Upgrade Deep Security Agent

Software upgrades can be initiated through Deep Security Manager or a third-party deployment system.

Prerequisites

Before you begin an agent upgrade:

  1. Check that you are upgrading from a supported version. You can upgrade to Deep Security 20 from the following versions:
    • Deep Security 11 LTS (GA version or LTS updates)
    • Deep Security 11 Feature Releases
    • Deep Security 12 LTS (GA version or LTS updates)
    • Deep Security 12 Feature Releases

    Note that Deep Security Agent with network features enabled (Firewall, Web Reputation, Intrusion Prevention) cannot be upgraded directly from version 20.0.0-3771 or earlier to version 20.0.3-8030 or later. It is recommended to perform a two-step upgrade:

    • Upgrade to any version between 20.0.0-3964 and 20.0.3-5660 inclusively.
    • Upgrade to the target version, such as 20.0.3-8030 or later.

  2. Back up the agent computers that you plan to upgrade. Make a system restore point or VM snapshot of each agent.
  3. Import the new agent package into the manager. See Import agent software.
  4. Upgrade all Deep Security Relays. See Upgrade Deep Security Relay.

    You must upgrade all relays before you begin upgrading agents, otherwise, upgrades may fail.

When you upgrade Deep Security Agent, Deep Security verifies your signature on Deep Security Agent to ensure that the software files have not changed since the time of signing. For more information, see Agent package integrity check.

Review the following platform-specific notes and complete any advised tasks:

Before upgrading the Deep Security Agent on a Linux platform, confirm the OS kernel is supported by the latest version of the agent. See Linux kernel compatibility

Immediately after upgrading Deep Security Agent 12 or later on Windows with Anti-Malware enabled, be aware that the Anti-Malware engine may appear as Offline. The engine returns to the Online state after the first heartbeat following the upgrade.

  • On Solaris 11, if you are upgrading from Deep Security Agent 9.0, you must first upgrade to Deep Security Agent 9.0.0-5616 or a later 9.0 agent, and from there, upgrade to Deep Security Agent 11.0. If you upgrade from an earlier build, the agent may fail to start. If this problem occurs, see Fix the upgrade issue on Solaris 11.
  • An upgrade on Solaris may take five minutes or longer to complete in some cases.

You are now ready to upgrade your agent using any of the provided methods.

Upgrade the agent starting from an alert

When a new agent software version is available, a message appears on Alerts.

  1. In the alert, click Show Details, and then click View all out-of-date computers.
    Computers appears, displaying all computers where Software Update Status is Out-of-Date. What is considered out-of-date is determined by version control rules you have configured. For details, see Configure agent version control.
  2. Continue with Upgrade the agent from the Computers page or Upgrade the agent manually.

Upgrade multiple agents at the same time

  1. In Deep Security Manager, go to Administration > Updates > Software.
  2. In the main pane, look under the Computers section to check if any computers or virtual appliances are running agents for which upgrades are available. The check is only performed against software that has been imported into Deep Security, not against software available from the Download Center.
  3. Click Upgrade Agent / Appliance Software to upgrade all out-of-date computers. What is considered out-of-date is determined by version control rules you have configured. For details, see Configure agent version control.

Upgrade the agent from the Computers page

  1. In Deep Security Manager, go to Computers, and then:
    • Right-click the computers that you want to upgrade, then select Actions > Upgrade Agent Software.

      Or

    • Select the computers that you want to upgrade, click Actions near the top, and select Upgrade Agent Software.

      Or

    • Double-click a computer that you want to upgrade and on the Computer details dialog, click Upgrade Agent.

    You must upgrade your relays before your agents to prevent failures. Learn more. To identify a relay, look for the relay icon ().

  2. In the dialog that appears, select Agent Version. You should select the default option Use the latest version for platform (X.Y.Z.NNNN).
  3. Click Next.

Upgrade the agent on activation

If Deep Security Agent is installed on Linux or Windows, you can automatically upgrade the agent to the newest software version compatible with your Deep Security Manager when the agent is activated or reactivated. For details, see Automatically upgrade agents on activation.

 

Upgrade the agent from a scheduled task

You can create a Scheduled Task to upgrade a group of agents on a set schedule. For details, see Scheduled Agent Upgrade Task.

Upgrade the agent manually

Sometimes you may not be able to upgrade the agent software from the Deep Security Manager. Reasons may include the following:

  • There are connectivity restrictions between the manager and agent computers.
  • Your agent software is too old, and the manager does not support upgrading it anymore.
  • You prefer to deploy upgrades using a third-party system.

If any of the preceding scenarios describe your situation, you can upgrade the agent by running the installer manually. The method varies by operating system.

