Trend Micro Incorporated                                   June 18, 2019
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Readme for Trend Micro (TM) Deep Security Agent 12.0 for Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This readme file was current as of the date above. However, all customers are advised to check the Trend Micro website for documentation updates.

GM release documentation:
https://help.deepsecurity.trendmicro.com/12_0/on-premise/Welcome.html

Patch/SP release documentation:
https://help.deepsecurity.trendmicro.com/software.html

TIP: Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation or online at:
https://clp.trendmicro.com/FullRegistration?T=TM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deep Security Agent Platforms:

- Red Hat Enterprise Linux 8 (64-bit)
- Red Hat Enterprise Linux 7 (64-bit)
- Red Hat Enterprise Linux 6 (32-bit and 64-bit)
- CentOS 7 (64-bit)
- CentOS 6 (32-bit and 64-bit)
- Oracle Linux 7 (64-bit)*
- Oracle Linux 6 (32-bit and 64-bit)*
- SUSE Enterprise Linux 11 SP1, SP2, and SP3 (32-bit and 64-bit)
- SUSE Enterprise Linux 11 SP4 (64-bit)
- SUSE Enterprise Linux 12 SP1, SP2, and SP3 (64-bit)
- SUSE Enterprise Linux 15 (64-bit)
- CloudLinux 7 (64-bit)
- CloudLinux 7.1 (64-bit)
- Debian 9 (64-bit)
- Debian 8 (64-bit)
- Debian 7 (64-bit)
- Ubuntu 18.04 LTS (64-bit)
- Ubuntu 16.04 LTS (64-bit)
- Amazon Linux 2 (64-bit)
- Amazon Linux (64-bit)

* Oracle Linux is supported on Red Hat kernels and Unbreakable kernels.

For a list of specific Linux kernels supported for each platform, see:
https://files.trendmicro.com/documentation/guides/deep_security/Kernel%20Support/12.0/Deep_Security_12_0_kernels_EN.html

For a list of supported Deep Security features by software platform, see:
https://help.deepsecurity.trendmicro.com/12_0/on-premise/supported-features-by-platform.html

Date: June 18, 2019
Release: 12.0
Build Version: 12.0.0-364
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the license agreement and copied to the install directory.

For more information about the Trend Micro suite of Deep Security products, visit our website at:
https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html

Download the latest version of this readme from the Deep Security Help Center, Software page:
https://help.deepsecurity.trendmicro.com/software.html

Trend Micro is always seeking to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro documents, please contact us at docs@trendmicro.com. Your feedback is always welcome.

Contents
===================================================================
1. About Deep Security 12.0
   1.1 Overview of This Release
   1.2 Who Should Install This Release
2. Release History
3. What's New
   3.1 Enhancements
   3.2 Resolved Known Issues
   3.3 Security Updates
4. Documentation Set
5. System Requirements
6. Known Incompatibilities
7. Known Issues in Deep Security Agent 12.0
8. Files Included in This Release
9. Contact Information
10. About Trend Micro
11. License Agreement
12. Third Party Software
===================================================================

1. About Deep Security 12.0
========================================================================

1.1 Overview of This Release
=====================================================================

Deep Security 12.0 contains feature enhancements, bug fixes and security updates.

For a complete list of the major changes in Deep Security 12.0, see the "What's New?" page on the Deep Security Help Center:
https://help.deepsecurity.trendmicro.com/12_0/on-premise/whats-new.html

1.2 Who Should Install This Release
=====================================================================

You should install this release if you are currently running Deep Security 10.0 Update 17, Deep Security 10.1, Deep Security 10.2, Deep Security 10.3, Deep Security 11.0 Update 7, Deep Security 11.1, Deep Security 11.2, or Deep Security 11.3.

All new Deep Security users should install Deep Security 12.0.

