What's new in Deep Security Agent?

Linux

Deep Security Agent - 20.0.2-1390 (20 LTS Update 2025-01-15)

Release date: January 15, 2025

Build number: 20.0.2-1390

New features

User-based Firewall events: Firewall events now include username whenever possible. This feature is in preview and is only available to certain customers at this time.

Enhancements

Deep Security Agent now queues packets to handle them in sequence, improving performance. DSA-6916

Resolved issues

Deep Security Agent sometimes had connectivity issues when Advanced TLS Traffic Inspection was enabled. DSA-8577

Security updates

This release contains updates to third-party libraries. DSA-7696/DSA-7697/DSA-8042

Deep Security Agent - 20.0.1-25771 (20 LTS Update 2024-12-10)

Release date: December 10, 2024

Build number: 20.0.1-25771

New features

Version Control Policy: Deep Security Agent now supports Version Control Policy, which allows Trend Vision One version control policies to manage agent and component updates for any endpoint with the Trend Micro Endpoint Basecamp (XBC) agent installed. For more information, see Version Control Policies. This is currently in pre-release, and is only supported for Trend Vision One - Server & Workload Protection.

Quarantine auto-cleanup: Deep Security Agent will now automatically purge parts of files in the quarantine folder if its disk space usage exceeds the maximum amount. Max disk space usage (1024 MB by default) is configurable from Computer (or Policy) > Anti-Malware > Advanced > Identified Files. This feature is only available for Cloud One Workload Security at this time.

Enhancements

Deep Security Agent 20.0.1.25771 or later supports FIPS mode for Ubuntu 22.04. DSA-7699
Deep Security Agent now supports Advanced TLS Traffic Inspection for Intrusion Prevention on Apache Tomcat servers running OpenJDK 8 on 64-bit Linux operating systems. DSA-8244
Deep Security SAP Scanner can now report results to SAP applications when it identifies password-protected compressed files attached to an email in Microsoft Outlook Item (MSG) format. SF07873657/PCT-23367/DSA-7716
Anti-Malware's Behavior Monitoring detection level and prevention level can now be configured. DSA-6796
Deep Security Agent now detects if its relay proxy is Trend Vision One Service Gateway Forward Proxy Service, and uses the Service Gateway domain allow list to decide whether the connection should use the relay proxy or not. SF07267852/PCT-29311/DSA-6274
Deep Security Agent now supports additional options to fine-tune detection sensitivity for Anti-Malware, Behavior Monitoring, and Predictive Machine Learning for real-time scan. This enhancement is only available in Trend Cloud One - Endpoint & Workload Security. DSA-6062
Improved detection and protection against malicious processes that can be launched through a memory file descriptor (memfd). DSA-6009

Resolved issues

Events including packet data were being logged with an incorrect packet size. PCT-45556/DSA-8074
Some systems with Anti-Malware enabled encountered a memory leak. DSA-8243
Some systems encountered a memory issue that caused Anti-Malware to stop working. PCT-46330/DSA-8156
Deep Security SAP Scanner would incorrectly report scan failures when two or more files with the same content were included in a compressed file. PCT-38781/DSA-7324
Deep Security Agent had higher than usual CPU usage if Integrity Monitoring was disabled following an Integrity Monitoring scan. SF07991055/PCT-31459/DSA-6195
Rebooting caused some systems to hang if agent self-protection was enabled. PCT-27574/PCT-29800/DSA-6007
When SAP was enabled, duplicate exclude paths were sometimes created and would remain even after SAP was disabled. DSA-7595

Security updates

This release contains updates to third-party libraries. DSA-7124

Deep Security Agent - 20.0.1-23340 (20 LTS Update 2024-11-13)

Release date: November 13, 2024

Build number: 20.0.1-23340

Enhancements

Deep Security Agent 20.0.1-23340 or later adds additional support for Red Hat Enterprise Linux 9 (PowerPC little-endian). For details, see supported features by platform for Deep Security 20 LTS or Trend Cloud One - Endpoint & Workload Security. DSA-7234
Web Reputation Service can now use Server Name Indication (SNI) queries when determining the risk level of a website. DSA-7314
Connection timeout for the Predictive Machine Learning service was extended to nine seconds to reduce the number of "Census, Good File Reputation, and Predictive Machine Learning Service Disconnected" events (Event ID 945). DSA-5321

Resolved issues

When Deep Security Agent had Advanced TLS Traffic Inspection enabled using Transport Layer Security (TLS) 1.3, some systems encountered a kernel panic crash. PCT-43009/DSA-7787
Some systems running Deep Security Agent encountered an operating system crash caused by retrieving an invalid memory address. PCT-33865/DSA-6335

Deep Security Agent - 20.0.1-21510 (20 LTS Update 2024-10-16)

Release date: October 16, 2024

Build number: 20.0.1-21510

New features

Red Hat Enterprise Linux 9 (PowerPC little-endian) support: Deep Security Agent 20.0.1-21510 or later supports Anti-Malware, and SAP Scanner for Red Hat Enterprise Linux 9 (PowerPC little-endian). This requires Deep Security Manager 20.0.979 or later.

Enhancements

Advanced Threat Scan Engine has been updated to version 24.5. DSA-7354

Resolved issues

High CPU usage would occur when both Application Control and FIPS were enabled. DSA-6842
When the SAP Scanner library re-established connections to Deep Security Agent, the scan requests sent from the SAP Scanner library would sometimes be rejected. SF08196066/PCT-34824/DSA-7608
Deep Security SAP Scanner would sometimes crash when scanning for files in certain formats, like CSV. PCT-41353/DSA-7609

Deep Security Agent - 20.0.1-19250 (20 LTS Update 2024-09-18)

Release date: September 18, 2024

Build number: 20.0.1-19250

New features

Ubuntu 24.04 support: Deep Security Agent 20.0.1-19250 or later supports Ubuntu 24.04 including Secure Boot support. This requires Deep Security Manager 20.0.954 or later.

Enhancements

Updated Deep Security Agent to improve compatibility with older versions of the SAP Scanner. SF08196066/PCT-34824/DSA-6819
Deep Security Agent now supports the Alibaba Cloud connector type. DSA-6018

Resolved issues

Deep Security Agent caused high CPU usage on systems with both Application Control and FIPS enabled. DSA-6842
Anti-Malware engine did not start correctly during Deep Security Agent startup on systems using XDR Endpoint Sensor. DSA-7158
An issue detecting the operating system information sometimes prevented Deep Security Agent from installing on Rocky Linux 9. PCT-26151/DSA-5630

Security updates

This release contains updates to third-party libraries. DSA-6156/DSA-6942

Deep Security Agent - 20.0.1-17380 (20 LTS Update 2024-08-21)

Release date: August 21, 2024

Build number: 20.0.1-17380

Enhancements

Web Reputation Service "Smart Protection Server Disconnected" events now include FQDN or IP address information in the description field. DSA-5408
SAP Scanner now classifies Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages as text files. SF07895338/PCT-24359/DSA-5790
SAP Scanner now associates JavaScript with compatible file extensions. For details, see Supported MIME types. SF08102626/PCT-31518/DSA-6192

Resolved issues

Anti-Malware engine sometimes crashed. DSA-5536
SAP Scanner incorrectly classified valid CSV files if the data was formatted on a single line. SF07967718/PCT-26844/DSA-6102
SAP Scanner sometimes incorrectly identified image files as ASP scripts. SF07764878/PCT-20406/DSA-6122
Kernel Support Package (KSP) did not reload automatically after being imported. DSA-6159
Deep Security Agent could not load the policy if some policy configuration fields contained curly brackets. DSA-6189
Deep Security Agent failed to activate if the hostname contained non-ASCII characters. PCT-32214/DSA-6268
Deep Security Agent sometimes failed to shut down completely if integrating with Trend Micro Endpoint Basecamp (XBC) agent. SF08143019/PCT-32915/DSA-6347
Deep Security Agent incorrectly created a temporary directory named /opt/ds_agent@tmp during installation. DSA-6412
When Intrusion Prevention was enabled for Deep Security Agent, some third-party applications had connectivity issues if they were reusing a source port. SF07685331/PCT-20541/DSA-5596
When Anti-Malware accessed files on a Cluster Shared Volume, the Hyper-V host crashed. SF05713918/SF05850687/SF07038125/SEG-146660/SEG-148664/SEG-186072/PCT-41910/PCT-5467/DSSEG-7664

Known issues

Deep Security Agent Application Control causes high CPU usage. PCT-36414
Anti-Malware engine is not starting correctly during Deep Security Agent startup on systems using XDR Endpoint Sensor. DSA-7158

Deep Security Agent - 20.0.1-14610 (20 LTS Update 2024-07-17)

Release date: July 17, 2024

Build number: 20.0.1-14610

New features

SUSE Linux Enterprise Server 15 (AWS ARM-Based Graviton 2) support: Deep Security Agent 20.0.1-14610 or later supports SUSE Linux Enterprise Server 15 (AWS ARM-Based Graviton 2). This requires Deep Security Manager 20.0.926 or later. DSA-4836

Enhancements

SAP Scanner now associates the following MIME types with compatible file extensions. For details, see Integrate with SAP NetWeaver.
- TrueType Font (TTF). SF08102626/PCT-31518/DSA-6049
- Java Archive (JAR). SF08102626/PCT-31518/DSA-6044
- Apple QuickTime File Format (QTFF). SF07967718/SF07840151/PCT-22825/PCT-26844/DSA-5887/DSA-5567
- Microsoft Advanced Systems Format (ASF). SF07967718/PCT-26844/DSA-5886

Resolved issues

Deep Security Agent still tried to test connections for Service Gateways. DSA-5814
A Deep Security Agent restart sometimes caused Application Control to report drift events. SF07813110/PCT-25731/DSA-5798
Deep Security Agent was only able to use the primary IP address for Service Gateway. DSA-4513
Integrity Monitoring real-time scans sometimes failed to generate events. SF07269768/PCT-21721/DSA-5877
Switching from User Mode to Kernel Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes caused Deep Security Agent to lose real-time Anti-Malware protection. DSA-6090

Deep Security Agent - 20.0.1-12510 (20 LTS Update 2024-06-19)

Release date: June 19, 2024

Build number: 20.0.1-12510

Enhancements

Deep Security Agent 20.0.1-12510 or later adds additional support (including SAP Scanner) for Red Hat Enterprise Linux 8.6 (PowerPC little-endian). For details, see supported features by platform for Deep Security 20 LTS or Trend Cloud One - Endpoint & Workload Security. DSA-4835
Advanced TLS Traffic Inspection now supports separate configurations for "Inspect Inbound TLS/SSL Traffic" and "Inspect Outbound TLS/SSL Traffic". For detailed configuration steps, see https://help.deepsecurity.trendmicro.com/20_0/on-premise/intrusion-prevention-ssl-traffic.html#EnableTLS.

Resolved issues

When Anti-Malware had only basic functions, some systems would hang. DSA-4821
When Anti-Malware was enabled, Deep Security Agent sometimes failed to shut down completely. PCT-26090/DSA-5492

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-12022/DSA-5484

Highest Common Vulnerability Scoring System (CVSS) score: 5.5

Highest severity: Medium

Known issues

There is a performance impact when Inspect Inbound TLS/SSL Traffic and Inspect Outbound TLS/SSL Traffic are enabled at the same time in Advanced TLS Inspection settings. For details, see Performance impact of bi-directional TLS inspection in Deep Security. DSA-5959
Switching from User Mode to Kernel Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6090
Switching to User Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6104

Deep Security Agent - 20.0.1-9400 (20 LTS Update 2024-05-16)

Release date: May 16, 2024

Build number: 20.0.1-9400

New features

User mode solution: User mode can now be enabled from the Trend Cloud One - Endpoint & Workload Security or Deep Security Manager UI to provide event generation and protection through basic functions for Anti-Malware on systems that lack kernel support.

Enhancements

SAP Scanner now supports the SCANLOGPATH parameter. For details, see Integrate with SAP NetWeaver. PCT-21958/DSA-4924
Updated Deep Security Agent to improve the priority for configurations using a proxy. DSA-4817/PCT-21750
Deep Security Agent can now retrieve Service Gateway settings from the Trend Micro Endpoint Basecamp (XBC) agent. DSA-4841/V1E-13468

Resolved issues

Deep Security Agent security updates sometimes failed after reconfiguring proxy settings. PCT-18382/DSA-5390
Using Deep Security Agent with Web Reputation Service enabled prevented some Application Performance Monitoring (APM) applications from functioning correctly. SF04072723/SEG-97952/PCT-15716/DSA-4750
Deep Security Agent Anti-Malware and network drivers were unable to load on systems using Security-Enhanced Linux (SELinux) enforcing mode with its default policies. PCT-14630/DSA-4917
Deep Security Agent was sometimes unable to detect Linux system firewall port settings, which prevented the agent Firewall from allowing ports required for it to function. SF07650853/PCT-16253/DSA-4849
Anti-Malware on-demand scans sometimes used file descriptors incorrectly, which resulted in "Bad file descriptor" log errors. DSA-4051
Anti-Malware engine sometimes crashed. PCT-25789/DSA-4051

Security updates

This release contains updates to third-party libraries. DSA-4187

Known issues

This release excludes the Deep Security Agent package for Oracle Linux 6 (32-bit) as it reports the Anti-Malware Engine status incorrectly. DSA-5557
Switching from User Mode to Kernel Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6090
Switching to User Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6104

Deep Security Agent - 20.0.1-7380 (20 LTS Update 2024-04-24)

Release date: April 24, 2024

Build number: 20.0.1-7380

New features

User mode solution: This feature provides basic Anti-Malware functions through Fanotify and eBPF on systems that lack kernel support. Deep Security Agent cannot protect runtime container workloads in this mode.

Enhancements

Deep Security Agent 20.0.1-7380 or later adds additional support (including SAP Scanner) for SUSE Linux Enterprise Server 12 (PowerPC little-endian). For details, see supported features by platform for Deep Security 20 LTS or Trend Cloud One - Endpoint & Workload Security. DSA-2626
Deep Security Agent 20.0.1-7380 or later adds additional support (including SAP Scanner) for SUSE Linux Enterprise Server 15 (PowerPC little-endian). For details, see supported features by platform for Deep Security 20 LTS or Trend Cloud One - Endpoint & Workload Security. DSA-2630
Deep Security Agent now supports Trend Vision One Service Gateway exclusions. This is only supported for Trend Cloud One - Endpoint & Workload Security users at this time. V1E-17754
Deep Security Agent can have its proxy configuration set by the Trend Vision One Proxy Manager. V1E-14557

Resolved issues

Deep Security Agents running in cloud environments sometimes could not be activated for Trend Cloud One - Endpoint & Workload Security. DSA-4861
When SAP Scanner was enabled, system events for "SAP: Anti-Malware module is not ready" or "SAP: Virus Scan service is not working correctly" sometimes displayed during Deep Security Agent upgrade. These system event messages were triggered by the restart of Deep Security Agent modules. There was no functional impact. DSA-4603
Deep Security Agent caused high CPU usage on some systems using TLS inspection with the tm_netagent process running. PCT-22031/DSA-4805
After enabling Trend Micro Service Gateway Generic Caching Service (GCS) from Trend Vision One, Deep Security Manager and Trend Cloud One - Endpoint & Workload Security displayed the "Check Status Failed" error when communicating with Deep Security Agent. DSA-4763
The local Smart Protection Server sometimes showed an incorrect number of Deep Security Agents. DSA-3780

Deep Security Agent - 20.0.1-4540 (20 LTS Update 2024-03-20)

Release date: March 20, 2024

Build number: 20.0.1-4540

New features

CPU Usage Control: This feature provides three predefined modes to throttle CPU usage of Anti-Malware Real-Time Scan (Computer > Settings > General > CPU Usage Control). This is only supported for Trend Cloud One - Endpoint & Workload Security customers at this time. DSA-2465

Enhancements

SAP Scanner is now supported on Deep Security Agent 20.0.1-4540 or later for Red Hat Enterprise Linux 9. DSA-4213
The SAP Scanner status for Deep Security Agent is now displayed in the console. DSA-3329
The Deep Security Agent version is now displayed in the SAP Scanner library. SF07483850/PCT-10077/DSA-3304

Resolved issues

Some systems encountered higher than normal CPU usage and performance issues if Deep Security Agent lost its connection to the Smart Protection Server. SF07552865/PCT-12430/DSA-3784
Deep Security Agent incorrectly classified the MIME type of .dwg files generated by AutoCAD, from AutoCAD 2004 to AutoCAD 2024. SF07027236/SEG-186079/PCT-5797/DSA-2901

Known issues

When SAP Scanner is enabled, system events may cause a message "SAP: Anti-Malware module is not ready" or "SAP: Virus Scan service is not working correctly" to be displayed temporary during the Deep Security Agent upgrade. This is caused by the restart of Deep Security Agent modules. There is no functional impact. DSA-4572
After enabling Trend Micro Service Gateway Generic Caching Service (GCS) from Trend Vision One, Deep Security Manager and Trend Cloud One - Endpoint & Workload Security display "Check Status Failed" error when communicating with Deep Security Agent. For details, see Deep Security Agent reports "Check Status Failed" after enabling Service Gateway Generic Caching Service. DSA-2756

Deep Security Agent - 20.0.1-3180 (20 LTS Update 2024-02-29)

Release date: February 29, 2024

Build number: 20.0.1-3180

Enhancements

Deep Security Scanner (SAP) now reports files containing Microsoft Office Macros as Active Content, while previously they were identified as Malware. PCT-5979/DSA-3911

Resolved issues

Migration of agents from on-premise Deep Security Manager to Trend Cloud One - Endpoint & Workload Security using Trend Vision One Service Gateway failed. This issue could also occur when migrating using other proxy services. PCT-16649/DSA-4144
The expected MIME type for .msg files by the Deep Security Agent SAP Scanner was incorrect. PCT-5797/DSA-4050
Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent sometimes resulted in a TLS inspection process (tm_netagent) error log rotation issue. DSA-3965
Deep Security Agent could not start because a keyword in its system configuration was incorrectly interpreted. SEG-156447/PCT-8768/DSA-3897
Smart Scan hung during its update because the IPv6 configuration could not be detected automatically. DSA-3287
When Deep Security Agent is installed on a system with Fanotify enabled, the Anti-Malware process restarting or stopping sometimes caused the system to freeze. PCT-6047/SEG-190061/DSA-4474

Known issues

The Application Control Trust Entities block by target trust rule sometimes does not work properly when running a copy of an executable file. PCT-11105/DSA-3324

Deep Security Agent - 20.0.1-690 (20 LTS Update 2024-01-17)

Release date: January 17, 2024

Build number: 20.0.1-690

New features

Command line scan: Deep Security Agent now supports on-demand scans triggered using dsa_scan from a command line interface.

This is currently only available to Trend Cloud One - Endpoint & Workload Security customers. For more information, see Command-line basics. V1E-6993

Enhancements

From 2024 onward, Deep Security Agent versioning is being revised from 20.0.0 to 20.0.1. This requires Deep Security Manager 20.0.883 or later. DSA-3584.

For details, see Preparedness of DSM/DSA for Supporting 20.0.1 Linux Kernel Support Package (KSP).

