What's new in Deep Security Agent?

Deep Security Agent FR 2020-06-17

Build number: 12.5.0-1033

New features

Enhanced platform support

  • Ubuntu 20.04 (64-bit)

Improved security

Protect VMs in NSX-T environments: We have integrated the latest VMware Service Insertion and Guest Introspection technologies which enables you to protect your guest VMs using Intrusion Prevention, Web Reputation, Firewall, Integrity Monitoring and recommendation scans on NSX-T hosts with agentless protection.

Seamless network protection: Deep Security Manager now sends guest VMs' network configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the network features during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments where the guest machine is using an assigned policy without network features overrides.

Improved management and quality

Upgrade to supported paths: The "upgrade on activation" feature will only upgrade the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the "upgrade on activation" feature will detect the newer version and complete the upgrade to the designated release.

NSX-T Network Throughput improvement: By introducing the Data Plane Development Kit (DPDK), we've made the network throughput three times faster when compared with prior technology.

Enhancements

  • Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.

Resolved issues

  • Ceph caused kernel panic. SEG-75664/SF03131718/DS-50298
  • Deep Security Agent sometimes crashed. SEG-76460/SF03218198/DS-50852
  • Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
  • The Deep Security Virtual Appliance did not detect an Eicar file. SEG-71955/SF02955546/DS-49387
  • Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocked in lock down mode. SEG-73174/DS-50696

Upgrade notice

Deep Security Manager FR 2020-06-16 or later is now required to successfully activate Deep Security Agent FR 2020-06-16 or later. Please be aware of your manager version if you plan to use the latest agent.

Deep Security Agent FR 2020-05-19

Build number: 12.5.0.936

New features

Enhanced platform support

  • Cloud Linux 8 (64-bit)

Improved security

SELinux Support: Security-Enhanced Linux (SELinux) enforcing mode is supported on Red Hate Enterprise Linux 7 and Red Hate Enterprise Linux 8 . Deep Security Agent is compatible with the default SELinux policies. Anti-Malware software such as ds_agent is required to run in an unconfined domain in order to protect the system. Any additional SELinux policy customization or configuration might be block blocked or fail because of ds_agent.

Improved management and quality

Protection for AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, we will now create the computer outside of the account and allow the agent to activate.

Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported with Deep Security Manager FR 2020-04-29 . For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?

Enhancements

  • Added support for systemD on Cloud Linux 8.

Resolved issues

  • Deep Security Virtual Appliance sometimes went offline. (SEG-53294/DS-46728)
  • The interface isolation feature was still on when Firewall was turned off. (SEG-32926/DS-27099)

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. (VRTS-3704)

Deep Security Agent FR 2020-04-02

Build number: 12.5.0.814

New features

Enhanced platform support

  • Debian Linux 10 (64-bit)
  • Oracle Linux 8 (64-bit)
  • SUSE Linux Enterprise Server 15 (64-bit)
  • Red Hat Enterprise Linux 8 (64-bit)
  • CentOS 8 (64-bit)

SystemD support: SystemD provides a kind of service layer, that provides the ability to start, stop, monitor and enforce policy of services. It allows services to declare dependencies, which can enforce load and unload sequences of kernel modules and other services. See Systemd support for information about which platforms are supported. (DS-37395)

Secure Boot support: Deep Security Agent supports additional Linux OS’s with Secure Boot enabled. For details, see Secure Boot support.

Improved security

SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.

Seamless Anti-Malware protection on Deep Security Virtual Appliance: After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's Anti-Malware real-time scans will continue where they left off, without delay. This feature only applies to NSX-T environments.

Improved management and quality

Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been cancelled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.

Anti-Malware real-time file scan report: Deep Security has the ability to determine the top 10 files that are scanned by Anti-Malware real-time Scan. This provides a starting point for performance evaluating and tunning, as you can use this information to set file exclusions and avoid unnecessary scans. The 'AmTopNScan.txt' file with the collected data can be generated using the following methods:

  • By the command dsa_control --AmTopNScan
  • By the diagnostic service

Improved process exceptions: The process exception experience has been improved in the following ways:

  • We've provided information about why process exclusion items are not functioning correctly so you can troubleshoot the issue and know which actions to take to resolve it.
  • We've improved the process exception configuration workflow to make it more robust.