2. Release History
========================================================================

Deep Security Agent 12.0, Build 12.0.0-364, June 18, 2019

3. What's New
========================================================================

3.1 Enhancements
=====================================================================

This release includes several new features that have been added since Deep Security 11.0. For more information, visit our Help Center:
https://help.deepsecurity.trendmicro.com/12_0/on-premise/whats-new.html

Additional enhancements since Deep Security 11.0 include:

Enhancement 1: [DS-32877]
Added platform version information in the Software page to distinguish between SuSE 11 and SuSE 12.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 2: [DSSEG-1754/SEG-17076]
The Advanced Threat Scan Engine used in Deep Security Agent has been updated to version 10.200.1006.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 3: [DS-19943/DSSEG-1980]
This release adds support for Amazon Linux 2. In order to use this platform, you need Deep Security Manager 10.0 Update 8 or above.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 4: [DSSEG-2092/DSSEG-1974/SEG-6472/SEG-6201]
When the kernel module (gsch) in the Deep Security Agent Anti-Malware feature in Linux was loaded and hooked a system call, unloading the gsch module or disabling the Anti-Malware feature would cause a system crash if another vendor's kernel module had hooked the same system call later than the gsch driver. Deep Security Agent has been enhanced to avoid this issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 5: [DSSEG-3311/SEG-39216]
Real-time Anti-Malware scans are now supported for CloudLinux 6 (64-bit).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 6: [DS-25615/DSSEG-2995]
Deep Security Agent has been updated to support PFS cipher suites.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 7: [DS-26997/DSSEG-2788]
The Linux Deep Security Agent fresh install will not download the older version engine from iAU if the Deep Security Agent Anti-Malware module already includes the new engine.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 8: [DS-23497/DSSEG-2257]
The Anti-Malware engine offline error is not reported when the computer is preparing to shut down.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 9: [DSSEG-2746/SF00374619/SF00340345/00425845/00389528/SF179909/00368352/SF159145/SF318628/00513686/00528775/538145/441559/00611107]
In this release, the Deep Security Agent installer checks the installation platform to prevent installation of an agent that does not match the platform. This feature is supported on:
- Amazon Linux 2
- Red Hat Enterprise Linux 6 and 7
- CentOS 6 and 7
- Cloud Linux 7
- Oracle Linux 6 and 7
- SUSE Linux Enterprise Server 11 and 12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 10: [DSSEG-2274]
Deep Security Agent is now supported on Ubuntu 18.04.
This agent is compatible with the corresponding Deep Security Manager update.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.2 Resolved Known Issues
=====================================================================

This release resolves the following issues that were identified in previous versions of Deep Security:

Issue 1: [DS-33991]
Anti-Malware events displayed a blank file path with invalid Unicode encoding.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DS-33576]
On AIX servers, the Deep Security Agent processing of User and Group information for Integrity Monitoring leaked file descriptors. This led to an increasing number of file descriptors associated with the ds_agent process. This buildup of file descriptors could potentially cause creation of defunct processes, high memory usage for the ds_agent process, or a server restart.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DS-34289]
Using a default system language to set the locale on a Linux computer sometimes caused Anti-Malware to not function correctly.

Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DS-31614]
Certain data structures in the Deep Security Agent packet engine were cleaned up prematurely, leading to a kernel panic and system crash.

Solution 4: The code has been modified to address the premature data structure clean up.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [DSSEG-3777]
The Tbimdsa driver crashed due to an invalid IPv6 header.

Solution 5: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: [DS-32484]
The Deep Security Agent process potentially crashed when the detailed logging of SSL messages was enabled and output.

Solution 7: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 8: [DS-33738]
Deep Security Anti-Malware caused the 'fusermount' process to fail when mounting the filesystem.

Solution 8: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 9: [DS-32886]
Deep Security Agent real-time Anti-Malware scans didn't work correctly with Oracle Linux 6 64-bit and Oracle Linux 7 64-bit.

Solution 9: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 10: [DS-33736]
Deep Security Agent GSCH driver had an issue with another third-party file system.

Solution 10: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 11: [DS-33463/DSSEG-3480/SF01137463/SEG-34751]
Kernel panic occurred because of redirfs.

Solution 11: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 12: [DS-32634]
Deep Security Agent's Intrusion Prevention module silently dropped zero payload UDP packets.

Solution 12: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 13: [DS-31384]
When the Application Control driver failed to load (for example, if the driver was corrupted during a Deep Security Agent upgrade), the agent sent system events to Deep Security Manager repeatedly as it tried to reload the driver. The large number of generated events consumed database storage and made the System Events extremely slow to load.

Solution 13: This issue is fixed in this release. The Application Control driver loading exception is now tracked and the Application Control server is stopped after 5 failed attempts to load the driver.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 14: [DS-30702/DSSEG-2954]
Deployment of the Deep Security Agent on Amazon Linux 2 WorkSpaces sometimes failed.

