If you are protecting virtual machines (VMs) you can install Deep Security Agent,
just as you would for other types of computers. But in Deep Security 9.6 or later,
there are two other ways to protect VMs:
-
Agentlessly (via virtual appliance), or
-
Mixture of agent-based and agentless ("combined mode")
Agentless protection
Anti-malware and Integrity Monitoring protection can be provided without installing
Deep Security Agent. Instead, the VMware Tools driver installed on the VM can offload
security processing to a Deep Security Virtual Appliance.
![]() |
NoteOn Linux VMs, Deep Security Agent provides anti-malware protection, not the Deep Security
Virtual Appliance.
|
![]() |
NoteIn Deep Security 9.5 or earlier, to protect VMs without installing a Deep Security
Agent, you would use the Deep Security Virtual Appliance and filter driver. The filter
driver was installed on the ESXi server and was used to intercept network traffic
at the hypervisor, and send it to the appliance. VMware does not support vShield (VMsafe-NET API driver) anymore, so the old driver
is not supported by Deep Security , and must be removed.
|
Because agentless protection requires fast connectivity between the appliance and
the computer you want to protect, don't use agentless if the computer is far from
the appliance, on a remote ESXi server or another data center.
Combined mode
If you require other protection features that Deep Security Virtual Appliance doesn't
support, you must install the Deep Security Agent on each of your VMs, but you can
still use the Deep Security Virtual Appliance to provide some of the protection, which
can improve performance. Both the appliance and agent used together is known as "combined
mode".
With combined mode, the appliance provides the anti-malware and integrity monitoring.
The Deep Security Agent provides other features.
Conversion of coordinated approach to combined mode
-
Coordinated approach — In Deep Security 9.5, if the agent on a VM was offline, protection features would be provided by the Deep Security Virtual Appliance instead as an alternative. However, it could not be configured separately for each feature.
-
Combined mode — In Deep Security 9.6, each protection feature was configurable to use either the agent or appliance. However, if the preferred protection source was offline, the computer didn't use the other alternative.
In Deep Security 10.0 and later, its "protection source" settings provide both behaviors:
-
whether each feature is provided by the agent or appliance
-
whether to use the agent or appliance alternative if the preferred protection is not available
So if you need behavior like the old coordinated approach, you might want to avoid
upgrading to Deep Security 9.6, and instead upgrade from Deep Security 9.5 to Deep
Security 10.0 and then to 12.
Choose an agent or appliance for each protection feature
If a computer could be protected by either an appliance or agent, you can select which
will provide each protection feature.
![]() |
NoteLog inspection and application control do not have this setting. With current VMware
integration technologies, Deep Security Virtual Appliance cannot provide those features.
|
To configure the protection source, import a VMware vCenter into Deep Security Manager,
then in the Computer or Policy editor, go to Settings > General.

For each protection module or group of protection modules, select either:
-
Appliance Only: Only the Deep Security Virtual Appliance will provide protection, even if there is an agent on the VM and the appliance is deactivated or removed.
WARNING
Don't use the appliance if you require the scanner (SAP). It requires Deep Security Agent anti-malware.Tip
When anti-malware is enabled on the agent, the agent downloads the Anti-malware Solution Platform (AMSP) and starts it as a service. If you do not want this, then from Anti-Malware, select Appliance Only. That way, even if the appliance is deactivated, the agent won't start the AMSP service. -
Appliance Preferred: If there is an activated appliance on the ESXi server, it will provide the protection. But if the appliance is deactivated or removed, then the agent will provide protection instead.
-
Agent Only:Only the agent will provide protection, even if there is an activated appliance available.
-
Agent Preferred: If there is an activated agent on the VM, it will provide the protection. But if there is no activated agent, then the appliance will provide protection instead.
Enable combined mode in a vCloud Director environment with agent-initiated activation
When the hostname of a vCloud Director virtual machine is not resolvable from Deep
Security Manager, use agent-initiated activation to enable combined mode. To enable
combined mode on a vCloud Director virtual machine:
-
Go to Computers, right-click on the target vCloud Director computer, and select Activate.
-
Double-click the target vCloud Director computer, and select Settings > General in the pop-up window. Change the Communication Direction to Agent/Appliance Initiated.
-
Install Deep Security Agent on the target vCloud Director computer, and activate the agent.