Resolved issues

Deep Security Agent was sometimes unable to connect to the local Smart Protection Server. DSA-3564
When FIPS mode was disabled, Deep Security Agent used the OpenSSL configuration specified by the system environment variables rather than the config specified by the agent. PCT-4914/DSA-2651/DSA-2737/DSA-2738
Deep Security Agent would incorrectly log network errors when the SAP scanner was enabled. DSA-3548
Files added to the SAP Scanner allow list without including a file extension were being blocked when they should have been allowed. SF06565062/SEG-170933/DS-77132/DSA-3424
When using Deep Security Agent on a system with Fanotify enabled, quarantining a file sometimes caused the system to freeze. PCT-6047/SEG-190061/DSA-2473

Known issues

Updating to Deep Security Agent 20.0.1-690 from some 20.0.0 versions sometimes fails when using Deep Security Relay on Trend Cloud One - Endpoint & Workload Security. For details, see Failed remote upgrade of self-deployed Workload Security relay from 20.0.0-3445 or later to version revision 20.0.1 DSA-3317
With the release of Deep Security Agent 20.0.1-690, Trend Micro is changing the version number of the Kernel Support Package (KSP) from 20.0.0 to 20.0.1. This may cause issues downloading the latest kernel driver on some agent versions. To maintain kernel support after the KSP revision, it is suggested that users upgrade to Deep Security Agent 20.0.0-8453 or later. For details, see Kernel driver download issues with Deep Security Agent (DSA) Linux. DSA-3588
Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773

Deep Security Agent - 20.0.0-8453 (20 LTS Update 2024-01-17)

Release date: January 17, 2024

Build number: 20.0.0-8453

Resolved issues

Upgrading to Deep Security Agent 20.0.0-7943, 20.0.0-8137, 20.0.0-8268, or 20.0.0-8438 sometimes failed when Firewall, Web Reputation Service, or Intrusion Prevention System were enabled.

This issue is resolved for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. For details, see Failure to install or upgrade to Deep Security Agent version 20.0.0-7943 to 20.0.0-8438 for Linux when Network Modules are enabled. DSA-3834

Enhancements

Updated Deep Security Agent to support 20.0.1 Kernel Support Packages. In order to continue Linux Kernel support in 2024, upgrade to Deep Security Agent to 20.0.0-8453+. For details, see Platform support updates for Deep Security Agent (DSA) version revision in January 2024 Update Release. DSA-1217

Known issues

Deep Security Agent is sometimes unable to connect to the local Smart Protection Server. This issue is fixed in 20.0.1-690. For details, see Deep Security Agent (DSA) connection issues with Smart Protection Server (SPS) when using proxy. DSA-3564

Deep Security Agent - 20.0.0-8438 (20 LTS Update 2023-12-12)

Release date: December 12, 2023

Build number: 20.0.0-8438

New features

Debian 12 support: Deep Security Agent 20.0.0-8438 or later supports Debian 12 including Secure Boot support. This requires Deep Security Manager 20.0.864 or later. DSA-1408

Enhancements

Remove some file types from the scanning list to avoid high CPU and disk consumption. SF07099651/SEG-188688/DSA-2010
Agent self-protection now protects the Advanced TLS Traffic Inspection process (tm_netagent) preventing local users with administrator privileges from stopping it. DSA-1042/DSA-1043
Telemetry now reports the IPv4 and IPv6 address of all network interfaces. V1E-4543

Resolved issues

When using a local Smart Protection Server and a configured proxy, Web Reputation Service would sometimes improperly send traffic through the proxy. Web Reputation Service now sends queries to the local Smart Protection Server directly. DSA-2981
A memory leak would occur when loading large Suspicious Object lists. SF06904914/SEG-182231/DSA-1370

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 9.8

Highest severity: Critical

Known issues

Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773
Upgrading to Deep Security Agent 20.0.0-8438 sometimes fails when Firewall, Web Reputation Service, or Intrusion Prevention System are enabled.

This issue is resolved in Deep Security Agent 20.0.0-8453 or later for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. For details, see Failure to install or upgrade to Deep Security Agent version 20.0.0-7943 to 20.0.0-8438 for Linux when Network Modules are enabled. DSA-3834
Deep Security Agent is sometimes unable to connect to the local Smart Protection Server. This issue is fixed in 20.0.1-690. For details, see Deep Security Agent (DSA) connection issues with Smart Protection Server (SPS) when using proxy. DSA-3564

Deep Security Agent - 20.0.0-8268 (20 LTS Update 2023-11-21)

Release date: November 21, 2023

Build number: 20.0.0-8268

New Features

Deep Security Agent now supports Trend Micro Service Gateway Generic Caching Service (GCS). DSA-2035
Deep Security Agent now supports FIPS mode for Debian 10 and Debian 11. This requires Deep Security Manager 20.0.854 or later. DSA-1955

Resolved issues

Deep Security Anti-Malware sometimes did not function as expected after the system had resumed from sleep mode (S0 low-power idle mode of the working state, also known as modern standby). SF07326571/PCT-5476/DSA-2485
Deep Security Manager displayed the status of the VM protected by the Deep Security Virtual Appliance as Offline, after the Deep Security Virtual Appliance had been upgraded to version 20.0.0-7943 or 20.0.0-8137. The Deep Security Virtual Appliance itself was functioning properly and displayed the status as Managed (Online). SF07317008/SF07313849/SF07331882/PCT-4330/PCT-4607/PCT-4899/DSA-2259
Deep Security Agent incorrectly classified MIME type of .xml files generated by Microsoft Word, Excel, PowerPoint, as well as .dwg files generated by AutoCAD and R2000. SF07027236/SEG-186079/DSA-2202

Known issues

Linux virtual machines froze when trying to update the Smart Scan pattern. As a workaround, you can add the /opt/ds_agent/lib/libvmpd_scanctrl.so=icrc_try_update=0 key to the ds_am.ini file and restart the DSA service. SF07031242/PCT-5795/DSA-2616
Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773
Upgrading to Deep Security Agent 20.0.0-8268 sometimes fails when Firewall, Web Reputation Service, or Intrusion Prevention System are enabled.

This issue is resolved in Deep Security Agent 20.0.0-8453 or later for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. For details, see Failure to install or upgrade to Deep Security Agent version 20.0.0-7943 to 20.0.0-8438 for Linux when Network Modules are enabled. DSA-3834

Deep Security Agent - 20.0.0-8137 (20 LTS Update 2023-10-26)

Release date: October 26, 2023

Build number: 20.0.0-8137

New features

Miracle Linux 9 support: Deep Security Agent 20.0.0-8137 or later supports Miracle Linux 9, including FIPS mode and Secure Boot support. This requires Deep Security Manager 20.0.844 or later.

Known issues

Upgrading to Deep Security Agent 20.0.0-8137 sometimes fails when Firewall, Web Reputation Service, or Intrusion Prevention System are enabled.

This issue is resolved in Deep Security Agent 20.0.0-8453 or later for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. For details, see Failure to install or upgrade to Deep Security Agent version 20.0.0-7943 to 20.0.0-8438 for Linux when Network Modules are enabled. DSA-3834
Deep Security Manager displays the status of guest VMs protected by the Deep Security Virtual Appliance 20.0.0-7943 as Offline or Check Status Failed (Activation Required). SF07317008/SF07313849/SF07331882/PCT-4330/PCT-4607/PCT-4899/DSA-2259

Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)

Release date: September 26, 2023

Build number: 20.0.0-7943

New features

Red Hat Enterprise Linux 8.6 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943 or later supports only the Anti-Malware on-demand scan feature for Red Hat Enterprise Linux 8.6 (PowerPC little-endian). This requires Deep Security Manager 20.0.817 or later. Security updates are currently unsupported for this platform.

SUSE Linux Enterprise Server 12 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943 or later supports only the Anti-Malware on-demand scan feature for SUSE Linux Enterprise Server 12 (PowerPC little-endian). This requires Deep Security Manager 20.0.817 or later. Security updates are currently unsupported for this platform.

SUSE Linux Enterprise Server 15 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943 or later supports only the Anti-Malware on-demand scan feature for SUSE Linux Enterprise Server 15 (PowerPC little-endian). This requires Deep Security Manager 20.0.817 or later. Security updates are currently unsupported for this platform.

Security updates are not supported on PowerPC platforms at this time. The Advanced Threat Scan Engine (ATSE) status does not display correctly and the following alerts are expected on RHEL 8.6, SUSE 12, and SUSE 15:

Security Update: Security Update Check and Download Failed (Agent/Appliance error)
Status: Out of Date

Enhancements

New commands exist to get proxy information from the command line:
dsa_query -c GetProxyInfo
dsa_query -c GetProxyInfo details=true
DSA-864
All Trend Micro public keys that are used to validate kernel module signatures are now included by default in the Deep Security Agent packages. SF06915385/SEG-185980/DSA-1569
In order to display agent pattern updates properly, Deep Security Agent 20.0.0-7943 or later requires Deep Security Manager 20.0.759 or later. For more information, see Incompatible Agent / Appliance Version error in Deep Security Agent 20.0.0-7943. SEG-190866/SEG-191017/DSA-1531

Resolved issues

Deep Security Agent ignored the file if the exclusion list for the file or folder contained an empty path from Deep Security Manager. PCT-1066/DSA-1873

Known issues

Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773
Upgrading to Deep Security Agent 20.0.0-7943 sometimes fails when Firewall, Web Reputation Service, or Intrusion Prevention System are enabled.

This issue is resolved in Deep Security Agent 20.0.0-8453 or later for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. DSA-3834
Deep Security Manager displays the status of guest VMs protected by the Deep Security Virtual Appliance 20.0.0-7943 as Offline or Check Status Failed (Activation Required). SF07317008/SF07313849/SF07331882/PCT-4330/PCT-4607/PCT-4899/DSA-2259

Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)

Release date: August 29, 2023

Build number: 20.0.0-7719

New features

Miracle Linux 8 support: Deep Security Agent 20.0.0-7719 or later now supports Miracle Linux 8, including FIPS mode. This requires Deep Security Manager 20.0.817 or later.

Enhancements

Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. (Agents configured as a Deep Security Relay still download all pattern updates.) DSA-1000
The "blocking page" Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
Advanced Threat Scan Engine has been updated to version 22.6. DSA-453

Resolved issues

Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756
TLS Inspection Package updates sometimes caused the ds_nuagent service to stop unexpectedly. DSA-1319

Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)

Release date: July 25, 2023

Build number: 20.0.0-7476

Enhancements

Updated the dsa-connect service to improve CPU performance. C1WS-12970
Deep Security Agent 20.0.0-7476 now supports FIPS mode for Red Hat Enterprise Linux 9. DS-77642
Updated Deep Security Agent Scanner (SAP) to accept up to 512 parallel client connections established by SAP NetWeaver. Note that the previous connection limit was 256. SF06983349/SEG-184190/DS-78229

Resolved issues

Smart Protection Servers would sometimes lose connectivity with Web Reputation Service. SF06423462/SEG-166651/DSSEG-7858

Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)

Release date: June 28, 2023

Build number: 20.0.0-7303

New features

Amazon Linux 2023 support: Deep Security Agent 20.0.0-7303 or later now supports Amazon Linux 2023, including FIPS mode. This requires Deep Security Manager 20.0.789 or later.

At time of release, Amazon Linux 2023 is not yet certified for FIPS. See the Amazon Linux 2023 release notes for the latest support information.

Amazon Linux 2023 (AWS ARM-Based Graviton 2): Deep Security Agent 20.0.0-7303 or later now supports Amazon Linux 2023 on AWS Graviton 2. This requires Deep Security Manager 20.0.789 or later.

Advanced TLS Traffic Inspection now supports Oracle Linux 9 (64-bit), Red Hat Enterprise Linux 9 (64-bit), and Ubuntu 22.04 (64-bit).

Enhancements

Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation, such as fe80:0:0:0:0:0:0:1/24 or fe80::01. SF04849178/SEG-122076/DS-67280
Web Reputation Service now automatically monitor the ports used by the OS proxy configuration. DS-77233
Removed unnecessary proxy scheduled tasks from the Deep Security Virtual Appliance. This should prevent Timed out waiting for relay to msg and Error creating task... errors in the logs. SF06844880/SEG-179554/DS-77440

Resolved issues

When Secure Boot is enabled but the signing key has not been loaded, the system would crash when Anti-Malware used the fanotify facility. SF06464888/SEG-167771/DS-76161
Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
Deep Security Relay 20.0.0-7119 failed to provide security and software updates when using the improved Relay. SF06935222/SEG-183184/DS-78201
The Deep Security Agent connection count could overflow under certain conditions. DS-76902
Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709

Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)

Release date: May 29, 2023

Build number: 20.0.0-7119

Enhancements

MQTT connection credentials were entered in the Deep Security Agent log file (ds_agent.log) in certain scenarios. SEG-174560/C1WS-13282
Deep Security Agent crashed some systems when they were out of memory. SF06704797/SEG-175243/DSSEG-7875
Agent self-protection now secures the Advanced TLS inspection process (ds_nuagent), preventing local users with administrator privileges from stopping it. DS-74080

Systems running Red Hat Enterprise Linux 7 (64-bit) with SELinux may require some manual configuration to avoid permission issues following this update. For details, see BPF permission denied for ds_nuagent with RedHat 7 SELinux enforcing mode in Deep Security.
Deep Security Agent now runs within a predefined group and accept outbound traffic. DS-77415

Resolved issues

Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453
When Anti-Malware was enabled, Deep Security Agent caused high CPU usage on some systems. DS-77758

Deep Security Agent - 20.0.0-6912 (20 LTS Update 2023-05-02)

Release date: May 02, 2023

Build number: 20.0.0-6912

New features

Red Hat Enterprise Linux Workstation 7 support: Deep Security Agent 20.0.0-6912 or later now supports Red Hat Enterprise Linux Workstation 7, including Secure Boot support. This requires Deep Security Manager 20.0.759 or later.

AlmaLinux 9 support: Deep Security Agent 20.0.0-6912 or later now supports AlmaLinux 9, including Secure Boot support. This requires Deep Security Manager 20.0.759 or later.

Enhancements

Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to ds_agent.ini. SF06664116/SEG-173848/DS-77182

Example proxy probing line in ds_agent.ini config file:
dsa.proxymanager.ProbeTimeoutInSec=120
Deep Security Agent installer now prevents the agent from updating if it detects SHA-1 was used to sign the certificate on the agent installer. This prevents the agent from updating and becoming unresponsive, since Deep Security Agent 20.0.0-6313 and higher requires RSA-2048 and SHA-256. For more information on certificate upgrade, see Upgrade the Deep Security cryptographic algorithm. DS-76499
Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840
Deep Security Agent now includes path and PID (process ID) for Anti-Malware events. SF05682761/SEG-147452/DS-72909

Resolved issues

When connecting through a proxy with FIPS mode enabled, Deep Security Agent sometimes had connectivity issues with IoT devices. SEG-174776/DS-77197
Deep Security Agent's Anti-Malware module sometimes failed to restart following an IPC (inter-process communication) timeout. DS-76889/SEG-169218
A compatibility issue between the Deep Security Agent network driver and some third-party products caused systems to crash. SEG-156743/DS-75377
Deep Security Virtual Appliance sometimes crashed when connecting by HTTPS to a Smart Protection Server. SEG-169451/DS-76968
Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896
When Web Reputation Service was enabled, Deep Security Agent caused some systems to shutdown unexpectedly. SF06680505/SEG-174730/DSSEG-7866
Files added to the SAP Scanner allow list without including a file extension were being blocked when they should have been allowed. SF06565062/SEG-170933/DS-77132
Deep Security Agent sometimes crashed when shutting down after downloading new plugins from the relay. DS-76961
Deep Security Agent caused some systems to reboot unexpectedly. SF06584000/SEG-171147/DSSEG-7851

Deep Security Agent - 20.0.0-6658 (20 LTS Update 2023-03-22)

Release date: March 22, 2023

Build number: 20.0.0-6658

New features

Oracle Linux 9 support: Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.737 or later now supports Oracle Linux 9, including FIPS mode and Secure Boot support.

Service Gateway: Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.741 or later now supports the Service Gateway feature, providing forward proxy functionality.

Enhancements

When an Application Control Trust Entities path rule uses a wildcard without specifying a filename, the wildcard now applies to all files in any directory matching the rule's path. Note that previously, the globstar (**) wildcard would apply to a path rule's directory and subdirectories, as opposed to the single star (*) wildcard which would only match within the path rule's directory. DS-75133
Web Reputation Service now includes OS platform metadata. DS-75453
Anti-Malware events generated by the SAP Scanner now include file hashes. DS-75648/SEG-165491
Application Control now checks web browser execution of .HTML, .HTM, and .JS files. DS-75102
Deep Security Agent now sends full command lines for processes to Deep Security Manager, improving the Recommendation Scan's rule recommendations. Note that previously, the agent only sent the first 2048 characters of each process's command line. C1WS-11728
Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.737 or later now supports Secure Boot for Ubuntu 22.04. DS-73729
Deep Security Agent 20.0.0-6658 or later now supports the Proxy Manager for Trend Micro Vision One (XDR) Threat Intelligence - User-Defined Suspicious Object (UDSO). DS-75365
Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (dsa-connect-X.log) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598

The logger supports an on-demand JSON config file (either dsa-connect.ini or dsa-connect.conf) with the following configurable options:
- Debug: Enable the debug log messages. The default value is false.
- Count: Number of log files to generate. The default value is 5.
- Size: Maximum size of each log file in bytes. The default value is 2097152.
Example config file:
```
                            {
                            "Debug": true,
                            "Count": 5,
                            "Size": 2097152
                            }
```
Deep Security Agent can now have a maximum of 1024 process tasks when deployed on RedHat or SUSE. PCT-25908/DSA-5507

Resolved issues

When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
The Deep Security Agent kernel support package download was sometimes interrupted, generating "Agent Integrity Check Failed" warnings and "Kernel Unsupported" errors. SEG-169497/DS-76545
Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
Anti-Malware Behavior Monitoring had a driver issue causing kernel warnings on some systems. SF06254724/SEG-163042/ORCA-762
When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
Deep Security Agent was unable to connect to the Anti-Malware Smart Scan service on some systems. SEG-168468/DS-76433
Deep Security Agent caused performance issues on systems generating a large number of container environment Application Control events. SF06538377/SEG-169605/DS-76594

Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)

Release date: January 31, 2023

Build number: 20.0.0-6313

New feature

Agent self-protection: This feature helps prevent users on the local system from tampering with the agent. For more information, and help configuring agent self-protection, see Enable or disable agent self-protection in Linux.

Rocky Linux 9 support: Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.716 or later now supports Rocky Linux 9, including FIPS mode and Secure Boot support. DS-73727

Enhancements

Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL/TLS certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676

To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
If you updated to Deep Security Agent 20.0.0-6313 or later before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent (DSA) offline when OpenSSL 3 rejects certificate with SHA-1 algorithm.
With Anti-Malware and Behavior Monitoring enabled, Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.716 or later now monitors for suspicious behavior to improve protection against MITRE attack scenarios. DS-73644
Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.711 or later now supports FIPS mode for Oracle Linux 8. DS-73778

Resolved issues

When Application Control was enabled, Deep Security Agent's status sometimes became stuck at "Application Control Ruleset Update In Progress". DS-74627
For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent only shows the final successful event. SF06207160/SEG-160085/DSSEG-7765
Deep Security Agent crashes and issues connecting with Deep Security Manager caused Anti-Malware Offline events. SF06061098/SEG-154701/DS-74665
With Web Reputation Enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (_) entered in a command was replaced with a dash (-), and an uppercase Z was replaced with a lowercase z. DS-74335
Application Control sometimes failed to block programs running in namespace mode. SF05929869/SEG-151363/DS-74116
Integrity Monitoring sometimes failed to create events after running certain console commands (for example, passwd or mv commands). 05718251/SEG-148552/DS-72643
Older Application Control events were not being removed from the database as intended, causing the events.db file size to increase indefinitely. SF06172729/SEG-159548/DS-74706
When Integrity Monitoring event generation is interrupted by a process or system crash, it could lead to incorrect events being created. SF05508030/SEG-138756/DS-72470

Known issues

Deep Security Agent is having connectivity issues on some systems, resulting in "Event ID 9012, Smart Protection Server Disconnected for Smart Scan" error messages. For more details including temporary workaround instructions, see Smart Protection Server disconnected messages appear in Deep Security. SF06512673/SEG-168468

Deep Security Agent - 20.0.0-5953 (20 LTS Update 2022-11-22)

Release date: November 22, 2022

Build number: 20.0.0-5953

New feature

Enhancements

Deep Security Agent 20.0.0-5953 or later with Deep Security Manager 20.0.711 or later now supports FIPS mode for Oracle Linux 8.

