Trend Micro Incorporated                                   June 18, 2019
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Readme for Trend Micro (TM) Deep Security Agent 12.0 and
Deep Security Notifier 12.0 for Windows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This readme file was current as of the date above. However, all
customers are advised to check the Trend Micro website for documentation
updates.

GM release documentation:
https://help.deepsecurity.trendmicro.com/12_0/on-premise/Welcome.html

Patch/SP release documentation:
https://help.deepsecurity.trendmicro.com/software.html

TIP: Register online with Trend Micro within 30 days of installation to
continue downloading new pattern files and product updates from the
Trend Micro website. Register during installation or online at:
https://clp.trendmicro.com/FullRegistration?T=TM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deep Security Agent Platforms:

- Windows Server 2019 version 1809 (64-bit)
- Windows Server 2016 version 1607, 1709, or 1803 (64-bit)
- Windows Server 2012 or 2012 R2 (64-bit)
- Windows Server 2008 R2 (64-bit) (***)
- Windows Server 2008 (32-bit and 64-bit) (*) (***)
- Windows 10 version 1607, 1703, 1709, or 1803 (32-bit or 64-bit) (*)
- Windows 10 version 1809 or 1903 (64-bit)
- Windows 10 Embedded (64-bit)
- Windows 8.1 (32-bit and 64-bit) (*)
- Windows 8.1 Embedded (32-bit) (*)
- Windows 8 (32-bit and 64-bit) (*)
- Windows 7 (32-bit and 64-bit) (*)
- Windows 7 Embedded (32-bit) (*)
- Hyper-V on Windows 2016, 2012 R2, 2012, 2008 R2, 7, and 8.1 (**)

(*) Deep Security Relay is supported only on 64-bit versions.

(**) There is no agentless solution for Windows Hyper-V. The Agent
     installed on the Hyper-V hypervisor will only protect the
     hypervisor itself. In order to protect guest images running on
     Hyper-V an Agent must be installed on each Hyper-V guest.
     See Knowledge Base article
     https://success.trendmicro.com/solution/1103857 for more
     information. Deep Security Relay is not supported on these
     platforms.

(***) Full version only. Core version is not supported.

For a list of supported Deep Security features by software platform,
see:
https://help.deepsecurity.trendmicro.com/12_0/on-premise/supported-features-by-platform.html

Date: June 18, 2019
Release: 12.0
Build Version: 12.0.0-360
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the license agreement
and copied to the install directory.

For more information about the Trend Micro suite of Deep Security
products, visit our website at:
https://www.trendmicro.com/en_us/business/products/hybrid-cloud.html

Download the latest version of this readme from the Deep Security Help
Center, Software page:
https://help.deepsecurity.trendmicro.com/software.html

Trend Micro is always seeking to improve its documentation. If you have
questions, comments, or suggestions about this or any Trend Micro
documents, please contact us at docs@trendmicro.com. Your feedback is
always welcome.

Contents
===================================================================
 1. About Deep Security 12.0
    1.1 Overview of This Release
    1.2 Who Should Install This Release
 2. Release History
 3. What's New
    3.1 Enhancements
    3.2 Resolved Known Issues
    3.3 Security Updates
 4. Documentation Set
 5. System Requirements
 6. Known Incompatibilities
 7. Known Issues in Deep Security Agent 12.0
 8. Files Included in This Release
 9. Contact Information
10. About Trend Micro
11. License Agreement
12. Third Party Software
===================================================================

1. About Deep Security 12.0
========================================================================

1.1 Overview of This Release
=====================================================================

Deep Security 12.0 contains feature enhancements, bug fixes and
security updates.

For a complete list of the major changes in Deep Security 12.0, see the
"What's New?" page on the Deep Security Help Center:
https://help.deepsecurity.trendmicro.com/12_0/on-premise/whats-new.html

1.2 Who Should Install This Release
=====================================================================

You should install this release if you are currently running Deep
Security 10.0 Update 17, Deep Security 10.1, Deep Security 10.2, Deep
Security 10.3, Deep Security 11.0 Update 7, Deep Security 11.1, Deep
Security 11.2, or Deep Security 11.3. All new Deep Security users
should install Deep Security 12.0.

2. Release History
========================================================================

- Deep Security Agent 12.0, Build 12.0.0-360, June 18, 2019

3. What's New
========================================================================

3.1 Enhancements
=====================================================================

This release includes several new features that have been added since
Deep Security 11.0. For more information, visit our Help Center:
https://help.deepsecurity.trendmicro.com/12_0/on-premise/whats-new.html

Additional enhancements since Deep Security 11.0 include:

Enhancement 1: [DS-27501]
Delayed the Deep Security Agent Upgrade until you reboot the system to
reduce the Anti-Malware offline issues that were triggered when an
agent was upgraded.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 2: [DS-23497/DSSEG-2257]
The Anti-Malware engine offline error is not reported when the computer
is preparing to shut down.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 3: [DSSEG-2321/DSSEG-2770/DSSEG-2771/DSSEG-2769]
The Deep Security Agent installer no longer installs all feature
modules when the module plug-in files are located in the same folder as
the installer. The required plug-in files are downloaded from a Deep
Security Relay when a policy is applied to a protected computer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 4: [DSSEG-2703]
A report is created when Windows Anti-Malware encounters an
install/upgrade failure or error because of an interop or timing issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.2 Resolved Known Issues
=====================================================================

