (ASF). SF07967718/PCT-26844/DSA-5886
Resolved issues
- Deep Security Agent still tried to test connections for Service Gateways. DSA-5814
- A Deep Security Agent restart sometimes caused Application Control to report drift events. SF07813110/PCT-25731/DSA-5798
- Deep Security Agent was only able to use the primary IP address for Service Gateway. DSA-4513
- Integrity Monitoring real-time scans sometimes failed to generate events. SF07269768/PCT-21721/DSA-5877
- Switching from User Mode to Kernel Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes caused Deep Security Agent to lose real-time Anti-Malware protection. DSA-6090
Deep Security Agent - 20.0.1-12510 (20 LTS Update 2024-06-19)
Release date: June 19, 2024
Build number: 20.0.1-12510
Enhancements
- Deep Security Agent 20.0.1-12510 or later adds additional support (including SAP Scanner) for Red Hat Enterprise Linux 8.6 (PowerPC little-endian). For details, see supported features by platform for Deep Security 20 LTS or Trend Cloud One - Endpoint & Workload Security. DSA-4835
- Advanced TLS Traffic Inspection now supports separate configurations for "Inspect Inbound TLS/SSL Traffic" and "Inspect Outbound TLS/SSL Traffic". For detailed configuration steps, see https://help.deepsecurity.trendmicro.com/20_0/on-premise/intrusion-prevention-ssl-traffic.html#EnableTLS.
Resolved issues
- When Anti-Malware had only basic functions, some systems would hang. DSA-4821
- When Anti-Malware was enabled, Deep Security Agent sometimes failed to shut down completely. PCT-26090/DSA-5492
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-12022/DSA-5484
Highest Common Vulnerability Scoring System (CVSS) score: 5.5
Highest severity: Medium
Known issues
- There is a performance impact when Inspect Inbound TLS/SSL Traffic and Inspect Outbound TLS/SSL Traffic are enabled at the same time in Advanced TLS Inspection settings. For details, see Performance impact of bi-directional TLS inspection in Deep Security. DSA-5959
- Switching from User Mode to Kernel Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6090
- Switching to User Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6104
Deep Security Agent - 20.0.1-9400 (20 LTS Update 2024-05-16)
Release date: May 16, 2024
Build number: 20.0.1-9400
New features
User mode solution: User mode can now be enabled from the Trend Cloud One - Endpoint & Workload Security or Deep Security Manager UI to provide event generation and protection through basic functions for Activity Monitoring and Anti-Malware on systems that lack kernel support.
Enhancements
- SAP Scanner now supports the
SCANLOGPATH
parameter. For details, see Integrate with SAP NetWeaver. PCT-21958/DSA-4924 - Updated Deep Security Agent to improve the priority for configurations using a proxy. DSA-4817/PCT-21750
- Deep Security Agent can now retrieve Service Gateway settings from the Trend Micro Endpoint Basecamp (XBC) agent. DSA-4841/V1E-13468
Resolved issues
- Deep Security Agent security updates sometimes failed after reconfiguring proxy settings. PCT-18382/DSA-5390
- Using Deep Security Agent with Web Reputation Service enabled prevented some Application Performance Monitoring (APM) applications from functioning correctly. SF04072723/SEG-97952/PCT-15716/DSA-4750
- Deep Security Agent Anti-Malware and network drivers were unable to load on systems using Security-Enhanced Linux (SELinux) enforcing mode with its default policies. PCT-14630/DSA-4917
- Deep Security Agent was sometimes unable to detect Linux system firewall port settings, which prevented the agent Firewall from allowing ports required for it to function. SF07650853/PCT-16253/DSA-4849
- Anti-Malware on-demand scans sometimes used file descriptors incorrectly, which resulted in "Bad file descriptor" log errors. DSA-4051
- Anti-Malware engine sometimes crashed. PCT-25789/DSA-4051
Security updates
This release contains updates to third-party libraries. DSA-4187
Known issues
- This release excludes the Deep Security Agent package for Oracle Linux 6 (32-bit) as it reports the Anti-Malware Engine status incorrectly. DSA-5557
- Switching from User Mode to Kernel Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6090
- Switching to User Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6104
Deep Security Agent - 20.0.1-7380 (20 LTS Update 2024-04-24)
Release date: April 24, 2024
Build number: 20.0.1-7380
New features
User mode solution: This feature provides basic Activity Monitoring and Anti-Malware functions through Fanotify and eBPF on systems that lack kernel support. Deep Security Agent cannot protect runtime container workloads in this mode.
Enhancements
- Deep Security Agent 20.0.1-7380 or later adds additional support (including SAP Scanner) for SUSE Linux Enterprise Server 12 (PowerPC little-endian). For details, see supported features by platform for Deep Security 20 LTS or Trend Cloud One - Endpoint & Workload Security. DSA-2626
- Deep Security Agent 20.0.1-7380 or later adds additional support (including SAP Scanner) for SUSE Linux Enterprise Server 15 (PowerPC little-endian). For details, see supported features by platform for Deep Security 20 LTS or Trend Cloud One - Endpoint & Workload Security. DSA-2630
- Deep Security Agent now supports Trend Vision One Service Gateway exclusions. This is only supported for Trend Cloud One - Endpoint & Workload Security users at this time. V1E-17754
- Deep Security Agent can have its proxy configuration set by the Trend Vision One Proxy Manager. V1E-14557
Resolved issues
- Deep Security Agents running in cloud environments sometimes could not be activated for Trend Cloud One - Endpoint & Workload Security. DSA-4861
- When SAP Scanner was enabled, system events for "SAP: Anti-Malware module is not ready" or "SAP: Virus Scan service is not working correctly" sometimes displayed during Deep Security Agent upgrade. These system event messages were triggered by the restart of Deep Security Agent modules. There was no functional impact. DSA-4603
- Deep Security Agent caused high CPU usage on some systems using TLS inspection with the
tm_netagent
process running. PCT-22031/DSA-4805 - After enabling Trend Micro Service Gateway Generic Caching Service (GCS) from Trend Vision One, Deep Security Manager and Trend Cloud One - Endpoint & Workload Security displayed the "Check Status Failed" error when communicating with Deep Security Agent. DSA-4763
- The local Smart Protection Server sometimes showed an incorrect number of Deep Security Agents. DSA-3780
Deep Security Agent - 20.0.1-4540 (20 LTS Update 2024-03-20)
Release date: March 20, 2024
Build number: 20.0.1-4540
New features
CPU Usage Control: This feature provides 3 predefined modes to throttle CPU usage of Anti-Malware Real-Time Scan and Activity Monitoring (Computer > Settings > General > CPU Usage Control). This is only supported for Trend Cloud One - Endpoint & Workload Security customers at this time. DSA-2465
Enhancements
- SAP Scanner is now supported on Deep Security Agent 20.0.1-4540 or later for Red Hat Enterprise Linux 9. DSA-4213
- The SAP Scanner status for Deep Security Agent is now displayed in the console. DSA-3329
- The Deep Security Agent version is now displayed in the SAP Scanner library. SF07483850/PCT-10077/DSA-3304
Resolved issues
- Some systems encountered higher than normal CPU usage and performance issues if Deep Security Agent lost its connection to the Smart Protection Server. SF07552865/PCT-12430/DSA-3784
- Deep Security Agent incorrectly classified the MIME type of
.dwg
files generated by AutoCAD, from AutoCAD 2004 to AutoCAD 2024. SF07027236/SEG-186079/PCT-5797/DSA-2901
Known issues
- When SAP Scanner is enabled, system events may cause a message "SAP: Anti-Malware module is not ready" or "SAP: Virus Scan service is not working correctly" to be displayed temporary during the Deep Security Agent upgrade. This is caused by the restart of Deep Security Agent modules. There is no functional impact. DSA-4572
- After enabling Trend Micro Service Gateway Generic Caching Service (GCS) from Trend Vision One, Deep Security Manager and Trend Cloud One - Endpoint & Workload Security display "Check Status Failed" error when communicating with Deep Security Agent. For details, see Deep Security Agent reports "Check Status Failed" after enabling Service Gateway Generic Caching Service. DSA-2756
Deep Security Agent - 20.0.1-3180 (20 LTS Update 2024-02-29)
Release date: February 29, 2024
Build number: 20.0.1-3180
Enhancements
- Deep Security Scanner (SAP) now reports files containing Microsoft Office Macros as Active Content, while previously they were identified as Malware. PCT-5979/DSA-3911
Resolved issues
- Migration of agents from on-premise Deep Security Manager to Trend Cloud One - Endpoint & Workload Security using Trend Vision One Service Gateway failed. This issue could also occur when migrating using other proxy services. PCT-16649/DSA-4144
- The expected MIME type for
.msg
files by the Deep Security Agent SAP Scanner was incorrect. PCT-5797/DSA-4050 - Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent sometimes resulted in a TLS inspection process (tm_netagent) error log rotation issue. DSA-3965
- Deep Security Agent could not start because a keyword in its system configuration was incorrectly interpreted. SEG-156447/PCT-8768/DSA-3897
- Smart Scan hung during its update because the IPv6 configuration could not be detected automatically. DSA-3287
- When Deep Security Agent is installed on a system with Fanotify enabled, the Anti-Malware process restarting or stopping sometimes caused the system to freeze. PCT-6047/SEG-190061/DSA-4474
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-11708/DSA-3702
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Known issues
- The Application Control Trust Entities block by target trust rule sometimes does not work properly when running a copy of an executable file. PCT-11105/DSA-3324
Deep Security Agent - 20.0.1-690 (20 LTS Update 2024-01-17)
Release date: January 17, 2024
Build number: 20.0.1-690
New features
Command line scan: Deep Security Agent now supports on-demand scans triggered using dsa_scan
from a command line interface.
This is currently only available to Trend Cloud One - Endpoint & Workload Security customers. For more information, see Command-line basics. V1E-6993
Enhancements
- From 2024 onward, Deep Security Agent versioning is being revised from 20.0.0 to 20.0.1. This requires Deep Security Manager 20.0.883 or later. DSA-3584.
For details, see Preparedness of DSM/DSA for Supporting 20.0.1 Linux Kernel Support Package (KSP).
Resolved issues
- Deep Security Agent was sometimes unable to connect to the local Smart Protection Server. DSA-3564
- When FIPS mode was disabled, Deep Security Agent used the OpenSSL configuration specified by the system environment variables rather than the config specified by the agent. PCT-4914/DSA-2651/DSA-2737/DSA-2738
- Deep Security Agent would incorrectly log network errors when the SAP scanner was enabled. DSA-3548
- Files added to the SAP Scanner allow list without including a file extension were being blocked when they should have been allowed. SF06565062/SEG-170933/DS-77132/DSA-3424
- When using Deep Security Agent on a system with Fanotify enabled, quarantining a file sometimes caused the system to freeze. PCT-6047/SEG-190061/DSA-2473
Known issues
- Updating to Deep Security Agent 20.0.1-690 from some 20.0.0 versions sometimes fails when using Deep Security Relay on Trend Cloud One - Endpoint & Workload Security. For details, see Failed remote upgrade of self-deployed Workload Security relay from 20.0.0-3445 or later to version revision 20.0.1 DSA-3317
- With the release of Deep Security Agent 20.0.1-690, Trend Micro is changing the version number of the Kernel Support Package (KSP) from 20.0.0 to 20.0.1. This may cause issues downloading the latest kernel driver on some agent versions. To maintain kernel support after the KSP revision, it is suggested that users upgrade to Deep Security Agent 20.0.0-8453 or later. For details, see Kernel driver download issues with Deep Security Agent (DSA) Linux. DSA-3588
- Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (
tm_netagent
) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773
Deep Security Agent - 20.0.0-8453 (20 LTS Update 2024-01-17)
Release date: January 17, 2024
Build number: 20.0.0-8453
Resolved issues
- Upgrading to Deep Security Agent 20.0.0-7943, 20.0.0-8137, 20.0.0-8268, or 20.0.0-8438 sometimes failed when Firewall, Web Reputation Service, or Intrusion Prevention System were enabled.
This issue is resolved for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. For details, see Failure to install or upgrade to Deep Security Agent version 20.0.0-7943 to 20.0.0-8438 for Linux when Network Modules are enabled. DSA-3834
Enhancements
- Updated Deep Security Agent to support 20.0.1 Kernel Support Packages. In order to continue Linux Kernel support in 2024, upgrade to Deep Security Agent to 20.0.0-8453+. For details, see Platform support updates for Deep Security Agent (DSA) version revision in January 2024 Update Release. DSA-1217
Known issues
- Deep Security Agent is sometimes unable to connect to the local Smart Protection Server. This issue is fixed in 20.0.1-690. For details, see Deep Security Agent (DSA) connection issues with Smart Protection Server (SPS) when using proxy. DSA-3564
Deep Security Agent - 20.0.0-8438 (20 LTS Update 2023-12-12)
Release date: December 12, 2023
Build number: 20.0.0-8438
New features
Debian 12 support: Deep Security Agent 20.0.0-8438 or later supports Debian 12 including Secure Boot support. This requires Deep Security Manager 20.0.864 or later. DSA-1408
Enhancements
- Remove some file types from the scanning list to avoid high CPU and disk consumption. SF07099651/SEG-188688/DSA-2010
- Agent self-protection now protects the Advanced TLS Traffic Inspection process (tm_netagent) preventing local users with administrator privileges from stopping it. DSA-1042/DSA-1043
- Add the ability to configure target CPU usage of Activity Monitoring. Choose between unlimited, low, and extremely low in the Trend Cloud One - Endpoint & Workload Security console. V1E-6246
- Telemetry now reports the IPv4 and IPv6 address of all network interfaces. V1E-4543
Resolved issues
- When using a local Smart Protection Server and a configured proxy, Web Reputation Service would sometimes improperly send traffic through the proxy. Web Reputation Service now sends queries to the local Smart Protection Server directly. DSA-2981
- A memory leak would occur when loading large Suspicious Object lists. SF06904914/SEG-182231/DSA-1370
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSA-2722
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: Critical
Known issues
- Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (
tm_netagent
) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773 - Upgrading to Deep Security Agent 20.0.0-8438 sometimes fails when Firewall, Web Reputation Service, or Intrusion Prevention System are enabled.
This issue is resolved in Deep Security Agent 20.0.0-8453 or later for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. For details, see Failure to install or upgrade to Deep Security Agent version 20.0.0-7943 to 20.0.0-8438 for Linux when Network Modules are enabled. DSA-3834 - Deep Security Agent is sometimes unable to connect to the local Smart Protection Server. This issue is fixed in 20.0.1-690. For details, see Deep Security Agent (DSA) connection issues with Smart Protection Server (SPS) when using proxy. DSA-3564
Deep Security Agent - 20.0.0-8268 (20 LTS Update 2023-11-21)
Release date: November 21, 2023
Build number: 20.0.0-8268
New Features
- Deep Security Agent now supports Trend Micro Service Gateway Generic Caching Service (GCS). DSA-2035
- Deep Security Agent now supports FIPS mode for Debian 10 and Debian 11. This requires Deep Security Manager 20.0.854 or later. DSA-1955
Resolved issues
- Deep Security Anti-Malware sometimes did not function as expected after the system had resumed from sleep mode (S0 low-power idle mode of the working state, also known as modern standby). SF07326571/PCT-5476/DSA-2485
- Deep Security Manager displayed the status of the VM protected by the Deep Security Virtual Appliance as Offline, after the Deep Security Virtual Appliance had been upgraded to version 20.0.0-7943 or 20.0.0-8137. The Deep Security Virtual Appliance itself was functioning properly and displayed the status as Managed (Online). SF07317008/SF07313849/SF07331882/PCT-4330/PCT-4607/PCT-4899/DSA-2259
- Deep Security Agent incorrectly classified MIME type of
.xml
files generated by Microsoft Word, Excel, PowerPoint, as well as.dwg
files generated by AutoCAD and R2000. SF07027236/SEG-186079/DSA-2202
Known issues
- Linux virtual machines froze when trying to update the Smart Scan pattern. As a workaround, you can add the
/opt/ds_agent/lib/libvmpd_scanctrl.so=icrc_try_update=0
key to theds_am.ini
file and restart the DSA service. SF07031242/PCT-5795/DSA-2616 - Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (
tm_netagent
) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773 - Upgrading to Deep Security Agent 20.0.0-8268 sometimes fails when Firewall, Web Reputation Service, or Intrusion Prevention System are enabled.
This issue is resolved in Deep Security Agent 20.0.0-8453 or later for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. For details, see Failure to install or upgrade to Deep Security Agent version 20.0.0-7943 to 20.0.0-8438 for Linux when Network Modules are enabled. DSA-3834
Deep Security Agent - 20.0.0-8137 (20 LTS Update 2023-10-26)
Release date: October 26, 2023
Build number: 20.0.0-8137
New features
Miracle Linux 9 support: Deep Security Agent 20.0.0-8137 or later supports Miracle Linux 9, including FIPS mode and Secure Boot support. This requires Deep Security Manager 20.0.844 or later.
Known issues
- Upgrading to Deep Security Agent 20.0.0-8137 sometimes fails when Firewall, Web Reputation Service, or Intrusion Prevention System are enabled.
This issue is resolved in Deep Security Agent 20.0.0-8453 or later for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. For details, see Failure to install or upgrade to Deep Security Agent version 20.0.0-7943 to 20.0.0-8438 for Linux when Network Modules are enabled. DSA-3834 - Deep Security Manager displays the status of guest VMs protected by the Deep Security Virtual Appliance 20.0.0-7943 as Offline or Check Status Failed (Activation Required). SF07317008/SF07313849/SF07331882/PCT-4330/PCT-4607/PCT-4899/DSA-2259
Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)
Release date: September 26, 2023
Build number: 20.0.0-7943
New features
Red Hat Enterprise Linux 8.6 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943 or later supports only the Anti-Malware on-demand scan feature for Red Hat Enterprise Linux 8.6 (PowerPC little-endian). This requires Deep Security Manager 20.0.817 or later. Security updates are currently unsupported for this platform.
SUSE Linux Enterprise Server 12 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943 or later supports only the Anti-Malware on-demand scan feature for SUSE Linux Enterprise Server 12 (PowerPC little-endian). This requires Deep Security Manager 20.0.817 or later. Security updates are currently unsupported for this platform.
SUSE Linux Enterprise Server 15 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943 or later supports only the Anti-Malware on-demand scan feature for SUSE Linux Enterprise Server 15 (PowerPC little-endian). This requires Deep Security Manager 20.0.817 or later. Security updates are currently unsupported for this platform.
Security updates are not supported on PowerPC platforms at this time. The Advanced Threat Scan Engine (ATSE) status does not display correctly and the following alerts are expected on RHEL 8.6, SUSE 12, and SUSE 15:
- Security Update: Security Update Check and Download Failed (Agent/Appliance error)
- Status: Out of Date
Enhancements
- New commands exist to get proxy information from the command line:
dsa_query -c GetProxyInfo
dsa_query -c GetProxyInfo details=true
DSA-864 - All Trend Micro public keys that are used to validate kernel module signatures are now included by default in the Deep Security Agent packages. SF06915385/SEG-185980/DSA-1569
- In order to display agent pattern updates properly, Deep Security Agent 20.0.0-7943 or later requires Deep Security Manager 20.0.759 or later. For more information, see Incompatible Agent / Appliance Version error in Deep Security Agent 20.0.0-7943. SEG-190866/SEG-191017/DSA-1531
Resolved issues
- When Activity Monitoring was enabled, some systems encountered a memory leak. DS-78200
- Deep Security Agent ignored the file if the exclusion list for the file or folder contained an empty path from Deep Security Manager. PCT-1066/DSA-1873
Known issues
- Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (
tm_netagent
) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773 - Upgrading to Deep Security Agent 20.0.0-7943 sometimes fails when Firewall, Web Reputation Service, or Intrusion Prevention System are enabled.
This issue is resolved in Deep Security Agent 20.0.0-8453 or later for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. DSA-3834 - Deep Security Manager displays the status of guest VMs protected by the Deep Security Virtual Appliance 20.0.0-7943 as Offline or Check Status Failed (Activation Required). SF07317008/SF07313849/SF07331882/PCT-4330/PCT-4607/PCT-4899/DSA-2259
Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)
Release date: August 29, 2023
Build number: 20.0.0-7719
New features
Miracle Linux 8 support: Deep Security Agent 20.0.0-7719 or later now supports Miracle Linux 8, including FIPS mode. This requires Deep Security Manager 20.0.817 or later.
