There is a compatibility issue in Deep Security Agent (DSA) for Linux. When Deep Security Agent with enabled Integrity Monitoring (real-time), Anti-Malware (real-time), Application Control, or Activity Monitoring runs on a Linux server running with a third-party security software based on kernel system call hooking (e.g. Symantec Endpoint Protection and Imperva), the operating system may crash in certain scenarios.
Below are some samples:
- If you have re-enabled the security features such as Anti-Malware real-time protection
- If you have updated the Kernel Support Package
The compatibility issue happens when re-installing kernel hooks because of the defect in the Deep Security Agent kernel module (TMHook). The affected version of the TMHook driver are versions 1.1.1304 ~ 1.1.1310 and 1.2.1124 ~ 1.2.1149. These are included in the following DSA versions:
- Deep Security Agent 20.0 GM (22.214.171.1247) and newer (released on July 30, 2020)
- Deep Security Agent 12.0 Linux kernel support 126.96.36.1991 and newer (released on August 18, 2020)
To verify if your DSA is using this driver version, run the command below and compare it with the tmhook version stated above.
$ cat /proc/driver/bmhook/tmhook/version # query the TMHook version
The fix is included in the following DSA versions:
- Deep Security 20 Linux Kernel Support 188.8.131.523
- Deep Security Agent 184.108.40.2062
- Deep Security 12 Linux Kernel Support 220.127.116.112
To avoid the issue as much as possible, please perform the procedure below to upgrade Deep Security Agent safely.
- Turn off the security features: Integrity Monitoring (real-time), Anti-Malware (real-time), Application Control, and Activity Monitoring.
- Upgrade DSA to the version that includes the fix (or import KernelSupport).
- Send a policy to DSA.
- Reboot the machine to unload the third-party and the old Deep Security kernel modules.
- Turn on the security features.