This release resolves the following issues that were identified in
previous versions of Deep Security:

Issue 1: [DS-33576]
On AIX servers, the Deep Security Agent processing of User and Group
information for Integrity Monitoring leaked file descriptors. This led
to an increasing number of file descriptors associated with the
ds_agent process. This buildup of file descriptors could potentially
cause creation of defunct processes, high memory usage for the ds_agent
process, or a server restart.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-3777]
The Tbimdsa driver crashed due to an invalid IPv6 header.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DS-31614]
Certain data structures in the Deep Security Agent packet engine were
cleaned up prematurely, leading to a kernel panic and system crash.

Solution 3: The code has been modified to address the premature data
structure cleanup.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DS-33843]
Integrity Monitoring events showed an incorrect file path with Unicode
encoding.

Solution 4: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [DS-29167]
Installation or uninstallation of the Deep Security network driver on
Windows Server 2019 caused an interruption to current connections.

Solution 5: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [DS-33459]
The "Smart Protection Server Disconnected for Smart Scan" alert did not
automatically clear after the connection had been restored.

Solution 6: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: [DS-32484]
The Deep Security Agent process potentially crashed when detailed
logging of SSL messages was enabled and output.

Solution 7: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 8: [DS-32634]
Deep Security Agent's Intrusion Prevention module silently dropped zero
payload UDP packets.

Solution 8: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 9: [DS-31384]
When the Application Control driver failed to load (for example, if the
driver was corrupted during a Deep Security Agent upgrade), the agent
sent system events to Deep Security Manager repeatedly as it tried to
reload the driver. The large number of generated events consumed
database storage and made the System Events extremely slow to load.

Solution 9: This issue is fixed in this release. The Application
Control driver loading exception is now tracked and the Application
Control server is stopped after 5 failed attempts to load the driver.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 10: [DS-30145/DSSEG-3353/DSSEG-3177/SEG-39670]
An Integrity Monitoring rule could be triggered unintentionally when
the prefix of its base directory path matched that of another rule. For
example, if you had rules that monitored "c:\lab\" and "c:\lab1\", and
added a file "c:\lab1\sample.txt", both rules would be triggered.

Solution 10: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 11: [DS-30461]
When 'Reactivate unknown agents' was enabled, Deep Security Manager
mistakenly reactivated the Deep Security Virtual Appliance or created a
new computer using the Deep Security Virtual Appliance IP address.

Solution 11: This release includes new logic for recognizing the agent
when processing heartbeats from the Deep Security Virtual Appliance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 12: [DS-27215]
When upgrading Deep Security Agent, the operating system would
sometimes reboot automatically.

Solution 12: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 13: [DS-32865/DSSEG-3470/SEG-45004/SF01704358]
For Web Reputation, Deep Security Agent sent the incorrect credentials
to the proxy, which returned HTTP 407.

Solution 13: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 14: [DSSEG-3536/SEG-44773/SF01633410]
Every time a PowerShell script was executed, it generated temporary
files in the temp folder, which resulted in an excessive amount of
drift and events being reported.

Solution 14: This issue is fixed in this release. PowerShell has been
added to the list of trusted update rules for the files created in the
temp folder to reduce the drift events being reported.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 15: [DSSEG-2962/SF01337805/SEG-38476]
When the Anti-Malware module could not recognize one of its digital
signatures, it crashed.

Solution 15: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 16: [DS-30834/DSSEG-3332/SEG-41367]
Due to a side effect from a previous fix, the Network Filter Driver
would pass packets through a broadband wireless interface.

Solution 16: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 17: [DS-28644/DSSEG-3215]
When both Anti-Malware real-time scans and SAP scanner were enabled on
a Windows computer that had SAP NetWeaver 7.5+ installed, a virus could
be detected and quarantined, but the error code returned to SAP
NetWeaver was not correct.

Solution 17: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 18: [DS-30637/DSSEG-3144/SF01350094/SEG-39265]
When a system boots up, both the Deep Security Agent and Anti-Malware
engine (AMSP service) are started. The AMSP service sometimes takes
longer to initialize than the agent. If the agent launched a security
update task before the AMSP initialization was finished, the update
task failed with the error "Anti-Malware Engine Offline".

Solution 18: This issue is fixed in this release. If the AMSP service
starts normally (within approximately 180 seconds), the pattern update
will be successful.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 19: [DSSEG-727/DSSEG-3110]
A native Firewall could not be turned on/off automatically after the
Deep Security Firewall module was enabled or its configuration was
changed.

Solution 19: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 20: [DSSEG-2608/DSSEG-2758]
When upgrading Deep Security Agent, the operating system would
sometimes reboot automatically.