Enhancements
- Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
- Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. (Agents configured as a Deep Security Relay still download all pattern updates.) DSA-1000
- The "blocking page" Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
- Advanced Threat Scan Engine has been updated to version 22.6. DSA-453
Resolved issues
- Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
- Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
- Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756
- TLS Inspection Package updates sometimes caused the
ds_nuagent
service to stop unexpectedly. DSA-1319
Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)
Release date: July 25, 2023
Build number: 20.0.0-7476
Enhancements
- Updated the dsa-connect service to improve CPU performance. C1WS-12970
- Deep Security Agent 20.0.0-7476 now supports FIPS mode for Red Hat Enterprise Linux 9. DS-77642
- Updated Deep Security Agent Scanner (SAP) to accept up to 512 parallel client connections established by SAP NetWeaver. Note that the previous connection limit was 256. SF06983349/SEG-184190/DS-78229
Resolved issues
- Smart Protection Servers would sometimes lose connectivity with Web Reputation Service. SF06423462/SEG-166651/DSSEG-7858
Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)
Release date: June 28, 2023
Build number: 20.0.0-7303
New features
Amazon Linux 2023 support: Deep Security Agent 20.0.0-7303 or later now supports Amazon Linux 2023, including FIPS mode. This requires Deep Security Manager 20.0.789 or later.
At time of release, Amazon Linux 2023 is not yet certified for FIPS. See the Amazon Linux 2023 release notes for the latest support information.
Amazon Linux 2023 (AWS ARM-Based Graviton 2): Deep Security Agent 20.0.0-7303 or later now supports Amazon Linux 2023 on AWS Graviton 2. This requires Deep Security Manager 20.0.789 or later.
Advanced TLS Traffic Inspection now supports Oracle Linux 9 (64-bit), Red Hat Enterprise Linux 9 (64-bit), and Ubuntu 22.04 (64-bit).
Enhancements
- Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation, such as fe80:0:0:0:0:0:0:1/24 or fe80::01. SF04849178/SEG-122076/DS-67280
- Activity Monitoring events now display the FQDN instead of the hostname. SF06709374/SEG-179186/C1WS-14644
- Web Reputation Service now automatically monitor the ports used by the OS proxy configuration. DS-77233
- Removed unnecessary proxy scheduled tasks from the Deep Security Virtual Appliance. This should prevent
Timed out waiting for relay to msg
andError creating task...
errors in the logs. SF06844880/SEG-179554/DS-77440
Resolved issues
- When Secure Boot is enabled but the signing key has not been loaded, the system would crash when Anti-Malware used the fanotify facility. SF06464888/SEG-167771/DS-76161
- Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
- The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
- Deep Security Relay 20.0.0-7119 failed to provide security and software updates when using the improved Relay. SF06935222/SEG-183184/DS-78201
- The Deep Security Agent connection count could overflow under certain conditions. DS-76902
- Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709
Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)
Release date: May 29, 2023
Build number: 20.0.0-7119
Enhancements
- MQTT connection credentials were entered in the Deep Security Agent log file (
ds_agent.log
) in certain scenarios. SEG-174560/C1WS-13282 - Updated Deep Security Agent to reduce the amount of redundant data sent when Activity Monitoring is enabled. DS-77657
- Deep Security Agent crashed some systems when they were out of memory. SF06704797/SEG-175243/DSSEG-7875
- Agent self-protection now secures the Advanced TLS inspection process (
ds_nuagent
), preventing local users with administrator privileges from stopping it. DS-74080
Systems running Red Hat Enterprise Linux 7 (64-bit) with SELinux may require some manual configuration to avoid permission issues following this update. For details, see BPF permission denied for ds_nuagent with RedHat 7 SELinux enforcing mode in Deep Security. - Deep Security Agent now runs within a predefined group and accept outbound traffic. DS-77415
Resolved issues
- Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
- After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453
- When Anti-Malware was enabled, Deep Security Agent caused high CPU usage on some systems. DS-77758
Deep Security Agent - 20.0.0-6912 (20 LTS Update 2023-05-02)
Release date: May 02, 2023
Build number: 20.0.0-6912
New features
Red Hat Enterprise Linux Workstation 7 support: Deep Security Agent 20.0.0-6912 or later now supports Red Hat Enterprise Linux Workstation 7, including Secure Boot support. This requires Deep Security Manager 20.0.759 or later.
AlmaLinux 9 support: Deep Security Agent 20.0.0-6912 or later now supports AlmaLinux 9, including Secure Boot support. This requires Deep Security Manager 20.0.759 or later.
Enhancements
- Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to
ds_agent.ini
. SF06664116/SEG-173848/DS-77182
Example proxy probing line inds_agent.ini
config file:dsa.proxymanager.ProbeTimeoutInSec=120
- Deep Security Agent installer now prevents the agent from updating if it detects SHA-1 was used to sign the certificate on the agent installer. This prevents the agent from updating and becoming unresponsive, since Deep Security Agent 20.0.0-6313 and higher requires RSA-2048 and SHA-256. For more information on certificate upgrade, see Upgrade the Deep Security cryptographic algorithm. DS-76499
- Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840
- Deep Security Agent now includes path and PID (process ID) for Anti-Malware events. SF05682761/SEG-147452/DS-72909
Resolved issues
- When connecting through a proxy with FIPS mode enabled, Deep Security Agent sometimes had connectivity issues with IoT devices. SEG-174776/DS-77197
- Deep Security Agent's Anti-Malware module sometimes failed to restart following an IPC (inter-process communication) timeout. DS-76889/SEG-169218
- A compatibility issue between the Deep Security Agent network driver and some third-party products caused systems to crash. SEG-156743/DS-75377
- Deep Security Virtual Appliance sometimes crashed when connecting by HTTPS to a Smart Protection Server. SEG-169451/DS-76968
- Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896
- When Web Reputation Service was enabled, Deep Security Agent caused some systems to shutdown unexpectedly. SF06680505/SEG-174730/DSSEG-7866
- Files added to the SAP Scanner allow list without including a file extension were being blocked when they should have been allowed. SF06565062/SEG-170933/DS-77132
- Deep Security Agent sometimes crashed when shutting down after downloading new plugins from the relay. DS-76961
- Deep Security Agent caused some systems to reboot unexpectedly. SF06584000/SEG-171147/DSSEG-7851
Deep Security Agent - 20.0.0-6658 (20 LTS Update 2023-03-22)
Release date: March 22, 2023
Build number: 20.0.0-6658
New features
Oracle Linux 9 support: Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.737 or later now supports Oracle Linux 9, including FIPS mode and Secure Boot support.
Service Gateway: Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.741 or later now supports the Service Gateway feature, providing forward proxy functionality.
Enhancements
- When an Application Control Trust Entities path rule uses a wildcard without specifying a filename, the wildcard now applies to all files in any directory matching the rule's path. Note that previously, the globstar (
**
) wildcard would apply to a path rule's directory and subdirectories, as opposed to the single star (*
) wildcard which would only match within the path rule's directory. DS-75133 - Web Reputation Service now includes OS platform metadata. DS-75453
- Anti-Malware events generated by the SAP Scanner now include file hashes. DS-75648/SEG-165491
- Application Control now checks web browser execution of .HTML, .HTM, and .JS files. DS-75102
- Deep Security Agent now sends full command lines for processes to Deep Security Manager, improving the Recommendation Scan's rule recommendations. Note that previously, the agent only sent the first 2048 characters of each process's command line. C1WS-11728
- Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.737 or later now supports Secure Boot for Ubuntu 22.04. DS-73729
- Deep Security Agent 20.0.0-6658 or later now supports the Proxy Manager for Trend Micro Vision One (XDR) Threat Intelligence - User-Defined Suspicious Object (UDSO). DS-75365
-
Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (
dsa-connect-X.log
) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598The logger supports an on-demand JSON config file (either
dsa-connect.ini
ordsa-connect.conf
) with the following configurable options:- Debug: Enable the debug log messages. The default value is false.
- Count: Number of log files to generate. The default value is 5.
- Size: Maximum size of each log file in bytes. The default value is 2097152.
Example config file:
{ "Debug": true, "Count": 5, "Size": 2097152 }
- Deep Security Agent can now have a maximum of 1024 process tasks when deployed on RedHat or SUSE. PCT-25908/DSA-5507
Resolved issues
- When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
- The Deep Security Agent kernel support package download was sometimes interrupted, generating "Agent Integrity Check Failed" warnings and "Kernel Unsupported" errors. SEG-169497/DS-76545
- Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
- Anti-Malware Behavior Monitoring had a driver issue causing kernel warnings on some systems. SF06254724/SEG-163042/ORCA-762
- When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
- Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
- A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
- When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
- Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
- Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
- Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
- Deep Security Agent was unable to connect to the Anti-Malware Smart Scan service on some systems. SEG-168468/DS-76433
- Deep Security Agent caused performance issues on systems generating a large number of container environment Application Control events. SF06538377/SEG-169605/DS-76594
Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)
Release date: January 31, 2023
Build number: 20.0.0-6313
New feature
Agent self-protection: This feature helps prevent users on the local system from tampering with the agent. For more information, and help configuring agent self-protection, see Enable or disable agent self-protection in Linux.
Rocky Linux 9 support: Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.716 or later now supports Rocky Linux 9, including FIPS mode and Secure Boot support. DS-73727
Enhancements
-
Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL/TLS certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676
To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
If you updated to Deep Security Agent 20.0.0-6313 or later before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent (DSA) offline when OpenSSL 3 rejects certificate with SHA-1 algorithm. - With Anti-Malware and Behavior Monitoring enabled, Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.716 or later now monitors for suspicious behavior to improve protection against MITRE attack scenarios. DS-73644
- Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.711 or later now supports FIPS mode for Oracle Linux 8. DS-73778
Resolved issues
- When Application Control was enabled, Deep Security Agent's status sometimes became stuck at "Application Control Ruleset Update In Progress". DS-74627
- For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent only shows the final successful event. SF06207160/SEG-160085/DSSEG-7765
- Deep Security Agent crashes and issues connecting with Deep Security Manager caused Anti-Malware Offline events. SF06061098/SEG-154701/DS-74665
- With Web Reputation Enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (
_
) entered in a command was replaced with a dash (-
), and an uppercase Z was replaced with a lowercase z. DS-74335 - With Activity Monitoring enabled, a connectivity issue caused Deep Security agents to appear offline for some Trend Micro Cloud One - Workload Security customers. The agent introducing this issue is no longer available. For more details, see Removal of Deep Security Agent 20.0.0-5953 for Linux. SEG-161456
- With Activity Monitoring enabled, the internal MQTT channel sometimes became inaccessible. This caused high CPU usage and Deep Security Agent errors (
MQTT offline
,hub is busy
,cannot connect to dsa-connect
) as well as Trend Micro Vision One connectivity loss and the inability to send telemetry. SEG-160263/SEG-161138/SEG-160116/SEG-159318/DS-74638/DS-75367/DS-75193 - Application Control sometimes failed to block programs running in namespace mode. SF05929869/SEG-151363/DS-74116
- Integrity Monitoring sometimes failed to create events after running certain console commands (for example,
passwd
ormv
commands). 05718251/SEG-148552/DS-72643 - Older Application Control events were not being removed from the database as intended, causing the
events.db
file size to increase indefinitely. SF06172729/SEG-159548/DS-74706 - When Integrity Monitoring event generation is interrupted by a process or system crash, it could lead to incorrect events being created. SF05508030/SEG-138756/DS-72470
Known issues
- Deep Security Agent is having connectivity issues on some systems, resulting in "Event ID 9012, Smart Protection Server Disconnected for Smart Scan" error messages. For more details including temporary workaround instructions, see Smart Protection Server disconnected messages appear in Deep Security. SF06512673/SEG-168468
Deep Security Agent - 20.0.0-5953 (20 LTS Update 2022-11-22)
Release date: November 22, 2022
Build number: 20.0.0-5953
New feature
Agent self-protection: This feature helps prevent users on the local system from tampering with the agent. For more information, and help configuring agent self-protection, see Enable or disable agent self-protection in Linux.
Enhancements
- Deep Security Agent 20.0.0-5953 or later with Deep Security Manager 20.0.711 or later now supports FIPS mode for Oracle Linux 8.
Resolved issues
- With Activity Monitoring enabled, the internal MQTT channel sometimes became inaccessible. This caused Deep Security Agent errors (
MQTT offline
,hub is busy
,cannot connect to dsa-connect
) as well as Trend Micro Vision One connectivity loss and the inability to send telemetry. SEG-160263/SEG-161138/SEG-160116/SEG-159318/DS-74638 - Application Control sometimes failed to block programs running in namespace mode. SF05929869/SEG-151363/DS-74116
- Integrity Monitoring sometimes failed to create events after running certain console commands (for example,
passwd
ormv
commands). 05718251/SEG-148552/DS-72643 - Older Application Control events were not being removed from the database as intended, causing the
events.db
file size to increase indefinitely. SF06172729/SEG-159548/DS-74706 - When Integrity Monitoring event generation is interrupted by a process or system crash, it could lead to incorrect events being created. SF05508030/SEG-138756/DS-72470
Known issues
dsa-connect
or ds_agent
services. For more details, see Removal of Deep Security Agent 20.0.0-5953 for Linux. SEG-161456Deep Security Agent - 20.0.0-5761 (20 LTS Update 2022-10-21)
Release date: October 21, 2022
Build number: 20.0.0-5761
New feature
Enhanced platform support
- SAP Scanner support for Oracle Linux 7: Deep Security Agent for Oracle Linux 7 now supports SAP Scanner. VO-1849
Enhancements
- Updated Deep Security Agent to include additional metadata, such as
UserAgent
andReferrer
, for Web Reputation Services. DS-72196 - Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
- Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085
- Deep Security Agent now can be deployed without additional dependency on System V packages. DS-73588
Resolved issues
- With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483
- With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
- If the Deep Security Agent service stopped while running Application Control in Maintenance Mode, executable files created after the service stopped were not being auto-approved as intended. SF05961688/SEG-152045/DS-73570
- With Advanced TLS traffic inspection enabled, Deep Security Agent had a memory issue that prevented some applications from running. SEG-150631/DS-74039
- Software, if renamed or copied while Application Control had Maintenance Mode enabled, would remain authorized in the software inventory under its original filename or location. DS-74015
- Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807
- The TLS inspection support package failed to download on Deep Security Agents using Edge Relay. DS-73789
- On RedHat Enterprise Linux computers, Anti-Malware being enabled would sometimes cause a system crash. SEG-155143/DS-74008
Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)
Release date: September 22, 2022
Build number: 20.0.0-5512
Enhancements
- Updated Deep Security Agent kernel device module files to comply with Security-Enhanced Linux (SELinux) requirements. DSSEG-7378
- Deep Security Agent now reports host information with additional details. DS-72609
- Deep Security Agent now reports host metadata for installed software with additional details. DS-72608
- Updated Deep Security Agent to add multi-thread support for On-Demand scan and Scheduled Scan. DS-72797/DS-72798
- Deep Security Agent with Deep Security Manager 20.0.677 or later now supports the automatic update of Advanced TLS Traffic Inspection as operating system libraries change (Computer or Policy > Settings > TLS Inspection Package Update). DS-72828
Resolved issues
- Trust Entities settings were not being re-applied after turning Application Control off and back on again. SF05930535/SEG-152439/DS-73312
- When installed on a system that uses secure boot without importing the required sign key, Deep Security Agent generated an Anti-Malware Engine error code with "Reason ID: 13" when it should have generated the code with "Reason ID: 11". For details on Reason IDs, see Warning: Anti-Malware Engine has only Basic Functions. DS-72891
- Deep Security Agent reported host metadata in an unexpected format. DS-73411
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8100/VRTS-8101/DS-73087/DS-72528
Highest Common Vulnerability Scoring System (CVSS) score: 7.0
Highest severity: High
Known issues
- With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483
Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)
Release date: August 29, 2022
Build number: 20.0.0-5394
New features
Ubuntu 22.04 (AWS ARM-based Graviton 2) support: Deep Security Agent 20.0.0-5394 or later with Deep Security Manager 20.0.677 or later is now supported on Ubuntu 22.04 (AWS ARM-based Graviton 2).
Enhancements
- The Deep Security Agent process now restarts automatically if the file descriptor count is abnormally high, and a counter was added to track how many times this event occurs. SF05212995/SEG-130431/DS-72616
- Application Control now detects software changes for executables with non executable extensions. DS-70805
- Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
- Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833
Resolved issues
- When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
- Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
- Anti-Malware would sometimes leak file descriptors. SF05212995/SEG-130431/DS-72979
- When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
- Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
- When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
- Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
- Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
- Patched third-party libraries. Before patch, the Deep Security Virtual Appliance agent would sometimes crash. SF05559993/SEG-140234/DS-72510
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699
Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)
Release date: July 26, 2022
Build number: 20.0.0-5137
New features
Advanced TLS Traffic Inspection: Deep Security Agent 20.0.0-5137 or later adds Advanced TLS Traffic Inspection support to platforms that run system updates or package updates. Note that this feature is currently only supported for Trend Cloud One - Workload Security. Support for Deep Security Manager (On-Premise) will be added later.
Red Hat 9 support: Deep Security Agent 20.0.0-5137 or later with Deep Security Manager 20.0.651 or later now supports Red Hat 9.
Amazon Linux 2 support: Deep Security Agent 20.0.0-5137 or later with Deep Security Manager 20.0.651 or later now supports Amazon Linux 2 for AWS Graviton 3.
Enhancements
- Updated Deep Security Agent to add Anti-Malware support for Red Hat OpenShift. DS-72368
- Updated Deep Security Agent to reduce CPU usage and improve container performance for real-time Anti-Malware scanning. Previously, all files were scanned during read/write. Now, Anti-Malware file scanning during write is deferred (the file is added to a queue and scanned in the background). DS-65581
- Deep Security Agent Scanner (SAP) now generates infection reports with additional details. DS-71660
- Updated Deep Security Agent to improve the "zero-config" SSL process for outbound connections. DS-70715
- Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar
\*\*
which matches many sub directories. Single star\*
now only matches within your current directory. Existing rules that used a single star\*
to match many folders no longer work and need to be changed to use a globstar\*\*
. DS-71817
Resolved issues
- Deep Security Agent Scanner (SAP) sometimes displayed duplicate Anti-Malware events for .SAR file types. DS-71879
- Deep Security Agent SAP scanner could not detect the MIME (.TTF) files. DS-55897
- Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889
- Deep Security Agent had connectivity issues on some systems. DS-72219
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7102/VRTS-7070/VRTS-7041/VRTS-7039/DSSEG-7636
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699
Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)
Release date: July 4, 2022
Build number: 20.0.0-4959
New features
Ubuntu 22.04: Deep Security Agent 20.0.0-4959 or later now supports Ubuntu 22.04. This requires Deep Security Manager 20.0.651 or later.
FIPS mode on Ubuntu 20.04: Deep Security Agent 20.0.0-4959 or later now supports FIPS mode for Ubuntu 20.04.