Solution 14: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 15: [DS-30461]
When 'Reactivate unknown agents' was enabled, Deep Security Manager mistakenly reactivated the Deep Security Virtual Appliance or created a new computer using the Deep Security Virtual Appliance IP address.

Solution 15: This release includes new logic for recognizing the agent when processing heartbeats from the Deep Security Virtual Appliance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 16: [DS-30145/DSSEG-3039/SEG-39670]
An Integrity Monitoring rule could be triggered unintentionally when the prefix of its base directory path matched that of another rule. For example, if you had rules that monitored "c:\lab\" and "c:\lab1\", and added a file "c:\lab1\sample.txt", both rules would be triggered.

Solution 16: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 17: [DS-31934/DSSEG-3081/SF01339187/SEG-38497/SEG-33163]
An SAP system with Java running in a Linux environment failed to start when Deep Security Scanner returned an error code without an error message.

Solution 17: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 18: [DS-32865]
For Web Reputation, Deep Security Agent sent the incorrect credentials to the proxy, which returned HTTP 407.

Solution 18: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 19: [DSSEG-3536]
Every time a PowerShell script was executed, it would generate temporary files in the temp folder, which resulted in an excessive amount of drift and events being reported.

Solution 19: This issue is fixed in this release.
Added PowerShell to the list of trusted update rules for the files created in the temp folder to reduce the drift events being reported.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 20: [DSSEG-2954]
In a previous release, deployment of the Deep Security Agent on Amazon Linux 2 WorkSpaces sometimes failed.

Solution 20: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 21: [DS-18215]
When a Deep Security Agent had the relay feature enabled and then the agent was demoted to remove the relay while packages were being downloaded to the relay, those packages sometimes were not removed from the agent.

Solution 21: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 22: [DSSEG-1885/SEG-11876]
When SSL inspection was enabled on an SSL server, clients sometimes failed to establish an SSL session and a "Record Layer Message (not ready)" Intrusion Prevention event would occur.

Solution 22: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 23: [DS-19314/DSSEG-1825/3-1-1493237865/SEG-18925]
Anti-Malware scan inclusions and exclusions did not work when the path contained multi-byte characters.

Solution 23: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 24: [DS-12459/DSSEG-1411]
Agentless vMotion sometimes failed when there were more than two vNICs.

Solution 24: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 25: [DS-20256/DSSEG-2017]
The Linux syslog received many filp_open failure logs when the ds_agent Anti-Malware kernel module failed to open files.

Solution 25: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 26: [DS-20655/DSSEG-1992/SEG-22602]
Deep Security Agent incompatibilities with c5 and m5 instance types in AWS Elastic Compute Cloud (EC2) running Linux operating systems caused an issue where computers that failed to be correctly identified were activated outside of an AWS cloud connector, were not assigned EC2 metadata, and may not have been assigned the expected security policy. In these cases, assigning a security policy or relay groups based on EC2 metadata, using Event Based Tasks (EBTs) for example, was incorrect. In addition, consumption-based billing for large instances was incorrect. Existing EC2 instance types that have Deep Security Agents already installed or newly deployed are unaffected. For details, please refer to:
https://success.trendmicro.com/solution/1119433

Solution 26: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 27: [DS-14482/DSSEG-2076/SEG-23938/SEG-23938]
SSL/TLS compression was not disabled while initiating the SSL context for the DSA listening port (4118).

Solution 27: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 28: [DSSEG-3386/SEG-40130]
Deep Security Scanner encountered problems when an SAP client program created a large number of scan tasks.

Solution 28: Scanner has been improved and can now handle a larger number of scan tasks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 29: [DSSEG-3309]
Deep Security Agent real-time Anti-Malware scans and Application Control didn't work correctly with a Linux 4.18 kernel.

Solution 29: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 30: [DSSEG-3262/DSSEG-3267]
Deep Security Agent real-time Anti-Malware scans didn't work correctly with a Linux 4.12 kernel.

Solution 30: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 31: [DSSEG-3216]
When both Anti-Malware real-time scans and SAP scanner were enabled on a Windows computer that had SAP NetWeaver 7.5+ installed, a virus could be detected and quarantined, but the error code returned to SAP NetWeaver was not correct.