Resolved issues

Application Control sometimes failed to block programs running in namespace mode. SF05929869/SEG-151363/DS-74116
Integrity Monitoring sometimes failed to create events after running certain console commands (for example, passwd or mv commands). 05718251/SEG-148552/DS-72643
Older Application Control events were not being removed from the database as intended, causing the events.db file size to increase indefinitely. SF06172729/SEG-159548/DS-74706
When Integrity Monitoring event generation is interrupted by a process or system crash, it could lead to incorrect events being created. SF05508030/SEG-138756/DS-72470

Deep Security Agent - 20.0.0-5761 (20 LTS Update 2022-10-21)

Release date: October 21, 2022

Build number: 20.0.0-5761

New feature

Enhanced platform support

SAP Scanner support for Oracle Linux 7: Deep Security Agent for Oracle Linux 7 now supports SAP Scanner. VO-1849

Enhancements

Updated Deep Security Agent to include additional metadata, such as UserAgent and Referrer, for Web Reputation Services. DS-72196
Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085
Deep Security Agent now can be deployed without additional dependency on System V packages. DS-73588

Resolved issues

With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
If the Deep Security Agent service stopped while running Application Control in Maintenance Mode, executable files created after the service stopped were not being auto-approved as intended. SF05961688/SEG-152045/DS-73570
With Advanced TLS traffic inspection enabled, Deep Security Agent had a memory issue that prevented some applications from running. SEG-150631/DS-74039
Software, if renamed or copied while Application Control had Maintenance Mode enabled, would remain authorized in the software inventory under its original filename or location. DS-74015
Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807
The TLS inspection support package failed to download on Deep Security Agents using Edge Relay. DS-73789
On RedHat Enterprise Linux computers, Anti-Malware being enabled would sometimes cause a system crash. SEG-155143/DS-74008

Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)

Release date: September 22, 2022

Build number: 20.0.0-5512

Enhancements

Updated Deep Security Agent kernel device module files to comply with Security-Enhanced Linux (SELinux) requirements. DSSEG-7378
Deep Security Agent now reports host information with additional details. DS-72609
Deep Security Agent now reports host metadata for installed software with additional details. DS-72608
Updated Deep Security Agent to add multi-thread support for On-Demand scan and Scheduled Scan. DS-72797/DS-72798
Deep Security Agent with Deep Security Manager 20.0.677 or later now supports the automatic update of Advanced TLS Traffic Inspection as operating system libraries change (Computer or Policy > Settings > TLS Inspection Package Update). DS-72828

Resolved issues

Trust Entities settings were not being re-applied after turning Application Control off and back on again. SF05930535/SEG-152439/DS-73312
When installed on a system that uses secure boot without importing the required sign key, Deep Security Agent generated an Anti-Malware Engine error code with "Reason ID: 13" when it should have generated the code with "Reason ID: 11". For details on Reason IDs, see Warning: Anti-Malware Engine has only Basic Functions. DS-72891
Deep Security Agent reported host metadata in an unexpected format. DS-73411

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.0

Highest severity: High

Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)

Release date: August 29, 2022

Build number: 20.0.0-5394

New features

Ubuntu 22.04 (AWS ARM-based Graviton 2) support: Deep Security Agent 20.0.0-5394 or later with Deep Security Manager 20.0.677 or later is now supported on Ubuntu 22.04 (AWS ARM-based Graviton 2).

Enhancements

The Deep Security Agent process now restarts automatically if the file descriptor count is abnormally high, and a counter was added to track how many times this event occurs. SF05212995/SEG-130431/DS-72616
Application Control now detects software changes for executables with non executable extensions. DS-70805
Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833

Resolved issues

When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
Anti-Malware would sometimes leak file descriptors. SF05212995/SEG-130431/DS-72979
When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
Patched third-party libraries. Before patch, the Deep Security Virtual Appliance agent would sometimes crash. SF05559993/SEG-140234/DS-72510

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)

Release date: July 26, 2022

Build number: 20.0.0-5137

New features

Advanced TLS Traffic Inspection: Deep Security Agent 20.0.0-5137 or later adds Advanced TLS Traffic Inspection support to platforms that run system updates or package updates. Note that this feature is currently only supported for Trend Cloud One - Workload Security. Support for Deep Security Manager (On-Premise) will be added later.

Red Hat 9 support: Deep Security Agent 20.0.0-5137 or later with Deep Security Manager 20.0.651 or later now supports Red Hat 9.

Amazon Linux 2 support: Deep Security Agent 20.0.0-5137 or later with Deep Security Manager 20.0.651 or later now supports Amazon Linux 2 for AWS Graviton 3.

Enhancements

Updated Deep Security Agent to add Anti-Malware support for Red Hat OpenShift. DS-72368
Updated Deep Security Agent to reduce CPU usage and improve container performance for real-time Anti-Malware scanning. Previously, all files were scanned during read/write. Now, Anti-Malware file scanning during write is deferred (the file is added to a queue and scanned in the background). DS-65581
Deep Security Agent Scanner (SAP) now generates infection reports with additional details. DS-71660
Updated Deep Security Agent to improve the "zero-config" SSL process for outbound connections. DS-70715
Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar \*\* which matches many sub directories. Single star \* now only matches within your current directory. Existing rules that used a single star \* to match many folders no longer work and need to be changed to use a globstar \*\*. DS-71817

Resolved issues

Deep Security Agent Scanner (SAP) sometimes displayed duplicate Anti-Malware events for .SAR file types. DS-71879
Deep Security Agent SAP scanner could not detect the MIME (.TTF) files. DS-55897
Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889
Deep Security Agent had connectivity issues on some systems. DS-72219

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 4.4

Highest severity: Medium

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)

Release date: July 4, 2022

Build number: 20.0.0-4959

New features

Ubuntu 22.04: Deep Security Agent 20.0.0-4959 or later now supports Ubuntu 22.04. This requires Deep Security Manager 20.0.651 or later.

FIPS mode on Ubuntu 20.04: Deep Security Agent 20.0.0-4959 or later now supports FIPS mode for Ubuntu 20.04.

Enhancements

Deep Security Agent 20.0.0-4959 or later with Deep Security Manager 20.0.0-414 or later now has improved Anti-Malware support on systems using Fanotify. Previously, "Anti-Malware Engine Offline" events interrupted Anti-Malware function on these systems. Now, an Anti-Malware with basic functions event is recorded and users maintain basic file scanning function, but not advanced scan mechanisms such as Predictive Machine Learning. DS-68552

Resolved issues

Deep Security Agent Scanner (SAP) had a connectivity issue preventing it from loading the correct libraries on some systems. DS-71623
Deep Security Agent Scanner library sometimes caused SAP applications to crash. DS-71849
Anti-Malware was unable to remove immutable or append-only files on some systems. VRTS-7110/DS-52383
Using the command line (dsa_control -b), Deep Security Relay failed to extract the bundle file required to update in a closed network environment. SF05715642/SEG-144571/DSSEG-7600
With Log Inspection enabled, upgrades to Deep Security Agents 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
When Anti-Malware is enabled alongside Integrity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
With Anti-Malware enabled, Deep Security Agent sometimes crashed operating systems that were undergoing an ISO backup. SF05532786/SEG-139280/DS-71299
Updated Deep Security Agent to immediately report its status to Deep Security Manager when Application Control's maintenance mode is enabled on the agent. DS-71617
Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866

Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)

Release date: May 31, 2022

Build number: 20.0.0-4726

Enhancements

Updated Deep Security Relay to record its status and other metrics for potential troubleshooting. DS-65763

Resolved issues

Trust Entities "allow by target" rules sometimes blocked processes they weren't intended to block. SF04922652/SEG-131710/DS-71060
Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
Deep Security Agent Scanner library didn't work properly with highly-interrupted SAP applications on Linux systems. This resulted in files were scanned, but results might be unable to report to the SAP applications. SF05390384/SEG-136659/DS-71251
Following an upgrade, Deep Security Agent would send continuous "Security update in progress" reports to Deep Security Manager. SF05253107/SEG-131983/DS-69747
Updated Deep Security Relay to prevent Deep Security Agent from retrieving incomplete signature files for packages. SF05332854/SEG-134394/DS-71228
Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
An abnormal restart of Deep Security Agent sometimes lead to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
Secondary DNS setting from IP pool was not configured when Appliance was deployed. SF05215036/SEG-134844/DSSEG-7535

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)

Release date: April 28, 2022

Build number: 20.0.0-4416

Enhancements

Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515

Resolved issues

With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)

Release date: April 6, 2022

Build number: 20.0.0-4185

New features

Advanced TLS traffic inspection: Advanced TLS traffic inspection adds the capability for inspecting TLS traffic encrypted with modern ciphers, including Perfect Forward Secrecy (PFS). It also enhances virtual patching for HTTPS servers to help protect against vulnerabilities such as Log4j.

Resolved issues

Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
Deep Security Agent created an "Application Control Engine Offline" error during agent upgrade, and an "Application Control Engine Online Again" message after upgrade completion. Note that an upgrade should not have triggered these events. DS-69888
Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
Deep Security Agent had SSL connectivity issues when Web Reputation Service was enabled. DS-67675
Deep Security Agent sometimes consumed a high amount of system resources during policy updates. SEG-134417/DS-69810

Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)

Release date: March 1, 2022

Build number: 20.0.0-3964

New features

Threat Intelligence: Threat Intelligence (formerly known as Connected Threat Defense) provides enhanced malware protection for new and emerging threats. For more information, see Detect emerging threats using Threat Intelligence.

Enhanced platform support

Deep Security Agent 20.0.0-3964 or later is now supported on these platforms:

Red Hat 8 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.605+)
Debian 11 (requires Deep Security Manager 20.0.605+)

Enhancements

Updated Deep Security Agent to exclude suspicious characters, such as $, found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989

Resolved issues

With real-time Integrity Monitoring enabled, Integrity Monitoring delete events were not being generated after editing a file and then deleting it. DS-69057
Deep Security Agent caused high CPU usage for systems protecting containers. Container protection can now be enabled or disabled in Deep Security Manager (from Computer (or Policy) > Settings > Container Protection). SEG-115751/DSSEG-7334

Deep Security Agent - 20.0.0-3770 (20 LTS Update 2022-01-24)

Release date: January 24, 2022

Build number: 20.0.0-3770

New features

Zero config IPS inspection: Deep Security Agent adds the capability for Intrusion Prevention to inspect TLS encrypted traffic without manually importing certificates. This adds support for more cipher suites as well. This feature is being rolled out gradually for Linux platforms, beginning with Trend Micro Cloud One - Workload Security customers.

CRI-O support: A Deep Security Agent's "CRI-O engine version" is now displayed in Deep Security Manager, as well as Anti-Malware event information for containers. Note that CRI-O is currently only supported for Deep Security Manager (On-Premise). Support for Trend Micro - Cloud One Workload Security will be added later.

Enhancements

Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042
Updated Deep Security Agent to correctly display the host's IP address in the "LastIpUsed" field. Previously, the field displayed the load balancer or proxy IP in environments using one of those. SF05283977/SEG-133073

Resolved issues

A Deep Security Agent conflict with network interface controllers (NICs) caused systems with multiple NICs to crash. 05048124/SEG-126094/DS-68730
When an Integrity Monitoring scan timed out, it sometimes generated false "create" or "delete" events for "user" or "group" entities. SEG-117739/DS-66885
Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
A Deep Security Agent parsing issue was causing "Anti-Malware Engine Offline" errors. SF05171312/SEG-129367/DSSEG-7428

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 9.1

Highest severity: High

Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)

Release date: November 24, 2021

Build number: 20.0.0-3445

New features

Collection of the agent metrics in the on-premise environment: You can now collect the agent metrics on-premises for SEG troubleshooting purposes. These metrics are stored as ZIP files on Windows in the C:\ProgramData\Trend Micro\Deep Security Agent\metrics directory and on Linux, AIX, and Solaris in the /var/opt/ds_agent/metrics directory. The ZIP files are rotated periodically on the local file system. Each ZIP file is approximately 1 MB in size and contains up to 100 files. The metrics are collected along with the diagnostic package.

Enhancements

Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
Deep Security Agent no longer uses CBC cipher suites by default in order to improve security. DS-67204
Deep Security Agent was upgraded to use locally installed kernel modules when new ones can't be fetched from the Deep Security Relay. DS-66599
Updated Deep Security Agent to support using the "process name" property in "ignore from source" rules for Application Control Trust Entities on Cloud One Workload Security. DS-67322
Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347

Resolved issues

Insufficient file access permission for the Deep Security Relay sometimes caused the agent installer to fail. DS-67278
Deep Security Agent sometimes showed an incorrect "No such file or directory" error message during installation. DS-67317
Deep Security Agent sometimes showed plugin installation failures during an upgrade even when the upgrade was successful. DS-67336
Deep Security Agent sometimes could not start after an upgrade. SF04943063/SEG-123155/DS-67475
Deep Security Agent sometimes changed the access time of files during the on-demand Anti-Malware scan. DS-67119
The Deep Security Agent and MQTT connection would sometimes go offline, requiring an agent restart. DS-67487
Deep Security Agent couldn't properly handle SAP NetWeaver MIME type scan requests containing leading and trailing spaces. DS-67448
With Anti-Malware real-time scan enabled, Deep Security Agent would sometimes scan unchanged files. DS-67806
Deep Security Agent sometimes caused the system to crash. SEG-123338/DS-67445

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 9.8

Highest severity: High

Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)

Release date: October 28, 2021

Build number: 20.0.0-3288

New features

Kernel support package updates: You can now choose when to perform kernel support package updates, using the new "Automatically update kernel package when agent restarts" option in the computer or policy editor.

Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:

Agent size requirements have increased, including a slightly larger installer package on most platforms.
All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Enhanced platform support

Deep Security Agent 20.0.0-3288 or later now supports these platforms:

AlmaLinux 8 (requires Deep Security Manager 20.0.503+)
Rocky Linux 8 (requires Deep Security Manager 20.0.543+)
Ubuntu 20.04 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.503+)
Ubuntu 18.04 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.482+)

Secure boot support: Deep Security Agent now supports Oracle Linux 7 (in both UEK-R5 and UEK-R6) and Oracle Linux 8 with Secure Boot enabled.

Enhancements

Deep Security Agent 10.0 to 20.0 upgrades now keep their "NIC bypass" configuration (used for bypassing a network interface). DS-64985
You can now exclude container file events from the kernel module. DS-65547

Resolved issues

Anti-Malware updates sometimes failed, resulting in "Security Update: Pattern Update on Agents/Appliances Failed" errors. 04763356/SEG-119138/DS-66569
The Deep Security Agent Scanner library sometimes couldn't be loaded by SAP NetWeaver. DS-67530
With Intrusion Protection enabled, Deep Security Agent caused the system to crash under some configurations. SF04931669/SEG-123338/DS-67441
With SAP integrated and running, Deep Security Agent would block MP4 files. 04660120/SEG-117094/DSSEG-7254
Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-65056

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)

Release date: October 08, 2021

Build number: 20.0.0-3165

Deep Security Agent 20.0.0.3165 has been released to Trend Micro Cloud One - Workload Security customers. However, it is not available on the Deep Security Agent software download page or released to customers using Deep Security Manager.

New features

AlmaLinux 8 support: Deep Security Agent is now supported on AlmaLinux 8.
Ubuntu 18.04 (AWS ARM-Based Graviton 2) support: Deep Security Agent is now supported on Ubuntu 18.04 (AWS ARM-Based Graviton 2).
Oracle Linux 7 support: Deep Security Agent is now supported on Oracle Linux 7 with Secure Boot (in both uek-R5 and uek-R6).
Kernel support package updates: You can now choose when to perform kernel support package updates, using the new Automatically update kernel package when agent restarts option in the computer or policy editor.
Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Enhancements

Updated Deep Security Agent to prevent agents upgraded from version 10.0 to 20.0 from losing their "NIC bypass" configuration (used for bypassing a network interface). DS-64985
You can now exclude container file events from the kernel module. DS-65547

Resolved issues

Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-2971 (20 LTS Update 2021-09-08)

Release date: September 08, 2021

Build number: 20.0.0-2971

New features

FIPS mode on Red Hat Enterprise Linux 8: Deep Security Agent 20.0.0-2971 or later now supports FIPS mode for Red Hat Enterprise Linux 8.

FIPS mode on Amazon Linux 2: Deep Security Agent 20.0.0-2971 or later now supports FIPS mode for Amazon Linux 2.

Enhancements

Updated Deep Security Agent to improve performance and compatibility by using a unified driver for file, process, and network events. DS-61784
Updated Deep Security Agent to improve TLS traffic inspection. This feature is being rolled out gradually, beginning with Trend Micro Cloud One - Workload Security customers. DS-15576
Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547

Resolved issues

Deep Security Agent sometimes caused performance issues on systems with folders in NFS format. SF04816680/SEG-118993/DS-66280
With Integrity Monitoring enabled, Deep Security Agent sometimes caused high CPU usage. DS-65986
Deep Security Agent 20.0.0-2740 fr Linux was causing performance and third-party compatibility issues on some systems. This agent was removed from the Trend Micro Download Center. For more information see Removal of Deep Security Agent (DSA) Build 20.0.0-2740 for Linux from Download Center.
Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
Deep Security Agent sometimes failed to properly display items under Events and Reports. DSSEG-7057
Deep Security Agent was sometimes unable to create or manage tasks on RPM-based platforms due to a SystemD (Linux service manager) process limitation. SF04543580/SEG-113833/DS-65550
Deep Security Agent Anti-Malware Real-Time Scan exclusions sometimes failed within container environments. DS-65528
Deep Security Agent Anti-Malware Real-Time Scan directory exclusions sometimes failed if filenames were not in UTF-8 format. SEG-115198/DS-65495
With Anti-Malware enabled, Deep Security Agent encountered an "Insufficient Disk Space" alert which sometimes crashed the agent or stopped other programs from working properly. SF04584157/SEG-113377/DS-64405
Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
Deep Security Agent upgrade (Administration > Updates > Software) sometimes failed if a previous (RPM package) upgrade was triggered using console commands. SF04586071/SEG-113583/DS-64978
With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
With Integrity Monitoring enabled, Deep Security Manager caused high CPU usage on the authentication server for some systems. 04488319/SEG-110088/DS-63855
With Integrity Monitoring real-time scan enabled, Deep Security Agent sometimes prevented files on network drives from being deleted. SEG-108636/C1WS-1787

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 9.8

Highest severity: High

Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)

Release date: July 01, 2021

Build number: 20.0.0-2593

New feature

FIPS mode on Ubuntu 18.04: Deep Security Agent 20.0.0-2593 or later now supports FIPS mode for Ubuntu 18.04.

