Trend Micro Incorporated                                    July 3, 2018
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Readme for Trend Micro (TM) Deep Security Virtual Appliance 10.0

Platforms: ESXi 6.7, 6.5, 6.0, 5.5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This Readme file was current as of the date above. However,
all customers are advised to check Trend Micro's website for
documentation updates.

GM release documentation:
https://help.deepsecurity.trendmicro.com/10/0/Welcome.html

Patch/SP release documentation:
https://help.deepsecurity.trendmicro.com/software.html

TIP: Register online with Trend Micro within 30 days of installation
to continue downloading new pattern files and product updates from the
Trend Micro website. Register during installation or online at:
https://clp.trendmicro.com/FullRegistration?T=TM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deep Security Virtual Appliance platforms

For information on platforms supported by Deep Security Virtual
Appliance and the features available for each platform, refer to the
Deep Security Help Center. The supported platforms and features depend
on the version of the Deep Security Agent that the appliance is using.

If the agent version is 10.0, see:
https://help.deepsecurity.trendmicro.com/10/0/supported-features-by-platform.html#Agent-less

If the agent version is 11.0, see:
https://help.deepsecurity.trendmicro.com/11_0/on-premise/supported-features-by-platform.html#Agent-less

Date: July 3, 2018
Release: 10.0
Build Version: 10.0.0-2888
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the license agreement
and copied to the install directory.

For more information about the Trend Micro suite of Deep Security
products, visit our website at:
https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html

Download the latest version of this readme from the Deep Security Help
Center, Software page:
https://help.deepsecurity.trendmicro.com/software.html

Trend Micro is always seeking to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
documents, please contact us at docs@trendmicro.com. Your feedback is
always welcome.

Contents
===================================================================
   1. About Deep Security 10.0
      1.1 Overview of This Release
      1.2 Upgrade Notice
   2. What's New
      2.1 Enhancements
      2.2 Resolved Known Issues
   3. Documentation Set
   4. System Requirements
   5. Installation
   6. Known Incompatibilities
   7. Known Issues in Deep Security Virtual Appliance 10.0
      7.1 Known Issues from Deep Security Virtual Appliance 9.5
   8. Release History
   9. Files Included in This Release
   10. Contact Information
   11. About Trend Micro
   12. License Agreement
   13. Third Party Software
===================================================================


1. About Deep Security 10.0
========================================================================

   1.1 Overview of This Release
   =====================================================================
   This update to the Deep Security Virtual Appliance protects against
   new vulnerabilities in the operating system of the appliance's
   virtual machine.

   This release of Deep Security Virtual Appliance is supported with
   Deep Security Manager 10.0 Update 12 or higher. It is not supported
   with Deep Security Manager 10.1.

   Deep Security Virtual Appliance 10.0 replaces Deep Security Virtual
   Appliance 9.5, which is reaching end of life soon. (For details
   about product end of life, see
   https://success.trendmicro.com/solution/1105726.)

   1.2 Upgrade Notice
   =====================================================================
   - Deep Security Virtual Appliance 10.0 requires RHEL7x64 Deep
     Security Agent packages for upgrade. For information about changes
     included in the agent, refer to the Deep Security Agent (Linux)
     readme file.

   - You must upgrade a vShield Manager environment to NSX before
     deploying Deep Security Virtual Appliance 10.0.

   - Deep Security Manager 10.0 does not support Deep Security Virtual
     Appliance 9.0 or any older version.

   - Deep Security Virtual Appliance 9.5 cannot be upgraded to version
     10.0 directly. You must first uninstall the old appliance, import
     the 10.0 appliance, and then deploy the appliance.

   - For more information about updating the Deep Security Virtual
     Appliance, see this Help Center article:
     https://help.deepsecurity.trendmicro.com/10/0/Manage-Components/Software-Updates/update-software.html#updateappliance


2. What's New
========================================================================

   2.1 Enhancements
   =====================================================================
   Deep Security Virtual Appliance 10.0 includes these enhancements
   since version 9.5:

   Enhancement 1: The base OS has been updated to CentOS7.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Enhancement 2: The new Deep Security Virtual Appliance OVF has two
                  network interfaces. vmxnet3 has been removed.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Enhancement 3: The hard disk requirement for the appliance is now
                  40 GB, which reserves space for a future appliance
                  upgrade.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Enhancement 4: You must use the RHEL_7 DSA package to upgrade the
                  agent within the appliance.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Enhancement 5: The components in the appliance have been updated.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Enhancement 6: The appliance package is now signed.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   2.2 Resolved Known Issues
   =====================================================================
   This release resolves the following issues that were identified in
   previous releases of Deep Security Virtual Appliance:

   Issue 1:    [DS-7487]
               During vMotion, Deep Security Manager would display
               "Firewall Engine Offline" and "Intrusion Prevention
               Engine Offline" events, but there would not be a
               corresponding event when the vMotion was completed and
               the engine was back online.