Solution 31: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 32: [DSSEG-3109]
A native Firewall could not be turned on/off automatically after the Deep Security Firewall module was enabled or its configuration was changed.

Solution 32: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 33: [DSSEG-3103]
In certain configurations, the Deep Security Agent kernel driver loaded an incorrect configuration, causing an OS crash.

Solution 33: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 34: [DSSEG-3123]
When real-time Anti-Malware scans were enabled on Linux, a lot of Linux Security Module logs were generated.

Solution 34: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 35: [DSSEG-3110]
A native Firewall could not be turned on/off automatically after the Deep Security Firewall module was enabled or its configuration was changed.

Solution 35: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 36: [DSSEG-2740/SF01098357/SEG-33956]
The Deep Security Agent process would crash due to a race condition in the Web Reputation Service rating thread when the protocol of the connection to the rating server (Smart Protection Server) was "https".

Solution 36: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 37: [DS-26701/DSSEG-2735/DSSEG-2801/SEG-34502]
When a TCP connection was established with the same tuples as a previously tracked one, the network engine could set the connection track to an incorrect status. This sometimes happened on a busy server where rapid connections reused a recycled connection. The network engine treated it as an "Out of connection" error and dropped the packet.

Solution 37: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 38: [DS-25216/DS-26455/DSSEG-2466/SEG-30270/SF00900562]
When a host machine's locale was not set to UTF-8, the Deep Security Agent installation would not complete and the agent could not be activated.

Solution 38: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 39: [DS-27157/DS-26152/DSSEG-2685/SEG-33407]
When Anti-Malware real-time driver initialization failed, the operating system sometimes crashed.

Solution 39: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 40: [DS-24621/DSSEG-2408/00863552/SEG-29915]
Deep Security Agent would sometimes crash when collecting truncated logs from the kernel module.

Solution 40: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 41: [DS-21921/DSSEG-2103/SEG-21286/00684294]
Real-time Anti-Malware scans sometimes caused a kernel panic on some specific file systems.

Solution 41: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 42: [DS-22485/DSSEG-2173/SEG-23387]
The Deep Security Agent query script, dsa_query.cmd or dsa_query.sh, would sometimes fail.

Solution 42: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 43: [DS-22321/DSSEG-2068]
If the Deep Security Agent failed to download the Kernel Support Package, the agent would not retry the download.

Solution 43: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 44: [DS-26232/DSSEG-2542/SEG-31883/SF00958979]
An invalid dentry object sometimes caused a kernel panic.

Solution 44: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 45: [DSSEG-2799/SEG-34463]
The Agent operating system could crash when Anti-Malware was enabled or the Agent was stopped.

Solution 45: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 46: [DS-27810/DSSEG-2835/SEG-33414/00854640]
The Deep Security Agent's CPU usage spiked every 10 seconds.

Solution 46: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 47: [DSSEG-2739/DSSEG-2810/DSSEG-2819/SF00874980/SEG-29750]
When Deep Security Agent was installed on a virtual machine (VM) and the VM was reverted to an earlier state, Log Inspection event data was not synchronized properly between the Deep Security Agent and Deep Security Manager.

Solution 47: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 48: [DS-24567/DSSEG-2417/00817382/SEG-26134]
When certain Intrusion Prevention rules for Oracle Database Server were enforced, the computer sometimes crashed due to an issue with the network filter driver.

Solution 48: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 49: [DSSEG-2306/SEG-26904]
When a security event syslog was forwarded directly from the Deep Security Agent to a syslog server, it contained an incorrect IPv6 address in the dvchost field.

Solution 49: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 50: [DSSEG-2411/DSSEG-2382/SEG-29766/SF00875293]
When Anti-Malware was enabled, a kernel panic sometimes occurred due to a memory allocation failure.

Solution 50: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 51: [DSSEG-2566]
When Firewall or Intrusion Prevention rules were assigned to specific network interfaces, it sometimes did not trigger network configuration recompilation, and the Deep Security Agent Network Engine wouldn't load the expected configuration.

Solution 51: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 52: [DSSEG-2333/SEG-26904]
When a security event syslog was forwarded directly from the Deep Security Agent to a syslog server, it contained an incorrect IPv6 address in the dvchost field.