Enhancements
- Deep Security Agent 20.0.0-4959 or later with Deep Security Manager 20.0.0-414 or later now has improved Anti-Malware support on systems using Fanotify. Previously, "Anti-Malware Engine Offline" events interrupted Anti-Malware function on these systems. Now, an Anti-Malware with basic functions event is recorded and users maintain basic file scanning function, but not advanced scan mechanisms such as Predictive Machine Learning. DS-68552
Resolved issues
- Deep Security Agent Scanner (SAP) had a connectivity issue preventing it from loading the correct libraries on some systems. DS-71623
- Deep Security Agent Scanner library sometimes caused SAP applications to crash. DS-71849
- Anti-Malware was unable to remove immutable or append-only files on some systems. VRTS-7110/DS-52383
- Using the command line (
dsa_control -b
), Deep Security Relay failed to extract the bundle file required to update in a closed network environment. SF05715642/SEG-144571/DSSEG-7600 - With Log Inspection enabled, upgrades to Deep Security Agents 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
- When Anti-Malware is enabled alongside either Integrity Monitoring or Activity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
- With Anti-Malware enabled, Deep Security Agent sometimes crashed operating systems that were undergoing an ISO backup. SF05532786/SEG-139280/DS-71299
- Updated Deep Security Agent to immediately report its status to Deep Security Manager when Application Control's maintenance mode is enabled on the agent. DS-71617
- Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866
Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)
Release date: May 31, 2022
Build number: 20.0.0-4726
Enhancements
- Updated Deep Security Relay to record its status and other metrics for potential troubleshooting. DS-65763
Resolved issues
- Trust Entities "allow by target" rules sometimes blocked processes they weren't intended to block. SF04922652/SEG-131710/DS-71060
- Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
- With Activity Monitoring enabled, Deep Security Agent had high system CPU usage when events were being generated rapidly. 05107582/SEG-128170/DS-71486
- Deep Security Agent Scanner library didn't work properly with highly-interrupted SAP applications on Linux systems. This resulted in files were scanned, but results might be unable to report to the SAP applications. SF05390384/SEG-136659/DS-71251
- Following an upgrade, Deep Security Agent would send continuous "Security update in progress" reports to Deep Security Manager. SF05253107/SEG-131983/DS-69747
- Updated Deep Security Relay to prevent Deep Security Agent from retrieving incomplete signature files for packages. SF05332854/SEG-134394/DS-71228
- Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
- An abnormal restart of Deep Security Agent sometimes lead to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
- Secondary DNS setting from IP pool was not configured when Appliance was deployed. SF05215036/SEG-134844/DSSEG-7535
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-52329
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)
Release date: April 28, 2022
Build number: 20.0.0-4416
Enhancements
- Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515
Resolved issues
- With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7132/DS-70518
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)
Release date: April 6, 2022
Build number: 20.0.0-4185
New features
Advanced TLS traffic inspection: Advanced TLS traffic inspection adds the capability for inspecting TLS traffic encrypted with modern ciphers, including Perfect Forward Secrecy (PFS). It also enhances virtual patching for HTTPS servers to help protect against vulnerabilities such as Log4j.
Resolved issues
- Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
- Deep Security Agent created an "Application Control Engine Offline" error during agent upgrade, and an "Application Control Engine Online Again" message after upgrade completion. Note that an upgrade should not have triggered these events. DS-69888
- Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
- Deep Security Agent had SSL connectivity issues when Web Reputation Service was enabled. DS-67675
- Deep Security Agent sometimes consumed a high amount of system resources during policy updates. SEG-134417/DS-69810
Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)
Release date: March 1, 2022
Build number: 20.0.0-3964
New features
Threat Intelligence: Threat Intelligence (formerly known as Connected Threat Defense) provides enhanced malware protection for new and emerging threats. For more information, see Detect emerging threats using Threat Intelligence.
Enhanced platform support
- Deep Security Agent 20.0.0-3964 or later is now supported on these platforms:
- Red Hat 8 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.605+)
- Debian 11 (requires Deep Security Manager 20.0.605+)
Enhancements
- Updated Deep Security Agent to exclude suspicious characters, such as
$
, found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989
Resolved issues
- With real-time Integrity Monitoring enabled, Integrity Monitoring delete events were not being generated after editing a file and then deleting it. DS-69057
- Deep Security Agent caused high CPU usage for systems protecting containers. Container protection can now be enabled or disabled in Deep Security Manager (from Computer (or Policy) > Settings > Container Protection). SEG-115751/DSSEG-7334
Deep Security Agent - 20.0.0-3770 (20 LTS Update 2022-01-24)
Release date: January 24, 2022
Build number: 20.0.0-3770
New features
Zero config IPS inspection: Deep Security Agent adds the capability for Intrusion Prevention to inspect TLS encrypted traffic without manually importing certificates. This adds support for more cipher suites as well. This feature is being rolled out gradually for Linux platforms, beginning with Trend Micro Cloud One - Workload Security customers.
CRI-O support: A Deep Security Agent's "CRI-O engine version" is now displayed in Deep Security Manager, as well as Anti-Malware event information for containers. Note that CRI-O is currently only supported for Deep Security Manager (On-Premise). Support for Trend Micro - Cloud One Workload Security will be added later.
Enhancements
- Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042
- Updated Deep Security Agent to correctly display the host's IP address in the "LastIpUsed" field. Previously, the field displayed the load balancer or proxy IP in environments using one of those. SF05283977/SEG-133073
Resolved issues
- A Deep Security Agent conflict with network interface controllers (NICs) caused systems with multiple NICs to crash. 05048124/SEG-126094/DS-68730
- When an Integrity Monitoring scan timed out, it sometimes generated false "create" or "delete" events for "user" or "group" entities. SEG-117739/DS-66885
- Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
- With Activity Monitoring enabled, Deep Security Agent caused high CPU usage. DS-62849
- A Deep Security Agent parsing issue was causing "Anti-Malware Engine Offline" errors. SF05171312/SEG-129367/DSSEG-7428
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-68180
Highest Common Vulnerability Scoring System (CVSS) score: 9.1
Highest severity: High
Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)
Release date: November 24, 2021
Build number: 20.0.0-3445
New features
Collection of the agent metrics in the on-premise environment: You can now collect the agent metrics on-premises for SEG troubleshooting purposes. These metrics are stored as ZIP files on Windows in the C:\ProgramData\Trend Micro\Deep Security Agent\metrics
directory and on Linux, AIX, and Solaris in the /var/opt/ds_agent/metrics
directory. The ZIP files are rotated periodically on the local file system. Each ZIP file is approximately 1 MB in size and contains up to 100 files. The metrics are collected along with the diagnostic package.
Enhancements
- Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
- Deep Security Agent no longer uses CBC cipher suites by default in order to improve security. DS-67204
- Deep Security Agent was upgraded to use locally installed kernel modules when new ones can't be fetched from the Deep Security Relay. DS-66599
- Updated Deep Security Agent to support using the "process name" property in "ignore from source" rules for Application Control Trust Entities on Cloud One Workload Security. DS-67322
- Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347
Resolved issues
- Insufficient file access permission for the Deep Security Relay sometimes caused the agent installer to fail. DS-67278
- Deep Security Agent sometimes showed an incorrect "No such file or directory" error message during installation. DS-67317
- Deep Security Agent sometimes showed plugin installation failures during an upgrade even when the upgrade was successful. DS-67336
- Deep Security Agent sometimes could not start after an upgrade. SF04943063/SEG-123155/DS-67475
- Deep Security Agent sometimes changed the access time of files during the on-demand Anti-Malware scan. DS-67119
- The Deep Security Agent and MQTT connection would sometimes go offline, requiring an agent restart. DS-67487
- Deep Security Agent couldn't properly handle SAP NetWeaver MIME type scan requests containing leading and trailing spaces. DS-67448
- With Anti-Malware real-time scan enabled, Deep Security Agent would sometimes scan unchanged files. DS-67806
- Deep Security Agent sometimes caused the system to crash. SEG-123338/DS-67445
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6489/DSSEG-7210/DS-65113/DS-67367
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: High
Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)
Release date: October 28, 2021
Build number: 20.0.0-3288
New features
Kernel support package updates: You can now choose when to perform kernel support package updates, using the new "Automatically update kernel package when agent restarts" option in the computer or policy editor.
Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Enhanced platform support
- Deep Security Agent 20.0.0-3288 or later now supports these platforms:
- AlmaLinux 8 (requires Deep Security Manager 20.0.503+)
- Rocky Linux 8 (requires Deep Security Manager 20.0.543+)
- Ubuntu 20.04 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.503+)
- Ubuntu 18.04 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.482+)
- Secure boot support: Deep Security Agent now supports Oracle Linux 7 (in both UEK-R5 and UEK-R6) and Oracle Linux 8 with Secure Boot enabled.
Enhancements
- Deep Security Agent 10.0 to 20.0 upgrades now keep their "NIC bypass" configuration (used for bypassing a network interface). DS-64985
- You can now exclude container file events from the kernel module. DS-65547
Resolved issues
- Anti-Malware updates sometimes failed, resulting in "Security Update: Pattern Update on Agents/Appliances Failed" errors. 04763356/SEG-119138/DS-66569
- The Deep Security Agent Scanner library sometimes couldn't be loaded by SAP NetWeaver. DS-67530
- With Intrusion Protection enabled, Deep Security Agent caused the system to crash under some configurations. SF04931669/SEG-123338/DS-67441
- With SAP integrated and running, Deep Security Agent would block MP4 files. 04660120/SEG-117094/DSSEG-7254
- Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-65056
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-46018/DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)
Release date: October 08, 2021
Build number: 20.0.0-3165
Deep Security Agent 20.0.0.3165 has been released to Trend Micro Cloud One - Workload Security customers. However, it is not available on the Deep Security Agent software download page or released to customers using Deep Security Manager.
New features
- AlmaLinux 8 support: Deep Security Agent is now supported on AlmaLinux 8.
- Ubuntu 18.04 (AWS ARM-Based Graviton 2) support: Deep Security Agent is now supported on Ubuntu 18.04 (AWS ARM-Based Graviton 2).
- Oracle Linux 7 support: Deep Security Agent is now supported on Oracle Linux 7 with Secure Boot (in both uek-R5 and uek-R6).
- Kernel support package updates: You can now choose when to perform kernel support package updates, using the new Automatically update kernel package when agent restarts option in the computer or policy editor.
- Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Enhancements
- Updated Deep Security Agent to prevent agents upgraded from version 10.0 to 20.0 from losing their "NIC bypass" configuration (used for bypassing a network interface). DS-64985
- You can now exclude container file events from the kernel module. DS-65547
Resolved issues
- Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-2971 (20 LTS Update 2021-09-08)
Release date: September 08, 2021
Build number: 20.0.0-2971
New features
FIPS mode on Red Hat Enterprise Linux 8: Deep Security Agent 20.0.0-2971 or later now supports FIPS mode for Red Hat Enterprise Linux 8.
FIPS mode on Amazon Linux 2: Deep Security Agent 20.0.0-2971 or later now supports FIPS mode for Amazon Linux 2.
Enhancements
- Updated Deep Security Agent to improve performance and compatibility by using a unified driver for file, process, and network events. DS-61784
- Updated Deep Security Agent to improve TLS traffic inspection. This feature is being rolled out gradually, beginning with Trend Micro Cloud One - Workload Security customers. DS-15576
- Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547
Resolved issues
- Deep Security Agent sometimes caused performance issues on systems with folders in NFS format. SF04816680/SEG-118993/DS-66280
- With Integrity Monitoring enabled, Deep Security Agent sometimes caused high CPU usage. DS-65986
- Deep Security Agent 20.0.0-2740 fr Linux was causing performance and third-party compatibility issues on some systems. This agent was removed from the Trend Micro Download Center. For more information see Removal of Deep Security Agent (DSA) Build 20.0.0-2740 for Linux from Download Center.
- Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
- Deep Security Agent sometimes failed to properly display items under Events and Reports. DSSEG-7057
- Deep Security Agent was sometimes unable to create or manage tasks on RPM-based platforms due to a SystemD (Linux service manager) process limitation. SF04543580/SEG-113833/DS-65550
- Deep Security Agent Anti-Malware Real-Time Scan exclusions sometimes failed within container environments. DS-65528
- Deep Security Agent Anti-Malware Real-Time Scan directory exclusions sometimes failed if filenames were not in UTF-8 format. SEG-115198/DS-65495
- With Anti-Malware enabled, Deep Security Agent encountered an "Insufficient Disk Space" alert which sometimes crashed the agent or stopped other programs from working properly. SF04584157/SEG-113377/DS-64405
- Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
- Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
- Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
- Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
- Deep Security Agent upgrade (Administration > Updates > Software) sometimes failed if a previous (RPM package) upgrade was triggered using console commands. SF04586071/SEG-113583/DS-64978
- With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
- With Integrity Monitoring enabled, Deep Security Manager caused high CPU usage on the authentication server for some systems. 04488319/SEG-110088/DS-63855
- With Integrity Monitoring real-time scan enabled, Deep Security Agent sometimes prevented files on network drives from being deleted. SEG-108636/C1WS-1787
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. SF04613197/SEG-113566/DS-64050
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: High
Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)
Release date: July 01, 2021
Build number: 20.0.0-2593
New feature
FIPS mode on Ubuntu 18.04: Deep Security Agent 20.0.0-2593 or later now supports FIPS mode for Ubuntu 18.04.
Resolved issues
- Integrity Monitoring alerts sometimes triggered but did not appear in the Events and Reports tab. 04266346/SEG-103731/DS-62992
- Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
- The MQTT connection sometimes went offline when Deep Security Agent had Activity Monitoring enabled. SF04216172/SEG-101691/DS-63458
- Application Control was detecting multiple "Application Control Software Changes Detected" events due to '.tmp" files being generated by PowerShell. C1WS-1608
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-5850/DS-54705
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium
Deep Security Agent - 20.0.0-2395 (20 LTS Update 2021-05-24)
Release date: May 24, 2021
Build number: 20.0.0-2395
New features
Enhanced platform support
- Application Control and Integrity Monitoring for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Application Control and Integrity Monitoring for Amazon Linux 2 on AWS Graviton 2. DS-62775
- Activity Monitoring for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Activity Monitoring for Amazon Linux 2 on AWS Graviton 2.
Enhancements
- Deep Security Agent 20.0.0-2395 or later now supports Entrust Root Certificate Authority (G2) certificates. Non-G2 security certificates expire on 2022/07/09. After that date, only Deep Security Agent 20.0.0-2395 or later will have the latest Anti-Malware Smart Scan protection. DS-63010
- Updated Deep Security Agent to add Predictive Machine Learning support for Malware Scan on Linux platforms. DS-62857
- Updated Deep Security Agent's Anti-Malware default configuration to monitor file access from the local host only, improving compatibility for some file systems. DS-62222
Resolved issues
- Anti-Malware Real-Time Scan sometimes didn't detect files properly with the "During read" setting selected (Computers > Details > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration > Edit > Advanced > Real-Time Scan). SEG-104496/DS-61836
- Deep Security Agent was unable to install in some environments because it misidentified the OS. DSSEG-2915/DS-28321
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-62154
- Anti-Malware Real-Time Scan sometimes caused high CPU usage. 04331007/SEG-107814/DS-62593
- Insufficient host information caused by connectivity issues sometimes resulted in offline or duplicate listings in the Computers tab for Deep Security Agents on AWS workspaces. SF04198134/SEG-102818/DS-61666
- Anti-Malware Real-Time Scan caused unintentional file changes under some configurations. DS-62412
- Deep Security Agent sometimes could not successfully perform an upgrade because of a missing package. SF04302125/SEG-104084/DS-62692
- Anti-Malware kernel modules sometimes did not bypass file activity on remote shared storages when Network Directory Scan was disabled. DS-62985
Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)
Release date: April 12, 2021
Build number: 20.0.0-2204
New feature
Enhanced platform support
- Anti-Malware and Log Inspection support for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent 20.0.0-2204 or later now supports the Anti-Malware, Firewall, Intrusion Prevention, Log Inspection, and Web Reputation protection modules. Note that Advanced Threat Scan Engine (ATSE) update is not currently supported for Amazon Linux 2 on AWS Graviton 2, but will be added in a future release.
Resolved issues
- With Anti-Malware enabled, Deep Security Agent sometimes caused "defunct processes" (that is, processes that remain in the system process table after they've completed execution). SEG-104452/DS-61593
- When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
- When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
- When Integrity Monitoring real-time scan was enabled, sometimes directories on NFS volumes couldn't be removed. SF03977538/SEG-98656/DS-61062
- When Intrusion Prevention was enabled, the system would crash under some configurations. SF04286712/SEG-103971/DS-61274
- A proxy server issue sometimes caused connectivity issues with Deep Security Agents after registering with Trend Micro Vision One (XDR). SF04318864/SEG-104847/DS-61516
Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)
Release date: March 08, 2021
Build number: 20.0.0-2009
Enhancements
- Updated Deep Security Agent to include CPU information (number of logical cores) to improve diagnostics and performance tracking. DS-60011
Resolved issues
- The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
- When Firewall, Intrusion Prevention, and Web Reputation were enabled, the system sometimes crashed. SF03992370/SEG-100828/DS-60589
- After restarting Deep Security Virtual Appliance, protected VMs sometimes became inaccessible. SEG-94723/SF03949466/DS-58962
Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)
Release date: February 08, 2021
Build number: 20.0.0-1876
Resolved issues
- The Deep Security Agent was sometimes unable to establish an SSL connection to the web server. DS-59893
- Activity Monitoring data could not be transferred to XDR because a proxy connection was established without a relevant port. SEG-97519
Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)
Release date: January 20, 2021
Build number: 20.0.0-1822
New features
Enhanced platform support
- Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Amazon Linux 2 on AWS Graviton 2. The agent currently supports the Firewall, Intrusion Prevention, and Web Reputation protection modules. Other protection modules are coming soon.
Behavior Monitoring for Linux: This release adds support for Behavior Monitoring on the Linux platform.
Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)
Release date: January 04, 2021
Build number: 20.0.0-1681
Resolved issues
- A driver conflict was causing the Deep Security Agent to hang and require a reboot. SEG-94278/SF03941184/DS-59020
- If an error related to Secure Boot occurs, the user is no longer blocked from installing the plugins and receive a "Secure Boot" error message on Deep Security Manager. Instead, an "Engine is offline" error message is displayed. Users can check "Secure Boot" entries in ds_agent.log for error details. DS-58374
- In the SecureBoot environment, the SUSE15 SP2 kernel module load failed with kernel version 5.3.18-24.37-default or later. SEG-93737/DS-58373
- Anti-Malware would sometimes restart before fully loading a new driver, causing the AM engine to be offline. DS-58475
Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)
Release date: December 07, 2020
Build number: 20.0.0-1559
New features
TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This resolves issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.
Enhancements
- Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
- Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
- Enhanced memory usage to improve performance. DS-53012
- Anti-Malware on-demand scans did not function as expected. DS-58346
Resolved issues
- Deep Security Agent didn't detect Secure Boot state correctly. SEG-89042/03730368 /DS-57014
- The error "scheduling while atomic" occurred because the dsa_filter caused kernel panic. DS-56514
- Anti-Malware events didn't include file hashes in certain scenarios. SEG-91779/SF03818756/DS-57453
- The Anti-Malware driver showed warning messages during the initialization. SEG-92204/03784490/DS-57605
- After upgrading to Deep Security Agent 20.0.0-1194, the "Intrusion Prevention Rules Failed to Compile" and "Security Update Failed" errors sometimes incorrectly occurred. SEG-90503/03789013/DS-56904
- When Anti-Malware real-time scans were enabled, Rancher Kubernetes pods sometimes couldn't be terminated gracefully. SEG-87824/SF03695639/DS-58220
- When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
- Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
- Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688
Notice
In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:
[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate
The most likely root cause is that agent cannot validate the certificate being presented to it by the manager. Pinning a trusted certificate is optional, so you can ignore this error if it doesn't apply to you. However, if you'd like to use a trusted certificate, follow the steps in Import a Deep Security Manager certificate chain issued by a public CA before activating the Deep Security Agent.
Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)
Release date: October 28, 2020
Build number: 20.0.0-1337
Resolved issues
- When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because of a compatibility issue with third-party security software. SF03700563/SEG-88135/DS-54799
- Secure boot appeared active when it was not. SEG-85550/DS-55052
Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)
Release date: October 21, 2020
Build number: 20.0.0-1304
Enhancements
- Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680
Resolved issues
- For agentless protected VMs, the settings under Policies > Intrusion Prevention > General > Recommendation were greyed out. DS-56665
- When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
- Real-time Anti-Malware with filesystem hooking enabled did not work on older kernel versions. SEG-82411/DS-54271
- Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
- Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
- The dsa_query command didn't display Anti-Malware patterns correctly. DS-55389
- The Anti-Malware driver did not check compatibility before loading into the kernel. SEG-88135
Action required: Customers participating in the Trend Micro XDR Activity Monitoring preview for Workload Security
This Deep Security Agent release includes required updates for the Trend Micro XDR Activity Monitoring preview. If you are currently participating in the preview, you must upgrade to Deep Security Agent 20.0.0-1304 or later by November 16, 2020. If you do not upgrade to Deep Security Agent 20.0.0-1304 or later, Activity Monitoring data will stop being collected on November 16, 2020. For more information about XDR and Activity Monitoring, see Integrate Workload Security with XDR.
