To remain effective at identifying new threats, your agents need periodic security updates.
By default, the relays provided as part of the Server & Workload Protection service (the "Primary Tenant Relay Group") provide security updates to your agents. You can also deploy your own relays that get security updates from the Primary Tenant Relay Group and then distribute the updates to your agents. For details, see How relays work.
You can:

Configure the security update source

The default configuration for security updates is adequate for most environments, but you can change the settings to suit your needs:

Procedure

  1. Go to Administration > System Settings > Updates.
  2. Select an option for the Primary Security Update Source.
    By default, the primary source is Trend Micro Update Server, which is accessed via the Internet. Don't change the setting unless your support provider has instructed you to configure Other update source. Alternative update source URLs must include "http://" or "https://".
  3. Configure the Secondary Source for security updates. Usually, agents connect to a relay to obtain security updates when Server & Workload Protection tells them to. But if your computers can't always connect with Server & Workload Protection or relays (such as during scheduled maintenance times) and enough Internet/WAN bandwidth is available, these options are useful:
    • Allow Agents/Appliances to download security updates directly from Primary Security Update Source if Relays are not accessible
    • Allow Agents/Appliances to download security updates when Server & Workload Protection is not accessible
    Tip
    If you protect laptops and portable computers, they might be located far from support services. To avoid risk of a potentially problematic security update while at a remote location, deselect these options.
  4. Trend Micro sometimes updates an existing security rule to improve performance or fix a bug. By default, Automatically apply Rule Updates to Policies is selected.
  5. If you have deployed your own relays and they will be providing updates for regions other than the one where Server & Workload Protection is located, select Download Patterns for all Regions. This setting is disabled by default because it uses more disk space.
  6. If you do not want to use the default relays provided by the Server & Workload Protection service, deselect Use the Primary Tenant Relay Group as my Default Relay Group.
    Note
    If this option is deselected, when you click Administration > Updates > Relay Groups, the relay group name is "Default Relay Group", not "Primary Tenant Relay Group".

Initiate security updates

Tip
Instead of manually checking for updates, configure Server & Workload Protection to automatically check for security updates via a scheduled task. See Schedule Server & Workload Protection to perform tasks.
You can manually initiate security updates at any time, regardless of scheduled tasks.
To get security updates on a single agent, go to Computers, select the agent, then right-click and select Actions > Download Security Update.
Note
Deep Security Agent version 20.0.0-179+ for macOS supports rolling back a security update. Agents for macOS older than 20.0.0-179 do not support rolling back a security update.

Check your security update status

To view the status of your security updates, go to Administration > Updates > Security.
  • Trend Micro Update Server: Indicates whether or not relays can connect to Trend Micro ActiveUpdate to check for the latest security updates.
  • Server & Workload Protection: Indicates when the last successful check and download were performed, and when the next scheduled check will be performed. All Relays are in sync indicates that all relays are distributing the latest successfully downloaded pattern updates.
    Tip
    Out-of-sync status usually indicates that the relay cannot connect to Trend Micro Update Servers. In most cases, this is not an expected behavior and you should fix network connectivity problems. However, in "air-gapped" deployments, network isolation is intentional, so you must provide updates manually.
  • Computers: Indicates if any computers are out-of-date compared to the pattern updates currently on the relays. To prompt all computers to get the latest pattern updates from their assigned relays, click Send Patterns to Computers.

View details about pattern updates

To view a list of the components in an Anti-Malware pattern update, go to Administration > Updates > Security > Patterns. This page is displayed only when Server & Workload Protection has an active relay.
  • Component: The type of update component.
  • For Use By: The Server & Workload Protection product this component is intended for.
  • Platform: The operating system for which the update is intended.
  • Current Version: The version of the component currently being distributed by the relays.
    Tip
    To check which security update component version is being used on a protected computer, go to Computers, double-click the computer, and then select Updates.
  • Last Updated: When the current security update was downloaded from Trend Micro.

Revert, import, or view details about rule updates

To view a list of the most recent Intrusion Prevention, Integrity Monitoring, and Log Inspection Rules that have been downloaded into the Server & Workload Protection database, go to Administration > Updates > Security > Rules.
From there you can:
  • View details about a rule update: Select a rule update and click View. Details include a list of the update's specific rules.
    Tip
    To check which rule update version a relay is distributing, go to Computers, double-click the relay, and then select Security Updates. If Anti-Malware is enabled for that computer, it also displays the computer's pattern version.
  • Roll back a rule update: If a recent rule update has caused problems, you can revert to a previous rule version. Select the rule update that you want to revert to and then click Rollback. Server & Workload Protection generates a preview change summary so that you can confirm results before finalizing.
    Note
    All policies affected by the reverted rules will be immediately updated on all computers using those policies.
  • Reapply the current rule set: The check mark icon indicates that a rule update has been applied. To reapply that rule update to protected computers, right-click the rule update and click Reapply.
  • Import a rule update: Normally, rule updates are imported either manually or automatically (via scheduled task). However, if your deployment has no connectivity to the Trend Micro Update servers on the Internet (an "air-gapped" deployment), or if you are asked to do so by your support provider, you can click this button to manually upload and import a security update package.
  • Export a rule update: Normally, you should not need to export a rule update unless your support provider asks you.
  • Delete a rule update: Removes the selected rule update from the Server & Workload Protection database.
Security update packages must have a valid digital signature. If you try to view or use an invalid package (including old security updates that don't have a signature), then Server & Workload Protection displays an error message. See How Server & Workload Protection validates update integrity.

Enable automatic patches for rules

Trend Micro sometimes updates an existing Server & Workload Protection rule to improve performance or fix a bug. To automatically apply these patches, go to Computer or Policy editor > Settings > General and in the Send Policy Changes Immediately area, select Automatically send Policy changes to computers and set the drop-down to Yes. If it's not selected, you must manually apply downloaded rule updates to policies: go to Administration > System Settings > Updates and click Automatically apply Rule Updates to Policies.
Note
By default, changes to policies are automatically applied to computers.

Enable automatic Anti-Malware engine updates

By default, when you update Deep Security Agent, the Deep Security Anti-Malware engine is updated together with it. If you don't update software often, then over time, the Anti-Malware engine might become much older than the malware patterns it uses (which should be frequently updated).
For better protection, you can configure agents to automatically keep the Anti-Malware engine part of the software updated — an approach more similar to the security updates that it uses.

Procedure

  1. Go to Computers or Policies.
  2. Double-click a computer or policy.
  3. Go to Settings > Engine Update.
  4. For Automatically update anti-malware engine, select Yes.
    If this setting is disabled, then visit Computer Details > Updates > Advanced Threat Scan Engine and confirm that the Is Latest section displays "N/A".

What to do next

Note
Regardless of this setting, relays always receive the latest Anti-Malware engine updates. This keeps the relay's local protection and engine update source for the same relay group up to date. Therefore, you cannot enable or disable engine updates directly on a relay.

Enable security updates for older agents

For some platforms, Server & Workload Protection supports older versions. See Agent platforms.
By default, to conserve disk space, the relay will not download and distribute security updates for these older agents. To enable security updates for them, go to Administration > System Settings > Updates. Select Allow supported 8.0 and 9.0 Agents to be updated.
Note
Deep Security Agent 8.0 is no longer supported. This check box only applies to the 9.0 agent.

Change the alert threshold for late security updates

If an update has been downloaded from Trend Micro and has been available for some time, but computers are not updated yet, an alert occurs. For pattern updates, by default, the limit is 1 hour.
If you want to change the time limit for the alert, go to Administration > System Settings > Alerts and configure Length of time an Update can be pending before raising an Alert.
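
The pending-update check described above can also be run over your own inventory data. The following is an added example, not Trend Micro code and not a product API: the data layout, component names, host names and versions are constructed for illustration, and only the 1 hour default comes from this page.

```python
from datetime import datetime, timedelta, timezone

PATTERN_PENDING_LIMIT = timedelta(hours=1)  # default limit stated on this page


def parse_version(text):
    """Turn a dotted version such as '18.501.00' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def late_updates(relay, computers, now, limit=PATTERN_PENDING_LIMIT):
    """Return (computer, component, installed, pending) for overdue updates.

    relay:     {component: (version, downloaded_at)} as distributed by relays
    computers: {name: {component: installed_version}}
    A component the computer has never received counts as out of date.
    """
    findings = []
    for component, (current, downloaded_at) in sorted(relay.items()):
        pending = now - downloaded_at
        if pending <= limit:
            continue  # still inside the allowed pending time, no alert yet
        for name, installed in sorted(computers.items()):
            have = installed.get(component)
            if have is None or parse_version(have) < parse_version(current):
                findings.append((name, component, have, pending))
    return findings


# Constructed sample inventory (hypothetical names and versions).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
RELAY = {
    "pattern-a": ("18.501.00", NOW - timedelta(hours=3)),   # past the limit
    "pattern-b": ("2.10.0", NOW - timedelta(minutes=20)),   # inside the limit
}
COMPUTERS = {
    "web-01": {"pattern-a": "18.501.00", "pattern-b": "2.9.0"},
    "db-01": {"pattern-a": "18.499.00", "pattern-b": "2.10.0"},
    "laptop-07": {"pattern-b": "2.10.0"},                   # never got pattern-a
}

if __name__ == "__main__":
    for name, component, have, pending in late_updates(RELAY, COMPUTERS, NOW):
        print(f"{name}: {component} at {have or 'none'}, pending {pending}")
```

Versions are compared as numeric tuples because a plain string comparison would rank "2.9.0" above "2.10.0" and hide an out-of-date computer.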