What's new in Deep Security Agent?

Linux

Deep Security Agent - 20.0.0-6658 (20 LTS Update 2023-03-22)

Release date: March 22, 2023

Build number: 20.0.0-6658

New features

Oracle Linux 9 support: Deep Security Agent (version 20.0.0-6658+) now supports Oracle Linux 9, including FIPS mode and Secure Boot support. (This requires Deep Security Manager version 20.0.737+).

Service Gateway: Deep Security Agent (version 20.0.0-6658+) now supports the Service Gateway feature, providing forward proxy functionality. (This requires Deep Security Manager version 20.0.741+.)

Enhancements

When an Application Control Trust Entities path rule uses a wildcard without specifying a filename, the wildcard will now apply to all files in any directory matching the rule's path. (Previously, the globstar (**) wildcard would apply to a path rule's directory and subdirectories, as opposed to the single star (*) wildcard which would only match within the path rule's directory.) DS-75133
Intrusion Prevention's Web Reputation Service now includes OS platform metadata. DS-75453
Anti-Malware events generated by the SAP Scanner now include file hashes. DS-75648/SEG-165491
Application Control now checks web browser execution of .HTML, .HTM, and .JS files. DS-75102
Deep Security Agent now sends full command lines for processes to Deep Security Manager, improving the Recommendation Scan's rule recommendations. (Previously, the agent only sent the first 2048 characters of each process's command line.) C1WS-11728
Deep Security Agent (version 20.0.0-6658+) now supports Secure Boot for Ubuntu 22. (This requires Deep Security Manager version 20.0.737+.) DS-73729
Deep Security Agent (version 20.0.0-6658+) now supports the Proxy Manager for Trend Micro Vision One (XDR) Threat Intelligence - User Defined Suspicious Object (UDSO). DS-75365
Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (dsa-connect-X.log) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598

The logger supports an on-demand JSON config file (either dsa-connect.ini or dsa-connect.conf) with the following configurable options:
- Debug: Enable the debug log messages (Default: false)
- Count: Number of log files to generate (Default: 5)
- Size: Maximum size of each log file in bytes (Default: 2097152)
```
Example config file:
                        {
                            "Debug": true,
                            "Count": 5,
                            "Size": 2097152
                        }
```

Resolved issues

When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
The Deep Security Agent kernel support package download was sometimes interrupted, generating "Agent Integrity Check Failed" warnings and "Kernel Unsupported" errors. SEG-169497/DS-76545
Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
Anti-Malware Behavior Monitoring had a driver issue causing kernel warnings on some systems. SF06254724/SEG-163042/ORCA-762
When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
Deep Security Agent was generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
Deep Security Agent was unable to connect to the Anti-Malware Smart Scan service on some systems. SEG-168468/DS-76433
Deep Security Agent caused performance issues on systems generating a large number of container environment Application Control events. SF06538377/SEG-169605/DS-76594

Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)

Release date: January 31, 2023

Build number: 20.0.0-6313

New feature

Agent self-protection: This feature helps prevent users on the local system from tampering with the agent. For more information, and help configuring agent self-protection, see Enable or disable agent self-protection in Linux.

Rocky Linux 9 support: Deep Security Agent (version 20.0.0-6313+) now supports Rocky Linux 9, including FIPS mode and Secure Boot support (This requires Deep Security Manager version 20.0.716+). DS-73727

Enhancements

Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676

To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
If one of more agents were updated to version 20.0.0-6313 or newer before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent (DSA) offline when OpenSSL 3 rejects certificate with SHA-1 algorithm.
With Anti-Malware and Behavior Monitoring enabled, Deep Security Agent now monitors for suspicious behavior to improve protection against MITRE attack scenarios. This functionality requires Deep Security Manager version 20.0.716+. DS-73644
Deep Security Agent (version 20.0.0-6313+) now supports FIPS mode for Oracle Linux 8. (This requires Deep Security Manager version 20.0.711+). DS-73778

Resolved issues

When Application Control was enabled, Deep Security Agent's status sometimes became stuck at "Application Control Ruleset Update In Progress". DS-74627
For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent will only show the final successful event. SF06207160/SEG-160085/DSSEG-7765
Deep Security Agent crashes and issues connecting with Deep Security Manager caused Anti-Malware Offline events. SF06061098/SEG-154701/DS-74665
With Web Reputation Enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (_) entered in a command was replaced with a dash (-), and an uppercase Z was replaced with a lowercase z. DS-74335
With Activity Monitoring enabled, a connectivity issue caused Deep Security agents to appear offline for some Trend Micro Cloud One - Workload Security customers. The agent introducing this issue is no longer available. For more details, please see Removal of Deep Security Agent 20.0.0-5953 for Linux. SEG-161456
With Activity Monitoring enabled, the internal MQTT channel sometimes became inaccessible. This caused high CPU usage and Deep Security Agent errors (MQTT offline, hub is busy, cannot connect to dsa-connect) as well as Trend Micro Vision One connectivity loss and the inability to send telemetry. SEG-160263/SEG-161138/SEG-160116/SEG-159318/DS-74638/DS-75367/DS-75193
Application Control sometimes failed to block programs running in namespace mode. SF05929869/SEG-151363/DS-74116
Integrity Monitoring sometimes failed to create events after running certain console commands (for example, passwd or mv commands). 05718251/SEG-148552/DS-72643
Older Application Control events were not being removed from the database as intended, causing the events.db file size to increase indefinitely. SF06172729/SEG-159548/DS-74706
When Integrity Monitoring event generation is interrupted by a process or system crash, it could lead to incorrect events being created. SF05508030/SEG-138756/DS-72470

Known issues

Deep Security Agent is having connectivity issues on some systems, resulting in "Event ID 9012, Smart Protection Server Disconnected for Smart Scan" error messages. For more details including temporary workaround instructions, see https://success.trendmicro.com/dcx/s/solution/000292267. SF06512673/SEG-168468

Deep Security Agent - 20.0.0-5953 (20 LTS Update 2022-11-22)

Release date: November 22, 2022

Build number: 20.0.0-5953

New feature

Enhancements

Deep Security Agent (version 20.0.0-5953+) now supports FIPS mode for Oracle Linux 8. (This requires Deep Security Manager version 20.0.711+).

Resolved issues

With Activity Monitoring enabled, the internal MQTT channel sometimes became inaccessible. This caused Deep Security Agent errors (MQTT offline, hub is busy, cannot connect to dsa-connect) as well as Trend Micro Vision One connectivity loss and the inability to send telemetry. SEG-160263/SEG-161138/SEG-160116/SEG-159318/DS-74638
Application Control sometimes failed to block programs running in namespace mode. SF05929869/SEG-151363/DS-74116
Integrity Monitoring sometimes failed to create events after running certain console commands (for example, passwd or mv commands). 05718251/SEG-148552/DS-72643
Older Application Control events were not being removed from the database as intended, causing the events.db file size to increase indefinitely. SF06172729/SEG-159548/DS-74706
When Integrity Monitoring event generation is interrupted by a process or system crash, it could lead to incorrect events being created. SF05508030/SEG-138756/DS-72470

Known issues

With Activity Monitoring enabled, a connectivity issue causes Deep Security agents to appear offline for some Trend Micro Cloud One - Workload Security customers. This issue can be mitigated by restarting the dsa-connect or ds_agent services. For more details, please see Removal of Deep Security Agent 20.0.0-5953 for Linux. SEG-161456

Deep Security Agent - 20.0.0-5761 (20 LTS Update 2022-10-21)

Release date: October 21, 2022

Build number: 20.0.0-5761

New feature

Enhanced platform support

SAP Scanner support for Oracle Linux 7: Deep Security Agent for Oracle Linux 7 now supports SAP Scanner. VO-1849

Enhancements

Updated Deep Security Agent to include additional metadata (like UserAgent and Referrer) for Web Reputation Services. DS-72196
Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085
Deep Security Agent now can be deployed without additional dependency on System V packages. DS-73588

Resolved issues

With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483
With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
If the Deep Security Agent service stopped while running Application Control in Maintenance Mode, executable files created after the service stopped were not being auto-approved as intended. SF05961688/SEG-152045/DS-73570
With Advanced TLS traffic inspection enabled, Deep Security Agent had a memory issue that prevented some applications from running. SEG-150631/DS-74039
Software, if renamed or copied while Application Control had Maintenance Mode enabled, would remain authorized in the software inventory under its original filename or location. DS-74015
Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807
The TLS inspection support package failed to download on Deep Security Agents using Edge Relay. DS-73789
On RedHat Enterprise Linux computers, Anti-Malware being enabled would sometimes cause a system crash. SEG-155143/DS-74008

Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)

Release date: September 22, 2022

Build number: 20.0.0-5512

Enhancements

Updated Deep Security Agent kernel device module files to comply with Security-Enhanced Linux (SELinux) requirements. DSSEG-7378
Deep Security Agent now reports host information with additional details. DS-72609
Deep Security Agent now reports host metadata for installed software with additional details. DS-72608
Updated Deep Security Agent to add multi-thread support for On-Demand scan and Scheduled Scan. DS-72797/DS-72798
Deep Security Agent now supports the automatic update of Advanced TLS Traffic Inspection as operating system libraries change (Computer or Policy > Settings > TLS Inspection Package Update). This requires Deep Security Manager version 20.0.677+. DS-72828

Resolved issues

Trust Entities settings were not being re-applied after turning Application Control off and back on again. SF05930535/SEG-152439/DS-73312
When installed on a system that uses secure boot without importing the required sign key, Deep Security Agent generated an Anti-Malware Engine error code with "Reason ID: 13" when it should have generated the code with "Reason ID: 11". For details on Reason IDs, see Warning: Anti-Malware Engine has only Basic Functions. DS-72891
Deep Security Agent reported host metadata in an unexpected format. DS-73411

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8100/VRTS-8101/DS-73087/DS-72528

Highest CVSS score: 7.0

Highest severity: High

Known issues

With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483

Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)

Release date: August 29, 2022

Build number: 20.0.0-5394

New features

Ubuntu 22.04 (AWS ARM-based Graviton 2) support: Deep Security Agent (version 20.0.0-5394+) is now supported on Ubuntu 22.04 (AWS ARM-based Graviton 2) (This requires Deep Security Manager version 20.0.677+.)

Enhancements

The Deep Security Agent process will now restart automatically if the file descriptor count is abnormally high, and a counter was added to track how many times this event occurs. SF05212995/SEG-130431/DS-72616
Application Control now detects software changes for executables with non executable extensions. DS-70805
Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833

Resolved issues

When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
Anti-Malware would sometimes leak file descriptors. SF05212995/SEG-130431/DS-72979
When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
Patched third-party libraries. Before patch, the Deep Security Virtual Appliance agent would sometimes crash. SF05559993/SEG-140234/DS-72510

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699

Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)

Release date: July 26, 2022

Build number: 20.0.0-5137

New features

Advanced TLS Traffic Inspection: Deep Security Agent (version 20.0.0-5137+) adds Advanced TLS Traffic Inspection support to platforms that run system updates or package updates. Please note that this feature is currently only supported for Trend Micro – Cloud One Workload Security. Support for Deep Security Manager (On-Premise) will be added later.

Red Hat 9 support: Deep Security Agent (version 20.0.0-5137+) now supports Red Hat 9. (This requires Deep Security Manager version 20.0.651+.)

Amazon Linux 2 support: Deep Security Agent (version 20.0.0-5137+) now supports Amazon Linux 2 for AWS Graviton 3. (This requires Deep Security Manager version 20.0.651+.)

