~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Readme for Trend Micro (TM) Deep Security(TM) Virtual Appliance 9.0
Service Pack 1 Patch 1

Platforms: ESXi 5.1, 5.0

Anti-Malware Support: Microsoft(TM) Windows(TM) Vista(TM) (32-bit, 64-bit),
Windows 7 (32-bit, 64-bit), Windows XP SP2 (32-bit, 64-bit),
Windows Server 2003 Service Pack 2 (32-bit, 64-bit),
Windows Server 2003 R2 (32-bit, 64-bit),
Windows Server 2008 (32-bit, 64-bit), Windows Server 2008 R2 (64-bit)

Date: September 5, 2013
Release: 9.0 Service Pack 1 Patch 1
Build Version: 9.0.0.2401 Deep Security Virtual Appliance

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the license agreement
and copied to the install directory.

For more information about the Trend Micro suite of Deep Security
products, visit our website at:

http://us.trendmicro.com/us/solutions/enterprise/security-solutions/virtualization/deep-security/

Download the latest version of this readme from the "Software" page at
the Trend Micro Download Center website:

http://downloadcenter.trendmicro.com/

Trend Micro is always seeking to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
documents, please contact us at docs@trendmicro.com. Your feedback is
always welcome.

Contents
===================================================================
1. About Deep Security Virtual Appliance 9.0 Service Pack 1 Patch 1
   1.1 Overview of this Release
   1.2 Who Should Install this Release
   1.3 Support Expiration Notice
   1.4 Upgrade Notice
2. What's New
   2.1 Enhancements
   2.2 Resolved Known Issues
3. Documentation Set
4. System Requirements
5. Installation/Uninstallation
6. Known Incompatibilities
7. Known Issues
8. Release History
   8.1 Previous Deep Security Virtual Appliance 9.0 and
       Deep Security Filter Driver 9.0 Releases
9. Files Included in this Release
10. Contact Information
11. About Trend Micro
12. License Agreement
13. Third Party Software
===================================================================

1. About Deep Security Virtual Appliance 9.0 Service Pack 1 Patch 1
========================================================================

1.1 Overview of this Release
=====================================================================
Deep Security Virtual Appliance 9.0 Service Pack 1 Patch 1 contains
solutions to as well as some new feature enhancements.

1.2 Who Should Install this Release
=====================================================================
You should install Patch 1 if you are currently running Deep Security
Virtual Appliance 7.0, 7.5, 8.0, or 9.0 Service Pack 1.

Note: When upgrading to Deep Security Virtual Appliance 9.0 Service
Pack 1 Patch 1 you need to be running Deep Security Filter Driver 9.0
Service Pack 1.

1.3 Support Expiration Notice
=====================================================================
Trend Micro strongly urges you to upgrade to the most recent version to
take full advantage of new features and improved performance. Please
visit the Trend Micro Download Center website to download the latest
releases at:

http://downloadcenter.trendmicro.com/

1.4 Upgrade Notice
=====================================================================
If you are currently using Deep Security 7.5 with Deep Security Virtual
Appliance, you should upgrade your Deep Security Virtual Appliance and
Filter Driver to version 8.0 Service Pack 2 or any higher version. Deep
Security Manager 9.0 does not support Deep Security Virtual Appliance
7.5 or any older version.

Also be sure to read the VMware documentation for upgrading your VMware
environment including the KB article on the VMware website:

Unmanaged vShield Endpoint 1.0 components remain after upgrading
vShield Manager from version 4.1 to 5.0
(http://kb.vmware.com/kb/2011482).

2. What's New
========================================================================
For major changes in Deep Security Virtual Appliance 9.0 Service Pack 1
Patch 1 from previously released versions of Deep Security Virtual
Appliance, please read the "What's New in Deep Security Virtual
Appliance 9 Service Pack 1" section of the Deep Security Manager
on-line help, the Deep Security Virtual Appliance Administrator's Guide
or Deep Security Virtual Appliance Installation Guide, available for
download from the Trend Micro Download Center.

2.1 Enhancements
=====================================================================
There are no new enhancements for this release.

2.2 Resolved Known Issues
=====================================================================
Issue 1: [FB19417/TT268968/TT272438]
Under certain scenarios, Deep Security Notifier stops sending
notifications and shows "Unknown/Unreachable".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: Deep Security Notifier now uses "fopen()" instead of
"fopen_s()" which resolves the issue.

Issue 2: [FB19186/TT207905/TT274271]
The "ds_filter" process stops repeatedly while processing the
"/var/opt/ds_agent/slowpath" folder which contains several
"core.ds_filter.xxxx" files.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This issue has been resolved.

