Trend Micro Incorporated                               February 21, 2017
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Readme for Trend Micro (TM) Deep Security Agent 9.6 Service Pack 1
Patch 1 Update 6 for Windows, and Deep Security Notifier 9.6 Service
Pack 1 Patch 1 Update 6 for Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This Readme file was current as of the date above. However,
all customers are advised to check Trend Micro's website for
documentation updates.

GM release documentation:
http://docs.trendmicro.com

Patch/SP release documentation:
http://www.trendmicro.com/download

TIP: Register online with Trend Micro within 30 days of installation
to continue downloading new pattern files and product updates from the
Trend Micro website. Register during installation or online at:
https://clp.trendmicro.com/FullRegistration?T=TM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Platforms:
  Windows Server 2016 (64-bit),
  Windows Server 2012 (64-bit),
  Windows Server 2012 R2(64-bit),
  Windows Server Core 2012 (64-bit),
  Windows Server Core 2012 R2 (64-bit),
  Windows 10 (32-bit and 64-bit),
  Windows 8.1 (32-bit and 64-bit),
  Windows 8 (32-bit and 64-bit),
  Windows 7 (32-bit and 64-bit),
  Windows Server 2008 R2 (64-bit),
  Windows Server 2008 (32-bit and 64-bit),
  Windows Vista (32-bit and 64-bit),
  Windows Server 2003 R2 SP2 (32-bit and 64-bit),
  Windows XP SP3 (32-bit and 64-bit),
  Windows XP Embedded (32-bit) (**)(***),
  Hyper-V on Windows 2012 R2, 2012, 8, 8.1 and 2008 R2(*)

(*)There is no agentless solution for Windows Hyper-V. The Agent
installed on the Hyper-V hypervisor will only protect the hypervisor
itself. In order to protect guest images running on Hyper-V an Agent
must be installed on each Hyper-V guest. See Knowledge Base article
http://esupport.trendmicro.com/solution/en-us/1103857.aspx
for more information.

(**)Due to the customization possible with Windows XP Embedded, we
request that customers validate correct operation in their own
environment to ensure the services and ports necessary to run the Deep
Security Agent have been enabled.

(***) Deep Security Notifier is not supported on these platforms.

Not currently supported:
  Windows Server 2008 Core,
  Microsoft Virtual Server 2005 R2 SP1

Deep Security Agent with Relay Feature Platforms:
  Windows Server 2012 (64-bit),
  Windows Server 2012 R2(64-bit),
  Windows Server Core 2012 (64-bit),
  Windows Server Core 2012 R2 (64-bit),
  Windows 10 (64-bit),
  Windows 8.1 (64-bit),
  Windows 8 (64-bit),
  Windows 7 (64-bit),
  Windows Server 2008 R2 (64-bit),
  Windows Server 2008 (64-bit),
  Windows Vista (64-bit),
  Windows Server 2003 R2 SP2 (64-bit),
  Windows XP (64-bit),

Date: February 22, 2017
Release: 9.6 Service Pack 1 Patch 1 Update 6
Build Version: 9.6.2-7723
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the license agreement
and copied to the install directory.

For more information about the Trend Micro suite of Deep Security
products, visit our website at:
http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/index.html

Download the latest version of this readme from the Deep Security page
at the Trend Micro Download Center website:
http://downloadcenter.trendmicro.com/

Trend Micro is always seeking to improve its documentation. If you
have questions, comments, or suggestions about this or any Trend Micro
documents, please contact us at docs@trendmicro.com. Your feedback is
always welcome.

Contents
===================================================================
1. About Deep Security 9.6 Service Pack 1 Patch 1 Update 6
   1.1 Overview of This Release
   1.2 Who Should Install This Release
2. What's New
   2.1 Resolved Known Issues
   2.2 Enhancements
3. Documentation Set
4. System Requirements
5. Installation
6. Known Incompatibilities
7. Known Issues
8. Release History
9. Files Included in This Release
10. Contact Information
11. About Trend Micro
12. License Agreement
13. Third-Party Software
===================================================================

1. About Deep Security 9.6 Service Pack 1 Patch 1 Update 6
========================================================================

1.1 Overview of This Release
=====================================================================
Deep Security Agent 9.6 Service Pack 1 Patch 1 Update 6 contains
feature enhancements as well as bug fixes.

For a list of the major changes in Deep Security 9.6 Service Pack 1,
please see the "What's New" section of the Installation Guides, which
are available for download from the Trend Micro Download Center.

1.2 Who Should Install This Release
=====================================================================
You should install this release if you are currently running Deep
Security 9.0 SP1 Patch 5, 9.5 SP1 Patch 2, or 9.6. All new Deep
Security users should install Deep Security 9.6 Service Pack 1
Patch 1.

2. What's New
========================================================================

2.1 Enhancements
=====================================================================
The following enhancement(s) are included in this release:

Enhancement 1: [DSSEG-735]
  If a vCloud Director has been added into the Deep Security Manager
  under T0, and there is no multi-tenancy enabled and vCloud Director
  has Virtual Machines installed with Deep Security Agents and those
  virtual machines are using Fully Qualified Domain Name (FQDN), then
  agent-initiated activation using dsa_control command does not
  activate the virtual machine under the vCloud Director, but creates
  a new virtual machine record under computers and activates it. The
  same behaviour does not occur if virtual machine is not using FQDN.