Enhancements

Updated Deep Security Agent to add Anti-Malware support for Red Hat OpenShift. DS-72368
Updated Deep Security Agent to reduce CPU usage and improve container performance for real-time Anti-Malware scanning. Previously, all files were scanned during read/write. Now, Anti-Malware file scanning during write is deferred (the file is added to a queue and scanned in the background). DS-65581
Deep Security Agent Scanner (SAP) now generates infection reports with additional details. DS-71660
Updated Deep Security Agent to improve the "zero-config" SSL process for outbound connections. DS-70715
Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar \*\* which matches many sub directories. Single star \* now only matches within your current directory. Existing rules that used a single star \* to match many folders will no longer work and will need to be changed to use a globstar \*\*. DS-71817

Resolved issues

Deep Security Agent Scanner (SAP) sometimes displayed duplicate Anti-Malware events for .SAR file types. DS-71879
Deep Security Agent SAP scanner could not detect the MIME (.TTF) files. DS-55897
Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889
Deep Security Agent had connectivity issues on some systems. DS-72219

Security updates

Highest CVSS score: 4.4

Highest severity: Medium

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699

Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)

Release date: July 4, 2022

Build number: 20.0.0-4959

New features

Ubuntu 22.04: Deep Security Agent (version 20.0.0-4959+) now supports Ubuntu 22.04. (This requires Deep Security Manager version 20.0.651+.)

FIPS mode on Ubuntu 20.04: Deep Security Agent (version 20.0.0-4959+) now supports FIPS mode for Ubuntu 20.04.

Enhancements

Updated Deep Security Agent to improve Anti-Malware support on systems using Fanotify. Previously, "Anti-Malware Engine Offline" events interrupted Anti-Malware function on these systems. Now, an "Anti-Malware with basic functions" event will be recorded and users will maintain basic file scanning function, but not advanced scan mechanisms like Predictive Machine Learning. (This requires Deep Security Manager version 20.0.414 or newer.) DS-68552

Resolved issues

Deep Security Agent Scanner (SAP) had a connectivity issue preventing it from loading the correct libraries on some systems. DS-71623
Deep Security Agent Scanner library sometimes caused SAP applications to crash. DS-71849
Anti-Malware was unable to remove immutable or append-only files on some systems. VRTS-7110/DS-52383
Using the command line (dsa_control -b), Deep Security Relay failed to extract the bundle file required to update in a closed network environment. SF05715642/SEG-144571/DSSEG-7600
With Log Inspection enabled, Deep Security Agents upgraded to version 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
When Anti-Malware is enabled alongside either Integrity Monitoring or Activity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
With Anti-Malware enabled, Deep Security Agent sometimes crashed operating systems that were undergoing an ISO backup. SF05532786/SEG-139280/DS-71299
Updated Deep Security Agent to immediately report its status to Deep Security Manager when Application Control's maintenance mode is enabled on the agent. DS-71617
Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866

Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)

Release date: May 31, 2022

Build number: 20.0.0-4726

Enhancements

Updated Deep Security Relay to record its status and other metrics for potential troubleshooting. DS-65763

Resolved issues

Trust entities "allow by target" rules sometimes blocked processes they weren't intended to block. SF04922652/SEG-131710/DS-71060
Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
With Activity Monitoring enabled, Deep Security Agent had high system CPU usage when events were being generated rapidly. 05107582/SEG-128170/DS-71486
Deep Security Agent Scanner library didn't work properly with highly-interrupted SAP applications on Linux systems. This resulted in files were scanned, but results might be unable to report to the SAP applications. SF05390384/SEG-136659/DS-71251
Following an upgrade, Deep Security Agent would send continuous "Security update in progress" reports to Deep Security Manager. SF05253107/SEG-131983/DS-69747
Updated Deep Security Relay to prevent Deep Security Agent from retrieving incomplete signature files for packages. SF05332854/SEG-134394/DS-71228
Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
An abnormal restart of Deep Security Agent sometimes lead to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
Secondary DNS setting from IP pool was not configured when Appliance was deployed. SF05215036/SEG-134844/DSSEG-7535

Security updates

Highest CVSS score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)

Release date: April 28, 2022

Build number: 20.0.0-4416

Enhancements

Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515

Resolved issues

With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524

Security updates

Highest CVSS score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)

Release date: April 6, 2022

Build number: 20.0.0-4185

New features

Advanced TLS traffic inspection: Advanced TLS traffic inspection adds the capability for inspecting TLS traffic encrypted with modern ciphers, including Perfect Forward Secrecy (PFS). It also enhances virtual patching for HTTPS servers to help protect against vulnerabilities such as Log4j.

Resolved issues

Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
Deep Security Agent created an "Application Control Engine Offline" error during agent upgrade, and an "Application Control Engine Online Again" message after upgrade completion. (An upgrade should not have triggered these events.) DS-69888
Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
Deep Security Agent had SSL connectivity issues when Web Reputation Service was enabled. DS-67675
Deep Security Agent sometimes consumed a high amount of system resources during policy updates. SEG-134417/DS-69810

Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)

Release date: March 1, 2022

Build number: 20.0.0-3964

New features

Threat Intelligence: Threat Intelligence (formerly known as "Connected Threat Defense") provides enhanced malware protection for new and emerging threats. For more information, visit Detect emerging threats using Threat Intelligence.

Enhanced platform support

Deep Security Agent (version 20.0.0-3964+) is now supported on these platforms:

Red Hat 8 (AWS ARM-Based Graviton 2) (this requires Deep Security Manager version 20.0.605+)
Debian 11 (this requires Deep Security Manager version 20.0.605+)

Enhancements

Updated Deep Security Agent to exclude suspicious characters (such as $) found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989

Resolved issues

With real-time Integrity Monitoring enabled, Integrity Monitoring delete events were not being generated after editing a file and then deleting it. DS-69057
Deep Security Agent caused high CPU usage for systems protecting containers. Container protection can now be enabled or disabled in Deep Security Manager (from Computer (or Policy) > Settings > Container Protection). SEG-115751/DSSEG-7334

Deep Security Agent - 20.0.0-3770 (20 LTS Update 2022-01-24)

Release date: January 24, 2022

Build number: 20.0.0-3770

New features

Zero config IPS inspection: Deep Security Agent adds the capability for Intrusion Prevention to inspect TLS encrypted traffic without manually importing certificates. This adds support for more cipher suites as well. This feature is being rolled out gradually for Linux platforms, beginning with Trend Micro Cloud One - Workload Security customers.

CRI-O support: A Deep Security Agent's "CRI-O engine version" is now displayed in Deep Security Manager, as well as Anti-Malware event information for containers. Please note that CRI-O is currently only supported for Deep Security Manager (On-Premise). Support for Trend Micro - Cloud One Workload Security will be added later.

Enhancements

Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042
Updated Deep Security Agent to correctly display the host's IP address in the "LastIpUsed" field. Previously, the field displayed the load balancer or proxy IP in environments using one of those. SF05283977/SEG-133073

Resolved issues

A Deep Security Agent conflict with network interface controllers (NICs) caused systems with multiple NICs to crash. 05048124/SEG-126094/DS-68730
When an Integrity Monitoring scan timed out, it sometimes generated false "create" or "delete" events for "user" or "group" entities. SEG-117739/DS-66885
Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
With Activity Monitoring enabled, Deep Security Agent caused high CPU usage. DS-62849
A Deep Security Agent parsing issue was causing "Anti-Malware Engine Offline" errors. SF05171312/SEG-129367/DSSEG-7428

Security updates

Highest CVSS score: 9.1

Highest severity: High

Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)

Release date: November 24, 2021

Build number: 20.0.0-3445

Enhancements

Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
Deep Security Agent no longer uses CBC cipher suites by default in order to improve security. DS-67204
Deep Security Agent was upgraded to use locally installed kernel modules when new ones can't be fetched from the Deep Security Relay. DS-66599
Updated Deep Security Agent to support using the "process name" property in "ignore from source" rules for Application Control trust entities on Cloud One Workload Security. DS-67322
Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347

Resolved issues

Insufficient file access permission for the Deep Security Relay sometimes caused the agent installer to fail. DS-67278
Deep Security Agent sometimes showed an incorrect "No such file or directory" error message during installation. DS-67317
Deep Security Agent sometimes showed plugin installation failures during an upgrade even when the upgrade was successful. DS-67336
Deep Security Agent sometimes could not start after an upgrade. SF04943063/SEG-123155/DS-67475
Deep Security Agent sometimes changed the access time of files during the on-demand Anti-Malware scan. DS-67119
The Deep Security Agent and MQTT connection would sometimes go offline, requiring an agent restart. DS-67487
Deep Security Agent couldn't properly handle SAP NetWeaver MIME type scan requests containing leading and trailing spaces. DS-67448
With Anti-Malware real-time scan enabled, Deep Security Agent would sometimes scan unchanged files. DS-67806
Deep Security Agent sometimes caused the system to crash. SEG-123338/DS-67445

Security updates

Highest CVSS score: 9.8

Highest severity: High

Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)

Release date: October 28, 2021

Build number: 20.0.0-3288

New features

Kernel support package updates: You can now choose when to perform kernel support package updates, using the new "Automatically update kernel package when agent restarts" option in the computer or policy editor.

Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:

Agent size requirements have increased, including a slightly larger installer package on most platforms.
All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Enhanced platform support

Deep Security Agent (version 20.0.0-3288+) is now supported on these platforms:

AlmaLinux 8 (requires Deep Security Manager version 20.0.503+)
Rocky Linux 8 (requires Deep Security Manager version 20.0.543+)
Ubuntu 20.04 (AWS ARM-Based Graviton 2) (requires Deep Security Manager version 20.0.503+)
Ubuntu 18.04 (AWS ARM-Based Graviton 2) (requires Deep Security Manager version 20.0.482+)

Secure boot support: Deep Security Agent now supports Oracle Linux 7 (in both uek-R5 and uek-R6) and Oracle Linux 8 with Secure boot enabled.

Enhancements

Updated Deep Security Agent to prevent agents upgraded from version 10.0 to 20.0 from losing their "NIC bypass" configuration (used for bypassing a network interface). DS-64985
You can now exclude container file events from the kernel module. DS-65547

Resolved issues

Anti-Malware updates sometimes failed, resulting in "Security Update: Pattern Update on Agents/Appliances Failed" errors. 04763356/SEG-119138/DS-66569
The Deep Security Agent Scanner library sometimes couldn't be loaded by SAP NetWeaver. DS-67530
With Intrusion Protection enabled, Deep Security Agent caused the system to crash under some configurations. SF04931669/SEG-123338/DS-67441
With SAP integrated and running, Deep Security Agent would block MP4 files. 04660120/SEG-117094/DSSEG-7254
Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-65056

Security updates

Highest CVSS score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)

Release date: October 08, 2021

Build number: 20.0.0-3165

Deep Security Agent 20.0.0.3165 has been released to Trend Micro Cloud One - Workload Security customers. However, it will not be made available on the Deep Security Agent software download page or released to customers using Deep Security Manager.

New features

AlmaLinux 8 support: Deep Security Agent is now supported on AlmaLinux 8.
Ubuntu 18.04 (AWS ARM-Based Graviton 2) support: Deep Security Agent is now supported on Ubuntu 18.04 (AWS ARM-Based Graviton 2).
Oracle Linux 7 support: Deep Security Agent is now supported on Oracle Linux 7 with Secure Boot (in both uek-R5 and uek-R6).
Kernel support package updates: You can now choose when to perform kernel support package updates, using the new Automatically update kernel package when agent restarts option in the computer or policy editor.
Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Enhancements

Updated Deep Security Agent to prevent agents upgraded from version 10.0 to 20.0 from losing their "NIC bypass" configuration (used for bypassing a network interface). DS-64985
You can now exclude container file events from the kernel module. DS-65547

Resolved issues

Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929

Security updates

Highest CVSS score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-2971 (20 LTS Update 2021-09-08)

Release date: September 08, 2021

Build number: 20.0.0-2971

New features

FIPS mode on Red Hat Enterprise Linux 8: Deep Security Agent (version 20.0.0-2971+) now supports FIPS mode for Red Hat Enterprise Linux 8.

