What's new in Deep Security Manager?
Deep Security Manager FR 2020-06-17
Build number: 12.5.985
Protect VMs in NSX-T environments: We have integrated the latest VMware Service Insertion and Guest Introspection technologies, which enable you to protect your guest VMs using Intrusion Prevention, Web Reputation, Firewall, Integrity Monitoring and recommendation scans on NSX-T hosts with agentless protection.
Seamless network protection: Deep Security Manager now sends guest VMs' network configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the network features during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments where the guest machine is using an assigned policy without network features overrides.
Improved management and quality
Organize computers with Smart Folders: Smart Folders can be configured to use GCP Labels and Network Tags, which you can use to organize and find computers in your cloud environment.
NSX-T Network Throughput improvement: By introducing the Data Plane Development Kit (DPDK), we've made the network throughput three times faster when compared with prior technology, Raw Socket.
Upgrade on activation: The 'upgrade on activation' feature will only upgrade the agent on the computer from the last two major releases.
If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the 'upgrade on activation' feature will detect the newer version and complete the upgrade to the designated release.
- Added the "VMware NSX Policy Configuration Conflict" system event. This event is generated when Deep Security Manager detects that an NSX-T group is configured with different security policies for Endpoint Protection and Network Introspection (E-W).
- Empty AWS groups can now be hidden in all areas of the console that display a list of computer groups. Previously, this was only available on the Computers page.
- Corrected the "Auto-Generated DSM SSL Configuration" description to "SSL configuration for the Deep Security Manager GUI".
- Updated Deep Security Manager to allow vCloud accounts to be added even if the virtual machine hardware information is missing.
- Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
- Increased the timeout used when synchronizing AWS Workspace directories in an AWS account, to reduce failures for large directories.
- When you upgrade the Deep Security Virtual Appliance SVM in NSX-T Manager, Deep Security Manager will now detect that a new SVM is now protecting guest VMs, and will auto-activate those VMs after the upgrade.
- Upgraded the vCloud Connector in Deep Security Manager to support vCloud 9.7 and vCloud 10.0.
- Added the ability to sync Deep Security Manager policies to NSX-T environments.
- Improved the experience when deleting vCenter Connectors with NSX-T Manager. Previously, you had to manually remove the NSX-T component as a service profile, endpoint rules and service deployments, or the vCenter deletion would fail.
- When the Alert on any Computer action was selected for Intrusion Prevention, Firewall, Integrity Monitoring or Log Inspection rules, the computers were not automatically updated with the new policy. DS-50216/SEG-77260
- Anti-Malware events that were marked as "Pass" were not properly counted on the dashboard or under Anti-Malware events. DS-49364/SEG-70872
- When an agent activated with no AWS metadata but then provided it on a later heartbeat, the cloud provider was not updated, which caused the computer to never be rehomed properly. DS-50713/SEG-77150
- When you did an advanced search on the Computers page for Status Light > Equals > Managed [Green], then selected Export to CSV, the CSV file did not contain the listed computers. DS-49936/SEG-74140
- Azure accounts could not be added in Azure Government regions because the login endpoint was changed. This only applies to Azure Marketplace deployments. DS-52399
- After upgrading VMware ESX, you had to manually re-sync the vCenter to see the new platform information. DS-50053
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses. Please note, in line with responsible disclosure practices, CVE details will only be made available for select security updates once patches have been made available for all impacted releases. DS-51336/DS-50192/DS-50368/DS-30757
Highest CVSS score: 7.5
Highest severity: Critical
This is the final Deep Security Manager that supports NSX-T Manager version 2.x. Upgrade your NSX-T Manager to version 3.0.0 or later. DS-50387
The automatic removal of a vCenter account from Deep Security will fail if NSX-T is configured to have the same service chain bound to Deep Security and third-party services simultaneously. This problem occurs because the NSX-T API doesn't allow Deep Security to modify the service chain with its associated service profiles.
To work around this issue, remove vCenter manually. For details, see Uninstall Deep Security from your NSX environment. DS-47944
Build number: 12.5.855
Enhanced platform support
- Red Hat Enterprise Linux 8 (64-bit)
- Windows Server 2019 (64-bit)
Continuous Anti-Malware protection: Deep Security Manager now sends guest VMs' Anti-Malware real-time configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the Anti-Malware real-time feature during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments.
Improved management and quality
Search Cloud Instance Metadata: Added the ability to do a simple search or advanced search for Cloud Instance Metadata on the Computers page. This allows you to easily find workloads with specific labels, network tags, and more.
Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported with Deep Security Agent FR 2020-05-19. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?
- Updated the descriptions related to memory on the System Information page so they're more accurate and easier to understand.
- Added installation log rotation for Deep Security Manager.
- Improved the capability of event-based tasks by adding support for GCP security automation with account name, labels, network tags and more in the task conditions.
- Introduced "Cloud Vendor" in the event-based tasks conditions in order to limit a task's scope for a specific public vendor (for example, AWS or GCP).
- Improved the description of Behavior Monitoring events by including the reason the event occurred.
- Added a GCP Network Tag column to the Computers tab.
- Added support for agentless mode on vCloud connector for version 9.5 or later.
- Added the CentOS platform as an option to select on Updates > Software > Agent Version Control. This means when you deploy an agent using the deployment scripts, you can specify that only CentOS agents are deployed.
- For tenants, the Security Module Usage Report was only visible if you had access to the default "Full Access" role. (SEG-70494/SF02940195/DS-47492)
- The sign-up page did not render properly in Internet Explorer. (SEG-73072/SF03075345/DS-48944)
- When several emails with large bodies were queued, they were loaded all at once instead of in batches, which caused a large amount of memory to be used. (SEG-71863/SF03024164/DS-49833)
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Responses.
- If you are using an Oracle database, this upgrade will take longer than usual due to a database schema change.
- When a new Deep Security Virtual Appliance is deployed, the VM name is displayed as "Trend Micro_Custom - <version>", if you're using a local web server to store the Deep Security Virtual Appliance software package. This has no effect on the integrity of the appliance.
Deep Security Manager FR 2020-03-09
Build number: 12.5.732
Enhanced platform support
Secure Boot support: Deep Security Agent now supports additional Linux operating systems with Secure Boot enabled. If the Secure Boot environment or configuration is invalid, the manager now shows new agent and system events.
Improved management and quality
AWS manager-generated external ID: To better align with AWS best practices and improve AWS account security, we have made a change to the process of adding a new AWS account into Deep Security using cross-account roles. Previously when using a cross-account role for authentication, Deep Security required two pieces of information: a role ARN, and an external ID trusted by the role. This has now changed to a new process where Deep Security provides the external ID, and requires that the role provided has included this external ID in its IAM trust policy. This change provides stronger security in shared Deep Security environments, and ensures that strong external IDs are always used. For details on switching your external ID to a manager-generated one, see Update the external ID. For details on the new process of adding cross-account roles using manager-generated external ID, see Add an AWS account using a cross-account role.
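The trust-policy requirement described above can be checked before a role ARN is given to Deep Security Manager. The following is an added example, not code from Trend Micro: the account ID, the external ID value, the sample policies and the function names are constructed placeholders.

```python
import json

# Constructed placeholder for the external ID shown by the manager.
EXTERNAL_ID = "EXAMPLE-MANAGER-GENERATED-ID"

# Constructed trust policy: cross-account grant with no external ID condition.
WEAK_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                "Action": "sts:AssumeRole"}]}
""")

# Constructed trust policy: the same grant pinned to the external ID.
PINNED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals":
                    {"sts:ExternalId": "EXAMPLE-MANAGER-GENERATED-ID"}}}]}
""")


def as_list(value):
    """IAM allows a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def external_ids(condition):
    """Return the sts:ExternalId values under StringEquals, or None if absent."""
    for key, value in (condition.get("StringEquals") or {}).items():
        if key.lower() == "sts:externalid":  # condition keys are case-insensitive
            return as_list(value)
    return None


def audit_trust_policy(policy, expected_external_id):
    """Return findings for cross-account AssumeRole grants that are not
    pinned to the expected external ID. An empty list means the policy passes."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = as_list(principal.get("AWS"))
        else:
            aws_principals = []
        if not aws_principals:
            continue  # service principals are outside this check
        if "*" in aws_principals:
            findings.append(f"statement {idx}: wildcard AWS principal")
        ids = external_ids(stmt.get("Condition") or {})
        if ids is None:
            findings.append(
                f"statement {idx}: no StringEquals condition on sts:ExternalId")
        elif ids != [expected_external_id]:
            findings.append(
                f"statement {idx}: external ID is not the manager-generated value")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("pinned", PINNED_POLICY)):
        print(name, audit_trust_policy(doc, EXTERNAL_ID) or "OK")
```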
Security Module Usage Report: If you are using metered billing and looking for a way to break out costs by individual cloud accounts, we have made the Security Module Usage Report (Event & Reports > Generate Reports) available. This report contains a detailed breakout of consumption hours by cloud account. This data can be used to break out the single Deep Security as a Service line item on your marketplace bill, supporting chargeback to your teams.
- Added GCP information such as Instance ID, Labels, Network tags, and more, to Computer Editor > Overview > General.
- Added the Cloud Instance Metadata field to the computers page.
- Added a progress bar to Administration > User Management > Roles > New > Computer Rights > Selected Computers to indicate the status of the computers list that's loading.
- Improved the heartbeat handling for AWS Workspace deployments when the Workspace sync feature is not turned on for the matching AWS account.
- Optimized the time it takes to discover and map new GCP instances for known Google Projects inside existing GCP accounts. When an agent-initiated activation occurs, the time it takes to complete the activation and for the GCP data to be available to Deep Security as a Service has been reduced to make the product more responsive.
- If there are a lot of agent events in a single heartbeat, they will be split into multiple "Event Retrieved" events.
- When the "Untagged" filter was selected on the dashboard, some widgets continued to display tagged items. (SEG-63290/SF02585007/DS-43795)
- Tenants in a multi-tenant setup could move their relays to the primary tenant relay group. This would cause the relays to disappear from their 'Relay Management' page. Tenants are now prevented from moving their relays to the primary tenant relay group. (SEG-57715/02322762/DS-47509)
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. (DS-45446)
- Updated the JRE to the latest Java Update (8.0.241/126.96.36.199).
Deep Security Manager FR 2020-01-27
Build number: 12.5.613
- Enhanced the Relay management experience by providing possible solutions for the "Empty Relay Group Assigned" alert in the alert's description and removing the relay count for tenants that are using the Primary Tenant Relay Group.
- Performance issues occurred when there were thousands of requests to download the same SVG file because the file wasn't cached. (SEG-64280/DS-45002)
- AIA hosts with the same Virtual UUID failed when "Activate a new Computer with the same name" was selected. (SEG-66346/02725330/DS-45423)
- In some multi-tenant environments, you could not log in as a tenant. For more information, see https://success.trendmicro.com/solution/000238704. (SF02873892/SEG-68674/DS-46391)
- When Integrity Monitoring was enabled but Anti-Malware was turned off, a warning message would appear indicating "Security Update: Pattern Update on Agents/Appliance Failed". (SEG-68454/SEG-67859/DS-32205)
Deep Security Manager FR 2020-01-16
Build number: 12.5.579
- Added the following hidden setting command:
dsm_c -action changesetting -name com.trendmicro.ds.antimalware:settings.configuration.maxSelfExtractRTScanSizeMB -value 512
When Deep Security Agent could not determine the type of the target file, the scan engine loaded the file to memory to identify if it was a self-extract file. If there were many of these large files, the scan engine consumed lots of memory. Using the command above, the file-size limitation is set to 512MB for loading target files. When the file-size exceeds the set limitation, the scan engine will skip this process and scan the file directly.
To implement this enhancement:
- Run the command in Deep Security Manager to change the value in the database.
- Send the policy to your target Deep Security Agent to deploy the setting.
- In the Malware Scan configurations window, the content of the Advanced tab was displayed in the General tab. (SEG-64701/SF02657864/DS-44176)
- Deep Security Manager had issues loading the computers trees on some pages when there were a lot of computers and folders. (SEG-58089/SF02345427/DS-44424)
- AWS connectors sometimes failed to synchronize. (SEG-66472/DS-45029)
- The column names in the CSV output of the "Security Module Usage Report" were partially misaligned with the data columns. (SEG-66717/SF02619240/DS-45130)
- In the Malware Scan Configuration window (Computers/Policies > Anti-Malware > General > Manual Scan > Edit > Advanced and select Scan Compressed File) the Maximum number of files to extract setting could not be set to 0, meaning unlimited. (SEG-65997/02685854/DS-45081)
- Deep Security Manager with PostgreSQL sometimes stopped forwarding events to AWS SNS. (SEG-67362/SF02798561/DS-45594)
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. (DS-44955/DS-43627)
- Updated third-party libraries used by Deep Security Manager. (DS-24214)
Deep Security Manager FR 2019-12-12
Build number: 12.5.494
Agent version control: Agent version control gives you and your security operations team control over the specific versions of the Deep Security Agent that can be used by features like deployment scripts and upgrade on activation. This provides increased control over the Deep Security Agent used in your environment. For more information, see Configure agent version control.
Improved management and quality
Upgrade on activation: Deep Security Manager now has options (Administration > System Settings > Agents > Automatically upgrade Linux/Windows agents on activation) that enable you to automatically upgrade the Deep Security Agent on Linux and Windows computers to the version specified in Administration > System Settings > Updates > Software > Agent Version Control when the agent is activated or reactivated. For details, refer to Automatically upgrade agents on activation.
- Added the "Kernel Unsupported" system event to indicate if your computer has been upgraded to an unsupported kernel.
- Added a reason ID for the "Manual Malware Scan Cancellation complete" system event. The reason ID is displayed in REST API calls, SNS information and SIEM information.
- Renamed the scheduled task "AWS Billing Usage Task" to "Metered Billing Usage Task" because the task now applies to both AWS and Azure billing.
- Added the "TrendMicroDsPacketData" field to Firewall events that are syslog forwarded via the Deep Security Manager.
- Aggregated identical agent events in a single heartbeat under a single event.
- Modernized the Policies > Lists > Port Lists page.
- Added the Validate the signature on the agent installer checkbox on Support > Deployment Scripts. For more information, see Check digital signatures on software packages.
- Improved the "License Changed" event description by specifying if the plan ID is for Azure Marketplace billing.
- Reduced the maximum number of computers displayed on the Computers page from 2000 to 500 to improve performance.
- Renamed the Service Token setting to Data Source GUID on Administration > System Settings > Managed Detection and Response.
- Added the ability to auto-activate guest VMs protected by the Deep Security Virtual Appliance in an NSX-T environment.
- Added an "Agent GUID" column to the Computers page so you can search computers by the Agent GUID.
- Included a search bar under Administration > Updates > Software > Local.
- Enhanced scheduled tasks:
  - Task enabled has been renamed to Enable task on the last screen of the Create Scheduled Task wizard
  - Synchronize cloud account now indicates it only supports vCloud and Azure connectors
  - Computer/group selection details now display in list view for Anti-Malware scans and Intrusion Prevention tasks
- Added the ability to hide all empty AWS regions, VPCs, subnets, and directories, reducing clutter and increasing load speed on the Computers page.
- Added the ability for the Deep Security Administrator to hide unresolved recommendation scan results from the Intrusion Prevention, Integrity Monitoring and Log Inspection tabs in the policy pages. To hide the unresolved recommendation scan results, use the following commands:
dsm_c -action changesetting -name com.trendmicro.ds.network:settings.configuration.showUnresolvedRecommendationsInfoInPolicyPage -value false
dsm_c -action changesetting -name com.trendmicro.ds.integrity:settings.configuration.showUnresolvedRecommendationsInfoInPolicyPage -value false
dsm_c -action changesetting -name com.trendmicro.ds.loginspection:settings.configuration.showUnresolvedRecommendationsInfoInPolicyPage -value false
- When Deep Security Manager was deployed in an environment with a large number of hosts and protection rules, the manager would sometimes load data for all hosts, even if the user only requested data from some of the hosts. (SF02552257/SEG-62563/DS-43188)
- When booting up, Deep Security Manager validates the database schema of the events tables. Logs always said that the schema was updated, even if no update was actually required. (DS-43196)
- Active Directory synchronization sometimes would not finish. (SEG-52485/DS-38203)
- When a custom Anti-Evasion posture was selected in a parent policy (in the policy editor Settings > Advanced > Network Engine Settings > Anti-Evasion Posture > select 'Custom'), that setting did not appear in the child policies. (SF02434648/SEG-60410/DS-41597)
- On Linux systems, the default maximum number of the concurrent opened files did not meet Deep Security Manager's needs, resulting in the manager failing to acquire file handles. As a result, features in Deep Security Manager failed randomly and a "Too many open files" message appeared in logs. (SEG-59895/DS-43192)
- The "Activity Overview" widget sometimes displayed the incorrect database size. (SF02449882/SEG-63362/DS-43946)
- When sorting the "Alert Configuration" page by the "ON" column, the number of alerts was sometimes incorrect. (SF02578797/SEG-63560/DS-43685)
- Certain smart folder search criteria caused an IllegalStateException error. (SF02436019/SEG-60330/DS-41369)
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit our Vulnerability Responses.
Enhanced platform support
Deep Security Manager
- Oracle 18 database support
- Oracle 19c database support
- PostgreSQL 11 database support
Google Cloud Platform: Google Cloud Platform (GCP) has been integrated with Deep Security. You can now view new GCP instances that come online or are removed, and which instances have protection. If you are using multiple clouds on-premise and in your data center, Deep Security can provide visibility for all of your environments. This feature is available for VMs that have Deep Security Agent 12.0 or later installed. For details, see Add a Google Cloud Platform account.
Improved management and quality
Enhanced visibility of scheduled scan tasks and event based tasks: Scheduled scan tasks and event-based tasks have been improved by providing scan visibility as well as specific reasons for each uncompleted Anti-Malware scan and recommended actions to resolve the scan.
Advanced billing reporting: The Security Module Usage Report now includes the Cloud Account ID (AWS Account ID, Azure Subscription ID or GCP Project ID) for protected instances.
Multiple vCenters: You can add multiple vCenters in the Deep Security Manager, and associate them to the same NSX-T Data Center. An overwrite warning message is displayed if you are using NSX Data Center for vSphere (NSX-V), which does not support the use of multiple vCenters, or if the NSX-T Manager has been registered with another Deep Security Manager cluster.
- Updated the AWS account addition error messages to be more specific and include a Help Center link.
- When creating a smart folder, you can now select "Task(s)" as the filter criteria, which filters for values displayed in the "Task(s)" column on the Computers page. For example, you could create a smart folder that lists all computers that contain "Scheduled Malware Scan Pending (Offline)" as the task. Additionally, if you are using the Deep Security API to search for computers, you can now search on the value of the tasks/agentTasks and tasks/applianceTasks fields.
- Added FileSize attribute to the Application Control event description sent to SNS.
- A deployment script for Deep Security Agent for AIX is now available in Deep Security Manager.
- Improved the diagnostic logging options for the AWS connector related features.
- Deep Security Manager now prevents you from importing duplicate Trusted Certificates.
- When creating a smart folder, you can now select "Version" as the filter criteria to filter computers based on their Agent version.
- Improved the scan failure event description by adding more details.
- The memory usage percentage display on the "Manager Node Status" dashboard widget did not match the last recorded system memory usage percentage. (SF02218013/SEG-55761/DS-39149)
- In Deep Security Manager, under Policies > Intrusion Prevention Rules > Application Types > (select DNS client) > Properties > General, the Port setting would change to "Any" after any updates to the port list. (SEG-55634/DS-39444)
- Reconnaissance alerts could not be disabled because the option was not available. (SEG-49907/DS-35122)
- Some Azure Virtual Machine types were categorized incorrectly. (SF01885266/SEG-48561/DS-33951)
- Users of AWS Marketplace metered-billing would see an error reported in system events when the billing job was processed. (SF1899351/SEG-48580/DS-33955)
- Integrity Monitoring detailed change and recommendation reports were not running against smart folders. (SF2056260/SEG-51781/DS-35886)
- When the Computers page was grouped by status, it sometimes didn't display the correct total number of computers for each group. (SF01655622/SEG-44858/DS-37769)
- When Deep Security Manager was connected to both a case-sensitive Microsoft SQL database and VMware NSX, the Deep Security Manager upgrade readiness check would sometimes fail and block the upgrade. (SF02060051/SEG-52044/DS-38405)
- Scheduled task scans could be initiated by a user for computer groups that they do not have access to in their roles, which caused an error to occur. (SF02119582/SEG-53275/DS-38892)
- Deep Security Agent sometimes went offline when duplicate virtual UUIDs were stored in the database. (SF01722554/SEG-41425/DS-39272)
- False alerts regarding the license expiration were occasionally raised. (SF01484611/SEG-41437/DS-33831)
- Using a local key secret containing the $ symbol stopped the upgrade or fresh install of Deep Security Manager. (SF02013831/SEG-57243/DS-39526)
- Deep Security used an open source library called SIGAR that is no longer maintained or supported. This can cause applications to crash and other unintended issues in the future. (SF02184158/SEG-54629/DS-39394)
- When an invalid or unresolvable SNMP server name was configured in Administration > System Settings > Event Forwarding > SNMP, it caused SIEM & SNS to also fail. (SF02339427/SEG-57996/DS-39865)
- Forwarding events "via Deep Security Manager" with SIEM event forwarding would not work if the Deep Security Manager hostname was not obtained through DNS resolution. (SEG-50655/DS-37374)
- The events exported via AWS SNS did not contain the HostOwnerID, which corresponds to the AWS Account ID. (SF02420860/SEG-59870/DS-41089)
- In the computer or policy editor in Deep Security Manager, under Anti-Malware > General > Real-Time Scan > Schedule > Edit, the Assigned To tab was sometimes empty, even when the schedule was assigned correctly to computers and policies. (SF02374723/SEG-58761/DS-41036)
- Due to issues discovered during internal testing with SQL 2008, we now block upgrades to Deep Security feature releases when SQL 2008 is the Deep Security Manager database. Microsoft SQL Server 2008 is no longer supported by Microsoft and therefore is no longer tested or supported for use as a database for the latest releases of Deep Security Manager. For more information from Microsoft, see SQL server 2008 and SQL server 2008 R2 end of support. For the full list of databases supported for use with Deep Security Manager, see the Deep Security Manager system requirements. (DS-36715)
Security updates are included in this release. For more information about how we protect against vulnerabilities, visit our Vulnerability Responses. (DS-28754/DS-32322/DS-33833/DS-26068)
- Upgraded Apache Tomcat to 8.5.43. (DS-38558)