  Note 1: This issue is not being reported if vCloud Director is being
  used under multi-tenant deployment with VCenter, ESXi, DSVA and VMs
  imported in T0 of DSM and vCloud is being added under TN.

  To handle this specific scenario, dsa_control -a option has been
  appended and added with "FQDN:false" sub-option which can be used as
  follows:

    dsa_control -a dsm://:4120:/ "FQDN:false"

  Note 1: The above command needs to be run manually or as a batch
  job, but cannot be downloaded as an option from deployment script
  from Deep Security Manager's Console.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2.2 Resolved Known Issues
=====================================================================
This release resolves the following issue(s):

Issue 1: [DSSEG-717]
  Deep Security Agent should allow you to enable the Windows Firewall
  by creating a ds_agent.ini file that contains:

    dsp.fwdpi.disableNativeFirewall=false

  This setting did not work.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-703]
  When the Deep Security Agent generated Web Threat Protection (WTP)
  syslog messages, it did not follow the syslog format. When the
  syslog is set to "direct forward" from the agent, the log message
  should be Common Event Format (CEF).

Solution 2: This issue is fixed in this release. The WRS Syslog format
  is now CEF.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-222]
  In certain situations, if a DPI event was already sent to the Deep
  Security Manager, then restarting the Deep Security Agent service
  would send the event to the Deep Security Manager again, causing
  duplicate events to appear in the Deep Security Manager console, on
  the DPI events tab.

Solution 3: This issue has been fixed in the current release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for
this product, go to http://docs.trendmicro.com

In addition to this Readme file, the documentation set for this
product includes the following:

- Online Help: The Online Help contains an overview of features and
  key concepts, and information on configuring and maintaining Deep
  Security 9.6.

  To access the Online Help, go to http://docs.trendmicro.com

- Installation Guide (IG): The Installation Guide contains information
  on requirements and procedures for installing and deploying Deep
  Security 9.6. The following Installation Guides are available in
  Trend Micro Download Center:

    Deep_Security_96_SP1_Install_Guide_basic_EN.pdf
    Deep_Security_96_SP1_Install_Guide_vcloud_EN.pdf
    Deep_Security_96_SP1_Install_Guide_nsx_EN.pdf
    Deep_Security_96_SP1_Install_Guide_vmsafe_EN.pdf
    Deep_Security_96_SP1_Install_Guide_azure_EN.pdf

- Administrator's Guide (AG): The Administrator's Guide contains an
  overview of features and key concepts, and information on
  configuring and maintaining Deep Security 9.6. It also contains
  post-installation instructions on how to configure the settings to
  help you get Deep Security "up and running". All of the content of
  the Administrator's Guide can be found in the Deep Security
  Manager's online help.

- Support Portal: The Support Portal contains information on
  troubleshooting and resolving known issues.

  To access the Support Portal, go to http://esupport.trendmicro.com

4. System Requirements
========================================================================
For a complete list of the System requirements, please refer to the
Deep Security 9.6 Service Pack 1 Installation Guide.

5. Installation
========================================================================
Refer to the "Deep Security Manager 9.6 Service Pack 1 Installation
Guide" document available for download from the Trend Micro Download
Center.

- Only use the Agent installer package (the .msi or the .rpm file) on
  its own to install the Deep Security Agent. If you extract the full
  Agent zip package and then run the Agent installer from the same
  folder that holds the other zipped Agent components, all the
  Security Modules will be installed. That may cause a conflict with
  the Anti-Malware or Firewall driver if you use applications other
  than Deep Security to provide those functionalities.

- Before installing this Patch, please ensure that the Deep Security
  Manager has already been upgraded to 9.6 Service Pack 1.

- All Deep Security Relay-Enabled Agents must first be upgraded to
  Deep Security Agent 9.6 Service Pack 1 before upgrading other
  Agents.

6. Known Incompatibilities
========================================================================
1. Resonate Load Balancer (5.0.1)
   Deep Security Agents Affected: All
   Issue: Environments in which the Resonate load balancing software
   is installed may experience a loss of Resonate functionality when
   the Deep Security Agent is installed.
   Resolution: Restart the Resonate Central Dispatch Controller
   services.

2. Trend Micro Client Server Messaging Security for SMB
   Deep Security Agents Affected: All
   Issue: Connectivity issues have been noted when running versions of
   Trend Micro Client Server Messaging Security for SMB that are older
   than Version 3.5 Build 1113.
   Resolution: Upgrade Trend Micro Client Server Messaging Security
   for SMB to Version 3.5 Build 1138 or higher.

3. Realtek RTL8169/8110 Family Gigabit Ethernet NIC
   Deep Security Agents Affected: All
   Issue: Issues have been noted when using Version 5.663.1212.2006 of
   the Realtek Gigabit Ethernet NIC.
   Resolution: To resolve these issues, upgrade the driver to the
   latest version.

4. Intel(R) PRO/100+ Dual Port Server Adapter
   Deep Security Agents Affected: All
   Issue: Issues have been noted when using Intel NIC cards with
   driver versions lower than 8.0.17.0.
   Resolution: To resolve the issue, upgrade the driver to version
   v8.0.19 or higher.