Solution 52: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 53: [DSSEG-2304/00853021/SEG-28060]
After upgrading Deep Security Agent from version 9.6 to 10.0 on a Linux platform, the Component Set version was not updated, which caused the Security Update Status to display "Out-of-Date".

Solution 53: The Component Set version is updated when upgrading to Deep Security Agent 11.1.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 54: [DS-34175]
Deep Security Agent running on a Linux computer did not generate quarantine events for files with the detection name PACP_XXX.

Solution 54: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.3 Security Updates
=====================================================================

Security updates are included in this release. For more information about how we protect against vulnerabilities, visit https://success.trendmicro.com/vulnerability-response.

Update 1: [DS-27358/DSSEG-3452]
The version of SQLite used by the Deep Security Agent has been updated.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

4. Documentation Set
========================================================================

In addition to this readme.txt, the documentation set for this product includes the following:

- Information formerly contained in the Deep Security Installation Guides and Deep Security Administrator's Guide is now available on the Deep Security Help Center https://help.deepsecurity.trendmicro.com/12_0/on-premise/Welcome.html and includes:
  -- product overview, deployment plan, installation steps and basic information intended to help you smoothly deploy Deep Security.
  -- post-installation instructions on how to configure the settings to help you get Deep Security "up and running". Also includes instructions on performing other administrative tasks for the day-to-day maintenance of Deep Security.

- You can easily search the Help Center content or get context-sensitive help from your Deep Security Manager.

5. System Requirements
========================================================================

For a complete list of the system requirements, please refer to the Deep Security Help Center:
https://help.deepsecurity.trendmicro.com/12_0/on-premise/Get-Started/Install/system-requirements.html

6. Known Incompatibilities
========================================================================

There are no known incompatibilities for Deep Security 12.0.

7. Known Issues in Deep Security Agent 12.0
========================================================================

- Autofs is currently not supported for use when real-time Anti-Malware is enabled. If autofs is used with real-time Anti-Malware enabled, some mountpoints will not be unmounted successfully. (SEG-58841)

- Curly brackets ( { and } ) are not accepted characters for the passphrase of Credentials and the password of Proxy configuration.
  (SEG-49339/SEG-41886)

- Deep Security Agent real-time Anti-Malware scans do not work correctly on Debian 8 64-bit with non-default kernel configurations (for example, "/proc/sys/kernel/kptr_restrict" is 2). As a workaround, set the kernel configurations to default (for example, set "/proc/sys/kernel/kptr_restrict" to "1"). (DS-30602)

- In a Docker environment with an AUFS storage driver, Anti-Malware real-time scans sometimes detect and delete a virus directly from the Docker image rather than from the container folder. (DS-30295)

- When Anti-Malware real-time scanning performs a malware file clean-up action on GlusterFS servers, even when the malware is deleted or quarantined by Deep Security Agent, it may still appear on the servers as a harmless file. (DS-28923)

- Deep Security does a system hook at the Linux kernel level for real-time Anti-Malware, real-time Integrity Monitoring, and Application Control. When third-party software does a similar system hook, the Deep Security driver may not be unloaded correctly and you could encounter an incomplete uninstallation or upgrade. There are two workarounds to unload the driver:
  - Unload/uninstall the third-party software first. Enable one of the Deep Security modules (mentioned above) and then disable the module.
  - Reboot the host computer.
  (DS-28076)

- In a Red Hat Enterprise Linux 6 or a CentOS 6 environment, Integrity Monitoring events related to the following rule are displayed even if users or groups were not created or deleted: "1008720 - Users and Groups - Create and Delete Activity". (DSSEG-2387)

- When the same container is loaded and unloaded quickly, it may reuse the conntrack that was established in the previous container's traffic. Deep Security could pass or block the traffic unexpectedly. (DS-24489)

- After a relay is upgraded successfully and all software packages are imported into Deep Security Manager, users should wait at least ten minutes before upgrading agents.
  Otherwise, a "Software Update: Agent Software Upgrade Failed" error may occur. (DS-23195)

- A Deep Security Agent's Anti-Malware status sometimes displays as "offline" after the agent was stopped ungracefully during an OS shutdown. This issue is caused by the shutdown leaving a ds_am pid file in place that points to a process that is no longer running. (DSSEG-1958/SEG-20477)

