Deployment Scripts

Adding a computer to your list of protected resources in Deep Security and implementing protection is a multi-step process. Almost all of these steps can be performed from the command line on the computer and can therefore be scripted. The Deep Security Manager contains a deployment script writing assistant which can be accessed from the Manager's Support menu.

Agent-initiated Activation must be enabled before Deployment Scripts can be generated. Go to Administration > System Settings > Agents and select Allow Agent-Initiated Activation.

To generate a deployment script:

  1. Start the Deployment Script generator by selecting Deployment Scripts from the Deep Security Manager's Support menu (at the top right of the Deep Security Manager window).
  2. Select the platform to which you are deploying the software. (Platforms listed in the drop-down menu will correspond to the software that you have imported into the Deep Security Manager from the Trend Micro Download Center. For information on importing Deep Security Software, see Administration > Updates.)
  3. Select Activate Agent automatically after installation. (Agents must be activated by the Deep Security Manager before a protection Policy can be implemented.)
  4. Select the Policy you wish to implement on the computer (optional).
  5. Select the Computer Group (optional).
  6. Select the Relay Group (optional).

As you make the above selections, the Deployment Script Generator will generate a script which you can import into your deployment tool of choice.

The deployment scripts generated by Deep Security Manager for Windows Agent deployments require Windows PowerShell version 2.0 or later.

If you are using Amazon Web Services and deploying new EC2 or VPC instances, copy the generated script and paste it into the User Data field. This will let you launch existing Amazon Machine Images (AMIs) and automatically install and activate the Agent at startup. The new instances must be able to access the URLs specified in the generated deployment script. This means that your Deep Security Manager must be Internet-facing, connected to AWS via VPN/Direct Link, or deployed on Amazon Web Services as well.

For a Linux deployment, copy the deployment script as-is into the User Data field and CloudInit will execute the script as sudo. (If there are failures they will be noted in /var/log/cloud-init.log.)

The User Data field is also used with other services like CloudFormation. For more information, see:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-waitcondition-article.html

If you do not intend to enable Anti-Malware protection on your computers, you may want to prevent the installation of the Anti-Malware engine entirely. To do so, delete the string "ADDLOCAL=ALL" from the deployment script.
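
A pre-flight review of a generated script before it goes into User Data, covering the two points above: which hosts and ports a new instance must be able to reach, and removal of the "ADDLOCAL=ALL" string. This is an added example, not output of the Deployment Script Generator; the function names, host names, port and sample script lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-flight review of a generated deployment script.
# Hosts, ports and script lines below are constructed placeholders.

# Print each distinct scheme://host[:port] the script references.
list_endpoints() {
    grep -Eo "[A-Za-z][A-Za-z0-9+.-]*://[^/\"' ]+" "$1" | sort -u
}

# Print "host port" pairs an instance must reach, filling in default ports.
required_egress() {
    list_endpoints "$1" | awk -F'://' '{
        n = split($2, hp, ":")
        if (n > 1)               port = hp[2]
        else if ($1 == "https")  port = 443
        else if ($1 == "http")   port = 80
        else                     port = "unknown"
        print hp[1], port
    }' | sort -u
}

# Emit the script with the ADDLOCAL=ALL string deleted (no Anti-Malware engine).
strip_addlocal() {
    sed 's/ *ADDLOCAL=ALL//g' "$1"
}

# Constructed sample standing in for generator output.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
curl https://dsm.example.com:8443/software/agent.rpm -o /tmp/agent.rpm
curl https://dsm.example.com:8443/software/agent.rpm.sig -o /tmp/agent.sig
curl https://relay.example.com/updates/ -o /tmp/updates
msiexec /i agent.msi /qn ADDLOCAL=ALL /l*v install.log
EOF

echo "Endpoints the new instance must reach:"
required_egress "$sample"
echo "Script without the Anti-Malware engine:"
strip_addlocal "$sample"
```

Compare the `required_egress` output with the security group and routing of the subnet the instances launch into before relying on the script at startup.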