Resolved issues

Integrity Monitoring alerts sometimes triggered but did not appear in the Events and Reports tab. 04266346/SEG-103731/DS-62992
Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
Application Control was detecting multiple "Application Control Software Changes Detected" events due to '.tmp" files being generated by PowerShell. C1WS-1608

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 4.4

Highest severity: Medium

Deep Security Agent - 20.0.0-2395 (20 LTS Update 2021-05-24)

Release date: May 24, 2021

Build number: 20.0.0-2395

New features

Enhanced platform support

Application Control and Integrity Monitoring for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Application Control and Integrity Monitoring for Amazon Linux 2 on AWS Graviton 2. DS-62775

Enhancements

Deep Security Agent 20.0.0-2395 or later now supports Entrust Root Certificate Authority (G2) certificates. Non-G2 security certificates expire on 2022/07/09. After that date, only Deep Security Agent 20.0.0-2395 or later will have the latest Anti-Malware Smart Scan protection. DS-63010
Updated Deep Security Agent to add Predictive Machine Learning support for Malware Scan on Linux platforms. DS-62857
Updated Deep Security Agent's Anti-Malware default configuration to monitor file access from the local host only, improving compatibility for some file systems. DS-62222

Resolved issues

Anti-Malware Real-Time Scan sometimes didn't detect files properly with the "During read" setting selected (Computers > Details > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration > Edit > Advanced > Real-Time Scan). SEG-104496/DS-61836
Deep Security Agent was unable to install in some environments because it misidentified the OS. DSSEG-2915/DS-28321
Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-62154
Anti-Malware Real-Time Scan sometimes caused high CPU usage. 04331007/SEG-107814/DS-62593
Insufficient host information caused by connectivity issues sometimes resulted in offline or duplicate listings in the Computers tab for Deep Security Agents on AWS workspaces. SF04198134/SEG-102818/DS-61666
Anti-Malware Real-Time Scan caused unintentional file changes under some configurations. DS-62412
Deep Security Agent sometimes could not successfully perform an upgrade because of a missing package. SF04302125/SEG-104084/DS-62692
Anti-Malware kernel modules sometimes did not bypass file activity on remote shared storages when Network Directory Scan was disabled. DS-62985

Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)

Release date: April 12, 2021

Build number: 20.0.0-2204

New feature

Enhanced platform support

Anti-Malware and Log Inspection support for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent 20.0.0-2204 or later now supports the Anti-Malware, Firewall, Intrusion Prevention, Log Inspection, and Web Reputation protection modules. Note that Advanced Threat Scan Engine (ATSE) update is not currently supported for Amazon Linux 2 on AWS Graviton 2, but will be added in a future release.

Resolved issues

With Anti-Malware enabled, Deep Security Agent sometimes caused "defunct processes" (that is, processes that remain in the system process table after they've completed execution). SEG-104452/DS-61593
When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
When Integrity Monitoring real-time scan was enabled, sometimes directories on NFS volumes couldn't be removed. SF03977538/SEG-98656/DS-61062
When Intrusion Prevention was enabled, the system would crash under some configurations. SF04286712/SEG-103971/DS-61274
A proxy server issue sometimes caused connectivity issues with Deep Security Agents after registering with Trend Micro Vision One (XDR). SF04318864/SEG-104847/DS-61516

Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)

Release date: March 08, 2021

Build number: 20.0.0-2009

Enhancements

Updated Deep Security Agent to include CPU information (number of logical cores) to improve diagnostics and performance tracking. DS-60011

Resolved issues

The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
When Firewall, Intrusion Prevention, and Web Reputation were enabled, the system sometimes crashed. SF03992370/SEG-100828/DS-60589
After restarting Deep Security Virtual Appliance, protected VMs sometimes became inaccessible. SEG-94723/SF03949466/DS-58962

Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)

Release date: February 08, 2021

Build number: 20.0.0-1876

Resolved issues

The Deep Security Agent was sometimes unable to establish an SSL connection to the web server. DS-59893

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021

Build number: 20.0.0-1822

New features

Enhanced platform support

Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Amazon Linux 2 on AWS Graviton 2. The agent currently supports the Firewall, Intrusion Prevention, and Web Reputation protection modules. Other protection modules are coming soon.

Behavior Monitoring for Linux: This release adds support for Behavior Monitoring on the Linux platform.

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021

Build number: 20.0.0-1681

Resolved issues

A driver conflict was causing the Deep Security Agent to hang and require a reboot. SEG-94278/SF03941184/DS-59020
If an error related to Secure Boot occurs, the user is no longer blocked from installing the plugins and receive a "Secure Boot" error message on Deep Security Manager. Instead, an "Engine is offline" error message is displayed. Users can check "Secure Boot" entries in ds_agent.log for error details. DS-58374
In the SecureBoot environment, the SUSE15 SP2 kernel module load failed with kernel version 5.3.18-24.37-default or later. SEG-93737/DS-58373
Anti-Malware would sometimes restart before fully loading a new driver, causing the AM engine to be offline. DS-58475

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020

Build number: 20.0.0-1559

New features

TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This resolves issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.

Enhancements

Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
Enhanced memory usage to improve performance. DS-53012
Anti-Malware on-demand scans did not function as expected. DS-58346

Resolved issues

Deep Security Agent didn't detect Secure Boot state correctly. SEG-89042/03730368 /DS-57014
The error "scheduling while atomic" occurred because the dsa_filter caused kernel panic. DS-56514
Anti-Malware events didn't include file hashes in certain scenarios. SEG-91779/SF03818756/DS-57453
The Anti-Malware driver showed warning messages during the initialization. SEG-92204/03784490/DS-57605
After upgrading to Deep Security Agent 20.0.0-1194, the "Intrusion Prevention Rules Failed to Compile" and "Security Update Failed" errors sometimes incorrectly occurred. SEG-90503/03789013/DS-56904
When Anti-Malware real-time scans were enabled, Rancher Kubernetes pods sometimes couldn't be terminated gracefully. SEG-87824/SF03695639/DS-58220
When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Notice

In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:

[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate

The most likely root cause is that agent cannot validate the certificate being presented to it by the manager. Pinning a trusted certificate is optional, so you can ignore this error if it doesn't apply to you. However, if you'd like to use a trusted certificate, follow the steps in Import a Deep Security Manager certificate chain issued by a public CA before activating the Deep Security Agent.

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020

Build number: 20.0.0-1337

Resolved issues

When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because of a compatibility issue with third-party security software. SF03700563/SEG-88135/DS-54799
Secure boot appeared active when it was not. SEG-85550/DS-55052

Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)

Release date: October 21, 2020

Build number: 20.0.0-1304

Enhancements

Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

For agentless protected VMs, the settings under Policies > Intrusion Prevention > General > Recommendation were greyed out. DS-56665
When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
Real-time Anti-Malware with filesystem hooking enabled did not work on older kernel versions. SEG-82411/DS-54271
Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
The dsa_query command didn't display Anti-Malware patterns correctly. DS-55389
The Anti-Malware driver did not check compatibility before loading into the kernel. SEG-88135

Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)

Release date: October 5, 2020

Build number: 20.0.0-1194

New features

Improved performance for real-time Anti-Malware scanning on Linux: Real-time Anti-Malware scans have been improved for Deep Security Agent on Linux, resulting in increased response time, faster processing, and reduced CPU usage. Previously, all files were scanned during read/write. Now, Anti-Malware scanning is more efficient and file scanning during write is deferred (the file is added to a queue and scanned in the background).

Differentiated platforms: Deep Security Manager can now distinguish between Red Hat and CentOS platforms and operations. DS-52682

Continued network scans: After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's network scans now continue where they left off, without delay. This feature only applies if you are using NSX-T Data Center and guest machines are using a policy without network feature overrides. DS-50482

Enhancements

Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061
Ceph is now excluded from file system kernel hooking to prevent kernel panic. SEG-75664/SF03131718/DS-50298
Recommendation Scans and Integrity Monitoring are now enabled for NSX-T environments. DS-50478
Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800

Resolved issues

Secure boot appeared active when it was not. DS-55052
Deep Security Agent could not install any plugins with UEFI Secure Boot enabled. DS-54041
After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
The Anti-Malware engine on Deep Security Virtual Appliance went offline when the signer field in the Census server reply was empty. DS-49807
Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
Deep Security Agent on Linux would sometimes crash. SEG-76460/SF03218198/DS-50852
Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
The Deep Security Virtual appliance did not detect the EICAR test file. SEG-71955/SF02955546/DS-49387
Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocking in lock down mode. DS-50696
The Anti-Malware driver caused a system hang on Linux platforms where autofs was used. DS-51926
When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
There was an upgrade issue with Deep Security Agent which would sometimes prevent the agent from going online if Integrity Monitoring or Log Inspection were enabled. DS-50672
Kernel Panic occurred when Web Reputation, Firewall, or Intrusion Prevention were enabled. SEG-80201/DSSEG-5846/DS-52975
When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. SEG-73893/DSSEG-5866/DS-53144
When Deep Security real-time Anti-Malware was enabled on a Linux system, it caused a high amount of CPU usage. SEG-75739/DS-52976

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 4.4

Highest severity: Medium

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020

Build number: 20.0.0.877

New features

Enhanced platform support

Ubuntu 20.04 (64-bit)
Cloud Linux 8 (64-bit)
Debian Linux 10 (64-bit)
Oracle Linux 8 (64-bit)
SUSE Linux Enterprise Server 15 (64-bit)
Red Hat Enterprise Linux 8 (64-bit)
CentOS 8 (64-bit)

SystemD support: SystemD is a Linux service manager that allows services to declare dependencies, which can enforce load and unload sequences of kernel modules and other services. See Linux systemd support for information about which platforms are supported. DS-37395

Secure Boot support: Deep Security Agent supports additional Linux operating systems with Secure Boot enabled. For details, see Linux Secure Boot support.

Improved security

Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.

Protect VMs in NSX-T environments: The latest VMware Service Insertion and Guest Introspection technologies have been integrated. This enables you to protect your guest VMs using Intrusion Prevention, Web Reputation, Firewall, Integrity Monitoring and recommendation scans on NSX-T hosts with agentless protection.

Seamless network protection: Deep Security Manager now sends guest VMs' network configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the network features during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments where the guest machine is using an assigned policy without network features overrides.

SELinux Support: Security-Enhanced Linux (SELinux) enforcing mode is supported on Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. Deep Security Agent is compatible with the default SELinux policies. Anti-Malware software such as ds_agent is required to run in an unconfined domain in order to protect the system. Any additional SELinux policy customization or configuration might be block blocked or fail because of ds_agent.

SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.

Continuous Anti-Malware protection: Deep Security Manager now sends guest VMs' Anti-Malware real-time configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the Anti-Malware real-time feature during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments.

Improved management and quality

Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.

NSX-T Network Throughput improvement: By introducing the Data Plane Development Kit (DPDK), the network throughput has been made three times faster when compared with prior technology.

Upgrade to supported paths: The Upgrade on activation feature only upgrades the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the Upgrade on activation feature detects the newer version and complete the upgrade to the designated release.

Protection for AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, the computer is now created outside of the account and the agent is allowed to activate.

Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported in this release. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?

Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been cancelled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.

Improved process exceptions: The process exception experience has been improved in the following ways:

Information about why process exclusion items are not functioning correctly is provided, enabling you to troubleshoot the issue and know which actions to take to resolve it.
The process exception configuration workflow has been improved to make it more robust.

Enhancements

Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
Improved the Deep Security Agent activation experience in the following ways:

Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.

After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's Anti-Malware real-time scans now continue where they left off, without delay. This feature only applies to NSX-T environments.
Increased the scan engine's URI path length limitation.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
Enhanced Linux real-time Anti-Malware performance when executing a Docker pull command.
Improved the time it takes to auto-activate guest VMs protected by the Deep Security Virtual Appliance in an NSX-T environment. This feature requires Deep Security Manager FR 2019-12-12 or newer releases.
Streamlined event management for improved agent performance.
Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
Enhanced the Malware Scan Failure event description to indicate the possible reason.
Enhanced the Anti-Malware kernel level exclusion on Linux. File events coming from remote file systems won't be handled by Deep Security Agent anymore when Network Directory Scan is disabled.
Added the ability to retrieve process and container information for Intrusion Prevention events, including process name, container ID, container name, image name, image digest and pod ID.

Resolved issues

When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
When Deep Security real-time Anti-Malware was enabled in Linux, it caused a high amount of CPU system usage. SEG-75739/SF03036857/DS-52976
Ceph caused kernel panic. SEG-75664/SF03131718/DS-50298
Deep Security Agent sometimes crashed. SEG-76460/SF03218198/DS-50852
Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
The Deep Security Virtual Appliance did not detect an Eicar file. SEG-71955/SF02955546/DS-49387
Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocked in lock down mode. SEG-73174/DS-50696
Deep Security Virtual Appliance sometimes went offline. SEG-53294/DS-46728
The interface isolation feature was still on when Firewall was turned off. SEG-32926/DS-27099
In a Red Hat Enterprise Linux 5 or 6 or a CentOS 5 or 6 environment, Integrity Monitoring events related to the following rule were displayed even if users or groups were not created or deleted: 1008720 - Users and Groups - Create and Delete Activity. SEG-22509/DS-25250
Integrity Monitoring events showed an incorrect file path with Unicode encoding. SEG-45239/DS-33911
Anti-Malware events displayed a blank file path with invalid Unicode encoding. SEG-46912/DS-34011
Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash. SF01423970/SEG-43481/DS-34436
Kernel panic occurred when dsa_filter.ko was obtaining network device's information. SEG-50480/DS-35192
An SAP system with Java running in a Linux environment failed to start when Deep Security Scanner returned an error code without an error message. SF01339187/SEG-38497/SEG-33163/DS-31330
Kernel panic occurred because of redirfs. SF01137463/SEG-34751/DS-32182
Deep Security Anti-Malware caused the fusermount process to fail when mounting the filesystem. SF01531697/SEG-43146/DS-32753
Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. SEG-39711/DS-32799
For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. SF01704358/SEG-45004/DS-32077
Deep Security Agent GSCH driver had an issue with another third-party file system. SF01248702/SEG-44565/DS-33155)
The Environment Variable Overrides for Deep Security Anti-Malware did not work in Linux. SEG-43362/DS-31328
Deep Security Agent process potentially crashed when the detailed logging of SSL message was enabled and outputted. SF01745654/SEG-45832/DS-33007
When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. SF01415702/SEG-42919/DS-33008
The Send Policy action failed because of a GetDockerVersion error in Deep Security Agent. SF1939658/SEG-49191/DS-34222
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DS-34022
The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. SEG-50728/DS-35446
Deep Security Agent failed to install on Ubuntu 18.04. SF01593513/SEG-43300/DS-37359
The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. SF01526046/SF02159742/SEG-55453/DS-38812
Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. SF02187371/SEG-56645/DS-39398
The agent operating system would sometimes crash when Firewall interface ignores were set. SF01775560/SEG-49866/DS-39339
Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. SF01804378/SEG-47425/DS-33690
Too many file open events were being processed in user mode, resulting in high cpu usage. SF02179544/SEG-55745/DS-39638
The "mq_getattr: Bad file descriptor" error occurred while accessing the message queue when Deep Security real-time Anti-Malware was enabled. SF02042265/SEG-52088/DS-39890
Linux kernel logs were flooded by Deep Security Anti-Malware driver. SF02299406/SEG-57561/DS-41589
Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. SF01780211/SEG-46616/DSSEG-3607
High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. SF02179544/SEG-55745/DS-41142
Deep Security Agent real-time Anti-Malware scans didn't work with Debian 10 64-bit.
When a guest VM was migrated between ESXi hosts frequently (using vMotion), sometimes the VM couldn't save the state file. This caused the guest to lose the protection of the Deep Security Virtual Appliance for several minutes after migration, until the VM was reactivated by Deep Security Manager automatically under the new ESXi server. DSSEG-4341/DS-38221
When uninstalling Deep Security Agent in Linux, the uninstall log included a typo. DSSEG-4139/DS-34504
Deep Security Anti-Malware detected sample malware files but did not automatically delete them. SF02230778/SEG-55891/DS-40687
When the Deep Security Agent connected through a proxy to the Deep Security Manager on Deep Security as a Service, Identified Files could not be deleted. SF01979829/SEG-51013/DS-37252
After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search X-Forwarded-For header after the header is parsed. SEG-60728/DSSEG-5094
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DSSEG-4995

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest Severity: High

Updated NGINX to 1.16.1 (DSSEG-4600)
Updated to curl 7.67.0.
Updated to openssl-1.0.2t.
Updated JRE to the latest Java Update (8.0.241/8.43.0.6).

Kernel support

To see which Linux kernels are currently supported, see Linux kernel compatibility.

To view the Linux kernel support release history, see the Readme for Trend Micro (TM) Deep Security Agent 20.0 for Linux.

Known issues

Autofs is currently not supported for use when real-time Anti-Malware is enabled. If autofs is used with real-time Anti-Malware enabled, some mountpoints are unmounted successfully. SEG-58841

Windows

Deep Security Agent - 20.0.2-1390 (20 LTS Update 2025-01-15)

Release date: January 15, 2025

Build number: 20.0.2-1390

New features

Windows Server 2025 support: Deep Security Agent 20.0.2-1390 or later now supports Windows Server 2025, including FIPS mode support. This requires Deep Security Manager 20.0.1017 or later.

User-based Firewall events: Firewall events now include username whenever possible. This feature is in preview and is only available to certain customers at this time.

Enhancements

Deep Security Agent now queues packets to handle them in sequence, improving performance. DSA-6916
Updated Deep Security Agent to improve spyware prevention. PCT-18199/DSA-5889

Resolved issues

Deep Security Agent sometimes had connectivity issues when Advanced TLS Traffic Inspection was enabled. DSA-8577

Security updates

This release contains updates to third-party libraries. DSA-7695/DSA-8042

Deep Security Agent - 20.0.1-25770 (20 LTS Update 2024-12-10)

Release date: December 10, 2024

Build number: 20.0.1-25770

New features

Enhancements

Updated Deep Security Agent to reduce the duration of on-demand scans when the CPU Usage is set to Medium (Computer or Policy > Settings > General > CPU Usage Control). DSA-8171
Deep Security SAP Scanner can now report results to SAP applications when it identifies password-protected compressed files attached to an email in Microsoft Outlook Item (MSG) format. SF07873657/PCT-23367/DSA-7562
Deep Security Agent now detects if its relay proxy is Trend Vision One Service Gateway Forward Proxy Service, and uses the Service Gateway domain allow list to decide whether the connection should use the relay proxy or not. SF07267852/PCT-29311/DSA-6274
Deep Security Agent can now add existing detections (by malware name, or rule ID for Anti-Malware or Behavior Monitoring) to the Rule Exceptions list from Computer or Policy > Anti-Malware > Advanced. DSA-6318
Deep Security Agent now supports additional options to fine-tune detection sensitivity for Anti-Malware, Behavior Monitoring, Predictive Machine Learning, Process Memory Scan, and the Windows Antimalware Scan Interface for real-time scan. This enhancement is only available in Trend Cloud One - Endpoint & Workload Security. DSA-6062

Resolved issues

Events including packet data were being logged with an incorrect packet size. PCT-45556/DSA-8074
Deep Security Agent had higher than usual CPU usage if Integrity Monitoring was disabled following an Integrity Monitoring scan. SF07991055/PCT-31459/DSA-6195
Anti-Malware manual scans of files or folders with special characters sometimes failed. PCT-43895/DSA-8126
The Trend Micro Windows Filtering Platform (TBIMWFP) driver caused a memory leak on some systems, which led to higher than normal memory usage. DSA-7968
Deep Security SAP Scanner would incorrectly report scan failures when two or more files with the same content were included in a compressed file. PCT-38781/DSA-7557
The Anti-Malware Solution Platform (AMSP) service was crashing on some systems. PCT-41566/DSA-7952

Security updates

This release contains updates to third-party libraries. DSA-7124

Security updates are included in this release. For more information about Trend Micro protection against vulnerabilities, see Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details are only available for select security updates once patches are available for all impacted releases. VRTS-13016/DSA-7645

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Deep Security Agent - 20.0.1-23340 (20 LTS Update 2024-11-13)

Release date: November 13, 2024

Build number: 20.0.1-23340

New features

Windows 11, version 24H2 support: Deep Security Agent 20.0.1-23340 or later supports Windows 11, version 24H2.

