What's new in Deep Security Manager?

Deep Security Manager - 20.0.414 (20 LTS Update 2021-05-24)

Release date: May 24, 2021

Build number: 20.0.414

New Feature

Re-parent agents: Deep Security Manager now supports moving agents to Trend Micro Cloud One Workload Security using the new "MoveAgent" API command. This command automates the process of re-parenting an activated Deep Security Agent from its current on-premise manager to a Workload Security tenant. If re-parenting is unsuccessful, the agent will re-activate with its on-premise manager, retaining its previous configuration.

Due to feature differences between the Deep Security and Workload Security managers, move tasks may be refused to prevent unexpected behaviors. Customers should disable the following features before moving agents:

  • FIPS 140-2: Deep Security Manager will refuse move tasks if FIPS 140-2 support is enabled.
  • Deep Security Virtual Appliance: Computers protected by Deep Security Virtual Appliance (agentless or combined mode) will refuse move tasks.
  • SAP NetWeaver integration: Agents with SAP NetWeaver integration will accept move tasks. However, after being moved to Workload Security, the SAP NetWeaver integration will not be available until it is supported on Workload Security.


  • Updated Deep Security Manager to enhance the Identified Files download mechanism, including the ability to download from agent-initiated Deep Security Agents, and a new "File Status" field on identified files to indicate download progress. DS-60741

Resolved issues

  • Under some configurations an internal error prevented users from generating a Deep Security Compliance / Best Practice Report.SF04154114/SEG-99975/DS-60897
  • An account permissions issue sometimes caused Trend Micro Vision One registration to fail or display the wrong status (under Administration > System Settings > Trend Micro Vision One). DS-61893
  • Deep Security Manager sometimes had connectivity issues preventing computers from importing properly and preventing Deep Security Relays from activating or deactivating. DS-58417
  • Deep Security Manager sometimes incorrectly prevented users with an Auditor role from viewing Firewall Rules (Policies > Rules > Firewall Rules). SF04220398/SEG-102016/DS-60847
  • Deep Security Manager links to Japanese language content failed to load in setups using an air gapped Online Help package (Administration > Updates > Local). 04442246/SEG-108814/DS-63080

Deep Security Manager - 20.0.393 (20 LTS Update 2021-04-27)

Release date: April 27, 2021

Build number: 20.0.393


  • Updated Deep Security Manager to add a message to an event's description if the event is purged by one of the "Automatically delete Events older than" options (Administration > System Settings > Storage). DS-59349
  • Updated Deep Security Manager to increase the number of "Maximum TCP connections" (Computers > Computers > Details > Settings > Advanced) to 1000000 by default. DS-61032

Resolved issues

  • Deep Security Manager version upgrade sometimes failed when a key value contained special characters. SEG-99875/SF04106715/DS-60581
  • Anti-Malware Scheduled Scan was not working under some configurations. DS-54952
  • The Deep Security Manager console's load time was sometimes slower than normal when many policies existed and/or were assigned to roles. SEG-90429/SF03787758/DS-58871
  • The "Automatically delete Server Logs older than" setting (Administration > System Settings > Storage) appeared for tenants when it should have only appeared for the primary tenant. DS-58669
  • The "View Renewal Instructions" URL was broken in the License Properties menu (Administration > Licenses > View Details). SEG-104258/SF04308332/DS-61343
  • Deep Security Manager was sometimes unable to synchronize with AWS Connectors. SEG-102091/SF04198233/DSSEG-6726
  • Deep Security Manager was unable to validate credentials for some AWS connectors when their region data changed unexpectedly in the database. SEG-97924/DS-60541
  • Deep Security Manager was sometimes unable to access existing Real-Time Malware Scan Configurations (Policies > Common Objects > Other > Malware Scan Configurations). SEG-86700/SF03646616/DS-55577
  • A "Data Pruning" malfunction (Administration > System Settings > Storage) sometimes led to a large number of events, causing performance issues between the Deep Security Manager and database. SEG-97589/SF04073627/DS-61356
  • Deep Security Manager "System Event Reports" (Events & Reports > Generate Reports) were sometimes generated with data missing. DS-61752
  • Deep Security Manager was sometimes unable to generate a password protected "Single Report" or password protected "Scheduled Reports" (Events & Reports > Generate Reports). SEG-105241/SF04341549/DS-61718
  • Updating the password for an Azure Connector (Computers > Computers > right-click Azure Connector > Properties > Connection) sometimes didn't work, causing the account to lose its connection to Deep Security Manager. DS-60479
  • Deep Security Manager sometimes could not remove a vCenter Connector that had NSX installed. DS-61101
  • Deep Security Manager's "Anti-Malware Protection Status" widget (on the Dashboard) sometimes displayed incorrect information. SEG-103625/SF04271447/DS-61598
  • Application Control hours were not being calculated when generating a "Security Module Usage Cumulative Report" (Events & Reports > Generate Reports). SEG-100505/SF04174981/DS-60675

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-51780/DS-61318

Highest CVSS: 8.2

Highest severity: Medium

Deep Security Manager - 20.0.366 (20 LTS Update 2021-03-24)

Release date: March 24, 2021

Build number: 20.0.366

New Feature

Deploy Trend Micro Endpoint Basecamp for Trend Micro Vision One (XDR): After onboarding to Trend Micro Vision One (XDR), you can now select the checkbox for "Trend Micro Endpoint Basecamp Agent Deployment Script" (Support > Deployment Scripts) to automatically deploy it along with your Deep Security Agent on Linux or Windows platforms.