Issue 3: [FB19373/TT272170]
When a guest virtual machine is alive, the "dvfilter-dsa:
tb_trace_write_formatted:43: iap_core_ioctl:280 IOCTL [UUID] cmd: 3,
dom: 3999996 srclen: 8 outlen: 8 retlen: 8 rc: 0" error message appears
several times in "vmkernel.log".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: This Patch minimizes the occurrence of the error message in
"vmkernel.log" while a guest machine is alive.

Issue 4: [FB17993/TT263949]
The Deep Security Virtual Appliance diagnostic package does not include
ds_monitor logs.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: This Patch removes the symbolic link for "ds_montor.log"
from the "dsa-state-capture.sh" script since this is already added by
the C++ CreateDiagnosticThread.

Issue 5: [FB19441]
After a component update, some ds_guest_agents do not restart
automatically because of a segmentation fault that occurs while these
shut down.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 5: This Patch resolves an issue with the blacklist handling
process to help resolve this issue.

Issue 6: [FB19201/TT268577]
Users cannot reconfigure the settings of guest virtual machines and
encounter an "Operation timed out" on Deep Security Manager. When this
happens, Deep Security Virtual Appliance settings need to be reset to
recover.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 6: This Patch resolves a deadlock issue to help ensure that
users can successfully reconfigure guest virtual machines.

Issue 7: [FB19636/TT274385]
The WRS SPS failover function no longer works properly after a user
configures more than one local SPS server because the server connection
function does not attempt to reconnect after it encounters a connection
problem.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 7: This patch enables the server connection function to
attempt to reconnect after it encounters a connection problem.

3. Documentation Set
========================================================================
In addition to this readme.txt, the documentation set for this product
includes the following:

o Deep Security Virtual Appliance 9.0 Service Pack 1 Installation Guide
  (IG) -- Provides product overview, deployment plan, installation
  steps and basic information intended to help you deploy Deep Security
  Virtual Appliance smoothly.
o Deep Security Virtual Appliance 9.0 Service Pack 1 Administrator's
  Guide (AG) -- Provides post-installation instructions on how to
  configure the settings to help you get Deep Security "up and
  running". Also includes instructions on performing other
  administrative tasks for the day-to-day maintenance of Deep Security
  Virtual Appliance.

o Readme files -- version enhancements, known issues, and release
  history. There is one readme for each installable Deep Security
  component: Manager, Agent (including Relay and Notifier), Virtual
  Appliance and ESXi Filter Driver.

  Electronic versions of the manuals are available from the Trend Micro
  Download Center at:

  http://downloadcenter.trendmicro.com/

o Online help -- Context-sensitive help screens that provide guidance
  for performing a task.

o TrendEdge is a program for Trend Micro employees, partners, and other
  interested parties that provides information on unsupported,
  innovative techniques, tools, and best practices for Trend Micro
  products. The TrendEdge database contains numerous documents covering
  a wide range of topics.

  http://trendedge.trendmicro.com

o Knowledge Base -- a searchable database of known product issues,
  including specific problem-solving and troubleshooting topics.

  http://esupport.trendmicro.com

4. System Requirements
========================================================================
For a complete list of the System requirements, please refer to the
"Deep Security Virtual Appliance 9.0 Service Pack 1 Installation
Guide."

5. Installation/Uninstallation
========================================================================
- See the "Deep Security Virtual Appliance 9.0 Service Pack 1
  Installation Guide" document available for download from the Trend
  Micro Download Center.

- Version 9.0 Service Pack 1 of Deep Security Virtual Appliance
  requires the 9.0 Service Pack 1 version of the Deep Security Filter
  Driver.
- When a Deep Security Virtual Appliance is deployed in a VMware
  environment that makes use of the VMware Distributed Resource
  Scheduler (DRS), it is important that Deep Security Virtual Appliance
  does not get vMotioned. Deep Security Virtual Appliance must be
  "pinned" to its particular ESXi host. You must actively change the
  DRS settings for all Deep Security Virtual Appliances to "Manual" or
  "Disabled" (recommended) so that these will not be vMotioned by the
  DRS.

  If a Deep Security Virtual Appliance (or any virtual machine) is set
  to "Disabled", the vCenter Server does not migrate that virtual
  machine or provide migration recommendations for it. This is known as
  "pinning" the virtual machine to its registered host and is the
  recommended course of action for Deep Security Virtual Appliances in
  a DRS environment.

  An alternative is to deploy Deep Security Virtual Appliance onto a
  local store as opposed to a shared store. When Deep Security Virtual
  Appliance is deployed onto a local store it cannot be vMotioned by
  DRS.

  For further information on DRS and pinning virtual machines to a
  specific ESXi, please consult your VMware documentation.

6. Known Incompatibilities
========================================================================
There are no known incompatibilities for this release.

