Security Updates

Deep Security periodically needs to be updated with the latest Security and Software Updates. The update packages are retrieved from Trend Micro in the form of Security Updates. Relay-enabled Agents, organized into Relay Groups (also managed and configured by the Deep Security Manager), retrieve Security Updates from Trend Micro and distribute them to the Agents and Appliances.


Before configuring Security Updates, you must have installed and activated your Agents and Appliances (as well as the Relay-enabled Agents that will distribute the Updates). Installation instructions for all Deep Security software are in the Deep Security Installation Guide.

To configure Security Updates, you will need to:

  1. Configure your Security Update source
  2. Organize your Relay-enabled Agents into Relay Groups
  3. Assign Relay Groups to your Agents/Appliances
  4. Special Case: Configure Updates on a Relay-enabled Agent in an Air-Gapped Environment


Configure your Security Update Source

To view your current Update source settings, go to Administration > System Settings > Updates:

Alerts are raised if a Pattern Update has been downloaded from Trend Micro and has been available for more than an hour but computers have yet to be updated.

Security Updates

In the Security Updates area, set your Update source. By default this will be the Trend Micro Update Server accessed over the Internet. Unless your support provider has told you to do otherwise, leave the setting as is.

You may have Agents installed on roaming computers that are not always in contact with a Deep Security Manager or a Relay. To allow Agents to use the Update source specified above when their Relay Group is not available, select the Allow Agents/Appliances to download Pattern updates directly from Primary Security Update Source if Relays are not accessible option. To allow Agents to update (either from a Relay or the Update server) when not in contact with a Deep Security Manager, select Allow Agents/Appliances to download Pattern updates when Deep Security Manager is not accessible. (You may want to uncheck this option on computers where you do not want to risk a potentially problematic Security Update when the computer is not in contact with a Manager and therefore possibly far away from any support services.)

Automatically apply Rule Updates to Policies: Trend Micro will occasionally issue an update to an existing Deep Security Rule. This setting determines whether updated Rules get sent to computers during a Security Update.

Updates to existing Rules are either improvements to the efficiency of the Rule or bug fixes. So although it's a good idea to test new Rules (either in detect-only mode or in a test environment) before deploying them to a production environment, automatically applying updates to existing Rules is a safe option.

Alerts are raised if a Rule Update has been downloaded from Trend Micro and has been available for more than thirty minutes but computers have yet to be updated.

Proxy Servers

If your Relays must connect to a proxy to access the Internet (and Trend Micro Update Servers), you can define the proxies in the Proxy Servers area on the Administration > System Settings > Proxies tab.

Initiate Security Updates

For a system-wide update, go to Administration > Updates > Security, and click the Check For Updates and Download... button.

To perform Security Updates on specific Agents/Appliances, select the Agent/Appliance from the list of computers on the Computers page, then right-click and select Actions > Download Security Update.

To schedule a regular Check For Security Updates task, go to Administration > Scheduled Tasks, and create a new Scheduled Task of the Check For Security Updates type.

Organize your Relay-enabled Agents into Relay Groups

A Deep Security installation requires at least one Relay-enabled Agent. Relay-enabled Agents are organized into Relay Groups (even if there is only one Relay-enabled Agent in the group). As soon as you activate a Relay-enabled Agent with the Manager, it is added to a Group called Default Relay Group. This Relay Group will always be there as a catch-all for new Relay-enabled Agents. Once activated, you can move your new Relay-enabled Agent from one Relay Group to another.

To view your current Relay Groups or to create new Relay Groups, go to Administration > Updates > Relay Groups.

The Update Source for a Relay-enabled Agent is assigned at the Group level. By default, a Relay Group is configured to get its updates from the Update source designated on the Administration > System Settings > Updates tab. However, a Relay Group can be configured to get its updates from another Relay Group, creating a hierarchy of Relay Groups.

A Relay-enabled Agent can obtain security updates from another Relay Group, but not from another Relay-enabled Agent (even if they are both part of the same Relay Group). A Relay-enabled Agent must obtain updates from another Relay Group further up the hierarchy or another configured security update source.

For more information on Relay Groups, see Relay Groups in the User's Guide.

Assign Relay Groups to your Agents/Appliances

Once your Relay Groups are established and configured to connect with an Update Source, you can assign the Relay Groups to your Agents and Appliances.

To assign a Relay Group to an Agent/Appliance, go to the Computers page, right-click on the computer and select Actions > Assign Relay Group.... The list of available Relay Groups will appear and you can select from it.

Special Case: Configure Updates on a Relay-enabled Agent in an Air-Gapped Environment

In a typical environment, at least one Relay-enabled Agent is configured and able to download Updates from the Trend Micro Update Server and the rest of the Relay-enabled Agents or Agents and Appliances connect to that Relay-enabled Agent for Update distribution.

However, if your environment requires that the Relay-enabled Agent is not allowed to connect to a Relay-enabled Agent or Update server via the Internet, then an alternative method is available to import a package of Updates to a Relay-enabled Agent for distribution to other Deep Security Software components.

Using a Relay-enabled Agent to generate an Updates package

A Relay-enabled Agent that is able to download the latest updates from the Trend Micro Update Server can be instructed to generate an exportable package of Security Updates that can be imported to another air-gapped Relay-enabled Agent.

To create a Security Updates package, from the command line on the Relay-enabled Agent, enter:

dsa_control -b

The command line output will show the name and location of the .zip file that was generated.

Importing Updates to the Air-Gapped Relay-enabled Agent

Copy the .zip file generated by the command-line to the installation directory of the Relay-enabled Agent in the offline environment. (On Windows the default directory is "C:\Program Files\Trend Micro\Deep Security Agent". On Linux the default directory is "/opt/ds_agent".)

When a Security Update Download is initiated from the Deep Security Manager (either scheduled or manual), if any Relay-enabled Agent is unable to get the update from the configured Update Source location, it will automatically check for the presence of a Relay Updates .zip file in its installation directory. If it finds the zipped Updates package, the Relay-enabled Agent will extract and import the Updates.

Do not rename the Updates .zip file.

Delete the Updates .zip file after the Updates have been successfully imported to the Relay-enabled Agent.

Configuring an Update Source for an Air-Gapped Relay-enabled Agent

An air-gapped Relay-enabled Agent will still try to contact an Update server to check for Updates. To avoid Update failure Alerts, set the Relay-enabled Agent to use itself as an Update source:

  1. In the Deep Security Manager, go to Administration > System Settings > Updates > Primary Security Update Source.
  2. In the Security Updates area, select Other Update Source and enter "https://localhost:4122".
  3. Click OK.
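The copy step under "Importing Updates to the Air-Gapped Relay-enabled Agent" moves an update package across a trust boundary on removable media, so it is worth checking that the file arriving on the offline side is the one `dsa_control -b` produced. The following is an added example, not part of the Deep Security documentation or tooling: the `stage_bundle` function and the SHA-256 manifest that travels with the package are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not Trend Micro code). On the connected Relay, after
# `dsa_control -b` prints the package location, record its hash:
#     sha256sum <package>.zip > manifest.sha256
# Carry the package and the manifest to the air-gapped Relay, then run
# stage_bundle there.

# stage_bundle <package.zip> <manifest.sha256> <agent_install_dir>
# Returns 0 only if the package matches the manifest and was copied
# into the install directory under its original name.
stage_bundle() {
    bundle=$1; manifest=$2; dest=$3
    name=$(basename "$bundle")

    [ -f "$bundle" ] || { echo "missing package: $bundle" >&2; return 2; }
    [ -d "$dest" ]   || { echo "missing install dir: $dest" >&2; return 2; }

    # Look the hash up by file name: a renamed package has no entry and
    # is rejected, matching the "do not rename" requirement.
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$manifest")
    [ -n "$expected" ] || { echo "no manifest entry for $name" >&2; return 3; }

    actual=$(sha256sum "$bundle" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $name: refusing to stage" >&2
        return 4
    fi

    # Copy under a temporary name, then move, so a half-copied file never
    # carries the package's real name.
    tmp="$dest/.$name.partial"
    cp "$bundle" "$tmp" && mv "$tmp" "$dest/$name" || { rm -f "$tmp"; return 5; }
    echo "staged $dest/$name"
}
```

On Linux the third argument would be the default install directory given above, `/opt/ds_agent`; remove the staged .zip once the Manager reports a successful import.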
