Trend Micro Incorporated                               December 07, 2017
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Readme for Trend Micro (TM) Deep Security Agent 9.5 Service Pack 1 Patch 3 Update 8 for Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: This Readme file was current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates.

GM release documentation: http://docs.trendmicro.com
Patch/SP release documentation: http://www.trendmicro.com/download

TIP: Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation or online at: https://clp.trendmicro.com/FullRegistration?T=TM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deep Security Agent Platforms:
- Red Hat Enterprise 5 (32-bit and 64-bit)
- Red Hat Enterprise 6 (32-bit and 64-bit)
- Red Hat Enterprise 7 (64-bit)
- CentOS 5 (32-bit and 64-bit)
- CentOS 6 (32-bit and 64-bit)
- CentOS 7 (64-bit)
- Oracle Linux 5 (32-bit and 64-bit)*
- Oracle Linux 6 (32-bit and 64-bit)*
- SuSE 10 SP3, SP4 (32-bit and 64-bit)
- SuSE 11 SP1, SP2, SP3 (32-bit and 64-bit)
- Amazon AMI Linux EC2 (32-bit and 64-bit)
- Ubuntu 10.04 LTS (64-bit)
- Ubuntu 12.04 LTS (64-bit)
- Ubuntu 14.04 LTS (64-bit)
- Cloud Linux 5 (32-bit and 64-bit)
- Cloud Linux 6 (32-bit and 64-bit)

* Note: Oracle Linux is supported on Red Hat kernels and Unbreakable kernels.

For a list of specific Linux kernels supported for each platform, see the document titled "Deep Security 9.5 SP1 Supported Linux Kernels".

Deep Security Agent with Relay Feature Platforms:
- Red Hat Enterprise 5 (64-bit)
- Red Hat Enterprise 6 (64-bit)
- Red Hat Enterprise 7 (64-bit)
- CentOS 5 (64-bit)
- CentOS 6 (64-bit)
- CentOS 7 (64-bit)
- Oracle Linux 5 (64-bit)
- Oracle Linux 6 (64-bit)
- SUSE 10 SP3, SP4 (64-bit)
- SUSE 11 SP1, SP2, SP3 (64-bit)
- Ubuntu 10.04 LTS (64-bit)
- Ubuntu 12.04 LTS (64-bit)
- Ubuntu 14.04 LTS (64-bit)
- Cloud Linux 5 (64-bit)
- Cloud Linux 6 (64-bit)
- Amazon AMI Linux EC2 (64-bit)

For a list of supported Deep Security features by software platform, see the document titled "Deep Security 9.5 SP1 Supported Features by Platform."

Date: December 07, 2017
Release: 9.5 Service Pack 1 Patch 3 Update 8
Build Version: 9.5.3-7814
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This product is subject to the terms detailed in the license agreement and copied to the install directory.

For more information about the Trend Micro suite of Deep Security products, visit our website at:
http://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/index.html

Download the latest version of this readme from the Deep Security page at the Trend Micro Download Center website:
http://downloadcenter.trendmicro.com/

Trend Micro is always seeking to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro documents, please contact us at docs@trendmicro.com. Your feedback is always welcome.

Contents
===================================================================
1. About Deep Security 9.5 Service Pack 1 Patch 3 Update 8
   1.1 Overview of This Release
   1.2 Who Should Install This Release
   1.3 Upgrade Notice
2. What's New
   2.1 Enhancements
   2.2 Resolved Known Issues
3. Documentation Set
4. System Requirements
5. Installation
6. Known Incompatibilities
7. Known Issues
8. Release History
9. Files Included in This Release
10. Contact Information
11. About Trend Micro
12. License Agreement
13. Third-Party Software
===================================================================

1. About Deep Security 9.5 Service Pack 1 Patch 3 Update 8
========================================================================

1.1 Overview of This Release
=====================================================================
Deep Security Agent 9.5 Service Pack 1 Patch 3 Update 8 contains feature enhancements and no bug fixes.

For a list of the major changes in Deep Security 9.5 Service Pack 1 Patch 3 Update 8, please see the "What's New" section of the Installation Guides, which are available for download from the Trend Micro Download Center.

1.2 Who Should Install This Release
=====================================================================
You should install this release if you are currently running Deep Security 8.0, 9.0, or 9.5. All new Deep Security users should install Deep Security 9.5 Service Pack 1 Patch 3 Update 8.

1.3 Upgrade Notice
=====================================================================
Upgrade the Deep Security Filter Driver to SP1 Patch 3 build 9.5.3.4507 before upgrading the Deep Security Virtual Appliance to 9.5 SP1 Patch 3 Update 2 on a non-NSX environment. Engine offline errors will occur if you upgrade the Deep Security Virtual Appliance before upgrading the Filter Driver.

2. What's New
========================================================================

2.1 Enhancements
=====================================================================
The following enhancements are included in this release:

Enhancement 1: [DSSEG-1709]
The Deep Security Virtual Appliance ds_agent startup script has been enhanced to ensure the necessary kernel module is placed in the correct path and to wake up the vmtoolsd service if it doesn't run. The Deep Security Virtual Appliance patching process is separate from ds_agent to avoid patching activity from being interrupted by Deep Security Agent operation. Patch package Agent-DSVA_CentOS6.4-1.0.0-171128.x86_64.zip is available for import starting with Deep Security 9.5 SP1 Patch 3 Update 8.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 2: [DSSEG-1631]
The File Scanning Engine used in Deep Security Agent has been updated to version 10.000.1004.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2.2 Resolved Known Issues
=====================================================================
There are no issues fixed in this release.

3. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com

In addition to this Readme file, the documentation set for this product includes the following:

- Online Help: The Online Help contains an overview of features and key concepts, and information on configuring and maintaining Deep Security 9.5. To access the Online Help, go to http://docs.trendmicro.com

- Installation Guide (IG): The Installation Guide contains information on requirements and procedures for installing and deploying Deep Security 9.5. The following Installation Guides are available in Trend Micro Download Center:
    Deep_Security_95_SP1_Install_Guide_basic_EN.pdf
    Deep_Security_95_SP1_Install_Guide_vcloud_EN.pdf
    Deep_Security_95_SP1_Install_Guide_nsx_EN.pdf
    Deep_Security_95_SP1_Install_Guide_vmsafe_EN.pdf
    Deep_Security_95_SP1_Install_Guide_azure_EN.pdf

- Administrator's Guide (AG): The Administrator's Guide contains an overview of features and key concepts, and information on configuring and maintaining Deep Security 9.5. It also contains post-installation instructions on how to configure the settings to help you get Deep Security "up and running". All of the content of the Administrator's Guide can be found in the Deep Security Manager's online help.

- Support Portal: The Support Portal contains information on troubleshooting and resolving known issues. To access the Support Portal, go to http://esupport.trendmicro.com

4. System Requirements
========================================================================
For a complete list of the System requirements, please refer to the Deep Security 9.5 Installation Guide.

5. Installation
========================================================================
Refer to the "Deep Security Manager 9.5 Installation Guide" document available for download from the Trend Micro Download Center.

- Only use the Agent installer package (the .msi or the .rpm file) on its own to install the Deep Security Agent. If you extract the full Agent zip package and then run the Agent installer from the same folder that holds the other zipped Agent components, all the Security Modules will be installed. That may cause a conflict with the Anti-Malware or Firewall driver if you use applications other than Deep Security to provide those functionalities.

- Before installing this Patch, please ensure that the Deep Security Manager has already been upgraded to 9.5 Service Pack 1 Patch 3 Update 8.

- All Deep Security Relay-Enabled Agents must first be upgraded to Deep Security Agent 9.5 Service Pack 1 Patch 3 Update 8 before upgrading other Agents.

6. Known Incompatibilities
========================================================================
The Anti-Malware feature of Deep Security Agent is incompatible with Docker containers and partitions.

7. Known Issues
========================================================================
- The CPU Usage (Agent only) setting under Manual and Scheduled Scan Configuration in the Deep Security Manager console is not working on SUSE 10 SP3 and SP4. [20717]

- Deep Security Agent may not successfully install on the first release of Ubuntu 12.04 without any updates and patches. [23797]

- The Relay feature uses TCP port 4122. When enabling the Relay feature, make sure TCP port 4122 is allowed in any firewall being used. [22749]

- Disable Deep Security Agent's Anti-malware realtime scan when installing on SAP server with Virus Scan Adapter to prevent a race condition. [23621]

- CPU usage control in Scan for Integrity may not work after a reboot. Rebuild Integrity Baseline or reactivation will fix this. [20725/20563]

- In Linux platforms, some malware may not be detected if the DNS is very slow to respond to queries. [21208]

- Some security components of Deep Security Agent with the Relay feature enabled may get removed unexpectedly after an update. As a workaround, retry the security update. [24004]

- The Deep Security Manager will display the platform of the Agent package regardless of the platform where it is installed. For example, since the Agent package used in CentOS and Red Hat are the same and labeled as Red Hat Agent package, Deep Security Manager will display the platform as Red Hat. [21674/25156]

- Using the systemctl command in RHEL 7 to stop, start or restart ds_filter does not work. As a workaround, use the service command. [25669]

- Anti-Malware is unable to scan fuse-based file-system if the mount owner is not root and the mount does not allow other users to access it. [26265]

- Deep Security Agent running on SUSE on Azure cloud will not be managed under the Azure cloud account in the Deep Security Manager. The Agent will appear under the normal computers list. [26499]

- After Deep Security Virtual Appliance upgrade, the error "Exceeded maximum concurrent events" may be noticed in the /var/log/messages file and the Agentless protected guest virtual machines status changed to "Anti-Malware Engine Offline". Rebooting the Deep Security Virtual Appliance will fix this issue. [26361]

- Intrusion Prevention is not supported over SSL connections when using IPv6.

- SYN Flood protection is only supported on versions 7.5 or earlier of the Windows Agents and on versions 7.5 or earlier of the Virtual Appliance. It is not supported on versions 7.5 Service Pack 1 or later of the Windows Agents or versions 7.5 Service Pack 1 or later of the Virtual Appliance. It is not supported on any versions of the Linux or Solaris Agents.

- Log entries (Firewall and IPS Events) for OUTGOING traffic show zeroed-out MAC addresses.

- When the network engine is working in TAP mode and the in-guest Agent is offline, the Deep Security Virtual Appliance status will be "Stand By". When this occurs, Deep Security Virtual Appliance is actually online and Intrusion Prevention and Firewall events will be logged when rules are triggered. [10948]

- Log Inspection event logs are limited to 6000 characters.

8. Release History
========================================================================
See the following website for more information about updates to this product: http://www.trendmicro.com/download

- Deep Security Agent 9.5, Build 9.5.2-2022, August 27, 2014
- Deep Security Agent 9.5 Critical Patch, Build 9.5.2-2044, November 05, 2014
- Deep Security Agent 9.5 SP1, Build 9.5.3.2754, January 30, 2015
- Deep Security Agent 9.5 SP1 Critical Patch, Build 9.5.3-3016, May 02, 2015
- Deep Security Agent 9.5 SP1 Patch 1, Build 9.5.3-4017, July 31, 2015
- Deep Security Agent 9.5 SP1 Patch 2, Build 9.5.3-4518, Sept 23, 2015
- Deep Security Agent 9.5 SP1 Patch 3, Build 9.5.3-5500, Nov 06, 2015
- Deep Security Agent 9.5 SP1 Patch 3 Update 1, Build 9.5.3-5749, Jan 11, 2016
- Deep Security Agent 9.5 SP1 Patch 3 Update 2, Build 9.5.3-5954, March 01, 2016
- Deep Security Agent 9.5 SP1 Patch 3 Update 3, Build 9.5.3-7523, March 10, 2017
- Deep Security Agent 9.5 SP1 Patch 3 Update 4, Build 9.5.3-7568, April 05, 2017
- Deep Security Agent 9.5 SP1 Patch 3 Update 6, Build 9.5.3-7707, August 28, 2017
- Deep Security Agent 9.5 Service Pack 1 Patch 3 Update 7, Build 9.5.3-7747, September 28, 2017
- Deep Security Agent 9.5 Service Pack 1 Patch 3 Update 8, Build 9.5.3-7814, December 07, 2017

8.1 Deep Security Agent 9.5.2-2022
=====================================================================

8.1.1 Enhancements
=====================================================================
Smarter, Lightweight Agent
- Lightweight installer
- Security Modules installed only as required by Security Policy
- Automatic new Linux Kernel support

Linux Support
- New Distributions: Oracle Unbreakable
- On-demand Anti-Malware scanning for all distributions
- Real-Time Anti-Malware for Red Hat Enterprise and SuSE

8.1.2 Resolved Known Issues
=====================================================================
- This release includes all issues that were resolved in Deep Security 9.0 SP1 Patch 3, except those explicitly listed in the section "Known Issues in Deep Security Agent 9.5 - Linux" below.

8.2 Deep Security Agent 9.5.2.2044 (Critical Patch)
=====================================================================

8.2.1 Enhancements
=====================================================================
There are no enhancements for this critical patch release.

8.2.2 Resolved Known Issues
=====================================================================
This critical patch resolves the following issues:

Issue: Deep Security Virtual Appliance 9.5 uses a version of the Bash shell that is affected by the CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187 vulnerabilities.

Solution: This critical patch updates the Bash version in Deep Security Virtual Appliance 9.5 to prevent Shellshock vulnerabilities.

Note: To apply this critical patch to Deep Security Virtual Appliance, import this critical patch from Trend Micro download center directly to Deep Security Manager and perform upgrade on the Deep Security Virtual Appliance. To import this package, log into Deep Security Manager, go to Administration > Updates > Software > Download Center and import this critical patch. To upgrade the Deep Security Virtual Appliance, go to Administration > Updates > Software and then click "Upgrade Agent/Appliance Software".

8.3 Deep Security Agent 9.5.3.2754
=====================================================================

8.3.1 Enhancements
=====================================================================
Extended support for Microsoft Azure
- Deep Security can now connect to Microsoft Azure accounts using shared certificates. For more information, see the Deep Security 9.5 SP1 Installation Guide (Cloud).

Extended support for VMware NSX Security Policies
- Event-Based Tasks are now available that allow users to monitor the VMware NSX Security Policy assigned to a VM and perform Deep Security Tasks (such as the activation or deactivation of Deep Security protection) based on changes to the NSX Security Policy. For more information, see "Deploying Agentless Protection in an NSX Environment" in the Deep Security 9.5 SP1 Installation Guide (NSX).

Extended support for NSX tagging
- Deep Security can now apply NSX tags based on Intrusion Prevention Events (as well as Anti-Malware Events). For more information, see "Deploying Agentless Protection in an NSX Environment" in the Deep Security 9.5 SP1 Installation Guide (NSX).

SSL Enhancements
- Extended SSL Support for TLS 1.2 and the following ciphers:
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256

Extended Proxy Support for Relays
- Relay Groups can now be configured to use unique proxy servers to retrieve Security Updates from Trend Micro. The option is available in the Relay Group's properties window.

Linux Support
- Support has been added for Red Hat Enterprise Linux 7 and CentOS 7

Support for log-only HTTP Protocol Decoder errors
- Certain errors determined by the HTTP Protocol decoder can now be manually set to be log-only. The errors are:
    Double Decoding Exploit
    Illegal Character in URI
    Invalid Hex Encoding
    Invalid Use of Character
    Invalid UTF8 Encoding

Scan Engine Enhancement
- Scan Engine (VSAPI) has been updated to version 9.8.

8.3.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [24819/24586/TT306574]
Deep Security Virtual Appliance 9.5 used a version of the Bash shell that is affected by the CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, CVE-2014-7187 vulnerabilities.

Solution 1: This release updates the Bash version in Deep Security Virtual Appliance 9.5 to prevent Shellshock vulnerabilities.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [24690/25760/TT307260/TT310302]
If an environment variable was defined under the scan exclusions directory list, and that environment variable was defined under the "Settings > view environment variable" tab, the exclusion did not work properly. The files that match the environment variable were still scanned.

Solution 2: This release ensures that scan exclusions that use environment variables work properly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [24815/TT310736]
When users changed the default Relay port in Deep Security Manager, the Relay's listening port did not change.

Solution 3: This release ensures that the Relay configuration is updated promptly after users change the default Relay port in Deep Security Manager.

Note: When a user changes the default relay port in Deep Security Manager, the Relay's listening port will change after the user sends the policy to the Relay. For this to work, right-click the Relay machine in the Deep Security Manager console and click the "Send Policy" button.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [25822/25823/TT311223]
If the browser was configured to use a proxy server, virtual machines protected by Deep Security Virtual Appliance under Web Reputation sometimes were not able to block blocked URLs.

Solution 4: This release resolves an issue in the Web Reputation Service (WRS) module to ensure that virtual machines can successfully block URLs when the browser is configured to use a proxy server.

8.4 Deep Security Agent 9.5.3-3016 (Critical Patch)
=====================================================================

8.4.1 Enhancements
=====================================================================
This Critical Patch does not add any enhancement.

8.4.2 Resolved Known Issues
=====================================================================
This critical patch resolves the following issues:

Issue 1: The Deep Security 9.5 Manual Anti-Malware scan engine could potentially fail to detect malware if it was located in a directory with certain specific characteristics.

Solution 1: This critical patch will send alerts to Deep Security Manager to indicate that administrators need to check the path manually. The alert is "Files were not scanned because the file path exceeded the maximum file path length limit."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: RHEL did not pick up the right kernel module, which caused a system crash when autofs was ON.

Solution 2: This critical patch repacks the correct kernel package.

8.5 Deep Security Agent 9.5.3-4017
=====================================================================

8.5.1 Enhancements
=====================================================================
This release adds the following enhancements:

Enhancement 1: [26974/TT310071/TT316754]
The Deep Security Virtual Appliance is now capable of providing Real-Time Anti-Malware Protection on Citrix VDI for read/writes from USB or Network Shares re-directed/virtual device mapped into the VDI session via Citrix Receiver.

Enhancement 2: [29018/29234/29019/29311/29312]
The Deep Security Network Engine has been enhanced to handle Maximum TCP/UDP connections. This drastically reduced the Out of Connection issues found in heavy load environments. The connection cleanup methodology has been improved to handle idle connections and new connection requests. Event Aggregation is now performed for identical events appearing in the Deep Security Manager console to avoid event flooding and filling up the database space. Identical events are now aggregated in multiples of hundreds, under the Repeat Counter columns.

Enhancement 3: This release contains improvements in TCP/IP connection handling to eliminate the potential, under certain conditions, for evasion of IDS/IPS (Intrusion Prevention) functionality. These improvements do not affect Firewall functionality.

Enhancement 4: [29389/TT320281]
The Deep Security Virtual Appliance agent process would crash when the number of protected virtual machines exceeded 100. To address this issue, the Simple Lua Binder (SLB) version has been upgraded from SLB to SLB 3.

8.5.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [26025/TT310077]
The Deep Security Virtual Appliance sometimes became unresponsive due to a dsa_slowpath crash caused by a lock condition.

Solution 1: Code has been fixed to ensure that this crash will not happen.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [26410/320346]
Unexpected "Illegal Character in URI" Events were being generated on some protected VMs even though the "HTTP Protocol Decoding" Intrusion Prevention rule had been configured to allow the characters on those particular machines. This was because changes to the "HTTP Protocol Decoding" rule intended for a single customized policy were being applied to all policies and therefore to all VMs.

Solution 2: This release ensures that customizations of the "HTTP Protocol Decoding" rule can be applied at the individual policy level.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [27794/TT318001]
Kernel Crash happened in a Linux environment if the Deep Security Agent was enabled with Real-Time Anti-Malware Scanning and the system had file-on-file mounted on the mount table.

Solution 3: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [27806/TT317533]
The Deep Security Virtual Appliance Agentless firewall did not work on the guest virtual machine with multiple network interface cards environment. This happened when rules were configured for a specific NIC only. This issue did not happen on Deep Security Agent and Deep Security Relay Firewall.

Solution 4: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [27835]
The Deep Security Relay's nginx server allowed SSLv3 connections.

Solution 5: This release disables SSLv3 connections to the Relay's nginx server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [27892/TT316820]
The Anti-Malware scan engine does not support scanning files larger than 2GB. However, it flooded the log with file open failure messages.

Solution 6: The priority of the log message has been changed from notice to information. By default, this message will no longer show up.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: [27930/TT318225]
When the autofs service was enabled on Red Hat Enterprise Linux 5 and 6, the correct kernel module was not picked up, resulting in a system crash.

Solution 7: This release repacks the correct kernel package.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 8: [27972]
During upgrade, if the kernel symbolic link already exists, the upgrade fails to update the symbolic link.

Solution 8: If the symbolic link exists, unlink it and create the new symbolic link to point to the correct kernel module.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 9: [28091/TT318306]
The Deep Security 9.5 Manual Anti-Malware scan engine could potentially fail to detect malware if it was located in a directory with certain specific characteristics.

Solution 9: This release will send alerts to Deep Security Manager to indicate that administrators need to check the path manually. The alert is "Files were not scanned because the file path exceeded the maximum file path length limit."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 10: [28141]
When Linux Agents were imported into Deep Security as a Service using the cloud connector for Azure, they sometimes showed up out of the scope of the Azure connector in the Deep Security Manager console. This was because of a timing/waiting for TCP packet timeout issue in the Agent query for cloud metadata.

Solution 10: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 11: [28149]
The Deep Security Agent on Linux/Unix caused a system panic due to a NULL pointer dereference.

Solution 11: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 12: [28180/320166]
On an Azure instance, the Deep Security Agent service would keep restarting when the Cluster service was enabled.

Solution 12: The Deep Security Agent should work normally with this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 13: [28185]
Deep Security Agent caused a kernel panic due to a race condition in network traffic packet handling.

Solution 13: This release fixes this issue. The TCP connection management code has been improved to avoid improper connection movement between management lists.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 14: [28214]
The Deep Security Agent could not start because it could not find some IM file mapping.

Solution 14: The file mapping code for the Linux platform was updated to use parameters that avoid the error. Files are successfully mapped and baselined.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 15: [28249]
The Deep Security Anti-malware process (ds_am) in Deep Security Virtual Appliance (DSVA) crashed during recommendation scan.

Solution 15: After this fix, ds_am should run recommendation scans without crashing.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 16: [28407]
The Deep Security Virtual Appliance splash screen only displayed one Deep Security Manager node, even when multiple Deep Security Manager nodes were configured.

Solution 16: The issue is fixed in this release.

NOTE: This fix ONLY applies to the Deep Security Virtual Appliance. After the DSVA upgrade, restart dsplash from the DSVA command line, using these commands:
    # stop dsplash
    # start dsplash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 17: [28477/TT321699]
Active content in an XSL file was not recognized.

Solution 17: In this release, active content in XSL files is recognized.

NOTE: This fix ONLY applies to the Deep Security Agent on SAP.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 18: [28495/TT318241]
The Deep Security Virtual Appliance leaked thread stack memory during vMotion.

Solution 18: The Appliance thread now releases stack memory after being destroyed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 19: [28654/TT320387]
Deep Security Agent could fail during Integrity Monitoring scanning due to incorrect Shift-JIS to UTF-8 conversion.

Solution 19: Character conversion failures are now detected, to avoid the Agent crash.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 20: [28777/TT317669]
The Deep Security Agent sometimes reported false positive results for Integrity Monitoring scans on unchanged files, due to an incorrect SQL query.

Solution 20: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 21: [28779/TT314867]
On a single-core machine, Deep Security Agent 9.5 would sometimes greatly increase the CPU usage in a very short time.

Solution 21: The notification service script that caches the queried data result has been improved. Customers who have experienced this behavior can also change the internet test interval to max value 5 minutes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 22: [28808/TT320934]
On shutdown of the Deep Security Virtual Appliance, the console command line and other DSVA functions could freeze, preventing completion of the shutdown.

Solution 22: Integrated a newer version of the package that was causing the freeze.

NOTE: This fix ONLY applies to the Deep Security Virtual Appliance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 23: [28855/TT323506]
The Anti-malware engine would go offline due to orphaned ds_am processes that were created while downloading the pattern updates.

Solution 23: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 24: [28865]
"Agent Configuration Package Too Large" warning was observed after installing a new Deep Security Agent on Windows and Linux, and Deep Security Virtual Appliance.

Solution 24: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 25: [29133/TT323803]
When using the SSL configuration wizard in Deep Security Manager, if a user uploaded an SSL private key that required a password but did not specify the password, the negotiation between the Deep Security Manager and the Deep Security Agent took a long time to finish and caused high CPU usage.

Solution 25: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 26: [29145/323315]
Increased Disk I/O has been observed at Deep Security Virtual Appliance, caused by write update frequency to the disk.

Solution 26: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 27: [29211/TT323878]
If the URL list contained a dead UDP connection, it would not be removed and exhausted kernel memory, preventing further UDP/TCP connections.

Solution 27: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 28: [29221/TT322389]
A newly-deployed Deep Security Virtual Appliance would always get the 169.254.1.39 vNIC address, even if it was being configured differently from the Deep Security Manager console at the time of deployment.

Solution 28: This has been fixed in the current release.

NOTE: This fix ONLY applies to the Deep Security Virtual Appliance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 29: [29247/TT324190]
The Deep Security Agent process, ds_agent, sometimes stopped working when a security update was running on a Deep Security Virtual Appliance protecting a large number of virtual machines.

Solution 29: This has been fixed in the current release.

NOTE: This fix ONLY applies to the Deep Security Virtual Appliance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 30: [28773/TT321497]
Deep Security Agent saved the Proxy password as plain text.

Solution 30: The proxy password is now encrypted.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 31: [29091/TT322307] When Agent hardening was enabled on a destination Deep Security Virtual Appliance in a VMotion setup, and the guest virtual machine was password-protected, the VMotion failed and the guest VM went offline.

Solution 31: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 32: [29450] The Web Reputation feature does not work when browsing an IPv6 address on a SUSE 11 x64 or Ubuntu 12 x64 platform.

Solution 32: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 33: [29454] For any incoming TCP packet without a connection, if a FIN packet was sent from an endpoint, the packet was dropped as expected, but the event was not logged into Deep Security Manager.

Solution 33: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 34: [29526] The iCRC common module used in Deep Security Agent stopped unexpectedly when the computer's locale was set to an invalid value.

Solution 34: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 35: [28637] When the Deep Security Virtual Appliance had the Anti-malware Plugin installed and shutdown was initiated, it would take a long time to shut down the Agent.

Solution 35: The issue is fixed in this release.

NOTE: This fix ONLY applies to the Deep Security Virtual Appliance.

8.6 Deep Security Agent 9.5.3-4518
=====================================================================

8.6.1 Enhancements
=====================================================================
This release adds the following enhancement:

Enhancement 1: [30137] If a user creates a diagnostic package for Deep Security Virtual Appliance, there exists a charts.html file under the Agent - dsva folder. This charts.html file only displayed charts for system and process statistics.
This patch release enhances charts.html to also display the guest_stat.csv file, which is used to identify Guest VM packet information such as errors to slowpath, DSVA packet in, DSVA packet out, and error to slowpath, in a graphical display.

8.6.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [TT327487/29815] When users installed Deep Security Agent 9.5 SP1 on Red Hat Enterprise Linux 7.1 and enabled real-time Anti-Malware scanning, a kernel crash would occur.

Solution 1: This issue has been fixed in this Patch release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [TT322646/29845] Some users experienced issues such as slow network, disconnection, and RDP login failure. Analysis results indicated that the packet transmission error happened between fastpath and slowpath. It was identified that the issue could be related to a data channel NIC reset on a DSVA machine.

Solution 2: This issue has been fixed in this Patch release.

Note: This release is applicable to Deep Security Virtual Appliance only, along with Deep Security Filter Driver for the Patch 2 release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [29950] Deep Security Netfilter caused a kernel panic on Linux servers while handling the connection meta-data structure.

Solution 3: This issue has been resolved in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [30012] The Deep Security Virtual Appliance and Deep Security Agent (Linux) crashed due to an incompatibility with the VSAPI IOPlugin structures added in its latest release. Deep Security Agent uses the Trend Micro Anti-malware scanning engine VSAPI to scan disk files for malware and clean them. The crash was due to duplication of the internal VSAPI IoPlugin type definition with Deep Security Agent's real-time scan structures.

Solution 4: This issue has been resolved in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [30140] If a Deep Security Notifier was installed on a virtual machine protected by Deep Security Virtual Appliance, and there was only a single virtual machine protected by the DSVA, the notifier always showed "Unknown/Unrecognized". The reason is that the ds_agent was unable to get the UUID of this virtual machine and therefore was unable to update the status to Notifier.

Solution 5: This issue has been resolved in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [TT331266/30210] If the Deep Security Virtual Appliance experienced an ungraceful shutdown or power off, the ds_am.pid file remained under the /var/opt/ds_agent/am directory, pointing to a non-existent process ID. Sometimes, this process ID was taken by another process, which resulted in the PID defined under ds_am.pid pointing to a different process instead of the ds_am process. As a result, the ds_am process failed to start because it did not correctly verify that the previous ds_am process was still running.

Solution 6: This issue has been resolved in this release.

8.7 Deep Security Agent 9.5.3-5500
=====================================================================

8.7.1 Enhancements
=====================================================================
This release adds the following enhancements:

Enhancement 1: This Release contains improvements in TCP/IP connection handling to eliminate the potential, under certain conditions, for evasion of IDS/IPS (Intrusion Prevention) functionality. These improvements do not affect Firewall functionality.

Enhancement 2: [30294] In previous versions, the Deep Security Agent only loaded the new kernel support package during process rebooting. So, if a customer imported a supported KSP, they needed to reboot the ds_agent process manually to make it work.
This release has been enhanced so that the Agent tries to load the new kernel support automatically when it becomes available in the inventory.

8.7.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [30300] The Deep Security Virtual Appliance's fastpath/slowpath recovery mechanism was added in Deep Security 9.5 SP1 Patch 2. With that patch, the dsa_slowpath was restarted when the fastpath found the repeated error in forwarding packets to slowpath. However, when the network traffic was heavy, the dsa_slowpath process could be restarted too frequently due to the VMK_NOT_ENOUGH_SLOTS error.

Solution 1: To address the issue, a modification was made to ignore the VMK_NOT_ENOUGH_SLOTS error in fastpath.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [TT333433/30312] On some Linux platforms, if iptables or ip6tables was disabled and a customer installed or restarted the Deep Security Agent, the ds_agent process would start iptables and add a rule to open port 4118.

Solution 2: With this release, the ds_agent process will check the iptables/ip6tables status. If it is disabled, it will not be changed. If it is enabled, one rule to allow port 4118 for communication will be added.

NOTE: If both iptables and ip6tables are disabled, they will remain disabled. If either one is enabled, the ds_agent process will consider them both to be enabled.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [TT333523/30321] When kdump generated the dump kernel, it generated errors such as 'No module gsch found' or 'No module redirfs found'.

Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [TT324927/30315/30335] The redirfs kernel module, which hooks the Virtual File System (VFS) switch in Linux, crashed due to a race condition.

Solution 4: This has been fixed in the current release.
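
Added example (not part of the original readme and not Trend Micro's code): Issue 6 in section 8.6.2 describes a ds_am.pid left behind by an ungraceful shutdown whose recorded PID was later taken by another process. The script below shows one way a start script on Linux can verify a PID file by comparing the process name under /proc before refusing to start; the function names, the PROC_ROOT argument and the process name "ds_am" as it appears in /proc are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a PID file still refers to the expected daemon.

# pidfile_owner_state PIDFILE EXPECTED_NAME [PROC_ROOT]
# Prints one of:
#   running  - the PID exists and its process name matches EXPECTED_NAME
#   reused   - the PID exists but belongs to a different program
#   stale    - no PID file, or no process with that PID
#   invalid  - the PID file does not contain a positive decimal number
pidfile_owner_state() {
    pidfile=$1
    expected=$2
    proc_root=${3:-/proc}   # overridable so the check can run on a constructed tree

    [ -f "$pidfile" ] || { echo stale; return 0; }

    # Only the first line counts; strip whitespace and trailing newline.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')

    # Never pass unvalidated file content on to other commands.
    case $pid in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    [ "$pid" -gt 0 ] || { echo invalid; return 0; }

    # No /proc entry: the recorded process is gone.
    [ -d "$proc_root/$pid" ] || { echo stale; return 0; }

    # /proc/<pid>/comm holds the executable name (truncated to 15 characters).
    name=$(cat "$proc_root/$pid/comm" 2>/dev/null) || { echo stale; return 0; }

    if [ "$name" = "$expected" ]; then
        echo running
    else
        echo reused
    fi
}

# may_start PIDFILE EXPECTED_NAME [PROC_ROOT]
# Returns 0 when a new instance may start (a stale, reused or invalid PID file
# is removed first) and 1 when the daemon is really running.
may_start() {
    state=$(pidfile_owner_state "$@")
    case $state in
        running) return 1 ;;
        *)       rm -f "$1"; return 0 ;;
    esac
}

# Demo on a constructed /proc-like tree; no real processes are inspected.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/proc/4242"
echo sshd > "$demo_root/proc/4242/comm"   # PID 4242 now belongs to another program
echo 4242 > "$demo_root/ds_am.pid"        # left over from an ungraceful shutdown
echo "state: $(pidfile_owner_state "$demo_root/ds_am.pid" ds_am "$demo_root/proc")"
rm -rf "$demo_root"
```

A name match is weaker than an exclusive lock held by the running daemon, because an unrelated process can carry the same name.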
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [TT33315/30331] The index of an internal memory buffer was not correctly calculated when relative offset counters started over at the 4GB boundary. This incorrect pointer caused dsa_filter to access an invalid memory address, which led to a kernel panic.

Solution 5: With this Patch, the calculation of the buffer offset is fixed when relative offset counters start over at the 4GB boundary.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [TT327952/30297] A thread in the iCRC common module behaved abnormally and could trigger a high CPU usage issue.

Solution 6: This Patch resolves the issue by disabling the abnormal thread in the iCRC common module. To apply this fix, please follow these steps:

1- Under /opt/ds_agent/lib, find the 'ICRCHdler.ini' file. This is the directory where libICRCHdler.so is located.

2- If the file is there, append the following to the file:

      EnableScheduledThread=0

3- If the file is NOT there, create a file named "ICRCHdler.ini" and add the following contents:

      [Default]
      EnableScheduledThread=0

4- Restart the Deep Security Agent Service.

8.8 Deep Security Agent 9.5.3-5749
=====================================================================

8.8.1 Enhancements
=====================================================================
This release does not add any enhancement.

8.8.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-42] If the Deep Security Agent is installed on a Linux platform with an autofs configuration and Real Time Antimalware is turned ON, autofs hangs when the shared folder is mounted.

Solution 1: This has been fixed in the current release.
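
Added example (not Trend Micro's own script): the ICRCHdler.ini steps from Issue 6 in section 8.7.2, written as a shell function that can be run more than once without duplicating the setting. The function name, the optional directory argument and the handling of an existing EnableScheduledThread line with a different value are assumptions beyond the readme's steps; step 4 (restarting the Deep Security Agent service) is left to the operator.

```shell
#!/bin/sh
# Added example: apply steps 1-3 of the ICRCHdler.ini procedure idempotently.

# set_icrc_scheduled_thread_off [LIB_DIR]
# Prints what was done: created | appended | updated | unchanged
set_icrc_scheduled_thread_off() {
    lib_dir=${1:-/opt/ds_agent/lib}       # step 1: directory named in the readme
    ini="$lib_dir/ICRCHdler.ini"
    key=EnableScheduledThread

    [ -d "$lib_dir" ] || { echo "no such directory: $lib_dir" >&2; return 1; }

    # Step 3: the file does not exist, so create it with the [Default] section.
    if [ ! -f "$ini" ]; then
        printf '[Default]\n%s=0\n' "$key" > "$ini"
        echo created
        return 0
    fi

    # Already applied: leave the file untouched so reruns are harmless.
    if grep -q "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*0[[:space:]]*\$" "$ini"; then
        echo unchanged
        return 0
    fi

    # Assumption (not in the readme): if the key exists with another value,
    # rewrite that line instead of appending a second, conflicting entry.
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$ini"; then
        tmp=$(mktemp "$ini.XXXXXX")
        sed "s/^[[:space:]]*${key}[[:space:]]*=.*\$/${key}=0/" "$ini" > "$tmp"
        cat "$tmp" > "$ini"               # keeps the original owner and mode
        rm -f "$tmp"
        echo updated
        return 0
    fi

    # Step 2: the file exists without the key, so append it. Add a newline
    # first if the last line is unterminated, otherwise the key would be
    # glued onto the previous setting.
    if [ -s "$ini" ] && [ -n "$(tail -c 1 "$ini")" ]; then
        printf '\n' >> "$ini"
    fi
    printf '%s=0\n' "$key" >> "$ini"
    echo appended
}

# Demo in a constructed temporary directory standing in for /opt/ds_agent/lib.
demo_dir=$(mktemp -d)
printf '[Default]\nSomeOtherSetting=1' > "$demo_dir/ICRCHdler.ini"   # constructed sample
echo "first run:  $(set_icrc_scheduled_thread_off "$demo_dir")"
echo "second run: $(set_icrc_scheduled_thread_off "$demo_dir")"
rm -rf "$demo_dir"
```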
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.9 Deep Security Agent 9.5.3-5954
=====================================================================

8.9.1 Enhancements
=====================================================================
This release does not add any enhancements.

8.9.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-103] The Linux/Unix server crashed in dsa_filter when UDP packets with the same IP addresses and ports reached different network interfaces at the same time.

Solution 1: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-102] On a busy server where port reuse is very aggressive, a race condition could happen in the network driver, which could crash the machine.

Solution 2: This fix addresses the race condition issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-68] A memory leak was observed in Ubuntu-based systems when the Deep Security Agent was installed.

Solution 3: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-98] Enterprise customers using Red Hat Satellite Server for release distribution information had issues if a Red Hat Enterprise Linux Agent package was imported in the system. For example, it could not be imported to RedHat Satellite Server. This was because the RedHat rpm package is commonly released according to this format:

 - productname-version-buildnumber.release-architecture.rpm

However, the Deep Security Agent package was released as:

 - productname-version-buildnumber-architecture.rpm

Solution 4: The Release information for Deep Security Agent has been modified and added with release-architecture. This distinguishes the architecture information and fixes the issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [TT332353/DSSEG-16] When a configuration is updated, the Deep Security Agent sends a heartbeat containing the current information to the Deep Security Manager. There was an issue where the local interface information did not match the security configuration information, even when the Deep Security Manager updated the configuration repeatedly. As a result, "Events Retrieved" and "Policy Sent" events were recorded under the System Events tab for every heartbeat.

Solution 5: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [DSSEG-97] Deadlocks could sometimes happen on a virtual appliance when it handled a large number of virtual machines.

Solution 6: Unnecessary locks have been removed and the lock granularity has been fine-tuned to improve overall performance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: [DSSEG-92] By design, if /etc/use_dsa_with_iptables exists, then the Deep Security Agent does not touch the Linux Firewall. On SUSE Linux, this did not work; as a result, if the ds_agent service restarted, it stopped the SUSE firewall service.

Solution 7: This issue has been fixed in this release.

Note: Since ds_agent will not touch the SuSEfirewall2 status, port 4118 is opened but not accessible from Deep Security Manager. You will need to create a firewall rule to allow access through port 4118. If you want to make this Deep Security Agent a Relay, you also need to add a Firewall Rule that allows TCP/IP traffic on port 4122 on the Relay-enabled Agent. Install Guide (Basic).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 8: [DSSEG-96] The Linux Anti-Malware On-Demand Scanning could sometimes get stuck if the "CPU Usage (Agent Only)" setting was changed to Medium or Low. To find the setting, open the Computer or Policy Editor and go to "Anti-Malware" > "General" tab. In the "Manual Scan" section, click "Edit" and go to the "Options" tab.

Solution 8: This issue has been fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.10 Deep Security Agent 9.5.3-7523
========================================================================

8.10.1 Enhancements
=====================================================================
The following enhancements are included in this release:

Enhancement 1: [DSSEG-510] When using Red Hat Enterprise Linux 6 x86_64 with kernel version 2.6.32-642.6.1.el6.x86_64, the Intrusion Prevention and Firewall engines went offline.

Solution 1: The required plugins for this kernel support are included in this package, which resolves this issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enhancement 2: [DSSEG-86] Patch 3, which made the Deep Security Manager capable of configuring the TLS version in the configuration.properties file, had an issue where the Deep Security Relay failed to download software packages from the Deep Security Manager when it was configured to use TLSv1.2 only.

Solution 2: This issue has been fixed.

Note: When Deep Security Manager is forced to use TLS 1.2 only, communication between the Deep Security Manager and NSX will be broken because when NSX connects back to the Deep Security Manager over port 4119, it can only use TLS 1.0. This is a current NSX Manager limitation. Similarly, in a non-NSX environment where Deep Security Filter Driver is deployed, a minimum version of ESXi 5.5 is required to make TLS 1.2 work properly.

Limitation: Windows PowerShell deployment scripts generated by the Deep Security Manager fail during execution. This happens during an attempt to download the Agent installer from the Deep Security Manager. This is not the case with Linux platforms.

Workaround: To make deployment scripts work, you must add the following line in the script manually:

      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;

Requirement: To make these deployment scripts work, Windows platforms must run PowerShell version 4.0 or later. Windows 8 or later is equipped with PowerShell 4.0. You can upgrade Windows 7 and Windows 2008 R2 from PowerShell 2.0 to 4.0. Using the TLS 1.2 option and using deployment scripts with PowerShell is not supported on Windows platforms earlier than Windows 7.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.10.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-754] Linux systems would sometimes hang when the Deep Security Agent's kernel module, dsa_filter, was getting the driver's information from certain network interfaces.

Solution 1: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-750] When many application types were assigned to monitor the same port, there was a chance that some connections were not monitored due to an internal defect.

Solution 2: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-738] The DSRU16-032 rule introduced a new rule to monitor HTTP traffic. When the rule was applied and multiple rules monitored HTTP traffic, one particular rule order could mistakenly trigger the 'duplicate content len' event.

Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-582] The Deep Security Agent can handle a maximum of 32 network interfaces. When the Agent was installed on a Red Hat Linux 6x64 computer running KVM (Kernel Virtual Machine), traffic from a larger interface was dropped by the Filter Driver (dsa_filter).

Solution 4: This fix enables the Deep Security Agent to bypass traffic created through tap interfaces, including traffic generated by the KVM. This results in no traffic being dropped.

Note:
1- This fix is applicable to RHEL 6x64 machines running KVM hypervisor only.
2- Bypassing the network traffic through tap interfaces does not create a security concern because the traffic is inspected based on the policy applied at the hypervisor level.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 5: [DSSEG-564] The Deep Security Virtual Appliance (DSVA) restarted abnormally and crashed the dsplash.pl file.

Solution 5: A script has been modified to avoid this situation in the future.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 6: [DSSEG-500] The appliance uses a system "curl" tool to initialize the TLS connection with the Deep Security Relay to save or restore status files during vMotion. The curl tool was an older version that did not have the ability to turn off the TLS "CN Verification". After the library was upgraded, "CN verification" is turned on by default and causes this error: "certificate subject name 'Deep Security Relay' does not match target host name" when the virtual appliance saves or restores status during vMotion.

Solution 6: Install a new version of curl to the DSVA "/opt/ds_agent" folder and use it to disable "CN Check" when the Deep Security Virtual Appliance saves or restores status during vMotion.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 7: [DSSEG-497] The guest VMs' network connectivity was broken and could not recover until the Deep Security Virtual Appliance was restarted.

Solution 7: The issue was caused by an inconsistent state in the vmxnet3 driver. To address this issue, vmxnet3.ko will restore the inconsistent state when it is detected.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 8: [DSSEG-455] OpenSSL minor version upgrade to patch low-impact vulnerabilities such as CVE-2016-6305, CVE-2016-2182 and CVE-2016-6304.

Solution 8: OpenSSL 1.0.2h is now upgraded to 1.0.2j.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 9: [DSSEG-428] When ds_am started, the ds_am process caused a segmentation fault that created many core dump files repeatedly.

Solution 9: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 10: [DSSEG-384] The Deep Security Agent on Red Hat Linux 7 caused a kernel panic due to the redirfs kernel module used for file-system hooking.

Solution 10: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 11: [DSSEG-371] On SuSE Linux, the ds_agent service status checking resulted in incorrect information.

Solution 11: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 12: [DSSEG-334] When an Anti-malware realtime scan was enabled in the Deep Security Agent, there was an unacceptable increase in I/O latency of NFS volumes.

Solution 12: This issue has been fixed by unhooking the redirfs from NFS volumes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 13: [DSSEG-283] The ds_agent process crashed when a Log Inspection task started to run while the Log Inspection service was asked to restart from another thread.

Solution 13: Code now ensures that the Log Inspection service restarts after all tasks are finished.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 14: [DSSEG-261] The syslog would receive a flood of "Assertion Failed: dev" messages because the Deep Security ds_filter driver supported a maximum of only 32 network devices. If this maximum was reached, such as with Docker Containers, the array used to store network devices (lin_devices) would become full and new devices could not be added.

Solution 14: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 15: [DSSEG-221] In certain situations, if an Intrusion Prevention event was already sent to the Deep Security Manager, then restarting the Deep Security Agent service would send the event again, causing duplicate events to appear in the Deep Security Manager console, on the Intrusion Prevention events tab.

Solution 15: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 16: [DSSEG-214] By default, the maximum number of TCP connections for the Deep Security Agent is set to 1000. If the maximum was reached, the ds_agent.log file was flooded with error messages related to maximum connections reached. This caused the logs to fill very quickly and sometimes filled up the disk space.

Solution 16: This fix changes the logging level from "Error" to "Warning" and events are now logged less frequently.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 17: [DSSEG-204] When real-time Anti-malware scanning was enabled on a Linux system (Red Hat, SUSE) and then the "ls" command was executed in a folder where hundreds of thousands of files resided, it took a long time to complete the scan and it seemed as if the machine was hung.

Solution 17: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 18: [DSSEG-203] When Anti-Malware was enabled on a Linux system (RedHat, SUSE), the system would crash due to a problem with the GSCH driver.

Solution 18: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 19: [DSSEG-201] A kernel panic would sometimes happen if there was no extension in the TLS Client Hello packets received by the Deep Security Filter Driver.

Solution 19: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.11 Deep Security Agent 9.5.3-7568
========================================================================

8.11.1 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-907/SEG-3551] The Deep Security Agent created temporary files in the temp directory but these files were not removed after use, which resulted in disk space filling up.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-710] When the Deep Security Agent generated Web Threat Protection (WTP) syslog messages, it did not follow the syslog format. When the syslog is set to "direct forward" from the agent, the log message should be Common Event Format (CEF).

Solution 2: This issue is fixed in this release. The WRS Syslog format is now CEF.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 3: [DSSEG-707] When writing syslog messages, the "untested" messages were incorrectly written as "suspicious".

Solution 3: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 4: [DSSEG-460] When the Intrusion Prevention rule "1000128 - HTTP Protocol Decoding" is enabled and "Specify raw characters that are not allowed in the URI:" is used, when the Deep Security Agent detects an illegal character, the Deep Security Manager will show the illegal character in an Intrusion Prevention event. However, the Deep Security Agent sometimes did not report the correct location of the illegal character, so it was not displayed correctly in the Deep Security Manager.

Solution 4: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.11.2 Enhancements
=====================================================================
There are no enhancements in this release.

8.12 Deep Security Agent 9.5.3-7707
========================================================================

8.12.1 Enhancements
=====================================================================
The following enhancement is included in this release:

Enhancement 1: [DSSEG-1292] The Virus Scan Engine (VSAPI) in Deep Security Agent for Linux has been updated to version 9.95.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.12.2 Resolved Known Issues
=====================================================================
The release resolves the following issues:

Issue 1: [DSSEG-995] The Deep Security Virtual Appliance's security update failed or VMs were offline because the Scheduler thread exited abnormally.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8.13 Deep Security Agent 9.5.3-7747
========================================================================

8.13.1 Enhancements
=====================================================================
There are no enhancements in this release.

8.13.2 Resolved Known Issues
=====================================================================
This release resolves the following issues:

Issue 1: [DSSEG-1390/VRTS-742/VRTS-1121] Deep Security Virtual Appliance was affected by a vulnerability in the OS layer.

Solution 1: This issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Issue 2: [DSSEG-1332/SEG-9556/SF00483291] The Deep Security Agent sometimes failed to complete an SSL handshake when the agent was using a proxy to connect to Deep Security Manager.

Solution 2: The issue is fixed in this release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

9. Files Included in This Release
========================================================================
This release is a complete installation.
Use one of the following files:

   Agent-RedHat_EL5-9.5.3-7814.i386.zip
   Agent-RedHat_EL5-9.5.3-7814.x86_64.zip
   Agent-RedHat_EL6-9.5.3-7814.i386.zip
   Agent-RedHat_EL6-9.5.3-7814.x86_64.zip
   Agent-RedHat_EL7-9.5.3-7814.x86_64.zip
   Agent-Oracle_OL5-9.5.3-7814.i386.zip
   Agent-Oracle_OL5-9.5.3-7814.x86_64.zip
   Agent-Oracle_OL6-9.5.3-7814.i386.zip
   Agent-Oracle_OL6-9.5.3-7814.x86_64.zip
   Agent-SuSE_10-9.5.3-7814.i386.zip
   Agent-SuSE_10-9.5.3-7814.x86_64.zip
   Agent-SuSE_11-9.5.3-7814.i386.zip
   Agent-SuSE_11-9.5.3-7814.x86_64.zip
   Agent-Ubuntu_10.04-9.5.3-7814.x86_64.zip
   Agent-Ubuntu_12.04-9.5.3-7814.x86_64.zip
   Agent-Ubuntu_14.04-9.5.3-7814.x86_64.zip
   Agent-amzn1-9.5.3-7814.i386.zip
   Agent-amzn1-9.5.3-7814.x86_64.zip
   Agent-CloudLinux_5-9.5.3-7814.i386.zip
   Agent-CloudLinux_5-9.5.3-7814.x86_64.zip
   Agent-CloudLinux_6-9.5.3-7814.i386.zip
   Agent-CloudLinux_6-9.5.3-7814.x86_64.zip
   Agent-CloudLinux_7-9.5.3-7814.x86_64.zip
   Agent-Debian_6-9.5.3-7814.x86_64.zip
   Agent-Debian_7-9.5.3-7814.x86_64.zip

10. Contact Information
========================================================================
A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

11. About Trend Micro
========================================================================
Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.

Copyright 2017, Trend Micro Incorporated. All rights reserved.
Trend Micro, Deep Security, "deep security solutions", and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

12. License Agreement
========================================================================
View information about your license agreement with Trend Micro at:
www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed:
 - By selecting the "About" option in the application user interface
 - By referring to the "Legal" page of the Administrator's Guide

13. Third-Party Software
========================================================================
Deep Security employs the use of 3rd party binary distributions. The binary distributions are subject to the licenses available in the following directory:

   [Install Directory]/licenses

Where 3rd party licenses require open access to their source code, Trend Micro will provide the necessary materials upon written request.
========================================================================
(C) 2017 Trend Micro Inc. All rights reserved. Published in Canada.