7. Known Issues
========================================================================
- If Deep Security Virtual Appliance does not have enough disk space
  for an upgrade, it does not clear up disk space or warn users before
  running the upgrade. As a result, the upgrade fails and triggers
  error messages from vCenter and Deep Security Manager. [18706]

- In some cases, if you deploy Deep Security Virtual Appliance and you
  select to use a static IP address, the default DNS domain will be set
  incorrectly. To resolve this, log on to the Deep Security Virtual
  Appliance console command line and run "vi /etc/resolv.conf". Ensure
  the values for search and nameserver are correct for your
  environment. [Deep Security 8.0 Tier 2-00184]

- SYN Flood protection is supported only on Windows Agent versions 7.5
  or older and on Virtual Appliance versions 7.5 or older. It is not
  supported on Windows Agent versions 7.5 Service Pack 1 or higher or
  on Virtual Appliance versions 7.5 Service Pack 1 or higher. It is not
  supported on any version of the Linux or Solaris Agents.

- On some Windows platforms, when downloading malware using Microsoft
  Internet Explorer(TM), the download process window closes upon
  detection. The file will still be detected and cleaned even though no
  error or warning was given. [00619]

- The quarantine action may fail if the maximum quarantine size is set
  too high. The default size is 32 MB. It is recommended not to set the
  limit higher than 200 MB.

- If your ESXi or Deep Security Virtual Appliance are in a different
  domain than your Deep Security Manager, they may have problems
  connecting to Deep Security Manager. Renaming your Deep Security
  Manager to use the fully qualified name fixes this, for example,
  "manager.hq.local". For information on how to rename your Deep
  Security Manager hostname, refer to the documentation.

- For any images you have on your ESXi machine, ensure you have the
  latest VMware Tools installed.

- Deep Security Virtual Appliance cannot perform Log Inspection, which
  means users cannot assign Log Inspection Rules to machines without an
  in-guest Deep Security Agent.

- Users cannot reconfigure the settings of guest virtual machines and
  encounter an "Operation timed out" on Deep Security Manager. When
  this happens, Deep Security Virtual Appliance settings need to be
  reset to recover. [TT268577/19201]

8. Release History
========================================================================
See the following website for more information about updates to this
product:

http://www.trendmicro.com/download

8.1 Previous Deep Security Virtual Appliance 9.0 and Deep Security
    Filter Driver 9.0 Releases
=====================================================================
- Deep Security Virtual Appliance 9.0.0.883, January 30, 2013
- Deep Security Filter Driver 9.0.0.854, January 30, 2013
- Deep Security Virtual Appliance 9.0.0.2009, May 21, 2013
- Deep Security Filter Driver 9.0.0.995, May 21, 2013

Deep Security Virtual Appliance 9.0.0.2009 (9.0 Service Pack 1)
=====================================================================
Issue 1: [17840/17881/TT263949]
Under certain circumstances Deep Security Manager would open a
connection to the Deep Security Virtual Appliance master agent but does
not supply the tunneling header. This would leave the Deep Security
Virtual Appliance master agent waiting for a blocking read.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: A 30-second timeout has been added in Deep Security Virtual
Appliance. After 30 seconds, Deep Security Virtual Appliance will
generate a log that states that it did not receive the tunneling header
and that it would re-establish communication with Deep Security
Manager.

Issue 2: [TT268579]
The ds_am process stops unexpectedly because of an error in the
handling of the EPSecStatus return code.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: Deep Security Virtual Appliance can now properly handle the
zero rtscan_epsec_read() return code in ds_am.

Issue 3: [17994/17943/TT263949]
The diagnostic package for new ds_monitor logs does not pick up all the
required log files.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: The diagnostic package now picks up all the required log
files.
Issue 4: [18762/TT269591/TT270131/TT268865/TT268779/TT268134/TT269224]
A race condition may occur when resources are being de-allocated for a
virtual machine. This de-allocation may occur while virtual machines
shut down or during a vMotion action. The race condition can be
triggered more often on ESXi servers that have a large range of varying
remote addresses (i.e. connections inbound) that are sending IP (any
IP/IPv6) packets to a given virtual machine or machines. A list of
tracked hosts grows in size and is cleaned up at certain points, such
as when a virtual machine shuts down or a vMotion action runs. When
this happens, locks may stay enabled for too long, which the VMware
kernel cannot tolerate. This can result in a purple screen of death
(PSoD) on the ESXi server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: The race condition can now be avoided.

Enhancements in Deep Security Virtual Appliance 9.0.0.883 and Deep
Security Filter Driver 9.0.0.854
=====================================================================
- Deep Security Appliance and Deep Security Filter Driver can now
  support ESXi 5.1.
- The Anti-Malware feature has been enhanced to improve scan
  performance.
- The Agentless Recommendation feature has been added.