5. Microsoft Network Load Balancer (MS-NLB)
   Deep Security Agents Affected: All
   Issue: Issues have been noted when using Microsoft Network Load
   Balancer (MS-NLB).
   Resolution: MS-NLB is incompatible with Deep Security Agent and
   currently there is no solution available for this incompatibility.

6. Wireshark
   Deep Security Agents Affected: All when installed in Windows Vista,
   7, 2008 and 2008 R2.
   Issue: When Wireshark is monitoring packets they are incorrectly
   presenting outgoing packets through NdisFilterRecv packet which is
   the path for incoming packets.
   Resolution: Use Microsoft Network Monitor instead when doing packet
   capture.

7. Known Issues
========================================================================
- In rare circumstances, when enabling Anti-Malware feature on Deep
  Security Agent running on Windows XP, the AMSP service installation
  may fail with the error message "AMSP error code (0x20ff0000)". As a
  workaround, reinstall the Deep Security Agent. [29436]

- On Windows 32-bit platforms, there is a configuration limit of 20MB
  because of the smaller kernel memory available on these platforms.
  The event "Agent configuration package too large" may appear if
  there are too many rules enabled on the Deep Security policy being
  assigned. This may be fixed by trimming down the Intrusion
  Prevention rules strictly to Recommended for Assignment only.
  [27162]

- If the Integrity monitoring feature in Combined Mode is disabled,
  the Deep Security Notifier status will display it as Not Capable
  instead of Not Configured. [29403]

- Deep Security Azure Connector does not identify virtual machines
  created by Azure Resource Manager a.k.a ARM VM (v2).
  DSA installed in ARM VM will not be included in Azure connector but
  in the normal computer list. This limitation will have no impact on
  security features provided by Deep Security. [29630]

- Deep Security Agent could not convert shift-jis encoded characters
  to UTF-8. Therefore, any folders named with shift-jis encoding will
  be skipped during Integrity Monitoring scanning. [28879]

- If agentless Anti-Malware real-time protection is turned off, the
  Notifier will not get any status updates from the Appliance. It will
  then turn off Antivirus protection in the Windows Action Center.
  [29230/29574]

- When you deactivate the Deep Security Virtual Appliance or agentless
  protection, the Notifier will not be able to get any status from the
  Deep Security Virtual Appliance. The Notifier knows that
  anti-malware is not working so it will turn it off in the Windows
  Action Center. It does not know the status of the firewall so it
  will leave the firewall status in the Windows Action center in its
  last known state. [29230/29574]

- The Deep Security Notifier installed in the virtual machines should
  be upgraded to 9.6 Service Pack 1 Patch 1 Update 4 to correctly
  display the status of protection in 9.6 Service Pack 1 Patch 1
  Update 4, especially when using Combined Mode. [28557]

- Deep Security does not support switching the Windows 2012 server
  mode between Server Core and Full (GUI) modes after the Deep
  Security Agent is installed. [28481]

- If you are using Server Core mode in a Hyper-V environment, you will
  need to use Hyper-V Manager to remotely manage the Server Core
  computer from another computer. When the Server Core computer has
  the Deep Security Agent installed and Firewall enabled, the Firewall
  will block the remote management connection. To manage the Server
  Core computer remotely, turn off the Firewall module. [28481]

- Hyper-V provides a migration function used to move a guest VM from
  one Hyper-V server to another.
  The Deep Security Firewall module will block the connection between
  Hyper-V servers, so you will need to turn off the Firewall module to
  use the migration function. [28481]

- Deep Security Agent does not support scanning a mounted network
  folder (SMB) on the following Windows platforms:

    Windows 2012 Server R2 (64-bit)
    Windows 2012 Server (64-bit)
    Windows 8.1 (32/64-bit)
    Windows 8 (32/64-bit)

  [22016]

- Deep Security Notifier when using agentless protection in an NSX
  environment will not work if only the WRS feature is turned on.
  Agentless anti-malware must be enabled for Deep Security Notifier to
  work. [22210]

- The Relay feature uses TCP port 4122. When enabling the Relay
  feature, make sure TCP port 4122 is allowed in any firewall being
  used. [22749]

- Relay feature is not supported on Windows XP. [17729]

- The Deep Security Agent anti-malware files and folder might not get
  removed on upgraded 9.0 to 9.5 Agents when uninstall is performed.
  This only happens when the anti-malware feature is enabled then
  disabled in 9.0 before upgrading to 9.5 and the anti-malware feature
  was never enabled in 9.5 before uninstalling. When this happens,
  follow the manual uninstall procedures in
  http://esupport.trendmicro.com/solution/en-US/1096150.aspx
  to completely uninstall. [21716]

- Some Anti-Malware events are not generated when using the Windows
  built-in decompress tool on Windows Vista and later versions. This
  issue will not happen when using a 3rd party decompress tool.
  [23055]

- Windows Add/Remove Programs or Programs and Features doesn't show
  the exact version of the Deep Security Agent. Deep Security Agent
  version consists of major.minor.sp-build but Windows only shows it
  as major.minor.build. [21990]