Enhancements

  • Improved the Deep Security Agent activation experience in the following ways:
    • Updated the minimum required Deep Security Manager to Deep Security Manager FR 2019-10-23 (12.5.349).
    • Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.
  • After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's Anti-Malware real-time scans will now continue where they left off, without delay. This feature only applies to NSX-T environments.
  • Increased the scan engine's URI path length limitation.
  • Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
  • Enhanced Linux real-time Anti-Malware performance when executing a Docker pull command.
  • Improved the time it takes to auto-activate guest VMs protected by the Deep Security Virtual Appliance in an NSX-T environment. This feature requires Deep Security Manager FR 2019-12-12 or newer releases.
  • Streamlined event management for improved agent performance.
  • Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
  • Enhanced the Malware Scan Failure event description to indicate the possible reason.
  • Enhanced the Anti-Malware kernel level exclusion on Linux. File events coming from remote file systems won't be handled by Deep Security Agent anymore when Network Directory Scan is disabled.
  • Added the ability to retrieve process and container information for Intrusion Prevention events, including process name, container ID, container name, image name, image digest and pod ID.

Resolved issues

  • In a Red Hat Enterprise Linux 5 or 6 or a CentOS 5 or 6 environment, integrity monitoring events related to the following rule were displayed even if users or groups were not created or deleted: 1008720 - Users and Groups - Create and Delete Activity. (SEG-22509/DS-25250)
  • Integrity Monitoring events showed an incorrect file path with Unicode encoding. (SEG-45239/DS-33911)
  • Anti-Malware events displayed a blank file path with invalid Unicode encoding. (SEG-46912/DS-34011)
  • Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash. (SF01423970/SEG-43481/DS-34436)
  • Kernel panic occurred when dsa_filter.ko was obtaining network device's information. (SEG-50480/DS-35192)
  • An SAP system with Java running in a Linux environment failed to start when Deep Security Scanner returned an error code without an error message. (SF01339187/SEG-38497/SEG-33163/DS-31330)
  • Kernel panic occurred because of redirfs. (SF01137463/SEG-34751/DS-32182)
  • Deep Security Anti-Malware caused the 'fusermount' process to fail when mounting the filesystem. (SF01531697/SEG-43146/DS-32753)
  • Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. (SEG-39711/DS-32799)
  • For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
  • Deep Security Agent GSCH driver had an issue with another third-party file system. (SF01248702/SEG-44565/DS-33155)
  • The "Environment Variable Overrides" for Deep Security Anti-Malware did not work in Linux. (SEG-43362/DS-31328)
  • Deep Security Agent process potentially crashed when the detailed logging of SSL message was enabled and outputted. (SF01745654/SEG-45832/DS-33007)
  • When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. (SF01415702/SEG-42919/DS-33008)
  • The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. (SF1939658/SEG-49191/DS-34222)
  • Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DS-34022)
  • The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. (SEG-50728/DS-35446)
  • Deep Security Agent failed to install on Ubuntu 18.04. (SF01593513/SEG-43300/DS-37359)
  • The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. (SF01526046/SF02159742/SEG-55453/DS-38812)
  • Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. (SF02187371/SEG-56645/DS-39398)
  • The agent operating system would sometimes crash when Firewall interface ignores were set. (SF01775560/SEG-49866/DS-39339)
  • Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. (SF01804378/SEG-47425/DS-33690)
  • Too many file open events were being processed in user mode resulting in high cpu usage. (SF02179544/SEG-55745/DS-39638)
  • The "mq_getattr: Bad file descriptor" error occurred while accessing the message queue when Deep Security real-time Anti-Malware was enabled. (SF02042265/SEG-52088/DS-39890)
  • Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app. " error message in ds_agent.log. (SEG-21208/DS-21352)
  • Linux kernel logs were flooded by Deep Security Anti-Malware driver. (SF02299406/SEG-57561/DS-41589)
  • Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. (SF01780211/SEG-46616/DSSEG-3607)
  • High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. (SF02179544/SEG-55745/DS-41142)
  • Deep Security Agent real-time Anti-Malware scans didn't work with Debian 10 64-bit.
  • When a guest VM was migrated between ESXi hosts frequently (using vMotion), sometimes the VM couldn't save the state file. This caused the guest to lose the protection of the Deep Security Virtual Appliance for several minutes after migration, until the VM was reactivated by Deep Security Manager automatically under the new ESXi server. (DSSEG-4341/DS-38221)
  • When uninstalling Deep Security Agent in Linux, the uninstall log included a typo. (DSSEG-4139/DS-34504)
  • Deep Security Anti-Malware detected sample malware files but did not automatically delete them. (SF02230778/SEG-55891/DS-40687)
  • When the Deep Security Agent connected through a proxy to the Deep Security Manager on Deep Security as a Service, Identified Files could not be deleted. (SF01979829/SEG-51013/DS-37252)
  • After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search X-Forwarded-For header after the header is parsed. (SEG-60728/DSSEG-5094)
  • Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DSSEG-4995)
  • The interface isolation feature was still on when Firewall was turned off. (SEG-32926/DS-27099)