Solution 20: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 21: [DS-29553/DSSEG-2740/SF01098357/SEG-33956]
The Deep Security Agent process would crash due to a race condition in
the Web Reputation Service rating thread when the protocol of the
connection to the rating server (Smart Protection Server) was "https".

Solution 21: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 22: [DS-26701/DSSEG-2735/DSSEG-2801/SEG-34502]
When a TCP connection was established with the same tuples as a
previously tracked one, the network engine could set the connection
track to an incorrect status. This sometimes happened on a busy server
where rapid connections reused a recycled connection. The network
engine treated it as an "Out of connection" error and dropped the
packet.

Solution 22: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 23: [DS-25216/DS-26455/DSSEG-2466/SEG-30270/SF00900562]
When a host machine's locale was not set to UTF-8, the Deep Security
Agent installation would not complete and the agent could not be
activated.

Solution 23: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 24: [DS-24885/DSSEG-2228/SEG-23148/SF00700687]
The Anti-Malware module validates each process by querying the file's
signature information, but the query may take a long time in certain
environments, causing the computer to slow down.

Solution 24: This issue is fixed in this release. To prevent the
computer from slowing down, there is a new timeout value for the
signature query.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 25: [DS-22485/DSSEG-2173/SEG-23387]
The Deep Security Agent query script, dsa_query.cmd or dsa_query.sh,
would sometimes fail.

Solution 25: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 26: [DS-27810/DSSEG-2835/SEG-33414/00854640]
The Deep Security Agent's CPU usage spiked every 10 seconds.

Solution 26: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 27: [DSSEG-2739/DSSEG-2810/DSSEG-2819/SF00874980/SEG-29750]
When Deep Security Agent was installed on a virtual machine (VM) and
the VM was reverted to an earlier state, Log Inspection event data was
not synchronized properly between the Deep Security Agent and Deep
Security Manager.

Solution 27: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 28: [DS-24567/DSSEG-2417/00817382/SEG-26134]
When certain Intrusion Prevention rules for Oracle Database Server were
enforced, the computer sometimes crashed due to an issue with the
network filter driver.

Solution 28: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 29: [DSSEG-2184/SEG-24555/SF00745590/SEG-24082]
When the Anti-Malware module attempts to remove files or folders but
encounters an error, it adds a registry entry indicating that the files
should be removed the next time the computer reboots. However, the
Anti-Malware module sometimes created a registry entry when attempting
to remove temp files, which might no longer exist. This caused
third-party applications to sometimes prompt users to reboot
unnecessarily.

Solution 29: The version of AMSP used by this release fixes this issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 30: [DSSEG-2248/00822625/SEG-27661]
When a user configured a Firewall bypass rule with a port range
containing port 65535, the Deep Security Agent configuration sometimes
failed to compile.

Solution 30: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 31: [DSSEG-2306/SEG-26904]
When a security event syslog was forwarded directly from the Deep
Security Agent to a syslog server, it contained an incorrect IPv6
address in the dvchost field.

Solution 31: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 32: [DSSEG-2484/SF00600663/SEG-16112]
When a malware scan configuration included a "Process Image File List"
scan exclusion, and that list included an item on a network drive, all
entries in the list were not applied correctly.

Solution 32: The Anti-Malware module has been improved. When a "Process
Image File List" contains an item on a network drive, that entry is
ignored, but other valid entries are applied successfully.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 33: [DSSEG-2513]
When the Anti-Malware or Firewall features were enabled, Deep Security
Agent was not registered to the Windows Security Center on Windows 10
version 1803 (April 2018 Update). This caused the status of
Anti-Malware and Firewall to be incorrect in the Windows Security
Center and Windows Defender Security Center.

Solution 33: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 34: [DSSEG-2566]
When Firewall or Intrusion Prevention rules were assigned to specific
network interfaces, it sometimes did not trigger network configuration
recompilation, and the Deep Security Agent Network Engine wouldn't load
the expected configuration.

Solution 34: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 35: [DSSEG-2086/SEG-21208]
Deep Security Agent restarted abnormally along with an "Unable to send
data to Notifier app." error message in ds_agent.log.

Solution 35: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 36: [DS-14544]
A new Anti-Malware module was introduced in Deep Security 10.2 for
Windows. When Anti-Malware scans were enabled on a Windows platform, a
system reboot was required after upgrading the Deep Security Agent from
a pre-10.2 version. Before the system reboot, you may have seen
intermittent Error alert(s) transactions that could be ignored.

Solution 36: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.3 Security Updates
=====================================================================

Security updates are included in this release. For more information
about how we protect against vulnerabilities, visit
https://success.trendmicro.com/vulnerability-response.

Update 1: [DSSEG-3452]
The version of SQLite used by the Deep Security Agent has been updated.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

4. Documentation Set
========================================================================

In addition to this readme.txt, the documentation set for this product
includes the following:

- Information formerly contained in the Deep Security Installation
  Guides and Deep Security Administrator's Guide is now available on
  the Deep Security Help Center
  https://help.deepsecurity.trendmicro.com/12_0/on-premise/Welcome.html
  and includes:

  -- product overview, deployment plan, installation steps and basic
     information intended to help you smoothly deploy Deep Security.