Deep Security Agent 20.0.0-1304 or later uses a new network connection to send Activity Monitoring data to Trend Micro. The connection details can be found in Enable Activity Monitoring. Ensure that agent traffic to this destination is allowed so Activity Monitoring data can be sent to Trend Micro.
Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)
Release date: October 5, 2020
Build number: 20.0.0-1194
New features
Improved performance for real-time Anti-Malware scanning on Linux: Real-time Anti-Malware scans have been improved for Deep Security Agent on Linux, resulting in increased response time, faster processing, and reduced CPU usage. Previously, all files were scanned during read/write. Now, Anti-Malware scanning is more efficient and file scanning during write is deferred (the file is added to a queue and scanned in the background).
Differentiated platforms: Deep Security Manager can now distinguish between Red Hat and CentOS platforms and operations. DS-52682
Continued network scans: After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's network scans now continue where they left off, without delay. This feature only applies if you are using NSX-T Data Center and guest machines are using a policy without network feature overrides. DS-50482
Enhancements
- Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
- Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061
- Ceph is now excluded from file system kernel hooking to prevent kernel panic. SEG-75664/SF03131718/DS-50298
- Recommendation Scans and Integrity Monitoring are now enabled for NSX-T environments. DS-50478
- Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800
Resolved issues
- Secure boot appeared active when it was not. DS-55052
- Deep Security Agent could not install any plugins with UEFI Secure Boot enabled. DS-54041
- After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
- The Anti-Malware engine on Deep Security Virtual Appliance went offline when the signer field in the Census server reply was empty. DS-49807
- Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
- Deep Security Agent on Linux would sometimes crash. SEG-76460/SF03218198/DS-50852
- Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
- The Deep Security Virtual appliance did not detect the EICAR test file. SEG-71955/SF02955546/DS-49387
- Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocking in lock down mode. DS-50696
- The Anti-Malware driver caused a system hang on Linux platforms where autofs was used. DS-51926
- When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
- There was an upgrade issue with Deep Security Agent which would sometimes prevent the agent from going online if Integrity Monitoring or Log Inspection were enabled. DS-50672
- Kernel Panic occurred when Web Reputation, Firewall, or Intrusion Prevention were enabled. SEG-80201/DSSEG-5846/DS-52975
- When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
- When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. SEG-73893/DSSEG-5866/DS-53144
- When Deep Security real-time Anti-Malware was enabled on a Linux system, it caused a high amount of CPU usage. SEG-75739/DS-52976
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/DS-41233
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium
Deep Security Agent 20 (long-term support release)
Release date: July 30, 2020
Build number: 20.0.0.877
New features
Enhanced platform support
- Ubuntu 20.04 (64-bit)
- Cloud Linux 8 (64-bit)
- Debian Linux 10 (64-bit)
- Oracle Linux 8 (64-bit)
- SUSE Linux Enterprise Server 15 (64-bit)
- Red Hat Enterprise Linux 8 (64-bit)
- CentOS 8 (64-bit)
SystemD support: SystemD is a Linux service manager that allows services to declare dependencies, which can enforce load and unload sequences of kernel modules and other services. See Linux systemd support for information about which platforms are supported. DS-37395
Secure Boot support: Deep Security Agent supports additional Linux operating systems with Secure Boot enabled. For details, see Linux Secure Boot support.
Improved security
Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.
Protect VMs in NSX-T environments: The latest VMware Service Insertion and Guest Introspection technologies have been integrated. This enables you to protect your guest VMs using Intrusion Prevention, Web Reputation, Firewall, Integrity Monitoring and recommendation scans on NSX-T hosts with agentless protection.
Seamless network protection: Deep Security Manager now sends guest VMs' network configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the network features during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments where the guest machine is using an assigned policy without network features overrides.
SELinux Support: Security-Enhanced Linux (SELinux) enforcing mode is supported on Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. Deep Security Agent is compatible with the default SELinux policies. Anti-Malware software such as ds_agent is required to run in an unconfined domain in order to protect the system. Any additional SELinux policy customization or configuration might be block blocked or fail because of ds_agent.
SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.
Continuous Anti-Malware protection: Deep Security Manager now sends guest VMs' Anti-Malware real-time configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the Anti-Malware real-time feature during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments.
Improved management and quality
Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.
NSX-T Network Throughput improvement: By introducing the Data Plane Development Kit (DPDK), the network throughput has been made three times faster when compared with prior technology.
Upgrade to supported paths: The Upgrade on activation feature only upgrades the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the Upgrade on activation feature detects the newer version and complete the upgrade to the designated release.
Protection for AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, the computer is now created outside of the account and the agent is allowed to activate.
Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported in this release. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?
Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been cancelled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.
Improved process exceptions: The process exception experience has been improved in the following ways:
- Information about why process exclusion items are not functioning correctly is provided, enabling you to troubleshoot the issue and know which actions to take to resolve it.
- The process exception configuration workflow has been improved to make it more robust.
Enhancements
- Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
- Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
- Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
- Improved the Deep Security Agent activation experience in the following ways:
- Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.
- After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's Anti-Malware real-time scans now continue where they left off, without delay. This feature only applies to NSX-T environments.
- Increased the scan engine's URI path length limitation.
- Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
- Enhanced Linux real-time Anti-Malware performance when executing a Docker pull command.
- Improved the time it takes to auto-activate guest VMs protected by the Deep Security Virtual Appliance in an NSX-T environment. This feature requires Deep Security Manager FR 2019-12-12 or newer releases.
- Streamlined event management for improved agent performance.
- Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
- Enhanced the Malware Scan Failure event description to indicate the possible reason.
- Enhanced the Anti-Malware kernel level exclusion on Linux. File events coming from remote file systems won't be handled by Deep Security Agent anymore when Network Directory Scan is disabled.
- Added the ability to retrieve process and container information for Intrusion Prevention events, including process name, container ID, container name, image name, image digest and pod ID.
Resolved issues
- When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
- When Deep Security real-time Anti-Malware was enabled in Linux, it caused a high amount of CPU system usage. SEG-75739/SF03036857/DS-52976
- Ceph caused kernel panic. SEG-75664/SF03131718/DS-50298
- Deep Security Agent sometimes crashed. SEG-76460/SF03218198/DS-50852
- Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
- The Deep Security Virtual Appliance did not detect an Eicar file. SEG-71955/SF02955546/DS-49387
- Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocked in lock down mode. SEG-73174/DS-50696
- Deep Security Virtual Appliance sometimes went offline. SEG-53294/DS-46728
- The interface isolation feature was still on when Firewall was turned off. SEG-32926/DS-27099
- In a Red Hat Enterprise Linux 5 or 6 or a CentOS 5 or 6 environment, Integrity Monitoring events related to the following rule were displayed even if users or groups were not created or deleted: 1008720 - Users and Groups - Create and Delete Activity. SEG-22509/DS-25250
- Integrity Monitoring events showed an incorrect file path with Unicode encoding. SEG-45239/DS-33911
- Anti-Malware events displayed a blank file path with invalid Unicode encoding. SEG-46912/DS-34011
- Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash. SF01423970/SEG-43481/DS-34436
- Kernel panic occurred when dsa_filter.ko was obtaining network device's information. SEG-50480/DS-35192
- An SAP system with Java running in a Linux environment failed to start when Deep Security Scanner returned an error code without an error message. SF01339187/SEG-38497/SEG-33163/DS-31330
- Kernel panic occurred because of redirfs. SF01137463/SEG-34751/DS-32182
- Deep Security Anti-Malware caused the fusermount process to fail when mounting the filesystem. SF01531697/SEG-43146/DS-32753
- Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. SEG-39711/DS-32799
- For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. SF01704358/SEG-45004/DS-32077
- Deep Security Agent GSCH driver had an issue with another third-party file system. SF01248702/SEG-44565/DS-33155)
- The Environment Variable Overrides for Deep Security Anti-Malware did not work in Linux. SEG-43362/DS-31328
- Deep Security Agent process potentially crashed when the detailed logging of SSL message was enabled and outputted. SF01745654/SEG-45832/DS-33007
- When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. SF01415702/SEG-42919/DS-33008
- The Send Policy action failed because of a GetDockerVersion error in Deep Security Agent. SF1939658/SEG-49191/DS-34222
- Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DS-34022
- The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. SEG-50728/DS-35446
- Deep Security Agent failed to install on Ubuntu 18.04. SF01593513/SEG-43300/DS-37359
- The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. SF01526046/SF02159742/SEG-55453/DS-38812
- Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. SF02187371/SEG-56645/DS-39398
- The agent operating system would sometimes crash when Firewall interface ignores were set. SF01775560/SEG-49866/DS-39339
- Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. SF01804378/SEG-47425/DS-33690
- Too many file open events were being processed in user mode, resulting in high cpu usage. SF02179544/SEG-55745/DS-39638
- The "mq_getattr: Bad file descriptor" error occurred while accessing the message queue when Deep Security real-time Anti-Malware was enabled. SF02042265/SEG-52088/DS-39890
- Linux kernel logs were flooded by Deep Security Anti-Malware driver. SF02299406/SEG-57561/DS-41589
- Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. SF01780211/SEG-46616/DSSEG-3607
- High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. SF02179544/SEG-55745/DS-41142
- Deep Security Agent real-time Anti-Malware scans didn't work with Debian 10 64-bit.
- When a guest VM was migrated between ESXi hosts frequently (using vMotion), sometimes the VM couldn't save the state file. This caused the guest to lose the protection of the Deep Security Virtual Appliance for several minutes after migration, until the VM was reactivated by Deep Security Manager automatically under the new ESXi server. DSSEG-4341/DS-38221
- When uninstalling Deep Security Agent in Linux, the uninstall log included a typo. DSSEG-4139/DS-34504
- Deep Security Anti-Malware detected sample malware files but did not automatically delete them. SF02230778/SEG-55891/DS-40687
- When the Deep Security Agent connected through a proxy to the Deep Security Manager on Deep Security as a Service, Identified Files could not be deleted. SF01979829/SEG-51013/DS-37252
- After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search X-Forwarded-For header after the header is parsed. SEG-60728/DSSEG-5094
- Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DSSEG-4995
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/VRTS-3176
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest Severity: High
- Updated NGINX to 1.16.1 (DSSEG-4600)
- Updated to curl 7.67.0.
- Updated to openssl-1.0.2t.
- Updated JRE to the latest Java Update (8.0.241/8.43.0.6).
Kernel support
To see which Linux kernels are currently supported, see Linux kernel compatibility.
To view the Linux kernel support release history, see the Readme for Trend Micro (TM) Deep Security Agent 20.0 for Linux.
Known issues
- Autofs is currently not supported for use when real-time Anti-Malware is enabled. If autofs is used with real-time Anti-Malware enabled, some mountpoints are unmounted successfully. SEG-58841
Deep Security Agent - 20.0.1-25770 (20 LTS Update 2024-12-10)
Release date: December 10, 2024
Build number: 20.0.1-25770
New features
Version Control Policy: Deep Security Agent now supports Version Control Policy, which allows Trend Vision One version control policies to manage agent and component updates for any endpoint with the Trend Micro Endpoint Basecamp (XBC) agent installed. For more information, see Version Control Policies. This is currently in pre-release, and is only supported for Trend Vision One - Server & Workload Protection.
Enhancements
- Deep Security Agent can now trigger the installation of Endpoint Basecamp from Trend Cloud One - Endpoint & Workload Security. DSA-7532
- Updated Deep Security Agent to reduce the duration of on-demand scans when the CPU Usage is set to Medium (Computer or Policy > Settings > General > CPU Usage Control). DSA-8171
- Deep Security Agent for Windows platforms now supports wildcard
*
use in Anti-Malware process path exclusions. PCT-36703/DSA-7768 - Deep Security SAP Scanner can now report results to SAP applications when it identifies password-protected compressed files attached to an email in Microsoft Outlook Item (MSG) format. SF07873657/PCT-23367/DSA-7562
- Deep Security Agent now detects if its relay proxy is Trend Vision One Service Gateway Forward Proxy Service, and uses the Service Gateway domain allow list to decide whether the connection should use the relay proxy or not. SF07267852/PCT-29311/DSA-6274
- Deep Security Agent can now add existing detections (by malware name, or rule ID for Anti-Malware or Behavior Monitoring) to the Rule Exceptions list from Computer or Policy > Anti-Malware > Advanced. DSA-6318
- Deep Security Agent now supports additional options to fine tune detection sensitivity for Anti-Malware, Behavior Monitoring, Predictive Machine Learning, Process Memory Scan, and the Windows Antimalware Scan Interface (for real-time scan only). DSA-6062
Resolved issues
- Events including packet data were being logged with an incorrect packet size. PCT-45556/DSA-8074
- Deep Security Agent had higher than usual CPU usage if Integrity Monitoring was disabled following an Integrity Monitoring scan. SF07991055/PCT-31459/DSA-6195
- Anti-Malware manual scans of files or folders with special characters sometimes failed. PCT-43895/DSA-8126
- The Trend Micro Windows Filtering Platform (TBIMWFP) driver caused a memory leak on some systems, which led to higher than normal memory usage. DSA-7968
- Deep Security SAP Scanner would incorrectly report scan failures when two or more files with the same content were included in a compressed file. PCT-38781/DSA-7557
- The Anti-Malware Solution Platform (AMSP) service was crashing on some systems. PCT-41566/DSA-7952
Security updates
This release contains updates to third-party libraries. DSA-7124
Security updates are included in this release. For more information about Trend Micro protection against vulnerabilities, see Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details are only available for select security updates once patches are available for all impacted releases. VRTS-13016/DSA-7645
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Deep Security Agent - 20.0.1-23340 (20 LTS Update 2024-11-13)
Release date: November 13, 2024
Build number: 20.0.1-23340
New features
Windows 11, version 24H2 support: Deep Security Agent 20.0.1-23340 or later supports Windows 11, version 24H2.
Enhancements
- Web Reputation Service can now use Server Name Indication (SNI) queries when determining the risk level of a website. DSA-7314
Resolved issues
- Deep Security Agent sometimes caused a file handle leak when performing an Anti-Malware manual scan. DSA-7676
- Deep Security Agent was sometimes unable to quarantine files detected as malware. PCT-18199/DSA-5889
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-13428//VRTS-13017/DSA-7666/DSA-7646
Highest Common Vulnerability Scoring System (CVSS) score: 6.7
Highest severity: Medium
Deep Security Agent - 20.0.1-21510 (20 LTS Update 2024-10-16)
Release date: October 16, 2024
Build number: 20.0.1-21510
Enhancements
- Add a failsafe to help prevent the Firewall driver causing systems to be stuck in a Blue Screen (BSoD) loop. DSA-7448
- Add new Windows events to logs when the Firewall driver is initialized. Events include Windows Base Filtering Engine State changes and the results registered by the tbimwfp driver. DSA-7547
Resolved issues
- High CPU usage would occur when both Application Control and FIPS were enabled. DSA-6842
- Deep Security Agent would crash the system if the Windows Base Filtering Engine Service was not running. PCT-38921/DSA-7334
- When the SAP Scanner library re-established connections to Deep Security Agent, the scan requests sent from the SAP Scanner library would sometimes be rejected. SF08196066/PCT-34824/DSA-7608
- Deep Security SAP Scanner would sometimes crash when scanning for files in certain formats, like CSV. PCT-41353/DSA-7609
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-12953/DSA-7559
Highest Common Vulnerability Scoring System (CVSS) score: 8.0
Highest severity: High
Deep Security Agent - 20.0.1-19250 (20 LTS Update 2024-09-18)
Release date: September 18, 2024
Build number: 20.0.1-19250
Enhancements
- Updated Deep Security Agent to improve compatibility with older versions of the SAP Scanner. SF08196066/PCT-34824/DSA-6819
- Deep Security Agent now supports the Alibaba Cloud connector type. DSA-6018
- Web Reputation Service can now provide protection when using HTTPS in Mozilla Firefox on Windows 10 (64-bit), Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. DSA-6770
Resolved issues
- Deep Security Agent caused high CPU usage on systems with both Application Control and FIPS enabled. DSA-6842
Security updates
This release contains updates to third-party libraries. DSA-6156/DSA-6942
Deep Security Agent - 20.0.1-17380 (20 LTS Update 2024-08-21)
Release date: August 21, 2024
Build number: 20.0.1-17380
Enhancements
- Web Reputation Service "Smart Protection Server Disconnected" events now include FQDN or IP address information in the description field. DSA-5408
- SAP Scanner now classifies Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages as text files. SF07895338/PCT-24359/DSA-5790
- SAP Scanner now associates JavaScript with compatible file extensions. For details, see Supported MIME types. SF08102626/PCT-31518/DSA-6192
- uAgentWscHandler.exe is a new process that supports Windows Anti-Malware Protected Process Light technology and integrates with Windows Security Center on Windows 10 or Windows 11. DSA-5138
- Advanced Threat Scan Engine has been updated to version 24.550. DSA-5968
Resolved issues
- SAP Scanner would incorrectly classify valid CSV files if the data was formatted on a single line. SF07967718/PCT-26844/DSA-6102
- SAP Scanner sometimes incorrectly identified image files as ASP scripts. SF07764878/PCT-20406/DSA-6122
- Deep Security Agent could not load the policy if some policy configuration fields contained curly brackets. DSA-6189
- Deep Security Agent would fail to activate if the hostname contained non-ASCII characters. PCT-32214/DSA-6268
- Deep Security Agent would sometimes cause an Operating System crash if Advanced TLS inspection was enabled. PCT-34149/DSA-6346
- When Anti-Malware was enabled, some Citrix Virtual Desktop Infrastructure (VDI) environments encountered a blue screen (BSoD) error. PCT-26799/DSA-6036
- When Intrusion Prevention was enabled for Deep Security Agent, some third-party applications had connectivity issues if they were reusing a source port. SF07685331/PCT-20541/DSA-5596
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-12301/DSA-5967/DSA-6150
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Known issues
- Deep Security Agent Application Control causes high CPU usage. PCT-36414
Deep Security Agent - 20.0.1-14610 (20 LTS Update 2024-07-17)
Release date: July 17, 2024
Build number: 20.0.1-14610
Enhancements
- SAP Scanner now associates the following MIME types with compatible file extensions. For details, see Integrate with SAP NetWeaver.
- TrueType Font (TTF). SF08102626/PCT-31518/DSA-6049
- Java Archive (JAR). SF08102626/PCT-31518/DSA-6044
- Apple QuickTime File Format (QTFF). SF07967718/SF07840151/PCT-22825/PCT-26844/DSA-5887/DSA-5567
- Microsoft Advanced Systems Format (ASF). SF07967718/PCT-26844/DSA-5886
Resolved issues
- Deep Security Agent would still try to test connections for Service Gateways. DSA-5814
- A Deep Security Agent restart sometimes caused Application Control to report drift events. SF07813110/PCT-25731/DSA-5798
- Deep Security Agent was only able to use the primary IP address for Service Gateway. DSA-4513
- Integrity Monitoring real-time scans sometimes failed to generate events. SF07269768/PCT-21721/DSA-5877
- The Anti-Malware configuration file size was impacting SAP Scanner performance on some systems. SF08057009/PCT-30380/DSA-5987
Deep Security Agent - 20.0.1-12510 (20 LTS Update 2024-06-19)
Release date: June 19, 2024
Build number: 20.0.1-12510
Enhancements
- Advanced TLS Traffic Inspection now supports separate configurations for "Inspect Inbound TLS/SSL Traffic" and "Inspect Outbound TLS/SSL Traffic". For detailed configuration steps, see https://help.deepsecurity.trendmicro.com/20_0/on-premise/intrusion-prevention-ssl-traffic.html#EnableTLS.
