Trend Micro, Inc.                                      January 14, 2019
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro (TM) Deep Security(TM) 9.0
Deep Security Agent 9.0 Service Pack 1 Patch 5
Hot Fix - Build 5616
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This hot fix was developed as a workaround or solution to a
customer-reported problem. As such, this hot fix has received limited
testing and has not been certified as an official product update.

Consequently, THIS HOT FIX IS PROVIDED "AS IS". TREND MICRO MAKES NO
WARRANTY OR PROMISE ABOUT THE OPERATION OR PERFORMANCE OF THIS HOT FIX
NOR DOES IT WARRANT THAT THIS HOT FIX IS ERROR FREE. TO THE FULLEST
EXTENT PERMITTED BY LAW, TREND MICRO DISCLAIMS ALL IMPLIED AND STATUTORY
WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.

Contents
===================================================================
   1. Hot Fix Release Information
      1.1 Issues
      1.2 Enhancements
      1.3 Files Included in this Release
   2. Documentation Set
   3. System Requirements
   4. Installation/Uninstallation
      4.1 Installation
      4.2 Uninstallation
   5. Post-installation Configuration
   6. Known Issues
   7. Release History
   8. Contact Information
   9. About Trend Micro
   10. License Agreement
===================================================================

1. Hot Fix Release Information
========================================================================

   NOTE: Please install this hot fix before completing any procedures
         in this section (see "Installation").

   1.1 Issues
   =====================================================================
   This hot fix resolves the following issues:

   Issue 1:    [DSSEG-3125]
               Deep Security Agent encountered issues when upgrading to
               version 11.0 for Solaris.

   Solution:   The upgrade path to Deep Security 11.0 is now fixed.
               On Solaris, to upgrade the agent successfully from Deep
               Security 9.0 to Deep Security 11.0, first apply this fix
               to Deep Security Agent 9.0, and then upgrade to Deep
               Security Agent 11.0.

   Note:       On Solaris servers, this Deep Security Agent build must
               only be used with Deep Security Manager 10.0 or later.

   1.2 Enhancements
   =====================================================================
   This hot fix does not add any enhancements.

   1.3 Files Included in this Release
   =====================================================================

   A. Files for Current Issue
   --------------------------------------------------------------------
   Filename                                           Build No.
   -----------------------------------------------------------------
   Agent-Solaris_5.10_U5-9.0.0-5616.sparc.pkg.gz      5616
   Agent-Solaris_5.10_U5-9.0.0-5616.x86_64.pkg.gz     5616
   Agent-Solaris_5.10_U7-9.0.0-5616.sparc.pkg.gz      5616
   Agent-Solaris_5.10_U7-9.0.0-5616.x86_64.pkg.gz     5616
   Agent-Solaris_5.11-9.0.0-5616.sparc.p5p.gz         5616
   Agent-Solaris_5.11-9.0.0-5616.x86_64.p5p.gz        5616

2. Documentation Set
========================================================================
   In addition to this readme.txt, the documentation set for this
   product includes the following:

   o  Installation Guide -- Provides product overview, deployment plan,
      installation steps and basic information intended to help you
      deploy Deep Security smoothly.

   o  User's Guide -- Provides post-installation instructions on how to
      configure the settings to help you get Deep Security "up and
      running". Also includes instructions on performing other
      administrative tasks for the day-to-day maintenance of Deep
      Security.

   o  Readme.txt files -- version enhancements, known issues, and
      release history. There is one readme for each installable Deep
      Security component: Manager, Agent, Virtual Appliance and ESX
      Filter Driver.
   o  Electronic versions of the documents are available at:
      http://docs.trendmicro.com/en-us/enterprise/deep-security.aspx

   o  Online help -- Context-sensitive help screens available on the
      Deep Security Manager that provide guidance for performing a task.

   o  Knowledge Base -- a searchable database of known product issues,
      including specific problem-solving and troubleshooting topics.
      http://esupport.trendmicro.com

3. System Requirements
========================================================================
   Refer to the "Installation Guide" or release notes for a complete
   list of system requirements.

4. Installation/Uninstallation
========================================================================

   4.1 Installation
   =====================================================================
   Refer to the "Installation Guide" on the following web site for the
   complete installation procedure:
   http://docs.trendmicro.com/en-us/enterprise/deep-security.aspx

   4.2 Uninstallation
   =====================================================================
   Refer to the "Installation Guide" on the following web site for the
   complete uninstallation procedure:
   http://docs.trendmicro.com/en-us/enterprise/deep-security.aspx

5. Post-installation Configuration
========================================================================
   No post-installation steps are required.

6. Known Issues
========================================================================
   Recent regression testing with the Deep Security Agent on SPARC
   servers running Solaris has revealed the following issues.

   Issue 1.   On Solaris, in rare cases, activating an agent or sending
              a policy may fail. In these cases, repeat the action. If
              this does not resolve the issue, log in to the affected
              server and restart the ds_agent process with the
              following command:

              svcadm restart ds_agent

   Issue 2.   On Solaris, when Deep Security Integrity Monitoring is
              enabled and the rule "1003513 - Unix - File attributes
              changed in /etc location" is assigned, the following
              syslog message may appear:

              ds_agent[1316]: [ID 702911 local0.error] Mapping failed for offset 0 of file /etc/mnttab (error 89: Operation not applicable)

              /etc/mnttab is an instance of a specialized file system
              and cannot be loaded into memory for analysis. Similar
              error messages may appear for the following files:

              /etc/utmppipe
              /etc/saf/zsmon/_pmpipe
              /etc/saf/_sacpipe
              /etc/svc/volatile/init.state
              /etc/dfs/sharetab

              You can add these files to the "File path to be ignored
              under 'etc' path" section of the rule configuration tab
              to exclude them from processing.

   Issue 3.   On Solaris, if the "1002831 - Unix - Syslog" rule is
              assigned and Issue 2 is occurring, log inspection events
              may be generated if the log inspection module is enabled.

   Issue 4.   In rare cases, on Solaris 10u7 SPARC, the Deep Security
              Agent may fail to install and require that the pfil
              package be installed first. The pfil package is available
              on the Trend Micro Download Center at:
              https://help.deepsecurity.trendmicro.com/software-9-0.html
              by selecting the Solaris_5.10_u5 Agent.

   For other known issues, please refer to the product release notes.

7. Release History
========================================================================
   Deep Security Agent 9.0 Service Pack 1 Patch 1 Build 9.0.2404, September 11, 2013
   Deep Security Agent 9.0 Service Pack 1 Patch 2 Build 9.0.3044, December 17, 2013
   Deep Security Agent 9.0 Service Pack 1 Patch 3 Build 9.0.3500, June 10, 2014
   Deep Security Agent 9.0 Service Pack 1 Patch 4 Build 9.0.4002, October 8, 2014
   Deep Security Agent 9.0 Service Pack 1 Patch 5 Build 9.0.5001, May 15, 2015
   Deep Security Agent 9.0 Service Pack 1 Patch 5 Build 9.0.5409, August 18, 2016
   Deep Security Agent 9.0 Service Pack 1 Patch 5 Build 9.0.5434, February 15, 2017
   Deep Security Agent 9.0 Service Pack 1 Patch 5 Build 9.0.5485, August 1, 2017
   Deep Security Agent 9.0 Service Pack 1 Patch 5 Build 9.0.5508, September 27, 2017
   Deep Security Agent 9.0 Service Pack 1 Patch 5 Build 9.0.5528, March 27, 2018
   Deep Security Agent 9.0 Service Pack 1 Patch 5 Build 9.0.5545, April 17, 2018
   Deep Security Agent 9.0 Service Pack 1 Patch 5 Build 9.0.5546, May 4, 2018
   Deep Security Agent 9.0 Service Pack 1 Patch 5 Build 9.0.5592, June 28, 2018
   Deep Security Agent 9.0 Service Pack 1 Patch 5 Build 9.0.5602, August 1, 2018
   Deep Security Agent 9.0 Service Pack 1 Patch 5 Build 9.0.5612, November 13, 2018

   See the following web site for more information about updates to
   this product:
   http://www.trendmicro.com/download

   7.1 Prior Hot Fixes
   ====================================================================

   NOTE: Only the new hot fix was tested for this release. Prior hot
         fixes were tested at the time of their release.

   Hot Fix 5612 (November 13, 2018)

   Issue 1:    [DSSEG-2884]
               Deep Security Agent generated a large number of
               unnecessary error log messages.

   Solution:   This issue is fixed in this release.

   Note:       On Solaris servers, this Deep Security Agent build must
               only be used with Deep Security Manager 10.0 or later.

   Hot Fix 5602 (August 1, 2018)

   Issue 1:    [DSSEG-2625]
               AIX servers running Deep Security Firewall and/or
               Intrusion Prevention experienced dropped connections due
               to out-of-memory events under high rates of connection
               initiation. This was due to slow growth of the memory
               pool used by the Deep Security kernel extension
               (ds_filter) to store UDP and TCP connection data.

   Solution 1: The memory pool used by the Deep Security kernel
               extension (ds_filter) was modified to grow more quickly
               to avoid dropped connections.

   Note 1:     In order to avoid consuming too much kernel memory, this
               fix has a hard limit of 50000 simultaneous UDP or TCP
               connections. Traffic above this limit may be dropped.

   Note 2:     On AIX servers, this Deep Security Agent build must only
               be used with a Deep Security Manager of Version 10.0 or
               later.

   Hot Fix 5592 (June 28, 2018)

   Issue 1:    [DSSEG-2474]
               Communications between the Deep Security Manager and the
               Deep Security Agent on Solaris servers were using the
               TLS 1.0 protocol.

   Solution 1: The Deep Security Agent was modified so that it only
               allows communications from the manager to the Deep
               Security Agent on Solaris servers using the TLS 1.2
               protocol.

   Note:       On Solaris servers, this Deep Security Agent build must
               only be used with Deep Security Manager 10.0 or later.

   Hot Fix 5546 (May 4, 2018)

   Issue 1:    [DSSEG-2203]
               Deep Security Agent had a problem with packet processing
               on Solaris 10 updates 4, 5, and 6.

   Solution 1: The packet processing problem has been corrected.

   Hot Fix 5545 (April 17, 2018)

   Issue 1:    [DSSEG-2018]
               On AIX servers, the Deep Security Agent processing of
               User and Group information for Integrity Monitoring
               leaked file descriptors. This led to an increasing
               number of file descriptors associated with the ds_agent
               process. This buildup of file descriptors could
               potentially cause creation of defunct processes, high
               memory usage for the ds_agent process, or a server
               restart.

   Solution 1: The Deep Security Agent was modified to not leak file
               descriptors.

   Note:       On AIX servers, this Deep Security Agent build must only
               be used with a Deep Security Manager of Version 10.0 or
               later.

   Hot Fix 5528 (March 12, 2018)

   Issue 1:    [DSSEG-788/DSSEG-1996]
               Communications between the Deep Security Manager and the
               Deep Security Agent on AIX servers were using the TLS
               1.0 protocol.

   Solution 1: The Deep Security Agent was modified so that it only
               allows communications from the manager to the Deep
               Security Agent on AIX servers using the TLS 1.2
               protocol.

   Note 1:     On AIX servers, this Deep Security Agent build must only
               be used with a Deep Security Manager of Version 10.0 or
               later.

   Hot Fix 5508 (September 27, 2017)

   Issue 1:    [DSSEG-1434]
               The AIX Deep Security Agent Packet Driver did not clean
               up correctly when unloading. This prevented the IPsec
               driver from being disabled.

   Solution 1: The AIX Deep Security Agent Packet Driver cleanup has
               been corrected.

   Note 1:     Enabling the Deep Security Firewall and/or Intrusion
               Protection Features on an AIX Server that is using IPsec
               is NOT supported and will create a security risk. It
               could prevent the Deep Security Firewall and/or
               Intrusion Prevention modules from protecting the server
               or could prevent IPsec from filtering or encrypting
               packets. This fix is provided only to support transition
               between the use of the Deep Security Firewall and/or
               Intrusion Prevention modules and the use of the IPsec
               feature (and vice-versa).

               To disable IPsec on an AIX server that has the Deep
               Security Agent installed and has the Firewall and/or
               Intrusion Prevention modules enabled:

               1. In Deep Security Manager, disable the Firewall and
                  Intrusion Prevention modules for this server.
               2. Disable IPsec on the AIX server.
               3. Re-enable the Firewall and/or Intrusion Prevention
                  modules on the AIX server if you disabled them in
                  step 1.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Hot Fix 5485 (August 1, 2017)

   Issue 1:    [DSSEG-1049]
               AIX Servers running Deep Security Firewall and/or
               Intrusion Prevention experienced dropped connections due
               to out-of-memory events under high rates of connection
               initiation. This was due to the small pre-allocated
               memory pool used by the Deep Security kernel extension
               (ds_filter) to store UDP and TCP connection data.

   Solution 1: The Deep Security kernel extension was re-engineered to
               automatically allocate 15% of the maximum pinnable
               memory on the server for the memory pool and to grow the
               pool more quickly when needed. As a result, the Deep
               Security kernel extension can support approximately 900
               simultaneous TCP or UDP connections per gigabyte of
               maximum pinnable memory (from the "vmstat -v" output:
               maximum pinnable memory in GB = memory pages x 4 x
               maxpin percentage/104857600).

               If there is insufficient pinnable memory available for
               pre-allocation, the Deep Security Agent kernel module
               will choose not to load. If this occurs, one or more of
               these errors will be displayed in Deep Security Manager
               for the affected server:

               Intrusion Prevention Engine Offline
               Firewall Engine Offline

               If this occurs, refer to the following link to increase
               the pinnable memory on the server and, if necessary, add
               physical memory:
               https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.performance/support_pinned_mem.htm

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Hot Fix 5434 (February 15, 2017)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    [DSSEG-716]
               When no Firewall or Intrusion Prevention rules were
               assigned, Deep Security Agent would raise an
               Agent/Appliance Error event: "Engine command code
               GET_INTERFACES failed" because the ds_filter driver was
               not loaded.

   Solution 1: The issue is fixed in the hotfix.
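
   The sizing rule given under Hot Fix 5485 above, worked through as an
   added example (not Trend Micro code): it parses "vmstat -v" text and
   reports maximum pinnable memory, the 15% pool pre-allocation, and the
   approximate connection capacity. The function names and the sample
   output are constructed, and applying the 50000-connection limit from
   Hot Fix 5602 to the estimate is an assumption.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# Constructed sample of AIX "vmstat -v" output; not captured from a real host.
sample_vmstat() {
cat <<'EOF'
              5242880 memory pages
              5012345 lruable pages
               734211 free pages
                    2 memory pools
               612904 pinned pages
                 80.0 maxpin percentage
                  3.0 minperm percentage
                 90.0 maxperm percentage
EOF
}

# Reads "vmstat -v" text on stdin and prints three fields:
#   max pinnable memory (GB), 15% pool pre-allocation (GB), approx. connections
# Returns 2 if either input field is missing.
ds_filter_capacity() {
    awk '
        $2 == "memory" && $3 == "pages"      { pages  = $1 }
        $2 == "maxpin" && $3 == "percentage" { maxpin = $1 }
        END {
            if (pages == "" || maxpin == "") exit 2
            # Readme formula: pages x 4 x maxpin percentage / 104857600
            # (4 KB pages; 104857600 = 100 percent x 1048576 KB per GB).
            gb   = pages * 4 * maxpin / 104857600
            conn = int(gb * 900 + 0.5)         # about 900 connections per GB
            if (conn > 50000) conn = 50000     # hard limit noted for Hot Fix 5602
            printf "%.2f %.2f %d\n", gb, gb * 0.15, conn
        }'
}

# Stand-alone run on the constructed sample.
sample_vmstat | ds_filter_capacity
```

   On an AIX host, pipe the real output in: vmstat -v | ds_filter_capacity.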
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 2:    [DSSEG-728]
               AIX computers would sometimes crash when the Deep
               Security Agent reset a connection.

   Solution 2: Adopted a new approach to reset the connection safely
               and avoid a system crash.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Hot Fix 5422 (December 2, 2016)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    [TT351301/DSSEG-264]
               Version 9.0 of the Deep Security Agent for Solaris would
               sometimes fail to upgrade remotely on Solaris 10 because
               of an improper shutdown order during upgrade. As a
               result, the Deep Security Agent service would enter
               maintenance mode and be offline.

   Solution 1: The Deep Security Agent upgrade logic has been refined
               to avoid the timing issue during the shutdown process.

   Issue 2:    [TT356718/DSSEG-574]
               When a user changed the communication direction to
               "agent-initiated only" on a Solaris 10/11 computer that
               only had IPv4 support, the Deep Security Agent would
               enter maintenance mode because it failed to bind the
               address.

   Solution 2: This issue is resolved in this release.

   Hot Fix 5409 (August 18, 2016)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    [TT349685/TT342031/DSSEG-380]
               When Deep Security Agent was installed on AIX Servers
               that were configured as an Oracle Real Time Application
               Cluster (RAC) and the Intrusion Prevention module was
               turned ON, the Oracle RAC Nodes were sometimes evicted
               and the Oracle Alert.log files showed that an IPC Send
               Timeout was detected. Also, sometimes while running the
               index rebuilding process and defining more than 30
               parallel threads on one of the Oracle RAC nodes, the
               index rebuilding process failed and "parallel query
               server died unexpectedly" was reported.

   Solution 1: This issue has been fixed in the current release in the
               scenario where Oracle RAC is being configured with
               multiple NIC cards on AIX platforms. You can completely
               bypass the heavy network traffic monitoring by the Deep
               Security Filter Driver (ds_filter) on specific NIC cards
               defined in the exclusive list. These NIC cards are
               normally used for inter-node communication between
               Oracle RAC nodes.

               To implement this fix:

               1. Upgrade the Deep Security Agent to Build 9.0.0.5409
                  or later.
               2. Stop the Deep Security Agent Service using this
                  command:

                  # stopsrc -s ds_agent

               3. Create a file named "ds_filter.conf" in the /etc
                  directory.
               4. Open the /etc/ds_filter.conf file.
               5. Add the MAC addresses of all NIC cards used for
                  inter-node communication, as follows:

                  MAC_EXCLUSIVE_LIST=XX:XX:XX:XX:XX,XX:XX:XX:XX:XX

               6. Start the Deep Security Agent service.
               7. Repeat these steps on all Oracle-RAC nodes in the
                  cluster.

   Hot Fix 5390 (June 1, 2016)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    [TT343997/DSSEG-264]
               Version 9.0 of the Deep Security Agent for Solaris would
               sometimes fail to upgrade remotely on Solaris 11 because
               of an improper shutdown order during upgrade. As a
               result, the Deep Security Agent service would enter
               maintenance mode and be offline.

   Solution 1: The Deep Security Agent upgrade logic has been refined
               to avoid the timing issue during the shutdown process.

   Hot Fix 5378 (April 19, 2016)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    [TT341191/DSSEG-213]
               When a recommendation scan was run on a Solaris machine,
               the Deep Security Agent collected the installed packages
               information from pkginfo. The Deep Security Agent logged
               output in the Agent's log file related to:

               line arch value = all does not match Intel or Sparc (error 0: Error 0)

   Solution 1: The logic has been updated to handle this issue and
               these log messages no longer appear in the Deep Security
               Agent log file.
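
   Because every NIC listed in MAC_EXCLUSIVE_LIST (Hot Fix 5409 above)
   is skipped by ds_filter, the list is worth auditing. The check below
   is an added example, not Trend Micro code: it compares a copy of
   /etc/ds_filter.conf against a site-approved list of interconnect
   NICs. The function name, the MAC values and the six-octet format
   check are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code). Function name and MAC values are hypothetical.

# audit_exclusions CONF APPROVED
#   CONF      path to a copy of /etc/ds_filter.conf, or "-" for stdin
#   APPROVED  comma-separated MACs of the NICs meant to be excluded
# Prints one finding per line; returns 1 if any finding exists, else 0.
audit_exclusions() {
    awk -v approved="$2" '
        BEGIN {
            n = split(toupper(approved), a, ",")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^[ \t]*MAC_EXCLUSIVE_LIST=/ {
            seen = 1
            sub(/^[ \t]*MAC_EXCLUSIVE_LIST=/, "")
            gsub(/[ \t\r]/, "")
            m = split(toupper($0), mac, ",")
            for (i = 1; i <= m; i++) {
                # Assumption: entries are six colon-separated hex octets.
                if (length(mac[i]) != 17 ||
                    mac[i] !~ /^([0-9A-F][0-9A-F]:)+[0-9A-F][0-9A-F]$/) {
                    print "MALFORMED " mac[i]; bad = 1
                } else if (!(mac[i] in ok)) {
                    # Excluded from inspection but not an approved interconnect NIC.
                    print "UNAPPROVED " mac[i]; bad = 1
                }
            }
        }
        END {
            if (!seen) print "NO_EXCLUSION_LIST"
            exit (bad ? 1 : 0)
        }' "$1"
}

# Constructed input: one approved NIC, one unapproved NIC, one unfilled placeholder.
printf 'MAC_EXCLUSIVE_LIST=02:00:00:aa:00:01,02:00:00:AA:00:09,XX:XX:XX:XX:XX\n' |
    audit_exclusions - "02:00:00:AA:00:01,02:00:00:AA:00:02" || true
```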
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Hot Fix 5360 (December 23, 2015)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    [TT336314/DSSEG-36]
               In AIX environments, there was sometimes a zombie
               process as a child process of the Deep Security Agent
               because the system did not clean up the process-related
               resource of the child process.

   Solution 1: The issue is fixed in this hotfix.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 2:    [TT333425/DSSEG-35]
               The Integrity Monitoring build baseline function would
               get stuck when there were more than 256 user accounts.
               The root cause is a defect in the 3rd-party library
               wxWidgets 2.8.

   Solution 2: The issue is fixed in this hotfix.

   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 3:    [TT336310/DSSEG-37]
               The Deep Security Agent reported an invalid NIC name to
               Deep Security Manager, causing a send policy failure.

   Solution 3: The issue is fixed in this hotfix.

   Hot Fix 5354 (December 11, 2015)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    [TT333621/DSSEG-30]
               On Solaris platforms, if the ds_filter driver went into
               maintenance mode for some unknown reason, it would stay
               in maintenance mode until the status was cleared
               manually.

   Solution 1: This fix will clear the service status so the service
               can be started during machine boot time.

   Hot Fix 5353 (December 01, 2015)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    [30402]
               With debug logging enabled, a second ds_agent process
               was sometimes created on AIX systems. This resulted in
               communication problems between the Deep Security Manager
               and Deep Security Agent.

   Solution 1: The debug logging code was modified to prevent the
               creation of the additional ds_agent process.

   Hot Fix 5353 (November 19, 2015)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    [TT333910/30391]
               The Solaris server crashed in dsa_filter when the UDP
               packets with the same IP addresses and ports reached
               different network interfaces at the same time.

   Solution 1: The issue is fixed in this hotfix.

   Hot Fix 5342 (November 12, 2015)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    [29989]
               Errors in installed software data extraction for
               Recommendation Scans and Integrity Monitoring were
               logged under Solaris 11 due to a change in the Solaris
               11 packaging system.

   Solution 1: This Hot Fix updates the installed software data
               extraction handling.

   Hot Fix 5324 (September 28, 2015)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    [30221]
               Deep Security Agent for Solaris SPARC triggered a kernel
               panic due to a race condition in the Agent's kernel
               driver.

   Solution 1: This has been fixed in the current release.

   Hot Fix 5319 (August 14, 2015)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   This Hot Fix adds the following enhancements:

   Enhancement 1: The Deep Security Network Engine has been enhanced to
               handle Maximum TCP/UDP connections. This drastically
               reduced the Out of Connection issues found in heavy load
               environments. The connection cleanup methodology has
               been improved to handle idle connections and new
               connection requests. Event Aggregation is now performed
               for identical events appearing in the Deep Security
               Manager console to avoid event flooding and filling up
               the database space. Identical events are now aggregated
               in multiples of hundreds, under Repeat Counter columns.

   This Hot Fix resolves the following issues:

   Issue 1:    In the Deep Security Manager console, when you go to the
               Computers tab and double-click an AIX system that has an
               Agent installed, the Interface tab does not display the
               correct information.

   Solution 1: The correct function to call interfaces has been
               implemented in AIX Agents in this release.

   Hot Fix 5315 (July 13, 2015)
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Issue 1:    If the URL list contained a dead UDP connection, it
               stayed there and exhausted kernel memory, preventing any
               more UDP/TCP connections.

   Solution 1: The defect in the connection management code has been
               fixed.

8. Contact Information
========================================================================
   A license to the Trend Micro software usually includes the right to
   product updates, pattern file updates, and basic technical support
   for one (1) year from the date of purchase only. After the first
   year, Maintenance must be renewed on an annual basis at Trend
   Micro's then-current Maintenance fees.

   You can contact Trend Micro via fax, phone, and email, or visit us
   at:
   http://www.trendmicro.com

   Evaluation copies of Trend Micro products can be downloaded from our
   web site.

   Global Mailing Address/Telephone numbers
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   For global contact information in the Asia/Pacific region, Australia
   and New Zealand, Europe, Latin America, and Canada, refer to:
   http://www.trendmicro.com/en/about/overview.htm

   The Trend Micro "About Us" screen displays. Click the appropriate
   link in the "Contact Us" section of the screen.

   Note: This information is subject to change without notice.

9. About Trend Micro
========================================================================
   As a global leader in cloud security, Trend Micro develops Internet
   content security and threat management solutions that make the world
   safe for businesses and consumers to exchange digital information.
   With over 20 years of experience, Trend Micro provides top-ranked
   client, server, and cloud-based solutions that stop threats faster
   and protect data in physical, virtualized, and cloud environments.

   As new threats and vulnerabilities emerge, Trend Micro remains
   committed to helping customers secure data, ensure compliance,
   reduce costs, and safeguard business integrity. For more
   information, visit:
   http://www.trendmicro.com

   Trend Micro, the t-ball logo, and Deep Security are trademarks or
   registered trademarks of Trend Micro Incorporated. All other product
   or company names may be trademarks or registered trademarks of their
   owners.

   Copyright 2019, Trend Micro Incorporated. All rights reserved.

10. License Agreement
========================================================================
   More information about your license agreement with Trend Micro and
   third-party licensing agreements can be found in the release notes.