  • Updated Deep Security Manager to make error messages, and the action(s) required to troubleshoot them, clearer during Trend Micro Vision One (XDR) registration. DS-61057

Resolved issues

  • Deep Security Manager "System Event Reports" (Events & Reports > Generate Reports) sometimes had no data in the section for "Most Active Computers Ranked by Number of System Events." DS-28985
  • The "Malware scan Status" widget on the Dashboard sometimes displayed the wrong data. DS-57263
  • Deep Security Manager's "Security Updates Overview" (Administration > Updates > Security) sometimes showed "No Scheduled Task" even if there was one in Administration > Scheduled Tasks. SEG-97381/DS-60271
  • Entering certain terms in the Computers search field (in the Computers tab) would cause the search to fail and display an "Internal server error." SEG-98108/SF03976840/DS-60133
  • A user with "View-Only" privileges was able to make changes to Deep Security Manager's Application Control Ruleset actions. SEG-81133/03347924/DS-61041

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-61209/ VRTS-4382/03116764/DS-49429

Highest CVSS: 7.5

Highest severity: High

Deep Security Manager - 20.0.344 (20 LTS Update 2021-02-23)

Release date: February 23, 2021

Build number: 20.0.344


  • Updated Deep Security Manager's Anti-Malware default real-time scan exclusions to enhance performance. DS-55169
  • Updated Deep Security Manager UI to rename "Trend Micro XDR" as "Trend Micro Vision One." DS-60273
  • Updated Deep Security Manager to add deployment script support for CentOS 8 and RedHat 8. DS-60413
  • Updated Trend Micro Vision One tab "learn more" links to point to content based on the language of a user's locale (EN/JP). DS-60487
  • Updated the Deep Security Software page to fix some incorrect links. DS-60494
  • Updated Deep Security Manager to add "2 Days" as an option for the Inactive Agent Cleanup feature (Administration > Agents > Inactive Agent Cleanup). SEG-91358/SF03711833/DS-59591
  • Updated Deep Security Manager to improve vCenter connectivity when a Deep Security Agent's IP is unreachable, and when Manager-Initiated communication is enabled. DS-58526
  • Updated Deep Security Manager to add support for ports 32767-65535. SEG-98840/SF04119337/DS-60122
  • Updated the Deep Security Manager's XDR Basecamp (XBC) deployment script UI to provide a link to the latest platform support info on the online help center. DS-60206

Resolved issues

  • When a VM was managed through both the Computers > Add Active Directory and Add Azure Account options, issues with host updates and rehoming occurred. SEG-97266/SF03911224/DS-59853
  • Deep Security Manager's Anti-Malware Protection Status Widget (in the Dashboard tab) sometimes failed to display data. DS-48046
  • Deep Security Manager integration with an SAML identity provider sometimes failed if all roles didn't match the expected format. SEG-90158/SF03783432/DS-57687

Deep Security Manager - 20.0.321 (20 LTS Update 2021-01-26)

Release date: January 26, 2021

Build number: 20.0.321


  • Updated Deep Security Manager to display the correct deployment script when it is selected from the Platform drop-down menu (under Administration > System Settings > Trend Micro Vision One). DS-59825
  • Updated Deep Security Manager to support agentless mode for NSX-T on VMWare Cloud Director version 10.2 or later. DS-54044

Resolved issues

  • Running multiple "Check for Security Update" scheduled tasks at the same time sometimes resulted in updates being skipped. DS-59715

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-59917

Highest CVSS: 6.1

Highest severity: Medium

Deep Security Manager - 20.0.313 (20 LTS Update 2021-01-18)

Release date: January 18, 2021

Build number: 20.0.313

New Feature

Trend Micro Endpoint Basecamp Agent: Trend Micro Endpoint Basecamp (XBC) Agent integrates XDR tools and functionality into Deep Security, following Trend Micro Vision One onboarding. For more information see Integrate with Trend Micro Vision One (XDR) .