FIPS mode on Amazon Linux 2: Deep Security Agent (version 20.0.0-2971+) now supports FIPS mode for Amazon Linux 2.

Enhancements

Updated Deep Security Agent to improve performance and compatibility by using a unified driver for file, process, and network events. DS-61784
Updated Deep Security Agent to improve TLS traffic inspection. This feature is being rolled out gradually, beginning with Trend Micro Cloud One - Workload Security customers. DS-15576
Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547

Resolved issues

Deep Security Agent sometimes caused performance issues on systems with folders in NFS format. SF04816680/SEG-118993/DS-66280
With Integrity Monitoring enabled, Deep Security Agent sometimes caused high CPU usage. DS-65986
Deep Security Agent (Linux version 20.0.0-2740) was causing performance and third-party compatibility issues on some systems. This agent was removed from the Trend Micro Download Center. For more information see Removal of Deep Security Agent (DSA) Build 20.0.0-2740 for Linux from Download Center.
Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
Deep Security Agent sometimes failed to properly display items under Events & Reports. DSSEG-7057
Deep Security Agent was sometimes unable to create or manage tasks on RPM-based platforms due to a SystemD (Linux service manager) process limitation. SF04543580/SEG-113833/DS-65550
Deep Security Agent Anti-Malware Real-Time Scan exclusions sometimes failed within container environments. DS-65528
Deep Security Agent Anti-Malware Real-Time Scan directory exclusions sometimes failed if filenames were not in UTF-8 format. SEG-115198/DS-65495
With Anti-Malware enabled, Deep Security Agent encountered an "Insufficient Disk Space" alert which sometimes crashed the agent or stopped other programs from working properly. SF04584157/SEG-113377/DS-64405
Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
Deep Security Agent upgrade (Administration > Updates > Software) sometimes failed if a previous (RPM package) upgrade was triggered using console commands. SF04586071/SEG-113583/DS-64978
With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
With Integrity Monitoring enabled, Deep Security Manager caused high CPU usage on the authentication server for some systems. 04488319/SEG-110088/DS-63855
With Integrity Monitoring real-time scan enabled, Deep Security Agent sometimes prevented files on network drives from being deleted. SEG-108636/C1WS-1787

Security updates

Highest CVSS score: 9.8

Highest severity: High

Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)

Release date: July 01, 2021

Build number: 20.0.0-2593

New feature

FIPS mode on Ubuntu 18.04: Deep Security Agent (version 20.0.0-2593+) now supports FIPS mode for Ubuntu 18.04.

Resolved issues

Integrity Monitoring alerts sometimes triggered but did not appear in the Events & Reports tab. 04266346/SEG-103731/DS-62992
Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
The MQTT connection sometimes went offline when Deep Security Agent had Activity Monitoring enabled. SF04216172/SEG-101691/DS-63458
Application Control was detecting multiple "Application Control Software Changes Detected" events due to '.tmp" files being generated by PowerShell. C1WS-1608

Security updates

Highest CVSS score: 4.4

Highest severity: Medium

Deep Security Agent - 20.0.0-2395 (20 LTS Update 2021-05-24)

Release date: May 24, 2021

Build number: 20.0.0-2395

New features

Enhanced platform support

Application Control and Integrity Monitoring for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Application Control and Integrity Monitoring for Amazon Linux 2 on AWS Graviton 2. DS-62775
Activity Monitoring for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Activity Monitoring for Amazon Linux 2 on AWS Graviton 2.

Enhancements

Updated Deep Security Agent (version 20.0.0-2395+) to add support for Entrust Root Certificate Authority (G2) certificates. Non-G2 security certificates will expire on 2022/07/09. After that time, only agents that have been upgraded to version 20.0.0-2395 or higher will have the latest Anti-Malware Smart Scan protection. DS-63010
Updated Deep Security Agent to add Predictive Machine Learning support for Malware Scan on Linux platforms. DS-62857
Updated Deep Security Agent's Anti-Malware default configuration to monitor file access from the local host only, improving compatibility for some file systems. DS-62222

Resolved issues

Anti-Malware Real-Time Scan sometimes didn't detect files properly with the "During read" setting selected (Computers > Details > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration > Edit > Advanced > Real-Time Scan). SEG-104496/DS-61836
Deep Security Agent was unable to install in some environments because it misidentified the OS. DSSEG-2915/DS-28321
Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-62154
Anti-Malware Real-Time Scan sometimes caused high CPU usage. 04331007/SEG-107814/DS-62593
Insufficient host information caused by connectivity issues sometimes resulted in offline or duplicate listings in the Computers tab for Deep Security Agents on AWS workspaces. SF04198134/SEG-102818/DS-61666
Anti-Malware Real-Time Scan caused unintentional file changes under some configurations. DS-62412
Deep Security Agent sometimes couldn't successfully perform an upgrade because of a missing package. SF04302125/SEG-104084/DS-62692
Anti-Malware kernel modules sometimes didn't bypass file activity on remote shared storages when Network Directory Scan was disabled. DS-62985

Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)

Release date: April 12, 2021

Build number: 20.0.0-2204

New feature

Enhanced platform support

Anti-Malware and Log Inspection support for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Anti-Malware and Log Inspection for Amazon Linux 2 on AWS Graviton 2. Agent version 20.0.0-2204+ supports the Anti-Malware, Firewall, Intrusion Prevention, Log Inspection, and Web Reputation protection modules. Please note that Advanced Threat Scan Engine update is not currently supported for Amazon Linux 2 on AWS Graviton 2, but will be added in a future release.

Resolved issues

With Anti-Malware enabled, Deep Security Agent sometimes caused "defunct processes" (processes that remain in the system process table after they've completed execution). SEG-104452/DS-61593
When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
When Integrity Monitoring real-time scan was enabled, sometimes directories on NFS volumes couldn't be removed. SF03977538/SEG-98656/DS-61062
When Intrusion Prevention was enabled, the system would crash under some configurations. SF04286712/SEG-103971/DS-61274
A proxy server issue sometimes caused connectivity issues with Deep Security Agents after registering with Trend Micro Vision One (XDR). SF04318864/SEG-104847/DS-61516

Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)

Release date: March 08, 2021

Build number: 20.0.0-2009

Enhancements

Updated Deep Security Agent to include CPU information (number of logical cores) to improve diagnostics and performance tracking. DS-60011

Resolved issues

The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
When Firewall, Intrusion Prevention, and Web Reputation were enabled, the system sometimes crashed. SF03992370/SEG-100828/DS-60589
After restarting Deep Security Virtual Appliance, protected VMs sometimes became inaccessible. SEG-94723/SF03949466/DS-58962

Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)

Release date: February 08, 2021

Build number: 20.0.0-1876

Resolved issues

The Deep Security Agent was sometimes unable to establish an SSL connection to the web server. DS-59893
Activity Monitoring data could not be transferred to XDR because a proxy connection was established without a relevant port. SEG-97519

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021

Build number: 20.0.0-1822

New features

Enhanced platform support

Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Amazon Linux 2 on AWS Graviton 2. The agent currently supports the Firewall, Intrusion Prevention, and Web Reputation protection modules. Other protection modules are coming soon.

Behavior Monitoring for Linux: This release adds support for Behavior Monitoring on the Linux platform.

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021

Build number: 20.0.0-1681

Resolved issues

A driver conflict was causing the Deep Security Agent to hang and require a reboot. SEG-94278/SF03941184/DS-59020
If an error related to Secure Boot occurs, the user will no longer be blocked from installing the plugins and receive a "Secure Boot" error message on Deep Security Manager. Instead, an "engine is offline" error message will be displayed. Users can check "Secure Boot" entries in ds_agent.log for error details. DS-58374
In the SecureBoot environment, the SUSE15 SP2 kernel module load failed with kernel version 5.3.18-24.37-default or later. SEG-93737/DS-58373
Anti-Malware would sometimes restart before fully loading a new driver, causing the AM engine to be offline. DS-58475

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020

Build number: 20.0.0-1559

New features

TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This will resolve issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.

Enhancements

Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
Enhanced memory usage to improve performance. DS-53012
Anti-Malware on-demand scans did not function as expected. DS-58346

Resolved issues

Deep Security Agent didn't detect Secure Boot state correctly. SEG-89042/03730368 /DS-57014
The error "scheduling while atomic" occurred because the dsa_filter caused kernel panic. DS-56514
Anti-Malware events didn't include file hashes in certain scenarios. SEG-91779/SF03818756/DS-57453
The Anti-Malware driver showed warning messages during the initialization. SEG-92204/03784490/DS-57605
After upgrading to Deep Security Agent 20.0.0-1194, the "Intrusion Prevention Rules Failed to Compile" and "Security Update Failed" errors sometimes incorrectly occurred. SEG-90503/03789013/DS-56904
When Anti-Malware real-time scans were enabled, Rancher Kubernetes pods sometimes couldn't be terminated gracefully. SEG-87824/SF03695639/DS-58220
When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Notice

In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:

[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate

The most likely root cause is that agent cannot validate the certificate being presented to it by the manager. Pinning a trusted certificate is optional, so you can ignore this error if it doesn't apply to you. However, if you'd like to use a trusted certificate, follow the steps in Import a Deep Security Manager certificate chain issued by a public CA before activating the Deep Security Agent.

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020

Build number: 20.0.0-1337

Resolved issues

When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because of a compatibility issue with third-party security software. SF03700563/SEG-88135/DS-54799
Secure boot appeared active when it was not. SEG-85550/DS-55052

Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)

Release date: October 21, 2020

Build number: 20.0.0-1304

Enhancements

Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

For agentless protected VMs, the settings under Policies > Intrusion Prevention > General > Recommendation were greyed out. DS-56665
When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
Real-time Anti-Malware with filesystem hooking enabled did not work on older kernel versions. SEG-82411/DS-54271
Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
The dsa_query command didn't display Anti-Malware patterns correctly. DS-55389
The Anti-Malware driver did not check compatibility before loading into the kernel. SEG-88135

Action required: Customers participating in the Trend Micro XDR Activity Monitoring preview for Workload Security

This Deep Security Agent release includes required updates for the Trend Micro XDR Activity Monitoring preview. If you are currently participating in the preview, you must upgrade to Deep Security Agent 20.0.0-1304 (or a newer version) by November 16, 2020. If you do not upgrade to Deep Security Agent 20.0.0-1304 (or a newer version), Activity Monitoring data will stop being collected on November 16, 2020. For more information about XDR and Activity Monitoring, see Integrate Workload Security with XDR.

Deep Security Agent 20.0.0-1304 (and newer versions) uses a new network connection to send Activity Monitoring data to Trend Micro. The connection details can be found in Enable Activity Monitoring. Ensure that agent traffic to this destination is allowed so Activity Monitoring data can be sent to Trend Micro.

Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)

Release date: October 5, 2020

Build number: 20.0.0-1194

New features

Improved performance for real-time Anti-Malware scanning on Linux: Real-time Anti-Malware scans have been improved for Deep Security Agent on Linux, resulting in increased response time, faster processing, and reduced CPU usage. Previously, all files were scanned during read/write. Now, Anti-Malware scanning is more efficient and file scanning during write is deferred (the file is added to a queue and scanned in the background).

