Deep Security 10.3 Azure Marketplace

Deep Security Administration Guide

  • Deep Security 10.3

    Azure Marketplace

  • Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the release notes and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at:

    https://help.deepsecurity.trendmicro.com/software.html

    Trend Micro, and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice.

    © 2017 Trend Micro Incorporated. All rights reserved

    Protected by U.S. Patent No. 7,630,982 B2.

    Privacy Policy

    Trend Micro, Inc. is committed to protecting your privacy. Please read the Trend Micro Privacy Policy available at www.trendmicro.com.

    Document Number: APEM108112_171204

    Publication Date: 6/7/2018 3:57 PM

    Legal Notices

  • Trend Micro Deep Security for Azure Marketplace 10.3

    Contents

    Contents 3

    Get Started 52

    Read the release notes 52

    Buy Deep Security Manager from the Azure Marketplace 52

    What's new? 53

    Deep Security 10.3 feature release 53

    Before you install 53

    Feature releases 53

    Version numbers 54

    Feature release life cycle 55

    Platform support 55

    Support services 55

    About the Deep Security components 56

    System requirements 57

    Deep Security Manager 58

    Deep Security Agent 10.3 61

    Deep Security Notifier 62

    Deep Security Manager - Agent compatibility by platform 63

    Docker support 65

    Deep Security Agent Linux kernel support 66

    Supported features by platform 67

    Platforms 67

    Windows (10.3 Agents) 68

    Red Hat Enterprise Linux (10.3 Agents) 71

    CentOS (10.3 Agents) 72

    Oracle Linux (10.3 Agents) 73

    SUSE Linux (10.3 Agents) 74

    Ubuntu (10.3 Agent) 75

    Debian (10.3 Agent) 75

    Cloud Linux (10.3 Agent) 76

    Amazon (10.3 Agents) 76

    Azure (10.3 Agents) 79

    Agentless (NSX) (10.3 Agents) 81

    Supported Features by Platform documentation for previous versions of Deep Security 86

    Sizing 86

    Database disk space 86

    Disk space estimates 87

    Database sizing considerations 88

    Deep Security Manager sizing 88

    Multiple server nodes 89

    Sizing for Azure Marketplace 89

    Deep Security Manager 90

    Database 90

    Notes 91

    Port numbers 91

    Deep Security Manager ports 93

    Incoming (listening ports) 93

    Outgoing 94

    Deep Security Relay ports 100

    Incoming (listening) 100

    Outgoing 101

    Deep Security Agent ports 102

    Incoming (listening ports) 102

    Outgoing 103

    Prepare a database for Deep Security Manager 108

    Hardware considerations 110

    Dedicated server 110

    Hardware recommendations 110

    Microsoft SQL Server 111

    General requirements 111

    Transport protocol 111

    Database maintenance 111

    Oracle Database 111

    Oracle RAC (Real Application Clusters) support 112

    PostgreSQL recommendations 112

    General requirements 113

    Tuning PostgreSQL settings 113

    Logging settings 114

    Lock management 115

    Maximum connections 115

    Shared buffers 115

    Work memory and maintenance work memory 115

    Effective cache size 116

    Checkpoints 116

    Write-ahead log (WAL) 116

    Autovacuum settings 116

    High availability 117

    Backup and recovery 117

    Linux recommendations 117

    Transparent Huge Pages (Linux) 117

    Strengthen host-based authentication (Linux) 117

    Set up authentication for SQL Server 118

    Active Directory 118

    The Deep Security Manager computer 119

    Windows 119

    Linux 120

    Microsoft SQL Server 121

    Synchronize system clocks 121

    Microsoft SQL Server Express considerations 121

    Supported versions 122

    Limited number of hosts 122

    Security module limitations 122

    Minimize the agent size 122

    Database pruning 122

    Deploy Deep Security 123

    Deploy the Deep Security Manager VM for Azure Marketplace 123

    Buy Deep Security from the Azure Marketplace 123

    Add a Microsoft Azure account to Deep Security 125

    Create a policy 125

    Deploy Deep Security Agents 126

    Generate and run a deployment script 126

    Add a custom script extension to an existing virtual machine 126

    Run Deep Security Manager on multiple nodes 127

    Add a node 128

    Remove a node 128

    Viewing node statuses 129

    Network Map with Activity Graph 129

    Jobs by Node 130

    Jobs by Type 131

    Total jobs by node and type 132

    Update the load balancer's certificate 133

    Configure SMTP settings for email notifications 135

    Install the agents 136

    Get Deep Security Agent software 136

    Download agent software packages into Deep Security Manager 137

    Export the agent installer 137

    Manually install the Deep Security Agent 138

    Install a Windows agent 139

    Installation on Amazon WorkSpaces 139

    Installation on Windows 2012 Server Core 140

    Install a Red Hat, SUSE, Oracle Linux, or Cloud Linux agent 140

    Install an Ubuntu or Debian agent 141

    Install a Solaris agent 141

    Install an HP-UX agent 143

    Install an AIX agent 144

    Install the agent on a Microsoft Azure VM 144

    Install the agent on a Microsoft Azure VM 145

    Bake the agent into your AMI or WorkSpace bundle 146

    Before you begin 146

    Step 1. Configure the activation type 147

    Step 2. Launch a 'master' Amazon EC2 instance or Amazon WorkSpace 147

    Step 3. Install and activate an agent on the master 147

    Step 4. Verify that the agent was installed and activated properly 149

    Step 5. (Optional) Set up policy auto-assignment 149

    Step 6. Create an AMI or custom WorkSpace bundle based on the master 150

    Step 7. Use the AMI 150

    Configure communication between components 151

    Agent-manager communication 151

    Configure the heartbeat 151

    Configure communication directionality 153

    Supported cipher suites for agent-manager communication 155

    SSL implementation and credential provisioning 156

    Use agent-initiated communication with cloud accounts 157

    Enable agent-initiated communication on the policy 157

    Assign the policy to a deployment script 158

    Connect agents behind a proxy 158

    Requirements 158

    Register the proxy in Deep Security Manager 159

    Connect agents, appliances, and relays to security updates via proxy 159

    Connect agents to security services via proxy 159

    Connect agents to a relay via proxy 160

    Connect agents to a relay's private IP address 160

    Remove a proxy setting 161

    Windows 161

    Linux 161

    Subsequent agent deployments 161

    Configure agents that have no Internet access 162

    Solutions 162

    Use a proxy 162

    Install a Smart Protection Server locally 163

    Install a relay and supporting components in your DMZ or Internet-ready area 164

    Disable the features that use Trend Micro security services 166

    Proxy protocols supported by Deep Security 168

    Proxy settings 169

    Proxy server use 169

    Proxy servers 171

    Manage trusted certificates 171

    Import trusted certificates 171

    View trusted certificates 172

    Remove trusted certificates 173

    If I have disabled the connection to the Smart Protection Network, is any other information sent to Trend Micro? 174

    Activate the agent 174

    Deactivate the agent 176

    Stop or start the agent 176

    Stop or start the appliance 177

    Diagnose problems with agent deployment (Windows) 177

    Configure teamed NICs 177

    Windows 177

    Solaris 178

    Agent settings 179

    Hostnames 179

    Agent-Initiated Activation 179

    Data Privacy 181

    Agentless vCloud Protection 181

    Create an Azure app for Deep Security 181

    Record the Azure Active Directory ID 181

    Create the Azure app 182

    Record the Azure app ID and password 182

    Record the Subscription ID 182

    Assign the Azure app a reader role and add it to your Azure Subscription 183

    Distribute security and software updates with relays 183

    How relays work 183

    Relay groups 184

    Determine the number of relays to use 184

    Number of agents 184

    Geographic region of agents 185

    Network configuration and bandwidth 185

    Frequency of agent updates 185

    Sizing recommendations 186

    Configure one or more relays 186

    Create one or more relay groups 186

    Enable one or more relays 188

    Assign agents to a relay group 188

    Configure relay settings for security and software updates 189

    Security updates 189

    Software updates 190

    Remove relay functionality from an agent 190

    10.2 or later 191

    10.1 or earlier 191

    DevOps, automation and scaling 192

    Command-line basics 193

    Deep Security Agent 193

    dsa_control 193

    Usage 194

    Agent-initiated activation ("dsa_control -a") 196

    Agent-Initiated activation over a private network via proxy 197

    Agent-initiated heartbeat command ("dsa_control -m") 198

    Activate an agent 205

    Windows 205

    Linux 206

    Configure a proxy for anti-malware and rule updates 206

    Windows 206

    Linux 206

    Configure a proxy for connections to the manager 206

    Windows 206

    Linux 207

    Force the agent to contact the manager 207

    Windows 207

    Linux 207

    Initiate a manual anti-malware scan 207

    Windows 207

    Linux 207

    Create a diagnostic package 208

    Windows 208

    Linux 208

    Reset the agent 208

    Windows 208

    Linux 209

    dsa_query 209

    Usage 209

    Check CPU usage and RAM usage 210

    Windows 210

    Linux 210

    Check that ds_agent processes or services are running 210

    Windows 210

    Linux 210

    Restart an agent on Linux 210

    Use the Deep Security REST API 210

    Getting Started 211

    Enabling the Status Monitoring API (Optional) 211

    Creating a Web Service User Account 212

    Obtaining Deep Security Manager's SSL Certificate 212

    Developing a REST API Client Application 213

    Using the REST API 213

    Basic API Access 214

    Using the Provided Java REST API Client 214

    Example Java Code 215

    Using the Java Sample Code 219

    API Documentation 219

    Response Processing 219

    HTTP Status Codes 219

    Error Responses 220

    API Calls Returning javax.ws.rs.core.Response 221

    Other Considerations 221

    Specifying Dates in Query Parameters 221

    Multi-Tenant Permissions 222

    Schedule Deep Security to perform tasks 222

    Create scheduled tasks 222

    Enable or disable a scheduled task 224

    Set up recurring reports 224

    Automatically perform tasks when a computer is added or changed 225

    Create an event-based task 225

    Edit or stop an existing event-based task 225

    Events that you can monitor 225

    Conditions 226

    Actions 229

    Order of execution 229

    Temporarily disable an event-based task 229

    Azure virtual machine scale sets and Deep Security 230

    Step 1: (Recommended) Add your Azure account to Deep Security Manager 230

    Step 2: Prepare a deployment script 231

    Step 3: Add the agent through a custom script extension to your VMSS instances 231

    Example 1: Create a new VMSS that includes the agent 232

    Example 2: Add the agent to an existing VMSS 234

    Use deployment scripts to add and protect computers 237

    Troubleshooting and tips 239

    Protect 240

    Intrusion Prevention 240

    Anti-Malware 240

    Firewall 241

    Web Reputation 241

    Integrity Monitoring 241

    Log Inspection 242

    Application Control 242

    Manage protected computers 242

    Add computers and other resources to Deep Security Manager 242

    Add computers to the manager 243

    Group computers 243

    Export your computers list 244

    Delete a computer 244

    Add local network computers 244

    Agent-initiated activation 244

    Manually add a computer 245

    Discover computers 246

    Add AWS cloud accounts 247

    Configure an IAM policy 249

    Add your AWS accounts using an IAM user and cross account role 250

    Step 1. Log in to AWS Account X and complete these tasks: 251

    Step 2. Log in to AWS Account Y and complete these tasks: 252

    Step 3. Log in to Deep Security Manager and add the access keys: 252

    Add your AWS account using AWS access keys 253

    Edit a cloud account 254

    Remove a cloud account from the manager 255

    Add Amazon WorkSpaces 255

    Protect Amazon WorkSpaces if you already added your AWS account 255

    Protect Amazon WorkSpaces if you have not yet added your AWS account 256

    How do I migrate to the new cloud connector functionality? 256

    Add a Microsoft Azure account to Deep Security 258

    Configure a proxy setting for the Azure account 258

    Add virtual machines from a Microsoft Azure account to Deep Security 259

    Quick 259

    Advanced 260

    Manage Azure classic virtual machines with the Azure Resource Manager connector 260

    Remove an Azure account 261

    Create an Azure app for Deep Security 261

    Record the Azure Active Directory ID 262

    Create the Azure app 262

    Record the Azure app ID and password 262

    Record the Subscription ID 263

    Assign the Azure app a reader role and add it to your Azure Subscription 263

    Why should I upgrade to the new Azure Resource Manager connection functionality? 263

    Add virtual machines hosted on VMware vCloud 264

    Proxy setting for cloud accounts 265

    Create a VMware vCloud Organization account for the manager 265

    Import computers from a VMware vCloud Organization Account 266

    Import computers from a VMware vCloud Air data center 266

    Configure software updates for cloud accounts 267

    Remove a cloud account 267

    Add computer groups from Microsoft Active Directory 268

    Additional Active Directory options 269

    Remove Directory 269

    Synchronize Now 269

    Server certificate usage 269

    Filter Active Directory objects 270

    Import users and contacts 270

    Keep Active Directory objects synchronized 271

    Disable Active Directory synchronization 272

    Remove computer groups from Active Directory synchronization 272

    Delete Active Directory users and contacts 272

    Protect Docker containers 273

    Deep Security protection for the Docker host 274

    Deep Security protection for Docker containers 274

    Limitation on intrusion prevention recommendation scans 274

    Computer and agent statuses 275

    Status column - computer states 275

    Status column - agent or appliance states 276

    Task(s) column 276

    Computer errors 279

    Protection module status 280

    Perform other actions on your computers 281

    Computers icons 285

    Status information for different types of computers 286

    Ordinary computer 286

    Relay 286

    Deep Security Scanner 287

    Docker hosts 287

    Automatic configuration of iptables 288

    Rules added for a manager 288

    Rules added for an agent 288

    Enable or disable agent self-protection 289

    Via Deep Security Manager 289

    Via command line 290

    Are "Offline" agents still protected by Deep Security? 290

    Deep Security Notifier 291

    How the notifier works 291

    Create policies to protect your computers and other resources 295

    Create a new policy 296

    Other ways to create a policy 296

    Edit the settings for a policy or individual computer 297

    Assign a policy to a computer 298

    Immediately send policy changes 298

    Export a policy 299

    Policies, inheritance, and overrides 299

    Inheritance 300

    Overrides 301

    Manage and run recommendation scans 302

    What gets scanned? 302

    Scan limitations 303

    Run a recommendation scan 304

    Create a scheduled task to regularly run recommendation scans 305

    Configure an ongoing scan 306

    Manually run a recommendation scan 306

    Cancel a recommendation scan 306

    Exclude a rule or application type from recommendation scans 307

    Automatically implement recommendations 307

    Check scan results and manually assign rules 308

    Configure recommended rules 310

    Implement additional rules for common vulnerabilities 310

    Troubleshooting: Recommendation Scan Failure 311

    Communication 311

    Server resources 312

    Timeout values 312

    Detect and configure the interfaces available on a computer 312

    Configure a policy for multiple interfaces 313

    Enforce interface isolation 313

    Overview section of the computer editor 314

    General tab 314

    Computer status 315

    Protection module status 316

    VMware virtual machine summary 318

    Actions tab 318

    Activation 318

    Policy 318

    Agent Software 318

    Support 319

    TPM tab 319

    System Events tab 320

    Overview section of the policy editor 320

    General tab 320

    General 320

    Inheritance 321

    Modules 321

    Computer(s) Using This Policy tab 321

    Events tab 321

    Network engine settings 321

    Define rules, lists, and other common objects used by policies 332

    Rules 332

    Lists 332

    Other 332

    Create a firewall rule 333

    Add a new rule 333

    Select the behavior and protocol of the rule 334

    Select a Packet Source and Packet Destination 336

    Configure rule events and alerts 337

    Alerts 338

    Set a schedule for the rule 338

    Assign a context to the rule 338

    See policies and computers a rule is assigned to 338

    Export a rule 338

    Delete a rule 338

    Configure intrusion prevention rules 339

    See the list of intrusion prevention rules 339

    See information about an intrusion prevention rule 340

    General Information 340

    Details 340

    See the list of intrusion prevention rules 341

    General Information 341

    Identification (Trend Micro rules only) 341

    See information about the associated vulnerability (Trend Micro rules only) 342

    Assign and unassign rules 342

    Automatically assign updated required rules 343

    Configure event logging for rules 343

    Generate alerts 344

    Setting configuration options (Trend Micro rules only) 345

    Schedule active times 345

    Exclude from recommendations 346

    Set the context for a rule 346

    Override the behavior mode for a rule 347

    Override rule and application type configurations 347

    Export and import rules 348

    Create an integrity monitoring rule 348

    Add a new rule 349

    Enter integrity monitoring rule information 350

    Select a rule template and define rule attributes 350

    Registry Value template 350

    File template 350

    Custom (XML) template 351

    Configure Trend Micro integrity monitoring rules 351

    Configure rule events and alerts 352

    Real-time event monitoring 352

    Alerts 353

    See policies and computers a rule is assigned to 353

    Export a rule 353

    Delete a rule 353

    Define a log inspection rule for use in policies 353

    Create a new log inspection rule 354

    Decoders 356

    Subrules 357

    Groups 357

    Rules, ID, and Level 358

    Description 359

    Decoded As 360

    Match 360

    Conditional Statements 361

    Hierarchy of Evaluation 362

    Restrictions on the Size of the Log Entry 363

    Composite Rules 364

    Real world examples 365

    Log inspection rule severity levels and their recommended use 374

    strftime() conversion specifiers 375

    Examine a log inspection rule 376

    Log inspection rule structure and the event matching process 376

    Duplicate Sub-rules 378

    Create a list of directories for use in policies 379

    Import and export directory lists 381

    See which policies use a directory list 381

    Create a list of file extensions for use in policies 381

    Import and export file extension lists 382

    See which malware scan configurations use a file extension list 382

    Create a list of files for use in policies 382

    Import and export file lists 385

    See which policies use a file list 385

    Create a list of IP addresses for use in policies 385

    Import and export IP lists 386

    See which rules use an IP list 386

    Create a list of ports for use in policies 386

    Import and export port lists 387

    See which rules use a port list 387

    Create a list of MAC addresses for use in policies 387

    Import and export MAC lists 388

    See which policies use a MAC list 388

    Define contexts for use in policies 388

    Configure settings used to determine whether a computer has internet connectivity 388

    Define a context 389

    Define stateful firewall configurations 390

    Add a stateful configuration 390

    Enter stateful configuration information 391

    Select packet inspection options 391

    IP packet inspection 391

    TCP packet inspection 391

    FTP Options 393

    UDP packet inspection 393

    ICMP packet inspection 394

    Export a stateful configuration 394

    Delete a stateful configuration 395

    See policies and computers a stateful configuration is assigned to 395

    Define a schedule that you can apply to rules 395

    Lock down software with application control 396

    What does app control detect as software? 398

    Local vs. shared vs. global rulesets 399

    Enable application control 399

    Turn on application control 400

    Verify application control is enabled 402

    Automatically enable application control on new computers 404

    Monitor for application control events 405

    Choose which application control events to log 406

    View application control event logs 406

    Respond to application control security events 407

    Interpret aggregated security events 407

    Monitor application control alerts 409

    Allow or block software 409

    Allow or block software 410

    Example: Allow All in application control 413

    Allow software updates 413

    Reuse shared allow and block rules on other computers 415

    Change from shared to computer-specific allow and block rules 416

    Globally block by hash 417

    Reset application control after too much software change 418

    Reset application control after too much software change 419

    Undo blocking or allowing software 420

    View application control rulesets 421

    Delete an application control ruleset 422

    Delete an individual application control rule 423

    Delete a global rule 423

    Change the action of one application control rule 423

    Undo many new rules and rule changes with the decision log 426

    Deploy application control rulesets via relays 428

    Protect against malware 433

    Types of malware scans 434

    Real-time scan 434

    Manual scan 435

    Scheduled scan 435

    Quick scan 435

    Scan objects and sequence 436

    Malware scan configurations 436

    Malware events 437

    Smart Scan 437

    Predictive Machine Learning 438

    Malware types 438

    Virus 438

    Trojans 439

    Packer 440

    Spyware/grayware 440

    Cookie 441

    Other threats 441

    Possible malware 441

    Enable and configure anti-malware 441

    Turn on the anti-malware module 442

    Select the types of scans to perform 442

    Configure scan exclusions 443

    Ensure that Deep Security can keep up to date on the latest threats 443

    Configure malware scans 444

    Create or edit a malware scan configuration 445

    Scan for specific types of malware 446

    Scan for spyware and grayware 446

    Scan for compressed executable files (real-time scans only) 446

    Scan process memory (real-time scans only) 447

    Scan compressed files 447

    Scan embedded Microsoft Office objects 448

    Specify the files to scan 448

    Inclusions 448

    Exclusions 449

    Syntax for directory lists 450

    Syntax of file lists 451

    Syntax of file extension lists 453

    Syntax of process image file lists (real-time scans only): 453

    Scan a network directory (real-time scan only) 454

    Specify when real-time scans occur 454

    Configure how to handle malware 454

    Customize malware remedial actions 454

    ActiveAction actions 455

    Generate alerts for malware detection 456

    Identify malware files by file hash digest 456

    Configure notifications on the computer 457

    Performance tips for anti-malware 457

    Minimize disk usage 457

    Optimize CPU usage 458

    Optimize RAM usage 459

    Disable Windows Defender after installing Deep Security anti-malware on Windows Server 2016 460

    Installing the Anti-Malware module when Windows Defender is already disabled 460

    Detect emerging threats using Predictive Machine Learning 460

    Ensure Internet connectivity 461

    Enable Predictive Machine Learning 461

    Enhanced anti-malware and ransomware scanning with behavior monitoring 462

    How does enhanced scanning protect you? 462

    How to enable enhanced scanning 463

    What happens when enhanced scanning finds a problem? 464

    What if my agents can't connect to the Internet directly? 469

    Smart Protection in Deep Security 469

    Anti-malware and Smart Protection 469

    Enable Smart Scan 469

    Smart Protection Server for File Reputation Service 470

    Web Reputation and Smart Protection 471

    Smart Feedback 472

    Handle malware 472

    View and restore identified malware 473

    See a list of identified files 473

    Working with identified files 474

    Search for an identified file 475

    Restore quarantined files 477

    Create a scan exclusion for the file 477

    Restore the file 480

    Manually restore quarantined files 480

    Create anti-malware exceptions 480

    Create an exception from an anti-malware event 481

    Manually create an anti-malware exception 482

    Exception strategies for spyware and grayware 482

    Scan exclusion recommendations 483

    Increase debug logging for anti-malware in protected Linux instances 483

    Block exploit attempts using intrusion prevention 484

    Intrusion prevention rules 485

    Application types 485

    Rule updates 486

    Recommendation scans 486

    Use behavior modes to test rules 486

    Override the behavior mode for rules 487

    Intrusion prevention events 488

    Support for secure connections 488

    Contexts 488

    Interface tagging 489

    Set up intrusion prevention 489

    Enable intrusion prevention in Detect mode 489

    Test intrusion prevention 491

    Apply recommended rules 492

    Monitor your system 494

    Monitor system performance 494

    Check intrusion prevention events 494

    Enable 'fail open' for packet or system failures 494

    Switch to prevent mode 494

    Implement best practices for specific rules 495

    HTTP Protocol Decoding rule 495

    Cross-site scripting and generic SQL injection rules 495

    Configure intrusion prevention rules 496

    See the list of intrusion prevention rules 497

    See information about an intrusion prevention rule 497

    General Information 497

    Details 498

    See the list of intrusion prevention rules 498

    General Information 498

    Identification (Trend Micro rules only) 499

    See information about the associated vulnerability (Trend Micro rules only) 499

    Assign and unassign rules 500

    Automatically assign updated required rules 500

    Configure event logging for rules 501

    Generate alerts 502

    Setting configuration options (Trend Micro rules only) 502

    Schedule active times 503

    Exclude from recommendations 503

    Set the context for a rule 504

    Override the behavior mode for a rule 504

    Override rule and application type configurations 505

    Export and import rules 506

    Configure an SQL injection prevention rule 506

    What is an SQL injection attack? 507

    What are common characters and strings used in SQL injection attacks? 507

    How does the Generic SQL Injection Prevention rule work? 509

    Examples of the rule and scoring system in action 511

    Example 1: Logged and dropped traffic 511

    Example 2: No logged or dropped traffic 512

    Configure the Generic SQL Injection Prevention rule 513

    Character encoding guidelines 516

    Application types 518

    See a list of application types 518

    General Information 519

    Connection 519

    Configuration 520

    Options 520

    Assigned To 520

    Inspect SSL or TLS traffic 520

    Configure SSL inspection 521

    Change port settings 522

    Work around Perfect Forward Secrecy 522

    Special considerations for Apache servers 523

    Supported ciphers 524

    Supported protocols 525

    Configure anti-evasion settings 525

    Performance tips for intrusion prevention 528

    Maximum size for configuration packages 529

    Control endpoint traffic using the firewall 530

    Firewall rules 530

    Set up the Deep Security firewall 531

    Test firewall rules before deploying them 532

    Test in Tap mode 533

    Test in Inline mode 533

    Enable 'fail open' behavior 534

    Turn on firewall 535

    Default firewall rules 536

    Default Bypass rule for Deep Security Manager Traffic 537

    Restrictive or permissive firewall design 537

    Restrictive firewall 537

    Permissive firewall 538

    Firewall rule actions 538

    Firewall rule priorities 539

    Allow rules 539

    Force Allow rules 539

    Bypass rules 540

    Recommended firewall policy rules 540

    Reconnaissance scans 540

    Stateful inspection 542

    Example 542

    Important things to remember 543

    Create a firewall rule 544

    Add a new rule 545

    Select the behavior and protocol of the rule 545

    Select a Packet Source and Packet Destination 548

    Configure rule events and alerts 549

    Alerts 549

    Set a schedule for the rule 549

    Assign a context to the rule 550

    See policies and computers a rule is assigned to 550

    Export a rule 550

    Delete a rule 550

    Allow trusted traffic to bypass the firewall 550

    Create a new IP list of trusted traffic sources 551

    Create incoming and outbound firewall rules for trusted traffic using the IP list 551

    Assign the firewall rules to a policy used by computers that trusted traffic flows through 552

    Firewall rule actions and priorities 552

    Firewall rule actions 552

    More about Allow rules 553

    More about Bypass rules 553

    Default Bypass rule for Deep Security Manager traffic 554

    More about Force Allow rules 555

    Firewall rule sequence 555

    A note on logging 556

    How firewall rules work together 557

    Rule Action 557

    Rule priority 559

    Putting rule action and priority together 559

    Firewall settings 560

    General 561

    Firewall 561

    Firewall Stateful Configurations 561

    Port Scan (Computer Editor only) 561

    Assigned Firewall Rules 562

    Interface Isolation 562

    Interface Isolation 562

    Interface Patterns 562

    Reconnaissance 563

    Reconnaissance Scans 563

    Advanced 566

    Events 566

    Events 566

    Firewall settings with Oracle RAC 566

    Add a rule to allow communication between nodes 566

    Add a rule to allow UDP port 42424 567

    Allow other RAC-related packets 569

    Ensure that the Oracle SQL Server rule is assigned 572

    Ensure that anti-evasion settings are set to "Normal" 572

    Define stateful firewall configurations 573

    Add a stateful configuration 574

    Enter stateful configuration information 574

    Select packet inspection options 574

    IP packet inspection 574

    TCP packet inspection 575

    FTP Options 576

    UDP packet inspection 577

    ICMP packet inspection 577

    Export a stateful configuration 578

    Delete a stateful configuration 578

    See policies and computers a stateful configuration is assigned to 578

    Scan for open ports 579

    Monitor for system changes with integrity monitoring 580

    Set up integrity monitoring 580

    How to enable Integrity Monitoring 580

    Turn on Integrity Monitoring 581

    Run a Recommendation scan 582

    Apply the Integrity Monitoring rules 583

    Build a baseline for the computer 585

    Periodically scan for changes 585

    When Integrity Monitoring scans are performed 585

    Integrity Monitoring scan performance settings 586

    Limit CPU usage 586

    Change the content hash algorithm 587

    Enable a VM Scan Cache configuration 587

    Integrity Monitoring event tagging 587

    Create an integrity monitoring rule 588

    Add a new rule 589

    Enter integrity monitoring rule information 589

    Select a rule template and define rule attributes 590

    Registry Value template 590

    File template 590

    Custom (XML) template 591

    Configure Trend Micro integrity monitoring rules 591

    Configure rule events and alerts 592

    Real-time event monitoring 592

    Alerts 592

    See policies and computers a rule is assigned to 592

    Export a rule 592

    Delete a rule 592

    Integrity monitoring rules language 593

    Entity Sets 594

    Hierarchies and wildcards 595

    Syntax and concepts 596

    Include tag 597

    Exclude tag 598

    Case sensitivity 598

    Entity features 599

    ANDs and ORs 601

    Order of evaluation 602

    Entity attributes 602

    Shorthand attributes 603

    onChange attribute 604

    Environment variables 604

    Environment variable overrides 605

    Registry values 605

    Use of ".." 606

    Best practices 606

    DirectorySet 607

    Tag Attributes 607

    Entity Set Attributes 608

    Short Hand Attributes 609

    Meaning of "Key" 609

    Sub Elements 609

    FileSet 610

    Tag Attributes 610

    Entity Set Attributes 610

    Short Hand Attributes 612

    Drives Mounted as Directories 612

    Alternate Data Streams 612

    Meaning of "Key" 613

    Sub Elements 613

    Special attributes of Include and Exclude for FileSets: 614

    GroupSet 614

    Tag Attributes 614

    Entity Set Attributes 614

    Short Hand Attributes 615

    Meaning of "Key" 615

    Include and Exclude 615

    InstalledSoftwareSet 615

    Tag Attributes 616

    Entity Set Attributes 616

    Short Hand Attributes 617

    Meaning of "Key" 617

    Sub Elements 617

    Special attributes of Include and Exclude for InstalledSoftwareSets: 617

    PortSet 618

    Tag Attributes 618

    Entity Set Attributes 618

    Meaning of "Key" 619

    IPV6 619

    Matching of the Key 619

    Sub Elements 620

    Special attributes of Include and Exclude for PortSets: 620

    ProcessSet 621

    Tag Attributes 621

    Entity Set Attributes 621

    Short Hand Attributes 622

    Meaning of "Key" 622

    Sub Elements 623

    Special attributes of Include and Exclude for ProcessSets: 623

    RegistryKeySet 624

    Tag Attributes 624

    Entity Set Attributes 625

    Short Hand Attributes 625

    Meaning of "Key" 625

    Sub Elements 625

    RegistryValueSet 626

    Tag Attributes 626

    Entity Set Attributes 626

    Short Hand Attributes 627

    Meaning of "Key" 627

    Default Value 627

    Sub Elements 628

    ServiceSet 628

    Tag Attributes 628

    Entity Set Attributes 629

    Short Hand Attributes 630

    Meaning of "Key" 630

    Sub Elements 630

    Special attributes of Include and Exclude for ServiceSets: 631

    UserSet 631

    Tag Attributes 631

    Entity Set Attributes 631

    Common Attributes 631

    Windows-only Attributes 632

    Linux-only Attributes 633

    Short Hand Attributes 633

    Meaning of "Key" 634

    Sub Elements 634

    Include and Exclude 634

    Special attributes of Include and Exclude for UserSets 634

    WQLSet 635

    Entity Set Attributes 637

    Meaning of Key 639

    Include Exclude 639

    Analyze logs with log inspection 639

    Set up log inspection 640

    Turn on the log inspection module 641

    Run a recommendation scan 641

    Apply the recommended log inspection rules 642

    Configure log inspection event forwarding and storage 643

    Define a log inspection rule for use in policies 644

    Create a new log inspection rule 644

    Decoders 646

    Subrules 648

    Groups 648

    Rules, ID, and Level 648

    Description 650

    Decoded As 650

    Match 651

    Conditional Statements 652

    Hierarchy of Evaluation 652

    Restrictions on the Size of the Log Entry 654

    Composite Rules 654

    Real world examples 656

    Log inspection rule severity levels and their recommended use 665

    strftime() conversion specifiers 666

    Examine a log inspection rule 667

    Log inspection rule structure and the event matching process 667

    Duplicate Sub-rules 669

    Block access to malicious URLs with web reputation 670

    Turn on the web reputation module 671

    Switch between inline and tap mode 671

    Enforce the security level 672

    To configure the security level: 672

    Create exceptions 673

    To create URL exceptions: 673

    Configure the Smart Protection Server 674

    Smart Protection Server Connection Warning 675

    Edit advanced settings 675

    Blocking Page 675

    Alert 676

    Ports 676

    Test Web Reputation threshold values 676

    Deep Security Best Practice Guide 677

    Maintain 677

    Check your license information 677

    Licensing for Azure Marketplace 678

    Back up and restore your database 678

    Microsoft SQL Server Database 679

    Restore the database only 679

    Restore both the Deep Security Manager and the database 680

    Export objects in XML or CSV format 680

    Import objects 681

    Keep your security up to date 682

    How do agents validate the content of updates provided by the manager? 682

    Update Deep Security software 682

    How updates are performed 683

    Determine how to distribute the software updates 684

    Import software updates into Deep Security Manager 684

    Manually import software updates 684

    Automatically import software updates 685

    Delete a software package from the Deep Security database 685

    Upgrade agents following an alert 686

    Initiate an upgrade 687

    Use a web server to distribute software updates 688

    Web server requirements 688

    Copy the folder structure 688

    Configure agents to use the new software repository 690

    Get and distribute security updates 690

    Configure a security update source and settings 693

    Perform security updates 694

    Special case: configure updates on a relay-enabled agent in an air-gapped environment 694

    Check your security update status 695

    See details about pattern updates 695

    See details about rule updates 696

    Disable emails for New Pattern Update alerts 697

    Harden Deep Security 698

    Protect Deep Security Manager with an agent 698

    Replace the Deep Security Manager SSL certificate 699

    See your trusted certificates 700

    Replace the SSL certificate in a Windows environment 701

    Create a new .keystore file and add your certificates to the cacerts file 701

    Create a PKCS12 keychain file and import it into the new .keystore file 702

    Configure Deep Security Manager to use the new .keystore file 703

    Replace the SSL certificate in a Linux environment 704

    Create a new .keystore file and add your certificates to the cacerts file 704

    Create a PKCS12 keychain file and import it into the new .keystore file 705

    Configure the Deep Security Manager to use the new .keystore file 706

    Encrypt communication between the Deep Security Manager and the database 706

    Encrypt communication between the manager and database 707

    Microsoft SQL Server database (Linux) 707

    Microsoft SQL Server (Windows) 708

    Oracle Database 709

    PostgreSQL 710

    Running an agent on the database server 711

    Disable encryption between the manager and database 711

    Microsoft SQL Server database (Linux) 711

    Microsoft SQL Server (Windows) 712

    Oracle Database 712

    PostgreSQL 712

    Change the Deep Security Manager database password 713

    Change your Microsoft SQL Server password 713

    Change your Oracle password 713

    Change your PostgreSQL password 714

    Enable Content Security Policy and HTTP Public Key Pinning 715

    Add a content security policy or public key pin policy 715

    Reset your configuration 715

    Content security policy 715

    Public key pin policy 716

    Enforce user password rules 716

    Specify password requirements 716

    Use another identity provider for sign-on 717

    Add a message to the Deep Security Manager Sign In page 718

    Present users with terms and conditions 718

    Other Security settings 718

    Set up multi-factor authentication 718

    Enable multi-factor authentication 719

    Disable multi-factor authentication 720

    Supported multi-factor authentication (MFA) applications 721

    Troubleshooting MFA 721

    What if my MFA is enabled but not working? 721

    What if my MFA device is lost or stops working? 722

    Configure alerts 722

    View alerts in Deep Security Manager 723

    Configure alert settings 723

    Set up email notification for alerts 724

    Turn alert emails on or off 725

    Configure an individual user to receive alert emails 726

    Configure recipients for all alert emails 726

    Generate reports about alerts and other activity 727

    Set up a single report 727

    Set up a recurring report 730

    Customize the dashboard 731

    Date and time range 732

    Computers and computer groups 732

    Filter by tags 733

    Select dashboard widgets 734

    Change the layout 734

    Save and manage dashboard layouts 735

    Event collection in Deep Security 736

    Where are event logs on the agent? 736

    When are events sent to the manager? 736

    How long are events stored? 737

    System events 737

    Security events 737

    See the events associated with a policy or computer 738

    View details about an event 738

    Filter the list to search for an event 739

    Export events 740

    Improve logging performance 740

    Log and event storage best practices 740

    Troubleshooting 742

    Limit log file sizes 742

    Event logging tips 744

    Apply tags to identify and group events 744

    Manual tagging 745

    Auto-tagging 746

    Set the precedence for an auto-tagging rule 746

    Auto-tagging log inspection events 747

    Trusted source tagging 747

    Local trusted computer 748

    How does Deep Security determine whether an event on a target computer matches an event on a trusted source computer? 748

    Tag events based on a local trusted computer 749

    Tag events based on the Trend Micro Certified Safe Software Service 749

    Tag events based on a trusted common baseline 750

    Delete a tag 751

    Reduce the number of logged events 751

    Rank events to quantify their importance 753

    Web reputation event risk values 753

    Firewall rule severity values 754

    Intrusion prevention rule severity values 754

    Integrity monitoring rule severity values 754

    Log inspection rule severity values 754

    Asset values 755

    Forward Deep Security events to an external syslog or SIEM server 755

    Forward system events to a syslog or SIEM server 756

    Forward security events to a syslog or SIEM server 756

    Forward security events directly from agent computers to a syslog or SIEM server 757

    Forward security events from the agent computers via the Deep Security Manager 757

    Define a syslog configuration 758

    Troubleshooting 760

    "Failed to Send Syslog Message" alert 760

    Can't edit syslog configurations 761

    Can't see the syslog configuration sections of Deep Security Manager 761

    Syslog not transferred due to an expired certificate 761

    Syslog not delivered due to an expired or changed server certificate 761

    Syslog or SIEM servers used for testing 761

    Syslog message formats 762

    CEF syslog message format 762

    LEEF 2.0 syslog message format 764

    Events originating in the Manager 765

    System event log format 765

    Events originating in the agent 766

    Anti-malware event format 766

    Application control event format 775

    Firewall event log format 780

    Integrity monitoring log event format 784

    Intrusion prevention event log format 787

    Log inspection event format 794

    Web reputation event format 796

    Configure Red Hat Enterprise Linux to receive event logs 798

    Set up a Syslog on Red Hat Enterprise Linux 6 or 7 798

    Set up a Syslog on Red Hat Enterprise Linux 5 799

    Access events with Amazon SNS 800

    Create an AWS user 800

    Create an Amazon SNS topic 801

    Enable SNS 801

    Create subscriptions 802

    JSON SNS configuration 802

    Version 803

    Statement 803

    Topic 803

    Condition 804

    Bool 804

    Exists 805

    IpAddress 806

    NotIpAddress 806

    NumericEquals 807

    NumericNotEquals 808

    NumericGreaterThan 809

    NumericGreaterThanEquals 809

    NumericLessThan 810

    NumericLessThanEquals 811

    StringEquals 811

    StringNotEquals 812

    StringEqualsIgnoreCase 813

    StringNotEqualsIgnoreCase 813

    StringLike 813

    StringNotLike 814

    Event Description 815

    Event Data Types 815

    Event Properties 816

    Example events in JSON format 832

    Example Configurations 834

    Send all critical intrusion prevention events to an SNS topic 834

    Send different events to different SNS topics 835

    Multiple statements vs. multiple conditions 836

    Multiple statements 836

    Multiple conditions 837

    DevOps, automation and scaling 837

    DevOps, automation and scaling 837

    Forward system events to a remote computer via SNMP 838

    Lists of events and alerts 838

    Predefined alerts 839

    Agent events 849

    System events 853

    Anti-malware events 877

    What information is displayed for anti-malware events? 877

    List of all anti-malware events 878

    Firewall events 879

    What information is displayed for firewall events? 880

    List of all firewall events 881

    Intrusion prevention events 888

    What information is displayed for intrusion prevention events? 888

    List of all intrusion prevention events 889

    Integrity monitoring events 892

    What information is displayed for integrity monitoring events? 892

    List of all integrity monitoring events 893

    Log inspection events 895

    What information is displayed for log inspection events? 895

    List of all log inspection events 896

    Web reputation events 897

    What information is displayed for web reputation events? 897

    Add a URL to the list of allowed URLs 897

    Troubleshoot common events, alerts, and errors 897

    Why am I seeing firewall events when the firewall module is off? 898

    Why am I getting "Unrecognized Client" events? 899

    Troubleshoot "Smart Protection Server disconnected" errors 899

    Check the error details 899

    Is the issue on a Deep Security Virtual Appliance? 900

    Error: Activation Failed 900

    Activation Failed - Protocol Error 900

    Agent-initiated communication 901

    Bidirectional communication 901

    Activation Failed - Unable to resolve hostname 901

    Activation Failed - No Agent/Appliance 901

    Error: Agent version not supported 902

    Error: Installation of Feature 'dpi' failed: Not available: Filter 902

    Additional information 902

    Error: Interface out of sync 903

    Check the specific virtual computer interfaces 903

    Check the virtual computer interface information in vCenter 903

    Check the vmx file and the virtual computer interface information in Deep Security Manager 904

    Check the virtual computer interface information in the Deep Security Virtual Appliance 904

    Workaround Options 905

    Option 1 905

    Option 2 905

    Option 3 905

    Further Troubleshooting 905

    Error: Integrity Monitoring Engine Offline and other errors occur after activating a virtual machine 907

    Error: Module installation failed (Linux) 907

    Error: There are one or more application type conflicts on this computer 908

    Resolution 908

    Consolidate ports 909

    Disable the inherit option 909

    Error: Unable to connect to the cloud account 910

    Your AWS account access key ID or secret access key is invalid 910

    The incorrect AWS IAM policy has been applied to the account being used by Deep Security 910

    NAT, proxy, or firewall ports are not open, or settings are incorrect 911

    Error: Unable to resolve instance hostname 911

    Error: Anti-malware engine offline 911

    Agent-based protection 912

    If your agent is Windows: 912

    If your agent is Linux: 913

    Agentless protection 913

    Error: Check Status Failed 914

    Error: Log Inspection Rules Require Log Files 915

    If the file's location is required: 915

    If the files listed do not exist on the protected machine: 915

    Alert: Integrity Monitoring information collection has been delayed 916

    Alert: The memory warning threshold of Manager Node has been exceeded 916

    Increase the allocated memory on a Windows server 917

    Increase the allocated memory on a Linux server 917

    Verify the memory allocation change 917

    Alert: Relay Update Service Unavailable 917

    Alert: Manager Time Out of Sync 918

    Event: Max TCP connections 918

    Warning: Reconnaissance Detected 919

    Types of reconnaissance scans 919

    Suggested actions 919

    Warning: Insufficient disk space 920

    Tips 921

    Create and manage users 921

    Synchronize with an Active Directory 921

    Filtering the Active Directory 922

    Add or edit an individual user 923

    Change a user's password 926

    Lock out a user or reset a lockout 926

    View system events associated with a user 926

    Delete a user 926

    Define roles for users 926

    Add or edit a role 928

    Default settings for full access, auditor, and new roles 934

    Add users who can only receive reports 942

    Add or edit a contact 942

    Delete a contact 942

    Unlock a locked out user name 943

    Unlock users as an administrator 943

    Unlock administrative users from a command line 943

    Implement SAML single sign-on 944

    What are SAML and single sign-on? 944

    How SAML single sign-on works in Deep Security 944

    Establishing a trust relationship 944

    Creating Deep Security accounts from user identities 944

    Implement SAML single sign-on in Deep Security 945

    Getting started with SAML single sign-on 946

    Configure pre-set up requirements 946

    Configure Deep Security as a SAML service provider 947

    Configure SAML in Deep Security 948

    Import your identity provider's SAML metadata document 948

    Create Deep Security roles for SAML users 949

    Provide information for your identity provider administrator 949

    Download the Deep Security Manager service provider SAML metadata document 949

    Send URNs and the Deep Security SAML metadata document to the identity provider administrator 949

    SAML claims structure 950

    Deep Security user name (required) 950

    Sample SAML data (abbreviated) 950

    Deep Security user role (required) 951

    Sample SAML data (abbreviated) 951

    Maximum session duration (optional) 951

    Sample SAML data (abbreviated) 951

    Preferred language (optional) 952

    Sample SAML data (abbreviated) 952

    Test SAML single sign-on 952

    Review the set-up 953

    Create a Diagnostic Package 953

    Service and identity provider settings 953

    Navigate and customize Deep Security Manager 953

    Group computers dynamically with smart folders 954

    Create a smart folder 954

    Edit a smart folder 956

    Clone a smart folder 957

    Focus your search using sub-folders 957

    Automatically create sub-folders 958

    Searchable Properties 958

    General 958

    AWS 961

    Azure 962

    vCenter 963

    vCloud 963

    Folder 964

    Operators 964

    View active Deep Security Manager nodes 965

    Customize advanced system settings 967

    Primary Tenant Access 967

    Load Balancers 968

    Multi-tenant Mode 968

    Deep Security Manager Plug-ins 968

    SOAP Web Service API 969

    Status Monitoring API 969

    Export 969

    Whois 969

    Licenses 970

    Scan Cache Configurations 970

    CPU Usage During Recommendation Scans 970

    Logo 970

    Manager AWS Identity 970

    Application control 971

    Meet PCI DSS requirements with Deep Security 976

    Bypass vulnerability management scan traffic in Deep Security 977

    Create a new IP list from the vulnerability scan provider IP range or addresses 977

    Create firewall rules for incoming and outbound scan traffic 978

    Assign the new firewall rules to a policy to bypass vulnerability scans 979

    Upgrade Deep Security Manager VM for Azure Marketplace 979

    Will my virtual machines still be protected during the upgrade? 980

    Before you begin 980

    Upgrade to the latest version 980

    Migrate a Microsoft SQL Server Express database to Enterprise 982

    Uninstall Deep Security 984

    Uninstall Deep Security Relay 984

    Uninstall a relay (Windows) 984

    Uninstall a relay (Linux) 985

    Uninstall Deep Security Agent 985

    Uninstall an agent (Windows) 985

    Uninstall an agent (Linux) 986

    Uninstall an agent (Solaris 9 or 10) 986

    Uninstall an agent (Solaris 11) 987

    Uninstall an agent (AIX) 987

    Uninstall an agent (HP-UX) 987

    Uninstall Deep Security Notifier 987

    Uninstall Deep Security Manager 987

    Uninstall the manager (Windows) 987

    Uninstall the manager (Linux) 988

    FAQs 988

    Deep Security release life cycle and support policy 988

    Support milestones for major releases 989

    Major release support services 989

    How do I get news about Deep Security? 990

    Deep Security Manager uses TLS 1.2 991

    Support for TLS 1.2 on Windows computers 991

    Support for TLS 1.2 on Linux computers 991

    Use agent deployment scripts on older operating systems 992

    Make DSVAs available to VMware vCenter 5.5 servers 992

    Agent deployment scripts for older operating systems 992

    Windows script 992

    Linux script 993

    Re-enable TLS 1.0 on the Deep Security Manager 994

    How can I minimize heartbeat alerts for offline environments in an AWS Elastic Beanstalk environment? 994

    Troubleshooting 995

    Troubleshooting common issues 995

    Troubleshooting: Purple screen of death 996

    Troubleshooting: "Offline" agent 996

    Causes 996

    Verify that the agent is running 997

    Verify DNS 998

    Allow outbound ports (agent-initiated heartbeat) 998

    Allow inbound ports (manager-initiated heartbeat) 999

    Allow ICMP on Amazon AWS EC2 instances 1000

    Troubleshooting: Security update connectivity 1000

    Communication 1001

    Prevent MTU-related agent communication issues across Amazon Virtual Private Clouds (VPC) 1001

    Why does my Windows machine lose network connectivity when I turn on protection? 1003

    Enable diagnostic logging 1003

    Start the Diagnostic Logging wizard 1003

    Create a diagnostic package 1004

    Create a diagnostic package for the Deep Security Manager 1004

    Create a diagnostic package for an agent 1004

    Create a diagnostic package for an agent from the Deep Security Manager 1005

    Create a diagnostic package directly from an agent 1005

    Why can't I add my Azure server using the Azure cloud connector? 1006

    Why can't I view all of the VMs in an Azure subscription in Deep Security? 1006

    Get Started

    Read the release notes

    You can find the release notes for all Deep Security software on the Deep Security Software page. On the page, click

    next to the software item to reveal the link to the related release notes.

    Buy Deep Security Manager from the Azure Marketplace

    To buy Deep Security Manager from the Azure Marketplace, you first need to obtain a license for Deep Security. For help with obtaining one, contact [email protected].

    Once you have a license, see "Deploy the Deep Security Manager VM for Azure Marketplace" on page 123 for instructions on how to purchase and install the Deep Security Manager VM, and deploy Deep Security Agents to your Azure virtual machines.

    What's new?

    Deep Security 10.3 feature release

    Below are major changes in Deep Security 10.3, which is a feature release (see "Feature releases" below for details about feature release support). For a list of new features that were included in previous releases, choose a different Deep Security version from the version selector at the top of the page.

    • Cloud VDI (Amazon WorkSpaces support): Amazon WorkSpaces is a fully managed, secure desktop computing service that runs on the AWS cloud. Deep Security 10.3 offers improved management capabilities for Amazon WorkSpaces. For more information, see "Add Amazon WorkSpaces" on page 255.

    • Relay management: This release makes it easier to manage your relay-enabled agents. With previous releases, customers sometimes accidentally promoted Deep Security Agents to act as relays. With this release, the "Enable Relay" button has been removed from the Computers page. You can now perform all actions related to relays from the new Administration > Relay Management page. For customers who have accidentally promoted an agent to a relay, demoting the relay back to an agent is now a much simpler process. For more information, see "Distribute security and software updates with relays" on page 183.

    Before you install

    Feature releases

    Major releases of Deep Security Manager, such as Deep Security Manager 10.0, are made available on an annual basis, and include new functionality and enhancements for existing functionality. Feature Releases are interim versions of Deep Security that provide early access to new functionality and are made available at regular intervals between major releases. This means that with Feature Releases you can immediately benefit from new functionality without having to wait for the next major release of Deep Security. Feature Releases meet the same quality and release criteria as major releases, and are intended for use in production environments.

    Feature Releases are comprised of new versions of Deep Security Manager and Agent. The new manager is compatible with both the new and older versions of agent. However, new features in a Feature Release can require that both the new manager and the new agent are used. For information about which new features require an agent update, see “What’s New”.

    While several Feature Releases may become available between major releases, the functionality of all Feature Releases is cumulative and is ultimately rolled into the next major release, which continues to be made available on an annual basis. For example, if you are now using the latest major release of Deep Security, you can obtain the Deep Security Feature Release to immediately take advantage of new functionality that it provides.

    Note: If you are constrained to longer adoption cycles, wait for the next major release to benefit from the new functionality.

    For more information about major releases and support services, see "Deep Security release life cycle and support policy" on page 988.

    Version numbers

    You can easily distinguish major releases and Feature Releases by the version number:

    - Major releases use the x.0.z version pattern, for example the 10.0 GM version number is 10.0.3259, where 10 is the major version, 0 is the minor version, and 3259 is the build number:

        - Maintenance update versions are distinguished on the Deep Security Software page with a “U” suffix, for example 10.0_U1.

        - Maintenance updates have the build number incremented, for example the first maintenance update of 10.0 is 10.0.3271.

    - Feature Releases increment the minor version number, for example 10.1.z, or 10.2.z, where z is the build number.

    You can obtain Feature Releases from the Feature Releases tab on the Deep Security Software page (https://help.deepsecurity.trendmicro.com/software.html).

    Feature release life cycle

    Deep Security Feature Releases have a shorter life cycle than major releases, and you should upgrade to the next major release when it becomes available. If you do not upgrade, you risk running an unsupported version of Deep Security. To ease the challenges of scheduling the upgrade in your production environment, support for Feature Releases is provided until 6 months after the next major release is available. The following diagram illustrates the timing of Feature Release availability and the support duration with respect to that of the major releases.

    Platform support

    Feature Releases support the same platforms that the next major release supports. Do not equate the platform support of the current major release with that of Feature Releases. To see a list of older operating system versions and Deep Security Agents that are supported, see "Supported features by platform" on page 67.

    Support services

    Most support items are provided for Feature Releases.

    | Support item | Major release | Feature Release | Delivery mechanism |
    |---|---|---|---|
    | Small enhancements (no change to core functionality) | ✔ | | Update |
    | Linux kernel updates | ✔ | ✔ | Linux Kernel Package (LKP) |
    | General bug fixes | ✔ | | Update |
    | Critical bug fixes (system crash or hang, or loss of major functionality) | ✔ | ✔ | Update or Hot-fix |
    | Critical and high vulnerability fixes | ✔ | ✔ | Update or Hot-fix |
    | Medium and low vulnerability fixes | ✔ | | Update |
    | Anti-Malware pattern updates | ✔ | ✔ | iAU (ActiveUpdate) |
    | Intrusion prevention system, integrity monitoring, and log inspection rules updates | ✔ | ✔ | iAU |
    | Support for Agents and Deep Security Manager on new versions of supported operating systems | ✔ | | Update |

    Although updates that include small enhancements, general bug fixes, and support for new versions of operating systems are not provided for Feature Releases, these improvements are included in new Feature Release versions. For example, if you use 10.1, to benefit from any of these support items you need to obtain 10.2 when it is released. You should use the currently available Feature Release to benefit from these continual improvements.

    About the Deep Security components

    Trend Micro Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions without requiring emergency patching. This comprehensive, centrally managed platform helps you simplify security operations while enabling regulatory compliance and accelerating the ROI of virtualization and cloud projects.

    For information on the protection modules that are available for Deep Security, see "Protect" on page 240.

    Deep Security consists of the following set of components that work together to provide protection:

    - Deep Security Manager, the centralized web-based management console that administrators use to configure security policy and deploy protection to the enforcement components: the Deep Security Virtual Appliance and the Deep Security Agent.

    - Deep Security Virtual Appliance is a security virtual machine built for VMware vSphere environments that agentlessly provides anti-malware and integrity monitoring protection modules for virtual machines in a vShield environment. In an NSX environment, the anti-malware, integrity monitoring, firewall, intrusion prevention, and web reputation modules are available agentlessly.

    - Deep Security Agent is a security agent deployed directly on a computer which provides application control, anti-malware, web reputation service, firewall, intrusion prevention, integrity monitoring, and log inspection protection to computers on which it is installed.

    - The Deep Security Agent contains a Relay module. A relay-enabled agent distributes software and security updates throughout your network of Deep Security components.

    - Deep Security Notifier is a Windows System Tray application that communicates information on the local computer about security status and events, and, in the case of relay-enabled agents, also provides information about the security updates being distributed from the local machine.

    System requirements

    Each part of a Deep Security deployment has its own system requirements.

    - "Deep Security Manager" on the next page
    - "Deep Security Agent 10.3" on page 61
    - "Deep Security Notifier" on page 62

    Requirements vary by version. For older versions of Deep Security Manager, agents, or relays, see their documentation:

    - Deep Security 9.6 SP1 or earlier: http://docs.trendmicro.com/en-us/enterprise/deep-security.aspx
    - Deep Security 10.0: https://help.deepsecurity.trendmicro.com/10/0/Get-Started/Install/system-requirements.html
    - Deep Security 10.1: https://help.deepsecurity.trendmicro.com/10_1/azure/Get-Started/Install/system-requirements.html
    - Deep Security 10.2: https://help.deepsecurity.trendmicro.com/10_2/azure/Get-Started/Install/system-requirements.html

    Deep Security Manager

    For a list of agent versions that are compatible with this version of Deep Security Manager, see "Deep Security Manager - Agent compatibility by platform" on page 63.

    System component Requirements

    Minimum memory (RAM):

    8 GB RAM, which includes:

    - 4 GB for heap memory
    - 1.5 GB for the Java virtual machine
    - 2 GB for the operating system

    Minimum RAM requirements depend on the number of agents that are being managed. (See "Sizing" on page 86.)

    Note: On Linux, reserved system memory is separate from process memory. Therefore, although the installer's estimate might be similar, it will detect less RAM than the computer actually has. To verify the computer's actual total RAM, log in with a superuser account and enter:

    grep MemTotal /proc/meminfo

    Minimum disk space: 1.5 GB (5 GB+ recommended)

    Operating system:

    - Red Hat Enterprise Linux 7 (64-bit)
    - Red Hat Enterprise Linux 6 (64-bit)
    - Red Hat Enterprise Linux 5 (64-bit)
    - Windows Server 2016 (64-bit)
    - Windows Server 2012 or 2012 R2 (64-bit)
    - Windows Server 2008 or 2008 R2 (64-bit)

    Deep Security Manager for AWS Marketplace requires AWS Linux (64-bit).

    Database:

    - Microsoft SQL Server 2016
    - Microsoft SQL Server 2014
    - Microsoft SQL Server 2012
    - Microsoft SQL Server 2008
    - Microsoft SQL Server 2008 R2
    - Oracle Database 12c
    - Oracle Database 11g
    - PostgreSQL 9.6. Distributions that have been tested for use with Deep Security are:
        - PostgreSQL Core Distribution (https://www.postgresql.org/download/)
        - Amazon RDS for PostgreSQL (https://aws.amazon.com/rds/postgresql/)
    - Microsoft SQL RDS or Oracle RDS
    - Azure SQL Database (SaaS) (only with Deep Security Manager VM for Azure Marketplace)

    Disk space required varies by the size of the deployment, data retention, and frequency of logging. See "Sizing" on page 86.

    Minimum free disk space = (2 x database size) + transaction log

    For example, if your database plus transaction log is 40 GB, you must have 80 GB (40 x 2) of free disk space for database schema upgrades. To free disk space, delete any unnecessary event log data and transaction logs.

    Note:

    - Co-locate the database and all Deep Security Manager nodes in the same physical data center, with a 1 Gb link or better to ensure 2 ms latency or less between them.
    - Microsoft SQL Server 2008 and Microsoft SQL Server 2008 R2 are deprecated and will not be supported by future releases. Plan to migrate to a newer version of Microsoft SQL Server if you're using them.
    - Microsoft SQL Server Express is supported in very limited deployments. See "Microsoft SQL Server Express considerations" on page 121 for important details.
    - Oracle Database Express (XE) is not supported.
    - Oracle container database (CDB) configuration is not supported with Deep Security Manager multi-tenancy.
    - Apache Derby, which provided an embedded database for proof-of-concept and testing in previous versions of Deep Security, is not supported anymore.

    Web browser:

    Cookies must be enabled.

    - Firefox 52.0.1+
    - Microsoft Internet Explorer 11+ or Edge
    - Google Chrome 57+
    - Apple Safari 9+ (for Mac)

    Monitor: 1024 x 768 resolution at 256 colors or higher

    Supported Deep Security Agent, Relay, or Virtual Appliance versions:

    - Deep Security Agent, Relay, or Virtual Appliance 10.3
    - Deep Security Agent, Relay, or Virtual Appliance 10.2
    - Deep Security Agent, Relay, or Virtual Appliance 10.1
    - Deep Security Agent, Relay, or Virtual Appliance 10.0
    - Deep Security Agent, Relay, or Virtual Appliance 9.6

    Note: Relays must be 64-bit. 32-bit relays are not supported.

    For some platforms, the supported versions of Deep Security Agent listed above do not exist. Deep Security Manager 10.3 supports older agents on these specific platforms:

    - Deep Security Agent 9.0 on AIX 5.3, 6.1, 7.1 or 7.2
    - Deep Security Agent 9.0 on HP-UX 11.31
    - Deep Security Agent 9.0 on Solaris 10 Update 4 - 10
    - Deep Security Agent 10.0 on Solaris 10 Update 11 (1/13) or Solaris 11

    Note: When using an older agent, you must go to Administration > System Settings > Update and select Allow supported 8.0 and 9.0 Agents to be updated. Otherwise Deep Security will conserve disk space by not downloading older update formats.
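    Added example, not from the Trend Micro guide or product: a Python audit that applies the version-number rules and the supported-agent list above to an agent inventory, flagging agents that Deep Security Manager 10.3 would not support. The function names, status strings, platform labels and sample inventory are assumptions of this example, and it does not model which agent versions exist for each operating system.

```python
import re

# Agent release lines listed as supported by Deep Security Manager 10.3.
SUPPORTED_LINES = {(10, 3), (10, 2), (10, 1), (10, 0), (9, 6)}

# Platforms where the guide allows a 9.0 agent. The label strings are an
# assumption of this example; match them to your own inventory's naming.
LEGACY_9_0_PLATFORMS = {
    "AIX 5.3", "AIX 6.1", "AIX 7.1", "AIX 7.2",
    "HP-UX 11.31", "Solaris 10 Update 4 - 10",
}

# GM build numbers stated in the guide; only the 10.0 build is given there.
GM_BUILDS = {(10, 0): 3259}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_U(\d+))?$")


def parse_version(text):
    """Split '10.0.3271' or '10.0_U1' into (major, minor, build, update)."""
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build, update = match.groups()
    return (int(major), int(minor),
            int(build) if build else None,
            int(update) if update else None)


def classify(version):
    """Name the release type using the x.0.z (major) / x.y.z (feature) rule."""
    major, minor, build, update = parse_version(version)
    if major < 10:
        # Assumption: the guide describes this scheme only for 10.x versions.
        return "pre-10 release"
    if minor > 0:
        return "feature release"
    gm_build = GM_BUILDS.get((major, minor))
    newer_build = build is not None and gm_build is not None and build > gm_build
    if update is not None or newer_build:
        return "major release, maintenance update"
    return "major release"


def audit_agent(platform, version):
    """Return a support status for one agent managed by Manager 10.3."""
    major, minor, _, _ = parse_version(version)
    if (major, minor) in SUPPORTED_LINES:
        if classify(version) == "feature release":
            return "supported (feature release: plan upgrade to next major)"
        return "supported"
    if (major, minor) == (9, 0) and platform in LEGACY_9_0_PLATFORMS:
        return "supported (legacy 9.0: enable older-agent updates)"
    return "unsupported"


def audit_inventory(rows):
    """Map each (host, platform, version) row to its support status."""
    return {host: audit_agent(platform, version)
            for host, platform, version in rows}


# Constructed inventory; host names and most build numbers are made up.
SAMPLE_INVENTORY = [
    ("web-01", "Red Hat 7", "10.3.128"),
    ("db-01", "Windows Server 2012 R2", "10.0.3271"),
    ("erp-01", "AIX 7.1", "9.0.5000"),
    ("old-01", "Windows Server 2008", "9.5.7008"),
]

if __name__ == "__main__":
    for host, status in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```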

    Deep Security Agent 10.3

    System component Requirements

    Minimum memory (RAM):

    Total system memory

    Windows

    - all protection enabled: 2 GB RAM (4 GB recommended)
    - Deep Security Relay feature only: 2 GB RAM (4 GB recommended)

    Linux

    - all protection enabled: 1 GB RAM (5 GB recommended)
    - Deep Security Relay feature only: 1 GB RAM (4 GB recommended)

    Note: Requirements vary by OS version. Some versions may require less RAM. Less RAM is required also if you don't enable all Deep Security features.

    Minimum disk space:

    - all protection enabled: 1 GB
    - without anti-malware: 500 MB
    - Deep Security Relay feature only: 30 GB

    Note: Deep Security Relay must store packages for each of your agents' platforms. If you have many different platforms, more disk space is required.

    Operating system:

    For compatible Docker and OS platforms, see "Deep Security Manager - Agent compatibility by platform" on the next page.

    Note: Supported Deep Security features vary by platform.

    Note: On supported versions of Microsoft Windows, you must have at least PowerShell version 4.0 to run the agent deployment script.

    Deep Security Notifier

    If installed, Deep Security Notifier appears in the Windows system tray. If anti-malware is licensed and enabled, it indicates the statuses of Deep Security Agent. Supported platforms include:

    - Windows Server 2016 (64-bit)
    - Windows Server 2012 or 2012 R2 (64-bit)
    - Windows Server 2008 R2 (64-bit)
    - Windows Server 2008 (32-bit and 64-bit)
    - Windows 10 (32-bit and 64-bit)
    - Windows 8.1 (32-bit and 64-bit)
    - Windows 8 (32-bit and 64-bit)
    - Windows 7 (32-bit and 64-bit)
    - Windows XP (32-bit and 64-bit)

    Deep Security Manager - Agent compatibility by platform

    Deep Security Agent compatibility varies by platform. Deep Security Manager 10.3 supports the Deep Security Agents in the table below.

    Note: Not all Deep Security features are available on all platforms. See "Supported features by platform" on page 67.

    DSA 10.1, 10.2, or 10.3 Feature Release    DSA 10.0    DSA 9.6

    Windows

    XP SP3 (32/64-bit) ✔ ✔
    2003 R2 SP2 (32/64-bit) ✔ ✔
    7 (32/64-bit) ✔ ✔ ✔
    2008 (32/64-bit) and 2008 R2 (64-bit) ✔ ✔ ✔
    8 (32/64-bit) ✔ ✔ ✔
    8.1 (32/64-bit) ✔ ✔ ✔
    10 (32/64-bit) ✔ ✔ ✔
    2012 and 2012 R2 (64-bit) ✔ ✔ ✔
    2016 (64-bit) ✔ ✔ ✔
    XP Embedded ✔ ✔

    Linux

    Red Hat 5 (32/64-bit) ✔ ✔
    Red Hat 6 (32/64-bit) ✔ ✔ ✔
    Red Hat 7 (64-bit) ✔ ✔ ✔
    Ubuntu 10.04 LTS (64-bit) ✔
    Ubuntu 12.04 LTS (64-bit) ✔
    Ubuntu 14.04 LTS (64-bit) ✔ ✔
    Ubuntu 16.04 LTS (64-bit) ✔ ✔ ✔
    CentOS 5 (32/64-bit) ✔ ✔
    CentOS 6 (32/64-bit) ✔ ✔ ✔
    CentOS 7 (64-bit) ✔ ✔ ✔
    Debian 6 (64-bit) ✔
    Debian 7 (64-bit) ✔ ✔
    Debian 8 (64-bit) ✔ ✔ *
    Amazon EC2 Linux (64-bit) ✔ ✔ ✔
    Oracle Linux 5 (32/64-bit) ✔ ✔
    Oracle Linux 6 (32/64-bit) ✔ ✔ ✔
    Oracle Linux 7 (64-bit) ✔ ✔ ✔
    SUSE 10 SP3 & SP4 (32/64-bit) ✔
    SUSE 11 SP1, SP2, SP3, SP4 (32/64-bit) ✔ ✔ ✔
    SUSE 12 (64-bit) ✔ ✔ ✔
    Cloud Linux 5 (32/64-bit) ✔
    Cloud Linux 6 (32/64-bit) ✔ ✔
    Cloud Linux 7 (64-bit) ✔ ✔ ✔

    Solaris

    Solaris 10 Update 11 (1/13) ✔
    Solaris 11.2/11.3 ✔

    * indicates Deep Security 10.0 Update 1

    Note: Deep Security Manager 10.1, 10.2, and 10.3 only support Deep Security Agent 9.6 and above, with exceptions for 9.0 agents on the following platforms:

    - Solaris 9
    - Solaris 10, Update 1/13
    - Solaris 11.2/11.3
    - AIX 5.3
    - AIX 6.1
    - AIX 7.1 (9.0 Agent for AIX 7.1 is also compatible with AIX 7.2)
    - HP-UX 11.31

    If Deep Security Manager 10.1, 10.2, or 10.3 is managing any of the above 9.0 agents, go to Administration > System Settings > Update, and then select Allow supported 8.0 and 9.0 Agents.

    Docker support

    You can use Deep Security 10.0 or later to protect Docker hosts and containers running on Linux distributions. Windows is not supported.

    With each Deep Security release, Deep Security supports the last two stable releases of Docker Community Edition (CE) and Docker Enterprise Edition (EE). (See Announcing Docker Enterprise Edition, https://blog.docker.com/2017/03/docker-enterprise-edition/.) We do not officially support Docker Edge releases, but strive to test against Docker Edge releases to the best of our ability.

    Support for new stable Docker releases is introduced with each release of Deep Security. We recommend that you refrain from upgrading to the latest stable release of Docker until Trend Micro documents the support statements for the latest Deep Security release.

    | Deep Security release | Supported Docker Releases |
    |---|---|
    | Deep Security 10.0 | Docker v1.12.x, v1.13.x |
    | Deep Security 10.1 | Docker 17.03-ce, v1.13.x |
    | Deep Security 10.2 | Docker 17.03, 17.06 |
    | Deep Security 10.3 | Docker 17.03, 17.06 |

    Deep Security is committed to supporting the environments, configurations, and platforms supported by Docker: https://docs.docker.com/engine/installation/.

    Before deploying Deep Security into your target environment, you should ensure that Docker supports your target environment and platform configuration.

    Deep Security Agent Linux kernel support

    - Deep Security Agent 10.3 Linux kernel support: http://files.trendmicro.com/documentation/guides/deep_security/Kernel Support/10.3/Deep_Security_10_3_kernels_EN.html
    - Deep Security Agent 10.2 Linux kernel support: http://files.trendmicro.com/documentation/guides/deep_security/Kernel Support/10.2/Deep_Security_10_2_kernels_EN.html
    - Deep Security Agent 10.1 Linux kernel support: http://files.trendmicro.com/documentation/guides/deep_security/Kernel Support/10.1/Deep_Security_10_1_kernels_EN.html
    - Deep Security Agent 10.0 Linux kernel support: http://files.trendmicro.com/documentation/guides/deep_security/Kernel Support/10.0/Deep_Security_10_kernels_EN.html
    - Deep Security Agent 9.6 SP1 Linux kernel support: http://files.trendmicro.com/documentation/guides/deep_security/Kernel Support/9.6/Deep_Security_96_SP1_kernels_EN.html
    - Deep Security Agent 9.5 SP1 Linux kernel support: http://files.trendmicro.com/documentation/guides/deep_security/Kernel Support/9.5/Deep_Security_95_SP1_kernels_EN.html

    Supported features by platform

    Available Deep Security 10.3 features vary by operating systems and platforms and which version of the Deep Security Agent (if any) is installed.

    For previous versions of Deep Security, see "Supported Features by Platform documentation for previous versions of Deep Security" on page 86.

    For information on what agent versions the Deep Security Manager 10.3 supports for each operating system, see "Deep Security Manager - Agent compatibility by platform" on page 63.

    Platforms

    - "Windows (10.3 Agents)" on the next page
    - "Red Hat Enterprise Linux (10.3 Agents)" on page 71
    - "CentOS (10.3 Agents)" on page 72
    - "Oracle Linux (10.3 Agents)" on page 73
    - "SUSE Linux (10.3 Agents)" on page 74
    - "Ubuntu (10.3 Agent)" on page 75
    - "Debian (10.3 Agent)" on page 75
    - "Cloud Linux (10.3 Agent)" on page 76
    - "Amazon (10.3 Agents)" on page 76
    - "Azure (10.3 Agents)" on page 79
    - "Agentless (NSX) (10.3 Agents)" on page 81

    Windows (10.3 Agents)

    Columns: Anti-Malware (Real-time: Feature set 1, Feature set 2; On-demand: Feature set 1, Feature set 2); Web Reputation Service; Firewall; Intrusion Prevention System (Unencrypted Traffic; SSL Encrypted Traffic); Integrity Monitoring (Real-time and On-demand: File and Directory Scans; Scans of Running Services, Processes, Listening Ports; File and Directory Scans; Registry Scans; Scans of Running Services, Processes, Listening Ports); Log Inspection; Application Control; Recommendation Scan; Relay; Scanner

    Windows 7 32 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows 7 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows Server 2008 32 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows Server 2008 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows Server 2008 R2 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows 8 32 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows 8 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows 8.1 32 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows 8.1 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows 10 32 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows 10 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows 10 32 TH2 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows 10 64 TH2 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows 10 RS2 32 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows 10 RS2 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows Server 2012 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows Server 2012 R2 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows Server Core 2012 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows Server Core 2012 R2 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
    Windows Server 2016 64 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

  • Trend Micr