- CPU usage control in Scan for Integrity may not work after a reboot.
  Rebuild Integrity Baseline or reactivation will fix this.
  [20725/20563]

- During anti-malware realtime scan, Deep Security Agent may sometimes
  produce multiple Delete Failed events even when the deletion was
  successful.
  This rarely occurs but it happens when the file is being locked by
  another process temporarily. [23520]

- When upgrading to Deep Security Agent 9.5 on Windows 2012, an error
  message saying "Service 'Trend Micro Deep Security Agent'(ds_agent)
  could not be installed. Verify that you have sufficient privileges
  to install system services." may appear. This may be fixed by
  running Windows Update troubleshooter in
  http://support.microsoft.com/kb/910336. [23728]

- Deep Security Notifier will show the status of Intrusion Prevention
  as Not Configured if the IPS has no rules assigned even if it's On.
  [22938]

- Some security components of Deep Security Agent with Relay feature
  enabled may get removed unexpectedly after an update. As a
  workaround, retry the security update. [24004]

- Upgrading to Deep Security Agent 9.5 or 9.6 Patch 1 by running a
  deployment script on an AWS instance that already has Deep Security
  Agent 9.0 will not work. Deep Security Agent upgrade must be done
  from the Deep Security Manager. [25598]

- After Deep Security Agent upgrade, the event "Abnormal Restart
  Detected" may appear. The upgrade is not affected by this event and
  may be safely ignored. Do Clear Warnings and Errors and perform a
  Check Status to reflect the actual status of the Agent. [26619]

- In some cases, a laptop computer has the "Microsoft Virtual Wi-Fi
  Miniport Adapter" option enabled. Such devices, used for creating
  Wi-Fi hotspots (ad hoc networks) through the wireless adapter, would
  enable both the real device for the true wireless connection and the
  "Microsoft Virtual Wi-Fi Miniport Adapter" for the ad hoc
  connections, with the same MAC address. This triggers Deep Security
  Agent on such laptop computers to request an interface update on
  every heartbeat.
  [17502]

- In a cloud provider environment, if the "Enable regular
  synchronization with Cloud Provider" option is disabled, changing
  the Deep Security Agent hostname will disrupt the communication
  between Deep Security Manager and Deep Security Agent. Trend Micro
  strongly recommends keeping the "Enable regular synchronization with
  Cloud Provider" option ON. [15608]

- On Windows 2008 and Windows Server 2012, after installing Deep
  Security Manager with a co-located Relay, the Deep Security Notifier
  icon does not automatically show up in the Windows notification
  area. However, Deep Security Notifier will still work. Users need to
  re-launch Deep Security Notifier from the "Start" menu or restart
  the system. [17533]

- The following system event log appears when you install Deep
  Security Agent on the Windows Vista, Windows 2008, or Windows 7
  platform:

  "The Trend Micro Deep Security Agent service is marked as an
  interactive service. However, the system is configured not allow
  interactive services. This service may not function properly."

  This is a normal warning on Windows Vista or higher Windows
  versions. On these platforms, Windows does not allow services to
  interact with the user's desktop, so the operating system displays
  the warning when Deep Security Agent tries to use interactive
  services. This desktop interaction feature is used by the Deep
  Security Agent to provide the restart notice on pre-Vista versions
  of Windows. The warning message can be safely ignored.
  [Deep Security 8.0 Tier 2-00253]

- In Windows Vista and higher releases, sometimes, you will encounter
  problems while upgrading the Deep Security Agent. The problem is
  related to the timing of the VC RTL assemblies being published to
  WinSxS, but it only seems to cause trouble on Vista or higher and
  only if the version of the RTL is not changing. The root cause is
  some corrupted Windows components.
  To work around this, you can either run the Windows System File
  Checker (sfc.exe) to repair the operating system, or install the
  Microsoft Visual C++ Redistributable Package from the following URL
  before starting the upgrade procedure again.

  http://www.microsoft.com/download/en/details.aspx?id=26347

  After installing the package from Microsoft, you should restart the
  computer or else the upgrade may still fail. To recover from this,
  you can install the package, re-run the installer and restart the
  computer. [Deep Security 8.0-01044]

- Intrusion Prevention (DPI) is not supported over SSL connections
  when using IPv6.

- On Windows XP, you may encounter a "Fatal Error During
  Installation." message if you attempt to uninstall the Deep Security
  Agent through the "Add/Remove programs" page while the Agent's
  "Self Protection" function is enabled. This message comes from
  Windows indicating that the uninstall did not proceed because
  self-protection is enabled. It is not a Deep Security error.
  [Deep Security 8.0-00410]

- When running an Anti-Malware Manual Scan with Smart Scan enabled, if
  the Deep Security Agent cannot contact the Smart Scan server, the
  resulting error event will indicate a "Real-Time" scan type instead
  of "Manual". [Deep Security 8.0 Tier 2-00024]

- If network connectivity is lost for an extended period of time
  during a Deep Security Agent upgrade, you may need to restart the
  host machine.