Differentiated platforms: Deep Security Manager can now distinguish between Red Hat and CentOS platforms and operations. DS-52682

Continued network scans: After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's network scans will now continue where they left off, without delay. This feature only applies if you are using NSX-T Data Center and guest machines are using a policy without network feature overrides. DS-50482

Enhancements

Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061
Ceph is now excluded from file system kernel hooking to prevent kernel panic. SEG-75664/SF03131718/DS-50298
Recommendation Scans and Integrity Monitoring are now enabled for NSX-T environments. DS-50478
Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800

Resolved issues

Secure boot appeared active when it was not. DS-55052
Deep Security Agent could not install any plugins with UEFI Secure Boot enabled. DS-54041
After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
The Anti-Malware engine on Deep Security Virtual Appliance went offline when the signer field in the Census server reply was empty. DS-49807
Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
Deep Security Agent on Linux would sometimes crash. SEG-76460/SF03218198/DS-50852
Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
The Deep Security Virtual appliance did not detect the Eicar test file. SEG-71955/SF02955546/DS-49387
Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocking in lock down mode. DS-50696
The Anti-Malware driver caused a system hang on Linux platforms where autofs was used. DS-51926
When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
There was an upgrade issue with Deep Security Agent which would sometimes prevent the agent from going online if Integrity Monitoring or Log Inspection were enabled. DS-50672
Kernel Panic occurred when Web Reputation, Firewall, or Intrusion Prevention were enabled. SEG-80201/DSSEG-5846/DS-52975
When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. SEG-73893/DSSEG-5866/DS-53144
When Deep Security real-time Anti-Malware was enabled on a Linux system, it caused a high amount of CPU usage. SEG-75739/DS-52976

Security updates

Highest CVSS score: 4.4

Highest severity: Medium

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020

Build number: 20.0.0.877

New features

Enhanced platform support

Ubuntu 20.04 (64-bit)
Cloud Linux 8 (64-bit)
Debian Linux 10 (64-bit)
Oracle Linux 8 (64-bit)
SUSE Linux Enterprise Server 15 (64-bit)
Red Hat Enterprise Linux 8 (64-bit)
CentOS 8 (64-bit)

SystemD support: SystemD is a Linux service manager that allows services to declare dependencies, which can enforce load and unload sequences of kernel modules and other services. See Systemd support for information about which platforms are supported. (DS-37395)

Secure Boot support: Deep Security Agent supports additional Linux operating systems with Secure Boot enabled. For details, see Secure Boot support.

Improved security

Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.

Protect VMs in NSX-T environments: We have integrated the latest VMware Service Insertion and Guest Introspection technologies which enables you to protect your guest VMs using Intrusion Prevention, Web Reputation, Firewall, Integrity Monitoring and recommendation scans on NSX-T hosts with agentless protection.

Seamless network protection: Deep Security Manager now sends guest VMs' network configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the network features during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments where the guest machine is using an assigned policy without network features overrides.

SELinux Support: Security-Enhanced Linux (SELinux) enforcing mode is supported on Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. Deep Security Agent is compatible with the default SELinux policies. Anti-Malware software such as ds_agent is required to run in an unconfined domain in order to protect the system. Any additional SELinux policy customization or configuration might be block blocked or fail because of ds_agent.

SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.

Continuous Anti-Malware protection: Deep Security Manager now sends guest VMs' Anti-Malware real-time configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the Anti-Malware real-time feature during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments.

Improved management and quality

Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.

NSX-T Network Throughput improvement: By introducing the Data Plane Development Kit (DPDK), we've made the network throughput three times faster when compared with prior technology.

Upgrade to supported paths: The "upgrade on activation" feature will only upgrade the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the "upgrade on activation" feature will detect the newer version and complete the upgrade to the designated release.

Protection for AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, we will now create the computer outside of the account and allow the agent to activate.

Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported in this release. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?

Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been cancelled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.

Improved process exceptions: The process exception experience has been improved in the following ways:

We've provided information about why process exclusion items are not functioning correctly so you can troubleshoot the issue and know which actions to take to resolve it.
We've improved the process exception configuration workflow to make it more robust.

Enhancements

Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
Improved the Deep Security Agent activation experience in the following ways:

Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.

After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's Anti-Malware real-time scans will now continue where they left off, without delay. This feature only applies to NSX-T environments.
Increased the scan engine's URI path length limitation.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
Enhanced Linux real-time Anti-Malware performance when executing a Docker pull command.
Improved the time it takes to auto-activate guest VMs protected by the Deep Security Virtual Appliance in an NSX-T environment. This feature requires Deep Security Manager FR 2019-12-12 or newer releases.
Streamlined event management for improved agent performance.
Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
Enhanced the Malware Scan Failure event description to indicate the possible reason.
Enhanced the Anti-Malware kernel level exclusion on Linux. File events coming from remote file systems won't be handled by Deep Security Agent anymore when Network Directory Scan is disabled.
Added the ability to retrieve process and container information for Intrusion Prevention events, including process name, container ID, container name, image name, image digest and pod ID.

Resolved issues

When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
When Deep Security real-time Anti-Malware was enabled in Linux, it caused a high amount of CPU system usage. SEG-75739/SF03036857/DS-52976
Ceph caused kernel panic. SEG-75664/SF03131718/DS-50298
Deep Security Agent sometimes crashed. SEG-76460/SF03218198/DS-50852
Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
The Deep Security Virtual Appliance did not detect an Eicar file. SEG-71955/SF02955546/DS-49387
Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocked in lock down mode. SEG-73174/DS-50696
Deep Security Virtual Appliance sometimes went offline. (SEG-53294/DS-46728)
The interface isolation feature was still on when Firewall was turned off. (SEG-32926/DS-27099)
In a Red Hat Enterprise Linux 5 or 6 or a CentOS 5 or 6 environment, Integrity Monitoring events related to the following rule were displayed even if users or groups were not created or deleted: 1008720 - Users and Groups - Create and Delete Activity. (SEG-22509/DS-25250)
Integrity Monitoring events showed an incorrect file path with Unicode encoding. (SEG-45239/DS-33911)
Anti-Malware events displayed a blank file path with invalid Unicode encoding. (SEG-46912/DS-34011)
Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash. (SF01423970/SEG-43481/DS-34436)
Kernel panic occurred when dsa_filter.ko was obtaining network device's information. (SEG-50480/DS-35192)
An SAP system with Java running in a Linux environment failed to start when Deep Security Scanner returned an error code without an error message. (SF01339187/SEG-38497/SEG-33163/DS-31330)
Kernel panic occurred because of redirfs. (SF01137463/SEG-34751/DS-32182)
Deep Security Anti-Malware caused the 'fusermount' process to fail when mounting the filesystem. (SF01531697/SEG-43146/DS-32753)
Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. (SEG-39711/DS-32799)
For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
Deep Security Agent GSCH driver had an issue with another third-party file system. (SF01248702/SEG-44565/DS-33155)
The "Environment Variable Overrides" for Deep Security Anti-Malware did not work in Linux. (SEG-43362/DS-31328)
Deep Security Agent process potentially crashed when the detailed logging of SSL message was enabled and outputted. (SF01745654/SEG-45832/DS-33007)
When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. (SF01415702/SEG-42919/DS-33008)
The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. (SF1939658/SEG-49191/DS-34222)
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DS-34022)
The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. (SEG-50728/DS-35446)
Deep Security Agent failed to install on Ubuntu 18.04. (SF01593513/SEG-43300/DS-37359)
The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. (SF01526046/SF02159742/SEG-55453/DS-38812)
Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. (SF02187371/SEG-56645/DS-39398)
The agent operating system would sometimes crash when Firewall interface ignores were set. (SF01775560/SEG-49866/DS-39339)
Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. (SF01804378/SEG-47425/DS-33690)
Too many file open events were being processed in user mode, resulting in high cpu usage. (SF02179544/SEG-55745/DS-39638)
The "mq_getattr: Bad file descriptor" error occurred while accessing the message queue when Deep Security real-time Anti-Malware was enabled. (SF02042265/SEG-52088/DS-39890)
Linux kernel logs were flooded by Deep Security Anti-Malware driver. (SF02299406/SEG-57561/DS-41589)
Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. (SF01780211/SEG-46616/DSSEG-3607)
High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. (SF02179544/SEG-55745/DS-41142)
Deep Security Agent real-time Anti-Malware scans didn't work with Debian 10 64-bit.
When a guest VM was migrated between ESXi hosts frequently (using vMotion), sometimes the VM couldn't save the state file. This caused the guest to lose the protection of the Deep Security Virtual Appliance for several minutes after migration, until the VM was reactivated by Deep Security Manager automatically under the new ESXi server. (DSSEG-4341/DS-38221)
When uninstalling Deep Security Agent in Linux, the uninstall log included a typo. (DSSEG-4139/DS-34504)
Deep Security Anti-Malware detected sample malware files but did not automatically delete them. (SF02230778/SEG-55891/DS-40687)
When the Deep Security Agent connected through a proxy to the Deep Security Manager on Deep Security as a Service, Identified Files could not be deleted. (SF01979829/SEG-51013/DS-37252)
After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search X-Forwarded-For header after the header is parsed. (SEG-60728/DSSEG-5094)
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DSSEG-4995)

Security updates

Highest CVSS Score: 7.8

Highest Severity: High

Updated NGINX to 1.16.1 (DSSEG-4600)
Updated to curl 7.67.0.
Updated to openssl-1.0.2t.
Updated JRE to the latest Java Update (8.0.241/8.43.0.6).

Kernel support

To see which Linux kernels are currently supported, see Deep Security Agent Linux kernel support.

If you'd like to view the Linux kernel release history, see the Readme for Trend Micro (TM) Deep Security Agent 20.0 for Linux.

Known issues

Autofs is currently not supported for use when real-time Anti-Malware is enabled. If autofs is used with real-time Anti-Malware enabled, some mountpoints will not be unmounted successfully. (SEG-58841)

Windows

Deep Security Agent - 20.0.0-6690 (20 LTS Update 2023-03-29)

Release date: March 29, 2023

Build number: 20.0.0-6690

New features

Service Gateway: Deep Security Agent (version 20.0.0-6690+) now supports the Service Gateway feature, providing forward proxy functionality. (This requires Deep Security Manager version 20.0.741+.)

Enhancements

Deep Security Agent installation now performs a pre-check to verify if its operating system meets Azure Code Signing (ACS) requirements. For more information, see Trend Micro Server and Endpoint Protection Agent Minimum Windows Version Requirements. DS-75552
Application Control now checks the execution of Microsoft Windows Control Panel Applet (.CPL) files. DS-74587
Application Control now checks the execution of Microsoft Compiled HTML help (.CHM) files. DS-74828
When an Application Control Trust Entities path rule uses a wildcard without specifying a filename, the wildcard will now apply to all files in any directory matching the rule's path. (Previously, the globstar (**) wildcard would apply to a path rule's directory and subdirectories, as opposed to the single star (*) wildcard which would only match within the path rule's directory.) DS-75133
Web Reputation Service now includes OS platform metadata. DS-75453
Deep Security Agent (version 20.0.0-6690+) now supports the Proxy Manager for Trend Micro Vision One (XDR) Threat Intelligence - User Defined Suspicious Object (UDSO). DS-75365
Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (dsa-connect-X.log) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598

The logger supports an on-demand JSON config file (either dsa-connect.ini or dsa-connect.conf) with the following configurable options:
- Debug: Enable the debug log messages (Default: false)
- Count: Number of log files to generate (Default: 5)
- Size: Maximum size of each log file in bytes (Default: 2097152)
Example config file:
```
                        {
                            "Debug": true,
                            "Count": 5,
                            "Size": 2097152
                        }
```
The Web Reputation Service's Browser Extension now allows Trend Micro Toolbar for Chrome browser to inspect URLs for content scripts in all frames. DS-75387
Anti-Malware events generated by the SAP Scanner now include file hashes. DS-75648/SEG-165491

Resolved issues

Deep Security Agent events and module status changes sometimes failed to appear in the console. DS-46344/SEG-67100/SEG-101719/SEG-112311
When Anti-Malware's "Enable network directory scan" option was enabled (Computer or Policy > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration > Advanced > Network Directory Scan)), malware was detected but a corresponding event was not recorded in some cases. SF06198579/SEG-160763/DSSEG-7786
When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
Application Control now checks web browser execution of .HTML, .HTM, and .JS files. DS-75102
When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
Deep Security Agent Scanner (SAP) couldn't generate reports for files with one or more trailing dots . in their file name. SF06181341/SEG-166326/DS-76404

Known issues

Deep Security Agent versions 20.0.0-6313 and newer are currently unable to load the third-party libraries required to use Remote Shell, File Collection, or Network Isolation on the Windows 2008 platform. If you need these three features on a Windows 2008 system, please avoid upgrading your agent. DS-75176
Updating Deep Security Agent causes Deep Security Manager to show an unknown error event (ID: 740) on some systems. A future Deep Security Manager release will address this issue. For more details, see Unrecognized Agent\Appliance Error Event in Deep Security Manager (Event ID 1010 - 1013). DS-76813

Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)

Release date: January 31, 2023

Build number: 20.0.0-6313

New features

Windows 10 22H2 support: Deep Security Agent (version 20.0.0-6313+) now supports Windows 10 22H2. (This requires Deep Security Manager version 20.0.716+.)