  • Updated vCenter to make changing an NSX Manager simpler by using the Remove NSX Manager button (Properties > NSX Manager) rather than editing the Manager Address: field. DS-58377
  • Updated the Deep Security Manager so that, by default, Trend Micro Vision One is enabled after the onboarding experience and after migrating to a paid license. DS-58788
  • Removed the News button from Deep Security Manager. For the latest news on product changes, see What's new? DS-58808
  • Aligned package naming for Deep Security Manager and Deep Security Agent on the Download Center. DS-56806
  • Updated Deep Security Manager to include the option to log Trend Micro Vision One issues (Administration > System Information > Diagnostic Logging...). DS-58533
  • Updated Deep Security Manager's "Default Real-Time Scan Configuration" (Computers > Details > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration) to enable Behavior Monitoring and Predictive Machine Learning by default. Newer Deep Security Agents (Windows agent and higher, and Linux agent 20.0.0-1822 and higher) will have "Use custom actions" set to "Pass" by default, and will log Anti-Malware Events. Older agents will have Behavior Monitoring and Predictive Machine turned off if their Possible Malware “action to take” is set to "Pass." DS-59282
  • Updated the Deep Security Manager to make Trend Micro Vision One related settings and features consistent after the onboarding. DS-58788
  • Updated the Deep Security Manager to improve "Search Computer API" and "List Computer API" performance. DS-56722

Resolved issues

  • When the Deep Security Manager installer detected at least 16 GB of RAM on the operating system, it was not automatically allocating 8 GB of RAM to the Java Virtual Machine as is recommended for best performance. SEG-87319/03645194/DS-55701
  • The Deep Security Manager was unable to communicate with agents in some environments, causing agent offline issues. SEG-86783/SF03637359/DS-56400
  • Anti-Malware Scan scheduled tasks that timed out sometimes restarted instead of triggering a "Scheduled Task Skipped" event as expected. DS-59252
  • The Deep Security Manager console command used to set a preferred IP address for Deep Security Agents with multiple IPs was sometimes not working, causing some agents to be unable to connect. DS-58878
  • Deep Security Manager version update install was failing under some configurations. SEG-95357/SF03988405/DS-59222
  • Deep Security Manager installed an incorrect version of the relay in some cases. DS-59634
  • The Deep Security license check for Trend Micro Vision One registration was sometimes failing. DS-59645
  • After changing the settings for a policy (Policies > Details > Settings > General), the "Reset all settings to Inherent" button did not work for "Automatically send Policy changes to computers" or "Perform ongoing Recommendation Scans." DS-56830
  • Links were sometimes not clickable in the "Computer status" widget of the Dashboard tab, and for "Agent/Appliance Upgrade Recommended (New Version Available)" alerts opened in the List View of the Alerts tab. DS-57968

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-33781/DS-58415/DS-58917/DS-51741/DS-59636

Highest CVSS: 9.8

Highest severity: Critical

Deep Security Manager - 20.0.262 (20 LTS Update 2020-11-26)

Release date: November 26, 2020

Build number: 20.0.262

New Features

Integrate with Trend Micro Vision One: Trend Micro Vision One applies effective expert analytics and global threat intelligence using data collected across multiple vectors - email, endpoints, servers, cloud workloads, and networks. For more information, see Integrate with Trend Micro Vision One (XDR) .

Custom actions for Behavior Monitoring and Machine Learning: This release provides the ability to specify custom actions for Behavior Monitoring and Predictive Machine Learning.


  • The "Computer Description" field for Smart Folders can be used as a search criteria. SEG-85288/DS-55034
  • Improved the Support > Contact Support form by pre-populating the Product field with the product you're currently using. C1C-1193
  • Added the Migrate an agentless solution from NSX-V to NSX-T Help Center article. DS-51619

Resolved issues

  • In the Smart Folder Editor, the computer type was listed as "Undefined" instead of "Physical computers". DS-32765
  • On the vCenter connector properties page, when a user clicked Remove NSX Manager and then re-registered the NSX-T manager, the network-related features displayed Not supported (NSX license limited). DS-56411
  • An internal server error occurred when AWS was added to a Smart Folders sub-folder with the Version condition selected. DS-50785
  • When Log Inspection or Intrusion Prevention rules were added, the Web Application Firewall sometimes blocked the page. DS-56448
  • The settings on Policies > Settings > Advanced could not be changed because the Inherited option could not be deselected. SEG-89996/C1WS-67

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-57603

Highest CVSS: 3.7

Highest severity: Low

Deep Security Manager 20.0.198 (20 LTS Update 2020-10-19)

Release date: October 19, 2020

Build number: 20.0.198


  • Enhanced the description of the "Activation Failed" event to specify why the event occurred. DS-29719

Resolved issues

  • If you installed standalone agents on VMware VMs, and then you subsequently added vCenter to Deep Security Manager, you would see duplicate computer records in the manager for one VM. DS-55316
  • The settings on Policies > Settings > Advanced could not be changed because the Inherited option could not be deselected. DS-56309
  • The Administration > Updates > Security page took a long time to load.

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-54102/DS-53674

CVSS Score: 6.5

Severity: Medium

Deep Security Manager 20.0.174 (20 LTS Update 2020-09-16)

Release date: September 16, 2020

Build number: 20.0.174

New features

Improved management and quality

Agent Version Report: The Agent Version Report has been created in order for you to view a summary of how many agents are using a specific agent version, the percentage of total agents each version is using and an overview of how many agents are online and how many are offline, all of which are broken down based on the Deep Security Agent's platform (OS). To generate the report, go to Events & Reports > Generate Reports > Single Report > New > Agent Version Report.