   Solution 1: This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 2:    [DS-14585/SEG-9572]
               The Deep Security Virtual Appliance would hang at boot
               time when it was not able to get an IP address.

   Solution 2: This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 3:    [DS-14873]
               The Deep Security Manager upgrade removed cached
               appliance files and caused Deep Security Virtual
               Appliance deployment failure.

   Solution 3: This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 4:    [DS-11591/SEG-381]
               When the appliance was deployed from NSX to an ESX
               environment using DHCP, each appliance would request two
               IPs from the DHCP server. This caused exhaustion of the
               DHCP server IP pool.

   Solution 4: This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 5:    [18091]
               TLS versions 1.1 and 1.2 were not supported in the SSL
               Inspection of the Intrusion Prevention feature.

   Solution 5: This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 6:    [22681]
               When preparing ESXi 5.5 to deploy the filter driver, the
               error "Failed to download VIB" might appear. This
               happened when the Deep Security Manager had Deep
               Security Agent installed and intrusion prevention was
               enabled. TLS version 1.2 was being used and it was not
               supported in the SSL Inspection of the intrusion
               prevention feature.

               As a workaround in previous releases, Trend Micro
               recommended disabling intrusion prevention on the agent
               installed on the Deep Security Manager or creating a
               bypass rule between the Deep Security Manager and the
               ESXi host.

   Solution 6: This issue is fixed in this release and the workaround
               is no longer required.

               Note: The "preparing" step was only required with a
               vShield Manager environment, which is not supported with
               Deep Security 10.0. Deep Security 10.0 only supports
               NSX.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 7:    [DS-23142/SEG-25928]
               Malware scans that use exclusions would not run in a
               Deep Security agentless environment when using VMware
               Tools 10.x.

   Solution 7: This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


3. Documentation Set
========================================================================

In addition to this readme.txt, the documentation set for this product
includes the following:

- The Deep Security Help Center is available at:
  https://help.deepsecurity.trendmicro.com/10/0/Welcome.html
  and includes:

  -- product overview, deployment plan, installation steps and basic
     information intended to help you smoothly deploy Deep Security.

  -- post-installation instructions on how to configure the settings
     to help you get Deep Security "up and running". Also includes
     instructions on performing other administrative tasks for the
     day-to-day maintenance of Deep Security.

- You can easily search the Help Center content or get
  context-sensitive help from your Deep Security Manager.

- The Knowledge Base is a searchable database of known issues,
  including specific problem-solving and troubleshooting topics.
  http://esupport.trendmicro.com


4. System Requirements
========================================================================

For a complete list of the system requirements, please refer to the
Deep Security Help Center:
https://help.deepsecurity.trendmicro.com/10/0/Get-Started/Install/system-requirements.html


5. Installation
========================================================================

- Refer to the "Get Started" section of the Deep Security Help Center:
  https://help.deepsecurity.trendmicro.com/10/0/upgrade-deep-security.html

- When a Deep Security Virtual Appliance is deployed in a VMware
  environment that makes use of the VMware Distributed Resource
  Scheduler (DRS), it is important that Deep Security Virtual Appliance
  does not get vMotioned. Deep Security Virtual Appliance must be
  "pinned" to its particular ESXi host. You must actively change the
  DRS settings for all Deep Security Virtual Appliances to "Manual" or
  "Disabled" (recommended) so that these will not be vMotioned by the
  DRS.

  If a Deep Security Virtual Appliance (or any virtual machine) is set
  to "Disabled", the vCenter Server does not migrate that virtual
  machine or provide migration recommendations for it. This is known as
  "pinning" the virtual machine to its registered host and is the
  recommended course of action for Deep Security Virtual Appliances in
  a DRS environment.

  An alternative is to deploy Deep Security Virtual Appliance onto a
  local store as opposed to a shared store. When Deep Security Virtual
  Appliance is deployed onto a local store it cannot be vMotioned by
  DRS.