- It is possible that NDIS drivers will stop responding during Deep
  Security Agent installation or uninstallation if they do not
  properly free packets when requested to unbind. Deep Security Agent
  with NDIS 5.1 or NDIS 6.0 driver can free all packets correctly
  before upgrading or uninstalling. However, when installing or
  uninstalling NDIS drivers, Microsoft requires that all NDIS drivers
  be unbound and then rebound.
  This means that if other third-party NDIS drivers do not properly
  free packets, it is still possible for the Deep Security Agent
  install, upgrade, or uninstall process to stop responding. This is
  beyond Trend Micro's control and will only happen rarely. If this
  does occur then you can restart the computer and try to install,
  uninstall, or upgrade Deep Security Agent again.

- Log Inspection Event logs are limited to 6000 characters.

- When the network engine is working in TAP mode and the in-guest
  Agent is offline, the Deep Security Virtual Appliance status will
  display "Stand By". But, Deep Security Virtual Appliance is actually
  online and IP/FW events logs are still generated as rules are
  triggered. [10948]

8. Release History
========================================================================
See the following website for more information about updates to this
product: http://www.trendmicro.com/download

- Deep Security Agent 9.6, Build 9.6.1-1308, August 12, 2015
- Deep Security Agent 9.6 Patch 1, Build 9.6.1-3500, October 30, 2015
- Deep Security Agent 9.6 Service Pack 1, Build 9.6.2-5029,
  December 15, 2015
- Deep Security Agent 9.6 Service Pack 1 Update 2, Build 9.6.2-5449,
  March 11, 2016
- Deep Security Agent 9.6 Service Pack 1 Patch 1, Build 9.6.2.6400,
  April 22, 2016
- Deep Security Agent 9.6 Service Pack 1 Patch 1 Update 1,
  Build 9.6.2-7050, June 30, 2016
- Deep Security Agent 9.6 Service Pack 1 Patch 1 Update 2,
  Build 9.6.2-7256, July 29, 2016
- Deep Security Agent 9.6 Service Pack 1 Patch 1 Update 3,
  Build 9.6.2-7516, October 14, 2016
- Deep Security Agent 9.6 Service Pack 1 Patch 1 Update 6,
  Build 9.6.2-7723, February 22, 2017

8.1 Deep Security Agent 9.6.1-1308
=====================================================================

8.1.1 Enhancements
=====================================================================
VMware vSphere 6 Support
- Deep Security 9.6 now supports vSphere 6.

NSX 6.1.4 Support and Integration
- Agentless Anti-Malware, Integrity Monitoring, WRS, Firewall and
  Intrusion Prevention are available with NSX.

vCNS 5.5.4 Support
- Agentless Anti-Malware and Integrity Monitoring are available for
  vCNS Combined Mode with Agentless Anti-Malware and Integrity
  Monitoring and agent based support for WRS, Firewall and Intrusion
  Prevention.

Additional Platform Support
- Deep Security 9.6 adds support for the following platforms:

    Debian 6 & 7
    Windows 2012 Server Core
    Cloud Linux 7
    Oracle Linux 7
    SuSE Enterprise Linux 12

Deep Security Relay Downloads from Trend Micro Download Center
- In situations where the Deep Security relay cannot directly access
  the Deep Security Manager, the relay can now download software
  updates from Trend Micro Download Center.

8.1.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

This release includes all resolved issues that were resolved in Deep
Security 9.5 SP1 except those explicitly listed in the section "Known
Issues in Deep Security Agent 9.6 SP1".

8.2 Deep Security Agent 9.6.1-3500
=====================================================================

8.2.1 Enhancements
=====================================================================
Enhancement 1: [30166]
  The Anti-Malware Solutions Platform, which is used for malware
  scanning and cleaning tasks on Windows systems, has been upgraded to
  the latest Damage Cleanup Engine (DCE) version 7.5.

Enhancement 2:
  This Release contains improvements in TCP/IP connection handling to
  eliminate the potential under certain conditions for evasion of
  IDS/IPS (Intrusion Prevention) functionality. These improvements do
  not affect Firewall functionality.

Enhancement 3: [30164]
  The Deep Security Agent uses Anti-Malware Solutions Platform (AMSP)
  module for providing Anti-Malware protection for Microsoft Windows
  platforms.
  This patch release enhances the AMSP ability to detect and remove
  malware copied from any shared network folders or files to a local
  system.

8.2.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [30237]
  In certain situations, the Deep Security Agent's Anti-Malware
  service module could decrease system performance due to a defect in
  scan cache handling.

Solution 1: This issue has been fixed in this release.

8.3 Deep Security Agent 9.6.2-5029
=====================================================================

8.3.1 Enhancements
=====================================================================
Windows 10 Support
- The Deep Security Agent can protect computers that are running
  Microsoft Windows 10.

  Note: Agentless support requires an update from VMware and is
  currently unavailable.

8.3.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [741]
  In certain circumstances, when a remote session logged off, the
  DS_Agent service would be stopped because it received a shutdown
  event.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [742/847]
  In certain situations, the Deep Security Agent's Anti-Malware module
  could cause a decrease in system performance due to a defect in scan
  cache handling.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [520/743]
  When the number of TCP connections in a network exceeds the maximum
  number, a race condition occurs and triggers the Deep Security Agent
  computer to restart unexpectedly.

Solution 3: This release helps to prevent the race condition so the
  Deep Security Agent can run normally under this scenario.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [745]
  For Deep Security Agent 9.0, the AMSP Windows Eye driver,
  tmcomm.sys, caused a system crash due to a race condition.