Enhancements

Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676

To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
If one of more agents were updated to version 20.0.0-6313 or newer before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent (DSA) offline when OpenSSL 3 rejects certificate with SHA-1 algorithm.
With Anti-Malware and Behavior Monitoring enabled, Deep Security Agent now monitors for suspicious behavior to improve protection against MITRE attack scenarios. This functionality requires Deep Security Manager version 20.0.711+. DS-73644
Updated Deep Security Agent to support the "Trend Micro Toolbar for Enterprise" Chrome browser extension, improving HTTPS protection for Web Reputation Service. DS-74870

Resolved issues

When Application Control was enabled, Deep Security Agent's status sometimes became stuck at "Application Control Ruleset Update In Progress". DS-74627
An issue with the TLS protocol record layer in Deep Security Agent caused some systems to crash. SF06297487/SEG-162236/DSSEG-7774
Deep Security Agent sometimes caused file handle leaks when communicating with Deep Security Manager or agent command-line tools. DS-75111
For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent will only show the final successful event. SF06207160/SEG-160085/DSSEG-7765
With Web Reputation Enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (_) entered in a command was replaced with a dash (-), and an uppercase Z was replaced with a lowercase z. DS-74335

Deep Security Agent - 20.0.0-5995 (20 LTS Update 2022-11-28)

Release date: November 28, 2022

Build number: 20.0.0-5995

New features

Windows 11 22H2 support: Deep Security Agent (version 20.0.0-5995+) now supports Windows 11 22H2. (This requires Deep Security Manager version 20.0.711+.)

Enhancements

Updated Deep Security Agent to support the "Trend Micro Toolbar for Enterprise," a Chrome browser extension that extends HTTPS protection for Web Reputation Service. This is only supported for Trend Micro Cloud One - Workload Security customers at this time. DS-74568
Updated the Web Reputation Service to support multi-thread processing on the web browser extension, improving the query rate. DS-74098
Updated Deep Security Agent to include the details of command line Behavior Monitoring violations in the console under Events & Reports > Events > Anti-Malware Events. DS-72866

Resolved issues

A file handle leak in the Deep Security notifier (notifier.exe) caused high system memory usage. DS-74325
In Workload Security, enabling OS proxy (by setting "Allow agents to apply OS proxy or direct connect when the configured proxy is inaccessible" set to "Yes" from Administration > System Settings > Proxies) would cause Deep Security Agent to crash if the proxy data the agent needed was missing on the operating system side. SEG-158968/DS-75034
With Activity Monitoring enabled, high message volume sometimes made the internal MQTT channel inaccessible. This caused Deep Security Agent errors (MQTT offline, hub is busy, cannot connect to dsa-connect) as well as Trend Micro Vision One connectivity loss and the inability to send telemetry. SEG-160263/SEG-161138/SEG-160116/SEG-159318/DS-74638
While running Application Control in maintenance mode, executable files that should have been accessible were sometimes blocked due to a sharing violation. SF04922652/SEG-131710/DS-74592
Application Control was unable to block scripts executed using GitBash shell (sh.exe). DS-73827
With Activity Monitoring enabled, Deep Security Agent caused file handle leaks on some systems. DS-74301
Deep Security Agent caused an outdated "Early Launch Anti-Malware Pattern" component to appear on the Security Updates page, causing the Security Update Status to be "Out-of-Date". This pattern was unused, which is why it always appeared as an outdated component. SEG-158345/DSSEG-7745
Deep Security Agent sometimes allowed a higher access level than the one set by a user's group. For example, the "Users" group was able to modify files even if it had read-only access. SEG-157530/DSSEG-7737
With Anti-Malware enabled, a Deep Security Agent driver caused some systems running Windows Server 2008 to crash. SF05926337/SEG-157388/DSSEG-7739

Deep Security Agent - 20.0.0-5810 (20 LTS Update 2022-10-27)

Release date: October 27, 2022

Build number: 20.0.0-5810

New features

Installed software reporting: Deep Security Agent now reports installed software with additional details from the Microsoft Windows Installer. This is currently only available to Trend Micro Cloud One Workload Security customers.

Enhancements

Updated Deep Security Agent to include additional metadata (like UserAgent and Referrer) for Web Reputation Services. DS-72196
Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085

Resolved issues

With Anti-Malware Behavior Monitoring enabled, uninstalling or upgrading from Deep Security Agent 20.0.0-5761 caused some systems to crash. For more details see BSOD Encountered During Uninstall of Deep Security Agent 20.0.0-5761. DS-74322
With Activity Monitoring enabled, Deep Security Agent caused file handle leaks on some systems. DS-74301
With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483
With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
If the Deep Security Agent service stopped while running Application Control in Maintenance Mode, executable files created after the service stopped were not being auto-approved as intended. SF05961688/SEG-152045/DS-73570
Software, if renamed or copied while Application Control had Maintenance Mode enabled, would remain authorized in the software inventory under its original filename or location. DS-74015
Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807
The TLS inspection support package failed to download on Deep Security Agents using Edge Relay. DS-73789

Known issues

After upgrading the Deep Security Agent package for Windows from version 20.0.0-5761 to 20.0.0-5810, a reboot is required to solve an issue causing systems to crash. For more details including steps to workaround the issue, please see https://success.trendmicro.com/dcx/s/solution/000291718?language=en_US. DS-74383

Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)

Release date: September 22, 2022

Build number: 20.0.0-5512

Enhancements

Deep Security Agent now supports the automatic update of Advanced TLS Traffic Inspection as operating system libraries change (Computer or Policy > Settings > TLS Inspection Package Update). This requires Deep Security Manager version 20.0.677+. DS-72828

Resolved issues

Integrity Monitoring events (Events & Reports > Integrity Monitoring) were created with "N/A" displayed in the KEY and TYPE columns. SF05533287/SEG-139293/DS-71899
Updating Deep Security Agent and removing the expired TLS session key caused some systems to crash. SF06007238/SEG-153175/DS-73404
With Anti-Malware enabled, some computers got stuck in a "Security Update In Progress" state. SF05106626/SEG-129777/DSSEG-7500
With Deep Security Agent self-protection enabled, enabling or disabling Advanced TLS inspection service caused "Event ID 7006" in the Windows Service Control Manager. DS-73305
Deep Security Agent reported host metadata in an unexpected format. DS-73411

Security updates

Highest CVSS score: 7.0

Highest severity: High

Known issues

With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483

Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)

Release date: August 29, 2022

Build number: 20.0.0-5394

Enhancements

Application Control now detects software changes for executables with non executable extensions. DS-70805
Added SYSTEM user network drives and mount points for Windows to the information collected when generating a diagnostics package. DS-71816
Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
Updated Deep Security Agent so Application Control will automatically authorize test PowerShell scripts created by AppLocker. DS-71762
Behavior Monitoring exclusions now support wildcard characters. DS-71976
Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833

Resolved issues

When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
When Behavior Monitoring is enabled, Deep Security Agent would sometimes prevent Docker on Windows from starting. SF05709278/SEG-146323/DSSEG-7660
Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
Deep Security Agent would sometimes retrieve incorrect PID information on Windows for connection metrics and log events. DS-72526
Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
When Anti-Malware accessed files on a Cluster Shared Volume, the Hyper-V host would crash. SF05713918/SF05850687/SEG-146660/SEG-148664/DSSEG-7664

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699
Deep Security Agent versions 20.0.0-5137+ are unable to load the third-party libraries needed for Activity Monitoring on Windows 2008 platform. If you need Activity Monitoring for a Windows 2008 system, please avoid upgrading your agent. (This issue will be fixed in a future release.) DS-72573

Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)

Release date: July 26, 2022

Build number: 20.0.0-5137

New features

Enhancements

Deep Security Agent (version 20.0.5137+) for Windows, will use an additional certificate: "Microsoft Identity Verification Root Certificate Authority 2020". For details see the following article: https://success.trendmicro.com/dcx/s/solution/1104241-Updating-the-VeriSign-DigiCert-USERTrust-RSA-certificate-on-Deep-Security-and-Cloud-One-Workload-Security?language=en_US. DS-72711
Deep Security Agent Scanner (SAP) now generates infection reports with additional details. DS-71660
Updated Deep Security Agent to improve the "zero-config" SSL process for outbound connections. DS-70715
Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar \*\* which matches many sub directories. Single star \* now only matches within your current directory. Existing rules that used a single star \* to match many folders will no longer work and will need to be changed to use a globstar \*\*. DS-71817

Resolved issues

With Anti-Malware enabled, Deep Security Agent had a driver conflict causing some third-party applications to freeze. SF05570686/SEG-140749/DSSEG-7650
Deep Security Agent's Scanner (SAP) library install sometimes failed because required certificates on hosts were outdated. DS-71917
Deep Security Agent SAP scanner could not detect the MIME (.TTF) files. DS-55897
Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889

Security updates

Highest CVSS score: 4.4

Highest severity: Medium

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699
Deep Security Agent version 20.0.0-5137 is unable to load the third-party libraries needed for Activity Monitoring on Windows 2008 platform. If you need Activity Monitoring for a Windows 2008 system, please avoid upgrading your agent to version 20.0.0-5137. (This issue will be fixed in a future release.) DS-72573

Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)

Release date: July 4, 2022

Build number: 20.0.0-4959

Resolved issues

Deep Security Agent caused increased CPU usage for systems running the WMI provider service (WmiPrvSE.exe). 05528968/SEG-142736/DS-71626
Deep Security Agent Scanner (SAP) reports displayed .SAR files in the wrong order. DS-71651
Deep Security Agent had a conflict preventing TMUMH drivers from loading (on Windows 11 and Windows 2022), and in some cases causing a system crash (affecting all Windows platforms). SEG-143164/DSSEG-7596
Using the command line (dsa_control -b), Deep Security Relay failed to extract the bundle file required to update in a closed network environment. SF05715642/SEG-144571/DSSEG-7600
With Log Inspection enabled, Deep Security Agents upgraded to version 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
When Anti-Malware is enabled alongside either Integrity Monitoring or Activity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
With Anti-Malware enabled, Deep Security Agent generated "Anti-Malware Engine Offline" errors caused by service restarts following a software upgrade. SF05521775/SEG-144639/DSSEG-7615
With Anti-Malware enabled, Deep Security Agent sometimes caused a system crash or high system memory usage, or failed to deliver event reports. SF05475742/SEG-142632/DSSEG-7626
With Anti-Malware enabled, Deep Security Agent sometimes crashed operating systems that were undergoing an ISO backup. SF05532786/SEG-139280/DS-71299
Updated Deep Security Agent to immediately report its status to Deep Security Manager when Application Control's maintenance mode is enabled on the agent. DS-71617
Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866

Security updates

Highest CVSS score: 6.2

Highest severity: Medium

Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)

Release date: May 31, 2022

Build number: 20.0.0-4726

Enhancements

Updated Deep Security Relay to record its status and other metrics for potential troubleshooting. DS-65763