Enhancements

Web Reputation Service can now use Server Name Indication (SNI) queries when determining the risk level of a website. DSA-7314
Advanced Transport Layer Security (TLS) inspection can now support Windows Local Security Authority (LSA) protection. DSA-5642

Resolved issues

Deep Security Agent sometimes caused a file handle leak when performing an Anti-Malware manual scan. DSA-7676

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-13428//VRTS-13017/DSA-7666/DSA-7646

Highest Common Vulnerability Scoring System (CVSS) score: 6.7

Highest severity: Medium

Deep Security Agent - 20.0.1-21510 (20 LTS Update 2024-10-16)

Release date: October 16, 2024

Build number: 20.0.1-21510

Enhancements

Add a failsafe to help prevent the Firewall driver causing systems to be stuck in a Blue Screen (BSoD) loop. DSA-7448
Add new Windows events to logs when the Firewall driver is initialized. Events include Windows Base Filtering Engine State changes and the results registered by the tbimwfp driver. DSA-7547

Resolved issues

High CPU usage would occur when both Application Control and FIPS were enabled. DSA-6842
Deep Security Agent would crash the system if the Windows Base Filtering Engine Service was not running. PCT-38921/DSA-7334
When the SAP Scanner library re-established connections to Deep Security Agent, the scan requests sent from the SAP Scanner library would sometimes be rejected. SF08196066/PCT-34824/DSA-7608
Deep Security SAP Scanner would sometimes crash when scanning for files in certain formats, like CSV. PCT-41353/DSA-7609

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 8.0

Highest severity: High

Deep Security Agent - 20.0.1-19250 (20 LTS Update 2024-09-18)

Release date: September 18, 2024

Build number: 20.0.1-19250

Enhancements

Updated Deep Security Agent to improve compatibility with older versions of the SAP Scanner. SF08196066/PCT-34824/DSA-6819
Deep Security Agent now supports the Alibaba Cloud connector type. DSA-6018
Web Reputation Service can now provide protection when using HTTPS in Mozilla Firefox on Windows 10 (64-bit), Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. DSA-6770

Resolved issues

Deep Security Agent caused high CPU usage on systems with both Application Control and FIPS enabled. DSA-6842

Security updates

This release contains updates to third-party libraries. DSA-6156/DSA-6942

Deep Security Agent - 20.0.1-17380 (20 LTS Update 2024-08-21)

Release date: August 21, 2024

Build number: 20.0.1-17380

Enhancements

Web Reputation Service "Smart Protection Server Disconnected" events now include FQDN or IP address information in the description field. DSA-5408
SAP Scanner now classifies Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages as text files. SF07895338/PCT-24359/DSA-5790
SAP Scanner now associates JavaScript with compatible file extensions. For details, see Supported MIME types. SF08102626/PCT-31518/DSA-6192
uAgentWscHandler.exe is a new process that supports Windows Anti-Malware Protected Process Light technology and integrates with Windows Security Center on Windows 10 or Windows 11. DSA-5138
Advanced Threat Scan Engine has been updated to version 24.550. DSA-5968

Resolved issues

SAP Scanner would incorrectly classify valid CSV files if the data was formatted on a single line. SF07967718/PCT-26844/DSA-6102
SAP Scanner sometimes incorrectly identified image files as ASP scripts. SF07764878/PCT-20406/DSA-6122
Deep Security Agent could not load the policy if some policy configuration fields contained curly brackets. DSA-6189
Deep Security Agent would fail to activate if the hostname contained non-ASCII characters. PCT-32214/DSA-6268
Deep Security Agent would sometimes cause an Operating System crash if Advanced TLS inspection was enabled. PCT-34149/DSA-6346
When Anti-Malware was enabled, some Citrix Virtual Desktop Infrastructure (VDI) environments encountered a blue screen (BSoD) error. PCT-26799/DSA-6036
When Intrusion Prevention was enabled for Deep Security Agent, some third-party applications had connectivity issues if they were reusing a source port. SF07685331/PCT-20541/DSA-5596

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Known issues

Deep Security Agent Application Control causes high CPU usage. PCT-36414

Deep Security Agent - 20.0.1-14610 (20 LTS Update 2024-07-17)

Release date: July 17, 2024

Build number: 20.0.1-14610

Enhancements

SAP Scanner now associates the following MIME types with compatible file extensions. For details, see Integrate with SAP NetWeaver.
- TrueType Font (TTF). SF08102626/PCT-31518/DSA-6049
- Java Archive (JAR). SF08102626/PCT-31518/DSA-6044
- Apple QuickTime File Format (QTFF). SF07967718/SF07840151/PCT-22825/PCT-26844/DSA-5887/DSA-5567
- Microsoft Advanced Systems Format (ASF). SF07967718/PCT-26844/DSA-5886

Resolved issues

Deep Security Agent would still try to test connections for Service Gateways. DSA-5814
A Deep Security Agent restart sometimes caused Application Control to report drift events. SF07813110/PCT-25731/DSA-5798
Deep Security Agent was only able to use the primary IP address for Service Gateway. DSA-4513
Integrity Monitoring real-time scans sometimes failed to generate events. SF07269768/PCT-21721/DSA-5877
The Anti-Malware configuration file size was impacting SAP Scanner performance on some systems. SF08057009/PCT-30380/DSA-5987

Deep Security Agent - 20.0.1-12510 (20 LTS Update 2024-06-19)

Release date: June 19, 2024

Build number: 20.0.1-12510

Enhancements

Advanced TLS Traffic Inspection now supports separate configurations for "Inspect Inbound TLS/SSL Traffic" and "Inspect Outbound TLS/SSL Traffic". For detailed configuration steps, see https://help.deepsecurity.trendmicro.com/20_0/on-premise/intrusion-prevention-ssl-traffic.html#EnableTLS.

Resolved issues

Web Reputation Service might cause high CPU usage in VDI environments. PCT-24431/PCT-28543/PCT-29364/PCT-29712/PCT-30043/PCT-30401/PCT-30669/DSA-5766
Edge Relay couldn't use the operating system proxy configuration without IoT features enabled. PCT-16603/DSA-5422

Known issues

There is a performance impact when Inspect Inbound TLS/SSL Traffic and Inspect Outbound TLS/SSL Traffic are enabled at the same time in Advanced TLS Inspection settings. For details, see Performance impact of bi-directional TLS inspection in Deep Security. DSA-5959

Deep Security Agent - 20.0.1-9400 (20 LTS Update 2024-05-16)

Release date: May 16, 2024

Build number: 20.0.1-9400

Enhancements

SAP Scanner now supports the SCANLOGPATH parameter. For details, see Integrate with SAP NetWeaver. PCT-21958/DSA-4924
Updated Deep Security Agent to improve the priority for configurations using a proxy. DSA-4817/PCT-21750
Deep Security Agent can now retrieve Service Gateway settings from the Trend Micro Endpoint Basecamp (XBC) agent. DSA-4841/V1E-13468
Web Reputation Service now supports HTTPS protection for Google Chrome browser's Incognito mode and Microsoft Edge browser's InPrivate mode on Windows 10 (64-bit), Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. DSA-4296

Resolved issues

Deep Security Agent security updates sometimes failed after reconfiguring proxy settings. PCT-18382/DSA-5390
Using Deep Security Agent with Web Reputation Service enabled prevented some Application Performance Monitoring (APM) applications from functioning correctly. SF04072723/SEG-97952/PCT-15716/DSA-4750
Using multiple Smart Protection Servers sometimes generated "Smart Protection Server Disconnected for Smart Scan" warnings, even if Smart Scan was still connected. PCT-13313/DSA-4488
Deep Security Agent security updates sometimes failed after an agent update was applied. PCT-23614/DSA-5371

Security updates

This release contains updates to third-party libraries. DSA-4187

Deep Security Agent - 20.0.1-7380 (20 LTS Update 2024-04-24)

Release date: April 24, 2024

Build number: 20.0.1-7380

Enhancements

Deep Security Agent now supports Trend Vision One Service Gateway exclusions. This is only supported for Trend Cloud One - Endpoint & Workload Security users at this time. V1E-17754
Deep Security Agent can have its proxy configuration set by the Trend Vision One Proxy Manager. V1E-14557
Deep Security Agent now supports custom actions "ActiveAction" or "Pass" for the Process Memory Scan. This is only supported for Trend Cloud One - Endpoint & Workload Security users on Windows platforms at this time. DSA-3621

Resolved issues

Deep Security Agents running in cloud environments sometimes could not be activated for Trend Cloud One - Endpoint & Workload Security. DSA-4861
When SAP Scanner was enabled, system events for "SAP: Anti-Malware module is not ready" or "SAP: Virus Scan service is not working correctly" sometimes displayed during Deep Security Agent upgrade. These system event messages were triggered by the restart of Deep Security Agent modules. There was no functional impact. DSA-4603

Deep Security Agent - 20.0.1-4540 (20 LTS Update 2024-03-20)

Release date: March 20, 2024

Build number: 20.0.1-4540

Enhancements

The SAP Scanner status for Deep Security Agent is now displayed in the console. DSA-3329
The Deep Security Agent version is now displayed in the SAP Scanner library. SF07483850/PCT-10077/DSA-3304
Stopping a Deep Security Agent managed by Trend Cloud One - Endpoint & Workload Security now takes less time. DSA-4208
Anti-Malware events (Events & Reports > Anti-Malware Events) now display the date and time that files or folders were created and modified. SF07199253/PCT-1378/DSA-3578

Resolved issues

Deep Security Agent incorrectly classified the MIME type of .dwg files generated by AutoCAD, from AutoCAD 2004 to AutoCAD 2024. SF07027236/SEG-186079/PCT-5797/DSA-2901

Deep Security Agent - 20.0.1-3180 (20 LTS Update 2024-02-29)

Release date: February 29, 2024

Build number: 20.0.1-3180

New features

Anti-Malware now supports Advanced Process Memory Scan by default in Trend Cloud One. Process Memory Scan is now available for Manual Scan and Scheduled Scan configurations (this is in addition to the Real Time Scan configuration). The Action to Take option in Process Memory Scan is available in Real Time Scan, Manual Scan, and Scheduled Scan configurations. DSA-4242

Enhancements

Deep Security Scanner (SAP) now reports files containing Microsoft Office Macros as Active Content, while previously they were identified as Malware. PCT-5979/DSA-3911

Resolved issues

Migration of agents from on-premise Deep Security Manager to Trend Cloud One - Endpoint & Workload Security using Trend Vision One Service Gateway failed. This issue could also occur when migrating using other proxy services. PCT-16649/DSA-4144
Remote Desktop Services on Windows Server 2008 R2 was blocked by the TLS inspection process (tm_netagent). PCT-12049/PCT-12172/PCT-13878/DSA-3944
Behavior Monitoring exclusions sometimes failed to apply because they were case sensitive. PCT-16168/PCT-16005/PCT-16476/CTSKA-27/DSA-4116
The expected MIME type for .msg files by the Deep Security Agent SAP Scanner was incorrect. PCT-5797/DSA-4050
Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent sometimes resulted in a TLS inspection process (tm_netagent) error log rotation issue. DSA-3965
When a password is required for a local override, the password was checked after the Deep Security Agent self-protection was locally disabled. PCT-10861/DSA-3293
Uninstalling Deep Security Agent did not remove all folders associated with Deep Security Agent. DSA-2460

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Known issues

The Application Control Trust Entities "block by target" trust rule sometimes does not work properly when running a copy of an executable file. PCT-11105/DSA-3324

Deep Security Agent - 20.0.1-700 (20 LTS Update 2024-04-17)

Release date: April 17, 2024

Build number: 20.0.1-700

Enhancements

Updated Deep Security Agent to improve the priority for configurations using a proxy. This is only supported for Trend Cloud One - Endpoint & Workload Security customers on Windows x64 platforms at this time. DSA-4817/PCT-21750

Known issues

Updating to Deep Security Agent 20.0.1.700 fails on some 20.0.0 versions when using Deep Security Relay. For more details, see Failed remote upgrade of self-deployed Workload Security relay from 20.0.0-3445 or later to version revision 20.0.1. DSA-3317
Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For more details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773

Deep Security Agent - 20.0.1-690 (20 LTS Update 2024-01-17)

Release date: January 17, 2024

Build number: 20.0.1-690

New features

Enhancements

From 2024 onward, Deep Security Agent versioning is being revised from 20.0.0 to 20.0.1. This requires Deep Security Manager 20.0.883 or later. DSA-3584

For details, see Platform support updates for Deep Security Agent (DSA) version revision in January 2024 Update Release.

Resolved issues

Deep Security Agent was sometimes unable to connect to the local Smart Protection Server. DSA-3564
Deep Security Agent could have memory leaks on some systems while trying to route to Domain Controllers. DSA-3266
Deep Security Agent sometimes froze at launch if Windows APIs were verifying digital signatures for portable executable (PE) files. DSA-3626
When FIPS mode was disabled, Deep Security Agent used the OpenSSL configuration specified by the system environment variables rather than the config specified by the agent. PCT-4914/DSA-2651/DSA-2737/DSA-2738

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 9.8

Highest severity: Critical

Known issues

Updating to Deep Security Agent 20.0.1-690 from some 20.0.0 versions sometimes fails when using Deep Security Relay on Trend Cloud One - Endpoint & Workload Security. For details, see Failed remote upgrade of self-deployed Workload Security relay from 20.0.0-3445 or later to version revision 20.0.1 DSA-3317
Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773

Deep Security Agent - 20.0.0-8438 (20 LTS Update 2023-12-12)

Release date: December 12, 2023

Build number: 20.0.0-8438

New features

Windows 11, version 23H2 support: Deep Security Agent 20.0.0-8438 or later support Windows 11, version 23H2. DSA-2255

Enhancements

Remove some file types from the scanning list to avoid high CPU and disk consumption. SF07099651/SEG-188688/DSA-2010
Agent self-protection now protects the Advanced TLS Traffic Inspection process (tm_netagent) preventing local users with administrator privileges from stopping it. DSA-1042/DSA-1043

Resolved issues

When using a local Smart Protection Server and a configured proxy, Web Reputation Service would sometimes improperly send traffic through the proxy. Web Reputation Service now sends queries to the local Smart Protection Server directly. DSA-2981
Anti-Malware scan mode would sometimes not match the policy configuration. SF07117203/SEG-191043/PCT-7856/DSA-2561
A memory leak would occur when loading large Suspicious Object lists. SF06904914/SEG-182231/DSA-1370

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Known issues

Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773
Deep Security Agent is sometimes unable to connect to the local Smart Protection Server. This issue is fixed in 20.0.1-690. For details, see Deep Security Agent (DSA) connection issues with Smart Protection Server (SPS) when using proxy DSA-3564

Deep Security Agent - 20.0.0-8268 (20 LTS Update 2023-11-21)

Release date: November 21, 2023

Build number: 20.0.0-8268

Resolved issues

Deep Security Anti-Malware sometimes did not function as expected after the system had resumed from sleep mode (S0 low-power idle mode of the working state, also known as modern standby). SF07326571/PCT-5476/DSA-2485
Deep Security Agent incorrectly classified MIME type of .xml files generated by Microsoft Word, Excel, PowerPoint, as well as .dwg files generated by AutoCAD and R2000. SF07027236/SEG-186079/DSA-2202

Known issues

Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773

Deep Security Agent - 20.0.0-8137 (20 LTS Update 2023-10-26)

Release date: October 26, 2023

Build number: 20.0.0-8137

New features

Process Memory Scan: Anti-Malware manual and scheduled scans now support the process memory scan which scans the memory of running processes. This requires Deep Security Manager 20.0.844 or later.
This feature will be disabled in the November release of Deep Security Manager and in Trend Cloud One - Workload Security. For more information, see High Memory Usage for random process when using Deep Security Agent 20.0.0-8137

Resolved issues

When Intrusion Prevention System was enabled on a machine with Windows Network Load Balancing (NLB) installed and Unicast Mode configured, Network Load Balancing performance was sometimes affected. SF06426122/SEG-169878/DSSEG-7852
When agent self-protection was enabled for Deep Security Agent 20.0.0-7719, access violation errors would sometimes appear in the Windows System Log. DSA-1962

Known issues

Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773

Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)

Release date: September 26, 2023

Build number: 20.0.0-7943

Enhancements

In order to display agent pattern updates properly, Deep Security Agent 20.0.0-7943 or later requires Deep Security Manager 20.0.759+. For more information, see Incompatible Agent / Appliance Version error in Deep Security Agent 20.0.0-7943. SEG-190866/SEG-191017/DSA-1531
New commands exist to get proxy information from the command line:
dsa_query -c GetProxyInfo
dsa_query -c GetProxyInfo details=true. DSA-864
Web Reputation Service now supports the "Trend Micro Toolbar for Enterprise" browser extension for Microsoft Edge on Windows 10 (64-bit), Windows 11, Windows Server 2016, Windows Server 2019 and Windows Server 2022. DSA-1565

Resolved issues

When Log Inspection was enabled, Deep Security Agent sometimes crashed on Windows Server 2019 systems. DS-77766

Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)

Release date: August 29, 2023

Build number: 20.0.0-7719

New features

New language support: Deep Security Agent now supports Polish and Czech.

Enhancements

Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. Note that agents configured as a Deep Security Relay still download all pattern updates. DSA-1000
The blocking page Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
Deep Security Agent now triggers a security update automatically when the Anti-Malware Solution Platform (AMSP) service is ready. Previously, security updates could fail if triggered before the AMSP was ready, causing "Anti-Malware Engine Offline" and "Pattern Update on Agents/Appliances Failed" errors. DSA-1020

Resolved issues

Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
When Anti-Malware was enabled, Deep Security Agent impacted the performance of some third-party applications. SEG-182065/DSA-790
Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756
Device Control blocked Windows Server Storage Area Network (SAN) drives that should have been allowed. SEG-178278/V1E-3895
Network drivers failed to bind to the network interface automatically on some Azure VMs. DSA-1040

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)

Release date: July 25, 2023

Build number: 20.0.0-7476

New features

Deep Security Agent Right-Click Scan: Deep Security Agent now allows users to trigger a manual scan from Windows File Explorer by right-clicking a file or folder and selecting Scan. Note that this feature is only available to Trend Vision One Endpoint users and Trend Cloud One - Endpoint & Workload users at this time.

