Trend Micro Incorporated                                January 31, 2019
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Readme for Trend Micro (TM) Deep Security Agent 10.0 Update 17 for
Windows, and Deep Security Notifier 10.0 Update 17 for Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This Readme file was current as of the date above. However, all
customers are advised to check Trend Micro's website for documentation
updates.

GM release documentation:
https://help.deepsecurity.trendmicro.com/10/0/Welcome.html

Patch/SP release documentation:
https://help.deepsecurity.trendmicro.com/software.html

TIP: Register online with Trend Micro within 30 days of installation to
continue downloading new pattern files and product updates from the
Trend Micro website. Register during installation or online at:
https://clp.trendmicro.com/FullRegistration?T=TM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Platforms:
   Windows Server 2019 (64-bit)
   Windows Server 2016 (64-bit)
   Windows Server 2012 / 2012 R2 (64-bit) Full Server or Server Core
   Windows Server 2008 R2 (64-bit)
   Windows Server 2008 (32-bit and 64-bit)
   Windows Server 2003 SP2 / R2 SP2 (32-bit and 64-bit)
   Windows Server 2003 SP1 (32-bit and 64-bit) with patch
      "Windows Server 2003 Scalable Networking Pack"
   Windows 10 RS3 (32-bit and 64-bit)
   Windows 10 RS2 (32-bit and 64-bit)
   Windows 10 (32-bit and 64-bit)
   Windows 10 / 10 TH2 (32-bit and 64-bit)
   Windows 8.1 (32-bit and 64-bit)
   Windows 8 (32-bit and 64-bit)
   Windows 7 (32-bit and 64-bit)
   Windows XP (32-bit and 64-bit)
   Hyper-V on Windows 2016, 2012 R2, 2012, 2008 R2, 8, and 8.1(*)(**)

(*) There is no agentless solution for Windows Hyper-V. The Agent
    installed on the Hyper-V hypervisor will only protect the
    hypervisor itself. In order to protect guest images running on
    Hyper-V an Agent must be installed on each Hyper-V guest.
    See Knowledge Base article
    http://esupport.trendmicro.com/solution/en-us/1103857.aspx
    for more information.

(**) Deep Security Relay is not supported on these platforms.

Not currently supported:
   Windows Server 2008 Core, Microsoft Virtual Server 2005 R2 SP1

Deep Security Agent with Relay is supported on only 64-bit versions.

Date:          January 31, 2019
Release:       10.0 Update 17
Build Version: 10.0.0-3240
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the license agreement
and copied to the install directory.

For more information about the Trend Micro suite of Deep Security
products, visit our website at:
http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/index.html

Download the latest version of this readme from the Deep Security page
at the Trend Micro Download Center website:
https://help.deepsecurity.trendmicro.com/software.html

Trend Micro is always seeking to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
documents, please contact us at docs@trendmicro.com. Your feedback is
always welcome.

Contents
===================================================================
   1. About Deep Security 10.0 Update 17
      1.1 Overview of This Release
      1.2 Who Should Install This Release
   2. What's New
      2.1 Enhancements
      2.2 Resolved Known Issues
   3. Documentation Set
   4. System Requirements
   5. Installation
   6. Known Incompatibilities
   7. Known Issues
   8. Release History
   9. Files Included in This Release
   10. Contact Information
   11. About Trend Micro
   12. License Agreement
   13. Third-Party Software
===================================================================

1. About Deep Security 10.0 Update 17
========================================================================

   1.1 Overview of This Release
   =====================================================================
   Deep Security Agent 10.0 Update 17 contains no feature enhancements
   but includes some bug fixes.

   For a list of the major changes in Deep Security 10.0, please see
   the "What's New" section of the Deep Security Help Center.

   1.2 Who Should Install This Release
   =====================================================================
   You should install this release if you are currently running Deep
   Security 9.5 SP1, 9.6 or 9.6 SP1. All new Deep Security users should
   install Deep Security 10.0.

2. What's New
========================================================================

   2.1 Enhancements
   =====================================================================
   There are no enhancements in this release.

   2.2 Resolved Known Issues
   =====================================================================
   This release resolves the following issues:

   Issue 1:     [DSSEG-3336]
                The Network Filter Driver lacked error handling for
                some cases when memory allocation failed. This
                sometimes resulted in a system crash, especially when
                the system memory was exhausted.

   Solution 1:  This issue has been resolved in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 2:     [DSSEG-3333]
                Due to a side effect from a previous fix, the Network
                Filter Driver would pass packets through a broadband
                wireless interface.

   Solution 2:  This issue has been resolved in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 3:     [DSSEG-3245/SEG-38712/SF01358696]
                The tbimdsa engine sometimes caused a system crash.

   Solution 3:  This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 4:     [DSSEG-3216]
                When both Anti-Malware real-time scans and SAP scanner
                were enabled on a Windows computer that had SAP
                NetWeaver 7.5+ installed, a virus could be detected
                and quarantined, but the error code returned to SAP
                NetWeaver was not correct.

   Solution 4:  This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 5:     [DSSEG-3109]
                A native firewall could not be turned on/off
                automatically after the Deep Security Firewall module
                was enabled or its configuration was changed.

   Solution 5:  This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 6:     [DSSEG-3039/SEG-39670]
                An Integrity Monitoring rule could be triggered
                unintentionally when the prefix of its base directory
                path matched that of another rule. For example, if you
                had rules that monitored "c:\lab\" and "c:\lab1\", and
                added a file "c:\lab1\sample.txt", both rules would be
                triggered.

   Solution 6:  This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 7:     [DSSEG-2608/SEG-32198]
                When upgrading Deep Security Agent, the operating
                system would sometimes reboot automatically.

   Solution 7:  This issue is fixed in this release.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Issue 8:     [DSSEG-2561/SEG-30840]
                Deep Security Anti-Malware caused some third-party
                software to use a large amount of CPU resources, which
                impacted the system performance.

   Solution 8:  This issue is fixed in this release. Please note that
                the driver update requires the system to reboot if the
                target platform is higher than Windows 7.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3. Documentation Set
========================================================================

   - All Deep Security 10.0 documentation, including installation
     instructions and other content formerly delivered via PDF, is
     available from the Deep Security Help Center:
     https://help.deepsecurity.trendmicro.com/10/0/Welcome.html

   - Support Portal: The Support Portal contains information on
     troubleshooting and resolving known issues. To access the Support
     Portal, go to http://esupport.trendmicro.com

4. System Requirements
========================================================================

   For a complete list of the system requirements, please refer to the
   Deep Security Help Center:
   https://help.deepsecurity.trendmicro.com/10/0/Get-Started/Install/system-requirements.html

5. Installation
========================================================================

   Refer to the "Get Started" section of the Deep Security Help Center:
   https://help.deepsecurity.trendmicro.com/10/0/upgrade-deep-security.html

   - Only use the Agent installer package (the .msi or the .rpm file)
     on its own to install the Deep Security Agent. If you extract the
     full Agent zip package and then run the Agent installer from the
     same folder that holds the other zipped Agent components, all the
     Security Modules will be installed. That may cause a conflict with
     the Anti-Malware or Firewall driver if you use applications other
     than Deep Security to provide those functionalities.

   - Before installing this Patch, please ensure that the Deep Security
     Manager has already been upgraded to 10.0 Update 17.

   - All Deep Security Relay-Enabled Agents must first be upgraded to
     Deep Security Agent 10.0 Update 17 before upgrading other Agents.

6. Known Incompatibilities
========================================================================

   1. Resonate Load Balancer (5.0.1)
      Deep Security Agents Affected: All
      Issue: Environments in which the Resonate load balancing software
      is installed may experience a loss of Resonate functionality when
      the Deep Security Agent is installed.
      Resolution: Restart the Resonate Central Dispatch Controller
      services.

   2. Trend Micro Client Server Messaging Security for SMB
      Deep Security Agents Affected: All
      Issue: Connectivity issues have been noted when running versions
      of Trend Micro Client Server Messaging Security for SMB that are
      older than Version 3.5 Build 1113.
      Resolution: Upgrade Trend Micro Client Server Messaging Security
      for SMB to Version 3.5 Build 1138 or higher.

   3. Realtek RTL8169/8110 Family Gigabit Ethernet NIC
      Deep Security Agents Affected: All
      Issue: Issues have been noted when using Version 5.663.1212.2006
      of the Realtek Gigabit Ethernet NIC.
      Resolution: To resolve these issues, upgrade the driver to the
      latest version.

   4. Intel(R) PRO/100+ Dual Port Server Adapter
      Deep Security Agents Affected: All
      Issue: Issues have been noted when using Intel NIC cards with
      driver versions lower than 8.0.17.0.
      Resolution: To resolve the issue, upgrade the driver to version
      v8.0.19 or higher.

   5. Wireshark
      Deep Security Agents Affected: All when installed in Windows 7,
      2008 and 2008 R2.
      Issue: When Wireshark is monitoring packets, outgoing packets are
      incorrectly presented through the NdisFilterRecv path, which is
      the path for incoming packets.
      Resolution: Use Microsoft Network Monitor instead when doing
      packet capture.

7. Known Issues
========================================================================

   - On Windows 10 1803, when Firewall state is "Not configured" on
     Deep Security Notifier, Windows Defender Security Center shows
     "Firewall & network protection - Actions needed in Trend Micro
     Deep Security 10.0". This is a Windows 10 1803 issue. Upgrade to
     Windows 10 1809 to fix this issue.
     (DSSEG-4090/SEG-51927)

   - When the Anti-Malware protection module is installed by enabling
     Anti-Malware protection on a DSA for the first time on Windows
     2016, the Windows Defender service will be stopped, a reboot
     message will pop up on Windows 2016 and a reboot-required event
     will be displayed on the DSM. After this first time, changing the
     computer's policy to disable and re-enable anti-malware will not
     show the reboot-required messages. It is strongly recommended to
     reboot Windows Server 2016 if the Windows Defender service is
     stopped by the DSA Anti-Malware policy.
     (DS-10389)

   - Windows XP Embedded is not a supported DSA platform in this
     version. Customers running Windows XP Embedded should continue to
     use the latest 9.6 SP1 Agent version.
     (DS-10558)

   - For Windows OS versions Windows XP, Vista, Windows 2003 Server and
     Windows Server 2008 operating in an environment without internet
     connection, when upgrading DSA 9.x Agents with Anti-Malware policy
     assigned to DSA 10.0 or above, the Agent may successfully upgrade
     but the AMSP (anti-malware protection) version still remains at
     v2.6.x. The computer status on DSM and DSA Notifier will show AM
     offline, and the following error message is generated:
     Anti-Malware Windows Platform Update Failed.
     This is because the Trusted Root Certificate cannot be verified
     without an internet connection.

     Troubleshooting:
     1. Do not attempt to uninstall the DSA. (If you tried this and the
        AM module could not be removed, then you should re-install the
        original version of the Agent before proceeding. Hint: To find
        the version number of your previous DSA, please log in to the
        DSM and search the Computer's Events for "Update: Summary
        Information".)
     2. Reactivate the DSA from DSM, and the DSA should return to
        Managed (Online).
     3. Obtain and import the certificate "VeriSign Class 3 Public
        Primary Certification Authority - G5".
     (DS-9981)

   - While upgrading DSA 10.0 from a previous version, the Anti-Malware
     module may fail to upgrade because the certificate of dsuam.exe
     (which is processing the AMSP upgrade) cannot be verified. The
     following event would be received:
     Event ID 935 Software Update: Anti-Malware Windows Platform Update
     Failed.
     This issue impacts systems on Windows XP, Vista, 2003, 2003 R2 and
     2008, and in an environment disconnected from the internet. Other
     OSs (such as Windows 7 and Server 2008 R2 and above) do not have
     this issue. The problem is that legacy and disconnected systems
     cannot download the new root VeriSign certificate from the
     Internet. The certificate is required to perform the DSA 10.0
     (with AM) upgrade. (This is a security enhancement to ensure only
     certified applications can process AM upgrades.) Systems
     Administrators in a disconnected environment are recommended to
     ensure the availability of "VeriSign Class 3 Public Primary
     Certification Authority - G5" in "Trusted Root Certification
     Authorities".

     Workaround (if DSA not upgraded):
     1. Download verisign_g5.cer and save it to the machine to be
        upgraded, or download the G5 root certificate from
        https://www.symantec.com/theme/roots
     2. Log in as a system administrator and run:
        certutil -addstore "Root" verisign_g5.cer
     3. For systems such as XP and 2003, please use the MMC.exe
        console, add the "Certificates" snap-in, and import the
        certificate to "Trusted Root Certification Authorities".

     Troubleshooting (if DSA already upgraded to 10.0 but AM failed to
     upgrade):
     1. Re-install the old version of DSA. To find the version of the
        previous DSA, please search "Update: Summary Information" from
        "Events" of the machine from DSM.
     2. Reactivate DSA from DSM. DSA should return to Managed (Online).
     3. Import "VeriSign Class 3 Public Primary Certification
        Authority - G5".
     (DS-9020)

   - Anti-malware endpoint correlation on Windows does not generate
     hash values. When anti-malware File Hash Calculation is enabled,
     the following cases may still not generate related hash values:
     1. Multiple Spyware detections
     2. Trojan detections with multiple files cleaned
     3. Endpoint Correlation detection
     4. Windows XP SP2 doesn't natively support SHA256 and no SHA256
        value will be generated
     5. Anti-exploit may calculate the hash values of victim file
        instead of malware file
     Note: the Anti-exploit detection often is a victim file instead of
     a malware file; the hash values of the victim must be carefully
     used.
     (DS-9573)

   - Anti-Malware Memory Scan is not supported on Windows XP and 2003
     x64 platforms.
     (DS-8630)

   - With a DSA running on Windows 7, when the Network Directory Scan
     function is enabled in the Real-Time Scan configuration and a
     virus is detected while scanning a network folder, the DSA may
     show some "clean failed" (delete failed) events. This is caused by
     OS behaviour when accessing network files on Windows 7 platforms
     only.
     (DS-4783)

   - Under certain circumstances the DSA may fail to upgrade while the
     Windows Process Explorer tool is running on the DSA machine. This
     issue is isolated to the following conditions only:
     1. An Administrator is not logged in to the DSA computer
     2. UAC (User Account Control) is enabled on the DSA computer
     3. Process Explorer tool is running (and is not being run by the
        Administrator account)
     (DS-5788)

   - Customers should only run one Trend Micro Anti-Malware module on a
     protected computer. When Deep Security Agent is to be deployed,
     administrators should ensure that other Trend Micro products such
     as OfficeScan or Endpoint Sensor are uninstalled. If the DSA
     anti-malware module goes offline because another product is
     installed you will need to remove OfficeScan or Endpoint Sensor
     and reinstall the DSA.
     (DS-2846)

   - When upgrading from Deep Security Agent 9.6 SP1 Patch 1 U5 with
     Anti-Malware enabled to DSA 10.0 on Windows 8, Windows 8.1,
     Windows 10, Windows 10 TH2, Windows 10 RS1, Windows 2012, Windows
     2012 R2, or Windows 2016, a reboot will be required to complete
     the upgrade. When upgrading from other earlier versions of Deep
     Security Agent on Windows platforms, a reboot may also be
     required. A "Computer Reboot Required" event will be displayed on
     the DSM and popup notification on the host will be displayed if a
     reboot is necessary.
     (DS-3590)

   - In the Windows Control Panel "Notification Area Icons" settings,
     Deep Security Notifier will remain listed even after uninstalling
     Deep Security. This is a known issue in Windows that also affects
     other products.
     (DS-1300)

   - Full Windows administrative privileges are required to install the
     Agent to a non-default installation path.
     (DS-1191)

   - In some circumstances, the Windows DSA uninstallation process may
     hang if there are quarantined files on the system.

     Workaround Steps:
     1. Cancel this uninstallation
     2. Delete quarantined files manually. Quarantine files are stored
        at
        C:\ProgramData\Trend Micro\AMSP\quarantine
        for Vista and later versions.
        C:\Documents and Settings\All Users\Application Data\\AMSP\quarantine
        for XP.
     3. Uninstall the DSA
     (DS-874)

   - The Deep Security Notifier icon may sometimes disappear on
     Windows 10.
     (DS-1301)

   - When a virtual machine is added through vCloud connector, after
     vMotion from a protected ESXi host to an unprotected ESXi host,
     the virtual machine will not go from combined mode to Agent-only
     protection.
     (DS-558)

   - When a virtual machine is added through vCloud connector, after
     vMotion from unprotected ESXi host to a protected ESXi host, the
     virtual machine will not go from Agent-only protection to combined
     mode.
     (DS-557)

   - Full Windows administrative privileges are required to install the
     Agent to a non-default installation path.
     (DS-1191)

   - On Windows Agents, if the Anti-Malware (AMSP) service is still
     starting up when the DSM sends a new policy switching Smart Scan
     on/off, it will return the warning message: "Security Update:
     Pattern Update on Agents/Appliances Failed".
     NOTE: This warning is not an AMSP offline/failure. The
     Anti-Malware protection is still active with the warning.
     Administrators need to manually clear the warning since the DSM
     will not clear it automatically.
     (DS-4101)

7.1 Known Issues from Deep Security Agent 9.6 SP1 Patch 1 U6
========================================================================

   - In the Windows Control Panel "Notification Area Icons" settings,
     Deep Security Notifier will remain listed even after uninstalling
     Deep Security. This is a known issue in Windows that also affects
     other products.
     [DS-1300]

   - The Deep Security Notifier system tray icon may not appear after
     installation if multiple users are logged in to Windows. Logging
     off and logging back in or manually executing the notifier.exe
     will make the system tray icon appear.
     [DS-602]

   - Deep Security Agent does not support Code Integrity checking on
     Windows 10 hosts (32- or 64-bit platforms). Enabling Code
     Integrity checking on Windows 10 hosts with the Deep Security
     Agent installed may cause a Blue Screen error.
     [883/254]

   - When a virtual machine is added through vCloud connector, after
     vMotion from a protected ESXi host to an unprotected ESXi host,
     the virtual machine will not go from combined mode to Agent-only
     protection.
     [558]

   - When a virtual machine is added through vCloud connector, after
     vMotion from an unprotected ESXi host to a protected ESXi host,
     the virtual machine will not go from Agent-only protection to
     combined mode.
     [557]

   - In rare circumstances, when enabling Anti-Malware feature on Deep
     Security Agent running on Windows XP, the AMSP service
     installation may fail with the error message "AMSP error code
     (0x20ff0000)". As a workaround, reinstall the Deep Security Agent.
     [29436]

   - On Windows 32-bit platforms, there is a configuration limit of
     20MB because of the smaller kernel memory available on these
     platforms. The event "Agent configuration package too large" may
     appear if there are too many rules enabled on the Deep Security
     policy being assigned. This may be fixed by trimming down the
     Intrusion Prevention rules strictly to Recommended for Assignment
     only.
     [27162]

   - If the Integrity Monitoring feature in Combined Mode is disabled,
     the Deep Security Notifier status will display it as Not Capable
     instead of Not Configured.
     [29403]

   - Deep Security Azure Connector does not identify virtual machines
     created by Azure Resource Manager, a.k.a. ARM VM (v2). A DSA
     installed in an ARM VM will not be included in the Azure connector
     but in the normal computer list. This limitation will have no
     impact on security features provided by Deep Security.
     [29630]

   - Deep Security Agent could not convert shift-jis encoded characters
     to UTF-8. Therefore, any folders named with shift-jis encoding
     will be skipped during Integrity Monitoring scanning.
     [28879]

   - If agentless Anti-Malware real-time protection is turned off, the
     notifier will not get any status updates from the appliance. It
     will then turn off Antivirus protection in the Windows Action
     Center.
     [29230/29574]

   - When you deactivate the Deep Security Virtual Appliance or
     agentless protection, the notifier will not be able to get any
     status from the Deep Security Virtual Appliance. The notifier
     knows that anti-malware is not working so it will turn it off in
     the Windows Action Center. It does not know the status of the
     firewall so it will leave the firewall status in the Windows
     Action Center in its last known state.
     [29230/29574]

   - The Deep Security Notifier installed in the virtual machines
     should be upgraded to correctly display the status of protection,
     especially when using Combined Mode.
     [28557]

   - Deep Security does not support switching the Windows 2012 server
     mode between Server Core and Full (GUI) modes after the Deep
     Security Agent is installed.
     [28481]

   - If you are using Server Core mode in a Hyper-V environment, you
     will need to use Hyper-V Manager to remotely manage the Server
     Core computer from another computer. When the Server Core computer
     has the Deep Security Agent installed and Firewall enabled, the
     Firewall will block the remote management connection. To manage
     the Server Core computer remotely, turn off the Firewall module.
     [28481]

   - Hyper-V provides a migration function used to move a guest VM from
     one Hyper-V server to another. The Deep Security Firewall module
     will block the connection between Hyper-V servers, so you will
     need to turn off the Firewall module to use the migration
     function.
     [28481]

   - Deep Security Agent does not support scanning a mounted network
     folder (SMB) on the following Windows platforms:
        Windows 2016 Server (64-bit)
        Windows 2012 Server R2 (64-bit)
        Windows 2012 Server (64-bit)
        Windows 10 (32/64-bit)
        Windows 8.1 (32/64-bit)
        Windows 8 (32/64-bit)
     [22016]

   - Deep Security Notifier when using agentless protection in NSX
     environment will not work if only WRS feature is turned on.
     Agentless anti-malware must be enabled for Deep Security Notifier
     to work.
     [22210]

   - The Relay feature uses TCP port 4122. When enabling the relay
     feature, make sure TCP port 4122 is allowed in any firewall being
     used.
     [22749]

   - Relay feature is not supported on Windows XP.
     [17729]

   - The Deep Security Agent anti-malware files and folder might not
     get removed on upgraded agents when uninstall is performed. This
     only happens when anti-malware feature is enabled then disabled
     before upgrading and the anti-malware feature was never enabled
     before uninstalling. When this happens, follow manual uninstall
     procedures in
     http://esupport.trendmicro.com/solution/en-US/1096150.aspx
     to completely uninstall.
     [21716]

   - Some Anti-Malware events are not generated when using the Windows
     built-in decompress tool on Windows Vista and later versions. This
     issue will not happen when using a 3rd party decompress tool.
     [23055]

   - Windows Add/Remove Programs or Programs and Features doesn't show
     the exact version of the Deep Security Agent. The Deep Security
     Agent version consists of major.minor.sp-build but Windows only
     shows it as major.minor.build.
     [21990]

   - CPU usage control in Scan for Integrity may not work after a
     reboot. Rebuild Integrity Baseline or reactivation will fix this.
     [20725/20563]

   - During anti-malware realtime scan, Deep Security Agent may
     sometimes produce multiple Delete Failed events even when the
     deletion was successful. This rarely occurs, but it happens when
     the file is temporarily locked by another process.
     [23520]

   - When upgrading Deep Security Agent on Windows 2012, an error
     message saying "Service ‘Trend Micro Deep Security
     Agent’(ds_agent) could not be installed. Verify that you have
     sufficient privileges to install system services." may appear.
     This may be fixed by running Windows Update troubleshooter in
     http://support.microsoft.com/kb/910336.
     [23728]

   - Deep Security Notifier will show the status of Intrusion
     Prevention as Not Configured if the IPS has no rules assigned even
     if it's On.
     [22938]

   - Some security components of Deep Security Agent with Relay feature
     enabled may get removed unexpectedly after an update. As a
     workaround, retry the security update.
     [24004]

   - Upgrading to Deep Security Agent 9.5 or later by running a
     deployment script on an AWS instance that already has Deep
     Security Agent 9.0 will not work. Deep Security Agent upgrade must
     be done from the Deep Security Manager.
     [25598]

   - After Deep Security Agent upgrade, the event "Abnormal Restart
     Detected" may appear. The upgrade is not affected by this event,
     which may be safely ignored. Use Clear Warnings and Errors and
     perform a Check Status to reflect the actual status of the agent.
     [26619]

   - In some cases, a laptop computer has the "Microsoft Virtual Wi-Fi
     Miniport Adapter" option enabled. Such devices, used for creating
     Wi-Fi hotspots (ad hoc networks) through the wireless adapter,
     would enable both the real device for the true wireless connection
     and the "Microsoft Virtual Wi-Fi Miniport Adapter" for the ad hoc
     connections, with the same MAC address. This triggers Deep
     Security Agent on such laptop computers to request for an
     interface update on every heartbeat.
     [17502]

   - In a cloud provider environment if the "Enable regular
     synchronization with Cloud Provider" option is disabled, changing
     the Deep Security Agent hostname will disrupt the communication
     between Deep Security Manager and Deep Security Agent. Trend Micro
     strongly recommends keeping the "Enable regular synchronization
     with Cloud Provider" option ON.
     [15608]

   - On Windows 2008 and Windows Server 2012, after installing Deep
     Security Manager with a co-located Relay, the Deep Security
     Notifier icon does not automatically show up in the Windows
     notification area. However, Deep Security Notifier will still
     work. Users need to re-launch Deep Security Notifier from the
     "Start" menu or restart the system.
     [17533]

   - The following system event log appears when you install Deep
     Security Agent on the Windows Vista, Windows 2008, or Windows 7
     platform:

     "The Trend Micro Deep Security Agent service is marked as an
     interactive service. However, the system is configured not allow
     interactive services. This service may not function properly."

     This is a normal warning on Windows Vista or higher Windows
     versions. On these platforms, Windows does not allow services to
     interact with the user's desktop, so the operating system displays
     the warning when Deep Security Agent tries to use interactive
     services. This desktop interaction feature is used by the Deep
     Security Agent to provide the restart notice on pre-Vista versions
     of Windows. The warning message can be safely ignored.
     [Deep Security 8.0 Tier 2-00253]

   - In Windows Vista and higher releases, sometimes, you will
     encounter problems while upgrading the Deep Security Agent. The
     problem is related to the timing of the VC RTL assemblies being
     published to WinSxS, but it only seems to cause trouble on Vista
     or higher and only if the version of the RTL is not changing. The
     root cause is some corrupted Windows components. To work around
     this, you can either run the Windows System File Checker (sfc.exe)
     to repair the operating system, or install the Microsoft Visual
     C++ Redistributable Package from the following URL before starting
     the upgrade procedure again.
     http://www.microsoft.com/download/en/details.aspx?id=26347
     After installing the package from Microsoft, you should restart
     the computer or else the upgrade may still fail. To recover from
     this, you can install the package, re-run the installer and
     restart the computer.
     [Deep Security 8.0-01044]

   - Intrusion Prevention (DPI) is not supported over SSL connections
     when using IPv6.

   - On Windows XP, you may encounter a "Fatal Error During
     Installation." message if you attempt to uninstall the Deep
     Security Agent through the "Add/Remove programs" page while the
     agent's "Self Protection" function is enabled. This message comes
     from Windows indicating that the uninstall did not proceed because
     self-protection is enabled. It is not a Deep Security error.
     [Deep Security 8.0-00410]

   - When running an Anti-Malware Manual Scan with Smart Scan enabled,
     if the Deep Security Agent cannot contact the Smart Scan server,
     the resulting error event will indicate a "Real-Time" scan type
     instead of "Manual".
     [Deep Security 8.0 Tier 2-00024]

   - If network connectivity is lost for an extended period of time
     during a Deep Security Agent upgrade, you may need to restart the
     host machine.

   - It is possible that NDIS drivers will stop responding during Deep
     Security Agent installation or uninstallation if they do not
     properly free packets when requested to unbind.
Deep Security Agent with NDIS 5.1 or NDIS 6.0 driver can free all packets correctly before upgrading or uninstalling. However, when installing or uninstalling NDIS drivers, Microsoft requires that all NDIS drivers be unbound and then rebound. This means that if other third-party NDIS drivers do not properly free packets, it is still possible for the Deep Security Agent install, upgrade, or uninstall process to stop responding. This is beyond Trend Micro's control and will only happen rarely. If this does occur then you can restart the computer and try to install, uninstall, or upgrade Deep Security Agent again. - Log Inspection Event logs are limited to 6000 characters. - When the network engine is working in TAP mode and the in-guest Agent is offline, the Deep Security Virtual Appliance status will display "Stand By". But, Deep Security Virtual Appliance is actually online and IP/FW events logs are still generated as rules are triggered. [10948] 8. Release History ======================================================================== - Deep Security Agent 10.0, Build 10.0.0-2094, March 6, 2017 - Deep Security Agent 10.0 Update 1, Build 10.0.0-2240, May 3, 2017 - Deep Security Agent 10.0 Update 2, Build 10.0.0-2358, July 13, 2017 - Deep Security Agent 10.0 Update 3, Build 10.0.0-2413, August 10, 2017 - Deep Security Agent 10.0 Update 4, Build 10.0.0-2470, September 11, 2017 - Deep Security Agent 10.0 Update 5, Build 10.0.0-2548, October 16, 2017 - Deep Security Agent 10.0 Update 5 Critical Patch, Build 10.0.0-2551, October 20, 2017 - Deep Security Agent 10.0 Update 6, Build 10.0.0-2613, December 12, 2017 - Deep Security Agent 10.0 Update 6 Critical Patch, Build 10.0.0-2649, January 08, 2018 - Deep Security Agent 10.0 Update 7, Build 10.0.0-2687, January 24, 2018 - Deep Security Agent 10.0 Update 8, Build 10.0.0-2736, February 28, 2018 - Deep Security Agent 10.0 Update 9, Build 10.0.0-2775, April 4, 2018 - Deep Security Agent 10.0 Update 10, Build 10.0.0-2797, 
  April 24, 2018
- Deep Security Agent 10.0 Update 11, Build 10.0.0-2856, May 22, 2018
- Deep Security Agent 10.0 Update 12, Build 10.0.0-2888, June 12, 2018
- Deep Security Agent 10.0 Update 13, Build 10.0.0-2981, August 13, 2018
- Deep Security Agent 10.0 Update 14, Build 10.0.0-3059, September 27, 2018
- Deep Security Agent 10.0 Update 15, Build 10.0.0-3107, October 30, 2018
- Deep Security Agent 10.0 Update 16, Build 10.0.0-3186, December 17, 2018
- Deep Security Agent 10.0 Update 17, Build 10.0.0-3240, January 31, 2019


8.1 Deep Security Agent 10.0.0-2240
========================================================================

8.1.1 Enhancements
=====================================================================
The following enhancement is included in this release:

Enhancement 1: [DSSEG-934]
When a user had privileges to add specific keys to the Windows registry, the user was able to inject code to control the Deep Security Agent.

Solution 1: This release enhances agent self-protection to prevent specific keys from being injected.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 2: [DSSEG-960]
This release of Deep Security Agent adds support for Windows 10 RS2.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.1.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-970]
When documents with long file path names were encrypted by ransomware, they sometimes could not be restored.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-943/SEG-4381]
After the Deep Security Agent had been running on a web server for a long time, it would interrupt HTTPS traffic.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-937/377091]
When firewall was enabled, the agent logged many 'invalid tcp timestamp' events in some circumstances.

Solution 3: The default behavior has been changed to not log those events. It can still be enabled in the Anti-Evasion settings.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-910/SEG-2762]
The Deep Security Agent would crash when the integrity monitoring module scanned a file path containing a "%" character.

Solution 4: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [DSSEG-891]
The Deep Security Agent created temporary files in the temp directory but these files were not removed after use, which resulted in inodes filling up.

Solution 5: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [DSSEG-855]
A custom Log Inspection rule would not work and produced the error: "OSSEC id does not map to DSM id".

Solution 6: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: [DSSEG-844]
Application control failed to download a ruleset when the Deep Security Agent thread was stuck downloading a ruleset from an older configuration.

Solution 7: With this release, application control will download the ruleset.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 8: [DSSEG-839]
On a 'Large Send Offload' (LSO) network, a number of firewall events with a reason of "Invalid IP Datagram Length" sometimes occurred. This happened because the firewall driver incorrectly calculated the IP datagram length in an LSO environment.

Solution 8: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.2 Deep Security Agent 10.0.0-2358
========================================================================

8.2.1 Enhancements
=====================================================================
There are no enhancements in this release.

8.2.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-1138/SEG-5409/00388364]
Due to a race condition, a kernel panic would occur when dsa_filter was handling duplicate UDP packets.

Solution 1: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-1109]
Deep Security file reputation querying to Smart Protection Server was not counted correctly in the Summary of Smart Protection Server. For example, the "Active Users for File Reputation" widget displayed an incorrect number of users.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-1090]
In some circumstances, the kernel module for a Linux version of the Deep Security Agent could be replaced by an earlier version of the kernel support package.

Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-1081]
When connections were reset, they were not removed in the kernel module until the connection timed out. This resulted in the maximum number of TCP connections being reached.

Solution 4: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [DSSEG-1041/SEG-370]
The Deep Security firewall/intrusion prevention driver sometimes did not bind to a specific Network Interface Controller (NIC). When the Deep Security Agent took it as StandbyAdapter, it would cause a Deep Security Agent exception during initialization and fail to generate the firewall/intrusion prevention driver configuration file.

Solution 5: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [DSSEG-1040/SBM 352560]
When the Intrusion Prevention rule "1000128 - HTTP Protocol Decoding" is enabled and "Specify raw characters that are not allowed in the URI:" is used, when the Deep Security Agent detects an illegal character, the Deep Security Manager will show the illegal character in an Intrusion Prevention event. However, the Deep Security Agent sometimes did not report the correct location of the illegal character, so it was not displayed correctly in the Deep Security Manager.

Solution 6: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: [DSSEG-1012]
If the Deep Security Agent failed to download the Kernel Support Package, the agent would not retry the download.

Solution 7: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 8: [DSSEG-975]
The Threat Tracing pattern number in Deep Security Agent on Windows was incorrectly set to a large number and could not be updated because the latest ActiveUpdate pattern number was smaller.

Solution 8: This release resets the pattern number to 0 during Agent upgrade. The pattern number will then be set to the latest number when the next security update is performed (either manually or using a scheduled task).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 9: [DSSEG-947]
When the anti-malware engine encountered a problem during update, it displayed an error code in the endpoint event.

Solution 9: An error message is now displayed instead of a code.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 10: [DSSEG-1089/SEG-875]
In some environments, the Anti-Malware Solution Platform (AMSP) could cause high disk input/output when the common scan cache was on.

Solution 10: By default, the AMSP common scan cache is on.
To disable it, open a Windows command prompt on the Deep Security Manager computer, go to the Deep Security Manager root folder, and run this command:

    dsm_c -action changesetting -name settings.configuration.disableAmspCommonScanCache -value true
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 11: [DS-13501]
AMSP CoreServiceShell.exe could cause large memory usage. In Task Manager, the CoreServiceShell.exe process showed a large commit size.

Solution 11: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.3 Deep Security Agent 10.0.0-2413
========================================================================

8.3.1 Enhancements
=====================================================================
There are no enhancements in this release.

8.3.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-1279/00474128/SEG-9606]
A heap corruption in li.dll caused Deep Security Agent to crash.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-1242/internal case]
A race condition caused an error displayed on a blue screen when the intrusion prevention module handled duplicate UDP packets.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-1198/351879]
The Deep Security Agent did not securely generate the SSL Master Secret when the "Client key exchange" and "Certificate verify" handshake records were both in one packet.

Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-1234/SEG-9610/483717]
In some environments, the query engine used by Deep Security received different error responses. Certain errors were not handled properly, which caused system slow down.

Solution 4: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.4 Deep Security Agent 10.0.0-2470
========================================================================

8.4.1 Enhancements
=====================================================================
The following enhancement is included in this release:

Enhancement 1: [DSSEG-1264/511146/SEG-11066]
Deep Security Agent 10.0 Update 4 or later no longer needs the Microsoft Visual C++ 2005 Redistributable Package. It will not be installed unless you are upgrading from a Deep Security 9.x Agent. If you are upgrading from an earlier Deep Security 10.x Agent, you may be required to reboot.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.4.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-1367/SF00472245/SEG-10539]
When log inspection was enabled, the Deep Security Agent sometimes used more than 50% (and up to 98%) of the CPU for long periods of time.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-1364/493112]
In previous releases, the "Smart Protection Server Disconnected for Web Reputation" alert could only be cleared manually by a user.

Solution 2: In this release, Deep Security Manager will clear the alert automatically when it receives a "Smart Protection Server Connected for Web Reputation" event.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-1361/SEG-12002]
A copy or rename operation to a large file (over 3MB) from client computer was sometimes delayed if the file was put on a shared folder on a remote server and SMB v3.0 was used. This issue occurred when the Deep Security Agent was installed on the remote file server and anti-malware real-time scanning was enabled.

Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-1313]
A security update occurred every time the Deep Security Agent received an updated policy.

Solution 4: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [DSSEG-1239]
Deep Security Notifier did not display any information because the ds_agent service's relevant thread exited abnormally.

Solution 5: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [DSSEG-1203/SEG-8048/SF00453864]
Smart scan pattern updates sometimes failed.

Solution 6: This issue is fixed in this release. The iAU module has been upgraded to 1062.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.5 Deep Security Agent 10.0.0-2548
========================================================================

8.5.1 Enhancements
=====================================================================
The following enhancement is included in this release:

Enhancement 1: [DSSEG-1404/TT 353335]
A new policy setting (Computer/Policy editor > Settings > General > Suppress all pop-up notifications on host) enables you to hide all pop-up windows on hosts.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.5.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-1497]
A brief network disconnection occurred during the installation of the Trend Micro Lightweight Filter Driver. This network disconnection would result in the following issues:
  1) DNS record disappears in the dual-AD server environment
  2) Windows Fail-Over Cluster out-of-sync
  3) Windows Network Load Balancing servers out-of-sync.

Solution 1: On Windows 2012 R2 or later, network will remain connected even when doing a filter hook/unhook and during installation. During upgrade, a reboot is needed for the Filter Driver's FilterRunType transition.
For Windows Network Load Balancing, a few firewall rules are needed in addition to this fix. For details, please see: [https://success.trendmicro.com/solution/1118512]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-1370]
The Deep Security Agent sometimes failed to complete an SSL handshake when the agent was using a proxy to connect to Deep Security Manager.

Solution 2: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-1271/SEG-10957]
A stop error was reported on Windows Servers in an IPv6 environment with vLAN tagging.

Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-1247]
A race condition when the ds_agent kernel module was handling TCP connections caused an error displayed on a blue screen.

Solution 4: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [DSSEG-1508/SEG-8557/464768]
A driver used by AMSP caused increased kernel memory usage due to a token leak.

Solution 5: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [DSSEG-1509/SEG-12733/00474128]
The TMUFE engine caused the Deep Security Agent process to crash, due to malformed DNS responses.

Solution 6: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: [DSSEG-1528/00425793/SEG-7652]
The anti-malware engine went offline on a Windows 2012 server.

Solution 7: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.6 Deep Security Agent 10.0.0-2551
========================================================================

8.6.1 Enhancements
=====================================================================
There are no enhancements in this release.

8.6.2 Resolved Known Issues
=====================================================================
This release resolves the following issue:

Issue 1: [DSSEG-1551]
A change made on October 14 to version 2.7 of SMBIOS for AWS EC2 instances introduced an incompatibility issue with Deep Security Agents on Linux and Windows. We have seen this issue affecting new instances created in the US-Virginia, Japan, and Singapore regions since October 14, but additional regions will be affected. This issue affects agent activation on any instance with the 2.7 BIOS and is likely to result in agents entering an unprotected state. Currently running activated agents are not affected. For details, please refer to: https://success.trendmicro.com/solution/1118601

Solution 1: The incompatibility is fixed with this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.7 Deep Security Agent 10.0.0-2613
========================================================================

8.7.1 Enhancements
=====================================================================
This release includes the following enhancement:

Enhancement 1: [DSSEG-1566]
The Trend Micro Solution Platform used in the Deep Security Agent has been updated to version 3.9.1198.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.7.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-1744]
Sometimes, after a Deep Security Agent upgrade, anti-malware protection would be absent or out of date.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-1714]
An EICAR sample was not detected and blocked in a NIC teaming environment.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-1692]
When event logs were aggregated, the MAC address for an aggregated firewall or intrusion prevention event could be incorrect.

Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-1602/00598122/SEG-15655]
When an Oracle WebLogic Server created cached directories ending with .jar or .war, the application control feature would enter a loop when reading those directories, resulting in high CPU usage.

Solution 4: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [DSSEG-1493]
When the Deep Security Agent lightweight filter driver (tbimdsa.sys) was installed in a Windows environment where NIC teaming was configured as LACP mode, the "Microsoft Network Adapter Multiplexor Driver" device would enter a "Network cable unplugged" state.

Solution 5: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.8 Deep Security Agent 10.0.0-2649
========================================================================

8.8.1 Enhancements
=====================================================================
There is one enhancement in this release:

Enhancement 1: [DSSEG-1873]
Microsoft requested that anti-virus vendors set a registry key that will allow a critical system patch for Microsoft Windows. The Deep Security Agent now sets the required registry key upon installation. For details, see https://success.trendmicro.com/solution/1119183
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.8.2 Resolved Known Issues
=====================================================================
This release does not resolve any issues.


8.9 Deep Security Agent 10.0.0-2687
========================================================================

8.9.1 Enhancements
=====================================================================
There are no enhancements in this release.

8.9.2 Resolved Known Issues
=====================================================================
This release resolves the following issue:

Issue 1: [DSSEG-1885/SEG-11876]
When SSL inspection was enabled on an SSL server, clients sometimes failed to establish an SSL session and a "Record Layer Message (not ready)" intrusion prevention event would occur.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.10 Deep Security Agent 10.0.0-2736
========================================================================

8.10.1 Enhancements
=====================================================================
The following enhancement(s) are included in this release:

Enhancement 1: [DSSEG-1710/SEG-17076/SEG-20229/SEG-13878/SEG-17217/SEG-20808/DSSEG-1950]
The Anti-Malware Solution Platform (AMSP) module has been upgraded to version 3.9.1209, which includes these fixes:

- The ATSE engine detected some normal files as malicious files. This issue has been fixed.

- The AEGIS engine has been enhanced to catch more high profile malware. It also fixes a problem where AEGIS would sometimes crash when filling the feedback event tuple for a registry event.

- When anti-malware real-time scanning was enabled, it sometimes took a few minutes for the client computer to extract an archive file. This happened when the AMSP module received a file event containing a file name with a short file path to a Windows shared folder on a network-attached storage server. This issue has been fixed.

- The eye driver "path normalization function" sometimes had performance issues on certain machines.
  The symptoms varied depending on the environment, but could include high CPU usage, high memory usage, or a system hang. The eye driver has implemented "BypassReparsePointMapping" to prevent these issues. If you are experiencing this issue, follow these steps to enable "BypassReparsePointMapping" on your Deep Security Agent computers:

  1. Disable Deep Security Agent self-protection if it is enabled. For instructions, see https://success.trendmicro.com/solution/1060690

  2. Stop the AMSP service and the Deep Security Agent service.

  3. Add this registry key:

       [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tmevtmgr\Parameters]
       DWORD BypassReparsePointMapping = 1

  4. With administrator permission, run the following commands to stop and restart the Trend eye drivers:

       sc stop tmactmon
       sc stop tmevtmgr
       sc stop tmcomm
       sc start tmcomm
       sc start tmevtmgr
       sc start tmactmon

  5. Start the AMSP service and the Deep Security Agent service.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.10.2 Resolved Known Issues
=====================================================================
There are no issues fixed in this release.


8.11 Deep Security Agent 10.0.0-2775
========================================================================

8.11.1 Enhancements
=====================================================================
There are no enhancements in this release.

8.11.2 Resolved Known Issues
=====================================================================
This release resolves the following issue:

Issue 1: [DSSEG-2076/SEG-23938/SEG-23938]
SSL/TLS compression was not disabled while initiating SSL context for DSA listening port (4118).

Solution 1: This issue is fixed in this release.
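
A check a defender can run for the SSL/TLS compression issue above, added here as an example and not part of the Trend Micro readme or product: it parses one captured TLS ServerHello record and reports the compression method the server selected (0 means none). Assumptions: the record was captured from the agent's listening port during a TLS 1.2 or earlier handshake whose ClientHello offered DEFLATE (a server only selects a method the client offered), and the sample records in the code are constructed for illustration.

```python
import struct

# IANA "TLS Compression Method" identifiers; 0 means compression is off.
COMPRESSION_NAMES = {0: "null", 1: "DEFLATE", 64: "LZS"}


class ServerHelloError(ValueError):
    """The bytes are not one complete TLS record carrying a ServerHello."""


def parse_server_hello(record: bytes) -> dict:
    """Return version, cipher suite and compression method from a ServerHello."""
    if len(record) < 5:
        raise ServerHelloError("truncated record header")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type == 21:
        raise ServerHelloError("server sent an alert instead of a ServerHello")
    if content_type != 22:
        raise ServerHelloError(f"not a handshake record (type {content_type})")
    fragment = record[5:5 + rec_len]
    if len(fragment) != rec_len or rec_len < 4:
        raise ServerHelloError("truncated record body")
    if fragment[0] != 2:
        raise ServerHelloError(f"handshake type {fragment[0]} is not ServerHello")
    msg_len = int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + msg_len]
    if len(body) != msg_len:
        raise ServerHelloError("ServerHello continues in another record")
    # Fixed part: server_version(2) + random(32) + session_id length(1).
    if len(body) < 35:
        raise ServerHelloError("ServerHello body too short")
    sid_len = body[34]
    pos = 35 + sid_len  # offset of cipher_suite(2), then compression_method(1)
    if sid_len > 32 or len(body) < pos + 3:
        raise ServerHelloError("bad session_id length")
    compression = body[pos + 2]
    return {
        "version": (body[0], body[1]),
        "cipher_suite": int.from_bytes(body[pos:pos + 2], "big"),
        "compression": compression,
        "compression_name": COMPRESSION_NAMES.get(
            compression, f"unknown({compression})"
        ),
    }


def compression_negotiated(record: bytes) -> bool:
    """True when the server selected any compression method other than null."""
    return parse_server_hello(record)["compression"] != 0


def build_sample_server_hello(compression: int, session_id: bytes = b"") -> bytes:
    """Constructed test input: a minimal TLS 1.2 ServerHello record."""
    body = b"\x03\x03" + bytes(32)                 # version 3.3, zeroed random
    body += bytes([len(session_id)]) + session_id
    body += b"\xc0\x2f" + bytes([compression])     # cipher suite, compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    samples = {
        "compression off": build_sample_server_hello(0),
        "compression on": build_sample_server_hello(1, session_id=b"\xaa" * 32),
    }
    for label, record in samples.items():
        info = parse_server_hello(record)
        verdict = "FAIL" if compression_negotiated(record) else "ok"
        print(f"{label}: method={info['compression_name']} -> {verdict}")
```

A TLS 1.3 ServerHello always carries compression method 0, so the check is only meaningful for TLS 1.2 and earlier handshakes.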
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.12 Deep Security Agent 10.0.0-2797
========================================================================

8.12.1 Enhancements
=====================================================================
This release includes the following enhancement:

Enhancement 1: [DSSEG-2148]
With this release of Deep Security Agent, all pattern updates from the Deep Security Relay or Trend Micro Update Server will require the use of the TLS 1.2 protocol.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.12.2 Resolved Known Issues
=====================================================================
This release resolves the following issue:

Issue 1: [DSSEG-2173/SEG-23387]
The Deep Security Agent query script, dsa_query.cmd or dsa_query.sh, would sometimes fail.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.13 Deep Security Agent 10.0.0-2856
========================================================================

8.13.1 Enhancements
=====================================================================
This release includes the following enhancement:

Enhancement 1: [DSSEG-2161]
With this release of Deep Security Agent, all software updates from the Deep Security Relay or Deep Security Manager will require the use of the TLS 1.2 protocol.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.13.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-2228/SEG-23148/SF00700687]
The anti-malware module validates each process by querying the file's signature information, but the query may take a long time in certain environments, causing the computer to slow down.

Solution 1: This issue is fixed in this release. To prevent the computer from slowing down, there is a new timeout value for the signature query.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-2184/SEG-24555/SF00745590/SEG-24082]
When the anti-malware module attempts to remove files or folders but encounters an error, it adds a registry entry indicating that the files should be removed the next time the computer reboots. However, the anti-malware module sometimes created a registry entry when attempting to remove temp files, which might no longer exist. This caused third-party applications to sometimes prompt users to reboot unnecessarily.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.14 Deep Security Agent 10.0.0-2888
========================================================================

8.14.1 Enhancements
=====================================================================
The following enhancement is included in this release:

Enhancement 1: [DSSEG-2242/VRTS-2470/VRTS-2473/VRTS-2469]
This release improves protection by adding checks when agent self-protection is enabled.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.14.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-2333/SEG-26904]
When a security event syslog was forwarded directly from the Deep Security Agent to a syslog server, it contained an incorrect IPv6 address in the dvchost field.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-2248/00822625/SEG-27661]
When a user configured a firewall bypass rule with a port range containing port 65535, the Deep Security Agent configuration would fail to compile.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.15 Deep Security Agent 10.0.0-2981
========================================================================

8.15.1 Enhancements
=====================================================================
The following enhancement(s) are included in this release:

Enhancement 1: [DSSEG-2594]
Diagnostic package can collect AMSP logs during uninstall.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 2: [DSSEG-2510/SF00908235/SEG-30932]
When a cookie is detected as spyware, the related anti-malware event now contains the file path of the cookie. To see this information, double-click the event on the "Anti-Malware Events" page and go to "Spyware Items". The path of the cookie is displayed in the "Object" field.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.15.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-2484/SF00600663/SEG-16112]
When a malware scan configuration included a "Process Image File List" scan exclusion, and that list included an item on a network drive, all entries in the list were not applied correctly.

Solution 1: The anti-malware module has been improved. When a "Process Image File List" contains an item on a network drive, that entry is ignored, but other valid entries are applied successfully.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-2414/SEG-27607/SF00811737]
During a component update, the Anti-malware service sometimes got stuck while purging the cache, so the Deep Security Agent status shown in Deep Security Manager would remain as "Security Update in Progress" for a long time.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-1687]
When Deep Security Agent scanned a SAR file that contained relative paths, those relative paths were not extracted to a temporary directory for scanning.

Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-1686]
When messages coming from Deep Security Virus Scan Adapter were too long, it caused a buffer overflow, and the Deep Security Agent would access an invalid memory address.

Solution 4: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.16 Deep Security Agent 10.0.0-3059
========================================================================

8.16.1 Enhancements
=====================================================================
The following enhancement(s) are included in this release:

Enhancement 1: [DSSEG-2489]
Anti-Malware scan engine can be displayed and has the option to enable or disable an Anti-Malware update.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 2: [DSSEG-2321]
The Deep Security Agent installer no longer installs all feature modules when the module plug-in files are located in the same folder as the installer. The required plug-in files are downloaded from a Deep Security Relay when a policy is applied to a protected computer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 3: [DSSEG-2256/SEG-27831]
Set the correct installation and upgrade status of Windows Anti-Malware.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.16.2 Resolved Known Issues
=====================================================================
This release resolves the following issue(s):

Issue 1: [DSSEG-2736/SEG-34502]
When a TCP connection was established with the same tuples as a previously tracked one, the network engine could set the connection track to an incorrect status.
This sometimes happened on a busy server where rapid connections reused a recycled connection. The network engine treated it as an "Out of connection" error and dropped the packet.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-2588]
When the Anti-Malware or Firewall features were enabled, Deep Security Agent was not registered to the Windows Security Center on Windows 10 version 1803 (April 2018 Update). This caused the status of anti-malware and firewall to be incorrect in the Windows Security Center and Windows Defender Security Center.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-2407/SEG-29750/SF00874980]
When Deep Security Agent was installed on a virtual machine (VM) and the VM was reverted to an earlier state, Log Inspection event data was not synchronized properly between the Deep Security Agent and Deep Security Manager.

Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-2313/SEG-26394/815500]
When both Application Control and real-time Anti-Malware scanning were enabled and either one became disabled, a system crash would sometimes occur. This could occur when explicitly disabling either feature or when:
- stopping the Deep Security Agent service,
- upgrading the Deep Security Agent, or
- restarting a Deep Security Agent computer.

Solution 4: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.17 Deep Security Agent 10.0.0-3107
========================================================================

8.17.1 Enhancements
=====================================================================
The following enhancement(s) are included in this release:

Enhancement 1: [DSSEG-2489]
Anti-Malware Scan Engine can be displayed and has the option to enable or disable an Anti-Malware update.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 2: [DSSEG-2257]
The Anti-Malware engine offline error is not reported when the computer is preparing to shut down.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 3: [DSSEG-2308]
The version of OpenSSL used by the Deep Security Agent and Deep Security Relay has been updated to openssl-1.0.2o.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.17.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-2867/SEG-36902/SF01197096]
The Deep Security Agent could not be installed properly on Windows XP and Windows 2003.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-2857/SEG-33085]
An unactivated Deep Security Agent could reach 100% CPU usage when handling a long HTTPS request.

Solution 2: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


8.18 Deep Security Agent 10.0.0-3186
========================================================================

8.18.1 Enhancements
=====================================================================
The following enhancements are included in this release:

Enhancement 1: [DSSEG-3022]
The version of zlib used by the Deep Security Agent has been updated to zlib-1.2.11.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 2: [DSSEG-2970]
The version of curl used by the Deep Security Agent has been updated
to curl-7.61.1.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 3: [DSSEG-2966]
Deep Security Agent has been updated to support PFS cipher suites.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 4: [DSSEG-2677]
The URL for the Trend Micro corporate site has changed from
http://www.trendmicro.co.jp/ to https://www.trendmicro.com/. Deep
Security has been updated to point to the new URL where necessary.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 5: [DSSEG-3005/SEG-37605]
This release updates the Anti-Malware scan engine to the latest
version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.18.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-2878/00461478/573707/00386295/SEG-5825/00487753]
Users who are not using a local Smart Protection Server (SPS)
reported many Dropped Retransmit "rxjammed" events in the Firewall
when using Web Reputation Service, which caused the Firewall logs to
fill up.

Solution 1: Dropped Retransmit "rxjammed" events are no longer
recorded in the Firewall log.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

9. Files Included in This Release
========================================================================
This release is a complete installation. Use one of the following
files:

Agent-Windows-10.0.0-3240.x86_64.zip (64-bit)
Agent-Windows-10.0.0-3240.i386.zip (32-bit)
Notifier-Windows-10.0.0-3240.i386.msi (32-bit can be installed on 64-bit)

10. Contact Information
========================================================================
A license to Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support
for one (1) year from the date of purchase only.
After the first year, you must renew Maintenance on an annual basis
at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website
to download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

11. About Trend Micro
========================================================================
Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative
security solutions that make the world safe for businesses and
consumers to exchange digital information.

Trend Micro, Deep Security, "deep security solutions", and the t-ball
logo are trademarks of Trend Micro Incorporated and are registered in
some jurisdictions. All other marks are the trademarks or registered
trademarks of their respective companies.

12. License Agreement
========================================================================
View information about your license agreement with Trend Micro at:
www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed by selecting the
"About" option in the application user interface.

13. Third-Party Software
========================================================================
Deep Security employs the use of 3rd party binary distributions. The
binary distributions are subject to the licenses available in the
following directory:

[Install Directory]/licenses

Where 3rd party licenses require open access to their source code,
Trend Micro will provide the necessary materials upon written
request.
========================================================================
(C) 2019 Trend Micro Inc. All rights reserved. Published in Canada.