What's new in Deep Security Agent?

Linux

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021

Build number: 20.0.0-1822

New features

Enhanced platform support

Amazon Linux 2 (64-bit Arm): Deep Security Agent now supports Amazon Linux 2 on AWS Graviton2 Arm. The agent currently supports the Firewall, Intrusion Prevention, and Web Reputation protection modules. Other protection modules are coming soon.

Behavior Monitoring for Linux: This release adds support for Behavior Monitoring on the Linux platform.

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021

Build number: 20.0.0-1681

Resolved issues

A driver conflict was causing the Deep Security Agent to hang and require a reboot. SEG-94278/SF03941184/DS-59020
If an error related to Secure Boot occurs, the user will no longer be blocked from installing the plugins and receive a "Secure Boot" error message on Deep Security Manager. Instead, an "engine is offline" error message will be displayed. Users can check "Secure Boot" entries in ds_agent.log for error details. DS-58374
In the SecureBoot environment, the SUSE15 SP2 kernel module load failed with kernel version 5.3.18-24.37-default or later. SEG-93737/DS-58373
Anti-Malware would sometimes restart before fully loading a new driver, causing the AM engine to be offline. DS-58475

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020

Build number: 20.0.0-1559

New features

TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This will resolve issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.

Enhancements

Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
Enhanced memory usage to improve performance. DS-53012
Anti-Malware on-demand scans did not function as expected. DS-58346

Resolved issues

Deep Security Agent didn't detect Secure Boot state correctly. SEG-89042/03730368 /DS-57014
The error "scheduling while atomic" occurred because the dsa_filter caused kernel panic. DS-56514
Anti-Malware events didn't include file hashes in certain scenarios. SEG-91779/SF03818756/DS-57453
The Anti-Malware driver showed warning messages during the initialization. SEG-92204/03784490/DS-57605
After upgrading to Deep Security Agent 20.0.0-1194, the "Intrusion Prevention Rules Failed to Compile" and "Security Update Failed" errors sometimes incorrectly occurred. SEG-90503/03789013/DS-56904
When Anti-Malware real-time scans were enabled, Rancher Kubernetes pods sometimes couldn't be terminated gracefully. SEG-87824/SF03695639/DS-58220
When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
Application Security events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020

Build number: 20.0.0-1337

Resolved issues

When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because of a compatibility issue with third-party security software. SF03700563/SEG-88135/DS-54799
Secure boot appeared active when it was not. SEG-85550/DS-55052

Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)

Release date: October 21, 2020

Build number: 20.0.0-1304

Enhancements

Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

For agentless protected VMs, the settings under Policies > Intrusion Prevention > General > Recommendation were greyed out. DS-56665
When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
Real-time Anti-Malware with filesystem hooking enabled did not work on older kernel versions. SEG-82411/DS-54271
Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
The dsa_query command didn't display Anti-Malware patterns correctly. DS-55389
The Anti-Malware driver did not check compatibility before loading into the kernel. SEG-88135

Action required: Customers participating in the Trend Micro XDR Activity Monitoring preview for Workload Security

This Deep Security Agent release includes required updates for the Trend Micro XDR Activity Monitoring preview. If you are currently participating in the preview, you must upgrade to Deep Security Agent 20.0.0-1304 (or a newer version) by November 16, 2020. If you do not upgrade to Deep Security Agent 20.0.0-1304 (or a newer version), Activity Monitoring data will stop being collected on November 16, 2020. For more information about XDR and Activity Monitoring, see Integrate Workload Security with XDR.

Deep Security Agent 20.0.0-1304 (and newer versions) uses a new network connection to send Activity Monitoring data to Trend Micro. The connection details can be found in Enable Activity Monitoring. Ensure that agent traffic to this destination is allowed so Activity Monitoring data can be sent to Trend Micro.

Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)

Release date: October 5, 2020

Build number: 20.0.0-1194

New features

Improved performance for real-time Anti-Malware scanning on Linux: Real-time Anti-Malware scans have been improved for Deep Security Agent on Linux, resulting in increased response time, faster processing, and reduced CPU usage. Previously, all files were scanned during read/write. Now, Anti-Malware scanning is more efficient and file scanning during write is deferred (the file is added to a queue and scanned in the background).

Differentiated platforms: Deep Security Manager can now distinguish between Red Hat and CentOS platforms and operations. DS-52682

Continued network scans: After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's network scans will now continue where they left off, without delay. This feature only applies if you are using NSX-T Data Center and guest machines are using a policy without network feature overrides. DS-50482

Enhancements

Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061
Ceph is now excluded from file system kernel hooking to prevent kernel panic. SEG-75664/SF03131718/DS-50298
Recommendation Scans and Integrity Monitoring are now enabled for NSX-T environments. DS-50478
Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800

Resolved issues

Secure boot appeared active when it was not. DS-55052
Deep Security Agent could not install any plugins with UEFI Secure Boot enabled. DS-54041
After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
The Anti-Malware engine on Deep Security Virtual Appliance went offline when the signer field in the Census server reply was empty. DS-49807
Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
Deep Security Agent on Linux would sometimes crash. SEG-76460/SF03218198/DS-50852
Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
The Deep Security Virtual appliance did not detect the Eicar test file. SEG-71955/SF02955546/DS-49387
Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocking in lock down mode. DS-50696
The Anti-Malware driver caused a system hang on Linux platforms where autofs was used. DS-51926
When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
There was an upgrade issue with Deep Security Agent which would sometimes prevent the agent from going online if Integrity Monitoring or Log Inspection were enabled. DS-50672
Kernel Panic occurred when Web Reputation, Firewall, or Intrusion Prevention were enabled. SEG-80201/DSSEG-5846/DS-52975
When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. SEG-73893/DSSEG-5866/DS-53144
When Deep Security real-time Anti-Malware was enabled on a Linux system, it caused a high amount of CPU usage. SEG-75739/DS-52976

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/DS-41233

Highest CVSS score: 4.4

Severity: Medium

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020

Build number: 20.0.0.877

New features

Enhanced platform support

Ubuntu 20.04 (64-bit)
Cloud Linux 8 (64-bit)
Debian Linux 10 (64-bit)
Oracle Linux 8 (64-bit)
SUSE Linux Enterprise Server 15 (64-bit)
Red Hat Enterprise Linux 8 (64-bit)
CentOS 8 (64-bit)

SystemD support: SystemD is a Linux service manager that allows services to declare dependencies, which can enforce load and unload sequences of kernel modules and other services. See Systemd support for information about which platforms are supported. (DS-37395)

Secure Boot support: Deep Security Agent supports additional Linux operating systems with Secure Boot enabled. For details, see Secure Boot support.

Improved security

Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.

Protect VMs in NSX-T environments: We have integrated the latest VMware Service Insertion and Guest Introspection technologies which enables you to protect your guest VMs using Intrusion Prevention, Web Reputation, Firewall, Integrity Monitoring and recommendation scans on NSX-T hosts with agentless protection.

Seamless network protection: Deep Security Manager now sends guest VMs' network configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the network features during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments where the guest machine is using an assigned policy without network features overrides.

SELinux Support: Security-Enhanced Linux (SELinux) enforcing mode is supported on Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. Deep Security Agent is compatible with the default SELinux policies. Anti-Malware software such as ds_agent is required to run in an unconfined domain in order to protect the system. Any additional SELinux policy customization or configuration might be block blocked or fail because of ds_agent.

SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.

Continuous Anti-Malware protection: Deep Security Manager now sends guest VMs' Anti-Malware real-time configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the Anti-Malware real-time feature during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments.

Improved management and quality

Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.

NSX-T Network Throughput improvement: By introducing the Data Plane Development Kit (DPDK), we've made the network throughput three times faster when compared with prior technology.

Upgrade to supported paths: The "upgrade on activation" feature will only upgrade the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the "upgrade on activation" feature will detect the newer version and complete the upgrade to the designated release.