Enhancements

If anti-malware is offline because AMSP service was not installed correctly, Deep Security Agent now tries to reinstall AMSP when the agent service launches. DSSEG-7903/SEG-181443
Updated the dsa-connect service to improve CPU performance. C1WS-12970
Updated Deep Security Agent to support the Notifier Anti-Malware Protected Process Light (AM-PPL) service for Windows 10 desktop platforms. This requires Deep Security Manager 20.0.789 - 20.0.833. DS-77160
Improved Advanced TLS Traffic Inspection coverage for Windows Server 2012 R2, 2016, and 2019. SEG-182585/DSA-583

Resolved issues

Smart Protection Servers would sometimes lose connectivity with Web Reputation Service. SF06423462/SEG-166651/DSSEG-7858
The system sometimes crashed when Intrusion Prevention was enabled. SF06983729/SEG-184423/DSSEG-7907
Deep Security Agent upgrades triggered from the Deep Security Manager console would fail on some system configurations, returning MSI error code 1601: Windows installer is not accessible. SEG-177789/DS-78084
Deep Security Agent sometimes reported that the network module was disabled (Event ID 1013, Trend Micro LightWeight Driver failed to bind on all network interfaces) even if the module was enabled. SEG-184701/SEG-182649/DSA-686
Updated Deep Security Agent to support systems using Dell MAC Address Passthrough. SEG-177651/DSA-455

Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)

Release date: June 28, 2023

Build number: 20.0.0-7303

Enhancements

Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation, such as fe80:0:0:0:0:0:0:1/24 or fe80::01. SF04849178/SEG-122076/DS-67280
Web Reputation Service now automatically monitor the ports used by the OS proxy configuration. DS-77233
When a specific process is sending backup packets through an unencrypted connection, Intrusion Prevention optimizes the scan flow to reduce CPU impact. SF06456142/SEG-166877/DS-76500

Resolved issues

The Windows Malicious Software Removal Tool (MSRT) installation could fail while Application Control is in maintenance mode. SF06446534/SEG-172729/DS-77094
Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
The Deep Security Agent upgrade would fail when specific features were enabled. SF06794868/SEG-177789/DS-78008
Deep Security Agent sometimes crashed when it was unable to connect to Deep Security Manager using a proxy. DS-77786
When Application Control was enabled, MSI file installations failed on some versions of Windows. SF06509811/SEG-170485/DS-76906
Deep Security Relay 20.0.0-7119 failed to provide security and software updates when using the improved Relay. SF06935222/SEG-183184/DS-78201
Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709

Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)

Release date: May 29, 2023

Build number: 20.0.0-7119

Enhancements

When Application Control is enabled, MSI file installations fail on some systems. SF06509811/SEG-170485/DS-76906
Agent self-protection now secures the Advanced TLS inspection process (ds_nuagent), preventing local users with administrator privileges from stopping it. DS-74080
Deep Security Agent 20.0.0-7119 or later now supports FIPS mode for the dsa-connect service for Workload Security customers on Windows platforms that support FIPS mode as detailed here: Supported features by platform. C1WS-7467

Resolved issues

Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453
If Advanced TLS traffic inspection was enabled, rebooting the operating system sometimes caused Deep Security Agent to get stuck on the "stopping services" screen. SF06494167/SEG-170082/DS-76880
The Deep Security Notifier service (ds_notifier) caused a memory leak during agent updates on some systems. SF06454240/SEG-167684/DSSEG-7863

Known issues

Upgrading to Deep Security Agent version 20.0.0-6860, 20.0.0-6690, or 20.0.0-7119 using the Deep Security Manager console sometimes results in upgrade failure. After the upgrade failure, the Deep Security Agent service stops and may show "Agent Offline" from the manager console. SEG-177789, SEG-177748, SEG-178496, SEG-178742, SEG-177423, SEG-178470, SEG-178940, SEG-178956

Deep Security Agent - 20.0.0-6860 (20 LTS Update 2023-04-25)

Release date: April 25, 2023

Build number: 20.0.0-6860

Enhancements

Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to ds_agent.ini. SF06664116/SEG-173848/DS-77182

Example proxy probing line in ds_agent.ini config file:
dsa.proxymanager.ProbeTimeoutInSec=120
Made improvements to Deep Security Agent to prevent it incorrectly sending "MQTT Connection Offline" warnings when the connection is online. SEG-171358/C1WS-12979
Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840
Deep Security Agent installer now prevents the agent from updating if it detects SHA-1 was used to sign the certificate on the agent installer. This prevents the agent from updating and becoming unresponsive, since Deep Security Agent 20.0.0-6313 and higher requires RSA-2048 and SHA-256. For more information on certificate upgrade, see Upgrade the Deep Security cryptographic algorithm. DS-76499
Error messages from the Trend Micro Deep Security Notifier now provide more details when the on-demand scans fail. VO-2132

Resolved issues

Deep Security Agent was unable to load the third-party libraries required to use Remote Shell, File Collection, or Network Isolation on the Windows 2008 platform. DS-75176
Deep Security Agent would sometimes freeze on system startup, which caused the Windows Service Control Manager service to generate "service hung on starting" events (Event ID 7022). DS-77212
When Anti-Malware Predictive Machine Learning was enabled, file operations initiated by Powershell sometimes encountered sharing violations. SF05904706/SEG-150738/DSSEG-7695
When Web Reputation Service was enabled, Deep Security Agent caused some systems to shutdown unexpectedly. SF06680505/SEG-174730/DSSEG-7866
Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 2.9

Highest severity: Low

Deep Security Agent - 20.0.0-6690 (20 LTS Update 2023-03-29)

Release date: March 29, 2023

Build number: 20.0.0-6690

New features

Service Gateway: Deep Security Agent 20.0.0-6690 or later with Deep Security Manager 20.0.741 or later now supports the Service Gateway feature, providing forward proxy functionality.

Enhancements

Deep Security Agent installation now performs a pre-check to verify if its operating system meets Azure Code Signing (ACS) requirements. For more information, see Trend Micro Server and Endpoint Protection Agent Minimum Windows Version Requirements. DS-75552
Application Control now checks the execution of Microsoft Windows Control Panel Applet (.CPL) files. DS-74587
Application Control now checks the execution of Microsoft Compiled HTML help (.CHM) files. DS-74828
When an Application Control Trust Entities path rule uses a wildcard without specifying a filename, the wildcard now applies to all files in any directory matching the rule's path. Note that previously, the globstar (**) wildcard would apply to a path rule's directory and subdirectories, as opposed to the single star (*) wildcard which would only match within the path rule's directory. DS-75133
Web Reputation Service now includes OS platform metadata. DS-75453
Deep Security Agent 20.0.0-6690 or later now supports the Proxy Manager for Trend Micro Vision One (XDR) Threat Intelligence - User Defined Suspicious Object (UDSO). DS-75365
Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (dsa-connect-X.log) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598

The logger supports an on-demand JSON config file (either dsa-connect.ini or dsa-connect.conf) with the following configurable options:
- Debug: Enable the debug log messages. The default value is false.
- Count: Number of log files to generate. The default value is 5.
- Size: Maximum size of each log file in bytes. The default value is 2097152.
Example config file:
```
                            {
                            "Debug": true,
                            "Count": 5,
                            "Size": 2097152
                            }
```
The Web Reputation Service's Browser Extension now allows Trend Micro Toolbar for Chrome browser to inspect URLs for content scripts in all frames. DS-75387
Anti-Malware events generated by the SAP Scanner now include file hashes. DS-75648/SEG-165491

Resolved issues

Deep Security Agent events and module status changes sometimes failed to appear in the console. DS-46344/SEG-67100/SEG-101719/SEG-112311
When Anti-Malware's "Enable network directory scan" option was enabled (Computer or Policy > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration > Advanced > Network Directory Scan)), malware was detected but a corresponding event was not recorded in some cases. SF06198579/SEG-160763/DSSEG-7786
When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
Application Control now checks web browser execution of .HTML, .HTM, and .JS files. DS-75102
When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
Deep Security Agent Scanner (SAP) couldn't generate reports for files with one or more trailing dots . in their file name. SF06181341/SEG-166326/DS-76404

Known issues

Deep Security Agent 20.0.0-6313 or later is currently unable to load the third-party libraries required to use Remote Shell, File Collection, or Network Isolation on the Windows 2008 platform. If you need these three features on a Windows 2008 system, refrain from upgrading your agent. DS-75176
Updating Deep Security Agent causes Deep Security Manager to show an unknown error event (ID: 740) on some systems. A future Deep Security Manager release will address this issue. For more details, see Unrecognized Agent / Appliance Error Event in Deep Security Manager (Event ID 1010 - 1013). DS-76813

Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)

Release date: January 31, 2023

Build number: 20.0.0-6313

New features

Windows 10 22H2 support: Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.716 or later now supports Windows 10 22H2.

Enhancements

Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676

To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
If you updated to Deep Security Agent 20.0.0-6313 or later before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent offline when OpenSSL 3 rejects certificate with SHA-1 algorithm.
With Anti-Malware and Behavior Monitoring enabled, Deep Security Agent now monitors for suspicious behavior to improve protection against MITRE attack scenarios. This functionality requires Deep Security Manager 20.0.711+. DS-73644
Updated Deep Security Agent to support the "Trend Micro Toolbar for Enterprise" Chrome browser extension, improving HTTPS protection for Web Reputation Service. DS-74870

Resolved issues

When Application Control was enabled, Deep Security Agent's status sometimes became stuck at "Application Control Ruleset Update In Progress". DS-74627
An issue with the TLS protocol record layer in Deep Security Agent caused some systems to crash. SF06297487/SEG-162236/DSSEG-7774
Deep Security Agent sometimes caused file handle leaks when communicating with Deep Security Manager or agent command-line tools. DS-75111
For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent only shows the final successful event. SF06207160/SEG-160085/DSSEG-7765
With Web Reputation Enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (_) entered in a command was replaced with a dash (-), and an uppercase Z was replaced with a lowercase z. DS-74335

Deep Security Agent - 20.0.0-5995 (20 LTS Update 2022-11-28)

Release date: November 28, 2022

Build number: 20.0.0-5995

New features

Windows 11 22H2 support: Deep Security Agent 20.0.0-5995 or later with Deep Security Manager 20.0.711 or later now supports Windows 11 22H2.

Enhancements

Updated Deep Security Agent to support the "Trend Micro Toolbar for Enterprise," a Chrome browser extension that extends HTTPS protection for Web Reputation Service. This is only supported for Trend Micro Cloud One - Workload Security customers at this time. DS-74568
Updated the Web Reputation Service to support multi-thread processing on the web browser extension, improving the query rate. DS-74098
Updated Deep Security Agent to include the details of command line Behavior Monitoring violations in the console under Events and Reports > Events > Anti-Malware Events. DS-72866

Resolved issues

A file handle leak in the Deep Security notifier (notifier.exe) caused high system memory usage. DS-74325
In Workload Security, enabling OS proxy (by setting Allow agents to apply OS proxy or direct connect when the configured proxy is inaccessible to Yes from Administration > System Settings > Proxies) would cause Deep Security Agent to crash if the proxy data the agent needed was missing on the operating system side. SEG-158968/DS-75034
While running Application Control in maintenance mode, executable files that should have been accessible were sometimes blocked due to a sharing violation. SF04922652/SEG-131710/DS-74592
Application Control was unable to block scripts executed using GitBash shell (sh.exe). DS-73827
Deep Security Agent caused an outdated "Early Launch Anti-Malware Pattern" component to appear on the Security Updates page, causing the Security Update Status to be "Out-of-Date". This pattern was unused, which is why it always appeared as an outdated component. SEG-158345/DSSEG-7745
Deep Security Agent sometimes allowed a higher access level than the one set by a user's group. For example, the "Users" group was able to modify files even if it had read-only access. SEG-157530/DSSEG-7737
With Anti-Malware enabled, a Deep Security Agent driver caused some systems running Windows Server 2008 to crash. SF05926337/SEG-157388/DSSEG-7739

Deep Security Agent - 20.0.0-5810 (20 LTS Update 2022-10-27)

Release date: October 27, 2022

Build number: 20.0.0-5810

New features

Installed software reporting: Deep Security Agent now reports installed software with additional details from the Microsoft Windows Installer. This is currently only available to Trend Micro Cloud One Workload Security customers.

Enhancements

Updated Deep Security Agent to include additional metadata, such as UserAgent and Referrer, for Web Reputation Services. DS-72196
Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085

Resolved issues

With Anti-Malware Behavior Monitoring enabled, uninstalling or upgrading from Deep Security Agent 20.0.0-5761 caused some systems to crash. For more details see BSOD Encountered During Uninstall of Deep Security Agent 20.0.0-5761. DS-74322
With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
If the Deep Security Agent service stopped while running Application Control in Maintenance Mode, executable files created after the service stopped were not being auto-approved as intended. SF05961688/SEG-152045/DS-73570
Software, if renamed or copied while Application Control had Maintenance Mode enabled, would remain authorized in the software inventory under its original filename or location. DS-74015
Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807
The TLS inspection support package failed to download on Deep Security Agents using Edge Relay. DS-73789
While an Application Control inventory build is in progress, the agent would sometimes appear offline. DS-72189

Known issues

After upgrading the Deep Security Agent 20.0.0-5761 to 20.0.0-5810 on Windows, a reboot is required to solve an issue that causes computers to crash. For details including steps to work around the issue, see BSOD Encountered During Uninstall of Deep Security Agent 20.0.0-5761. DS-74383

Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)

Release date: September 22, 2022

Build number: 20.0.0-5512

Enhancements

Deep Security Agent now supports the automatic update of Advanced TLS Traffic Inspection as operating system libraries change (Computer or Policy > Settings > TLS Inspection Package Update). This requires Deep Security Manager 20.0.677 or later. DS-72828

Resolved issues

Integrity Monitoring events (Events and Reports > Integrity Monitoring) were created with N/A displayed in the KEY and TYPE columns. SF05533287/SEG-139293/DS-71899
Updating Deep Security Agent and removing the expired TLS session key caused some systems to crash. SF06007238/SEG-153175/DS-73404
With Anti-Malware enabled, some computers froze in a "Security Update In Progress" state. SF05106626/SEG-129777/DSSEG-7500
With Deep Security Agent self-protection enabled, enabling or disabling Advanced TLS inspection service caused "Event ID 7006" in the Windows Service Control Manager. DS-73305
Deep Security Agent reported host metadata in an unexpected format. DS-73411

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.0

Highest severity: High

Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)

Release date: August 29, 2022

Build number: 20.0.0-5394

Enhancements

Application Control now detects software changes for executables with non executable extensions. DS-70805
Added SYSTEM user network drives and mount points for Windows to the information collected when generating a diagnostics package. DS-71816
Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
Updated Deep Security Agent so Application Control automatically authorizes test PowerShell scripts created by AppLocker. DS-71762
Behavior Monitoring exclusions now support wildcard characters. DS-71976
Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833

Resolved issues

When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
When Behavior Monitoring is enabled, Deep Security Agent would sometimes prevent Docker on Windows from starting. SF05709278/SEG-146323/DSSEG-7660
Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
Deep Security Agent would sometimes retrieve incorrect PID information on Windows for connection metrics and log events. DS-72526
Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
When Anti-Malware accessed files on a Cluster Shared Volume, the Hyper-V host would crash. SF05713918/SF05850687/SEG-146660/SEG-148664/DSSEG-7664

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)

Release date: July 26, 2022

Build number: 20.0.0-5137

New features

Advanced TLS Traffic Inspection: Deep Security Agent 20.0.0-5137 or later adds Advanced TLS Traffic Inspection support to platforms that run system updates or package updates. Note that this feature is currently only supported for Trend Micro – Cloud One Workload Security. Support for Deep Security Manager (On-Premise) will be added later.

Enhancements

Deep Security Agent 20.0.5137 or later for Windows uses an additional certificate: "Microsoft Identity Verification Root Certificate Authority 2020". For details see Updating the VeriSign, DigiCert, USERTrust RSA certificate on Deep Security and Trend Cloud One - Endpoint & Workload Security. DS-72711
Deep Security Agent Scanner (SAP) now generates infection reports with additional details. DS-71660
Updated Deep Security Agent to improve the "zero-config" SSL process for outbound connections. DS-70715
Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar \*\* which matches many sub directories. Single star \* now only matches within your current directory. Existing rules that used a single star \* to match many folders no longer work and need to be changed to use a globstar \*\*. DS-71817

Resolved issues

With Anti-Malware enabled, Deep Security Agent had a driver conflict causing some third-party applications to freeze. SF05570686/SEG-140749/DSSEG-7650
Deep Security Agent's Scanner (SAP) library install sometimes failed because required certificates on hosts were outdated. DS-71917
Deep Security Agent SAP scanner could not detect the MIME (.TTF) files. DS-55897
Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 4.4

Highest severity: Medium

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)

Release date: July 4, 2022

Build number: 20.0.0-4959

Resolved issues

Deep Security Agent caused increased CPU usage for systems running the WMI provider service (WmiPrvSE.exe). 05528968/SEG-142736/DS-71626
Deep Security Agent Scanner (SAP) reports displayed .SAR files in the wrong order. DS-71651
Deep Security Agent had a conflict preventing TMUMH drivers from loading (on Windows 11 and Windows 2022), and in some cases causing a system crash (affecting all Windows platforms). SEG-143164/DSSEG-7596
Using the command line (dsa_control -b), Deep Security Relay failed to extract the bundle file required to update in a closed network environment. SF05715642/SEG-144571/DSSEG-7600
With Log Inspection enabled, updates to Deep Security Agent 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
When Anti-Malware is enabled alongside Integrity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
With Anti-Malware enabled, Deep Security Agent generated "Anti-Malware Engine Offline" errors caused by service restarts following a software upgrade. SF05521775/SEG-144639/DSSEG-7615
With Anti-Malware enabled, Deep Security Agent sometimes caused a system crash or high system memory usage, or failed to deliver event reports. SF05475742/SEG-142632/DSSEG-7626
Updated Deep Security Agent to immediately report its status to Deep Security Manager when Application Control's maintenance mode is enabled on the agent. DS-71617
Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 6.2

Highest severity: Medium

Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)

Release date: May 31, 2022

Build number: 20.0.0-4726

Enhancements

Updated Deep Security Relay to record its status and other metrics for potential troubleshooting. DS-65763

Resolved issues

Trust Entities "Allow by target" rules sometimes blocked processes they weren't intended to block. SF04922652/SEG-131710/DS-71060
Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
Updated Deep Security Relay to prevent Deep Security Agent from retrieving incomplete signature files for packages. SF05332854/SEG-134394/DS-71228
Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
An abnormal restart of Deep Security Agent sometimes lead to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)

Release date: April 28, 2022

Build number: 20.0.0-4416

Enhancements

Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515
Updated Deep Security Agent to support enabling the Anti-Malware module while Windows Defender is running in passive mode under some system configurations DS-69161. Currently this is only supported on systems running the following versions:
- Defender (AM) product / engine versions:
- Windows server and desktop versions:
- Deep Security Agent 20.0.0-4416+

Resolved issues

Deep Security Agent generated multiple "Anti-malware Engine Offline" events during agent upgrades under some system configurations. SF04500910/SEG-129316/DSSEG-7458

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)

Release date: April 6, 2022

Build number: 20.0.0-4185

New features

Enhancements

Updated Deep Security Agent to properly execute Application Control settings for software changes made during a Windows upgrade. Previously, trust rules auto-authorizing software changes associated with a Windows upgrade would fail if Application Control was in lock down mode. DS-69579
When certificates are missing for an Anti-Malware installation, Deep Security Agent now forwards the certificate details to Deep Security Manager. The specific certificates missing will appear in the manager under Events and Reports > System Events. DS-69074

Resolved issues

Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
Deep Security Agent created an "Application Control Engine Offline" error during agent upgrade, and an "Application Control Engine Online Again" message after upgrade completion. Note that an upgrade should not have triggered these events. DS-69888
Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
Deep Security Agent sometimes consumed a high amount of system resources during policy updates. SEG-134417/DS-69810

Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)

Release date: March 1, 2022

Build number: 20.0.0-3964

New features

Threat Intelligence: Threat Intelligence (formerly known as Connected Threat Defense) provides enhanced malware protection for new and emerging threats. For more information, visit Detect emerging threats using Threat Intelligence.

Enhancements

Updated Deep Security Agent to exclude suspicious characters, such as $, found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989

Resolved issues

Deep Security Agent accepted policy change parameters even if the self-protection password verification did not pass. SF05177188/SEG-129643/DS-69293
Deep Security Agent sometimes went offline unexpectedly after activation. SEG-130280
With Intrusion Prevention enabled, issues establishing an SSL connection caused "Unsupported SSL Version" events. SF04955719/SEG-127437/DS-68689
Deep Security Agent was generating unexpected "Log File Delete Error" system events. DS-69641
Deep Security Agent sometimes created unnecessary User (Created/Deleted) or Group (Added/Removed/Updated) events. DS-62413

Deep Security Agent - 20.0.0-3771 (20 LTS Update 2022-01-24)

Release date: January 26, 2022

Build number: 20.0.0-3771

New features

Zero config IPS inspection: Deep Security Agent adds the capability for Intrusion Prevention to inspect TLS encrypted traffic without manually importing certificates. This adds support for more cipher suites as well. This feature is being rolled out gradually for Windows platforms, beginning with Trend Micro Cloud One - Workload Security customers.

