About upgrades

Types of Deep Security updates from Trend Micro include:

  • Software upgrades: New software such as the Deep SecurityAgent and Relay.

  • Security updates: Rules and malware patterns that Deep Security Agent software uses to identify potential threats. Types of security updates include:

    • Pattern updates: Used by Anti-Malware.

    • Rule updates: Used by:

      • Firewall
      • Intrusion Prevention
      • Integrity Monitoring
      • Log Inspection

(Application Control rule updates are created locally, based on your computers' software. They are not from Trend Micro.)

Trend Micro releases new rule updates every Tuesday, with additional updates as new threats are discovered. Information about the updates is available in the Trend Micro Threat Encyclopedia.

How relays work

Relays redistribute both software updates and security updates to your agents to help your deployment perform well at scale. (Alternatively, software updates — but not security updates — can be distributed by a local mirror web server.) Relays can:

  • Reduce WAN bandwidth costs by reducing external update traffic
  • Speed up update distribution in large scale deployments
  • Provide update distribution redundancy

Update sources are different for relays and agents, depending on their parent relay group and the type of update.

Deep Security update diagram

Agents get a randomly ordered list of relays for their assigned relay group. When an agent needs to download an update, they try the first relay. If there's no response, the agent tries the next in the list until it can successfully download the update. Because the list is random for each agent, this distributes update load evenly across relays in a group.

If relays/agents can't connect to their the manager/relay, they will use their fallback update sources. For best performance, network connectivity between Deep Security components should be reliable.

Unlike other rule updates, Application Control rules are not downloaded from Trend Micro. However relays can similarly redistribute shared (not local) Application Control rulesets. See Deploy application control rulesets via relays.

About relay hierarchy, cost, and performance

Relay groups can be organized in a hierarchy: one or more first-level ("parent") relay groups download updates directly from the manager and Primary Security Update Source (usually via their Internet/WAN connection), and then second-level ("child") relay groups download updates indirectly via the first-level group, and so on. If you put a relay on each local network, then agent updates usually use the local network connection — not remote connections to the Internet. This saves external connection bandwidth (a typical performance bottleneck) and makes updates faster, especially for large deployments with many networks or data centers.

Performance and bandwidth usage can be affected by relay group hierarchy. Hierarchy can specify:

  • Update order — Child relay sub-groups download from their parent group, which must finish its own download first. So a chain of sub-groups can be useful if you want a delay, so that all updates aren't at the exact same time.
  • Cost — If large distances or regions are between your parent and child relay groups, it might be cheaper for them to download directly instead of via parent relay groups.
  • Speed — If many or low-bandwidth subnets are between your parent and child relay groups, it might be faster for them to download directly or via a grandparent instead of via parent relay groups. However if too many relays do this, it will consume external connection bandwidth and eventually decrease speed.

How Deep Security Manager checks for software upgrades

Deep Security Manager periodically connects to Trend Micro Update servers to check for updates to software, such as:

  • Deep Security Agent
  • Deep Security Manager

This checks based on the local inventory, not the Download Center. (There is a separate alert for new software on the Download Center.)

Deep Security will only inform you of minor version updates-not major-of software.

For example, if you have Deep Security Agent 9.6.100, and Trend Micro releases 9.6.200, an alert will tell you that software updates are available. However, if 10.0.xxx (a major version difference) is released and you don't have any 10.0 agents, the alert will not appear (even though 10.0is newer than 9.6.100).

Updated software packages are automatically imported into Deep Security as a Service and appear on Administration > Updates > Software > Local.

How Deep Security validates update integrity

Both software updates and security updates are digitally signed. In addition to automatic checks, if you want to manually validate the signatures or checksums, you can use external tools such as:

Digital signatures

When security updates are viewed, used, or imported into the Deep Security Manager database (either manually or automatically, via scheduled task), the manager validates the signature. A correct digital signature indicates that the software is authentically from Trend Micro and hasn't been corrupted or tampered with. If the digital signature is invalid, the manager does not use the file. A warning is also recorded in log files such as server0.log:

WARNING: ThID:85|TID:0|TNAME:Primary|UID:1|UNAME:MasterAdmin|Verifying the signature failed.

com.thirdbrigade.manager.core.general.exceptions.FileNotSignedValidationException: "corrupted_rules.zip." has not been digitally signed by Trend Micro and cannot be imported.

If you manually import a security update package with an invalid digital signature, the manager also displays an error message.

Old security updates that aren't signed will fail validation if they are used, even if you successfully imported them in a previous version of Deep Security Manager that did not enforce signatures. For better protection, use new security updates instead. However if you still require the old security updates, you can contact your support provider to request a file that is signed, and then manually import the security update.

Deep Security Agent also validates the digital signature, compares checksums (sometimes called hashes or fingerprints) and uses other, non-disclosed integrity methods.


Software checksums (also called hashes or fingerprints) are published on the Download Center. To view the SHA-256 hash, click the + button next to the software's name.

Deep Security download hash