Azure Government improvement: Azure Government resources can be added through the Deep Security Manager Azure connector (Computers > Add > Add Azure Account). For more information, see How do I protect Azure Government instances?.

Database encryption: The process of encrypting the communication between Deep Security Manager and your database has been simplified. For more information, see Encrypt communication between the Deep Security Manager and the database.


  • Reduced the time it takes to validate GCP service accounts when changing your GCP Account Properties configuration. Previously, this took a long time when there were a large number of auto-generated GCP projects. SEG-81743/SF03452889/DS-53515
  • Updated the pager numbers, phone numbers and mobile numbers listed on the User Properties window (click your email at the top of the console and select User Properties) so they can be configured to exceed more than 30 digits.
  • Updated the "My User Summary" widget on the console and the "User and Contact Report" (Events & Reports > Generate Reports > Single Report) to reflect the logins that have occurred in the last 30 days. SEG-81216/03407489/DSSEG-5897
  • Added support for VMware Cloud Director (vCloud) 10.1.1 (with NSX-V only).
  • Improved the "Scheduled report sending failed" error message by adding a more thorough description. For more information, see Troubleshoot: Scheduled report sending failed. SEG-77886/03221276/DS-54615
  • Updated the New Malware Scan Configuration Properties (Policies > Common Objects > Malware Scans > New) default settings to match the default settings for the Default Malware Scan Configuration Properties.

Resolved issues

  • The Computer Status widget on Deep Security Manager's dashboard did not display the correct number of managed computers. DS-53294
  • The Deep Security Agent trusted certificates were not automatically renewed. SEG-79146/SF03240076/DS-52488
  • The "AWS Contract License Exceeded" alert sometimes occurred even though the number of protected computers did not exceed the limit. SEG-82932/SF03491496/DSSEG-5974
  • Imported VMs in vClouds were unable to activate. SEG-75542/03189161/DS-53447
  • The console sometimes showed the incorrect Log Inspection status. /DS-54630
  • Some Intrusion Prevention rules were designed to operate exclusively in "Detect Only" mode, however you were able to change their behavior on the policy and computer pages. DS-54667
  • An incorrect number of overrides were displayed on Computer/Policy Editor > Overrides. SEG-83802/03513073/DS-54710
  • There was a rights issue with Scheduled Tasks that caused incorrect behaviors to occur when creating them. SEG-78610/SF03320936/DS-53292
  • The MasterAdmin could not create a scheduled task for all computers. DS-55522
  • The "Ransomware Event History" widget on the dashboard displayed incorrect information. DS-55494

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. ( DS-52678 /DS-21167 /DS-53059)

Highest CVSS Score: 7.0

Highest severity: High


Red Hat Enterprise Linux 5 and 6 are no longer supported platforms for Deep Security Manager. For a list of supported Deep Security Manager platforms, see Deep Security Manager requirements.

Deep Security Manager 20 (long-term support release)

Release date: July 30, 2020

Build number: 20.0.60

Action required if you use cross-account roles to add AWS accounts to Deep Security using the API /rest/cloudaccounts/aws

To better align with AWS best practices and improve AWS account security, we have made a change to the process of adding a new AWS account into Deep Security using cross-account roles. Previously, when using a cross-account role for authentication, Deep Security required two pieces of information: a role ARN, and an external ID trusted by the role. This has now changed to a new process where Deep Security provides the external ID, and requires that the role provided has included this external ID in its IAM trust policy. This change provides stronger security in shared Deep Security environments, and ensures that strong external IDs are always used. For details on the new process of adding cross-account roles using manager-generated external ID, see Add an AWS account using a cross-account role.

Action Required:

Switch your external ID to a manager-generated one: Update the external ID.

If you're using cross-account roles with the API /rest/cloudaccounts/aws, see Action required if you are using cross-account roles with the API /rest/cloudaccounts/aws.

New features

Updated platform support

  • Red Hat Enterprise Linux 8 (64-bit)
  • Windows Server 2019 (64-bit)
  • Oracle 18 database support
  • Oracle 19c database support
  • PostgreSQL 11 database support
  • SQL Server 2019 database support

Google Cloud Platform: Google Cloud Platform (GCP) has been integrated with Deep Security. You can now view new GCP instances that come online or are removed, and which instances have protection. If you are using multiple clouds on-premise and in your data center, Deep Security can provide visibility for all of your environments. This feature is available for VMs that have Deep Security Agent 12.0 or later installed. For details, see Add a Google Cloud Platform account.

End of Support for Red Hat Enterprise Linux 6: Red Hat Enterprise Linux 6 is no longer a supported platform for Deep Security Manager. Please upgrade your operating system.

Improved Security

Protect VMs in NSX-T environments: We have integrated the latest VMware Service Insertion and Guest Introspection technologies which enables you to protect your guest VMs using Intrusion Prevention, Web Reputation, Firewall, Integrity Monitoring and recommendation scans on NSX-T hosts with agentless protection.