  For further information on DRS and pinning virtual machines to a
  specific ESXi, please consult your VMware documentation.


6. Known Incompatibilities
========================================================================

There are no known incompatibilities for this release.


7. Known Issues in Deep Security Virtual Appliance 10.0
========================================================================

- The Deep Security Manager 10.0 installer blocks upgrades from Deep
  Security 9.5, including 9.5 versions of the Deep Security Manager,
  Deep Security Agent, Relay, and Deep Security Virtual Appliance. You
  can upgrade from Deep Security 9.5 to 9.6 and then to 10.0.
  (DS-14515)

- When using a Deep Security Virtual Appliance deployed in an NSX
  environment, after you turn on a protection module and apply a rule
  to a protected VM, switching between protection module tabs in Deep
  Security Manager may display the status "Not Activated" for a brief
  time before displaying the correct state (for example, "On, 1
  rule"). (DS-12380)

- You must import software patch packages (in the form of .dsp files)
  before deploying the Deep Security Virtual Appliance or upgrading it
  to a newer version. If you see "Event 710 (.dsp xxx patch package is
  not found)" in the Deep Security Manager system events, it indicates
  that the patch package for the appliance has not been imported yet.
  To resolve this event, upgrade the version of the agent used by the
  appliance to version 10.0 and then follow the instructions in this
  article to patch the appliance:
  https://help.deepsecurity.trendmicro.com/10/0/Manage-Components/Software-Updates/update-software.html
  (DS-16981)

- Due to a known issue with the VMware EPSec API, an advanced threat
  detection (machine learning) query will be initiated again when
  deleting files and moving them to the recycle bin. This makes the
  deleting process slower. This only happens for soft-deletes (moving
  the files to the recycle bin). If a user chooses to delete the files
  from hard disk directly (hard-delete), the issue will not happen.
  (DS-14032)

   7.1 Known Issues from Deep Security Virtual Appliance 9.5
   =====================================================================

   - In an NSX environment, the Deep Security Virtual Appliance should
     be uninstalled prior to moving the ESXi host to a different
     cluster. NSX 6.2 and later will uninstall the appliance
     automatically when moving a host from cluster A to cluster B.
     [23192/23193]

   - Anti-Malware, Web Reputation, Integrity Monitoring, and Log
     Inspection should not be enabled on the policy that is assigned
     to the Deep Security Virtual Appliance itself. These features are
     not supported when applied to the Deep Security Virtual Appliance
     and may produce error events. [21250]

   - The NSX (network visualization components on vSphere hosts),
     VMware endpoint and Trend Micro Deep Security service cannot
     install and deploy successfully when a new host is added to the
     same cluster. As a workaround, join the new host to the dvSwitch
     before adding it to the cluster. [22211]

   - After Deep Security Virtual Appliance deployment, creating Trend
     Micro Service in VMware vSphere may produce the error "Cannot
     complete the operation". This happens when Deep Security Virtual
     Appliance has just started and some services are not yet running.
     As a workaround, try the operation again at a later time.

   - VMware NSX may not automatically apply the VMware NSX Security
     Policy to new VMs, cloned VMs or VMs that are moved to a protected
     port group. If you notice that the Deep Security Virtual Appliance
     is not providing protection under these conditions, go into the
     vSphere Web Client, edit Service Composer -> Security Group ->
     Trend VM Security Group, make no changes, and simply click Finish.
     This will trigger NSX to reapply the VMware NSX Security Policy to
     the proper VMs. [24039]

   - In an NSX environment, assigning an IPv6 address to the Deep
     Security Virtual Appliance using an IPv6 pool is not supported.
     [DS-16898, 21695]

   - In an NSX environment, Layer 2 packets are not passed to the Deep
     Security Virtual Appliance and are therefore bypassed (e.g. ARP).
     [23471]

   - It can take up to 30 minutes before the appliance is ready for
     deployment through NSX Manager after importing the Deep Security
     Virtual Appliance package to the DSM. Deploying the appliance
     before the package is in place at \temp would result in failure.
     [23150]

   - In an NSX environment, when deploying the Deep Security Virtual
     Appliance, the error "Unable to access agent OVF package file at
     https:/appliance/NSX/system.vmdk" may sometimes appear, indicating
     that the user cancelled the task. Retry the installation when this
     happens. [23305]

