Trend Micro Incorporated                                January 16, 2018
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Readme for Trend Micro (TM) Deep Security Agent 9.5 Service Pack 1
Patch 3 Update 8 Critical Patch for Windows, and Deep Security Notifier
9.5 Service Pack 1 Patch 3 Update 8 Critical Patch for Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This Readme file was current as of the date above. However, all
customers are advised to check Trend Micro's website for documentation
updates.

GM release documentation:
http://docs.trendmicro.com

Patch/SP release documentation:
http://www.trendmicro.com/download

TIP: Register online with Trend Micro within 30 days of installation to
continue downloading new pattern files and product updates from the
Trend Micro website. Register during installation or online at:
https://clp.trendmicro.com/FullRegistration?T=TM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Platforms:
  Windows Server 2012 (64-bit),
  Windows Server 2012 R2 (64-bit),
  Windows 8.1 (32-bit and 64-bit),
  Windows 8 (32-bit and 64-bit),
  Windows 7 (32-bit and 64-bit),
  Windows Server 2008 R2 (64-bit),
  Windows Server 2008 (32-bit and 64-bit),
  Windows Vista (32-bit and 64-bit),
  Windows Server 2003 SP1 (32-bit and 64-bit) with patch
    "Windows Server 2003 Scalable Networking Pack" (***),
  Windows Server 2003 SP2 (32-bit and 64-bit),
  Windows Server 2003 R2 SP2 (32-bit and 64-bit),
  Windows XP (32-bit and 64-bit),
  Windows XP Embedded (32-bit) (**)(***),
  Hyper-V on Windows 2012 R2, 2012, 8, 8.1 and 2008 R2 (*)

(*) There is no agentless solution for Windows Hyper-V. The Agent
installed on the Hyper-V hypervisor will only protect the hypervisor
itself. In order to protect guest images running on Hyper-V, an Agent
must be installed on each Hyper-V guest. See Knowledge Base article
http://esupport.trendmicro.com/solution/en-us/1103857.aspx for more
information.
(**) Due to the customization possible with Windows XP Embedded, we
request that customers validate correct operation in their own
environment to ensure the services and ports necessary to run the Deep
Security Agent have been enabled.

(***) Deep Security Notifier is not supported on these platforms.

Not currently supported:
  Windows Server 2008 and 2012 Core,
  Microsoft Virtual Server 2005 R2 SP1

Deep Security Agent with Relay Feature

Platforms:
  Windows Server 2012 (64-bit),
  Windows Server 2012 R2 (64-bit),
  Windows 8.1 (64-bit),
  Windows 8 (64-bit),
  Windows 7 (64-bit),
  Windows Server 2008 R2 (64-bit),
  Windows Server 2008 (64-bit),
  Windows Vista (64-bit),
  Windows Server 2003 SP1 (64-bit) with patch
    "Windows Server 2003 Scalable Networking Pack" (***),
  Windows Server 2003 SP2 (64-bit),
  Windows Server 2003 R2 SP2 (64-bit)

Date:          January 16, 2018
Release:       9.5 Service Pack 1 Patch 3 Update 8 Critical Patch
Build Version: 9.5.3-7845

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the license agreement
and copied to the install directory.

For more information about the Trend Micro suite of Deep Security
products, visit our website at:
http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/index.html

Download the latest version of this readme from the Deep Security page
at the Trend Micro Download Center website:
https://help.deepsecurity.trendmicro.com/software-9-5.html

Trend Micro is always seeking to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
documents, please contact us at docs@trendmicro.com. Your feedback is
always welcome.

Contents
===================================================================
  1. About Deep Security 9.5 Service Pack 1 Patch 3 Update 8
     Critical Patch
     1.1 Overview of This Release
     1.2 Who Should Install This Release
  2. What's New
     2.1 Enhancements
     2.2 Resolved Known Issues
  3. Documentation Set
  4. System Requirements
  5. Installation
  6. Known Incompatibilities
  7. Known Issues
  8. Release History
  9. Files Included in This Release
  10. Contact Information
  11. About Trend Micro
  12. License Agreement
  13. Third-Party Software
===================================================================

1. About Deep Security 9.5 Service Pack 1 Patch 3 Update 8 Critical Patch
========================================================================

1.1 Overview of This Release
=====================================================================
Deep Security Agent 9.5 Service Pack 1 Patch 3 Update 8 Critical Patch
contains one feature enhancement and no bug fixes.

For a list of the major changes in Deep Security 9.5 Service Pack 1
Patch 3 Update 8 Critical Patch, please see the "What's New" section of
the Installation Guides, which are available for download from the
Trend Micro Download Center.

1.2 Who Should Install This Release
=====================================================================
You should install this release if you are currently running Deep
Security 8.0, 9.0, or 9.5. All new Deep Security users should install
Deep Security 9.5 Service Pack 1 Patch 3 Update 8 Critical Patch.

2. What's New
========================================================================

2.1 Enhancements
=====================================================================
There is one enhancement in this release:

Enhancement 1: [DSSEG-1866]
  Microsoft requested that anti-virus vendors set a registry key that
  will allow a critical system patch for Microsoft Windows. The Deep
  Security Agent now sets the required registry key upon installation.
  For details, see https://success.trendmicro.com/solution/1119183
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2.2 Resolved Known Issues
=====================================================================
This release does not resolve any issues.

3. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for
this product, go to http://docs.trendmicro.com

In addition to this Readme file, the documentation set for this product
includes the following:

- Online Help: The Online Help contains an overview of features and key
  concepts, and information on configuring and maintaining Deep
  Security 9.5.

- Installation Guide: The Installation Guide contains information on
  requirements and procedures for installing and deploying Deep
  Security 9.5. The following Installation Guides are available in
  Trend Micro Download Center:
    Deep_Security_95_SP1_Install_Guide_basic_EN.pdf
    Deep_Security_95_SP1_Install_Guide_vcloud_EN.pdf
    Deep_Security_95_SP1_Install_Guide_nsx_EN.pdf
    Deep_Security_95_SP1_Install_Guide_vmsafe_EN.pdf
    Deep_Security_95_SP1_Install_Guide_azure_EN.pdf

- Administrator's Guide: The Administrator's Guide contains an overview
  of features and key concepts, and information on configuring and
  maintaining Deep Security 9.5. It also contains post-installation
  instructions on how to configure the settings to help you get Deep
  Security "up and running". All of the content of the Administrator's
  Guide can be found in the Deep Security Manager's online help.

- Support Portal: The Support Portal contains information on
  troubleshooting and resolving known issues. To access the Support
  Portal, go to http://esupport.trendmicro.com

4. System Requirements
========================================================================
For a complete list of the System requirements, please refer to the
Deep Security 9.5 Installation Guide.

5. Installation
========================================================================
Refer to the "Deep Security Manager 9.5 Installation Guide" document
available for download from the Trend Micro Download Center.

- Only use the Agent installer package (the .msi or the .rpm file) on
  its own to install the Deep Security Agent. If you extract the full
  Agent zip package and then run the Agent installer from the same
  folder that holds the other zipped Agent components, all the Security
  Modules will be installed. That may cause a conflict with the
  Anti-Malware or Firewall driver if you use applications other than
  Deep Security to provide those functionalities.

- Before installing this Patch, please ensure that the Deep Security
  Manager has already been upgraded to 9.5 Service Pack 1 Patch 3
  Update 8.

- All Deep Security Relay-Enabled Agents must first be upgraded to Deep
  Security Agent 9.5 Service Pack 1 Patch 3 Update 8 Critical Patch
  before upgrading other Agents.

6. Known Incompatibilities
========================================================================

1. Resonate Load Balancer (5.0.1)
   Deep Security Agents Affected: All
   Issue: Environments in which the Resonate load balancing software is
   installed may experience a loss of Resonate functionality when the
   Deep Security Agent is installed.
   Resolution: Restart the Resonate Central Dispatch Controller
   services.

2. Trend Micro Client Server Messaging Security for SMB
   Deep Security Agents Affected: All
   Issue: Connectivity issues have been noted when running versions of
   Trend Micro Client Server Messaging Security for SMB that are older
   than Version 3.5 Build 1113.
   Resolution: Upgrade Trend Micro Client Server Messaging Security for
   SMB to Version 3.5 Build 1138 or higher.

3. Realtek RTL8169/8110 Family Gigabit Ethernet NIC
   Deep Security Agents Affected: All
   Issue: Issues have been noted when using Version 5.663.1212.2006 of
   the Realtek Gigabit Ethernet NIC.
   Resolution: To resolve these issues, upgrade the driver to the
   latest version.

4. Intel(R) PRO/100+ Dual Port Server Adapter
   Deep Security Agents Affected: All
   Issue: Issues have been noted when using Intel NIC cards with driver
   versions lower than 8.0.17.0.
   Resolution: To resolve the issue, upgrade the driver to version
   v8.0.19 or higher.

5. Wireshark
   Deep Security Agents Affected: All when installed in Windows Vista,
   7, 2008 and 2008 R2.
   Issue: When Wireshark is monitoring packets, outgoing packets are
   incorrectly presented through the NdisFilterRecv path, which is the
   path for incoming packets.
   Resolution: Use Microsoft Network Monitor instead when doing packet
   capture.

7. Known Issues
========================================================================

- Deep Security Agent does not support scanning a mounted network
  folder (SMB) on the following Windows platforms:
    Windows 2016 Server (64-bit)
    Windows 2012 Server R2 (64-bit)
    Windows 2012 Server (64-bit)
    Windows 10 (32/64-bit)
    Windows 8.1 (32/64-bit)
    Windows 8 (32/64-bit)
  [22016]

- When using Agentless protection in an NSX environment, Deep Security
  Notifier will not work if only the Web Reputation feature is turned
  on. Agentless Anti-Malware must be enabled for Deep Security Notifier
  to work. [22210]

- The Relay feature uses TCP port 4122. When enabling the Relay
  feature, make sure TCP port 4122 is allowed in any firewall being
  used. [22749]

- The Relay feature is not supported on Windows XP. [17729]

- The Deep Security Agent anti-malware files and folder might not get
  removed on upgraded 9.0 to 9.5 Agents when uninstall is performed.
  This only happens when the Anti-Malware feature is enabled and then
  disabled in 9.0 before upgrading to 9.5 and the Anti-Malware feature
  was never enabled in 9.5 before uninstalling. When this happens,
  follow the manual uninstall procedures in
  http://esupport.trendmicro.com/solution/en-US/1096150.aspx to
  completely uninstall.
  [21716]

- Some Anti-Malware events are not generated when using the Windows
  built-in decompress tool on Windows Vista and later versions. This
  issue does not happen when using 3rd-party decompress tools. [23055]

- Windows Add/Remove Programs or Programs and Features does not show
  the exact version of the Deep Security Agent. The Deep Security Agent
  version consists of major.minor.sp-build, but Windows only shows the
  version as major.minor.build. [21990]

- CPU usage control in Scan for Integrity may not work after a reboot.
  Rebuild Integrity Baseline or reactivation will fix this.
  [20725/20563]

- During an Anti-Malware realtime scan, the Deep Security Agent may
  sometimes produce multiple "Delete Failed" events even when the
  deletion was successful. This rarely occurs but it happens when the
  file is being locked temporarily by another process. [23520]

- When upgrading to Deep Security Agent 9.5 on Windows 2012, an error
  message saying "Service ‘Trend Micro Deep Security Agent’(ds_agent)
  could not be installed. Verify that you have sufficient privileges to
  install system services." may appear. This may be fixed by running
  Windows Update troubleshooter in
  http://support.microsoft.com/kb/910336. [23728]

- Deep Security Notifier will show the status of Intrusion Prevention
  as Not Configured if the IPS has no rules assigned even if it's On.
  [22938]

- Some security components of Deep Security Agent with Relay feature
  enabled may get removed unexpectedly after an update. As a
  workaround, retry the security update. [24004]

- Upgrading to Deep Security Agent 9.5 by running a deployment script
  on an AWS instance that already has Deep Security Agent 9.0 will not
  work. Deep Security Agent upgrade must be done from the Deep Security
  Manager.
  [25598]

- When the real-time Integrity Monitoring feature of Deep Security
  Agent is being used on Windows, the event "Get Events Failed" and
  "Agent/Appliance Error" may appear with the following description:
  "SQLITE_BUSY[5]: database is locked." When this event occurs, restart
  the Deep Security Agent service. [26615]

- After a Deep Security Agent upgrade, the event "Abnormal Restart
  Detected" may appear. The upgrade is not affected by this event and
  may be safely ignored. Do "Clear Warnings and Errors" and perform a
  "Check Status" to reflect the actual status of the agent. [26619]

- In some cases, a laptop computer may have the "Microsoft Virtual
  Wi-Fi Miniport Adapter" option enabled. Such devices, used for
  creating Wi-Fi hotspots (ad hoc networks) through the wireless
  adapter, would enable both the real device for the true wireless
  connection and the "Microsoft Virtual Wi-Fi Miniport Adapter" for the
  ad hoc connections, with the same MAC address. This triggers Deep
  Security Agent on such laptop computers to request an interface
  update on every heartbeat. [17502]

- In a cloud provider environment, if the "Enable regular
  synchronization with Cloud Provider" option is disabled, changing the
  Deep Security Agent hostname will disrupt the communication between
  Deep Security Manager and Deep Security Agent. Trend Micro strongly
  recommends keeping the "Enable regular synchronization with Cloud
  Provider" option ON. [15608]

- On Windows 2008 and Windows Server 2012, after installing Deep
  Security Manager with a co-located Relay, the Deep Security Notifier
  icon does not automatically show up in the Windows notification area.
  However, Deep Security Notifier will still work. Users need to
  re-launch Deep Security Notifier from the "Start" menu or restart the
  system. [17533]

- Deep Security Notifier 8.0 is incompatible with Deep Security Virtual
  Appliance 9.x in VMware environments due to an architectural change
  in VMware vSphere 5.1 and later.
  In vSphere (ESXi) 5.1 and later, Deep Security Notifier 9.x is
  compatible with Deep Security Virtual Appliance 9.x.

- The following system event log appears when you install Deep Security
  Agent on the Windows Vista, Windows 2008, or Windows 7 platform:

  "The Trend Micro Deep Security Agent service is marked as an
  interactive service. However, the system is configured not allow
  interactive services. This service may not function properly."

  This is a normal warning on Windows Vista or higher Windows versions.
  On these platforms, Windows does not allow services to interact with
  the user's desktop, so the operating system displays the warning when
  Deep Security Agent tries to use interactive services. This desktop
  interaction feature is used by the Deep Security Agent to provide the
  restart notice on pre-Vista versions of Windows. The warning message
  can be safely ignored. [Deep Security 8.0 Tier 2-00253]

- In Windows Vista and higher releases, sometimes, you will encounter
  problems while upgrading the Deep Security Agent. The problem is
  related to the timing of the VC RTL assemblies being published to
  WinSxS, but it only seems to cause trouble on Vista or higher and
  only if the version of the RTL is not changing. The root cause is
  some corrupted Windows components. To work around this, you can
  either run the Windows System File Checker (sfc.exe) to repair the
  operating system, or install the Microsoft Visual C++ Redistributable
  Package from the following URL before starting the upgrade procedure
  again.

  http://www.microsoft.com/download/en/details.aspx?id=26347

  After installing the package from Microsoft, you should restart the
  computer or else the upgrade may still fail. To recover from this,
  you can install the package, re-run the installer, and restart the
  computer. [Deep Security 8.0-01044]

- Deep Security Notifier may not start after a remote upgrade of the
  Deep Security Agent.
  If this occurs, manually restart the Notifier from the "Start" menu,
  or restart the machine. [Deep Security 8.0-01196]

- Intrusion Prevention (DPI) is not supported over SSL connections when
  using IPv6.

- On Windows XP, you may encounter a "Fatal Error During Installation."
  message if you attempt to uninstall the Deep Security Agent through
  the "Add/Remove programs" page while the Agent's "Self Protection"
  function is enabled. This message comes from Windows, indicating that
  the uninstall did not proceed because self-protection is enabled. It
  is not a Deep Security error. [Deep Security 8.0-00410]

- When running an Anti-Malware Manual Scan with Smart Scan enabled, if
  the Deep Security Agent cannot contact the Smart Scan server, the
  resulting error event will indicate a "Real-Time" scan type instead
  of "Manual". [Deep Security 8.0 Tier 2-00024]

- If network connectivity is lost for an extended period of time during
  a Deep Security Agent upgrade, you may need to restart the host
  machine.

- It is possible that NDIS drivers will stop responding during Deep
  Security Agent installation or uninstallation if they do not properly
  free packets when requested to unbind. Deep Security Agent with NDIS
  5.1 or NDIS 6.0 driver can free all packets correctly before
  upgrading or uninstalling. However, when installing or uninstalling
  NDIS drivers, Microsoft requires that all NDIS drivers be unbound and
  then rebound. This means that if other third-party NDIS drivers do
  not properly free packets, it is still possible for the Deep Security
  Agent install, upgrade, or uninstall process to stop responding. This
  is beyond Trend Micro's control and will only happen rarely. If this
  does occur then you can restart the computer and try to install,
  uninstall, or upgrade Deep Security Agent again.

- Log Inspection Event logs are limited to 6000 characters.

- When the network engine is working in TAP mode and the in-guest Agent
  is offline, the Deep Security Virtual Appliance status will display
  "Stand By". But, the Deep Security Virtual Appliance is actually
  online and IP/FW events logs are still generated as rules are
  triggered. [10948]

8. Release History
========================================================================
See the following website for more information about updates to this
product: http://www.trendmicro.com/download

- Deep Security Agent 9.5, Build 9.5.2-2023, September 5, 2014
- Deep Security Agent 9.5 SP1, Build 9.5.3.2754, January 30, 2015
- Deep Security Agent 9.5 SP1 Patch 1, Build 9.5.3-4017, July 31, 2015
- Deep Security Agent 9.5 SP1 Patch 2, Build 9.5.3-4518, Sept 23, 2015
- Deep Security Agent 9.5 SP1 Patch 3, Build 9.5.3-5500,
  November 6, 2015
- Deep Security Agent 9.5 SP1 Patch 3 Update 3, Build 9.5.3-7523,
  March 10, 2017
- Deep Security Agent 9.5 SP1 Patch 3 Update 4, Build 9.5.1-7568,
  April 05, 2017
- Deep Security Agent 9.5 SP1 Patch 3 Update 6, Build 9.5.3-7707,
  August 28, 2017
- Deep Security Agent 9.5 Service Pack 1 Patch 3 Update 7,
  Build 9.5.3-7747, September 28, 2017
- Deep Security Agent 9.5 Service Pack 1 Patch 3 Update 8,
  Build 9.5.3-7814, December 07, 2017
- Deep Security Agent 9.5 Service Pack 1 Patch 3 Update 8 Critical
  Patch, Build 9.5.3-7845, January 16, 2018

8.1 Deep Security Agent 9.5.2-2023
=====================================================================

8.1.1 Enhancements
=====================================================================
Smarter, Lightweight Agent
- Lightweight installer
- Selective deployment of Protection Modules to Agents based on
  Security Policy requirements results in smaller Agent footprint

8.1.2 Resolved Known Issues
=====================================================================
- This release includes all resolved issues that were resolved in Deep
  Security 9.0 SP1 Patch 3 except those explicitly listed in the
  section "Known
  Issues in Deep Security Agent 9.5 - Windows" below.

8.2 Deep Security Agent 9.5.3.2754
=====================================================================

8.2.1 Enhancements
=====================================================================
Extended support for Microsoft Azure
- Deep Security can now connect to Microsoft Azure accounts using
  shared certificates. For more information, see the Deep Security 9.5
  SP1 Installation Guide (Cloud).

SSL Enhancements
- Extended SSL Support for TLS 1.2 and the following ciphers:
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256

Extended Proxy Support for Relays
- Relay Groups can now be configured to use unique proxy servers to
  retrieve Security Updates from Trend Micro. The option is available
  in the Relay Group's properties window.

Support for log only HTTP Protocol Decoder errors
- Certain errors determined by the HTTP Protocol decoder can now be
  manually set to be log only. The errors are:
    Double Decoding Exploit
    Illegal Character in URI
    Invalid Hex Encoding
    Invalid Use of Character
    Invalid UTF8 Encoding

Scan Engine Enhancement
- Scan Engine (VSAPI) has been updated to version 9.8.

8.2.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [24672/TT307267]
  When a Deep Security Manager Admin user set the Local override
  password to enable Deep Security Agent Self Protection, if the
  password contained a colon (:), for example, "pass:word", any DSA
  command that required authentication (like TRACE or ResetAgent) would
  fail with ERROR 403 forbidden error.

Solution 1:
  The code that parses the username:password string is fixed to handle
  passwords that include colons (:).
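
The colon-handling bug described in Issue 1 above, as an added Python
example (not Trend Micro's code; the function names and the 200/403
return convention are assumptions for illustration). A parser that
splits on every colon rejects "pass:word", while one that splits on the
first colon only accepts it.

```python
import hmac


def parse_credentials_naive(blob):
    """Flawed parser: assumes the whole string contains exactly one colon.

    "admin:pass:word" splits into three parts, so the credentials are
    treated as malformed and authentication can never succeed.
    """
    parts = blob.split(":")
    if len(parts) != 2:
        return None
    return parts[0], parts[1]


def parse_credentials(blob):
    """Corrected parser: split on the FIRST colon only.

    Everything after the first colon is the password, so later colons
    are preserved. As in HTTP Basic authentication (RFC 7617), this
    format cannot carry a username that itself contains a colon.
    """
    user, sep, password = blob.partition(":")
    if not sep or not user:
        return None  # no separator, or empty username
    return user, password


def authorize(blob, parser, expected_user, expected_password):
    """Return 200 when the parsed credentials match, otherwise 403.

    hmac.compare_digest keeps the comparison constant-time so the check
    does not leak how many leading characters matched.
    """
    creds = parser(blob)
    if creds is None:
        return 403
    user, password = creds
    ok_user = hmac.compare_digest(user.encode(), expected_user.encode())
    ok_pass = hmac.compare_digest(password.encode(), expected_password.encode())
    return 200 if (ok_user and ok_pass) else 403


if __name__ == "__main__":
    # Constructed sample values; "pass:word" is the example from the readme.
    supplied = "admin:pass:word"
    print("naive parser:", authorize(supplied, parse_credentials_naive,
                                     "admin", "pass:word"))
    print("fixed parser:", authorize(supplied, parse_credentials,
                                     "admin", "pass:word"))
```
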
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 2: [25068/23848/TT-304337]
  Deep Security Relay 9.0 uses a version of the Nginx web server and
  its statically linked openssl that are affected by vulnerabilities
  CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198,
  CVE-2010-5298, CVE-2014-3470, and CVE-2014-0076.

Solution 2:
  This release updates the Nginx web server program and statically
  linked openssl in the Deep Security Relay 9.0 to remove the
  vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 3: [25029/24996/TT306410]
  In certain Linux environments, the Deep Security Agent's openSSL
  digest method failed to handle null data, which caused crashes when
  recommendation scans were run.

Solution 3:
  Added null checking code to guard the digest algorithm.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 4: [23609/23608/TT295719]
  In general, file names are encoded in UTF-8 on Linux, but Linux does
  not enforce this. It is up to applications to handle non-UTF-8
  encoded file names. Deep Security Agent was designed to handle UTF-8
  encoding. If the file name is encoded in a multibyte encoding, the
  log event fails to record the file path.

Solution 4:
  Deep Security product currently does not plan to support multibyte
  encoding. This fix provides a workaround. If non-UTF-8 encoding is
  detected in a file path, the file path will be represented in a hex
  string, which can be used as a hint about which file triggered an
  event.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 5: [24690/25760/TT307260/TT310302]
  If an environment variable was defined under the scan exclusions
  directory list, and that environment variable was defined under the
  "Settings > view environment variable" tab, the exclusion did not
  work properly. The files that matched the environment variable were
  still scanned.

Solution 5:
  This release ensures that scan exclusions that use environment
  variables work properly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 6: [24815/TT310736]
  When users changed the default Relay port in Deep Security Manager,
  the Relay's listening port did not change.

Solution 6:
  This release ensures that the Relay configuration is updated promptly
  after users change the default Relay port in Deep Security Manager.

  Note: When a user changes the default Relay port in Deep Security
  Manager, the Relay's listening port will change after the user sends
  a policy to the Relay. For this to work, right-click the Relay
  machine under the Manager's console and click the "Send Policy"
  button.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 7: [26296/26297/TT310403]
  When Deep Security was configured to use one or more proxies to
  download security updates, each Deep Security Relay would attempt to
  establish contact with each of the sources before downloading,
  instead of just one.

Solution 7:
  This release will let the IAU module try only one source before
  downloading. If it fails, it will then try the next source.

8.3 Deep Security Agent 9.5.3.4017
=====================================================================

8.3.1 Enhancements
=====================================================================
This release adds the following enhancement:

Enhancement 1: [26104]
  Self-protection is enhanced to provide more protection of the Deep
  Security Agent service.

Enhancement 2: [29018/29234/29019/29311/29312]
  The Deep Security Network Engine has been enhanced to handle Maximum
  TCP/UDP connections. This drastically reduced the Out of Connection
  issues found in heavy load environments. The connection cleanup
  methodology has been improved to handle idle connections and new
  connection requests. Event Aggregation is now performed for same
  events appearing in the Deep Security Manager console to avoid event
  flooding and filling up the database space. The same events are now
  aggregated in multiples of hundreds, under Repeat Counter columns.

Enhancement 3:
  This Release contains improvements in TCP/IP connection handling to
  eliminate the potential under certain conditions for evasion of
  IDS/IPS (Intrusion Prevention) functionality. These improvements do
  not affect Firewall functionality.

8.3.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [26325]
  When AMSP scanned a file on a network shared folder, it sometimes did
  not scan it immediately, and put the file into the defer scan queue
  to scan later.

Solution 1:
  This release handles this situation correctly and the scan is
  performed right away.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 2: [26657/TT313695]
  A bug in tbimdsa.sys caused the operating system to stop unexpectedly
  and an error message to appear on a blue screen when the driver
  received a Large Segment Offset (LSO) packet exceeding 64K.

Solution 2:
  The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 3: [26660/TT313615]
  When the Deep Security Agent (along with Notifier) was installed on a
  Windows computer, the Deep Security 9.5 Agent was registering in MS
  WMI (Security Center or Action Center) as a Firewall or AntiVirus
  Product, even if there was no Anti-Malware or Firewall/DPI feature
  enabled on the machine. In particular, the Anti-Malware feature
  caused an issue with Command Center, where it was shown as not
  up-to-date.

Solution 3:
  When the Notifier starts, it will check whether these features have
  been installed previously. If no plug-in has ever been installed on
  the machine, there will be no information in Windows Security Center.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 4: [26690/TT310902]
  a) On a computer served by multiple Deep Security Manager nodes, when
     the dsa_query utility was used with a command value of
     "GetAgentStatus" (for example, dsa_query.cmd -c "GetAgentStatus"),
     the response showed only one Deep Security Manager URL.
  b) When the dsa_query utility was used with a command value of
     "GetAgentStatus", the "lastManagerToAgentSession" timestamp was
     always the time that the command was run instead of the time of
     the last "Manager to Agent" Session.

Solution 4:
  a) The dsa_query command was modified to show all Deep Security
     Manager URLs in this case.
  b) The dsa_query command handler in the Deep Security Agent was
     modified to correctly track the time of the last "Manager to
     Agent" session.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 5: [26832/TT313894]
  When the Deep Security Network Filter Driver received too many
  outgoing packets in the network buffer, the operating system would
  sometimes stop unexpectedly, with an error message displayed on a
  blue screen.

Solution 5:
  The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 6: [27215/TT315796]
  When the Deep Security Network Filter Driver tried to clean timed-out
  IP fragments, the operating system would sometimes stop unexpectedly,
  with an error message displayed on a blue screen.

Solution 6:
  The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 7: [27279/TT311094]
  In some configurations, with Deep Security Realtime Anti-Malware
  checking enabled on a Deep Security Agent, file save operations to a
  remote shared file system could fail.

Solution 7:
  The configuration for Deep Security Anti-Malware checking has been
  modified.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 8: [27835]
  The Deep Security Relay's nginx server allowed SSLv3 connections.

Solution 8:
  This release disables SSLv3 connections to the Relay's nginx server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 9: [27959/TT318451]
  In cases where a remote file server was used for storing Microsoft
  Office temporary files and the remote file server was running the
  Deep Security Agent with Real-time Scanning enabled, saving of
  Microsoft Office files could fail.

Solution 9:
  The Deep Security Agent Real-time Scanning function has been updated
  to correctly handle Microsoft Office temporary files.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 10: [27988]
  The Real-time Anti-Malware scan module coreshellservice used high CPU
  in certain situations.

Solution 10:
  One of the Anti-Malware Service Platform dll files caused this issue.
  The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 11: [28074/TT319547]
  Deep Security Agent 9.5 could not connect to the Deep Security
  Manager via proxy when the Agent was upgraded from version 9.0 and
  proxy setting was set in Deep Security Agent 9.0. This issue was due
  to the different proxy URL format used by Deep Security Agent 9.5 and
  Deep Security Agent 9.0.

Solution 11:
  This release improves the detection of the proxy URL format so that
  the correct proxy IP can be picked up.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 12: [28180/320166]
  On an Azure instance, the Deep Security Agent service would keep
  restarting when the Cluster service was enabled.

Solution 12:
  The Deep Security Agent should work normally with this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Issue 13: [28198]
  Sometimes, when trying to shut down a computer, the Trend Micro NDIS
  Filter Driver would cause the operating system to stop unexpectedly,
  with an error message displayed on a blue screen.

Solution 13:
  The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 14: [28414/TT320380]
In versions 9.5 or 9.5 Service Pack 1 of the Deep Security Agent, users could not add an SSL configuration when the Microsoft(TM) CryptoAPI credentials were selected.
Solution 14: This release updates the Deep Security Agent 9.5 program to ensure that users can add an SSL configuration when CryptoAPI credentials are selected.
Note: The "Add SSL configuration" function works only when applying a Firewall or IPS rule.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 15: [28739]
A bug in the driver tbimdsa.sys caused it to access an invalid address, resulting in a Deep Security Agent crash.
Solution 15: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 16: [28779/TT314867]
On a single-core machine, Deep Security Agent 9.5 would sometimes greatly increase the CPU usage in a very short time.
Solution 16: The notification service script that caches the queried data result has been improved. Customers who have experienced this behavior can also change the internet test interval to the maximum value of 5 minutes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 17: [28865]
An "Agent Configuration Package Too Large" warning was observed after installing a new Deep Security Agent on Windows and Linux, and Deep Security Virtual Appliance.
Solution 17: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 18: [28959]
Microsoft Windows 10 display support was not displayed on the Deep Security Manager console.
Solution 18: This release adds display support for Microsoft Windows 10 on Deep Security Manager, on the "Computers" tab.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 19: [29053]
Real-Time Scanning sometimes was not enabled when the Anti-Malware Configuration ID was higher than 255.
Solution 19: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 20: [29133/TT323803]
When using the SSL configuration wizard in Deep Security Manager, if a user uploaded an SSL private key that required a password but did not specify the password, the negotiation between the Deep Security Manager and the Deep Security Agent took a long time to finish and caused high CPU usage.
Solution 20: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 21: [29177]
A Microsoft Windows 2012 machine using Remote Access Services enabled a NIC on the machine that did not have a MAC address associated with it. This address was passed to the Deep Security Manager at the time of activation, causing a "Get Interface Failed" error on the Deep Security Manager console.
Solution 21: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 22: [29250]
A computer's operating system could stop unexpectedly, with an error message displayed on a blue screen. This issue was caused by the Deep Security Network Driver when the system was out of memory.
Solution 22: Code has been modified to handle these extreme situations and no crash will happen.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 23: [29308]
The AMSP service on Windows Deep Security Agent would crash and not start again until it was manually removed and reinstalled.
Solution 23: A new AMSP fix has been incorporated into Deep Security Agent for Windows to avoid such situations in future.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 23: [29334/TT325270]
OpenSSL 0.9.8.zf
Solution 23: OpenSSL 0.9.8.zg release has been adopted in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 24: [29454]
For any incoming TCP packet without a connection, if a FIN packet was sent from an endpoint, the packet was dropped as expected, but the event was not logged into Deep Security Manager.
Solution 24: The issue is fixed in this release.

8.4 Deep Security Agent 9.5.3.4518
=====================================================================
8.4.1 Enhancements
=====================================================================
Enhancement 1: [TT329308/30151]
The Deep Security Agent uses the Anti-Malware Solutions Platform (AMSP) module for providing Anti-Malware protection for Microsoft Windows platforms. This patch release enhances the AMSP ability to detect and remove malware copied from any shared network folders or files to a local system.
Enhancement 2: [30152]
The Anti-Malware Solutions Platform, which is used for malware scanning and cleaning tasks on Windows systems, has been upgraded to the latest Damage Cleanup Engine (DCE) version 7.5.

8.4.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:
Issue 1: [TT327357/TT328517/29952]
When connection track information was collected from the DSA filter driver for diagnostics, an error message sometimes displayed on a blue screen.
Solution 1: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [29950]
During the handling of connection metadata structure, the Deep Security Filter Driver caused a purple error code screen on the ESXi server.
Solution 2: This issue has been fixed in the current release.
Note: This change is also implemented in the Windows NDIS filter driver due to common code.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.5 Deep Security Agent 9.5.3.5500
=====================================================================
8.5.1 Enhancements
=====================================================================
This release does not add any enhancement.

8.5.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:
Issue 1: [TT326909/30236]
In certain situations, the Deep Security Agent's Anti-Malware module could cause a decrease in system performance due to a defect in scan cache handling.
Solution 1: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [TT326991/30233]
In certain circumstances, when a remote session logged off, the DS_Agent service would be stopped because it received a shutdown event.
Solution 2: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [TT331286/30249]
When the number of TCP connections in a network exceeded the maximum number, a race condition occurred and triggered the Deep Security Agent computer to restart unexpectedly.
Solution 3: This hot fix helps to prevent the race condition so the Deep Security Agent can run normally under this scenario.

8.6 Deep Security Agent 9.5.3-7523
========================================================================
8.6.1 Enhancements
=====================================================================
The following enhancements are included in this release:
Enhancement 1: [DSSEG-365]
By default, Anti-Malware scans do not scan sparse files. However, you may want to scan sparse files in some cases. To address this need, a configurable setting has been added to enable or disable the scanning of sparse files. To use this setting, use this release of Deep Security Manager and Deep Security Agent.
After installing/upgrading the Deep Security Manager and Deep Security Agent, run the following at the command prompt on the computer where Deep Security Manager is installed:

    C:\Program Files\Trend Micro\Deep Security Manager>dsm_c.exe -action changesetting -name "settings.configuration.enableSparseFileAmspScan" -value true

Note 1: This is a global setting that affects all Windows Deep Security Agents running this version or later.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Patch 3, which made the Deep Security Manager capable of configuring the TLS version in the configuration.properties file, had an issue where the Deep Security Relay failed to download software packages from the Deep Security Manager when it was configured to use TLSv1.2 only.
Solution 2: This issue has been fixed.
Note: When Deep Security Manager is forced to use TLS 1.2 only, communication between the Deep Security Manager and NSX will be broken because when NSX connects back to the Deep Security Manager over port 4119, it can only use TLS 1.0. This is a current NSX Manager limitation. Similarly, in a non-NSX environment, where Deep Security Filter Driver is deployed, a minimum version of ESXi 5.5 is required to make TLS 1.2 work properly.
Limitation: Windows PowerShell deployment scripts generated by the Deep Security Manager fail during execution. This happens during an attempt to download the Agent installer from the Deep Security Manager. This is not the case with Linux platforms.
Workaround: To make deployment scripts work, you must add the following line in the script manually:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;

Requirement: To make these deployment scripts work, Windows platforms must run PowerShell version 4.0 or later. Windows 8 or later is equipped with PowerShell 4.0. You can upgrade Windows 7 and Windows 2008 R2 from PowerShell 2.0 to 4.0.
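
An added example, not part of Trend Micro's readme or its generated scripts: a guard for the top of a deployment script that checks the PowerShell and Windows requirements stated in this note before applying the workaround line, so an unsupported host fails with a clear message instead of a failed download. The function name Set-DeploymentTls12 is hypothetical, and Windows PowerShell is assumed.

```powershell
# Added example (not Trend Micro's code): prerequisite checks plus the
# readme's TLS 1.2 workaround, for the top of a generated deployment script.
# Assumption: the function name Set-DeploymentTls12 is hypothetical.
function Set-DeploymentTls12 {
    [CmdletBinding()]
    param()

    # Readme requirement: PowerShell version 4.0 or later.
    $psVersion = $PSVersionTable.PSVersion
    if ($psVersion.Major -lt 4) {
        throw "PowerShell $psVersion detected; version 4.0 or later is required."
    }

    # Readme requirement: platforms earlier than Windows 7 (NT 6.1)
    # are not supported for TLS 1.2 deployment scripts.
    $osVersion = [Environment]::OSVersion.Version
    if ($osVersion -lt [Version]'6.1') {
        throw "Windows version $osVersion detected; Windows 7 or later is required."
    }

    # The workaround line from the readme: .NET web requests made later in
    # this session negotiate TLS 1.2 only.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Confirm the setting took effect before the script attempts the
    # Agent installer download from the Deep Security Manager.
    $active = [Net.ServicePointManager]::SecurityProtocol
    if ($active -ne [Net.SecurityProtocolType]::Tls12) {
        throw "SecurityProtocol is '$active'; expected Tls12."
    }
    return $active
}

# Run the guard once; the rest of the deployment script follows.
Set-DeploymentTls12 | Out-Null
```
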
Using the TLS 1.2 option and using deployment scripts with PowerShell is not supported on Windows platforms earlier than Windows 7.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.6.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:
Issue 1: [DSSEG-753]
On a 'Large Send Offload' (LSO) network, a number of firewall events with a reason of "Invalid IP Datagram Length" sometimes occurred. This happened because the firewall driver incorrectly calculated the IP datagram length in an LSO environment.
Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-750]
When there were many application types assigned to monitor the same port, there was a chance that some of those connections were not monitored due to an internal defect.
Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-738]
The DSRU16-032 rule introduced a new rule to monitor HTTP traffic. When the rule was applied and multiple rules monitored HTTP traffic, one particular rule order could mistakenly trigger the 'duplicate content len' event.
Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-580]
The Deep Security NDIS driver (tbimdsa.sys) would drop Wireshark loopback packets, resulting in broken network connections and invalid flags in the Firewall events.
Solution 4: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [DSSEG-533]
The Intrusion Prevention engine could cause a system error or kernel panic under certain rule combinations and traffic patterns.
Solution 5: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [DSSEG-455]
OpenSSL minor version upgrade to patch low impact vulnerabilities like: CVE-2016-6305, CVE-2016-2182 and CVE-2016-6304.
Solution 6: OpenSSL 1.0.2h is now upgraded to 1.0.2j.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: [DSSEG-247]
A Windows error message displayed on a blue screen would sometimes happen when the Deep Security Filter Driver (tbimdsa) received IP fragments out of order.
Solution 7: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 8: [DSSEG-221]
In certain situations, if an Intrusion Prevention event was already sent to the Deep Security Manager, then restarting the Deep Security Agent service would send the event again, causing duplicate events to appear in the Deep Security Manager console, on the Intrusion Prevention events tab.
Solution 8: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 9: [DSSEG-211]
There is a known issue when remotely upgrading (from the Deep Security Manager console) Deep Security Agents on Windows Vista and Windows 2008 platforms, due to Microsoft's CRT (C Run-time Library) being removed and then failing to be reinstalled. This is a "Side-by-Side" issue caused by the Microsoft MSI bug.
Solution 9: Microsoft Security Patch SP1 Redistributable Package has been implemented in the Deep Security Agent package and resolves this known issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 10: [DSSEG-206]
A Linux server crashed in dsa_filter when UDP packets with the same IP addresses and ports reached different network interfaces at the same time.
Solution 10: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.7 Deep Security Agent 9.5.3-7568
========================================================================
8.7.1 Resolved Known Issues
=====================================================================
This release resolves the following issues:
Issue 1: [DSSEG-907/SEG-3551]
The Deep Security Agent created temporary files in the temp directory but these files were not removed after use, which resulted in disk space filling up.
Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-776/SEG-2048/TT-338431]
The NIC teaming features used in Windows 2012 R2 led to duplicate or triplicate packets. If the NIC teaming sets NIC to promiscuous mode and the related port in the switch is set to trunk mode, the NICs will receive duplicate packets. A stop error on a blue screen happened due to a race condition in the Deep Security filter driver when these duplicate or triplicate packets were handled in separate threads and one of the threads was touching functions that had not been initialized by other threads.
Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-710]
When the Deep Security Agent generated Web Threat Protection (WTP) syslog messages, it did not follow the syslog format. When the syslog is set to "direct forward" from the agent, the log message should be Common Event Format (CEF).
Solution 3: This issue is fixed in this release. The WRS Syslog format is now CEF.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-460]
When the Intrusion Prevention rule "1000128 - HTTP Protocol Decoding" is enabled and "Specify raw characters that are not allowed in the URI:" is used, when the Deep Security Agent detects an illegal character, the Deep Security Manager will show the illegal character in an Intrusion Prevention event.
However, the Deep Security Agent sometimes did not report the correct location of the illegal character, so it was not displayed correctly in the Deep Security Manager.
Solution 4: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.7.2 Enhancements
=====================================================================
There are no enhancements in this release.

8.8 Deep Security Agent 9.5.3-7707
========================================================================
8.8.1 Enhancements
=====================================================================
There are no enhancements in this release.

8.8.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:
Issue 1: [DSSEG-933]
When a user had privileges to add specific keys to the Windows registry, the user was able to inject code to control the Deep Security Agent.
Solution 1: This release enhances agent self-protection to prevent specific keys from being injected.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.9 Deep Security Agent 9.5.3-7747
========================================================================
8.9.1 Enhancements
=====================================================================
There are no enhancements in this release.

8.9.2 Resolved Known Issues
=====================================================================
This release resolves the following issue:
Issue 1: [DSSEG-1332/SEG-9556/SF00483291]
The Deep Security Agent sometimes failed to complete an SSL handshake when the agent was using a proxy to connect to Deep Security Manager.
Solution 1: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.10 Deep Security Agent 9.5.3-7814
========================================================================
8.10.1 Enhancements
=====================================================================
The following enhancements are included in this release:
Enhancement 1: [DSSEG-1630]
The Trend Micro Solution Platform used in the Deep Security Agent has been updated to version 2.6.1156.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.10.2 Resolved Known Issues
=====================================================================
There are no issues fixed in this release.

9. Files Included in This Release
========================================================================
This release is a complete installation. Use one of the following files:

    Agent-Windows-9.5.3-7845.x86_64.zip (64-bit)
    Agent-Windows-9.5.3-7845.i386.zip (32-bit)
    Notifier-Windows-9.5.3-7845.i386.msi (32-bit - can be installed on 64-bit)

10. Contact Information
========================================================================
A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

11. About Trend Micro
========================================================================
Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.

Copyright 2017, Trend Micro Incorporated. All rights reserved.
Trend Micro, Deep Security, "deep security solutions", and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

12. License Agreement
========================================================================
View information about your license agreement with Trend Micro at:
www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed:
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide

13. Third-Party Software
========================================================================
Deep Security employs the use of 3rd party binary distributions. The binary distributions are subject to the licenses available in the following directory:

    [Install Directory]/licenses

Where 3rd party licenses require open access to their source code, Trend Micro will provide the necessary materials upon written request.
========================================================================
(C) 2018 Trend Micro Inc. All rights reserved. Published in Canada.