  -- post-installation instructions on how to configure the settings to
     help you get Deep Security "up and running". Also includes
     instructions on performing other administrative tasks for the
     day-to-day maintenance of Deep Security.

- You can easily search the Help Center content or get
  context-sensitive help from your Deep Security Manager.

5. System Requirements
========================================================================

For a complete list of the system requirements, please refer to the
Deep Security Help Center:
https://help.deepsecurity.trendmicro.com/12_0/on-premise/Get-Started/Install/system-requirements.html

6. Known Incompatibilities
========================================================================

1. Resonate Load Balancer (5.0.1)
   Deep Security Agents Affected: All
   Issue: Environments in which the Resonate load balancing software is
   installed may experience a loss of Resonate functionality when the
   Deep Security Agent is installed.
   Resolution: Restart the Resonate Central Dispatch Controller
   services.

2. Trend Micro Client Server Messaging Security for SMB
   Deep Security Agents Affected: All
   Issue: Connectivity issues have been noted when running versions of
   Trend Micro Client Server Messaging Security for SMB that are older
   than Version 3.5 Build 1113.
   Resolution: Upgrade Trend Micro Client Server Messaging Security for
   SMB to Version 3.5 Build 1138 or higher.

3. Realtek RTL8169/8110 Family Gigabit Ethernet NIC
   Deep Security Agents Affected: All
   Issue: Issues have been noted when using Version 5.663.1212.2006 of
   the Realtek Gigabit Ethernet NIC.
   Resolution: To resolve these issues, upgrade the driver to the
   latest version.

4. Intel(R) PRO/100+ Dual Port Server Adapter
   Deep Security Agents Affected: All
   Issue: Issues have been noted when using Intel NIC cards with driver
   versions lower than 8.0.17.0.
   Resolution: To resolve the issue, upgrade the driver to version
   v8.0.19 or higher.

5. Wireshark
   Deep Security Agents Affected: All when installed in Windows 7, 2008
   and 2008 R2.
   Issue: When Wireshark is monitoring packets, outgoing packets are
   incorrectly presented through the NdisFilterRecv path, which is the
   path for incoming packets.
   Resolution: Use Microsoft Network Monitor instead when doing packet
   capture.

6. Windows Defender
   Deep Security Agents Affected: All
   Issue: Application Control is not compatible with Windows Defender.
   Running both can result in severe performance impacts. However, if
   both Application Control and Anti-Malware are enabled, then Deep
   Security will automatically disable Windows Defender for normal
   operation.
   Resolution: Disable Windows Defender. (DS-12890)

7. Known Issues in Deep Security Agent 12.0
========================================================================

- When the Network Directory Scan function is enabled in the Real-Time
  Scan configuration and a virus is detected while scanning a network
  folder, the DSA may show some "clean failed" (delete failed) events.
  This happens on all Windows platforms. (DS-29339)

- Curly brackets ( { and } ) are not accepted characters for the
  passphrase of Credentials and the password of Proxy configuration.
  (SEG-41886/SEG-49339)

- Deep Security does not report its Anti-Malware and Firewall status to
  Windows Security Center (WSC) on Windows Server 2019. WSC does not
  show any Deep Security information for "Virus & threat protection" or
  "Firewall & network protection". You can check the status of those
  protection modules in Deep Security Manager or in the Deep Security
  Notifier on the agent computer. (DS-28667)

- After a relay is upgraded successfully and all software packages are
  imported into Deep Security Manager, users should wait at least ten
  minutes before upgrading agents. Otherwise, a "Software Update: Agent
  Software Upgrade Failed" error may occur. (DS-23195)

- On a Windows 10 computer with Microsoft Application Virtualization
  (App-V) enabled, if you enable Deep Security Anti-Malware protection,
  the Deep Security Agent may display the message "A computer reboot is
  required to complete an Anti-Malware cleanup or restoration task".
  The App-V client service must be restarted to enable Anti-Malware
  scanning on the virtual drive. (DS-22761)

- If you activate a Deep Security Agent on an AWS WorkSpace and apply a
  policy that uses the default Firewall rules, the workspace will
  become "unhealthy". You must alter the policy to allow access to the
  ports required by WorkSpaces. (DS-17460)

- Disabling the relay feature on a Windows 10 agent can sometimes take
  more than ten minutes to complete.
  (DS-18685)

- When an agent with relay functionality is in the "Enabling" or
  "Disabling" state, the operation cannot be canceled. If the operation
  hangs in either of these states, the agent with the relay
  functionality needs to be deactivated and then reactivated.
  (DS-16407)

- Advanced threat detection (machine learning) does not detect threats
  on USB storage devices on Windows 7. (DS-17536)