   - When using Firewall and IPS Rule Schedules, the rule will take
     effect in the DSVA's timezone, which is configured as UTC in 9.5.
     [23660]

   - In an NSX environment, when several agentless protected guest
     virtual machines are vMotioned simultaneously, some VMs will be
     reactivated after vMotion. [23500]

   - NSX Manager shows the "Trend Micro Deep Security" installation
     status as failed on an existing cluster when the deployment URL
     has been changed. When this happens, do not click the "Resolve"
     button because it will try to upgrade the existing master
     appliance, which will result in the appliance being redeployed. As
     a result, the VMs that are activated will no longer be activated.
     The recommendation is to host the appliance dsva.ovf on an
     external web server, and not to change the URL of the appliance
     after it has been deployed. [23994]

   - If Deep Security Virtual Appliance does not have enough disk space
     for an upgrade, it does not clear up disk space or warn users
     before running the upgrade. As a result, the upgrade fails and
     triggers error messages from vCenter and Deep Security Manager.

   - In some cases, if you deploy Deep Security Virtual Appliance and
     you select to use a static IP address, the default DNS domain will
     be set incorrectly. To resolve this, log on to the Deep Security
     Virtual Appliance console command line and run
     "vi /etc/resolv.conf". Ensure the values for search and nameserver
     are correct for your environment.
     [Deep Security 8.0 Tier 2-00184]

   - SYN Flood protection is only supported on Windows Agent versions
     7.5 or older and on Virtual Appliance versions 7.5 or older. It is
     not supported on Windows Agent versions 7.5 Service Pack 1 or
     higher or on Virtual Appliance versions 7.5 Service Pack 1 or
     higher. It is not supported on any version of the Linux or Solaris
     Agents.

   - On some Windows platforms, when downloading malware using
     Microsoft Internet Explorer(TM), the download process window
     closes upon detection. The file will still be detected and cleaned
     even though no error or warning was given. [00619]

   - The quarantine action may fail if the maximum quarantine size is
     set too high. The default size is 32 MB. It is recommended not to
     set the limit higher than 200 MB.

   - If your ESXi or Deep Security Virtual Appliance are in a different
     domain than your Deep Security Manager, they may have problems
     connecting to Deep Security Manager. Renaming your Deep Security
     Manager to use the fully qualified name fixes this, for example,
     "manager.hq.local". For information on how to rename your Deep
     Security Manager hostname, refer to the documentation.

   - For any images you have on your ESXi machine, ensure you have the
     latest VMware Tools installed.

   - Deep Security Virtual Appliance cannot perform Log Inspection,
     which means users cannot assign Log Inspection Rules to machines
     without an in-guest Deep Security Agent.


8. Release History
========================================================================

Deep Security Virtual Appliance 10.0.0-2888, July 3, 2018


9. Files Included in This Release
========================================================================

This release is a complete installation.
Use one of the following files:

   Appliance-ESX-10.0.0-2888.x86_64.zip


10. Contact Information
========================================================================

A license to Trend Micro software usually includes the right to product
updates, pattern file updates, and basic technical support for one (1)
year from the date of purchase only. After the first year, you must
renew Maintenance on an annual basis at Trend Micro's then-current
Maintenance fees.

Contact Trend Micro via phone or email, or visit our website to
download evaluation copies of Trend Micro products.
https://www.trendmicro.com/en_us/contact.html

NOTE: This information is subject to change without notice.


11. About Trend Micro
========================================================================

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative
security solutions that make the world safe for businesses and
consumers to exchange digital information.

Trend Micro, Deep Security, "deep security solutions", and the t-ball
logo are trademarks of Trend Micro Incorporated and are registered in
some jurisdictions. All other marks are the trademarks or registered
trademarks of their respective companies.


12. License Agreement
========================================================================

View information about your license agreement with Trend Micro at:
https://www.trendmicro.com/en_us/about/legal.html

Third-party licensing agreements can be viewed by selecting the "About"
option in the application user interface.


13. Third Party Software
========================================================================

Deep Security employs the use of 3rd party binary distributions. The
binary distributions are subject to the licenses available in the
following directory:

   [Install Directory]\licenses

Where 3rd party licenses require open access to their source code,
Trend Micro will provide the necessary materials upon written request.

========================================================================
(C) 2018 Trend Micro Inc. All rights reserved.
Published in Canada.