Resolved issues
- Web Reputation Service might cause high CPU usage in VDI environments. PCT-24431/PCT-28543/PCT-29364/PCT-29712/PCT-30043/PCT-30401/PCT-30669/DSA-5766
- Edge Relay couldn't use the operating system proxy configuration without IoT features enabled. PCT-16603/DSA-5422
Known issues
- There is a performance impact when Inspect Inbound TLS/SSL Traffic and Inspect Outbound TLS/SSL Traffic are enabled at the same time in Advanced TLS Inspection settings. For details, see Performance impact of bi-directional TLS inspection in Deep Security. DSA-5959
Deep Security Agent - 20.0.1-9400 (20 LTS Update 2024-05-16)
Release date: May 16, 2024
Build number: 20.0.1-9400
Enhancements
- SAP Scanner now supports the
SCANLOGPATH
parameter. For details, see Integrate with SAP NetWeaver. PCT-21958/DSA-4924 - Updated Deep Security Agent to improve the priority for configurations using a proxy. DSA-4817/PCT-21750
- Deep Security Agent can now retrieve Service Gateway settings from the Trend Micro Endpoint Basecamp (XBC) agent. DSA-4841/V1E-13468
- Web Reputation Service now supports HTTPS protection for Google Chrome browser's Incognito mode and Microsoft Edge browser's InPrivate mode on Windows 10 (64-bit), Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. DSA-4296
Resolved issues
- Deep Security Agent security updates sometimes failed after reconfiguring proxy settings. PCT-18382/DSA-5390
- Using Deep Security Agent with Web Reputation Service enabled prevented some Application Performance Monitoring (APM) applications from functioning correctly. SF04072723/SEG-97952/PCT-15716/DSA-4750
- Using multiple Smart Protection Servers sometimes generated "Smart Protection Server Disconnected for Smart Scan" warnings, even if Smart Scan was still connected. PCT-13313/DSA-4488
- Deep Security Agent security updates sometimes failed after an agent update was applied. PCT-23614/DSA-5371
Security updates
This release contains updates to third-party libraries. DSA-4187
Deep Security Agent - 20.0.1-7380 (20 LTS Update 2024-04-24)
Release date: April 24, 2024
Build number: 20.0.1-7380
Enhancements
- Deep Security Agent now supports Trend Vision One Service Gateway exclusions. This is only supported for Trend Cloud One - Endpoint & Workload Security users at this time. V1E-17754
- Deep Security Agent can have its proxy configuration set by the Trend Vision One Proxy Manager. V1E-14557
- Deep Security Agent now supports custom actions "ActiveAction" or "Pass" for the Process Memory Scan. This is only supported for Trend Cloud One - Endpoint & Workload Security users on Windows platforms at this time. DSA-3621
Resolved issues
- Deep Security Agents running in cloud environments sometimes could not be activated for Trend Cloud One - Endpoint & Workload Security. DSA-4861
- When SAP Scanner was enabled, system events for "SAP: Anti-Malware module is not ready" or "SAP: Virus Scan service is not working correctly" sometimes displayed during Deep Security Agent upgrade. These system event messages were triggered by the restart of Deep Security Agent modules. There was no functional impact. DSA-4603
Deep Security Agent - 20.0.1-4540 (20 LTS Update 2024-03-20)
Release date: March 20, 2024
Build number: 20.0.1-4540
Enhancements
- The SAP Scanner status for Deep Security Agent is now displayed in the console. DSA-3329
- The Deep Security Agent version is now displayed in the SAP Scanner library. SF07483850/PCT-10077/DSA-3304
- Stopping a Deep Security Agent managed by Trend Cloud One - Endpoint & Workload Security now takes less time. DSA-4208
- Anti-Malware events (Events & Reports > Anti-Malware Events) now display the date and time that files or folders were created and modified. SF07199253/PCT-1378/DSA-3578
Resolved issues
- Deep Security Agent incorrectly classified the MIME type of
.dwg
files generated by AutoCAD, from AutoCAD 2004 to AutoCAD 2024. SF07027236/SEG-186079/PCT-5797/DSA-2901
Deep Security Agent - 20.0.1-3180 (20 LTS Update 2024-02-29)
Release date: February 29, 2024
Build number: 20.0.1-3180
New features
- Anti-Malware now supports Advanced Process Memory Scan by default for Trend Cloud One customers. DSA-4242
Enhancements
- Deep Security Scanner (SAP) now reports files containing Microsoft Office Macros as Active Content, while previously they were identified as Malware. PCT-5979/DSA-3911
Resolved issues
- Migration of agents from on-premise Deep Security Manager to Trend Cloud One - Endpoint & Workload Security using Trend Vision One Service Gateway failed. This issue could also occur when migrating using other proxy services. PCT-16649/DSA-4144
- Remote Desktop Services on Windows Server 2008 R2 was blocked by the TLS inspection process (tm_netagent). PCT-12049/PCT-12172/PCT-13878/DSA-3944
- Behavior Monitoring exclusions sometimes failed to apply because they were case sensitive. PCT-16168/PCT-16005/PCT-16476/CTSKA-27/DSA-4116
- The expected MIME type for
.msg
files by the Deep Security Agent SAP Scanner was incorrect. PCT-5797/DSA-4050 - Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent sometimes resulted in a TLS inspection process (tm_netagent) error log rotation issue. DSA-3965
- When a password is required for a local override, the password was checked after the Deep Security Agent self-protection was locally disabled. PCT-10861/DSA-3293
- Uninstalling Deep Security Agent did not remove all folders associated with Deep Security Agent. DSA-2460
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-11708/DSA-3702
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Known issues
- The Application Control Trust Entities "block by target" trust rule sometimes does not work properly when running a copy of an executable file. PCT-11105/DSA-3324
Deep Security Agent - 20.0.1-700 (20 LTS Update 2024-04-17)
Release date: April 17, 2024
Build number: 20.0.1-700
Enhancements
- Updated Deep Security Agent to improve the priority for configurations using a proxy. This is only supported for Trend Cloud One - Endpoint & Workload Security customers on Windows x64 platforms at this time. DSA-4817/PCT-21750
Known issues
- Updating to Deep Security Agent 20.0.1.700 fails on some 20.0.0 versions when using Deep Security Relay. For more details, see Failed remote upgrade of self-deployed Workload Security relay from 20.0.0-3445 or later to version revision 20.0.1. DSA-3317
- Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For more details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773
Deep Security Agent - 20.0.1-690 (20 LTS Update 2024-01-17)
Release date: January 17, 2024
Build number: 20.0.1-690
New features
Command line scan: Deep Security Agent now supports on-demand scans triggered using dsa_scan
from a command line interface.
This is currently only available to Trend Cloud One - Endpoint & Workload Security customers. For more information, see Command-line basics. V1E-6993
Enhancements
- From 2024 onward, Deep Security Agent versioning is being revised from 20.0.0 to 20.0.1. This requires Deep Security Manager 20.0.883 or later. DSA-3584
For details, see Platform support updates for Deep Security Agent (DSA) version revision in January 2024 Update Release.
Resolved issues
- Deep Security Agent was sometimes unable to connect to the local Smart Protection Server. DSA-3564
- Deep Security Agent could have memory leaks on some systems while trying to route to Domain Controllers. DSA-3266
- Deep Security Agent sometimes froze at launch if Windows APIs were verifying digital signatures for portable executable (PE) files. DSA-3626
- When FIPS mode was disabled, Deep Security Agent used the OpenSSL configuration specified by the system environment variables rather than the config specified by the agent. PCT-4914/DSA-2651/DSA-2737/DSA-2738
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. V1E-10952
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: Critical
Known issues
- Updating to Deep Security Agent 20.0.1-690 from some 20.0.0 versions sometimes fails when using Deep Security Relay on Trend Cloud One - Endpoint & Workload Security. For details, see Failed remote upgrade of self-deployed Workload Security relay from 20.0.0-3445 or later to version revision 20.0.1 DSA-3317
- Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (
tm_netagent
) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773
Deep Security Agent - 20.0.0-8438 (20 LTS Update 2023-12-12)
Release date: December 12, 2023
Build number: 20.0.0-8438
New features
Windows 11, version 23H2 support: Deep Security Agent 20.0.0-8438 or later support Windows 11, version 23H2. DSA-2255
Enhancements
- Remove some file types from the scanning list to avoid high CPU and disk consumption. SF07099651/SEG-188688/DSA-2010
- Agent self-protection now protects the Advanced TLS Traffic Inspection process (tm_netagent) preventing local users with administrator privileges from stopping it. DSA-1042/DSA-1043
Resolved issues
- When using a local Smart Protection Server and a configured proxy, Web Reputation Service would sometimes improperly send traffic through the proxy. Web Reputation Service now sends queries to the local Smart Protection Server directly. DSA-2981
- Anti-Malware scan mode would sometimes not match the policy configuration. SF07117203/SEG-191043/PCT-7856/DSA-2561
- A memory leak would occur when loading large Suspicious Object lists. SF06904914/SEG-182231/DSA-1370
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-11015/DSA-2156
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Known issues
- Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (
tm_netagent
) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773 - Deep Security Agent is sometimes unable to connect to the local Smart Protection Server. This issue is fixed in 20.0.1-690. For details, see Deep Security Agent (DSA) connection issues with Smart Protection Server (SPS) when using proxy DSA-3564
Deep Security Agent - 20.0.0-8268 (20 LTS Update 2023-11-21)
Release date: November 21, 2023
Build number: 20.0.0-8268
Resolved issues
- Deep Security Anti-Malware sometimes did not function as expected after the system had resumed from sleep mode (S0 low-power idle mode of the working state, also known as modern standby). SF07326571/PCT-5476/DSA-2485
- Deep Security Agent incorrectly classified MIME type of
.xml
files generated by Microsoft Word, Excel, PowerPoint, as well as.dwg
files generated by AutoCAD and R2000. SF07027236/SEG-186079/DSA-2202
Known issues
- Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (
tm_netagent
) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773
Deep Security Agent - 20.0.0-8137 (20 LTS Update 2023-10-26)
Release date: October 26, 2023
Build number: 20.0.0-8137
New features
- Process Memory Scan: Anti-Malware manual and scheduled scans now support the process memory scan which scans the memory of running processes. This requires Deep Security Manager 20.0.844 or later.
This feature will be disabled in the November release of Deep Security Manager and in Trend Cloud One - Workload Security. For more information, see High Memory Usage for random process when using Deep Security Agent 20.0.0-8137
Resolved issues
- When Intrusion Prevention System was enabled on a machine with Windows Network Load Balancing (NLB) installed and Unicast Mode configured, Network Load Balancing performance was sometimes affected. SF06426122/SEG-169878/DSSEG-7852
- When agent self-protection was enabled for Deep Security Agent 20.0.0-7719, access violation errors would sometimes appear in the Windows System Log. DSA-1962
Known issues
- Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (
tm_netagent
) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773
Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)
Release date: September 26, 2023
Build number: 20.0.0-7943
Enhancements
- In order to display agent pattern updates properly, Deep Security Agent 20.0.0-7943 or later requires Deep Security Manager 20.0.759+. For more information, see Incompatible Agent / Appliance Version error in Deep Security Agent 20.0.0-7943. SEG-190866/SEG-191017/DSA-1531
- New commands exist to get proxy information from the command line:
dsa_query -c GetProxyInfo
dsa_query -c GetProxyInfo details=true
. DSA-864 - Web Reputation Service now supports the "Trend Micro Toolbar for Enterprise" browser extension for Microsoft Edge on Windows 10 (64-bit), Windows 11, Windows Server 2016, Windows Server 2019 and Windows Server 2022. DSA-1565
Resolved issues
- When Log Inspection was enabled, Deep Security Agent sometimes crashed on Windows Server 2019 systems. DS-77766
Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)
Release date: August 29, 2023
Build number: 20.0.0-7719
New features
New language support: Deep Security Agent now supports Polish and Czech.
Enhancements
- Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
- Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. Note that agents configured as a Deep Security Relay still download all pattern updates. DSA-1000
- The blocking page Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
- Deep Security Agent now triggers a security update automatically when the Anti-Malware Solution Platform (AMSP) service is ready. Previously, security updates could fail if triggered before the AMSP was ready, causing "Anti-Malware Engine Offline" and "Pattern Update on Agents/Appliances Failed" errors. DSA-1020
- Activity Monitoring now includes hypersensitive mode to provide improved MITRE coverage. DS-76971/DS-76972/DSA-797
Resolved issues
- Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
- Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
- When Anti-Malware was enabled, Deep Security Agent impacted the performance of some third-party applications. SEG-182065/DSA-790
- Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756
- Device Control blocked Windows Server Storage Area Network (SAN) drives that should have been allowed. SEG-178278/V1E-3895
- Network drivers failed to bind to the network interface automatically on some Azure VMs. DSA-1040
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7976/DSA-1386
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)
Release date: July 25, 2023
Build number: 20.0.0-7476
New features
Deep Security Agent Right-Click Scan: Deep Security Agent now allows users to trigger a manual scan from Windows File Explorer by right-clicking a file or folder and selecting Scan. Note that this feature is only available to Trend Vision One Endpoint users and Trend Cloud One - Endpoint & Workload users at this time.
Enhancements
- If anti-malware is offline because AMSP service was not installed correctly, Deep Security Agent now tries to reinstall AMSP when the agent service launches. DSSEG-7903/SEG-181443
- Updated the dsa-connect service to improve CPU performance. C1WS-12970
- Updated Deep Security Agent to support the Notifier Anti-Malware Protected Process Light (AM-PPL) service for Windows 10 desktop platforms. This requires Deep Security Manager 20.0.789 - 20.0.833. DS-77160
- Improved Advanced TLS Traffic Inspection coverage for Windows Server 2012 R2, 2016, and 2019. SEG-182585/DSA-583
Resolved issues
- Smart Protection Servers would sometimes lose connectivity with Web Reputation Service. SF06423462/SEG-166651/DSSEG-7858
- The system sometimes crashed when Intrusion Prevention was enabled. SF06983729/SEG-184423/DSSEG-7907
- Deep Security Agent upgrades triggered from the Deep Security Manager console would fail on some system configurations, returning MSI error code 1601: Windows installer is not accessible. SEG-177789/DS-78084
- Deep Security Agent sometimes reported that the network module was disabled (Event ID 1013, Trend Micro LightWeight Driver failed to bind on all network interfaces) even if the module was enabled. SEG-184701/SEG-182649/DSA-686
- Updated Deep Security Agent to support systems using Dell MAC Address Passthrough. SEG-177651/DSA-455
Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)
Release date: June 28, 2023
Build number: 20.0.0-7303
Enhancements
- Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation, such as fe80:0:0:0:0:0:0:1/24 or fe80::01. SF04849178/SEG-122076/DS-67280
- Activity Monitoring events now display the FQDN instead of the hostname. SF06709374/SEG-179186/C1WS-14644
- Web Reputation Service now automatically monitor the ports used by the OS proxy configuration. DS-77233
- When a specific process is sending backup packets through an unencrypted connection, Intrusion Prevention optimizes the scan flow to reduce CPU impact. SF06456142/SEG-166877/DS-76500
Resolved issues
- The Windows Malicious Software Removal Tool (MSRT) installation could fail while Application Control is in maintenance mode. SF06446534/SEG-172729/DS-77094
- Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
- The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
- The Deep Security Agent upgrade would fail when specific features were enabled. SF06794868/SEG-177789/DS-78008
- Deep Security Agent sometimes crashed when it was unable to connect to Deep Security Manager using a proxy. DS-77786
- When Application Control was enabled, MSI file installations failed on some versions of Windows. SF06509811/SEG-170485/DS-76906
- Deep Security Relay 20.0.0-7119 failed to provide security and software updates when using the improved Relay. SF06935222/SEG-183184/DS-78201
- Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709
Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)
Release date: May 29, 2023
Build number: 20.0.0-7119
Enhancements
- Updated Deep Security Agent to reduce data usage when generating Activity Monitoring events or when operating while integrated with Trend Micro Vision One. DS-77622
- When Application Control is enabled, MSI file installations fail on some systems. SF06509811/SEG-170485/DS-76906
- Agent self-protection now secures the Advanced TLS inspection process (
ds_nuagent
), preventing local users with administrator privileges from stopping it. DS-74080 - Deep Security Agent 20.0.0-7119 or later now supports FIPS mode for the
dsa-connect
service for Workload Security customers on Windows platforms that support FIPS mode as detailed here: Supported features by platform. C1WS-7467
Resolved issues
- Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
- After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453
- If Advanced TLS traffic inspection was enabled, rebooting the operating system sometimes caused Deep Security Agent to get stuck on the "stopping services" screen. SF06494167/SEG-170082/DS-76880
- The Deep Security Notifier service (
ds_notifier
) caused a memory leak during agent updates on some systems. SF06454240/SEG-167684/DSSEG-7863
Known issues
- Upgrading to Deep Security Agent version 20.0.0-6860, 20.0.0-6690, or 20.0.0-7119 using the Deep Security Manager console sometimes results in upgrade failure. After the upgrade failure, the Deep Security Agent service stops and may show "Agent Offline" from the manager console. SEG-177789, SEG-177748, SEG-178496, SEG-178742, SEG-177423, SEG-178470, SEG-178940, SEG-178956
Deep Security Agent - 20.0.0-6860 (20 LTS Update 2023-04-25)
Release date: April 25, 2023
Build number: 20.0.0-6860
Enhancements
- Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to
ds_agent.ini
. SF06664116/SEG-173848/DS-77182
Example proxy probing line inds_agent.ini
config file:dsa.proxymanager.ProbeTimeoutInSec=120
- Made improvements to Deep Security Agent to prevent it incorrectly sending "MQTT Connection Offline" warnings when the connection is online. SEG-171358/C1WS-12979
- Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840
- Deep Security Agent installer now prevents the agent from updating if it detects SHA-1 was used to sign the certificate on the agent installer. This prevents the agent from updating and becoming unresponsive, since Deep Security Agent 20.0.0-6313 and higher requires RSA-2048 and SHA-256. For more information on certificate upgrade, see Upgrade the Deep Security cryptographic algorithm. DS-76499
- Error messages from the Trend Micro Deep Security Notifier now provide more details when the on-demand scans fail. VO-2132
Resolved issues
- Deep Security Agent was unable to load the third-party libraries required to use Remote Shell, File Collection, or Network Isolation on the Windows 2008 platform. DS-75176
- Deep Security Agent would sometimes freeze on system startup, which caused the Windows Service Control Manager service to generate "service hung on starting" events (Event ID 7022). DS-77212
- When Anti-Malware Predictive Machine Learning was enabled, file operations initiated by Powershell sometimes encountered sharing violations. SF05904706/SEG-150738/DSSEG-7695
- When Web Reputation Service was enabled, Deep Security Agent caused some systems to shutdown unexpectedly. SF06680505/SEG-174730/DSSEG-7866
- Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8320/DSSEG-7865
Highest Common Vulnerability Scoring System (CVSS) score: 2.9
Highest severity: Low
Deep Security Agent - 20.0.0-6690 (20 LTS Update 2023-03-29)
Release date: March 29, 2023
Build number: 20.0.0-6690
New features
Service Gateway: Deep Security Agent 20.0.0-6690 or later with Deep Security Manager 20.0.741 or later now supports the Service Gateway feature, providing forward proxy functionality.
Enhancements
- Deep Security Agent installation now performs a pre-check to verify if its operating system meets Azure Code Signing (ACS) requirements. For more information, see Trend Micro Server and Endpoint Protection Agent Minimum Windows Version Requirements. DS-75552
- Application Control now checks the execution of Microsoft Windows Control Panel Applet (.CPL) files. DS-74587
- Application Control now checks the execution of Microsoft Compiled HTML help (.CHM) files. DS-74828
- When an Application Control Trust Entities path rule uses a wildcard without specifying a filename, the wildcard now applies to all files in any directory matching the rule's path. Note that previously, the globstar (
**
) wildcard would apply to a path rule's directory and subdirectories, as opposed to the single star (*
) wildcard which would only match within the path rule's directory. DS-75133 - Web Reputation Service now includes OS platform metadata. DS-75453
- Deep Security Agent 20.0.0-6690 or later now supports the Proxy Manager for Trend Micro Vision One (XDR) Threat Intelligence - User Defined Suspicious Object (UDSO). DS-75365
- Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (
dsa-connect-X.log
) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598
The logger supports an on-demand JSON config file (eitherdsa-connect.ini
ordsa-connect.conf
) with the following configurable options:- Debug: Enable the debug log messages. The default value is false.
- Count: Number of log files to generate. The default value is 5.
- Size: Maximum size of each log file in bytes. The default value is 2097152.