Seamless network protection for NSX-T environments: Deep Security Manager now sends guest VMs' network configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the network features during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments where the guest machine is using an assigned policy without network features overrides.

Continuous Anti-Malware protection for NSX-T environments: Deep Security Manager now sends guest VMs' Anti-Malware real-time configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the Anti-Malware real-time feature during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments.

Agent version control: Agent version control gives you and your security operations team control over the specific versions of the Deep Security Agent that can be used by features like deployment scripts and upgrade on activation. This provides increased control over the Deep Security Agent used in your environment. For more information, see Configure agent version control.

Improved management and quality

Differentiate between Red Hat and CentOS platforms: Deep Security Manager can distinguish between a Red Hat and CentOS platforms and operations.

Visibility, Protection, and Management on Google Cloud Platform (GCP)​:

  • VMs are organized into projects, which lets you easily see which GCP VMs are protected and which are not.​
  • Assign policies automatically based on the GCP Instance Labels, GCP Network Tags, and other instance attributes while auto-scaling up.
  • Group related GCP instances in Smart Folders based on the GCP instance labels, GCP network tags, and other instance attributes to simplify the management.

Automate Google and AWS accounts via REST API: As you move to more automated deployments, having APIs to perform common tasks becomes a greater requirement Deep Security provides REST APIs to allow you to automate the adding of both AWS and Google Cloud accounts into Deep Security.

Actionable recommendations for Anti-Malware issues: In order for you to understand what is happening in the Anti-Malware system, many Anti-Malware events have been updated to provide more details on why a cancellation or failure has occurred. These events can occur for manual, quick, or scheduled Anti-Malware scans.​ The enhanced detail is provided in the events with Deep Security Manager as well as provided through SIEM or AWS SNS.

NSX-T Network Throughput improvement: By introducing the Data Plane Development Kit (DPDK), we've made the network throughput three times faster when compared with prior technology, Raw Socket.

Search Cloud Instance Metadata: Added the ability to do a simple search or advanced search for Cloud Instance Metadata on the Computers page. This allows you to easily find workloads with specific labels, network tags, and more.

Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported in this release. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?

Upgrade on activation: Deep Security Manager now has options (Administration > System Settings > Agents > Automatically upgrade Linux/Windows agents on activation) that enable you to automatically upgrade the Deep Security Agent on Linux and Windows computers to the version specified in Administration > System Settings > Updates > Software > Agent Version Control when the agent is activated or reactivated. For details, refer to Automatically upgrade agents on activation.

Enhanced visibility of scheduled scan tasks and event based tasks: Scheduled scan tasks and event-based tasks have been improved by providing scan visibility as well as specific reasons for each uncompleted Anti-Malware scan and recommended actions to resolve the scan.

Reporting improvements to allow chargeback to cloud accounts: The Security Module Usage Report now includes the Cloud Account ID (AWS Account ID, Azure Subscription ID or GCP Project ID) for protected instances.

Multiple vCenters: You can add multiple vCenters in the Deep Security Manager, and associate them to the same NSX-T Data Center. An overwrite warning message is displayed if you are using NSX Data Center for vSphere (NSX-V), which does not support the use of multiple vCenters, or if the NSX-T Manager has being registered with another Deep Security Manager cluster.


UI improvements:

  • Added file hash values to Anti-Malware events that are exported to CSV (Events & Reports > Anti-Malware Export > Export to CSV). SEG-61890/SF02510024/DS-53441</p>
  • Updated the descriptions related to memory on the System Information page so they're more accurate and easier to understand.
  • Improved the description of Behavior Monitoring events by including the reason the event occurred.
  • Added a GCP Network Tag column to the Computers tab.
  • Added GCP information such as Instance ID, Labels, Network tags, and more, to Computer Editor > Overview > General.
  • Added the Cloud Instance Metadata field to the Computers page.
  • Added a progress bar to Administration > User Management > Roles > New > Computer Rights > Selected Computers to indicate the status of the computers list that's loading.
  • If there are a lot of agent events in a single heartbeat, they will be split into multiple "Event Retrieved" events.
  • Enhanced the Relay management experience by providing possible solutions for the "Empty Relay Group Assigned" alert in the alert's description and removing the relay count for tenants that are using the Primary Tenant Relay Group.
  • Added "Database Type" and "Database Server" columns to Administration > Tenants.
  • Added the "Kernel Unsupported" system event to indicate if your computer has been upgraded to an unsupported kernel.
  • Added a reason ID for the "Manual Malware Scan Cancellation complete" system event. The reason ID is displayed in REST API calls, SNS information and SIEM information.
  • Renamed the scheduled task "AWS Billing Usage Task" to "Metered Billing Usage Task" because the task now applies to both AWS and Azure billing.
  • Added the "TrendMicroDsPacketData" field to Firewall events that are syslog forwarded via the Deep Security Manager.
  • Added the Validate the signature on the agent installer checkbox on Support > Deployment Scripts. For more information, see Check digital signatures on software packages.
  • Improved the "License Changed" event description by specifying if the plan ID is for Azure Marketplace billing.
  • Renamed the Service Token setting to Data Source GUID on Administration > System Settings > Managed Detection and Response.
  • Added a "Agent GUID" column to the Computers page so you can search computers by the Agent GUID.
  • Included a search bar under Administration > Updates > Software > Local.
  • When creating a smart folder, you can now select "Version" as the filter criteria to filter computers based on their Agent version.
  • Added the ability to hide all empty AWS regions, VPCs, subnets, and directories, reducing clutter and increasing load speed on the Computers page.
  • Aggregated identical agent events in a single heartbeat under a single event.
  • Modernized the Policies > Lists > Port Lists page.
  • When creating a smart folder, you can now select "Task(s)" as the filter criteria, which filters for values displayed in the "Task(s)" column on the Computers page. For example, you could create a smart folder that lists all computers that contain "Scheduled Malware Scan Pending (Offline)" as the task. Additionally, if you are using the Deep Security API to search for computers, you can now search on the value of the tasks/agentTasks and tasks/applianceTasks fields.
  • Deep Security Manager now prevents you from importing duplicate Trusted Certificates.
  • Redesigned the Computers > Add Account synchronization scheduling to handle many more connectors per tenant, reduce idle thread time, and sync connectors with invalid credentials less frequently.
  • By default, the "My User Summary" widget on the Dashboard only displays information about sign-ins that have occurred within the last 24 hours.
  • You can choose not to send packet data back to the Deep Security Manager by going to Administration > Agents> Data Privacy and selecting No.
  • Deep Security Manager diagnostic packages have the ability to be encrypted. To encrypt your package and logs, go to Administration > Create Diagnostic Package > Enable AES 256 encryption and enter a password. Encrypted zips cannot be extracted using the default ZIP extraction tool available in Windows, it needs to be extracted by 3rd party tools like 7Zip, WinZip etc.
  • Redacted potentially sensitive information from the diagnostic packages and logs.

Event-based tasks:

  • Improved the capability of event-based tasks by adding support for GCP security automation with account name, labels, network tags and more in the task conditions.
  • Introduced "Cloud Vendor" in the event-based tasks conditions in order to limit a task's scope for a specific public vendor (for example, AWS or GCP).


  • Added the following command:
  • dsm_c -action changesetting -name com.trendmicro.ds.antimalware:settings.configuration.maxSelfExtractRTScanSizeMB -value 512

    When Deep Security Agent could not determine the type of the target file, the scan engine loaded the file to memory to identify if it was a self-extract file. If there were many of these large files, the scan engine consumed lots of memory. Using the command above, the file-size limitation is set to 512MB for loading target files. When the file-size exceeds the set limitation, the scan engine will skip this process and scan the file directly.

    To implement this enhancement:

    1. Run the command in Deep Security Manager to change the value in the database.
    2. Send the policy to your target Deep Security Agent to deploy the setting.
  • Added the ability for the Deep Security Administrator to hide unresolved recommendation scan results from the Intrusion Prevention, Integrity Monitoring and Log Inspection tab in the policy pages. To hide the unresolved recommendation scan results, use the following commands
  • Intrusion Prevention:

    dsm_c -action changesetting -name com.trendmicro.ds.network:settings.configuration.showUnresolvedRecommendationsInfoInPolicyPage -value false

    Integrity Monitoring:

    dsm_c -action changesetting -name com.trendmicro.ds.integrity:settings.configuration.showUnresolvedRecommendationsInfoInPolicyPage -value false

    Log Inspection:

    dsm_c -action changesetting -name com.trendmicro.ds.loginspection:settings.configuration.showUnresolvedRecommendationsInfoInPolicyPage -value false

Enhanced scheduled tasks:

  • Task enabled has been renamed to Enable task on the last screen of the Create Scheduled Task wizard
  • Synchronize cloud account now indicates it only supports vCloud and Azure connectors
  • Computer/group selection details now display in list view for Anti-Malware scans and Intrusion Prevention tasks

Virtual Appliance:

  • Added the ability to auto-activate guest VMs protected by the Deep Security Virtual Appliance in an NSX-T environment.
  • Added the "VMware NSX Policy Configuration Conflict" system event. This event is generated when Deep Security Manager detects that a NSX-T group is configured with different security policies for Endpoint Protection and Network Introspection (E-W).
  • Updated Deep Security Manager to allow vCloud accounts to be added even if the virtual machine hardware information is missing.
  • When you upgrade the Deep Security Virtual Appliance SVM in NSX-T Manager, Deep Security Manager will now detect that a new SVM is now protecting guest VMs, and will auto-activate those VMs after the upgrade.
  • Upgraded the vCloud Connector in Deep Security Manager supports vCloud 9.7 and vCloud 10.0.
  • Added the ability to sync Deep Security Manager policies to NSX-T environments.
  • Improved the experience when deleting vCenter Connectors with NSX-T Manager. Previously, you had to manually remove the NSX-T component as a service profile, endpoint rules and service deployments, or the vCenter deletion would fail.
  • Deep Security Manager can now connect to NSX-T Data Center using LDAP account credentials. Previously, only local NSX-T account credentials could be used.