Protection for AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, we will now create the computer outside of the account and allow the agent to activate.

Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported in this release. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?

Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been cancelled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.

Improved process exceptions: The process exception experience has been improved in the following ways:

We've provided information about why process exclusion items are not functioning correctly so you can troubleshoot the issue and know which actions to take to resolve it.
We've improved the process exception configuration workflow to make it more robust.

Enhancements

Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
Improved the Deep Security Agent activation experience in the following ways:

Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.

After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's Anti-Malware real-time scans will now continue where they left off, without delay. This feature only applies to NSX-T environments.
Increased the scan engine's URI path length limitation.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
Enhanced Linux real-time Anti-Malware performance when executing a Docker pull command.
Improved the time it takes to auto-activate guest VMs protected by the Deep Security Virtual Appliance in an NSX-T environment. This feature requires Deep Security Manager FR 2019-12-12 or newer releases.
Streamlined event management for improved agent performance.
Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
Enhanced the Malware Scan Failure event description to indicate the possible reason.
Enhanced the Anti-Malware kernel level exclusion on Linux. File events coming from remote file systems won't be handled by Deep Security Agent anymore when Network Directory Scan is disabled.
Added the ability to retrieve process and container information for Intrusion Prevention events, including process name, container ID, container name, image name, image digest and pod ID.

Resolved issues

When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
When Deep Security real-time Anti-Malware was enabled in Linux, it caused a high amount of CPU system usage. SEG-75739/SF03036857/DS-52976
Ceph caused kernel panic. SEG-75664/SF03131718/DS-50298
Deep Security Agent sometimes crashed. SEG-76460/SF03218198/DS-50852
Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocked in lock down mode. SEG-73174/DS-50696
Deep Security Virtual Appliance sometimes went offline. (SEG-53294/DS-46728)
The interface isolation feature was still on when Firewall was turned off. (SEG-32926/DS-27099)
In a Red Hat Enterprise Linux 5 or 6 or a CentOS 5 or 6 environment, Integrity Monitoring events related to the following rule were displayed even if users or groups were not created or deleted: 1008720 - Users and Groups - Create and Delete Activity. (SEG-22509/DS-25250)
Integrity Monitoring events showed an incorrect file path with Unicode encoding. (SEG-45239/DS-33911)
Anti-Malware events displayed a blank file path with invalid Unicode encoding. (SEG-46912/DS-34011)
Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash. (SF01423970/SEG-43481/DS-34436)
Kernel panic occurred when dsa_filter.ko was obtaining network device's information. (SEG-50480/DS-35192)
An SAP system with Java running in a Linux environment failed to start when Deep Security Scanner returned an error code without an error message. (SF01339187/SEG-38497/SEG-33163/DS-31330)
Kernel panic occurred because of redirfs. (SF01137463/SEG-34751/DS-32182)
Deep Security Anti-Malware caused the 'fusermount' process to fail when mounting the filesystem. (SF01531697/SEG-43146/DS-32753)
Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. (SEG-39711/DS-32799)
For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
Deep Security Agent GSCH driver had an issue with another third-party file system. (SF01248702/SEG-44565/DS-33155)
The "Environment Variable Overrides" for Deep Security Anti-Malware did not work in Linux. (SEG-43362/DS-31328)
Deep Security Agent process potentially crashed when the detailed logging of SSL message was enabled and outputted. (SF01745654/SEG-45832/DS-33007)
When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. (SF01415702/SEG-42919/DS-33008)
The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. (SF1939658/SEG-49191/DS-34222)
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DS-34022)
The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. (SEG-50728/DS-35446)
Deep Security Agent failed to install on Ubuntu 18.04. (SF01593513/SEG-43300/DS-37359)
The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. (SF01526046/SF02159742/SEG-55453/DS-38812)
Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. (SF02187371/SEG-56645/DS-39398)
The agent operating system would sometimes crash when Firewall interface ignores were set. (SF01775560/SEG-49866/DS-39339)
Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. (SF01804378/SEG-47425/DS-33690)
Too many file open events were being processed in user mode, resulting in high cpu usage. (SF02179544/SEG-55745/DS-39638)
The "mq_getattr: Bad file descriptor" error occurred while accessing the message queue when Deep Security real-time Anti-Malware was enabled. (SF02042265/SEG-52088/DS-39890)
Linux kernel logs were flooded by Deep Security Anti-Malware driver. (SF02299406/SEG-57561/DS-41589)
Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. (SF01780211/SEG-46616/DSSEG-3607)
High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. (SF02179544/SEG-55745/DS-41142)
Deep Security Agent real-time Anti-Malware scans didn't work with Debian 10 64-bit.
When a guest VM was migrated between ESXi hosts frequently (using vMotion), sometimes the VM couldn't save the state file. This caused the guest to lose the protection of the Deep Security Virtual Appliance for several minutes after migration, until the VM was reactivated by Deep Security Manager automatically under the new ESXi server. (DSSEG-4341/DS-38221)
When uninstalling Deep Security Agent in Linux, the uninstall log included a typo. (DSSEG-4139/DS-34504)
Deep Security Anti-Malware detected sample malware files but did not automatically delete them. (SF02230778/SEG-55891/DS-40687)
When the Deep Security Agent connected through a proxy to the Deep Security Manager on Deep Security as a Service, Identified Files could not be deleted. (SF01979829/SEG-51013/DS-37252)
After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search X-Forwarded-For header after the header is parsed. (SEG-60728/DSSEG-5094)
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DSSEG-4995)