Example config file:
{ "Debug": true, "Count": 5, "Size": 2097152 }
- The Web Reputation Service's Browser Extension now allows Trend Micro Toolbar for Chrome browser to inspect URLs for content scripts in all frames. DS-75387
- Anti-Malware events generated by the SAP Scanner now include file hashes. DS-75648/SEG-165491
Resolved issues
- Deep Security Agent events and module status changes sometimes failed to appear in the console. DS-46344/SEG-67100/SEG-101719/SEG-112311
- When Anti-Malware's "Enable network directory scan" option was enabled (Computer or Policy > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration > Advanced > Network Directory Scan)), malware was detected but a corresponding event was not recorded in some cases. SF06198579/SEG-160763/DSSEG-7786
- When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
- Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
- When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
- Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
- Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
- Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
- Application Control now checks web browser execution of .HTML, .HTM, and .JS files. DS-75102
- When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
- Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
- Deep Security Agent Scanner (SAP) couldn't generate reports for files with one or more trailing dots
.
in their file name. SF06181341/SEG-166326/DS-76404
Known issues
- Deep Security Agent 20.0.0-6313 or later is currently unable to load the third-party libraries required to use Remote Shell, File Collection, or Network Isolation on the Windows 2008 platform. If you need these three features on a Windows 2008 system, refrain from upgrading your agent. DS-75176
- Updating Deep Security Agent causes Deep Security Manager to show an unknown error event (ID: 740) on some systems. A future Deep Security Manager release will address this issue. For more details, see Unrecognized Agent / Appliance Error Event in Deep Security Manager (Event ID 1010 - 1013). DS-76813
Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)
Release date: January 31, 2023
Build number: 20.0.0-6313
New features
Windows 10 22H2 support: Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.716 or later now supports Windows 10 22H2.
Enhancements
-
Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676
To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
If you updated to Deep Security Agent 20.0.0-6313 or later before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent offline when OpenSSL 3 rejects certificate with SHA-1 algorithm. - With Anti-Malware and Behavior Monitoring enabled, Deep Security Agent now monitors for suspicious behavior to improve protection against MITRE attack scenarios. This functionality requires Deep Security Manager 20.0.711+. DS-73644
- Updated Deep Security Agent to support the "Trend Micro Toolbar for Enterprise" Chrome browser extension, improving HTTPS protection for Web Reputation Service. DS-74870
Resolved issues
- When Application Control was enabled, Deep Security Agent's status sometimes became stuck at "Application Control Ruleset Update In Progress". DS-74627
- An issue with the TLS protocol record layer in Deep Security Agent caused some systems to crash. SF06297487/SEG-162236/DSSEG-7774
- Deep Security Agent sometimes caused file handle leaks when communicating with Deep Security Manager or agent command-line tools. DS-75111
- For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent only shows the final successful event. SF06207160/SEG-160085/DSSEG-7765
- With Web Reputation Enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (
_
) entered in a command was replaced with a dash (-
), and an uppercase Z was replaced with a lowercase z. DS-74335
Deep Security Agent - 20.0.0-5995 (20 LTS Update 2022-11-28)
Release date: November 28, 2022
Build number: 20.0.0-5995
New features
Windows 11 22H2 support: Deep Security Agent 20.0.0-5995 or later with Deep Security Manager 20.0.711 or later now supports Windows 11 22H2.
Enhancements
- Updated Deep Security Agent to support the "Trend Micro Toolbar for Enterprise," a Chrome browser extension that extends HTTPS protection for Web Reputation Service. This is only supported for Trend Micro Cloud One - Workload Security customers at this time. DS-74568
- Updated the Web Reputation Service to support multi-thread processing on the web browser extension, improving the query rate. DS-74098
- Updated Deep Security Agent to include the details of command line Behavior Monitoring violations in the console under Events and Reports > Events > Anti-Malware Events. DS-72866
Resolved issues
- A file handle leak in the Deep Security notifier (
notifier.exe
) caused high system memory usage. DS-74325 - In Workload Security, enabling OS proxy (by setting Allow agents to apply OS proxy or direct connect when the configured proxy is inaccessible to Yes from Administration > System Settings > Proxies) would cause Deep Security Agent to crash if the proxy data the agent needed was missing on the operating system side. SEG-158968/DS-75034
- With Activity Monitoring enabled, high message volume sometimes made the internal MQTT channel inaccessible. This caused Deep Security Agent errors (
MQTT offline
,hub is busy
,cannot connect to dsa-connect
) as well as Trend Micro Vision One connectivity loss and the inability to send telemetry. SEG-160263/SEG-161138/SEG-160116/SEG-159318/DS-74638 - While running Application Control in maintenance mode, executable files that should have been accessible were sometimes blocked due to a sharing violation. SF04922652/SEG-131710/DS-74592
- Application Control was unable to block scripts executed using GitBash shell (
sh.exe
). DS-73827 - With Activity Monitoring enabled, Deep Security Agent caused file handle leaks on some systems. DS-74301
- Deep Security Agent caused an outdated "Early Launch Anti-Malware Pattern" component to appear on the Security Updates page, causing the Security Update Status to be "Out-of-Date". This pattern was unused, which is why it always appeared as an outdated component. SEG-158345/DSSEG-7745
- Deep Security Agent sometimes allowed a higher access level than the one set by a user's group. For example, the "Users" group was able to modify files even if it had read-only access. SEG-157530/DSSEG-7737
- With Anti-Malware enabled, a Deep Security Agent driver caused some systems running Windows Server 2008 to crash. SF05926337/SEG-157388/DSSEG-7739
Deep Security Agent - 20.0.0-5810 (20 LTS Update 2022-10-27)
Release date: October 27, 2022
Build number: 20.0.0-5810
New features
Installed software reporting: Deep Security Agent now reports installed software with additional details from the Microsoft Windows Installer. This is currently only available to Trend Micro Cloud One Workload Security customers.
Enhancements
- Updated Deep Security Agent to include additional metadata, such as
UserAgent
andReferrer
, for Web Reputation Services. DS-72196 - Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
- Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085
Resolved issues
- With Anti-Malware Behavior Monitoring enabled, uninstalling or upgrading from Deep Security Agent 20.0.0-5761 caused some systems to crash. For more details see BSOD Encountered During Uninstall of Deep Security Agent 20.0.0-5761. DS-74322
- With Activity Monitoring enabled, Deep Security Agent caused file handle leaks on some systems. DS-74301
- With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483
- With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
- If the Deep Security Agent service stopped while running Application Control in Maintenance Mode, executable files created after the service stopped were not being auto-approved as intended. SF05961688/SEG-152045/DS-73570
- Software, if renamed or copied while Application Control had Maintenance Mode enabled, would remain authorized in the software inventory under its original filename or location. DS-74015
- Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807
- The TLS inspection support package failed to download on Deep Security Agents using Edge Relay. DS-73789
- While an Application Control inventory build is in progress, the agent would sometimes appear offline. DS-72189
Known issues
- After upgrading the Deep Security Agent 20.0.0-5761 to 20.0.0-5810 on Windows, a reboot is required to solve an issue that causes computers to crash. For details including steps to work around the issue, see BSOD Encountered During Uninstall of Deep Security Agent 20.0.0-5761. DS-74383
Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)
Release date: September 22, 2022
Build number: 20.0.0-5512
Enhancements
- Deep Security Agent now supports the automatic update of Advanced TLS Traffic Inspection as operating system libraries change (Computer or Policy > Settings > TLS Inspection Package Update). This requires Deep Security Manager 20.0.677 or later. DS-72828
Resolved issues
- Integrity Monitoring events (Events and Reports > Integrity Monitoring) were created with N/A displayed in the KEY and TYPE columns. SF05533287/SEG-139293/DS-71899
- Updating Deep Security Agent and removing the expired TLS session key caused some systems to crash. SF06007238/SEG-153175/DS-73404
- With Anti-Malware enabled, some computers froze in a "Security Update In Progress" state. SF05106626/SEG-129777/DSSEG-7500
- With Deep Security Agent self-protection enabled, enabling or disabling Advanced TLS inspection service caused "Event ID 7006" in the Windows Service Control Manager. DS-73305
- Deep Security Agent reported host metadata in an unexpected format. DS-73411
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8100/VRTS-8101/DS-73087/DS-72528
Highest Common Vulnerability Scoring System (CVSS) score: 7.0
Highest severity: High
Known issues
- With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483
Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)
Release date: August 29, 2022
Build number: 20.0.0-5394
Enhancements
- Application Control now detects software changes for executables with non executable extensions. DS-70805
- Added SYSTEM user network drives and mount points for Windows to the information collected when generating a diagnostics package. DS-71816
- Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
- Updated Deep Security Agent so Application Control automatically authorizes test PowerShell scripts created by AppLocker. DS-71762
- Behavior Monitoring exclusions now support wildcard characters. DS-71976
- Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833
Resolved issues
- When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
- Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
- When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
- When Behavior Monitoring is enabled, Deep Security Agent would sometimes prevent Docker on Windows from starting. SF05709278/SEG-146323/DSSEG-7660
- Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
- When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
- Deep Security Agent would sometimes retrieve incorrect PID information on Windows for connection metrics and log events. DS-72526
- Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
- Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
- When Anti-Malware accessed files on a Cluster Shared Volume, the Hyper-V host would crash. SF05713918/SF05850687/SEG-146660/SEG-148664/DSSEG-7664
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699
- Deep Security Agent 20.0.0-5137 or later is unable to load the third-party libraries needed for Activity Monitoring on Windows 2008 platform. If you need Activity Monitoring for a Windows 2008 system, refrain from upgrading your agent. Note that this issue will be fixed in a future release. DS-72573
Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)
Release date: July 26, 2022
Build number: 20.0.0-5137
New features
Advanced TLS Traffic Inspection: Deep Security Agent 20.0.0-5137 or later adds Advanced TLS Traffic Inspection support to platforms that run system updates or package updates. Note that this feature is currently only supported for Trend Micro – Cloud One Workload Security. Support for Deep Security Manager (On-Premise) will be added later.
Enhancements
- Deep Security Agent 20.0.5137 or later for Windows uses an additional certificate: "Microsoft Identity Verification Root Certificate Authority 2020". For details see Updating the VeriSign, DigiCert, USERTrust RSA certificate on Deep Security and Trend Cloud One - Endpoint & Workload Security. DS-72711
- Deep Security Agent Scanner (SAP) now generates infection reports with additional details. DS-71660
- Updated Deep Security Agent to improve the "zero-config" SSL process for outbound connections. DS-70715
- Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar
\*\*
which matches many sub directories. Single star\*
now only matches within your current directory. Existing rules that used a single star\*
to match many folders no longer work and need to be changed to use a globstar\*\*
. DS-71817
Resolved issues
- With Anti-Malware enabled, Deep Security Agent had a driver conflict causing some third-party applications to freeze. SF05570686/SEG-140749/DSSEG-7650
- Deep Security Agent's Scanner (SAP) library install sometimes failed because required certificates on hosts were outdated. DS-71917
- Deep Security Agent SAP scanner could not detect the MIME (.TTF) files. DS-55897
- Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7102/VRTS-7070/VRTS-7041/VRTS-7039/DSSEG-7636
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699
- Deep Security Agent 20.0.0-5137 is unable to load the third-party libraries needed for Activity Monitoring on Windows 2008. If you need Activity Monitoring for a Windows 2008 system, refrain from upgrading to Deep Security Agent 20.0.0-5137. Note that this issue will be fixed in a future release. DS-72573
Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)
Release date: July 4, 2022
Build number: 20.0.0-4959
Resolved issues
- Deep Security Agent caused increased CPU usage for systems running the WMI provider service (WmiPrvSE.exe). 05528968/SEG-142736/DS-71626
- Deep Security Agent Scanner (SAP) reports displayed .SAR files in the wrong order. DS-71651
- Deep Security Agent had a conflict preventing TMUMH drivers from loading (on Windows 11 and Windows 2022), and in some cases causing a system crash (affecting all Windows platforms). SEG-143164/DSSEG-7596
- Using the command line (
dsa_control -b
), Deep Security Relay failed to extract the bundle file required to update in a closed network environment. SF05715642/SEG-144571/DSSEG-7600 - With Log Inspection enabled, updates to Deep Security Agent 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
- When Anti-Malware is enabled alongside either Integrity Monitoring or Activity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
- With Anti-Malware enabled, Deep Security Agent generated "Anti-Malware Engine Offline" errors caused by service restarts following a software upgrade. SF05521775/SEG-144639/DSSEG-7615
- With Anti-Malware enabled, Deep Security Agent sometimes caused a system crash or high system memory usage, or failed to deliver event reports. SF05475742/SEG-142632/DSSEG-7626
- Updated Deep Security Agent to immediately report its status to Deep Security Manager when Application Control's maintenance mode is enabled on the agent. DS-71617
- Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7633/DS-71687
Highest Common Vulnerability Scoring System (CVSS) score: 6.2
Highest severity: Medium
Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)
Release date: May 31, 2022
Build number: 20.0.0-4726
Enhancements
- Updated Deep Security Relay to record its status and other metrics for potential troubleshooting. DS-65763
Resolved issues
- Trust Entities "Allow by target" rules sometimes blocked processes they weren't intended to block. SF04922652/SEG-131710/DS-71060
- Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
- Updated Deep Security Relay to prevent Deep Security Agent from retrieving incomplete signature files for packages. SF05332854/SEG-134394/DS-71228
- Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
- An abnormal restart of Deep Security Agent sometimes lead to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
- With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7090/DSSEG-7541/DS-52329
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)
Release date: April 28, 2022
Build number: 20.0.0-4416
Enhancements
- Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515
- Updated Deep Security Agent to support enabling the Anti-Malware module while Windows Defender is running in passive mode under some system configurations DS-69161. Currently this is only supported on systems running the following versions:
- Defender (AM) product / engine versions:
- AMProductVersion: 4.18.2202.4
- AMEngineVersion: 1.1.18900.3
- Windows server and desktop versions:
- Windows Server 2016 and newer
- Windows 10 x64 RS5 and newer
- Deep Security Agent 20.0.0-4416+
Resolved issues
- Deep Security Agent generated multiple "Anti-malware Engine Offline" events during agent upgrades under some system configurations. SF04500910/SEG-129316/DSSEG-7458
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7132/DS-70518
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)
Release date: April 6, 2022
Build number: 20.0.0-4185
New features
Advanced TLS traffic inspection: Advanced TLS traffic inspection adds the capability for inspecting TLS traffic encrypted with modern ciphers, including Perfect Forward Secrecy (PFS). It also enhances virtual patching for HTTPS servers to help protect against vulnerabilities such as Log4j.
Enhancements
- Updated Deep Security Agent to properly execute Application Control settings for software changes made during a Windows upgrade. Previously, trust rules auto-authorizing software changes associated with a Windows upgrade would fail if Application Control was in lock down mode. DS-69579
- When certificates are missing for an Anti-Malware installation, Deep Security Agent now forwards the certificate details to Deep Security Manager. The specific certificates missing will appear in the manager under Events and Reports > System Events. DS-69074
Resolved issues
- Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
- Deep Security Agent created an "Application Control Engine Offline" error during agent upgrade, and an "Application Control Engine Online Again" message after upgrade completion. Note that an upgrade should not have triggered these events. DS-69888
- Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
- Deep Security Agent sometimes consumed a high amount of system resources during policy updates. SEG-134417/DS-69810
Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)
Release date: March 1, 2022
Build number: 20.0.0-3964
New features
Threat Intelligence: Threat Intelligence (formerly known as Connected Threat Defense) provides enhanced malware protection for new and emerging threats. For more information, visit Detect emerging threats using Threat Intelligence.
Enhancements
- Updated Deep Security Agent to exclude suspicious characters, such as
$
, found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989
Resolved issues
- Deep Security Agent accepted policy change parameters even if the self-protection password verification did not pass. SF05177188/SEG-129643/DS-69293
- Deep Security Agent sometimes went offline unexpectedly after activation. SEG-130280
- With Intrusion Prevention enabled, issues establishing an SSL connection caused "Unsupported SSL Version" events. SF04955719/SEG-127437/DS-68689
- Deep Security Agent was generating unexpected "Log File Delete Error" system events. DS-69641
- Deep Security Agent sometimes created unnecessary User (Created/Deleted) or Group (Added/Removed/Updated) events. DS-62413
Deep Security Agent - 20.0.0-3771 (20 LTS Update 2022-01-24)
Release date: January 26, 2022
Build number: 20.0.0-3771
New features
Zero config IPS inspection: Deep Security Agent adds the capability for Intrusion Prevention to inspect TLS encrypted traffic without manually importing certificates. This adds support for more cipher suites as well. This feature is being rolled out gradually for Windows platforms, beginning with Trend Micro Cloud One - Workload Security customers.
Windows 21H2 support: Deep Security Agent 20.0.0-3771 or later now supports Windows 21H2.
Enhancements
- Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042
Resolved issues
- Pairing Deep Security Agent with a proxy failed on Windows 11 when the "http://" prefix was unexpectedly added to the proxy address. The prefix was added if the address was accessed from the LAN settings window (Control Panel > Network and Internet > Internet Options > Connections > LAN settings), and then the window was closed by selecting OK. DS-68568
- Deep Security Agent security update would fail and generate "AMSP" events if Anti-Malware was offline during the update. SF04696674/SEG-120215/DSSEG-7287
- Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
- Updated Deep Security Agent to enable "Write Defer Scan" by default for real-time Anti-Malware scanning, resulting in increased response time, faster processing, and reduced CPU usage. Previously, all files were scanned during read/write by default. Now, Anti-Malware file scanning during write is deferred (the file is added to a queue and scanned in the background). DS-66344
- With Smart Scan enabled, Deep Security Agent was downloading the full size pattern update file, instead of the incremental one it was expected to, during security updates SEG-124937/DSSEG-7317
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6187/DS-65070/DS-68180
Highest Common Vulnerability Scoring System (CVSS) score: 9.1
Highest severity: High
Deep Security Agent - 20.0.0-3530 (20 LTS Update 2021-12-15)
Release date: December 15, 2021
Build number: 20.0.0-3530
New features
- OS proxy support: Deep Security Agent 20.0.0-3530 or later for Windows can now apply proxy settings from the computer's OS to automatically connect to Trend Micro Cloud One - Workload Security, Deep Security Relay, and other Trend Micro backend services if the default agent-configured proxy loses its connection. This feature is only available to certain Workload Security customers at this time.
Important Notes
- Pairing Deep Security Agent with a proxy currently fails on Windows 11 when the "http://" prefix is unexpectedly added to the proxy address after accessing it (under Control Panel > Network and Internet > Internet Options > Connections > LAN settings) and then selecting OK to close the window. This issue will be fixed in a future release. DS-68568
Resolved issues
- With Smart Scan enabled, Deep Security Agent downloaded the full size pattern update file instead of the incremental one it was expected to during security updates. DSSEG-7317
Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)
Release date: November 24, 2021
Build number: 20.0.0-3445
New features
- Anti-Malware offline scheduled scan: Deep Security Agent 20.0.0-3445 or later adds the offline scheduled scan feature, enabling Anti-Malware scheduled scans to run while an agent is not connected to Cloud One Workload Security. This feature is only available to certain Cloud One Workload Security customers at this time.
- Windows 11 support: Deep Security Agent 20.0.0-3445 or later now supports Windows 11.
- Windows Server 2022 support: Deep Security Agent 20.0.0-3445 or later now supports Windows Server 2022.