  • When Anti-Malware actions fail, the results will be displayed in the Syslog result field.

Resolved issues

  • When the Hide Unlicensed modules option was selected on Administration > User Management > Users > customer's current account > Settings, all of the modules were hidden. SEG-77037/03228448/DS-51202
  • When the Alert on any Computer action was selected for Intrusion Prevention, Firewall, Integrity Monitoring or Log Inspection rules, the computers were not automatically updated with the new policy. SEG-66986/SF02684105/DSSEG-5201
  • Sometimes, you couldn't edit a smart folder. SEG-74078/SF03120830/DSSEG-5450
  • When the Alert on any Computer action was selected for Intrusion Prevention, Firewall, Integrity Monitoring or Log Inspection rules, the computers were not automatically updated with the new policy. DS-50216/SEG-77260
  • Anti-Malware events that were marked as "Pass" were not properly counted on the dashboard or under Anti-Malware events. DS-49364/SEG-70872
  • When an agent activated with no AWS metadata but then provided it on a later heartbeat, the cloud provider was not updated, which caused the computer to never be rehomed properly. DS-50713/SEG-77150
  • When you did an advanced search on the Computers page for Status Light > Equals > Managed [Green], then selected Export to CSV, the CSV file did not contain the listed computers. DS-49936/SEG-74140
  • Azure accounts could not be added in Azure Government regions because the login endpoint was changed. This only applies to Azure Marketplace deployments. DS-52399
  • After upgrading VMware ESX, you had to manually re-sync the vCenter to see the new platform information. DS-50053
  • For tenants, the Security Module Usage Report was only visible if you had access to the default "Full Access" role. (SEG-70494/SF02940195/DS-47492)
  • The sign-up page did not render properly in Internet Explorer. (SEG-73072/SF03075345/DS-48944)
  • When several emails with large bodies were queued, they were loaded all at once instead of in batches, which caused a large amount of memory to be used. (SEG-71863/SF03024164/DS-49833)
  • When the "Untagged" filter was selected on the dashboard, some widgets continued to display tagged items. (SEG-63290/SF02585007/DS-43795)
  • Tenants in a multi-tenant setup could move their relays to the primary tenant relay group. This would cause the relays to disappear from their 'Relay Management' page. Tenants are now prevented from moving their relays to the primary tenant relay group. (SEG-57715/02322762/DS-47509)
  • Performance issues occurred when there were 1,000s of requests to download the same SVG file because the file wasn't cached. (SEG-64280/DS-45002)
  • AIA hosts with the same Virtual UUID fail when "Activate a new Computer with the same name" was selected. (SEG-66346/02725330/DS-45423)
  • In some multi-tenant environments, you could not log in as a tenant. For more information, see https://success.trendmicro.com/solution/000238704. (SF02873892/SEG-68674/DS-46391)
  • When Integrity Monitoring was enabled but Anti-Malware was turned off, a warning message would appear indicating "Security Update: Pattern Update on Agents/Appliance Failed". (SEG-68454/SEG-67859/DS-32205)
  • In the Malware Scan configurations window, the content of the Advanced tab was displayed in the General tab. (SEG-64701/SF02657864/DS-44176)
  • Deep Security Manager had issues loading the computers trees on some pages when there were a lot of computers and folders. (SEG-58089/SF02345427/DS-44424)
  • AWS connectors sometimes failed to synchronize. (SEG-66472/DS-45029)
  • The column names in the CSV output of the "Security Module Usage Report" were partially misaligned with the data columns.(SEG-66717/SF02619240/DS-45130)
  • In the Malware Scan Configuration window (Computers/Policies > Anti-Malware > General > Manual Scan > Edit > Advanced and select Scan Compressed File) the Maximum number of files to extract setting could not be set to 0, meaning unlimited. (SEG-65997/02685854/DS-45081)
  • Deep Security Manager with PostgreSQL sometimes stopped forwarding events to AWS SNS. (SEG-67362/SF02798561/DS-45594)
  • When Deep Security Manager was deployed in an environment with a large number of hosts and protection rules, the manager would sometimes load data for all hosts, even if the user only requested data from some of the hosts. (SF02552257/SEG-62563/DS-43188)
  • When booting up, Deep Security Manager validates the database schema of the events tables. Logs always said that the schema was updated, even if no update was actually required. (DS-43196)
  • Active Directory synchronization sometimes would not finish. (SEG-52485/DS-38203)
  • When a custom Anti-Evasion posture was selected in a parent policy (in the policy editor Settings > Advanced > Network Engine Settings > Anti-Evasion Posture > select 'Custom'), that setting did not appear in the child policies. (SF02434648/SEG-60410/DS-41597)
  • On Linux systems, the default maximum number of the concurrent opened files did not meet Deep Security Manager's needs, resulting in the manager failing to acquire file handles. As a result, features in Deep Security Manager failed randomly and a "Too many open files" message appeared in logs. (SEG-59895/DS-43192)
  • The "Activity Overview" widget sometime displayed the incorrect database size. (SF02449882/SEG-63362/DS-43946)
  • When sorting the "Alert Configuration" page by the "ON" column, the number of alerts was sometimes incorrect. (SF02578797/SEG-63560/DS-43685)
  • Certain smart folder search criteria caused an IllegalStateException error. (SF02436019/SEG-60330/DS-41369)
  • The memory usage percentage display on the "Manager Node Status" dashboard widget did not match the last recorded system memory usage percentage. (SF02218013/SEG-55761/DS-39149)
  • In Deep Security Manager, under Policies > Intrusion Prevention Rules > Application Types > (select DNS client) > Properties > General, the Port setting would change to "Any" after any updates to the port list. (SEG-55634/DS-39444)
  • Reconnaissance alerts could not be disabled because the option was not available. (SEG-49907/DS-35122)
  • Some Azure Virtual Machine types categorized incorrectly. (SF01885266/SEG-48561/DS-33951)
  • Users of AWS Marketplace metered-billing would see an error reported in system events when the billing job was processed. (SF1899351/SEG-48580/DS-33955)
  • Integrity Monitoring detailed change and recommendation reports was not running against smart folders. (SF2056260/SEG-51781/DS-35886)
  • When the Computers page was grouped by status, it sometimes didn't display the correct total number of computers for each group. (SF01655622/SEG-44858/DS-37769)
  • When Deep Security Manager was connected to both a case-sensitive Microsoft SQL database and VMware NSX, the Deep Security Manager upgrade readiness check would sometimes fail and block the upgrade. (SF02060051/SEG-52044/DS-38405)
  • Scheduled task scans could be initiated by a user for computer groups that they do not have access to in their roles, which caused an error to occur. (SF02119582/SEG-53275/DS-38892)
  • Deep Security Agent sometimes went offline when duplicate virtual UUIDs were stored in the database. (SF01722554/SEG-41425/DS-39272)
  • False alerts regarding the license expiration were occasionally raised. (SF01484611/SEG-41437/DS-33831)
  • Using a local key secret containing the $ symbol stopped the upgrade or fresh install of Deep Security Manager. (SF02013831/SEG-57243/DS-39526)
  • Deep Security used an open source library called SIGAR that is no longer maintained or supported. This can cause applications to crash and other unintended issues in the future. (SF02184158/SEG-54629/DS-39394)
  • When an invalid or unresolvable SNMP server name was configured in Administration > System Settings > Event Forwarding > SNMP, it caused SIEM & SNS to also fail. (SF02339427/SEG-57996/DS-39865)
  • Forwarding events "via Deep Security Manager" with SIEM event forwarding would not work if the Deep Security Manager hostname was not obtained through DNS resolution. (SEG-50655/DS-37374)
  • The events exported via AWS SNS did not contain the HostOwnerID, which corresponds to the AWS Account ID. (SF02420860/SEG-59870/DS-41089)
  • In the computer or policy editor in Deep Security Manager, under Anti-Malware > General > Real-Time Scan > Schedule > Edit, the Assigned To tab was sometimes empty, even when the schedule was assigned correctly to computers and policies. (SF02374723/SEG-58761/DS-41036)