Security updates

Highest CVSS Score: 7.8

Highest Severity: High

Updated NGINX to 1.16.1 (DSSEG-4600)
Updated to curl 7.67.0.
Updated to openssl-1.0.2t.
Updated JRE to the latest Java Update (8.0.241/8.43.0.6).

Kernel support

To see which Linux kernels are currently supported, see Deep Security Agent Linux kernel support.

If you'd like to view the Linux kernel release history, see the Readme for Trend Micro (TM) Deep Security Agent 20.0 for Linux.

Known issues

Autofs is currently not supported for use when real-time Anti-Malware is enabled. If autofs is used with real-time Anti-Malware enabled, some mountpoints will not be unmounted successfully. (SEG-58841)

Windows

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021

Build number: 20.0.0-1822

This release contains general improvements.

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021

Build number: 20.0.0-1681

This release contains general improvements.

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020

Build number: 20.0.0-1559

New features

Enhanced platform support

Windows 10 20H2

Improved security

Enhancements

Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
Enhanced memory usage to improve performance. DS-53012

Resolved issues

When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
Application Security events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020

Build number: 20.0.0.1337

New features

Enhancements

Added various executable files as trusted installers so they are automatically recognized by Application Security. SF03568205/SEG-85141/DS-54884
Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800/DS-51879
Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

In combined mode with agent-only and agent-preferred settings enabled, Deep Security Notifier sometimes turned the Antivirus status in the Windows action center on and off, which caused high CPU. DS-54799
After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
The Behavior Monitoring feature of Anti-Malware sometimes raised false alarms. DS-44974
When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
Deep Security Agent crashed unexpectedly because it was unable to detect the Docker engine version on Windows Servers. DS-29590
Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
There were detection issues with real-time Anti-Malware scans. DS-50286
Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. DS-53144

Security updates

Highest CVSS score: 4.4

Severity: Medium

Action required: Customers participating in the Trend Micro XDR Activity Monitoring preview for Workload Security

This Deep Security Agent release includes required updates for the Trend Micro XDR Activity Monitoring preview. If you are currently participating in the preview, you must upgrade to Deep Security Agent 20.0.0-1337 (or a newer version) by November 16, 2020. If you do not upgrade to Deep Security Agent 20.0.0-1337 (or a newer version), Activity Monitoring data will stop being collected on November 16, 2020. For more information about XDR and Activity Monitoring, see Integrate Workload Security with XDR.