- Application Control is not supported with 32-bit versions of Deep
  Security Agent. However, Deep Security 10.1 and 10.2 would download
  the Application Control component to 32-bit agents even though it did
  not work. The presence of this component can cause an upgrade failure
  when upgrading the Deep Security Agent to version 11.0 or higher. To
  fix this issue:

  1. In Deep Security Manager, disable Application Control for the
     agents that need to be upgraded.
  2. As a user with the appropriate administrative access, remove the
     Application Control security module component files from the agent
     installation folder (on Windows, the installation folder is
     typically c:\Program Files\Trend Micro\Deep Security Agent). You
     will need to remove:
       /dep/ac.deplua
       /lib/ac.dll
       /ext/ac.dse
       /ext/ac.dse.version
  3. Restart the agent software by performing a restart of the agent
     node.
  4. Upgrade the agent package to Deep Security Agent 11.0 or higher.

  (DS-22499/DS-15695)

- Application Control build inventory, which happens after enabling
  Application Control, will take longer to finish on Windows Server
  2008 R2 compared to other supported platforms. (DS-13120)

- If you have created an Application Control block rule for a batch
  file or PowerShell script, you will not be able to copy, move, or
  rename the file using its associated interpreter (powershell.exe for
  PowerShell scripts or cmd.exe for batch files). (DS-13253)

- Application Control build inventory, which happens after enabling
  Application Control, will be slower when TiWorker.exe is running.
  TiWorker.exe is the Windows Modules Installer Worker, which is used
  when performing Windows updates. (DS-14313)

- When Application Control is configured to "Block unrecognized
  software until it is explicitly allowed", you will not be able to
  upgrade or uninstall the Deep Security Agent on that computer. To
  unblock the procedure, enable maintenance mode. (DS-14369)

- In rare circumstances, Anti-Malware could go offline after the Deep
  Security Agent finishes upgrading. When you check the Windows
  Application events log, it will show that
  Microsoft-Windows-RestartManager has stopped the Anti-Malware
  Solution Platform (AMSP) and Trend Micro Solution Platform service,
  and the service will need to be restarted. See:
  https://success.trendmicro.com/solution/1117465 for more details.
  (DS-11331)

- When the Anti-Malware protection module is installed by enabling
  Anti-Malware protection on a DSA for the first time on Windows 2016,
  the Windows Defender service will be stopped, a reboot message will
  pop up on Windows 2016 and a reboot-required event will be displayed
  on the DSM. After this first time, changing the computer's policy to
  disable and re-enable Anti-Malware will not show the reboot-required
  messages. It is strongly recommended to reboot Windows Server 2016 if
  the Windows Defender service is stopped by the DSA Anti-Malware
  policy. (DS-10389)

- Customers should only run one Trend Micro Anti-Malware module on a
  protected computer. When Deep Security Agent is to be deployed,
  administrators should ensure that other Trend Micro products such as
  OfficeScan are uninstalled. If the Deep Security Agent Anti-Malware
  module goes offline because another product is installed, you will
  need to remove OfficeScan and reinstall the agent. One exception to
  this is Trend Micro Endpoint Sensor (TMES), which is compatible with
  the Deep Security Agent Anti-Malware feature enabled on Windows
  Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 only.
  (DS-2846)

- Windows XP Embedded is not a supported DSA platform in this version.
  Customers running Windows XP Embedded should continue to use the
  latest 9.6 SP1 Agent version. (DS-10558)

- For Windows Server 2008 operating in an environment without an
  internet connection, when DSA 9.x Agents with an Anti-Malware policy
  assigned are upgraded to DSA 10.0 or higher, the Agent may upgrade
  successfully but the AMSP (Anti-Malware protection) version still
  remains at v2.6.x. The computer status on DSM and DSA Notifier will
  show AM offline, and the following error message is generated:
  Anti-Malware Windows Platform Update Failed. This is because the
  Trusted Root Certificate cannot be verified without an internet
  connection.

  Troubleshooting:
  1. Do not attempt to uninstall the agent. (If you tried this and the
     Anti-Malware module could not be removed, then you should
     re-install the original version of the agent before proceeding.
     Hint: To find the version number of your previous agent, log in to
     the Deep Security Manager and search the Computer's Events for
     "Update: Summary Information".)
  2. Reactivate the agent from the Deep Security Manager and the agent
     should return to Managed (Online).
  3. Obtain and import the certificate "VeriSign Class 3 Public Primary
     Certification Authority - G5".

  (DS-9981)

- While upgrading to DSA 10.0 or higher from a previous version, the
  Anti-Malware module may fail to upgrade because the certificate of
  dsuam.exe (which is processing the AMSP upgrade) cannot be verified.
  The following event would be received:
  Event ID 935 Software Update: Anti-Malware Windows Platform Update
  Failed.
  This issue impacts systems on Windows Server 2008, and in an
  environment disconnected from the internet. Other OSs (such as
  Windows 7 and Server 2008 R2 and above) do not have this issue. The
  problem occurs because legacy and disconnected systems cannot
  download the new root VeriSign certificate from the Internet.
  The certificate is required to perform the agent upgrade with
  Anti-Malware. This is a security enhancement to ensure only certified
  applications can process AM upgrades. System administrators in a
  disconnected environment are advised to ensure the availability of
  "VeriSign Class 3 Public Primary Certification Authority - G5" in
  "Trusted Root Certification Authorities".

