What's new in Deep Security Agent?

Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)
Release date: September 26, 2023
Build number: 20.0.0-7943
New features
Red Hat Enterprise Linux 8.6 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943+ supports only the Anti-Malware on-demand scan feature for Red Hat Enterprise Linux 8.6 (PowerPC little-endian). This requires Deep Security Manager 20.0.817+. Security updates are currently unsupported for this platform.
SUSE Linux Enterprise Server 12 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943+ supports only the Anti-Malware on-demand scan feature for SUSE Linux Enterprise Server 12 (PowerPC little-endian). This requires Deep Security Manager 20.0.817+. Security updates are currently unsupported for this platform.
SUSE Linux Enterprise Server 15 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943+ supports only the Anti-Malware on-demand scan feature for SUSE Linux Enterprise Server 15 (PowerPC little-endian). This requires Deep Security Manager 20.0.817+. Security updates are currently unsupported for this platform.
Security updates are currently unsupported on PowerPC platforms. The Advanced Threat Scan Engine (ATSE) status will not display correctly, and the following alerts are expected on RHEL 8.6, SUSE 12, and SUSE 15:
- Security Update: Security Update Check and Download Failed (Agent/Appliance error)
- Status: Out of Date
Enhancements
- New commands exist to get proxy information from the command line:
  dsa_query -c GetProxyInfo
  dsa_query -c GetProxyInfo details=true
  DSA-864
- All Trend Micro public keys that are used to validate kernel module signatures are now included by default in the Deep Security Agent packages. SF06915385/SEG-185980/DSA-1569
- Updated Deep Security Agent to support 20.0.1 Kernel Support Packages. In order to continue Linux Kernel support in 2024, please upgrade Deep Security Agent to 20.0.0-7943+. For details, see Platform support updates for Deep Security Agent (DSA) version revision in January 2024 Update Release. DSA-1217
Resolved issues
- When Activity Monitoring was enabled some systems encountered a memory leak. DS-78200
Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)
Release date: August 29, 2023
Build number: 20.0.0-7719
New features
Miracle Linux 8 support: Deep Security Agent 20.0.0-7719+ now supports Miracle Linux 8, including FIPS mode. This requires Deep Security Manager 20.0.817+.
Enhancements
- Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
- Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. (Agents configured as a Deep Security Relay still download all pattern updates.) DSA-1000
- The "blocking page" Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
- Advanced Threat Scan Engine version has been updated to 22.6. DSA-453
Resolved issues
- Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
- Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
- Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756
Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)
Release date: July 25, 2023
Build number: 20.0.0-7476
Enhancements
- Updated the dsa-connect service to improve CPU performance. C1WS-12970
- Deep Security Agent 20.0.0-7476 now supports FIPS mode for Red Hat Enterprise Linux 9. DS-77642
- Updated Deep Security Agent Scanner (SAP) to accept up to 512 parallel client connections established by SAP NetWeaver. (The previous connection limit was 256.) SF06983349/SEG-184190/DS-78229
Resolved issues
- Smart Protection Servers would sometimes lose connectivity with Web Reputation Service. SF06423462/SEG-166651/DSSEG-7858
Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)
Release date: June 28, 2023
Build number: 20.0.0-7303
New features
Amazon Linux 2023 support: Deep Security Agent 20.0.0-7303+ now supports Amazon Linux 2023, including FIPS mode (This requires Deep Security Manager 20.0.789+).
At time of release, Amazon Linux 2023 is not yet certified for FIPS. See the Amazon Linux 2023 release notes for the latest support information.
Amazon Linux 2023 (AWS ARM-Based Graviton 2): Deep Security Agent 20.0.0-7303+ now supports Amazon Linux 2023 on AWS Graviton 2 (This requires Deep Security Manager 20.0.789+).
Advanced TLS Traffic Inspection now supports Oracle Linux 9 (64-bit), Red Hat Enterprise Linux 9 (64-bit), and Ubuntu 22.04 (64-bit).
Enhancements
- Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation (such as fe80:0:0:0:0:0:0:1/24 or fe80::01). SF04849178/SEG-122076/DS-67280
- Activity Monitoring events will now display the FQDN instead of the hostname. SF06709374/SEG-179186/C1WS-14644
- Web Reputation Service will now automatically monitor the port(s) used by the OS proxy configuration. DS-77233
- Removed unnecessary proxy scheduled tasks from the Deep Security Virtual Appliance. This should prevent "Timed out waiting for relay to msg" and "Error creating task..." errors in the logs. SF06844880/SEG-179554/DS-77440
Resolved issues
- When Secure Boot is enabled but the signing key has not been loaded, the system would crash when Anti-Malware used the fanotify facility. SF06464888/SEG-167771/DS-76161
- Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
- The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
- Deep Security Relay 20.0.0-7119 failed to provide security and software updates when using the improved Relay. SF06935222/SEG-183184/DS-78201
- The Deep Security Agent connection count could overflow under certain conditions. DS-76902
- Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709
Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)
Release date: May 29, 2023
Build number: 20.0.0-7119
Enhancements
- MQTT connection credentials were entered in the Deep Security Agent log file (ds_agent.log) in certain scenarios. SEG-174560/C1WS-13282
- Updated Deep Security Agent to reduce the amount of redundant data sent when Activity Monitoring is enabled. DS-77657
- Deep Security Agent crashed some systems when they were out of memory. SF06704797/SEG-175243/DSSEG-7875
- Agent self-protection now secures the Advanced TLS inspection process (ds_nuagent), preventing local users with administrator privileges from stopping it. DS-74080
  Systems running Red Hat Enterprise Linux 7 (64-bit) with SELinux may require some manual configuration to avoid permission issues following this update. For details, see https://success.trendmicro.com/dcx/s/solution/000293160?language=en_US.
- Deep Security Agent now runs within a predefined group and accepts outbound traffic. DS-77415
Resolved issues
- Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
- After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453
- When Anti-Malware was enabled, Deep Security Agent caused high CPU usage on some systems. DS-77758
Deep Security Agent - 20.0.0-6912 (20 LTS Update 2023-05-02)
Release date: May 02, 2023
Build number: 20.0.0-6912
New features
Red Hat Enterprise Linux Workstation 7 support: Deep Security Agent 20.0.0-6912+ now supports Red Hat Enterprise Linux Workstation 7, including Secure Boot support. (This requires Deep Security Manager 20.0.759+.)
AlmaLinux 9 support: Deep Security Agent 20.0.0-6912+ now supports AlmaLinux 9, including Secure Boot support. (This requires Deep Security Manager 20.0.759+.)
Enhancements
- Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to ds_agent.ini. SF06664116/SEG-173848/DS-77182
  Example proxy probing line in the ds_agent.ini config file:
  dsa.proxymanager.ProbeTimeoutInSec=120
- Deep Security Agent installer now prevents the agent from updating if it detects SHA-1 was used to sign the certificate on the agent installer. This prevents the agent from updating and becoming unresponsive, since Deep Security Agent 20.0.0-6313 and higher requires RSA-2048 and SHA-256. For more information on certificate upgrade, see Upgrade the Deep Security cryptographic algorithm. DS-76499
- Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840
- Deep Security Agent now includes path and PID (process ID) for Anti-Malware events. SF05682761/SEG-147452/DS-72909
Resolved issues
- When connecting through a proxy with FIPS mode enabled, Deep Security Agent sometimes had connectivity issues with IoT devices. SEG-174776/DS-77197
- Deep Security Agent's Anti-Malware module sometimes failed to restart following an IPC (inter-process communication) timeout. DS-76889/SEG-169218
- A compatibility issue between the Deep Security Agent network driver and some third-party products caused systems to crash. SEG-156743/DS-75377
- Deep Security Virtual Appliance sometimes crashed when connecting by HTTPS to a Smart Protection Server. SEG-169451/DS-76968
- Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896
- When Web Reputation Service was enabled, Deep Security Agent caused some systems to shut down unexpectedly. SF06680505/SEG-174730/DSSEG-7866
- Files added to the SAP Scanner allow list without including a file extension were being blocked when they should have been allowed. SF06565062/SEG-170933/DS-77132
- Deep Security Agent sometimes crashed when shutting down after downloading new plugins from the relay. DS-76961
- Deep Security Agent caused some systems to reboot unexpectedly. SF06584000/SEG-171147/DSSEG-7851
Deep Security Agent - 20.0.0-6658 (20 LTS Update 2023-03-22)
Release date: March 22, 2023
Build number: 20.0.0-6658
New features
Oracle Linux 9 support: Deep Security Agent 20.0.0-6658+ with Deep Security Manager 20.0.737+ now supports Oracle Linux 9, including FIPS mode and Secure Boot support.
Service Gateway: Deep Security Agent 20.0.0-6658+ with Deep Security Manager 20.0.741+ now supports the Service Gateway feature, providing forward proxy functionality.
Enhancements
- When an Application Control Trust Entities path rule uses a wildcard without specifying a filename, the wildcard will now apply to all files in any directory matching the rule's path. (Previously, the globstar (**) wildcard would apply to a path rule's directory and subdirectories, as opposed to the single star (*) wildcard which would only match within the path rule's directory.) DS-75133
- Web Reputation Service now includes OS platform metadata. DS-75453
- Anti-Malware events generated by the SAP Scanner now include file hashes. DS-75648/SEG-165491
- Application Control now checks web browser execution of .HTML, .HTM, and .JS files. DS-75102
- Deep Security Agent now sends full command lines for processes to Deep Security Manager, improving the Recommendation Scan's rule recommendations. (Previously, the agent only sent the first 2048 characters of each process's command line.) C1WS-11728
- Deep Security Agent 20.0.0-6658+ with Deep Security Manager 20.0.737+ now supports Secure Boot for Ubuntu 22.04. DS-73729
- Deep Security Agent 20.0.0-6658+ now supports the Proxy Manager for Trend Micro Vision One (XDR) Threat Intelligence - User-Defined Suspicious Object (UDSO). DS-75365
- Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (dsa-connect-X.log) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598
  The logger supports an on-demand JSON config file (either dsa-connect.ini or dsa-connect.conf) with the following configurable options:
  - Debug: Enable the debug log messages (Default: false)
  - Count: Number of log files to generate (Default: 5)
  - Size: Maximum size of each log file in bytes (Default: 2097152)
  Example config file:
  { "Debug": true, "Count": 5, "Size": 2097152 }
Resolved issues
- When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
- The Deep Security Agent kernel support package download was sometimes interrupted, generating "Agent Integrity Check Failed" warnings and "Kernel Unsupported" errors. SEG-169497/DS-76545
- Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
- Anti-Malware Behavior Monitoring had a driver issue causing kernel warnings on some systems. SF06254724/SEG-163042/ORCA-762
- When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
- Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
- A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
- When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
- Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
- Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
- Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
- Deep Security Agent was unable to connect to the Anti-Malware Smart Scan service on some systems. SEG-168468/DS-76433
- Deep Security Agent caused performance issues on systems generating a large number of container environment Application Control events. SF06538377/SEG-169605/DS-76594
Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)
Release date: January 31, 2023
Build number: 20.0.0-6313
New feature
Agent self-protection: This feature helps prevent users on the local system from tampering with the agent. For more information, and help configuring agent self-protection, see Enable or disable agent self-protection in Linux.
Rocky Linux 9 support: Deep Security Agent 20.0.0-6313+ with Deep Security Manager 20.0.716+ now supports Rocky Linux 9, including FIPS mode and Secure Boot support. DS-73727
Enhancements
- Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL/TLS certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676
  To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
  If you updated to Deep Security Agent 20.0.0-6313+ before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent (DSA) offline when OpenSSL 3 rejects certificate with SHA-1 algorithm.
- With Anti-Malware and Behavior Monitoring enabled, Deep Security Agent 20.0.0-6313+ with Deep Security Manager 20.0.716+ now monitors for suspicious behavior to improve protection against MITRE attack scenarios. DS-73644
- Deep Security Agent 20.0.0-6313+ with Deep Security Manager 20.0.711+ now supports FIPS mode for Oracle Linux 8. DS-73778
Resolved issues
- When Application Control was enabled, Deep Security Agent's status sometimes became stuck at "Application Control Ruleset Update In Progress". DS-74627
- For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent will only show the final successful event. SF06207160/SEG-160085/DSSEG-7765
- Deep Security Agent crashes and issues connecting with Deep Security Manager caused Anti-Malware Offline events. SF06061098/SEG-154701/DS-74665
- With Web Reputation Enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (_) entered in a command was replaced with a dash (-), and an uppercase Z was replaced with a lowercase z. DS-74335
- With Activity Monitoring enabled, a connectivity issue caused Deep Security agents to appear offline for some Trend Micro Cloud One - Workload Security customers. The agent introducing this issue is no longer available. For more details, please see Removal of Deep Security Agent 20.0.0-5953 for Linux. SEG-161456
- With Activity Monitoring enabled, the internal MQTT channel sometimes became inaccessible. This caused high CPU usage and Deep Security Agent errors (MQTT offline, hub is busy, cannot connect to dsa-connect) as well as Trend Micro Vision One connectivity loss and the inability to send telemetry. SEG-160263/SEG-161138/SEG-160116/SEG-159318/DS-74638/DS-75367/DS-75193
- Application Control sometimes failed to block programs running in namespace mode. SF05929869/SEG-151363/DS-74116
- Integrity Monitoring sometimes failed to create events after running certain console commands (for example, passwd or mv commands). 05718251/SEG-148552/DS-72643
- Older Application Control events were not being removed from the database as intended, causing the events.db file size to increase indefinitely. SF06172729/SEG-159548/DS-74706
- When Integrity Monitoring event generation is interrupted by a process or system crash, it could lead to incorrect events being created. SF05508030/SEG-138756/DS-72470
Known issues
- Deep Security Agent is having connectivity issues on some systems, resulting in "Event ID 9012, Smart Protection Server Disconnected for Smart Scan" error messages. For more details including temporary workaround instructions, see https://success.trendmicro.com/dcx/s/solution/000292267. SF06512673/SEG-168468
Deep Security Agent - 20.0.0-5953 (20 LTS Update 2022-11-22)
Release date: November 22, 2022
Build number: 20.0.0-5953
New feature
Agent self-protection: This feature helps prevent users on the local system from tampering with the agent. For more information, and help configuring agent self-protection, see Enable or disable agent self-protection in Linux.
Enhancements
- Deep Security Agent 20.0.0-5953+ with Deep Security Manager 20.0.711+ now supports FIPS mode for Oracle Linux 8.
Resolved issues
- With Activity Monitoring enabled, the internal MQTT channel sometimes became inaccessible. This caused Deep Security Agent errors (MQTT offline, hub is busy, cannot connect to dsa-connect) as well as Trend Micro Vision One connectivity loss and the inability to send telemetry. SEG-160263/SEG-161138/SEG-160116/SEG-159318/DS-74638
- Application Control sometimes failed to block programs running in namespace mode. SF05929869/SEG-151363/DS-74116
- Integrity Monitoring sometimes failed to create events after running certain console commands (for example, passwd or mv commands). 05718251/SEG-148552/DS-72643
- Older Application Control events were not being removed from the database as intended, causing the events.db file size to increase indefinitely. SF06172729/SEG-159548/DS-74706
- When Integrity Monitoring event generation is interrupted by a process or system crash, it could lead to incorrect events being created. SF05508030/SEG-138756/DS-72470
Known issues
dsa-connect or ds_agent services. For more details, please see Removal of Deep Security Agent 20.0.0-5953 for Linux. SEG-161456
Deep Security Agent - 20.0.0-5761 (20 LTS Update 2022-10-21)
Release date: October 21, 2022
Build number: 20.0.0-5761
New feature
Enhanced platform support
- SAP Scanner support for Oracle Linux 7: Deep Security Agent for Oracle Linux 7 now supports SAP Scanner. VO-1849
Enhancements
- Updated Deep Security Agent to include additional metadata (like UserAgent and Referrer) for Web Reputation Services. DS-72196
- Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
- Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085
- Deep Security Agent now can be deployed without additional dependency on System V packages. DS-73588
Resolved issues
- With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483
- With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
- If the Deep Security Agent service stopped while running Application Control in Maintenance Mode, executable files created after the service stopped were not being auto-approved as intended. SF05961688/SEG-152045/DS-73570
- With Advanced TLS traffic inspection enabled, Deep Security Agent had a memory issue that prevented some applications from running. SEG-150631/DS-74039
- Software, if renamed or copied while Application Control had Maintenance Mode enabled, would remain authorized in the software inventory under its original filename or location. DS-74015
- Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807
- The TLS inspection support package failed to download on Deep Security Agents using Edge Relay. DS-73789
- On Red Hat Enterprise Linux computers, Anti-Malware being enabled would sometimes cause a system crash. SEG-155143/DS-74008
Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)
Release date: September 22, 2022
Build number: 20.0.0-5512
Enhancements
- Updated Deep Security Agent kernel device module files to comply with Security-Enhanced Linux (SELinux) requirements. DSSEG-7378
- Deep Security Agent now reports host information with additional details. DS-72609
- Deep Security Agent now reports host metadata for installed software with additional details. DS-72608
- Updated Deep Security Agent to add multi-thread support for On-Demand scan and Scheduled Scan. DS-72797/DS-72798
- Deep Security Agent with Deep Security Manager 20.0.677+ now supports the automatic update of Advanced TLS Traffic Inspection as operating system libraries change (Computer or Policy > Settings > TLS Inspection Package Update). DS-72828
Resolved issues
- Trust Entities settings were not being re-applied after turning Application Control off and back on again. SF05930535/SEG-152439/DS-73312
- When installed on a system that uses secure boot without importing the required sign key, Deep Security Agent generated an Anti-Malware Engine error code with "Reason ID: 13" when it should have generated the code with "Reason ID: 11". For details on Reason IDs, see Warning: Anti-Malware Engine has only Basic Functions. DS-72891
- Deep Security Agent reported host metadata in an unexpected format. DS-73411
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8100/VRTS-8101/DS-73087/DS-72528
Highest CVSS score: 7.0
Highest severity: High
Known issues
- With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483
Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)
Release date: August 29, 2022
Build number: 20.0.0-5394
New features
Ubuntu 22.04 (AWS ARM-based Graviton 2) support: Deep Security Agent 20.0.0-5394+ with Deep Security Manager 20.0.677+ is now supported on Ubuntu 22.04 (AWS ARM-based Graviton 2).
Enhancements
- The Deep Security Agent process will now restart automatically if the file descriptor count is abnormally high, and a counter was added to track how many times this event occurs. SF05212995/SEG-130431/DS-72616
- Application Control now detects software changes for executables with non-executable extensions. DS-70805
- Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
- Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833
Resolved issues
- When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
- Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
- Anti-Malware would sometimes leak file descriptors. SF05212995/SEG-130431/DS-72979
- When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
- Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
- When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
- Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
- Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
- Patched third-party libraries. Before patch, the Deep Security Virtual Appliance agent would sometimes crash. SF05559993/SEG-140234/DS-72510
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699
Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)
Release date: July 26, 2022
Build number: 20.0.0-5137
New features
Advanced TLS Traffic Inspection: Deep Security Agent 20.0.0-5137+ adds Advanced TLS Traffic Inspection support to platforms that run system updates or package updates. Please note that this feature is currently only supported for Trend Micro - Cloud One Workload Security. Support for Deep Security Manager (On-Premise) will be added later.
Red Hat 9 support: Deep Security Agent 20.0.0-5137+ with Deep Security Manager 20.0.651+ now supports Red Hat 9.
Amazon Linux 2 support: Deep Security Agent 20.0.0-5137+ with Deep Security Manager 20.0.651+ now supports Amazon Linux 2 for AWS Graviton 3.
Enhancements
- Updated Deep Security Agent to add Anti-Malware support for Red Hat OpenShift. DS-72368
- Updated Deep Security Agent to reduce CPU usage and improve container performance for real-time Anti-Malware scanning. Previously, all files were scanned during read/write. Now, Anti-Malware file scanning during write is deferred (the file is added to a queue and scanned in the background). DS-65581
- Deep Security Agent Scanner (SAP) now generates infection reports with additional details. DS-71660
- Updated Deep Security Agent to improve the "zero-config" SSL process for outbound connections. DS-70715
- Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar (**), which matches many subdirectories. Single star (*) now only matches within your current directory. Existing rules that used a single star (*) to match many folders will no longer work and will need to be changed to use a globstar (**). DS-71817
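The wildcard change in this note (referenced again in the 20.0.0-6658 Enhancements) can be audited before upgrading. The following is an added example, not Trend Micro code: it models the described single-star and globstar semantics with regular expressions, and the rule strings, paths and function names are constructed for illustration.

```python
import re
from itertools import combinations

# Matches a single '*' that is not part of a '**' globstar.
SINGLE_STAR = re.compile(r"(?<!\*)\*(?!\*)")


def rule_to_regex(rule, legacy=False):
    """Compile a path rule into an anchored regex.

    legacy=False: '*' stays inside one directory, '**' spans subdirectories
                  (the behaviour described for 20.0.0-5137 and later).
    legacy=True:  '*' also spans directories, modelling the earlier behaviour
                  that this release note says no longer works.
    This is a model of the release note, not the agent's own matcher.
    """
    parts = []
    i = 0
    while i < len(rule):
        if rule.startswith("**", i):
            parts.append(".*")
            i += 2
        elif rule[i] == "*":
            parts.append(".*" if legacy else "[^/]*")
            i += 1
        else:
            parts.append(re.escape(rule[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z")


def matches(rule, path, legacy=False):
    return rule_to_regex(rule, legacy).match(path) is not None


def rules_needing_globstar(rules, observed_paths):
    """Return {rule: [paths it matched before the change but not after]}."""
    report = {}
    for rule in rules:
        lost = [p for p in observed_paths
                if matches(rule, p, legacy=True) and not matches(rule, p)]
        if lost:
            report[rule] = lost
    return report


def narrowest_globstar(rule, lost_paths):
    """Widen as few single stars as possible to '**' to recover lost_paths.

    Widening a trust rule enlarges what is trusted, so the candidate with
    the fewest globstars is preferred; review it before applying.
    """
    stars = [m.start() for m in SINGLE_STAR.finditer(rule)]
    for k in range(1, len(stars) + 1):
        for chosen in combinations(stars, k):
            candidate = "".join("**" if i in chosen else ch
                                for i, ch in enumerate(rule))
            if all(matches(candidate, p) for p in lost_paths):
                return candidate
    return None


# Constructed sample data: trust rule paths and files seen on a host.
RULES = ["/opt/app/*/bin/*", "/opt/tools/*", "/usr/local/**/helper"]
OBSERVED_PATHS = [
    "/opt/app/v1/bin/run",
    "/opt/app/v1/plugins/x/bin/run",
    "/opt/tools/scan",
    "/opt/tools/extra/scan",
    "/usr/local/lib/a/helper",
]

if __name__ == "__main__":
    for rule, lost in rules_needing_globstar(RULES, OBSERVED_PATHS).items():
        print(f"{rule}: no longer matches {lost}")
        print(f"  narrowest replacement: {narrowest_globstar(rule, lost)}")
```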
Resolved issues
- Deep Security Agent Scanner (SAP) sometimes displayed duplicate Anti-Malware events for .SAR file types. DS-71879
- Deep Security Agent SAP scanner could not detect the MIME (.TTF) files. DS-55897
- Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889
- Deep Security Agent had connectivity issues on some systems. DS-72219
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7102/VRTS-7070/VRTS-7041/VRTS-7039/DSSEG-7636
Highest CVSS score: 4.4
Highest severity: Medium
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699
Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)
Release date: July 4, 2022
Build number: 20.0.0-4959
New features
Ubuntu 22.04: Deep Security Agent 20.0.0-4959+ now supports Ubuntu 22.04. (This requires Deep Security Manager 20.0.651+.)
FIPS mode on Ubuntu 20.04: Deep Security Agent 20.0.0-4959+ now supports FIPS mode for Ubuntu 20.04.
Enhancements
- Deep Security Agent 20.0.0-4959+ with Deep Security Manager 20.0.0-414+ now has improved Anti-Malware support on systems using Fanotify. Previously, "Anti-Malware Engine Offline" events interrupted Anti-Malware function on these systems. Now, an "Anti-Malware with basic functions" event will be recorded and users will maintain basic file scanning function, but not advanced scan mechanisms like Predictive Machine Learning. DS-68552
Resolved issues
- Deep Security Agent Scanner (SAP) had a connectivity issue preventing it from loading the correct libraries on some systems. DS-71623
- Deep Security Agent Scanner library sometimes caused SAP applications to crash. DS-71849
- Anti-Malware was unable to remove immutable or append-only files on some systems. VRTS-7110/DS-52383
- Using the command line (dsa_control -b), Deep Security Relay failed to extract the bundle file required to update in a closed network environment. SF05715642/SEG-144571/DSSEG-7600
- With Log Inspection enabled, upgrades to Deep Security Agents 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
- When Anti-Malware is enabled alongside either Integrity Monitoring or Activity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
- With Anti-Malware enabled, Deep Security Agent sometimes crashed operating systems that were undergoing an ISO backup. SF05532786/SEG-139280/DS-71299
- Updated Deep Security Agent to immediately report its status to Deep Security Manager when Application Control's maintenance mode is enabled on the agent. DS-71617
- Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866
Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)
Release date: May 31, 2022
Build number: 20.0.0-4726
Enhancements
- Updated Deep Security Relay to record its status and other metrics for potential troubleshooting. DS-65763
Resolved issues
- Trust entities "allow by target" rules sometimes blocked processes they weren't intended to block. SF04922652/SEG-131710/DS-71060
- Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
- With Activity Monitoring enabled, Deep Security Agent had high system CPU usage when events were being generated rapidly. 05107582/SEG-128170/DS-71486
- Deep Security Agent Scanner library didn't work properly with highly-interrupted SAP applications on Linux systems. As a result, files were scanned, but the results might not be reported to the SAP applications. SF05390384/SEG-136659/DS-71251
- Following an upgrade, Deep Security Agent would send continuous "Security update in progress" reports to Deep Security Manager. SF05253107/SEG-131983/DS-69747
- Updated Deep Security Relay to prevent Deep Security Agent from retrieving incomplete signature files for packages. SF05332854/SEG-134394/DS-71228
- Deep Security Agent had connectivity issues when a Server Name Indication (SNI) used an invalid format. SEG-127761/DS-70806
- An abnormal restart of Deep Security Agent sometimes led to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
- Secondary DNS setting from IP pool was not configured when Appliance was deployed. SF05215036/SEG-134844/DSSEG-7535
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-52329
Highest CVSS score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)
Release date: April 28, 2022
Build number: 20.0.0-4416
Enhancements
- Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515
Resolved issues
- With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7132/DS-70518
Highest CVSS score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)
Release date: April 6, 2022
Build number: 20.0.0-4185
New features
Advanced TLS traffic inspection: Advanced TLS traffic inspection adds the capability for inspecting TLS traffic encrypted with modern ciphers, including Perfect Forward Secrecy (PFS). It also enhances virtual patching for HTTPS servers to help protect against vulnerabilities such as Log4j.
Resolved issues
- Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
- Deep Security Agent created an "Application Control Engine Offline" error during agent upgrade, and an "Application Control Engine Online Again" message after upgrade completion. (An upgrade should not have triggered these events.) DS-69888
- Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
- Deep Security Agent had SSL connectivity issues when Web Reputation Service was enabled. DS-67675
- Deep Security Agent sometimes consumed a high amount of system resources during policy updates. SEG-134417/DS-69810
Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)
Release date: March 1, 2022
Build number: 20.0.0-3964
New features
Threat Intelligence: Threat Intelligence (formerly known as "Connected Threat Defense") provides enhanced malware protection for new and emerging threats. For more information, visit Detect emerging threats using Threat Intelligence.
Enhanced platform support
- Deep Security Agent 20.0.0-3964+ is now supported on these platforms:
- Red Hat 8 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.605+)
- Debian 11 (requires Deep Security Manager 20.0.605+)
Enhancements
- Updated Deep Security Agent to exclude suspicious characters (such as $) found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989
Resolved issues
- With real-time Integrity Monitoring enabled, Integrity Monitoring delete events were not being generated after editing a file and then deleting it. DS-69057
- Deep Security Agent caused high CPU usage for systems protecting containers. Container protection can now be enabled or disabled in Deep Security Manager (from Computer (or Policy) > Settings > Container Protection). SEG-115751/DSSEG-7334
Deep Security Agent - 20.0.0-3770 (20 LTS Update 2022-01-24)
Release date: January 24, 2022
Build number: 20.0.0-3770
New features
Zero config IPS inspection: Deep Security Agent adds the capability for Intrusion Prevention to inspect TLS encrypted traffic without manually importing certificates. This adds support for more cipher suites as well. This feature is being rolled out gradually for Linux platforms, beginning with Trend Micro Cloud One - Workload Security customers.
CRI-O support: A Deep Security Agent's "CRI-O engine version" is now displayed in Deep Security Manager, as well as Anti-Malware event information for containers. Please note that CRI-O is currently only supported for Deep Security Manager (On-Premise). Support for Trend Micro Cloud One - Workload Security will be added later.
Enhancements
- Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042
- Updated Deep Security Agent to correctly display the host's IP address in the "LastIpUsed" field. Previously, the field displayed the load balancer or proxy IP in environments using one of those. SF05283977/SEG-133073
Resolved issues
- A Deep Security Agent conflict with network interface controllers (NICs) caused systems with multiple NICs to crash. 05048124/SEG-126094/DS-68730
- When an Integrity Monitoring scan timed out, it sometimes generated false "create" or "delete" events for "user" or "group" entities. SEG-117739/DS-66885
- Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
- With Activity Monitoring enabled, Deep Security Agent caused high CPU usage. DS-62849
- A Deep Security Agent parsing issue was causing "Anti-Malware Engine Offline" errors. SF05171312/SEG-129367/DSSEG-7428
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-68180
Highest CVSS score: 9.1
Highest severity: High
Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)
Release date: November 24, 2021
Build number: 20.0.0-3445
New features
Collection of the agent metrics in the on-premise environment: You can now collect the agent metrics on-premises for SEG troubleshooting purposes. These metrics are stored as ZIP files on Windows in the C:\ProgramData\Trend Micro\Deep Security Agent\metrics directory and on Linux, AIX, and Solaris in the /var/opt/ds_agent/metrics directory. The ZIP files are rotated periodically on the local file system. Each ZIP file is approximately 1 MB in size and contains up to 100 files. The metrics are collected along with the diagnostic package.
Enhancements
- Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
- Deep Security Agent no longer uses CBC cipher suites by default in order to improve security. DS-67204
- Deep Security Agent was upgraded to use locally installed kernel modules when new ones can't be fetched from the Deep Security Relay. DS-66599
- Updated Deep Security Agent to support using the "process name" property in "ignore from source" rules for Application Control trust entities on Cloud One Workload Security. DS-67322
- Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347
Resolved issues
- Insufficient file access permission for the Deep Security Relay sometimes caused the agent installer to fail. DS-67278
- Deep Security Agent sometimes showed an incorrect "No such file or directory" error message during installation. DS-67317
- Deep Security Agent sometimes showed plugin installation failures during an upgrade even when the upgrade was successful. DS-67336
- Deep Security Agent sometimes could not start after an upgrade. SF04943063/SEG-123155/DS-67475
- Deep Security Agent sometimes changed the access time of files during the on-demand Anti-Malware scan. DS-67119
- The Deep Security Agent and MQTT connection would sometimes go offline, requiring an agent restart. DS-67487
- Deep Security Agent couldn't properly handle SAP NetWeaver MIME type scan requests containing leading and trailing spaces. DS-67448
- With Anti-Malware real-time scan enabled, Deep Security Agent would sometimes scan unchanged files. DS-67806
- Deep Security Agent sometimes caused the system to crash. SEG-123338/DS-67445
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6489/DSSEG-7210/DS-65113/DS-67367
Highest CVSS score: 9.8
Highest severity: High
Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)
Release date: October 28, 2021
Build number: 20.0.0-3288
New features
Kernel support package updates: You can now choose when to perform kernel support package updates, using the new "Automatically update kernel package when agent restarts" option in the computer or policy editor.
Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Enhanced platform support
- Deep Security Agent 20.0.0-3288+ now supports these platforms:
- AlmaLinux 8 (requires Deep Security Manager 20.0.503+)
- Rocky Linux 8 (requires Deep Security Manager 20.0.543+)
- Ubuntu 20.04 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.503+)
- Ubuntu 18.04 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.482+)
- Secure boot support: Deep Security Agent now supports Oracle Linux 7 (in both UEK-R5 and UEK-R6) and Oracle Linux 8 with Secure Boot enabled.
Enhancements
- Deep Security Agent 10.0 to 20.0 upgrades now keep their "NIC bypass" configuration (used for bypassing a network interface). DS-64985
- You can now exclude container file events from the kernel module. DS-65547
Resolved issues
- Anti-Malware updates sometimes failed, resulting in "Security Update: Pattern Update on Agents/Appliances Failed" errors. 04763356/SEG-119138/DS-66569
- The Deep Security Agent Scanner library sometimes couldn't be loaded by SAP NetWeaver. DS-67530
- With Intrusion Protection enabled, Deep Security Agent caused the system to crash under some configurations. SF04931669/SEG-123338/DS-67441
- With SAP integrated and running, Deep Security Agent would block MP4 files. 04660120/SEG-117094/DSSEG-7254
- Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certificate Revocation List (CRL). DS-65056
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-46018/DSSEG-7210/DSSEG-7217
Highest CVSS score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)
Release date: October 08, 2021
Build number: 20.0.0-3165
Deep Security Agent 20.0.0.3165 has been released to Trend Micro Cloud One - Workload Security customers. However, it will not be made available on the Deep Security Agent software download page or released to customers using Deep Security Manager.
New features
- AlmaLinux 8 support: Deep Security Agent is now supported on AlmaLinux 8.
- Ubuntu 18.04 (AWS ARM-Based Graviton 2) support: Deep Security Agent is now supported on Ubuntu 18.04 (AWS ARM-Based Graviton 2).
- Oracle Linux 7 support: Deep Security Agent is now supported on Oracle Linux 7 with Secure Boot (in both uek-R5 and uek-R6).
- Kernel support package updates: You can now choose when to perform kernel support package updates, using the new Automatically update kernel package when agent restarts option in the computer or policy editor.
- Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Enhancements
- Updated Deep Security Agent to prevent agents upgraded from version 10.0 to 20.0 from losing their "NIC bypass" configuration (used for bypassing a network interface). DS-64985
- You can now exclude container file events from the kernel module. DS-65547
Resolved issues
- Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7210/DSSEG-7217
Highest CVSS score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-2971 (20 LTS Update 2021-09-08)
Release date: September 08, 2021
Build number: 20.0.0-2971
New features
FIPS mode on Red Hat Enterprise Linux 8: Deep Security Agent 20.0.0-2971+ now supports FIPS mode for Red Hat Enterprise Linux 8.
FIPS mode on Amazon Linux 2: Deep Security Agent 20.0.0-2971+ now supports FIPS mode for Amazon Linux 2.
Enhancements
- Updated Deep Security Agent to improve performance and compatibility by using a unified driver for file, process, and network events. DS-61784
- Updated Deep Security Agent to improve TLS traffic inspection. This feature is being rolled out gradually, beginning with Trend Micro Cloud One - Workload Security customers. DS-15576
- Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547
Resolved issues
- Deep Security Agent sometimes caused performance issues on systems with folders in NFS format. SF04816680/SEG-118993/DS-66280
- With Integrity Monitoring enabled, Deep Security Agent sometimes caused high CPU usage. DS-65986
- Deep Security Agent 20.0.0-2740 for Linux was causing performance and third-party compatibility issues on some systems. This agent was removed from the Trend Micro Download Center. For more information, see Removal of Deep Security Agent (DSA) Build 20.0.0-2740 for Linux from Download Center.
- Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
- Deep Security Agent sometimes failed to properly display items under Events & Reports. DSSEG-7057
- Deep Security Agent was sometimes unable to create or manage tasks on RPM-based platforms due to a SystemD (Linux service manager) process limitation. SF04543580/SEG-113833/DS-65550
- Deep Security Agent Anti-Malware Real-Time Scan exclusions sometimes failed within container environments. DS-65528
- Deep Security Agent Anti-Malware Real-Time Scan directory exclusions sometimes failed if filenames were not in UTF-8 format. SEG-115198/DS-65495
- With Anti-Malware enabled, Deep Security Agent encountered an "Insufficient Disk Space" alert which sometimes crashed the agent or stopped other programs from working properly. SF04584157/SEG-113377/DS-64405
- Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
- Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
- Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
- Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
- Deep Security Agent upgrade (Administration > Updates > Software) sometimes failed if a previous (RPM package) upgrade was triggered using console commands. SF04586071/SEG-113583/DS-64978
- With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
- With Integrity Monitoring enabled, Deep Security Manager caused high CPU usage on the authentication server for some systems. 04488319/SEG-110088/DS-63855
- With Integrity Monitoring real-time scan enabled, Deep Security Agent sometimes prevented files on network drives from being deleted. SEG-108636/C1WS-1787
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. SF04613197/SEG-113566/DS-64050
Highest CVSS score: 9.8
Highest severity: High
Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)
Release date: July 01, 2021
Build number: 20.0.0-2593
New feature
FIPS mode on Ubuntu 18.04: Deep Security Agent 20.0.0-2593+ now supports FIPS mode for Ubuntu 18.04.
Resolved issues
- Integrity Monitoring alerts sometimes triggered but did not appear in the Events & Reports tab. 04266346/SEG-103731/DS-62992
- Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
- The MQTT connection sometimes went offline when Deep Security Agent had Activity Monitoring enabled. SF04216172/SEG-101691/DS-63458
- Application Control was detecting multiple "Application Control Software Changes Detected" events due to ".tmp" files being generated by PowerShell. C1WS-1608
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-5850/DS-54705
Highest CVSS score: 4.4
Highest severity: Medium
Deep Security Agent - 20.0.0-2395 (20 LTS Update 2021-05-24)
Release date: May 24, 2021
Build number: 20.0.0-2395
New features
Enhanced platform support
- Application Control and Integrity Monitoring for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Application Control and Integrity Monitoring for Amazon Linux 2 on AWS Graviton 2. DS-62775
- Activity Monitoring for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Activity Monitoring for Amazon Linux 2 on AWS Graviton 2.
Enhancements
- Deep Security Agent 20.0.0-2395+ now supports Entrust Root Certificate Authority (G2) certificates. Non-G2 security certificates will expire on 2022/07/09. After that time, only Deep Security Agent 20.0.0-2395+ will have the latest Anti-Malware Smart Scan protection. DS-63010
- Updated Deep Security Agent to add Predictive Machine Learning support for Malware Scan on Linux platforms. DS-62857
- Updated Deep Security Agent's Anti-Malware default configuration to monitor file access from the local host only, improving compatibility for some file systems. DS-62222
Resolved issues
- Anti-Malware Real-Time Scan sometimes didn't detect files properly with the "During read" setting selected (Computers > Details > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration > Edit > Advanced > Real-Time Scan). SEG-104496/DS-61836
- Deep Security Agent was unable to install in some environments because it misidentified the OS. DSSEG-2915/DS-28321
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certificate Revocation List (CRL). DS-62154
- Anti-Malware Real-Time Scan sometimes caused high CPU usage. 04331007/SEG-107814/DS-62593
- Insufficient host information caused by connectivity issues sometimes resulted in offline or duplicate listings in the Computers tab for Deep Security Agents on AWS workspaces. SF04198134/SEG-102818/DS-61666
- Anti-Malware Real-Time Scan caused unintentional file changes under some configurations. DS-62412
- Deep Security Agent sometimes couldn't successfully perform an upgrade because of a missing package. SF04302125/SEG-104084/DS-62692
- Anti-Malware kernel modules sometimes didn't bypass file activity on remote shared storage when Network Directory Scan was disabled. DS-62985
Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)
Release date: April 12, 2021
Build number: 20.0.0-2204
New feature
Enhanced platform support
- Anti-Malware and Log Inspection support for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent 20.0.0-2204+ now supports the Anti-Malware, Firewall, Intrusion Prevention, Log Inspection, and Web Reputation protection modules. Please note that Advanced Threat Scan Engine (ATSE) update is not currently supported for Amazon Linux 2 on AWS Graviton 2, but will be added in a future release.
Resolved issues
- With Anti-Malware enabled, Deep Security Agent sometimes caused "defunct processes" (processes that remain in the system process table after they've completed execution). SEG-104452/DS-61593
- When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
- When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
- When Integrity Monitoring real-time scan was enabled, sometimes directories on NFS volumes couldn't be removed. SF03977538/SEG-98656/DS-61062
- When Intrusion Prevention was enabled, the system would crash under some configurations. SF04286712/SEG-103971/DS-61274
- A proxy server issue sometimes caused connectivity issues with Deep Security Agents after registering with Trend Micro Vision One (XDR). SF04318864/SEG-104847/DS-61516
Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)
Release date: March 08, 2021
Build number: 20.0.0-2009
Enhancements
- Updated Deep Security Agent to include CPU information (number of logical cores) to improve diagnostics and performance tracking. DS-60011
Resolved issues
- The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
- When Firewall, Intrusion Prevention, and Web Reputation were enabled, the system sometimes crashed. SF03992370/SEG-100828/DS-60589
- After restarting Deep Security Virtual Appliance, protected VMs sometimes became inaccessible. SEG-94723/SF03949466/DS-58962
Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)
Release date: February 08, 2021
Build number: 20.0.0-1876
Resolved issues
- The Deep Security Agent was sometimes unable to establish an SSL connection to the web server. DS-59893
- Activity Monitoring data could not be transferred to XDR because a proxy connection was established without a relevant port. SEG-97519
Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)
Release date: January 20, 2021
Build number: 20.0.0-1822
New features
Enhanced platform support
- Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Amazon Linux 2 on AWS Graviton 2. The agent currently supports the Firewall, Intrusion Prevention, and Web Reputation protection modules. Other protection modules are coming soon.
Behavior Monitoring for Linux: This release adds support for Behavior Monitoring on the Linux platform.
Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)
Release date: January 04, 2021
Build number: 20.0.0-1681
Resolved issues
- A driver conflict was causing the Deep Security Agent to hang and require a reboot. SEG-94278/SF03941184/DS-59020
- If an error related to Secure Boot occurs, the user will no longer be blocked from installing the plugins and receive a "Secure Boot" error message on Deep Security Manager. Instead, an "engine is offline" error message will be displayed. Users can check "Secure Boot" entries in ds_agent.log for error details. DS-58374
- In the SecureBoot environment, the SUSE15 SP2 kernel module load failed with kernel version 5.3.18-24.37-default or later. SEG-93737/DS-58373
- Anti-Malware would sometimes restart before fully loading a new driver, causing the AM engine to be offline. DS-58475
Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)
Release date: December 07, 2020
Build number: 20.0.0-1559
New features
TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This will resolve issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.
Enhancements
- Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
- Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
- Enhanced memory usage to improve performance. DS-53012
- Anti-Malware on-demand scans did not function as expected. DS-58346
Resolved issues
- Deep Security Agent didn't detect Secure Boot state correctly. SEG-89042/03730368/DS-57014
- The error "scheduling while atomic" occurred because the dsa_filter caused a kernel panic. DS-56514
- Anti-Malware events didn't include file hashes in certain scenarios. SEG-91779/SF03818756/DS-57453
- The Anti-Malware driver showed warning messages during the initialization. SEG-92204/03784490/DS-57605
- After upgrading to Deep Security Agent 20.0.0-1194, the "Intrusion Prevention Rules Failed to Compile" and "Security Update Failed" errors sometimes incorrectly occurred. SEG-90503/03789013/DS-56904
- When Anti-Malware real-time scans were enabled, Rancher Kubernetes pods sometimes couldn't be terminated gracefully. SEG-87824/SF03695639/DS-58220
- When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
- Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
- Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688
Notice
In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:
[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate
The most likely root cause is that the agent cannot validate the certificate being presented to it by the manager. Pinning a trusted certificate is optional, so you can ignore this error if it doesn't apply to you. However, if you'd like to use a trusted certificate, follow the steps in Import a Deep Security Manager certificate chain issued by a public CA before activating the Deep Security Agent.
Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)
Release date: October 28, 2020
Build number: 20.0.0-1337
Resolved issues
- When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because of a compatibility issue with third-party security software. SF03700563/SEG-88135/DS-54799
- Secure boot appeared active when it was not. SEG-85550/DS-55052
Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)
Release date: October 21, 2020
Build number: 20.0.0-1304
Enhancements
- Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680
Resolved issues
- For agentless protected VMs, the settings under Policies > Intrusion Prevention > General > Recommendation were greyed out. DS-56665
- When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
- Real-time Anti-Malware with filesystem hooking enabled did not work on older kernel versions. SEG-82411/DS-54271
- Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
- Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
- The dsa_query command didn't display Anti-Malware patterns correctly. DS-55389
- The Anti-Malware driver did not check compatibility before loading into the kernel. SEG-88135
Action required: Customers participating in the Trend Micro XDR Activity Monitoring preview for Workload Security
This Deep Security Agent release includes required updates for the Trend Micro XDR Activity Monitoring preview. If you are currently participating in the preview, you must upgrade to Deep Security Agent 20.0.0-1304 (or a newer version) by November 16, 2020. If you do not upgrade to Deep Security Agent 20.0.0-1304 (or a newer version), Activity Monitoring data will stop being collected on November 16, 2020. For more information about XDR and Activity Monitoring, see Integrate Workload Security with XDR.
Deep Security Agent 20.0.0-1304 (and newer versions) uses a new network connection to send Activity Monitoring data to Trend Micro. The connection details can be found in Enable Activity Monitoring. Ensure that agent traffic to this destination is allowed so Activity Monitoring data can be sent to Trend Micro.
Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)
Release date: October 5, 2020
Build number: 20.0.0-1194
New features
Improved performance for real-time Anti-Malware scanning on Linux: Real-time Anti-Malware scans have been improved for Deep Security Agent on Linux, resulting in increased response time, faster processing, and reduced CPU usage. Previously, all files were scanned during read/write. Now, Anti-Malware scanning is more efficient and file scanning during write is deferred (the file is added to a queue and scanned in the background).
Differentiated platforms: Deep Security Manager can now distinguish between Red Hat and CentOS platforms and operations. DS-52682
Continued network scans: After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's network scans will now continue where they left off, without delay. This feature only applies if you are using NSX-T Data Center and guest machines are using a policy without network feature overrides. DS-50482
Enhancements
- Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
- Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061
- Ceph is now excluded from file system kernel hooking to prevent kernel panic. SEG-75664/SF03131718/DS-50298
- Recommendation Scans and Integrity Monitoring are now enabled for NSX-T environments. DS-50478
- Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800
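The base-directory matching change listed above (DS-52692), as an added example that is not Trend Micro's code: it contrasts a plain string-prefix check with a path-component check to show which paths a prefix rule over-matches. The function names and sample paths are constructed for illustration, and the normalization step is an assumption about how a monitor might canonicalize paths.

```python
import posixpath
from pathlib import PurePosixPath


def prefix_match(base_dir: str, path: str) -> bool:
    """Prefix-style rule: any path whose string starts with base_dir matches."""
    return path.startswith(base_dir)


def directory_match(base_dir: str, path: str) -> bool:
    """Directory-style rule: match only base_dir itself or entries beneath it.

    Paths are normalized lexically first (assumption), so "a/../b" and a
    trailing slash do not change the outcome. Symlinks are not resolved.
    """
    base = PurePosixPath(posixpath.normpath(base_dir))
    candidate = PurePosixPath(posixpath.normpath(path))
    return candidate == base or base in candidate.parents


# Constructed sample file-event paths for a rule with base directory /etc/app
SAMPLE_EVENTS = [
    "/etc/app/config.yml",
    "/etc/app/conf.d/10-local.yml",
    "/etc/app-backup/config.yml",         # sibling directory sharing the prefix
    "/etc/application.log",               # sibling file sharing the prefix
    "/etc/app/../app-backup/secret.key",  # leaves the base directory via ".."
    "/etc/app",
]


def over_matched(base_dir: str, events: list[str]) -> list[str]:
    """Return paths the prefix rule reports but the directory rule does not."""
    return [
        p for p in events
        if prefix_match(base_dir, p) and not directory_match(base_dir, p)
    ]


if __name__ == "__main__":
    for path in over_matched("/etc/app", SAMPLE_EVENTS):
        print("prefix rule only:", path)
```

Events for the over-matched paths are the ones that would disappear from a rule's output after moving from prefix matching to directory matching, so rules that relied on the old behaviour need an explicit entry for each sibling directory.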
Resolved issues
- Secure boot appeared active when it was not. DS-55052
- Deep Security Agent could not install any plugins with UEFI Secure Boot enabled. DS-54041
- After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
- The Anti-Malware engine on Deep Security Virtual Appliance went offline when the signer field in the Census server reply was empty. DS-49807
- Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
- Deep Security Agent on Linux would sometimes crash. SEG-76460/SF03218198/DS-50852
- Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
- The Deep Security Virtual Appliance did not detect the EICAR test file. SEG-71955/SF02955546/DS-49387
- Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocked in lock down mode. DS-50696
- The Anti-Malware driver caused a system hang on Linux platforms where autofs was used. DS-51926
- When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
- There was an upgrade issue with Deep Security Agent which would sometimes prevent the agent from going online if Integrity Monitoring or Log Inspection were enabled. DS-50672
- Kernel Panic occurred when Web Reputation, Firewall, or Intrusion Prevention were enabled. SEG-80201/DSSEG-5846/DS-52975
- When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
- When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. SEG-73893/DSSEG-5866/DS-53144
- When Deep Security real-time Anti-Malware was enabled on a Linux system, it caused a high amount of CPU usage. SEG-75739/DS-52976
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/DS-41233
Highest CVSS score: 4.4
Highest severity: Medium
Deep Security Agent 20 (long-term support release)
Release date: July 30, 2020
Build number: 20.0.0.877
New features
Enhanced platform support
- Ubuntu 20.04 (64-bit)
- Cloud Linux 8 (64-bit)
- Debian Linux 10 (64-bit)
- Oracle Linux 8 (64-bit)
- SUSE Linux Enterprise Server 15 (64-bit)
- Red Hat Enterprise Linux 8 (64-bit)
- CentOS 8 (64-bit)
SystemD support: SystemD is a Linux service manager that allows services to declare dependencies, which can enforce load and unload sequences of kernel modules and other services. See Linux systemd support for information about which platforms are supported. (DS-37395)
Secure Boot support: Deep Security Agent supports additional Linux operating systems with Secure Boot enabled. For details, see Linux Secure Boot support.
Improved security
Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.
Protect VMs in NSX-T environments: We have integrated the latest VMware Service Insertion and Guest Introspection technologies, which enable you to protect your guest VMs using Intrusion Prevention, Web Reputation, Firewall, Integrity Monitoring and recommendation scans on NSX-T hosts with agentless protection.
Seamless network protection: Deep Security Manager now sends guest VMs' network configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the network features during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments where the guest machine is using an assigned policy without network features overrides.
SELinux Support: Security-Enhanced Linux (SELinux) enforcing mode is supported on Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. Deep Security Agent is compatible with the default SELinux policies. Anti-Malware software such as ds_agent is required to run in an unconfined domain in order to protect the system. Any additional SELinux policy customization or configuration might be blocked or fail because of ds_agent.
SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.
Continuous Anti-Malware protection: Deep Security Manager now sends guest VMs' Anti-Malware real-time configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the Anti-Malware real-time feature during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments.
Improved management and quality
Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.
NSX-T Network Throughput improvement: By introducing the Data Plane Development Kit (DPDK), we've made the network throughput three times faster when compared with prior technology.
Upgrade to supported paths: The "upgrade on activation" feature will only upgrade the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the "upgrade on activation" feature will detect the newer version and complete the upgrade to the designated release.
Protection for AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, we will now create the computer outside of the account and allow the agent to activate.
Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported in this release. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?
Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been cancelled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.
Improved process exceptions: The process exception experience has been improved in the following ways:
- We've provided information about why process exclusion items are not functioning correctly so you can troubleshoot the issue and know which actions to take to resolve it.
- We've improved the process exception configuration workflow to make it more robust.
Enhancements
- Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
- Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
- Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
- Improved the Deep Security Agent activation experience in the following ways:
  - Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.
- After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's Anti-Malware real-time scans will now continue where they left off, without delay. This feature only applies to NSX-T environments.
- Increased the scan engine's URI path length limitation.
- Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
- Enhanced Linux real-time Anti-Malware performance when executing a Docker pull command.
- Improved the time it takes to auto-activate guest VMs protected by the Deep Security Virtual Appliance in an NSX-T environment. This feature requires Deep Security Manager FR 2019-12-12 or newer releases.
- Streamlined event management for improved agent performance.
- Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
- Enhanced the Malware Scan Failure event description to indicate the possible reason.
- Enhanced the Anti-Malware kernel level exclusion on Linux. File events coming from remote file systems won't be handled by Deep Security Agent anymore when Network Directory Scan is disabled.
- Added the ability to retrieve process and container information for Intrusion Prevention events, including process name, container ID, container name, image name, image digest and pod ID.
Resolved issues
- When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
- When Deep Security real-time Anti-Malware was enabled in Linux, it caused a high amount of CPU system usage. SEG-75739/SF03036857/DS-52976
- Ceph caused kernel panic. SEG-75664/SF03131718/DS-50298
- Deep Security Agent sometimes crashed. SEG-76460/SF03218198/DS-50852
- Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
- The Deep Security Virtual Appliance did not detect an EICAR file. SEG-71955/SF02955546/DS-49387
- Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocked in lock down mode. SEG-73174/DS-50696
- Deep Security Virtual Appliance sometimes went offline. (SEG-53294/DS-46728)
- The interface isolation feature was still on when Firewall was turned off. (SEG-32926/DS-27099)
- In a Red Hat Enterprise Linux 5 or 6 or a CentOS 5 or 6 environment, Integrity Monitoring events related to the following rule were displayed even if users or groups were not created or deleted: 1008720 - Users and Groups - Create and Delete Activity. (SEG-22509/DS-25250)
- Integrity Monitoring events showed an incorrect file path with Unicode encoding. (SEG-45239/DS-33911)
- Anti-Malware events displayed a blank file path with invalid Unicode encoding. (SEG-46912/DS-34011)
- Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash. (SF01423970/SEG-43481/DS-34436)
- Kernel panic occurred when dsa_filter.ko was obtaining network device's information. (SEG-50480/DS-35192)
- An SAP system with Java running in a Linux environment failed to start when Deep Security Scanner returned an error code without an error message. (SF01339187/SEG-38497/SEG-33163/DS-31330)
- Kernel panic occurred because of redirfs. (SF01137463/SEG-34751/DS-32182)
- Deep Security Anti-Malware caused the 'fusermount' process to fail when mounting the filesystem. (SF01531697/SEG-43146/DS-32753)
- Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. (SEG-39711/DS-32799)
- For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
- Deep Security Agent GSCH driver had an issue with another third-party file system. (SF01248702/SEG-44565/DS-33155)
- The "Environment Variable Overrides" for Deep Security Anti-Malware did not work in Linux. (SEG-43362/DS-31328)
- The Deep Security Agent process potentially crashed when detailed logging of SSL messages was enabled and output. (SF01745654/SEG-45832/DS-33007)
- When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. (SF01415702/SEG-42919/DS-33008)
- The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. (SF1939658/SEG-49191/DS-34222)
- Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DS-34022)
- The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. (SEG-50728/DS-35446)
- Deep Security Agent failed to install on Ubuntu 18.04. (SF01593513/SEG-43300/DS-37359)
- The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. (SF01526046/SF02159742/SEG-55453/DS-38812)
- Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. (SF02187371/SEG-56645/DS-39398)
- The agent operating system would sometimes crash when Firewall interface ignores were set. (SF01775560/SEG-49866/DS-39339)
- Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. (SF01804378/SEG-47425/DS-33690)
- Too many file open events were being processed in user mode, resulting in high CPU usage. (SF02179544/SEG-55745/DS-39638)
- The "mq_getattr: Bad file descriptor" error occurred while accessing the message queue when Deep Security real-time Anti-Malware was enabled. (SF02042265/SEG-52088/DS-39890)
- Linux kernel logs were flooded by Deep Security Anti-Malware driver. (SF02299406/SEG-57561/DS-41589)
- Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. (SF01780211/SEG-46616/DSSEG-3607)
- High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. (SF02179544/SEG-55745/DS-41142)
- Deep Security Agent real-time Anti-Malware scans didn't work with Debian 10 64-bit.
- When a guest VM was migrated between ESXi hosts frequently (using vMotion), sometimes the VM couldn't save the state file. This caused the guest to lose the protection of the Deep Security Virtual Appliance for several minutes after migration, until the VM was reactivated by Deep Security Manager automatically under the new ESXi server. (DSSEG-4341/DS-38221)
- When uninstalling Deep Security Agent in Linux, the uninstall log included a typo. (DSSEG-4139/DS-34504)
- Deep Security Anti-Malware detected sample malware files but did not automatically delete them. (SF02230778/SEG-55891/DS-40687)
- When the Deep Security Agent connected through a proxy to the Deep Security Manager on Deep Security as a Service, Identified Files could not be deleted. (SF01979829/SEG-51013/DS-37252)
- After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search X-Forwarded-For header after the header is parsed. (SEG-60728/DSSEG-5094)
- Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DSSEG-4995)
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. (VRTS-3704/VRTS-3176)
Highest CVSS Score: 7.8
Highest Severity: High
- Updated NGINX to 1.16.1 (DSSEG-4600)
- Updated to curl 7.67.0.
- Updated to openssl-1.0.2t.
- Updated JRE to the latest Java Update (8.0.241/8.43.0.6).
Kernel support
To see which Linux kernels are currently supported, see Linux kernel compatibility.
To view the Linux kernel support release history, see the Readme for Trend Micro (TM) Deep Security Agent 20.0 for Linux.
Known issues
- Autofs is currently not supported for use when real-time Anti-Malware is enabled. If autofs is used with real-time Anti-Malware enabled, some mountpoints will not be unmounted successfully. (SEG-58841)

Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)
Release date: September 26, 2023
Build number: 20.0.0-7943
Enhancements
- In order to display agent pattern updates properly, Deep Security Agent 20.0.0-7943+ requires Deep Security Manager 20.0.759+. SEG-190866/SEG-191017/DSA-1531
- New commands exist to get proxy information from the command line:
dsa_query -c GetProxyInfo
dsa_query -c GetProxyInfo details=true
DSA-864
- Web Reputation Service now supports the "Trend Micro Toolbar for Enterprise" browser extension for Microsoft Edge on Windows 10 (64-bit), Windows 11, Windows Server 2016, Windows Server 2019 and Windows Server 2022. DSA-1565
Resolved issues
- When Log Inspection was enabled, Deep Security Agent sometimes crashed on Windows Server 2019 systems. DS-77766
Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)
Release date: August 29, 2023
Build number: 20.0.0-7719
New features
New language support: Deep Security Agent now supports Polish and Czech.
Enhancements
- Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
- Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. (Agents configured as a Deep Security Relay still download all pattern updates.) DSA-1000
- The "blocking page" Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
- Deep Security Agent now triggers a security update automatically when the Anti-Malware Solution Platform (AMSP) service is ready. Previously, security updates could fail if triggered before the AMSP was ready, causing "Anti-Malware Engine Offline" and "Pattern Update on Agents/Appliances Failed" errors. DSA-1020
- Activity Monitoring now includes "hypersensitive mode" to provide improved MITRE coverage. DS-76971/DS-76972/DSA-797
Resolved issues
- Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
- Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
- When Anti-Malware was enabled, Deep Security Agent impacted the performance of some third-party applications. SEG-182065/DSA-790
- Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756
- Device Control blocked Windows Server Storage Area Network (SAN) drives that should have been allowed. SEG-178278/V1E-3895
- Network drivers failed to bind to the network interface automatically on some Azure VMs. DSA-1040
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7976/DSA-1386
Highest CVSS score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)
Release date: July 25, 2023
Build number: 20.0.0-7476
New features
Deep Security Agent Right-Click Scan: Deep Security Agent now allows users to trigger a manual scan from Windows File Explorer by right-clicking a file or folder and selecting Scan. (This feature is only available to Vision One Endpoint users and Cloud One Workload Security users at this time.)
Enhancements
- If anti-malware is offline because AMSP service was not installed correctly, Deep Security Agent now tries to reinstall AMSP when the agent service launches. DSSEG-7903/SEG-181443
- Updated the dsa-connect service to improve CPU performance. C1WS-12970
- Updated Deep Security Agent to support the Notifier Anti-Malware Protected Process Light (AM-PPL) service for Windows 10 desktop platforms. This requires Deep Security Manager 20.0.777+. DS-77160
- Improved Advanced TLS Traffic Inspection coverage for Windows Server 2012 R2, 2016, and 2019. SEG-182585/DSA-583
Resolved issues
- Smart Protection Servers would sometimes lose connectivity with Web Reputation Service. SF06423462/SEG-166651/DSSEG-7858
- The system sometimes crashed when Intrusion Prevention was enabled. SF06983729/SEG-184423/DSSEG-7907
- Deep Security Agent upgrades triggered from the Deep Security Manager console would fail on some system configurations, returning MSI error code 1601: Windows installer is not accessible. SEG-177789/DS-78084
- Deep Security Agent sometimes reported that the network module was disabled (Event ID 1013, Trend Micro LightWeight Driver failed to bind on all network interfaces) even if the module was enabled. SEG-184701/SEG-182649/DSA-686
- Updated Deep Security Agent to support systems using Dell MAC Address Passthrough. SEG-177651/DSA-455
Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)
Release date: June 28, 2023
Build number: 20.0.0-7303
Enhancements
- Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation (such as fe80:0:0:0:0:0:0:1/24 or fe80::01). SF04849178/SEG-122076/DS-67280
- Activity Monitoring events will now display the FQDN instead of the hostname. SF06709374/SEG-179186/C1WS-14644
- Web Reputation Service will now automatically monitor the port(s) used by the OS proxy configuration. DS-77233
- When a specific process is sending backup packets through an unencrypted connection, Intrusion Prevention will optimize the scan flow to reduce CPU impact. SF06456142/SEG-166877/DS-76500
Resolved issues
- The Windows Malicious Software Removal Tool (MSRT) installation could fail while Application Control is in maintenance mode. SF06446534/SEG-172729/DS-77094
- Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
- The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
- The Deep Security Agent upgrade would fail when specific features were enabled. SF06794868/SEG-177789/DS-78008
- Deep Security Agent sometimes crashed when it was unable to connect to Deep Security Manager using a proxy. DS-77786
- When Application Control was enabled, MSI file installations failed on some versions of Windows. SF06509811/SEG-170485/DS-76906
- Deep Security Relay 20.0.0-7119 failed to provide security and software updates when using the improved Relay. SF06935222/SEG-183184/DS-78201
- Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709
Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)
Release date: May 29, 2023
Build number: 20.0.0-7119
Enhancements
- Updated Deep Security Agent to reduce data usage when generating Activity Monitoring events or when operating while integrated with Trend Micro Vision One. DS-77622
- When Application Control is enabled, MSI file installations fail on some systems. SF06509811/SEG-170485/DS-76906
- Agent self-protection now secures the Advanced TLS inspection process (ds_nuagent), preventing local users with administrator privileges from stopping it. DS-74080
- Deep Security Agent 20.0.0-7119+ now supports FIPS mode for the dsa-connect service for Workload Security customers on Windows platforms that support FIPS mode as detailed here: Supported features by platform. C1WS-7467
Resolved issues
- Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
- After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453
- If Advanced TLS traffic inspection was enabled, rebooting the operating system sometimes caused Deep Security Agent to get stuck on the "stopping services" screen. SF06494167/SEG-170082/DS-76880
- The Deep Security Notifier service (ds_notifier) caused a memory leak during agent updates on some systems. SF06454240/SEG-167684/DSSEG-7863
Known issues
- Upgrading to Deep Security Agent version 20.0.0-6860, 20.0.0-6690, or 20.0.0-7119 using the Deep Security Manager console sometimes results in upgrade failure. After the upgrade failure, the Deep Security Agent service stops and may show "Agent Offline" from the manager console. For more details, see https://success.trendmicro.com/dcx/s/solution/000293284?language=en_U. SEG-177789, SEG-177748, SEG-178496, SEG-178742, SEG-177423, SEG-178470, SEG-178940, SEG-178956
Deep Security Agent - 20.0.0-6860 (20 LTS Update 2023-04-25)
Release date: April 25, 2023
Build number: 20.0.0-6860
Enhancements
- Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to ds_agent.ini. SF06664116/SEG-173848/DS-77182
Example proxy probing line in ds_agent.ini config file:
dsa.proxymanager.ProbeTimeoutInSec=120
- Made improvements to Deep Security Agent to prevent it from incorrectly sending "MQTT Connection Offline" warnings when the connection is online. SEG-171358/C1WS-12979
- Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840
- Updated Deep Security Agent to include path and PID (process ID) for Anti-Malware events. SF05682761/SEG-147452/DS-72909
- Deep Security Agent installer now prevents the agent from updating if it detects SHA-1 was used to sign the certificate on the agent installer. This prevents the agent from updating and becoming unresponsive, since Deep Security Agent 20.0.0-6313 and higher requires RSA-2048 and SHA-256. For more information on certificate upgrade, see Upgrade the Deep Security cryptographic algorithm. DS-76499
- Error messages from the Trend Micro Deep Security Notifier now provide more details when the on-demand scans fail. VO-2132
Resolved issues
- Deep Security Agent was unable to load the third-party libraries required to use Remote Shell, File Collection, or Network Isolation on the Windows 2008 platform. DS-75176
- Deep Security Agent would sometimes freeze on system startup, which caused the Windows Service Control Manager service to generate "service hung on starting" events (Event ID 7022). DS-77212
- When Anti-Malware Predictive Machine Learning was enabled, file operations initiated by PowerShell sometimes encountered sharing violations. SF05904706/SEG-150738/DSSEG-7695
- When Web Reputation Service was enabled, Deep Security Agent caused some systems to shut down unexpectedly. SF06680505/SEG-174730/DSSEG-7866
- Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8320/DSSEG-7865
Highest CVSS score: 2.9
Highest severity: Low
Deep Security Agent - 20.0.0-6690 (20 LTS Update 2023-03-29)
Release date: March 29, 2023
Build number: 20.0.0-6690
New features
Service Gateway: Deep Security Agent 20.0.0-6690+ with Deep Security Manager 20.0.741+ now supports the Service Gateway feature, providing forward proxy functionality.
Enhancements
- Deep Security Agent installation now performs a pre-check to verify if its operating system meets Azure Code Signing (ACS) requirements. For more information, see Trend Micro Server and Endpoint Protection Agent Minimum Windows Version Requirements. DS-75552
- Application Control now checks the execution of Microsoft Windows Control Panel Applet (.CPL) files. DS-74587
- Application Control now checks the execution of Microsoft Compiled HTML help (.CHM) files. DS-74828
- When an Application Control Trust Entities path rule uses a wildcard without specifying a filename, the wildcard will now apply to all files in any directory matching the rule's path. (Previously, the globstar (**) wildcard would apply to a path rule's directory and subdirectories, as opposed to the single star (*) wildcard which would only match within the path rule's directory.) DS-75133
- Web Reputation Service now includes OS platform metadata. DS-75453
- Deep Security Agent 20.0.0-6690+ now supports the Proxy Manager for Trend Micro Vision One (XDR) Threat Intelligence - User Defined Suspicious Object (UDSO). DS-75365
- Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (dsa-connect-X.log) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598
The logger supports an on-demand JSON config file (either dsa-connect.ini or dsa-connect.conf) with the following configurable options:
  - Debug: Enable the debug log messages (Default: false)
  - Count: Number of log files to generate (Default: 5)
  - Size: Maximum size of each log file in bytes (Default: 2097152)
Example config file:
{ "Debug": true, "Count": 5, "Size": 2097152 }
- The Web Reputation Service's Browser Extension now allows Trend Micro Toolbar for Chrome browser to inspect URLs for content scripts in all frames. DS-75387
- Anti-Malware events generated by the SAP Scanner now include file hashes. DS-75648/SEG-165491
Resolved issues
- Deep Security Agent events and module status changes sometimes failed to appear in the console. DS-46344/SEG-67100/SEG-101719/SEG-112311
- When Anti-Malware's "Enable network directory scan" option was enabled (Computer or Policy > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration > Advanced > Network Directory Scan), malware was detected but a corresponding event was not recorded in some cases. SF06198579/SEG-160763/DSSEG-7786
- When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
- Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
- When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
- Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
- Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
- Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
- Application Control now checks web browser execution of .HTML, .HTM, and .JS files. DS-75102
- When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
- A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
- Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
- Deep Security Agent Scanner (SAP) couldn't generate reports for files with one or more trailing dots (.) in their file name. SF06181341/SEG-166326/DS-76404
Known issues
- Deep Security Agent 20.0.0-6313+ is currently unable to load the third-party libraries required to use Remote Shell, File Collection, or Network Isolation on the Windows 2008 platform. If you need these three features on a Windows 2008 system, please avoid upgrading your agent. DS-75176
- Updating Deep Security Agent causes Deep Security Manager to show an unknown error event (ID: 740) on some systems. A future Deep Security Manager release will address this issue. For more details, see Unrecognized Agent\Appliance Error Event in Deep Security Manager (Event ID 1010 - 1013). DS-76813
Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)
Release date: January 31, 2023
Build number: 20.0.0-6313
New features
Windows 10 22H2 support: Deep Security Agent 20.0.0-6313+ with Deep Security Manager 20.0.716+ now supports Windows 10 22H2.
Enhancements
- Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676
To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
If you updated to Deep Security Agent 20.0.0-6313+ before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent (DSA) offline when OpenSSL 3 rejects certificate with SHA-1 algorithm.
- With Anti-Malware and Behavior Monitoring enabled, Deep Security Agent now monitors for suspicious behavior to improve protection against MITRE attack scenarios. This functionality requires Deep Security Manager 20.0.711+. DS-73644
- Updated Deep Security Agent to support the "Trend Micro Toolbar for Enterprise" Chrome browser extension, improving HTTPS protection for Web Reputation Service. DS-74870
Resolved issues
- When Application Control was enabled, Deep Security Agent's status sometimes became stuck at "Application Control Ruleset Update In Progress". DS-74627
- An issue with the TLS protocol record layer in Deep Security Agent caused some systems to crash. SF06297487/SEG-162236/DSSEG-7774
- Deep Security Agent sometimes caused file handle leaks when communicating with Deep Security Manager or agent command-line tools. DS-75111
- For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent will only show the final successful event. SF06207160/SEG-160085/DSSEG-7765
- With Web Reputation enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (_) entered in a command was replaced with a dash (-), and an uppercase Z was replaced with a lowercase z. DS-74335
Deep Security Agent - 20.0.0-5995 (20 LTS Update 2022-11-28)
Release date: November 28, 2022
Build number: 20.0.0-5995
New features
Windows 11 22H2 support: Deep Security Agent 20.0.0-5995+ with Deep Security Manager 20.0.711+ now supports Windows 11 22H2.
Enhancements
- Updated Deep Security Agent to support the "Trend Micro Toolbar for Enterprise," a Chrome browser extension that extends HTTPS protection for Web Reputation Service. This is only supported for Trend Micro Cloud One - Workload Security customers at this time. DS-74568
- Updated the Web Reputation Service to support multi-thread processing on the web browser extension, improving the query rate. DS-74098
- Updated Deep Security Agent to include the details of command line Behavior Monitoring violations in the console under Events & Reports > Events > Anti-Malware Events. DS-72866
Resolved issues
- A file handle leak in the Deep Security notifier (notifier.exe) caused high system memory usage. DS-74325
- In Workload Security, enabling OS proxy (by setting "Allow agents to apply OS proxy or direct connect when the configured proxy is inaccessible" to "Yes" from Administration > System Settings > Proxies) would cause Deep Security Agent to crash if the proxy data the agent needed was missing on the operating system side. SEG-158968/DS-75034
- With Activity Monitoring enabled, high message volume sometimes made the internal MQTT channel inaccessible. This caused Deep Security Agent errors (MQTT offline, hub is busy, cannot connect to dsa-connect) as well as Trend Micro Vision One connectivity loss and the inability to send telemetry. SEG-160263/SEG-161138/SEG-160116/SEG-159318/DS-74638
- While running Application Control in maintenance mode, executable files that should have been accessible were sometimes blocked due to a sharing violation. SF04922652/SEG-131710/DS-74592
- Application Control was unable to block scripts executed using GitBash shell (sh.exe). DS-73827
- With Activity Monitoring enabled, Deep Security Agent caused file handle leaks on some systems. DS-74301
- Deep Security Agent caused an outdated "Early Launch Anti-Malware Pattern" component to appear on the Security Updates page, causing the Security Update Status to be "Out-of-Date". This pattern was unused, which is why it always appeared as an outdated component. SEG-158345/DSSEG-7745
- Deep Security Agent sometimes allowed a higher access level than the one set by a user's group. For example, the "Users" group was able to modify files even if it had read-only access. SEG-157530/DSSEG-7737
- With Anti-Malware enabled, a Deep Security Agent driver caused some systems running Windows Server 2008 to crash. SF05926337/SEG-157388/DSSEG-7739
Deep Security Agent - 20.0.0-5810 (20 LTS Update 2022-10-27)
Release date: October 27, 2022
Build number: 20.0.0-5810
New features
Installed software reporting: Deep Security Agent now reports installed software with additional details from the Microsoft Windows Installer. This is currently only available to Trend Micro Cloud One Workload Security customers.
Enhancements
- Updated Deep Security Agent to include additional metadata (like UserAgent and Referrer) for Web Reputation Services. DS-72196
- Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
- Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085
Resolved issues
- With Anti-Malware Behavior Monitoring enabled, uninstalling or upgrading from Deep Security Agent 20.0.0-5761 caused some systems to crash. For more details see BSOD Encountered During Uninstall of Deep Security Agent 20.0.0-5761. DS-74322
- With Activity Monitoring enabled, Deep Security Agent caused file handle leaks on some systems. DS-74301
- With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483
- With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
- If the Deep Security Agent service stopped while running Application Control in Maintenance Mode, executable files created after the service stopped were not being auto-approved as intended. SF05961688/SEG-152045/DS-73570
- Software, if renamed or copied while Application Control had Maintenance Mode enabled, would remain authorized in the software inventory under its original filename or location. DS-74015
- Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807
- The TLS inspection support package failed to download on Deep Security Agents using Edge Relay. DS-73789
- While an Application Control inventory build is in progress, the agent would sometimes appear offline. DS-72189
Known issues
- After upgrading the Deep Security Agent 20.0.0-5761 to 20.0.0-5810 on Windows, a reboot is required to solve an issue that causes computers to crash. For more details including steps to work around the issue, please see https://success.trendmicro.com/dcx/s/solution/000291718?language=en_US. DS-74383
Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)
Release date: September 22, 2022
Build number: 20.0.0-5512
Enhancements
- Deep Security Agent now supports the automatic update of Advanced TLS Traffic Inspection as operating system libraries change (Computer or Policy > Settings > TLS Inspection Package Update). This requires Deep Security Manager 20.0.677+. DS-72828
Resolved issues
- Integrity Monitoring events (Events & Reports > Integrity Monitoring) were created with "N/A" displayed in the KEY and TYPE columns. SF05533287/SEG-139293/DS-71899
- Updating Deep Security Agent and removing the expired TLS session key caused some systems to crash. SF06007238/SEG-153175/DS-73404
- With Anti-Malware enabled, some computers froze in a "Security Update In Progress" state. SF05106626/SEG-129777/DSSEG-7500
- With Deep Security Agent self-protection enabled, enabling or disabling Advanced TLS inspection service caused "Event ID 7006" in the Windows Service Control Manager. DS-73305
- Deep Security Agent reported host metadata in an unexpected format. DS-73411
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8100/VRTS-8101/DS-73087/DS-72528
Highest CVSS score: 7.0
Highest severity: High
Known issues
- With Activity Monitoring enabled, Deep Security Agent encountered a resource leak that caused system crashes, high memory usage affecting other applications, and agent connectivity issues leading to large numbers of reconnect attempts. SEG-154142/SEG-155126/SEG-156653/SEG-157277/SEG-156052/SEG-157254/SEG-156483
Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)
Release date: August 29, 2022
Build number: 20.0.0-5394
Enhancements
- Application Control now detects software changes for executables with non-executable extensions. DS-70805
- Added SYSTEM user network drives and mount points for Windows to the information collected when generating a diagnostics package. DS-71816
- Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
- Updated Deep Security Agent so Application Control will automatically authorize test PowerShell scripts created by AppLocker. DS-71762
- Behavior Monitoring exclusions now support wildcard characters. DS-71976
- Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833
Resolved issues
- When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
- Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
- When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
- When Behavior Monitoring is enabled, Deep Security Agent would sometimes prevent Docker on Windows from starting. SF05709278/SEG-146323/DSSEG-7660
- Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
- When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
- Deep Security Agent would sometimes retrieve incorrect PID information on Windows for connection metrics and log events. DS-72526
- Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
- Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
- When Anti-Malware accessed files on a Cluster Shared Volume, the Hyper-V host would crash. SF05713918/SF05850687/SEG-146660/SEG-148664/DSSEG-7664
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699
- Deep Security Agent 20.0.0-5137+ is unable to load the third-party libraries needed for Activity Monitoring on Windows 2008 platform. If you need Activity Monitoring for a Windows 2008 system, please avoid upgrading your agent. (This issue will be fixed in a future release.) DS-72573
Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)
Release date: July 26, 2022
Build number: 20.0.0-5137
New features
Advanced TLS Traffic Inspection: Deep Security Agent 20.0.0-5137+ adds Advanced TLS Traffic Inspection support to platforms that run system updates or package updates. Please note that this feature is currently only supported for Trend Micro – Cloud One Workload Security. Support for Deep Security Manager (On-Premise) will be added later.
Enhancements
- Deep Security Agent 20.0.5137+ for Windows will use an additional certificate: "Microsoft Identity Verification Root Certificate Authority 2020". For details, see the following article: https://success.trendmicro.com/dcx/s/solution/1104241-Updating-the-VeriSign-DigiCert-USERTrust-RSA-certificate-on-Deep-Security-and-Cloud-One-Workload-Security?language=en_US. DS-72711
- Deep Security Agent Scanner (SAP) now generates infection reports with additional details. DS-71660
- Updated Deep Security Agent to improve the "zero-config" SSL process for outbound connections. DS-70715
- Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar (**), which matches many subdirectories. Single star (*) now only matches within your current directory. Existing rules that used a single star (*) to match many folders will no longer work and will need to be changed to use a globstar (**). DS-71817
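The following is an added example, not Trend Micro code: a Python model of the wildcard semantics described in the Trust Entities enhancement above, used to find trust rules whose coverage shrinks once a single star stops spanning folders. It assumes case-insensitive Windows paths and a simplified matcher; the rules and paths are constructed samples, and release 20.0.0-6690 later changed how rules without a filename are handled.

```python
import re

# Constructed sample data (not taken from any real policy or host).
SAMPLE_RULES = [
    r"C:\Program Files\Vendor\*",
    r"C:\Program Files\Vendor\**",
    r"C:\Build\*\bin\tool.exe",
]
SAMPLE_PATHS = [
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Program Files\Vendor\plugins\x64\helper.dll",
    r"C:\Build\agent1\bin\tool.exe",
    r"C:\Build\agent1\stage\bin\tool.exe",
]

SEP = r"[\\/]"       # either path separator
NOT_SEP = r"[^\\/]"  # any character that stays inside one directory level


def rule_to_regex(rule, star_crosses_dirs):
    """Translate a path rule into a regex.

    star_crosses_dirs=True  models the older behaviour implied by the note
                            (a single star could match many folders).
    star_crosses_dirs=False models the behaviour described for 20.0.0-5137+
                            (a single star stays within one directory).
    The globstar (**) spans subdirectories in both models.
    """
    parts = []
    i = 0
    while i < len(rule):
        if rule.startswith("**", i):
            parts.append(".*")
            i += 2
        elif rule[i] == "*":
            parts.append(".*" if star_crosses_dirs else NOT_SEP + "*")
            i += 1
        elif rule[i] in "\\/":
            parts.append(SEP)
            i += 1
        else:
            parts.append(re.escape(rule[i]))
            i += 1
    # Assumption: Windows paths are compared case-insensitively.
    return re.compile("".join(parts), re.IGNORECASE)


def matches(rule, path, star_crosses_dirs=False):
    """True when the whole path is covered by the rule."""
    return rule_to_regex(rule, star_crosses_dirs).fullmatch(path) is not None


def audit(rules, paths):
    """Return {rule: [paths covered before but not after the change]}."""
    findings = {}
    for rule in rules:
        lost = [p for p in paths
                if matches(rule, p, True) and not matches(rule, p, False)]
        if lost:
            findings[rule] = lost
    return findings


def suggest_globstar(rule):
    """Rewrite each lone single star as a globstar, leaving ** untouched."""
    return re.sub(r"(?<!\*)\*(?!\*)", "**", rule)


if __name__ == "__main__":
    for rule, lost in audit(SAMPLE_RULES, SAMPLE_PATHS).items():
        print("Rule loses coverage:", rule)
        for path in lost:
            print("   no longer matched:", path)
        print("   candidate rewrite:", suggest_globstar(rule))
```

Review each suggested rewrite before applying it, since a globstar widens what the rule trusts.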
Resolved issues
- With Anti-Malware enabled, Deep Security Agent had a driver conflict causing some third-party applications to freeze. SF05570686/SEG-140749/DSSEG-7650
- Deep Security Agent's Scanner (SAP) library install sometimes failed because required certificates on hosts were outdated. DS-71917
- Deep Security Agent SAP scanner could not detect the MIME (.TTF) files. DS-55897
- Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7102/VRTS-7070/VRTS-7041/VRTS-7039/DSSEG-7636
Highest CVSS score: 4.4
Highest severity: Medium
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699
- Deep Security Agent 20.0.0-5137 is unable to load the third-party libraries needed for Activity Monitoring on Windows 2008. If you need Activity Monitoring for a Windows 2008 system, please avoid upgrading to Deep Security Agent 20.0.0-5137. (This issue will be fixed in a future release.) DS-72573
Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)
Release date: July 4, 2022
Build number: 20.0.0-4959
Resolved issues
- Deep Security Agent caused increased CPU usage for systems running the WMI provider service (WmiPrvSE.exe). 05528968/SEG-142736/DS-71626
- Deep Security Agent Scanner (SAP) reports displayed .SAR files in the wrong order. DS-71651
- Deep Security Agent had a conflict preventing TMUMH drivers from loading (on Windows 11 and Windows 2022), and in some cases causing a system crash (affecting all Windows platforms). SEG-143164/DSSEG-7596
- Using the command line (dsa_control -b), Deep Security Relay failed to extract the bundle file required to update in a closed network environment. SF05715642/SEG-144571/DSSEG-7600
- With Log Inspection enabled, updates to Deep Security Agent 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
- When Anti-Malware is enabled alongside either Integrity Monitoring or Activity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
- With Anti-Malware enabled, Deep Security Agent generated "Anti-Malware Engine Offline" errors caused by service restarts following a software upgrade. SF05521775/SEG-144639/DSSEG-7615
- With Anti-Malware enabled, Deep Security Agent sometimes caused a system crash or high system memory usage, or failed to deliver event reports. SF05475742/SEG-142632/DSSEG-7626
- Updated Deep Security Agent to immediately report its status to Deep Security Manager when Application Control's maintenance mode is enabled on the agent. DS-71617
- Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7633/DS-71687
Highest CVSS score: 6.2
Highest severity: Medium
Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)
Release date: May 31, 2022
Build number: 20.0.0-4726
Enhancements
- Updated Deep Security Relay to record its status and other metrics for potential troubleshooting. DS-65763
Resolved issues
- Trust entities "allow by target" rules sometimes blocked processes they weren't intended to block. SF04922652/SEG-131710/DS-71060
- Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
- Updated Deep Security Relay to prevent Deep Security Agent from retrieving incomplete signature files for packages. SF05332854/SEG-134394/DS-71228
- Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
- An abnormal restart of Deep Security Agent sometimes led to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
- With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7090/DSSEG-7541/DS-52329
Highest CVSS score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)
Release date: April 28, 2022
Build number: 20.0.0-4416
Enhancements
- Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515
- Updated Deep Security Agent to support enabling the Anti-Malware module while Windows Defender is running in passive mode under some system configurations DS-69161. Currently this is only supported on systems running the following versions:
  - Defender (AM) product / engine versions:
    - AMProductVersion: 4.18.2202.4
    - AMEngineVersion: 1.1.18900.3
  - Windows server and desktop versions:
    - Windows Server 2016 and newer
    - Windows 10 x64 RS5 and newer
  - Deep Security Agent 20.0.0-4416+
Resolved issues
- Deep Security Agent generated multiple "Anti-malware Engine Offline" events during agent upgrades under some system configurations. SF04500910/SEG-129316/DSSEG-7458
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7132/DS-70518
Highest CVSS score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)
Release date: April 6, 2022
Build number: 20.0.0-4185
New features
Advanced TLS traffic inspection: Advanced TLS traffic inspection adds the capability for inspecting TLS traffic encrypted with modern ciphers, including Perfect Forward Secrecy (PFS). It also enhances virtual patching for HTTPS servers to help protect against vulnerabilities such as Log4j.
Enhancements
- Updated Deep Security Agent to properly execute Application Control settings for software changes made during a Windows upgrade. Previously, trust rules auto-authorizing software changes associated with a Windows upgrade would fail if Application Control was in lock down mode. DS-69579
- When certificates are missing for an Anti-Malware installation, Deep Security Agent now forwards the certificate details to Deep Security Manager. The specific certificates missing will appear in the manager under Events & Reports > System Events. DS-69074
Resolved issues
- Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
- Deep Security Agent created an "Application Control Engine Offline" error during agent upgrade, and an "Application Control Engine Online Again" message after upgrade completion. (An upgrade should not have triggered these events.) DS-69888
- Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
- Deep Security Agent sometimes consumed a high amount of system resources during policy updates. SEG-134417/DS-69810
Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)
Release date: March 1, 2022
Build number: 20.0.0-3964
New features
Threat Intelligence: Threat Intelligence (formerly known as "Connected Threat Defense") provides enhanced malware protection for new and emerging threats. For more information, visit Detect emerging threats using Threat Intelligence.
Enhancements
- Updated Deep Security Agent to exclude suspicious characters (such as $) found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989
Resolved issues
- Deep Security Agent accepted policy change parameters even if the self-protection password verification did not pass. SF05177188/SEG-129643/DS-69293
- Deep Security Agent sometimes went offline unexpectedly after activation. SEG-130280
- With Intrusion Prevention enabled, issues establishing an SSL connection caused "Unsupported SSL Version" events. SF04955719/SEG-127437/DS-68689
- Deep Security Agent was generating unexpected "Log File Delete Error" system events. DS-69641
- Deep Security Agent sometimes created unnecessary "User (Created/Deleted)" or "Group (Added/Removed/Updated)" events. DS-62413
Deep Security Agent - 20.0.0-3771 (20 LTS Update 2022-01-24)
Release date: January 26, 2022
Build number: 20.0.0-3771
New features
Zero config IPS inspection: Deep Security Agent adds the capability for Intrusion Prevention to inspect TLS encrypted traffic without manually importing certificates. This adds support for more cipher suites as well. This feature is being rolled out gradually for Windows platforms, beginning with Trend Micro Cloud One - Workload Security customers.
Windows 21H2 support: Deep Security Agent 20.0.0-3771+ now supports Windows 21H2.
Enhancements
- Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042
Resolved issues
- Pairing Deep Security Agent with a proxy failed on Windows 11 when the "http://" prefix was unexpectedly added to the proxy address. The prefix was added if the address was accessed from the LAN settings window (Control Panel > Network and Internet > Internet Options > Connections > LAN settings), and then the window was closed by selecting OK. DS-68568
- Deep Security Agent security update would fail and generate "AMSP" events if Anti-Malware was offline during the update. SF04696674/SEG-120215/DSSEG-7287
- Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
- Updated Deep Security Agent to enable "Write Defer Scan" by default for real-time Anti-Malware scanning, resulting in increased response time, faster processing, and reduced CPU usage. Previously, all files were scanned during read/write by default. Now, Anti-Malware file scanning during write is deferred (the file is added to a queue and scanned in the background). DS-66344
- With Smart Scan enabled, Deep Security Agent was downloading the full size pattern update file, instead of the incremental one it was expected to, during security updates. SEG-124937/DSSEG-7317
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6187/DS-65070/DS-68180
Highest CVSS score: 9.1
Highest severity: High
Deep Security Agent - 20.0.0-3530 (20 LTS Update 2021-12-15)
Release date: December 15, 2021
Build number: 20.0.0-3530
New features
- OS proxy support: Deep Security Agent 20.0.0-3530+ for Windows can now apply proxy settings from the computer's OS to automatically connect to Trend Micro Cloud One - Workload Security, Deep Security Relay, and other Trend Micro backend services if the default agent-configured proxy loses its connection. This feature is only available to certain Workload Security customers at this time.
Important Notes
- Pairing Deep Security Agent with a proxy currently fails on Windows 11 when the "http://" prefix is unexpectedly added to the proxy address after accessing it (under Control Panel > Network and Internet > Internet Options > Connections > LAN settings) and then selecting OK to close the window. This issue will be fixed in a future release. DS-68568
Resolved issues
- With Smart Scan enabled, Deep Security Agent downloaded the full size pattern update file instead of the incremental one it was expected to during security updates. DSSEG-7317
Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)
Release date: November 24, 2021
Build number: 20.0.0-3445
New features
- Anti-Malware offline scheduled scan: Deep Security Agent 20.0.0-3445+ adds the offline scheduled scan feature, enabling Anti-Malware scheduled scans to run while an agent is not connected to Cloud One Workload Security. This feature is only available to certain Cloud One Workload Security customers at this time.
- Windows 11 support: Deep Security Agent 20.0.0-3445+ now supports Windows 11.
- Windows Server 2022 support: Deep Security Agent 20.0.0-3445+ now supports Windows Server 2022.
Enhancements
- Updated Deep Security Agent to allow the Deep Security Notifier to be locked on (when installed through the command prompt using msiexec /I "Notifier's installer name" LockAppSettingsDefault=1), preventing users from hiding notifications. DS-64527
- Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
- Deep Security Agent no longer uses CBC cipher suites by default in order to improve security. DS-67204
- Updated Deep Security Agent to support using the "process name" property in "ignore from source" rules for Application Control trust entities on Cloud One Workload Security. DS-67322
- Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347
Resolved issues
- With Anti-Malware enabled, Deep Security Agent caused connectivity issues for third-party software on some systems. SF04087024/SEG-125579/DSSEG-7321
- Deep Security Agent sometimes showed plugin installation failures during an upgrade even when the upgrade was successful. DS-67336
- When an expired certificate was removed from the host, the Anti-Malware plug-in update would fail, creating "Anti-Malware Component Update" events. SEG-117871/DS-66139
- If an Anti-Malware scan began before the module had completed its installation on Deep Security Agent, it could cause a system crash and "Anti-Malware Engine Offline" errors after a reboot. SEG-108355/DS-63721
- With Activity Monitoring enabled, Deep Security Agent sometimes crashed due to an issue with SQLite. 04958386/SEG-123752/DSSEG-7300
- Deep Security Agent couldn't properly handle SAP NetWeaver MIME type scan requests containing leading and trailing spaces. DS-67448
- When Integrity Monitoring rules using "UserSet" or "GroupSet" were enabled for a Deep Security Agent on Windows Active Directory Domain Controllers, excessive CPU and memory consumption would sometimes occur. Deep Security Agent 20.0.0-3445 blocks these types of Integrity Monitoring rules on Windows Active Directory domain controllers and generates an "Inapplicable Integrity Monitoring Rule" event. DS-65965
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6489/DSSEG-7210/DS-65113/VRTS-6207/DSSEG-7026
Highest CVSS score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)
Release date: October 28, 2021
Build number: 20.0.0-3288
New features
- Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Resolved issues
- On Deep Security Agent 20.0.0-3165, "Anti-Malware Component Update Failed" events were sometimes generated when computers performed security updates. This defect is now fixed in Deep Security Agent 20.0.0-3288. SF04937346/SEG-122765/DSSEG-7268
- With Intrusion Protection enabled, Deep Security Agent sometimes caused high CPU usage and sometimes caused the system to crash. DS-65902
- With Intrusion Protection enabled, Deep Security Agent caused the system to crash under some configurations. SF04931669/SEG-123338/DS-67441
- With SAP integrated and running, Deep Security Agent would block MP4 files. 04660120/SEG-117094/DSSEG-7254
- Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
- CPU usage would spike when Deep Security Agent queried the runtime status of the Anti-Malware component. DSSEG-7222
- Deep Security Agent did not always check that metadata was ready before initializing connection with the manager. DS-51103
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certificate Revocation List (CRL). DS-65056
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-46018/DSSEG-7210/DSSEG-7217
Highest CVSS score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)
Release date: October 08, 2021
Build number: 20.0.0-3165
Deep Security Agent 20.0.0.3165 has been released to Trend Micro Cloud One - Workload Security customers. However, it will not be made available on the Deep Security Agent software download page or released to customers using Deep Security Manager.
New features
- Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Resolved issues
- Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
- CPU usage would spike when Deep Security Agent queried the runtime status of the Anti-Malware component. DSSEG-7222
- Deep Security Agent did not always check that metadata was ready before initializing connection with the manager. DS-51103
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7210/DSSEG-7217
Highest CVSS score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-2921 (20 LTS Update 2021-08-30)
Release date: August 30, 2021
Build number: 20.0.0-2921
New features
Census feedback: Deep Security Agent 20.0.0-2921+ can now send census file feedback to the Smart Protection Network (SPN) if Trend Micro Smart Feedback is enabled (System Settings > Smart Feedback).
Enhancements
- Updated Deep Security Agent to detect the "HiveNightmare" exploit. DS-65217
Resolved issues
- With Application Control enabled, Deep Security Agent sometimes crashed when a .MSI file was launched. SF04647983/SEG-114894/DSSEG-7032
- Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
- Deep Security Agent sometimes failed to properly display items under Events & Reports. DSSEG-7057
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7046/DS-65668
Highest CVSS score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-2740 (20 LTS Update 2021-07-29)
Release date: July 29, 2021
Build number: 20.0.0-2740
Enhancements
- Updated Deep Security Agent to improve TLS traffic inspection. This feature is being rolled out gradually, beginning with Trend Micro Cloud One - Workload Security customers. DS-15576
- Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547
Resolved issues
- With Application Control enabled, files with ".tmp" extensions were creating a large number of "Application Control Software Changes Detected" events in the Deep Security Manager console. 04671615/SEG-115017/DS-65043
- Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
- Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
- Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
- Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
- With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. SF04613197/SEG-113566/DS-64050
Highest CVSS score: 9.8
Highest severity: High
Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)
Release date: July 01, 2021
Build number: 20.0.0-2593
Resolved issues
- Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
- The MQTT connection sometimes went offline when Deep Security Agent had Activity Monitoring enabled. SF04216172/SEG-101691/DS-63458
- Anti-Malware sometimes went offline after enabling Application Control on Deep Security Agent. SF04532752/SEG-110572/DS-63406
- Application Control was detecting multiple "Application Control Software Changes Detected" events due to ".tmp" files being generated by PowerShell. C1WS-1608
- Citrix Virtual App or Desktop users sometimes encountered a grey screen (with error code 1003/1005) when Anti-Malware was enabled for Deep Security Agent. DS-64318
- Anti-Malware sometimes caused high system CPU usage when the Windows WMI service accessed files repeatedly. SEG-109271/DSSEG-6983
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-5850/DS-54705
Highest CVSS score: 4.4
Highest severity: Medium
Deep Security Agent - 20.0.0-2419 (20 LTS Update 2021-06-02)
Release date: June 02, 2021
Build number: 20.0.0-2419
Resolved issues
- Deep Security Agent 20.0.0-2395 for Windows always displayed an "Out-of-Date" Security Update Status. This agent was removed from the Trend Micro Download Center. For more information see Removal of Deep Security Agent 20.0.0-2395 for Windows. SF04537047/SEG-110737/DS-63424
- Integrity Monitoring alerts sometimes triggered but then did not appear in the Events & Reports tab. 04266346/SEG-103731/DS-62992
- Items queued for Anti-Malware scan sometimes caused higher than normal Deep Security Agent CPU usage. DS-63106
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certificate Revocation List (CRL). DS-62154
- Insufficient host information caused by connectivity issues sometimes resulted in offline or duplicate listings in the Computers tab for Deep Security Agents on AWS workspaces. SF04198134/SEG-102818/DS-61666
- Deep Security Agent sometimes couldn't successfully perform an upgrade because of a missing package. SF04302125/SEG-104084/DS-62692
Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)
Release date: April 12, 2021
Build number: 20.0.0-2204
Resolved issues
- When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
- When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
- When Anti-Malware self-protection was enabled, sometimes third-party software could not be installed. SEG-101840/DSSEG-6694
- Behavior Monitoring exceptions sometimes did not work properly. SF03775351/SEG-89899/DSSEG-6718
- With Anti-Malware enabled, network transfer speeds slowed down significantly on some systems. SF04299217/SEG-103986/DSSEG-6780
- Anti-Malware Behavior Monitoring exceptions sometimes did not work properly. SF04259521/SEG-102792/DSSEG-6714
Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)
Release date: March 08, 2021
Build number: 20.0.0-2009
Enhancements
- Updated Deep Security Agent to include CPU information (number of logical cores) to improve diagnostics and performance tracking. DS-60011
Resolved issues
- The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
- Behavior Monitoring sometimes blocked a program without generating an event. SF03604820/SEG-86752/DS-60526
- When Anti-Malware was enabled, a high amount of CPU was used. SF04106889/SEG-99034/DS-60526
- Deep Security Agent sometimes crashed during an Anti-Malware manual scan. SEG-100231/DSSEG-6664
Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)
Release date: February 08, 2021
Build number: 20.0.0-1876
Resolved issues
- The Deep Security Agent sometimes crashed when running Intrusion Prevention in passive mode. DS-57497
- Activity Monitoring data could not be transferred to XDR because a proxy connection was established without a relevant port. SEG-97519
Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)
Release date: January 20, 2021
Build number: 20.0.0-1822
Resolved issues
- After a Windows update occurred, "Maintenance mode" for Application Control turned off automatically. SF03905860/SEG-93631/DS-58413
Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)
Release date: January 04, 2021
Build number: 20.0.0-1681
This release contains general improvements.
Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)
Release date: December 07, 2020
Build number: 20.0.0-1559
New features
Enhanced platform support
- Windows 10 20H2
Improved security
TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This will resolve issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.
Enhancements
- Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
- Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
- Enhanced memory usage to improve performance. DS-53012
- Deep Security Agent now supports custom actions for Behavior Monitoring and Predictive Machine Learning. DS-48081
Resolved issues
- When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
- Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
- Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688
Notice
In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:
[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate
The most likely root cause is that the agent cannot validate the certificate being presented to it by the manager. Pinning a trusted certificate is optional, so you can ignore this error if it doesn't apply to you. However, if you'd like to use a trusted certificate, follow the steps in Import a Deep Security Manager certificate chain issued by a public CA before activating the Deep Security Agent.
Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)
Release date: October 28, 2020
Build number: 20.0.0.1337
New features
Upgrade to supported paths: The "upgrade on activation" feature will only upgrade the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the "upgrade on activation" feature will detect the newer version and complete the upgrade to the designated release.
Enhancements
- Added various executable files as trusted installers so they are automatically recognized by Application Control. SF03568205/SEG-85141/DS-54884
- Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800/DS-51879
- Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
- Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680
Resolved issues
- In combined mode with agent-only and agent-preferred settings enabled, Deep Security Notifier sometimes turned the Antivirus status in the Windows action center on and off, which caused high CPU. DS-54799
- After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
- The Behavior Monitoring feature of Anti-Malware sometimes raised false alarms. DS-44974
- When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
- When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
- Deep Security Agent crashed unexpectedly because it was unable to detect the Docker engine version on Windows Servers. DS-29590
- Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
- There were detection issues with real-time Anti-Malware scans. DS-50286
- Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
- When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. DS-53144
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/DS-41233
Highest CVSS score: 4.4
Highest severity: Medium
Action required: Customers participating in the Trend Micro XDR Activity Monitoring preview for Workload Security
This Deep Security Agent release includes required updates for the Trend Micro XDR Activity Monitoring preview. If you are currently participating in the preview, you must upgrade to Deep Security Agent 20.0.0-1337 (or a newer version) by November 16, 2020. If you do not upgrade to Deep Security Agent 20.0.0-1337 (or a newer version), Activity Monitoring data will stop being collected on November 16, 2020. For more information about XDR and Activity Monitoring, see Integrate Workload Security with XDR.
Deep Security Agent 20.0.0-1337 (and newer versions) uses a new network connection to send Activity Monitoring data to Trend Micro. The connection details can be found in Enable Activity Monitoring. Ensure that agent traffic to this destination is allowed so Activity Monitoring data can be sent to Trend Micro.
Known issues
While the Deep Security Relay is upgrading co-located or independent relays, the alerts "Anti-Malware protection is absent or out of date" and "Security Update: Security Update Check and Download Failed (Agent/Appliance error)" might occur for up to 20 minutes or longer before they're automatically resolved and the respective alerts cleared. For any subsequent Deep Security Agent upgrades to succeed, please wait for the Deep Security Relay alerts to clear automatically. DS-54056
Deep Security Agent 20 (long-term support release)
Release date: July 30, 2020
Build number: 20.0.0.877
New features
Improved security
Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.
Protect AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, we will now create the computer outside of the account and allow the agent to activate.
SSL improvements: Deep Security supports handshake hello_request (RFC 5246) and Extension encrypt_then_mac (RFC 7366) in SSL inspection.
Improved quality and management
Reboot requirement removed for agent upgrade: Previously, there were several situations where a Windows server would require a reboot for a new agent to complete the upgrade. The need to reboot when upgrading from Deep Security Agent 11.0, 12.0, or 20.0 on any Windows operating system has been completely removed, so applications are not impacted as a result of upgrading Deep Security Agent.
Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.
Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported with Deep Security Manager FR 2020-04-30. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?
Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been canceled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.
Anti-Malware real-time file scan report: Deep Security has the ability to determine the top 10 files that are scanned by Anti-Malware real-time scan. This provides a starting point for performance evaluation and tuning, as you can use this information to set file exclusions and avoid unnecessary scans. The 'AmTopNScan.txt' file with the collected data can be generated using the following methods:
- By the command dsa_control --AmTopNScan
- By the diagnostic service
Improved process exceptions: The process exception experience has been improved in the following ways:
- We've provided information about why process exclusion items are not functioning correctly so you can troubleshoot the issue and know which actions to take to resolve it.
- We've improved the process exception configuration workflow to make it more robust.
Windows Event Channel for Log Inspection: Windows Event Channel logging provides a new option for tracking OS and Application logging for Windows platforms newer than Windows Vista. Event channels can be used to collect Log Inspection events which you can view later.
Enhancements
- Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
- Removed Integrity Monitoring and Application Control's dependency on Anti-Malware, so they no longer require Anti-Malware to be installed to function.
- Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
- Added support for agentless mode on vCloud connector for version 9.5 or later.
- Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.
- Enhanced the Malware Scan Failure event description to indicate the possible reason.
- Streamlined event management for improved agent performance.
- Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
- Added support for Deep Security Agent delayed upgrade to reduce the Anti-Malware offline issue after triggering an upgrade.
Resolved issues
- After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. (DS-49828)
- Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
- Deep Security Agent restarted unexpectedly because of the way Log Inspection was accessing the SQLite database. (DS-48395)
- The interface isolation feature stayed active when Firewall was turned off. (SEG-32926/DS-27099)
- Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. (DS-48916)
- Integrity Monitoring events showed an incorrect file path with Unicode encoding. (SEG-45239/DS-33911)
- The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. (SF02092464/SEG-53938/DS-38578)
- Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. (SEG-39711/DS-32799)
- For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
- Deep Security's Notifier.exe process caused high CPU usage. (SF01716752/SEG-45507/DS-33645)
- The "Smart Protection Server Disconnected for Smart Scan" alert did not automatically clear after the connection had been restored. (SF1609675/SEG-43574/DS-32947)
- In some cases, the Windows driver did not correctly release spinlock, causing the system to hang. (SF01990859/SEG-50709/DS-36066)
- The Deep Security Agent process sometimes crashed when detailed logging of SSL messages was enabled and output. (SF01745654/SEG-45832/DS-33007)
- When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. (SF01415702/SEG-42919/DS-33008)
- The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. (SF1939658/SEG-49191/DS-34222)
- Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DS-34022)
- The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. (SEG-50728/DS-35446)
- The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. (SF01526046/SF02159742/SEG-55453/DS-38812)
- Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app." error message in ds_agent.log. (SEG-21208/DS-33134/DS-21352)
- When the system region format was "Chinese (Traditional, Hong Kong SAR)", Deep Security Notifier displayed simplified Chinese instead of traditional Chinese. (SEG-48075/DS-34778)
- Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. (SF02187371/SEG-56645/DS-39398)
- Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. (SF01804378/SEG-47425/DS-33690)
- Too many file open events were being processed in user mode resulting in high CPU usage. (SF02179544/SEG-55745/DS-39638)
- The "Type" attribute wasn't displayed in Integrity Monitoring events when the default "STANDARD" attribute was set to monitor registry value changes. (SF02412251/SEG-59848/DS-41118)
- Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. (SF01780211/SEG-46616/DSSEG-3607)
- High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. (SF02179544/SEG-55745/DS-41142)
- The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. (SF02092464/SEG-53938/DS-39981)
- Deep Security failed to download security updates because of an outdated user agent string. (SF02043400/SEG-52069/DS-41316)
- When machines wrote document files to a file server, Anti-Malware needed to scan the files frequently, which caused other machines to fail to write the file because the file was being scanned. (SF01949194/SEG-49854/DS-40100)
- When Deep Security Agent scanned large files for viruses, it consumed a large amount of memory. (SF01572110/SEG-48704/DS-43114)
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. (VRTS-3704/VRTS-3176)
Highest CVSS Score: 7.8
Highest severity: High
- Updated NGINX to 1.16.1 (DSSEG-4600)
- Updated to curl 7.67.0.
- Updated to openssl-1.0.2t.
- Updated JRE to the latest Java Update (8.0.241/8.43.0.6).
Known issues
- After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error may occur. To work around this issue, right-click the affected computer and select Actions > Clear Warnings/Errors, then Send Policy.
- After upgrading the Deep Security Agent on Windows 2008, Anti-Malware may go offline. If this occurs, fully uninstall Deep Security Agent, reboot your server, then reinstall the agent.
Upgrade notice
- If you have Application Control enabled, there may be a temporary performance impact while your software inventory is automatically rebuilding. (DS-41775)

Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)
Release date: September 26, 2023
Build number: 20.0.0-7943
Enhancements
- New commands exist to get proxy information from the command line:
dsa_query -c GetProxyInfo
dsa_query -c GetProxyInfo details=true
DSA-864
Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)
Release date: August 29, 2023
Build number: 20.0.0-7719
Enhancements
- Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
- Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. (Agents configured as a Deep Security Relay still download all pattern updates.) DSA-1000
- The "blocking page" that Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
- Intrusion Prevention can now limit how many bytes are scanned for connections with a dynamic port number between 10001-65535. DS-78036
- Advanced Threat Scan Engine version has been updated to 22.6. DSA-453
Resolved issues
- Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
- Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
- Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756
Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)
Release date: July 25, 2023
Build number: 20.0.0-7476
Enhancements
- Updated the dsa-connect service to improve CPU performance. C1WS-12970
Resolved issues
- Deep Security Agent upgrades from 20.0.0.6313 to a newer version would sometimes fail, generating an "Abnormal Restart Detected" warning. SF06897730/SEG-180989/DS-78063
Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)
Release date: June 28, 2023
Build number: 20.0.0-7303
Enhancements
- Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation (such as fe80:0:0:0:0:0:0:1/24 or fe80::01). SF04849178/SEG-122076/DS-67280
- Activity Monitoring events will now display the FQDN instead of the hostname. SF06709374/SEG-179186/C1WS-14644
- Web Reputation Service will now automatically monitor the port(s) used by the OS proxy configuration. DS-77233
Resolved issues
- Deep Security Agents on AIX would sometimes crash when trying to upgrade to a new version. SF06643647/SEG-173140/DS-77359
- Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
- The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
- Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709
Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)
Release date: May 29, 2023
Build number: 20.0.0-7119
Enhancements
- Updated Deep Security Agent for Solaris to add an option to enable collecting interface latency metrics on Azure Data Explorer dashboards. DS-77025
Resolved issues
- MQTT connection credentials were entered in the Deep Security Agent log file (`ds_agent.log`) in certain scenarios. SEG-174560/C1WS-13282
- Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
- After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453
Deep Security Agent - 20.0.0-6912 (20 LTS Update 2023-05-02)
Release date: May 02, 2023
Build number: 20.0.0-6912
Enhancements
- Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to `ds_agent.ini`. SF06664116/SEG-173848/DS-77182
Example proxy probing line in the `ds_agent.ini` config file: `dsa.proxymanager.ProbeTimeoutInSec=120`
- Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840
Resolved issues
- Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896
- When Web Reputation Service was enabled, Deep Security Agent caused some systems to shut down unexpectedly. SF06680505/SEG-174730/DSSEG-7866
- Deep Security Agent sometimes crashed when shutting down after downloading new plugins from the relay. DS-76961
Deep Security Agent - 20.0.0-6658 (20 LTS Update 2023-03-22)
Release date: March 22, 2023
Build number: 20.0.0-6658
New features
Service Gateway: Deep Security Agent 20.0.0-6658+ with Deep Security Manager 20.0.741+ now supports the Service Gateway feature, providing forward proxy functionality.
Enhancements
- Web Reputation Service now includes OS platform metadata. DS-75453
- Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (`dsa-connect-X.log`) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598
The logger supports an on-demand JSON config file (either `dsa-connect.ini` or `dsa-connect.conf`) with the following configurable options:
- Debug: Enable the debug log messages (Default: false)
- Count: Number of log files to generate (Default: 5)
- Size: Maximum size of each log file in bytes (Default: 2097152)
Example config file:
{ "Debug": true, "Count": 5, "Size": 2097152 }
Resolved issues
- When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
- Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
- When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
- Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
- A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
- When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
- Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
- Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Scan Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
- Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)
Release date: January 31, 2023
Build number: 20.0.0-6313
Enhancements
- Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676
To prevent communication errors between the Deep Security Agent and Deep Security Manager, follow the instructions to Upgrade the Deep Security cryptographic algorithm.
If you updated to agent 20.0.0-6313+ before upgrading the cryptographic algorithms, follow the steps in Deep Security Agent (DSA) offline when OpenSSL 3 rejects certificate with SHA-1 algorithm.
Resolved issues
- Updated Deep Security Agent for AIX platforms to support Advanced Threat Scan Engine (ATSE) version 21.600. DS-75323
- For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent will only show the final successful event. SF06207160/SEG-160085/DSSEG-7765
- The Deep Security Agent log file (`ds-agent.log`) sometimes failed to rotate, causing it to use more disk space than intended. SF05306459/SEG-137003/DS-72899
- With Web Reputation enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (`_`) entered in a command was replaced with a dash (`-`), and an uppercase Z was replaced with a lowercase z. DS-74335
Deep Security Agent - 20.0.0-5953 (20 LTS Update 2022-11-22)
Release date: November 22, 2022
Build number: 20.0.0-5953
This release contains general improvements. Please note that this release only includes an agent for Solaris platforms.
Deep Security Agent - 20.0.0-5761 (20 LTS Update 2022-10-21)
Release date: October 21, 2022
Build number: 20.0.0-5761
Enhancements
- Updated Deep Security Agent to include additional metadata (like `UserAgent` and `Referrer`) for Web Reputation Services. DS-72196
- Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
- Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085
Resolved issues
- With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
- Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807
Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)
Release date: September 22, 2022
Build number: 20.0.0-5512
Enhancements
- Updated Deep Security Agent to add multi-thread support for On-Demand scan and Scheduled Scan. DS-72797/DS-72798
Resolved issues
- Deep Security Agent reported host metadata in an unexpected format. DS-73411
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8100/VRTS-8101/DS-73087/DS-72528
Highest CVSS score: 7.0
Highest severity: High
Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)
Release date: August 29, 2022
Build number: 20.0.0-5394
New features
AIX 7.3 support: Deep Security Agent 20.0.0-5394+ with Deep Security Manager 20.0.677+ now supports AIX 7.3.
Enhancements
- Application Control now detects software changes for executables with non executable extensions. DS-70805
- Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
- Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833
Resolved issues
- When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
- Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
- When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
- Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
- When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
- Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
- Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699
Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)
Release date: July 26, 2022
Build number: 20.0.0-5137
Enhancements
- Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar `**`, which matches many subdirectories. Single star `*` now only matches within your current directory. Existing rules that used a single star `*` to match many folders will no longer work and will need to be changed to use a globstar `**`. DS-71817
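Because the wildcard change in this item can silently narrow existing trust rules, the following added example (not Trend Micro code) models the old and new behaviour as the note describes them and reports which paths a rule stops matching. It assumes `**` spans directory separators and `*` does not; the rule patterns, paths and function names are constructed for illustration.

```python
import re

# Constructed sample data: hypothetical trust-rule path patterns and file paths.
SAMPLE_RULES = [
    "/opt/app/*/bin/tool",
    "/opt/app/*",
    "/opt/app/**/tool",
]
SAMPLE_PATHS = [
    "/opt/app/v1/bin/tool",
    "/opt/app/v1/plugins/x/bin/tool",
    "/opt/app/readme.txt",
]

# Assumption: both "/" and "\" count as directory separators.
_SEGMENT = r"[^/\\]*"  # any characters within a single directory level
_ANY = r".*"           # any characters, including separators


def _compile(pattern, star_crosses_dirs):
    """Translate a wildcard pattern into a regex under one of the two semantics."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(_ANY)          # globstar always spans directories
            i += 2
        elif pattern[i] == "*":
            parts.append(_ANY if star_crosses_dirs else _SEGMENT)
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def matches_old(pattern, path):
    """Pre-change model: a single star could match across many folders."""
    return _compile(pattern, True).fullmatch(path) is not None


def matches_new(pattern, path):
    """Post-change model: a single star stays inside one directory."""
    return _compile(pattern, False).fullmatch(path) is not None


def audit_rules(patterns, paths):
    """Map each pattern to the paths it matched before the change but not after."""
    report = {}
    for pattern in patterns:
        lost = [p for p in paths
                if matches_old(pattern, p) and not matches_new(pattern, p)]
        if lost:
            report[pattern] = lost
    return report


def suggest_globstar(pattern):
    """Rewrite each lone '*' as '**' to restore the old breadth.

    The result trusts everything the old rule did; review it before use,
    since a narrower rule is often the safer choice.
    """
    return re.sub(r"(?<!\*)\*(?!\*)", "**", pattern)


if __name__ == "__main__":
    for rule, lost in audit_rules(SAMPLE_RULES, SAMPLE_PATHS).items():
        print(f"{rule} no longer matches: {lost}")
        print(f"  candidate replacement: {suggest_globstar(rule)}")
```

Run it against an export of your own trust-rule paths and a file inventory to find rules that need review before upgrading agents.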
Resolved issues
- Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7102/VRTS-7070/VRTS-7041/VRTS-7039/DSSEG-7636
Highest CVSS score: 4.4
Highest severity: Medium
Known issues
- When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. (This issue will be fixed in a future release.) DS-72699
Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)
Release date: July 4, 2022
Build number: 20.0.0-4959
Resolved issues
- With Log Inspection enabled, upgrades to Deep Security Agent 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
- When Anti-Malware is enabled alongside either Integrity Monitoring or Activity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
- With Anti-Malware enabled, Deep Security Agent sometimes crashed operating systems that were undergoing an ISO backup. SF05532786/SEG-139280/DS-71299
- Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866
Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)
Release date: May 31, 2022
Build number: 20.0.0-4726
Resolved issues
- On AIX servers, when the `LIBPATH` or `LD_LIBRARY_PATH` environment variables for the system are defined, Deep Security Agent sometimes would not start. DS-70882
- Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
- Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
- An abnormal restart of Deep Security Agent sometimes led to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-52329
Highest CVSS score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)
Release date: April 28, 2022
Build number: 20.0.0-4416
Enhancements
- Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515
Resolved issues
- With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7132/DS-70518
Highest CVSS score: 7.5
Highest severity: High
Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)
Release date: April 6, 2022
Build number: 20.0.0-4185
Resolved issues
- Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
- Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
- Log Inspection was unable to parse system logs containing a single digit date format. SF04562942/SEG-115435/DS-69757
Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)
Release date: March 1, 2022
Build number: 20.0.0-3964
New features
Threat Intelligence: Threat Intelligence (formerly known as "Connected Threat Defense") provides enhanced malware protection for new and emerging threats. For more information, visit Detect emerging threats using Threat Intelligence.
Enhancements
- Updated Deep Security Agent to exclude suspicious characters (such as `$`) found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989
Deep Security Agent - 20.0.0-3770 (20 LTS Update 2022-01-24)
Release date: January 24, 2022
Build number: 20.0.0-3770
Enhancements
- Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042
Resolved issues
- Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-68180
Highest CVSS score: 9.1
Highest severity: High
Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)
Release date: November 24, 2021
Build number: 20.0.0-3445
Enhancements
- Updated Deep Security Agent to use TLS 1.2 strong cipher suite by default to improve security. The agent previously used the CBC cipher suite by default. DS-67204
- Updated Deep Security Agent to support using the "process name" property in "ignore from source" rules for Application Control trust entities on Cloud One Workload Security. DS-67322
- Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347
Resolved issues
- Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
- Deep Security Agent sometimes caused connectivity issues, high CPU usage, or the system to crash. SEG-120758/SEG-123885/DS-67291
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6489/DSSEG-7210/DS-65113
Highest CVSS score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)
Release date: October 28, 2021
Build number: 20.0.0-3288
New features
- Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Resolved issues
- Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
- Some customers encountered an issue when the run-time CPU number was larger than expected, which led to crashes. DS-65757
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certificate Revocation List (CRL). DS-65056
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-46018/DSSEG-7210/DSSEG-7217
Highest CVSS score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)
Release date: October 08, 2021
Build number: 20.0.0-3165
Deep Security Agent 20.0.0.3165 has been released to Trend Micro Cloud One - Workload Security customers. However, it will not be made available on the Deep Security Agent software download page or released to customers using Deep Security Manager.
New features
- Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
- Agent size requirements have increased, including a slightly larger installer package on most platforms.
- All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
- The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.
Resolved issues
- Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
- Some customers encountered an issue when the run-time CPU number was larger than expected, which led to crashes. DS-65757
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7210/DSSEG-7217
Highest CVSS score: 7.8
Highest severity: High
Deep Security Agent - 20.0.0-2921 (20 LTS Update 2021-08-30)
Release date: August 30, 2021
Build number: 20.0.0-2921
Resolved issues
- Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
- Deep Security Agent sometimes failed to properly display items under Events & Reports. DSSEG-7057
Deep Security Agent - 20.0.0-2740 (20 LTS Update 2021-07-29)
Release date: July 29, 2021
Build number: 20.0.0-2740
Enhancements
- Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547
Resolved issues
- Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
- Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
- Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
- Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
- With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
- With Integrity Monitoring enabled, Deep Security Manager caused high CPU usage on the authentication server for some systems. 04488319/SEG-110088/DS-63855
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. SF04613197/SEG-113566/DS-64050
Highest CVSS score: 9.8
Highest severity: High
Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)
Release date: July 01, 2021
Build number: 20.0.0-2593
Resolved issues
- Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
- Integrity Monitoring alerts sometimes triggered but did not appear in the Events & Reports tab. 04266346/SEG-103731/DS-62992
- Deep Security Agent failed to detect the correct platform under some configurations. 03804296/SEG-90864/DS-57809
- Application Control was detecting multiple "Application Control Software Changes Detected" events due to ".tmp" files being generated by PowerShell. C1WS-1608
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-5850/DS-54705
Highest CVSS score: 4.4
Highest severity: Medium
Deep Security Agent - 20.0.0-2395 (20 LTS Update 2021-05-24)
Release date: May 24, 2021
Build number: 20.0.0-2395
Enhancement
- Deep Security Agent 20.0.0-2395+ now supports Entrust Root Certificate Authority (G2) certificates. Non-G2 security certificates will expire on 2022/07/09. After that time, only agent 20.0.0-2395+ will have the latest Anti-Malware Smart Scan protection. DS-63010
Resolved issues
- Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certificate Revocation List (CRL). DS-62154
Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)
Release date: April 12, 2021
Build number: 20.0.0-2204
New feature
Enhanced platform support
- Anti-Malware support for AIX: Deep Security Agent 20.0.0-2204+ now supports Anti-Malware for AIX 6.1, AIX 7.1, and AIX 7.2.
Resolved issues
- With Anti-Malware enabled, Deep Security Agent sometimes caused "defunct processes" (processes that remain in the system process table after they've completed execution). SEG-104452/DS-61593
- When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
- When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)
Release date: March 08, 2021
Build number: 20.0.0-2009
Resolved issues
- The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)
Release date: February 08, 2021
Build number: 20.0.0-1876
Resolved issues
- Activity Monitoring data could not be transferred to XDR because a proxy connection was established without a relevant port. SEG-97519
Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)
Release date: January 20, 2021
Build number: 20.0.0-1822
New feature
Anti-Malware support for AIX: Deep Security Agent 20.0.0-1822+ now supports Anti-Malware for AIX 7.1 and 7.2.
Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)
Release date: January 04, 2021
Build number: 20.0.0-1681
This release contains general improvements.
Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)
Release date: December 07, 2020
Build number: 20.0.0-1559
New features
TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This will resolve issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.
Enhancements
- Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
- Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
- Enhanced memory usage to improve performance. DS-53012
Resolved issues
- On Solaris servers where Integrity Monitoring was enabled and the rule: "Unix - Monitor Processes Running From '/tmp' Directories (ATT&CK T1059)" was assigned, a rule compile error was generated that referenced an "Unsupported Feature in Integrity Monitoring Rule". DS-55884
- When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
- Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
- Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688
Notice
In this agent update there is a change to how the validation of the TLS certificate used for agent-manager communication is implemented. If you see the following warning during agent activation:
[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate
The most likely root cause is that the agent cannot validate the certificate being presented to it by the manager. Pinning a trusted certificate is optional, so you can ignore this error if it doesn't apply to you. However, if you'd like to use a trusted certificate, follow the steps in Import a Deep Security Manager certificate chain issued by a public CA before activating the Deep Security Agent.
Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)
Release date: October 28, 2020
Build number: 20.0.0.1337
Resolved issues
- When using Deep Security Agent on Solaris, the Integrity Monitoring port scanning feature did not work because the agent did not have access to information on the user ID under which a given port was opened. This prevented storage of any listening port information. The port scanning feature on Solaris agents has been modified to store the string "n/a" for the userid. This allows the remaining port information to be stored and used in the port scanning function. However, exclusions and inclusions based on User ID still do not function correctly because this information is not available. DS-53922
Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)
Release date: October 21, 2020
Build number: 20.0.0.1304
Enhancements
- Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680
Resolved issues
- Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions during security updates. SEG-82072/DS-54720
- Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)
Release date: October 5, 2020
Build number: 20.0.0.1194
Enhancements
- Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800
- Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061
Resolved issues
- Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
- Deep Security Agent crashed on Solaris 10 during upgrades. SEG-72634/SF02975849/DS-49295
- When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/DS-41233
Highest CVSS Score: 4.4
Highest severity: Medium
Deep Security Agent 20 (long-term support release)
Release date: July 30, 2020
Build number: 20.0.0.877
New features
Improved security
SSL improvements: Deep Security supports the handshake hello_request message (RFC 5246) and the encrypt_then_mac extension (RFC 7366) in SSL inspection.
Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.
Improved quality and management
Upgrade to supported paths: The "upgrade on activation" feature will only upgrade the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the "upgrade on activation" feature will detect the newer version and complete the upgrade to the designated release.
Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been canceled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.
Anti-Malware real-time file scan report: Deep Security has the ability to determine the top 10 files that are scanned by Anti-Malware real-time scan. This provides a starting point for performance evaluation and tuning, as you can use this information to set file exclusions and avoid unnecessary scans. The 'AmTopNScan.txt' file with the collected data can be generated using the following methods:
- By the command dsa_control --AmTopNScan
- By the diagnostic service
Improved process exceptions: The process exception experience has been improved in the following ways:
- We've provided information about why process exclusion items are not functioning correctly so you can troubleshoot the issue and know which actions to take to resolve it.
- We've improved the process exception configuration workflow to make it more robust.
Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.
Enhancements
- Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
- Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
- Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
- Increased the scan engine's URI path length limitation.
- Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
- Streamlined event management for improved agent performance.
- Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
Resolved issues
- After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. (DS-49828)
- Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
- The displayed packet header data contained redundant payload data. (DS-45792)
- Memory leaked during SSL decryption because of a flaw in the SSL processing. (SEG-68263/DS-44360)
- On specific Deep Security Agent servers the CPU usage spiked to 100% and pattern merges failed during the active update process. (SEG-66210/02711299/DS-46429)
- When a security update was triggered before Anti-Malware was ready, the security updates failed. (DS-36952)
- When real-time Integrity Monitoring was enabled with the rule "1002875: Unix Add/Remove Software" applied, the RPM database potentially locked. (SEG-67275/SF02663756/DS-48524)
- Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. (SEG-71825/SF03021819/DS-48916)
- Incorrect linking of certain libraries could lead to Deep Security Agent instability. (SEG-72958/03071960/DS-49324)
- Anti-Malware directory exclusion with wildcard didn't match subdirectories correctly. (SF03131855/SEG-74892/DS-50245)
- High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. (SF02179544/SEG-55745/DS-41142)
- Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. (SF01780211/SEG-46616/DSSEG-3607)
- Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. (SF01804378/SEG-47425/DS-33690)
- Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. (SF02187371/SEG-56645/DS-39398)
- The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. (SF01526046/SF02159742/SEG-55453/DS-38812)
- The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. (SEG-50728/DS-35446)
- Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DS-34022)
- The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. (SF1939658/SEG-49191/DS-34222)
- When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. (SF01415702/SEG-42919/DS-33008)
- For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
- Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. (SEG-39711/DS-32799)
- Integrity Monitoring events showed an incorrect file path with Unicode encoding. (SEG-45239/DS-33911)
- The interface isolation feature was still on when Firewall was turned off. (SEG-32926/DS-27099)
- After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search for the X-Forwarded-For header after the header is parsed. (SEG-60728/DS-42332)
- Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SEG-48728/SF01919585/DS-34022)
- On Solaris servers with clusters, the Deep Security Intrusion Prevention module would come under heavy load while inspecting the clusters' private traffic. The extra load caused latency issues, node evictions, and loss of synchronization events.
You can now configure the Packet Processing Engine on the agent to bypass traffic inspection on a specified interface. Where a specific interface on a computer is dedicated to cluster private traffic, this configuration can be used to bypass inspection of packets sent to and received from this interface. This results in faster packet processing on the bypassed interface and other interfaces.
Use of this configuration to bypass traffic inspection is a security risk. It is up to you to determine if the benefit of reduced latency outweighs the risk involved. It is also up to you to determine whether only the nodes in the cluster have access to the subnet whose interface is being bypassed.
To implement the bypass, do the following:
- Upgrade the Deep Security Agent to the latest build containing this fix.
- Create a file named "ds_filter.conf" under the /etc directory.
- Open the /etc/ds_filter.conf file.
- Add the MAC addresses of all NIC cards used for cluster communication, as follows:
MAC_EXCLUSIVE_LIST=XX:XX:XX:XX:XX:XX,XX:XX:XX:XX:XX:XX
- Save.
- Wait 60 seconds for your changes to take effect.
In the /etc/ds_filter.conf file:
- The MAC_EXCLUSIVE_LIST line must be the first line in the file.
- All letters in the MAC address must be uppercase.
- Leading zeros in each byte must be included.
Valid MAC_EXCLUSIVE_LIST:
MAC_EXCLUSIVE_LIST=0B:3A:12:F8:32:5E
MAC_EXCLUSIVE_LIST=0B:3A:12:F8:32:5E,6A:23:F0:0F:AB:34
Invalid MAC_EXCLUSIVE_LIST:
MAC_EXCLUSIVE_LIST=B:3A:12:F8:32:5E
MAC_EXCLUSIVE_LIST=0b:3a:12:F8:32:5e,6a:23:F0:0F:ab:34
MAC_EXCLUSIVE_LIST=0B:3A:12:F8:32:5E
If the MAC address is not valid, the interface will not be bypassed. If the exact string "MAC_EXCLUSIVE_LIST=" is not present at the beginning of the line, no interfaces will be bypassed. (DSSEG-4055)
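Because a malformed entry fails silently, the file can be checked against the rules above before the agent reads it. The following is an added example, not Trend Micro tooling: the function names check_mac and check_ds_filter_conf are hypothetical, and it assumes the conventional notation of six colon-separated bytes per address.

```shell
#!/bin/sh
# Added example: pre-flight check for /etc/ds_filter.conf (not vendor tooling).
# Assumption: each MAC is six two-digit hex bytes separated by colons.

# Character classes are spelled out so the match does not depend on locale.
HEX='[0123456789ABCDEF]'
BYTE="$HEX$HEX"

# check_mac ADDR: return 0 if ADDR obeys the documented rules, else print why.
check_mac() {
    case $1 in
        $BYTE:$BYTE:$BYTE:$BYTE:$BYTE:$BYTE) return 0 ;;
        *[abcdef]*)       echo "lowercase hex digit in '$1'" ;;
        ?:*|*:?:*|*:?)    echo "missing leading zero in '$1'" ;;
        *)                echo "malformed address '$1'" ;;
    esac
    return 1
}

# check_ds_filter_conf FILE: 0 = valid, 1 = would not bypass, 2 = unreadable.
check_ds_filter_conf() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    first=
    IFS= read -r first < "$1" || :   # tolerate a missing final newline
    # The directive must be the first line and start at column 1.
    case $first in
        MAC_EXCLUSIVE_LIST=?*) list=${first#MAC_EXCLUSIVE_LIST=} ;;
        *) echo "line 1 must begin with MAC_EXCLUSIVE_LIST="; return 1 ;;
    esac
    rc=0
    rest=$list,                      # sentinel comma simplifies the split
    while [ -n "$rest" ]; do
        mac=${rest%%,*}
        rest=${rest#*,}
        check_mac "$mac" || rc=1     # empty entries are reported as malformed
    done
    return $rc
}

# Stand-alone use: sh check_ds_filter.sh /etc/ds_filter.conf
if [ "$#" -gt 0 ]; then
    check_ds_filter_conf "$1"
fi
```

A non-zero exit status means at least one interface you intended to bypass would still be inspected, or that no bypass would be applied at all.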
Security updates
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. (VRTS-3704/VRTS-3176)
Highest CVSS Score: 7.8
Highest severity: High
- Updated NGINX to 1.16.1 (DSSEG-4600)
- Updated to curl 7.67.0.
- Updated to openssl-1.0.2t.
- Updated JRE to the latest Java Update (8.0.241/8.43.0.6).