Deep Security Agent 20.0.0-1337 (and newer versions) uses a new network connection to send Activity Monitoring data to Trend Micro. The connection details can be found in Enable Activity Monitoring. Ensure that agent traffic to this destination is allowed so Activity Monitoring data can be sent to Trend Micro.

Known issues

While the Deep Security Relay is upgrading co-located or independent relays, the alerts “Anti-Malware protection is absent or out of date” and “Security Update: Security Update Check and Download Failed (Agent/Appliance error)” might occur for up to 20 minutes or longer before they're automatically resolved and the respective alerts cleared. For any subsequent Deep Security Agent upgrades to succeed, please wait for the Deep Security Relay alerts to clear automatically. DS-54056

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020

Build number: 20.0.0.877

New features

Improved security

Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.

Protect AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, we will now create the computer outside of the account and allow the agent to activate.

SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.

Improved quality and management

Reboot requirement removed for agent upgrade: Previously, there were several situations where a Windows server would require a reboot for a new agent to complete the upgrade. The need for the reboot has been completely removed, enabling the application to not be impacted as result of upgrading a Deep Security Agent.

Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported with Deep Security Manager FR 2020-04-30. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?

Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been canceled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.

Anti-Malware real-time file scan report: Deep Security has the ability to determine the top 10 files that are scanned by Anti-Malware real-time scan. This provides a starting point for performance evaluating and tuning, as you can use this information to set file exclusions and avoid unnecessary scans. The 'AmTopNScan.txt' file with the collected data can be generated using the following methods:

By the command dsa_control --AmTopNScan
By the diagnostic service

Improved process exceptions: The process exception experience has been improved in the following ways:

We've provided information about why process exclusion items are not functioning correctly so you can troubleshoot the issue and know which actions to take to resolve it.
We've improved the process exception configuration workflow to make it more robust.

Windows Event Channel for Log Inspection: Windows Event Channel logging provides a new option for tracking OS and Application logging for Windows platforms newer than Windows Vista. Event channels can be used to collect Log Inspection events which you can view later.

Enhancements

Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
Removed Integrity Monitoring and Application Control's dependency on Anti-Malware, so they no longer require Anti-Malware to be installed to function.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
Added support for agentless mode on vCloud connector for version 9.5 or later.
Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.
Enhanced the Malware Scan Failure event description to indicate the possible reason.
Streamlined event management for improved agent performance.
Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
Added support for Deep Security Agent delayed upgrade to reduce the Anti-Malware offline issue after triggering an upgrade.

Resolved issues

After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. (DS-49828)
Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
Deep Security Agent restarted unexpectedly because of the way Log Inspection was accessing the SQLite database. (DS-48395)
The interface isolation feature stayed active when Firewall was turned off. (SEG-32926/DS-27099)
Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. (DS-48916)
Integrity Monitoring events showed an incorrect file path with Unicode encoding. (SEG-45239/DS-33911)
The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. (SF02092464/SEG-53938/DS-38578)
Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. (SEG-39711/DS-32799)
For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
Deep Security's Notifier.exe process caused high CPU usage. (SF01716752/SEG-45507/DS-33645)
The "Smart Protection Server Disconnected for Smart Scan" alert did not automatically clear after the connection had been restored. (SF1609675/SEG-43574/DS-32947)
In some cases, the Windows driver did not correctly release spinlock, causing the system to hang. (SF01990859/SEG-50709/DS-36066)
Deep Security Agent process sometimes crashed when the detailed logging of SSL message was enabled and outputted. (SF01745654/SEG-45832/DS-33007)
When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. (SF01415702/SEG-42919/DS-33008)
The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. (SF1939658/SEG-49191/DS-34222)
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DS-34022)
The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. (SEG-50728/DS-35446)
The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. (SF01526046/SF02159742/SEG-55453/DS-38812)
Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app." error message in ds_agent.log. (SEG-21208/DS-33134/DS-21352)
When the system region format is "Chinese (Traditional, Hong Kong SAR)", Deep Security Notifier displayed simplified Chinese instead of traditional Chinese. (SEG-48075/DS-34778)
Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. (SF02187371/SEG-56645/DS-39398)
Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. (SF01804378/SEG-47425/DS-33690)
Too many file open events were being processed in user mode resulting in high CPU usage. (SF02179544/SEG-55745/DS-39638)
The "Type" attribute wasn't displayed in Integrity Monitoring events when the default "STANDARD" attribute was set to monitor registry value changes. (SF02412251/SEG-59848/DS-41118)
Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. (SF01780211/SEG-46616/DSSEG-3607)
High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. (SF02179544/SEG-55745/DS-41142)
The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. (SF02092464/SEG-53938/DS-39981)
Deep Security failed to download security updates because of an outdated user agent string. (SF02043400/SEG-52069/DS-41316)
When machines wrote document files to a file server, Anti-Malware needed to scan the files frequently, which caused other machines to fail to write the file because the file was being scanned. (SF01949194/SEG-49854/DS-40100)
When Deep Security Agent scanned large files for viruses, it consumed a large amount of memory. (SF01572110/SEG-48704/DS-43114)

