Get Deep Security Agent software

To install Deep Security Agent, you must download the agent installer and load packages for the agent's protection modules into Deep Security Manager.

Even if you use a third-party deployment system, you must import all installed Deep Security Agent software into the Deep Security Manager's database. When a Deep Security Agent is first activated, it only installs protection modules that are currently enabled in the security policy. If you enable a new protection module later, Deep Security Agent will try to download its plug-in from Deep Security Manager. If that software is missing, the agent may not be able to install the protection module.

View agent software available for download

To view a complete list of software that's available for import into Deep Security Manager, you can start from Deep Security Manager or you can start from the Help Center.

Starting from Deep Security Manager:

  1. In Deep Security Manager, go to Administration > Updates > Software > Download Center. The Download Center lists all available software that is supported with the Deep Security Manager you're using.
  2. (Optional) Organize the list of software by version or platform (OS) by selecting Version or Platform from the drop-down list at the top.
  3. (Optional) Search the software by entering a search string in the search box at the top-right.

Starting from the Help Center:

  1. In the Deep Security Help Center, click Software on the left. The Deep Security Software page appears.
  2. Click the Major Releases (LTS) tab for long-term support releases, or the Feature Releases (FR) tab for feature releases. For details on these release types, see Deep Security 20 release strategy and life cycle policy.

View a list of imported agent software

To view a list of software that you have imported into Deep Security Manager:

  1. In Deep Security Manager, go to Administration > Updates > Software > Local. All your imported software appears.
  2. (Optional) Organize the list of software by version or platform (OS) by selecting Version or Platform from the drop-down list at the top.

Import agent software

Even if you don't use Deep Security Manager to deploy agent updates, you must still import the software into the Deep Security Manager. There are a few import methods:

Import agent software directly, from the Download Center

  1. Make sure your Deep Security Manager computer has Internet access. If not, see instead Import agent software indirectly, from the Help Center.
  2. In Deep Security Manager, go to Administration > Updates > Software > Download Center.

    The Trend Micro Download Center displays all versions of available software.

  3. From the drop-down list at the top, select Platform.
  4. Expand a platform to view the agents available for it.
  5. Under the VERSION field, look for the version you want and click the import icon. Follow these guidelines:

    Deep Security Manager connects to the Internet to download the software from Trend Micro Download Center. The manager then checks the digital signature on the software package. When the manager has finished, a green check mark appears in the IMPORTED column for that agent. Software packages now appear on Administration > Updates > Software > Local.

    If a package cannot be imported, you can try importing it indirectly instead.

Import agent software indirectly, from the Help Center

If your Deep Security Manager is "air-gapped" (not connected to the Internet), or if a direct import didn't work, you can try importing the agent software indirectly:

  1. On a computer that has access to the Internet, go to the Deep Security Help Center.
  2. On the left, click Software. The Deep Security Software page appears.
  3. Download the software ZIP you want. For details on long-term support (LTS) releases and feature releases, see Deep Security 20 release strategy and life cycle policy.
  4. Move the software ZIP to the Deep Security Manager computer.
  5. In Deep Security Manager, go to Administration > Updates > Software > Local.
  6. In the main pane, click Import to import the ZIP file. The manager checks the digital signature on the ZIP file, and if it's good, allows the import to occur.

Import agent software updates automatically

You can have Deep Security Manager look for newer software on the Download Center and import it to your local inventory automatically. Deep Security Manager only imports updates to already-imported software.

An 'update' is a build in which only the last set of numbers changes.

For example, if you already imported agent version, then these versions...

...would be imported automatically, because they are update builds of

However, these versions...

...would not.
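
The update-build rule stated above, as an added example (not Trend Micro code). It assumes that a version is a series of numeric groups separated by "." or "-", that the final group is the "last set of numbers", and that only newer builds are imported; every version other than 12.0.0-682 is constructed sample data.

```python
import re

def parse_version(version):
    """Split a version such as '12.0.0-682' into its numeric groups."""
    text = version.strip()
    if not re.fullmatch(r"\d+(?:[.-]\d+)+", text):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(group) for group in re.split(r"[.-]", text))

def is_update_build(imported, candidate):
    """True when only the last numeric group differs and the candidate is newer."""
    old, new = parse_version(imported), parse_version(candidate)
    return len(old) == len(new) and old[:-1] == new[:-1] and new[-1] > old[-1]

def auto_import_candidates(imported_versions, listed_versions):
    """Map each listed version to the imported versions it is an update build of."""
    result = {}
    for candidate in listed_versions:
        bases = [v for v in imported_versions if is_update_build(v, candidate)]
        if bases:
            result[candidate] = bases
    return result

# Constructed sample data: one imported version and a hypothetical listing.
IMPORTED = ["12.0.0-682"]
LISTED = ["12.0.0-725", "12.0.0-563", "12.0.1-100", "12.5.0-700", "20.0.0-877"]

if __name__ == "__main__":
    for version, bases in auto_import_candidates(IMPORTED, LISTED).items():
        print(f"{version}: update build of {', '.join(bases)}")
```

Under these assumptions, a release whose earlier groups differ is never matched, so it has to be imported manually before its own update builds are picked up.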

To have Deep Security Manager auto-import agent update builds to your local inventory:

  1. In Deep Security Manager, go to Administration > System Settings > Updates.
  2. Select Automatically download updates to imported software.
  3. Click Save.

    This setting imports the software to Deep Security Manager but will not automatically update your agent or appliance software. Continue with Upgrade Deep Security Agent.

Export the agent installer

You can download the agent installer from Deep Security Manager.

  1. In Deep Security Manager, go to Administration > Updates > Software > Local.
  2. Select your agent from the list. If you have imported multiple versions of the same agent, the latest version of the software will have a green check mark in the Is Latest column.

    If you're looking for a Solaris agent, see Solaris-version-to-agent-package mapping table for information on which agent to choose.

  3. Click Export > Export Installer.

    The manager then checks the digital signature on the software package. If the signature is good, the export proceeds.

  4. Save the agent installer. If you will install the agent manually, save it on the computer where you want to install Deep Security Agent.

To install Deep Security Agent, only use the exported agent installer (the .msi, .rpm, .pkg, .p5p, or .bff file depending on the platform), not the full agent ZIP package. If you run the agent installer from the same folder that holds the other zipped agent components, all protection modules will be installed, even if you haven't enabled them on the computer. This consumes extra disk space. (For comparison, if you use the .msi, .rpm, .pkg, .p5p, or .bff file, the agent will download and install protection modules only if your configuration requires them.)

Installing an agent, activating it, and applying protection with a security policy can be done using a command line script. For more information, see Use deployment scripts to add and protect computers.

You can generate deployment scripts to automate the agent installation using the Deep Security API. For more information, see Generate an agent deployment script.

Solaris-version-to-agent-package mapping table

If you're not sure which agent package to pick when importing and exporting the agent, review the mapping table below.

If you're installing the agent on... Choose this agent package... Help Center option
Solaris 10 Updates 4-6 (64-bit, SPARC or x86)



Solaris 10 Updates 7-11 (64-bit, SPARC or x86)


Solaris 11.0 (1111)-11.3 (64-bit, SPARC or x86)


Solaris 11.4 (64-bit, SPARC or x86) Agent-Solaris_5.11_U4-xx.x.x-xxx.<sparc|.x86_64>.zip Solaris_5.11_U4


  • The Help Center option column shows you which option to select from the Agent drop-down list on the Help Center's 'Deep Security Software' page, if that's how you've chosen to obtain the package.
  • is the build number of the agent. For example: 12.0.0-682
  • <sparc|.x86_64> is one of sparc or .x86_64, depending on the Solaris processor.

AIX agent package naming format

The naming format is different depending on the agent version:

  • Deep Security Agent 12 for AIX: Agent-AIX-<agent_release>-<agent_build> Example:
  • Deep Security Agent 9.0 for AIX: Agent-AIX_<AIX_version>-<agent_release>-<build> Example:

For details on which agent you'll need for the version of AIX you're using, see Deep Security Agent platforms.

Delete a software package from the Deep Security database

To save disk space, Deep Security Manager will periodically remove unused packages from the Deep Security database. To configure the maximum number of old packages kept, go to System Settings > Storage.

Deep Security Virtual Appliance uses the same protection modules as Deep Security Agent for 64-bit Red Hat Enterprise Linux. Therefore, if you have an activated Deep Security Virtual Appliance and try to delete the 64-bit Red Hat Enterprise Linux Agent software package from the database, an error message will tell you that the software is in use.

There are two types of packages that can be deleted:

  • agent
  • kernel support

Deleting agent packages in single-tenancy mode

In single-tenancy mode, Deep Security automatically deletes agent packages that are not currently being used by agents. Alternatively, you can manually delete unused agent packages. Only unused software packages can be deleted.

For the Windows and Linux agent packages, only the currently used package (whose version is the same as the agent installer) cannot be deleted.

Deleting agent packages in multi-tenancy mode

In multi-tenancy mode, unused agent packages are not deleted automatically. For privacy reasons, Deep Security cannot determine whether software is currently in use by your tenants, even though you and your tenants share the same software repository in the Deep Security database. Deep Security does not prevent you, as the primary tenant, from deleting software that is not currently running on any of your own account's computers, but before deleting a software package, be very sure that no other tenants are using it.

Deleting kernel support packages

In both single and multi-tenancy mode, Deep Security automatically deletes unused kernel support packages. A kernel support package can be deleted if both of these conditions are true:

  • No agent package has the same group identifier.
  • Another kernel support package has the same group identifier and a later build number.

You can also manually delete unused kernel support packages. For Linux kernel support packages, only the latest one cannot be deleted.
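
The two deletion conditions above, applied to a package inventory as an added example (not Trend Micro code). The Package record, its field names and every value in INVENTORY are hypothetical; how to read a package's group identifier from the product is not covered on this page.

```python
from collections import namedtuple

# Hypothetical inventory record: field names and values are assumptions.
Package = namedtuple("Package", "name kind group_id build")

def review_kernel_support(inventory):
    """Return {package name: (deletable, reason)} for kernel support packages."""
    agent_groups = {p.group_id for p in inventory if p.kind == "agent"}
    latest = {}
    for p in inventory:
        if p.kind == "kernel_support":
            latest[p.group_id] = max(p.build, latest.get(p.group_id, p.build))
    verdicts = {}
    for p in inventory:
        if p.kind != "kernel_support":
            continue
        if p.group_id in agent_groups:
            # Condition 1 fails: an agent package has the same group identifier.
            verdicts[p.name] = (False, "an agent package shares its group identifier")
        elif latest[p.group_id] <= p.build:
            # Condition 2 fails: no other package in the group has a later build.
            verdicts[p.name] = (False, "no later build exists in its group")
        else:
            verdicts[p.name] = (True, f"superseded by build {latest[p.group_id]}")
    return verdicts

def deletable(inventory):
    """Names of kernel support packages that meet both conditions."""
    return sorted(n for n, (ok, _) in review_kernel_support(inventory).items() if ok)

# Constructed sample inventory.
INVENTORY = [
    Package("agent-A", "agent", "grp-1", 682),
    Package("ksp-A-old", "kernel_support", "grp-1", 650),
    Package("ksp-A-new", "kernel_support", "grp-1", 700),
    Package("ksp-B-old", "kernel_support", "grp-2", 500),
    Package("ksp-B-mid", "kernel_support", "grp-2", 520),
    Package("ksp-B-new", "kernel_support", "grp-2", 540),
    Package("ksp-C-only", "kernel_support", "grp-3", 300),
]

if __name__ == "__main__":
    for name, (ok, reason) in review_kernel_support(INVENTORY).items():
        print(f"{'DELETE' if ok else 'KEEP  '} {name}: {reason}")
```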