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. (DS-45446/DS-44955/DS-43627/DS-28754/DS-32322/DS-33833/DS-26068)

Highest CVSS score: 9.8

Highest Severity: Critical

  • Updated the JRE to the latest Java Update (8.0.241/
  • Updated third-party libraries used by Deep Security Manager. (DS-24214)
  • Upgraded Apache Tomcat to 8.5.53. (VRTS-4652)

Known issues

  • If you are using an Oracle database, this upgrade will take longer than usual due to a database schema change. For more information about Deep Security Manager upgrades, see Upgrade Deep Security Manager.
  • When a new Deep Security Virtual Appliance is deployed, the VM name is displayed as "Trend Micro_Custom - <version>", if you're using a local web server to store the Deep Security Virtual Appliance software package. This has no effect on the integrity of the appliance.
  • Due to issues discovered during internal testing with SQL 2008 we will now be blocking upgrades to Deep Security feature release when SQL 2008 is the Deep Security Manager database. Microsoft SQL Server 2008 is no longer supported by Microsoft and therefore is no longer being tested and supported for use as a database for the latest releases of Deep Security Manager. For more information from Microsoft please see End of support for SQL Server 2008 and SQL Server 2008 R2. For the full list of databases supported for use with Deep Security Manager please see Deep Security Manager requirements system requirements. (DS-36715)
  • The automatic removal of a vCenter account from Deep Security will fail if NSX-T is configured to have the same service chain bound to Deep Security and third-party services simultaneously. This problem occurs because the NSX-T API doesn't allow Deep Security to modify the service chain with its associated service profiles. To work around this issue, remove vCenter manually. For details, see Uninstall Deep Security from your NSX environment. DS-47944
  • Deep Security Manager no longer supports NSX-T Manager version 2.x. Upgrade your NSX-T Manager to version 3.0.0 or later. DS-50387