Security updates

Highest CVSS Score: 7.8

Highest Severity: High

Updated NGINX to 1.16.1 (DSSEG-4600)
Updated to curl 7.67.0.
Updated to openssl-1.0.2t.
Updated JRE to the latest Java Update (8.0.241/8.43.0.6).

Known issues

After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error may occur. To work around this issue, right-click the affected computer and select Actions > Clear Warnings/Errors, then Send Policy.
After upgrading the Deep Security Agent on Windows 2008, Anti-Malware may go offline. If this occurs, fully uninstall Deep Security Agent, reboot your server, then reinstall the agent.

Upgrade notice

If you have Application Control enabled, there may be a temporary performance impact while your software inventory is automatically rebuilding. (DS-41775)

Unix

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021

Build number: 20.0.0-1822

New feature

Anti-Malware support for AIX: This release adds support for Anti-Malware on the AIX platform.

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021

Build number: 20.0.0-1681

This release contains general improvements.

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020

Build number: 20.0.0-1559

New features

Enhancements

Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
Improved Deep Security Agent to better support Activity Monitoring on Trend Micro Cloud One - Workload Security. For more information, see Enable Activity Monitoring. DS-55230
Enhanced memory usage to improve performance. DS-53012

Resolved issues

On Solaris servers where Integrity Monitoring was enabled and the rule: "Unix - Monitor Processes Running From '/tmp' Directories (ATT&CK T1059)" was assigned, a rule compile error was generated that referenced an "Unsupported Feature in Integrity Monitoring Rule". DS-55884
When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
Application Security events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020

Build number: 20.0.0.1337

Resolved issues

When using Deep Security Agent on Solaris, the Integrity Monitoring port scanning feature did not work because the agent did not have access to information on the user ID under which a given port was opened. This prevented storage of any listening port information. The port scanning feature on Solaris agents has been modified to store the string "n/a" for the userid. This allows the remaining port information to be stored and used in the port scanning function. However, exclusions and inclusions based on User ID still do not function correctly because this information is not available. DS-53922

Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)

Release date: October 21, 2020

Build number: 20.0.0.1304

Enhancements

Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719

Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)

Release date: October 5, 2020

Build number: 20.0.0.1194

Enhancements

Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800
Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061

Resolved issues

Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
Deep Security Agent crashed on Solaris 10 during upgrades. SEG-72634/SF02975849/DS-49295
When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058

Security updates

Highest CVSS score: 4.4

Severity: Medium

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020

Build number: 20.0.0.877

New features

Improved security

SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.

Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.

Improved quality and management

By the command dsa_control --AmTopNScan
By the diagnostic service

Improved process exceptions: The process exception experience has been improved in the following ways:

We've provided information about why process exclusion items are not functioning correctly so you can troubleshoot the issue and know which actions to take to resolve it.
We've improved the process exception configuration workflow to make it more robust.

Enhancements

Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
Increased the scan engine's URI path length limitation.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
Streamlined event management for improved agent performance.
Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.