Resolved Known Issues in Deep Security Virtual Appliance 9.0.883
=====================================================================
Issue 1: [FB17095]
The 1 GB default memory deployment size of Deep Security Virtual
Appliance may cause users to run out of memory.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: The default memory size of Deep Security Virtual Appliance
has been raised to 2 GB.

Issue 2: [TT255553, FB16310, FB16291]
The WRS feature does not work through a proxy if the user name contains
a backslash "\".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: The WRS feature now works under this scenario.
Issue 3: [FB12822]
When Context specific FW/Intrusion Prevention rules are assigned to
machines without in-guest Deep Security Agent installed, the ESXi
server may stop unexpectedly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: The Deep Security Compiler (DSC) in Deep Security Virtual
Appliance now ignores DPI/FW Rules associated with Contexts.

Note: The use of Contexts with Rules is intended to give rules running
on mobile workstations "location awareness" and is not intended for use
in Agentless virtualized environments. For information on Contexts, see
"Components > Contexts" in the online help.

Issue 4: [TT257923, FB16451]
The WRS feature with "allow override" does not work as expected in Deep
Security Virtual Appliance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 4: The WRS feature with "allow override" now works as expected
in Deep Security Virtual Appliance.

Issue 5: [TT253665, FB16360]
It may take Deep Security Virtual Appliance a long time to open or copy
files from the network file share during an anti-malware scan.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 5: A Real-Time scan cache feature has been added in Deep
Security Virtual Appliance to help resolve the issue.

Issue 6: [TT260076, 16864]
Excessive logs are generated when the ds_guest_agent cannot bind to its
ListenSocket.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 6: ds_guest_agent now exits automatically if it cannot create
or bind to its ListenSocket. This prevents it from generating an
excessive amount of logs under this scenario.

This release includes all issues that were resolved in Deep Security
Virtual Appliance 8.0 Service Pack 2 except those explicitly listed in
Section 7, "Known Issues".

9. Files Included in this Release
========================================================================
This release is a complete installation and contains the following
file:

Appliance-ESX-9.0.0-2401.x86_64.zip

10. Contact Information
========================================================================
A license to Trend Micro software usually includes the right to product
updates, pattern file updates, and basic technical support for one (1)
year from the date of purchase only. After the first year, Maintenance
must be renewed on an annual basis at Trend Micro's then-current
Maintenance fees.

You can contact Trend Micro via fax, phone, and email, or visit us at:

http://www.trendmicro.com

Evaluation copies of Trend Micro products can be downloaded from our
website.

Global Mailing Address/Telephone Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For global contact information in the Asia/Pacific region, Australia
and New Zealand, Europe, Latin America, and Canada, go to:

http://www.trendmicro.com/en/about/overview.htm

The Trend Micro "About Us" screen will display. Click the appropriate
link in the "Contact Us" section of the screen.

Note: This information is subject to change without notice.

11. About Trend Micro
========================================================================
Trend Micro, Inc. provides virus protection, anti-spam, and
content-filtering security products and services.

Copyright 2013, Trend Micro Incorporated. All rights reserved. Trend
Micro, the t-ball logo, Deep Security and "deep security solutions" are
trademarks of Trend Micro Incorporated and are registered in some
jurisdictions. All other marks are the trademarks or registered
trademarks of their respective companies.

12. License Agreement
========================================================================
Information about your license agreement with Trend Micro can be viewed
at:

http://us.trendmicro.com/us/about/company/user_license_agreements/

13. Third Party Software
========================================================================
This product includes software developed by the OpenSSL Project for use
in the OpenSSL Toolkit (http://www.openssl.org/).

Deep Security Agent also makes use of the following software.

3rd party binary distributions:

Expat (http://expat.sourceforge.net/)
fksec (http://win32.mvps.org/)
IP Filter (http://coombs.anu.edu.au/~avalon/)
SQLite (http://www.sqlite.org/)
WxWidgets (http://www.wxwidgets.org/)
zlib (http://www.zlib.net/)

3rd party source:

GMTime (http://www.jbox.dk/sanos/source/lib/time.c.html)
Tree (http://www.openbsd.org/cgi-bin/cvsweb/src/sys/sys/tree.h)

The 3rd party software is subject to the licenses available in the
following directory:

[INSTALL DIRECTORY]\Licenses

Public domain source code licenses are available here:

SQLite - http://www.sqlite.org/copyright.html
fksec - http://win32.mvps.org/license.html

Where 3rd party licenses require open access to their source code,
Trend Micro will provide the necessary materials upon written request.

========================================================================
(C) 2013 Trend Micro Inc. All rights reserved. Published in Canada.