  Workaround (if Deep Security Agent is not upgraded):
  1. Download verisign_g5.cer and save it to the machine to be
     upgraded, or download the G5 root certificate from
     https://www.websecurity.symantec.com/theme/roots
  2. Log in as a system administrator and run:
       certutil -addstore "Root" verisign_g5.cer
  3. For systems such as XP and 2003, use the MMC.exe console, add the
     "Certificates" snap-in, and import the certificate to "Trusted
     Root Certification Authorities".

  Troubleshooting (if agent is already upgraded to 11.0 or higher but
  Anti-Malware failed to upgrade):
  1. Re-install the old version of the agent. To find the version of
     the previous agent, search "Update: Summary Information" from
     "Events" of the machine from the Deep Security Manager.
  2. Reactivate the agent from Deep Security Manager. The agent should
     return to Managed (Online).
  3. Import "VeriSign Class 3 Public Primary Certification Authority -
     G5".

  (DS-9020)

- Anti-Malware endpoint correlation on Windows does not generate hash
  values. When Anti-Malware File Hash Calculation is enabled, the
  following cases may still not generate related hash values:
  1. Multiple Spyware detections
  2. Trojan detections with multiple files cleaned
  3. Endpoint Correlation detection
  4. Windows XP SP2 doesn't natively support SHA256 and no SHA256 value
     will be generated
  5. Anti-exploit may calculate the hash values of the victim file
     instead of the malware file

  Note: an Anti-exploit detection is often a victim file instead of a
  malware file; the hash values of the victim file must be used
  carefully.
(DS-9573)

- Anti-Malware Memory Scan is not supported on Windows XP and 2003 x64 platforms. (DS-8630)

- Under certain circumstances the DSA may fail to upgrade while the Windows Process Explorer tool is running on the DSA machine. This issue is isolated to the following conditions only:
  1. An Administrator is not logged in to the DSA computer
  2. UAC (User Access Control) is enabled on the DSA computer
  3. Process Explorer tool is running (and is not being run by the Administrator account)
  (DS-5788)

- When upgrading from Deep Security Agent 9.6 SP1 Patch 1 U5 with Anti-Malware enabled to Deep Security Agent 10.2 or higher on Windows 8, Windows 8.1, Windows 10, Windows 10 TH2, Windows 10 RS1, Windows 2012, Windows 2012 R2, or Windows 2016, a reboot will be required to complete the upgrade. When upgrading from other earlier versions of Deep Security Agent on Windows platforms, a reboot may also be required. If a reboot is necessary, a "Computer Reboot Required" event will be displayed on the DSM and a popup notification will be displayed on the host. (DS-3590)

- In the Windows Control Panel "Notification Area Icons" settings, Deep Security Notifier will remain listed even after uninstalling Deep Security. This is a known issue in Windows that also affects other products. (DS-1300)

- Full Windows administrative privileges are required to install the Agent to a non-default installation path. (DS-1191)

- In some circumstances, the Windows DSA uninstallation process may hang if there are quarantined files on the system.

  Workaround Steps:
  1. Cancel this uninstallation
  2. Delete quarantined files manually. Quarantined files are stored at C:\ProgramData\Trend Micro\AMSP\quarantine or C:\Documents and Settings\All Users\Application Data\AMSP\quarantine.
  3. Uninstall the DSA
  (DS-874)

- The Deep Security Notifier icon may sometimes disappear on Windows 10.
(DS-1301)

- When a virtual machine is added through vCloud connector, after vMotion from a protected ESXi host to an unprotected ESXi host, the virtual machine will not go from combined mode to Agent-only protection. (DS-558)

- When a virtual machine is added through vCloud connector, after vMotion from an unprotected ESXi host to a protected ESXi host, the virtual machine will not go from Agent-only protection to combined mode. (DS-557)

- On Windows Agents, if the Anti-Malware (AMSP) service is still starting up when the DSM sends a new policy switching Smart Scan on/off, it will return the warning message: "Security Update: Pattern Update on Agents/Appliances Failed".

  NOTE: This warning is not an AMSP offline/failure. The Anti-Malware protection is still active with the warning. Administrators need to manually clear the warning since the DSM will not clear it automatically. (DS-4101)

- The Deep Security Notifier system tray icon may not appear after installation if multiple users are logged in to Windows. Logging off and logging back in or manually executing the notifier.exe will make the system tray icon appear. [DS-602]

- Deep Security Agent does not support Code Integrity checking on Windows 10 hosts (32- or 64-bit platforms). Enabling Code Integrity checking on Windows 10 hosts with the Deep Security Agent installed may cause a Blue Screen error. [DS-883, DS-254]