Solution 4: A code defect in the Windows Eye driver has been fixed.

8.4 Deep Security Agent 9.6.2-5449
=====================================================================

8.4.1 Enhancements
=====================================================================
This release does not add any enhancement.

8.4.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-93]
  In Azure environments, if one or more machines had the same host
  name due to staging or production dynamics, the information was not
  correctly handled by the Azure Cloud Connector and machines went
  offline.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [TT332353/DSSEG-76]
  When a configuration is updated, the Deep Security Agent sends a
  heartbeat containing the current information to the Deep Security
  Manager. There was an issue where the local interface information
  did not match the security configuration information, even when the
  Deep Security Manager updated the configuration repeatedly. As a
  result, "Events Retrieved" and "Policy Sent" events were recorded
  under the System Events tab for every heartbeat.

Solution 2: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.5 Deep Security Agent 9.6.2-6400
=====================================================================

8.5.1 Enhancements
=====================================================================
This release adds the following enhancements:

Enhancement 1:
  Currently, Deep Security Manager runs a scheduled task for a
  security update job, sends a command to the Deep Security Agent, and
  then the Agent downloads the security update from the Global Server
  (iAU) or Relay.
  A new feature has been implemented in which the Agent can actively
  download security updates without a command from the Deep Security
  Manager. This can be accomplished using the command-line utility
  dsa_control.

  To download the security updates from the Agent:

  1. Go to the Deep Security Agent's install directory.
  2. Run the command:

       dsa_control -U

  When the Agent starts to download the security updates, an event
  will be generated in the Deep Security Manager console, pointing to
  the DSA > Overview > Events.

  Note: This feature is available to download security updates only
  and cannot be used to download software updates.

Enhancement 2: [DSSEG-162]
  Deep Security Agent is now enhanced to log "Agent Self-Protection
  Enabled" or "Agent Self-Protection Disabled" events under System
  Events when the Agent Self-Protection settings are modified in the
  Deep Security Manager console (under Computer > Settings > Agent
  Self-Protection section), or using the dsa_control command-line
  utility.

Enhancement 3: [TT325376/DSSEG-38]
  When Deep Security is installed after OfficeScan and the
  Anti-Malware feature is enabled accidentally, the driver conflicts
  and causes a fatal error display on a blue screen. The release
  detects the conflicts before installing the Anti-Malware module,
  preventing the error.

Enhancement 4: [DSSEG-47]
  The Deep Security Agent needs an upgrade for the AMSP and AEGIS
  modules. This release upgrades the AMSP version to 2.6.1117 and
  AEGIS to 6.0.1082.

8.5.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-53]
  The Deep Security Agent would crash due to accessing an invalid
  memory address on Agent event writing. The issue would occur if the
  Deep Security Agent needs to reboot Windows to update the DSA
  drivers.

Solution 1: This issue has been fixed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 2: [DSSEG-85] The NIC teaming features used in Windows 2012 R2 lead to duplicate or triplicate packets. If Windows NIC teaming sets the NIC to promiscuous mode and the related port in the switch is set to trunk mode, the NICs receive duplicate packets. An error displayed on a blue screen happens due to a race condition in the Deep Security Filter Driver when these duplicate or triplicate packets are handled in separate threads and one of the threads touches functions that have not been initialized by the other thread.

Solution 2: This condition has been fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 3: [TT339393/DSSEG-100] In a Deep Security Virtual Appliance deployment, due to a timing issue, Anti-Malware and Web Reputation events sometimes do not appear in the Deep Security Notifier in a timely manner.

Solution 3: The issue has been fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 4: [TT329913/DSSEG-117] In rare cases, when system memory is low, the network engine driver could get a NULL memory after configuration and would not handle it correctly. This caused an error message to be displayed on a blue screen.

Solution 4: This Patch avoids the blue screen error when a memory descriptor list (MDL) is not allocated correctly by the Operating System.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 5: [DSSEG-164] When the Deep Security Agent is configured to download security patterns from a primary update source, and the Agent is not in contact with the Deep Security Manager, and the "Allow Agents/Appliances to download Pattern updates when Deep Security Manager is not accessible" option is selected in the Deep Security Manager (under Administration > System Settings > Updates), the security patterns are not downloaded.

Solution 5: This issue has been fixed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 6: [DSSEG-176] During the installation or service restart of the Deep Security Agent, the Windows Firewall (ICS: Internet Connection Sharing) may cause a network disconnection issue.

Solution 6: This issue is fixed in this release.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 7: [TT337910/DSSEG-60] In cases where a remote file server was used for storing Microsoft Office temporary files and the remote file server was running the Deep Security Agent with Realtime Scanning enabled, saving of Microsoft Office files could fail.

