Choose agentless vs. combined mode protection

If you are protecting virtual machines (VMs) you can install Deep Security Agent, just as you would for other types of computers. But in Deep Security 9.6 or later, there are two other ways to protect VMs:

  • Agentlessly (via virtual appliance), or
  • Mixture of agent-based and agentless ("combined mode")

Agentless protection

Anti-malware and Integrity Monitoring protection can be provided without installing Deep Security Agent. Instead, the VMware Tools driver installed on the VM can offload security processing to a Deep Security Virtual Appliance.

On Linux VMs, Deep Security Agent provides anti-malware protection, not the Deep Security Virtual Appliance.

In Deep Security 9.5 or earlier, to protect VMs without installing a Deep Security Agent, you would use the Deep Security Virtual Appliance and filter driver. The filter driver was installed on the ESXi server and was used to intercept network traffic at the hypervisor, and send it to the appliance. VMware does not support vShield (VMsafe-NET API driver) anymore, so the old driver is not supported by Deep Security 20, and must be removed.

Because agentless protection requires fast connectivity between the appliance and the computer you want to protect, don't use agentless if the computer is far from the appliance, on a remote ESXi server or another data center.

See also Deploy the appliance in a vCloud environment.

Combined mode

If you require other protection features that Deep Security Virtual Appliance doesn't support, you must install the Deep Security Agent on each of your VMs, but you can still use the Deep Security Virtual Appliance to provide some of the protection, which can improve performance. Both the appliance and agent used together is known as "combined mode".

With combined mode, the appliance provides the anti-malware and integrity monitoring. The Deep Security Agent provides other features.

Conversion of coordinated approach to combined mode

  • Coordinated approach — In Deep Security 9.5, if the agent on a VM was offline, protection features would be provided by the Deep Security Virtual Appliance instead as an alternative. However, it could not be configured separately for each feature.
  • Combined mode — In Deep Security 9.6, each protection feature was configurable to use either the agent or appliance. However, if the preferred protection source was offline, the computer didn't use the other alternative.

In Deep Security 10.0 and later, its "protection source" settings provide both behaviors:

  • whether each feature is provided by the agent or appliance
  • whether to use the agent or appliance alternative if the preferred protection is not available

So if you need behavior like the old coordinated approach, you might want to avoid upgrading to Deep Security 9.6, and instead upgrade from Deep Security 9.5 to Deep Security 10.0 and then to 12.

Choose an agent or appliance for each protection feature

If a computer could be protected by either an appliance or agent, you can select which will provide each protection feature.

Log inspection and application control do not have this setting. With current VMware integration technologies, Deep Security Virtual Appliance cannot provide those features.

To configure the protection source, import a VMware vCenter into Deep Security Manager, then in the Computer or Policy editorClosedYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details)., go to Settings > General.

For each protection module or group of protection modules, select either:

  • Appliance Only: Only the Deep Security Virtual Appliance will provide protection, even if there is an agent on the VM and the appliance is deactivated or removed.

    Don't use the appliance if you require the scanner (SAP). It requires Deep Security Agent anti-malware.
    When anti-malware is enabled on the agent, the agent downloads the Anti-malware Solution Platform (AMSP) and starts it as a service. If you do not want this, then from Anti-Malware, select Appliance Only. That way, even if the appliance is deactivated, the agent won't start the AMSP service.
  • Appliance Preferred: If there is an activated appliance on the ESXi server, it will provide the protection. But if the appliance is deactivated or removed, then the agent will provide protection instead.
  • Agent Only:Only the agent will provide protection, even if there is an activated appliance available.
  • Agent Preferred: If there is an activated agent on the VM, it will provide the protection. But if there is no activated agent, then the appliance will provide protection instead.

Enable combined mode in a vCloud Director environment with agent-initiated activation

When the hostname of a vCloud Director virtual machine is not resolvable from Deep Security Manager, use agent-initiated activation to enable combined mode. To enable combined mode on a vCloud Director virtual machine:

  1. Go to Computers, right-click on the target vCloud Director computer, and select Activate.
  2. Double-click the target vCloud Director computer, and select Settings > General in the pop-up window. Change the Communication Direction to Agent/Appliance Initiated.
  3. Install Deep Security Agent on the target vCloud Director computer, and activate the agent.