Resolved issues

Trust entities "allow by target" rules sometimes blocked processes they weren't intended to block. SF04922652/SEG-131710/DS-71060
Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
Updated Deep Security Relay to prevent Deep Security Agent from retrieving incomplete signature files for packages. SF05332854/SEG-134394/DS-71228
Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
An abnormal restart of Deep Security Agent sometimes lead to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524

Security updates

Highest CVSS score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)

Release date: April 28, 2022

Build number: 20.0.0-4416

Enhancements

Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515
Updated Deep Security Agent to support enabling the Anti-Malware module while Windows Defender is running in passive mode under some system configurations DS-69161. Currently this is only supported on systems running the following versions:
- Defender (AM) product / engine versions:
- Windows server and desktop versions:
- Deep Security Agent version 20.0.0-4416 and newer

Resolved issues

Deep Security Agent generated multiple "Anti-malware Engine Offline" events during agent upgrades under some system configurations. SF04500910/SEG-129316/DSSEG-7458

Security updates

Highest CVSS score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)

Release date: April 6, 2022

Build number: 20.0.0-4185

New features

Enhancements

Updated Deep Security Agent to properly execute Application Control settings for software changes made during a Windows upgrade. Previously, trust rules auto-authorizing software changes associated with a Windows upgrade would fail if Application Control was in lock down mode. DS-69579
When certificates are missing for an Anti-Malware installation, Deep Security Agent now forwards the certificate details to Deep Security Manager. The specific certificates missing will appear in the manager under Events & Reports > System Events. DS-69074

Resolved issues

Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
Deep Security Agent created an "Application Control Engine Offline" error during agent upgrade, and an "Application Control Engine Online Again" message after upgrade completion. (An upgrade should not have triggered these events.) DS-69888
Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
Deep Security Agent sometimes consumed a high amount of system resources during policy updates. SEG-134417/DS-69810

Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)

Release date: March 1, 2022

Build number: 20.0.0-3964

New features

Enhancements

Updated Deep Security Agent to exclude suspicious characters (such as $) found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989

Resolved issues

Deep Security Agent accepted policy change parameters even if the self-protection password verification did not pass. SF05177188/SEG-129643/DS-69293
Deep Security Agent sometimes went offline unexpectedly after activation. SEG-130280
With Intrusion Prevention enabled, issues establishing an SSL connection caused "Unsupported SSL Version" events. SF04955719/SEG-127437/DS-68689
Deep Security Agent was generating unexpected "Log File Delete Error" system events. DS-69641
Deep Security Agent sometimes created unnecessary "User (Created/Deleted)" or "Group (Added/Removed/Updated)" events. DS-62413

Deep Security Agent - 20.0.0-3771 (20 LTS Update 2022-01-24)

Release date: January 26, 2022

Build number: 20.0.0-3771

New features

Zero config IPS inspection: Deep Security Agent adds the capability for Intrusion Prevention to inspect TLS encrypted traffic without manually importing certificates. This adds support for more cipher suites as well. This feature is being rolled out gradually for Windows platforms, beginning with Trend Micro Cloud One - Workload Security customers.

Windows 21H2 support: Deep Security Agent (version 20.0.0-3771+) now supports Windows 21H2.

Enhancements

Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042

Resolved issues

Pairing Deep Security Agent with a proxy failed on Windows 11 when the "http://" prefix was unexpectedly added to the proxy address. The prefix was added if the address was accessed from the LAN settings window (Control Panel > Network and Internet > Internet Options > Connections > LAN settings), and then the window was closed by selecting OK. DS-68568
Deep Security Agent security update would fail and generate "AMSP" events if Anti-Malware was offline during the update. SF04696674/SEG-120215/DSSEG-7287
Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
Updated Deep Security Agent to enable "Write Defer Scan" by default for real-time Anti-Malware scanning, resulting in increased response time, faster processing, and reduced CPU usage. Previously, all files were scanned during read/write by default. Now, Anti-Malware file scanning during write is deferred (the file is added to a queue and scanned in the background). DS-66344
With Smart Scan enabled, Deep Security Agent was downloading the full size pattern update file, instead of the incremental one it was expected to, during security updates SEG-124937/DSSEG-7317

Security updates

Highest CVSS score: 9.1

Highest severity: High

Deep Security Agent - 20.0.0-3530 (20 LTS Update 2021-12-15)

Release date: December 15, 2021

Build number: 20.0.0-3530

New features

OS proxy support: Deep Security Agent (version 20.0.0-3530+ for Windows) can now apply proxy settings from the computer's OS to automatically connect to Trend Micro Cloud One - Workload Security, Deep Security Relay, and other Trend Micro backend services if the default agent-configured proxy loses its connection. This feature is only available to certain Workload Security customers at this time.

Important Notes

Pairing Deep Security Agent with a proxy currently fails on Windows 11 when the "http://" prefix is unexpectedly added to the proxy address after accessing it (under Control Panel > Network and Internet > Internet Options > Connections > LAN settings) and then selecting OK to close the window. This issue will be fixed in a future release. DS-68568

Resolved issues

With Smart Scan enabled, Deep Security Agent downloaded the full size pattern update file instead of the incremental one it was expected to during security updates. DSSEG-7317

Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)

Release date: November 24, 2021

Build number: 20.0.0-3445

New features

Anti-Malware offline scheduled scan: Deep Security Agent (version 20.0.0-3445+) adds the offline scheduled scan feature, enabling Anti-Malware scheduled scans to run while an agent is not connected to Cloud One Workload Security. This feature is only available to certain Cloud One Workload Security customers at this time.
Windows 11 support: Deep Security Agent (version 20.0.0-3445+) now supports Windows 11.
Windows Server 2022 support: Deep Security Agent (version 20.0.0-3445+) now supports Windows Server 2022.

Enhancements

Updated Deep Security Agent allow the Deep Security Notifier to be locked on (when installed through the command prompt using msiexec /I "Notifier's installer name" LockAppSettingsDefault=1), preventing users from hiding notifications. DS-64527
Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
Deep Security Agent no longer uses CBC cipher suites by default in order to improve security. DS-67204
Updated Deep Security Agent to support using the "process name" property in "ignore from source" rules for Application Control trust entities on Cloud One Workload Security. DS-67322
Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347

Resolved issues

With Anti-Malware enabled, Deep Security Agent caused connectivity issues for third-party software on some systems. SF04087024/SEG-125579/DSSEG-7321
Deep Security Agent sometimes showed plugin installation failures during an upgrade even when the upgrade was successful. DS-67336
When an expired certificate was removed from the host, Deep Security Agent's Anti-Malware plug-in update would fail, creating "Anti-Malware Component Update" events. SEG-117871/DS-66139
If an Anti-Malware scan began before the module had completed its installation on Deep Security Agent, it could cause a system crash and "Anti-Malware Engine Offline" errors after a reboot. SEG-108355/DS-63721
With Activity Monitoring enabled, Deep Security Agent sometimes crashed due to an issue with SQLite. 04958386/SEG-123752/DSSEG-7300
Deep Security Agent couldn't properly handle SAP NetWeaver MIME type scan requests containing leading and trailing spaces. DS-67448
When Integrity Monitoring rules using "UserSet" or "GroupSet" were enabled for a Deep Security Agent on Windows Active Directory Domain Controllers, excessive CPU and memory consumption would sometimes occur. Agent version 20.0.0-3445 blocks these types of Integrity Monitoring rules on Windows Active Directory Domain Controllers and generates an "Inapplicable Integrity Monitoring Rule" event. DS-65965

Security updates

Highest CVSS score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)

Release date: October 28, 2021

Build number: 20.0.0-3288

New features

Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

On the previous Deep Security Agent (version 20.0.0-3165), “Anti-Malware Component Update Failed” events were sometimes generated when computers performed security updates. This defect is now fixed in agent version 20.0.0-3288. SF04937346/SEG-122765/DSSEG-7268
With Intrusion Protection enabled, Deep Security Agent sometimes caused high CPU usage and sometimes caused the system to crash. DS-65902
With Intrusion Protection enabled, Deep Security Agent caused the system to crash under some configurations. SF04931669/SEG-123338/DS-67441
With SAP integrated and running, Deep Security Agent would block MP4 files. 04660120/SEG-117094/DSSEG-7254
Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
CPU usage would spike when Deep Security Agent queried the runtime status of the Anti-Malware component. DSSEG-7222
Deep Security Agent did not always check that metadata was ready before initializing connection with the manager. DS-51103
Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-65056

Security updates

Highest CVSS score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)

Release date: October 08, 2021

Build number: 20.0.0-3165

New features

Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
CPU usage would spike when Deep Security Agent queried the runtime status of the Anti-Malware component DSSEG-7222
Deep Security Agent did always check that metadata was ready before initializing connection with the manager. DS-51103

Security updates

Highest CVSS score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-2921 (20 LTS Update 2021-08-30)

Release date: August 30, 2021

Build number: 20.0.0-2921

New features

Census feedback: Deep Security Agent (version 20.0.0-2921+) can now send census file feedback to the Smart Protection Network (SPN) if Trend Micro Smart Feedback is enabled (System Settings > Smart Feedback).

Enhancements

Updated Deep Security Agent to detect the "HiveNightmare" exploit. DS-65217

Resolved issues

With Application Control enabled, Deep Security Agent sometimes crashed when a .MSI file was launched. SF04647983/SEG-114894/DSSEG-7032
Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
Deep Security Agent sometimes failed to properly display items under Events & Reports. DSSEG-7057

Security updates

Highest CVSS score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-2740 (20 LTS Update 2021-07-29)

Release date: July 29, 2021

Build number: 20.0.0-2740

Enhancements

Updated Deep Security Agent to improve TLS traffic inspection. This feature is being rolled out gradually, beginning with Trend Micro Cloud One - Workload Security customers. DS-15576
Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547

Resolved issues

With Application Control enabled, files with '.tmp" extensions were creating a large number of "Application Control Software Changes Detected" events in the Deep Security Manager console. 04671615/SEG-115017/DS-65043
Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963

Security updates

Highest CVSS score: 9.8

Highest severity: High

Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)

Release date: July 01, 2021

Build number: 20.0.0-2593

Resolved issues

Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
The MQTT connection sometimes went offline when Deep Security Agent had Activity Monitoring enabled. SF04216172/SEG-101691/DS-63458
Anti-Malware sometimes went offline after enabling Application Control on Deep Security Agent. SF04532752/SEG-110572/DS-63406
Application Control was detecting multiple "Application Control Software Changes Detected" events due to '.tmp" files being generated by PowerShell. C1WS-1608
Citrix Virtual App or Desktop users sometimes encountered a grey screen (with error code 1003/1005) when Anti-Malware was enabled for Deep Security Agent. DS-64318
Anti-Malware sometimes caused high system CPU usage when the Windows WMI service accessed files repeatedly. SEG-109271/DSSEG-6983

Security updates

Highest CVSS score: 4.4

Highest severity: Medium

Deep Security Agent - 20.0.0-2419 (20 LTS Update 2021-06-02)

Release date: June 02, 2021

Build number: 20.0.0-2419

Resolved issues

Deep Security Agent (Windows version 20.0.0-2395) always displayed an "Out-of-Date" Security Update Status. This agent was removed from the Trend Micro Download Center. For more information see Removal of Deep Security Agent 20.0.0-2395 for Windows. SF04537047/SEG-110737/DS-63424
Integrity Monitoring alerts sometimes triggered but then did not appear in the Events & Reports tab. 04266346/SEG-103731/DS-62992
Items queued for Anti-Malware scan sometimes caused higher than normal Deep Security Agent CPU usage. DS-63106
Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-62154
Insufficient host information caused by connectivity issues sometimes resulted in offline or duplicate listings in the Computers tab for Deep Security Agents on AWS workspaces. SF04198134/SEG-102818/DS-61666
Deep Security Agent sometimes couldn't successfully perform an upgrade because of a missing package. SF04302125/SEG-104084/DS-62692

Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)

Release date: April 12, 2021

Build number: 20.0.0-2204

Resolved issues

When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
When Anti-Malware self-protection was enabled, sometimes third-party software could not be installed. SEG-101840/DSSEG-6694
Behavior Monitoring exceptions sometimes did not work properly. SF03775351/SEG-89899/DSSEG-6718
With Anti-Malware enabled, network transfer speeds slowed down significantly on some systems. SF04299217/SEG-103986/DSSEG-6780
Anti-Malware Behavior Monitoring exceptions sometimes did not work properly. SF04259521/SEG-102792/DSSEG-6714

Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)

Release date: March 08, 2021

Build number: 20.0.0-2009

Enhancements

Updated Deep Security Agent to include CPU information (number of logical cores) to improve diagnostics and performance tracking. DS-60011

Resolved issues

The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
Behavior Monitoring sometimes blocked a program without generating an event. SF03604820/SEG-86752/DS-60526
When Anti-Malware was enabled, a high amount of CPU was used. SF04106889/SEG-99034/DS-60526
Deep Security Agent sometimes crashed during an Anti-Malware manual scan. SEG-100231/DSSEG-6664

Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)

Release date: February 08, 2021

Build number: 20.0.0-1876

Resolved issues

The Deep Security Agent sometimes crashed when running Intrusion Prevention in passive mode. DS-57497
Activity Monitoring data could not be transferred to XDR because a proxy connection was established without a relevant port. SEG-97519

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021

Build number: 20.0.0-1822

Resolved issues

After a Windows update occurred, "Maintenance mode" for Application Control turned off automatically. SF03905860/SEG-93631/DS-58413

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021

Build number: 20.0.0-1681

This release contains general improvements.