Solution 7: The Deep Security Agent Realtime Scanning function has been updated to correctly handle Microsoft Office temporary files.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.6 Deep Security Agent 9.6.2-7050
=====================================================================

8.6.1 Enhancements
=====================================================================

This release adds the following enhancements:

Enhancement 1: [DSSEG-232] In certain scenarios, the Windows Deep Security Agent could significantly impact system performance. This is due to the system clean job performed by the Anti-Malware Solution Platform (AMSP) engine consuming high system resources when realtime malware scan action is taken. System clean is an expensive job and may not always be necessary. With this fix, you can choose to disable system clean for realtime scans and offload this job to a manual scan or scheduled scan.
To take advantage of this feature, deploy the Deep Security Manager and Deep Security Agents (Windows) in this combination:

   DSM: 9.6.3910 or higher
   DSA (Windows): 9.6.2.6950 or higher

After installing/upgrading the Deep Security Manager and Deep Security Agent, you must run this command at the command prompt:

   C:\Program Files\Trend Micro\Deep Security Manager>dsm_c.exe -action changesetting -name "settings.configuration.enableAmspRealtimeScanSystemClean" -value false

Note: By default this value is TRUE.

After changing this setting, the Deep Security Manager service will restart. To implement this change on the Deep Security Agent, right-click the upgraded Deep Security Agent and then click "Send Policy".

Note: This is a global setting that affects all Windows Deep Security Agents running this version or higher.

8.6.2 Resolved Known Issues
====================================================================

This release resolves the following issues:

Issue 1: [DSSEG-235] On Windows machines, if a Deep Security Relay was being installed and downloaded the Security Updates, instead of downloading the incremental updates, it downloaded full updates.

Note: This issue is not observed in Deep Security Relay installed on Linux Platforms.

Solution 1: This issue has been fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 2: [TT341349/DSSEG-245] A Windows error message displayed on a blue screen would sometimes happen when the Deep Security Filter Driver (tbimdsa) received IP fragments out of order.

Solution 2: This issue has been fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 3: [DSSEG-293] There is a Known Issue in remotely upgrading (from the Deep Security Manager console) Deep Security Agents on Windows Vista and Windows 2008 platforms, due to Microsoft's CRT (C Run-time Library) being removed and then failing to be reinstalled.

Solution 3: MS VC++ SP1 Redistributable libraries have been added to the Deep Security Agent package, which resolves this known issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 4: [DSSEG-246] Deep Security Agent required an upgrade to the OpenSSL protocol toolkit.

Solution 4: This release upgraded the Deep Security Agent with OpenSSL version 1.0.2h.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.7 Deep Security Agent 9.6.2-7256
=====================================================================

8.7.1 Enhancements
=====================================================================

This release does not add any enhancements.

8.7.2 Resolved Known Issues
====================================================================

This release resolves the following issues:

Issue 1: [DSSEG-328] You can configure Deep Security Agents to forward events from specific protection module logs to a syslog server (in the computer editor, under Settings > SIEM). Under some circumstances, when the syslog server log forwarding process was set up, it failed to forward syslog entries and the Firewall and Intrusion Prevention modules stopped working correctly.

Solution 1: This issue has been fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 2: [TT-346126/DSSEG-332] Intrusion Prevention Rule compilation sometimes failed due to the time-out value for its compilation being set to one minute.

Solution 2: The compilation time-out is extended to three minutes and the event message will show the error without any other note messages.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 3: [DSSEG-338] When there are many application types assigned to monitor the same port, there is some chance that some of those connections won't be monitored due to an internal defect.

Solution 3: This issue has been fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 4: [DSSEG-319] Anti-Malware Module scans do not scan sparse files by default.
In some cases it is desirable for sparse files to be scanned.

Solution 4: A configurable setting has been added to allow sparse file scanning to be enabled/disabled. To take advantage of this, deploy the updated Deep Security Manager Version 9.6.4025 or later along with this Deep Security Agent version or later release.

After installing/upgrading the Deep Security Manager and Deep Security Agent, you must run the following command at the command prompt at the Deep Security Manager:

   C:\Program Files\Trend Micro\Deep Security Manager>dsm_c.exe -action changesetting -name "settings.configuration.enableSparseFileAmspScan" -value true

Note: This setting is a global setting that affects all Windows Deep Security Agents running this version or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.8 Deep Security Agent 9.6.2-7516
=====================================================================

8.8.1 Enhancements
====================================================================

This release adds the following enhancements:

Enhancement 1: [DSSEG-251] This release enhances the Deep Security Agent's capability to collect AWS EC2 instance metadata information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Enhancement 2: [DSSEG-252] When an Amazon AMI with an activated Deep Security Agent is launched, the Deep Security Manager will automatically reactivate the Agent on this instance and invoke any corresponding event-based tasks.

Note: This enhancement only works when the Deep Security Manager and the Deep Security Agents are both version 9.6 SP1 Patch 1 Update 3 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.8.2 Resolved Known Issues
====================================================================

This release resolves the following issues:

Issue 1: [DSSEG-471] Under certain circumstances, the Deep Security Relay-enabled Agent would fail to download any package if it encountered one failure.
In this case, the Agent error log showed "easy handle already used in multi handle".

Solution 1: This is now fixed. The Relay-enabled Agent will continue to download other packages even if one fails.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 2: [TT347308/TT349841/DSSEG-375] The Anti-Malware component update sometimes failed, which required a fix in the Intelligent ActiveUpdate (iAU) Module used by Deep Security.