Windows 21H2 support: Deep Security Agent 20.0.0-3771 or later now supports Windows 21H2.

Enhancements

Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042

Resolved issues

Pairing Deep Security Agent with a proxy failed on Windows 11 when the "http://" prefix was unexpectedly added to the proxy address. The prefix was added if the address was accessed from the LAN settings window (Control Panel > Network and Internet > Internet Options > Connections > LAN settings), and then the window was closed by selecting OK. DS-68568
Deep Security Agent security update would fail and generate "AMSP" events if Anti-Malware was offline during the update. SF04696674/SEG-120215/DSSEG-7287
Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
Updated Deep Security Agent to enable "Write Defer Scan" by default for real-time Anti-Malware scanning, resulting in increased response time, faster processing, and reduced CPU usage. Previously, all files were scanned during read/write by default. Now, Anti-Malware file scanning during write is deferred (the file is added to a queue and scanned in the background). DS-66344
With Smart Scan enabled, Deep Security Agent was downloading the full size pattern update file, instead of the incremental one it was expected to, during security updates SEG-124937/DSSEG-7317

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 9.1

Highest severity: High

Deep Security Agent - 20.0.0-3530 (20 LTS Update 2021-12-15)

Release date: December 15, 2021

Build number: 20.0.0-3530

New features

OS proxy support: Deep Security Agent 20.0.0-3530 or later for Windows can now apply proxy settings from the computer's OS to automatically connect to Trend Micro Cloud One - Workload Security, Deep Security Relay, and other Trend Micro backend services if the default agent-configured proxy loses its connection. This feature is only available to certain Workload Security customers at this time.

Important Notes

Pairing Deep Security Agent with a proxy currently fails on Windows 11 when the "http://" prefix is unexpectedly added to the proxy address after accessing it (under Control Panel > Network and Internet > Internet Options > Connections > LAN settings) and then selecting OK to close the window. This issue will be fixed in a future release. DS-68568

Resolved issues

With Smart Scan enabled, Deep Security Agent downloaded the full size pattern update file instead of the incremental one it was expected to during security updates. DSSEG-7317

Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)

Release date: November 24, 2021

Build number: 20.0.0-3445

New features

Anti-Malware offline scheduled scan: Deep Security Agent 20.0.0-3445 or later adds the offline scheduled scan feature, enabling Anti-Malware scheduled scans to run while an agent is not connected to Cloud One Workload Security. This feature is only available to certain Cloud One Workload Security customers at this time.
Windows 11 support: Deep Security Agent 20.0.0-3445 or later now supports Windows 11.
Windows Server 2022 support: Deep Security Agent 20.0.0-3445 or later now supports Windows Server 2022.

Enhancements

Updated Deep Security Agent allow the Deep Security Notifier to be locked on (when installed through the command prompt using msiexec /I "Notifier's installer name" LockAppSettingsDefault=1), preventing users from hiding notifications. DS-64527
Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
Deep Security Agent no longer uses CBC cipher suites by default in order to improve security. DS-67204
Updated Deep Security Agent to support using the "process name" property in "Ignore from source" rules for Application Control Trust Entities on Cloud One Workload Security. DS-67322
Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347

Resolved issues

With Anti-Malware enabled, Deep Security Agent caused connectivity issues for third-party software on some systems. SF04087024/SEG-125579/DSSEG-7321
Deep Security Agent sometimes showed plugin installation failures during an upgrade even when the upgrade was successful. DS-67336
When an expired certificate was removed from the host, the Anti-Malware plug-in update would fail, creating "Anti-Malware Component Update" events. SEG-117871/DS-66139
If an Anti-Malware scan began before the module had completed its installation on Deep Security Agent, it could cause a system crash and "Anti-Malware Engine Offline" errors after a reboot. SEG-108355/DS-63721
Deep Security Agent couldn't properly handle SAP NetWeaver MIME type scan requests containing leading and trailing spaces. DS-67448
When Integrity Monitoring rules using "UserSet" or "GroupSet" were enabled for a Deep Security Agent on Windows Active Directory Domain Controllers, excessive CPU and memory consumption would sometimes occur. Deep Security Agent 20.0.0-3445 blocks these types of Integrity Monitoring rules on Windows Active Directory domain controllers and generates an "Inapplicable Integrity Monitoring Rule" event. DS-65965

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)

Release date: October 28, 2021

Build number: 20.0.0-3288

New features

Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

On Deep Security Agent 20.0.0-3165, "Anti-Malware Component Update Failed"events were sometimes generated when computers performed security updates. This defect is now fixed in Deep Security Agent 20.0.0-3288. SF04937346/SEG-122765/DSSEG-7268
With Intrusion Protection enabled, Deep Security Agent sometimes caused high CPU usage and sometimes caused the system to crash. DS-65902
With Intrusion Protection enabled, Deep Security Agent caused the system to crash under some configurations. SF04931669/SEG-123338/DS-67441
With SAP integrated and running, Deep Security Agent would block MP4 files. 04660120/SEG-117094/DSSEG-7254
Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
CPU usage would spike when Deep Security Agent queried the runtime status of the Anti-Malware component. DSSEG-7222
Deep Security Agent did not always check that metadata was ready before initializing connection with the manager. DS-51103
Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-65056

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)

Release date: October 08, 2021

Build number: 20.0.0-3165

New features

Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
CPU usage would spike when Deep Security Agent queried the runtime status of the Anti-Malware component DSSEG-7222
Deep Security Agent did always check that metadata was ready before initializing connection with the manager. DS-51103

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-2921 (20 LTS Update 2021-08-30)

Release date: August 30, 2021

Build number: 20.0.0-2921

New features

Census feedback: Deep Security Agent 20.0.0-2921 or later can now send census file feedback to the Smart Protection Network (SPN) if Trend Micro Smart Feedback is enabled (System Settings > Smart Feedback).

Enhancements

Updated Deep Security Agent to detect the "HiveNightmare" exploit. DS-65217

Resolved issues

With Application Control enabled, Deep Security Agent sometimes crashed when a .MSI file was launched. SF04647983/SEG-114894/DSSEG-7032
Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
Deep Security Agent sometimes failed to properly display items under Events and Reports. DSSEG-7057

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-2740 (20 LTS Update 2021-07-29)

Release date: July 29, 2021

Build number: 20.0.0-2740

Enhancements

Updated Deep Security Agent to improve TLS traffic inspection. This feature is being rolled out gradually, beginning with Trend Micro Cloud One - Workload Security customers. DS-15576
Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547

Resolved issues

With Application Control enabled, files with '.tmp" extensions were creating a large number of "Application Control Software Changes Detected" events in the Deep Security Manager console. 04671615/SEG-115017/DS-65043
Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 9.8

Highest severity: High

Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)

Release date: July 01, 2021

Build number: 20.0.0-2593

Resolved issues

Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
Anti-Malware sometimes went offline after enabling Application Control on Deep Security Agent. SF04532752/SEG-110572/DS-63406
Application Control was detecting multiple "Application Control Software Changes Detected" events due to '.tmp" files being generated by PowerShell. C1WS-1608
Citrix Virtual App or Desktop users sometimes encountered a grey screen (with error code 1003/1005) when Anti-Malware was enabled for Deep Security Agent. DS-64318
Anti-Malware sometimes caused high system CPU usage when the Windows WMI service accessed files repeatedly. SEG-109271/DSSEG-6983

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 4.4

Highest severity: Medium

Deep Security Agent - 20.0.0-2419 (20 LTS Update 2021-06-02)

Release date: June 02, 2021

Build number: 20.0.0-2419

Resolved issues

Deep Security Agent 20.0.0-2395 for Windows always displayed an "Out-of-Date" Security Update Status. This agent was removed from the Trend Micro Download Center. For more information see Removal of Deep Security Agent 20.0.0-2395 for Windows. SF04537047/SEG-110737/DS-63424
Integrity Monitoring alerts sometimes triggered but then did not appear in the Events and Reports tab. 04266346/SEG-103731/DS-62992
Items queued for Anti-Malware scan sometimes caused higher than normal Deep Security Agent CPU usage. DS-63106
Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-62154
Insufficient host information caused by connectivity issues sometimes resulted in offline or duplicate listings in the Computers tab for Deep Security Agents on AWS workspaces. SF04198134/SEG-102818/DS-61666
Deep Security Agent sometimes could not successfully perform an upgrade because of a missing package. SF04302125/SEG-104084/DS-62692

Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)

Release date: April 12, 2021

Build number: 20.0.0-2204

Resolved issues

When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
When Anti-Malware self-protection was enabled, sometimes third-party software could not be installed. SEG-101840/DSSEG-6694
Behavior Monitoring exceptions sometimes did not work properly. SF03775351/SEG-89899/DSSEG-6718
With Anti-Malware enabled, network transfer speeds slowed down significantly on some systems. SF04299217/SEG-103986/DSSEG-6780
Anti-Malware Behavior Monitoring exceptions sometimes did not work properly. SF04259521/SEG-102792/DSSEG-6714

Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)

Release date: March 08, 2021

Build number: 20.0.0-2009

Enhancements

Updated Deep Security Agent to include CPU information (number of logical cores) to improve diagnostics and performance tracking. DS-60011

Resolved issues

The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
Behavior Monitoring sometimes blocked a program without generating an event. SF03604820/SEG-86752/DS-60526
When Anti-Malware was enabled, a high amount of CPU was used. SF04106889/SEG-99034/DS-60526
Deep Security Agent sometimes crashed during an Anti-Malware manual scan. SEG-100231/DSSEG-6664

Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)

Release date: February 08, 2021

Build number: 20.0.0-1876

Resolved issues

The Deep Security Agent sometimes crashed when running Intrusion Prevention in passive mode. DS-57497

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021

Build number: 20.0.0-1822

Resolved issues

After a Windows update occurred, "Maintenance mode" for Application Control turned off automatically. SF03905860/SEG-93631/DS-58413

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021

Build number: 20.0.0-1681

This release contains general improvements.

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020

Build number: 20.0.0-1559

New features

Enhanced platform support

Windows 10 20H2

Improved security

Enhancements

Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
Enhanced memory usage to improve performance. DS-53012
Deep Security Agent now supports custom actions for Behavior Monitoring and Predictive Machine Learning. DS-48081

Resolved issues

When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Notice

In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:

[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020

Build number: 20.0.0.1337

New features

Enhancements

Added various executable files as trusted installers so they are automatically recognized by Application Control. SF03568205/SEG-85141/DS-54884
Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800/DS-51879
Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

In combined mode with agent-only and agent-preferred settings enabled, Deep Security Notifier sometimes turned the Antivirus status in the Windows action center on and off, which caused high CPU. DS-54799
After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
The Behavior Monitoring feature of Anti-Malware sometimes raised false alarms. DS-44974
When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
Deep Security Agent crashed unexpectedly because it was unable to detect the Docker engine version on Windows Servers. DS-29590
Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
There were detection issues with real-time Anti-Malware scans. DS-50286
Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. DS-53144

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 4.4

Highest severity: Medium

Known issues

While the Deep Security Relay is upgrading co-located or independent relays, the alerts "Anti-Malware protection is absent or out of date" and "Security Update: Security Update Check and Download Failed (Agent/Appliance error)" might occur for up to 20 minutes or longer before they're automatically resolved and the respective alerts cleared. For any subsequent Deep Security Agent upgrades to succeed, wait for the Deep Security Relay alerts to clear automatically. DS-54056

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020

Build number: 20.0.0.877

New features

Improved security

Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.

Protect AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, the computer is now created outside of the account and the agent is allowed to activate.

SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.

Improved quality and management

Reboot requirement removed for agent upgrade: Previously, there were several situations where a Windows server would require a reboot for a new agent to complete the upgrade. The need to reboot when upgrading from Deep Security Agent 11.0, 12.0, or 20.0 on any Windows Operating System has been completely removed, enabling the application to not be impacted as result of upgrading Deep Security Agent.

Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported with Deep Security Manager FR 2020-04-30. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?

Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been canceled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.

Anti-Malware real-time file scan report: Deep Security has the ability to determine the top 10 files that are scanned by Anti-Malware real-time scan. This provides a starting point for performance evaluating and tuning, as you can use this information to set file exclusions and avoid unnecessary scans. The 'AmTopNScan.txt' file with the collected data can be generated using the following methods:

By the command dsa_control --AmTopNScan
By the diagnostic service

Improved process exceptions: The process exception experience has been improved in the following ways:

Information about why process exclusion items are not functioning correctly is now provided, so you can troubleshoot the issue and know which actions to take to resolve it.
The process exception configuration workflow has been improved to make it more robust.

Windows Event Channel for Log Inspection: Windows Event Channel logging provides a new option for tracking OS and Application logging for Windows platforms newer than Windows Vista. Event channels can be used to collect Log Inspection events which you can view later.

Enhancements

Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
Removed Integrity Monitoring and Application Control's dependency on Anti-Malware, so they no longer require Anti-Malware to be installed to function.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
Added support for agentless mode on vCloud connector for version 9.5 or later.
Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.
Enhanced the Malware Scan Failure event description to indicate the possible reason.
Streamlined event management for improved agent performance.
Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
Added support for Deep Security Agent delayed upgrade to reduce the Anti-Malware offline issue after triggering an upgrade.

Resolved issues

After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
Deep Security Agent restarted unexpectedly because of the way Log Inspection was accessing the SQLite database. DS-48395
The interface isolation feature stayed active when Firewall was turned off. SEG-32926/DS-27099
Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. DS-48916
Integrity Monitoring events showed an incorrect file path with Unicode encoding. SEG-45239/DS-33911
The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. SF02092464/SEG-53938/DS-38578
Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. SEG-39711/DS-32799
For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. SF01704358/SEG-45004/DS-32077
Deep Security's Notifier.exe process caused high CPU usage. SF01716752/SEG-45507/DS-33645
The "Smart Protection Server Disconnected for Smart Scan" alert did not automatically clear after the connection had been restored. SF1609675/SEG-43574/DS-32947
In some cases, the Windows driver did not correctly release spinlock, causing the system to hang. SF01990859/SEG-50709/DS-36066
Deep Security Agent process sometimes crashed when the detailed logging of SSL message was enabled and outputted. SF01745654/SEG-45832/DS-33007
When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. SF01415702/SEG-42919/DS-33008
The Send Policy action failed because of a GetDockerVersion error in Deep Security Agent. SF1939658/SEG-49191/DS-34222
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DS-34022
The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. SEG-50728/DS-35446
The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. SF01526046/SF02159742/SEG-55453/DS-38812
Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app." error message in ds_agent.log. SEG-21208/DS-33134/DS-21352
When the system region format is "Chinese (Traditional, Hong Kong SAR)", Deep Security Notifier displayed simplified Chinese instead of traditional Chinese. SEG-48075/DS-34778
Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. SF02187371/SEG-56645/DS-39398
Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. SF01804378/SEG-47425/DS-33690
Too many file open events were being processed in user mode resulting in high CPU usage. SF02179544/SEG-55745/DS-39638
The Type attribute was not displayed in Integrity Monitoring events when the default STANDARD attribute was set to monitor registry value changes. SF02412251/SEG-59848/DS-41118
Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. SF01780211/SEG-46616/DSSEG-3607
High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. SF02179544/SEG-55745/DS-41142
The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. SF02092464/SEG-53938/DS-39981
Deep Security failed to download security updates because of an outdated user agent string. SF02043400/SEG-52069/DS-41316
When machines wrote document files to a file server, Anti-Malware needed to scan the files frequently, which caused other machines to fail to write the file because the file was being scanned. SF01949194/SEG-49854/DS-40100
When Deep Security Agent scanned large files for viruses, it consumed a large amount of memory. SF01572110/SEG-48704/DS-43114

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Updated NGINX to 1.16.1. DSSEG-4600
Updated to curl 7.67.0.
Updated to openssl-1.0.2t.
Updated JRE to the latest Java Update (8.0.241/8.43.0.6).

Known issues

After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error may occur. To work around this issue, right-click the affected computer and select Actions > Clear Warnings/Errors, then Send Policy.
After upgrading the Deep Security Agent on Windows 2008, Anti-Malware may go offline. If this occurs, fully uninstall Deep Security Agent, reboot your server, then reinstall the agent.

Upgrade notice

If you have Application Control enabled, there may be a temporary performance impact while your software inventory is automatically rebuilding. DS-41775

Unix

Deep Security Agent - 20.0.2-1390 (20 LTS Update 2025-01-15)

Release date: January 15, 2025

Build number: 20.0.2-1390

Enhancements

Deep Security Agent now queues packets to handle them in sequence, improving performance. DSA-6916

Resolved issues

Deep Security Agent sometimes had connectivity issues when Advanced TLS Traffic Inspection was enabled. DSA-8577

Deep Security Agent - 20.0.1-25771 (20 LTS Update 2024-12-10)

Release date: December 10, 2024

Build number: 20.0.1-25771

Resolved issues

Events including packet data were being logged with an incorrect packet size. PCT-45556/DSA-8074

Deep Security Agent - 20.0.1-23340 (20 LTS Update 2024-11-13)

Release date: November 13, 2024

Build number: 20.0.1-23340

Enhancements

Web Reputation Service can now use Server Name Indication (SNI) queries when determining the risk level of a website. DSA-7314

Deep Security Agent - 20.0.1-21510 (20 LTS Update 2024-10-16)

Release date: October 16, 2024

Build number: 20.0.1-21510

This release contains general improvements.

Deep Security Agent - 20.0.1-19250 (20 LTS Update 2024-09-18)

Release date: September 18, 2024

Build number: 20.0.1-19250

This release contains general improvements.

Deep Security Agent - 20.0.1-17380 (20 LTS Update 2024-08-21)

Release date: August 21, 2024

Build number: 20.0.1-17380

Resolved issues

Deep Security Agent could not load the policy if some policy configuration fields contained curly brackets. DSA-6189
Deep Security Agent would fail to activate if the hostname contained non-ASCII characters. PCT-32214/DSA-6268
When Intrusion Prevention was enabled for Deep Security Agent, some third-party applications had connectivity issues if they were reusing a source port. SF07685331/PCT-20541/DSA-5596

Deep Security Agent - 20.0.1-14610 (20 LTS Update 2024-07-17)

Release date: July 17, 2024

Build number: 20.0.1-14610

Resolved issues

Integrity Monitoring real-time scans sometimes failed to generate events. SF07269768/PCT-21721/DSA-5877
Deep Security Agent for AIX platforms was sometimes unable to start without configuring a supported locale. DSA-5876

Deep Security Agent - 20.0.1-12510 (20 LTS Update 2024-06-19)

Release date: June 19, 2024

Build number: 20.0.1-12510

Resolved issues

When Anti-Malware was enabled, Deep Security Agent sometimes failed to shut down completely. PCT-26090/DSA-5492

Deep Security Agent - 20.0.1-9400 (20 LTS Update 2024-05-16)

Release date: May 16, 2024

Build number: 20.0.1-9400

Resolved issues

Using Deep Security Agent with Web Reputation Service enabled prevented some Application Performance Monitoring (APM) applications from functioning correctly. SF04072723/SEG-97952/PCT-15716/DSA-4750
The Anti-Malware Scheduled Scan on AIX platforms was including Network File System (NFS) contents, which should have been excluded. PCT-13912/DSA-4098

Deep Security Agent - 20.0.1-7380 (20 LTS Update 2024-04-24)

Release date: April 24, 2024

Build number: 20.0.1-7380

Enhancements

Deep Security Agent now supports Trend Vision One Service Gateway exclusions. This is only supported for Trend Cloud One - Endpoint & Workload Security users at this time. V1E-17754
Updated Deep Security Agent for AIX platforms to increase the pre-remove script timeout to 120 seconds. PCT-19843/DSA-4839

Resolved issues

Deep Security Agents running in cloud environments sometimes could not be activated for Trend Cloud One - Endpoint & Workload Security. DSA-4861

Deep Security Agent - 20.0.1-4540 (20 LTS Update 2024-03-20)

Release date: March 20, 2024

Build number: 20.0.1-4540

This release contains general improvements.