  1. Disable agent self-protection to allow the installer to make modifications to the agent. To disable self-protection:
    1. In the Deep Security Manager, go to Computer editorClosed To open the Computer editor, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Settings > General.
    2. In Agent Self Protection, deselect Prevent local end-users from uninstalling, stopping, or otherwise modifying the Agent or enter a password for a local override.
  2. Export the new agent ZIP from the manager. See Export the agent installer for instructions. If multiple new agents are available for your platform, choose the latest one.
  3. Copy the ZIP to the agent computer and extract it.
  4. Double-click the MSI file in the root of the ZIP file. The installer detects the previous agent and performs the upgrade.
  1. Disable agent self-protection to allow the installer to make modifications to the agent.
  2. Export the new agent ZIP file from the manager. See Export the agent installer for instructions. If multiple new agents are available for your platform, select the latest one.
  3. Copy the ZIP file to the agent computer and extract it.
  4. If the computer uses the RPM package manager (Red Hat, CentOS, Amazon Linux, Cloud Linux, SUSE), run the following command:

    rpm -U <new agent installer rpm>

    The -U argument instructs the installer to perform an upgrade.

    If the computer uses the dpkg package manager (Debian or Ubuntu), enter the command:

    dpkg -i <new agent installer dpkg>

  1. Export the new agent ZIP from the manager. See Export the agent installer for instructions. If multiple new agents are available for your platform, choose the latest one.
  2. Copy the ZIP to the agent computer and extract it.
  3. Run the installer:

  • Solaris 11, one zone (run in the global zone):

    x86: pkg update -g file:///mnt/Agent-Solaris_5.11-9.x.x-xxxx.x86_64/Agent-Core-Solaris_5.11-9.x.x-xxxx.x86_64.p5p pkg:/security/ds-agent

    SPARC: pkg update -g file:///mnt/Agent-Solaris_5.11-9.x.x-xxxx.x86_64/Agent-Solaris_5.11-9.x.x-xxxx.sparc.p5p pkg:/security/ds-agent

  • Solaris 11, multiple zones (run in the global zone):

    mkdir <path>

    pkgrepo create <path>

    pkgrecv -s file://<dsa core p5p file location> -d <path> '*'

    pkg set-publisher -g <path> trendmicro

    pkg update pkg://trendmicro/security/ds-agent

    pkg unset-publisher trendmicro

    rm -rf <path>

  • Solaris 10: Create an installation configuration file named ds_adm.file with the following content, and then save it in the root directory. Next, run this command to install the package:

    pkgadd -G -v -a /root/ds_adm.file -d Agent-Core-Solaris_5.10_U7-10.0.0-1783.x86_64.pkg

Content of ds_adm.file

mail=

instance=overwrite

partial=nocheck

runlevel=quit

idepend=nocheck

rdepend=quit

space=quit

setuid=nocheck

conflict=quit

action=nocheck

proxy=

basedir=default\

  1. Export the new agent ZIP from the manager. See Export the agent installer for instructions. If multiple new agents are available for your platform, choose the latest one.
  2. Copy the ZIP to the agent computer and extract it. A BFF file becomes available.
  3. Copy the BFF file to a temporary folder such as /tmp on the AIX computer. For detailed instructions, see Install the agent manually.
  4. Upgrade the agent. Use these commands:

    /tmp> rm -f ./.toc

    /tmp> installp -a -d /tmp/<agent_BFF_file_name> ds_agent

    where <agent_BFF_file_name> is replaced with the name of the BFF installer file you extracted.

 

Upgrade the agent embedded on the virtual appliance automatically

The Deep Security Virtual Appliance includes an embedded Deep Security Agent. You can configure Deep Security to upgrade this agent automatically to the latest version during the virtual appliance's deployment into NSX.

If you have already deployed the virtual appliance into NSX, you should upgrade the embedded agent following these alternative instructions: Upgrade the agent embedded on the appliance SVM.

To configure auto-upgrade of the embedded agent during the virtual appliance deployment into NSX, do the following:

  1. In Deep Security Manager, import the latest virtual appliance package. See Deploy the appliance (NSX-T 3.x), or Deploy the appliance (NSX-V)
  2. Import the correct virtual appliance patches and agent. See Upgrade the agent embedded on the appliance SVM. In these instructions, ignore the last instructions to upgrade the embedded agent since it hasn't been deployed yet.
  3. Go to Administration > System Settings > Updates.
  4. In the main pane, find the Virtual Appliance Deployment heading, near the bottom.
  5. From the Upon deployment, update Deep Security Virtual Appliances to drop-down list, select the latest agent version or keep the default of Latest Available (Recommended).

    Versions of the agent software that pre-date the imported appliance do not appear in the list.

  6. Click Save.

    The agent that's embedded on the virtual appliance will now be upgraded automatically when you deploy the virtual appliance into NSX. For deployment instructions, see Deploy the appliance (NSX-T 3.x) or Deploy the appliance (NSX-V).

Upgrade best practices for agents

If you have critical workloads running on your agent servers, follow these best practices when upgrading:

  • Upgrade when the computers are less busy.
  • Test the upgrade procedure first in a staging environment before upgrading production servers.
  • When upgrading production servers, upgrade one server at a time for the first few servers. Allow a soak period in between each server upgrade.
  • After individually upgrading a number of production servers for a given OS version (and application role, on Solaris or AIX), upgrade the remaining servers in groups.
  • Also review the Best practices for upgrades.