Solution 2: The new iAU fix with version number 6.5.1107 is shipped with this Deep Security Agent to fix this issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 3: [DSSEG-419] When a deployment script for activating the Deep Security Agent was run on a virtual machine belonging to a tenant (TN), instead of activating it with TN, the agent was activated with the primary tenant (T0).

Solution 3: This issue has been fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 4: [TT350293/DSSEG-456] In some situations, the AMSP module failed to clean some temp files in the Deep Security Agent "AMSP\temp\virus files" folder.

Solution 4: This issue has been fixed with an upgrade of AMSP to version 2.6.1123.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 5: [DSSEG-468] The IPS engine could sometimes cause a system error displayed on a blue screen when there was a certain rule combination and traffic pattern.

Solution 5: This issue has been fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 6: [DS-7252/DSSEG-481] If multiple users RDP-ed into a single Windows Server and the real-time Anti-Malware engine detected that one of those users had touched a malware file, the Deep Security Notifier sent a message to all users who were logged in.

Solution 6: The anti-malware engine has been fixed so that the Notifier only displays the warning to the relevant user.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 7: [DSSEG-454] An OpenSSL minor version upgrade was required to patch low-impact vulnerabilities such as CVE-2016-6305, CVE-2016-2182 and CVE-2016-6304.

Solution 7: OpenSSL 1.0.2h is upgraded to 1.0.2j.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 8: [DSSEG-492] When Deep Security Manager is installed using an IPv6 address and the co-located relay option is selected on the Windows platform, the module/feature installation fails because the libcurl.dll library doesn't support IPv6.

Solution 8: This is fixed in the current release.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.10 Deep Security Agent 9.6.2-7690
========================================================================

8.10.1 Enhancements
=====================================================================

Deep Security Agent 9.6 Service Pack 1 Patch 1 Update 5 adds the following enhancement:

Enhancement 1: [DSSEG-530] The Deep Security Agent communication port (4118) previously allowed connections using a Triple-DES based cipher suite. The Triple-DES based cipher suite was removed from the list of acceptable cipher suites and new SHA-256 based cipher suites were added.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.10.2 Resolved Known Issues
=====================================================================

Deep Security Agent 9.6 Service Pack 1 Patch 1 Update 5 fixes the following issues:

Issue 1: [DSSEG-563] On Windows Server 2016, Windows Defender is turned on by default and it cannot be turned off automatically by other anti-malware software registering to the Windows Security Center. Performance issues may be observed if the anti-malware feature is enabled at the same time as Windows Defender.

Solution 1: Deep Security Agent will disable Windows Defender from the group policy as a workaround before installing the anti-malware feature.
Until Microsoft has a further solution addressing this issue, re-enabling Windows Defender manually is required if you want to uninstall Deep Security Agent and use Windows Defender instead.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 2: [DSSEG-631] When Real-Time Scan was off or a Real-Time Scan's Malware Scan configuration was set to "No Configuration", the Deep Security Anti-Malware module (AMSP) would sometimes reach a race condition. This race condition would happen when a Real-Time Scan and a Scheduled Scan both ended up with the same configuration ID and the Real-Time Scan configuration was used for the Scheduled Scan.

Solution 2: This issue is resolved in this release.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 3: [DSSEG-636] When Deep Security Notifier is running on Windows XP, the AutoShape object in Microsoft Office Excel 2003 was refreshed repeatedly.

Solution 3: This issue is fixed in this release.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 4: [DSSEG-485] The Deep Security Relay Web Server port (4122) allowed SSL connections using Anonymous and Triple DES cipher suites.

Solution 4: These cipher suites have been removed from the set of cipher suites allowed to connect to this server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 5: [DSSEG-494] The Web Reputation Smart Protection Server setting was not able to add a local server without a port number. This was due to a logic error in the code.

Solution 5: The issue has been fixed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 6: [DSSEG-556] When the Intrusion Prevention rule "1000128 - HTTP Protocol Decoding" is enabled and "Specify raw characters that are not allowed in the URI:" is used, when the Deep Security Agent detects an illegal character, the Deep Security Manager will show the illegal character in an Intrusion Prevention event.
However, the Deep Security Agent sometimes did not report the correct location of the illegal character, so it was not displayed correctly in the Deep Security Manager.

Solution 6: This issue is fixed in this release.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

9. Files Included in This Release
========================================================================

This release is a complete installation. Use one of the following files:

   Agent-Windows-9.6.2-7723.x86_64.zip (64-bit)
   Agent-Windows-9.6.2-7723.i386.zip (32-bit)
   Notifier-Windows-9.6.2-7723.i386.msi (32-bit - can be installed on 64-bit)

10. Contact Information
========================================================================

A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

11. About Trend Micro
========================================================================

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.

Copyright 2017, Trend Micro Incorporated. All rights reserved. Trend Micro, Deep Security, "deep security solutions", and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

12. License Agreement
========================================================================

View information about your license agreement with Trend Micro at:

www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed:

- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide

13. Third-Party Software
========================================================================

Deep Security employs the use of 3rd party binary distributions. The binary distributions are subject to the licenses available in the following directory:

   [Install Directory]/licenses

Where 3rd party licenses require open access to their source code, Trend Micro will provide the necessary materials upon written request.

========================================================================
(C) 2017 Trend Micro Inc. All rights reserved. Published in Canada.