Enhancements
- Updated Deep Security Agent allow the Deep Security Notifier to be locked on (when installed through the command prompt using
msiexec /I "Notifier's installer name" LockAppSettingsDefault=1
), preventing users from hiding notifications. DS-64527 - Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
- Deep Security Agent no longer uses CBC cipher suites by default in order to improve security. DS-67204
- Updated Deep Security Agent to support using the "process name" property in "Ignore from source" rules for Application Control Trust Entities on Cloud One Workload Security. DS-67322
- Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347
Resolved issues
- With Anti-Malware enabled, Deep Security Agent caused connectivity issues for third-party software on some systems. SF04087024/SEG-125579/DSSEG-7321
- Deep Security Agent sometimes showed plugin installation failures during an upgrade even when the upgrade was successful. DS-67336
- When an expired certificate was removed from the host, the Anti-Malware plug-in update would fail, creating "Anti-Malware Component Update" events. SEG-117871/DS-66139
- If an Anti-Malware scan began before the module had completed its installation on Deep Security Agent, it could cause a system crash and "Anti-Malware Engine Offline" errors after a reboot. SEG-108355/DS-63721
- With Activity Monitoring enabled, Deep Security Agent sometimes crashed due to an issue with SQLite. 04958386/SEG-123752/DSSEG-7300
- Deep Security Agent couldn't properly handle SAP NetWeaver MIME type scan requests containing leading and trailing spaces. DS-67448
- When Integrity Monitoring rules using "UserSet" or "GroupSet" were enabled for a Deep Security Agent on Windows Active Directory Domain Controllers, excessive CPU and memory consumption would sometimes occur. Deep Security Agent 20.0.0-3445 blocks these types of Integrity Monitoring rules on Windows Active Directory domain controllers and generates an "Inapplicable Integrity Monitoring Rule" event. DS-65965
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6489/DSSEG-7210/DS-65113/VRTS-6207/DSSEG-7026
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)
Release date: October 28, 2021
Build number: 20.0.0-3288
New features
- Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Resolved issues
- On Deep Security Agent 20.0.0-3165, "Anti-Malware Component Update Failed"events were sometimes generated when computers performed security updates. This defect is now fixed in Deep Security Agent 20.0.0-3288. SF04937346/SEG-122765/DSSEG-7268
- With Intrusion Protection enabled, Deep Security Agent sometimes caused high CPU usage and sometimes caused the system to crash. DS-65902
- With Intrusion Protection enabled, Deep Security Agent caused the system to crash under some configurations. SF04931669/SEG-123338/DS-67441
- With SAP integrated and running, Deep Security Agent would block MP4 files. 04660120/SEG-117094/DSSEG-7254
- Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
- CPU usage would spike when Deep Security Agent queried the runtime status of the Anti-Malware component. DSSEG-7222
- Deep Security Agent did not always check that metadata was ready before initializing connection with the manager. DS-51103
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-65056
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-46018/DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)
Release date: October 08, 2021
Build number: 20.0.0-3165
Deep Security Agent 20.0.0.3165 has been released to Trend Micro Cloud One - Workload Security customers. However, it is not available on the Deep Security Agent software download page or released to customers using Deep Security Manager.
New features
- Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Resolved issues
- Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
- CPU usage would spike when Deep Security Agent queried the runtime status of the Anti-Malware component DSSEG-7222
- Deep Security Agent did always check that metadata was ready before initializing connection with the manager. DS-51103
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-2921 (20 LTS Update 2021-08-30)
Release date: August 30, 2021
Build number: 20.0.0-2921
New features
Census feedback: Deep Security Agent 20.0.0-2921 or later can now send census file feedback to the Smart Protection Network (SPN) if Trend Micro Smart Feedback is enabled (System Settings > Smart Feedback).
Enhancements
- Updated Deep Security Agent to detect the "HiveNightmare" exploit. DS-65217
Resolved issues
- With Application Control enabled, Deep Security Agent sometimes crashed when a .MSI file was launched. SF04647983/SEG-114894/DSSEG-7032
- Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
- Deep Security Agent sometimes failed to properly display items under Events and Reports. DSSEG-7057
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7046/DS-65668
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-2740 (20 LTS Update 2021-07-29)
Release date: July 29, 2021
Build number: 20.0.0-2740
Enhancements
- Updated Deep Security Agent to improve TLS traffic inspection. This feature is being rolled out gradually, beginning with Trend Micro Cloud One - Workload Security customers. DS-15576
- Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547
Resolved issues
- With Application Control enabled, files with '.tmp" extensions were creating a large number of "Application Control Software Changes Detected" events in the Deep Security Manager console. 04671615/SEG-115017/DS-65043
- Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
- Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
- Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
- Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
- With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. SF04613197/SEG-113566/DS-64050
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: High
Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)
Release date: July 01, 2021
Build number: 20.0.0-2593
Resolved issues
- Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
- The MQTT connection sometimes went offline when Deep Security Agent had Activity Monitoring enabled. SF04216172/SEG-101691/DS-63458
- Anti-Malware sometimes went offline after enabling Application Control on Deep Security Agent. SF04532752/SEG-110572/DS-63406
- Application Control was detecting multiple "Application Control Software Changes Detected" events due to '.tmp" files being generated by PowerShell. C1WS-1608
- Citrix Virtual App or Desktop users sometimes encountered a grey screen (with error code 1003/1005) when Anti-Malware was enabled for Deep Security Agent. DS-64318
- Anti-Malware sometimes caused high system CPU usage when the Windows WMI service accessed files repeatedly. SEG-109271/DSSEG-6983
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-5850/DS-54705
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium
Deep Security Agent - 20.0.0-2419 (20 LTS Update 2021-06-02)
Release date: June 02, 2021
Build number: 20.0.0-2419
Resolved issues
- Deep Security Agent 20.0.0-2395 for Windows always displayed an "Out-of-Date" Security Update Status. This agent was removed from the Trend Micro Download Center. For more information see Removal of Deep Security Agent 20.0.0-2395 for Windows. SF04537047/SEG-110737/DS-63424
- Integrity Monitoring alerts sometimes triggered but then did not appear in the Events and Reports tab. 04266346/SEG-103731/DS-62992
- Items queued for Anti-Malware scan sometimes caused higher than normal Deep Security Agent CPU usage. DS-63106
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-62154
- Insufficient host information caused by connectivity issues sometimes resulted in offline or duplicate listings in the Computers tab for Deep Security Agents on AWS workspaces. SF04198134/SEG-102818/DS-61666
- Deep Security Agent sometimes could not successfully perform an upgrade because of a missing package. SF04302125/SEG-104084/DS-62692
Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)
Release date: April 12, 2021
Build number: 20.0.0-2204
Resolved issues
- When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
- When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
- When Anti-Malware self-protection was enabled, sometimes third-party software could not be installed. SEG-101840/DSSEG-6694
- Behavior Monitoring exceptions sometimes did not work properly. SF03775351/SEG-89899/DSSEG-6718
- With Anti-Malware enabled, network transfer speeds slowed down significantly on some systems. SF04299217/SEG-103986/DSSEG-6780
- Anti-Malware Behavior Monitoring exceptions sometimes did not work properly. SF04259521/SEG-102792/DSSEG-6714
Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)
Release date: March 08, 2021
Build number: 20.0.0-2009
Enhancements
- Updated Deep Security Agent to include CPU information (number of logical cores) to improve diagnostics and performance tracking. DS-60011
Resolved issues
- The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
- Behavior Monitoring sometimes blocked a program without generating an event. SF03604820/SEG-86752/DS-60526
- When Anti-Malware was enabled, a high amount of CPU was used. SF04106889/SEG-99034/DS-60526
- Deep Security Agent sometimes crashed during an Anti-Malware manual scan. SEG-100231/DSSEG-6664
Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)
Release date: February 08, 2021
Build number: 20.0.0-1876
Resolved issues
- The Deep Security Agent sometimes crashed when running Intrusion Prevention in passive mode. DS-57497
- Activity Monitoring data could not be transferred to XDR because a proxy connection was established without a relevant port. SEG-97519
Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)
Release date: January 20, 2021
Build number: 20.0.0-1822
Resolved issues
- After a Windows update occurred, "Maintenance mode" for Application Control turned off automatically. SF03905860/SEG-93631/DS-58413
Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)
Release date: January 04, 2021
Build number: 20.0.0-1681
This release contains general improvements.
Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)
Release date: December 07, 2020
Build number: 20.0.0-1559
New features
Enhanced platform support
- Windows 10 20H2
Improved security
TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This resolves issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.
Enhancements
- Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
- Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
- Enhanced memory usage to improve performance. DS-53012
- Deep Security Agent now supports custom actions for Behavior Monitoring and Predictive Machine Learning. DS-48081
Resolved issues
- When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
- Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
- Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688
Notice
In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:
[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate
The most likely root cause is that agent cannot validate the certificate being presented to it by the manager. Pinning a trusted certificate is optional, so you can ignore this error if it doesn't apply to you. However, if you'd like to use a trusted certificate, follow the steps in Import a Deep Security Manager certificate chain issued by a public CA before activating the Deep Security Agent.
Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)
Release date: October 28, 2020
Build number: 20.0.0.1337
New features
Upgrade to supported paths: The Upgrade on activation feature only upgrades the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the Upgrade on activation feature detects the newer version and complete the upgrade to the designated release.
Enhancements
- Added various executable files as trusted installers so they are automatically recognized by Application Control. SF03568205/SEG-85141/DS-54884
- Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800/DS-51879
- Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
- Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680
Resolved issues
- In combined mode with agent-only and agent-preferred settings enabled, Deep Security Notifier sometimes turned the Antivirus status in the Windows action center on and off, which caused high CPU. DS-54799
- After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
- The Behavior Monitoring feature of Anti-Malware sometimes raised false alarms. DS-44974
- When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
- When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
- Deep Security Agent crashed unexpectedly because it was unable to detect the Docker engine version on Windows Servers. DS-29590
- Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
- There were detection issues with real-time Anti-Malware scans. DS-50286
- Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
- When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. DS-53144
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/DS-41233
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium
Action required: Customers participating in the Trend Micro XDR Activity Monitoring preview for Workload Security
This Deep Security Agent release includes required updates for the Trend Micro XDR Activity Monitoring preview. If you are currently participating in the preview, you must upgrade to Deep Security Agent 20.0.0-1337 or later by November 16, 2020. If you do not upgrade to Deep Security Agent 20.0.0-1337 or later, Activity Monitoring data will stop being collected on November 16, 2020. For more information about XDR and Activity Monitoring, see Integrate Workload Security with XDR.
Deep Security Agent 20.0.0-1337 or later uses a new network connection to send Activity Monitoring data to Trend Micro. The connection details can be found in Enable Activity Monitoring. Ensure that agent traffic to this destination is allowed so Activity Monitoring data can be sent to Trend Micro.
Known issues
While the Deep Security Relay is upgrading co-located or independent relays, the alerts "Anti-Malware protection is absent or out of date" and "Security Update: Security Update Check and Download Failed (Agent/Appliance error)" might occur for up to 20 minutes or longer before they're automatically resolved and the respective alerts cleared. For any subsequent Deep Security Agent upgrades to succeed, wait for the Deep Security Relay alerts to clear automatically. DS-54056
Deep Security Agent 20 (long-term support release)
Release date: July 30, 2020
Build number: 20.0.0.877
New features
Improved security
Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.
Protect AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, the computer is now created outside of the account and the agent is allowed to activate.
SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.
Improved quality and management
Reboot requirement removed for agent upgrade: Previously, there were several situations where a Windows server would require a reboot for a new agent to complete the upgrade. The need to reboot when upgrading from Deep Security Agent 11.0, 12.0, or 20.0 on any Windows Operating System has been completely removed, enabling the application to not be impacted as result of upgrading Deep Security Agent.
Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.
Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported with Deep Security Manager FR 2020-04-30. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?
Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been canceled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.
Anti-Malware real-time file scan report: Deep Security has the ability to determine the top 10 files that are scanned by Anti-Malware real-time scan. This provides a starting point for performance evaluating and tuning, as you can use this information to set file exclusions and avoid unnecessary scans. The 'AmTopNScan.txt' file with the collected data can be generated using the following methods:
- By the command dsa_control --AmTopNScan
- By the diagnostic service
Improved process exceptions: The process exception experience has been improved in the following ways:
- Information about why process exclusion items are not functioning correctly is now provided, so you can troubleshoot the issue and know which actions to take to resolve it.
- The process exception configuration workflow has been improved to make it more robust.
Windows Event Channel for Log Inspection: Windows Event Channel logging provides a new option for tracking OS and Application logging for Windows platforms newer than Windows Vista. Event channels can be used to collect Log Inspection events which you can view later.
Enhancements
- Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
- Removed Integrity Monitoring and Application Control's dependency on Anti-Malware, so they no longer require Anti-Malware to be installed to function.
- Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
- Added support for agentless mode on vCloud connector for version 9.5 or later.
- Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.
- Enhanced the Malware Scan Failure event description to indicate the possible reason.
- Streamlined event management for improved agent performance.
- Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
- Added support for Deep Security Agent delayed upgrade to reduce the Anti-Malware offline issue after triggering an upgrade.
Resolved issues
- After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
- Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
- Deep Security Agent restarted unexpectedly because of the way Log Inspection was accessing the SQLite database. DS-48395
- The interface isolation feature stayed active when Firewall was turned off. SEG-32926/DS-27099
- Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. DS-48916
- Integrity Monitoring events showed an incorrect file path with Unicode encoding. SEG-45239/DS-33911
- The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. SF02092464/SEG-53938/DS-38578
- Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. SEG-39711/DS-32799
- For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. SF01704358/SEG-45004/DS-32077
- Deep Security's Notifier.exe process caused high CPU usage. SF01716752/SEG-45507/DS-33645
- The "Smart Protection Server Disconnected for Smart Scan" alert did not automatically clear after the connection had been restored. SF1609675/SEG-43574/DS-32947
- In some cases, the Windows driver did not correctly release spinlock, causing the system to hang. SF01990859/SEG-50709/DS-36066
- Deep Security Agent process sometimes crashed when the detailed logging of SSL message was enabled and outputted. SF01745654/SEG-45832/DS-33007
- When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. SF01415702/SEG-42919/DS-33008
- The Send Policy action failed because of a GetDockerVersion error in Deep Security Agent. SF1939658/SEG-49191/DS-34222
- Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DS-34022
- The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. SEG-50728/DS-35446
- The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. SF01526046/SF02159742/SEG-55453/DS-38812
- Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app." error message in ds_agent.log. SEG-21208/DS-33134/DS-21352
- When the system region format is "Chinese (Traditional, Hong Kong SAR)", Deep Security Notifier displayed simplified Chinese instead of traditional Chinese. SEG-48075/DS-34778
- Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. SF02187371/SEG-56645/DS-39398
- Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. SF01804378/SEG-47425/DS-33690
- Too many file open events were being processed in user mode resulting in high CPU usage. SF02179544/SEG-55745/DS-39638
- The Type attribute was not displayed in Integrity Monitoring events when the default STANDARD attribute was set to monitor registry value changes. SF02412251/SEG-59848/DS-41118
- Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. SF01780211/SEG-46616/DSSEG-3607
- High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. SF02179544/SEG-55745/DS-41142
- The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. SF02092464/SEG-53938/DS-39981
- Deep Security failed to download security updates because of an outdated user agent string. SF02043400/SEG-52069/DS-41316
- When machines wrote document files to a file server, Anti-Malware needed to scan the files frequently, which caused other machines to fail to write the file because the file was being scanned. SF01949194/SEG-49854/DS-40100
- When Deep Security Agent scanned large files for viruses, it consumed a large amount of memory. SF01572110/SEG-48704/DS-43114
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/VRTS-3176
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
- Updated NGINX to 1.16.1. DSSEG-4600
- Updated to curl 7.67.0.
- Updated to openssl-1.0.2t.
- Updated JRE to the latest Java Update (8.0.241/8.43.0.6).
Known issues
- After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error may occur. To work around this issue, right-click the affected computer and select Actions > Clear Warnings/Errors, then Send Policy.
- After upgrading the Deep Security Agent on Windows 2008, Anti-Malware may go offline. If this occurs, fully uninstall Deep Security Agent, reboot your server, then reinstall the agent.
Upgrade notice
- If you have Application Control enabled, there may be a temporary performance impact while your software inventory is automatically rebuilding. DS-41775
Deep Security Agent - 20.0.1-25771 (20 LTS Update 2024-12-10)
Release date: December 10, 2024
Build number: 20.0.1-25771
Resolved issues
- Events including packet data were being logged with an incorrect packet size. PCT-45556/DSA-8074
Deep Security Agent - 20.0.1-23340 (20 LTS Update 2024-11-13)
Release date: November 13, 2024
Build number: 20.0.1-23340
Enhancements
- Web Reputation Service can now use Server Name Indication (SNI) queries when determining the risk level of a website. DSA-7314
Deep Security Agent - 20.0.1-21510 (20 LTS Update 2024-10-16)
Release date: October 16, 2024
Build number: 20.0.1-21510
This release contains general improvements.
Deep Security Agent - 20.0.1-19250 (20 LTS Update 2024-09-18)
Release date: September 18, 2024
Build number: 20.0.1-19250
This release contains general improvements.
Deep Security Agent - 20.0.1-17380 (20 LTS Update 2024-08-21)
Release date: August 21, 2024
Build number: 20.0.1-17380
Resolved issues
- Deep Security Agent could not load the policy if some policy configuration fields contained curly brackets. DSA-6189
- Deep Security Agent would fail to activate if the hostname contained non-ASCII characters. PCT-32214/DSA-6268
- When Intrusion Prevention was enabled for Deep Security Agent, some third-party applications had connectivity issues if they were reusing a source port. SF07685331/PCT-20541/DSA-5596
Deep Security Agent - 20.0.1-14610 (20 LTS Update 2024-07-17)
Release date: July 17, 2024
Build number: 20.0.1-14610
Resolved issues
- Integrity Monitoring real-time scans sometimes failed to generate events. SF07269768/PCT-21721/DSA-5877
- Deep Security Agent for AIX platforms was sometimes unable to start without configuring a supported locale. DSA-5876
Deep Security Agent - 20.0.1-12510 (20 LTS Update 2024-06-19)
Release date: June 19, 2024
Build number: 20.0.1-12510
Resolved issues
- When Anti-Malware was enabled, Deep Security Agent sometimes failed to shut down completely. PCT-26090/DSA-5492
Deep Security Agent - 20.0.1-9400 (20 LTS Update 2024-05-16)
Release date: May 16, 2024
Build number: 20.0.1-9400
Resolved issues
- Using Deep Security Agent with Web Reputation Service enabled prevented some Application Performance Monitoring (APM) applications from functioning correctly. SF04072723/SEG-97952/PCT-15716/DSA-4750
- The Anti-Malware Scheduled Scan on AIX platforms was including Network File System (NFS) contents, which should have been excluded. PCT-13912/DSA-4098
Deep Security Agent - 20.0.1-7380 (20 LTS Update 2024-04-24)
Release date: April 24, 2024
Build number: 20.0.1-7380
Enhancements
- Deep Security Agent now supports Trend Vision One Service Gateway exclusions. This is only supported for Trend Cloud One - Endpoint & Workload Security users at this time. V1E-17754
- Updated Deep Security Agent for AIX platforms to increase the pre-remove script timeout to 120 seconds. PCT-19843/DSA-4839
Resolved issues
- Deep Security Agents running in cloud environments sometimes could not be activated for Trend Cloud One - Endpoint & Workload Security. DSA-4861
Deep Security Agent - 20.0.1-4540 (20 LTS Update 2024-03-20)
Release date: March 20, 2024
Build number: 20.0.1-4540
This release contains general improvements.
Deep Security Agent - 20.0.1-3180 (20 LTS Update 2024-02-29)
Release date: February 29, 2024
Build number: 20.0.1-3180
Resolved issues
- Migration of agents from on-premise Deep Security Manager to Trend Cloud One - Endpoint & Workload Security using Trend Vision One Service Gateway failed. This issue could also occur when migrating using other proxy services. PCT-16649/DSA-4144
- Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent sometimes resulted in a TLS inspection process (tm_netagent) error log rotation issue. DSA-3965
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-11708/DSA-3702
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Known issues
- The Application Control Trust Entities "block by target" trust rule sometimes does not work properly when running a copy of an executable file. PCT-11105/DSA-3324
Deep Security Agent - 20.0.1-690 (20 LTS Update 2024-01-17)
Release date: January 17, 2024
Build number: 20.0.1-690
Enhancements
- From 2024 onward, Deep Security Agent versioning is being revised from 20.0.0 to 20.0.1. This requires Deep Security Manager 20.0.883 or later. DSA-3584.
For details, see Platform support updates for Deep Security Agent (DSA) version revision in January 2024 Update Release.