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit our Vulnerability Responses. (VRTS-3176)

  • Updated NGINX to 1.16.1 (DSSEG-4600)

Known issues

  • Autofs is currently not supported for use when real-time Anti-Malware is enabled. If autofs is used with real-time Anti-Malware enabled, some mountpoints will not be unmounted successfully. (SEG-58841)

Deep Security Agent FR 2020-06-17

Build number: 12.5.0.1033

New features

Improved quality and management

Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported with Deep Security Manager FR 2020-04-30 or later. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?

Upgrade Anti-Malware driver without reboots: The Deep Security Agent Anti-Malware driver can be upgraded without rebooting your computers. Previously, if the driver required an upgrade you would receive the system event "765: Computer Reboot Required" and reboot your computer accordingly. By removing the need to reboot your computer, the friction involved with operation efforts is drastically reduced. There are still scenarios where a reboot is required, for example when the system events " 1533: A computer reboot is required to complete an Anti-Malware cleanup or restoration task" or "1534: A computer reboot is required to complete Anti-Malware protection" occur.

Upgrade to supported paths: The "upgrade on activation" feature will only upgrade the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the "upgrade on activation" feature will detect the newer version and complete the upgrade to the designated release.

Enhancements

  • Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.

Resolved issues

  • After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. (DS-49828)
  • Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-41233

CVSS score: 4.4

Severity: Medium

Upgrade notice

Deep Security Manager FR 2020-06-16 or later is now required to successfully activate Deep Security Agent FR 2020-06-16 or later. Please be aware of your manager version if you plan to use the latest agent.

Deep Security Agent FR 2020-04-16

Build number: 12.5.0.834

New features

Improved security

Protect AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, we will now create the computer outside of the account and allow the agent to activate.

Enhancements

  • Removed Integrity Monitoring and Application Control's dependency on Anti-Malware, so they no longer require Anti-Malware to be installed to function.
  • Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
  • Added support for agentless mode on vCloud connector for version 9.5 or later.
  • Increased the scan engine's URI path length limitation.
  • Updated the minimum required Deep Security Manager to Deep Security Manager FR 2019-10-23 (12.5.349)
  • Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.

Resolved issues

  • Deep Security Agent restarted unexpectedly because of the way Log Inspection was accessing the SQLite database. (DS-48395)
  • The interface isolation feature stayed active when Firewall was turned off. (SEG-32926/DS-27099)
  • Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. (DS-48916)

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. (DS-15780)

Known issues

After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error may occur. To workaround this issue, right-click the affected computer and select Actions > Clear Warnings/Errors, then Send Policy.

Deep Security Agent FR 2020-03-09

Build number: 12.5.0.713

Upgrade notice

  • If you have Application Control enabled, there may be a temporary performance impact while your software inventory is automatically rebuilding. (DS-41775)

New features

Improved security

SSL improvements: Deep Security supports handshake hello_request (rfc5246) and Extension encrypt_then_mac (rfc7366) in SSL inspection.

Improved management and quality

Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been cancelled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.