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020

Build number: 20.0.0-1559

New features

Enhanced platform support

Windows 10 20H2

Improved security

Enhancements

Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
Enhanced memory usage to improve performance. DS-53012
Deep Security Agent now supports custom actions for Behavior Monitoring and Predictive Machine Learning. DS-48081

Resolved issues

When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Notice

In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:

[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020

Build number: 20.0.0.1337

New features

Enhancements

Added various executable files as trusted installers so they are automatically recognized by Application Control. SF03568205/SEG-85141/DS-54884
Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800/DS-51879
Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

In combined mode with agent-only and agent-preferred settings enabled, Deep Security Notifier sometimes turned the Antivirus status in the Windows action center on and off, which caused high CPU. DS-54799
After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
The Behavior Monitoring feature of Anti-Malware sometimes raised false alarms. DS-44974
When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
Deep Security Agent crashed unexpectedly because it was unable to detect the Docker engine version on Windows Servers. DS-29590
Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
There were detection issues with real-time Anti-Malware scans. DS-50286
Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. DS-53144

Security updates

Highest CVSS score: 4.4

Highest severity: Medium

Action required: Customers participating in the Trend Micro XDR Activity Monitoring preview for Workload Security

This Deep Security Agent release includes required updates for the Trend Micro XDR Activity Monitoring preview. If you are currently participating in the preview, you must upgrade to Deep Security Agent 20.0.0-1337 (or a newer version) by November 16, 2020. If you do not upgrade to Deep Security Agent 20.0.0-1337 (or a newer version), Activity Monitoring data will stop being collected on November 16, 2020. For more information about XDR and Activity Monitoring, see Integrate Workload Security with XDR.

Deep Security Agent 20.0.0-1337 (and newer versions) uses a new network connection to send Activity Monitoring data to Trend Micro. The connection details can be found in Enable Activity Monitoring. Ensure that agent traffic to this destination is allowed so Activity Monitoring data can be sent to Trend Micro.

Known issues

While the Deep Security Relay is upgrading co-located or independent relays, the alerts “Anti-Malware protection is absent or out of date” and “Security Update: Security Update Check and Download Failed (Agent/Appliance error)” might occur for up to 20 minutes or longer before they're automatically resolved and the respective alerts cleared. For any subsequent Deep Security Agent upgrades to succeed, please wait for the Deep Security Relay alerts to clear automatically. DS-54056

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020

Build number: 20.0.0.877

New features

Improved security

Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.

Protect AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, we will now create the computer outside of the account and allow the agent to activate.

SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.

Improved quality and management

Reboot requirement removed for agent upgrade: Previously, there were several situations where a Windows server would require a reboot for a new agent to complete the upgrade. The need to reboot when upgrading from Deep Security Agent 11.0, 12.0, or 20.0 on any Windows Operating System has been completely removed, enabling the application to not be impacted as result of upgrading Deep Security Agent.

Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported with Deep Security Manager FR 2020-04-30. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?

Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been canceled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.

Anti-Malware real-time file scan report: Deep Security has the ability to determine the top 10 files that are scanned by Anti-Malware real-time scan. This provides a starting point for performance evaluating and tuning, as you can use this information to set file exclusions and avoid unnecessary scans. The 'AmTopNScan.txt' file with the collected data can be generated using the following methods:

By the command dsa_control --AmTopNScan
By the diagnostic service

Improved process exceptions: The process exception experience has been improved in the following ways:

We've provided information about why process exclusion items are not functioning correctly so you can troubleshoot the issue and know which actions to take to resolve it.
We've improved the process exception configuration workflow to make it more robust.

Windows Event Channel for Log Inspection: Windows Event Channel logging provides a new option for tracking OS and Application logging for Windows platforms newer than Windows Vista. Event channels can be used to collect Log Inspection events which you can view later.

Enhancements

Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
Removed Integrity Monitoring and Application Control's dependency on Anti-Malware, so they no longer require Anti-Malware to be installed to function.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
Added support for agentless mode on vCloud connector for version 9.5 or later.
Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.
Enhanced the Malware Scan Failure event description to indicate the possible reason.
Streamlined event management for improved agent performance.
Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
Added support for Deep Security Agent delayed upgrade to reduce the Anti-Malware offline issue after triggering an upgrade.

Resolved issues

After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. (DS-49828)
Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
Deep Security Agent restarted unexpectedly because of the way Log Inspection was accessing the SQLite database. (DS-48395)
The interface isolation feature stayed active when Firewall was turned off. (SEG-32926/DS-27099)
Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. (DS-48916)
Integrity Monitoring events showed an incorrect file path with Unicode encoding. (SEG-45239/DS-33911)
The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. (SF02092464/SEG-53938/DS-38578)
Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. (SEG-39711/DS-32799)
For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
Deep Security's Notifier.exe process caused high CPU usage. (SF01716752/SEG-45507/DS-33645)
The "Smart Protection Server Disconnected for Smart Scan" alert did not automatically clear after the connection had been restored. (SF1609675/SEG-43574/DS-32947)
In some cases, the Windows driver did not correctly release spinlock, causing the system to hang. (SF01990859/SEG-50709/DS-36066)
Deep Security Agent process sometimes crashed when the detailed logging of SSL message was enabled and outputted. (SF01745654/SEG-45832/DS-33007)
When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. (SF01415702/SEG-42919/DS-33008)
The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. (SF1939658/SEG-49191/DS-34222)
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DS-34022)
The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. (SEG-50728/DS-35446)
The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. (SF01526046/SF02159742/SEG-55453/DS-38812)
Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app." error message in ds_agent.log. (SEG-21208/DS-33134/DS-21352)
When the system region format is "Chinese (Traditional, Hong Kong SAR)", Deep Security Notifier displayed simplified Chinese instead of traditional Chinese. (SEG-48075/DS-34778)
Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. (SF02187371/SEG-56645/DS-39398)
Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. (SF01804378/SEG-47425/DS-33690)
Too many file open events were being processed in user mode resulting in high CPU usage. (SF02179544/SEG-55745/DS-39638)
The "Type" attribute wasn't displayed in Integrity Monitoring events when the default "STANDARD" attribute was set to monitor registry value changes. (SF02412251/SEG-59848/DS-41118)
Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. (SF01780211/SEG-46616/DSSEG-3607)
High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. (SF02179544/SEG-55745/DS-41142)
The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. (SF02092464/SEG-53938/DS-39981)
Deep Security failed to download security updates because of an outdated user agent string. (SF02043400/SEG-52069/DS-41316)
When machines wrote document files to a file server, Anti-Malware needed to scan the files frequently, which caused other machines to fail to write the file because the file was being scanned. (SF01949194/SEG-49854/DS-40100)
When Deep Security Agent scanned large files for viruses, it consumed a large amount of memory. (SF01572110/SEG-48704/DS-43114)

Security updates

Highest CVSS Score: 7.8

Highest severity: High

Updated NGINX to 1.16.1 (DSSEG-4600)
Updated to curl 7.67.0.
Updated to openssl-1.0.2t.
Updated JRE to the latest Java Update (8.0.241/8.43.0.6).

Known issues

After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error may occur. To work around this issue, right-click the affected computer and select Actions > Clear Warnings/Errors, then Send Policy.
After upgrading the Deep Security Agent on Windows 2008, Anti-Malware may go offline. If this occurs, fully uninstall Deep Security Agent, reboot your server, then reinstall the agent.

Upgrade notice

If you have Application Control enabled, there may be a temporary performance impact while your software inventory is automatically rebuilding. (DS-41775)

Unix

Deep Security Agent - 20.0.0-6658 (20 LTS Update 2023-03-22)

Release date: March 22, 2023

Build number: 20.0.0-6658

New features

Enhancements

Intrusion Prevention's Web Reputation Service now includes OS platform metadata. DS-75453
Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (dsa-connect-X.log) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598

The logger supports an on-demand JSON config file (either dsa-connect.ini or dsa-connect.conf) with the following configurable options:
- Debug: Enable the debug log messages (Default: false)
- Count: Number of log files to generate (Default: 5)
- Size: Maximum size of each log file in bytes (Default: 2097152)
```
Example config file:
                        {
                            "Debug": true,
                            "Count": 5,
                            "Size": 2097152
                        }
```

Resolved issues

When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
Deep Security Agent was generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835

Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)

Release date: January 31, 2023

Build number: 20.0.0-6313

Enhancements

Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676

To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
If one of more agents were updated to version 20.0.0-6313 or newer before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent (DSA) offline when OpenSSL 3 rejects certificate with SHA-1 algorithm.

Resolved issues

Updated Deep Security Agent for AIX platforms to support Advanced Threat Scan Engine (ATSE) version 21.600. DS-75323
For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent will only show the final successful event. SF06207160/SEG-160085/DSSEG-7765
The Deep Security Agent log file (ds-agent.log) sometimes failed to rotate, causing it to use more disk space than intended. SF05306459/SEG-137003/DS-72899
With Web Reputation Enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (_) entered in a command was replaced with a dash (-), and an uppercase Z was replaced with a lowercase z. DS-74335

Deep Security Agent - 20.0.0-5953 (20 LTS Update 2022-11-22)

Release date: November 22, 2022

Build number: 20.0.0-5953

This release contains general improvements. Please note that this release only includes an agent for Solaris platforms.

Deep Security Agent - 20.0.0-5761 (20 LTS Update 2022-10-21)

Release date: October 21, 2022

Build number: 20.0.0-5761

Enhancements

Updated Deep Security Agent to include additional metadata (like UserAgent and Referrer) for Web Reputation Services. DS-72196
Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085

Resolved issues

With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807

Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)

Release date: September 22, 2022

Build number: 20.0.0-5512

Enhancements

Updated Deep Security Agent to add multi-thread support for On-Demand scan and Scheduled Scan. DS-72797/DS-72798

Resolved issues

Deep Security Agent reported host metadata in an unexpected format. DS-73411

Security updates

Highest CVSS score: 7.0

Highest severity: High

Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)

Release date: August 29, 2022

Build number: 20.0.0-5394

New features

AIX7.3 support: Deep Security Agent (version 20.0.0-5394+) now supports AIX7.3 (This requires Deep Security Manager version 20.0.677+.)