Deep Security Agent - 20.0.1-3180 (20 LTS Update 2024-02-29)

Release date: February 29, 2024

Build number: 20.0.1-3180

Resolved issues

Migration of agents from on-premise Deep Security Manager to Trend Cloud One - Endpoint & Workload Security using Trend Vision One Service Gateway failed. This issue could also occur when migrating using other proxy services. PCT-16649/DSA-4144
Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent sometimes resulted in a TLS inspection process (tm_netagent) error log rotation issue. DSA-3965

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Known issues

The Application Control Trust Entities "block by target" trust rule sometimes does not work properly when running a copy of an executable file. PCT-11105/DSA-3324

Deep Security Agent - 20.0.1-690 (20 LTS Update 2024-01-17)

Release date: January 17, 2024

Build number: 20.0.1-690

Enhancements

From 2024 onward, Deep Security Agent versioning is being revised from 20.0.0 to 20.0.1. This requires Deep Security Manager 20.0.883 or later. DSA-3584.

For details, see Platform support updates for Deep Security Agent (DSA) version revision in January 2024 Update Release.

Resolved issues

Deep Security Agent was sometimes unable to connect to the local Smart Protection Server. DSA-3564

Known issues

Updating to Deep Security Agent 20.0.1-690 from some 20.0.0 versions sometimes fails when using Deep Security Relay on Trend Cloud One - Endpoint & Workload Security. For details, see Failed remote upgrade of self-deployed Workload Security relay from 20.0.0-3445 or later to version revision 20.0.1 DSA-3317

Deep Security Agent - 20.0.0-8438 (20 LTS Update 2023-12-12)

Release date: December 12, 2023

Build number: 20.0.0-8438

Resolved issues

When using a local Smart Protection Server and a configured proxy, Web Reputation Service would sometimes improperly send traffic through the proxy. Web Reputation Service now sends queries to the local Smart Protection Server directly. DSA-2981

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 9.8

Highest severity: Critical

Known issues

Deep Security Agent is sometimes unable to connect to the local Smart Protection Server. This issue is fixed in 20.0.1-690. For details, see Deep Security Agent connection issues with Smart Protection Server when using proxy DSA-3564

Deep Security Agent - 20.0.0-8268 (20 LTS Update 2023-11-21)

Release date: November 21, 2023

Build number: 20.0.0-8268

Resolved issues

Deep Security Anti-Malware sometimes did not function as expected after the system had resumed from sleep mode (S0 low-power idle mode of the working state, also known as modern standby). SF07326571/PCT-5476/DSA-2485
Deep Security Agent incorrectly classified MIME type of .xml files generated by Microsoft Word, Excel, PowerPoint, as well as .dwg files generated by AutoCAD and R2000. SF07027236/SEG-186079/DSA-2202
A memory leak would occur when loading large Suspicious Object lists. SF06904914/SEG-182231/DSA-1370

Deep Security Agent - 20.0.0-8137 (20 LTS Update 2023-10-26)

Release date: October 26, 2023

Build number: 20.0.0-8137

This release contains general improvements.

Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)

Release date: September 26, 2023

Build number: 20.0.0-7943

Enhancements

New commands exist to get proxy information from the command line:
dsa_query -c GetProxyInfo
dsa_query -c GetProxyInfo details=true
DSA-864
In order to display agent pattern updates properly, Deep Security Agent 20.0.0-7943 or later requires Deep Security Manager 20.0.759 or later. For more information, see Incompatible Agent / Appliance Version error in Deep Security Agent 20.0.0-7943. SEG-190866/SEG-191017/DSA-1531

Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)

Release date: August 29, 2023

Build number: 20.0.0-7719

Enhancements

Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. Note that agents configured as a Deep Security Relay still download all pattern updates. DSA-1000
The "blocking page" Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
Intrusion Prevention can now limit how many bytes are scanned for connections with a dynamic port number between 10001-65535. DS-78036
Advanced Threat Scan Engine has been updated to version 22.6. DSA-453

Resolved issues

Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756

Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)

Release date: July 25, 2023

Build number: 20.0.0-7476

Enhancements

Updated the dsa-connect service to improve CPU performance. C1WS-12970

Resolved issues

Deep Security Agent upgrades from 20.0.0.6313 to a newer version would sometimes fail, generating an "Abnormal Restart Detected" warning. SF06897730/SEG-180989/DS-78063

Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)

Release date: June 28, 2023

Build number: 20.0.0-7303

Enhancements

Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation, such as fe80:0:0:0:0:0:0:1/24 or fe80::01. SF04849178/SEG-122076/DS-67280
Web Reputation Service now automatically monitors the ports used by the OS proxy configuration. DS-77233

Resolved issues

Deep Security Agents on AIX would sometimes crash when trying to upgrade to a new version. SF06643647/SEG-173140/DS-77359
Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709

Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)

Release date: May 29, 2023

Build number: 20.0.0-7119

Enhancements

Updated Deep Security Agent for Solaris to add an option to enable collecting interface latency metrics on Azure Data Explorer dashboards. DS-77025

Resolved issues

MQTT connection credentials were entered in the Deep Security Agent log file (ds_agent.log) in certain scenarios. SEG-174560/C1WS-13282
Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453

Deep Security Agent - 20.0.0-6912 (20 LTS Update 2023-05-02)

Release date: May 02, 2023

Build number: 20.0.0-6912

Enhancements

Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to ds_agent.ini. SF06664116/SEG-173848/DS-77182

Example proxy probing line in ds_agent.ini config file:
dsa.proxymanager.ProbeTimeoutInSec=120
Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840

Resolved issues

Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896
When Web Reputation Service was enabled, Deep Security Agent caused some systems to shutdown unexpectedly. SF06680505/SEG-174730/DSSEG-7866
Deep Security Agent sometimes crashed when shutting down after downloading new plugins from the relay. DS-76961

Deep Security Agent - 20.0.0-6658 (20 LTS Update 2023-03-22)

Release date: March 22, 2023

Build number: 20.0.0-6658

New features

Service Gateway: Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.741 or later now supports the Service Gateway feature, providing forward proxy functionality.

Enhancements

Web Reputation Service now includes OS platform metadata. DS-75453
Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (dsa-connect-X.log) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598

The logger supports an on-demand JSON config file (either dsa-connect.ini or dsa-connect.conf) with the following configurable options:
- Debug: Enable the debug log messages. The default value is false.
- Count: Number of log files to generate. The default value is 5.
- Size: Maximum size of each log file in bytes. The default value is 2097152.
Example config file:
```
                            {
                            "Debug": true,
                            "Count": 5,
                            "Size": 2097152
                            }
```

Resolved issues

When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835

Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)

Release date: January 31, 2023

Build number: 20.0.0-6313

Enhancements

Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676

To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
If you updated to Deep Security Agent 20.0.0-6313 or later before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent (DSA) offline when OpenSSL 3 rejects certificate with SHA-1 algorithm.

Resolved issues

Updated Deep Security Agent for AIX platforms to support Advanced Threat Scan Engine (ATSE) version 21.600. DS-75323
For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent only shows the final successful event. SF06207160/SEG-160085/DSSEG-7765
The Deep Security Agent log file (ds-agent.log) sometimes failed to rotate, causing it to use more disk space than intended. SF05306459/SEG-137003/DS-72899
With Web Reputation Enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (_) entered in a command was replaced with a dash (-), and an uppercase Z was replaced with a lowercase z. DS-74335

Deep Security Agent - 20.0.0-5953 (20 LTS Update 2022-11-22)

Release date: November 22, 2022

Build number: 20.0.0-5953

This release contains general improvements. Note that this release only includes an agent for Solaris platforms.

Deep Security Agent - 20.0.0-5761 (20 LTS Update 2022-10-21)

Release date: October 21, 2022

Build number: 20.0.0-5761

Enhancements

Updated Deep Security Agent to include additional metadata, such as UserAgent and Referrer, for Web Reputation Services. DS-72196
Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085

Resolved issues

With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an Offline (Activation required) status. SEG-153050/DS-73807

Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)

Release date: September 22, 2022

Build number: 20.0.0-5512

Enhancements

Updated Deep Security Agent to add multi-thread support for On-Demand scan and Scheduled Scan. DS-72797/DS-72798

Resolved issues

Deep Security Agent reported host metadata in an unexpected format. DS-73411

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.0

Highest severity: High

Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)

Release date: August 29, 2022

Build number: 20.0.0-5394

New features

AIX7.3 support: Deep Security Agent 20.0.0-5394 or later with Deep Security Manager 20.0.677 or later now supports AIX 7.3.

Enhancements

Application Control now detects software changes for executables with non executable extensions. DS-70805
Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833

Resolved issues

When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)

Release date: July 26, 2022

Build number: 20.0.0-5137

Enhancements

Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar \*\* which matches many sub directories. Single star \* now only matches within your current directory. Existing rules that used a single star \* to match many folders no longer work and need to be changed to use a globstar \*\*. DS-71817

Resolved issues

Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 4.4

Highest severity: Medium

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)

Release date: July 4, 2022

Build number: 20.0.0-4959

Resolved issues

With Log Inspection enabled, upgrades to Deep Security Agent 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
When Anti-Malware is enabled alongside Integrity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
With Anti-Malware enabled, Deep Security Agent sometimes crashed operating systems that were undergoing an ISO backup. SF05532786/SEG-139280/DS-71299
Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866

Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)

Release date: May 31, 2022

Build number: 20.0.0-4726

Resolved issues

On AIX servers, when the LIBPATH or LD_LIBRARY_PATH environment variables for the system are defined, Deep Security Agent sometimes would not start. DS-70882
Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
An abnormal restart of Deep Security Agent sometimes lead to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)

Release date: April 28, 2022

Build number: 20.0.0-4416

Enhancements

Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515

Resolved issues

With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)

Release date: April 6, 2022

Build number: 20.0.0-4185

Resolved issues

Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
Log Inspection was unable to parse system logs containing a single digit date format. SF04562942/SEG-115435/DS-69757

Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)

Release date: March 1, 2022

Build number: 20.0.0-3964

New features

Threat Intelligence: Threat Intelligence (formerly known as Connected Threat Defense) provides enhanced malware protection for new and emerging threats. For more information, visit Detect emerging threats using Threat Intelligence.

Enhancements

Updated Deep Security Agent to exclude suspicious characters, such as $, found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989

Deep Security Agent - 20.0.0-3770 (20 LTS Update 2022-01-24)

Release date: January 24, 2022

Build number: 20.0.0-3770

Enhancements

Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042

Resolved issues

Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 9.1

Highest severity: High

Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)

Release date: November 24, 2021

Build number: 20.0.0-3445

Enhancements

Updated Deep Security Agent to use TLS 1.2 strong cipher suite by default to improve security. The agent previously used the CBC cipher suite by default. DS-67204
Updated Deep Security Agent to support using the "process name" property in "Ignore from source" rules for Application Control Trust Entities on Cloud One Workload Security. DS-67322
Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347

Resolved issues

Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
Deep Security Agent sometimes caused connectivity issues, high CPU usage, or the system to crash. SEG-120758/SEG-123885/DS-67291

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)

Release date: October 28, 2021

Build number: 20.0.0-3288

New features

Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
Some customers encountered an issue when the run-time CPU number was larger than expected, which led to crashes. DS-65757
Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-65056

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)

Release date: October 08, 2021

Build number: 20.0.0-3165

New features

Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
Some customers encountered an issue when the run-time CPU number was larger than expected, led to crashes. DS-65757

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-2921 (20 LTS Update 2021-08-30)

Release date: August 30, 2021

Build number: 20.0.0-2921

Resolved issues

Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
Deep Security Agent sometimes failed to properly display items under Events and Reports. DSSEG-7057

Deep Security Agent - 20.0.0-2740 (20 LTS Update 2021-07-29)

Release date: July 29, 2021

Build number: 20.0.0-2740

Enhancements

Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547

Resolved issues

Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
With Integrity Monitoring enabled, Deep Security Manager caused high CPU usage on the authentication server for some systems. 04488319/SEG-110088/DS-63855

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 9.8

Highest severity: High

Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)

Release date: July 01, 2021

Build number: 20.0.0-2593

Resolved issues

Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
Integrity Monitoring alerts sometimes triggered but did not appear in the Events and Reports tab. 04266346/SEG-103731/DS-62992
Deep Security Agent failed to detect the correct platform under some configurations. 03804296/SEG-90864/DS-57809
Application Control was detecting multiple "Application Control Software Changes Detected" events due to '.tmp" files being generated by PowerShell. C1WS-1608

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 4.4

Highest severity: Medium

Deep Security Agent - 20.0.0-2395 (20 LTS Update 2021-05-24)

Release date: May 24, 2021

Build number: 20.0.0-2395

Enhancement

Deep Security Agent 20.0.0-2395 or later now supports Entrust Root Certificate Authority (G2) certificates. Non-G2 security certificates expire on 2022/07/09. After that date, only Deep Security Agent 20.0.0-2395 or later will have the latest Anti-Malware Smart Scan protection. DS-63010

Resolved issues

Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-62154

Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)

Release date: April 12, 2021

Build number: 20.0.0-2204

New feature

Enhanced platform support

Anti-Malware support for AIX: Deep Security Agent 20.0.0-2204 or later now supports Anti-Malware for AIX 6.1, AIX 7.1, and AIX 7.2.

Resolved issues

With Anti-Malware enabled, Deep Security Agent sometimes caused "defunct processes" (that is, processes that remain in the system process table after they've completed execution). SEG-104452/DS-61593
When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067

Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)

Release date: March 08, 2021

Build number: 20.0.0-2009

Resolved issues

The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893

Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)

Release date: February 08, 2021

Build number: 20.0.0-1876

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021

Build number: 20.0.0-1822

New feature

Anti-Malware support for AIX: Deep Security Agent 20.0.0-1822 or later now supports Anti-Malware for AIX 7.1 and 7.2.

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021

Build number: 20.0.0-1681

This release contains general improvements.

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020

Build number: 20.0.0-1559

New features

Enhancements

Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
Enhanced memory usage to improve performance. DS-53012

Resolved issues

On Solaris servers where Integrity Monitoring was enabled and the rule: "Unix - Monitor Processes Running From '/tmp' Directories (ATT&CK T1059)" was assigned, a rule compile error was generated that referenced an "Unsupported Feature in Integrity Monitoring Rule". DS-55884
When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Notice

In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:

[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020

Build number: 20.0.0.1337

Resolved issues

When using Deep Security Agent on Solaris, the Integrity Monitoring port scanning feature did not work because the agent did not have access to information on the user ID under which a given port was opened. This prevented storage of any listening port information. The port scanning feature on Solaris agents has been modified to store the string "n/a" for the userid. This allows the remaining port information to be stored and used in the port scanning function. However, exclusions and inclusions based on User ID still do not function correctly because this information is not available. DS-53922

Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)

Release date: October 21, 2020

Build number: 20.0.0.1304

Enhancements

Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719

Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)

Release date: October 5, 2020

Build number: 20.0.0.1194

Enhancements

Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800
Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061

Resolved issues

Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
Deep Security Agent crashed on Solaris 10 during upgrades. SEG-72634/SF02975849/DS-49295
When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 4.4

Highest severity: Medium

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020

Build number: 20.0.0.877

New features

Improved security

SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.

Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.

Improved quality and management

Upgrade to supported paths: The Upgrade on activation feature only upgrades the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the Upgrade on activation feature will detect the newer version and complete the upgrade to the designated release.

By the command dsa_control --AmTopNScan
By the diagnostic service

Improved process exceptions: The process exception experience has been improved in the following ways:

Information about why process exclusion items are not functioning correctly is now provided, so you can troubleshoot the issue and know which actions to take to resolve it.
The process exception configuration workflow has been improved to make it more robust.

Enhancements

Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
Increased the scan engine's URI path length limitation.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
Streamlined event management for improved agent performance.
Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.

Resolved issues

After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
The displayed packet header data contained redundant payload data. DS-45792
Memory leaked during SSL decryption because of a flaw in the SSL processing. SEG-68263/DS-44360
On specific Deep Security Agent servers the CPU usage spiked to 100% and pattern merges failed during the active update process. SEG-66210/02711299/DS-46429
When a security update was triggered before Anti-Malware was ready, the security updates failed. DS-36952
When real-time Integrity Monitoring was enabled with the rule "1002875: Unix Add/Remove Software" applied, the RPM database potentially locked. SEG-67275/SF02663756/DS-48524
Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. SEG-71825/SF03021819/DS-48916
Incorrect linking of certain libraries could lead to Deep Security Agent instability. SEG-72958/03071960/DS-49324
Anti-Malware directory exclusion with wildcard didn't match subdirectories correctly. SF03131855/SEG-74892/DS-50245
High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. SF02179544/SEG-55745/DS-41142
Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. SF01780211/SEG-46616/DSSEG-3607
Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. SF01804378/SEG-47425/DS-33690
Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. SF02187371/SEG-56645/DS-39398
The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. SF01526046/SF02159742/SEG-55453/DS-38812
The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. SEG-50728/DS-35446
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DS-34022
The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. SF1939658/SEG-49191/DS-34222
When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. SF01415702/SEG-42919/DS-33008
For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. SEG-39711/DS-32799
Integrity Monitoring events showed an incorrect file path with Unicode encoding. SEG-45239/DS-33911
The interface isolation feature was still on when Firewall was turned off. SEG-32926/DS-27099
After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search X-Forwarded-For header after the header is parsed. SEG-60728/DS-42332
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SEG-48728/SF01919585/DS-34022
On Solaris servers with clusters, the Deep Security Intrusion Prevention module would come under heavy load while inspecting the clusters' private traffic. The extra load caused latency issues, node evictions, and loss of synchronization events.

You can now configure the Packet Processing Engine on the agent to bypass traffic inspection on a specified interface. Where a specific interface on a computer is dedicated to cluster private traffic, this configuration can be used to bypass inspection of packets sent to and received from this interface. This results in faster packet processing on the bypassed interface and other interfaces.

Use of this configuration to bypass traffic inspection is a security risk. It is up to you to determine if the benefit of reduced latency outweighs the risk involved. It is also up to you to determine whether only the nodes in the cluster have access to the subnet whose interface is being bypassed.

To implement the bypass, do the following:

Upgrade the Deep Security Agent to the latest build containing this fix.
Create a file under /etc directory named "ds_filter.conf".
Open the /etc/ds_filter.conf file.
Add the MAC addresses of all NIC cards used for cluster communication, as follows:

MAC_EXCLUSIVE_LIST=XX:XX:XX:XX:XX,XX:XX:XX:XX:XX

Save.
Wait 60 seconds for your changes to take effect.

In the /etc/ds_filter.conf file:

The MAC_EXCLUSIVE_LIST line must be the first line in the file.
All letters in the MAC address must be uppercase.
Leading zeros in each byte must be included.

Valid MAC_EXCLUSIVE_LIST:

MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E

MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E,6A:23:F0:0F:AB:34

Invalid MAC_EXCLUSIVE_LIST:

MAC_EXCLUSIVE_LIST=B:3A;12:F8:32:5E

MAC_EXCLUSIVE_LIST=0b:3a;12:F8:32:5e,6a:23:F0:0F:ab:34

MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E

If the MAC address is not valid, the interface is not bypassed. If the exact string "MAC_EXCLUSIVE_LIST=" is not present at the beginning of the line, no interfaces are bypassed. DSSEG-4055

Security updates

Highest Common Vulnerability Scoring System (CVSS) score: 7.8

Highest severity: High

Updated NGINX to 1.16.1. DSSEG-4600
Updated to curl 7.67.0.
Updated to openssl-1.0.2t.
Updated JRE to the latest Java Update (8.0.241/8.43.0.6).

macOS (supported for Cloud One Workload Security only)