- In rare circumstances, when enabling the Anti-Malware feature on a Deep Security Agent running on Windows XP, the AMSP service installation may fail with the error message "AMSP error code (0x20ff0000)". As a workaround, reinstall the Deep Security Agent. [29436]

- On Windows 32-bit platforms, there is a configuration limit of 20MB because of the smaller kernel memory available on these platforms. The event "Agent configuration package too large" may appear if there are too many rules enabled on the Deep Security policy being assigned.
  This may be fixed by trimming down the Intrusion Prevention rules strictly to Recommended for Assignment only. [27162]

- If the Integrity Monitoring feature in Combined Mode is disabled, the Deep Security Notifier status will display it as Not Capable instead of Not Configured. [29403]

- Deep Security Azure Connector does not identify virtual machines created by Azure Resource Manager, a.k.a. ARM VM (v2). A DSA installed in an ARM VM will not be included in the Azure connector but in the normal computer list. This limitation will have no impact on security features provided by Deep Security. [29630]

- Deep Security Agent cannot convert shift-jis encoded characters to UTF-8. Therefore, any folders named with shift-jis encoding will be skipped during Integrity Monitoring scanning. [28879]

- If agentless Anti-Malware real-time protection is turned off, the notifier will not get any status updates from the appliance. It will then turn off Antivirus protection in the Windows Action Center. [29230/29574]

- When you deactivate the Deep Security Virtual Appliance or agentless protection, the notifier will not be able to get any status from the Deep Security Virtual Appliance. The notifier knows that Anti-Malware is not working so it will turn it off in the Windows Action Center. It does not know the status of the Firewall so it will leave the Firewall status in the Windows Action Center in its last known state. [29230/29574]

- The Deep Security Notifier installed in the virtual machines should be upgraded to correctly display the status of protection, especially when using Combined Mode. [28557]

- Deep Security does not support switching the Windows 2012 server mode between Server Core and Full (GUI) modes after the Deep Security Agent is installed. [28481]

- If you are using Server Core mode in a Hyper-V environment, you will need to use Hyper-V Manager to remotely manage the Server Core computer from another computer.
  When the Server Core computer has the Deep Security Agent installed and Firewall enabled, the Firewall will block the remote management connection. To manage the Server Core computer remotely, turn off the Firewall module. [28481]

- Hyper-V provides a migration function used to move a guest VM from one Hyper-V server to another. The Deep Security Firewall module will block the connection between Hyper-V servers, so you will need to turn off the Firewall module to use the migration function. [28481]

- Deep Security Agent does not support scanning a mounted network folder (SMB) on the following Windows platforms:

    Windows 2012 Server R2 (64-bit)
    Windows 2012 Server (64-bit)
    Windows 8.1 (32/64-bit)
    Windows 8 (32/64-bit)
  [22016]

- When using agentless protection in an NSX environment, Deep Security Notifier will not work if only the WRS feature is turned on. Agentless Anti-Malware must be enabled for Deep Security Notifier to work. [22210]

- The Relay feature uses TCP port 4122. When enabling the relay feature, make sure TCP port 4122 is allowed in any Firewall being used. [22749]

- The Deep Security Agent Anti-Malware files and folder might not get removed on upgraded agents when an uninstall is performed. This only happens when the Anti-Malware feature is enabled then disabled before upgrading and the Anti-Malware feature was never enabled before uninstalling. When this happens, follow the manual uninstall procedures in http://esupport.trendmicro.com/solution/en-US/1096150.aspx to completely uninstall. [21716]

- Some Anti-Malware events are not generated when the built-in Windows decompress tool is used. This issue does not happen when using a 3rd party decompress tool. [23055]

- Windows Add/Remove Programs or Programs and Features doesn't show the exact version of the Deep Security Agent. The Deep Security Agent version consists of major.minor.sp-build but Windows only shows it as major.minor.build. [21990]

- CPU usage control in Scan for Integrity may not work after a reboot.
  Rebuilding the Integrity Baseline or reactivation will fix this. [20725/20563]

- During Anti-Malware real time scan, Deep Security Agent may sometimes produce multiple Delete Failed events even when the deletion was successful. This rarely occurs, but it happens when the file is temporarily locked by another process. [23520]

- When upgrading Deep Security Agent on Windows 2012, an error message saying "Service Trend Micro Deep Security Agent (ds_agent) could not be installed. Verify that you have sufficient privileges to install system services." may appear. This may be fixed by running the Windows Update troubleshooter in http://support.microsoft.com/kb/910336. [23728]

- Deep Security Notifier will show the status of Intrusion Prevention as Not Configured if the IPS has no rules assigned, even if it's On. [22938]

- Some security components of Deep Security Agent with Relay feature enabled may get removed unexpectedly after an update. As a workaround, retry the security update. [24004]

- Upgrading to Deep Security Agent 9.5 or later by running a deployment script on an AWS instance that already has Deep Security Agent 9.0 will not work. Deep Security Agent upgrade must be done from the Deep Security Manager. [25598]

- After Deep Security Agent upgrade, the event "Abnormal Restart Detected" may appear. The upgrade is not affected and the event may be safely ignored. Use Clear Warnings and Errors and perform a Check Status to reflect the actual status of the agent. [26619]

