Know the issues you may encounter when installing and using Deep Security 9.0.
The following are known issues in Deep Security 9.0:
- In rare cases, when you create a vCloud or AWS cloud connector in Deep Security Manager, it may result in two identical cloud connectors being created. If this happens, you can safely remove either of the connectors and all the computers within it.
- The use of certain search criteria in the Advance Search of anti-malware events returns inaccurate results.
  - Results are incorrect when searching events by the following criteria:
    Infected Files/Computers/Malware + "Contains"/"Equals" + 'Multiple'
    However, these search criteria return correct results:
    Infected Files/Computers/Malware + "Does Not Contain"/"Does Not Equal" + 'Multiple'
  - Results are inaccurate when you search events using the following criteria:
    Infected Files/Malware + specific infected file name
    However, results are correct if you use these search criteria:
    Malware + specific malware/spyware name or type
- The Deep Security Agent cannot detect viruses in a mounted network drive (NFS) on Windows 2008.
- The Web Reputation Service (WRS) function is only supported on Windows platforms, not on Linux, Solaris, HP-UX or AIX. Hence, if you have installed a Deep Security Agent (DSA) on Linux and a Deep Security Virtual Appliance (DSVA) as a coordinated approach, there will be no WRS function because it is not supported on Linux DSA.
- In a cloud environment, if the activation of the Deep Security Agent was initiated from a machine while the DSM lost contact with the cloud provider (i.e. DSM is unable to sync with AWS), the DSA will not be recognized by the DSM. The DSA will be put in the computer folder, even if the cloud provider later establishes communication with the DSM.
If you enable Agent-Initiated Activation with the Allow reactivation of cloned VMs option, the DSM will recognize the DSA and sync it with the cloud provider folder, but the original DSA record will still exist in the computer folder.
- If the DSA components are rolled back to their fresh installation state, the Administration > Updates > Security Update page in the DSM will appear blank. However, the anti-malware components on the DSA still exist, and can be seen in the Computers > Details > Updates page.
- When a bundled Relay (DSM + co-located Relay) is installed on a virtual machine (VM), one instance under Computers in the DSM will appear Managed, while another instance under vCenter will appear Unmanaged. When this occurs, deactivate the one under Computers and activate the instance under vCenter.
- After an upgrade from Deep Security 8.0 SP1 to version 9.0, the Windows 8 and Windows 2012 policies will not exist by default. You can create the policies by running and applying a recommendation scan on a new system.
- The Event-Based Task (EBT) for IP change is not supported for VMs in the agentless solution.
- In Windows 8, there is no event reported when the DSA service is restarted. This is a behavior change which also applies to other products/services in Windows 8.
- With DSVA’s 4GB minimum memory requirement, BSOD sometimes occurs during continuous scanning of a large number of files. This is an issue with the VMware vShield Endpoint Driver. It has been reported to VMware for further investigation.
- The control CPU usage made available through a Deep Security 8.0 SP1 hot fix was not included in Deep Security 9.0.
- The DSRU Apply Wizard occasionally gets stuck and times out, even if the rules are being applied successfully.
- When the Enable regular synchronization with Cloud Provider option is disabled, changing the DSA hostname will cause an issue in the DSM/DSA communication. Thus, it is recommended to keep the option enabled.
- If a DSVA is shut down and the VM is migrated from one protected ESX to another protected ESX, the migrated VM will automatically be activated on the new ESX. But if the same VM is migrated back to the original ESX while the DSVA is still shut down, the DSVA will not recognize the VM once it is turned on. You have to manually reactivate the VM as a workaround.
- The DSM will kick off IM scans or baseline rebuilds on stopped VMs that have agentless integrity monitoring enabled. This will lead to issues and error messages in the DSM console.
- Deep Security upgrade issues are occasionally encountered, and these are related to the timing of the VC RTL assemblies being published to WinSxS. It occurs when using Windows Vista or higher, and only when the version of the RTL is not changing. As a workaround, manually install the latest vcredist on your machine prior to upgrading the product, so that the latest RTL DLLs are already in place.
- Agents may go offline when running slow agentless recommendation scans with small heartbeats. As a workaround, increase the heartbeat interval.
- If the Manager node(s) and the database are installed on machines with synchronized clocks but with different time zone configurations, an error will be reported indicating that the clocks are not synchronized.
- If a tenant in a multi-tenant environment is suspended, clicking the Sign In As Tenant button in the T0 environment will automatically log out the T0 user.
- The proxy list in the Settings > Updates tab is not updated until the Settings page is refreshed. You can add, delete or rename proxies in the proxy list, but the changes will not appear on other pages until those pages are refreshed.
- The Deep Security 7.5 SP4 hot fix for the memory overwritten/buffer overrun issue is not included in Deep Security 9.0.
- In a multi-tenant environment, the Tn user may have to manually add the DSM IP address in the Ignore Reconnaissance IP list found in Policies > Common Objects > Lists > IP Lists. This is to avoid getting the warning message "Reconnaissance Detected: Network or Port Scan".
- In order for DSVA to be deployed in a pure IPv6 environment, its hostname must be resolved by either the host file or the DNS server.
- The DSM preview feature will not work in IE8 with Enhanced Security Configuration (ESC) enabled. To use the feature, you have to disable ESC in IE8 or use a different IE version or supported browser.
- On Windows 2008 and Windows Server 2012, the Deep Security Notifier icon does not automatically show up in the Windows notification area after installing DSM with a co-located Relay.
- Occasionally, some computers show “Anti-malware engine offline” in the DSM, and the Deep Security Agent anti-malware service has stopped running. If this happens because system_config.cfg is corrupted, it can be fixed by replacing the CFG file and restarting the DSA anti-malware service (AMSP):
  - Open the system_config.cfg file with a text editor to check whether it has no content. An empty file indicates that it is corrupted.
  - Decompress the system_config.cfg file from C:\Program Files\Trend Micro\Deep Security Agent\AMSP.zip.
  - Copy the system_config.cfg file to the C:\Program Files\Trend Micro\AMSP folder, to overwrite the corrupted one.
  - Restart the computer, or start the AMSP service by running the command "net start amsp" with administrator privileges.
- The DSM cannot correctly show the Windows Server 2012 R2 and Windows 8.1(x86/x64) version information and OS build number on its console.
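
The four steps listed above for the corrupted system_config.cfg issue can be scripted so the file is replaced only when it is actually empty. This is an added example, not Trend Micro code: the paths and the amsp service name are the ones given in those steps, while the backup file name and the availability of .NET 4.5 (for the ZipFile class) are assumptions.

```powershell
# Added example, not Trend Micro code. Paths and the "amsp" service name come
# from the steps above; the ".corrupt.bak" backup name is an assumption.
$ErrorActionPreference = 'Stop'

$zipPath = 'C:\Program Files\Trend Micro\Deep Security Agent\AMSP.zip'
$cfgName = 'system_config.cfg'
$cfgPath = Join-Path 'C:\Program Files\Trend Micro\AMSP' $cfgName

# Overwriting files under Program Files and starting a service need elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Step 1: proceed only when the file exists and has no content.
$cfg = Get-Item -LiteralPath $cfgPath
if ($cfg.Length -ne 0) {
    Write-Output "$cfgPath is $($cfg.Length) bytes, so it is not empty; nothing changed."
    return
}

# Steps 2-3: pull only system_config.cfg out of AMSP.zip and overwrite the
# empty file, keeping a copy of the corrupted one for later inspection.
Add-Type -AssemblyName System.IO.Compression.FileSystem   # assumes .NET 4.5+
$zip = [System.IO.Compression.ZipFile]::OpenRead($zipPath)
try {
    $entry = $zip.Entries | Where-Object { $_.Name -eq $cfgName } | Select-Object -First 1
    if (-not $entry) { throw "$cfgName not found in $zipPath" }
    Copy-Item -LiteralPath $cfgPath -Destination "$cfgPath.corrupt.bak" -Force
    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $cfgPath, $true)
}
finally {
    $zip.Dispose()
}

# Step 4: start the anti-malware service and report its state.
Start-Service -Name amsp
Get-Service -Name amsp | Select-Object Name, Status
```

If the script exits at the size check, the “Anti-malware engine offline” status has a cause other than an empty system_config.cfg and this workaround does not apply.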