Anti-Malware real-time file scan report: Deep Security has the ability to determine the top 10 files that are scanned by Anti-Malware real-time Scan. This provides a starting point for performance evaluating and tunning, as you can use this information to set file exclusions and avoid unnecessary scans. The 'AmTopNScan.txt' file with the collected data can be generated using the following methods:

  • By the command dsa_control --AmTopNScan
  • By the diagnostic service

Improved process exceptions: The process exception experience has been improved in the following ways:

  • We've provided information about why process exclusion items are not functioning correctly so you can troubleshoot the issue and know which actions to take to resolve it.
  • We've improved the process exception configuration workflow to make it more robust.

Windows Event Channel for Log Inspection: Windows Event Channel logging provides a new option for tracking OS and Application logging for Windows platforms newer than Windows Vista. Event channels can be used to collect Log Inspection events which you can view later.

Enhancements

  • Enhanced the Malware Scan Failure event description to indicate the possible reason.
  • Streamlined event management for improved agent performance.
  • Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
  • Added support for Deep Security Agent delayed upgrade to reduce the Anti-Malware offline issue after triggering an upgrade.

Resolved issues

  • Integrity Monitoring events showed an incorrect file path with Unicode encoding. (SEG-45239/DS-33911)
  • Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash. (SF01423970/SEG-43481/DS-34436)
  • Kernel panic occurred when dsa_filter.ko was obtaining network device's information. (SEG-50480/DS-35192)
  • The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. (SF02092464/SEG-53938/DS-38578)
  • Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. (SEG-39711/DS-32799)
  • For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. (SF01704358/SEG-45004/DS-32077)
  • Deep Security's Notifier.exe process caused high CPU usage. (SF01716752/SEG-45507/DS-33645)
  • The "Smart Protection Server Disconnected for Smart Scan" alert did not automatically clear after the connection had been restored. (SF1609675/SEG-43574/DS-32947)
  • In some cases, the Windows driver did not correctly release spinlock, causing the system to hang. (SF01990859/SEG-50709/DS-36066)
  • Deep Security Agent process potentially crashed when the detailed logging of SSL message was enabled and outputted. (SF01745654/SEG-45832/DS-33007)
  • When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. (SF01415702/SEG-42919/DS-33008)
  • The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. (SF1939658/SEG-49191/DS-34222)
  • Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. (SF01919585/SEG-48728/DS-34022)
  • The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. (SEG-50728/DS-35446)
  • The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. (SF01526046/SF02159742/SEG-55453/DS-38812)
  • Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app. " error message in ds_agent.log. (SEG-21208/DS-33134)
  • When the system region format is "Chinese (Traditional, Hong Kong SAR)", Deep Security Notifier displayed simplified Chinese instead of traditional Chinese. (SEG-48075/DS-34778)
  • Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. (SF02187371/SEG-56645/DS-39398)
  • Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. (SF01804378/SEG-47425/DS-33690)
  • Too many file open events were being processed in user mode resulting in high cpu usage. (SF02179544/SEG-55745/DS-39638)
  • Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app. " error message in ds_agent.log. (SEG-21208/DS-21352)
  • The "Type" attribute wasn't displayed in Integrity Monitoring events when the default "STANDARD" attribute was set to monitor registry value changes. (SF02412251/SEG-59848/DS-41118)
  • Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. (SF01780211/SEG-46616/DSSEG-3607)
  • High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. (SF02179544/SEG-55745/DS-41142)
  • The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. (SF02092464/SEG-53938/DS-39981)
  • Deep Security failed to download security updates because of an outdated user agent string. (SF02043400/SEG-52069/DS-41316)
  • When machines wrote document files to a file server, Anti-Malware needed to scan the files frequently, which caused other machines to fail to write the file because the file was being scanned. (SF01949194/SEG-49854/DS-40100)
  • When Deep Security Agent scanned large files for viruses, it consumed a large amount of memory. (SF01572110/SEG-48704/DS-43114)

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit our Vulnerability Responses.

Known issues

After upgrading the Deep Security Agent, Anti-Malware went offline for machines using Windows 2008. If this issue occurs, fully uninstall Deep Security Agent, reboot your server, then reinstall the agent.