Enhancements

Application Control now detects software changes for executables with non executable extensions. DS-70805
Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833

Resolved issues

When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699

Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)

Release date: July 26, 2022

Build number: 20.0.0-5137

Enhancements

Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar \*\* which matches many sub directories. Single star \* now only matches within your current directory. Existing rules that used a single star \* to match many folders will no longer work and will need to be changed to use a globstar \*\*. DS-71817

Resolved issues

Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889

Security updates

Highest CVSS score: 4.4

Highest severity: Medium

Known issues

When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699

Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)

Release date: July 4, 2022

Build number: 20.0.0-4959

Resolved issues

With Log Inspection enabled, Deep Security Agents upgraded to version 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
When Anti-Malware is enabled alongside either Integrity Monitoring or Activity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
With Anti-Malware enabled, Deep Security Agent sometimes crashed operating systems that were undergoing an ISO backup. SF05532786/SEG-139280/DS-71299
Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866

Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)

Release date: May 31, 2022

Build number: 20.0.0-4726

Resolved issues

On AIX servers, when the LIBPATH or LD_LIBRARY_PATH environment variables for the system are defined, Deep Security Agent sometimes would not start. DS-70882
Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
An abnormal restart of Deep Security Agent sometimes lead to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333

Security updates

Highest CVSS score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)

Release date: April 28, 2022

Build number: 20.0.0-4416

Enhancements

Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515

Resolved issues

With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524

Security updates

Highest CVSS score: 7.5

Highest severity: High

Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)

Release date: April 6, 2022

Build number: 20.0.0-4185

Resolved issues

Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
Log Inspection was unable to parse system logs containing a single digit date format. SF04562942/SEG-115435/DS-69757

Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)

Release date: March 1, 2022

Build number: 20.0.0-3964

New features

Enhancements

Updated Deep Security Agent to exclude suspicious characters (such as $) found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989

Deep Security Agent - 20.0.0-3770 (20 LTS Update 2022-01-24)

Release date: January 24, 2022

Build number: 20.0.0-3770

Enhancements

Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042

Resolved issues

Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494

Security updates

Highest CVSS score: 9.1

Highest severity: High

Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)

Release date: November 24, 2021

Build number: 20.0.0-3445

Enhancements

Updated Deep Security Agent to use TLS 1.2 strong cipher suite by default to improve security. The agent previously used the CBC cipher suite by default. DS-67204
Updated Deep Security Agent to support using the "process name" property in "ignore from source" rules for Application Control trust entities on Cloud One Workload Security. DS-67322
Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347

Resolved issues

Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
Deep Security Agent sometimes caused connectivity issues, high CPU usage, or the system to crash. SEG-120758/SEG-123885/DS-67291

Security updates

Highest CVSS score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)

Release date: October 28, 2021

Build number: 20.0.0-3288

New features

Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
Some customers encountered an issue when the run-time CPU number was larger than expected, which led to crashes. DS-65757
Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-65056

Security updates

Highest CVSS score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)

Release date: October 08, 2021

Build number: 20.0.0-3165

New features

Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
Some customers encountered an issue when the run-time CPU number was larger than expected, led to crashes. DS-65757

Security updates

Highest CVSS score: 7.8

Highest severity: High

Deep Security Agent - 20.0.0-2921 (20 LTS Update 2021-08-30)

Release date: August 30, 2021

Build number: 20.0.0-2921

Resolved issues

Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
Deep Security Agent sometimes failed to properly display items under Events & Reports. DSSEG-7057

Deep Security Agent - 20.0.0-2740 (20 LTS Update 2021-07-29)

Release date: July 29, 2021

Build number: 20.0.0-2740

Enhancements

Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547

Resolved issues

Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
With Integrity Monitoring enabled, Deep Security Manager caused high CPU usage on the authentication server for some systems. 04488319/SEG-110088/DS-63855

Security updates

Highest CVSS score: 9.8

Highest severity: High

Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)

Release date: July 01, 2021

Build number: 20.0.0-2593

Resolved issues

Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
Integrity Monitoring alerts sometimes triggered but did not appear in the Events & Reports tab. 04266346/SEG-103731/DS-62992
Deep Security Agent failed to detect the correct platform under some configurations. 03804296/SEG-90864/DS-57809
Application Control was detecting multiple "Application Control Software Changes Detected" events due to '.tmp" files being generated by PowerShell. C1WS-1608

Security updates

Highest CVSS score: 4.4

Highest severity: Medium

Deep Security Agent - 20.0.0-2395 (20 LTS Update 2021-05-24)

Release date: May 24, 2021

Build number: 20.0.0-2395

Enhancement

Updated Deep Security Agent (version 20.0.0-2395+) to add support for Entrust Root Certificate Authority (G2) certificates. Non-G2 security certificates will expire on 2022/07/09. After that time, only agents that have been upgraded to version 20.0.0-2395 or higher will have the latest Anti-Malware Smart Scan protection. DS-63010

Resolved issues

Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-62154

Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)

Release date: April 12, 2021

Build number: 20.0.0-2204

New feature

Enhanced platform support

Anti-Malware support for AIX: Deep Security Agent now supports Anti-Malware for AIX 6.1. Agent version 20.0.0-2204+ supports Anti-Malware for AIX 6.1, AIX 7.1, and AIX 7.2.

Resolved issues

With Anti-Malware enabled, Deep Security Agent sometimes caused "defunct processes" (processes that remain in the system process table after they've completed execution). SEG-104452/DS-61593
When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067

Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)

Release date: March 08, 2021

Build number: 20.0.0-2009

Resolved issues

The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893

Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)

Release date: February 08, 2021

Build number: 20.0.0-1876

Resolved issues

Activity Monitoring data could not be transferred to XDR because a proxy connection was established without a relevant port. SEG-97519

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021

Build number: 20.0.0-1822

New feature

Anti-Malware support for AIX: This release adds support for Anti-Malware on the AIX platform. Agent version 20.0.0-1822+ supports Anti-Malware for AIX 7.1 and 7.2.

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021

Build number: 20.0.0-1681

This release contains general improvements.

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020

Build number: 20.0.0-1559

New features

Enhancements

Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
Enhanced memory usage to improve performance. DS-53012

Resolved issues

On Solaris servers where Integrity Monitoring was enabled and the rule: "Unix - Monitor Processes Running From '/tmp' Directories (ATT&CK T1059)" was assigned, a rule compile error was generated that referenced an "Unsupported Feature in Integrity Monitoring Rule". DS-55884
When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Notice

In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:

[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020

Build number: 20.0.0.1337

Resolved issues

When using Deep Security Agent on Solaris, the Integrity Monitoring port scanning feature did not work because the agent did not have access to information on the user ID under which a given port was opened. This prevented storage of any listening port information. The port scanning feature on Solaris agents has been modified to store the string "n/a" for the userid. This allows the remaining port information to be stored and used in the port scanning function. However, exclusions and inclusions based on User ID still do not function correctly because this information is not available. DS-53922

Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)

Release date: October 21, 2020

Build number: 20.0.0.1304

Enhancements

Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719

Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)

Release date: October 5, 2020

Build number: 20.0.0.1194

Enhancements

Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800
Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061

Resolved issues

Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
Deep Security Agent crashed on Solaris 10 during upgrades. SEG-72634/SF02975849/DS-49295
When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058

Security updates

Highest CVSS score: 4.4

Highest severity: Medium

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020

Build number: 20.0.0.877

New features

Improved security

SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.

Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.

Improved quality and management

By the command dsa_control --AmTopNScan
By the diagnostic service

Improved process exceptions: The process exception experience has been improved in the following ways:

We've provided information about why process exclusion items are not functioning correctly so you can troubleshoot the issue and know which actions to take to resolve it.
We've improved the process exception configuration workflow to make it more robust.

Enhancements

Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
Increased the scan engine's URI path length limitation.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
Streamlined event management for improved agent performance.
Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.

Resolved issues

After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. (DS-49828)
Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
The displayed packet header data contained redundant payload data. (DS-45792)
Memory leaked during SSL decryption because of a flaw in the SSL processing. (SEG-68263/DS-44360)
On specific Deep Security Agent servers the CPU usage spiked to 100% and pattern merges failed during the active update process. (SEG-66210/02711299/DS-46429)
When a security update was triggered before Anti-Malware was ready, the security updates failed. (DS-36952)
When real-time Integrity Monitoring was enabled with the rule "1002875: Unix Add/Remove Software" applied, the RPM database potentially locked. (SEG-67275/SF02663756/DS-48524)
Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. (SEG-71825/SF03021819/DS-48916)
Incorrect linking of certain libraries could lead to Deep Security Agent instability. (SEG-72958/03071960/DS-49324)
Anti-Malware directory exclusion with wildcard didn't match subdirectories correctly. (SF03131855/SEG-74892/DS-50245)
High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. (SF02179544/SEG-55745/DS-41142)
Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. (SF01780211/SEG-46616/DSSEG-3607)
Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. (SF01804378/SEG-47425/DS-33690)
Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. (SF02187371/SEG-56645/DS-39398)
The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. (SF01526046/SF02159742/SEG-55453/DS-38812)
The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. (SEG-50728/DS-35446)
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DS-34022)
The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. (SF1939658/SEG-49191/DS-34222)
When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. (SF01415702/SEG-42919/DS-33008)
For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. (SEG-39711/DS-32799)
Integrity Monitoring events showed an incorrect file path with Unicode encoding. (SEG-45239/DS-33911)
The interface isolation feature was still on when Firewall was turned off. (SEG-32926/DS-27099)
After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search X-Forwarded-For header after the header is parsed. (SEG-60728/DS-42332
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SEG-48728/SF01919585/DS-34022)
On Solaris servers with clusters, the Deep Security Intrusion Prevention module would come under heavy load while inspecting the clusters' private traffic. The extra load caused latency issues, node evictions, and loss of synchronization events.

You can now configure the Packet Processing Engine on the agent to bypass traffic inspection on a specified interface. Where a specific interface on a computer is dedicated to cluster private traffic, this configuration can be used to bypass inspection of packets sent to and received from this interface. This results in faster packet processing on the bypassed interface and other interfaces.

Use of this configuration to bypass traffic inspection is a security risk. It is up to you to determine if the benefit of reduced latency outweighs the risk involved. It is also up to you to determine whether only the nodes in the cluster have access to the subnet whose interface is being bypassed.

To implement the bypass, do the following:

Upgrade the Deep Security Agent to the latest build containing this fix.
Create a file under /etc directory named "ds_filter.conf".
Open the /etc/ds_filter.conf file.
Add the MAC addresses of all NIC cards used for cluster communication, as follows:

MAC_EXCLUSIVE_LIST=XX:XX:XX:XX:XX,XX:XX:XX:XX:XX

Save.
Wait 60 seconds for your changes to take effect.

In the /etc/ds_filter.conf file:

The MAC_EXCLUSIVE_LIST line must be the first line in the file.
All letters in the MAC address must be uppercase.
Leading zeros in each byte must be included.

Valid MAC_EXCLUSIVE_LIST:

MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E

MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E,6A:23:F0:0F:AB:34

Invalid MAC_EXCLUSIVE_LIST:

MAC_EXCLUSIVE_LIST=B:3A;12:F8:32:5E

MAC_EXCLUSIVE_LIST=0b:3a;12:F8:32:5e,6a:23:F0:0F:ab:34

MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E

If the MAC address is not valid, the interface will not be bypassed. If the exact string "MAC_EXCLUSIVE_LIST=" is not present at the beginning of the line no interfaces will be bypassed. (DSSEG-4055)

Security updates

Highest CVSS Score: 7.8

Highest severity: High

Updated NGINX to 1.16.1 (DSSEG-4600)
Updated to curl 7.67.0.
Updated to openssl-1.0.2t.
Updated JRE to the latest Java Update (8.0.241/8.43.0.6).

macOS (supported for Cloud One Workload Security only)