Resolved issues
- Deep Security Agent was sometimes unable to connect to the local Smart Protection Server. DSA-3564
Known issues
- Updating to Deep Security Agent 20.0.1-690 from some 20.0.0 versions sometimes fails when using Deep Security Relay on Trend Cloud One - Endpoint & Workload Security. For details, see Failed remote upgrade of self-deployed Workload Security relay from 20.0.0-3445 or later to version revision 20.0.1 DSA-3317
Deep Security Agent - 20.0.0-8438 (20 LTS Update 2023-12-12)
Release date: December 12, 2023
Build number: 20.0.0-8438
Resolved issues
- When using a local Smart Protection Server and a configured proxy, Web Reputation Service would sometimes improperly send traffic through the proxy. Web Reputation Service now sends queries to the local Smart Protection Server directly. DSA-2981
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSA-2722
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: Critical
Known issues
- Deep Security Agent is sometimes unable to connect to the local Smart Protection Server. This issue is fixed in 20.0.1-690. For details, see Deep Security Agent connection issues with Smart Protection Server when using proxy DSA-3564
Deep Security Agent - 20.0.0-8268 (20 LTS Update 2023-11-21)
Release date: November 21, 2023
Build number: 20.0.0-8268
Resolved issues
- Deep Security Anti-Malware sometimes did not function as expected after the system had resumed from sleep mode (S0 low-power idle mode of the working state, also known as modern standby). SF07326571/PCT-5476/DSA-2485
- Deep Security Agent incorrectly classified MIME type of
.xml
files generated by Microsoft Word, Excel, PowerPoint, as well as.dwg
files generated by AutoCAD and R2000. SF07027236/SEG-186079/DSA-2202 - A memory leak would occur when loading large Suspicious Object lists. SF06904914/SEG-182231/DSA-1370
Deep Security Agent - 20.0.0-8137 (20 LTS Update 2023-10-26)
Release date: October 26, 2023
Build number: 20.0.0-8137
This release contains general improvements.
Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)
Release date: September 26, 2023
Build number: 20.0.0-7943
Enhancements
- New commands exist to get proxy information from the command line:
dsa_query -c GetProxyInfo
dsa_query -c GetProxyInfo details=true
DSA-864 - In order to display agent pattern updates properly, Deep Security Agent 20.0.0-7943 or later requires Deep Security Manager 20.0.759 or later. For more information, see Incompatible Agent / Appliance Version error in Deep Security Agent 20.0.0-7943. SEG-190866/SEG-191017/DSA-1531
Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)
Release date: August 29, 2023
Build number: 20.0.0-7719
Enhancements
- Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
- Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. Note that agents configured as a Deep Security Relay still download all pattern updates. DSA-1000
- The "blocking page" Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
- Intrusion Prevention can now limit how many bytes are scanned for connections with a dynamic port number between 10001-65535. DS-78036
- Advanced Threat Scan Engine has been updated to version 22.6. DSA-453
Resolved issues
- Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
- Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
- Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756
Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)
Release date: July 25, 2023
Build number: 20.0.0-7476
Enhancements
- Updated the dsa-connect service to improve CPU performance. C1WS-12970
Resolved issues
- Deep Security Agent upgrades from 20.0.0.6313 to a newer version would sometimes fail, generating an "Abnormal Restart Detected" warning. SF06897730/SEG-180989/DS-78063
Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)
Release date: June 28, 2023
Build number: 20.0.0-7303
Enhancements
- Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation, such as fe80:0:0:0:0:0:0:1/24 or fe80::01. SF04849178/SEG-122076/DS-67280
- Activity Monitoring events now display the FQDN instead of the hostname. SF06709374/SEG-179186/C1WS-14644
- Web Reputation Service now automatically monitors the ports used by the OS proxy configuration. DS-77233
Resolved issues
- Deep Security Agents on AIX would sometimes crash when trying to upgrade to a new version. SF06643647/SEG-173140/DS-77359
- Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
- The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
- Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709
Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)
Release date: May 29, 2023
Build number: 20.0.0-7119
Enhancements
- Updated Deep Security Agent for Solaris to add an option to enable collecting interface latency metrics on Azure Data Explorer dashboards. DS-77025
Resolved issues
- MQTT connection credentials were entered in the Deep Security Agent log file (
ds_agent.log
) in certain scenarios. SEG-174560/C1WS-13282 - Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
- After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453
Deep Security Agent - 20.0.0-6912 (20 LTS Update 2023-05-02)
Release date: May 02, 2023
Build number: 20.0.0-6912
Enhancements
- Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to
ds_agent.ini
. SF06664116/SEG-173848/DS-77182
Example proxy probing line inds_agent.ini
config file:dsa.proxymanager.ProbeTimeoutInSec=120
- Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840
Resolved issues
- Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896
- When Web Reputation Service was enabled, Deep Security Agent caused some systems to shutdown unexpectedly. SF06680505/SEG-174730/DSSEG-7866
- Deep Security Agent sometimes crashed when shutting down after downloading new plugins from the relay. DS-76961
Deep Security Agent - 20.0.0-6658 (20 LTS Update 2023-03-22)
Release date: March 22, 2023
Build number: 20.0.0-6658
New features
Service Gateway: Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.741 or later now supports the Service Gateway feature, providing forward proxy functionality.
Enhancements
- Web Reputation Service now includes OS platform metadata. DS-75453
- Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (
dsa-connect-X.log
) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598
The logger supports an on-demand JSON config file (eitherdsa-connect.ini
ordsa-connect.conf
) with the following configurable options:- Debug: Enable the debug log messages. The default value is false.
- Count: Number of log files to generate. The default value is 5.
- Size: Maximum size of each log file in bytes. The default value is 2097152.
Example config file:
{ "Debug": true, "Count": 5, "Size": 2097152 }
Resolved issues
- When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
- Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
- When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
- Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
- A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
- When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
- Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
- Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
- Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)
Release date: January 31, 2023
Build number: 20.0.0-6313
Enhancements
-
Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676
To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
If you updated to Deep Security Agent 20.0.0-6313 or later before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent (DSA) offline when OpenSSL 3 rejects certificate with SHA-1 algorithm.
Resolved issues
- Updated Deep Security Agent for AIX platforms to support Advanced Threat Scan Engine (ATSE) version 21.600. DS-75323
- For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent only shows the final successful event. SF06207160/SEG-160085/DSSEG-7765
- The Deep Security Agent log file (
ds-agent.log
) sometimes failed to rotate, causing it to use more disk space than intended. SF05306459/SEG-137003/DS-72899 - With Web Reputation Enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (
_
) entered in a command was replaced with a dash (-
), and an uppercase Z was replaced with a lowercase z. DS-74335
Deep Security Agent - 20.0.0-5953 (20 LTS Update 2022-11-22)
Release date: November 22, 2022
Build number: 20.0.0-5953
This release contains general improvements. Note that this release only includes an agent for Solaris platforms.
Deep Security Agent - 20.0.0-5761 (20 LTS Update 2022-10-21)
Release date: October 21, 2022
Build number: 20.0.0-5761
Enhancements
- Updated Deep Security Agent to include additional metadata, such as
UserAgent
andReferrer
, for Web Reputation Services. DS-72196 - Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
- Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085
Resolved issues
- With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
- Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an Offline (Activation required) status. SEG-153050/DS-73807
Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)
Release date: September 22, 2022
Build number: 20.0.0-5512
Enhancements
- Updated Deep Security Agent to add multi-thread support for On-Demand scan and Scheduled Scan. DS-72797/DS-72798
Resolved issues
- Deep Security Agent reported host metadata in an unexpected format. DS-73411
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8100/VRTS-8101/DS-73087/DS-72528
Highest Common Vulnerability Scoring System (CVSS) score: 7.0
Highest severity: High
Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)
Release date: August 29, 2022
Build number: 20.0.0-5394
New features
AIX7.3 support: Deep Security Agent 20.0.0-5394 or later with Deep Security Manager 20.0.677 or later now supports AIX 7.3.
Enhancements
- Application Control now detects software changes for executables with non executable extensions. DS-70805
- Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
- Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833
Resolved issues
- When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
- Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
- When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
- Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
- When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
- Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
- Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699
Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)
Release date: July 26, 2022
Build number: 20.0.0-5137
Enhancements
- Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar
\*\*
which matches many sub directories. Single star\*
now only matches within your current directory. Existing rules that used a single star\*
to match many folders no longer work and need to be changed to use a globstar\*\*
. DS-71817
Resolved issues
- Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7102/VRTS-7070/VRTS-7041/VRTS-7039/DSSEG-7636
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699
Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)
Release date: July 4, 2022
Build number: 20.0.0-4959
Resolved issues
- With Log Inspection enabled, upgrades to Deep Security Agent 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
- When Anti-Malware is enabled alongside either Integrity Monitoring or Activity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
- With Anti-Malware enabled, Deep Security Agent sometimes crashed operating systems that were undergoing an ISO backup. SF05532786/SEG-139280/DS-71299
- Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866
Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)
Release date: May 31, 2022
Build number: 20.0.0-4726
Resolved issues
- On AIX servers, when the
LIBPATH
orLD_LIBRARY_PATH
environment variables for the system are defined, Deep Security Agent sometimes would not start. DS-70882 - Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
- Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
- An abnormal restart of Deep Security Agent sometimes lead to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-52329
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)
Release date: April 28, 2022
Build number: 20.0.0-4416
Enhancements
- Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515
Resolved issues
- With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7132/DS-70518
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)
Release date: April 6, 2022
Build number: 20.0.0-4185
Resolved issues
- Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
- Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
- Log Inspection was unable to parse system logs containing a single digit date format. SF04562942/SEG-115435/DS-69757
Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)
Release date: March 1, 2022
Build number: 20.0.0-3964
New features
Threat Intelligence: Threat Intelligence (formerly known as Connected Threat Defense) provides enhanced malware protection for new and emerging threats. For more information, visit Detect emerging threats using Threat Intelligence.
Enhancements
- Updated Deep Security Agent to exclude suspicious characters, such as
$
, found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989
Deep Security Agent - 20.0.0-3770 (20 LTS Update 2022-01-24)
Release date: January 24, 2022
Build number: 20.0.0-3770
Enhancements
- Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042
Resolved issues
- Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-68180
Highest Common Vulnerability Scoring System (CVSS) score: 9.1
Highest severity: High
Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)
Release date: November 24, 2021
Build number: 20.0.0-3445
Enhancements
- Updated Deep Security Agent to use TLS 1.2 strong cipher suite by default to improve security. The agent previously used the CBC cipher suite by default. DS-67204
- Updated Deep Security Agent to support using the "process name" property in "Ignore from source" rules for Application Control Trust Entities on Cloud One Workload Security. DS-67322
- Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347
Resolved issues
- Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
- Deep Security Agent sometimes caused connectivity issues, high CPU usage, or the system to crash. SEG-120758/SEG-123885/DS-67291
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6489/DSSEG-7210/DS-65113
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)
Release date: October 28, 2021
Build number: 20.0.0-3288
New features
- Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Resolved issues
- Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
- Some customers encountered an issue when the run-time CPU number was larger than expected, which led to crashes. DS-65757
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-65056
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-46018/DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)
Release date: October 08, 2021
Build number: 20.0.0-3165
Deep Security Agent 20.0.0.3165 has been released to Trend Micro Cloud One - Workload Security customers. However, it is not available on the Deep Security Agent software download page or released to customers using Deep Security Manager.
New features
- Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Resolved issues
- Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
- Some customers encountered an issue when the run-time CPU number was larger than expected, led to crashes. DS-65757
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-2921 (20 LTS Update 2021-08-30)
Release date: August 30, 2021
Build number: 20.0.0-2921
Resolved issues
- Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
- Deep Security Agent sometimes failed to properly display items under Events and Reports. DSSEG-7057
Deep Security Agent - 20.0.0-2740 (20 LTS Update 2021-07-29)
Release date: July 29, 2021
Build number: 20.0.0-2740
Enhancements
- Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547
Resolved issues
- Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
- Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
- Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
- Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
- With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
- With Integrity Monitoring enabled, Deep Security Manager caused high CPU usage on the authentication server for some systems. 04488319/SEG-110088/DS-63855
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. SF04613197/SEG-113566/DS-64050
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: High
Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)
Release date: July 01, 2021
Build number: 20.0.0-2593
Resolved issues
- Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
- Integrity Monitoring alerts sometimes triggered but did not appear in the Events and Reports tab. 04266346/SEG-103731/DS-62992
- Deep Security Agent failed to detect the correct platform under some configurations. 03804296/SEG-90864/DS-57809
- Application Control was detecting multiple "Application Control Software Changes Detected" events due to '.tmp" files being generated by PowerShell. C1WS-1608
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-5850/DS-54705
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium
Deep Security Agent - 20.0.0-2395 (20 LTS Update 2021-05-24)
Release date: May 24, 2021
Build number: 20.0.0-2395
Enhancement
- Deep Security Agent 20.0.0-2395 or later now supports Entrust Root Certificate Authority (G2) certificates. Non-G2 security certificates expire on 2022/07/09. After that date, only Deep Security Agent 20.0.0-2395 or later will have the latest Anti-Malware Smart Scan protection. DS-63010
Resolved issues
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-62154
Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)
Release date: April 12, 2021
Build number: 20.0.0-2204
New feature
Enhanced platform support
- Anti-Malware support for AIX: Deep Security Agent 20.0.0-2204 or later now supports Anti-Malware for AIX 6.1, AIX 7.1, and AIX 7.2.
Resolved issues
- With Anti-Malware enabled, Deep Security Agent sometimes caused "defunct processes" (that is, processes that remain in the system process table after they've completed execution). SEG-104452/DS-61593
- When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
- When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)
Release date: March 08, 2021
Build number: 20.0.0-2009
Resolved issues
- The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)
Release date: February 08, 2021
Build number: 20.0.0-1876
Resolved issues
- Activity Monitoring data could not be transferred to XDR because a proxy connection was established without a relevant port. SEG-97519
Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)
Release date: January 20, 2021
Build number: 20.0.0-1822
New feature
Anti-Malware support for AIX: Deep Security Agent 20.0.0-1822 or later now supports Anti-Malware for AIX 7.1 and 7.2.
Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)
Release date: January 04, 2021
Build number: 20.0.0-1681
This release contains general improvements.
Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)
Release date: December 07, 2020
Build number: 20.0.0-1559
New features
TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This resolves issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.
Enhancements
- Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
- Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
- Enhanced memory usage to improve performance. DS-53012
Resolved issues
- On Solaris servers where Integrity Monitoring was enabled and the rule: "Unix - Monitor Processes Running From '/tmp' Directories (ATT&CK T1059)" was assigned, a rule compile error was generated that referenced an "Unsupported Feature in Integrity Monitoring Rule". DS-55884
- When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
- Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
- Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688
Notice
In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:
[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate
The most likely root cause is that agent cannot validate the certificate being presented to it by the manager. Pinning a trusted certificate is optional, so you can ignore this error if it doesn't apply to you. However, if you'd like to use a trusted certificate, follow the steps in Import a Deep Security Manager certificate chain issued by a public CA before activating the Deep Security Agent.
Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)
Release date: October 28, 2020
Build number: 20.0.0.1337
Resolved issues
- When using Deep Security Agent on Solaris, the Integrity Monitoring port scanning feature did not work because the agent did not have access to information on the user ID under which a given port was opened. This prevented storage of any listening port information. The port scanning feature on Solaris agents has been modified to store the string "n/a" for the userid. This allows the remaining port information to be stored and used in the port scanning function. However, exclusions and inclusions based on User ID still do not function correctly because this information is not available. DS-53922
Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)
Release date: October 21, 2020
Build number: 20.0.0.1304
Enhancements
- Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680
Resolved issues
- Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
- Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)
Release date: October 5, 2020
Build number: 20.0.0.1194
Enhancements
- Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800
- Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061
Resolved issues
- Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
- Deep Security Agent crashed on Solaris 10 during upgrades. SEG-72634/SF02975849/DS-49295
- When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/DS-41233
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium
Deep Security Agent 20 (long-term support release)
Release date: July 30, 2020
Build number: 20.0.0.877
New features
Improved security
SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.
Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.
Improved quality and management
Upgrade to supported paths: The Upgrade on activation feature only upgrades the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the Upgrade on activation feature will detect the newer version and complete the upgrade to the designated release.
Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been canceled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.
Anti-Malware real-time file scan report: Deep Security has the ability to determine the top 10 files that are scanned by Anti-Malware real-time scan. This provides a starting point for performance evaluating and tuning, as you can use this information to set file exclusions and avoid unnecessary scans. The 'AmTopNScan.txt' file with the collected data can be generated using the following methods:
- By the command dsa_control --AmTopNScan
- By the diagnostic service
Improved process exceptions: The process exception experience has been improved in the following ways:
- Information about why process exclusion items are not functioning correctly is now provided, so you can troubleshoot the issue and know which actions to take to resolve it.
- The process exception configuration workflow has been improved to make it more robust.
Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.
Enhancements
- Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
- Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
- Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
- Increased the scan engine's URI path length limitation.
- Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
- Streamlined event management for improved agent performance.
- Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
- Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
Resolved issues
- After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
- Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
- The displayed packet header data contained redundant payload data. DS-45792
- Memory leaked during SSL decryption because of a flaw in the SSL processing. SEG-68263/DS-44360
- On specific Deep Security Agent servers the CPU usage spiked to 100% and pattern merges failed during the active update process. SEG-66210/02711299/DS-46429
- When a security update was triggered before Anti-Malware was ready, the security updates failed. DS-36952
- When real-time Integrity Monitoring was enabled with the rule "1002875: Unix Add/Remove Software" applied, the RPM database potentially locked. SEG-67275/SF02663756/DS-48524
- Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. SEG-71825/SF03021819/DS-48916
- Incorrect linking of certain libraries could lead to Deep Security Agent instability. SEG-72958/03071960/DS-49324
- Anti-Malware directory exclusion with wildcard didn't match subdirectories correctly. SF03131855/SEG-74892/DS-50245
- High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. SF02179544/SEG-55745/DS-41142
- Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. SF01780211/SEG-46616/DSSEG-3607
- Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. SF01804378/SEG-47425/DS-33690
- Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. SF02187371/SEG-56645/DS-39398
- The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. SF01526046/SF02159742/SEG-55453/DS-38812
- The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. SEG-50728/DS-35446
- Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DS-34022
- The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. SF1939658/SEG-49191/DS-34222
- When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. SF01415702/SEG-42919/DS-33008
- For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
- Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. SEG-39711/DS-32799
- Integrity Monitoring events showed an incorrect file path with Unicode encoding. SEG-45239/DS-33911
- The interface isolation feature was still on when Firewall was turned off. SEG-32926/DS-27099
- After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search X-Forwarded-For header after the header is parsed. SEG-60728/DS-42332
- Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SEG-48728/SF01919585/DS-34022
- On Solaris servers with clusters, the Deep Security Intrusion Prevention module would come under heavy load while inspecting the clusters' private traffic. The extra load caused latency issues, node evictions, and loss of synchronization events.
You can now configure the Packet Processing Engine on the agent to bypass traffic inspection on a specified interface. Where a specific interface on a computer is dedicated to cluster private traffic, this configuration can be used to bypass inspection of packets sent to and received from this interface. This results in faster packet processing on the bypassed interface and other interfaces.
Use of this configuration to bypass traffic inspection is a security risk. It is up to you to determine if the benefit of reduced latency outweighs the risk involved. It is also up to you to determine whether only the nodes in the cluster have access to the subnet whose interface is being bypassed.
To implement the bypass, do the following:
- Upgrade the Deep Security Agent to the latest build containing this fix.
- Create a file under /etc directory named "ds_filter.conf".
- Open the /etc/ds_filter.conf file.
- Add the MAC addresses of all NIC cards used for cluster communication, as follows:
- Save.
- Wait 60 seconds for your changes to take effect.
MAC_EXCLUSIVE_LIST=XX:XX:XX:XX:XX,XX:XX:XX:XX:XX
In the /etc/ds_filter.conf file:
- The MAC_EXCLUSIVE_LIST line must be the first line in the file.
- All letters in the MAC address must be uppercase.
- Leading zeros in each byte must be included.
Valid MAC_EXCLUSIVE_LIST:
MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E
MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E,6A:23:F0:0F:AB:34
Invalid MAC_EXCLUSIVE_LIST:
MAC_EXCLUSIVE_LIST=B:3A;12:F8:32:5E
MAC_EXCLUSIVE_LIST=0b:3a;12:F8:32:5e,6a:23:F0:0F:ab:34
MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E
If the MAC address is not valid, the interface is not bypassed. If the exact string "MAC_EXCLUSIVE_LIST=" is not present at the beginning of the line, no interfaces are bypassed. DSSEG-4055
Security updates
Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/VRTS-3176
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
- Updated NGINX to 1.16.1. DSSEG-4600
- Updated to curl 7.67.0.
- Updated to openssl-1.0.2t.
- Updated JRE to the latest Java Update (8.0.241/8.43.0.6).