Trend Micro Incorporated July 14, 2017
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Readme for Trend Micro (TM) Deep Security Manager 10.1 Feature Release
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IMPORTANT: Deep Security 10.1 is a feature release. Feature releases are interim releases that provide early access to new features before the next major release becomes available. The lifecycle and support for feature releases are different from long-term support releases like 10.0. For details, see:
https://help.deepsecurity.trendmicro.com/10_1/on-premise/feature-packs.html

NOTICE: This Readme file was current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates.

GM release documentation:
https://help.deepsecurity.trendmicro.com/10_1/on-premise/Welcome.html

Patch/SP release documentation:
https://help.deepsecurity.trendmicro.com/software.html

TIP: Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation or online at:
https://clp.trendmicro.com/FullRegistration?T=TM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deep Security Manager Platforms:
- Red Hat Enterprise Linux 7 (64-bit)
- Red Hat Enterprise Linux 6 (64-bit)
- Red Hat Enterprise Linux 5 (64-bit)
- Windows Server 2012 and 2012 R2 (64-bit)
- Windows Server 2008 and 2008 R2 (64-bit)

Not Supported:
- Red Hat Enterprise Linux (RHEL) Xen Hypervisor
- Windows Server 2012 Core
- Windows Server 2008 Core
- Deep Security Manager is not supported on 32-bit versions of the Windows platform.

Date: July 6, 2017
Release: 10.1
Build Version: 10.1.406
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the license agreement and copied to the install directory.

For more information about the Trend Micro suite of Deep Security products, visit our website at:
http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/index.html

Download the latest version of this readme from the Deep Security Help Center, Software page:
https://help.deepsecurity.trendmicro.com/software.html

Trend Micro is always seeking to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro documents, please contact us at docs@trendmicro.com. Your feedback is always welcome.

Contents
===================================================================
1. About Deep Security 10.1
   1.1 Overview of This Release
   1.2 Who Should Install This Release
   1.3 Upgrade Notice
2. What's New
   2.1 Enhancements
   2.2 Resolved Known Issues
3. Documentation Set
4. System Requirements
5. Installation
6. Known Incompatibilities
7. Known Issues in Deep Security Manager 10.1
8. Release History
9. Files Included in This Release
10. Contact Information
11. About Trend Micro
12. License Agreement
13. Third-Party Software
===================================================================

1. About Deep Security 10.1
========================================================================

1.1 Overview of This Release
=====================================================================

Deep Security 10.1 contains a number of new feature enhancements as well as bug fixes.

For a complete list of the major changes in Deep Security 10.1 from previously released versions of Deep Security, please see the "What's New in Deep Security 10.1" page on the Deep Security Help Center:
https://help.deepsecurity.trendmicro.com/10_1/on-premise/whats-new.html

1.2 Who Should Install This Release
=====================================================================

Deep Security 10.1 is a feature release. Feature releases are interim releases that provide early access to new features before the next major release becomes available. The lifecycle and support for feature releases are different from long-term support releases like 10.0. For details, see:
https://help.deepsecurity.trendmicro.com/10_1/on-premise/feature-packs.html

1.3 Upgrade Notice
=====================================================================

- If Application Control is turned on prior to upgrading the agents, Maintenance Mode must be enabled to prevent Application Control from blocking the upgrade of Deep Security components or reporting software changes depending on the configuration.

- If you choose to upgrade your Deep Security Manager to version 10.1 while running older versions of Deep Security Agents under protection, you will be warned during the upgrade installation if this version will no longer be able to communicate with those agents. Deep Security Manager 10.1 ONLY supports the latest 9.6 SP1, 10.0, and 10.1 versions of Deep Security Agent, and Deep Security Virtual Appliance. Please refer to the "Known Incompatibilities" section of this readme file for details.

- If you are using Microsoft SQL Server 2008 SP3 or earlier, or Microsoft SQL Server 2008 R2 SP1 or earlier as your Deep Security database, prior to upgrading the Deep Security Manager to 10.1, check if the communication between the Deep Security Manager and the database is encrypted. Note that this is disabled by default and would have been manually configured. To check, verify whether the Deep Security Manager\webclient\webapps\ROOT\WEB-INF\dsm.properties file contains the line:

    database.SqlServer.ssl=require

  If it exists, disable the encryption before upgrading and then re-enable it when the upgrade is complete. For instructions, see:
  https://help.deepsecurity.trendmicro.com/Manage-Components/dsm-db-encrypt.html
  Failure to disable the encryption will cause the upgrade to fail.
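
An added example (not part of Trend Micro's readme or tooling) that audits a dsm.properties file for the two settings this upgrade notice names: the database.SqlServer.ssl line before upgrading, and the protocols line that the TLS item of this notice describes for temporarily re-enabling TLS 1.0 and 1.1. The function names, the phase labels and the legacy_sql_server flag are hypothetical, and the sample file contents are constructed.

```python
import re

# Protocol tokens the readme says to remove again once all relays and
# agents have been upgraded.
LEGACY_PROTOCOLS = ("TLSv1", "TLSv1.1")

# Constructed sample contents; only keys quoted in the readme are used.
SAMPLE_TEMPORARY = """\
# constructed sample: state during the relay/agent upgrade window
database.SqlServer.ssl=require
protocols=TLSv1,TLSv1.1,TLSv1.2
"""
SAMPLE_HARDENED = "protocols = TLSv1.2\n"

_LINE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text):
    """Parse simple Java-style 'key=value' lines; later duplicates win."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit(text, phase, legacy_sql_server=False):
    """Return (setting, offending value) pairs for the given upgrade phase.

    phase is 'pre-upgrade' or 'post-upgrade' (hypothetical labels).
    legacy_sql_server must be set by the operator when the database is
    SQL Server 2008 SP3 or earlier, or 2008 R2 SP1 or earlier; the file
    itself does not reveal the database version.
    """
    props = parse_properties(text)
    findings = []
    if phase == "pre-upgrade":
        ssl = props.get("database.SqlServer.ssl", "")
        # Case-insensitive comparison is a conservative assumption.
        if legacy_sql_server and ssl.lower() == "require":
            findings.append(("database.SqlServer.ssl", ssl))
    elif phase == "post-upgrade":
        tokens = [t.strip() for t in props.get("protocols", "").split(",")]
        # Compare whole tokens: a substring test for "TLSv1" would also
        # match "TLSv1.2" and flag a correctly hardened file.
        legacy = [t for t in tokens if t in LEGACY_PROTOCOLS]
        if legacy:
            findings.append(("protocols", ",".join(legacy)))
    else:
        raise ValueError("phase must be 'pre-upgrade' or 'post-upgrade'")
    return findings


if __name__ == "__main__":
    for label, text in (("temporary", SAMPLE_TEMPORARY),
                        ("hardened", SAMPLE_HARDENED)):
        print(label, "pre-upgrade :", audit(text, "pre-upgrade", True))
        print(label, "post-upgrade:", audit(text, "post-upgrade"))
```

A missing protocols line produces no finding, because the readme states that the console requires TLS v1.2 unless that line is added.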

- Deep Security 10.1 includes significant improvements to the upgrade process which contains functionality that checks your currently installed Deep Security components and makes personalized recommendations for your upgrade path. The upgrade process also upgrades the database schema without requiring manual steps.

- As usual, back up your database before upgrading and consider performing the upgrade during off-hours. For more information see:
  https://help.deepsecurity.trendmicro.com/10_1/on-premise/Manage-Components/update-database.html

- The Deep Security console (default port: 4119) now requires clients to use TLS v1.2 in order to connect. Customers who are using Windows PowerShell for their deployment scripts will need to update the deployment script to include the line:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;

  prior to the agent download step.

  To download the agent to systems that do not support TLS 1.2 at all, a possible workaround is to host the agent software on a web server that supports TLS 1.0. Alternatively, you can use the procedure below to re-enable TLS 1.0 on the Deep Security Manager.

  Another side-effect of this change is that for customers using Deep Security 9.5 and 9.6, after upgrading the Deep Security Manager to 10.1, the 9.5 and 9.6 Deep Security Relays will fail to replicate and serve the Deep Security Agent 10.1 packages. To resolve this, temporarily enable TLS 1.0, 1.1 and 1.2 by adding the line below in the dsm.properties file then reboot the Deep Security Manager server:

    protocols=TLSv1,TLSv1.1,TLSv1.2

  After the successful upgrade of all relays and agents, remove TLSv1,TLSv1.1 from the line above and reboot the Deep Security Manager server. This is for enhanced security.

2. What's New
========================================================================

2.1 Enhancements
=====================================================================

This release includes the following enhancements:
- Identity provider support via SAML 2.0
- Single deployment script for Windows and Linux
- PostgreSQL support
- SQL Server Express support
- Docker enhancements
- News feed
- New platform support for application control
- Computers page enhancements
- Time-boxed anti-malware scans
- Zero impact network driver install
- New support for AIX 7.2
- New support for Debian 8

For details, see:
https://help.deepsecurity.trendmicro.com/10_1/on-premise/whats-new.html

Deep Security Manager 10.1 also includes this enhancement:

Enhancement 1: [DS-12493] This release adds the ability to manually add an Azure application without requiring the "Global Admin" permission. For instructions, see
https://help.deepsecurity.trendmicro.com/10_2/azure/create-azure-application.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2.2 Resolved Known Issues
=====================================================================

This release resolves the known issues identified in Deep Security 10.0 and earlier, with the exception of those listed in the section "Known Issues in Deep Security Agent 10.1", below.

3. Documentation Set
========================================================================

In addition to this readme.txt, the documentation set for this product includes the following:

- Information formerly contained in the Deep Security Installation Guides and Deep Security Administrator's Guide is now available on the Deep Security Help Center
  https://help.deepsecurity.trendmicro.com/10_1/on-premise/Welcome.html
  and includes:
  -- product overview, deployment plan, installation steps and basic information intended to help you smoothly deploy Deep Security.
  -- post-installation instructions on how to configure the settings to help you get Deep Security "up and running". Also includes instructions on performing other administrative tasks for the day-to-day maintenance of Deep Security.

- You can easily search the Help Center content or get context-sensitive help from your Deep Security Manager.

4. System Requirements
========================================================================

For a complete list of the system requirements, please refer to the Deep Security Help Center:
https://help.deepsecurity.trendmicro.com/10_1/on-premise/Get-Started/Install/system-requirements.html

5. Installation
========================================================================

Refer to the "Get Started" section of the Deep Security Help Center:
https://help.deepsecurity.trendmicro.com/10_1/on-premise/upgrade-deep-security.html

6. Known Incompatibilities
========================================================================

- Deep Security Manager 10.1 does not support version 9.5 and earlier versions of Deep Security Virtual Appliance and Deep Security Agent (except for some Solaris, AIX and HPUX Agents). For a full list of compatible agents please see
  https://help.deepsecurity.trendmicro.com/10_1/on-premise/Manage-Components/Software-Updates/compatibility.html

- When adding vCloud in this version of Deep Security, it must be added only to the tenants. Adding vCloud to the primary tenant is not supported.

7. Known Issues in Deep Security Manager 10.1
========================================================================

- Multi-tenant deployments are not yet supported with PostgreSQL. This support will be introduced in a future release. (DS-13000, DS-11890, DS-14176)

- In VDI deployments, if you recompose the VDI pool, vCenter will create VMs and the Deep Security Manager will get a "Computer Created" event that can be used to trigger the Event-Based Task (EBT) for activation. After activation is done, if the VDI pool is refreshed or reset, all VMs will revert to an unmanaged state. In this case, vCenter will send a "Computer Powered On" event. Since the computer had previously been created and only the protection state has been reset, the "Computer Created" EBT will not be triggered and an EBT based on "Computer Powered On" is required. (DS-14223)

- In rare circumstances, anti-malware could go offline after the Deep Security Agent finishes upgrading. When you check the Windows Application events log, it will show that Microsoft-Windows-RestartManager has stopped the Anti-Malware Solution Platform (AMSP) and Trend Micro Solution Platform service, and the service will need to be restarted. See https://success.trendmicro.com/solution/1117465 for more details. (DS-11331)

- If a malware scan generates a very large number of malware events, the Deep Security Agent could fail to report the events to the Deep Security Manager, generating a "Get Events Failed" event. (DS-11178)

- On the Computers page, doing a search for entries in the Status column will produce no result when the complete string is used, for example, using the format 'Error (Reason)'. However, searching for only 'Error' or for only 'Reason' will produce results. (DS-13099)

- If you enable anti-malware and application control in a policy and apply it to a pre-10.1 Deep Security Agent on Windows, then upgrade the agent to 10.1, it may display the status “Software Update: Anti-Malware Windows Platform Update Failed”. This error is due to a timing issue and it can be ignored because the anti-malware component upgrade was successful. (DS-14221)

- Application control build inventory, which happens after enabling application control, will take longer to finish on Windows 2008 R2 compared to other supported platforms. (DS-13120)

- When using application control, if you create a golden image, update it with required patches, create a shared ruleset, and then apply that shared ruleset to other computers, when you install those same patches on the other computer, they will be allowed to execute because they are in the shared ruleset. However, the patch updates will appear on the Software Changes page. To avoid this, set application control to maintenance mode when applying patches. (DS-13686)

- Application control is not compatible with Windows Defender. Running both can result in severe performance impacts. However, if both application control and anti-malware are enabled, then Deep Security will automatically disable Windows Defender for normal operation. (DS-12890)

- When using application control for Windows computers, if you selected "Block unrecognized software until it is explicitly allowed", you must enable maintenance mode before you update the computer's operating system. This includes when you perform an "update and restart" action on a computer running Windows. Failure to do this could break the computer because application control would block execution of updated files in the OS until you create the allow rules. Depending on which OS file was updated, you might need to use an OS recovery mode or external tool to recover from this misconfiguration. (DS-13419)

- Application control build inventory, which happens after enabling application control, will be slower when TiWorker.exe is running. TiWorker.exe is the Windows Modules Installer Worker, which is used when performing Windows updates. (DS-14313)

- When application control is configured to "Block unrecognized software until it is explicitly allowed", you will not be able to upgrade or uninstall the Deep Security Agent on that computer. To unblock the procedure, enable maintenance mode. (DS-14369)

- AWS instance types have different throughputs and computing resources.
  Shared ruleset creation time can vary widely depending on the instance type and may take an hour or longer on m3.medium and smaller instances. (DS-13747)

- In environments with Integrity Monitoring enabled and a large number of computers, the database may experience high CPU. This applies to Microsoft SQL Server databases. To resolve the issue, maintenance on the 'entitys' table should be done using the 'EXEC sp_updatestats' command. (DS-10471)

- Upgrading to DS 10.1 with an Oracle 12c Database is not supported in a multi-tenant deployment. (DS-8139)

- Using Windows 10 Edge as your browser for DSM may show certificate errors. Microsoft Edge is a web browser included in Windows 10/2016 operating systems. Unlike IE, the Edge browser does not have a configuration option for Trusted Sites which allows the user to add websites (e.g. the DSM URL). However, administrators can still add the DSM URL to the list of trusted sites from the Control Panel (Control Panel > Network and Internet > Internet Options > select Security). (DS-4618)

- Online Help Search does not support special characters such as "!", "#" and "%". (DS-6453)

- A "Refresh" notification appears on the UI after undoing an action in Application Control. (DS-10151)

- Using a Safari browser, the filter search option in Application Control under the ACTIONS tab only works one time, then you need to flip to another tab and back to do another search. On Chrome, Firefox and IE11 it works every time. (DS-7844)

- In Application Control, the drift number and button for "ALLOW ALL" or "BLOCK ALL" on the Action tab won't reflect the last executed state after user switches to any other page. The information displayed on the Action tab page will depend on how many unrecognized software items are being allowed or blocked by the current action, and if the number of items is very large then the page will take longer to be updated. (DS-10294)

- In the Application Control > Actions tab page, it takes longer than expected to display the first drift card, and if there is a huge amount of drift, the performance is affected. (DS-9808)

- When using Application Control, if the existing rule set is large, it can take several minutes to enforce the action on the Agent protecting the computer. (DS-9464)

- If the Anti-Malware feature is enabled on a Windows 2016 DSA, Windows Defender will be disabled (default is up-and-running) and a popup warning for system reboot will be shown. After reboot of the system, administrators should be aware that the reboot-required warning event won't be dismissed on the DSM. (DS-10369)

- Anti-malware endpoint correlation on Windows does not generate hash values. When anti-malware File Hash Calculation is enabled, the following cases may still not generate related hash values:
  1. Multiple Spyware detections
  2. Trojan detections with multiple files cleaned
  3. Endpoint Correlation detection
  4. Windows XP SP2 doesn't natively support SHA256 and no SHA256 value will be generated
  5. Anti-exploit may calculate the hash values of victim file instead of malware file
  Note: the Anti-exploit detection often is a victim file instead of a malware file; the hash values of the victim must be carefully used. (DS-9573)

- When using Trend Micro Control Manager (TMCM) with a locally installed Smart Protection Server (SPS) for the Connected Threat Defense feature, Deep Security (DS) will not only take the action according to Deep Security Web Reputation features (Security Level /score) but also take action according to Control Manager/Smart Protection Server (Log or Block for a URL). However, DS blocking page and events still show the risk information instead of specific action/reason or category information for this. For example:
  1. Some pages rated/shown with Suspicious Risk Level are blocked when user setting of Web Reputation Security Level is Medium, to block Dangerous and Highly Suspicious pages
  2. Some Web Reputation events are log events instead of block events and the user can’t tell which is log event in DSM Web Reputation event pages.
  To clearly know this information, the user needs to log in to TMCM to view the web reputation events with action/reason information. (DS-3947)

- When using TMCM 6.0 SP3, a user-defined Suspicious Object doesn't have a filterCRC value and therefore Deep Security cannot detect/block this type of file. (DS-768)

- When using Connected Threat Defense, sometimes, the "Submission Status" field of Identified files may become "Report Unavailable" because DS can't get the analysis result from Deep Discovery Analyzer for the submission over one day. DS will no longer wait for the result of this submission and the user will have to choose the identified file (event) and button to submit the file to Deep Discovery Analyzer manually. Then, DSM will submit the file, reset the submission date, and wait/retrieve for DDAn analysis result again. (DS-98)

- When using a Policy with SAP turned on, if the SAP license has expired, although it may appear on the DSM UI as though the SAP Policy is still On, the policy sent to Agents will have SAP off. SAP will not run on an Agent with an expired license. (DS-4534)

- With the SAP module enabled and Netweaver running on the same host, when a realtime scan detects a malicious file it will be reported twice. To prevent this, users should add the Netweaver GUI process path e.g. "C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe" to their AM realtime scan exclusion list. (DS-6615)

- When a user disables the scanner functionality and then enables the Relay after assigning a Scanner "On" policy to this Relay-enabled Agent, then deactivating and reactivating the Agent, on the Computer details page there will be a delay in display showing scanner icon and information first, then change to relay icon and information. (DS-4988)

- When using Deep Security Scanner (SAP for Windows) to successfully scan and block MIME types for graphics files such as jpg, bmp and gif on the SAP WinGUI, administrators should enable the configuration parameter SCANBESTEFFORT. (DS-2499)

- When using Deep Security Scanner (SAP for Windows), if a file extension does not match the MIME Type set of the file itself, the scan for virus will takd the Rule Violation error will not appear shortly. (DS-2484)

- When using Deep Security Scanner (SAP for Windows) and the block MIME Type is set to application/zip on the SAP WinGUI, the scan will proceed but will not block the .zip file immediately and will take some time to return the result if the .zip file is large. (DS-2470)

- When using Deep Security Scanner (SAP for Windows), if the file to be scanned exceeds the DSM scan size limitation then instead of an "Extracted file size exceeded the limit" error, a "Skip file error" result will be returned. (DS-2002)

- When using Deep Security Scanner (SAP for Windows), there is a difference in compressed files scan behavior between .zip and .sar file types. If the file to be scanned is a .sar file and the scanned file, when extracted, is larger than the Scan Limit configured on the DSM, then the scan will be skipped. For .zip files, the scan will be completed as long as the scanned file, when extracted, is smaller than the Extract size configured through the SAP profile. (DS-1126)

- When using Anti-Malware with containers there is currently no ability to specify paths within containers when defining policy for inclusion / exclusion lists.
  (DS-11086)

- Users should take care when manually adding a zip file to Administration > Software > Local. If the original filename is not maintained (as on the Download Center) it will not deploy correctly to Agents. For example downloading a second copy of an Agent file can result in a file named something like this: Agent-amzn1-10.0.2-7690.i386 (1).zip. (DS-11078)

- When a virtual machine is added through vCloud connector, after vMotion from unprotected ESXi host to a protected ESXi host, the virtual machine will not go from Agent-only protection to combined mode. (DS-557)

- When a virtual machine is added through vCloud connector, after vMotion from a protected ESXi host to an unprotected ESXi host, the virtual machine will not go from combined mode to Agent-only protection. (DS-558)

- In an Agentless environment with a GuestVM Windows 2008 R2 64-bit protected by a DSVA, the SAP Configuration page will display "Platform not supported." (DS-4987)

- If DSVA is configured in Agent-Initiated mode, user cannot successfully activate the guest agents via DSM's web UI. A "Protocol error" is shown in the web UI. The best practice for deploying DSVA is bi-directional mode. (DS-9924)

- Some platforms (e.g. Linux) do not distinguish network interfaces at the packet level, when they are connected to the same network. When enabling "Policy -> Interface Types -> Rules can apply to specific interfaces" on these platforms, firewall policies that attempt to distinguish between network interfaces connected to the same network will result in only one of the policies being applied. [29543]

- The Trusted Platform Module (TPM) monitoring does not work on vSphere 6 environment. When enabled, the event "The vCenter sent empty or unreliable TPM information that has been ignored. This is only an issue if the problem persists" will appear. In rare circumstances, the value may also be unreliable on vSphere 5.5 environment. VMware is already investigating this issue. [29268/27166]

- When doing vMotion of many simultaneous VMs, some of the VMs may appear as Anti-Malware Engine Offline after it moves to the new host. This occurred because the DSM checked the status of the VMs during heartbeat before the vMotion is finished. Doing another check status or waiting for the next heartbeat will fix the status. [28825]

- Deep Security Azure Connector does not identify virtual machines created by Azure Resource Manager a.k.a ARM VM (v2). DSA installed in ARM VM will not be included in Azure connector but in normal computer list. This limitation will have no impact on security features provided by Deep Security. [29630]

- If vMotion occurs while Anti-Malware scan is happening, there is a possibility that the scan will not continue after moving from one Agentless protected host to another. If you see an event saying "Manual Malware Scan Failure" or if you see a "Manual Malware Scan Started" without a corresponding "Manual Malware Scan Completed", then this means that the scan has stopped and did not finish. [28059]

- During the upgrade process after removing the Filter Driver, Deep Security Manager will display "Intrusion Prevention Engine Offline and Firewall Engine Offline" regardless of policy until the Deep Security Virtual Appliance is upgraded. [28992]

- If the Deep Security Relay is down during deployment of Deep Security Virtual Appliance, it will fail to upgrade and will cause the vShield Endpoint to not register. Even after the Deep Security Virtual Appliance upgrade becomes successful, the vShield Endpoint will remain in a Not Registered state. Reactivating the Deep Security Virtual Appliance will resolve this issue. [28712]

- If agentless Anti-Malware real-time protection is turned off, the notifier will not get any status updates from the appliance. It will then turn off Antivirus protection in the Windows Action Center. [29230/29574]

- When you deactivate the Deep Security Virtual Appliance or agentless protection, the notifier will not be able to get any status from the Deep Security Virtual Appliance. The notifier knows that Anti-Malware is not working so it will turn it off in the Windows Action Center. It does not know the status of the firewall so it will leave the firewall status in the Windows Action Center in its last known state. [29230/29574]

- The CPU Usage (Agent only) setting under Manual and Scheduled Scan Configuration in the Deep Security Manager console is not working on SUSE 10 SP3 and SP4. [20717]

- Agentless protection is not supported in ESX 5.1 with NSX. ESX 5.5, vCenter 5.5 and NSX Manager 6.0.5 are the minimum requirements for agentless protection. [22062]

- Excluding a folder in Anti-Malware agentless protection would also exclude folders that start with the same folder name. For example, excluding c:\temp also excludes c:\temp1 and c:\temp2 from Anti-Malware scanning. [22037]

- Anti-Malware, Web Reputation, Integrity Monitoring, and Log Inspection should not be enabled on the policy that is assigned to the Deep Security Virtual Appliance itself. These features are not supported when applied to the Deep Security Virtual Appliance and may produce error events. [21250]

- It can take up to 30 minutes before the appliance is ready for deployment through NSX Manager after importing the Deep Security Virtual Appliance package to the DSM. Deploying the appliance before the package is in place at \temp would result in failure. [23150]

- The Deep Security Manager will display the platform of CentOS machines as Red Hat. This is because the agent package used in CentOS and Red Hat are the same and labeled as Red Hat agent package. [21674/25156]

- Location awareness will not work on pure IPv6 environment. [12776]

- Infected file will still appear in Quarantined Files list even if the Anti-Malware Event says Quarantine Failed. [21620]

- In the computer updates page, DSM will show Smart Scan Agent Pattern, Spyware Active Monitoring Pattern and Virus pattern in Deep Security Agent for Linux regardless of the scan mode. [21829]

- Software update using IPv6 is currently not supported by Trend Micro download center. [25937]

- Deep Security Agent running on SUSE in Azure cloud will not be managed under Azure cloud account in the Deep Security Manager. The agent will appear under normal computers list. [26499]

- After Deep Security Agent upgrade, the event "Abnormal Restart Detected" may appear. The upgrade is not affected by this event and may be safely ignored. Do Clear Warnings and Errors and perform a Check Status to reflect the actual status of the agent. [26619]

- The Out of Sync relays hyperlink displays the correct count but clicking the link will display both out of date computers and relays. [23418/21042]

- In NSX 6.1.2 and earlier, if more than one NSX Security Group is defined and applied to the NSX Security Policy that contains Deep Security Services, any un-applying of the policy will not be reflected in Deep Security Manager with respect to NSX Security Group membership. [25304]

- In NSX 6.1.1 and earlier, if you remove the Deep Security Services from an NSX Security Policy, it will not be reflected in Deep Security Manager with respect to NSX Security Group membership. [25303]

- Deep Security Manager does not support installation paths that contain special characters (non-alphabet and non-numeric characters). The same restriction also applies to the database name and/or database account used by Deep Security Manager. [16708]

- When a user runs Agent-initiated recommendation scan using the "dsa_control -m RecommendationScan:true" command, no system event related to recommendation scan is recorded.

- In Multi-Tenant installations, the Primary tenant Deep Security Manager may cause "Reconnaissance Detected: Network or Port Scan" alerts on Tenants' Deep Security Managers.
To avoid these alerts, Tenants can manually add the Primary Tenant's Deep Security Manager IP address to the "Ignore Reconnaissance" IP list. (Policies > Common Objects > Lists > IP Lists). [17175] - In rare cases, adding a vCloud or AWS Cloud Account in Deep Security Manager can result in the creation of two identical Cloud Accounts. If this occurs, either one of the two accounts can be safely removed. [17280/17051] - In a cloud provider environment if the "Enable regular synchronization with Cloud Provider" option is disabled, changing the Deep Security Agent hostname will disrupt the communication between Deep Security Manager and Deep Security Agent. Trend Micro strongly recommends keeping the "Enable regular synchronization with Cloud Provider" option ON. [15608] - If the Manager node(s) and the Database are installed on machines with synchronized clocks but configured for different time-zones, an error indicating that the clocks are not synchronized will be triggered incorrectly. [17100] - On Windows 2008 and Server 2012 systems, after installing the Deep Security Manager with a co-located Relay, the Deep Security Notifier icon does not automatically appear in the Windows notification area. However, the Deep Security Notifier will still function. Users need to re-launch the Deep Security Notifier from the "Start" menu or restart the system. [17533] - When using Deep Security in iCRC mode, a DNS server must be available. If a DNS server is unavailable the Anti-Malware feature of the Deep Security Virtual Appliance may not function correctly. [Deep Security 8.0-01169] - Deep Security Manager does not support License updates or connecting to the Trend Micro Certified Safe Software Service using a SOCKS5 proxy. To use these two features, use an HTTP proxy. [Deep Security 8.0-1024] - In certain cases, when attempting to use the dsm_s stop command on Linux to stop the Deep Security Manager service, you may get the following message: "Timeout. 
Daemon did not shutdown yet." Dsm_s is based on install4j whose timeout value is 15 seconds, which cannot be changed. The Deep Security Manager may require longer than this to shut down. To ensure the service has been shut down run the "ps -ef | grep DSMService" command before using the dsm_s stop command. [Deep Security 8.0-00095] - Air-gapped Relays will still try to contact an Update Server to check for Updates. To avoid update failure alerts, set the Relay to use itself as an update source: 1. In the Relay's "Details" window, go to "System > System Settings > Updates". 2. In the "Relays" area, select "Other Update Source:" and add "https://localhost:4122". 3. Click "Save". [Deep Security 8.0-01124] - If an ESXi with an installed vShield Endpoint driver is removed from its vCenter, Deep Security Manager cannot detect the installed driver if the ESXi is later re-added to the vf. This will cause any newly Deep Security Virtual Appliance- protected virtual machines to not have Anti-Malware enabled. The workaround is to uninstall and reinstall the driver through the VSM. [Deep Security 8.0-01036] - Intrusion Prevention is not supported over SSL connections when using IPv6. - The Anti-Malware scan inclusion/exclusion directory settings are sensitive to forward slash "/" and backslash "\". For use with Windows operating systems the inclusion/exclusion paths must use the backslash "\". [7.5 SP1-00231] - When creating custom Integrity Monitoring Rules using the "RegistryKeySet" tag, the attribute values must be in uppercase letters. For example, . Using lowercase may result in an "Integrity Monitoring Rule Compile Issue" error. [7.5 SP1-00171] - Malware scans of network shared folders are only supported using real-time scan. Manual scans or scheduled scans will not work. 
[7.5-00012] - If a CD or a mounted ISO file contains malware and the Anti-Malware configuration is set to "Delete" upon detection, Deep Security Manager will still report that the malware was "deleted" even if it was unable to do so.

[7.5-00010] - Deep Security Manager cannot display an incorrect filename event in the Anti-Malware Event if the malware was found in the "Recycle Bin".

[7.5-00023] - During an upgrade, the Deep Security Manager service may not be able to install properly on some platforms if the "Services" screen is open. To work around this, make sure the "Services" screen is closed prior to installation or upgrade of Deep Security Manager.

- If you receive a "java.lang.OutOfMemoryError" error during the installation of Deep Security Manager, please refer to the "Installation Guide" for instructions on how to configure the maximum memory usage for the installer.

- During an upgrade, if you receive a message stating that the Deep Security Manager cannot start the service, restarting Deep Security Manager usually fixes the problem. In rare cases, you may have to run the installer again in Upgrade/Repair mode after restarting.

- If Windows Firewall is enabled on Deep Security Manager, it may interfere with port scans, causing false port scan results. Windows Firewall may proxy ports 21, 389, 1002, and 1720, resulting in these ports always appearing open regardless of any filter placed on the computer.

- By default, Exchange 2000 and later servers will dynamically assign a non-privileged port (1024-65535) for communications between the client and the server for the System Attendant, Information Store, and Name Service Provider Interface (NSPI) services. If you will be using the Microsoft Exchange Server profile with an Exchange 2000 or later server, then you should configure these services to use static ports as described in the article "Exchange 2000 and Exchange 2003 static port mappings" (http://support.microsoft.com/?kbid=270836). Once static ports have been configured, you should extend the appropriate Exchange Server port list to include the ports that have been assigned to these services. You may also want to set the "No RFR Service" registry setting to "1" to prevent the Exchange server from referring clients to the domain controller for address book information. See the article "How Outlook 2000 Accesses Active Directory" (http://support.microsoft.com/?kbid=302914) for more information. Alternatively, it is possible to configure Exchange RPC to run over HTTPS if you are using Outlook 2003 on Windows XP Service Pack 1 or later with Exchange Server 2003. In this case, only port 443 needs to be added to the Exchange port list.

- The "Recommendation" Alert may remain raised on some computers even after all recommended Intrusion Prevention, Integrity and Log Inspection Rules appear to have been applied. This can occur because even though an "Application Type" may be recommended for a computer, the "Application Type" will not be displayed in the "Show Recommended" view if no Intrusion Prevention Rules associated with Application Type are currently recommended. To resolve the situation, use the "Show All" view of the Intrusion Prevention Rules screen and assign all recommended "Application Types" (even if no associated Rules are currently recommended). Alternatively, you can just dismiss the alert after verifying that you have assigned all recommended rules to the computer.

[8345] - When an Appliance-protected VM is migrated from one Appliance-protected ESXi to another, and if that virtual machine currently has warnings or errors associated with it (for example "Reconnaissance Detected"), those errors may incorrectly get cleared during the migration.

[10602] - Log Inspection Events have a size limitation of 6000 characters.

8. Release History
========================================================================

See the following website for more information about updates to this product:

https://help.deepsecurity.trendmicro.com/software.html

- Deep Security Manager 10.1, Build 10.1.406, July 14, 2017

9. Files Included in This Release
========================================================================

This release is a complete installation. Use one of the following files:

   Manager-Linux-10.1.406.x64.sh (64-bit)
   Manager-Windows-10.1.406.x64.exe (64-bit)

10. Contact Information
========================================================================

A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

11. About Trend Micro
========================================================================

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.

Copyright 2017, Trend Micro Incorporated. All rights reserved. Trend Micro, Deep Security, "deep security solutions", and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

12. License Agreement
========================================================================

View information about your license agreement with Trend Micro at:

www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed:

- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide

13. Third-Party Software
========================================================================

Deep Security employs the use of 3rd party binary distributions. The binary distributions are subject to the licenses available in the following directory:

   [Install Directory]/licenses

Where 3rd party licenses require open access to their source code, Trend Micro will provide the necessary materials upon written request.

========================================================================
(C) 2017 Trend Micro Inc. All rights reserved. Published in Canada.