- When FIPS 140-2 is enabled on Red Hat Enterprise Linux 7.0 (64-bit) kernel (3.10.0-123*), the installation of the Anti-Malware, Firewall, Intrusion Prevention, web reputation, and application control protection modules may fail due to a Linux kernel limitation. As a workaround, upgrade the system to a newer release to resolve this issue. However, if the Red Hat Enterprise Linux 7.0 kernel is part of the requirement and UEFI is used, you can enable Secure Boot on UEFI and enroll the Trend Micro Deep Security certificate to make the Linux kernel accept the kernel modules. Please refer to the Deep Security Help Center for more information. (DS-22034)

- When an agent with relay functionality is in the "Enabling" or "Disabling" state, the operation cannot be canceled. If the operation hangs in either of these states, the agent with the relay functionality needs to be deactivated and then reactivated. (DS-16407)

- When the Linux kernel on the Agent host is updated to a non-supported version, the DSA driver for Web Reputation, Anti-Malware and Intrusion Prevention modules will not be loaded and the modules will show as offline on the DSM UI. However the Web Reputation module is still shown as online. (DS-10586)

- There is no threshold limitation on the local DSA DB size when in Application Control Maintenance Mode, and currently no method of pruning. (DS-10961)

- When a virtual machine is added through vCloud connector, after vMotion from a protected ESXi host to an unprotected ESXi host, the virtual machine will not go from combined mode to Agent-only protection.
  [DS-558]

- When a virtual machine is added through vCloud connector, after vMotion from an unprotected ESXi host to a protected ESXi host, the virtual machine will not go from Agent-only protection to combined mode. [DS-557]

- Some platforms (e.g. Linux) do not distinguish network interfaces at the packet level when they are connected to the same network. When enabling "Policy -> Interface Types -> Rules can apply to specific interfaces" on these platforms, Firewall policies that attempt to distinguish between network interfaces connected to the same network will result in only one of the policies being applied. [29543]

- The Trusted Platform Module (TPM) monitoring does not work in a vSphere 6 environment. When enabled, the event "The vCenter sent empty or unreliable TPM information that has been ignored. This is only an issue if the problem persists" will appear. In rare circumstances, the value may also be unreliable in a vSphere 5.5 environment. VMware is already investigating this issue. [29268/27166]

- If the Integrity Monitoring feature in Combined Mode is disabled, the Deep Security Notifier status will display it as Not Capable instead of Not Configured. [29403]

- When doing vMotion of many simultaneous VMs, some of the VMs may appear as Anti-Malware Engine Offline after they move to the new host. This occurs because the DSM checked the status of the VMs during heartbeat before the vMotion finished. Doing another check status or waiting for the next heartbeat will fix the status. [28825]

- Deep Security Azure Connector does not identify virtual machines created by Azure Resource Manager, a.k.a. ARM VM (v2). DSA installed in an ARM VM will not be included in the Azure connector but in the normal computer list. This limitation will have no impact on security features provided by Deep Security. [29630]

- If vMotion occurs while an Anti-Malware scan is happening, there is a possibility that the scan will not continue after moving from one Agentless protected host to another.
  If you see an event saying "Manual Malware Scan Failure" or if you see a "Manual Malware Scan Started" without a corresponding "Manual Malware Scan Completed", then this means that the scan has stopped and did not finish. [28059]

- If the Deep Security Relay is down during deployment of Deep Security Virtual Appliance, it will fail to upgrade and will cause the vShield Endpoint to not register. Even after the Deep Security Virtual Appliance upgrade becomes successful, the vShield Endpoint will remain in a Not Registered state. Reactivating the Deep Security Virtual Appliance will resolve this issue. [28712]

- Deep Security Agent could not convert shift-jis encoded characters to UTF-8. Therefore, any folders named with shift-jis encoding will be skipped during Integrity Monitoring scanning. [28879]

- The CPU Usage (Agent only) setting under Manual and Scheduled Scan Configuration in the Deep Security Manager console is not working on SUSE 10 SP3 and SP4. [20717]

- Deep Security Agent may not successfully install on the first release of Ubuntu 12.04 without any updates and patches. [23797]

- CPU usage control in Scan for Integrity may not work after a reboot. Rebuild Integrity Baseline or reactivation will fix this. [20725/20563]

- In Linux platforms, some malware may not be detected if the DNS is very slow to respond to queries. [21208]

- Some security components of Deep Security Agent with Relay feature enabled may get removed unexpectedly after an update. As a workaround, retry the security update. [24004]

- The Deep Security Manager will display the platform of the agent package regardless of the platform where it is installed. For example, since the agent package used in CentOS and Red Hat are the same and labeled as Red Hat agent package, Deep Security Manager will display the platform as Red Hat. [21674/25156]

- Deep Security Agent running on SUSE in Azure cloud will not be managed under Azure cloud account in the Deep Security Manager.
The agent will appear under the normal computers list.