Resolved issues

After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. (DS-49828)
Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
The displayed packet header data contained redundant payload data. (DS-45792)
Memory leaked during SSL decryption because of a flaw in the SSL processing. (SEG-68263/DS-44360)
On specific Deep Security Agent servers the CPU usage spiked to 100% and pattern merges failed during the active update process. (SEG-66210/02711299/DS-46429)
When a security update was triggered before Anti-Malware was ready, the security updates failed. (DS-36952)
When real-time Integrity Monitoring was enabled with the rule "1002875: Unix Add/Remove Software" applied, the RPM database potentially locked. (SEG-67275/SF02663756/DS-48524)
Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. (SEG-71825/SF03021819/DS-48916)
Incorrect linking of certain libraries could lead to Deep Security Agent instability. (SEG-72958/03071960/DS-49324)
Anti-Malware directory exclusion with wildcard didn't match subdirectories correctly. (SF03131855/SEG-74892/DS-50245)
High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. (SF02179544/SEG-55745/DS-41142)
Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. (SF01780211/SEG-46616/DSSEG-3607)
Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. (SF01804378/SEG-47425/DS-33690)
Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. (SF02187371/SEG-56645/DS-39398)
The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. (SF01526046/SF02159742/SEG-55453/DS-38812)
The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. (SEG-50728/DS-35446)
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DS-34022)
The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. (SF1939658/SEG-49191/DS-34222)
When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. (SF01415702/SEG-42919/DS-33008)
For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. (SEG-39711/DS-32799)
Integrity Monitoring events showed an incorrect file path with Unicode encoding. (SEG-45239/DS-33911)
The interface isolation feature was still on when Firewall was turned off. (SEG-32926/DS-27099)
After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search X-Forwarded-For header after the header is parsed. (SEG-60728/DS-42332
Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SEG-48728/SF01919585/DS-34022)
On Solaris servers with clusters, the Deep Security Intrusion Prevention module would come under heavy load while inspecting the clusters' private traffic. The extra load caused latency issues, node evictions, and loss of synchronization events.

You can now configure the Packet Processing Engine on the agent to bypass traffic inspection on a specified interface. Where a specific interface on a computer is dedicated to cluster private traffic, this configuration can be used to bypass inspection of packets sent to and received from this interface. This results in faster packet processing on the bypassed interface and other interfaces.

Use of this configuration to bypass traffic inspection is a security risk. It is up to you to determine if the benefit of reduced latency outweighs the risk involved. It is also up to you to determine whether only the nodes in the cluster have access to the subnet whose interface is being bypassed.

To implement the bypass, do the following:

Upgrade the Deep Security Agent to the latest build containing this fix.
Create a file under /etc directory named "ds_filter.conf".
Open the /etc/ds_filter.conf file.
Add the MAC addresses of all NIC cards used for cluster communication, as follows:

MAC_EXCLUSIVE_LIST=XX:XX:XX:XX:XX,XX:XX:XX:XX:XX

Save.
Wait 60 seconds for your changes to take effect.

In the /etc/ds_filter.conf file:

The MAC_EXCLUSIVE_LIST line must be the first line in the file.
All letters in the MAC address must be uppercase.
Leading zeros in each byte must be included.

Valid MAC_EXCLUSIVE_LIST:

MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E

MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E,6A:23:F0:0F:AB:34

Invalid MAC_EXCLUSIVE_LIST:

MAC_EXCLUSIVE_LIST=B:3A;12:F8:32:5E

MAC_EXCLUSIVE_LIST=0b:3a;12:F8:32:5e,6a:23:F0:0F:ab:34

MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E

If the MAC address is not valid, the interface will not be bypassed. If the exact string "MAC_EXCLUSIVE_LIST=" is not present at the beginning of the line no interfaces will be bypassed. (DSSEG-4055)

Security updates

Highest CVSS Score: 7.8

Highest Severity: High

Updated NGINX to 1.16.1 (DSSEG-4600)
Updated to curl 7.67.0.
Updated to openssl-1.0.2t.
Updated JRE to the latest Java Update (8.0.241/8.43.0.6).