- In some cases, a laptop computer has the "Microsoft Virtual Wi-Fi Miniport Adapter" option enabled. Such devices, used for creating Wi-Fi hotspots (ad hoc networks) through the wireless adapter, would enable both the real device for the true wireless connection and the "Microsoft Virtual Wi-Fi Miniport Adapter" for the ad hoc connections, with the same MAC address. This triggers Deep Security Agent on such laptop computers to request an interface update on every heartbeat.
[17502]

- In a cloud provider environment, if the "Enable regular synchronization with Cloud Provider" option is disabled, changing the Deep Security Agent hostname will disrupt the communication between Deep Security Manager and Deep Security Agent. Trend Micro strongly recommends keeping the "Enable regular synchronization with Cloud Provider" option ON. [15608]

- On Windows Server 2008 and Windows Server 2012, after installing Deep Security Manager with a co-located Relay, the Deep Security Notifier icon does not automatically show up in the Windows notification area. However, Deep Security Notifier will still work. Users need to re-launch Deep Security Notifier from the "Start" menu or restart the system. [17533]

- The following system event log appears when you install Deep Security Agent on Windows Server 2008 or Windows 7:

  "The Trend Micro Deep Security Agent service is marked as an interactive service. However, the system is configured not allow interactive services. This service may not function properly."

  This is a normal warning on these platforms. Windows does not allow services to interact with the user's desktop on these platforms, so the operating system displays the warning when Deep Security Agent tries to use interactive services. This desktop interaction feature is used by the Deep Security Agent to provide the restart notice on earlier versions of Windows. The warning message can be safely ignored. [Deep Security 8.0 Tier 2-00253]

- You may sometimes encounter problems while upgrading the Deep Security Agent. The problem is related to the timing of the VC RTL assemblies being published to WinSxS, but it only seems to cause trouble if the version of the RTL is not changing. The root cause is some corrupted Windows components.
  To work around this, you can either run the Windows System File Checker (sfc.exe) to repair the operating system, or install the Microsoft Visual C++ Redistributable Package from the following URL before starting the upgrade procedure again.

  http://www.microsoft.com/download/en/details.aspx?id=26347

  After installing the package from Microsoft, you should restart the computer or else the upgrade may still fail. To recover from this, you can install the package, re-run the installer and restart the computer. [Deep Security 8.0-01044]

- Intrusion Prevention (DPI) is not supported over SSL connections when using IPv6.

- When running an Anti-Malware Manual Scan with Smart Scan enabled, if the Deep Security Agent cannot contact the Smart Scan server, the resulting error event will indicate a "Real-Time" scan type instead of "Manual". [Deep Security 8.0 Tier 2-00024]

- If network connectivity is lost for an extended period of time during a Deep Security Agent upgrade, you may need to restart the host machine.

- It is possible that NDIS drivers will stop responding during Deep Security Agent installation or uninstallation if they do not properly free packets when requested to unbind. Deep Security Agent with NDIS 5.1 or NDIS 6.0 driver can free all packets correctly before upgrading or uninstalling. However, when installing or uninstalling NDIS drivers, Microsoft requires that all NDIS drivers be unbound and then rebound. This means that if other third-party NDIS drivers do not properly free packets, it is still possible for the Deep Security Agent install, upgrade, or uninstall process to stop responding. This is beyond Trend Micro's control and will only happen rarely. If this does occur then you can restart the computer and try to install, uninstall, or upgrade Deep Security Agent again.

- Log Inspection Event logs are limited to 6000 characters.

- When the network engine is working in TAP mode and the in-guest Agent is offline, the Deep Security Virtual Appliance status will display "Stand By". However, the Deep Security Virtual Appliance is actually online and IP/FW event logs are still generated as rules are triggered. [10948]


8. Files Included in This Release
========================================================================

This release is a complete installation. Use one of the following files:

  Agent-Windows-12.0.0-360.x86_64.zip (64-bit)
  Agent-Windows-12.0.0-360.i386.zip (32-bit)
  Notifier-Windows-12.0.0-360.i386.msi (32-bit - can be installed on 64-bit)


9. Contact Information
========================================================================

A license to the Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via phone or email, or visit our website to download evaluation copies of Trend Micro products.

https://www.trendmicro.com/en_us/contact.html

NOTE: This information is subject to change without notice.


10. About Trend Micro
========================================================================

Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.

Trend Micro, Deep Security, "deep security solutions", and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.


11. License Agreement
========================================================================

View information about your license agreement with Trend Micro at:
https://www.trendmicro.com/en_us/about/legal.html


12. Third Party Software
========================================================================

Deep Security employs the use of 3rd party binary distributions. The binary distributions are subject to the licenses available in the following directory:

  [Install Directory]\licenses

Where 3rd party licenses require open access to their source code, Trend Micro will provide the necessary materials upon written request.

========================================================================
(C) 2019 Trend Micro Inc. All rights reserved. Published in Canada.