[26499] - After a Deep Security Virtual Appliance upgrade, the error "Exceeded maximum concurrent events" may be noticed in the /var/log/messages file and the status of the agentless protected guest virtual machines changes to "Anti-Malware Engine Offline". Rebooting the Deep Security Virtual Appliance will fix this issue.

[26361] - Intrusion Prevention is not supported over SSL connections when using IPv6.

- SYN Flood protection is only supported on versions 7.5 or earlier of the Windows Agents and on versions 7.5 or earlier of the Virtual Appliance. It is not supported on versions 7.5 Service Pack 1 or later of the Windows Agents or versions 7.5 Service Pack 1 or later of the Virtual Appliance. It is not supported on any versions of the Linux or Solaris Agents.

- Log entries (Firewall and IPS Events) for OUTGOING traffic show zeroed-out MAC addresses.

- When the network engine is working in TAP mode and the in-guest agent is offline, the Deep Security Virtual Appliance status will be "Stand By". When this occurs, Deep Security Virtual Appliance is actually online and IP/FW events will be logged when rules are triggered.

[10948] - Log Inspection event logs are limited to 6000 characters.


8. Files Included in This Release
========================================================================

This release is a complete installation.
Use one of the following files:

Agent-amzn1-12.0.0-364.x86_64.zip
Agent-amzn2-12.0.0-364.x86_64.zip
Agent-CloudLinux_7-12.0.0-364.x86_64.zip
Agent-Debian_7-12.0.0-364.x86_64.zip
Agent-Debian_8-12.0.0-364.x86_64.zip
Agent-Debian_9-12.0.0-364.x86_64.zip
Agent-Oracle_OL6-12.0.0-364.i386.zip
Agent-Oracle_OL6-12.0.0-364.x86_64.zip
Agent-Oracle_OL7-12.0.0-364.x86_64.zip
Agent-RedHat EL6-12.0.0.364xi386.zip
Agent-RedHat_EL6-12.0.0-364.x86_64.zip
Agent-RedHat_EL7-12.0.0-364.x86_64.zip
Agent-RedHat EL8-12.0.0.364x86_64.zip
Agent-SuSE 11 12.0.0.364.x86_32.zip
Agent-SuSE_11-12.0.0-364.x86_64.zip
Agent-SuSE_12-12.0.0-364.x86_64.zip
Agent-SuSE_15_12.0.0.364.x86_64.zip
Agent-Ubuntu_16.04-12.0.0-364.x86_64.zip
Agent-Ubuntu_18.04-12.0.0-364.x86_64.zip

To install Deep Security Agent on CentOS, use the Red Hat installer and package.

For Amazon EC2, use either the Red Hat Enterprise 6 Agent package (32-bit or 64-bit) or the SUSE 11 Agent package (64-bit), depending on the base operating system used by your Amazon AMI.

For a list of specific Linux kernels supported for each platform, see:
http://files.trendmicro.com/documentation/guides/deep_security/Kernel%20Support/12.0/Deep_Security_12_0_kernels_EN.html


9. Contact Information
========================================================================

A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via phone or email, or visit our website to download evaluation copies of Trend Micro products.

https://www.trendmicro.com/en_us/contact.html

NOTE: This information is subject to change without notice.


10. About Trend Micro
========================================================================

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.

Trend Micro, Deep Security, "deep security solutions", and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.


11. License Agreement
========================================================================

View information about your license agreement with Trend Micro at:
https://www.trendmicro.com/en_us/about/legal.html


12. Third Party Software
========================================================================

Deep Security employs the use of 3rd party binary distributions. The binary distributions are subject to the licenses available in the following directory:

[Install Directory]/licenses

Where 3rd party licenses require open access to their source code, Trend Micro will provide the necessary materials upon written request.

========================================================================
(C) 2019 Trend Micro Inc. All rights reserved. Published in Canada.