Linux

Deep Security Agent - 20.0.2-4961 (20 LTS Update 2025-03-12)

Release date: March 12, 2025
Build number: 20.0.2-4961

New features

Version Control Policy: Deep Security Agent now supports Version Control Policy advanced settings, which allow Trend Vision One version control policies to manage kernel support updates for any endpoint with the Trend Micro Endpoint Basecamp (XBC) agent installed. For more information, see Version Control Policies.
This is currently in pre-release, and is only supported for Trend Vision One - Server & Workload Protection. DSA-9384

Enhancements

  • The dsa_scan command now includes a scanLargeFile option for managing larger files. DSA-8825

Resolved issues

  • SAP Scanner sometimes incorrectly classified CSV files if they were larger than 4096 bytes. PCT-51974/DSA-9139
  • Deep Security Agent experienced reduced performance when using TLS 1.3 with some network protocols. DSA-6959

Deep Security Agent - 20.0.2-1390 (20 LTS Update 2025-01-15)

Release date: January 15, 2025
Build number: 20.0.2-1390

New features

User-based Firewall events: Firewall events now include username whenever possible. This feature is in preview and is only available to certain customers at this time.

Enhancements

  • Deep Security Agent now queues packets to handle them in sequence, improving performance. DSA-6916

Resolved issues

  • Deep Security Agent sometimes had connectivity issues when Advanced TLS Traffic Inspection was enabled. DSA-8577

Security updates

This release contains updates to third-party libraries. DSA-7696/DSA-7697/DSA-8042

Deep Security Agent - 20.0.1-25771 (20 LTS Update 2024-12-10)

Release date: December 10, 2024
Build number: 20.0.1-25771

New features

Version Control Policy: Deep Security Agent now supports Version Control Policy, which allows Trend Vision One version control policies to manage agent and component updates for any endpoint with the Trend Micro Endpoint Basecamp (XBC) agent installed. For more information, see Version Control Policies. This is currently in pre-release, and is only supported for Trend Vision One - Server & Workload Protection.
Quarantine auto-cleanup: Deep Security Agent will now automatically purge parts of files in the quarantine folder if its disk space usage exceeds the maximum amount. Max disk space usage (1024 MB by default) is configurable from Computer (or Policy) > Anti-Malware > Advanced > Identified Files. This feature is only available for Cloud One Workload Security at this time.

Enhancements

  • Deep Security Agent 20.0.1.25771 or later supports FIPS mode for Ubuntu 22.04. DSA-7699
  • Deep Security Agent now supports Advanced TLS Traffic Inspection for Intrusion Prevention on Apache Tomcat servers running OpenJDK 8 on 64-bit Linux operating systems. DSA-8244
  • Deep Security SAP Scanner can now report results to SAP applications when it identifies password-protected compressed files attached to an email in Microsoft Outlook Item (MSG) format. SF07873657/PCT-23367/DSA-7716
  • Anti-Malware's Behavior Monitoring detection level and prevention level can now be configured. DSA-6796
  • Deep Security Agent now detects if its relay proxy is Trend Vision One Service Gateway Forward Proxy Service, and uses the Service Gateway domain allow list to decide whether the connection should use the relay proxy or not. SF07267852/PCT-29311/DSA-6274
  • Deep Security Agent now supports additional options to fine-tune detection sensitivity for Anti-Malware, Behavior Monitoring, and Predictive Machine Learning for real-time scan. This enhancement is only available in Trend Cloud One - Endpoint & Workload Security. DSA-6062
  • Improved detection and protection against malicious processes that can be launched through a memory file descriptor (memfd). DSA-6009

Resolved issues

  • Events including packet data were being logged with an incorrect packet size. PCT-45556/DSA-8074
  • Some systems with Anti-Malware enabled encountered a memory leak. DSA-8243
  • Some systems encountered a memory issue that caused Anti-Malware to stop working. PCT-46330/DSA-8156
  • Deep Security SAP Scanner would incorrectly report scan failures when two or more files with the same content were included in a compressed file. PCT-38781/DSA-7324
  • Deep Security Agent had higher than usual CPU usage if Integrity Monitoring was disabled following an Integrity Monitoring scan. SF07991055/PCT-31459/DSA-6195
  • Rebooting caused some systems to hang if agent self-protection was enabled. PCT-27574/PCT-29800/DSA-6007
  • When SAP was enabled, duplicate exclude paths were sometimes created and would remain even after SAP was disabled. DSA-7595

Security updates

This release contains updates to third-party libraries. DSA-7124

Deep Security Agent - 20.0.1-23340 (20 LTS Update 2024-11-13)

Release date: November 13, 2024
Build number: 20.0.1-23340

Enhancements

  • Deep Security Agent 20.0.1-23340 or later adds additional support for Red Hat Enterprise Linux 9 (PowerPC little-endian). For details, see supported features by platform for Deep Security 20 LTS or Trend Cloud One - Endpoint & Workload Security. DSA-7234
  • Web Reputation Service can now use Server Name Indication (SNI) queries when determining the risk level of a website. DSA-7314
  • Connection timeout for the Predictive Machine Learning service was extended to nine seconds to reduce the number of "Census, Good File Reputation, and Predictive Machine Learning Service Disconnected" events (Event ID 945). DSA-5321

Resolved issues

  • When Deep Security Agent had Advanced TLS Traffic Inspection enabled using Transport Layer Security (TLS) 1.3, some systems encountered a kernel panic crash. PCT-43009/DSA-7787
  • Some systems running Deep Security Agent encountered an operating system crash caused by retrieving an invalid memory address. PCT-33865/DSA-6335

Deep Security Agent - 20.0.1-21510 (20 LTS Update 2024-10-16)

Release date: October 16, 2024
Build number: 20.0.1-21510

New features

Red Hat Enterprise Linux 9 (PowerPC little-endian) support: Deep Security Agent 20.0.1-21510 or later supports Anti-Malware and SAP Scanner for Red Hat Enterprise Linux 9 (PowerPC little-endian). This requires Deep Security Manager 20.0.979 or later.

Enhancements

  • Advanced Threat Scan Engine has been updated to version 24.5. DSA-7354

Resolved issues

  • High CPU usage would occur when both Application Control and FIPS were enabled. DSA-6842
  • When the SAP Scanner library re-established connections to Deep Security Agent, the scan requests sent from the SAP Scanner library would sometimes be rejected. SF08196066/PCT-34824/DSA-7608
  • Deep Security SAP Scanner would sometimes crash when scanning for files in certain formats, like CSV. PCT-41353/DSA-7609

Deep Security Agent - 20.0.1-19250 (20 LTS Update 2024-09-18)

Release date: September 18, 2024
Build number: 20.0.1-19250

New features

Ubuntu 24.04 support: Deep Security Agent 20.0.1-19250 or later supports Ubuntu 24.04 including Secure Boot support. This requires Deep Security Manager 20.0.954 or later.

Enhancements

  • Updated Deep Security Agent to improve compatibility with older versions of the SAP Scanner. SF08196066/PCT-34824/DSA-6819
  • Deep Security Agent now supports the Alibaba Cloud connector type. DSA-6018

Resolved issues

  • Deep Security Agent caused high CPU usage on systems with both Application Control and FIPS enabled. DSA-6842
  • Anti-Malware engine did not start correctly during Deep Security Agent startup on systems using XDR Endpoint Sensor. DSA-7158
  • An issue detecting the operating system information sometimes prevented Deep Security Agent from installing on Rocky Linux 9. PCT-26151/DSA-5630

Security updates

This release contains updates to third-party libraries. DSA-6156/DSA-6942

Deep Security Agent - 20.0.1-17380 (20 LTS Update 2024-08-21)

Release date: August 21, 2024
Build number: 20.0.1-17380

Enhancements

  • Web Reputation Service "Smart Protection Server Disconnected" events now include FQDN or IP address information in the description field. DSA-5408
  • SAP Scanner now classifies Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages as text files. SF07895338/PCT-24359/DSA-5790
  • SAP Scanner now associates JavaScript with compatible file extensions. For details, see Supported MIME types. SF08102626/PCT-31518/DSA-6192

Resolved issues

  • Anti-Malware engine sometimes crashed. DSA-5536
  • SAP Scanner incorrectly classified valid CSV files if the data was formatted on a single line. SF07967718/PCT-26844/DSA-6102
  • SAP Scanner sometimes incorrectly identified image files as ASP scripts. SF07764878/PCT-20406/DSA-6122
  • Kernel Support Package (KSP) did not reload automatically after being imported. DSA-6159
  • Deep Security Agent could not load the policy if some policy configuration fields contained curly brackets. DSA-6189
  • Deep Security Agent failed to activate if the hostname contained non-ASCII characters. PCT-32214/DSA-6268
  • Deep Security Agent sometimes failed to shut down completely if integrating with Trend Micro Endpoint Basecamp (XBC) agent. SF08143019/PCT-32915/DSA-6347
  • Deep Security Agent incorrectly created a temporary directory named /opt/ds_agent@tmp during installation. DSA-6412
  • When Intrusion Prevention was enabled for Deep Security Agent, some third-party applications had connectivity issues if they were reusing a source port. SF07685331/PCT-20541/DSA-5596
  • When Anti-Malware accessed files on a Cluster Shared Volume, the Hyper-V host crashed. SF05713918/SF05850687/SF07038125/SEG-146660/SEG-148664/SEG-186072/PCT-41910/PCT-5467/DSSEG-7664

Known issues

  • Deep Security Agent Application Control causes high CPU usage. PCT-36414
  • Anti-Malware engine is not starting correctly during Deep Security Agent startup on systems using XDR Endpoint Sensor. DSA-7158

Deep Security Agent - 20.0.1-14610 (20 LTS Update 2024-07-17)

Release date: July 17, 2024
Build number: 20.0.1-14610

New features

SUSE Linux Enterprise Server 15 (AWS ARM-Based Graviton 2) support: Deep Security Agent 20.0.1-14610 or later supports SUSE Linux Enterprise Server 15 (AWS ARM-Based Graviton 2). This requires Deep Security Manager 20.0.926 or later. DSA-4836

Enhancements

  • SAP Scanner now associates the following MIME types with compatible file extensions. For details, see Integrate with SAP NetWeaver.
    • TrueType Font (TTF). SF08102626/PCT-31518/DSA-6049
    • Java Archive (JAR). SF08102626/PCT-31518/DSA-6044
    • Apple QuickTime File Format (QTFF). SF07967718/SF07840151/PCT-22825/PCT-26844/DSA-5887/DSA-5567
    • Microsoft Advanced Systems Format (ASF). SF07967718/PCT-26844/DSA-5886

Resolved issues

  • Deep Security Agent still tried to test connections for Service Gateways. DSA-5814
  • A Deep Security Agent restart sometimes caused Application Control to report drift events. SF07813110/PCT-25731/DSA-5798
  • Deep Security Agent was only able to use the primary IP address for Service Gateway. DSA-4513
  • Integrity Monitoring real-time scans sometimes failed to generate events. SF07269768/PCT-21721/DSA-5877
  • Switching from User Mode to Kernel Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes caused Deep Security Agent to lose real-time Anti-Malware protection. DSA-6090

Deep Security Agent - 20.0.1-12510 (20 LTS Update 2024-06-19)

Release date: June 19, 2024
Build number: 20.0.1-12510

Resolved issues

  • When Anti-Malware had only basic functions, some systems would hang. DSA-4821
  • When Anti-Malware was enabled, Deep Security Agent sometimes failed to shut down completely. PCT-26090/DSA-5492

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-12022/DSA-5484
Highest Common Vulnerability Scoring System (CVSS) score: 5.5
Highest severity: Medium

Known issues

  • There is a performance impact when Inspect Inbound TLS/SSL Traffic and Inspect Outbound TLS/SSL Traffic are enabled at the same time in Advanced TLS Inspection settings. For details, see Performance impact of bi-directional TLS inspection in Deep Security. DSA-5959
  • Switching from User Mode to Kernel Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6090
  • Switching to User Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6104

Deep Security Agent - 20.0.1-9400 (20 LTS Update 2024-05-16)

Release date: May 16, 2024
Build number: 20.0.1-9400

New features

User mode solution: User mode can now be enabled from the Trend Cloud One - Endpoint & Workload Security or Deep Security Manager UI to provide event generation and protection through basic functions for Anti-Malware on systems that lack kernel support.

Enhancements

  • SAP Scanner now supports the SCANLOGPATH parameter. For details, see Integrate with SAP NetWeaver. PCT-21958/DSA-4924
  • Updated Deep Security Agent to improve the priority for configurations using a proxy. DSA-4817/PCT-21750
  • Deep Security Agent can now retrieve Service Gateway settings from the Trend Micro Endpoint Basecamp (XBC) agent. DSA-4841/V1E-13468

Resolved issues

  • Deep Security Agent security updates sometimes failed after reconfiguring proxy settings. PCT-18382/DSA-5390
  • Using Deep Security Agent with Web Reputation Service enabled prevented some Application Performance Monitoring (APM) applications from functioning correctly. SF04072723/SEG-97952/PCT-15716/DSA-4750
  • Deep Security Agent Anti-Malware and network drivers were unable to load on systems using Security-Enhanced Linux (SELinux) enforcing mode with its default policies. PCT-14630/DSA-4917
  • Deep Security Agent was sometimes unable to detect Linux system firewall port settings, which prevented the agent Firewall from allowing ports required for it to function. SF07650853/PCT-16253/DSA-4849
  • Anti-Malware on-demand scans sometimes used file descriptors incorrectly, which resulted in "Bad file descriptor" log errors. DSA-4051
  • Anti-Malware engine sometimes crashed. PCT-25789/DSA-4051

Security updates

This release contains updates to third-party libraries. DSA-4187

Known issues

  • This release excludes the Deep Security Agent package for Oracle Linux 6 (32-bit) as it reports the Anti-Malware Engine status incorrectly. DSA-5557
  • Switching from User Mode to Kernel Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6090
  • Switching to User Mode (Computer or Policy > System > General > Choose whether to use Drivers for System Protection) sometimes causes Deep Security Agent to lose real-time Anti-Malware protection. DSA-6104

Deep Security Agent - 20.0.1-7380 (20 LTS Update 2024-04-24)

Release date: April 24, 2024
Build number: 20.0.1-7380

New features

User mode solution: This feature provides basic Anti-Malware functions through Fanotify and eBPF on systems that lack kernel support. Deep Security Agent cannot protect runtime container workloads in this mode.

Enhancements

  • Deep Security Agent 20.0.1-7380 or later adds additional support (including SAP Scanner) for SUSE Linux Enterprise Server 12 (PowerPC little-endian). For details, see supported features by platform for Deep Security 20 LTS or Trend Cloud One - Endpoint & Workload Security. DSA-2626
  • Deep Security Agent 20.0.1-7380 or later adds additional support (including SAP Scanner) for SUSE Linux Enterprise Server 15 (PowerPC little-endian). For details, see supported features by platform for Deep Security 20 LTS or Trend Cloud One - Endpoint & Workload Security. DSA-2630
  • Deep Security Agent now supports Trend Vision One Service Gateway exclusions. This is only supported for Trend Cloud One - Endpoint & Workload Security users at this time. V1E-17754
  • Deep Security Agent can have its proxy configuration set by the Trend Vision One Proxy Manager. V1E-14557

Resolved issues

  • Deep Security Agents running in cloud environments sometimes could not be activated for Trend Cloud One - Endpoint & Workload Security. DSA-4861
  • When SAP Scanner was enabled, system events for "SAP: Anti-Malware module is not ready" or "SAP: Virus Scan service is not working correctly" sometimes displayed during Deep Security Agent upgrade. These system event messages were triggered by the restart of Deep Security Agent modules. There was no functional impact. DSA-4603
  • Deep Security Agent caused high CPU usage on some systems using TLS inspection with the tm_netagent process running. PCT-22031/DSA-4805
  • After enabling Trend Micro Service Gateway Generic Caching Service (GCS) from Trend Vision One, Deep Security Manager and Trend Cloud One - Endpoint & Workload Security displayed the "Check Status Failed" error when communicating with Deep Security Agent. DSA-4763
  • The local Smart Protection Server sometimes showed an incorrect number of Deep Security Agents. DSA-3780

Deep Security Agent - 20.0.1-4540 (20 LTS Update 2024-03-20)

Release date: March 20, 2024
Build number: 20.0.1-4540

New features

CPU Usage Control: This feature provides three predefined modes to throttle CPU usage of Anti-Malware Real-Time Scan (Computer > Settings > General > CPU Usage Control). This is only supported for Trend Cloud One - Endpoint & Workload Security customers at this time. DSA-2465

Enhancements

  • SAP Scanner is now supported on Deep Security Agent 20.0.1-4540 or later for Red Hat Enterprise Linux 9. DSA-4213
  • The SAP Scanner status for Deep Security Agent is now displayed in the console. DSA-3329
  • The Deep Security Agent version is now displayed in the SAP Scanner library. SF07483850/PCT-10077/DSA-3304

Resolved issues

  • Some systems encountered higher than normal CPU usage and performance issues if Deep Security Agent lost its connection to the Smart Protection Server. SF07552865/PCT-12430/DSA-3784
  • Deep Security Agent incorrectly classified the MIME type of .dwg files generated by AutoCAD, from AutoCAD 2004 to AutoCAD 2024. SF07027236/SEG-186079/PCT-5797/DSA-2901

Known issues

  • When SAP Scanner is enabled, system events may cause a message "SAP: Anti-Malware module is not ready" or "SAP: Virus Scan service is not working correctly" to be displayed temporarily during the Deep Security Agent upgrade. This is caused by the restart of Deep Security Agent modules. There is no functional impact. DSA-4572
  • After enabling Trend Micro Service Gateway Generic Caching Service (GCS) from Trend Vision One, Deep Security Manager and Trend Cloud One - Endpoint & Workload Security display the "Check Status Failed" error when communicating with Deep Security Agent. For details, see Deep Security Agent reports "Check Status Failed" after enabling Service Gateway Generic Caching Service. DSA-2756

Deep Security Agent - 20.0.1-3180 (20 LTS Update 2024-02-29)

Release date: February 29, 2024
Build number: 20.0.1-3180

Enhancements

  • Deep Security Scanner (SAP) now reports files containing Microsoft Office Macros as Active Content, while previously they were identified as Malware. PCT-5979/DSA-3911

Resolved issues

  • Migration of agents from on-premise Deep Security Manager to Trend Cloud One - Endpoint & Workload Security using Trend Vision One Service Gateway failed. This issue could also occur when migrating using other proxy services. PCT-16649/DSA-4144
  • The expected MIME type for .msg files by the Deep Security Agent SAP Scanner was incorrect. PCT-5797/DSA-4050
  • Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent sometimes resulted in a TLS inspection process (tm_netagent) error log rotation issue. DSA-3965
  • Deep Security Agent could not start because a keyword in its system configuration was incorrectly interpreted. SEG-156447/PCT-8768/DSA-3897
  • Smart Scan hung during its update because the IPv6 configuration could not be detected automatically. DSA-3287
  • When Deep Security Agent is installed on a system with Fanotify enabled, the Anti-Malware process restarting or stopping sometimes caused the system to freeze. PCT-6047/SEG-190061/DSA-4474

Known issues

  • The Application Control Trust Entities block by target trust rule sometimes does not work properly when running a copy of an executable file. PCT-11105/DSA-3324

Deep Security Agent - 20.0.1-690 (20 LTS Update 2024-01-17)

Release date: January 17, 2024
Build number: 20.0.1-690

New features

Command line scan: Deep Security Agent now supports on-demand scans triggered using dsa_scan from a command line interface.
This is currently only available to Trend Cloud One - Endpoint & Workload Security customers. For more information, see Command-line basics. V1E-6993

Resolved issues

  • Deep Security Agent was sometimes unable to connect to the local Smart Protection Server. DSA-3564
  • When FIPS mode was disabled, Deep Security Agent used the OpenSSL configuration specified by the system environment variables rather than the config specified by the agent. PCT-4914/DSA-2651/DSA-2737/DSA-2738
  • Deep Security Agent would incorrectly log network errors when the SAP scanner was enabled. DSA-3548
  • Files added to the SAP Scanner allow list without including a file extension were being blocked when they should have been allowed. SF06565062/SEG-170933/DS-77132/DSA-3424
  • When using Deep Security Agent on a system with Fanotify enabled, quarantining a file sometimes caused the system to freeze. PCT-6047/SEG-190061/DSA-2473

Deep Security Agent - 20.0.0-8453 (20 LTS Update 2024-01-17)

Release date: January 17, 2024
Build number: 20.0.0-8453

Deep Security Agent - 20.0.0-8438 (20 LTS Update 2023-12-12)

Release date: December 12, 2023
Build number: 20.0.0-8438

New features

Debian 12 support: Deep Security Agent 20.0.0-8438 or later supports Debian 12 including Secure Boot support. This requires Deep Security Manager 20.0.864 or later. DSA-1408

Enhancements

  • Removed some file types from the scanning list to avoid high CPU and disk consumption. SF07099651/SEG-188688/DSA-2010
  • Agent self-protection now protects the Advanced TLS Traffic Inspection process (tm_netagent) preventing local users with administrator privileges from stopping it. DSA-1042/DSA-1043
  • Telemetry now reports the IPv4 and IPv6 address of all network interfaces. V1E-4543

Resolved issues

  • When using a local Smart Protection Server and a configured proxy, Web Reputation Service would sometimes improperly send traffic through the proxy. Web Reputation Service now sends queries to the local Smart Protection Server directly. DSA-2981
  • A memory leak would occur when loading large Suspicious Object lists. SF06904914/SEG-182231/DSA-1370

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSA-2722
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: Critical

Deep Security Agent - 20.0.0-8268 (20 LTS Update 2023-11-21)

Release date: November 21, 2023
Build number: 20.0.0-8268

New features

  • Deep Security Agent now supports Trend Micro Service Gateway Generic Caching Service (GCS). DSA-2035
  • Deep Security Agent now supports FIPS mode for Debian 10 and Debian 11. This requires Deep Security Manager 20.0.854 or later. DSA-1955

Resolved issues

  • Deep Security Anti-Malware sometimes did not function as expected after the system had resumed from sleep mode (S0 low-power idle mode of the working state, also known as modern standby). SF07326571/PCT-5476/DSA-2485
  • Deep Security Manager displayed the status of the VM protected by the Deep Security Virtual Appliance as Offline, after the Deep Security Virtual Appliance had been upgraded to version 20.0.0-7943 or 20.0.0-8137. The Deep Security Virtual Appliance itself was functioning properly and displayed the status as Managed (Online). SF07317008/SF07313849/SF07331882/PCT-4330/PCT-4607/PCT-4899/DSA-2259
  • Deep Security Agent incorrectly classified the MIME type of .xml files generated by Microsoft Word, Excel, PowerPoint, as well as .dwg files generated by AutoCAD and R2000. SF07027236/SEG-186079/DSA-2202

Known issues

  • Linux virtual machines froze when trying to update the Smart Scan pattern. As a workaround, you can add the /opt/ds_agent/lib/libvmpd_scanctrl.so=icrc_try_update=0 key to the ds_am.ini file and restart the DSA service. SF07031242/PCT-5795/DSA-2616
  • Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773
  • Upgrading to Deep Security Agent 20.0.0-8268 sometimes fails when Firewall, Web Reputation Service, or Intrusion Prevention System are enabled. This issue is resolved in Deep Security Agent 20.0.0-8453 or later for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. For details, see Failure to install or upgrade to Deep Security Agent version 20.0.0-7943 to 20.0.0-8438 for Linux when Network Modules are enabled. DSA-3834

Deep Security Agent - 20.0.0-8137 (20 LTS Update 2023-10-26)

Release date: October 26, 2023
Build number: 20.0.0-8137

New features

Miracle Linux 9 support: Deep Security Agent 20.0.0-8137 or later supports Miracle Linux 9, including FIPS mode and Secure Boot support. This requires Deep Security Manager 20.0.844 or later.

Known issues

  • Upgrading to Deep Security Agent 20.0.0-8137 sometimes fails when Firewall, Web Reputation Service, or Intrusion Prevention System are enabled. This issue is resolved in Deep Security Agent 20.0.0-8453 or later for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. For details, see Failure to install or upgrade to Deep Security Agent version 20.0.0-7943 to 20.0.0-8438 for Linux when Network Modules are enabled. DSA-3834
  • Deep Security Manager displays the status of guest VMs protected by the Deep Security Virtual Appliance 20.0.0-7943 as Offline or Check Status Failed (Activation Required). SF07317008/SF07313849/SF07331882/PCT-4330/PCT-4607/PCT-4899/DSA-2259

Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)

Release date: September 26, 2023
Build number: 20.0.0-7943

New features

Red Hat Enterprise Linux 8.6 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943 or later supports only the Anti-Malware on-demand scan feature for Red Hat Enterprise Linux 8.6 (PowerPC little-endian). This requires Deep Security Manager 20.0.817 or later. Security updates are currently unsupported for this platform.
SUSE Linux Enterprise Server 12 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943 or later supports only the Anti-Malware on-demand scan feature for SUSE Linux Enterprise Server 12 (PowerPC little-endian). This requires Deep Security Manager 20.0.817 or later. Security updates are currently unsupported for this platform.
SUSE Linux Enterprise Server 15 (PowerPC little-endian) on-demand scan support: Deep Security Agent 20.0.0-7943 or later supports only the Anti-Malware on-demand scan feature for SUSE Linux Enterprise Server 15 (PowerPC little-endian). This requires Deep Security Manager 20.0.817 or later. Security updates are currently unsupported for this platform.
Note
Security updates are not supported on PowerPC platforms at this time. The Advanced Threat Scan Engine (ATSE) status does not display correctly and the following alerts are expected on RHEL 8.6, SUSE 12, and SUSE 15:
  • Security Update: Security Update Check and Download Failed (Agent/Appliance error)
  • Status: Out of Date

Enhancements

  • New commands exist to get proxy information from the command line. DSA-864
    • dsa_query -c GetProxyInfo
    • dsa_query -c GetProxyInfo details=true
  • All Trend Micro public keys that are used to validate kernel module signatures are now included by default in the Deep Security Agent packages. SF06915385/SEG-185980/DSA-1569
  • In order to display agent pattern updates properly, Deep Security Agent 20.0.0-7943 or later requires Deep Security Manager 20.0.759 or later. For more information, see Incompatible Agent / Appliance Version error in Deep Security Agent 20.0.0-7943. SEG-190866/SEG-191017/DSA-1531

Resolved issues

  • Deep Security Agent ignored the file if the exclusion list for the file or folder contained an empty path from Deep Security Manager. PCT-1066/DSA-1873

Known issues

  • Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent might result in a TLS inspection process (tm_netagent) error log rotation issue. For details, see TLS inspection process error log rotation problem in Deep Security. DSA-3773
  • Upgrading to Deep Security Agent 20.0.0-7943 sometimes fails when Firewall, Web Reputation Service, or Intrusion Prevention System are enabled. This issue is resolved in Deep Security Agent 20.0.0-8453 or later for Trend Cloud One - Endpoint & Workload Security, but continues to affect Deep Security Manager 20.0.854, 20.0.864, and 20.0.879. DSA-3834
  • Deep Security Manager displays the status of guest VMs protected by the Deep Security Virtual Appliance 20.0.0-7943 as Offline or Check Status Failed (Activation Required). SF07317008/SF07313849/SF07331882/PCT-4330/PCT-4607/PCT-4899/DSA-2259

Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)

Release date: August 29, 2023
Build number: 20.0.0-7719

New features

Miracle Linux 8 support: Deep Security Agent 20.0.0-7719 or later now supports Miracle Linux 8, including FIPS mode. This requires Deep Security Manager 20.0.817 or later.

Enhancements

  • Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
  • Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. (Agents configured as a Deep Security Relay still download all pattern updates.) DSA-1000
  • The "blocking page" Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
  • Advanced Threat Scan Engine has been updated to version 22.6. DSA-453

Resolved issues

  • Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
  • Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
  • Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756
  • TLS Inspection Package updates sometimes caused the ds_nuagent service to stop unexpectedly. DSA-1319

Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)

Release date: July 25, 2023
Build number: 20.0.0-7476

Enhancements

  • Updated the dsa-connect service to improve CPU performance. C1WS-12970
  • Deep Security Agent 20.0.0-7476 now supports FIPS mode for Red Hat Enterprise Linux 9. DS-77642
  • Updated Deep Security Agent Scanner (SAP) to accept up to 512 parallel client connections established by SAP NetWeaver. Note that the previous connection limit was 256. SF06983349/SEG-184190/DS-78229

Resolved issues

  • Smart Protection Servers would sometimes lose connectivity with Web Reputation Service. SF06423462/SEG-166651/DSSEG-7858

Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)

Release date: June 28, 2023
Build number: 20.0.0-7303

New features

Amazon Linux 2023 support: Deep Security Agent 20.0.0-7303 or later now supports Amazon Linux 2023, including FIPS mode. This requires Deep Security Manager 20.0.789 or later.
Note
At time of release, Amazon Linux 2023 is not yet certified for FIPS. See the Amazon Linux 2023 release notes for the latest support information.
Amazon Linux 2023 (AWS ARM-Based Graviton 2): Deep Security Agent 20.0.0-7303 or later now supports Amazon Linux 2023 on AWS Graviton 2. This requires Deep Security Manager 20.0.789 or later.
Advanced TLS Traffic Inspection now supports Oracle Linux 9 (64-bit), Red Hat Enterprise Linux 9 (64-bit), and Ubuntu 22.04 (64-bit).

Enhancements

  • Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation, such as fe80:0:0:0:0:0:0:1/24 or fe80::01. SF04849178/SEG-122076/DS-67280
  • Web Reputation Service now automatically monitors the ports used by the OS proxy configuration. DS-77233
  • Removed unnecessary proxy scheduled tasks from the Deep Security Virtual Appliance. This should prevent "Timed out waiting for relay to msg" and "Error creating task..." errors in the logs. SF06844880/SEG-179554/DS-77440

Resolved issues

  • When Secure Boot is enabled but the signing key has not been loaded, the system would crash when Anti-Malware used the fanotify facility. SF06464888/SEG-167771/DS-76161
  • Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
  • The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
  • Deep Security Relay 20.0.0-7119 failed to provide security and software updates when using the improved Relay. SF06935222/SEG-183184/DS-78201
  • The Deep Security Agent connection count could overflow under certain conditions. DS-76902
  • Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709

Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)

Release date: May 29, 2023
Build number: 20.0.0-7119

Enhancements

  • MQTT connection credentials were entered in the Deep Security Agent log file (ds_agent.log) in certain scenarios. SEG-174560/C1WS-13282
  • Deep Security Agent crashed some systems when they were out of memory. SF06704797/SEG-175243/DSSEG-7875
  • Agent self-protection now secures the Advanced TLS inspection process (ds_nuagent), preventing local users with administrator privileges from stopping it. DS-74080
    Systems running Red Hat Enterprise Linux 7 (64-bit) with SELinux may require some manual configuration to avoid permission issues following this update. For details, see BPF permission denied for ds_nuagent with RedHat 7 SELinux enforcing mode in Deep Security.
  • Deep Security Agent now runs within a predefined group and accepts outbound traffic. DS-77415

Resolved issues

  • Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
  • After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453
  • When Anti-Malware was enabled, Deep Security Agent caused high CPU usage on some systems. DS-77758

Deep Security Agent - 20.0.0-6912 (20 LTS Update 2023-05-02)

Release date: May 02, 2023
Build number: 20.0.0-6912

New features

Red Hat Enterprise Linux Workstation 7 support: Deep Security Agent 20.0.0-6912 or later now supports Red Hat Enterprise Linux Workstation 7, including Secure Boot support. This requires Deep Security Manager 20.0.759 or later.
AlmaLinux 9 support: Deep Security Agent 20.0.0-6912 or later now supports AlmaLinux 9, including Secure Boot support. This requires Deep Security Manager 20.0.759 or later.

Enhancements

  • Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to ds_agent.ini. SF06664116/SEG-173848/DS-77182
    Example proxy probing line in ds_agent.ini config file:
    dsa.proxymanager.ProbeTimeoutInSec=120
  • Deep Security Agent installer now prevents the agent from updating if it detects SHA-1 was used to sign the certificate on the agent installer. This prevents the agent from updating and becoming unresponsive, since Deep Security Agent 20.0.0-6313 and higher requires RSA-2048 and SHA-256. For more information on certificate upgrade, see Upgrade the Deep Security cryptographic algorithm. DS-76499
  • Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840
  • Deep Security Agent now includes path and PID (process ID) for Anti-Malware events. SF05682761/SEG-147452/DS-72909

Resolved issues

  • When connecting through a proxy with FIPS mode enabled, Deep Security Agent sometimes had connectivity issues with IoT devices. SEG-174776/DS-77197
  • Deep Security Agent's Anti-Malware module sometimes failed to restart following an IPC (inter-process communication) timeout. DS-76889/SEG-169218
  • A compatibility issue between the Deep Security Agent network driver and some third-party products caused systems to crash. SEG-156743/DS-75377
  • Deep Security Virtual Appliance sometimes crashed when connecting by HTTPS to a Smart Protection Server. SEG-169451/DS-76968
  • Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896
  • When Web Reputation Service was enabled, Deep Security Agent caused some systems to shut down unexpectedly. SF06680505/SEG-174730/DSSEG-7866
  • Files added to the SAP Scanner allow list without including a file extension were being blocked when they should have been allowed. SF06565062/SEG-170933/DS-77132
  • Deep Security Agent sometimes crashed when shutting down after downloading new plugins from the relay. DS-76961
  • Deep Security Agent caused some systems to reboot unexpectedly. SF06584000/SEG-171147/DSSEG-7851

Deep Security Agent - 20.0.0-6658 (20 LTS Update 2023-03-22)

Release date: March 22, 2023
Build number: 20.0.0-6658

New features

Oracle Linux 9 support: Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.737 or later now supports Oracle Linux 9, including FIPS mode and Secure Boot support.
Service Gateway: Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.741 or later now supports the Service Gateway feature, providing forward proxy functionality.

Enhancements

  • When an Application Control Trust Entities path rule uses a wildcard without specifying a filename, the wildcard now applies to all files in any directory matching the rule's path. Note that previously, the globstar (**) wildcard would apply to a path rule's directory and subdirectories, as opposed to the single star (*) wildcard which would only match within the path rule's directory. DS-75133
  • Web Reputation Service now includes OS platform metadata. DS-75453
  • Anti-Malware events generated by the SAP Scanner now include file hashes. DS-75648/SEG-165491
  • Application Control now checks web browser execution of .HTML, .HTM, and .JS files. DS-75102
  • Deep Security Agent now sends full command lines for processes to Deep Security Manager, improving the Recommendation Scan's rule recommendations. Note that previously, the agent only sent the first 2048 characters of each process's command line. C1WS-11728
  • Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.737 or later now supports Secure Boot for Ubuntu 22.04. DS-73729
  • Deep Security Agent 20.0.0-6658 or later now supports the Proxy Manager for Trend Micro Vision One (XDR) Threat Intelligence - User-Defined Suspicious Object (UDSO). DS-75365
  • The logger supports an on-demand JSON config file (either dsa-connect.ini or dsa-connect.conf) with the following configurable options:
    • Debug: Enable the debug log messages. The default value is false.
    • Count: Number of log files to generate. The default value is 5.
    • Size: Maximum size of each log file in bytes. The default value is 2097152.
    Example config file:
    { "Debug": true, "Count": 5, "Size": 2097152 }
  • Deep Security Agent can now have a maximum of 1024 process tasks when deployed on Red Hat or SUSE. PCT-25908/DSA-5507

Resolved issues

  • When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
  • The Deep Security Agent kernel support package download was sometimes interrupted, generating "Agent Integrity Check Failed" warnings and "Kernel Unsupported" errors. SEG-169497/DS-76545
  • Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
  • Anti-Malware Behavior Monitoring had a driver issue causing kernel warnings on some systems. SF06254724/SEG-163042/ORCA-762
  • When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
  • Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
  • A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
  • When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
  • Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
  • Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
  • Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
  • Deep Security Agent was unable to connect to the Anti-Malware Smart Scan service on some systems. SEG-168468/DS-76433
  • Deep Security Agent caused performance issues on systems generating a large number of container environment Application Control events. SF06538377/SEG-169605/DS-76594

Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)

Release date: January 31, 2023
Build number: 20.0.0-6313

New feature

Agent self-protection: This feature helps prevent users on the local system from tampering with the agent. For more information, and help configuring agent self-protection, see Enable or disable agent self-protection in Linux.
Rocky Linux 9 support: Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.716 or later now supports Rocky Linux 9, including FIPS mode and Secure Boot support. DS-73727

Enhancements

  • Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL/TLS certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676
  • With Anti-Malware and Behavior Monitoring enabled, Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.716 or later now monitors for suspicious behavior to improve protection against MITRE attack scenarios. DS-73644
  • Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.711 or later now supports FIPS mode for Oracle Linux 8. DS-73778

Resolved issues

  • When Application Control was enabled, Deep Security Agent's status sometimes became stuck at "Application Control Ruleset Update In Progress". DS-74627
  • For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent only shows the final successful event. SF06207160/SEG-160085/DSSEG-7765
  • Deep Security Agent crashes and issues connecting with Deep Security Manager caused Anti-Malware Offline events. SF06061098/SEG-154701/DS-74665
  • With Web Reputation enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (_) entered in a command was replaced with a dash (-), and an uppercase Z was replaced with a lowercase z. DS-74335
  • Application Control sometimes failed to block programs running in namespace mode. SF05929869/SEG-151363/DS-74116
  • Integrity Monitoring sometimes failed to create events after running certain console commands (for example, passwd or mv commands). 05718251/SEG-148552/DS-72643
  • Older Application Control events were not being removed from the database as intended, causing the events.db file size to increase indefinitely. SF06172729/SEG-159548/DS-74706
  • When Integrity Monitoring event generation is interrupted by a process or system crash, it could lead to incorrect events being created. SF05508030/SEG-138756/DS-72470

Known issues

Deep Security Agent - 20.0.0-5953 (20 LTS Update 2022-11-22)

Release date: November 22, 2022
Build number: 20.0.0-5953

New feature

Agent self-protection: This feature helps prevent users on the local system from tampering with the agent. For more information, and help configuring agent self-protection, see Enable or disable agent self-protection in Linux.

Enhancements

  • Deep Security Agent 20.0.0-5953 or later with Deep Security Manager 20.0.711 or later now supports FIPS mode for Oracle Linux 8.

Resolved issues

  • Application Control sometimes failed to block programs running in namespace mode. SF05929869/SEG-151363/DS-74116
  • Integrity Monitoring sometimes failed to create events after running certain console commands (for example, passwd or mv commands). 05718251/SEG-148552/DS-72643
  • Older Application Control events were not being removed from the database as intended, causing the events.db file size to increase indefinitely. SF06172729/SEG-159548/DS-74706
  • When Integrity Monitoring event generation is interrupted by a process or system crash, it could lead to incorrect events being created. SF05508030/SEG-138756/DS-72470

Deep Security Agent - 20.0.0-5761 (20 LTS Update 2022-10-21)

Release date: October 21, 2022
Build number: 20.0.0-5761

New feature

Enhanced platform support

  • SAP Scanner support for Oracle Linux 7: Deep Security Agent for Oracle Linux 7 now supports SAP Scanner. VO-1849

Enhancements

  • Updated Deep Security Agent to include additional metadata, such as UserAgent and Referrer, for Web Reputation Services. DS-72196
  • Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
  • Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085
  • Deep Security Agent now can be deployed without additional dependency on System V packages. DS-73588

Resolved issues

  • With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
  • If the Deep Security Agent service stopped while running Application Control in Maintenance Mode, executable files created after the service stopped were not being auto-approved as intended. SF05961688/SEG-152045/DS-73570
  • With Advanced TLS traffic inspection enabled, Deep Security Agent had a memory issue that prevented some applications from running. SEG-150631/DS-74039
  • Software, if renamed or copied while Application Control had Maintenance Mode enabled, would remain authorized in the software inventory under its original filename or location. DS-74015
  • Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807
  • The TLS inspection support package failed to download on Deep Security Agents using Edge Relay. DS-73789
  • On Red Hat Enterprise Linux computers, having Anti-Malware enabled would sometimes cause a system crash. SEG-155143/DS-74008

Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)

Release date: September 22, 2022
Build number: 20.0.0-5512

Enhancements

  • Updated Deep Security Agent kernel device module files to comply with Security-Enhanced Linux (SELinux) requirements. DSSEG-7378
  • Deep Security Agent now reports host information with additional details. DS-72609
  • Deep Security Agent now reports host metadata for installed software with additional details. DS-72608
  • Updated Deep Security Agent to add multi-thread support for On-Demand scan and Scheduled Scan. DS-72797/DS-72798
  • Deep Security Agent with Deep Security Manager 20.0.677 or later now supports the automatic update of Advanced TLS Traffic Inspection as operating system libraries change (Computer or Policy > Settings > TLS Inspection Package Update). DS-72828

Resolved issues

  • Trust Entities settings were not being re-applied after turning Application Control off and back on again. SF05930535/SEG-152439/DS-73312
  • When installed on a system that uses secure boot without importing the required sign key, Deep Security Agent generated an Anti-Malware Engine error code with "Reason ID: 13" when it should have generated the code with "Reason ID: 11". For details on Reason IDs, see Warning: Anti-Malware Engine has only Basic Functions. DS-72891
  • Deep Security Agent reported host metadata in an unexpected format. DS-73411

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8100/VRTS-8101/DS-73087/DS-72528
Highest Common Vulnerability Scoring System (CVSS) score: 7.0
Highest severity: High

Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)

Release date: August 29, 2022
Build number: 20.0.0-5394

New features

Ubuntu 22.04 (AWS ARM-based Graviton 2) support: Deep Security Agent 20.0.0-5394 or later with Deep Security Manager 20.0.677 or later is now supported on Ubuntu 22.04 (AWS ARM-based Graviton 2).

Enhancements

  • The Deep Security Agent process now restarts automatically if the file descriptor count is abnormally high, and a counter was added to track how many times this event occurs. SF05212995/SEG-130431/DS-72616
  • Application Control now detects software changes for executables with non-executable extensions. DS-70805
  • Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
  • Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833

Resolved issues

  • When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
  • Log Inspection Engine would go offline when using the '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
  • Anti-Malware would sometimes leak file descriptors. SF05212995/SEG-130431/DS-72979
  • When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
  • Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
  • When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
  • Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
  • Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
  • Patched third-party libraries. Before the patch, the Deep Security Virtual Appliance agent would sometimes crash. SF05559993/SEG-140234/DS-72510

Known issues

  • When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)

Release date: July 26, 2022
Build number: 20.0.0-5137

New features

Advanced TLS Traffic Inspection: Deep Security Agent 20.0.0-5137 or later adds Advanced TLS Traffic Inspection support to platforms that run system updates or package updates. Note that this feature is currently only supported for Trend Cloud One - Workload Security. Support for Deep Security Manager (On-Premise) will be added later.
Red Hat 9 support: Deep Security Agent 20.0.0-5137 or later with Deep Security Manager 20.0.651 or later now supports Red Hat 9.
Amazon Linux 2 support: Deep Security Agent 20.0.0-5137 or later with Deep Security Manager 20.0.651 or later now supports Amazon Linux 2 for AWS Graviton 3.

Enhancements

  • Updated Deep Security Agent to add Anti-Malware support for Red Hat OpenShift. DS-72368
  • Updated Deep Security Agent to reduce CPU usage and improve container performance for real-time Anti-Malware scanning. Previously, all files were scanned during read/write. Now, Anti-Malware file scanning during write is deferred (the file is added to a queue and scanned in the background). DS-65581
  • Deep Security Agent Scanner (SAP) now generates infection reports with additional details. DS-71660
  • Updated Deep Security Agent to improve the "zero-config" SSL process for outbound connections. DS-70715
  • Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes the globstar (**), which matches many subdirectories. A single star (*) now only matches within your current directory. Existing rules that used a single star (*) to match many folders no longer work and need to be changed to use a globstar (**). DS-71817

Resolved issues

  • Deep Security Agent Scanner (SAP) sometimes displayed duplicate Anti-Malware events for .SAR file types. DS-71879
  • Deep Security Agent SAP scanner could not detect the MIME (.TTF) files. DS-55897
  • Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889
  • Deep Security Agent had connectivity issues on some systems. DS-72219

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7102/VRTS-7070/VRTS-7041/VRTS-7039/DSSEG-7636
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium

Known issues

  • When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)

Release date: July 4, 2022
Build number: 20.0.0-4959

New features

Ubuntu 22.04: Deep Security Agent 20.0.0-4959 or later now supports Ubuntu 22.04. This requires Deep Security Manager 20.0.651 or later.
FIPS mode on Ubuntu 20.04: Deep Security Agent 20.0.0-4959 or later now supports FIPS mode for Ubuntu 20.04.

Enhancements

  • Deep Security Agent 20.0.0-4959 or later with Deep Security Manager 20.0.0-414 or later now has improved Anti-Malware support on systems using Fanotify. Previously, "Anti-Malware Engine Offline" events interrupted Anti-Malware function on these systems. Now, an Anti-Malware with basic functions event is recorded and users maintain basic file scanning function, but not advanced scan mechanisms such as Predictive Machine Learning. DS-68552

Resolved issues

  • Deep Security Agent Scanner (SAP) had a connectivity issue preventing it from loading the correct libraries on some systems. DS-71623
  • Deep Security Agent Scanner library sometimes caused SAP applications to crash. DS-71849
  • Anti-Malware was unable to remove immutable or append-only files on some systems. VRTS-7110/DS-52383
  • Using the command line (dsa_control -b), Deep Security Relay failed to extract the bundle file required to update in a closed network environment. SF05715642/SEG-144571/DSSEG-7600
  • With Log Inspection enabled, upgrades to Deep Security Agents 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
  • When Anti-Malware is enabled alongside Integrity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
  • With Anti-Malware enabled, Deep Security Agent sometimes crashed operating systems that were undergoing an ISO backup. SF05532786/SEG-139280/DS-71299
  • Updated Deep Security Agent to immediately report its status to Deep Security Manager when Application Control's maintenance mode is enabled on the agent. DS-71617
  • Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866

Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)

Release date: May 31, 2022
Build number: 20.0.0-4726

Enhancements

  • Updated Deep Security Relay to record its status and other metrics for potential troubleshooting. DS-65763

Resolved issues

  • Trust Entities "allow by target" rules sometimes blocked processes they weren't intended to block. SF04922652/SEG-131710/DS-71060
  • Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
  • Deep Security Agent Scanner library didn't work properly with highly-interrupted SAP applications on Linux systems. As a result, files were scanned, but the results might not be reported to the SAP applications. SF05390384/SEG-136659/DS-71251
  • Following an upgrade, Deep Security Agent would send continuous "Security update in progress" reports to Deep Security Manager. SF05253107/SEG-131983/DS-69747
  • Updated Deep Security Relay to prevent Deep Security Agent from retrieving incomplete signature files for packages. SF05332854/SEG-134394/DS-71228
  • Deep Security Agent had connectivity issues when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
  • An abnormal restart of Deep Security Agent sometimes led to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
  • The secondary DNS setting from the IP pool was not configured when the appliance was deployed. SF05215036/SEG-134844/DSSEG-7535

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-52329
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High

Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)

Release date: April 28, 2022
Build number: 20.0.0-4416

Enhancements

  • Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515

Resolved issues

  • With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7132/DS-70518
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High

Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)

Release date: April 6, 2022
Build number: 20.0.0-4185

New features

Advanced TLS traffic inspection: Advanced TLS traffic inspection adds the capability for inspecting TLS traffic encrypted with modern ciphers, including Perfect Forward Secrecy (PFS). It also enhances virtual patching for HTTPS servers to help protect against vulnerabilities such as Log4j.

Resolved issues

  • Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
  • Deep Security Agent created an "Application Control Engine Offline" error during agent upgrade, and an "Application Control Engine Online Again" message after upgrade completion. Note that an upgrade should not have triggered these events. DS-69888
  • Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
  • Deep Security Agent had SSL connectivity issues when Web Reputation Service was enabled. DS-67675
  • Deep Security Agent sometimes consumed a high amount of system resources during policy updates. SEG-134417/DS-69810

Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)

Release date: March 1, 2022
Build number: 20.0.0-3964

New features

Threat Intelligence: Threat Intelligence (formerly known as Connected Threat Defense) provides enhanced malware protection for new and emerging threats. For more information, see Detect emerging threats using Threat Intelligence.

Enhanced platform support

  • Deep Security Agent 20.0.0-3964 or later is now supported on these platforms:
    • Red Hat 8 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.605+)
    • Debian 11 (requires Deep Security Manager 20.0.605+)

Enhancements

  • Updated Deep Security Agent to exclude suspicious characters, such as $, found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989

Resolved issues

  • With real-time Integrity Monitoring enabled, Integrity Monitoring delete events were not being generated after editing a file and then deleting it. DS-69057
  • Deep Security Agent caused high CPU usage for systems protecting containers. Container protection can now be enabled or disabled in Deep Security Manager (from Computer (or Policy) > Settings > Container Protection). SEG-115751/DSSEG-7334

Deep Security Agent - 20.0.0-3770 (20 LTS Update 2022-01-24)

Release date: January 24, 2022
Build number: 20.0.0-3770

New features

Zero config IPS inspection: Deep Security Agent adds the capability for Intrusion Prevention to inspect TLS encrypted traffic without manually importing certificates. This adds support for more cipher suites as well. This feature is being rolled out gradually for Linux platforms, beginning with Trend Micro Cloud One - Workload Security customers.
CRI-O support: A Deep Security Agent's "CRI-O engine version" is now displayed in Deep Security Manager, as well as Anti-Malware event information for containers. Note that CRI-O is currently only supported for Deep Security Manager (On-Premise). Support for Trend Micro Cloud One - Workload Security will be added later.

Enhancements

  • Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042
  • Updated Deep Security Agent to correctly display the host's IP address in the "LastIpUsed" field. Previously, the field displayed the load balancer or proxy IP in environments using one of those. SF05283977/SEG-133073

Resolved issues

  • A Deep Security Agent conflict with network interface controllers (NICs) caused systems with multiple NICs to crash. 05048124/SEG-126094/DS-68730
  • When an Integrity Monitoring scan timed out, it sometimes generated false "create" or "delete" events for "user" or "group" entities. SEG-117739/DS-66885
  • Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
  • A Deep Security Agent parsing issue was causing "Anti-Malware Engine Offline" errors. SF05171312/SEG-129367/DSSEG-7428

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-68180
Highest Common Vulnerability Scoring System (CVSS) score: 9.1
Highest severity: High

Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)

Release date: November 24, 2021
Build number: 20.0.0-3445

New features

Collection of the agent metrics in the on-premise environment: You can now collect the agent metrics on-premises for SEG troubleshooting purposes. These metrics are stored as ZIP files on Windows in the C:\ProgramData\Trend Micro\Deep Security Agent\metrics directory and on Linux, AIX, and Solaris in the /var/opt/ds_agent/metrics directory. The ZIP files are rotated periodically on the local file system. Each ZIP file is approximately 1 MB in size and contains up to 100 files. The metrics are collected along with the diagnostic package.

Enhancements

  • Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
  • Deep Security Agent no longer uses CBC cipher suites by default in order to improve security. DS-67204
  • Deep Security Agent was upgraded to use locally installed kernel modules when new ones can't be fetched from the Deep Security Relay. DS-66599
  • Updated Deep Security Agent to support using the "process name" property in "ignore from source" rules for Application Control Trust Entities on Cloud One Workload Security. DS-67322
  • Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347

Resolved issues

  • Insufficient file access permission for the Deep Security Relay sometimes caused the agent installer to fail. DS-67278
  • Deep Security Agent sometimes showed an incorrect "No such file or directory" error message during installation. DS-67317
  • Deep Security Agent sometimes showed plugin installation failures during an upgrade even when the upgrade was successful. DS-67336
  • Deep Security Agent sometimes could not start after an upgrade. SF04943063/SEG-123155/DS-67475
  • Deep Security Agent sometimes changed the access time of files during the on-demand Anti-Malware scan. DS-67119
  • The Deep Security Agent and MQTT connection would sometimes go offline, requiring an agent restart. DS-67487
  • Deep Security Agent couldn't properly handle SAP NetWeaver MIME type scan requests containing leading and trailing spaces. DS-67448
  • With Anti-Malware real-time scan enabled, Deep Security Agent would sometimes scan unchanged files. DS-67806
  • Deep Security Agent sometimes caused the system to crash. SEG-123338/DS-67445

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6489/DSSEG-7210/DS-65113/DS-67367
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: High

Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)

Release date: October 28, 2021
Build number: 20.0.0-3288

New features

Kernel support package updates: You can now choose when to perform kernel support package updates, using the new "Automatically update kernel package when agent restarts" option in the computer or policy editor.
Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
  • Agent size requirements have increased, including a slightly larger installer package on most platforms.
  • All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
  • The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Enhanced platform support

  • Deep Security Agent 20.0.0-3288 or later now supports these platforms:
    • AlmaLinux 8 (requires Deep Security Manager 20.0.503+)
    • Rocky Linux 8 (requires Deep Security Manager 20.0.543+)
    • Ubuntu 20.04 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.503+)
    • Ubuntu 18.04 (AWS ARM-Based Graviton 2) (requires Deep Security Manager 20.0.482+)
  • Secure boot support: Deep Security Agent now supports Oracle Linux 7 (in both UEK-R5 and UEK-R6) and Oracle Linux 8 with Secure Boot enabled.

Enhancements

  • Deep Security Agent 10.0 to 20.0 upgrades now keep their "NIC bypass" configuration (used for bypassing a network interface). DS-64985
  • You can now exclude container file events from the kernel module. DS-65547

Resolved issues

  • Anti-Malware updates sometimes failed, resulting in "Security Update: Pattern Update on Agents/Appliances Failed" errors. 04763356/SEG-119138/DS-66569
  • The Deep Security Agent Scanner library sometimes couldn't be loaded by SAP NetWeaver. DS-67530
  • With Intrusion Protection enabled, Deep Security Agent caused the system to crash under some configurations. SF04931669/SEG-123338/DS-67441
  • With SAP integrated and running, Deep Security Agent would block MP4 files. 04660120/SEG-117094/DSSEG-7254
  • Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
  • Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certificate Revocation List (CRL). DS-65056

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-46018/DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)

Release date: October 08, 2021
Build number: 20.0.0-3165
Note
Deep Security Agent 20.0.0.3165 has been released to Trend Micro Cloud One - Workload Security customers. However, it is not available on the Deep Security Agent software download page or released to customers using Deep Security Manager.

New features

  • AlmaLinux 8 support: Deep Security Agent is now supported on AlmaLinux 8.
  • Ubuntu 18.04 (AWS ARM-Based Graviton 2) support: Deep Security Agent is now supported on Ubuntu 18.04 (AWS ARM-Based Graviton 2).
  • Oracle Linux 7 support: Deep Security Agent is now supported on Oracle Linux 7 with Secure Boot (in both UEK-R5 and UEK-R6).
  • Kernel support package updates: You can now choose when to perform kernel support package updates, using the new Automatically update kernel package when agent restarts option in the computer or policy editor.
  • Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
    • Agent size requirements have increased, including a slightly larger installer package on most platforms.
    • All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
    • The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Enhancements

  • Updated Deep Security Agent to prevent agents upgraded from version 10.0 to 20.0 from losing their "NIC bypass" configuration (used for bypassing a network interface). DS-64985
  • You can now exclude container file events from the kernel module. DS-65547

Resolved issues

  • Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Deep Security Agent - 20.0.0-2971 (20 LTS Update 2021-09-08)

Release date: September 08, 2021
Build number: 20.0.0-2971

New features

FIPS mode on Red Hat Enterprise Linux 8: Deep Security Agent 20.0.0-2971 or later now supports FIPS mode for Red Hat Enterprise Linux 8.
FIPS mode on Amazon Linux 2: Deep Security Agent 20.0.0-2971 or later now supports FIPS mode for Amazon Linux 2.

Enhancements

  • Updated Deep Security Agent to improve performance and compatibility by using a unified driver for file, process, and network events. DS-61784
  • Updated Deep Security Agent to improve TLS traffic inspection. This feature is being rolled out gradually, beginning with Trend Micro Cloud One - Workload Security customers. DS-15576
  • Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547

Resolved issues

  • Deep Security Agent sometimes caused performance issues on systems with folders in NFS format. SF04816680/SEG-118993/DS-66280
  • With Integrity Monitoring enabled, Deep Security Agent sometimes caused high CPU usage. DS-65986
  • Deep Security Agent 20.0.0-2740 for Linux was causing performance and third-party compatibility issues on some systems. This agent was removed from the Trend Micro Download Center. For more information, see Removal of Deep Security Agent (DSA) Build 20.0.0-2740 for Linux from Download Center.
  • Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
  • Deep Security Agent sometimes failed to properly display items under Events and Reports. DSSEG-7057
  • Deep Security Agent was sometimes unable to create or manage tasks on RPM-based platforms due to a SystemD (Linux service manager) process limitation. SF04543580/SEG-113833/DS-65550
  • Deep Security Agent Anti-Malware Real-Time Scan exclusions sometimes failed within container environments. DS-65528
  • Deep Security Agent Anti-Malware Real-Time Scan directory exclusions sometimes failed if filenames were not in UTF-8 format. SEG-115198/DS-65495
  • With Anti-Malware enabled, Deep Security Agent encountered an "Insufficient Disk Space" alert which sometimes crashed the agent or stopped other programs from working properly. SF04584157/SEG-113377/DS-64405
  • Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
  • Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
  • Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
  • Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
  • Deep Security Agent upgrade (Administration > Updates > Software) sometimes failed if a previous (RPM package) upgrade was triggered using console commands. SF04586071/SEG-113583/DS-64978
  • With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
  • With Integrity Monitoring enabled, Deep Security Manager caused high CPU usage on the authentication server for some systems. 04488319/SEG-110088/DS-63855
  • With Integrity Monitoring real-time scan enabled, Deep Security Agent sometimes prevented files on network drives from being deleted. SEG-108636/C1WS-1787

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. SF04613197/SEG-113566/DS-64050
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: High

Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)

Release date: July 01, 2021
Build number: 20.0.0-2593

New feature

FIPS mode on Ubuntu 18.04: Deep Security Agent 20.0.0-2593 or later now supports FIPS mode for Ubuntu 18.04.

Resolved issues

  • Integrity Monitoring alerts sometimes triggered but did not appear in the Events and Reports tab. 04266346/SEG-103731/DS-62992
  • Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
  • Application Control was detecting multiple "Application Control Software Changes Detected" events due to ".tmp" files being generated by PowerShell. C1WS-1608

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-5850/DS-54705
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium

Deep Security Agent - 20.0.0-2395 (20 LTS Update 2021-05-24)

Release date: May 24, 2021
Build number: 20.0.0-2395

New features

Enhanced platform support

  • Application Control and Integrity Monitoring for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Application Control and Integrity Monitoring for Amazon Linux 2 on AWS Graviton 2. DS-62775

Enhancements

  • Deep Security Agent 20.0.0-2395 or later now supports Entrust Root Certificate Authority (G2) certificates. Non-G2 security certificates expire on 2022/07/09. After that date, only Deep Security Agent 20.0.0-2395 or later will have the latest Anti-Malware Smart Scan protection. DS-63010
  • Updated Deep Security Agent to add Predictive Machine Learning support for Malware Scan on Linux platforms. DS-62857
  • Updated Deep Security Agent's Anti-Malware default configuration to monitor file access from the local host only, improving compatibility for some file systems. DS-62222

Resolved issues

  • Anti-Malware Real-Time Scan sometimes didn't detect files properly with the "During read" setting selected (Computers > Details > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration > Edit > Advanced > Real-Time Scan). SEG-104496/DS-61836
  • Deep Security Agent was unable to install in some environments because it misidentified the OS. DSSEG-2915/DS-28321
  • Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certificate Revocation List (CRL). DS-62154
  • Anti-Malware Real-Time Scan sometimes caused high CPU usage. 04331007/SEG-107814/DS-62593
  • Insufficient host information caused by connectivity issues sometimes resulted in offline or duplicate listings in the Computers tab for Deep Security Agents on AWS workspaces. SF04198134/SEG-102818/DS-61666
  • Anti-Malware Real-Time Scan caused unintentional file changes under some configurations. DS-62412
  • Deep Security Agent sometimes could not successfully perform an upgrade because of a missing package. SF04302125/SEG-104084/DS-62692
  • Anti-Malware kernel modules sometimes did not bypass file activity on remote shared storages when Network Directory Scan was disabled. DS-62985

Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)

Release date: April 12, 2021
Build number: 20.0.0-2204

New feature

Enhanced platform support

  • Anti-Malware and Log Inspection support for Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent 20.0.0-2204 or later now supports the Anti-Malware, Firewall, Intrusion Prevention, Log Inspection, and Web Reputation protection modules. Note that Advanced Threat Scan Engine (ATSE) update is not currently supported for Amazon Linux 2 on AWS Graviton 2, but will be added in a future release.

Resolved issues

  • With Anti-Malware enabled, Deep Security Agent sometimes caused "defunct processes" (that is, processes that remain in the system process table after they've completed execution). SEG-104452/DS-61593
  • When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
  • When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
  • When Integrity Monitoring real-time scan was enabled, sometimes directories on NFS volumes couldn't be removed. SF03977538/SEG-98656/DS-61062
  • When Intrusion Prevention was enabled, the system would crash under some configurations. SF04286712/SEG-103971/DS-61274
  • A proxy server issue sometimes caused connectivity issues with Deep Security Agents after registering with Trend Micro Vision One (XDR). SF04318864/SEG-104847/DS-61516

Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)

Release date: March 08, 2021
Build number: 20.0.0-2009

Enhancements

  • Updated Deep Security Agent to include CPU information (number of logical cores) to improve diagnostics and performance tracking. DS-60011

Resolved issues

  • The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
  • When Firewall, Intrusion Prevention, and Web Reputation were enabled, the system sometimes crashed. SF03992370/SEG-100828/DS-60589
  • After restarting Deep Security Virtual Appliance, protected VMs sometimes became inaccessible. SEG-94723/SF03949466/DS-58962

Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)

Release date: February 08, 2021
Build number: 20.0.0-1876

Resolved issues

  • The Deep Security Agent was sometimes unable to establish an SSL connection to the web server. DS-59893

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021
Build number: 20.0.0-1822

New features

Enhanced platform support

  • Amazon Linux 2 (AWS ARM-Based Graviton 2): Deep Security Agent now supports Amazon Linux 2 on AWS Graviton 2. The agent currently supports the Firewall, Intrusion Prevention, and Web Reputation protection modules. Other protection modules are coming soon.
Behavior Monitoring for Linux: This release adds support for Behavior Monitoring on the Linux platform.

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021
Build number: 20.0.0-1681

Resolved issues

  • A driver conflict was causing the Deep Security Agent to hang and require a reboot. SEG-94278/SF03941184/DS-59020
  • If an error related to Secure Boot occurs, users are no longer blocked from installing the plugins and shown a "Secure Boot" error message on Deep Security Manager. Instead, an "Engine is offline" error message is displayed. Users can check "Secure Boot" entries in ds_agent.log for error details. DS-58374
  • In the SecureBoot environment, the SUSE15 SP2 kernel module load failed with kernel version 5.3.18-24.37-default or later. SEG-93737/DS-58373
  • Anti-Malware would sometimes restart before fully loading a new driver, causing the AM engine to be offline. DS-58475

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020
Build number: 20.0.0-1559

New features

TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This resolves issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.

Enhancements

  • Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
  • Enhanced memory usage to improve performance. DS-53012
  • Anti-Malware on-demand scans did not function as expected. DS-58346

Resolved issues

  • Deep Security Agent didn't detect Secure Boot state correctly. SEG-89042/03730368/DS-57014
  • The error "scheduling while atomic" occurred because the dsa_filter caused a kernel panic. DS-56514
  • Anti-Malware events didn't include file hashes in certain scenarios. SEG-91779/SF03818756/DS-57453
  • The Anti-Malware driver showed warning messages during the initialization. SEG-92204/03784490/DS-57605
  • After upgrading to Deep Security Agent 20.0.0-1194, the "Intrusion Prevention Rules Failed to Compile" and "Security Update Failed" errors sometimes incorrectly occurred. SEG-90503/03789013/DS-56904
  • When Anti-Malware real-time scans were enabled, Rancher Kubernetes pods sometimes couldn't be terminated gracefully. SEG-87824/SF03695639/DS-58220
  • When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
  • Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
  • Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020
Build number: 20.0.0-1337

Resolved issues

  • When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because of a compatibility issue with third-party security software. SF03700563/SEG-88135/DS-54799
  • Secure boot appeared active when it was not. SEG-85550/DS-55052

Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)

Release date: October 21, 2020
Build number: 20.0.0-1304

Enhancements

  • Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

  • For agentless protected VMs, the settings under Policies > Intrusion Prevention > General > Recommendation were greyed out. DS-56665
  • When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
  • Real-time Anti-Malware with filesystem hooking enabled did not work on older kernel versions. SEG-82411/DS-54271
  • Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
  • Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
  • The dsa_query command didn't display Anti-Malware patterns correctly. DS-55389
  • The Anti-Malware driver did not check compatibility before loading into the kernel. SEG-88135

Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)

Release date: October 5, 2020
Build number: 20.0.0-1194

New features

Improved performance for real-time Anti-Malware scanning on Linux: Real-time Anti-Malware scans have been improved for Deep Security Agent on Linux, resulting in improved response time, faster processing, and reduced CPU usage. Previously, all files were scanned during read/write. Now, Anti-Malware scanning is more efficient and file scanning during write is deferred (the file is added to a queue and scanned in the background).
Differentiated platforms: Deep Security Manager can now distinguish between Red Hat and CentOS platforms and operations. DS-52682
Continued network scans: After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's network scans now continue where they left off, without delay. This feature only applies if you are using NSX-T Data Center and guest machines are using a policy without network feature overrides. DS-50482

Enhancements

  • Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
  • Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061
  • Ceph is now excluded from file system kernel hooking to prevent kernel panic. SEG-75664/SF03131718/DS-50298
  • Recommendation Scans and Integrity Monitoring are now enabled for NSX-T environments. DS-50478
  • Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800

Resolved issues

  • Secure boot appeared active when it was not. DS-55052
  • Deep Security Agent could not install any plugins with UEFI Secure Boot enabled. DS-54041
  • After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
  • The Anti-Malware engine on Deep Security Virtual Appliance went offline when the signer field in the Census server reply was empty. DS-49807
  • Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
  • Deep Security Agent on Linux would sometimes crash. SEG-76460/SF03218198/DS-50852
  • Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
  • The Deep Security Virtual Appliance did not detect the EICAR test file. SEG-71955/SF02955546/DS-49387
  • Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocked in lock down mode. DS-50696
  • The Anti-Malware driver caused a system hang on Linux platforms where autofs was used. DS-51926
  • When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
  • There was an upgrade issue with Deep Security Agent which would sometimes prevent the agent from going online if Integrity Monitoring or Log Inspection were enabled. DS-50672
  • A kernel panic occurred when Web Reputation, Firewall, or Intrusion Prevention were enabled. SEG-80201/DSSEG-5846/DS-52975
  • When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
  • When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. SEG-73893/DSSEG-5866/DS-53144
  • When Deep Security real-time Anti-Malware was enabled on a Linux system, it caused a high amount of CPU usage. SEG-75739/DS-52976

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/DS-41233
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020
Build number: 20.0.0.877

New features

Enhanced platform support

  • Ubuntu 20.04 (64-bit)
  • Cloud Linux 8 (64-bit)
  • Debian Linux 10 (64-bit)
  • Oracle Linux 8 (64-bit)
  • SUSE Linux Enterprise Server 15 (64-bit)
  • Red Hat Enterprise Linux 8 (64-bit)
  • CentOS 8 (64-bit)
SystemD support: SystemD is a Linux service manager that allows services to declare dependencies, which can enforce load and unload sequences of kernel modules and other services. See Linux systemd support for information about which platforms are supported. DS-37395
Secure Boot support: Deep Security Agent supports additional Linux operating systems with Secure Boot enabled. For details, see Linux Secure Boot support.

Improved security

Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.
Protect VMs in NSX-T environments: The latest VMware Service Insertion and Guest Introspection technologies have been integrated. This enables you to protect your guest VMs using Intrusion Prevention, Web Reputation, Firewall, Integrity Monitoring and recommendation scans on NSX-T hosts with agentless protection.
Seamless network protection: Deep Security Manager now sends guest VMs' network configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the network features during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments where the guest machine is using an assigned policy without network features overrides.
SELinux Support: Security-Enhanced Linux (SELinux) enforcing mode is supported on Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. Deep Security Agent is compatible with the default SELinux policies. Anti-Malware software such as ds_agent is required to run in an unconfined domain in order to protect the system. Any additional SELinux policy customization or configuration might be blocked or fail because of ds_agent.
SSL improvements: Deep Security supports handshake hello_request (RFC 5246) and Extension encrypt_then_mac (RFC 7366) in SSL inspection.
Continuous Anti-Malware protection: Deep Security Manager now sends guest VMs' Anti-Malware real-time configuration to all Deep Security Virtual Appliances that are under the same cluster. The effect is that the appliances can now maintain the protection of guest machines that use the Anti-Malware real-time feature during and after a vMotion migration from one ESXi host to another under the same cluster. This feature only applies to NSX-T environments.

Improved management and quality

Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.
NSX-T Network Throughput improvement: By introducing the Data Plane Development Kit (DPDK), the network throughput has been made three times faster when compared with prior technology.
Upgrade to supported paths: The Upgrade on activation feature only upgrades the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the Upgrade on activation feature detects the newer version and completes the upgrade to the designated release.
Protection for AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, the computer is now created outside of the account and the agent is allowed to activate.
Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported in this release. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?
Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been cancelled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.
Improved process exceptions: The process exception experience has been improved in the following ways:
  • Information about why process exclusion items are not functioning correctly is provided, enabling you to troubleshoot the issue and know which actions to take to resolve it.
  • The process exception configuration workflow has been improved to make it more robust.

Enhancements

  • Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
  • Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
  • Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
  • Improved the Deep Security Agent activation experience in the following ways:
    • Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.
  • After migrating guest VMs to another ESXi host in the same cluster using vMotion, the Deep Security Virtual Appliance's Anti-Malware real-time scans now continue where they left off, without delay. This feature only applies to NSX-T environments.
  • Increased the scan engine's URI path length limitation.
  • Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
  • Enhanced Linux real-time Anti-Malware performance when executing a Docker pull command.
  • Improved the time it takes to auto-activate guest VMs protected by the Deep Security Virtual Appliance in an NSX-T environment. This feature requires Deep Security Manager FR 2019-12-12 or newer releases.
  • Streamlined event management for improved agent performance.
  • Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
  • Enhanced the Malware Scan Failure event description to indicate the possible reason.
  • Enhanced the Anti-Malware kernel level exclusion on Linux. File events coming from remote file systems won't be handled by Deep Security Agent anymore when Network Directory Scan is disabled.
  • Added the ability to retrieve process and container information for Intrusion Prevention events, including process name, container ID, container name, image name, image digest and pod ID.

Resolved issues

  • When Anti-Malware real-time scans were enabled in Linux, sometimes the system crashed because buffers from procfs were not validated. SEG-80183/DS-53204
  • When Deep Security real-time Anti-Malware was enabled in Linux, it caused a high amount of CPU system usage. SEG-75739/SF03036857/DS-52976
  • Ceph caused a kernel panic. SEG-75664/SF03131718/DS-50298
  • Deep Security Agent sometimes crashed. SEG-76460/SF03218198/DS-50852
  • Deep Security Agent reported incorrect network interface information. SEG-77161/DS-51397
  • Application Control did not include scripts with the extension ".bash" in the inventory. This resulted in these scripts being blocked in lock down mode. SEG-73174/DS-50696
  • Deep Security Virtual Appliance sometimes went offline. SEG-53294/DS-46728
  • The interface isolation feature was still on when Firewall was turned off. SEG-32926/DS-27099
  • In a Red Hat Enterprise Linux 5 or 6 or a CentOS 5 or 6 environment, Integrity Monitoring events related to the following rule were displayed even if users or groups were not created or deleted: 1008720 - Users and Groups - Create and Delete Activity. SEG-22509/DS-25250
  • Integrity Monitoring events showed an incorrect file path with Unicode encoding. SEG-45239/DS-33911
  • Anti-Malware events displayed a blank file path with invalid Unicode encoding. SEG-46912/DS-34011
  • Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash. SF01423970/SEG-43481/DS-34436
  • A kernel panic occurred when dsa_filter.ko was obtaining a network device's information. SEG-50480/DS-35192
  • An SAP system with Java running in a Linux environment failed to start when Deep Security Scanner returned an error code without an error message. SF01339187/SEG-38497/SEG-33163/DS-31330
  • A kernel panic occurred because of redirfs. SF01137463/SEG-34751/DS-32182
  • Deep Security Anti-Malware caused the fusermount process to fail when mounting the filesystem. SF01531697/SEG-43146/DS-32753
  • Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. SEG-39711/DS-32799
  • For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. SF01704358/SEG-45004/DS-32077
  • Deep Security Agent GSCH driver had an issue with another third-party file system. SF01248702/SEG-44565/DS-33155
  • The Environment Variable Overrides for Deep Security Anti-Malware did not work in Linux. SEG-43362/DS-31328
  • The Deep Security Agent process potentially crashed when the detailed logging of SSL messages was enabled and outputted. SF01745654/SEG-45832/DS-33007
  • When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. SF01415702/SEG-42919/DS-33008
  • The Send Policy action failed because of a GetDockerVersion error in Deep Security Agent. SF1939658/SEG-49191/DS-34222
  • Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DS-34022
  • The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. SEG-50728/DS-35446
  • Deep Security Agent failed to install on Ubuntu 18.04. SF01593513/SEG-43300/DS-37359
  • The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. SF01526046/SF02159742/SEG-55453/DS-38812
  • Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. SF02187371/SEG-56645/DS-39398
  • The agent operating system would sometimes crash when Firewall interface ignores were set. SF01775560/SEG-49866/DS-39339
  • Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. SF01804378/SEG-47425/DS-33690
  • Too many file open events were being processed in user mode, resulting in high CPU usage. SF02179544/SEG-55745/DS-39638
  • The "mq_getattr: Bad file descriptor" error occurred while accessing the message queue when Deep Security real-time Anti-Malware was enabled. SF02042265/SEG-52088/DS-39890
  • Linux kernel logs were flooded by Deep Security Anti-Malware driver. SF02299406/SEG-57561/DS-41589
  • Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. SF01780211/SEG-46616/DSSEG-3607
  • High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. SF02179544/SEG-55745/DS-41142
  • Deep Security Agent real-time Anti-Malware scans didn't work with Debian 10 64-bit.
  • When a guest VM was migrated between ESXi hosts frequently (using vMotion), sometimes the VM couldn't save the state file. This caused the guest to lose the protection of the Deep Security Virtual Appliance for several minutes after migration, until the VM was reactivated by Deep Security Manager automatically under the new ESXi server. DSSEG-4341/DS-38221
  • When uninstalling Deep Security Agent in Linux, the uninstall log included a typo. DSSEG-4139/DS-34504
  • Deep Security Anti-Malware detected sample malware files but did not automatically delete them. SF02230778/SEG-55891/DS-40687
  • When the Deep Security Agent connected through a proxy to the Deep Security Manager on Deep Security as a Service, Identified Files could not be deleted. SF01979829/SEG-51013/DS-37252
  • After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search the X-Forwarded-For header after the header is parsed. SEG-60728/DSSEG-5094
  • Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DSSEG-4995

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/VRTS-3176
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest Severity: High
  • Updated NGINX to 1.16.1 (DSSEG-4600)
  • Updated to curl 7.67.0.
  • Updated to openssl-1.0.2t.
  • Updated JRE to the latest Java Update (8.0.241/8.43.0.6).

Kernel support

To see which Linux kernels are currently supported, see Linux kernel support.
To view the Linux kernel support release history, see the Readme for Trend Micro (TM) Deep Security Agent 20.0 for Linux.

Known issues

  • Autofs is currently not supported for use when real-time Anti-Malware is enabled. If autofs is used with real-time Anti-Malware enabled, some mountpoints are unmounted successfully. SEG-58841

Windows

Deep Security Agent - 20.0.2-4960 (20 LTS Update 2025-03-12)

Release date: March 12, 2025
Build number: 20.0.2-4960

Enhancements

  • The dsa_scan command now includes a scanLargeFile option for managing larger files. DSA-8785
  • SAP scans are now faster due to the introduction of a caching mechanism and reduction of unnecessary operations. DSA-7219
  • Deep Security Agent can now log Device Control events directly to security information and event management (SIEM) for the system. V1E-40316

Resolved issues

  • SAP Scanner sometimes incorrectly classified CSV files if they were larger than 4096 bytes. PCT-51974/DSA-9139
  • If the Windows Base Filtering Engine service was not running, the Trend Micro Windows Filtering Platform (TBIMWFP) driver sometimes crashed while it was stopping. PCT-38921/PCT-53750/DSA-9154
  • Certificate-related error events were being generated with outdated links to solution articles in their event description fields. These links led to a "404 page not found." PCT-54305/DSA-9113

Deep Security Agent - 20.0.2-1390 (20 LTS Update 2025-01-15)

Release date: January 15, 2025
Build number: 20.0.2-1390

New features

Windows Server 2025 support: Deep Security Agent 20.0.2-1390 or later now supports Windows Server 2025, including FIPS mode support. This requires Deep Security Manager 20.0.1017 or later.
User-based Firewall events: Firewall events now include username whenever possible. This feature is in preview and is only available to certain customers at this time.

Enhancements

  • Deep Security Agent now queues packets to handle them in sequence, improving performance. DSA-6916
  • Updated Deep Security Agent to improve spyware prevention. PCT-18199/DSA-5889

Resolved issues

  • Deep Security Agent sometimes had connectivity issues when Advanced TLS Traffic Inspection was enabled. DSA-8577

Security updates

This release contains updates to third-party libraries. DSA-7695/DSA-8042

Deep Security Agent - 20.0.1-25770 (20 LTS Update 2024-12-10)

Release date: December 10, 2024
Build number: 20.0.1-25770

New features

Version Control Policy: Deep Security Agent now supports Version Control Policy, which allows Trend Vision One version control policies to manage agent and component updates for any endpoint with the Trend Micro Endpoint Basecamp (XBC) agent installed. For more information, see Version Control Policies. This is currently in pre-release, and is only supported for Trend Vision One - Server & Workload Protection.

Enhancements

  • Updated Deep Security Agent to reduce the duration of on-demand scans when the CPU Usage is set to Medium (Computer or Policy > Settings > General > CPU Usage Control). DSA-8171
  • Deep Security SAP Scanner can now report results to SAP applications when it identifies password-protected compressed files attached to an email in Microsoft Outlook Item (MSG) format. SF07873657/PCT-23367/DSA-7562
  • Deep Security Agent now detects if its relay proxy is Trend Vision One Service Gateway Forward Proxy Service, and uses the Service Gateway domain allow list to decide whether the connection should use the relay proxy or not. SF07267852/PCT-29311/DSA-6274
  • Deep Security Agent can now add existing detections (by malware name, or rule ID for Anti-Malware or Behavior Monitoring) to the Rule Exceptions list from Computer or Policy > Anti-Malware > Advanced. DSA-6318
  • Deep Security Agent now supports additional options to fine-tune detection sensitivity for Anti-Malware, Behavior Monitoring, Predictive Machine Learning, Process Memory Scan, and the Windows Antimalware Scan Interface for real-time scan. This enhancement is only available in Trend Cloud One - Endpoint & Workload Security. DSA-6062

Resolved issues

  • Events including packet data were being logged with an incorrect packet size. PCT-45556/DSA-8074
  • Deep Security Agent had higher than usual CPU usage if Integrity Monitoring was disabled following an Integrity Monitoring scan. SF07991055/PCT-31459/DSA-6195
  • Anti-Malware manual scans of files or folders with special characters sometimes failed. PCT-43895/DSA-8126
  • The Trend Micro Windows Filtering Platform (TBIMWFP) driver caused a memory leak on some systems, which led to higher than normal memory usage. DSA-7968
  • Deep Security SAP Scanner would incorrectly report scan failures when two or more files with the same content were included in a compressed file. PCT-38781/DSA-7557
  • The Anti-Malware Solution Platform (AMSP) service was crashing on some systems. PCT-41566/DSA-7952

Security updates

This release contains updates to third-party libraries. DSA-7124
Security updates are included in this release. For more information about Trend Micro protection against vulnerabilities, see Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details are only available for select security updates once patches are available for all impacted releases. VRTS-13016/DSA-7645
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Deep Security Agent - 20.0.1-23340 (20 LTS Update 2024-11-13)

Release date: November 13, 2024
Build number: 20.0.1-23340

New features

Windows 11, version 24H2 support: Deep Security Agent 20.0.1-23340 or later supports Windows 11, version 24H2.

Enhancements

  • Web Reputation Service can now use Server Name Indication (SNI) queries when determining the risk level of a website. DSA-7314
  • Advanced Transport Layer Security (TLS) inspection can now support Windows Local Security Authority (LSA) protection. DSA-5642

Resolved issues

  • Deep Security Agent sometimes caused a file handle leak when performing an Anti-Malware manual scan. DSA-7676

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-13428/VRTS-13017/DSA-7666/DSA-7646
Highest Common Vulnerability Scoring System (CVSS) score: 6.7
Highest severity: Medium

Deep Security Agent - 20.0.1-21510 (20 LTS Update 2024-10-16)

Release date: October 16, 2024
Build number: 20.0.1-21510

Enhancements

  • Added a failsafe to help prevent the Firewall driver from causing systems to be stuck in a Blue Screen (BSoD) loop. DSA-7448
  • Added new Windows events to logs when the Firewall driver is initialized. Events include Windows Base Filtering Engine State changes and the results registered by the tbimwfp driver. DSA-7547

Resolved issues

  • High CPU usage would occur when both Application Control and FIPS were enabled. DSA-6842
  • Deep Security Agent would crash the system if the Windows Base Filtering Engine Service was not running. PCT-38921/DSA-7334
  • When the SAP Scanner library re-established connections to Deep Security Agent, the scan requests sent from the SAP Scanner library would sometimes be rejected. SF08196066/PCT-34824/DSA-7608
  • Deep Security SAP Scanner would sometimes crash when scanning for files in certain formats, like CSV. PCT-41353/DSA-7609

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-12953/DSA-7559
Highest Common Vulnerability Scoring System (CVSS) score: 8.0
Highest severity: High

Deep Security Agent - 20.0.1-19250 (20 LTS Update 2024-09-18)

Release date: September 18, 2024
Build number: 20.0.1-19250

Enhancements

  • Updated Deep Security Agent to improve compatibility with older versions of the SAP Scanner. SF08196066/PCT-34824/DSA-6819
  • Deep Security Agent now supports the Alibaba Cloud connector type. DSA-6018
  • Web Reputation Service can now provide protection when using HTTPS in Mozilla Firefox on Windows 10 (64-bit), Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. DSA-6770

Resolved issues

  • Deep Security Agent caused high CPU usage on systems with both Application Control and FIPS enabled. DSA-6842

Security updates

This release contains updates to third-party libraries. DSA-6156/DSA-6942

Deep Security Agent - 20.0.1-17380 (20 LTS Update 2024-08-21)

Release date: August 21, 2024
Build number: 20.0.1-17380

Enhancements

  • Web Reputation Service "Smart Protection Server Disconnected" events now include FQDN or IP address information in the description field. DSA-5408
  • SAP Scanner now classifies Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages as text files. SF07895338/PCT-24359/DSA-5790
  • SAP Scanner now associates JavaScript with compatible file extensions. For details, see Supported MIME types. SF08102626/PCT-31518/DSA-6192
  • uAgentWscHandler.exe is a new process that supports Windows Anti-Malware Protected Process Light technology and integrates with Windows Security Center on Windows 10 or Windows 11. DSA-5138
  • Advanced Threat Scan Engine has been updated to version 24.550. DSA-5968

Resolved issues

  • SAP Scanner would incorrectly classify valid CSV files if the data was formatted on a single line. SF07967718/PCT-26844/DSA-6102
  • SAP Scanner sometimes incorrectly identified image files as ASP scripts. SF07764878/PCT-20406/DSA-6122
  • Deep Security Agent could not load the policy if some policy configuration fields contained curly brackets. DSA-6189
  • Deep Security Agent would fail to activate if the hostname contained non-ASCII characters. PCT-32214/DSA-6268
  • Deep Security Agent would sometimes cause an Operating System crash if Advanced TLS inspection was enabled. PCT-34149/DSA-6346
  • When Anti-Malware was enabled, some Citrix Virtual Desktop Infrastructure (VDI) environments encountered a blue screen (BSoD) error. PCT-26799/DSA-6036
  • When Intrusion Prevention was enabled for Deep Security Agent, some third-party applications had connectivity issues if they were reusing a source port. SF07685331/PCT-20541/DSA-5596

Security updates

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit Vulnerability Response. Please note, in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-12301/DSA-5967/DSA-6150
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Known issues

  • Deep Security Agent Application Control causes high CPU usage. PCT-36414

Deep Security Agent - 20.0.1-14610 (20 LTS Update 2024-07-17)

Release date: July 17, 2024
Build number: 20.0.1-14610

Enhancements

  • SAP Scanner now associates the following MIME types with compatible file extensions. For details, see Integrate with SAP NetWeaver.
    • TrueType Font (TTF). SF08102626/PCT-31518/DSA-6049
    • Java Archive (JAR). SF08102626/PCT-31518/DSA-6044
    • Apple QuickTime File Format (QTFF). SF07967718/SF07840151/PCT-22825/PCT-26844/DSA-5887/DSA-5567
    • Microsoft Advanced Systems Format (ASF). SF07967718/PCT-26844/DSA-5886

Resolved issues

  • Deep Security Agent would still try to test connections for Service Gateways. DSA-5814
  • A Deep Security Agent restart sometimes caused Application Control to report drift events. SF07813110/PCT-25731/DSA-5798
  • Deep Security Agent was only able to use the primary IP address for Service Gateway. DSA-4513
  • Integrity Monitoring real-time scans sometimes failed to generate events. SF07269768/PCT-21721/DSA-5877
  • The Anti-Malware configuration file size was impacting SAP Scanner performance on some systems. SF08057009/PCT-30380/DSA-5987

Deep Security Agent - 20.0.1-12510 (20 LTS Update 2024-06-19)

Release date: June 19, 2024
Build number: 20.0.1-12510

Enhancements

Resolved issues

  • Web Reputation Service might cause high CPU usage in VDI environments. PCT-24431/PCT-28543/PCT-29364/PCT-29712/PCT-30043/PCT-30401/PCT-30669/DSA-5766
  • Edge Relay couldn't use the operating system proxy configuration without IoT features enabled. PCT-16603/DSA-5422

Known issues

Deep Security Agent - 20.0.1-9400 (20 LTS Update 2024-05-16)

Release date: May 16, 2024
Build number: 20.0.1-9400

Enhancements

  • SAP Scanner now supports the SCANLOGPATH parameter. For details, see Integrate with SAP NetWeaver. PCT-21958/DSA-4924
  • Updated Deep Security Agent to improve the priority for configurations using a proxy. DSA-4817/PCT-21750
  • Deep Security Agent can now retrieve Service Gateway settings from the Trend Micro Endpoint Basecamp (XBC) agent. DSA-4841/V1E-13468
  • Web Reputation Service now supports HTTPS protection for Google Chrome browser's Incognito mode and Microsoft Edge browser's InPrivate mode on Windows 10 (64-bit), Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. DSA-4296

Resolved issues

  • Deep Security Agent security updates sometimes failed after reconfiguring proxy settings. PCT-18382/DSA-5390
  • Using Deep Security Agent with Web Reputation Service enabled prevented some Application Performance Monitoring (APM) applications from functioning correctly. SF04072723/SEG-97952/PCT-15716/DSA-4750
  • Using multiple Smart Protection Servers sometimes generated "Smart Protection Server Disconnected for Smart Scan" warnings, even if Smart Scan was still connected. PCT-13313/DSA-4488
  • Deep Security Agent security updates sometimes failed after an agent update was applied. PCT-23614/DSA-5371

Security updates

This release contains updates to third-party libraries. DSA-4187

Deep Security Agent - 20.0.1-7380 (20 LTS Update 2024-04-24)

Release date: April 24, 2024
Build number: 20.0.1-7380

Enhancements

  • Deep Security Agent now supports Trend Vision One Service Gateway exclusions. This is only supported for Trend Cloud One - Endpoint & Workload Security users at this time. V1E-17754
  • Deep Security Agent can have its proxy configuration set by the Trend Vision One Proxy Manager. V1E-14557
  • Deep Security Agent now supports custom actions "ActiveAction" or "Pass" for the Process Memory Scan. This is only supported for Trend Cloud One - Endpoint & Workload Security users on Windows platforms at this time. DSA-3621

Resolved issues

  • Deep Security Agents running in cloud environments sometimes could not be activated for Trend Cloud One - Endpoint & Workload Security. DSA-4861
  • When SAP Scanner was enabled, system events for "SAP: Anti-Malware module is not ready" or "SAP: Virus Scan service is not working correctly" sometimes displayed during Deep Security Agent upgrade. These system event messages were triggered by the restart of Deep Security Agent modules. There was no functional impact. DSA-4603

Deep Security Agent - 20.0.1-4540 (20 LTS Update 2024-03-20)

Release date: March 20, 2024
Build number: 20.0.1-4540

Enhancements

  • The SAP Scanner status for Deep Security Agent is now displayed in the console. DSA-3329
  • The Deep Security Agent version is now displayed in the SAP Scanner library. SF07483850/PCT-10077/DSA-3304
  • Stopping a Deep Security Agent managed by Trend Cloud One - Endpoint & Workload Security now takes less time. DSA-4208
  • Anti-Malware events (Events & Reports > Anti-Malware Events) now display the date and time that files or folders were created and modified. SF07199253/PCT-1378/DSA-3578

Resolved issues

  • Deep Security Agent incorrectly classified the MIME type of .dwg files generated by AutoCAD, from AutoCAD 2004 to AutoCAD 2024. SF07027236/SEG-186079/PCT-5797/DSA-2901

Deep Security Agent - 20.0.1-3180 (20 LTS Update 2024-02-29)

Release date: February 29, 2024
Build number: 20.0.1-3180

New features

  • Anti-Malware now supports Advanced Process Memory Scan by default in Trend Cloud One. Process Memory Scan is now available for Manual Scan and Scheduled Scan configurations (this is in addition to the Real Time Scan configuration). The Action to Take option in Process Memory Scan is available in Real Time Scan, Manual Scan, and Scheduled Scan configurations. DSA-4242

Enhancements

  • Deep Security Scanner (SAP) now reports files containing Microsoft Office Macros as Active Content, while previously they were identified as Malware. PCT-5979/DSA-3911

Resolved issues

  • Migration of agents from on-premise Deep Security Manager to Trend Cloud One - Endpoint & Workload Security using Trend Vision One Service Gateway failed. This issue could also occur when migrating using other proxy services. PCT-16649/DSA-4144
  • Remote Desktop Services on Windows Server 2008 R2 was blocked by the TLS inspection process (tm_netagent). PCT-12049/PCT-12172/PCT-13878/DSA-3944
  • Behavior Monitoring exclusions sometimes failed to apply because they were case sensitive. PCT-16168/PCT-16005/PCT-16476/CTSKA-27/DSA-4116
  • The expected MIME type for .msg files by the Deep Security Agent SAP Scanner was incorrect. PCT-5797/DSA-4050
  • Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent sometimes resulted in a TLS inspection process (tm_netagent) error log rotation issue. DSA-3965
  • When a password was required for a local override, the password was checked after the Deep Security Agent self-protection was locally disabled. PCT-10861/DSA-3293
  • Uninstalling Deep Security Agent did not remove all folders associated with Deep Security Agent. DSA-2460

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-11708/DSA-3702
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Known issues

  • The Application Control Trust Entities "block by target" trust rule sometimes does not work properly when running a copy of an executable file. PCT-11105/DSA-3324

Deep Security Agent - 20.0.1-700 (20 LTS Update 2024-04-17)

Release date: April 17, 2024
Build number: 20.0.1-700

Enhancements

  • Updated Deep Security Agent to improve the priority for configurations using a proxy. This is only supported for Trend Cloud One - Endpoint & Workload Security customers on Windows x64 platforms at this time. DSA-4817/PCT-21750

Known issues

Deep Security Agent - 20.0.1-690 (20 LTS Update 2024-01-17)

Release date: January 17, 2024
Build number: 20.0.1-690

New features

Command line scan: Deep Security Agent now supports on-demand scans triggered using dsa_scan from a command line interface.
This is currently only available to Trend Cloud One - Endpoint & Workload Security customers. For more information, see Command-line basics. V1E-6993

Enhancements

Resolved issues

  • Deep Security Agent was sometimes unable to connect to the local Smart Protection Server. DSA-3564
  • Deep Security Agent could have memory leaks on some systems while trying to route to Domain Controllers. DSA-3266
  • Deep Security Agent sometimes froze at launch if Windows APIs were verifying digital signatures for portable executable (PE) files. DSA-3626
  • When FIPS mode was disabled, Deep Security Agent used the OpenSSL configuration specified by the system environment variables rather than the config specified by the agent. PCT-4914/DSA-2651/DSA-2737/DSA-2738

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. V1E-10952
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: Critical

Known issues

Deep Security Agent - 20.0.0-8438 (20 LTS Update 2023-12-12)

Release date: December 12, 2023
Build number: 20.0.0-8438

New features

Windows 11, version 23H2 support: Deep Security Agent 20.0.0-8438 or later supports Windows 11, version 23H2. DSA-2255

Enhancements

  • Removed some file types from the scanning list to avoid high CPU and disk consumption. SF07099651/SEG-188688/DSA-2010
  • Agent self-protection now protects the Advanced TLS Traffic Inspection process (tm_netagent), preventing local users with administrator privileges from stopping it. DSA-1042/DSA-1043

Resolved issues

  • When using a local Smart Protection Server and a configured proxy, Web Reputation Service would sometimes improperly send traffic through the proxy. Web Reputation Service now sends queries to the local Smart Protection Server directly. DSA-2981
  • Anti-Malware scan mode would sometimes not match the policy configuration. SF07117203/SEG-191043/PCT-7856/DSA-2561
  • A memory leak would occur when loading large Suspicious Object lists. SF06904914/SEG-182231/DSA-1370

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-11015/DSA-2156
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Known issues

Deep Security Agent - 20.0.0-8268 (20 LTS Update 2023-11-21)

Release date: November 21, 2023
Build number: 20.0.0-8268

Resolved issues

  • Deep Security Anti-Malware sometimes did not function as expected after the system had resumed from sleep mode (S0 low-power idle mode of the working state, also known as modern standby). SF07326571/PCT-5476/DSA-2485
  • Deep Security Agent incorrectly classified MIME type of .xml files generated by Microsoft Word, Excel, PowerPoint, as well as .dwg files generated by AutoCAD and R2000. SF07027236/SEG-186079/DSA-2202

Known issues

Deep Security Agent - 20.0.0-8137 (20 LTS Update 2023-10-26)

Release date: October 26, 2023
Build number: 20.0.0-8137

New features

  • Process Memory Scan: Anti-Malware manual and scheduled scans now support the process memory scan, which scans the memory of running processes. This requires Deep Security Manager 20.0.844 or later. This feature will be disabled in the November release of Deep Security Manager and in Trend Cloud One - Workload Security. For more information, see High Memory Usage for random process when using Deep Security Agent 20.0.0-8137.

Resolved issues

  • When Intrusion Prevention System was enabled on a machine with Windows Network Load Balancing (NLB) installed and Unicast Mode configured, Network Load Balancing performance was sometimes affected. SF06426122/SEG-169878/DSSEG-7852
  • When agent self-protection was enabled for Deep Security Agent 20.0.0-7719, access violation errors would sometimes appear in the Windows System Log. DSA-1962

Known issues

Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)

Release date: September 26, 2023
Build number: 20.0.0-7943

Enhancements

  • In order to display agent pattern updates properly, Deep Security Agent 20.0.0-7943 or later requires Deep Security Manager 20.0.759+. For more information, see Incompatible Agent / Appliance Version error in Deep Security Agent 20.0.0-7943. SEG-190866/SEG-191017/DSA-1531
  • New commands exist to get proxy information from the command line. DSA-864
    dsa_query -c GetProxyInfo
    dsa_query -c GetProxyInfo details=true
  • Web Reputation Service now supports the "Trend Micro Toolbar for Enterprise" browser extension for Microsoft Edge on Windows 10 (64-bit), Windows 11, Windows Server 2016, Windows Server 2019 and Windows Server 2022. DSA-1565

Resolved issues

  • When Log Inspection was enabled, Deep Security Agent sometimes crashed on Windows Server 2019 systems. DS-77766

Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)

Release date: August 29, 2023
Build number: 20.0.0-7719

New features

New language support: Deep Security Agent now supports Polish and Czech.

Enhancements

  • Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
  • Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. Note that agents configured as a Deep Security Relay still download all pattern updates. DSA-1000
  • The blocking page Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
  • Deep Security Agent now triggers a security update automatically when the Anti-Malware Solution Platform (AMSP) service is ready. Previously, security updates could fail if triggered before the AMSP was ready, causing "Anti-Malware Engine Offline" and "Pattern Update on Agents/Appliances Failed" errors. DSA-1020

Resolved issues

  • Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
  • Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
  • When Anti-Malware was enabled, Deep Security Agent impacted the performance of some third-party applications. SEG-182065/DSA-790
  • Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756
  • Device Control blocked Windows Server Storage Area Network (SAN) drives that should have been allowed. SEG-178278/V1E-3895
  • Network drivers failed to bind to the network interface automatically on some Azure VMs. DSA-1040

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7976/DSA-1386
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)

Release date: July 25, 2023
Build number: 20.0.0-7476

New features

Deep Security Agent Right-Click Scan: Deep Security Agent now allows users to trigger a manual scan from Windows File Explorer by right-clicking a file or folder and selecting Scan. Note that this feature is only available to Trend Vision One Endpoint users and Trend Cloud One - Endpoint & Workload users at this time.

Enhancements

  • If anti-malware is offline because AMSP service was not installed correctly, Deep Security Agent now tries to reinstall AMSP when the agent service launches. DSSEG-7903/SEG-181443
  • Updated the dsa-connect service to improve CPU performance. C1WS-12970
  • Updated Deep Security Agent to support the Notifier Anti-Malware Protected Process Light (AM-PPL) service for Windows 10 desktop platforms. This requires Deep Security Manager 20.0.789 - 20.0.833. DS-77160
  • Improved Advanced TLS Traffic Inspection coverage for Windows Server 2012 R2, 2016, and 2019. SEG-182585/DSA-583

Resolved issues

  • Smart Protection Servers would sometimes lose connectivity with Web Reputation Service. SF06423462/SEG-166651/DSSEG-7858
  • The system sometimes crashed when Intrusion Prevention was enabled. SF06983729/SEG-184423/DSSEG-7907
  • Deep Security Agent upgrades triggered from the Deep Security Manager console would fail on some system configurations, returning MSI error code 1601: Windows installer is not accessible. SEG-177789/DS-78084
  • Deep Security Agent sometimes reported that the network module was disabled (Event ID 1013, Trend Micro LightWeight Driver failed to bind on all network interfaces) even if the module was enabled. SEG-184701/SEG-182649/DSA-686
  • Updated Deep Security Agent to support systems using Dell MAC Address Passthrough. SEG-177651/DSA-455

Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)

Release date: June 28, 2023
Build number: 20.0.0-7303

Enhancements

  • Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation, such as fe80:0:0:0:0:0:0:1/24 or fe80::01. SF04849178/SEG-122076/DS-67280
  • Web Reputation Service now automatically monitors the ports used by the OS proxy configuration. DS-77233
  • When a specific process is sending backup packets through an unencrypted connection, Intrusion Prevention optimizes the scan flow to reduce CPU impact. SF06456142/SEG-166877/DS-76500

Resolved issues

  • The Windows Malicious Software Removal Tool (MSRT) installation could fail while Application Control is in maintenance mode. SF06446534/SEG-172729/DS-77094
  • Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
  • The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
  • The Deep Security Agent upgrade would fail when specific features were enabled. SF06794868/SEG-177789/DS-78008
  • Deep Security Agent sometimes crashed when it was unable to connect to Deep Security Manager using a proxy. DS-77786
  • When Application Control was enabled, MSI file installations failed on some versions of Windows. SF06509811/SEG-170485/DS-76906
  • Deep Security Relay 20.0.0-7119 failed to provide security and software updates when using the improved Relay. SF06935222/SEG-183184/DS-78201
  • Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709

Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)

Release date: May 29, 2023
Build number: 20.0.0-7119

Enhancements

  • When Application Control is enabled, MSI file installations fail on some systems. SF06509811/SEG-170485/DS-76906
  • Agent self-protection now secures the Advanced TLS inspection process (ds_nuagent), preventing local users with administrator privileges from stopping it. DS-74080
  • Deep Security Agent 20.0.0-7119 or later now supports FIPS mode for the dsa-connect service for Workload Security customers on Windows platforms that support FIPS mode as detailed here: Supported features by platform. C1WS-7467

Resolved issues

  • Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
  • After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453
  • If Advanced TLS traffic inspection was enabled, rebooting the operating system sometimes caused Deep Security Agent to get stuck on the "stopping services" screen. SF06494167/SEG-170082/DS-76880
  • The Deep Security Notifier service (ds_notifier) caused a memory leak during agent updates on some systems. SF06454240/SEG-167684/DSSEG-7863

Known issues

  • Upgrading to Deep Security Agent version 20.0.0-6860, 20.0.0-6690, or 20.0.0-7119 using the Deep Security Manager console sometimes results in upgrade failure. After the upgrade failure, the Deep Security Agent service stops and may show "Agent Offline" from the manager console. SEG-177789, SEG-177748, SEG-178496, SEG-178742, SEG-177423, SEG-178470, SEG-178940, SEG-178956

Deep Security Agent - 20.0.0-6860 (20 LTS Update 2023-04-25)

Release date: April 25, 2023
Build number: 20.0.0-6860

Enhancements

  • Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to ds_agent.ini. SF06664116/SEG-173848/DS-77182
    Example proxy probing line in ds_agent.ini config file:
    dsa.proxymanager.ProbeTimeoutInSec=120
  • Made improvements to Deep Security Agent to prevent it incorrectly sending "MQTT Connection Offline" warnings when the connection is online. SEG-171358/C1WS-12979
  • Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840
  • Deep Security Agent installer now prevents the agent from updating if it detects SHA-1 was used to sign the certificate on the agent installer. This prevents the agent from updating and becoming unresponsive, since Deep Security Agent 20.0.0-6313 and higher requires RSA-2048 and SHA-256. For more information on certificate upgrade, see Upgrade the Deep Security cryptographic algorithm. DS-76499
  • Error messages from the Trend Micro Deep Security Notifier now provide more details when the on-demand scans fail. VO-2132

Resolved issues

  • Deep Security Agent was unable to load the third-party libraries required to use Remote Shell, File Collection, or Network Isolation on the Windows 2008 platform. DS-75176
  • Deep Security Agent would sometimes freeze on system startup, which caused the Windows Service Control Manager service to generate "service hung on starting" events (Event ID 7022). DS-77212
  • When Anti-Malware Predictive Machine Learning was enabled, file operations initiated by PowerShell sometimes encountered sharing violations. SF05904706/SEG-150738/DSSEG-7695
  • When Web Reputation Service was enabled, Deep Security Agent caused some systems to shut down unexpectedly. SF06680505/SEG-174730/DSSEG-7866
  • Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8320/DSSEG-7865
Highest Common Vulnerability Scoring System (CVSS) score: 2.9
Highest severity: Low

Deep Security Agent - 20.0.0-6690 (20 LTS Update 2023-03-29)

Release date: March 29, 2023
Build number: 20.0.0-6690

New features

Service Gateway: Deep Security Agent 20.0.0-6690 or later with Deep Security Manager 20.0.741 or later now supports the Service Gateway feature, providing forward proxy functionality.

Enhancements

  • Deep Security Agent installation now performs a pre-check to verify if its operating system meets Azure Code Signing (ACS) requirements. For more information, see Trend Micro Server and Endpoint Protection Agent Minimum Windows Version Requirements. DS-75552
  • Application Control now checks the execution of Microsoft Windows Control Panel Applet (.CPL) files. DS-74587
  • Application Control now checks the execution of Microsoft Compiled HTML help (.CHM) files. DS-74828
  • When an Application Control Trust Entities path rule uses a wildcard without specifying a filename, the wildcard now applies to all files in any directory matching the rule's path. Note that previously, the globstar (**) wildcard would apply to a path rule's directory and subdirectories, as opposed to the single star (*) wildcard which would only match within the path rule's directory. DS-75133
  • Web Reputation Service now includes OS platform metadata. DS-75453
  • Deep Security Agent 20.0.0-6690 or later now supports the Proxy Manager for Trend Micro Vision One (XDR) Threat Intelligence - User Defined Suspicious Object (UDSO). DS-75365
  • Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (dsa-connect-X.log) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598
    The logger supports an on-demand JSON config file (either dsa-connect.ini or dsa-connect.conf) with the following configurable options:
    • Debug: Enable the debug log messages. The default value is false.
    • Count: Number of log files to generate. The default value is 5.
    • Size: Maximum size of each log file in bytes. The default value is 2097152.
    Example config file:
    {
      "Debug": true,
      "Count": 5,
      "Size": 2097152
    }
  • The Web Reputation Service's Browser Extension now allows Trend Micro Toolbar for Chrome browser to inspect URLs for content scripts in all frames. DS-75387
  • Anti-Malware events generated by the SAP Scanner now include file hashes. DS-75648/SEG-165491

Resolved issues

  • Deep Security Agent events and module status changes sometimes failed to appear in the console. DS-46344/SEG-67100/SEG-101719/SEG-112311
  • When Anti-Malware's "Enable network directory scan" option was enabled (Computer or Policy > Anti-Malware > General > Real-Time Scan > Malware Scan Configuration > Advanced > Network Directory Scan), malware was detected but a corresponding event was not recorded in some cases. SF06198579/SEG-160763/DSSEG-7786
  • When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
  • Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
  • When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
  • Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835
  • Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
  • Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
  • Application Control now checks web browser execution of .HTML, .HTM, and .JS files. DS-75102
  • When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
  • Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
  • Deep Security Agent Scanner (SAP) couldn't generate reports for files with one or more trailing dots (.) in their file name. SF06181341/SEG-166326/DS-76404

Known issues

  • Deep Security Agent 20.0.0-6313 or later is currently unable to load the third-party libraries required to use Remote Shell, File Collection, or Network Isolation on the Windows 2008 platform. If you need these three features on a Windows 2008 system, refrain from upgrading your agent. DS-75176
  • Updating Deep Security Agent causes Deep Security Manager to show an unknown error event (ID: 740) on some systems. A future Deep Security Manager release will address this issue. For more details, see Unrecognized Agent / Appliance Error Event in Deep Security Manager (Event ID 1010 - 1013). DS-76813

Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)

Release date: January 31, 2023
Build number: 20.0.0-6313

New features

Windows 10 22H2 support: Deep Security Agent 20.0.0-6313 or later with Deep Security Manager 20.0.716 or later now supports Windows 10 22H2.

Enhancements

  • Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676
  • With Anti-Malware and Behavior Monitoring enabled, Deep Security Agent now monitors for suspicious behavior to improve protection against MITRE attack scenarios. This functionality requires Deep Security Manager 20.0.711+. DS-73644
  • Updated Deep Security Agent to support the "Trend Micro Toolbar for Enterprise" Chrome browser extension, improving HTTPS protection for Web Reputation Service. DS-74870

Resolved issues

  • When Application Control was enabled, Deep Security Agent's status sometimes became stuck at "Application Control Ruleset Update In Progress". DS-74627
  • An issue with the TLS protocol record layer in Deep Security Agent caused some systems to crash. SF06297487/SEG-162236/DSSEG-7774
  • Deep Security Agent sometimes caused file handle leaks when communicating with Deep Security Manager or agent command-line tools. DS-75111
  • For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent only shows the final successful event. SF06207160/SEG-160085/DSSEG-7765
  • With Web Reputation enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (_) entered in a command was replaced with a dash (-), and an uppercase Z was replaced with a lowercase z. DS-74335

Deep Security Agent - 20.0.0-5995 (20 LTS Update 2022-11-28)

Release date: November 28, 2022
Build number: 20.0.0-5995

New features

Windows 11 22H2 support: Deep Security Agent 20.0.0-5995 or later with Deep Security Manager 20.0.711 or later now supports Windows 11 22H2.

Enhancements

  • Updated Deep Security Agent to support the "Trend Micro Toolbar for Enterprise," a Chrome browser extension that extends HTTPS protection for Web Reputation Service. This is only supported for Trend Micro Cloud One - Workload Security customers at this time. DS-74568
  • Updated the Web Reputation Service to support multi-thread processing on the web browser extension, improving the query rate. DS-74098
  • Updated Deep Security Agent to include the details of command line Behavior Monitoring violations in the console under Events and Reports > Events > Anti-Malware Events. DS-72866

Resolved issues

  • A file handle leak in the Deep Security notifier (notifier.exe) caused high system memory usage. DS-74325
  • In Workload Security, enabling OS proxy (by setting Allow agents to apply OS proxy or direct connect when the configured proxy is inaccessible to Yes from Administration > System Settings > Proxies) would cause Deep Security Agent to crash if the proxy data the agent needed was missing on the operating system side. SEG-158968/DS-75034
  • While running Application Control in maintenance mode, executable files that should have been accessible were sometimes blocked due to a sharing violation. SF04922652/SEG-131710/DS-74592
  • Application Control was unable to block scripts executed using GitBash shell (sh.exe). DS-73827
  • Deep Security Agent caused an outdated "Early Launch Anti-Malware Pattern" component to appear on the Security Updates page, causing the Security Update Status to be "Out-of-Date". This pattern was unused, which is why it always appeared as an outdated component. SEG-158345/DSSEG-7745
  • Deep Security Agent sometimes allowed a higher access level than the one set by a user's group. For example, the "Users" group was able to modify files even if it had read-only access. SEG-157530/DSSEG-7737
  • With Anti-Malware enabled, a Deep Security Agent driver caused some systems running Windows Server 2008 to crash. SF05926337/SEG-157388/DSSEG-7739

Deep Security Agent - 20.0.0-5810 (20 LTS Update 2022-10-27)

Release date: October 27, 2022
Build number: 20.0.0-5810

New features

Installed software reporting: Deep Security Agent now reports installed software with additional details from the Microsoft Windows Installer. This is currently only available to Trend Micro Cloud One Workload Security customers.

Enhancements

  • Updated Deep Security Agent to include additional metadata, such as UserAgent and Referrer, for Web Reputation Services. DS-72196
  • Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
  • Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085

Resolved issues

  • With Anti-Malware Behavior Monitoring enabled, uninstalling or upgrading from Deep Security Agent 20.0.0-5761 caused some systems to crash. For more details see BSOD Encountered During Uninstall of Deep Security Agent 20.0.0-5761. DS-74322
  • With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
  • If the Deep Security Agent service stopped while running Application Control in Maintenance Mode, executable files created after the service stopped were not being auto-approved as intended. SF05961688/SEG-152045/DS-73570
  • Software, if renamed or copied while Application Control had Maintenance Mode enabled, would remain authorized in the software inventory under its original filename or location. DS-74015
  • Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an "Offline (Activation required)" status. SEG-153050/DS-73807
  • The TLS inspection support package failed to download on Deep Security Agents using Edge Relay. DS-73789
  • While an Application Control inventory build is in progress, the agent would sometimes appear offline. DS-72189

Known issues

Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)

Release date: September 22, 2022
Build number: 20.0.0-5512

Enhancements

  • Deep Security Agent now supports the automatic update of Advanced TLS Traffic Inspection as operating system libraries change (Computer or Policy > Settings > TLS Inspection Package Update). This requires Deep Security Manager 20.0.677 or later. DS-72828

Resolved issues

  • Integrity Monitoring events (Events and Reports > Integrity Monitoring) were created with N/A displayed in the KEY and TYPE columns. SF05533287/SEG-139293/DS-71899
  • Updating Deep Security Agent and removing the expired TLS session key caused some systems to crash. SF06007238/SEG-153175/DS-73404
  • With Anti-Malware enabled, some computers froze in a "Security Update In Progress" state. SF05106626/SEG-129777/DSSEG-7500
  • With Deep Security Agent self-protection enabled, enabling or disabling Advanced TLS inspection service caused "Event ID 7006" in the Windows Service Control Manager. DS-73305
  • Deep Security Agent reported host metadata in an unexpected format. DS-73411

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8100/VRTS-8101/DS-73087/DS-72528
Highest Common Vulnerability Scoring System (CVSS) score: 7.0
Highest severity: High

Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)

Release date: August 29, 2022
Build number: 20.0.0-5394

Enhancements

  • Application Control now detects software changes for executables with non-executable extensions. DS-70805
  • Added SYSTEM user network drives and mount points for Windows to the information collected when generating a diagnostics package. DS-71816
  • Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
  • Updated Deep Security Agent so Application Control automatically authorizes test PowerShell scripts created by AppLocker. DS-71762
  • Behavior Monitoring exclusions now support wildcard characters. DS-71976
  • Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833

Resolved issues

  • When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
  • Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
  • When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
  • When Behavior Monitoring is enabled, Deep Security Agent would sometimes prevent Docker on Windows from starting. SF05709278/SEG-146323/DSSEG-7660
  • Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
  • When Application Control is enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
  • Deep Security Agent would sometimes retrieve incorrect PID information on Windows for connection metrics and log events. DS-72526
  • Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
  • Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071
  • When Anti-Malware accessed files on a Cluster Shared Volume, the Hyper-V host would crash. SF05713918/SF05850687/SEG-146660/SEG-148664/DSSEG-7664

Known issues

  • When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)

Release date: July 26, 2022
Build number: 20.0.0-5137

New features

Advanced TLS Traffic Inspection: Deep Security Agent 20.0.0-5137 or later adds Advanced TLS Traffic Inspection support to platforms that run system updates or package updates. Note that this feature is currently only supported for Trend Micro – Cloud One Workload Security. Support for Deep Security Manager (On-Premise) will be added later.

Enhancements

  • Deep Security Agent 20.0.5137 or later for Windows uses an additional certificate: "Microsoft Identity Verification Root Certificate Authority 2020". For details see Updating the VeriSign, DigiCert, USERTrust RSA certificate on Deep Security and Trend Cloud One - Endpoint & Workload Security. DS-72711
  • Deep Security Agent Scanner (SAP) now generates infection reports with additional details. DS-71660
  • Updated Deep Security Agent to improve the "zero-config" SSL process for outbound connections. DS-70715
  • Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes the globstar (**), which matches many subdirectories. The single star (*) now only matches within your current directory. Existing rules that used a single star (*) to match many folders no longer work and need to be changed to use a globstar (**). DS-71817

Resolved issues

  • With Anti-Malware enabled, Deep Security Agent had a driver conflict causing some third-party applications to freeze. SF05570686/SEG-140749/DSSEG-7650
  • Deep Security Agent's Scanner (SAP) library install sometimes failed because required certificates on hosts were outdated. DS-71917
  • Deep Security Agent SAP scanner could not detect the MIME (.TTF) files. DS-55897
  • Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7102/VRTS-7070/VRTS-7041/VRTS-7039/DSSEG-7636
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium

Known issues

  • When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)

Release date: July 4, 2022
Build number: 20.0.0-4959

Resolved issues

  • Deep Security Agent caused increased CPU usage for systems running the WMI provider service (WmiPrvSE.exe). 05528968/SEG-142736/DS-71626
  • Deep Security Agent Scanner (SAP) reports displayed .SAR files in the wrong order. DS-71651
  • Deep Security Agent had a conflict preventing TMUMH drivers from loading (on Windows 11 and Windows 2022), and in some cases causing a system crash (affecting all Windows platforms). SEG-143164/DSSEG-7596
  • Using the command line (dsa_control -b), Deep Security Relay failed to extract the bundle file required to update in a closed network environment. SF05715642/SEG-144571/DSSEG-7600
  • With Log Inspection enabled, updates to Deep Security Agent 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
  • When Anti-Malware is enabled alongside Integrity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
  • With Anti-Malware enabled, Deep Security Agent generated "Anti-Malware Engine Offline" errors caused by service restarts following a software upgrade. SF05521775/SEG-144639/DSSEG-7615
  • With Anti-Malware enabled, Deep Security Agent sometimes caused a system crash or high system memory usage, or failed to deliver event reports. SF05475742/SEG-142632/DSSEG-7626
  • Updated Deep Security Agent to immediately report its status to Deep Security Manager when Application Control's maintenance mode is enabled on the agent. DS-71617
  • Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7633/DS-71687
Highest Common Vulnerability Scoring System (CVSS) score: 6.2
Highest severity: Medium

Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)

Release date: May 31, 2022
Build number: 20.0.0-4726

Enhancements

  • Updated Deep Security Relay to record its status and other metrics for potential troubleshooting. DS-65763

Resolved issues

  • Trust Entities "Allow by target" rules sometimes blocked processes they weren't intended to block. SF04922652/SEG-131710/DS-71060
  • Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
  • Updated Deep Security Relay to prevent Deep Security Agent from retrieving incomplete signature files for packages. SF05332854/SEG-134394/DS-71228
  • Deep Security Agent had connectivity issues caused when a Server Name Indicator (SNI) used an invalid format. SEG-127761/DS-70806
  • An abnormal restart of Deep Security Agent sometimes led to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333
  • With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7090/DSSEG-7541/DS-52329
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High

Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)

Release date: April 28, 2022
Build number: 20.0.0-4416

Enhancements

  • Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515
  • Updated Deep Security Agent to support enabling the Anti-Malware module while Windows Defender is running in passive mode under some system configurations DS-69161. Currently this is only supported on systems running the following versions:
    • Defender (AM) product / engine versions:
      • AMProductVersion: 4.18.2202.4
      • AMEngineVersion: 1.1.18900.3
    • Windows server and desktop versions:
      • Windows Server 2016 and newer
      • Windows 10 x64 RS5 and newer
    • Deep Security Agent 20.0.0-4416+

Resolved issues

  • Deep Security Agent generated multiple "Anti-malware Engine Offline" events during agent upgrades under some system configurations. SF04500910/SEG-129316/DSSEG-7458

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7132/DS-70518
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High

Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)

Release date: April 6, 2022
Build number: 20.0.0-4185

New features

Advanced TLS traffic inspection: Advanced TLS traffic inspection adds the capability for inspecting TLS traffic encrypted with modern ciphers, including Perfect Forward Secrecy (PFS). It also enhances virtual patching for HTTPS servers to help protect against vulnerabilities such as Log4j.

Enhancements

  • Updated Deep Security Agent to properly execute Application Control settings for software changes made during a Windows upgrade. Previously, trust rules auto-authorizing software changes associated with a Windows upgrade would fail if Application Control was in lock down mode. DS-69579
  • When certificates are missing for an Anti-Malware installation, Deep Security Agent now forwards the certificate details to Deep Security Manager. The specific certificates missing will appear in the manager under Events and Reports > System Events. DS-69074

Resolved issues

  • Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
  • Deep Security Agent created an "Application Control Engine Offline" error during agent upgrade, and an "Application Control Engine Online Again" message after upgrade completion. Note that an upgrade should not have triggered these events. DS-69888
  • Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
  • Deep Security Agent sometimes consumed a high amount of system resources during policy updates. SEG-134417/DS-69810

Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)

Release date: March 1, 2022
Build number: 20.0.0-3964

New features

Threat Intelligence: Threat Intelligence (formerly known as Connected Threat Defense) provides enhanced malware protection for new and emerging threats. For more information, visit Detect emerging threats using Threat Intelligence.

Enhancements

  • Updated Deep Security Agent to exclude suspicious characters, such as $, found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989

Resolved issues

  • Deep Security Agent accepted policy change parameters even if the self-protection password verification did not pass. SF05177188/SEG-129643/DS-69293
  • Deep Security Agent sometimes went offline unexpectedly after activation. SEG-130280
  • With Intrusion Prevention enabled, issues establishing an SSL connection caused "Unsupported SSL Version" events. SF04955719/SEG-127437/DS-68689
  • Deep Security Agent was generating unexpected "Log File Delete Error" system events. DS-69641
  • Deep Security Agent sometimes created unnecessary User (Created/Deleted) or Group (Added/Removed/Updated) events. DS-62413

Deep Security Agent - 20.0.0-3771 (20 LTS Update 2022-01-24)

Release date: January 26, 2022
Build number: 20.0.0-3771

New features

Zero config IPS inspection: Deep Security Agent adds the capability for Intrusion Prevention to inspect TLS encrypted traffic without manually importing certificates. This adds support for more cipher suites as well. This feature is being rolled out gradually for Windows platforms, beginning with Trend Micro Cloud One - Workload Security customers.
Windows 21H2 support: Deep Security Agent 20.0.0-3771 or later now supports Windows 21H2.

Enhancements

  • Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042

Resolved issues

  • Pairing Deep Security Agent with a proxy failed on Windows 11 when the "http://" prefix was unexpectedly added to the proxy address. The prefix was added if the address was accessed from the LAN settings window (Control Panel > Network and Internet > Internet Options > Connections > LAN settings), and then the window was closed by selecting OK. DS-68568
  • Deep Security Agent security update would fail and generate "AMSP" events if Anti-Malware was offline during the update. SF04696674/SEG-120215/DSSEG-7287
  • Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494
  • Updated Deep Security Agent to enable "Write Defer Scan" by default for real-time Anti-Malware scanning, resulting in increased response time, faster processing, and reduced CPU usage. Previously, all files were scanned during read/write by default. Now, Anti-Malware file scanning during write is deferred (the file is added to a queue and scanned in the background). DS-66344
  • With Smart Scan enabled, Deep Security Agent was downloading the full size pattern update file, instead of the incremental one it was expected to, during security updates. SEG-124937/DSSEG-7317

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6187/DS-65070/DS-68180
Highest Common Vulnerability Scoring System (CVSS) score: 9.1
Highest severity: High

Deep Security Agent - 20.0.0-3530 (20 LTS Update 2021-12-15)

Release date: December 15, 2021
Build number: 20.0.0-3530

New features

  • OS proxy support: Deep Security Agent 20.0.0-3530 or later for Windows can now apply proxy settings from the computer's OS to automatically connect to Trend Micro Cloud One - Workload Security, Deep Security Relay, and other Trend Micro backend services if the default agent-configured proxy loses its connection. This feature is only available to certain Workload Security customers at this time.

Important Notes

  • Pairing Deep Security Agent with a proxy currently fails on Windows 11 when the "http://" prefix is unexpectedly added to the proxy address after accessing it (under Control Panel > Network and Internet > Internet Options > Connections > LAN settings) and then selecting OK to close the window. This issue will be fixed in a future release. DS-68568

Resolved issues

  • With Smart Scan enabled, Deep Security Agent downloaded the full size pattern update file instead of the incremental one it was expected to during security updates. DSSEG-7317

Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)

Release date: November 24, 2021
Build number: 20.0.0-3445

New features

  • Anti-Malware offline scheduled scan: Deep Security Agent 20.0.0-3445 or later adds the offline scheduled scan feature, enabling Anti-Malware scheduled scans to run while an agent is not connected to Cloud One Workload Security. This feature is only available to certain Cloud One Workload Security customers at this time.
  • Windows 11 support: Deep Security Agent 20.0.0-3445 or later now supports Windows 11.
  • Windows Server 2022 support: Deep Security Agent 20.0.0-3445 or later now supports Windows Server 2022.

Enhancements

  • Updated Deep Security Agent to allow the Deep Security Notifier to be locked on (when installed through the command prompt using msiexec /I "Notifier's installer name" LockAppSettingsDefault=1), preventing users from hiding notifications. DS-64527
  • Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
  • Deep Security Agent no longer uses CBC cipher suites by default in order to improve security. DS-67204
  • Updated Deep Security Agent to support using the "process name" property in "Ignore from source" rules for Application Control Trust Entities on Cloud One Workload Security. DS-67322
  • Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347

Resolved issues

  • With Anti-Malware enabled, Deep Security Agent caused connectivity issues for third-party software on some systems. SF04087024/SEG-125579/DSSEG-7321
  • Deep Security Agent sometimes showed plugin installation failures during an upgrade even when the upgrade was successful. DS-67336
  • When an expired certificate was removed from the host, the Anti-Malware plug-in update would fail, creating "Anti-Malware Component Update" events. SEG-117871/DS-66139
  • If an Anti-Malware scan began before the module had completed its installation on Deep Security Agent, it could cause a system crash and "Anti-Malware Engine Offline" errors after a reboot. SEG-108355/DS-63721
  • Deep Security Agent couldn't properly handle SAP NetWeaver MIME type scan requests containing leading and trailing spaces. DS-67448
  • When Integrity Monitoring rules using "UserSet" or "GroupSet" were enabled for a Deep Security Agent on Windows Active Directory Domain Controllers, excessive CPU and memory consumption would sometimes occur. Deep Security Agent 20.0.0-3445 blocks these types of Integrity Monitoring rules on Windows Active Directory domain controllers and generates an "Inapplicable Integrity Monitoring Rule" event. DS-65965

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6489/DSSEG-7210/DS-65113/VRTS-6207/DSSEG-7026
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)

Release date: October 28, 2021
Build number: 20.0.0-3288

New features

  • Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
    • Agent size requirements have increased, including a slightly larger installer package on most platforms.
    • All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
    • The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

  • On Deep Security Agent 20.0.0-3165, "Anti-Malware Component Update Failed" events were sometimes generated when computers performed security updates. This defect is now fixed in Deep Security Agent 20.0.0-3288. SF04937346/SEG-122765/DSSEG-7268
  • With Intrusion Protection enabled, Deep Security Agent sometimes caused high CPU usage and sometimes caused the system to crash. DS-65902
  • With Intrusion Protection enabled, Deep Security Agent caused the system to crash under some configurations. SF04931669/SEG-123338/DS-67441
  • With SAP integrated and running, Deep Security Agent would block MP4 files. 04660120/SEG-117094/DSSEG-7254
  • Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
  • CPU usage would spike when Deep Security Agent queried the runtime status of the Anti-Malware component. DSSEG-7222
  • Deep Security Agent did not always check that metadata was ready before initializing connection with the manager. DS-51103
  • Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-65056

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-46018/DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)

Release date: October 08, 2021
Build number: 20.0.0-3165
Note
Deep Security Agent 20.0.0.3165 has been released to Trend Micro Cloud One - Workload Security customers. However, it is not available on the Deep Security Agent software download page or released to customers using Deep Security Manager.

New features

  • Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
    • Agent size requirements have increased, including a slightly larger installer package on most platforms.
    • All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
    • The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

  • Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
  • CPU usage would spike when Deep Security Agent queried the runtime status of the Anti-Malware component. DSSEG-7222
  • Deep Security Agent did not always check that metadata was ready before initializing connection with the manager. DS-51103

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Deep Security Agent - 20.0.0-2921 (20 LTS Update 2021-08-30)

Release date: August 30, 2021
Build number: 20.0.0-2921

New features

Census feedback: Deep Security Agent 20.0.0-2921 or later can now send census file feedback to the Smart Protection Network (SPN) if Trend Micro Smart Feedback is enabled (System Settings > Smart Feedback).

Enhancements

  • Updated Deep Security Agent to detect the "HiveNightmare" exploit. DS-65217

Resolved issues

  • With Application Control enabled, Deep Security Agent sometimes crashed when a .MSI file was launched. SF04647983/SEG-114894/DSSEG-7032
  • Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
  • Deep Security Agent sometimes failed to properly display items under Events and Reports. DSSEG-7057

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7046/DS-65668
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Deep Security Agent - 20.0.0-2740 (20 LTS Update 2021-07-29)

Release date: July 29, 2021
Build number: 20.0.0-2740

Enhancements

  • Updated Deep Security Agent to improve TLS traffic inspection. This feature is being rolled out gradually, beginning with Trend Micro Cloud One - Workload Security customers. DS-15576
  • Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547

Resolved issues

  • With Application Control enabled, files with ".tmp" extensions were creating a large number of "Application Control Software Changes Detected" events in the Deep Security Manager console. 04671615/SEG-115017/DS-65043
  • Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
  • Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
  • Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
  • Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
  • With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. SF04613197/SEG-113566/DS-64050
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: High

Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)

Release date: July 01, 2021
Build number: 20.0.0-2593

Resolved issues

  • Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
  • Anti-Malware sometimes went offline after enabling Application Control on Deep Security Agent. SF04532752/SEG-110572/DS-63406
  • Application Control was detecting multiple "Application Control Software Changes Detected" events due to ".tmp" files being generated by PowerShell. C1WS-1608
  • Citrix Virtual App or Desktop users sometimes encountered a grey screen (with error code 1003/1005) when Anti-Malware was enabled for Deep Security Agent. DS-64318
  • Anti-Malware sometimes caused high system CPU usage when the Windows WMI service accessed files repeatedly. SEG-109271/DSSEG-6983

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-5850/DS-54705
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium

Deep Security Agent - 20.0.0-2419 (20 LTS Update 2021-06-02)

Release date: June 02, 2021
Build number: 20.0.0-2419

Resolved issues

  • Deep Security Agent 20.0.0-2395 for Windows always displayed an "Out-of-Date" Security Update Status. This agent was removed from the Trend Micro Download Center. For more information see Removal of Deep Security Agent 20.0.0-2395 for Windows. SF04537047/SEG-110737/DS-63424
  • Integrity Monitoring alerts sometimes triggered but then did not appear in the Events and Reports tab. 04266346/SEG-103731/DS-62992
  • Items queued for Anti-Malware scan sometimes caused higher than normal Deep Security Agent CPU usage. DS-63106
  • Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certification Revocation List (CRL). DS-62154
  • Insufficient host information caused by connectivity issues sometimes resulted in offline or duplicate listings in the Computers tab for Deep Security Agents on AWS workspaces. SF04198134/SEG-102818/DS-61666
  • Deep Security Agent sometimes could not successfully perform an upgrade because of a missing package. SF04302125/SEG-104084/DS-62692

Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)

Release date: April 12, 2021
Build number: 20.0.0-2204

Resolved issues

  • When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
  • When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067
  • When Anti-Malware self-protection was enabled, sometimes third-party software could not be installed. SEG-101840/DSSEG-6694
  • Behavior Monitoring exceptions sometimes did not work properly. SF03775351/SEG-89899/DSSEG-6718
  • With Anti-Malware enabled, network transfer speeds slowed down significantly on some systems. SF04299217/SEG-103986/DSSEG-6780
  • Anti-Malware Behavior Monitoring exceptions sometimes did not work properly. SF04259521/SEG-102792/DSSEG-6714

Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)

Release date: March 08, 2021
Build number: 20.0.0-2009

Enhancements

  • Updated Deep Security Agent to include CPU information (number of logical cores) to improve diagnostics and performance tracking. DS-60011

Resolved issues

  • The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893
  • Behavior Monitoring sometimes blocked a program without generating an event. SF03604820/SEG-86752/DS-60526
  • When Anti-Malware was enabled, a high amount of CPU was used. SF04106889/SEG-99034/DS-60526
  • Deep Security Agent sometimes crashed during an Anti-Malware manual scan. SEG-100231/DSSEG-6664

Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)

Release date: February 08, 2021
Build number: 20.0.0-1876

Resolved issues

  • The Deep Security Agent sometimes crashed when running Intrusion Prevention in passive mode. DS-57497

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021
Build number: 20.0.0-1822

Resolved issues

  • After a Windows update occurred, "Maintenance mode" for Application Control turned off automatically. SF03905860/SEG-93631/DS-58413

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021
Build number: 20.0.0-1681
This release contains general improvements.

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020
Build number: 20.0.0-1559

New features

Enhanced platform support

  • Windows 10 20H2

Improved security

TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This resolves issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.

Enhancements

  • Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
  • Enhanced memory usage to improve performance. DS-53012
  • Deep Security Agent now supports custom actions for Behavior Monitoring and Predictive Machine Learning. DS-48081

Resolved issues

  • When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
  • Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
  • Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020
Build number: 20.0.0.1337

New features

Upgrade to supported paths: The Upgrade on activation feature only upgrades the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the Upgrade on activation feature detects the newer version and completes the upgrade to the designated release.

Enhancements

  • Added various executable files as trusted installers so they are automatically recognized by Application Control. SF03568205/SEG-85141/DS-54884
  • Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800/DS-51879
  • Real-time Integrity Monitoring explicitly matches the directory specified in the base directory. Previously, it matched all paths that started with the base directory. DS-52692
  • Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

  • In combined mode with agent-only and agent-preferred settings enabled, Deep Security Notifier sometimes turned the Antivirus status in the Windows action center on and off, which caused high CPU. DS-54799
  • After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
  • The Behavior Monitoring feature of Anti-Malware sometimes raised false alarms. DS-44974
  • When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058
  • When "Serve Application Control rulesets from relays" was enabled, unnecessary relay error events occurred. DS-50905
  • Deep Security Agent crashed unexpectedly because it was unable to detect the Docker engine version on Windows Servers. DS-29590
  • Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions at security updates. SEG-82072/DS-54720
  • There were detection issues with real-time Anti-Malware scans. DS-50286
  • Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719
  • When a re-transmission packet with new packets was sent, it sometimes produced an "Unsupported SSL Version" Intrusion Prevention event. DS-53144

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/DS-41233
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium

Known issues

While the Deep Security Relay is upgrading co-located or independent relays, the alerts "Anti-Malware protection is absent or out of date" and "Security Update: Security Update Check and Download Failed (Agent/Appliance error)" might occur for up to 20 minutes or longer before they're automatically resolved and the respective alerts cleared. For any subsequent Deep Security Agent upgrades to succeed, wait for the Deep Security Relay alerts to clear automatically. DS-54056

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020
Build number: 20.0.0.877

New features

Improved security

Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.
Protect AWS accounts with incorrect credentials: In the past, if your credentials were entered incorrectly for AWS accounts in Deep Security, the agent failed to activate. This might have occurred because the credentials were entered incorrectly or because, over time, the credentials changed without a corresponding update on Deep Security. To help ensure protection remains in place in this situation, which in many cases is a simple configuration error, the computer is now created outside of the account and the agent is allowed to activate.
SSL improvements: Deep Security supports the handshake hello_request message (RFC 5246) and the encrypt_then_mac extension (RFC 7366) in SSL inspection.

Improved quality and management

Reboot requirement removed for agent upgrade: Previously, there were several situations where a Windows server would require a reboot for a new agent to complete the upgrade. The need to reboot when upgrading from Deep Security Agent 11.0, 12.0, or 20.0 on any Windows operating system has been completely removed, so applications are not impacted as a result of upgrading Deep Security Agent.
Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.
Instance Metadata Service Version 2 (IMDSv2) support: IMDSv2 is supported with Deep Security Manager FR 2020-04-30. For details, see How does Deep Security Agent use the Amazon Instance Metadata Service?
Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been canceled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.
Anti-Malware real-time file scan report: Deep Security has the ability to determine the top 10 files that are scanned by Anti-Malware real-time scan. This provides a starting point for performance evaluation and tuning, as you can use this information to set file exclusions and avoid unnecessary scans. The 'AmTopNScan.txt' file with the collected data can be generated using the following methods:
  • By the command dsa_control --AmTopNScan
  • By the diagnostic service
Improved process exceptions: The process exception experience has been improved in the following ways:
  • Information about why process exclusion items are not functioning correctly is now provided, so you can troubleshoot the issue and know which actions to take to resolve it.
  • The process exception configuration workflow has been improved to make it more robust.
Windows Event Channel for Log Inspection: Windows Event Channel logging provides a new option for tracking OS and Application logging for Windows platforms newer than Windows Vista. Event channels can be used to collect Log Inspection events which you can view later.

Enhancements

  • Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
  • Removed Integrity Monitoring and Application Control's dependency on Anti-Malware, so they no longer require Anti-Malware to be installed to function.
  • Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
  • Added support for agentless mode on vCloud connector for version 9.5 or later.
  • Enhanced the agent-initiated activation experience by displaying the activation status (for example, a success message or a message that explains a newer Deep Security Manager version is required) on Deep Security Manager.
  • Enhanced the Malware Scan Failure event description to indicate the possible reason.
  • Streamlined event management for improved agent performance.
  • Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.
  • Added support for Deep Security Agent delayed upgrade to reduce the Anti-Malware offline issue after triggering an upgrade.

Resolved issues

  • After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
  • Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
  • Deep Security Agent restarted unexpectedly because of the way Log Inspection was accessing the SQLite database. DS-48395
  • The interface isolation feature stayed active when Firewall was turned off. SEG-32926/DS-27099
  • Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. DS-48916
  • Integrity Monitoring events showed an incorrect file path with Unicode encoding. SEG-45239/DS-33911
  • The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. SF02092464/SEG-53938/DS-38578
  • Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. SEG-39711/DS-32799
  • For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. SF01704358/SEG-45004/DS-32077
  • Deep Security's Notifier.exe process caused high CPU usage. SF01716752/SEG-45507/DS-33645
  • The "Smart Protection Server Disconnected for Smart Scan" alert did not automatically clear after the connection had been restored. SF1609675/SEG-43574/DS-32947
  • In some cases, the Windows driver did not correctly release spinlock, causing the system to hang. SF01990859/SEG-50709/DS-36066
  • The Deep Security Agent process sometimes crashed when detailed logging of SSL messages was enabled and being output. SF01745654/SEG-45832/DS-33007
  • When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. SF01415702/SEG-42919/DS-33008
  • The Send Policy action failed because of a GetDockerVersion error in Deep Security Agent. SF1939658/SEG-49191/DS-34222
  • Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DS-34022
  • The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. SEG-50728/DS-35446
  • The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. SF01526046/SF02159742/SEG-55453/DS-38812
  • Deep Security Agent restarted abnormally along with an "Unable to send data to Notifier app." error message in ds_agent.log. SEG-21208/DS-33134/DS-21352
  • When the system region format is "Chinese (Traditional, Hong Kong SAR)", Deep Security Notifier displayed simplified Chinese instead of traditional Chinese. SEG-48075/DS-34778
  • Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. SF02187371/SEG-56645/DS-39398
  • Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. SF01804378/SEG-47425/DS-33690
  • Too many file open events were being processed in user mode resulting in high CPU usage. SF02179544/SEG-55745/DS-39638
  • The Type attribute was not displayed in Integrity Monitoring events when the default STANDARD attribute was set to monitor registry value changes. SF02412251/SEG-59848/DS-41118
  • Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. SF01780211/SEG-46616/DSSEG-3607
  • High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. SF02179544/SEG-55745/DS-41142
  • The Windows Update procedure was blocked when Application Control was enabled in Block-Mode. SF02092464/SEG-53938/DS-39981
  • Deep Security failed to download security updates because of an outdated user agent string. SF02043400/SEG-52069/DS-41316
  • When machines wrote document files to a file server, Anti-Malware needed to scan the files frequently, which caused other machines to fail to write the file because the file was being scanned. SF01949194/SEG-49854/DS-40100
  • When Deep Security Agent scanned large files for viruses, it consumed a large amount of memory. SF01572110/SEG-48704/DS-43114

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/VRTS-3176
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
  • Updated NGINX to 1.16.1. DSSEG-4600
  • Updated to curl 7.67.0.
  • Updated to openssl-1.0.2t.
  • Updated JRE to the latest Java Update (8.0.241/8.43.0.6).

Known issues

  • After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error may occur. To work around this issue, right-click the affected computer and select Actions > Clear Warnings/Errors, then Send Policy.
  • After upgrading the Deep Security Agent on Windows 2008, Anti-Malware may go offline. If this occurs, fully uninstall Deep Security Agent, reboot your server, then reinstall the agent.

Upgrade notice

  • If you have Application Control enabled, there may be a temporary performance impact while your software inventory is automatically rebuilding. DS-41775

Unix

Deep Security Agent - 20.0.2-4961 (20 LTS Update 2025-03-12)

Release date: March 12, 2025
Build number: 20.0.2-4961

Enhancements

  • The dsa_scan command now includes a scanLargeFile option for managing larger files. DSA-8825

Deep Security Agent - 20.0.2-1390 (20 LTS Update 2025-01-15)

Release date: January 15, 2025
Build number: 20.0.2-1390

Enhancements

  • Deep Security Agent now queues packets to handle them in sequence, improving performance. DSA-6916

Resolved issues

  • Deep Security Agent sometimes had connectivity issues when Advanced TLS Traffic Inspection was enabled. DSA-8577

Deep Security Agent - 20.0.1-25771 (20 LTS Update 2024-12-10)

Release date: December 10, 2024
Build number: 20.0.1-25771

Resolved issues

  • Events including packet data were being logged with an incorrect packet size. PCT-45556/DSA-8074

Deep Security Agent - 20.0.1-23340 (20 LTS Update 2024-11-13)

Release date: November 13, 2024
Build number: 20.0.1-23340

Enhancements

  • Web Reputation Service can now use Server Name Indication (SNI) queries when determining the risk level of a website. DSA-7314

Deep Security Agent - 20.0.1-21510 (20 LTS Update 2024-10-16)

Release date: October 16, 2024
Build number: 20.0.1-21510
This release contains general improvements.

Deep Security Agent - 20.0.1-19250 (20 LTS Update 2024-09-18)

Release date: September 18, 2024
Build number: 20.0.1-19250
This release contains general improvements.

Deep Security Agent - 20.0.1-17380 (20 LTS Update 2024-08-21)

Release date: August 21, 2024
Build number: 20.0.1-17380

Resolved issues

  • Deep Security Agent could not load the policy if some policy configuration fields contained curly brackets. DSA-6189
  • Deep Security Agent would fail to activate if the hostname contained non-ASCII characters. PCT-32214/DSA-6268
  • When Intrusion Prevention was enabled for Deep Security Agent, some third-party applications had connectivity issues if they were reusing a source port. SF07685331/PCT-20541/DSA-5596

Deep Security Agent - 20.0.1-14610 (20 LTS Update 2024-07-17)

Release date: July 17, 2024
Build number: 20.0.1-14610

Resolved issues

  • Integrity Monitoring real-time scans sometimes failed to generate events. SF07269768/PCT-21721/DSA-5877
  • Deep Security Agent for AIX platforms was sometimes unable to start without configuring a supported locale. DSA-5876

Deep Security Agent - 20.0.1-12510 (20 LTS Update 2024-06-19)

Release date: June 19, 2024
Build number: 20.0.1-12510

Resolved issues

  • When Anti-Malware was enabled, Deep Security Agent sometimes failed to shut down completely. PCT-26090/DSA-5492

Deep Security Agent - 20.0.1-9400 (20 LTS Update 2024-05-16)

Release date: May 16, 2024
Build number: 20.0.1-9400

Resolved issues

  • Using Deep Security Agent with Web Reputation Service enabled prevented some Application Performance Monitoring (APM) applications from functioning correctly. SF04072723/SEG-97952/PCT-15716/DSA-4750
  • The Anti-Malware Scheduled Scan on AIX platforms was including Network File System (NFS) contents, which should have been excluded. PCT-13912/DSA-4098

Deep Security Agent - 20.0.1-7380 (20 LTS Update 2024-04-24)

Release date: April 24, 2024
Build number: 20.0.1-7380

Enhancements

  • Deep Security Agent now supports Trend Vision One Service Gateway exclusions. This is only supported for Trend Cloud One - Endpoint & Workload Security users at this time. V1E-17754
  • Updated Deep Security Agent for AIX platforms to increase the pre-remove script timeout to 120 seconds. PCT-19843/DSA-4839

Resolved issues

  • Deep Security Agents running in cloud environments sometimes could not be activated for Trend Cloud One - Endpoint & Workload Security. DSA-4861

Deep Security Agent - 20.0.1-4540 (20 LTS Update 2024-03-20)

Release date: March 20, 2024
Build number: 20.0.1-4540
This release contains general improvements.

Deep Security Agent - 20.0.1-3180 (20 LTS Update 2024-02-29)

Release date: February 29, 2024
Build number: 20.0.1-3180

Resolved issues

  • Migration of agents from on-premise Deep Security Manager to Trend Cloud One - Endpoint & Workload Security using Trend Vision One Service Gateway failed. This issue could also occur when migrating using other proxy services. PCT-16649/DSA-4144
  • Enabling Intrusion Prevention or Web Reputation Service in Deep Security Agent sometimes resulted in a TLS inspection process (tm_netagent) error log rotation issue. DSA-3965

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-11708/DSA-3702
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Known issues

  • The Application Control Trust Entities "block by target" trust rule sometimes does not work properly when running a copy of an executable file. PCT-11105/DSA-3324

Deep Security Agent - 20.0.1-690 (20 LTS Update 2024-01-17)

Release date: January 17, 2024
Build number: 20.0.1-690

Enhancements

Resolved issues

  • Deep Security Agent was sometimes unable to connect to the local Smart Protection Server. DSA-3564

Known issues

Deep Security Agent - 20.0.0-8438 (20 LTS Update 2023-12-12)

Release date: December 12, 2023
Build number: 20.0.0-8438

Resolved issues

  • When using a local Smart Protection Server and a configured proxy, Web Reputation Service would sometimes improperly send traffic through the proxy. Web Reputation Service now sends queries to the local Smart Protection Server directly. DSA-2981

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSA-2722
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: Critical

Known issues

Deep Security Agent - 20.0.0-8268 (20 LTS Update 2023-11-21)

Release date: November 21, 2023
Build number: 20.0.0-8268

Resolved issues

  • Deep Security Anti-Malware sometimes did not function as expected after the system had resumed from sleep mode (S0 low-power idle mode of the working state, also known as modern standby). SF07326571/PCT-5476/DSA-2485
  • Deep Security Agent incorrectly classified the MIME type of .xml files generated by Microsoft Word, Excel, and PowerPoint, as well as .dwg files generated by AutoCAD and R2000. SF07027236/SEG-186079/DSA-2202
  • A memory leak would occur when loading large Suspicious Object lists. SF06904914/SEG-182231/DSA-1370

Deep Security Agent - 20.0.0-8137 (20 LTS Update 2023-10-26)

Release date: October 26, 2023
Build number: 20.0.0-8137
This release contains general improvements.

Deep Security Agent - 20.0.0-7943 (20 LTS Update 2023-09-26)

Release date: September 26, 2023
Build number: 20.0.0-7943

Enhancements

  • New commands exist to get proxy information from the command line: DSA-864
    dsa_query -c GetProxyInfo
    dsa_query -c GetProxyInfo details=true
  • In order to display agent pattern updates properly, Deep Security Agent 20.0.0-7943 or later requires Deep Security Manager 20.0.759 or later. For more information, see Incompatible Agent / Appliance Version error in Deep Security Agent 20.0.0-7943. SEG-190866/SEG-191017/DSA-1531

Deep Security Agent - 20.0.0-7719 (20 LTS Update 2023-08-29)

Release date: August 29, 2023
Build number: 20.0.0-7719

Enhancements

  • Deep Security Agent no longer updates the Smart Scan agent pattern when Smart Scan is disabled, saving network bandwidth. SEG-186625/DSA-1063
  • Deep Security Agent now downloads fewer incremental pattern updates, saving network bandwidth. Note that agents configured as a Deep Security Relay still download all pattern updates. DSA-1000
  • The "blocking page" Web Reputation Service redirects users to when they try to access a blocked URL can now be viewed in Czech or Polish. DSA-444
  • Intrusion Prevention can now limit how many bytes are scanned for connections with a dynamic port number between 10001 and 65535. DS-78036
  • Advanced Threat Scan Engine has been updated to version 22.6. DSA-453

Resolved issues

  • Stopping the Deep Security Agent service (ds_agent) took longer than usual on some systems. SEG-187365/DSA-1212
  • Deep Security Agent sometimes performed security updates even if none were scheduled. SEG-187449/DSA-1064
  • Deep Security Agent caused high CPU usage on some systems. SEG-185563/DSA-756

Deep Security Agent - 20.0.0-7476 (20 LTS Update 2023-07-25)

Release date: July 25, 2023
Build number: 20.0.0-7476

Enhancements

  • Updated the dsa-connect service to improve CPU performance. C1WS-12970

Resolved issues

  • Deep Security Agent upgrades from 20.0.0.6313 to a newer version would sometimes fail, generating an "Abnormal Restart Detected" warning. SF06897730/SEG-180989/DS-78063

Deep Security Agent - 20.0.0-7303 (20 LTS Update 2023-06-28)

Release date: June 28, 2023
Build number: 20.0.0-7303

Enhancements

  • Deep Security Agent now supports IPv6 addresses using either CIDR or double colon notation, such as fe80:0:0:0:0:0:0:1/24 or fe80::01. SF04849178/SEG-122076/DS-67280
  • Web Reputation Service now automatically monitors the ports used by the OS proxy configuration. DS-77233

Resolved issues

  • Deep Security Agents on AIX would sometimes crash when trying to upgrade to a new version. SF06643647/SEG-173140/DS-77359
  • Intrusion Prevention (IPS) might not read the correct payload value, which can result in rule malfunctions. DS-74647
  • The Deep Security Agent would report "dsa-connect has not provided status" on every heartbeat, even when Endpoint Sensor was not in use. C1WS-14696
  • Some MQTT messages would be sent repeatedly and cause dsa-connect to get stuck in a shutdown loop. DS-76709

Deep Security Agent - 20.0.0-7119 (20 LTS Update 2023-05-29)

Release date: May 29, 2023
Build number: 20.0.0-7119

Enhancements

  • Updated Deep Security Agent for Solaris to add an option to enable collecting interface latency metrics on Azure Data Explorer dashboards. DS-77025

Resolved issues

  • MQTT connection credentials were written to the Deep Security Agent log file (ds_agent.log) in certain scenarios. SEG-174560/C1WS-13282
  • Deep Security Agent only reported a single Anti-Malware event for an infected compressed file, even if it contained multiple infected files. DS-76339
  • After replacing a connection, Deep Security Agent reported metrics as though it was still connected to the old connection for up to 4 minutes. DS-77453

Deep Security Agent - 20.0.0-6912 (20 LTS Update 2023-05-02)

Release date: May 02, 2023
Build number: 20.0.0-6912

Enhancements

  • Updated Deep Security Agent to make the connection timeout for proxy probing configurable by adding a line to ds_agent.ini. SF06664116/SEG-173848/DS-77182
    Example proxy probing line in ds_agent.ini config file:
    dsa.proxymanager.ProbeTimeoutInSec=120
  • Updated Deep Security Agent to improve MQTT connection quality and reduce the occurrence of connection timeouts. DS-76840

Resolved issues

  • Deep Security Agent sometimes reported the network driver status incorrectly after the driver had restarted. C1WS-12896
  • When Web Reputation Service was enabled, Deep Security Agent caused some systems to shut down unexpectedly. SF06680505/SEG-174730/DSSEG-7866
  • Deep Security Agent sometimes crashed when shutting down after downloading new plugins from the relay. DS-76961

Deep Security Agent - 20.0.0-6658 (20 LTS Update 2023-03-22)

Release date: March 22, 2023
Build number: 20.0.0-6658

New features

Service Gateway: Deep Security Agent 20.0.0-6658 or later with Deep Security Manager 20.0.741 or later now supports the Service Gateway feature, providing forward proxy functionality.

Enhancements

  • Web Reputation Service now includes OS platform metadata. DS-75453
  • Updated Deep Security Agent's logging system to provide additional information and tracing to debug customer issues more efficiently. The agent now generates five (5) log files (dsa-connect-X.log) that are 2MB each instead of the agent's previous three 1MB log files. C1WS-9598
    The logger supports an on-demand JSON config file (either dsa-connect.ini or dsa-connect.conf) with the following configurable options:
    • Debug: Enable the debug log messages. The default value is false.
    • Count: Number of log files to generate. The default value is 5.
    • Size: Maximum size of each log file in bytes. The default value is 2097152.
    Example config file:
    {
      "Debug": true,
      "Count": 5,
      "Size": 2097152
    }

Resolved issues

  • When the Advanced TLS Traffic Inspection "Inspect TLS/SSL traffic" option was set to "No" from the console (Computer or Policy > Intrusion Prevention > General > Advanced TLS Traffic Inspection), driver-side SSL packets were sometimes still being processed. DS-76160
  • Deep Security Agent's Intrusion Prevention System sometimes failed to block "TCP Congestion Flags" properly. DS-76182
  • When Anti-Malware Smart Scan was enabled, an IPC connectivity issue caused some systems to crash. SEG-169132/C1WS-10821
  • Deep Security Agent security updates were failing due to a file handle issue that prevented files from being removed during an update. DS-75907
  • A process thread timeout caused the Anti-Malware Engine to restart unexpectedly on some systems. SF06524736/SEG-169218/DS-76656
  • When a SOCKS proxy was used, Deep Security Agent failed to provide a Web Reputation Services rating for HTTP URLs. DS-73482/DS-73364
  • Deep Security Agent upgrade sometimes failed because of a missing signature in the agent package. SF06045259/SEG-154576/DS-73668
  • Deep Security Agent was incorrectly generating system events showing that the Advanced Threat Search Engine (ATSE) component had been removed on some systems. SEG-147779/DS-75463
  • Updated Deep Security Agent to increase the MQTT timeout from 30 minutes to 2 hours to help resolve connection issues on some systems. C1WS-11835

Deep Security Agent - 20.0.0-6313 (20 LTS Update 2023-01-31)

Release date: January 31, 2023
Build number: 20.0.0-6313

Enhancements

  • Deep Security no longer supports certificates signed with the SHA-1 algorithm. The agent now requires SSL certificates issued using SHA-256 to communicate with the Deep Security Manager. C1WS-5676

Resolved issues

  • Updated Deep Security Agent for AIX platforms to support Advanced Threat Scan Engine (ATSE) version 21.600. DS-75323
  • For component updates, Deep Security Agent would attempt with and without use of a proxy and generate an event for each attempt. To make event reporting more straightforward, this behavior has been changed so that after a successful update the agent only shows the final successful event. SF06207160/SEG-160085/DSSEG-7765
  • The Deep Security Agent log file (ds-agent.log) sometimes failed to rotate, causing it to use more disk space than intended. SF05306459/SEG-137003/DS-72899
  • With Web Reputation enabled, some characters entered in console commands were not being parsed properly. For example, an underscore (_) entered in a command was replaced with a dash (-), and an uppercase Z was replaced with a lowercase z. DS-74335

Deep Security Agent - 20.0.0-5953 (20 LTS Update 2022-11-22)

Release date: November 22, 2022
Build number: 20.0.0-5953
This release contains general improvements. Note that this release only includes an agent for Solaris platforms.

Deep Security Agent - 20.0.0-5761 (20 LTS Update 2022-10-21)

Release date: October 21, 2022
Build number: 20.0.0-5761

Enhancements

  • Updated Deep Security Agent to include additional metadata, such as UserAgent and Referrer, for Web Reputation Services. DS-72196
  • Updated Deep Security Agent to include the Integrity Monitoring database in the agent diagnostic package. DS-73293
  • Updated Deep Security Agent to support NULL cipher when inspecting TLS traffic with Intrusion Prevention. DS-71085

Resolved issues

  • With Log Inspection enabled, Deep Security Agent sometimes generated "Abnormal Restart Detected" events. SF05951130/SEG-151372/DS-73737
  • Virtual Machines using vMotion sometimes deactivated unexpectedly and displayed an Offline (Activation required) status. SEG-153050/DS-73807

Deep Security Agent - 20.0.0-5512 (20 LTS Update 2022-09-22)

Release date: September 22, 2022
Build number: 20.0.0-5512

Enhancements

  • Updated Deep Security Agent to add multi-thread support for On-Demand scan and Scheduled Scan. DS-72797/DS-72798

Resolved issues

  • Deep Security Agent reported host metadata in an unexpected format. DS-73411

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-8100/VRTS-8101/DS-73087/DS-72528
Highest Common Vulnerability Scoring System (CVSS) score: 7.0
Highest severity: High

Deep Security Agent - 20.0.0-5394 (20 LTS Update 2022-08-29)

Release date: August 29, 2022
Build number: 20.0.0-5394

New features

AIX7.3 support: Deep Security Agent 20.0.0-5394 or later with Deep Security Manager 20.0.677 or later now supports AIX 7.3.

Enhancements

  • Application Control now detects software changes for executables with non-executable extensions. DS-70805
  • Updated Deep Security Agent to add support for inspecting packets using dynamic ports in a TLS connection. DS-71078
  • Updated Deep Security Agent to add more metrics for Advanced TLS Inspection. DS-72833

Resolved issues

  • When TLS inspection was done on a UDP connection with dynamic ports, the operating system would sometimes crash. SEG-151169/DS-73043
  • Log Inspection Engine would go offline when using '$' character in match or regex fields together with variables. SEG-146965/SEG-146966/DS-72325
  • When assigning a policy with real-time Anti-Malware turned off to a new guest VM, it would sometimes turn off real-time Anti-Malware for all other guest VMs registered to the same Deep Security Virtual Appliance. SEG-146057/DS-72856
  • Application Control would still block access to network files while in maintenance mode. SF04922652/SEG-131710/DS-72037
  • When Application Control was enabled, Adobe plugins were generating unexpected security events. SF05823607/SEG-148570/DS-72679
  • Deep Security Agent would return "revision mismatch (-10039)" errors when loading certain configuration files during an agent update. DS-72499
  • Deep Security Agent would report detected software changes before Application Control inventory scan was completed. DS-72071

Known issues

  • When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-5137 (20 LTS Update 2022-07-26)

Release date: July 26, 2022
Build number: 20.0.0-5137

Enhancements

  • Updated Deep Security Agent to improve Trust Entities functionality. Trust rule wildcard support now includes globstar ** which matches many subdirectories. Single star * now only matches within your current directory. Existing rules that used a single star * to match many folders no longer work and need to be changed to use a globstar **. DS-71817
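
The wildcard change above can silently narrow existing trust rules, so the following added example (not Trend Micro code, and not the agent's own matcher) models the described semantics and flags rules that matched a path when a single star spanned folders but no longer do. The rule paths and file paths are constructed, and the legacy behaviour is an assumption inferred from the note that such rules "no longer work".

```python
import re

# Both POSIX and Windows separators count as directory boundaries.
SEP_CLASS = r"[^/\\]"


def compile_rule(pattern, legacy=False):
    """Translate a wildcard path into a regex.

    New semantics (as described in the release note):
      **  spans any number of subdirectories
      *   stays inside a single directory
    legacy=True models the assumed old behaviour, where a single
    star could also span directories.
    """
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(".*" if legacy else SEP_CLASS + "*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def matches(pattern, path, legacy=False):
    return compile_rule(pattern, legacy).fullmatch(path) is not None


def to_globstar(pattern):
    """Candidate rewrite: turn each lone '*' into '**'.

    This restores the old reach but may be broader than intended,
    so every candidate needs a human review before it is deployed.
    """
    return re.sub(r"(?<!\*)\*(?!\*)", "**", pattern)


def audit(rules, known_paths):
    """Return rules that lose coverage of known paths under the new semantics."""
    findings = []
    for rule in rules:
        lost = [
            p for p in known_paths
            if matches(rule, p, legacy=True) and not matches(rule, p)
        ]
        if lost:
            findings.append(
                {"rule": rule, "lost_paths": lost, "candidate": to_globstar(rule)}
            )
    return findings


# Constructed sample data: trust rule paths and files they were meant to cover.
RULES = [
    "/opt/app/*/bin/tool",   # single star used to reach nested version folders
    "/usr/local/bin/*",      # single directory level only, unaffected
    "/srv/**/deploy.sh",     # already uses globstar
]
KNOWN_PATHS = [
    "/opt/app/v1/bin/tool",
    "/opt/app/v1/patch2/bin/tool",
    "/usr/local/bin/backup",
    "/srv/a/b/deploy.sh",
]

if __name__ == "__main__":
    for f in audit(RULES, KNOWN_PATHS):
        print(f"{f['rule']} no longer covers {f['lost_paths']}; review {f['candidate']}")
```
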

Resolved issues

  • Intrusion Prevention rules with certain setting combinations failed to compile. DS-71889

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7102/VRTS-7070/VRTS-7041/VRTS-7039/DSSEG-7636
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium

Known issues

  • When executing multiple custom script tasks, new tasks are currently overwritten by previous unfinished tasks. You can execute custom script tasks one by one to bypass this issue. Note that this issue will be fixed in a future release. DS-72699

Deep Security Agent - 20.0.0-4959 (20 LTS Update 2022-07-04)

Release date: July 4, 2022
Build number: 20.0.0-4959

Resolved issues

  • With Log Inspection enabled, upgrades to Deep Security Agent 20.0.0-4726 encountered "Get Events Failed" and "Command Not Found" alerts. SF05738607/SEG-145679/DS-72117
  • When Anti-Malware was enabled alongside Integrity Monitoring, Deep Security Agent caused high CPU usage. SF05169148/SEG-129522/DS-69594
  • With Anti-Malware enabled, Deep Security Agent sometimes crashed operating systems that were undergoing an ISO backup. SF05532786/SEG-139280/DS-71299
  • Deep Security Agent sometimes created unclear error log entries referencing "invalid" or "badly-formed" proxy URLs. SEG-144613/DS-71866

Deep Security Agent - 20.0.0-4726 (20 LTS Update 2022-05-31)

Release date: May 31, 2022
Build number: 20.0.0-4726

Resolved issues

  • On AIX servers, when the LIBPATH or LD_LIBRARY_PATH environment variables for the system are defined, Deep Security Agent sometimes would not start. DS-70882
  • Deep Security Agent reported false positive "Created/Deleted" Integrity Monitoring events under some configurations. SF05434164/SEG-136425/DS-70656
  • Deep Security Agent had connectivity issues when a Server Name Indication (SNI) used an invalid format. SEG-127761/DS-70806
  • An abnormal restart of Deep Security Agent sometimes led to "Anti-Malware Engine Offline" errors. SEG-140234/DS-71333

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-52329
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High

Deep Security Agent - 20.0.0-4416 (20 LTS Update 2022-04-28)

Release date: April 28, 2022
Build number: 20.0.0-4416

Enhancements

  • Updated Deep Security Agent to improve Intrusion Prevention performance when the "Bypass Network Scanner" rule was applied. DS-69515

Resolved issues

  • With Intrusion Prevention enabled, a packet transmission error caused some systems to crash. SEG-136843/DSSEG-7524

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-7132/DS-70518
Highest Common Vulnerability Scoring System (CVSS) score: 7.5
Highest severity: High

Deep Security Agent - 20.0.0-4185 (20 LTS Update 2022-04-06)

Release date: April 6, 2022
Build number: 20.0.0-4185

Resolved issues

  • Running an Anti-Malware manual scan using the command line sometimes made Deep Security Agent unable to receive incoming connections. SF05385865/SEG-135256/DS-70364
  • Application Control sometimes blocked unrecognized software even when running in maintenance mode. SF05234969/SEG-133594/DS-69752
  • Log Inspection was unable to parse system logs containing a single digit date format. SF04562942/SEG-115435/DS-69757

Deep Security Agent - 20.0.0-3964 (20 LTS Update 2022-03-01)

Release date: March 1, 2022
Build number: 20.0.0-3964

New features

Threat Intelligence: Threat Intelligence (formerly known as Connected Threat Defense) provides enhanced malware protection for new and emerging threats. For more information, visit Detect emerging threats using Threat Intelligence.

Enhancements

  • Updated Deep Security Agent to exclude suspicious characters, such as $, found in strings from the "Original IP (XFF)" field for Intrusion Prevention events. SEG-129905/DS-68989

Deep Security Agent - 20.0.0-3770 (20 LTS Update 2022-01-24)

Release date: January 24, 2022
Build number: 20.0.0-3770

Enhancements

  • Updated Deep Security Agent to allow Intrusion Prevention to connect to Deep Security Manager if the manager is using TLS 1.2 strong ciphers. DS-69042

Resolved issues

  • Application Control, Anti-Malware, and Real-time Integrity Monitoring failed to function properly for Deep Security Agents with certain combinations of Integrity Monitoring rules configured. DS-68494

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-68180
Highest Common Vulnerability Scoring System (CVSS) score: 9.1
Highest severity: High

Deep Security Agent - 20.0.0-3445 (20 LTS Update 2021-11-24)

Release date: November 24, 2021
Build number: 20.0.0-3445

Enhancements

  • Updated Deep Security Agent to use TLS 1.2 strong cipher suite by default to improve security. The agent previously used the CBC cipher suite by default. DS-67204
  • Updated Deep Security Agent to support using the "process name" property in "Ignore from source" rules for Application Control Trust Entities on Cloud One Workload Security. DS-67322
  • Updated Deep Security Agent's database size management to optimize disk space usage. DS-67347

Resolved issues

  • Deep Security Agent sometimes crashed when it could not connect to Deep Security Manager. DS-67654
  • Deep Security Agent sometimes caused connectivity issues, high CPU usage, or the system to crash. SEG-120758/SEG-123885/DS-67291

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-6489/DSSEG-7210/DS-65113
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Deep Security Agent - 20.0.0-3288 (20 LTS Update 2021-10-28)

Release date: October 28, 2021
Build number: 20.0.0-3288

New features

  • Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
    • Agent size requirements have increased, including a slightly larger installer package on most platforms.
    • All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
    • The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

  • Deep Security Agent sometimes was unable to connect to the manager via proxies. DS-65929
  • Some customers encountered an issue when the run-time CPU number was larger than expected, which led to crashes. DS-65757
  • Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certificate Revocation List (CRL). DS-65056

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DS-46018/DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Deep Security Agent - 20.0.0-3165 (20 LTS Update 2021-10-08)

Release date: October 08, 2021
Build number: 20.0.0-3165
Note
Deep Security Agent 20.0.0.3165 has been released to Trend Micro Cloud One - Workload Security customers. However, it is not available on the Deep Security Agent software download page or released to customers using Deep Security Manager.

New features

  • Evolution of the agent installer: The Deep Security Agent installer now installs most agent content. This results in the following changes:
    • Agent size requirements have increased, including a slightly larger installer package on most platforms.
    • All agent content is now installed on the computer being protected. Content remains unloaded on a computer until a plug-in is activated by a policy or by the manager console.
    • The agent is now much less dependent on relays because all plug-in installations use the content already installed with the agent. This mitigates plug-in install issues due to relay communications because plug-ins can be installed without a connection to a relay.

Resolved issues

  • Deep Security Agent sometimes was unable to connect to Manager via proxies. DS-65929
  • Some customers encountered an issue when the run-time CPU number was larger than expected, which led to crashes. DS-65757

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. DSSEG-7210/DSSEG-7217
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High

Deep Security Agent - 20.0.0-2921 (20 LTS Update 2021-08-30)

Release date: August 30, 2021
Build number: 20.0.0-2921

Resolved issues

  • Deep Security Agent console commands sometimes failed to return proxy information for Deep Security Relay or Deep Security Manager. DS-65419
  • Deep Security Agent sometimes failed to properly display items under Events and Reports. DSSEG-7057

Deep Security Agent - 20.0.0-2740 (20 LTS Update 2021-07-29)

Release date: July 29, 2021
Build number: 20.0.0-2740

Enhancements

  • Updated Deep Security Agent to improve connectivity with Deep Security Manager during agent deployment and activation. DS-62547

Resolved issues

  • Deep Security Agent failed to execute some agent-initiated (dsa_control) console commands. 04564385/SEG-112050/DSSEG-6990
  • Deep Security Agent sometimes crashed while trying to establish a connection with Deep Security Manager. 04634804/SEG-113539/DS-64862
  • Deep Security Agent sometimes lost connectivity while trying to establish an SSL connection. SF04323898/SEG-107451/DS-64268
  • Deep Security Agent was sometimes unable to connect to web applications on systems with older OS versions. SF04451029/SEG-109652/DS-64528
  • With Web Reputation enabled, Deep Security Agent caused connectivity issues for some third-party software. SF04072723/SEG-97952/DSSEG-6963
  • With Integrity Monitoring enabled, Deep Security Manager caused high CPU usage on the authentication server for some systems. 04488319/SEG-110088/DS-63855

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. SF04613197/SEG-113566/DS-64050
Highest Common Vulnerability Scoring System (CVSS) score: 9.8
Highest severity: High

Deep Security Agent - 20.0.0-2593 (20 LTS Update 2021-07-01)

Release date: July 01, 2021
Build number: 20.0.0-2593

Resolved issues

  • Deep Security Agent sometimes triggered multiple "Log Inspection Engine Initialized" alerts due to an agent-manager communication issue. SF03968169/SEG-95731/DS-60840
  • Integrity Monitoring alerts sometimes triggered but did not appear in the Events and Reports tab. 04266346/SEG-103731/DS-62992
  • Deep Security Agent failed to detect the correct platform under some configurations. 03804296/SEG-90864/DS-57809
  • Application Control was detecting multiple "Application Control Software Changes Detected" events due to ".tmp" files being generated by PowerShell. C1WS-1608

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-5850/DS-54705
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium

Deep Security Agent - 20.0.0-2395 (20 LTS Update 2021-05-24)

Release date: May 24, 2021
Build number: 20.0.0-2395

Enhancement

  • Deep Security Agent 20.0.0-2395 or later now supports Entrust Root Certificate Authority (G2) certificates. Non-G2 security certificates expire on 2022/07/09. After that date, only Deep Security Agent 20.0.0-2395 or later will have the latest Anti-Malware Smart Scan protection. DS-63010

Resolved issues

  • Deep Security Agent sometimes showed package signature errors during an upgrade because of a mismatched Certificate Revocation List (CRL). DS-62154

Deep Security Agent - 20.0.0-2204 (20 LTS Update 2021-04-12)

Release date: April 12, 2021
Build number: 20.0.0-2204

New feature

Enhanced platform support

  • Anti-Malware support for AIX: Deep Security Agent 20.0.0-2204 or later now supports Anti-Malware for AIX 6.1, AIX 7.1, and AIX 7.2.

Resolved issues

  • With Anti-Malware enabled, Deep Security Agent sometimes caused "defunct processes" (that is, processes that remain in the system process table after they've completed execution). SEG-104452/DS-61593
  • When Application Control was in block mode, it was unable to build a proper software inventory in some cases. DS-58813
  • When Web Reputation was enabled, the system sometimes crashed. SF04258834/SEG-102756/DS-61067

Deep Security Agent - 20.0.0-2009 (20 LTS Update 2021-03-08)

Release date: March 08, 2021
Build number: 20.0.0-2009

Resolved issues

  • The MQTT connection went offline because an old MQTT connection was not properly cleaned. SF04236908/SEG-102056/DS-60893

Deep Security Agent - 20.0.0-1876 (20 LTS Update 2021-02-08)

Release date: February 08, 2021
Build number: 20.0.0-1876

Deep Security Agent - 20.0.0-1822 (20 LTS Update 2021-01-18)

Release date: January 20, 2021
Build number: 20.0.0-1822

New feature

Anti-Malware support for AIX: Deep Security Agent 20.0.0-1822 or later now supports Anti-Malware for AIX 7.1 and 7.2.

Deep Security Agent - 20.0.0-1681 (20 LTS Update 2021-01-04)

Release date: January 04, 2021
Build number: 20.0.0-1681
This release contains general improvements.

Deep Security Agent 20.0.0-1559 (20 LTS Update 2020-12-07)

Release date: December 07, 2020
Build number: 20.0.0-1559

New features

TLS Directionality: The manager heartbeat port can now act as both a TLS client and TLS server. Future agents will connect as TLS clients, not TLS servers. This resolves issues with agent-initiated connections through a proxy or firewall that requires TLS sessions to be initiated in the same direction as the TCP layer of the connection.

Enhancements

  • Improved Deep Security Relay's performance by only checking packages that have been modified. DS-55527
  • Enhanced memory usage to improve performance. DS-53012

Resolved issues

  • On Solaris servers where Integrity Monitoring was enabled and the rule: "Unix - Monitor Processes Running From '/tmp' Directories (ATT&CK T1059)" was assigned, a rule compile error was generated that referenced an "Unsupported Feature in Integrity Monitoring Rule". DS-55884
  • When Integrity Monitoring was enabled, a high amount of CPU was used. SEG-88619/03720485/DS-56613
  • Application Control events occurred multiple times for the same incident. SEG-86213/SF03620055/DS-57298
  • Security updates were not automatically performed on new machines. SEG-91484/SF03828068/DS-57688

Deep Security Agent 20.0.0-1337 (20 LTS Update 2020-10-28)

Release date: October 28, 2020
Build number: 20.0.0.1337

Resolved issues

  • When using Deep Security Agent on Solaris, the Integrity Monitoring port scanning feature did not work because the agent did not have access to information on the user ID under which a given port was opened. This prevented storage of any listening port information. The port scanning feature on Solaris agents has been modified to store the string "n/a" for the userid. This allows the remaining port information to be stored and used in the port scanning function. However, exclusions and inclusions based on User ID still do not function correctly because this information is not available. DS-53922

Deep Security Agent 20.0.0-1304 (20 LTS Update 2020-10-21)

Release date: October 21, 2020
Build number: 20.0.0.1304

Enhancements

  • Updated the Integrity Monitoring scan completion time in Deep Security Manager events to display in seconds with a thousands separator. DS-54680

Resolved issues

  • Deep Security Manager reported a security update timeout because Deep Security Agent received exceptions during security updates. SEG-82072/DS-54720
  • Deep Security Manager sometimes showed the incorrect Log Inspection status. SEG-77081/DS-54719

Deep Security Agent 20.0.0-1194 (20 LTS Update 2020-10-05)

Release date: October 5, 2020
Build number: 20.0.0.1194

Enhancements

  • Extended the scope of the "If a computer with the same name already exists" setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers. DS-51800
  • Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms. DS-52061

Resolved issues

  • Anti-Malware directory exclusion with wildcards didn't match subdirectories correctly. DS-50245
  • Deep Security Agent crashed on Solaris 10 during upgrades. SEG-72634/SF02975849/DS-49295
  • When Integrity Monitoring was enabled, the owner of a file was incorrectly changed to a user that did not exist. DS-52058

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/DS-41233
Highest Common Vulnerability Scoring System (CVSS) score: 4.4
Highest severity: Medium

Deep Security Agent 20 (long-term support release)

Release date: July 30, 2020
Build number: 20.0.0.877

New features

Improved security

SSL improvements: Deep Security supports the hello_request handshake message (RFC 5246) and the encrypt_then_mac extension (RFC 7366) in SSL inspection.
Agent integrity check: Deep Security verifies your signature on the Deep Security Agent to ensure that the software files have not changed since the time of signing.

Improved quality and management

Upgrade to supported paths: The Upgrade on activation feature only upgrades the agent on the computer from the last two major releases. If the agent does not meet the criteria, you must upgrade the agent manually to a release within the last two major releases. Then the Upgrade on activation feature will detect the newer version and complete the upgrade to the designated release.
Actionable recommendations for scan failures: The Deep Security Agent provides actionable information about why a scheduled malware scan has been canceled, and the recommended actions that should be taken to remedy the failure. For more information, see Anti-Malware scan failures and cancellations.
Anti-Malware real-time file scan report: Deep Security has the ability to determine the top 10 files that are scanned by Anti-Malware real-time scan. This provides a starting point for performance evaluation and tuning, as you can use this information to set file exclusions and avoid unnecessary scans. The 'AmTopNScan.txt' file with the collected data can be generated using the following methods:
  • By the command dsa_control --AmTopNScan
  • By the diagnostic service
Improved process exceptions: The process exception experience has been improved in the following ways:
  • Information about why process exclusion items are not functioning correctly is now provided, so you can troubleshoot the issue and know which actions to take to resolve it.
  • The process exception configuration workflow has been improved to make it more robust.
Automate the upgrade of agents in your environment: Deep Security gives you the flexibility to decide if new agents, when activated, should be upgraded to a newer version if one is available. This can be particularly useful in cases where application teams are using older golden images containing a version of the agent that is out of date. Simply enable upgrade on activation, define the lineup of agents you want to use in your environment using Agent Version Control, and as older agents come online and activate they are automatically upgraded for you.

Enhancements

  • Integrity Monitoring detects changes to the "setuid" and "setgid" attributes for Linux and Unix platforms.
  • Improved the heartbeat handling for Amazon WorkSpaces deployments when the workspace sync feature is not turned on for the matching AWS connector.
  • Extended the scope of the If a computer with the same name already exists setting on Administration > System Settings > Agents to apply to existing unactivated computers. Previously, it only applied to existing activated computers.
  • Increased the scan engine's URI path length limitation.
  • Added the ability for Deep Security Agent Anti-Malware to scan compressed files no matter their data types when IntelliScan is disabled.
  • Streamlined event management for improved agent performance.
  • Added the ability to enable or disable Common Scan Cache for each agent through a CLI command.

Resolved issues

  • After upgrading the Deep Security Agent, the "Sending Application Control Ruleset Failed" error sometimes occurred. DS-49828
  • Application Control occasionally appeared offline when Application Control and Anti-Malware were enabled at the same time.
  • The displayed packet header data contained redundant payload data. DS-45792
  • Memory leaked during SSL decryption because of a flaw in the SSL processing. SEG-68263/DS-44360
  • On specific Deep Security Agent servers the CPU usage spiked to 100% and pattern merges failed during the active update process. SEG-66210/02711299/DS-46429
  • When a security update was triggered before Anti-Malware was ready, the security updates failed. DS-36952
  • When real-time Integrity Monitoring was enabled with the rule "1002875: Unix Add/Remove Software" applied, the RPM database potentially locked. SEG-67275/SF02663756/DS-48524
  • Web Reputation, Firewall, Intrusion Prevention, and Log Inspection couldn't be enabled correctly when the system locale was set to Turkish. SEG-71825/SF03021819/DS-48916
  • Incorrect linking of certain libraries could lead to Deep Security Agent instability. SEG-72958/03071960/DS-49324
  • Anti-Malware directory exclusion with wildcard didn't match subdirectories correctly. SF03131855/SEG-74892/DS-50245
  • High CPU use occurred when Application Control was enabled and the host application was creating a high volume of non-executable files. SF02179544/SEG-55745/DS-41142
  • Non-executable files that were opened with execute permissions resulted in security events and drift that should not have been generated. SF01780211/SEG-46616/DSSEG-3607
  • Deep Security Agent did not add Python extension module (PYD) files to the inventory of Application Control. SF01804378/SEG-47425/DS-33690
  • Unicode user names could not be displayed in real-time Integrity Monitoring file scan events. SF02187371/SEG-56645/DS-39398
  • The Deep Security Agent network engine crashed because the working packet object was deleted accidentally. SF01526046/SF02159742/SEG-55453/DS-38812
  • The ds_agent process would sometimes crash under certain conditions when Integrity Monitoring was enabled. SEG-50728/DS-35446
  • Deep Security Agent sent invalid JSON objects in response to Deep Security Manager, which caused errors in Deep Security Manager's log file. SF01919585/SEG-48728/DS-34022
  • The "Send Policy" action failed because of a GetDockerVersion error in Deep Security Agent. SF1939658/SEG-49191/DS-34222
  • When multiple Smart Protection Servers were configured, the Deep Security Agent process would sometimes crash due to an invalid sps_index. SF01415702/SEG-42919/DS-33008
  • For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407. SF01704358/SEG-45004/DS-32077
  • Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets. SEG-39711/DS-32799
  • Integrity Monitoring events showed an incorrect file path with Unicode encoding. SEG-45239/DS-33911
  • The interface isolation feature was still on when Firewall was turned off. SEG-32926/DS-27099
  • After applying rule 1006540, "Enable X-Forwarded-For HTTP Header Logging", Deep Security would extract the X-Forwarded-For header for Intrusion Prevention events correctly. However, a URL intrusion like "Invalid Traversal" would be detected in the HTTP request string before the header was parsed. The Intrusion Prevention engine has been enhanced to search X-Forwarded-For header after the header is parsed. SEG-60728/DS-42332
  • On Solaris servers with clusters, the Deep Security Intrusion Prevention module would come under heavy load while inspecting the clusters' private traffic. The extra load caused latency issues, node evictions, and loss of synchronization events.
You can now configure the Packet Processing Engine on the agent to bypass traffic inspection on a specified interface. Where a specific interface on a computer is dedicated to cluster private traffic, this configuration can be used to bypass inspection of packets sent to and received from this interface. This results in faster packet processing on the bypassed interface and other interfaces.
Use of this configuration to bypass traffic inspection is a security risk. It is up to you to determine if the benefit of reduced latency outweighs the risk involved. It is also up to you to determine whether only the nodes in the cluster have access to the subnet whose interface is being bypassed.
To implement the bypass, do the following:
  1. Upgrade the Deep Security Agent to the latest build containing this fix.
  2. Create a file named "ds_filter.conf" under the /etc directory.
  3. Open the /etc/ds_filter.conf file.
  4. Add the MAC addresses of all NIC cards used for cluster communication, as follows:
    MAC_EXCLUSIVE_LIST=XX:XX:XX:XX:XX,XX:XX:XX:XX:XX
  5. Save.
  6. Wait 60 seconds for your changes to take effect.
In the /etc/ds_filter.conf file:
  • The MAC_EXCLUSIVE_LIST line must be the first line in the file.
  • All letters in the MAC address must be uppercase.
  • Leading zeros in each byte must be included.
    Valid MAC_EXCLUSIVE_LIST:
    MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E
    MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E,6A:23:F0:0F:AB:34
    Invalid MAC_EXCLUSIVE_LIST:
    MAC_EXCLUSIVE_LIST=B:3A;12:F8:32:5E
    MAC_EXCLUSIVE_LIST=0b:3a;12:F8:32:5e,6a:23:F0:0F:ab:34
    MAC_EXCLUSIVE_LIST=0B:3A;12:F8:32:5E
If the MAC address is not valid, the interface is not bypassed. If the exact string "MAC_EXCLUSIVE_LIST=" is not present at the beginning of the line, no interfaces are bypassed. DSSEG-4055
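Because every accepted entry removes an interface from traffic inspection, the file is worth auditing. The following added example (not Trend Micro code) applies the rules listed above to the contents of /etc/ds_filter.conf and reports which interfaces would be bypassed, which entries are rejected, and which bypassed MAC addresses are not on an approved list. It assumes a MAC address is six colon-separated octets; audit_ds_filter, the approved list and all sample values are constructed for illustration.

```python
import re

KEY = "MAC_EXCLUSIVE_LIST="
# Assumption: a MAC address is six colon-separated octets. The page requires
# uppercase letters and leading zeros, hence exactly two [0-9A-F] per octet.
MAC_RE = re.compile(r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}\Z")


def audit_ds_filter(text, approved):
    """Audit ds_filter.conf contents against the rules stated in the note.

    Returns a dict with:
      bypassed   - entries that are well formed, so inspection is skipped
      rejected   - entries that are malformed, so that interface is inspected
      unapproved - bypassed entries missing from the approved cluster NIC set
      problems   - file-level faults that disable the whole bypass
    """
    result = {"bypassed": [], "rejected": [], "unapproved": [], "problems": []}
    lines = text.splitlines()

    # The key must be the exact start of the first line, otherwise nothing
    # is bypassed at all.
    if not lines or not lines[0].startswith(KEY):
        result["problems"].append(
            "first line does not start with %r; no interfaces are bypassed" % KEY
        )
        for number, line in enumerate(lines, start=1):
            if line.lstrip().startswith(KEY):
                result["problems"].append(
                    "%s found on line %d, but it must start the first line"
                    % (KEY, number)
                )
        return result

    value = lines[0][len(KEY):]
    for entry in value.split(",") if value else []:
        # Entries are checked as written; surrounding spaces count as invalid.
        if MAC_RE.match(entry):
            result["bypassed"].append(entry)
        else:
            result["rejected"].append(entry)

    result["unapproved"] = [m for m in result["bypassed"] if m not in approved]
    return result


# Constructed sample inputs.
APPROVED = {"0B:3A:12:F8:32:5E"}
SAMPLE_MIXED = (
    "MAC_EXCLUSIVE_LIST=0B:3A:12:F8:32:5E,6A:23:F0:0F:AB:34,b:3a:12:F8:32:5e\n"
)
SAMPLE_SHIFTED = "# cluster interconnect\nMAC_EXCLUSIVE_LIST=0B:3A:12:F8:32:5E\n"

if __name__ == "__main__":
    for name, sample in (("mixed", SAMPLE_MIXED), ("shifted", SAMPLE_SHIFTED)):
        print(name, audit_ds_filter(sample, APPROVED))
```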

Security updates

Security updates are included in this release. For more information about how Trend Micro protects against vulnerabilities, visit Vulnerability Response. Note that in line with responsible disclosure practices, Common Vulnerabilities and Exposures (CVE) details will only be made available for select security updates once patches have been made available for all impacted releases. VRTS-3704/VRTS-3176
Highest Common Vulnerability Scoring System (CVSS) score: 7.8
Highest severity: High
  • Updated NGINX to 1.16.1. DSSEG-4600
  • Updated to curl 7.67.0.
  • Updated to openssl-1.0.2t.
  • Updated JRE to the latest Java Update (8.0.241/8.43.0.6).